20220525-v1.0.7

README.md

@@ -1,12 +1,12 @@
 # vulcat
-除了代码写得有亿点点烂, 误报率有亿点点高, 等亿点点小问题以外，还是阔以的......吧
+除了代码写得有亿点点烂, BUG有亿点点多, 误报率有亿点点高, 等亿点点小问题以外，还是阔以的......吧
 
 * vulcat可用于扫描web端漏洞(框架、中间件、CMS等), 发现漏洞时会提示目标url和payload, 使用者可以根据提示对漏洞进行手工验证<br/>
 * 使用者还可以自己编写POC, 并添加到vulcat中进行扫描, 本项目也欢迎大家贡献自己的POC(白嫖)
 * 如果有什么想法、建议或者遇到了BUG, 都可以issues
 
 **目前支持扫描的web应用程序有:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, Cicso, Django, Fastjson, Spring, ThinkPHP, Weblogic, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, Cicso, Django, F5-BIG-IP, Fastjson, Keycloak, Spring, ThinkPHP, Ueditor, Weblogic, Yonyou
 
 <details>
 <summary><b>目前支持扫描的web漏洞有: [点击展开]</b></summary>
@@ -36,20 +36,36 @@
 +---------------+------------------+------------+----------+------------------------------------------------------------+
 | ApacheTomcat  | CVE-2017-12615   | FileUpload | PUT      | PUT方法任意文件写入                                          |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
+| AppWeb        | CVE-2018-8715    | unAuth     | GET      | AppWeb身份认证绕过                                          |
++---------------+------------------+------------+----------+------------------------------------------------------------+
 | Cisco         | CVE-2020-3580    | XSS        | POST     | 思科ASA/FTD XSS跨站脚本攻击                                  |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
 | Django        | CVE-2017-12794   | XSS        | GET      | Django debug page XSS跨站脚本攻击                           |
 | Django        | CVE-2019-14234   | SQLinject  | GET      | Django JSONfield SQL注入                                   |
+| Django        | CVE-2018-14574   | Redirect   | GET      | CommonMiddleware url重定向                                  |
+| Django        | CVE-2020-9402    | SQLinject  | GET      | GIS SQL注入                                                |
+| Django        | CVE-2021-35042   | SQLinject  | GET      | QuerySet.order_by SQL注入                                  |
++---------------+------------------+------------+----------+------------------------------------------------------------+
+| F5-BIG-IP     | CVE-2020-5902    | RCE        | GET      | BIG-IP远程代码执行                                          |
+| F5-BIG-IP     | CVE-2022-1388    | unAuth     | POST     | BIG-IP身份认证绕过                                          |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
 | Fastjson      | CNVD-2019-22238  | unSerialize| POST     | Fastjson <=1.2.47 反序列化                                  |
 | Fastjson      | CVE-2017-18349   | unSerialize| POST     | Fastjson <= 1.2.24 反序列化                                 |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
+| Keycloak      | CVE-2020-10770   | SSRF       | GET      | 使用request_uri调用未经验证的URL                             |
++---------------+------------------+------------+----------+------------------------------------------------------------+
 | Spring        | CVE-2022-22965   | RCE        | GET/POST | Spring Framework远程代码执行                                |
 | Spring        | CVE-2021-21234   | FileRead   | GET      | Spring Boot目录遍历                                         |
 | Spring        | CVE-2020-5410    | FileRead   | GET      | Spring Cloud目录遍历                                        |
+| Spring        | CVE-2022-22963   | RCE        | POST     | Spring Cloud Function SpEL远程代码执行                      |
+| Spring        | CVE-2022-22947   | RCE        | POST     | Spring Cloud Gateway SpEl远程代码执行                       |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
 | ThinkPHP      | CNVD-2018-24942  | RCE        | GET      | 未开启强制路由导致RCE                                        |
 | ThinkPHP      | CNNVD-201901-445 | RCE        | POST     | 核心类Request远程代码执行                                    |
+| ThinkPHP      | None             | RCE        | GET      | ThinkPHP2.x 远程代码执行                                    |
+| ThinkPHP      | None             | RCE        | GET      | ThinkPHP5 ids参数SQL注入                                    |
++---------------+------------------+------------+----------+------------------------------------------------------------+
+| Ueditor       | None             | SSRF       | GET      | Ueditor编辑器SSRF                                          |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
 | Weblogic      | CVE-2020-14882   | RCE        | GET      | Weblogic未授权命令执行                                      |
 | Weblogic      | CVE-2020-14750   | unAuth     | GET      | Weblogic权限验证绕过                                        |
@@ -80,6 +96,7 @@
 ```
 git clone https://github.com/CLincat/vulcat.git
 cd vulcat
+pip3 install -r requirements.txt
 python3 vulcat.py -h
 ```
 ```
@@ -149,8 +166,9 @@ Options:
     --list              查看所有Payload
 
   支持的目标类型(-a参数, 不区分大小写):
-    AliDruid,airflow,apisix,cisco,django,fastjson,flink,thinkphp,tomcat,na
-    cos,spring,solr,struts2,weblogic,yonyou
+    AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,key
+    cloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyo
+    u
 ```
 
 ## language

README_en-us.md

@@ -5,7 +5,7 @@
 * If you have any ideas, suggestions, or bugs, you can issue
 
 **Web applications that currently support scanning:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, Cicso, Django, Fastjson, Spring, ThinkPHP, Weblogic, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, Cicso, Django, F5-BIG-IP, Fastjson, Keycloak, Spring, ThinkPHP, Ueditor, Weblogic, Yonyou
 
 <details>
 <summary><b>The current web vulnerabilities that support scanning: [Click on]</b></summary>
@@ -35,20 +35,36 @@
 +---------------+------------------+------------+----------+------------------------------------------------------------+
 | ApacheTomcat  | CVE-2017-12615   | FileUpload | PUT      | Put method writes to any file                              |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
+| AppWeb        | CVE-2018-8715    | unAuth     | GET      | AppWeb Authentication bypass                               |
++---------------+------------------+------------+----------+------------------------------------------------------------+
 | Cisco         | CVE-2020-3580    | XSS        | POST     | Cisco ASA/FTD XSS                                          |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
 | Django        | CVE-2017-12794   | XSS        | GET      | Django debug page XSS                                      |
 | Django        | CVE-2019-14234   | SQLinject  | GET      | Django JSONfield SQLinject                                 |
+| Django        | CVE-2018-14574   | Redirect   | GET      | Django CommonMiddleware URL Redirect                       |
+| Django        | CVE-2020-9402    | SQLinject  | GET      | Django GIS SQLinject                                       |
+| Django        | CVE-2021-35042   | SQLinject  | GET      | Django QuerySet.order_by SQLinject                         |
++---------------+------------------+------------+----------+------------------------------------------------------------+
+| F5-BIG-IP     | CVE-2020-5902    | RCE        | GET      | BIG-IP Remote code execution                               |
+| F5-BIG-IP     | CVE-2022-1388    | unAuth     | POST     | BIG-IP Authentication bypass                               |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
 | Fastjson      | CNVD-2019-22238  | unSerialize| POST     | Fastjson <=1.2.47 deSerialization                          |
 | Fastjson      | CVE-2017-18349   | unSerialize| POST     | Fastjson <= 1.2.24 deSerialization                         |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
+| Keycloak      | CVE-2020-10770   | SSRF       | GET      | request_uri SSRF                                           |
++---------------+------------------+------------+----------+------------------------------------------------------------+
 | Spring        | CVE-2022-22965   | RCE        | GET/POST | Spring Framework Remote code execution                     |
 | Spring        | CVE-2021-21234   | FileRead   | GET      | Spring Boot Directory traversal                            |
 | Spring        | CVE-2020-5410    | FileRead   | GET      | Spring Cloud Directory traversal                           |
+| Spring        | CVE-2022-22963   | RCE        | POST     | Spring Cloud Function SpEL Remote code execution           |
+| Spring        | CVE-2022-22947   | RCE        | POST     | Spring Cloud Gateway SpEl Remote code execution            |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
 | ThinkPHP      | CNVD-2018-24942  | RCE        | GET      | The forced route is not enabled Remote code execution      |
 | ThinkPHP      | CNNVD-201901-445 | RCE        | POST     | Core class Request Remote code execution                   |
+| ThinkPHP      | None             | RCE        | GET      | ThinkPHP2.x Remote code execution                          |
+| ThinkPHP      | None             | RCE        | GET      | ThinkPHP5 ids SQLinject                                    |
++---------------+------------------+------------+----------+------------------------------------------------------------+
+| Ueditor       | None             | SSRF       | GET      | Ueditor SSRF                                               |
 +---------------+------------------+------------+----------+------------------------------------------------------------+
 | Weblogic      | CVE-2020-14882   | RCE        | GET      | Weblogic Unauthorized command execution                    |
 | Weblogic      | CVE-2020-14750   | unAuth     | GET      | Weblogic Authentication bypass                             |
@@ -78,6 +94,7 @@ The tool is developed based on python3. Python3.8 or later is recommended
 ```
 git clone https://github.com/CLincat/vulcat.git
 cd vulcat
+pip3 install -r requirements.txt
 python3 vulcat.py -h
 ```
 ```
@@ -156,8 +173,9 @@ Options:
     --list              View all payload
 
   Supported target types(Case insensitive):
-    AliDruid,airflow,apisix,cisco,django,fastjson,flink,thinkphp,tomcat,na
-    cos,spring,solr,struts2,weblogic,yonyou
+    AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,key
+    cloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyo
+    u
 ```
 
 ## language

lib/api/dns.py

@@ -38,12 +38,12 @@ def domain(self, sessid):
             else:
                 return 'NotDns'
         except requests.ConnectTimeout:
-            return 'dns_timeout'
+            return 'dnslog_timeout'
         except requests.ConnectionError:
-            return 'dns_error'
+            return 'dnslog_error'
         except Exception as e:
             # print(e)
-            return 'error'
+            return 'dnslog_error'
 
     def result(self, md, sessid):
         try:
@@ -54,12 +54,12 @@ def result(self, md, sessid):
             else:
                 return 'NotRes'
         except requests.ConnectTimeout:
-            return 'dns_timeout'
+            return 'dnslog_timeout'
         except requests.ConnectionError:
-            return 'dns_error'
+            return 'dnslog_error'
         except Exception as e:
             # print(e)
-            return 'error'
+            return 'dnslog_error'
 
     # * 不同的dns平台
     def get_dnslog_domain(self, sessid):

lib/core/coreScan.py

@@ -15,12 +15,15 @@
 from payloads.ApacheSolr import solr
 from payloads.ApacheTomcat import tomcat
 from payloads.ApacheStruts2 import struts2
+from payloads.AppWeb import appweb
 from payloads.Cisco import cisco
 from payloads.Django import django
+from payloads.F5BIGIP import f5bigip
 from payloads.Fastjson import fastjson
 from payloads.ThinkPHP import thinkphp
-# from payloads.Keycloak import keycloak
+from payloads.Keycloak import keycloak
 from payloads.Spring import spring
+from payloads.Ueditor import ueditor
 from payloads.Weblogic import weblogic
 from payloads.Yonyou import yonyou
 from thirdparty.tqdm import tqdm

lib/initial/config.py

@@ -7,6 +7,7 @@
 
 from lib.initial.language import language
 from thirdparty.requests import packages
+import re
 import http.client
 
 global config
@@ -34,19 +35,32 @@ def __init__(self, args):
 
         url_list_temp = args.url_list.copy()
         for url in url_list_temp:
-            if url[-1] != '/':                                          # * url最后的斜杠/
+            mark_index = url.find('?')
+            if (mark_index + 1):
+                url = url[:mark_index]
+            del args.url_list[0]
+
+
+            if (url[-1] != '/') and ((re.search(r'(([0-9]{0,3})\.([0-9]{0,3})\.([0-9]{0,3})\.([0-9]{0,3}):([0-9]*))$', url)) or (not re.search(r'(.*\..*)$', url))): # * url的斜杠/(目录)
                 url += '/'
+
             if args.recursive:                                          # * -r参数
-                url_index = 8
-                while url_index:
-                    url_index = url.find('/', url_index)
-                    url_index += 1
-                    args.url_list.append(url[0:url_index])
-                else:
-                    del args.url_list[0]
-                    del args.url_list[-1]
+                url = url.replace('//', 'This_is_a_placeholder', 1)
+                dir_list = url.split('/')
+                url = dir_list[0].replace('This_is_a_placeholder', '//', 1) + '/'
+                del dir_list[0]
+                args.url_list.append(url)
+
+                for dir in range(len(dir_list)):
+                    if ((dir_list[dir]) and (not re.search(r'(.*\..*)$', dir_list[dir]))):
+                        url += dir_list[dir] + '/'
+                        args.url_list.append(url)
+                    else:
+                        url += dir_list[dir]
+                        if (url not in args.url_list):
+                            args.url_list.append(url)
+                        break
             else:
-                del args.url_list[0]
                 args.url_list.append(url)
 
         args.headers = {
@@ -63,7 +77,7 @@ def __init__(self, args):
             'https': args.http_proxy
         }
 
-        app_list = ['alidruid', 'airflow', 'apisix', 'cisco', 'django', 'fastjson', 'flink', 'thinkphp', 'tomcat', 'nacos', 'spring', 'solr', 'struts2', 'weblogic', 'yonyou']
+        app_list = ['alidruid', 'airflow', 'apisix', 'appweb', 'cisco', 'django', 'f5bigip', 'fastjson', 'flink', 'keycloak', 'nacos', 'solr', 'struts2', 'spring', 'thinkphp', 'tomcat', 'ueditor', 'weblogic', 'yonyou']
         if args.application == 'all':                                   # * -a参数
             args.app_list = app_list
         else:

lib/initial/language.py

@@ -54,7 +54,7 @@ def language():
         },
         'app_list_help': {
             'title': 'Supported target types(Case insensitive)',
-            'name': 'AliDruid,airflow,apisix,cisco,django,fastjson,flink,thinkphp,tomcat,nacos,spring,solr,struts2,weblogic,yonyou'
+            'name': 'AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyou'
         },
         'core': {
             'start': {
@@ -81,11 +81,13 @@ def language():
             },
             'text': {
                 'success': '[INFO] The results have been saved to ',
-                'faild': '[ERROR] Failed to save txt'
+                'faild': '[ERROR] Failed to save txt',
+                'notvul': '[-] The result is not saved to '
             },
             'json': {
                 'success': '[INFO] The results have been saved to ',
-                'faild': '[ERROR] Failed to save json'
+                'faild': '[ERROR] Failed to save json',
+                'notvul': '[-] The result is not saved to '
             }
         }
     },
@@ -131,7 +133,7 @@ def language():
         },
         'app_list_help': {
             'title': '支持的目标类型(-a参数, 不区分大小写)',
-            'name': 'AliDruid,airflow,apisix,cisco,django,fastjson,flink,thinkphp,tomcat,nacos,spring,solr,struts2,weblogic,yonyou'
+            'name': 'AliDruid,airflow,apisix,appweb,cisco,django,f5bigip,fastjson,flink,keycloak,nacos,thinkphp,tomcat,spring,solr,struts2,ueditor,weblogic,yonyou'
         },
         'core': {
             'start': {
@@ -158,11 +160,13 @@ def language():
             },
             'text': {
                 'success': '[INFO] 结果已经被保存到文件 ',
-                'faild': '[ERROR] 保存txt文件失败'
+                'faild': '[ERROR] 保存txt文件失败',
+                'notvul': '[-] 未保存结果至'
             },
             'json': {
                 'success': '[INFO] 结果已经被保存到文件 ',
-                'faild': '[ERROR] 保存json文件失败'
+                'faild': '[ERROR] 保存json文件失败',
+                'notvul': '[-] 未保存结果至'
             }
         }
     }