Releases: CLincat/vulcat
vulcat-v1.1.1
2022.07.25
- Optimized some POCs
- Confluence (CVE-2022-26134): added a new payload
- Changed the return information of some vulnerabilities
- POC template updated: if the vulnerability's return value is of type Response, an HTTP packet is displayed
- New POCs:
  - Discuz global variable defense bypass code execution (wooyun-2010-080723)
  - Drupal < 7.32 Drupalgeddon SQL injection (CVE-2014-3704)
  - Drupal Core 8 PECL YAML deserialization arbitrary code execution (CVE-2017-6920)
  - Drupal remote code execution (CVE-2018-7602)
  - mongo-express unauthorized remote code execution (CVE-2019-10758)
  - Node.js directory traversal (CVE-2017-14849)
  - Node.js command execution (CVE-2021-21315)
  - Webmin remote code execution (CVE-2019-15642)
vulcat-v1.1.0
2022.07.03
- Optimized some POCs
- New features:
  - Framework fingerprint identification: when a framework is identified, only that framework's vulnerability POCs are used; all POCs are used only if no framework is identified (a few frameworks still lack fingerprints; they will be added later)
- New parameters:
  - -v/--vuln: specify a vulnerability id; used together with -a/--application to scan for a single vulnerability. Use --list to see the vulnerability ids; vulnerabilities without an id are not supported yet. The id is case-insensitive, and both - and _ are accepted (e.g. -a fastjson -v CNVD-2019-22238 or -a Tomcat -v cvE-2017_12615)
  - --no-poc: disable security vulnerability scanning
- New POCs:
  - Drupal Drupalgeddon 2 remote code execution (CVE-2018-7600)
  - Jenkins remote command execution (CVE-2018-1000861)
  - Node-RED arbitrary file read (CVE-2021-3223)
  - ShowDoc arbitrary file upload (CNVD-2020-26585)
  - Webmin pre-auth remote code execution (CVE-2019-15107)
vulcat-v1.0.9
2022.06.16
- Fixed some known bugs
- New parameters and features:
  - Before scanning, the target is checked for a WAF; if a WAF is detected, the user is asked whether to continue scanning (yes/No)
  - Added the --no-waf and --batch parameters
    - --no-waf: disable WAF detection
    - --batch: yes/no prompts do not require user input; the program automatically uses the default option
  - Added the POC template demo2.py; you can pick whichever template (demo.py or demo2.py) suits your needs when writing custom POCs
  - New POCs:
    - ElasticSearch command execution (CVE-2014-3120)
    - ElasticSearch Groovy sandbox bypass and code execution (CVE-2015-1427)
    - ElasticSearch directory traversal (CVE-2015-3337)
    - ElasticSearch directory traversal (CVE-2015-5531)
    - Atlassian Confluence arbitrary file inclusion (CVE-2015-8399)
    - Atlassian Confluence path traversal and command execution (CVE-2019-3396)
    - Atlassian Confluence OGNL expression command injection (CVE-2021-26084)
    - Atlassian Confluence remote code execution (CVE-2022-26134)
    - ThinkPHP5.x remote code execution (CVE-2018-1002015)
vulcat-v1.0.8
2022.05.28
- Bug fixes:
  - The tool could not run when required Python libraries were missing; they can now be installed with the command "pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple" (I promise this is the last time a library will be missing)
  - Other small bugs
vulcat-v1.0.7
2022.05.25
- Fixed some known bugs:
  - The request packets shown by --log levels 4/5/6 did not include the Host header
  - The script could not run when the urllib3 library was missing (urllib3 can now be installed with pip3 install -r requirements.txt)
- Optimized some features:
  - Optimized the --output-json parameter
  - Optimized the -r/--recursive parameter
  - Optimized the Headers values in vulnerability information; they are now displayed one after another instead of as a dictionary
- New POCs:
  - AppWeb authentication bypass (CVE-2018-8715)
  - Django CommonMiddleware URL redirect (CVE-2018-14574)
  - Django GIS SQL injection (CVE-2020-9402)
  - Django QuerySet.order_by SQL injection (CVE-2021-35042)
  - F5 BIG-IP remote code execution (CVE-2020-5902)
  - F5 BIG-IP authentication bypass (CVE-2022-1388)
  - Keycloak server-side request forgery (CVE-2020-10770)
  - Spring Cloud Function SpEL remote code execution (CVE-2022-22963)
  - Spring Cloud Gateway SpEL remote code execution (CVE-2022-22947)
  - ThinkPHP2.x remote code execution (no id yet)
  - ThinkPHP5 ids parameter SQL injection (no id yet)
  - Ueditor server-side request forgery (no id yet)
vulcat-v1.0.6
2022.05.09
- Fixed some known bugs
- Optimized some POCs
- New POCs:
  - Struts2 remote code execution (S2-008, S2-009, S2-012)
  - Apache APISIX default admin access token (CVE-2020-13945)
- Updated the --log parameter: it sets how detailed the log output is during scanning; levels 1-6 are available, and the default is 1
  - Level 1: normal
  - Level 2: framework name + vulnerability id + status code
  - Level 3: level 2 + request method + request target + POST data
  - Level 4: level 2 + request packet
  - Level 5: level 4 + response headers
  - Level 6: level 5 + response content
vulcat-v1.0.5
2022.04.23
- Optimized some POCs
- New POCs:
  - Fastjson <= 1.2.47 deserialization (CNVD-2019-22238)
  - Fastjson <= 1.2.24 deserialization (CVE-2017-18349)
  - Weblogic server-side request forgery (SSRF) (CVE-2014-4210)
vulcat-v1.0.4
2022.04.21
- Fixed some known bugs
- Optimized some POCs
- New POCs:
  - Apache Flink directory traversal (CVE-2020-17519)
  - Apache Solr SSRF (CVE-2021-27905)
vulcat-v1.0.3
2022.04.19
- Modified the README to reduce the tool size
- vulcat's scan output now also supports Chinese; switch between Chinese and English by editing the language function in lib/initial/language.py
- New POCs:
  - Weblogic console unauthorized remote command execution (CVE-2020-14882)
  - Struts2 remote code execution (S2-001, S2-005, S2-007)
  - Apache Airflow authentication bypass (CVE-2020-17526)
vulcat-v1.0.2
2022.04.14
- Optimized some POCs
- Fixed a bug in the CVE-2020-14750 POC
- New POCs:
  - Spring Boot directory traversal (CVE-2021-21234)
  - Spring Cloud directory traversal (CVE-2020-5410)
  - Weblogic wls9_async deserialization (CVE-2019-2725)
  - Weblogic XMLDecoder deserialization (CVE-2017-10271)