From b9e314d55ee684bff2e7a2ac843df6119207bb85 Mon Sep 17 00:00:00 2001
From: CLincat <3132002932@qq.com>
Date: Fri, 5 Aug 2022 14:39:16 +0800
Subject: [PATCH] 20220805-v1.1.2
---
README.md | 212 +++++++++++---------
README_en-us.md | 212 +++++++++++---------
lib/core/coreScan.py | 6 +
lib/initial/config.py | 7 +-
lib/initial/language.py | 4 +-
lib/initial/list.py | 144 +++++++-------
lib/initial/parse.py | 3 +-
lib/plugins/fingerprint/webapp.py | 94 ++++++++-
lib/report/output.py | 24 ++-
lib/tool/logger.py | 5 +-
payloads/ApacheHadoop.py | 155 +++++++++++++++
payloads/Gitea.py | 160 +++++++++++++++
payloads/Gitlab.py | 235 ++++++++++++++++++++++
payloads/Grafana.py | 148 ++++++++++++++
payloads/Landray.py | 134 +++++++++++++
payloads/RubyOnRails.py | 320 ++++++++++++++++++++++++++++++
payloads/Spring.py | 6 +-
payloads/Yonyou.py | 209 ++++++++++++++++++-
payloads/demo.py | 1 +
payloads/demo2.py | 2 +-
20 files changed, 1798 insertions(+), 283 deletions(-)
create mode 100644 payloads/ApacheHadoop.py
create mode 100644 payloads/Gitea.py
create mode 100644 payloads/Gitlab.py
create mode 100644 payloads/Grafana.py
create mode 100644 payloads/Landray.py
create mode 100644 payloads/RubyOnRails.py
diff --git a/README.md b/README.md
index 7ef23a1..eb805eb 100644
--- a/README.md
+++ b/README.md
@@ -6,108 +6,126 @@ * 如果有什么想法、建议或者遇到了BUG, 都可以issues **目前支持扫描的web应用程序有:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Landray-OA, RubyOnRails, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
目前支持扫描的web漏洞有: [点击展开] ``` -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Target | Vul_id | Type | Method | Description | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Alibaba Druid | None | unAuth | GET | 阿里巴巴Druid未授权访问 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow身份验证绕过 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX默认密钥 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink目录遍历 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/任意文件读取 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Apache Struts2 | S2-001 | RCE | POST | Struts2远程代码执行 | -| Apache Struts2 | S2-005 | RCE | GET | Struts2远程代码执行 | -| Apache Struts2 | S2-007 | RCE | GET | Struts2远程代码执行 | -| Apache Struts2 | S2-008 | RCE | GET | Struts2远程代码执行 | -| Apache Struts2 | S2-009 | RCE | GET | Struts2远程代码执行 | -| Apache Struts2 | S2-012 | RCE | GET | Struts2远程代码执行 
| -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | PUT方法任意文件写入 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb身份认证绕过 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence任意文件包含 | -| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence路径遍历和命令执行 | -| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence Webwork Pre-Auth OGNL表达式命令注入 | -| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence远程代码执行 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD XSS跨站脚本攻击 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Discuz | wooyun-2010-080723 | RCE | GET | 全局变量防御绕过RCE | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Django | CVE-2017-12794 | XSS | GET | debug page XSS跨站脚本攻击 | -| Django | CVE-2018-14574 | Redirect | GET | CommonMiddleware url重定向 | -| Django | CVE-2019-14234 | SQLinject | GET | JSONfield SQL注入 | -| Django | CVE-2020-9402 | SQLinject | GET | GIS SQL注入 | -| Django | CVE-2021-35042 | SQLinject | GET | QuerySet.order_by SQL注入 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Drupal | CVE-2014-3704 | SQLinject | POST | 
Drupal < 7.32 Drupalgeddon SQL 注入 | -| Drupal | CVE-2017-6920 | RCE | POST | Drupal Core 8 PECL YAML 反序列化代码执行 | -| Drupal | CVE-2018-7600 | RCE | POST | Drupal Drupalgeddon 2 远程代码执行 | -| Drupal | CVE-2018-7602 | RCE | POST | Drupal 远程代码执行 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch命令执行 | -| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy 沙盒绕过&&代码执行 | -| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch 目录穿越 | -| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch 目录穿越 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP远程代码执行 | -| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP身份认证绕过 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 反序列化 | -| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <= 1.2.47 反序列化 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Jenkins | CVE-2018-1000861 | RCE | POST | jenkins 远程命令执行 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Keycloak | CVE-2020-10770 | SSRF | GET | 使用request_uri调用未经验证的URL | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| mongo-express | CVE-2019-10758 | RCE | POST | 未授权远程代码执行 | 
-+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Nodejs | CVE-2017-14849 | FileRead | GET | Node.js目录穿越 | -| Nodejs | CVE-2021-21315 | RCE | GET | Node.js命令执行 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| NodeRED | CVE-2021-3223 | FileRead | GET | Node-RED 任意文件读取 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| ShowDoc | CNVD-2020-26585 | FileUpload | POST | ShowDoc 任意文件上传 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud目录遍历 | -| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot目录遍历 | -| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl远程代码执行 | -| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL远程代码执行 | -| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework远程代码执行 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x 远程代码执行 | -| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE | -| ThinkPHP | CNNVD-201901-445 | RCE | POST | 核心类Request远程代码执行 | -| ThinkPHP | None | RCE | GET | ThinkPHP2.x 远程代码执行 | -| ThinkPHP | None | SQLinject | GET | ThinkPHP5 ids参数SQL注入 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Ueditor | None | SSRF | GET | Ueditor编辑器SSRF | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Oracle 
Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic 服务端请求伪造 | -| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder反序列化 | -| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async反序列化 | -| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic 权限验证绕过 | -| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic 未授权命令执行 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Webmin | CVE-2019-15107 | RCE | POST | Webmin Pre-Auth 远程代码执行 | -| Webmin | CVE-2019-15642 | RCE | POST | Webmin 远程代码执行 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ -| Yonyou | CNVD-2021-30167 | RCE | GET | 用友NC BeanShell远程命令执行 | -| Yonyou | None | FileRead | GET | 用友ERP-NC NCFindWeb目录遍历 | -+----------------------+--------------------+--------------+----------+-------------------------------------------------------------------------+ ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Target | Vul_id | Type | Description | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Alibaba Druid | None | unAuth | 阿里巴巴Druid未授权访问 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Alibaba Nacos | CVE-2021-29441 | unAuth | 阿里巴巴Nacos未授权访问 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Apache Airflow | CVE-2020-17526 | unAuth | Airflow身份验证绕过 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Apache APISIX | CVE-2020-13945 | unAuth | Apache APISIX默认密钥 | 
++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Apache Flink | CVE-2020-17519 | FileRead | Flink目录遍历 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Apache Hadoop | None | unAuth | Hadoop YARN ResourceManager 未授权访问 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Apache Solr | CVE-2021-27905 | SSRF | Solr SSRF/任意文件读取 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Apache Struts2 | S2-001 | RCE | Struts2远程代码执行 | +| Apache Struts2 | S2-005 | RCE | Struts2远程代码执行 | +| Apache Struts2 | S2-007 | RCE | Struts2远程代码执行 | +| Apache Struts2 | S2-008 | RCE | Struts2远程代码执行 | +| Apache Struts2 | S2-009 | RCE | Struts2远程代码执行 | +| Apache Struts2 | S2-012 | RCE | Struts2远程代码执行 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT方法任意文件写入 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| AppWeb | CVE-2018-8715 | unAuth | AppWeb身份认证绕过 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Atlassian Confluence | CVE-2015-8399 | FileRead | Confluence任意文件包含 | +| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | Confluence路径遍历和命令执行 | +| Atlassian Confluence | CVE-2021-26084 | RCE | Confluence Webwork Pre-Auth OGNL表达式命令注入 | +| Atlassian Confluence | CVE-2022-26134 | RCE | Confluence远程代码执行 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Cisco | CVE-2020-3580 | XSS 
| 思科ASA/FTD XSS跨站脚本攻击 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Discuz | wooyun-2010-080723 | RCE | 全局变量防御绕过RCE | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Django | CVE-2017-12794 | XSS | debug page XSS跨站脚本攻击 | +| Django | CVE-2018-14574 | Redirect | CommonMiddleware url重定向 | +| Django | CVE-2019-14234 | SQLinject | JSONfield SQL注入 | +| Django | CVE-2020-9402 | SQLinject | GIS SQL注入 | +| Django | CVE-2021-35042 | SQLinject | QuerySet.order_by SQL注入 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Drupal | CVE-2014-3704 | SQLinject | Drupal < 7.32 Drupalgeddon SQL 注入 | +| Drupal | CVE-2017-6920 | RCE | Drupal Core 8 PECL YAML 反序列化代码执行 | +| Drupal | CVE-2018-7600 | RCE | Drupal Drupalgeddon 2 远程代码执行 | +| Drupal | CVE-2018-7602 | RCE | Drupal 远程代码执行 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| ElasticSearch | CVE-2014-3120 | RCE | ElasticSearch命令执行 | +| ElasticSearch | CVE-2015-1427 | RCE | ElasticSearch Groovy 沙盒绕过&&代码执行 | +| ElasticSearch | CVE-2015-3337 | FileRead | ElasticSearch 目录穿越 | +| ElasticSearch | CVE-2015-5531 | FileRead | ElasticSearch 目录穿越 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| F5 BIG-IP | CVE-2020-5902 | RCE | BIG-IP远程代码执行 | +| F5 BIG-IP | CVE-2022-1388 | unAuth | BIG-IP身份认证绕过 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Fastjson | CNVD-2017-02833 | unSerialize | Fastjson <= 1.2.24 反序列化 | +| Fastjson | CNVD-2019-22238 | unSerialize | Fastjson <= 1.2.47 反序列化 | 
++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Gitea | None | unAuth | Gitea 1.4.0 未授权访问 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Gitlab | CVE-2021-22205 | RCE | GitLab Pre-Auth 远程命令执行 | +| Gitlab | CVE-2021-22214 | SSRF | Gitlab CI Lint API未授权 SSRF | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Grafana | CVE-2021-43798 | FileRead | Grafana 8.x 插件模块路径遍历 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Jenkins | CVE-2018-1000861 | RCE | jenkins 远程命令执行 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Keycloak | CVE-2020-10770 | SSRF | 使用request_uri调用未经验证的URL | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Landray | CNVD-2021-28277 | FileRead/SSRF| 蓝凌OA 任意文件读取/SSRF | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| mongo-express | CVE-2019-10758 | RCE | 未授权远程代码执行 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Nodejs | CVE-2017-14849 | FileRead | Node.js目录穿越 | +| Nodejs | CVE-2021-21315 | RCE | Node.js命令执行 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| NodeRED | CVE-2021-3223 | FileRead | Node-RED 任意文件读取 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Ruby on Rails | CVE-2018-3760 | FileRead | Ruby on 
Rails 路径遍历 | +| Ruby on Rails | CVE-2019-5418 | FileRead | Ruby on Rails 任意文件读取 | +| Ruby on Rails | CVE-2020-8163 | RCE | Ruby on Rails 命令执行 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| ShowDoc | CNVD-2020-26585 | FileUpload | ShowDoc 任意文件上传 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Spring | CVE-2020-5410 | FileRead | Spring Cloud目录遍历 | +| Spring | CVE-2021-21234 | FileRead | Spring Boot目录遍历 | +| Spring | CVE-2022-22947 | RCE | Spring Cloud Gateway SpEl远程代码执行 | +| Spring | CVE-2022-22963 | RCE | Spring Cloud Function SpEL远程代码执行 | +| Spring | CVE-2022-22965 | RCE | Spring Framework远程代码执行 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| ThinkPHP | CVE-2018-1002015 | RCE | ThinkPHP5.x 远程代码执行 | +| ThinkPHP | CNVD-2018-24942 | RCE | 未开启强制路由导致RCE | +| ThinkPHP | CNNVD-201901-445 | RCE | 核心类Request远程代码执行 | +| ThinkPHP | None | RCE | ThinkPHP2.x 远程代码执行 | +| ThinkPHP | None | SQLinject | ThinkPHP5 ids参数SQL注入 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Ueditor | None | SSRF | Ueditor编辑器SSRF | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Oracle Weblogic | CVE-2014-4210 | SSRF | Weblogic 服务端请求伪造 | +| Oracle Weblogic | CVE-2017-10271 | unSerialize | Weblogic XMLDecoder反序列化 | +| Oracle Weblogic | CVE-2019-2725 | unSerialize | Weblogic wls9_async反序列化 | +| Oracle Weblogic | CVE-2020-14750 | unAuth | Weblogic 权限验证绕过 | +| Oracle Weblogic | CVE-2020-14882 | RCE | Weblogic 未授权命令执行 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Webmin | CVE-2019-15107 | 
RCE | Webmin Pre-Auth 远程代码执行 | +| Webmin | CVE-2019-15642 | RCE | Webmin 远程代码执行 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ +| Yonyou | CNNVD-201610-923 | SQLinject | 用友GRP-U8 Proxy SQL注入 | +| Yonyou | CNVD-2021-30167 | RCE | 用友NC BeanShell远程命令执行 | +| Yonyou | None | FileRead | 用友ERP-NC NCFindWeb目录遍历 | +| Yonyou | None | DSinfo | 用友U8 OA getSessionList.jsp 敏感信息泄漏 | +| Yonyou | None | SQLinject | 用友U8 OA test.jsp SQL注入 | ++----------------------+--------------------+--------------+--------------------------------------------------------------------+ ```
diff --git a/README_en-us.md b/README_en-us.md
index 8ba3b09..b67389b 100644
--- a/README_en-us.md
+++ b/README_en-us.md
@@ -5,108 +5,126 @@ * If you have any ideas, suggestions, or bugs, you can issue **Web applications that currently support scanning:**
-> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
+> AlibabaDruid, AlibabaNacos, ApacheAirflow, ApacheAPISIX, ApacheFlink, ApacheHadoop, ApacheSolr, ApacheStruts2, ApacheTomcat, AppWeb, AtlassianConfluence, Cicso, Discuz, Django, Drupal, ElasticSearch, F5-BIG-IP, Fastjson, Gitea, Gitlab, Grafana, Landray-OA, RubyOnRails, Jenkins, Keycloak, mongo-express, Node.js, NodeRED, ShowDoc, Spring, ThinkPHP, Ueditor, Weblogic, Webmin, Yonyou
The current web vulnerabilities that support scanning: [Click on] ``` -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Target | Vul_id | Type | Method | Description | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Alibaba Druid | None | unAuth | GET | Alibaba Druid unAuthorized | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Alibaba Nacos | CVE-2021-29441 | unAuth | GET/POST | Alibaba Nacos unAuthorized | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Apache Airflow | CVE-2020-17526 | unAuth | GET | Airflow Authentication bypass | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Apache APISIX | CVE-2020-13945 | unAuth | GET | Apache APISIX default access token | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Apache Flink | CVE-2020-17519 | FileRead | GET | Flink Directory traversal | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Apache Solr | CVE-2021-27905 | SSRF | GET/POST | Solr SSRF/FileRead | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Apache Struts2 | S2-001 | RCE | POST | Struts2 Remote code execution | -| Apache Struts2 | S2-005 | RCE | GET | Struts2 Remote code execution | -| Apache Struts2 | S2-007 | RCE | GET | Struts2 Remote code execution | -| Apache Struts2 | S2-008 | RCE | GET | Struts2 Remote code execution | -| Apache Struts2 | S2-009 | RCE 
| GET | Struts2 Remote code execution | -| Apache Struts2 | S2-012 | RCE | GET | Struts2 Remote code execution | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Apache Tomcat | CVE-2017-12615 | FileUpload | PUT | Put method writes to any file | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| AppWeb | CVE-2018-8715 | unAuth | GET | AppWeb Authentication bypass | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Atlassian Confluence | CVE-2015-8399 | FileRead | GET | Confluence any file include | -| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | POST | Confluence Directory traversal && RCE | -| Atlassian Confluence | CVE-2021-26084 | RCE | POST | Confluence OGNL expression command injection | -| Atlassian Confluence | CVE-2022-26134 | RCE | GET | Confluence Remote code execution | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Cisco | CVE-2020-3580 | XSS | POST | Cisco ASA/FTD XSS | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Discuz | wooyun-2010-080723 | RCE | GET | Remote code execution | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS | -| Django | CVE-2018-14574 | Redirect | GET | Django CommonMiddleware URL Redirect | -| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield SQLinject | -| Django | CVE-2020-9402 | SQLinject | GET | Django GIS SQLinject | -| Django | CVE-2021-35042 | SQLinject | GET | Django QuerySet.order_by SQLinject | 
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Drupal | CVE-2014-3704 | SQLinject | POST | Drupal < 7.32 Drupalgeddon SQLinject | -| Drupal | CVE-2017-6920 | RCE | POST | Drupal Core 8 PECL YAML Remote code execution | -| Drupal | CVE-2018-7600 | RCE | POST | Drupal Drupalgeddon 2 Remote code execution | -| Drupal | CVE-2018-7602 | RCE | POST | Drupal Remote code execution | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| ElasticSearch | CVE-2014-3120 | RCE | POST | ElasticSearch Remote code execution | -| ElasticSearch | CVE-2015-1427 | RCE | POST | ElasticSearch Groovy Sandbox to bypass && RCE | -| ElasticSearch | CVE-2015-3337 | FileRead | GET | ElasticSearch Directory traversal | -| ElasticSearch | CVE-2015-5531 | FileRead | PUT/GET | ElasticSearch Directory traversal | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| F5 BIG-IP | CVE-2020-5902 | RCE | GET | BIG-IP Remote code execution | -| F5 BIG-IP | CVE-2022-1388 | unAuth | POST | BIG-IP Authentication bypass | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Fastjson | CNVD-2017-02833 | unSerialize | POST | Fastjson <= 1.2.24 deSerialization | -| Fastjson | CNVD-2019-22238 | unSerialize | POST | Fastjson <=1.2.47 deSerialization | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Jenkins | CVE-2018-1000861 | RCE | POST | jenkins Remote code execution | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Keycloak | CVE-2020-10770 | SSRF | GET | request_uri SSRF | 
-+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| mongo-express | CVE-2019-10758 | RCE | POST | Remote code execution | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Nodejs | CVE-2017-14849 | FileRead | GET | Node.js Directory traversal | -| Nodejs | CVE-2021-21315 | RCE | GET | Node.js Remote code execution | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| NodeRED | CVE-2021-3223 | FileRead | GET | Node-RED Directory traversal | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| ShowDoc | CNVD-2020-26585 | FileUpload | POST | ShowDoc writes to any file | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Spring | CVE-2020-5410 | FileRead | GET | Spring Cloud Directory traversal | -| Spring | CVE-2021-21234 | FileRead | GET | Spring Boot Directory traversal | -| Spring | CVE-2022-22947 | RCE | POST | Spring Cloud Gateway SpEl Remote code execution | -| Spring | CVE-2022-22963 | RCE | POST | Spring Cloud Function SpEL Remote code execution | -| Spring | CVE-2022-22965 | RCE | GET/POST | Spring Framework Remote code execution | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| ThinkPHP | CVE-2018-1002015 | RCE | GET | ThinkPHP5.x Remote code execution | -| ThinkPHP | CNVD-2018-24942 | RCE | GET | The forced route is not enabled Remote code execution | -| ThinkPHP | CNNVD-201901-445 | RCE | POST | Core class Request Remote code execution | -| ThinkPHP | None | RCE | GET | ThinkPHP2.x Remote code execution | -| ThinkPHP | None | SQLinject | GET | 
ThinkPHP5 ids SQLinject | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Ueditor | None | SSRF | GET | Ueditor SSRF | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Oracle Weblogic | CVE-2014-4210 | SSRF | GET | Weblogic SSRF | -| Oracle Weblogic | CVE-2017-10271 | unSerialize | POST | Weblogic XMLDecoder deSerialization | -| Oracle Weblogic | CVE-2019-2725 | unSerialize | POST | Weblogic wls9_async deSerialization | -| Oracle Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic Authentication bypass | -| Oracle Weblogic | CVE-2020-14882 | RCE | GET | Weblogic Unauthorized command execution | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Webmin | CVE-2019-15107 | RCE | POST | Webmin Pre-Auth Remote code execution | -| Webmin | CVE-2019-15642 | RCE | POST | Webmin Remote code execution | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ -| Yonyou | CNVD-2021-30167 | RCE | GET | Yonyou-NC BeanShell Remote code execution | -| Yonyou | None | FileRead | GET | Yonyou-ERP-NC NCFindWeb Directory traversal | -+----------------------+--------------------+--------------+----------+------------------------------------------------------------+ ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Target | Vul_id | Type | Description | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Alibaba Druid | None | unAuth | Alibaba Druid unAuthorized | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Alibaba Nacos | 
CVE-2021-29441 | unAuth | Alibaba Nacos unAuthorized | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Apache Airflow | CVE-2020-17526 | unAuth | Airflow Authentication bypass | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Apache APISIX | CVE-2020-13945 | unAuth | Apache APISIX default access token | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Apache Flink | CVE-2020-17519 | FileRead | Flink Directory traversal | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Apache Hadoop | None | unAuth | Hadoop YARN ResourceManager unAuthorized | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Apache Solr | CVE-2021-27905 | SSRF | Solr SSRF/FileRead | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Apache Struts2 | S2-001 | RCE | Struts2 Remote code execution | +| Apache Struts2 | S2-005 | RCE | Struts2 Remote code execution | +| Apache Struts2 | S2-007 | RCE | Struts2 Remote code execution | +| Apache Struts2 | S2-008 | RCE | Struts2 Remote code execution | +| Apache Struts2 | S2-009 | RCE | Struts2 Remote code execution | +| Apache Struts2 | S2-012 | RCE | Struts2 Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Apache Tomcat | CVE-2017-12615 | FileUpload | Put method writes to any file | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| AppWeb | CVE-2018-8715 | unAuth | AppWeb Authentication bypass | 
++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Atlassian Confluence | CVE-2015-8399 | FileRead | Confluence any file include | +| Atlassian Confluence | CVE-2019-3396 | RCE/FileRead | Confluence Directory traversal && RCE | +| Atlassian Confluence | CVE-2021-26084 | RCE | Confluence OGNL expression command injection | +| Atlassian Confluence | CVE-2022-26134 | RCE | Confluence Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Cisco | CVE-2020-3580 | XSS | Cisco ASA/FTD XSS | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Discuz | wooyun-2010-080723 | RCE | Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Django | CVE-2017-12794 | XSS | Django debug page XSS | +| Django | CVE-2018-14574 | Redirect | Django CommonMiddleware URL Redirect | +| Django | CVE-2019-14234 | SQLinject | Django JSONfield SQLinject | +| Django | CVE-2020-9402 | SQLinject | Django GIS SQLinject | +| Django | CVE-2021-35042 | SQLinject | Django QuerySet.order_by SQLinject | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Drupal | CVE-2014-3704 | SQLinject | Drupal < 7.32 Drupalgeddon SQLinject | +| Drupal | CVE-2017-6920 | RCE | Drupal Core 8 PECL YAML Remote code execution | +| Drupal | CVE-2018-7600 | RCE | Drupal Drupalgeddon 2 Remote code execution | +| Drupal | CVE-2018-7602 | RCE | Drupal Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| ElasticSearch | CVE-2014-3120 | RCE | ElasticSearch Remote code execution | +| ElasticSearch | CVE-2015-1427 | RCE | 
ElasticSearch Groovy Sandbox to bypass && RCE | +| ElasticSearch | CVE-2015-3337 | FileRead | ElasticSearch Directory traversal | +| ElasticSearch | CVE-2015-5531 | FileRead | ElasticSearch Directory traversal | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| F5 BIG-IP | CVE-2020-5902 | RCE | BIG-IP Remote code execution | +| F5 BIG-IP | CVE-2022-1388 | unAuth | BIG-IP Authentication bypass | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Fastjson | CNVD-2017-02833 | unSerialize | Fastjson <= 1.2.24 deSerialization | +| Fastjson | CNVD-2019-22238 | unSerialize | Fastjson <=1.2.47 deSerialization | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Gitea | None | unAuth | Gitea 1.4.0 unAuthorized | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Gitlab | CVE-2021-22205 | RCE | GitLab Pre-Auth Remote code execution | +| Gitlab | CVE-2021-22214 | SSRF | Gitlab CI Lint API SSRF | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Grafana | CVE-2021-43798 | FileRead | Grafana 8.x Directory traversal | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Jenkins | CVE-2018-1000861 | RCE | jenkins Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Keycloak | CVE-2020-10770 | SSRF | request_uri SSRF | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Landray | CNVD-2021-28277 | FileRead/SSRF| Landray-OA FileRead/SSRF | 
++----------------------+--------------------+--------------+------------------------------------------------------------+ +| mongo-express | CVE-2019-10758 | RCE | Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Nodejs | CVE-2017-14849 | FileRead | Node.js Directory traversal | +| Nodejs | CVE-2021-21315 | RCE | Node.js Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| NodeRED | CVE-2021-3223 | FileRead | Node-RED Directory traversal | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Ruby on Rails | CVE-2018-3760 | FileRead | Ruby on Rails Directory traversal | +| Ruby on Rails | CVE-2019-5418 | FileRead | Ruby on Rails FileRead | +| Ruby on Rails | CVE-2020-8163 | RCE | Ruby on Rails Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| ShowDoc | CNVD-2020-26585 | FileUpload | ShowDoc writes to any file | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Spring | CVE-2020-5410 | FileRead | Spring Cloud Directory traversal | +| Spring | CVE-2021-21234 | FileRead | Spring Boot Directory traversal | +| Spring | CVE-2022-22947 | RCE | Spring Cloud Gateway SpEl Remote code execution | +| Spring | CVE-2022-22963 | RCE | Spring Cloud Function SpEL Remote code execution | +| Spring | CVE-2022-22965 | RCE | Spring Framework Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| ThinkPHP | CVE-2018-1002015 | RCE | ThinkPHP5.x Remote code execution | +| ThinkPHP | CNVD-2018-24942 | RCE | The forced route is not enabled Remote code 
execution | +| ThinkPHP | CNNVD-201901-445 | RCE | Core class Request Remote code execution | +| ThinkPHP | None | RCE | ThinkPHP2.x Remote code execution | +| ThinkPHP | None | SQLinject | ThinkPHP5 ids SQLinject | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Ueditor | None | SSRF | Ueditor SSRF | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Oracle Weblogic | CVE-2014-4210 | SSRF | Weblogic SSRF | +| Oracle Weblogic | CVE-2017-10271 | unSerialize | Weblogic XMLDecoder deSerialization | +| Oracle Weblogic | CVE-2019-2725 | unSerialize | Weblogic wls9_async deSerialization | +| Oracle Weblogic | CVE-2020-14750 | unAuth | Weblogic Authentication bypass | +| Oracle Weblogic | CVE-2020-14882 | RCE | Weblogic Unauthorized command execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Webmin | CVE-2019-15107 | RCE | Webmin Pre-Auth Remote code execution | +| Webmin | CVE-2019-15642 | RCE | Webmin Remote code execution | ++----------------------+--------------------+--------------+------------------------------------------------------------+ +| Yonyou | CNNVD-201610-923 | SQLinject | Yonyou-GRP-U8 Proxy SQLinject | +| Yonyou | CNVD-2021-30167 | RCE | Yonyou-NC BeanShell Remote code execution | +| Yonyou | None | FileRead | Yonyou-ERP-NC NCFindWeb Directory traversal | +| Yonyou | None | DSinfo | Yonyou-U8-OA getSessionList.jsp Disclosure information | +| Yonyou | None | SQLinject | Yonyou-U8-OA test.jsp SQLinject | ++----------------------+--------------------+--------------+------------------------------------------------------------+ ```
diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py index 86d8fe2..7aec2f7 100644 --- a/lib/core/coreScan.py +++ b/lib/core/coreScan.py @@ -28,12 +28,18 @@ from payloads.ElasticSearch import elasticsearch from payloads.F5BIGIP import f5bigip from payloads.Fastjson import fastjson +from payloads.Gitea import gitea +from payloads.Gitlab import gitlab +from payloads.Grafana import grafana +from payloads.ApacheHadoop import hadoop from payloads.Jenkins import jenkins from payloads.Keycloak import keycloak # from payloads.Kindeditor import kindeditor +from payloads.Landray import landray from payloads.MongoExpress import mongoexpress from payloads.Nodejs import nodejs from payloads.NodeRED import nodered +from payloads.RubyOnRails import rails from payloads.ShowDoc import showdoc from payloads.Spring import spring from payloads.ThinkPHP import thinkphp diff --git a/lib/initial/config.py b/lib/initial/config.py index 5c8fd94..aec9184 100644 --- a/lib/initial/config.py +++ b/lib/initial/config.py @@ -87,11 +87,16 @@ def __init__(self, args): 'discuz', 'django', 'drupal', 'elasticsearch', 'f5bigip', 'fastjson', 'flink', + # 'gitea', 'gitlab', 'grafana', + 'gitea', 'gitlab', + 'hadoop', 'jenkins', # 'keycloak', 'kindeditor', 'keycloak', + 'landray', 'mongoexpress', - 'nacos', 'nodered', 'nodejs', + 'nacos', 'nodejs', 'nodered', + 'rails', 'showdoc', 'solr', 'struts2', 'spring', 'thinkphp', 'tomcat', 'ueditor', diff --git a/lib/initial/language.py b/lib/initial/language.py index d9054e1..d21eefb 100644 --- a/lib/initial/language.py +++ b/lib/initial/language.py 
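Review bot: `from payloads.ApacheHadoop import hadoop` is slotted between the Grafana and Jenkins imports, which breaks the module-name ordering the rest of this block follows (F5BIGIP, Fastjson, Jenkins, Keycloak …). Move it up next to the other `payloads.Apache*` imports (outside this hunk) so the list stays alphabetical and the next scanner is easy to place.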
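Review bot: The active list gains `'gitea', 'gitlab'` but not `'grafana'`, even though the commented line added just above it names all three, coreScan.py in this same commit imports `grafana`, and both language.py hunks now advertise `grafana` as a supported target; if this list is what validates or schedules the `-a` value, grafana will be rejected or silently skipped. Either add `'grafana',` to the active entries or delete the stale `# 'gitea', 'gitlab', 'grafana',` line so the two stop disagreeing. The same target list is also maintained by hand in the two language.py help strings; deriving that string from this list would remove the drift. The enclosing `__init__` starts and ends outside the hunk.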
@@ -62,7 +62,7 @@ def language(): }, 'app_list_help': { 'title': 'Supported target types(Case insensitive)', - 'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou' + 'name': 'AliDruid,nacos,airflow,apisix,flink,hadoop,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,gitea,gitlab,grafana,jenkins,keycloak,landray,mongoexpress,nodejs,nodered,rails,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou' }, 'core': { 'start': { @@ -177,7 +177,7 @@ def language(): }, 'app_list_help': { 'title': '支持的目标类型(-a参数, 不区分大小写)', - 'name': 'AliDruid,nacos,airflow,apisix,flink,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,jenkins,keycloak,mongoexpress,nodejs,nodered,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou' + 'name': 'AliDruid,nacos,airflow,apisix,flink,hadoop,solr,struts2,tomcat,appweb,confluence,cisco,discuz,django,drupal,elasticsearch,f5bigip,fastjson,gitea,gitlab,grafana,jenkins,keycloak,landray,mongoexpress,nodejs,nodered,rails,showdoc,spring,thinkphp,ueditor,weblogic,webmin,yonyou' }, 'core': { 'start': { diff --git a/lib/initial/list.py b/lib/initial/list.py index e9e3709..9311be5 100644 --- a/lib/initial/list.py +++ b/lib/initial/list.py @@ -8,7 +8,7 @@ def list(): ''' 显示漏洞列表 ''' vul_num = 0 vul_list = '' - vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*73) + '+\n' + vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*68) + '+\n' for vul in vul_info: for info in vul_info[vul]: 
@@ -16,10 +16,9 @@ def list(): vul_list += '| {}|'.format(vul.ljust(21)) vul_list += ' {}|'.format(info['vul_id'].ljust(19)) vul_list += ' {}|'.format(info['type'].ljust(13)) - vul_list += ' {}|'.format(info['method'].ljust(9)) - vul_list += ' {}\t|'.format(info['description'].ljust(62)) + vul_list += ' {}\t|'.format(info['description'].ljust(57)) vul_list += '\n' - vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*10) + '+' + ('-'*73) + '+\n' + vul_list += '+' + ('-'*22) + '+' + ('-'*20) + '+' + ('-'*14) + '+' + ('-'*68) + '+\n' print(color.cyan(vul_list + str(vul_num - 1))) # print(vul_num) @@ -30,7 +29,6 @@ def list(): { 'vul_id': 'Vul_id', 'type': 'Type', - 'method': 'Method', 'description': 'Description\t' } ], @@ -38,7 +36,6 @@ def list(): { 'vul_id': 'None', 'type': 'unAuth', - 'method': 'GET', 'description': '阿里巴巴Druid未授权访问' } ], @@ -46,7 +43,6 @@ def list(): { 'vul_id': 'CVE-2021-29441', 'type': 'unAuth', - 'method': 'GET/POST', 'description': '阿里巴巴Nacos未授权访问' } ], @@ -54,7 +50,6 @@ def list(): { 'vul_id': 'CVE-2020-17526', 'type': 'unAuth', - 'method': 'GET', 'description': 'Airflow身份验证绕过' } ], @@ -62,7 +57,6 @@ def list(): { 'vul_id': 'CVE-2020-13945', 'type': 'unAuth', - 'method': 'GET', 'description': 'Apache APISIX默认密钥' } ], @@ -70,15 +64,20 @@ def list(): { 'vul_id': 'CVE-2020-17519', 'type': 'FileRead', - 'method': 'GET', 'description': 'Flink目录遍历' } ], + 'Apache Hadoop': [ + { + 'vul_id': 'None', + 'type': 'unAuth', + 'description': 'Hadoop YARN ResourceManager 未授权访问' + } + ], 'Apache Solr': [ { 'vul_id': 'CVE-2021-27905', 'type': 'SSRF', - 'method': 'GET/POST', 'description': 'Solr SSRF/任意文件读取' } ], 
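Review bot: `info['description'].ljust(57)` pads by code-point count, but most descriptions in this file are Chinese (e.g. `'阿里巴巴Druid未授权访问'`), and each CJK character occupies two terminal columns, so rows with non-ASCII descriptions overshoot the 68-dash separator this hunk widens, exactly as they did with the old `ljust(62)`. Pad by display width instead: count characters whose `unicodedata.east_asian_width(c)` is `'W'` or `'F'` twice and append `57 - width` spaces. The trailing `'\t'` before the closing `|` also makes the border depend on the terminal's tab stops and could be dropped at the same time. `list()` continues outside the hunk; the `vul_num` increment it prints is not visible here.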
@@ -86,37 +85,31 @@ def list(): { 'vul_id': 'S2-001', 'type': 'RCE', - 'method': 'POST', 'description': 'Struts2远程代码执行' }, { 'vul_id': 'S2-005', 'type': 'RCE', - 'method': 'GET', 'description': 'Struts2远程代码执行' }, { 'vul_id': 'S2-007', 'type': 'RCE', - 'method': 'GET', 'description': 'Struts2远程代码执行' }, { 'vul_id': 'S2-008', 'type': 'RCE', - 'method': 'GET', 'description': 'Struts2远程代码执行' }, { 'vul_id': 'S2-009', 'type': 'RCE', - 'method': 'GET', 'description': 'Struts2远程代码执行' }, { 'vul_id': 'S2-012', 'type': 'RCE', - 'method': 'GET', 'description': 'Struts2远程代码执行' } ], @@ -124,7 +117,6 @@ def list(): { 'vul_id': 'CVE-2017-12615', 'type': 'FileUpload', - 'method': 'PUT', 'description': 'PUT方法任意文件写入' } ], @@ -132,7 +124,6 @@ def list(): { 'vul_id': 'CVE-2018-8715', 'type': 'unAuth', - 'method': 'GET', 'description': 'AppWeb身份认证绕过' } ], @@ -140,25 +131,21 @@ def list(): { 'vul_id': 'CVE-2015-8399', 'type': 'FileRead', - 'method': 'GET', 'description': 'Confluence任意文件包含' }, { 'vul_id': 'CVE-2019-3396', 'type': 'RCE/FileRead', - 'method': 'POST', 'description': 'Confluence路径遍历和命令执行' }, { 'vul_id': 'CVE-2021-26084', 'type': 'RCE', - 'method': 'POST', 'description': 'Confluence Webwork Pre-Auth OGNL表达式命令注入' }, { 'vul_id': 'CVE-2022-26134', 'type': 'RCE', - 'method': 'GET', 'description': 'Confluence远程代码执行' } ], @@ -166,7 +153,6 @@ def list(): { 'vul_id': 'CVE-2020-3580', 'type': 'XSS', - 'method': 'POST', 'description': '思科ASA/FTD XSS跨站脚本攻击' } ], @@ -174,7 +160,6 @@ def list(): { 'vul_id': 'wooyun-2010-080723', 'type': 'RCE', - 'method': 'GET', 'description': '全局变量防御绕过RCE' } ], 
@@ -182,31 +167,26 @@ def list(): { 'vul_id': 'CVE-2017-12794', 'type': 'XSS', - 'method': 'GET', 'description': 'debug page XSS跨站脚本攻击' }, { 'vul_id': 'CVE-2018-14574', 'type': 'Redirect', - 'method': 'GET', 'description': 'CommonMiddleware url重定向' }, { 'vul_id': 'CVE-2019-14234', 'type': 'SQLinject', - 'method': 'GET', 'description': 'JSONfield SQL注入' }, { 'vul_id': 'CVE-2020-9402', 'type': 'SQLinject', - 'method': 'GET', 'description': 'GIS SQL注入' }, { 'vul_id': 'CVE-2021-35042', 'type': 'SQLinject', - 'method': 'GET', 'description': 'QuerySet.order_by SQL注入' } ], @@ -214,25 +194,21 @@ def list(): { 'vul_id': 'CVE-2014-3704', 'type': 'SQLinject', - 'method': 'POST', 'description': 'Drupal < 7.32 Drupalgeddon SQL 注入' }, { 'vul_id': 'CVE-2017-6920', 'type': 'RCE', - 'method': 'POST', 'description': 'Drupal Core 8 PECL YAML 反序列化代码执行' }, { 'vul_id': 'CVE-2018-7600', 'type': 'RCE', - 'method': 'POST', 'description': 'Drupal Drupalgeddon 2 远程代码执行' }, { 'vul_id': 'CVE-2018-7602', 'type': 'RCE', - 'method': 'POST', 'description': 'Drupal 远程代码执行' } ], @@ -240,25 +216,21 @@ def list(): { 'vul_id': 'CVE-2014-3120', 'type': 'RCE', - 'method': 'POST', 'description': 'ElasticSearch命令执行' }, { 'vul_id': 'CVE-2015-1427', 'type': 'RCE', - 'method': 'POST', 'description': 'ElasticSearch Groovy 沙盒绕过&&代码执行' }, { 'vul_id': 'CVE-2015-3337', 'type': 'FileRead', - 'method': 'GET', 'description': 'ElasticSearch 目录穿越' }, { 'vul_id': 'CVE-2015-5531', 'type': 'FileRead', - 'method': 'PUT/GET', 'description': 'ElasticSearch 目录穿越' }, ], @@ -266,13 +238,11 @@ def list(): { 'vul_id': 'CVE-2020-5902', 'type': 'RCE', - 'method': 'GET', 'description': 'BIG-IP远程代码执行' }, { 'vul_id': 'CVE-2022-1388', 'type': 'unAuth', - 'method': 'POST', 'description': 'BIG-IP身份认证绕过' } ], 
@@ -280,21 +250,44 @@ def list(): { 'vul_id': 'CNVD-2017-02833', 'type': 'unSerialize', - 'method': 'POST', 'description': 'Fastjson <= 1.2.24 反序列化' }, { 'vul_id': 'CNVD-2019-22238', 'type': 'unSerialize', - 'method': 'POST', 'description': 'Fastjson <= 1.2.47 反序列化' } ], + 'Gitea': [ + { + 'vul_id': 'None', + 'type': 'unAuth', + 'description': 'Gitea 1.4.0 未授权访问' + }, + ], + 'Gitlab': [ + { + 'vul_id': 'CVE-2021-22205', + 'type': 'RCE', + 'description': 'GitLab Pre-Auth 远程命令执行' + }, + { + 'vul_id': 'CVE-2021-22214', + 'type': 'SSRF', + 'description': 'Gitlab CI Lint API未授权 SSRF' + } + ], + 'Grafana': [ + { + 'vul_id': 'CVE-2021-43798', + 'type': 'FileRead', + 'description': 'Grafana 8.x 插件模块路径遍历' + }, + ], 'Jenkins': [ { 'vul_id': 'CVE-2018-1000861', 'type': 'RCE', - 'method': 'POST', 'description': 'jenkins 远程命令执行' } ], @@ -302,7 +295,6 @@ def list(): { 'vul_id': 'CVE-2020-10770', 'type': 'SSRF', - 'method': 'GET', 'description': '使用request_uri调用未经验证的URL' } ], @@ -314,11 +306,17 @@ def list(): # 'description': 'Kindeditor 目录遍历' # } # ], + 'Landray': [ + { + 'vul_id': 'CNVD-2021-28277', + 'type': 'FileRead/SSRF', + 'description': '蓝凌OA 任意文件读取/SSRF' + } + ], 'mongo-express': [ { 'vul_id': 'CVE-2019-10758', 'type': 'RCE', - 'method': 'POST', 'description': '未授权远程代码执行' } ], @@ -326,13 +324,11 @@ def list(): { 'vul_id': 'CVE-2017-14849', 'type': 'FileRead', - 'method': 'GET', 'description': 'Node.js目录穿越' }, { 'vul_id': 'CVE-2021-21315', 'type': 'RCE', - 'method': 'GET', 'description': 'Node.js命令执行' } ], 
@@ -340,15 +336,30 @@ def list(): { 'vul_id': 'CVE-2021-3223', 'type': 'FileRead', - 'method': 'GET', 'description': 'Node-RED 任意文件读取' } ], + 'Ruby on Rails': [ + { + 'vul_id': 'CVE-2018-3760', + 'type': 'FileRead', + 'description': 'Ruby on Rails 路径遍历' + }, + { + 'vul_id': 'CVE-2019-5418', + 'type': 'FileRead', + 'description': 'Ruby on Rails 任意文件读取' + }, + { + 'vul_id': 'CVE-2020-8163', + 'type': 'RCE', + 'description': 'Ruby on Rails 命令执行' + } + ], 'ShowDoc': [ { 'vul_id': 'CNVD-2020-26585', 'type': 'FileUpload', - 'method': 'POST', 'description': 'ShowDoc 任意文件上传' } ], @@ -356,31 +367,26 @@ def list(): { 'vul_id': 'CVE-2020-5410', 'type': 'FileRead', - 'method': 'GET', 'description': 'Spring Cloud目录遍历' }, { 'vul_id': 'CVE-2021-21234', 'type': 'FileRead', - 'method': 'GET', 'description': 'Spring Boot目录遍历' }, { 'vul_id': 'CVE-2022-22947', 'type': 'RCE', - 'method': 'POST', 'description': 'Spring Cloud Gateway SpEl远程代码执行' }, { 'vul_id': 'CVE-2022-22963', 'type': 'RCE', - 'method': 'POST', 'description': 'Spring Cloud Function SpEL远程代码执行' }, { 'vul_id': 'CVE-2022-22965', 'type': 'RCE', - 'method': 'GET/POST', 'description': 'Spring Framework远程代码执行' } ], @@ -388,31 +394,26 @@ def list(): { 'vul_id': 'CVE-2018-1002015', 'type': 'RCE', - 'method': 'GET', 'description': 'ThinkPHP5.x 远程代码执行' }, { 'vul_id': 'CNVD-2018-24942', 'type': 'RCE', - 'method': 'GET', 'description': '未开启强制路由导致RCE' }, { 'vul_id': 'CNNVD-201901-445', 'type': 'RCE', - 'method': 'POST', 'description': '核心类Request远程代码执行' }, { 'vul_id': 'None', 'type': 'RCE', - 'method': 'GET', 'description': 'ThinkPHP2.x 远程代码执行' }, { 'vul_id': 'None', 'type': 'SQLinject', - 'method': 'GET', 'description': 'ThinkPHP5 ids参数SQL注入' } ], @@ -420,7 +421,6 @@ def list(): { 'vul_id': 'None', 'type': 'SSRF', - 'method': 'GET', 'description': 'Ueditor编辑器SSRF' } ], 
@@ -428,31 +428,26 @@ def list(): { 'vul_id': 'CVE-2014-4210', 'type': 'SSRF', - 'method': 'GET', 'description': 'Weblogic 服务端请求伪造' }, { 'vul_id': 'CVE-2017-10271', 'type': 'unSerialize', - 'method': 'POST', 'description': 'Weblogic XMLDecoder反序列化' }, { 'vul_id': 'CVE-2019-2725', 'type': 'unSerialize', - 'method': 'POST', 'description': 'Weblogic wls9_async反序列化' }, { 'vul_id': 'CVE-2020-14750', 'type': 'unAuth', - 'method': 'GET', 'description': 'Weblogic 权限验证绕过' }, { 'vul_id': 'CVE-2020-14882', 'type': 'RCE', - 'method': 'GET', 'description': 'Weblogic 未授权命令执行' } ], @@ -460,28 +455,39 @@ def list(): { 'vul_id': 'CVE-2019-15107', 'type': 'RCE', - 'method': 'POST', 'description': 'Webmin Pre-Auth 远程代码执行' }, { 'vul_id': 'CVE-2019-15642', 'type': 'RCE', - 'method': 'POST', 'description': 'Webmin 远程代码执行' } ], 'Yonyou': [ + { + 'vul_id': 'CNNVD-201610-923', + 'type': 'SQLinject', + 'description': '用友GRP-U8 Proxy SQL注入' + }, { 'vul_id': 'CNVD-2021-30167', 'type': 'RCE', - 'method': 'GET', 'description': '用友NC BeanShell远程命令执行' }, { 'vul_id': 'None', 'type': 'FileRead', - 'method': 'GET', 'description': '用友ERP-NC NCFindWeb目录遍历' + }, + { + 'vul_id': 'None', + 'type': 'DSinfo', + 'description': '用友U8 OA getSessionList.jsp 敏感信息泄漏' + }, + { + 'vul_id': 'None', + 'type': 'SQLinject', + 'description': '用友U8 OA test.jsp SQL注入' } ] } diff --git a/lib/initial/parse.py b/lib/initial/parse.py index 5bf0348..6e4a82f 100644 --- a/lib/initial/parse.py +++ b/lib/initial/parse.py @@ -19,7 +19,7 @@ def parse(): python3 vulcat.py -u https://www.example.com/ -a tomcat -v CVE-2017-12615 python3 vulcat.py -f url.txt -t 10 python3 vulcat.py --list -''', version='vulcat.py-1.1.1\n') +''', version='vulcat.py-1.1.2\n') # * 指定目标 target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name']) target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url']) 
@@ -55,7 +55,6 @@ def parse(): general = parser.add_option_group(lang['general_help']['title'], lang['general_help']['name']) general.add_option('--no-waf', dest='no_waf', action='store_true', help=lang['general_help']['no_waf']) general.add_option('--no-poc', dest='no_poc', action='store_true', help=lang['general_help']['no_poc']) - # general.add_option('--no-webapp', dest='no_webapp', action='store_true', help='') general.add_option('--batch', dest='batch', action='store_true', help=lang['general_help']['batch']) # * 查看漏洞列表 diff --git a/lib/plugins/fingerprint/webapp.py b/lib/plugins/fingerprint/webapp.py index 8a92d33..346e528 100644 --- a/lib/plugins/fingerprint/webapp.py +++ b/lib/plugins/fingerprint/webapp.py @@ -293,6 +293,64 @@ def __init__(self): r'JSON parse error: set property error, autoCommit;' ] }, + { + 'name': 'fastjson', + 'path': '', + 'data': '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"abcd","autoCommit":true}}', + 'fingerprint': [ + r'com\.alibaba\.fastjson\.JSONException:', + r'JSON parse error: set property error, autoCommit;' + ] + }, + { + 'name': 'gitea', + 'path': '', + 'data': '', + 'fingerprint': [ + r'.* - Gitea: Git with a cup of tea', + r'Copyright (c) .* The Gitea Authors', + r'Gitea 当前版本: .* 页面: \d*ms 模板: \d*ms', + r'Go 语言 支持的平台都可以运行 Gitea,包括 Windows、Mac、Linux 以及 ARM。挑一个您喜欢的就行!', + r'

.*一个廉价的树莓派的配置足以满足 Gitea 的最低系统硬件要求。最大程度上节省您的服务器资源!.*

', + r'所有的代码都开源在 GitHub 上,赶快加入我们来共同发展这个伟大的项目!还等什么?成为贡献者吧!' + ] + }, + { + 'name': 'gitlab', + 'path': '', + 'data': '', + 'fingerprint': [ + r'GitLab', + r'', + r'', + r'meta content="GitLab Community Edition" property="twitter:description"', + r'meta content="GitLab Community Edition" name="description"', + r'About GitLab' + ] + }, + { + 'name': 'grafana', + 'path': '', + 'data': '', + 'fingerprint': [ + r'', + r'Server metrics', + r"'sType':'natural', 'aTargets': \[0\], 'mRender': parseHadoopID", + r'
org\.apache\.hadoop\.yarn\.webapp\.WebAppException:'
+                ]
+            },
             {
                 'name': 'jenkins',
                 'path': '',
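Review bot: The first added entry is a second `'name': 'fastjson'` record whose `data` and both `fingerprint` patterns are identical to the entry that immediately precedes it in context, so the fastjson probe is sent and matched twice; drop the duplicate. In the gitea entry the unescaped parentheses in `r'Copyright (c) .* The Gitea Authors'` form a capture group, so the pattern matches `Copyright c The Gitea Authors` and never the literal `(c)` — write `r'Copyright \(c\) .* The Gitea Authors'`; the rails hunk further down has the same problem in `r'Ruby version:.*(.*)'`. Several patterns appear here as an empty `r''` (gitlab, grafana, rails); if they really are empty in the source rather than an artifact of HTML tags being stripped from this view, each one matches every response and makes that fingerprint unconditional. As rendered, the `parseHadoopID` and `org\.apache\.hadoop\.yarn\.webapp\.WebAppException:` patterns sit under `'name': 'grafana'`, which looks like a missing hadoop entry boundary and is worth checking against the file. `__init__` continues outside the hunk.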
@@ -322,6 +380,15 @@ def __init__(self):
             #         r'KindEditor - WYSIWYG HTML Editor for Internet'
             #     ]
             # },
+            {
+                'name': 'landray',
+                'path': '',
+                'data': '',
+                'fingerprint': [
+                    r'\["sys/ui/extend.{0,50}\.css"\]',
+                    r"'lui': 'sys/ui/js'"
+                ]
+            },
             {
                 'name': 'mongoexpress',
                 'path': '',
@@ -353,6 +420,21 @@ def __init__(self):
                     r'Node-RED'
                 ]
             },
+            {
+                'name': 'rails',
+                'path': '',
+                'data': '',
+                'fingerprint': [
+                    r'Ruby on Rails',
+                    r'

Yay! You’re on Rails!

', + r'Rails version:.*
', + r'Ruby version:.*(.*)', + r'

Rails\.root: .*

', + r'
  • For more information about routes, please see the Rails guideRails Routing from the Outside In\.
  • ', + r'RailsFileContent', + r'' + ] + }, { 'name': 'showdoc', 'path': '', @@ -458,7 +540,17 @@ def __init__(self): 'data': '', 'fingerprint': [ r'