

更新插件
iSafeBlue committed May 24, 2019
1 parent 548973c commit 1d5762c
Showing 7 changed files with 422 additions and 4 deletions.
1 change: 1 addition & 0 deletions base/src/main/java/com/trackray/base/enums/WEBServer.java
Expand Up @@ -16,6 +16,7 @@ public enum WEBServer {
NGINX("nginx/"),
TOMCAT("Apache Tomcat"),
APACHE("The requested URL","Apache/"),
WEBLOGIC("Hypertext Transfer Protocol","From RFC 2068","unavailable and has no forwarding address"),
OTHER;
private List<String> keywords = new ArrayList<>();
WEBServer() {
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

@Plugin(title = "资产扫描" , author = "浅蓝")
//@Plugin(title = "资产扫描" , author = "浅蓝")
@Rule(enable = false , params = {
@Param(key = "domain",defaultValue = "baidu.com" , desc = "目标域名"),
@Param(key = "port",defaultValue = "true" , desc = "是否扫描端口"),
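Review bot: The `@Plugin` annotation is commented out rather than deleted, which leaves dead code above `@Rule(enable = false , params = {` with no explanation of why the plugin is no longer registered. Either remove the line or add a comment such as `// unregistered on purpose: <reason> — re-enable by restoring @Plugin` so the next reader knows whether this is temporary. The annotated class declaration continues outside the hunk.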
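--- /dev/null
+++ b/module/src/main/java/com/trackray/module/crawler/SQLErrorCrawler.java
@@ -0,0 +1,132 @@
+package com.trackray.module.crawler;
+
+import com.trackray.base.annotation.Plugin;
+import com.trackray.base.attack.Payload;
+import com.trackray.base.bean.Constant;
+import com.trackray.base.bean.Vulnerable;
+import com.trackray.base.plugin.CrawlerPlugin;
+import com.trackray.base.utils.PageUtils;
+import org.apache.commons.lang3.StringUtils;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Map;
+import java.util.Set;
+
+/**
+* @author 浅蓝
+* @email [email protected]
+* @since 2019/5/20 15:13
+*/
+@Plugin(title = "SQL报错信息插件" , author = "浅蓝")
+public class SQLErrorCrawler extends CrawlerPlugin{
+@Override
+public boolean check() {
+if (target.toString().matches(".*\\?.*=.*"))
+{
+return true;
+}
+return false;
+}
+
+public static String[] flags = {"Microsoft OLE","附近有语法错误","SqlException","your SQL syntax","SQLException","ORA-","语句的语法错误","后的引号不完整"};
+
+public static String[] payloads = {"'","\\","\""};
+
+@Override
+public void process() {
+
+String url = target.toString();
+URL u = target;
+String urlstring = this.urltoString(u);
+
+if (url.matches(Constant.Vuln.FILE_READ_VULN_REGEX)) {
+Vulnerable build = Vulnerable.builder()
+.title(Vulnerable.Type.FILE_OPERATION.getName())
+.address(url)
+.detail("该链接可能会存在文件读取/包含等漏洞")
+.level(Vulnerable.Level.HIGH.getLevel())
+.type(Vulnerable.Type.FILE_OPERATION.getType())
+.build();
+addVulnerable(build);
+}
+
+Map<String, String> param = PageUtils.getParam(u);
+Set<String> keys = param.keySet();
+Object[] karr = keys.toArray();
+for (String payload : payloads) {
+for (int i = 0; i < keys.size(); i++) {
+String key = (String) karr[i];
+StringBuffer path = new StringBuffer(urlstring.concat("?"));
+for (String k : keys) {
+String v = param.get(k);
+if (k.equals(key)) {
+path.append(k + ("="));
+path.append(v + (payload));
+path.append("&");
+} else {
+path.append(k + ("="));
+path.append(v);
+path.append("&");
+}
+}
+
+path.delete(path.lastIndexOf("&"), path.length());
+String content = "";
+try {
+requests.url(path.toString());
+content = requests.get().body();
+
+for (String flag : flags) {
+if (StringUtils.contains(content,flag)){
+
+addVulnerable(
+Vulnerable.builder()
+.type(Vulnerable.Type.SQL_INJECTION.getType())
+.level(Vulnerable.Level.MIDDLE.getLevel())
+.title("SQL 报错信息")
+.address(path.toString())
+.payload(path.toString())
+.build()
+);
+
+}
+}
+
+
+} catch (MalformedURLException e) {
+
+}
+}
+}
+
+
+}
+
+private String urltoString(URL u) {
+int len = u.getProtocol().length() + 1;
+if (u.getAuthority() != null && u.getAuthority().length() > 0)
+len += 2 + u.getAuthority().length();
+if (u.getPath() != null) {
+len += u.getPath().length();
+}
+if (u.getQuery() != null) {
+len += 1 + u.getQuery().length();
+}
+if (u.getRef() != null)
+len += 1 + u.getRef().length();
+
+StringBuffer result = new StringBuffer(len);
+result.append(u.getProtocol());
+result.append(":");
+if (u.getAuthority() != null && u.getAuthority().length() > 0) {
+result.append("//");
+result.append(u.getAuthority());
+}
+if (u.getPath() != null) {
+result.append(u.getPath());
+}
+return result.toString();
+}
+
+}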
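Review bot: The inner `for (String flag : flags)` loop in process() calls `addVulnerable(...)` once per matching flag on the same response body, so a single request can produce several identical findings for one URL (e.g. when more than one error signature appears in the page); add `break;` directly after the `addVulnerable(...)` call so each payload/parameter pair is reported at most once. The `catch (MalformedURLException e) { }` below it is empty and silently drops the case where the payload makes the URL unparseable — at minimum log it, or write `// payload makes this URL unparseable; skip this parameter` so the intent is explicit. `flags` and `payloads` are public static mutable arrays that any other class can overwrite at runtime; `private static final` (or unmodifiable `List<String>`) would close that off, and both `StringBuffer` instances can be `StringBuilder` since neither is shared between threads. In urltoString the computed `len` also counts the query and ref that are never appended, which is harmless but misleading; a comment or dropping those two terms would avoid the confusion.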
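--- /dev/null
+++ b/module/src/main/java/com/trackray/module/exploit/WeblogicFuzz.java
@@ -0,0 +1,241 @@
+package com.trackray.module.exploit;
+
+import com.trackray.base.annotation.Plugin;
+import com.trackray.base.bean.Result;
+import com.trackray.base.bean.Task;
+import com.trackray.base.bean.Vulnerable;
+import com.trackray.base.enums.WEBServer;
+import com.trackray.base.exploit.AbstractExploit;
+import net.sf.json.JSONArray;
+import org.apache.commons.lang3.StringUtils;
+import org.javaweb.core.net.HttpResponse;
+import org.javaweb.core.net.HttpURLRequest;
+
+import java.net.MalformedURLException;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+* @author 浅蓝
+* @email [email protected]
+* @since 2019/5/24 12:10
+*/
+@Plugin(title = "Weblogic 敏感路径扫描" , author = "浅蓝")
+public class WeblogicFuzz extends AbstractExploit{
+
+@Override
+public void attack(Task task) {
+for (String url : urls) {
+
+
+Runnable runnable = new Runnable() {
+@Override
+public void run() {
+
+try {
+String u = getTarget().concat(url);
+
+int statusCode = new HttpURLRequest().url(u).get().getStatusCode();
+
+if (statusCode>0&&statusCode != 404) {
+task.getResult().getSystemInfo().getDirs().put(u, statusCode);
+}
+
+} catch (MalformedURLException e) {
+}
+
+
+}
+};
+
+task.getExecutor().submit(runnable);
+
+}
+
+
+
+}
+
+@Override
+public boolean check(Result result) {
+
+if (result.getSystemInfo().getWebServer() == WEBServer.WEBLOGIC)
+return true;
+
+String url404 = getTarget().concat("/asdasdsad");
+
+String[] flag = {"Hypertext Transfer Protocol","From RFC 2068","unavailable and has no forwarding address"};
+
+try {
+HttpURLRequest url = requests.url(url404);
+HttpResponse response = url.get();
+
+String body = response.body();
+
+if (StringUtils.containsAny(body , flag)){
+this.getTask().getResult().getAdditional()
+.put("网站的WEB服务器","Weblogic");
+getTask().getResult().getSystemInfo().setWebServer(WEBServer.WEBLOGIC);
+return true;
+}
+
+} catch (MalformedURLException e) {
+}
+return false;
+}
+
+public static String[] urls = ("/AdminCaptureRootCA\n" +
+"/AdminClients\n" +
+"/AdminConnections\n" +
+"/AdminEvents\n" +
+"/AdminJDBC\n" +
+"/AdminLicense\n" +
+"/AdminMain\n" +
+"/AdminProps\n" +
+"/AdminRealm\n" +
+"/AdminThreads\n" +
+"/AdminVersion\n" +
+"/BizTalkServer\n" +
+"/Bootstrap\n" +
+"/Certificate\n" +
+"/Classpath/\n" +
+"/ConsoleHelp/\n" +
+"/ConsoleHelp\n" +
+"/DefaultWebApp\n" +
+"/HTTPClntClose\n" +
+"/HTTPClntLogin\n" +
+"/HTTPClntRecv\n" +
+"/HTTPClntSend\n" +
+"/LogfileSearch\n" +
+"/LogfileTail\n" +
+"/Login.jsp\n" +
+"/MANIFEST.MF\n" +
+"/META-INF\n" +
+"/SimpappServlet\n" +
+"/StockServlet\n" +
+"/T3AdminMain\n" +
+"/UniversityServlet\n" +
+"/WEB-INF\n" +
+"/WEB-INF./web.xml\n" +
+"/WEB-INF/web.xml\n" +
+"/WLDummyInitJVMIDs\n" +
+"/WebServiceServlet\n" +
+"/_tmp_war\n" +
+"/_tmp_war_DefaultWebApp\n" +
+"/a2e2gp2r2/x.jsp\n" +
+"/actions\n" +
+"/admin/login.do\n" +
+"/applet\n" +
+"/applications\n" +
+"/authenticatedy\n" +
+"/bea_wls_internal/classes/\n" +
+"/bea_wls_internal/WebServiceServlet\n" +
+"/bea_wls_internal/getior\n" +
+"/bea_wls_internal\n" +
+"/bea_wls_internal/HTTPClntSend\n" +
+"/bea_wls_internal/HTTPClntRecv\n" +
+"/bea_wls_internal/iiop/ClientSend\n" +
+"/bea_wls_internal/iiop/ClientRecv\n" +
+"/bea_wls_internal/iiop/ClientLogin\n" +
+"/bea_wls_internal/WLDummyInitJVMIDs\n" +
+"/bea_wls_internal/a2e2gp2r2/x.jsp\n" +
+"/bea_wls_internal/psquare/x.jsp\n" +
+"/bea_wls_internal/iiop/ClientClose\n" +
+"/beanManaged\n" +
+"/certificate\n" +
+"/classes\n" +
+"/classes/\n" +
+"/com\n" +
+"/common\n" +
+"/config\n" +
+"/console\n" +
+"/cookies\n" +
+"/default\n" +
+"/docs51\n" +
+"/domain\n" +
+"/drp-exports\n" +
+"/drp-publish\n" +
+"/dummy\n" +
+"/e2ePortalProject/Login.portal\n" +
+"/ejb\n" +
+"/ejbSimpappServlet\n" +
+"/error\n" +
+"/examplesWebApp/EJBeanManagedClient.jsp\n" +
+"/examplesWebApp/WebservicesEJB.jsp\n" +
+"/examplesWebApp/OrderParser.jsp?xmlfile=C:/bea/weblogic81/samples/server/examples/src/examples/xml/orderParser/order.xml\n" +
+"/examplesWebApp/index.jsp\n" +
+"/examplesWebApp/InteractiveQuery.jsp\n" +
+"/examplesWebApp/SessionServlet\n" +
+"/fault\n" +
+"/file\n" +
+"/file/\n" +
+"/fileRealm\n" +
+"/fileRealm.properties\n" +
+"/getior\n" +
+"/graphics\n" +
+"/helloKona\n" +
+"/helloWorld\n" +
+"/iiop/ClientClose\n" +
+"/iiop/ClientRecv\n" +
+"/iiop/ClientLogin\n" +
+"/iiop/ClientSend\n" +
+"/images\n" +
+"/index\n" +
+"/index.jsp\n" +
+"/internal\n" +
+"/jmssender\n" +
+"/jmstrader\n" +
+"/jspbuild\n" +
+"/jwsdir\n" +
+"/login.jsp\n" +
+"/manifest.mf\n" +
+"/mapping\n" +
+"/mydomain\n" +
+"/myservlet\n" +
+"/page\n" +
+"/patient/login.do\n" +
+"/patient/register.do\n" +
+"/phone\n" +
+"/physican/login.do\n" +
+"/portalAppAdmin/login.jsp\n" +
+"/properties\n" +
+"/proxy\n" +
+"/psquare/x.jsp\n" +
+"/public_html\n" +
+"/servlet\n" +
+"/servletimages\n" +
+"/servlets/\n" +
+"/session\n" +
+"/simpapp\n" +
+"/simple\n" +
+"/simpleFormServlet\n" +
+"/snoop\n" +
+"/survey\n" +
+"/system\n" +
+"/taglib-uri\n" +
+"/uddi\n" +
+"/uddi/uddilistener\n" +
+"/uddiexplorer\n" +
+"/uddilistener\n" +
+"/utils\n" +
+"/web\n" +
+"/web.xml\n" +
+"/weblogic\n" +
+"/weblogic.properties\n" +
+"/weblogic.xml\n" +
+"/webservice\n" +
+"/webshare\n" +
+"/wl_management_internal2/FileDistribution\n" +
+"/wl_management_internal2/Bootstrap\n" +
+"/wl_management_internal2/Admin\n" +
+"/wl_management_internal2/wl_management\n" +
+"/wl_management_internal1/LogfileTail\n" +
+"/wl_management_internal1/LogfileSearch\n" +
+"/wl_management_internal1\n" +
+"/wl_management\n" +
+"/wl_management_internal2\n" +
+"/wliconsole\n" +
+"/_async/AsyncResponseService\n"+
+"/wls-wsat/CoordinatorPortType\n"+
+"/wlserver\n").split("\n");
+}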
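Review bot: attack() submits one Runnable per entry in `urls` to `task.getExecutor()`, and each of them writes into `task.getResult().getSystemInfo().getDirs()` from its own worker thread; unless that map is a concurrent implementation (its declared type is not visible in this commit) those `put(u, statusCode)` calls race and can lose entries, so either back it with a `ConcurrentHashMap` or collect the status codes locally and merge them on the calling thread. The `catch (MalformedURLException e) { }` blocks in both attack() and check() are empty and silently discard failures; log them or add a comment stating why they are intentionally ignored. The local `flag` array in check() repeats the three keyword strings this same commit adds to `WEBServer.WEBLOGIC`, so the two lists can drift apart; reading them from the enum (if it exposes an accessor for `keywords`) would keep a single source of truth. `urls` is a public static mutable array that any caller can overwrite; `private static final String[]` or an unmodifiable `List<String>` would prevent that.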
