Vulmap is a web vulnerability scanning and verification tool: it scans webapps for vulnerabilities and can also exploit the ones it finds.

Overview

🌟 Vulmap - Web vulnerability scanning and verification tools


[Click here for the English Version]

Vulmap is a web vulnerability scanning and verification tool. It scans webapps for vulnerabilities and can also exploit them. Currently supported webapps: activemq, flink, shiro, solr, struts2, tomcat, unomi, drupal, elasticsearch, fastjson, jenkins, nexus, weblogic, jboss, spring, thinkphp.

Vulmap combines vulnerability scanning with verification (exploitation), so that a tester can move straight on to the next step once a vulnerability has been found. The tool aims to be efficient and convenient:
Efficient: batch scanning and Fofa/Shodan batch scanning were added step by step during development; multithreading is supported and coroutines are enabled by default, so large numbers of assets are scanned as fast as possible.
Convenient: a vulnerability can be exploited as soon as it is found, and the results of large scans can be exported in several formats.

🛒 Installation

Python 3 must be installed on the system; Python 3.8 or later is recommended.

# clone with git, or download the source from the releases page
git clone https://github.com/zhzyker/vulmap.git
# install the required python dependencies
pip3 install -r requirements.txt
# Linux & MacOS & Windows
python3 vulmap.py -u http://example.com

Configuring the Fofa API, Shodan API and Ceye

To use Fofa or Shodan, edit the configuration values in vulmap.py:

# replace xxxxxxxxxx with your fofa e-mail address
globals.set_value("fofa_email", "xxxxxxxxxx")
# replace xxxxxxxxxx with your fofa key
globals.set_value("fofa_key", "xxxxxxxxxx")
# replace xxxxxxxxxx with your own shodan key
globals.set_value("shodan_key", "xxxxxxxxxx")
# replace xxxxxxxxxx with your own ceye domain
globals.set_value("ceye_domain", "xxxxxxxxxx")
# replace xxxxxxxxxx with your own ceye token
globals.set_value("ceye_token", "xxxxxxxxxx")

📺 Video demo

YouTube: https://www.youtube.com/watch?v=g4czwS1Snc4
Bilibili: https://www.bilibili.com/video/BV1Fy4y1v7rd
Gif: https://github.com/zhzyker/vulmap/blob/main/images/vulmap-0.5-demo-gif.gif

🔥 Release 0.6

  1. Improved output; added json output in the same format as xray.
  2. Added fastjson and spring vulnerability scanning and exploitation.
  3. Introduced ceye to detect rce vulnerabilities that produce no echo.
  4. Added fofa api and shodan api batch scanning.
  5. Refactored the poc module; vulmap is now modular.
  6. Added automatic fingerprinting.
  7. Replaced the echo command with a random md5.

🙋 Discussion

[QR code image]

🔧 Options

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     target URL (e.g. -u "http://example.com")
  -f FILE, --file FILE  select a target list file, one url per line (e.g. -f "/home/user/list.txt")
  --fofa keyword        batch scan using the fofa api (e.g. --fofa "app=Apache-Shiro")
  --shodan keyword      batch scan using the shodan api (e.g. --shodan "Shiro")
  -m MODE, --mode MODE  mode, "poc" or "exp"; may be omitted, defaults to "poc"
  -a APP [APP ...]      specify the webapps (e.g. "weblogic"); if omitted, the target is fingerprinted automatically
  -c CMD, --cmd CMD     custom command for remote command execution; default is echo of a random md5
  -v VULN, --vuln VULN  exploit a vulnerability; the vulnerability id is required (e.g. -v "CVE-2019-2729")
  -t NUM, --thread NUM  number of scanning threads, default 10
  --output-text file    export scan results to a txt file (e.g. "result.txt")
  --output-json file    export scan results to a json file (e.g. "result.json")
  --proxy-socks SOCKS   use a socks proxy (e.g. --proxy-socks 127.0.0.1:1080)
  --proxy-http HTTP     use an http proxy (e.g. --proxy-http 127.0.0.1:8080)
  --user-agent UA       custom User-Agent
  --fofa-size SIZE      number of assets fetched from the fofa api, default 100 (1-10000)
  --delay DELAY         delay between requests, default 0s
  --timeout TIMEOUT     request timeout, default 5s
  --list                display the list of supported vulnerabilities
  --debug               exp mode: show requests and responses; poc mode: show the list of vulnerabilities being scanned

🐾 Examples

# test all vulnerability pocs; without -a, fingerprinting is enabled by default
python3 vulmap.py -u http://example.com

# check whether the site has struts2 vulnerabilities
python3 vulmap.py -u http://example.com -a struts2

# exploit WebLogic CVE-2019-2729 against http://example.com:7001
python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729
python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729

# batch scan the urls in list.txt
python3 vulmap.py -f list.txt

# export the scan results to result.json
python3 vulmap.py -u http://example.com:7001 --output-json result.json

# batch scan using the fofa api
python3 vulmap.py --fofa app=Apache-Shiro

🍵 Vulnerability List

Supported vulnerabilities:
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Target type       | Vuln Name        | Poc | Exp | Impact Version && Vulnerability description                 |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Apache ActiveMQ   | CVE-2015-5254    |  Y  |  N  | < 5.13.0, deserialization remote code execution             |
 | Apache ActiveMQ   | CVE-2016-3088    |  Y  |  Y  | < 5.14.0, http put&move upload webshell                     |
 | Apache Flink      | CVE-2020-17518   |  Y  |  N  | < 1.11.3 or < 1.12.0, upload path traversal                 |
 | Apache Flink      | CVE-2020-17519   |  Y  |  Y  | 1.5.1 - 1.11.2, 'jobmanager/logs' path traversal            |
 | Apache Shiro      | CVE-2016-4437    |  Y  |  Y  | <= 1.2.4, shiro-550, rememberme deserialization rce         |
 | Apache Solr       | CVE-2017-12629   |  Y  |  Y  | < 7.1.0, runexecutablelistener rce & xxe, only rce is here  |
 | Apache Solr       | CVE-2019-0193    |  Y  |  N  | < 8.2.0, dataimporthandler module remote code execution     |
 | Apache Solr       | CVE-2019-17558   |  Y  |  Y  | 5.0.0 - 8.3.1, velocity response writer rce                 |
 | Apache Struts2    | S2-005           |  Y  |  Y  | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce   |
 | Apache Struts2    | S2-008           |  Y  |  Y  | 2.0.0 - 2.3.17, debugging interceptor rce                   |
 | Apache Struts2    | S2-009           |  Y  |  Y  | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce         |
 | Apache Struts2    | S2-013           |  Y  |  Y  | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce        |
 | Apache Struts2    | S2-015           |  Y  |  Y  | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce        |
 | Apache Struts2    | S2-016           |  Y  |  Y  | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce          |
 | Apache Struts2    | S2-029           |  Y  |  Y  | 2.0.0 - 2.3.24.1, ognl interpreter rce                      |
 | Apache Struts2    | S2-032           |  Y  |  Y  | 2.3.20-28, cve-2016-3081 rce can be performed via method    |
 | Apache Struts2    | S2-045           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-046           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-048           |  Y  |  Y  | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce             |
 | Apache Struts2    | S2-052           |  Y  |  Y  | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce  |
 | Apache Struts2    | S2-057           |  Y  |  Y  | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce  |
 | Apache Struts2    | S2-059           |  Y  |  Y  | 2.0.0 - 2.5.20, cve-2019-0230 ognl interpreter rce          |
 | Apache Struts2    | S2-061           |  Y  |  Y  | 2.0.0-2.5.25, cve-2020-17530 ognl interpreter rce           |
 | Apache Struts2    | S2-devMode       |  Y  |  Y  | 2.1.0 - 2.5.1, devmode remote code execution                |
 | Apache Tomcat     | Examples File    |  Y  |  N  | all version, /examples/servlets/servlet                     |
 | Apache Tomcat     | CVE-2017-12615   |  Y  |  Y  | 7.0.0 - 7.0.81, put method any files upload                 |
 | Apache Tomcat     | CVE-2020-1938    |  Y  |  Y  | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read  |
 | Apache Unomi      | CVE-2020-13942   |  Y  |  Y  | < 1.5.2, apache unomi remote code execution                 |
 | Drupal            | CVE-2018-7600    |  Y  |  Y  | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution          |
 | Drupal            | CVE-2018-7602    |  Y  |  Y  | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce            |
 | Drupal            | CVE-2019-6340    |  Y  |  Y  | < 8.6.10, drupal core restful remote code execution         |
 | Elasticsearch     | CVE-2014-3120    |  Y  |  Y  | < 1.2, elasticsearch remote code execution                  |
 | Elasticsearch     | CVE-2015-1427    |  Y  |  Y  | < 1.3.7, < 1.4.3, elasticsearch remote code execution       |
 | Fastjson          | 1.2.24           |  Y  |  Y  | <= 1.2.24 fastjson parse object remote code execution       |
 | Fastjson          | 1.2.47           |  Y  |  Y  | <= 1.2.47 fastjson autotype remote code execution           |
 | Fastjson          | 1.2.62           |  Y  |  Y  | <= 1.2.24 fastjson autotype remote code execution           |
 | Jenkins           | CVE-2017-1000353 |  Y  |  N  | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution    |
 | Jenkins           | CVE-2018-1000861 |  Y  |  Y  | <= 2.153, LTS <= 2.138.3, remote code execution             |
 | Nexus OSS/Pro     | CVE-2019-7238    |  Y  |  Y  | 3.6.2 - 3.14.0, remote code execution vulnerability         |
 | Nexus OSS/Pro     | CVE-2020-10199   |  Y  |  Y  | 3.x <= 3.21.1, remote code execution vulnerability          |
 | Oracle Weblogic   | CVE-2014-4210    |  Y  |  N  | 10.0.2 - 10.3.6, weblogic ssrf vulnerability                |
 | Oracle Weblogic   | CVE-2017-3506    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2017-10271   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2018-2894    |  Y  |  Y  | 12.1.3.0, 12.2.1.2-3, deserialization any file upload       |
 | Oracle Weblogic   | CVE-2019-2725    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2019-2729    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2020-2551    |  Y  |  N  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |
 | Oracle Weblogic   | CVE-2020-2555    |  Y  |  Y  | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce  |
 | Oracle Weblogic   | CVE-2020-2883    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |
 | Oracle Weblogic   | CVE-2020-14882   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce     |
 | RedHat JBoss      | CVE-2010-0738    |  Y  |  Y  | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |
 | RedHat JBoss      | CVE-2010-1428    |  Y  |  Y  | 4.2.0 - 4.3.0, web-console deserialization any files upload |
 | RedHat JBoss      | CVE-2015-7501    |  Y  |  Y  | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |
 | Spring Data       | CVE-2018-1273    |  Y  |  Y  | 1.13 - 1.13.10, 2.0 - 2.0.5, spring data commons rce        |
 | Spring Cloud      | CVE-2019-3799    |  Y  |  Y  | 2.1.0-2.1.1, 2.0.0-2.0.3, 1.4.0-1.4.5, directory traversal  |
 | ThinkPHP          | CVE-2019-9082    |  Y  |  Y  | < 3.2.4, thinkphp rememberme deserialization rce            |
 | ThinkPHP          | CVE-2018-20062   |  Y  |  Y  | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce  |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+

🐟 Docker

docker build -t vulmap/vulmap .
docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com

Comments
  • Going to error in new

    [email protected]:~/tools/vulmap# python3 vulmap.py -u https://paypal.com
    Traceback (most recent call last):
      File "vulmap.py", line 8, in <module>
        from gevent import monkey;monkey.patch_all()
      File "/usr/local/lib/python3.6/dist-packages/gevent/monkey.py", line 1214, in patch_all
        _notify_patch(events.GeventWillPatchAllEvent(modules_to_patch, kwargs), _warnings)
      File "/usr/local/lib/python3.6/dist-packages/gevent/monkey.py", line 185, in _notify_patch
        notify_and_call_entry_points(event)
      File "/usr/local/lib/python3.6/dist-packages/gevent/events.py", line 104, in notify_and_call_entry_points
        subscriber = plugin.load()
      File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2323, in load
        self.require(*args, **kwargs)
      File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2346, in require
        items = working_set.resolve(reqs, env, installer, extras=self.extras)
      File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 783, in resolve
        raise VersionConflict(dist, req).with_context(dependent_req)
    pkg_resources.VersionConflict: (psutil 5.6.7 (/usr/local/lib/python3.6/dist-packages), Requirement.parse('psutil>=5.7.0; sys_platform != "win32" or platform_python_implementation == "CPython" and extra == "monitor"'))
    [email protected]:~/tools/vulmap

    opened by shelu16 4
  • pip install -r requirement.txt fails

    pip install -r requirement.txt fails, python-3.9

    Building wheels for collected packages: lxml
      Building wheel for lxml (setup.py) ... error
      ERROR: Command errored out with exit status 1:
           cwd: /tmp/pip-install-iq38rq57/lxml/
      Complete output (731 lines):
      Building lxml version 4.3.2.
      Building without Cython.
      Using build configuration of libxslt 1.1.32
      running bdist_wheel
      running build
      running build_py

    opened by xiagw 3
  • where is the exploit module?

    py -3 vulmap.py --help

    usage: python3 vulmap [options]

    target: you must to specify target
      -u URL, --url URL      target URL (e.g. -u "http://example.com")
      -f FILE, --file FILE   select a target list file (e.g. -f "list.txt")
      --fofa keyword         call fofa api to scan (e.g. --fofa "app=Apache-Shiro")
      --shodan keyword       call shodan api to scan (e.g. --shodan "Shiro")

    mode: options vulnerability scanning or exploit mode
      -a APP [APP ...]       specify webapps (e.g. -a "tomcat") allow multiple

    general: general options
      -h, --help             show this help message and exit
      -t NUM, --thread NUM   number of scanning function threads, default 10 threads
      --dnslog server        dnslog server (hyuga,dnslog,ceye) default automatic
      --output-text file     result export txt file (e.g. "result.txt")
      --output-json file     result export json file (e.g. "result.json")
      --proxy-socks SOCKS    socks proxy (e.g. --proxy-socks 127.0.0.1:1080)
      --proxy-http HTTP      http proxy (e.g. --proxy-http 127.0.0.1:8080)
      --fofa-size SIZE       fofa query target number, default 100 (1-10000)
      --user-agent UA        you can customize the user-agent headers
      --delay DELAY          delay check time, default 0s
      --timeout TIMEOUT      scan timeout time, default 10s
      --list                 display the list of supported vulnerabilities
      --debug                exp echo request and responses, poc echo vuln lists
      --check                survival check (on and off), default on

    support: types of vulnerability scanning: all, activemq, flink, shiro, solr, struts2, tomcat, unomi, drupal,
      elasticsearch, fastjson, jenkins, laravel, nexus, weblogic, jboss, spring, thinkphp, druid, exchange, nodejs,
      saltstack, vmware, bigip, ofbiz, coremail, ecology, eyou, qianxin, ruijie

    examples:
      python3 vulmap.py -u http://example.com
      python3 vulmap.py -u http://example.com -a struts2
      python3 vulmap.py -f list.txt -a weblogic -t 20
      python3 vulmap.py -f list.txt --output-json results.json
      python3 vulmap.py --fofa "app=Apache-Shiro"

    opened by IMnewer 2
  • Target not recognized

    Ran python3 vulmap.py -u http://192.168.31.97:8080/

    Output:
    [09:56:52] [INFO] Currently the latest version: 0.7
    [09:57:04] [INFO] Start scanning target: http://192.168.31.97:8080/
    [09:57:17] [INFO] Unable to identify target, Run all pocs
    [09:57:51] [INFO] Scan completed and ended

    Why can't it identify the target? My python version is 3.6.8; does that matter?

    opened by 1248484417 2
  • False positives in vulnerability detection

    The pocs use an echo + md5 payload for detection and treat the vulnerability as present when those values appear in the returned page. This causes false positives for some components. Test code:

    <?php
    echo 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    echo file_get_contents("php://input");
    ?>

    False positive:

    [screenshot]

    For command execution, commands such as expr or set give fewer false positives.

    For code execution, computing the md5 directly gives a lower false positive rate: echo md5("xxx");

    opened by aStrowxyu 2
  • Possible bug in the poc check logic

    My target has the s2-045 vulnerability.

    Note this line in the debug output: [INFO] Start scanning target: http://192.168.200.132:8080/struts2-showcase. The trailing / of the url is dropped by the program, so the vulnerability is not detected.

    [screenshot]

    Resending the request with burp:

    [screenshots]

    opened by ChenYun4164 2
  • ApacheStruts2.py S2-045 poc has an error

        self.headers2 = {
            'User-Agent': self.ua,
            'Content-Type': self.payload_s2_045.replace("RECOMMAND", cmd)
        }
        try:
            self.req = requests.get(self.url, headers=self.headers1, timeout=self.timeout, verify=False)
            if r"54289" in self.request.headers['FUCK']:

    self.req should be self.request

    opened by shadow1ng 2
  • CVE-2020-2555 and CVE-2020-2883 POC is only checking on version

    The POC check for CVE-2020-2555 and CVE-2020-2883 is only checking the weblogic version number, not whether the target is actually vulnerable.

    So even with the latest patches or giop/t3 disabled, the poc scan shows that the target is vulnerable.

    opened by siriusnlz 2
  • A small problem with pip3 install

    ERROR: Command errored out with exit status 1:
       command: /usr/bin/python3 /usr/local/lib/python3.6/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-jzgza5un/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i http://mirrors.tencentyun.com/pypi/simple --trusted-host mirrors.tencentyun.com -- 'setuptools >= 40.8.0' wheel 'Cython >= 3.0a5' 'cffi >= 1.12.3 ; platform_python_implementation == '"'"'CPython'"'"'' 'greenlet >= 0.4.17, < 2.0 ; platform_python_implementation == '"'"'CPython'"'"''
           cwd: None
      Complete output (31 lines):
      Traceback (most recent call last):
        File "/usr/lib64/python3.6/runpy.py", line 193, in _run_module_as_main
          "__main__", mod_spec)
        File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
          exec(code, run_globals)
        File "/usr/local/lib/python3.6/site-packages/pip/__main__.py", line 26, in <module>
          sys.exit(_main())
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/cli/main.py", line 73, in main
          command = create_command(cmd_name, isolated=("--isolated" in cmd_args))
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/commands/__init__.py", line 105, in create_command
          module = importlib.import_module(module_path)
        File "/usr/lib64/python3.6/importlib/__init__.py", line 126, in import_module
          return _bootstrap._gcd_import(name[level:], package, level)
        File "<frozen importlib._bootstrap>", line 994, in _gcd_import
        File "<frozen importlib._bootstrap>", line 971, in _find_and_load
        File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
        File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
        File "<frozen importlib._bootstrap_external>", line 678, in exec_module
        File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/commands/install.py", line 17, in <module>
          from pip._internal.cli.req_command import RequirementCommand, with_cleanup
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/cli/req_command.py", line 23, in <module>
          from pip._internal.req.constructors import (
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/req/__init__.py", line 10, in <module>
          from .req_install import InstallRequirement
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/req/req_install.py", line 10, in <module>
          import uuid
        File "/usr/local/lib/python3.6/site-packages/uuid.py", line 138
          if not 0 <= time_low < 1<<32L:
                                      ^
      SyntaxError: invalid syntax
      ----------------------------------------
    ERROR: Command errored out with exit status 1: /usr/bin/python3 /usr/local/lib/python3.6/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-jzgza5un/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i http://mirrors.tencentyun.com/pypi/simple --trusted-host mirrors.tencentyun.com -- 'setuptools >= 40.8.0' wheel 'Cython >= 3.0a5' 'cffi >= 1.12.3 ; platform_python_implementation == '"'"'CPython'"'"'' 'greenlet >= 0.4.17, < 2.0 ; platform_python_implementation == '"'"'CPython'"'"'' Check the logs for full command output.
    

    centos x64; installing with pip3 on kali gives no error, but when running the project:

    <frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
    
    opened by mcblog 2
  • TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

    Running the program gives an error; both version 0.2 and version 0.1 have this error.

    Traceback (most recent call last):
      File "vulmap.py", line 7609, in <module>
        cmdlineparser(sys.argv)
      File "vulmap.py", line 7568, in cmdlineparser
        Target.allvuln_url(args.url)
      File "vulmap.py", line 7337, in allvuln_url
        Start.allvulnscan(self)
      File "vulmap.py", line 7126, in allvulnscan
        Start.apache_solr(self)
      File "vulmap.py", line 7139, in apache_solr
        PocApacheSolr.cve_2019_0193()
      File "vulmap.py", line 331, in cve_2019_0193
        self.solrhost = self.hostname+":"+str(self.port)
    TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'
    
    opened by xiaofeng9527 2
  • There are some false positives in cve-2018-7602

    In the course of testing, I found that there are false positives in cve-2018-7602. Please try using "python3 vulmap -u http://baidu.com". In addition, can you write a python file for each vulnerability, just like your exphub project? Danke.

    opened by ghost 2
  • Proxy problem

    Hello, when using a proxy it throws: Proxy URL had no scheme, should start with http:// or https://. The same happens with the proxy turned off. Then I used --proxy-http http://127.0.0.1 and got another error: ValueError: invalid literal for int() with base 10: '//127.0.0.1:10810'

    opened by vFREE-1 1
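Three of the reports above are one family of input-parsing bugs: the trailing slash dropped from the S2-045 target path, the TypeError when a scheme-less target leaves hostname as None, and the proxy argument that is parsed as host:port even when given with a scheme. As an added illustration (not Vulmap's own code), the hypothetical normalize_target and normalize_proxy helpers below accept the input forms the options section documents (ip, ip:port, full URL, proxy with or without a scheme) using only the standard library, and keep the path exactly as typed.

```python
"""Added example (not Vulmap's own code): target and proxy argument parsing
that avoids the three failure modes reported in the issues above.

  * "1.2.3.4:8080" or "example.com" (no scheme): urlsplit() gives hostname None,
    so hostname + ":" + port raises TypeError; prepend a default scheme first.
  * "http://host:8080/struts2-showcase/": the trailing "/" must survive, because
    a PoC whose request path differs from the app's mapping simply misses.
  * "--proxy-http http://127.0.0.1:10810": splitting on ":" and int()-ing the
    remainder raises ValueError; a proxy may be given with or without a scheme.

normalize_target() and normalize_proxy() are hypothetical names.
"""
from urllib.parse import urlsplit, urlunsplit

TARGET_SCHEMES = ("http", "https")
PROXY_SCHEMES = ("http", "https", "socks4", "socks5", "socks5h")


def _with_scheme(raw: str, default_scheme: str) -> str:
    """Prepend a scheme when none is given. urlsplit("host:8080") would
    otherwise treat "host" as the scheme, and "1.2.3.4:8080" as a bare path."""
    raw = raw.strip()
    return raw if "://" in raw else f"{default_scheme}://{raw}"


def normalize_target(raw: str, default_scheme: str = "http") -> dict:
    """Parse a target given as ip, ip:port, host/path/ or a full URL.

    Returns scheme, host, port (explicit, or the scheme default) and the path
    exactly as typed ("/" when empty), plus the rebuilt URL to request.
    """
    parts = urlsplit(_with_scheme(raw, default_scheme))
    if parts.scheme not in TARGET_SCHEMES:
        raise ValueError(f"unsupported target scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError(f"target has no host: {raw!r}")
    port = parts.port  # .port itself raises ValueError on a non-numeric port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    path = parts.path or "/"
    # Rebuild from components rather than by string slicing, so the path and
    # query the user supplied are carried through unchanged.
    url = urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "path": path, "url": url}


def normalize_proxy(raw: str, kind: str) -> dict:
    """Build a requests-style proxies dict from "host:port" or "scheme://host:port".

    kind is "http" (--proxy-http) or "socks" (--proxy-socks); a bare host:port
    gets the matching default scheme. socks5h resolves names through the proxy,
    so target hostnames are not leaked to the local resolver.
    """
    default_scheme = {"http": "http", "socks": "socks5h"}[kind]
    parts = urlsplit(_with_scheme(raw, default_scheme))
    if parts.scheme not in PROXY_SCHEMES:
        raise ValueError(f"unsupported proxy scheme: {parts.scheme!r}")
    if not parts.hostname or parts.port is None:
        raise ValueError(f"proxy must be given as host:port, got {raw!r}")
    proxy_url = f"{parts.scheme}://{parts.netloc}"
    return {"http": proxy_url, "https": proxy_url}


if __name__ == "__main__":
    # Constructed sample inputs, matching the forms seen in the issues above.
    for sample in ("192.168.200.132:8080/struts2-showcase/", "example.com",
                   "https://example.com", "http://example.com:7001"):
        print(sample, "->", normalize_target(sample))
    print(normalize_proxy("127.0.0.1:1080", "socks"))
    print(normalize_proxy("http://127.0.0.1:10810", "http"))
```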
  • Error from the second launch onwards, python 3.11 environment

      File "C:\Users\KC\Desktop\vulmap\vulmap.py", line 10, in <module>
        from module.allcheck import version_check
      File "C:\Users\KC\Desktop\vulmap\module\allcheck.py", line 4, in <module>
        import requests
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\__init__.py", line 58, in <module>
        from . import utils
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\utils.py", line 26, in <module>
        from .compat import parse_http_list as _parse_list_header
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\compat.py", line 7, in <module>
        from .packages import chardet
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\__init__.py", line 3, in <module>
        from . import urllib3
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\__init__.py", line 10, in <module>
        from .connectionpool import (
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\connectionpool.py", line 38, in <module>
        from .response import HTTPResponse
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\response.py", line 9, in <module>
        from ._collections import HTTPHeaderDict
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\_collections.py", line 1, in <module>
        from collections import Mapping, MutableMapping
    ImportError: cannot import name 'Mapping' from 'collections' (C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\collections\__init__.py)
    
    opened by kcloveworld 1
Releases(v0.9)
  • v0.9(Sep 1, 2021)

  • v0.8(Aug 22, 2021)

    • 支持扫描 dismap 识别结果文件 -f output.txt
    • 种类新增 coremail, ecology, eyou, qianxin, ruijie 漏洞
    • POC新增 Apache OFBiz CVE-2021-29200 CVE-2021-30128
    • POC新增 Apache Solr CVE-2021-27905
    • POC新增 Fastjson 回显 VER-1224-2 VER-1224-3
    • POC新增 Oracle Weblogic CVE-2016-0638 CVE-2018-3191 CVE-2019-2890

    • Support scanning dismap recognition result file -f output.txt
    • Added coremail, ecology, eyou, qianxin, ruijie vulnerabilities in categories
    • POC added Apache OFBiz CVE-2021-29200 CVE-2021-30128
    • POC added Apache Solr CVE-2021-27905
    • POC added Fastjson echo VER-1224-2 VER-1224-3
    • POC added Oracle Weblogic CVE-2016-0638 CVE-2018-3191 CVE-2019-2890
    Source code(tar.gz)
    Source code(zip)
  • v0.7(Apr 8, 2021)

    • 改用三个Dnslog轮询,感谢@Buzz2d0提供的hyuga.co
    • 内置大部分Python第三方依赖库
    • 常规RCE的极致误报处理
    • 优化结果,显示,参数等功能模块
    • 新增多个PoC包括Exchange, Vmware, BIG-IP, Druid, Laravel, Saltstack, Node.JS等
    • 修复多个遗留bug

    • Use three Dnslog polls instead, thanks to hyuga.co provided by @Buzz2d0
    • Built-in most Python third-party dependency libraries
    • The extreme false alarm handling of conventional RCE
    • Optimization results, display, parameters and other functional modules
    • Added multiple PoCs including Exchange, Vmware, BIG-IP, Druid, Laravel, Saltstack, Node.JS, etc.
    • Fix multiple remaining bugs
    Source code(tar.gz)
    Source code(zip)
  • v0.6(Feb 5, 2021)

    • 优化输出, 新增 json 输出, 格式与 xray 一致.
    • 新增 fastjson 和 spring 漏洞扫描和利用.
    • 引入 ceye 检测无回显 rce 漏洞.
    • 添加 fofa api 和 shodan api 批量扫描.
    • 重构 poc 模块, 重构 vulmap 变为模块化.
    • 新添自动指纹识别.
    • 替换echo命令为随机md5

    • Optimize output, add json output, the format is consistent with xray.
    • Added fastjson and spring vulnerability scanning and exploitation.
    • Introduce ceye to detect the rce vulnerability without echo.
    • Add fofa api and shodan api batch scanning.
    • Refactored the poc module and refactored vulmap to become modular.
    • Added automatic fingerprint recognition.
    • Replace the echo command with random md5
    Source code(tar.gz)
    Source code(zip)
  • v0.5(Jan 8, 2021)

    • 新增多线程扫描,默认10线程,可自定义,默认开启协程(扫描变得非常快就对了)
    • 支持添加代理扫描,支持socks和http代理
    • 可自定义User-Agent
    • 又改动--debug, exp模式开debug显示request和responses, poc模式显示扫描漏洞列表
    • CVE-2016-4437 Apache Shiro新增三个回显gadget(共6个),key增至5个
    • 新增Apache Flink CVE-2020-17518 & CVE-2020-17519
    • 优化批量扫描和输出

    • Newly increased thread scanning, default 10 threads, customizable, open coroutine by default (scanning becomes very fast, right)
    • Support adding proxy scanning, support socks and http proxy
    • Customizable User-Agent
    • Another change --debug, open debug in exp mode to display requests and responses, poc mode to display the list of scan vulnerabilities
    • CVE-2016-4437 Apache Shiro added three echo gadgets (6 in total), and the key increased to 5
    • Added Apache Flink CVE-2020-17518 & CVE-2020-17519
    • Optimize batch scanning and output
    Source code(tar.gz)
    Source code(zip)
  • 0.4(Dec 14, 2020)

    • 新增 ActiveMQ CVE-2015-5254
    • 新增 ActiveMQ CVE-2016-3088
    • 新增 Apache Struts2 S2-061
    • 新增 Apache Unomi CVE-2020-13942
    • 新增 Elasticsearch CVE-2014-3120
    • 新增 Elasticsearch CVE-2015-1427
    • 优化程序滚动输出
    • 增加了URL存活检测
    • 添加了URL格式检测和拼接,支持ip:port,ip
    • 优化了--output输出格式
    • 修复多个struts2误报
    • 重构--debug功能,为配合-v使用显示requests和reponse
    • 修复多个小问题
    Source code(tar.gz)
    Source code(zip)
  • v0.3(Nov 7, 2020)

    • Added Weblogic CVE-2020-14882
    • Added Weblogic CVE-2020-2883
    • Added Weblogic CVE-2020-2555
    • Added Drupal CVE-2019-6340
    • Fixed garbled input on Windows
    • Fixed the port extraction problem
    • Changed project dependencies
    • Fixed multiple minor bugs
  • v0.2(Oct 23, 2020)

    • Changed the default detection command, using echo instead of netstat
    • Fixed POC false positives for Drupal, Jenkins and Nexus
    • Refactored part of the Weblogic POCs
    • Added Apache Shiro: CVE-2016-4437
    • Added ThinkPHP: CVE-2019-9082
    • Added ThinkPHP: CVE-2018-20062
    • Fixed vulnerability detection failures in batch mode
    • Fixed URL extraction in batch mode
    • Fixed multiple bugs
    • ... ...
  • v0.1(Oct 10, 2020)

Owner
之乎者也
The sky is vast, the wilds are boundless, and the wind blows me along like a bellwether~