
Releases: CLincat/vulcat

vulcat-v1.1.1

25 Jul 06:41

2022.07.25
vulcat-v1.1.1

  • Optimized some POCs
  1. Added a new payload for Confluence (CVE-2022-26134)
  2. Changed the information returned for some vulnerabilities
  • POC template updated
    If a vulnerability's return value is of type Response, an HTTP packet is displayed

  • New POCs:

  1. Discuz global-variable defense bypass code execution (wooyun-2010-080723)
  2. Drupal < 7.32 Drupalgeddon SQL injection (CVE-2014-3704)
  3. Drupal Core 8 PECL YAML deserialization arbitrary code execution (CVE-2017-6920)
  4. Drupal remote code execution (CVE-2018-7602)
  5. mongo-express unauthorized remote code execution (CVE-2019-10758)
  6. Node.js directory traversal (CVE-2017-14849)
  7. Node.js command execution (CVE-2021-21315)
  8. Webmin remote code execution (CVE-2019-15642)

vulcat-v1.1.0

03 Jul 03:43

2022.07.03
vulcat-v1.1.0

Optimized some POCs

New features:

  1. Framework fingerprinting: when a framework is identified, only that framework's vulnerability POCs are used; all POCs are used only if no framework is identified
    (A few frameworks still have no fingerprint; these will be added later)

New parameters:

  1. -v/--vuln: specify a vulnerability ID; used together with -a/--application to scan for a single vulnerability. Use --list to see the vulnerability IDs; vulnerabilities that have no ID are not supported yet. IDs are case-insensitive, and either - or _ may be used (e.g. -a fastjson -v CNVD-2019-22238 or -a Tomcat -v cvE-2017_12615)
  2. --no-poc: disable vulnerability scanning

New POCs:

  1. Drupal Drupalgeddon 2 remote code execution (CVE-2018-7600)
  2. Jenkins remote command execution (CVE-2018-1000861)
  3. Node-RED arbitrary file read (CVE-2021-3223)
  4. ShowDoc arbitrary file upload (CNVD-2020-26585)
  5. Webmin pre-auth remote code execution (CVE-2019-15107)
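To make the fingerprint fallback and the -v/--vuln ID matching described in this release concrete, here is an added example (not vulcat's own code) of a POC selection routine. The Poc class, the REGISTRY contents and select_pocs are assumptions of this example, as is the rule that -v is only honoured together with -a.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Poc:
    app: str                       # framework/application the POC belongs to
    vuln_id: Optional[str] = None  # vulnerability ID; None if the POC has no ID yet


# Constructed registry (hypothetical); apps and IDs are taken from the release notes.
REGISTRY: List[Poc] = [
    Poc("drupal", "CVE-2018-7600"),
    Poc("drupal", "CVE-2014-3704"),
    Poc("node-red", "CVE-2021-3223"),
    Poc("showdoc", "CNVD-2020-26585"),
    Poc("tomcat", "CVE-2017-12615"),
    Poc("thinkphp", None),         # ThinkPHP2.x RCE has no ID, so -v cannot select it
]


def normalize_id(vuln_id: str) -> str:
    """Case-insensitive, '-' and '_' interchangeable: 'cvE-2017_12615' -> 'CVE-2017-12615'."""
    return re.sub(r"[-_]+", "-", vuln_id.strip()).upper()


def select_pocs(registry: Iterable[Poc], fingerprinted: Set[str],
                app: Optional[str] = None, vuln: Optional[str] = None,
                no_poc: bool = False) -> List[Poc]:
    """POCs a scan would run: fingerprinted = frameworks the fingerprint step
    recognised (may be empty); app/vuln/no_poc = -a, -v and --no-poc."""
    if no_poc:                     # --no-poc disables vulnerability scanning entirely
        return []
    if vuln and not app:           # assumption of this example: -v requires -a
        raise ValueError("-v/--vuln must be combined with -a/--application")
    wanted = {a.lower() for a in fingerprinted}
    if app:                        # explicit -a wins over the fingerprint result
        candidates = [p for p in registry if p.app == app.lower()]
    elif wanted:                   # fingerprint matched: only that framework's POCs
        candidates = [p for p in registry if p.app in wanted]
    else:                          # nothing recognised: fall back to every POC
        candidates = list(registry)
    if vuln:                       # narrow to one vulnerability by normalised ID
        target = normalize_id(vuln)
        candidates = [p for p in candidates
                      if p.vuln_id is not None and normalize_id(p.vuln_id) == target]
    return candidates
```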

vulcat-v1.0.9

16 Jun 06:41

2022.06.16
vulcat-v1.0.9

  • Fixed some known bugs

  • New parameters and features:

  1. Before scanning, the target is checked for a WAF; if a WAF is detected, the user is asked whether to continue scanning (yes/No)
  2. Added the --no-waf and --batch parameters
  3. --no-waf: disable WAF detection
  4. --batch: yes/no prompts do not require user input; the program automatically uses the default option
  5. Added the POC template demo2.py; choose the template that suits your needs (demo.py or demo2.py) when writing custom POCs
  • New POCs:
  1. ElasticSearch command execution (CVE-2014-3120)
  2. ElasticSearch Groovy sandbox bypass and code execution (CVE-2015-1427)
  3. ElasticSearch directory traversal (CVE-2015-3337)
  4. ElasticSearch directory traversal (CVE-2015-5531)
  5. Atlassian Confluence arbitrary file inclusion (CVE-2015-8399)
  6. Atlassian Confluence path traversal and command execution (CVE-2019-3396)
  7. Atlassian Confluence OGNL expression command injection (CVE-2021-26084)
  8. Atlassian Confluence remote code execution (CVE-2022-26134)
  9. ThinkPHP5.x remote code execution (CVE-2018-1002015)

vulcat-v1.0.8

28 May 09:44

2022.05.28
vulcat-v1.0.8

  • Bug fixes...
  1. The tool could not run when Python libraries were missing; they can now be installed with the command "pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple" (I promise this is the last time libraries go missing, for the hundred-millionth time)
  2. Other small bugs

vulcat-v1.0.7

25 May 12:06

2022.05.25
vulcat-v1.0.7

  • Fixed some known bugs:
  1. The Host header was not shown in the request packets for --log levels 4/5/6
  2. The script could not run when the urllib3 library was missing (urllib3 can now be installed with pip3 install -r requirements.txt)
  • Optimized some features:
  1. Optimized the --output-json parameter
  2. Optimized the -r/--recursive parameter
  3. Optimized the Headers value in vulnerability output: headers are now listed one after another instead of as a dictionary
  • New POCs:
  1. AppWeb authentication bypass (CVE-2018-8715)
  2. Django CommonMiddleware URL redirect (CVE-2018-14574)
  3. Django GIS SQL injection (CVE-2020-9402)
  4. Django QuerySet.order_by SQL injection (CVE-2021-35042)
  5. F5-BIG-IP remote code execution (CVE-2020-5902)
  6. F5-BIG-IP authentication bypass (CVE-2022-1388)
  7. Keycloak server-side request forgery (CVE-2020-10770)
  8. Spring Cloud Function SpEL remote code execution (CVE-2022-22963)
  9. Spring Cloud Gateway SpEL remote code execution (CVE-2022-22947)
  10. ThinkPHP2.x remote code execution (no ID yet)
  11. ThinkPHP5 ids parameter SQL injection (no ID yet)
  12. Ueditor server-side request forgery (no ID yet)

vulcat-v1.0.6

09 May 05:48

2022.05.09
vulcat-v1.0.6

  • Fixed some known bugs
  • Optimized some POCs
  • New POCs:
  1. Struts2 remote code execution
    S2-008, S2-009, S2-012
  2. Apache APISIX default admin access token
    CVE-2020-13945
  • Updated the --log parameter: it sets the verbosity of the log output during scanning; levels 1-6 are available, the default is 1
  1. Level 1: normal
  2. Level 2: framework name + vulnerability ID + status code
  3. Level 3: level 2 + request method + request target + POST data
  4. Level 4: level 2 + request packet
  5. Level 5: level 4 + response headers
  6. Level 6: level 5 + response content

vulcat-v1.0.5

23 Apr 07:07

2022.04.23
vulcat-v1.0.5

  • Optimized some POCs
  • New POCs:
  1. Fastjson <= 1.2.47 deserialization
    CNVD-2019-22238
  2. Fastjson <= 1.2.24 deserialization
    CVE-2017-18349
  3. Weblogic server-side request forgery (SSRF)
    CVE-2014-4210

vulcat-v1.0.4

21 Apr 02:43

2022.04.21
vulcat-v1.0.4

  • Fixed some known bugs
  • Optimized some POCs
  • New POCs:
  1. ApacheFlink directory traversal
    CVE-2020-17519
  2. ApacheSolr SSRF
    CVE-2021-27905

vulcat-v1.0.3

19 Apr 09:46

2022.04.19
vulcat-v1.0.3

  • Trimmed the README to reduce the tool's size
  • vulcat's scan output now also supports Chinese; switch between Chinese and English by editing the language function in lib/initial/language.py
  • New POCs:
  1. Weblogic console unauthorized remote command execution
    CVE-2020-14882
  2. Struts2 remote code execution
    S2-001, S2-005, S2-007
  3. ApacheAirflow authentication bypass
    CVE-2020-17526

vulcat-v1.0.2

14 Apr 09:56

2022.04.14
vulcat-v1.0.2

  1. Spring Boot directory traversal
    CVE-2021-21234
  2. Spring Cloud directory traversal
    CVE-2020-5410
  3. Weblogic wls9_async deserialization
    CVE-2019-2725
  4. Weblogic XMLDecoder deserialization
    CVE-2017-10271