A powerful Web Vulnerability scanning and verification tools （Vulmap）

Preface

One 、Vulmap

Vulmap It's a powerful Web Vulnerability scanning and verification tools , This tool can be used for Web Containers 、Web The server 、Web Middleware and CMS etc. Web The program scans for vulnerabilities , And it has the function of vulnerability exploitation . Security researchers can use Vulmap Detect whether the target has specific vulnerabilities , And you can use the vulnerability exploitation function to verify whether the vulnerability really exists .

Vulmap There is currently vulnerability scanning (poc) And exploit (exp) Pattern , Use ”-m” Select now to specify which mode to use , Default is default poc Pattern , stay poc Mode also supports ”-f” Batch target scanning 、”-o” File output results and other main functions , For more functions, see options perhaps python3 vulmap.py -h, Exploit exp Mode will no longer provide poc function , But directly exploit vulnerabilities , And feed back the utilization results , Used to further verify whether the vulnerability exists , Whether it can be used .

Two 、 Tool installation

First , We need to install and configure in the local system Python 3 Environmental Science , We recommend using Python 3.7 Or later .

The majority of researchers can use the following command to clone the source code of the project to local , And complete the installation and configuration of dependent components and tools ：

git clone https://github.com/zhzyker/vulmap.git
# Dependent environment for installation
pip install -r requirements.txt
#Linux & MacOS & Windows
python vulmap.py -u http://example.com

3、 ... and 、 Tool options

Optional parameters :

-h, --help Display this help message and exit

-u URL, --url URL The goal is URL ( Example : -u “http://example.com”)

-f FILE, --file FILE Select a target list file , Every url Lines must be used to distinguish ( Example : -f “/home/user/list.txt”)

-m MODE, --mode MODE Mode support “poc” and “exp”, You can omit this option , Default entry “poc” Pattern

-a APP, --app APP Appoint Web Containers 、Web The server 、Web Middleware or CMD（ for example : “weblogic”） If not specified, all will be scanned by default

-c CMD, --cmd CMD Customize the commands executed by remote command execution , The default is echo

-v VULN, --vuln VULN Exploit loopholes , You need to specify the vulnerability number ( Example : -v “CVE-2020-2729”)

-o, --output FILE Text mode output results ( Example : -o “result.txt”)

–list Displays a list of supported vulnerabilities

–debug Debug Pattern , Will be displayed request and responses

–delay DELAY Delay Time , How often is it sent , Default 0s

–timeout TIMEOUT Timeout time , Default 10s

Four 、 Sample tool use

Test all vulnerabilities PoC：

python3 vulmap.py -u http://example.com

in the light of RCE Loophole , Custom command detection for vulnerabilities , For example, it is used for vulnerabilities that do not show up DNSlog：

python3 vulmap.py -u http://example.com -c “ping xxx.xxx”

Check http://example.com Whether there is struts2 Loophole ：

python3 vulmap.py -u http://example.com -a struts2
python3 vulmap.py -u http://example.com -m poc -a struts2

Yes http://example.com:7001 Conduct WebLogic Of CVE-2019-2729 Exploit ：

python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729
python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729

Batch scan list.txt Medium url：

python3 vulmap.py -f list.txt

The scanning results are exported to result.txt：

python3 vulmap.py -u http://example.com:7001 -o result.txt

5、 ... and 、 List of supported vulnerabilities

8.5.3 (except 8.4.8) drupalgeddon2 rce |

| Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |

| Elasticsearch | CVE-2014-3120 | Y | Y | < 1.2, elasticsearch remote code execution |

| Elasticsearch | CVE-2015-1427 | Y | Y | 1.4.0 < 1.4.3, elasticsearch remote code execution |

| Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |

| Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |

| Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability |

| Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |

| Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |

| Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |

| Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |

| Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |

| Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |

| Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |

| Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |

| Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |

| Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |

| Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |

| RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |

| RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |

| RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |

| ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |

| ThinkPHP | CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |

±------------------±-----------------±----±----±------------------------------------------------------------+

summary

Today, I have summarized the powerful Web Vulnerability scanning and verification tools vulmap, You can use it more often .