source link: https://github.com/zhzyker/vulmap
Vulmap - Web vulnerability scanning and verification tools
Vulmap is a web vulnerability scanning and verification tool. It can scan web containers, web servers, web middleware, CMSs and other web applications for vulnerabilities, and it also has exploitation capability.
Vulmap currently has a vulnerability scanning (poc) mode and an exploitation (exp) mode; use the "-m" option to choose the mode, and poc mode is the default when it is omitted. In poc mode it also supports "-f" for batch scanning of a target list and "-o" for writing results to a file, among other features; see Options or `python vulmap.py -h` for more. Currently supported targets: activemq, flink, shiro, solr, struts2, tomcat, unomi, drupal, elasticsearch, nexus, weblogic, jboss, thinkphp
Installation
Python 3 must be installed on the operating system; Python 3.8 or later is recommended.
# Clone with git, or get the source from a release
git clone https://github.com/zhzyker/vulmap.git
# Install the required dependencies
pip install -r requirements.txt
# Linux & MacOS & Windows
python vulmap.py -u http://example.com
Discussion
- Report Vulmap bugs or suggest new features here
- Discussion QQ group: 219291257
Options
Optional arguments:
-h, --help  show this help message and exit
-u URL, --url URL  target URL (e.g. -u "http://example.com")
-f FILE, --file FILE  choose a target list file, one URL per line (e.g. -f "/home/user/list.txt")
-m MODE, --mode MODE  mode, supports "poc" and "exp"; may be omitted, defaults to "poc" mode
-a APP, --app APP  specify the web container, web server, web middleware or CMS (e.g. "weblogic"); if omitted, all are scanned
-c CMD, --cmd CMD  custom command to run for remote command execution checks, default is "echo VuLnEcHoPoCSuCCeSS"
-v VULN, --vuln VULN  exploit a vulnerability; the vulnerability id must be given (e.g. -v "CVE-2020-2729")
--list  show the list of supported vulnerabilities
--debug  in exp mode show requests and responses, in poc mode show the list of vulnerabilities scanned
--delay DELAY  delay, the interval between requests, default 0s
--timeout TIMEOUT  timeout, default 5s
-t NUM, --thread NUM  number of scanning threads, default 10 threads
--user-agent UA  allow a custom User-Agent
--proxy-socks SOCKS  use a SOCKS proxy (e.g. --proxy-socks 127.0.0.1:1080)
--proxy-http HTTP  use an HTTP proxy (e.g. --proxy-http 127.0.0.1:8080)
-o, --output FILE  write results to a text file (e.g. -o "result.txt")
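Added example (not part of the vulmap project): a defender-side log check that flags requests carrying vulmap's default RCE verification marker from the -c option, "echo VuLnEcHoPoCSuCCeSS", in combined-format access logs. The log lines and addresses are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Vulmap's default command for RCE checks (the -c option) is
# "echo VuLnEcHoPoCSuCCeSS", so this marker appears in the request payloads
# the scanner sends and is a cheap, high-signal indicator of a vulmap run.
VULMAP_MARKER = "VuLnEcHoPoCSuCCeSS"

# Combined-log-format line: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample access-log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2021:10:00:02 +0000] "POST /console/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2021:10:00:03 +0000] "GET /?cmd=echo%20VuLnEcHoPoCSuCCeSS HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2021:10:00:04 +0000] "GET /app?q=echo+VuLn%2545cHoPoCSuCCeSS HTTP/1.1" 500 44 "-" "python-requests/2.25"
"""

def find_vulmap_hits(log_text):
    """Return one finding per request whose decoded path/query carries the marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Payloads are usually URL-encoded (sometimes twice), so decode twice and
        # compare case-insensitively so encoding alone cannot hide the marker.
        decoded = unquote_plus(unquote_plus(m["path"]))
        if VULMAP_MARKER.lower() in decoded.lower():
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "status": m["status"], "ua": m["ua"]})
    return hits

def count_by_source(hits):
    """Tally flagged requests per source IP for triage or blocking decisions."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    found = find_vulmap_hits(SAMPLE_LOG)
    print(len(found), "vulmap-marker requests:", count_by_source(found))
```

A scan run with a custom -c command will not contain the marker, so treat this as one signal alongside matching on the vulnerable paths listed in the table below and on unusual User-Agent values.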
Update vulmap 0.5
- Added multithreaded scanning, 10 threads by default and configurable; coroutines are enabled by default (scanning is now much faster)
- Added scanning through a proxy, with SOCKS and HTTP proxies supported
- Custom User-Agent can be set
- Changed --debug again: in exp mode debug shows requests and responses, in poc mode it shows the list of vulnerabilities scanned
- CVE-2016-4437 Apache Shiro: added three echo gadgets (6 in total), keys increased to 5
- Added Apache Flink CVE-2020-17518 & CVE-2020-17519
- Improved batch scanning and output
Examples
# Test all vulnerability PoCs
python vulmap.py -u http://example.com
# For RCE vulnerabilities, use a custom command to check whether the vulnerability exists, e.g. use dnslog for vulnerabilities without echo
python vulmap.py -u http://example.com -c "ping xxx.xxx"
# Check whether http://example.com has struts2 vulnerabilities
python vulmap.py -u http://example.com -a struts2
python vulmap.py -u http://example.com -m poc -a struts2
# Exploit the WebLogic CVE-2019-2729 vulnerability against http://example.com:7001
python vulmap.py -u http://example.com:7001 -v CVE-2019-2729
python vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729
# Batch scan the URLs in list.txt
python vulmap.py -f list.txt
# Export scan results to result.txt
python vulmap.py -u http://example.com:7001 -o result.txt
Vulnerabilities List
+-------------------+------------------+-----+-----+-------------------------------------------------------------+
| Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |
+-------------------+------------------+-----+-----+-------------------------------------------------------------+
| Apache ActiveMQ | CVE-2015-5254 | Y | N | < 5.13.0, deserialization remote code execution |
| Apache ActiveMQ | CVE-2016-3088 | Y | Y | < 5.14.0, http put&move upload webshell |
| Apache Flink | CVE-2020-17518 | Y | N | < 1.11.3 or < 1.12.0, upload path traversal |
| Apache Flink | CVE-2020-17519 | Y | Y | 1.5.1 - 1.11.2, 'jobmanager/logs' path traversal |
| Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |
| Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here |
| Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |
| Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |
| Apache Struts2 | S2-005 | Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |
| Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |
| Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce |
| Apache Struts2 | S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |
| Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |
| Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |
| Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |
| Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |
| Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |
| Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |
| Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |
| Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |
| Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |
| Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20, cve-2019-0230 ognl interpreter rce |
| Apache Struts2 | S2-061 | Y | Y | 2.0.0-2.5.25, cve-2020-17530 ognl interpreter rce |
| Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |
| Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet |
| Apache Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |
| Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |
| Apache Unomi | CVE-2020-13942 | Y | Y | < 1.5.2, apache unomi remote code execution |
| Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |
| Drupal | CVE-2018-7602 | Y | Y | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |
| Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |
| Elasticsearch | CVE-2014-3120 | Y | Y | < 1.2, elasticsearch remote code execution |
| Elasticsearch | CVE-2015-1427 | Y | Y | 1.4.0 < 1.4.3, elasticsearch remote code execution |
| Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |
| Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |
| Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability |
| Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |
| Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |
| Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |
| Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |
| Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |
| Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |
| Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |
| Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |
| Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |
| Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |
| Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |
| RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |
| RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |
| RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |
| ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |
| ThinkPHP | CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |
+-------------------+------------------+-----+-----+-------------------------------------------------------------+
Docker
docker build -t vulmap/vulmap .
docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com