Vulmap is a web vulnerability scanning and verification tool: it scans webapps for vulnerabilities and can also exploit them

Overview

🌟 Vulmap - Web vulnerability scanning and verification tools



Vulmap is a web vulnerability scanning and verification tool: it scans webapps for vulnerabilities and can also exploit them. Currently supported webapps: activemq, flink, shiro, solr, struts2, tomcat, unomi, drupal, elasticsearch, fastjson, jenkins, nexus, weblogic, jboss, spring, thinkphp

Vulmap combines vulnerability scanning with verification (exploitation), so that a tester can move straight on to the next step once a vulnerability has been found. The tool aims to be efficient and convenient:
Efficient: batch scanning and Fofa/Shodan batch scanning were added step by step during development; multithreading is supported and coroutines are enabled by default, so large numbers of assets are scanned as fast as possible.
Convenient: a vulnerability that has been found can be exploited immediately, and the results of large scans can be exported in several formats.

🛒 Installation

python3 must be installed on the operating system; python3.8 or higher is recommended.

# clone with git, or fetch the source code from a release
git clone https://github.com/zhzyker/vulmap.git
# install the required python dependencies
pip3 install -r requirements.txt
# Linux & MacOS & Windows
python3 vulmap.py -u http://example.com

Configuring the Fofa API, Shodan API and Ceye

To use Fofa or Shodan, edit the configuration values in vulmap.py:

# replace xxxxxxxxxx with your fofa e-mail address
globals.set_value("fofa_email", "xxxxxxxxxx")
# replace xxxxxxxxxx with your fofa key
globals.set_value("fofa_key", "xxxxxxxxxx")
# replace xxxxxxxxxx with your own shodan key
globals.set_value("shodan_key", "xxxxxxxxxx")
# replace xxxxxxxxxx with your own ceye domain
globals.set_value("ceye_domain","xxxxxxxxxx")
# replace xxxxxxxxxx with your own ceye token
globals.set_value("ceye_token", "xxxxxxxxxx")

📺 Video demo

YouTube: https://www.youtube.com/watch?v=g4czwS1Snc4
Bilibili: https://www.bilibili.com/video/BV1Fy4y1v7rd
Gif: https://github.com/zhzyker/vulmap/blob/main/images/vulmap-0.5-demo-gif.gif

🔥 Release 0.6

  1. Optimised output; added json output in a format consistent with xray.
  2. Added fastjson and spring vulnerability scanning and exploitation.
  3. Introduced ceye to detect rce vulnerabilities that produce no echo.
  4. Added fofa api and shodan api batch scanning.
  5. Refactored the poc module; vulmap is now modular.
  6. Added automatic fingerprint recognition.
  7. Replaced the echo command with a random md5.

🙋 Discussion

QR-code

🔧 Options

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     target URL (e.g. -u "http://example.com")
  -f FILE, --file FILE  a target list file, one url per line (e.g. -f "/home/user/list.txt")
  --fofa keyword        batch scan using the fofa api (e.g. --fofa "app=Apache-Shiro")
  --shodan keyword      batch scan using the shodan api (e.g. --shodan "Shiro")
  -m MODE, --mode MODE  mode, "poc" or "exp"; may be omitted, defaults to "poc" mode
  -a APP [APP ...]      specify the webapps (e.g. "weblogic"); if omitted, fingerprint recognition runs automatically
  -c CMD, --cmd CMD     custom command for remote command execution; default is echo of a random md5
  -v VULN, --vuln VULN  exploit a vulnerability; the vulnerability id is required (e.g. -v "CVE-2019-2729")
  -t NUM, --thread NUM  number of scanning threads, default 10
  --output-text file    export scan results to a txt file (e.g. "result.txt")
  --output-json file    export scan results to a json file (e.g. "result.json")
  --proxy-socks SOCKS   use a socks proxy (e.g. --proxy-socks 127.0.0.1:1080)
  --proxy-http HTTP     use an http proxy (e.g. --proxy-http 127.0.0.1:8080)
  --user-agent UA       custom User-Agent
  --fofa-size SIZE      number of assets fetched from the fofa api, default 100, range 1-10000
  --delay DELAY         delay between requests, default 0s
  --timeout TIMEOUT     timeout, default 5s
  --list                display the list of supported vulnerabilities
  --debug               exp mode: show requests and responses; poc mode: show the list of vulnerabilities being scanned

🐾 Examples

# test all vulnerability pocs; without -a, fingerprint recognition is enabled by default
python3 vulmap.py -u http://example.com

# check whether the site has struts2 vulnerabilities
python3 vulmap.py -u http://example.com -a struts2

# exploit WebLogic CVE-2019-2729 against http://example.com:7001
python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729
python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729

# batch scan the urls in list.txt
python3 vulmap.py -f list.txt

# export scan results to result.json
python3 vulmap.py -u http://example.com:7001 --output-json result.json

# batch scan using the fofa api
python3 vulmap.py --fofa app=Apache-Shiro

🍵 Vulnerabilities List

Supported vulnerabilities
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Target type       | Vuln Name        | Poc | Exp | Impact Version && Vulnerability description                 |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Apache ActiveMQ   | CVE-2015-5254    |  Y  |  N  | < 5.13.0, deserialization remote code execution             |
 | Apache ActiveMQ   | CVE-2016-3088    |  Y  |  Y  | < 5.14.0, http put&move upload webshell                     |
 | Apache Flink      | CVE-2020-17518   |  Y  |  N  | < 1.11.3 or < 1.12.0, upload path traversal                 |
 | Apache Flink      | CVE-2020-17519   |  Y  |  Y  | 1.5.1 - 1.11.2, 'jobmanager/logs' path traversal            |
 | Apache Shiro      | CVE-2016-4437    |  Y  |  Y  | <= 1.2.4, shiro-550, rememberme deserialization rce         |
 | Apache Solr       | CVE-2017-12629   |  Y  |  Y  | < 7.1.0, runexecutablelistener rce & xxe, only rce is here  |
 | Apache Solr       | CVE-2019-0193    |  Y  |  N  | < 8.2.0, dataimporthandler module remote code execution     |
 | Apache Solr       | CVE-2019-17558   |  Y  |  Y  | 5.0.0 - 8.3.1, velocity response writer rce                 |
 | Apache Struts2    | S2-005           |  Y  |  Y  | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce   |
 | Apache Struts2    | S2-008           |  Y  |  Y  | 2.0.0 - 2.3.17, debugging interceptor rce                   |
 | Apache Struts2    | S2-009           |  Y  |  Y  | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce         |
 | Apache Struts2    | S2-013           |  Y  |  Y  | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce        |
 | Apache Struts2    | S2-015           |  Y  |  Y  | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce        |
 | Apache Struts2    | S2-016           |  Y  |  Y  | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce          |
 | Apache Struts2    | S2-029           |  Y  |  Y  | 2.0.0 - 2.3.24.1, ognl interpreter rce                      |
 | Apache Struts2    | S2-032           |  Y  |  Y  | 2.3.20-28, cve-2016-3081 rce can be performed via method    |
 | Apache Struts2    | S2-045           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-046           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-048           |  Y  |  Y  | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce             |
 | Apache Struts2    | S2-052           |  Y  |  Y  | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce  |
 | Apache Struts2    | S2-057           |  Y  |  Y  | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce  |
 | Apache Struts2    | S2-059           |  Y  |  Y  | 2.0.0 - 2.5.20, cve-2019-0230 ognl interpreter rce          |
 | Apache Struts2    | S2-061           |  Y  |  Y  | 2.0.0-2.5.25, cve-2020-17530 ognl interpreter rce           |
 | Apache Struts2    | S2-devMode       |  Y  |  Y  | 2.1.0 - 2.5.1, devmode remote code execution                |
 | Apache Tomcat     | Examples File    |  Y  |  N  | all version, /examples/servlets/servlet                     |
 | Apache Tomcat     | CVE-2017-12615   |  Y  |  Y  | 7.0.0 - 7.0.81, put method any files upload                 |
 | Apache Tomcat     | CVE-2020-1938    |  Y  |  Y  | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read  |
 | Apache Unomi      | CVE-2020-13942   |  Y  |  Y  | < 1.5.2, apache unomi remote code execution                 |
 | Drupal            | CVE-2018-7600    |  Y  |  Y  | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution          |
 | Drupal            | CVE-2018-7602    |  Y  |  Y  | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce            |
 | Drupal            | CVE-2019-6340    |  Y  |  Y  | < 8.6.10, drupal core restful remote code execution         |
 | Elasticsearch     | CVE-2014-3120    |  Y  |  Y  | < 1.2, elasticsearch remote code execution                  |
 | Elasticsearch     | CVE-2015-1427    |  Y  |  Y  | < 1.3.7, < 1.4.3, elasticsearch remote code execution       |
 | Fastjson          | 1.2.24           |  Y  |  Y  | <= 1.2.24 fastjson parse object remote code execution       |
 | Fastjson          | 1.2.47           |  Y  |  Y  | <= 1.2.47 fastjson autotype remote code execution           |
 | Fastjson          | 1.2.62           |  Y  |  Y  | <= 1.2.24 fastjson autotype remote code execution       |
 | Jenkins           | CVE-2017-1000353 |  Y  |  N  | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution    |
 | Jenkins           | CVE-2018-1000861 |  Y  |  Y  | <= 2.153, LTS <= 2.138.3, remote code execution             |
 | Nexus OSS/Pro     | CVE-2019-7238    |  Y  |  Y  | 3.6.2 - 3.14.0, remote code execution vulnerability         |
 | Nexus OSS/Pro     | CVE-2020-10199   |  Y  |  Y  | 3.x <= 3.21.1, remote code execution vulnerability          |
 | Oracle Weblogic   | CVE-2014-4210    |  Y  |  N  | 10.0.2 - 10.3.6, weblogic ssrf vulnerability                |
 | Oracle Weblogic   | CVE-2017-3506    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2017-10271   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2018-2894    |  Y  |  Y  | 12.1.3.0, 12.2.1.2-3, deserialization any file upload       |
 | Oracle Weblogic   | CVE-2019-2725    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2019-2729    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2020-2551    |  Y  |  N  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |
 | Oracle Weblogic   | CVE-2020-2555    |  Y  |  Y  | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce  |
 | Oracle Weblogic   | CVE-2020-2883    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |
 | Oracle Weblogic   | CVE-2020-14882   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce     |
 | RedHat JBoss      | CVE-2010-0738    |  Y  |  Y  | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |
 | RedHat JBoss      | CVE-2010-1428    |  Y  |  Y  | 4.2.0 - 4.3.0, web-console deserialization any files upload |
 | RedHat JBoss      | CVE-2015-7501    |  Y  |  Y  | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |
 | Spring Data       | CVE-2018-1273    |  Y  |  Y  | 1.13 - 1.13.10, 2.0 - 2.0.5, spring data commons rce        |
 | Spring Cloud      | CVE-2019-3799    |  Y  |  Y  | 2.1.0-2.1.1, 2.0.0-2.0.3, 1.4.0-1.4.5, directory traversal  |
 | ThinkPHP          | CVE-2019-9082    |  Y  |  Y  | < 3.2.4, thinkphp rememberme deserialization rce            |
 | ThinkPHP          | CVE-2018-20062   |  Y  |  Y  | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce  |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+

🐟 Docker

docker build -t vulmap/vulmap .
docker run --rm -ti vulmap/vulmap  python vulmap.py -u https://www.example.com
Comments
  • Going to error in new

    root@server:~/tools/vulmap# python3 vulmap.py -u https://paypal.com
    Traceback (most recent call last):
      File "vulmap.py", line 8, in <module>
        from gevent import monkey;monkey.patch_all()
      File "/usr/local/lib/python3.6/dist-packages/gevent/monkey.py", line 1214, in patch_all
        _notify_patch(events.GeventWillPatchAllEvent(modules_to_patch, kwargs), _warnings)
      File "/usr/local/lib/python3.6/dist-packages/gevent/monkey.py", line 185, in _notify_patch
        notify_and_call_entry_points(event)
      File "/usr/local/lib/python3.6/dist-packages/gevent/events.py", line 104, in notify_and_call_entry_points
        subscriber = plugin.load()
      File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2323, in load
        self.require(*args, **kwargs)
      File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2346, in require
        items = working_set.resolve(reqs, env, installer, extras=self.extras)
      File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 783, in resolve
        raise VersionConflict(dist, req).with_context(dependent_req)
    pkg_resources.VersionConflict: (psutil 5.6.7 (/usr/local/lib/python3.6/dist-packages), Requirement.parse('psutil>=5.7.0; sys_platform != "win32" or platform_python_implementation == "CPython" and extra == "monitor"'))
    root@server:~/tools/vulmap

    opened by shelu16 4
  • pip install -r requirement.txt errors out

    pip install -r requirement.txt errors out, python-3.9

    Building wheels for collected packages: lxml
      Building wheel for lxml (setup.py) ... error
      ERROR: Command errored out with exit status 1:
       command: /usr/local/bin/python -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-iq38rq57/lxml/setup.py'"'"'; __file__='"'"'/tmp/pip-install-iq38rq57/lxml/setup.py'"'"
    ';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-ad3_
    9cqe
           cwd: /tmp/pip-install-iq38rq57/lxml/
      Complete output (731 lines):
      Building lxml version 4.3.2.
      Building without Cython.
      Using build configuration of libxslt 1.1.32
      running bdist_wheel
      running build
      running build_py
      creating build
      creating build/lib.linux-x86_64-3.9
      creating build/lib.linux-x86_64-3.9/lxml
      copying src/lxml/usedoctest.py -> build/lib.linux-x86_64-3.9/lxml
      copying src/lxml/sax.py -> build/lib.linux-x86_64-3.9/lxml
      copying src/lxml/builder.py -> build/lib.linux-x86_64-3.9/lxml
      copying src/lxml/cssselect.py -> build/lib.linux-x86_64-3.9/lxml
      copying src/lxml/pyclasslookup.py -> build/lib.linux-x86_64-3.9/lxml
      copying src/lxml/_elementpath.py -> build/lib.linux-x86_64-3.9/lxml
      copying src/lxml/doctestcompare.py -> build/lib.linux-x86_64-3.9/lxml
      copying src/lxml/__init__.py -> build/lib.linux-x86_64-3.9/lxml
      copying src/lxml/ElementInclude.py -> build/lib.linux-x86_64-3.9/lxml
      creating build/lib.linux-x86_64-3.9/lxml/includes
      copying src/lxml/includes/__init__.py -> build/lib.linux-x86_64-3.9/lxml/includes
      creating build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/diff.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/usedoctest.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/defs.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/_diffcommand.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/clean.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/_setmixin.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/builder.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/ElementSoup.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/soupparser.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/formfill.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/__init__.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/_html5builder.py -> build/lib.linux-x86_64-3.9/lxml/html
      copying src/lxml/html/html5parser.py -> build/lib.linux-x86_64-3.9/lxml/html
      creating build/lib.linux-x86_64-3.9/lxml/isoschematron
      copying src/lxml/isoschematron/__init__.py -> build/lib.linux-x86_64-3.9/lxml/isoschematron
      copying src/lxml/etree.h -> build/lib.linux-x86_64-3.9/lxml
      copying src/lxml/etree_api.h -> build/lib.linux-x86_64-3.9/lxml
      copying src/lxml/lxml.etree.h -> build/lib.linux-x86_64-3.9/lxml
    
    opened by xiagw 3
  • where is the exploit module?

    py -3 vulmap.py --help
    (ASCII art banner)
    usage: python3 vulmap [options]

    target: you must to specify target

    -u URL, --url URL     target URL (e.g. -u "http://example.com")
    -f FILE, --file FILE  select a target list file (e.g. -f "list.txt")
    --fofa keyword        call fofa api to scan (e.g. --fofa "app=Apache-Shiro")
    --shodan keyword      call shodan api to scan (e.g. --shodan "Shiro")

    mode: options vulnerability scanning or exploit mode

    -a APP [APP ...] specify webapps (e.g. -a "tomcat") allow multiple

    general: general options

    -h, --help            show this help message and exit
    -t NUM, --thread NUM  number of scanning function threads, default 10 threads
    --dnslog server       dnslog server (hyuga,dnslog,ceye) default automatic
    --output-text file    result export txt file (e.g. "result.txt")
    --output-json file    result export json file (e.g. "result.json")
    --proxy-socks SOCKS   socks proxy (e.g. --proxy-socks 127.0.0.1:1080)
    --proxy-http HTTP     http proxy (e.g. --proxy-http 127.0.0.1:8080)
    --fofa-size SIZE      fofa query target number, default 100 (1-10000)
    --user-agent UA       you can customize the user-agent headers
    --delay DELAY         delay check time, default 0s
    --timeout TIMEOUT     scan timeout time, default 10s
    --list                display the list of supported vulnerabilities
    --debug               exp echo request and responses, poc echo vuln lists
    --check               survival check (on and off), default on

    support: types of vulnerability scanning: all, activemq, flink, shiro, solr, struts2, tomcat, unomi, drupal elasticsearch, fastjson, jenkins, laravel, nexus, weblogic, jboss spring, thinkphp, druid, exchange, nodejs, saltstack, vmware bigip, ofbiz, coremail, ecology, eyou, qianxin, ruijie

    examples:
      python3 vulmap.py -u http://example.com
      python3 vulmap.py -u http://example.com -a struts2
      python3 vulmap.py -f list.txt -a weblogic -t 20
      python3 vulmap.py -f list.txt --output-json results.json
      python3 vulmap.py --fofa "app=Apache-Shiro"

    opened by IMnewer 2
  • Target cannot be identified

    Running: python3 vulmap.py -u http://192.168.31.97:8080/

    Output:
    [09:56:52] [INFO] Currently the latest version: 0.7
    [09:57:04] [INFO] Start scanning target: http://192.168.31.97:8080/
    [09:57:17] [INFO] Unable to identify target, Run all pocs
    [09:57:51] [INFO] Scan completed and ended

    Why can't it identify the target? My python version is 3.6.8, does that matter?

    opened by 1248484417 2
  • False positives in vulnerability detection

    The poc uses an echo + md5 payload for detection. When a page returns those values, the vulnerability is judged to be present, which causes false positives for some components. Test code:

    <?php
    echo 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    echo file_get_contents("php://input");
    ?>
    

    False positive case:


    For command execution, using commands such as expr or set gives fewer false positives.

    For code execution, computing the md5 directly has a lower false positive rate: echo md5("xxx");

    opened by aStrowxyu 2
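The false positive reported above comes from the check matching the very value the scanner sent, which any page that reflects its input will return. The following is an added example, not code from vulmap or from the commenter: it puts the probe design the comment suggests (an expr calculation for command execution, md5() for code execution) next to the echo scheme and runs all three against a constructed reflecting page, an executing target and a clean one, so the difference in false positives is visible. The names build_probe, check, simulate_target and false_positive_matrix, the syntax of the probe fragments and the simulated responses are all assumptions made for the illustration.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Probe:
    kind: str       # "echo" (the scheme the issue criticises), "cmd" or "code"
    token: str      # random hex value the probe is derived from
    fragment: str   # what the target would have to evaluate (assumed syntax)
    expected: str   # value the response must contain for the check to pass


def build_probe(kind: str, token: Optional[str] = None) -> Probe:
    """Derive a probe from a fresh random token. Only the 'echo' kind expects
    the token itself back; the other two expect a value the target must compute."""
    if token is None:
        token = secrets.token_hex(8)  # 16 hex characters
    if kind == "echo":
        # as described in the issue: send a random value and look for that same value
        return Probe(kind, token, f"echo {token}", token)
    if kind == "cmd":
        # command execution: arithmetic on two numbers taken from the token,
        # so a page that merely repeats the request cannot produce the sum
        a, b = int(token[:4], 16), int(token[4:8], 16)
        return Probe(kind, token, f"expr {a} + {b}", str(a + b))
    if kind == "code":
        # code execution (the PHP case from the issue): ask for md5(token)
        digest = hashlib.md5(token.encode()).hexdigest()
        return Probe(kind, token, f'md5("{token}")', digest)
    raise ValueError(f"unknown probe kind: {kind}")


def check(probe: Probe, body: str) -> bool:
    """Report a hit only if the expected value appears as a whole token, so a
    longer hex string or number that happens to contain it does not match."""
    pattern = rf"(?<![0-9A-Za-z]){re.escape(probe.expected)}(?![0-9A-Za-z])"
    return re.search(pattern, body) is not None


def simulate_target(probe: Probe, behaviour: str) -> str:
    """Constructed responses, not real traffic:
    'reflect' echoes the request body back, like the PHP test page in the issue;
    'execute' behaves as if the fragment had really been evaluated;
    'clean' ignores the probe entirely."""
    request_body = f"cmd={probe.fragment}"
    if behaviour == "reflect":
        return "http://target.example/index.php\n" + request_body + "\n"
    if behaviour == "execute":
        return probe.expected + "\n"
    return "<html><body>nothing to see</body></html>"


def false_positive_matrix(token: str) -> Dict[str, Dict[str, bool]]:
    """For each probe kind, what check() reports against each simulated target."""
    matrix: Dict[str, Dict[str, bool]] = {}
    for kind in ("echo", "cmd", "code"):
        probe = build_probe(kind, token)
        matrix[kind] = {
            behaviour: check(probe, simulate_target(probe, behaviour))
            for behaviour in ("reflect", "execute", "clean")
        }
    return matrix


if __name__ == "__main__":
    # the echo row shows reflect=True: the false positive from the issue
    for kind, results in false_positive_matrix("0123456789abcdef").items():
        print(f"{kind:5s} {results}")
```

Only the echo probe is fooled by the reflecting page; the two computed probes report a hit solely when the target actually evaluated the fragment, which is the property a verification check in a scanner needs before its result is trusted for triage.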
  • The poc check logic may have a bug

    My target has the s2-045 vulnerability.

    Note this line in the debug output: [INFO] Start scanning target: http://192.168.200.132:8080/struts2-showcase. The trailing / of the url is dropped by the program, so the vulnerability is not detected.


    Resending the packet with burp:


    opened by ChenYun4164 2
  • The S2-045 poc in ApacheStruts2.py has an error

    self.headers2 = {
        'User-Agent': self.ua,
        'Content-Type': self.payload_s2_045.replace("RECOMMAND", cmd)
    }
    try:
        self.req= requests.get(self.url, headers=self.headers1, timeout=self.timeout, verify=False)
        if r"54289" in self.request.headers['FUCK']:
    

    self.req should be self.request

    opened by shadow1ng 2
  • CVE-2020-2555 and CVE-2020-2883 POC is only checking on version

    The POC check for CVE-2020-2555 and CVE-2020-2883 is only checking on the weblogic version number not if the target is actually vulnerable.

    So even with the latest patches or giop/t3 disabled, the poc scan shows that the target is vulnerable.

    opened by siriusnlz 2
  • pip3 install has a small problem

    ERROR: Command errored out with exit status 1:
       command: /usr/bin/python3 /usr/local/lib/python3.6/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-jzgza5un/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i http://mirrors.tencentyun.com/pypi/simple --trusted-host mirrors.tencentyun.com -- 'setuptools >= 40.8.0' wheel 'Cython >= 3.0a5' 'cffi >= 1.12.3 ; platform_python_implementation == '"'"'CPython'"'"'' 'greenlet >= 0.4.17, < 2.0 ; platform_python_implementation == '"'"'CPython'"'"''
           cwd: None
      Complete output (31 lines):
      Traceback (most recent call last):
        File "/usr/lib64/python3.6/runpy.py", line 193, in _run_module_as_main
          "__main__", mod_spec)
        File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
          exec(code, run_globals)
        File "/usr/local/lib/python3.6/site-packages/pip/__main__.py", line 26, in <module>
          sys.exit(_main())
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/cli/main.py", line 73, in main
          command = create_command(cmd_name, isolated=("--isolated" in cmd_args))
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/commands/__init__.py", line 105, in create_command
          module = importlib.import_module(module_path)
        File "/usr/lib64/python3.6/importlib/__init__.py", line 126, in import_module
          return _bootstrap._gcd_import(name[level:], package, level)
        File "<frozen importlib._bootstrap>", line 994, in _gcd_import
        File "<frozen importlib._bootstrap>", line 971, in _find_and_load
        File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
        File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
        File "<frozen importlib._bootstrap_external>", line 678, in exec_module
        File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/commands/install.py", line 17, in <module>
          from pip._internal.cli.req_command import RequirementCommand, with_cleanup
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/cli/req_command.py", line 23, in <module>
          from pip._internal.req.constructors import (
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/req/__init__.py", line 10, in <module>
          from .req_install import InstallRequirement
        File "/usr/local/lib/python3.6/site-packages/pip/_internal/req/req_install.py", line 10, in <module>
          import uuid
        File "/usr/local/lib/python3.6/site-packages/uuid.py", line 138
          if not 0 <= time_low < 1<<32L:
                                      ^
      SyntaxError: invalid syntax
      ----------------------------------------
    ERROR: Command errored out with exit status 1: /usr/bin/python3 /usr/local/lib/python3.6/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-jzgza5un/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i http://mirrors.tencentyun.com/pypi/simple --trusted-host mirrors.tencentyun.com -- 'setuptools >= 40.8.0' wheel 'Cython >= 3.0a5' 'cffi >= 1.12.3 ; platform_python_implementation == '"'"'CPython'"'"'' 'greenlet >= 0.4.17, < 2.0 ; platform_python_implementation == '"'"'CPython'"'"'' Check the logs for full command output.
    

    On centos x64. Installing with pip3 on kali gives no error, but when running the project:

    <frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
    <frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
    <frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
    <frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
    <frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
    <frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
    <frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
    <frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
    <frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
    
    opened by mcblog 2
  • TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

    Running the program errors out; versions 0.2 and 0.1 both have this error

    Traceback (most recent call last):
      File "vulmap.py", line 7609, in <module>
        cmdlineparser(sys.argv)
      File "vulmap.py", line 7568, in cmdlineparser
        Target.allvuln_url(args.url)
      File "vulmap.py", line 7337, in allvuln_url
        Start.allvulnscan(self)
      File "vulmap.py", line 7126, in allvulnscan
        Start.apache_solr(self)
      File "vulmap.py", line 7139, in apache_solr
        PocApacheSolr.cve_2019_0193()
      File "vulmap.py", line 331, in cve_2019_0193
        self.solrhost = self.hostname+":"+str(self.port)
    TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'
    
    opened by xiaofeng9527 2
  • There are some false positives in cve-2018-7602

    In the course of testing, I found that there are false positives in cve-2018-7602. Please try using "python3 vulmap -u http://baidu.com". In addition, can you write a python file for each vulnerability, just like your exphub project. Thanks.

    opened by ghost 2
  • Proxy problem

    Hi, when a proxy is used it throws the error: Proxy URL had no scheme, should start with http:// or https://. The same happens with the proxy turned off. I then used --proxy-http http://127.0.0.1 and got another error: ValueError: invalid literal for int() with base 10: '//127.0.0.1:10810'

    opened by vFREE-1 1
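Two of the comments above describe the same class of input-handling bug: in the S2-045 report the trailing / of the target url was dropped before the request was built, and here the proxy value was evidently split on its first ':' so that '//127.0.0.1:10810' reached int(). The following is an added example, not vulmap's own code: it parses both kinds of value with urllib.parse, keeps the target path exactly as typed, and reports a missing scheme or port up front instead of failing inside the scanner. The function names normalize_target and parse_proxy, the accepted scheme lists and the socks5 default for --proxy-socks style values are assumptions.

```python
from typing import Dict
from urllib.parse import urlsplit, urlunsplit

TARGET_SCHEMES = ("http", "https")
PROXY_SCHEMES = ("http", "https", "socks4", "socks5", "socks5h")  # assumed set


def normalize_target(raw: str, default_scheme: str = "http") -> str:
    """Accept 'ip', 'ip:port', 'host/path/' or a full URL and return a URL whose
    path is kept exactly as given (a trailing '/' included); only what is missing
    is added. Raises ValueError for anything that is not an http(s) target."""
    raw = raw.strip()
    if "://" not in raw:
        raw = f"{default_scheme}://{raw}"
    parts = urlsplit(raw)
    if parts.scheme not in TARGET_SCHEMES or not parts.hostname:
        raise ValueError(f"unsupported target: {raw!r}")
    _ = parts.port  # raises ValueError for a non-numeric port instead of failing later
    path = parts.path or "/"
    # the fragment is dropped; query string and path are preserved verbatim
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


def parse_proxy(raw: str, kind: str) -> Dict[str, str]:
    """Turn a '--proxy-http host:port' or '--proxy-socks host:port' style value
    into the proxies mapping that the requests library accepts. kind is 'http'
    or 'socks'. A scheme is added when absent (socks5 assumed for kind='socks');
    host and port come from urlsplit rather than from splitting on ':'."""
    raw = raw.strip()
    if "://" not in raw:
        raw = ("socks5://" if kind == "socks" else "http://") + raw
    parts = urlsplit(raw)
    if parts.scheme not in PROXY_SCHEMES or not parts.hostname:
        raise ValueError(f"unsupported proxy: {raw!r}")
    port = parts.port  # None when absent, ValueError when not an integer
    if port is None:
        raise ValueError(f"proxy needs an explicit port: {raw!r}")
    url = f"{parts.scheme}://{parts.hostname}:{port}"
    return {"http": url, "https": url}


if __name__ == "__main__":
    # constructed inputs taken from the shapes seen in the issues above
    for target in ("192.168.31.97:8080",
                   "http://192.168.200.132:8080/struts2-showcase/",
                   "example.com"):
        print(target, "->", normalize_target(target))
    for value, kind in (("127.0.0.1:1080", "socks"), ("http://127.0.0.1:10810", "http")):
        print(value, kind, "->", parse_proxy(value, kind))
    try:
        parse_proxy("127.0.0.1", "http")
    except ValueError as exc:
        print("rejected:", exc)
```

Validating at argument-parsing time also gives the user a clear message about the proxy value rather than a stack trace from deep inside a request, which is what the comment above ran into.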
  • Errors from the second launch onwards, python3.11 environment

     File "C:\Users\KC\Desktop\vulmap\vulmap.py", line 10, in <module>
        from module.allcheck import version_check
      File "C:\Users\KC\Desktop\vulmap\module\allcheck.py", line 4, in <module>
        import requests
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\__init__.py", line 58, in <module>
        from . import utils
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\utils.py", line 26, in <module>
        from .compat import parse_http_list as _parse_list_header
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\compat.py", line 7, in <module>
        from .packages import chardet
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\__init__.py", line 3, in <module>
        from . import urllib3
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\__init__.py", line 10, in <module>
        from .connectionpool import (
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\connectionpool.py", line 38, in <module>
        from .response import HTTPResponse
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\response.py", line 9, in <module>
        from ._collections import HTTPHeaderDict
      File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\_collections.py", line 1, in <module>
        from collections import Mapping, MutableMapping
    ImportError: cannot import name 'Mapping' from 'collections' (C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\collections\__init__.py)
    
    opened by kcloveworld 1
Releases(v0.9)
  • v0.9(Sep 1, 2021)

  • v0.8(Aug 22, 2021)

    • Support scanning dismap recognition result files: -f output.txt
    • New categories: coremail, ecology, eyou, qianxin, ruijie vulnerabilities
    • POC added: Apache OFBiz CVE-2021-29200, CVE-2021-30128
    • POC added: Apache Solr CVE-2021-27905
    • POC added: Fastjson echo VER-1224-2, VER-1224-3
    • POC added: Oracle Weblogic CVE-2016-0638, CVE-2018-3191, CVE-2019-2890
  • v0.7(Apr 8, 2021)

    • Switched to polling three Dnslog services; thanks to @Buzz2d0 for providing hyuga.co
    • Most third-party Python dependencies are now bundled
    • Thorough false-positive handling for conventional RCE checks
    • Optimised the results, display, parameters and other functional modules
    • Added multiple PoCs including Exchange, Vmware, BIG-IP, Druid, Laravel, Saltstack, Node.JS, etc.
    • Fixed multiple remaining bugs
  • v0.6(Feb 5, 2021)

    • Optimised output; added json output in a format consistent with xray.
    • Added fastjson and spring vulnerability scanning and exploitation.
    • Introduced ceye to detect rce vulnerabilities that produce no echo.
    • Added fofa api and shodan api batch scanning.
    • Refactored the poc module; vulmap is now modular.
    • Added automatic fingerprint recognition.
    • Replaced the echo command with a random md5.
  • v0.5(Jan 8, 2021)

    • Added multithreaded scanning, default 10 threads, configurable; coroutines enabled by default (scanning becomes very fast)
    • Added proxy support for scanning: socks and http proxies
    • Customisable User-Agent
    • --debug changed again: in exp mode it shows requests and responses, in poc mode it shows the list of vulnerabilities being scanned
    • CVE-2016-4437 Apache Shiro: three more echo gadgets (6 in total), keys increased to 5
    • Added Apache Flink CVE-2020-17518 & CVE-2020-17519
    • Optimised batch scanning and output
  • 0.4(Dec 14, 2020)

    • Added ActiveMQ CVE-2015-5254
    • Added ActiveMQ CVE-2016-3088
    • Added Apache Struts2 S2-061
    • Added Apache Unomi CVE-2020-13942
    • Added Elasticsearch CVE-2014-3120
    • Added Elasticsearch CVE-2015-1427
    • Optimised scrolling output
    • Added URL liveness check
    • Added URL format detection and completion, supporting ip:port and ip
    • Optimised the --output format
    • Fixed multiple struts2 false positives
    • Reworked --debug to show requests and responses when used together with -v
    • Fixed multiple minor issues
  • v0.3(Nov 7, 2020)

    • Added Weblogic CVE-2020-14882
    • Added Weblogic CVE-2020-2883
    • Added Weblogic CVE-2020-2555
    • Added Drupal CVE-2019-6340
    • Fixed garbled input on windows
    • Fixed port extraction
    • Changed the dependencies
    • Fixed multiple minor bugs
  • v0.2(Oct 23, 2020)

    • Changed the default detection command: use echo instead of netstat
    • Fixed PoC false positives for Drupal, Jenkins and Nexus
    • Reworked part of the Weblogic PoCs
    • Added Apache Shiro: CVE-2016-4437
    • Added ThinkPHP: CVE-2019-9082
    • Added ThinkPHP: CVE-2018-20062
    • Fixed vulnerability detection failing in batch mode
    • Fixed URL extraction in batch mode
    • Fixed multiple bugs
    • ...
    Source code(tar.gz)
    Source code(zip)
  • v0.1(Oct 10, 2020)

Owner: 之乎者也