20220725-v1.1.1

CLincat · Jul 25, 2022 · 5e9e38f · 5e9e38f
1 parent 19073af
commit 5e9e38f
Show file tree

Hide file tree

Showing 35 changed files with 1,550 additions and 549 deletions.
diff --git a/README.md b/README.md
diff --git a/README_en-us.md b/README_en-us.md
diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py
@@ -5,10 +5,12 @@
 
 from lib.initial.config import config
 from lib.tool.logger import logger
-from lib.tool.fingerprint import identify
 from lib.tool import check
 from lib.report import output
 
+from lib.plugins.fingerprint.waf import waf
+from lib.plugins.fingerprint.webapp import webapp
+
 from payloads.AlibabaDruid import alidruid
 from payloads.AlibabaNacos import nacos
 from payloads.ApacheAirflow import airflow
@@ -20,6 +22,7 @@
 from payloads.AppWeb import appweb
 from payloads.AtlassianConfluence import confluence
 from payloads.Cisco import cisco
+from payloads.Discuz import discuz
 from payloads.Django import django
 from payloads.Drupal import drupal
 from payloads.ElasticSearch import elasticsearch
@@ -28,6 +31,8 @@
 from payloads.Jenkins import jenkins
 from payloads.Keycloak import keycloak
 # from payloads.Kindeditor import kindeditor
+from payloads.MongoExpress import mongoexpress
+from payloads.Nodejs import nodejs
 from payloads.NodeRED import nodered
 from payloads.ShowDoc import showdoc
 from payloads.Spring import spring
@@ -73,7 +78,7 @@ def start(self):
 
             # * --------------------WAF指纹识别--------------------
             if (not self.no_waf):
-                waf_info = identify.waf_identify(u)                                                     # * WAF指纹识别
+                waf_info = waf.identify(u)                                                     # * WAF指纹识别
                 if waf_info:
                     while True:
                         if (not self.batch):                                                            # * 是否使用默认选项
@@ -102,8 +107,8 @@ def start(self):
             # * --------------------框架指纹识别--------------------
             if ((self.application == 'auto') and (not self.vuln)):
                 logger.info('yellow_ex', self.lang['core']['web_finger']['web'])
-                identify.stop = self.stop
-                new_app_list = identify.webapp_identify(u)
+                webapp.stop = self.stop
+                new_app_list = webapp.identify(u)
                 if new_app_list:
                     logger.info('yellow_ex', self.lang['core']['web_finger']['web_find'].format(str(new_app_list)))
                     self.app_list = new_app_list
@@ -113,7 +118,7 @@ def start(self):
             # * --------------------框架指纹识别--------------------
 
             if self.no_poc:
-                logger.info('red', '[No-POC] 不进行漏洞扫描')
+                logger.info('red', self.lang['core']['start']['no_poc'])
                 continue
 
             if check.check_connect(u):

diff --git a/lib/initial/config.py b/lib/initial/config.py
@@ -70,7 +70,7 @@ def __init__(self, args):
             'Connection': 'close'
         }
         if args.cookie:
-            args.headers['Cookie'] = args.cookie
+            args.headers['Cookie'] = args.cookie.lstrip('Cookie: ')
 
         args.proxies = {
             'http': args.http_proxy,
@@ -84,13 +84,14 @@ def __init__(self, args):
         app_list = [
             'alidruid', 'airflow', 'apisix', 'appweb', 
             'cisco', 'confluence', 
-            'django', 'drupal',
+            'discuz', 'django', 'drupal',
             'elasticsearch', 
             'f5bigip', 'fastjson', 'flink', 
             'jenkins',
             # 'keycloak', 'kindeditor',
             'keycloak', 
-            'nacos', 'nodered',
+            'mongoexpress', 
+            'nacos', 'nodered', 'nodejs', 
             'showdoc', 'solr', 'struts2', 'spring', 
             'thinkphp', 'tomcat', 
             'ueditor', 

diff --git a/lib/initial/language.py b/lib/initial/language.py
@@ -62,13 +62,14 @@ def language():
         },
         'app_list_help': {
             'title': 'Supported target types(Case insensitive)',
-            'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
+            'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
         },
         'core': {
             'start': {
                 'start': '[INFO] Start scanning target ',
                 'unable': '[WARN] Unable to connect to ',
-                'url_error': '[WARN] The destination {} is incorrect and needs to start with http:// or https://'
+                'url_error': '[WARN] The destination {} is incorrect and needs to start with http:// or https://',
+                'no_poc': '[No-POC] Disable Vulnerability scanning'
             },
             'waf_finger': {
                 'waf': '[INFO] The WAF detection for the current URL starts',
@@ -176,13 +177,14 @@ def language():
         },
         'app_list_help': {
             'title': '支持的目标类型(-a参数, 不区分大小写)',
-            'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
+            'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
         },
         'core': {
             'start': {
                 'start': '[INFO] 开始扫描目标 ',
                 'unable': '[WARN] 无法连接到 ',
-                'url_error': '[WARN] 目标{}好像不对哦, 需要以http://或https://开头'
+                'url_error': '[WARN] 目标{}好像不对哦, 需要以http://或https://开头',
+                'no_poc': '[No-POC] 不进行漏洞扫描'
             },
             'waf_finger': {
                 'waf': '[INFO] 对当前url进行WAF检测, 请稍等...',

diff --git a/lib/initial/list.py b/lib/initial/list.py
@@ -8,18 +8,18 @@ def list():
     ''' 显示漏洞列表 '''
     vul_num = 0
     vul_list = ''
-    vul_list += '+' + ('-'*22) + '+' + ('-'*18) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*67) + '+\n'
+    vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*73) + '+\n'
 
     for vul in vul_info:
         for info in vul_info[vul]:
             vul_num += 1
             vul_list += '| {}|'.format(vul.ljust(21))
-            vul_list += ' {}|'.format(info['vul_id'].ljust(17))
+            vul_list += ' {}|'.format(info['vul_id'].ljust(19))
             vul_list += ' {}|'.format(info['type'].ljust(13))
             vul_list += ' {}|'.format(info['method'].ljust(9))
-            vul_list += ' {}\t|'.format(info['description'].ljust(56))
+            vul_list += ' {}\t|'.format(info['description'].ljust(62))
             vul_list += '\n'
-        vul_list += '+' + ('-'*22) + '+' + ('-'*18) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*67) + '+\n'
+        vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*73) + '+\n'
 
     print(color.cyan(vul_list + str(vul_num - 1)))
     # print(vul_num)
@@ -170,6 +170,14 @@ def list():
             'description': '思科ASA/FTD XSS跨站脚本攻击'
         }
     ],
+    'Discuz': [
+        {
+            'vul_id': 'wooyun-2010-080723',
+            'type': 'RCE',
+            'method': 'GET',
+            'description': '全局变量防御绕过RCE'
+        }
+    ],
     'Django': [
         {
             'vul_id': 'CVE-2017-12794',
@@ -203,11 +211,29 @@ def list():
         }
     ],
     'Drupal': [
+        {
+            'vul_id': 'CVE-2014-3704',
+            'type': 'SQLinject',
+            'method': 'POST',
+            'description': 'Drupal < 7.32 Drupalgeddon SQL 注入'
+        },
+        {
+            'vul_id': 'CVE-2017-6920',
+            'type': 'RCE',
+            'method': 'POST',
+            'description': 'Drupal Core 8 PECL YAML 反序列化代码执行'
+        },
         {
             'vul_id': 'CVE-2018-7600',
             'type': 'RCE',
             'method': 'POST',
             'description': 'Drupal Drupalgeddon 2 远程代码执行'
+        },
+        {
+            'vul_id': 'CVE-2018-7602',
+            'type': 'RCE',
+            'method': 'POST',
+            'description': 'Drupal 远程代码执行'
         }
     ],
     'ElasticSearch': [
@@ -288,6 +314,28 @@ def list():
     #         'description': 'Kindeditor 目录遍历'
     #     }
     # ],
+    'mongo-express': [
+        {
+            'vul_id': 'CVE-2019-10758',
+            'type': 'RCE',
+            'method': 'POST',
+            'description': '未授权远程代码执行'
+        }
+    ],
+    'Nodejs': [
+        {
+            'vul_id': 'CVE-2017-14849',
+            'type': 'FileRead',
+            'method': 'GET',
+            'description': 'Node.js目录穿越'
+        },
+        {
+            'vul_id': 'CVE-2021-21315',
+            'type': 'RCE',
+            'method': 'GET',
+            'description': 'Node.js命令执行'
+        }
+    ],
     'NodeRED': [
         {
             'vul_id': 'CVE-2021-3223',
@@ -414,6 +462,12 @@ def list():
             'type': 'RCE',
             'method': 'POST',
             'description': 'Webmin Pre-Auth 远程代码执行'
+        },
+        {
+            'vul_id': 'CVE-2019-15642',
+            'type': 'RCE',
+            'method': 'POST',
+            'description': 'Webmin 远程代码执行'
         }
     ],
     'Yonyou': [

diff --git a/lib/initial/parse.py b/lib/initial/parse.py
@@ -19,7 +19,7 @@ def parse():
 python3 vulcat.py -u https://www.example.com/ -a tomcat -v CVE-2017-12615
 python3 vulcat.py -f url.txt -t 10
 python3 vulcat.py --list
-''', version='vulcat.py-1.1.0\n')
+''', version='vulcat.py-1.1.1\n')
     # * 指定目标
     target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name'])
     target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url'])
@@ -29,7 +29,7 @@ def parse():
     # * 可选参数
     optional = parser.add_option_group(lang['optional_help']['title'], lang['optional_help']['name'])
     optional.add_option('-t', '--thread', type='int', dest='thread', default=2, help=lang['optional_help']['thread'])
-    optional.add_option('--delay', type='int', dest='delay', default=1, help=lang['optional_help']['delay'])
+    optional.add_option('--delay', type='float', dest='delay', default=1, help=lang['optional_help']['delay'])
     optional.add_option('--timeout', type='int', dest='timeout', default=10, help=lang['optional_help']['timeout'])
     optional.add_option('--http-proxy', type='string', dest='http_proxy', default=None, help=lang['optional_help']['http_proxy'])
     optional.add_option('--user-agent', type='string', dest='ua', default='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0', help=lang['optional_help']['user_agent'])
@@ -40,6 +40,7 @@ def parse():
     application = parser.add_option_group(lang['application_help']['title'], lang['application_help']['name'])
     application.add_option('-a', '--application', type='string', dest='application', default='auto', help=lang['application_help']['application'])
     application.add_option('-v', '--vuln', type='string', dest='vuln', default=None, help=lang['application_help']['vuln'])
+    # application.add_option('-c', '--command', type='string', dest='command', default=None, help='配合exp执行自定义命令')
 
     # * 第三方api, 例如dnslog/ceye
     api = parser.add_option_group(lang['api_help']['title'], lang['api_help']['name'])

diff --git a/lib/plugins/Exp.py b/lib/plugins/Exp.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+    插件:
+        POC转EXP
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from lib.tool import head
+from thirdparty import requests
+from time import sleep
+import re
+
+def exp(result):
+    pass