Merge pull request #434 from m-1-k-3/exploit_sources
Add Packetstorm and Snyk PoC sources
Showing
7 changed files
with
11,612 additions
and
13 deletions.
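--- /dev/null
+++ b/FILE_PATH_NOT_SHOWN_1
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+URL="https://packetstormsecurity.com/files/tags/exploit/page"
+LINKS="packet_storm_links.txt"
+SAVE_PATH="/tmp/packet_storm"
+EMBA_CONFIG_PATH="./config/"
+
+if ! [[ -d "$EMBA_CONFIG_PATH" ]]; then
+echo "[-] No EMBA config directory found! Please start this crawler from the EMBA directory"
+exit 1
+fi
+
+## Color definition
+GREEN="\033[0;32m"
+ORANGE="\033[0;33m"
+NC="\033[0m" # no color
+
+if [[ -d "$SAVE_PATH" ]]; then
+rm -r "$SAVE_PATH"
+fi
+if ! [[ -d "$SAVE_PATH/advisory" ]]; then
+mkdir -p "$SAVE_PATH/advisory"
+fi
+
+echo "[*] Generating URL list for packetstorm advisories"
+ID=1
+CUR_SLEEP_TIME=1
+echo "CVE;advisory name;advisory URL;exploit type (local/remote)" > "$SAVE_PATH"/PS_PoC_results.csv
+
+while ( true ); do
+FAIL_CNT=0
+while ! lynx -dump -hiddenlinks=listonly "$URL""$ID" > "$SAVE_PATH"/"$LINKS"; do
+((CUR_SLEEP_TIME+=$(shuf -i 1-5 -n 1)))
+((FAIL_CNT+=1))
+if [[ "$FAIL_CNT" -gt 20 ]]; then
+echo "[-] No further download possible ... exit now"
+exit 1
+fi
+echo "[-] Error downloading $URL$ID ... waiting for $CUR_SLEEP_TIME seconds"
+sleep "$CUR_SLEEP_TIME"
+done
+CUR_SLEEP_TIME=1
+
+if grep -q "No Results Found" "$SAVE_PATH"/"$LINKS"; then
+echo "[-] Finished downloading exploits from packetstormsecurity.com with page$ID ... exit now"
+break
+fi
+
+echo ""
+echo "[*] Generating list of URLs of packetstorm advisory page $ID"
+
+mapfile -t MARKERS < <(grep -zoP "\n \[[0-9]+\].*" "$SAVE_PATH"/"$LINKS" | grep -a -v '\]packet storm\|Register\|Login\|SERVICES_TAB')
+
+for ((index=0; index < ${#MARKERS[@]}; index++)); do
+CVEs=()
+REMOTE=0
+LOCAL=0
+DoS=0
+MSF=0
+TYPE="unknown"
+
+# init marker with name:
+# e.g.: [22]Spitfire CMS 1.0.475 PHP Object Injection
+CURRENT_MARKER=$(echo "${MARKERS[index]}" | cut -d '[' -f2 | cut -d ']' -f1)
+# the name is after the first marker
+ADV_NAME=$(echo "${MARKERS[index]}" | cut -d '[' -f2 | cut -d ']' -f2)
+
+# with the following search we are going to find the URL of the marker
+ADV_URL=$(grep " $CURRENT_MARKER\.\ " "$SAVE_PATH"/"$LINKS" | awk '{print $2}' | sort -u)
+NEXT_MARKER=$(echo "${MARKERS[index+1]}" | cut -d '[' -f2 | cut -d ']' -f1)
+if [[ -z "$NEXT_MARKER" ]]; then
+NEXT_MARKER=$(grep -E "Back\[[0-9]+\]" "$SAVE_PATH"/"$LINKS" | cut -d '[' -f2 | cut -d ']' -f1)
+fi
+
+# we do not store metasploit exploits as we already have the MSF database in EMBA
+MSF=$(sed '/\['"$CURRENT_MARKER"'\]/,/\['"$NEXT_MARKER"'\]/!d' "$SAVE_PATH"/"$LINKS" | grep -c "metasploit.com\|This Metasploit module")
+REMOTE=$(sed '/\['"$CURRENT_MARKER"'\]/,/\['"$NEXT_MARKER"'\]/!d' "$SAVE_PATH"/"$LINKS" | grep -c "tags .*remote")
+LOCAL=$(sed '/\['"$CURRENT_MARKER"'\]/,/\['"$NEXT_MARKER"'\]/!d' "$SAVE_PATH"/"$LINKS" | grep -c "tags .*local")
+DoS=$(sed '/\['"$CURRENT_MARKER"'\]/,/\['"$NEXT_MARKER"'\]/!d' "$SAVE_PATH"/"$LINKS" | grep -c "tags .*denial of service")
+
+if [[ "$REMOTE" -gt 0 ]]; then
+TYPE="remote"
+fi
+if [[ "$LOCAL" -gt 0 ]]; then
+# if it is not unknown it is remote and we have now remote/local
+if ! [[ "$TYPE" == "unknown" ]]; then
+TYPE="$TYPE""/local"
+else
+TYPE="local"
+fi
+fi
+if [[ "$DoS" -gt 0 ]]; then
+if ! [[ "$TYPE" == "unknown" ]]; then
+TYPE="$TYPE""/DoS"
+else
+TYPE="DoS"
+fi
+fi
+
+mapfile -t CVEs < <(sed '/\['"$CURRENT_MARKER"'\]/,/\['"$NEXT_MARKER"'\]/!d' "$SAVE_PATH"/"$LINKS" | grep -o -E "\[[0-9]+\]CVE-[0-9]+-[0-9]+" \
+| sed 's/\[[0-9]*\]//' | sort -u)
+if [[ -v CVEs ]]; then
+for CVE in "${CVEs[@]}";do
+echo -e "[+] Found PoC for $ORANGE$CVE$NC in advisory $ORANGE$ADV_NAME$NC / $ORANGE$ADV_URL$NC"
+if [[ "$MSF" -eq 0 ]]; then
+echo "$CVE;$ADV_NAME;$ADV_URL;$TYPE" >> "$SAVE_PATH"/PS_PoC_results.csv
+fi
+done
+fi
+done
+((ID+=1))
+
+sleep "$CUR_SLEEP_TIME"
+done
+
+sed -i '/\;\;\;/d' "$SAVE_PATH"/PS_PoC_results.csv
+
+if [[ -f "$SAVE_PATH"/PS_PoC_results.csv ]] && [[ -d "$EMBA_CONFIG_PATH" ]]; then
+mv "$SAVE_PATH"/PS_PoC_results.csv "$EMBA_CONFIG_PATH"
+rm -r "$SAVE_PATH"
+echo -e "${GREEN}[+] Successfully stored generated PoC file in EMBA configuration directory."
+else
+echo "[-] Not able to copy generated PoC file to configuration directory $EMBA_CONFIG_PATH"
+fi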
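Review bot: `SAVE_PATH="/tmp/packet_storm"` is a fixed, predictable path in a world-writable directory; the script does `rm -r "$SAVE_PATH"`, writes `PS_PoC_results.csv` there and then moves that file into `$EMBA_CONFIG_PATH`, so another local user who pre-creates that directory can influence what ends up in the EMBA config. The Snyk crawler in this commit has the same pattern with `SAVE_PATH="/tmp/snyk"`. A per-run private directory from `SAVE_PATH=$(mktemp -d) || exit 1` closes this and makes the `rm -r` pre-check redundant. Separately, `ADV_NAME` is scraped from the page and both printed with `echo -e` and written unescaped into a `;`-separated CSV row, so a name containing `;` or backslash sequences corrupts the row or the terminal; `printf '%s\n'` for the console line and `ADV_NAME=${ADV_NAME//;/,}` before the CSV write would harden both.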
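--- /dev/null
+++ b/FILE_PATH_NOT_SHOWN_2
@@ -0,0 +1,148 @@
+#!/bin/bash
+
+URL="https://security.snyk.io/vuln"
+LINKS="snyk_adv_links.txt"
+SAVE_PATH="/tmp/snyk"
+EMBA_CONFIG_PATH="./config/"
+
+if ! [[ -d "$EMBA_CONFIG_PATH" ]]; then
+echo "[-] No EMBA config directory found! Please start this crawler from the EMBA directory"
+exit 1
+fi
+
+## Color definition
+GREEN="\033[0;32m"
+ORANGE="\033[0;33m"
+NC="\033[0m" # no color
+
+if [[ -d "$SAVE_PATH" ]]; then
+rm "$SAVE_PATH"
+fi
+if ! [[ -d "$SAVE_PATH/vuln" ]]; then
+mkdir -p "$SAVE_PATH/vuln"
+fi
+
+echo "[*] Generating URL list for snyk advisories"
+ID=1
+# this approach will end after 31 pages:
+while lynx -dump -hiddenlinks=listonly "$URL"/"$ID" | grep "$URL/SNYK" >> "$SAVE_PATH"/"$LINKS"; do
+echo -e "[*] Generating list of URLs of Snyk advisory page $ORANGE$ID$NC / $ORANGE$URL$ID$NC"
+((ID+=1))
+done
+
+# some filters we can use to get further results:
+APPLICATIONS=("cargo" "cocoapods" "composer" "golang" "hex" "maven" "npm" "nuget" "pip" \
+"rubygems" "unmanaged" "alpine" "linux" "alpine" "amzn" "centos" "debian" "oracle" "rhel" \
+"sles" "ubuntu")
+
+for APPLICATION in "${APPLICATIONS[@]}"; do
+ID=1
+while lynx -dump -hiddenlinks=listonly "$URL"/"$APPLICATION"/"$ID" | grep "$URL/SNYK" >> "$SAVE_PATH"/"$LINKS"; do
+echo -e "[*] Generating list of URLs of Snyk advisory page $ORANGE$ID$NC / application $ORANGE$APPLICATION$NC / URL $ORANGE$URL/$APPLICATION/$ID$NC"
+((ID+=1))
+done
+done
+
+# remove the numbering at the beginning of every entry:
+sed 's/.*http/http/' "$SAVE_PATH"/"$LINKS" | sort -u > "$SAVE_PATH"/"$LINKS"_sorted
+
+ADV_CNT="$(wc -l "$SAVE_PATH"/"$LINKS"_sorted | awk '{print $1}')"
+echo -e "[*] Detected $ORANGE$ADV_CNT$NC advisories for download"
+echo ""
+
+ID=1
+while read -r ADV; do
+((ID+=1))
+FILENAME="$(echo "$ADV" | rev | cut -d '/' -f1 | rev)"
+if [[ -f "$SAVE_PATH/vuln/$FILENAME" ]]; then
+echo -e "[-] Already downloaded $ORANGE$FILENAME$NC"
+continue
+fi
+echo -e "[*] Downloading $ORANGE$FILENAME$NC ($ORANGE$ID$NC/$ORANGE$ADV_CNT$NC) to $ORANGE$SAVE_PATH/vuln/$FILENAME$NC"
+wget "$ADV" -O "$SAVE_PATH"/vuln/"$FILENAME"
+done < "$SAVE_PATH"/"$LINKS"_sorted
+
+echo -e "[*] Finished downloading $ORANGE$ADV_CNT$NC advisories to $ORANGE$SAVE_PATH/vuln$NC"
+echo ""
+
+echo -e "[*] The following advisories have PoC code included:"
+PoC_CNT=0
+# removed exploit-db as we already have it in EMBA
+#echo "CVE;advisory name;advisory URL;unknown PoC;Github PoC;exploit-db;Curl PoC;XML PoC;" > "$SAVE_PATH"/Snyk_PoC_results.csv
+echo "CVE;advisory name;advisory URL;unknown PoC;Github PoC;Curl PoC;XML PoC;" > "$SAVE_PATH"/Snyk_PoC_results.csv
+
+while IFS= read -r -d '' ADV; do
+PoC_PoC="no"
+PoC_GH="no"
+PoC_EDB="no"
+PoC_CURL="no"
+PoC_XML="no"
+CVE="NA"
+ADV_NAME=$(basename "$ADV")
+ADV_URL="$URL"/"$ADV_NAME"
+
+# unsure if this is good enough:
+PoC_PoC=$(grep -c -a "PoC" "$ADV")
+PoC="$PoC_PoC"
+if [[ "$PoC_PoC" -gt 0 ]]; then
+PoC_PoC="yes"
+else
+PoC_PoC="no"
+fi
+# GitHub PoC references:
+PoC_GH=$(grep -a -c "GitHub PoC" "$ADV")
+((PoC+="$PoC_GH"))
+if [[ "$PoC_GH" -gt 0 ]]; then
+PoC_GH="yes"
+else
+PoC_GH="no"
+fi
+# removed exploit-db as we already have it in EMBA
+# exploit-db references:
+#PoC_EDB=$(grep -a -c -E "https://www.exploit-db.com/exploits/[0-9]+" "$ADV")
+#((PoC+="$PoC_EDB"))
+#if [[ "$PoC_EDB" -gt 0 ]]; then
+# PoC_EDB="yes"
+#else
+# PoC_EDB="no"
+#fi
+# curl http exploits:
+PoC_CURL=$(grep -a -c "curl http" "$ADV")
+((PoC+="$PoC_CURL"))
+if [[ "$PoC_CURL" -gt 0 ]]; then
+PoC_CURL="yes"
+else
+PoC_CURL="no"
+fi
+# xml exploits:
+PoC_XML=$(grep -a -c "For example the below code contains" "$ADV")
+((PoC+="$PoC_XML"))
+if [[ "$PoC_XML" -gt 0 ]]; then
+PoC_XML="yes"
+else
+PoC_XML="no"
+fi
+mapfile -t CVEs < <(grep -a -o -E "<title>.*CVE-[0-9]{4}-[0-9]+.*</title>" "$ADV" | \
+grep -o -E "CVE-[0-9]{4}-[0-9]+" | sort -u)
+
+if [[ "$PoC" -gt 0 ]] && [[ "${#CVEs[@]}" -gt 0 ]]; then
+for CVE in "${CVEs[@]}"; do
+echo -e "[+] Found PoC for $ORANGE$CVE$NC in advisory $ORANGE$ADV_NAME$NC (unknown PoC: $ORANGE$PoC_PoC$NC / Github: $ORANGE$PoC_GH$NC / exploit-db: $ORANGE$PoC_EDB$NC / Curl: $ORANGE$PoC_CURL$NC / XML: $ORANGE$PoC_XML$NC)"
+# removed exploit-db as we already have it in EMBA
+#echo "$CVE;$ADV_NAME;$ADV_URL;$PoC_PoC;$PoC_GH;$PoC_EDB;$PoC_CURL;$PoC_XML;" >> "$SAVE_PATH"/Snyk_PoC_results.csv
+echo "$CVE;$ADV_NAME;$ADV_URL;$PoC_PoC;$PoC_GH;$PoC_CURL;$PoC_XML;" >> "$SAVE_PATH"/Snyk_PoC_results.csv
+((PoC_CNT+=1))
+done
+fi
+done < <(find "$SAVE_PATH"/vuln/ -type f -print0)
+
+if [[ -f "$SAVE_PATH"/Snyk_PoC_results.csv ]] && [[ -d "$EMBA_CONFIG_PATH" ]]; then
+mv "$SAVE_PATH"/Snyk_PoC_results.csv "$EMBA_CONFIG_PATH"
+rm -r "$SAVE_PATH"
+echo -e "${GREEN}[+] Successfully stored generated PoC file in EMBA configuration directory."
+else
+echo "[-] Not able to copy generated PoC file to configuration directory $EMBA_CONFIG_PATH"
+fi
+
+echo ""
+echo -e "${GREEN}[+] Found $ORANGE$PoC_CNT$GREEN advisories with PoC code"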
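Review bot: `rm "$SAVE_PATH"` in the cleanup near the top of the file lacks `-r`, so when `/tmp/snyk` already exists the call fails with "Is a directory" and stale downloads plus the `snyk_adv_links.txt` that every `>>` keeps appending to survive into the next run; the Packetstorm crawler in this same commit uses `rm -r "$SAVE_PATH"` for this step. The one-line fix is `rm -r -- "$SAVE_PATH"`. The progress counter in the download loop is also off by one: `ID=1` is incremented before the first advisory is printed, so the output runs from 2 to ADV_CNT+1; initialising with `ID=0` fixes the display without touching the `continue` path.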