opensec-cn / kunpeng
kunpeng is an open-source POC framework/library written in Golang. It is provided as a dynamic link library that can be called from various languages, and can be used to quickly build vulnerability-detection systems.
License: Apache License 2.0
https://github.com/opensec-cn/kunpeng/blob/master/plugin/json/elasticsearch_unauth.json
I'm a little puzzled: why is the target of this es plugin docker?
Inside it, with \think, the \t gets parsed as a tab character when running on both Windows and Linux.
Hello, when I call GetPlugins directly to fetch the plugins it returns empty:

```go
package main

import ("fmt"; "github.com/opensec-cn/kunpeng/plugin")

func main() {
	plugins := plugin.GetPlugins()
	fmt.Println(plugins) // []
}
```

I'm quite confused about why the plugin information can't be retrieved; looking forward to your explanation.
Neither the release build nor a self-compiled build can load the built-in JSON plugins.
System version:
➜ kunpeng git:(master) uname -a
Darwin localhost 16.7.0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64
Build and test process:
➜ kunpeng git:(master) git status
On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working tree clean
➜ kunpeng git:(master) go install ./vendor/github.com/mjibson/esc
➜ kunpeng git:(master) esc -include='\.json$' -o plugin/json/JSONPlugin.go -pkg jsonplugin plugin/json/
➜ kunpeng git:(master) go build -buildmode=c-shared --ldflags="-w -s" -o kunpeng_c.so
➜ kunpeng git:(master) python example/call_so_test.py
[info] 15:28:21 log.go:26: [init plugin: ActiveMQ 任意文件写入漏洞]
[info] 15:28:21 log.go:26: [init plugin: Apache solr XXE漏洞]
[info] 15:28:21 log.go:26: [init plugin: Axis2控制台 弱口令]
[info] 15:28:21 log.go:26: [init plugin: web目录浏览]
[info] 15:28:21 log.go:26: [init plugin: Discuz! 6.x/7.x 代码执行]
[info] 15:28:21 log.go:26: [init plugin: FTP 弱口令]
[info] 15:28:21 log.go:26: [init plugin: grafana 控制台弱口令]
[info] 15:28:21 log.go:26: [init plugin: IIS 物理路径泄露]
[info] 15:28:21 log.go:26: [init plugin: IIS 短文件名]
[info] 15:28:21 log.go:26: [init plugin: JBoss 控制台弱口令]
[info] 15:28:21 log.go:26: [init plugin: Memcache 未授权访问]
[info] 15:28:21 log.go:26: [init plugin: MongoDB 未授权访问/弱口令]
[info] 15:28:21 log.go:26: [init plugin: SQLServer 弱口令]
[info] 15:28:21 log.go:26: [init plugin: MySQL 弱口令]
[info] 15:28:21 log.go:26: [init plugin: PostgreSQL 弱口令]
[info] 15:28:21 log.go:26: [init plugin: Redis 未授权访问/弱口令]
[info] 15:28:21 log.go:26: [init plugin: shellshock 破壳漏洞]
[info] 15:28:21 log.go:26: [init plugin: SMB 匿名共享/弱口令]
[info] 15:28:21 log.go:26: [init plugin: SSH 弱口令]
[info] 15:28:21 log.go:26: [init plugin: Struts2 远程代码执行]
[info] 15:28:21 log.go:26: [init plugin: ThinkPHP5 SQL Injection Vulnerability]
[info] 15:28:21 log.go:26: [init plugin: Apache Tomcat 弱口令]
[info] 15:28:21 log.go:26: [init plugin: UcServer 创始人弱口令]
[info] 15:28:21 log.go:26: [init plugin: WebDav Put开启]
[info] 15:28:21 log.go:26: [init plugin: WebDav PROPFIND RCE(理论检测)]
[info] 15:28:21 log.go:26: [init plugin: WebServer 任意文件读取]
[info] 15:28:21 log.go:26: [init plugin: WebLogic WLS RCE ]
[info] 15:28:21 log.go:26: [init plugin: Weblogic 控制台弱口令]
[info] 15:28:21 log.go:26: [init plugin: WordPress Mailpress Plugin 远程代码执行漏洞]
[info] 15:28:21 log.go:26: [init plugin: WordPress 后台弱口令]
[info] 15:28:21 log.go:26: [init plugin: Zabbix jsrpc.php SQL注入漏洞]
[info] 15:28:21 log.go:26: [init plugin: Zabbix latest.php SQL注入漏洞]
[info] 15:28:21 log.go:26: [init plugin: zookeeper 未授权访问]
[info] 15:28:21 log.go:26: [init json plugin]
[info] 15:28:21 log.go:31: [{"type": "web", "netloc": "http://www.google.cn", "target": "web", "meta": {"system": "", "pathlist": [], "filelist": [], "passlist": []}}]
[info] 15:28:21 log.go:31: [{web http://www.google.cn web { [] [] []}}]
[info] 15:28:21 log.go:31: [new task: {web http://www.google.cn web { [] [] []}}]
[info] 15:28:21 log.go:31: [go plugin total: 24]
[info] 15:28:21 log.go:31: [run go plugins: web]
[info] 15:28:21 log.go:31: [request do http://www.google.cn]
[info] 15:28:21 log.go:31: [response code: 200 len: -1]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/css/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1565]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/js/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1564]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/img/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1565]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/images/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1568]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/upload/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1568]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/inc/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1565]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/x47abr.txt]
[info] 15:28:21 log.go:31: [response code: 404 len: 1571]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/x47abr.txt]
[info] 15:28:21 log.go:31: [response code: 404 len: 1571]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/../../../../../../../../etc/passwd]
[info] 15:28:21 log.go:31: [response code: 404 len: 1571]
[info] 15:28:21 log.go:31: [JSON Plugin total: 0]
[]
From the final [JSON Plugin total: 0] you can see that the built-in JSON plugins failed to load; the release build behaves the same way. Testing the Linux build on Linux (Ubuntu 16.04), they load normally.
Total garbage. Look how many issues there are below.
Farming this many stars just to produce garbage.
https://github.com/chaitin/xray/tree/master/pocs
xray has many POCs, all in yml format, similar to kunpeng's json-format POCs. I suggest adding compatibility with xray's POCs.
Does every new Go plugin require recompiling and rerunning?
Background: our company internally maintains tens of thousands of POC scripts written in Python. Can these POC scripts be imported into this project and called? Looking forward to support for integrating POC scripts written in other languages.
vendor/github.com/mjibson/esc/embed/embed.go:20:2: cannot find package "github.com/pkg/errors" in any of:
/Users/jrd/.go/src/github.com/opensec-cn/kunpeng/vendor/github.com/pkg/errors (vendor tree)
/usr/local/opt/go/libexec/src/github.com/pkg/errors (from $GOROOT)
/Users/jrd/.go/src/github.com/pkg/errors (from $GOPATH)
vendor/github.com/mjibson/esc/embed/embed.go:21:2: cannot find package "golang.org/x/tools/imports" in any of:
/Users/jrd/.go/src/github.com/opensec-cn/kunpeng/vendor/golang.org/x/tools/imports (vendor tree)
/usr/local/opt/go/libexec/src/golang.org/x/tools/imports (from $GOROOT)
/Users/jrd/.go/src/golang.org/x/tools/imports (from $GOPATH)
go version go1.11.5 darwin/amd64
Could you update the build files?
Problematic code:
https://github.com/opensec-cn/kunpeng/blob/master/plugin/go/mongoWeakPass.go#L45-L52
Using session.Ping() == nil to decide that unauthorized access exists is incorrect: even with authentication enabled on mongodb, ping still returns normally.
Log below:
root@83dd9fca0b15:/# mongo 192.168.2.106:37017/test
MongoDB shell version v4.0.10
connecting to: mongodb://192.168.2.106:37017/test?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("b67c65b0-fd06-4eb8-bc34-3917a0e99bb4") }
MongoDB server version: 4.0.10
> db.runCommand({"ping":1})
{ "ok" : 1 }
> db.runCommand({"serverStatus":1})
{
"ok" : 0,
"errmsg" : "command serverStatus requires authentication",
"code" : 13,
"codeName" : "Unauthorized"
}
>
The correct approach is to replace it with:

```go
// serverStatus requires privileges, so it only succeeds when no authentication is enforced
if err == nil && session.Run("serverStatus", nil) == nil {
	// ...
}
```
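The distinction the issue makes (ping succeeds on any reachable server, serverStatus only without enforced auth), written out as an added example; this is not kunpeng's code. RunnerFunc is a hypothetical stand-in for a driver session, and the two replies are copied from the shell session above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AuthState is the verdict about whether a MongoDB instance enforces authentication.
type AuthState int

const (
	AuthUnknown     AuthState = iota // unreachable, malformed or unexpected reply
	AuthNotRequired                  // serverStatus succeeded with no credentials
	AuthRequired                     // serverStatus refused with code 13 / Unauthorized
)

// RunnerFunc stands in for a driver session (hypothetical): it sends one command
// without credentials and returns the raw reply document as JSON.
type RunnerFunc func(cmd string) ([]byte, error)

// Replies copied from the mongo shell session in the issue (constructed test data).
const (
	ReplyOK           = `{ "ok" : 1 }`
	ReplyUnauthorized = `{ "ok" : 0, "errmsg" : "command serverStatus requires authentication", "code" : 13, "codeName" : "Unauthorized" }`
)

// CheckAuth runs serverStatus instead of ping: ping answers ok:1 on every server,
// whereas serverStatus needs privileges, so its outcome shows whether auth is on.
func CheckAuth(run RunnerFunc) (AuthState, error) {
	raw, err := run("serverStatus")
	if err != nil {
		return AuthUnknown, fmt.Errorf("serverStatus: %w", err)
	}
	// Only the fields needed for the verdict; ok is a double in MongoDB replies.
	var reply struct {
		OK       float64 `json:"ok"`
		Code     int     `json:"code"`
		CodeName string  `json:"codeName"`
	}
	if err := json.Unmarshal(raw, &reply); err != nil {
		return AuthUnknown, err
	}
	if reply.OK == 1 {
		return AuthNotRequired, nil // answered without credentials: unauthenticated access
	}
	if reply.Code == 13 || reply.CodeName == "Unauthorized" {
		return AuthRequired, nil
	}
	return AuthUnknown, fmt.Errorf("unexpected serverStatus reply: %s", raw)
}
```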
I tried running the ssh weak-password check asynchronously with celery and found the task hangs; checking the secure log on the corresponding server shows no connection-attempt entries either. Without celery everything works fine.
# github.com/opensec-cn/kunpeng/plugin/json
plugin/json/init.go:39:17: undefined: FSMustByte
plugin/json/init.go:60:12: undefined: FS
I pulled the code from the master branch.
For example, MySQLWeakPass only has a few usernames and SSHWeakPass only has the single username root. Could the usernames be passed in as a parameter? Otherwise there are too few.
Currently, which plugins kunpeng invokes depends on the target in the task: the target corresponds to the target field in the plugin, and during a scan every plugin with the same target is invoked.
However, some scenarios may require invoking only specified plugins, for example emergency response when a high-risk vulnerability appears. Although this can be achieved by setting target to a special value such as emergency, subsequent PoC categorisation still requires setting target to the plugin's own category, which adds an extra step.
So I'd like to ask whether kunpeng has considered loading plugins by some unique identifier other than target, such as id or name?
Could you provide a demo configuration for struts2 vulnerability detection?
A unified target name makes it easy to invoke the PoC precisely for testing and prevents a PoC from not being invoked because of a target-name mismatch, which would lead to missed detections.
System version:
macOS High Sierra
Go version:
go version go1.11.4 darwin/amd64
The .so file used is:
kunpeng_darwin_v20190129/kunpeng_go.so
The example code doesn't run and reports an error. Log:
[info] 19:07:04 log.go:26: [init plugin: Axis2控制台 弱口令]
[info] 19:07:04 log.go:26: [init plugin: web目录浏览]
[info] 19:07:04 log.go:26: [init plugin: Discuz! 6.x/7.x 代码执行]
[info] 19:07:04 log.go:26: [init plugin: FTP 弱口令]
[info] 19:07:04 log.go:26: [init plugin: grafana 控制台弱口令]
[info] 19:07:04 log.go:26: [init plugin: IIS 物理路径泄露]
[info] 19:07:04 log.go:26: [init plugin: IIS 短文件名]
[info] 19:07:04 log.go:26: [init plugin: JBoss 控制台弱口令]
[info] 19:07:04 log.go:26: [init plugin: Java调试线协议(JDWP)远程代码执行漏洞]
[info] 19:07:04 log.go:26: [init plugin: Memcache 未授权访问]
[info] 19:07:04 log.go:26: [init plugin: MongoDB 未授权访问/弱口令]
[info] 19:07:04 log.go:26: [init plugin: SQLServer 弱口令]
[info] 19:07:04 log.go:26: [init plugin: MySQL 弱口令]
[info] 19:07:04 log.go:26: [init plugin: PostgreSQL 弱口令]
[info] 19:07:04 log.go:26: [init plugin: Redis 未授权访问/弱口令]
[info] 19:07:04 log.go:26: [init plugin: shellshock 破壳漏洞]
[info] 19:07:04 log.go:26: [init plugin: SMB 匿名共享/弱口令]
[info] 19:07:04 log.go:26: [init plugin: SSH 弱口令]
[info] 19:07:04 log.go:26: [init plugin: Struts2 远程代码执行]
[info] 19:07:04 log.go:26: [init plugin: ThinkPHP5 SQL Injection Vulnerability]
[info] 19:07:04 log.go:26: [init plugin: Apache Tomcat 弱口令]
[info] 19:07:04 log.go:26: [init plugin: UcServer 创始人弱口令]
[info] 19:07:04 log.go:26: [init plugin: WebDav Put开启]
[info] 19:07:04 log.go:26: [init plugin: WebDav PROPFIND RCE(理论检测)]
[info] 19:07:04 log.go:26: [init plugin: WebServer 任意文件读取]
[info] 19:07:04 log.go:26: [init plugin: WebLogic WLS RCE ]
[info] 19:07:04 log.go:26: [init plugin: Weblogic 控制台弱口令]
[info] 19:07:04 log.go:26: [init plugin: WordPress 后台弱口令]
[info] 19:07:04 log.go:26: [init plugin: Zabbix jsrpc.php SQL注入漏洞]
[info] 19:07:04 log.go:26: [init plugin: Zabbix latest.php SQL注入漏洞]
[info] 19:07:04 log.go:26: [init plugin: zookeeper 未授权访问]
[info] 19:07:04 log.go:26: [init json plugin]
[info] 19:07:04 log.go:26: [init plugin: discuz_admincp_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_ajax_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_announcement_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_api_pathinfo.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_attachment_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_focus_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_jianghu_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_member_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_misc_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_mp3player_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_post_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_shop_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_viewthread_xss.json]
[info] 19:07:04 log.go:26: [init plugin: django_urljump.json]
[info] 19:07:04 log.go:26: [init plugin: docker_api.json]
[info] 19:07:04 log.go:26: [init plugin: drupal_geddon2_rce.json]
[info] 19:07:04 log.go:26: [init plugin: elasticsearch_unauth.json]
[info] 19:07:04 log.go:26: [init plugin: hadoop_yarn_resourcemanager_unauth_rce.json]
[info] 19:07:04 log.go:26: [init plugin: joomla_3.7_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: joomla_contushdvideoshare_lfi.json]
[info] 19:07:04 log.go:26: [init plugin: joomla_departments_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: thinkphp5_invokefunction_rce.json]
[info] 19:07:04 log.go:26: [init plugin: weblogic_debug.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_cmdownloads_rce.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_dzs_videogallery_xss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_jquery_domxss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_mainwp_login.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_sexy_xss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_swfupload_xss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_wpml_xss.json]
unexpected type from module symbol
kunpeng_go.so:
MD5 (kunpeng_go.so) = 183d8c4be12a0a733f55ff06d866e045
In an actual test environment I run into all sorts of problems with the Check response being wrong.
My newly written json plugins never load: no error is reported, but the displayed json plugin count never changes, and requests against a vulnerable target give no result either.
It's always this number:
[info] 17:05:11 log.go:44: [go plugin total: 34]
[info] 17:05:11 log.go:44: [json plugin total: 19]
Building also completes without problems and produces a new so file, but when using that so file for vulnerability testing the displayed plugin count still doesn't change, and testing a request known to be vulnerable gives no result. How should this be handled? Thanks.
The new version of esc fails to install:
➜ kunpeng uname -a
Darwin localhost 16.7.0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64
➜ kunpeng cd $GOPATH/src/github.com/opensec-cn/kunpeng
➜ kunpeng git:(master) git status
On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working tree clean
➜ kunpeng git:(master) go install ./vendor/github.com/mjibson/esc
vendor/github.com/mjibson/esc/embed/embed.go:20:2: cannot find package "github.com/pkg/errors" in any of:
/Users/xx/Code/go/src/github.com/opensec-cn/kunpeng/vendor/github.com/pkg/errors (vendor tree)
/usr/local/go/src/github.com/pkg/errors (from $GOROOT)
/Users/xx/Code/go/src/github.com/pkg/errors (from $GOPATH)
vendor/github.com/mjibson/esc/embed/embed.go:21:2: cannot find package "golang.org/x/tools/imports" in any of:
/Users/xx/Code/go/src/github.com/opensec-cn/kunpeng/vendor/golang.org/x/tools/imports (vendor tree)
/usr/local/go/src/golang.org/x/tools/imports (from $GOROOT)
/Users/xx/Code/go/src/golang.org/x/tools/imports (from $GOPATH)
In my own testing I found that for weak-password verification the {"Content-Type":"application/x-www-form-urlencoded"} header has to be added, otherwise the weak-password login doesn't work.
For some ports that Nmap doesn't identify, the target can't be determined, so is there a setting to invoke all PoCs?
select 0updatexml --> select updatexml
cn/kunpeng/blob/e4a62c725bc5d7f84f4c52fad6122394c69a5534/plugin/go/zabbixLatestSQL.go#L55
After adding the corresponding json file to the extra directory, the json file is loaded into memory as a json plugin. Because every check loads using append, once a local json file is deleted, the json plugin still remains in memory.
May I ask: my json plugins never initialize successfully. How do I get the json plugins to load?
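One way to avoid the stale-plugin problem described in that issue is to rebuild the plugin set from the directory on each reload and swap it in, rather than appending to a global slice. This is an added example and not kunpeng's loader; it assumes only that each JSON PoC file carries a "target" key, as the issues on this page describe.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// JSONPlugin keeps only the field this example needs from a JSON PoC file.
// Assumption: the file has a "target" key; the real schema has more fields.
type JSONPlugin struct {
	Target string `json:"target"`
}

// LoadExtraPlugins rebuilds the plugin set from the directory on every call and
// returns it, instead of appending to a long-lived slice. Replacing the old set
// with the returned map means a file deleted from disk also disappears from
// memory, and a file saved again under the same name yields one entry, not two.
func LoadExtraPlugins(dir string) (map[string]JSONPlugin, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	plugins := make(map[string]JSONPlugin, len(entries)) // keyed by file name
	for _, e := range entries {
		if e.IsDir() || !strings.HasSuffix(e.Name(), ".json") {
			continue
		}
		raw, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		var p JSONPlugin
		if err := json.Unmarshal(raw, &p); err != nil {
			// A malformed PoC file is reported, not silently skipped.
			return nil, fmt.Errorf("%s: %w", e.Name(), err)
		}
		plugins[e.Name()] = p
	}
	return plugins, nil
}
```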
[info] 17:04:19 log.go:44: [json plugin total: 0]
The problem is somewhat similar to distribution/distribution#473
It shows up in net/http.(*persistConn).writeLoop; the concurrency is about 1000, but 20k+ goroutines appeared...
The problem has already been solved:
/github.com/opensec-cn/kunpeng/util/net.go
Turn keep-alives off with DisableKeepAlives: true:

```go
transport := &http.Transport{
	TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
	DisableKeepAlives: true,
}
```

Note that setProxy is called every time, and the logic inside it overrides the client.Transport that init() set up:

```go
func RequestDo(request *http.Request, hasRaw bool) (Resp, error) {
	setProxy()
}
```
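Putting the two observations above together (keep-alives off, and a setProxy that must not replace the transport), here is an added example of a shared transport built once and reconfigured in place; it is not kunpeng's util/net.go. SetProxy, RequestDo and initTransport are names chosen for this example, and the timeouts are assumptions.

```go
package main

import (
	"crypto/tls"
	"net/http"
	"net/url"
	"sync"
	"time"
)

// One shared transport and client, built exactly once. In the issue the transport was
// replaced on every call, so connections from the old one were never reused or closed.
var (
	client    *http.Client
	transport *http.Transport
	once      sync.Once
)

func initTransport() {
	transport = &http.Transport{
		TLSClientConfig:       &tls.Config{InsecureSkipVerify: true}, // as in the issue: scan targets often use self-signed certs
		DisableKeepAlives:     true,                                  // one connection per request; nothing lingers in writeLoop
		ResponseHeaderTimeout: 10 * time.Second,                      // a stalled target cannot pin a goroutine forever
	}
	client = &http.Client{Transport: transport, Timeout: 30 * time.Second}
}

// SetProxy configures the proxy on the existing transport instead of building a new
// one, so DisableKeepAlives and the timeouts from initTransport survive every call.
func SetProxy(rawURL string) error {
	once.Do(initTransport)
	if rawURL == "" {
		transport.Proxy = nil
		return nil
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	transport.Proxy = http.ProxyURL(u)
	return nil
}

// RequestDo sends the request through the shared client and also returns the
// transport it used, so a caller (or test) can confirm it was not swapped out.
func RequestDo(req *http.Request) (*http.Response, *http.Transport, error) {
	once.Do(initTransport)
	resp, err := client.Do(req)
	return resp, transport, err
}
```

Proxy is read on every request, so if SetProxy is called from several goroutines at once it still needs a lock around the field write.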