-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
121 changed files
with
12,928 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,151 @@ | ||
# vulcat | ||
除了代码写得有亿点点烂,等亿点点小问题以外,还是阔以的......吧 | ||
|
||
* vulcat可用于扫描web端漏洞(框架、中间件、CMS等), 发现漏洞时会提示目标url和payload, 使用者可以根据提示对漏洞进行手工验证<br/> | ||
* 使用者还可以自己编写POC, 并添加到vulcat中进行扫描, 本项目也欢迎大家贡献自己的POC(白嫖) | ||
* 如果有什么想法、建议或者遇到了BUG, 都可以issues | ||
|
||
**目前支持扫描的web应用程序有:** | ||
> AlibabaDruid, AlibabaNacos, ApacheTomcat, Cicso, Spring, ThinkPHP, Weblogic, Yonyou | ||
<details> | ||
<summary><b>目前支持扫描的web漏洞有: [点击展开]</b></summary> | ||
|
||
``` | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| Target | Vul_id | Type | Method | Description | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| AlibabaDruid | None | unAuth | GET | 阿里巴巴Druid未授权访问 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| AlibabaNacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| ApacheTomcat | CVE-2017-12615 | WriteFile | PUT | PUT方法任意文件写入 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD软件跨站脚本攻击 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| Spring | CVE-2022-22965 | RCE | POST | Spring Framework远程代码执行 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE | | ||
| ThinkPHP | CNNVD-201901-445 | RCE | POST | 核心类Request远程代码执行 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic权限验证绕过 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| Yonyou | CNVD-2021-30167 | RCE | GET | 用友NC BeanShell远程命令执行 | | ||
| Yonyou | None | FileRead | GET | 用友ERP-NC NCFindWeb接口任意文件读取/下载 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
``` | ||
</details> | ||
|
||
## Installation & Usage | ||
工具基于python3开发, 推荐使用python3.8及以上版本 | ||
|
||
* Git: `git clone https://github.com/starcat_l/vulcat.git` | ||
* Zip: [点我](https://github.com/starcat_l/vulcat.zip) | ||
|
||
``` | ||
git clone https://github.com/starcat_l/vulcat.git | ||
cd vulcat | ||
python3 vulcat.py -h | ||
``` | ||
``` | ||
Usage: python3 vulcat.py <options> | ||
Examples: | ||
python3 vulcat.py -u https://www.example.com/ | ||
python3 vulcat.py -u https://www.example.com/ -a thinkphp --log 3 | ||
python3 vulcat.py -f url.txt -t 10 | ||
python3 vulcat.py --list | ||
``` | ||
|
||
## Options | ||
``` | ||
Options: | ||
--version show program's version number and exit | ||
-h, --help show this help message and exit | ||
Target: | ||
指定扫描目标 | ||
-u URL, --url=URL 单个url (如: -u http://www.baidu.com/) | ||
-f FILE, --file=FILE | ||
含有多个url的文件, 一行一个 (如: -f url.txt) | ||
-r, --recursive 递归扫描url的每层目录 | ||
Optional: | ||
可选功能选项 | ||
-t THREAD, --thread=THREAD | ||
线程数 (默认: 3) | ||
--delay=DELAY 延迟时间/秒 (默认: 0.5) | ||
--timeout=TIMEOUT 超时时间/秒 (默认: 10) | ||
--http-proxy=HTTP_PROXY | ||
http/https代理 (如: --http-proxy 127.0.0.1:8080) | ||
--user-agent=UA 自定义User-Agent | ||
--log=LOG 日志等级, 可选1-3 (默认: 1) | ||
Application: | ||
指定扫描的目标类型 | ||
-a APPLICATION, --application=APPLICATION | ||
指定目标类型, 多个使用逗号分隔 (如: thinkphp 或者 thinkphp,weblogic) | ||
(默认为全部) | ||
Save: | ||
保存扫描结果 | ||
--output-text=TXT_FILENAME | ||
以txt格式保存扫描结果, 无漏洞时不会生成文件(如: --output-text result.txt) | ||
--output-json=JSON_FILENAME | ||
以json格式保存扫描结果, 无漏洞时不会生成文件(如: --output-text | ||
result.json) | ||
Lists: | ||
漏洞列表 | ||
--list 查看所有Payload | ||
支持的目标类型(-a参数, 不区分大小写): | ||
AliDruid,cisco,thinkphp,tomcat,nacos,spring,weblogic,yonyou | ||
``` | ||
|
||
## language | ||
可以修改-h/--help的语言, 目前只有中文和英文(麻麻再也不用担心我看不懂啦!) | ||
|
||
* 打开vulcat/lib/initial/language.py | ||
* en_us为英文, zh_cn为中文, 将return调换顺序, 然后保存文件就实现了-h语言的切换 | ||
![English](images/language.png) | ||
|
||
## Custom POC | ||
* 如何编写自己的漏洞POC, 并添加到vulcat中 | ||
* 找到vulcat/payloads/demo.py, demo.py是vulcat中的POC模板(半成品), 需要使用者填写剩余的代码 | ||
* **修改步骤:** | ||
1. 先将demo.py复制一份并保存, 防止模板丢失, 然后修改文件名为POC的名字(如ThinkPHP.py), 名字可以自定义 | ||
![custom_1](images/custom_1.png) | ||
2. 修改文件开头的注释, 具体修改如下↓ | ||
![custom_2](images/custom_2.png) | ||
3. 根据代码旁边的提示, 修改相应内容↓ | ||
![custom_3_1](images/custom_3_1.png) | ||
如果payloads有多个, 则添加多个path和data | ||
![custom_3_2](images/custom_3_2.png) | ||
4. 根据提示, 修改相应内容↓ | ||
![custom_4_1](images/custom_4_1.png) | ||
![custom_4_2](images/custom_4_2.png) | ||
5. 修改相应内容↓ | ||
![custom_5_1](images/custom_5_1.png) | ||
![custom_5_2](images/custom_5_2.png) | ||
6. 修改↓ | ||
![custom_6_1](images/custom_6_1.png) | ||
![custom_6_2](images/custom_6_2.png) | ||
7. 打开vulcat/lib/initial/config.py, 并添加应用程序的名字(注意: 名称要一样, 见下图↓) | ||
![custom_7_1](images/custom_7_1.png) | ||
![custom_7_2](images/custom_7_2.png) | ||
8. 打开vulcat/lib/core/coreScan.py, 导入你的POC, 至此, vulcat就可以使用你的POC了, 你现在可以运行vulcat.py试试POC的效果 | ||
![custom_8](images/custom_8.png) | ||
9. 如果你想在-h/--help中显示你的POC的应用程序名称, 打开vulcat/lib/initial/language.py, 找到以下代码并继续添加即可↓ | ||
![custom_9_1](images/custom_9_1.png) | ||
![custom_9_2](images/custom_9_2.png) | ||
|
||
## Thanks | ||
感谢以下开源项目提供的灵感以及部分源代码 | ||
* [vulmap](https://github.com/zhzyker/vulmap) | ||
* [sqlmap](https://github.com/sqlmapproject/sqlmap) | ||
* [dirsearch](https://github.com/maurosoria/dirsearch) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,155 @@ | ||
# vulcat | ||
|
||
* Vulcat can be used to scan for vulnerabilities on the Web side. When a vulnerability is discovered, the target URL and Payload are prompted. Users can manually verify the vulnerability according to the prompt<br/> | ||
* Users can also write their own POC and add it to vulcat for scanning, You are also welcome to contribute your POC to the project | ||
* If you have any ideas, suggestions, or bugs, you can issue | ||
|
||
**Web applications that currently support scanning:** | ||
> AlibabaDruid, AlibabaNacos, ApacheTomcat, Cicso, Spring, ThinkPHP, Weblogic, Yonyou | ||
<details> | ||
<summary><b>The current web vulnerabilities that support scanning: [Click on]</b></summary> | ||
|
||
``` | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| Target | Vul_id | Type | Method | Description | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| AlibabaDruid | None | unAuth | GET | 阿里巴巴Druid未授权访问 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| AlibabaNacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| ApacheTomcat | CVE-2017-12615 | WriteFile | PUT | PUT方法任意文件写入 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD软件跨站脚本攻击 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| Spring | CVE-2022-22965 | RCE | POST | Spring Framework远程代码执行 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE | | ||
| ThinkPHP | CNNVD-201901-445 | RCE | POST | 核心类Request远程代码执行 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| Weblogic | CVE-2020-14750 | unAuth | GET | Weblogic权限验证绕过 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
| Yonyou | CNVD-2021-30167 | RCE | GET | 用友NC BeanShell远程命令执行 | | ||
| Yonyou | None | FileRead | GET | 用友ERP-NC NCFindWeb接口任意文件读取/下载 | | ||
+---------------+------------------+------------+----------+------------------------------------------------------------+ | ||
``` | ||
</details> | ||
|
||
## Installation & Usage | ||
The tool is developed based on python3. Python3.8 or later is recommended | ||
|
||
* Git: `git clone https://github.com/starcat_l/vulcat.git` | ||
* Zip: [click me](https://github.com/starcat_l/vulcat.zip) | ||
|
||
``` | ||
git clone https://github.com/starcat_l/vulcat.git | ||
cd vulcat | ||
python3 vulcat.py -h | ||
``` | ||
``` | ||
Usage: python3 vulcat.py <options> | ||
Examples: | ||
python3 vulcat.py -u https://www.example.com/ | ||
python3 vulcat.py -u https://www.example.com/ -a thinkphp --log 3 | ||
python3 vulcat.py -f url.txt -t 10 | ||
python3 vulcat.py --list | ||
``` | ||
|
||
## Options | ||
``` | ||
Options: | ||
--version show program's version number and exit | ||
-h, --help show this help message and exit | ||
Target: | ||
Specify scan target | ||
-u URL, --url=URL A url (e.g. -u http://www.example.com/) | ||
-f FILE, --file=FILE | ||
A file containing multiple urls, one URL per line | ||
(e.g. -f url.txt) | ||
-r, --recursive Recursively scan each directory of the URL | ||
Optional: | ||
Optional function options | ||
-t THREAD, --thread=THREAD | ||
The number of threads (default: 3) | ||
--delay=DELAY Delay time/s (default: 0.5) | ||
--timeout=TIMEOUT Timeout/s (default: 10) | ||
--http-proxy=HTTP_PROXY | ||
The HTTP/HTTPS proxy (e.g. --http-proxy | ||
127.0.0.1:8080) | ||
--user-agent=UA Customize the User-Agent | ||
--log=LOG The log level, Optional 1-3 (default: 1) | ||
Application: | ||
Specify the target type for the scan | ||
-a APPLICATION, --application=APPLICATION | ||
Specifies the target type, separated by commas (e.g. | ||
thinkphp / thinkphp,weblogic) (default: all) | ||
Save: | ||
Save scan results | ||
--output-text=TXT_FILENAME | ||
Save the scan results in TXT format, no vulnerability | ||
will not generate files(e.g. --output-text result.txt) | ||
--output-json=JSON_FILENAME | ||
Save the scan results in JSON format, no vulnerability | ||
will not generate files(e.g. --output-text | ||
result.json) | ||
Lists: | ||
Vulnerability list | ||
--list View all payload | ||
Supported target types(Case insensitive): | ||
AliDruid,cisco,thinkphp,tomcat,nacos,spring,weblogic,yonyou | ||
``` | ||
|
||
## language | ||
You can change the language of -h/--help, currently only Chinese and English | ||
|
||
* Open the vulcat/lib/initial/language.py | ||
* Switching the "return" order and then saving the file implements the -h/--help language switch | ||
![Language](images/language.png) | ||
|
||
## Custom POC | ||
* How do I write my own vulnerability POC and add it to vulcat | ||
* Find vulcat/payloads/demo.py, which is a POC template in Vulcat (semi-finished) and requires the user to fill in the rest of the code | ||
|
||
* **Modify the steps:** | ||
1. Make a copy of demo.py and save it to prevent template loss. Then change the name of the POC file (for example, thinkphp.py) | ||
![custom_1](images/custom_1.png) | ||
2. Modify the comment at the beginning of the file↓ | ||
![custom_2](images/custom_2.png) | ||
3. Modify according to the prompt next to the code↓ | ||
![custom_3_1](images/custom_3_1.png) | ||
If payloads have multiple, add multiple paths and data | ||
![custom_3_2](images/custom_3_2.png) | ||
4. Modify the content as prompted↓ | ||
![custom_4_1](images/custom_4_1.png) | ||
![custom_4_2](images/custom_4_2.png) | ||
4. Modify the content as prompted↓ | ||
![custom_5_1](images/custom_5_1.png) | ||
![custom_5_2](images/custom_5_2.png) | ||
4. Modify the content as prompted↓ | ||
![custom_6_1](images/custom_6_1.png) | ||
![custom_6_2](images/custom_6_2.png) | ||
7. Open the vulcat/lib/initial/config.py, and add the application name (note: shall be the same name, see image below↓) | ||
![custom_7_1](images/custom_7_1.png) | ||
![custom_7_2](images/custom_7_2.png) | ||
8. Open vulcat/lib/core/coreScan.py, import your POC, so far, vulcat can use your POC, you can now run the vulcat.py try out the effect of POC | ||
![custom_8](images/custom_8.png) | ||
9. 如果你想在-h/--help中显示你的POC的应用程序名称, 打开vulcat/lib/initial/language.py, 找到以下代码并继续添加即可↓ | ||
9. If you want to in -h/--help show your POC application name, open the vulcat/lib/initial/language.py, find the following code and continue to add | ||
![custom_9_1](images/custom_9_1.png) | ||
![custom_9_2](images/custom_9_2.png) | ||
|
||
## Thanks | ||
* [vulmap](https://github.com/zhzyker/vulmap) | ||
* [sqlmap](https://github.com/sqlmapproject/sqlmap) | ||
* [dirsearch](https://github.com/maurosoria/dirsearch) |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file not shown.
Oops, something went wrong.