zhzyker / vulmap

Vulmap is a web vulnerability scanning and verification tool: it scans webapps for vulnerabilities and can also verify them.

Home Page: https://github.com/zhzyker/vulmap

License: GNU General Public License v3.0

Python 99.99% Dockerfile 0.01%
exploit cve rce vulnerabilities cve-2016-4437 security security-tools pentesting pentest-tool cve-2020-14882

vulmap's Introduction

🌟 Vulmap - Web vulnerability scanning and verification tools


[Click here for the English Version]

Vulmap is a web vulnerability scanning and verification tool. It scans webapps for vulnerabilities and can also exploit them. The webapps currently supported include activemq, flink, shiro, solr, struts2, tomcat, unomi, drupal, elasticsearch, fastjson, jenkins, nexus, weblogic, jboss, spring, thinkphp

Vulmap combines vulnerability scanning with verification (exploitation), so that testers can move on to the next step as soon as a vulnerability is found. The tool aims to be efficient and convenient.
Efficient: batch scanning and Fofa/Shodan batch scanning were added gradually during development; multithreading is supported and coroutines are enabled by default, so large numbers of assets are scanned as fast as possible.
Convenient: a vulnerability can be exploited as soon as it is found, and the results of large-scale scans can be exported in several formats.

Starting with version 0.8, Vulmap can scan a dismap fingerprint result file directly for vulnerabilities: -f output.txt

🛒 Installation

python3 must be installed on the operating system; python3.8 or newer is recommended

# clone with git, or download the source from the releases page
git clone https://github.com/zhzyker/vulmap.git
# install the required python dependencies
pip3 install -r requirements.txt
# Linux & MacOS & Windows
python3 vulmap.py -u http://example.com

Configuring the Fofa API, Shodan API and Ceye

To use Fofa or Shodan, edit the configuration values in vulmap.py:

# replace xxxxxxxxxx with your fofa email
globals.set_value("fofa_email", "xxxxxxxxxx")
# replace xxxxxxxxxx with your fofa key
globals.set_value("fofa_key", "xxxxxxxxxx")
# replace xxxxxxxxxx with your own shodan key
globals.set_value("shodan_key", "xxxxxxxxxx")
# replace xxxxxxxxxx with your own ceye domain
globals.set_value("ceye_domain","xxxxxxxxxx")
# replace xxxxxxxxxx with your own ceye token
globals.set_value("ceye_token", "xxxxxxxxxx")

📑 Licenses

The following disclaimer is appended to the original LICENSE. Where it conflicts with the original license, the disclaimer prevails.

Unauthorized commercial use of this tool is prohibited, as is unauthorized commercial use after secondary development.

This tool is intended only for legally authorized enterprise security work. When using it for testing, you must ensure that the activity complies with local laws and regulations and that you have obtained sufficient authorization.

If you engage in any illegal activity while using this tool, you bear the consequences yourself; we accept no legal or joint liability.

Before using this tool, please read carefully and fully understand every clause. Clauses that limit or exclude liability, or that otherwise concern your significant rights and interests, may be highlighted in bold, underlined or similar. Unless you have read, fully understood and accepted all terms of this agreement, do not use this tool. Using the tool, or indicating acceptance of this agreement in any other express or implied way, is deemed to mean that you have read and agree to be bound by it.

📺 Video demo

YouTube: https://www.youtube.com/watch?v=g4czwS1Snc4
Bilibili: https://www.bilibili.com/video/BV1Fy4y1v7rd
Gif: https://github.com/zhzyker/vulmap/blob/main/images/vulmap-0.5-demo-gif.gif

🙋 Discussion


🔧 Options

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     target URL (e.g. -u "http://example.com")
  -f FILE, --file FILE  select a target list file, one url per line (e.g. -f "/home/user/list.txt")
  --fofa keyword        batch scan using the fofa api (e.g. --fofa "app=Apache-Shiro")
  --shodan keyword      batch scan using the shodan api (e.g. --shodan "Shiro")
  -m MODE, --mode MODE  mode, "poc" or "exp"; may be omitted, defaults to "poc" mode
  -a APP [APP ...]      specify webapps (e.g. "weblogic"); if omitted, fingerprinting is done automatically
  -c CMD, --cmd CMD     custom command for remote command execution, default is echo of a random md5
  -v VULN, --vuln VULN  exploit a vulnerability; the vulnerability id must be given (e.g. -v "CVE-2019-2729")
  -t NUM, --thread NUM  number of scanning threads, default 10
  --dnslog server       dnslog server (hyuga,dnslog,ceye), default automatic rotation
  --output-text file    export scan results to a txt file (e.g. "result.txt")
  --output-json file    export scan results to a json file (e.g. "result.json")
  --proxy-socks SOCKS   use a socks proxy (e.g. --proxy-socks 127.0.0.1:1080)
  --proxy-http HTTP     use an http proxy (e.g. --proxy-http 127.0.0.1:8080)
  --user-agent UA       custom User-Agent
  --fofa-size SIZE      number of assets fetched from the fofa api, default 100, range 1-10000
  --delay DELAY         delay between requests, default 0s
  --timeout TIMEOUT     timeout, default 5s
  --list                show the list of supported vulnerabilities
  --debug               exp mode: show requests and responses; poc mode: show the list of vulnerabilities scanned
  --check               target liveness check (on and off), default on

🐾 Examples

# test all vulnerability pocs; if -a all is not given, fingerprinting is enabled by default
python3 vulmap.py -u http://example.com

# check whether the site has struts2 vulnerabilities
python3 vulmap.py -u http://example.com -a struts2

# exploit WebLogic CVE-2019-2729 against http://example.com:7001
python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729
python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729

# batch scan the urls in list.txt
python3 vulmap.py -f list.txt

# export scan results to result.json
python3 vulmap.py -u http://example.com:7001 --output-json result.json

# batch scan via the fofa api
python3 vulmap.py --fofa app=Apache-Shiro

🍵 Vulnerabilities List

Supported vulnerability list
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Target type       | Vuln Name        | Poc | Exp | Impact Version && Vulnerability description                 |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Apache ActiveMQ   | CVE-2015-5254    |  Y  |  N  | < 5.13.0, deserialization remote code execution             |
 | Apache ActiveMQ   | CVE-2016-3088    |  Y  |  Y  | < 5.14.0, http put&move upload webshell                     |
 | Apache Druid      | CVE-2021-25646   |  Y  |  Y  | < 0.20.1, apache druid console remote code execution        |
 | Apache Flink      | CVE-2020-17518   |  Y  |  N  | < 1.11.3 or < 1.12.0, upload path traversal                 |
 | Apache Flink      | CVE-2020-17519   |  Y  |  Y  | 1.5.1 - 1.11.2, 'jobmanager/logs' path traversal            |
 | Apache OFBiz      | CVE-2021-26295   |  Y  |  N  | < 17.12.06, rmi deserializes arbitrary code execution       |
 | Apache OFBiz      | CVE-2021-29200   |  Y  |  N  | < 17.12.07, rmi deserializes arbitrary code execution       |
 | Apache OFBiz      | CVE-2021-30128   |  Y  |  Y  | deserialize remote command execution            |
 | Apache Shiro      | CVE-2016-4437    |  Y  |  Y  | <= 1.2.4, shiro-550, rememberme deserialization rce         |
 | Apache Solr       | CVE-2017-12629   |  Y  |  Y  | < 7.1.0, runexecutablelistener rce & xxe, only rce is here  |
 | Apache Solr       | CVE-2019-0193    |  Y  |  N  | < 8.2.0, dataimporthandler module remote code execution     |
 | Apache Solr       | CVE-2019-17558   |  Y  |  Y  | 5.0.0 - 8.3.1, velocity response writer rce                 |
 | Apache Solr       | time-2021-0318   |  Y  |  Y  | all, apache solr arbitrary file reading                     |
 | Apache Solr       | CVE-2021-27905   |  Y  |  N  | 7.0.0-7.7.3, 8.0.0-8.8.1, replication handler ssrf          |
 | Apache Struts2    | S2-005           |  Y  |  Y  | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce   |
 | Apache Struts2    | S2-008           |  Y  |  Y  | 2.0.0 - 2.3.17, debugging interceptor rce                   |
 | Apache Struts2    | S2-009           |  Y  |  Y  | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce         |
 | Apache Struts2    | S2-013           |  Y  |  Y  | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce        |
 | Apache Struts2    | S2-015           |  Y  |  Y  | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce        |
 | Apache Struts2    | S2-016           |  Y  |  Y  | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce          |
 | Apache Struts2    | S2-029           |  Y  |  Y  | 2.0.0 - 2.3.24.1, ognl interpreter rce                      |
 | Apache Struts2    | S2-032           |  Y  |  Y  | 2.3.20-28, cve-2016-3081 rce can be performed via method    |
 | Apache Struts2    | S2-045           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-046           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-048           |  Y  |  Y  | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce             |
 | Apache Struts2    | S2-052           |  Y  |  Y  | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce  |
 | Apache Struts2    | S2-057           |  Y  |  Y  | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce  |
 | Apache Struts2    | S2-059           |  Y  |  Y  | 2.0.0 - 2.5.20, cve-2019-0230 ognl interpreter rce          |
 | Apache Struts2    | S2-061           |  Y  |  Y  | 2.0.0-2.5.25, cve-2020-17530 ognl interpreter rce           |
 | Apache Struts2    | S2-devMode       |  Y  |  Y  | 2.1.0 - 2.5.1, devmode remote code execution                |
 | Apache Tomcat     | Examples File    |  Y  |  N  | all version, /examples/servlets/servlet                     |
 | Apache Tomcat     | CVE-2017-12615   |  Y  |  Y  | 7.0.0 - 7.0.81, put method any files upload                 |
 | Apache Tomcat     | CVE-2020-1938    |  Y  |  Y  | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read  |
 | Apache Unomi      | CVE-2020-13942   |  Y  |  Y  | < 1.5.2, apache unomi remote code execution                 |
 | CoreMail          | time-2021-0414   |  Y  |  N  | Coremail configuration information disclosure vulnerability |
 | Drupal            | CVE-2018-7600    |  Y  |  Y  | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution          |
 | Drupal            | CVE-2018-7602    |  Y  |  Y  | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce            |
 | Drupal            | CVE-2019-6340    |  Y  |  Y  | < 8.6.10, drupal core restful remote code execution         |
 | Ecology           | time-2021-0515   |  Y  |  Y  | <= 9.0, e-cology oa workflowservicexml rce                  |
 | Elasticsearch     | CVE-2014-3120    |  Y  |  Y  | < 1.2, elasticsearch remote code execution                  |
 | Elasticsearch     | CVE-2015-1427    |  Y  |  Y  | < 1.3.7, < 1.4.3, elasticsearch remote code execution       |
 | Exchange          | CVE-2021-26855   |  Y  |  N  | 2010 2013 2016 2019, microsoft exchange server ssrf         |
 | Exchange          | CVE-2021-27065   |  Y  |  Y  | 2010 2013 2016 2019, exchange arbitrary file write          |
 | Eyou Email        | CNVD-2021-26422  |  Y  |  Y  | eyou email system has remote command execution              |
 | F5 BIG-IP         | CVE-2020-5902    |  Y  |  Y  | < 11.6.x, f5 big-ip remote code execution                   |
 | F5 BIG-IP         | CVE-2021-22986   |  Y  |  Y  | < 16.0.1, f5 big-ip remote code execution                   |
 | Fastjson          | VER-1224-1       |  Y  |  Y  | <= 1.2.24 fastjson parse object remote code execution       |
 | Fastjson          | VER-1224-2       |  Y  |  Y  | <= 1.2.24 fastjson parse object remote code execution       |
 | Fastjson          | VER-1224-3       |  Y  |  Y  | <= 1.2.24 fastjson parse object remote code execution       |
 | Fastjson          | VER-1247         |  Y  |  Y  | <= 1.2.47 fastjson autotype remote code execution           |
 | Fastjson          | VER-1262         |  Y  |  Y  | <= 1.2.62 fastjson autotype remote code execution           |
 | Jenkins           | CVE-2017-1000353 |  Y  |  N  | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution    |
 | Jenkins           | CVE-2018-1000861 |  Y  |  Y  | <= 2.153, LTS <= 2.138.3, remote code execution             |
 | Laravel           | CVE-2018-15133   |  N  |  Y  | 5.5.x <= 5.5.40, 5.6.x <= 5.6.29, laravel get app_key rce   |
 | Laravel           | CVE-2021-3129    |  Y  |  N  | ignition <= 2.5.1, laravel debug mode remote code execution |
 | Nexus OSS/Pro     | CVE-2019-7238    |  Y  |  Y  | 3.6.2 - 3.14.0, remote code execution vulnerability         |
 | Nexus OSS/Pro     | CVE-2020-10199   |  Y  |  Y  | 3.x <= 3.21.1, remote code execution vulnerability          |
 | Node.JS           | CVE-2021-21315   |  Y  |  N  | systeminformation < 5.3.1, node.js command injection        |
 | Oracle Weblogic   | CVE-2014-4210    |  Y  |  N  | 10.0.2 - 10.3.6, weblogic ssrf vulnerability                |
 | Oracle Weblogic   | CVE-2016-0638    |  Y  |  N  | 10.3.6.0, 12.2.1-3, t3 deserialization rce                  |
 | Oracle Weblogic   | CVE-2017-3506    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2017-10271   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2018-2894    |  Y  |  Y  | 12.1.3.0, 12.2.1.2-3, deserialization any file upload       |
 | Oracle Weblogic   | CVE-2018-3191    |  Y  |  N  | 10.3.6.0, 12.1.3.0, 12.2.1.3, t3 deserialization rce        |
 | Oracle Weblogic   | CVE-2019-2725    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2019-2890    |  Y  |  N  | 10.3.6.0, 12.1.3.0, 12.2.1.3, t3 deserialization rce        |
 | Oracle Weblogic   | CVE-2019-2729    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2020-2551    |  Y  |  N  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |
 | Oracle Weblogic   | CVE-2020-2555    |  Y  |  Y  | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce  |
 | Oracle Weblogic   | CVE-2020-2883    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |
 | Oracle Weblogic   | CVE-2020-14882   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0, console rce       |
 | Oracle Weblogic   | CVE-2020-2109    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0, unauthorized jndi |
 | QiAnXin           | time-2021-0410   |  Y  |  Y  | qianxin ns-ngfw netkang next generation firewall front rce  |
 | RedHat JBoss      | CVE-2010-0738    |  Y  |  Y  | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |
 | RedHat JBoss      | CVE-2010-1428    |  Y  |  Y  | 4.2.0 - 4.3.0, web-console deserialization any files upload |
 | RedHat JBoss      | CVE-2015-7501    |  Y  |  Y  | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |
 | RuiJie            | time_2021_0424   |  Y  |  N  | get account password, background rce                        |
 | Saltstack         | CVE-2021-25282   |  Y  |  Y  | < 3002.5, saltStack arbitrary file writing vulnerability    |
 | Spring Data       | CVE-2018-1273    |  Y  |  Y  | 1.13 - 1.13.10, 2.0 - 2.0.5, spring data commons rce        |
 | Spring Cloud      | CVE-2019-3799    |  Y  |  Y  | 2.1.0-2.1.1, 2.0.0-2.0.3, 1.4.0-1.4.5, directory traversal  |
 | Spring Cloud      | CVE-2020-5410    |  Y  |  Y  | < 2.2.3, < 2.1.9, directory traversal vulnerability         |
 | ThinkPHP          | CVE-2019-9082    |  Y  |  Y  | < 3.2.4, thinkphp rememberme deserialization rce            |
 | ThinkPHP          | CVE-2018-20062   |  Y  |  Y  | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce  |
 | Vmware vCenter    | time-2020-1013   |  Y  |  N  | <= 6.5u1, vmware vcenter arbitrary file reading (not cve)   |
 | Vmware vCenter    | CVE-2021-21972   |  Y  |  Y  | 7.0 < 7.0U1c, 6.7 < 6.7U3l, 6.5 < 6.5U3n, any file upload   |
 | VMware vRealize   | CVE-2021-21975   |  Y  |  N  | <= 8.3.0, vmware vrealize operations manager api ssrf       |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+

🐟 Docker

docker build -t vulmap/vulmap .
docker run --rm -ti vulmap/vulmap  python vulmap.py -u https://www.example.com

vulmap's People

Contributors: nemophllist, xiagw, yumusb, zhzyker

vulmap's Issues

What is going on here?

C:\vulmap-main\vulmap-main>python vulmap.py
                   __
                  [  |
  _   __  __   _   | |  _ .--..--.   ,--.  _ .--.
 [ \ [  ][  | | |  | | [ `.-. .-. | `'_\ :[ '/'`\ \
  \ \/ /  | \_/ |, | |  | | | | | | // | |,| \__/ |
   \__/   '.__.'_/[___][___||__||__]'-;__/| ;.___/
                                          [__|
Traceback (most recent call last):
  File "C:\vulmap-main\vulmap-main\vulmap.py", line 14, in <module>
    from core.core import core
  File "C:\vulmap-main\vulmap-main\core\core.py", line 16, in <module>
    from core.scan import scan
  File "C:\vulmap-main\vulmap-main\core\scan.py", line 12, in <module>
    from payload.OracleWeblogic import OracleWeblogic
ModuleNotFoundError: No module named 'payload.OracleWeblogic'

It throws an error, I don't know what is going on

Traceback (most recent call last):
File "C:\vulmap-main\vulmap.py", line 32, in
from Crypto.Cipher import AES
File "C:\Users\Administrator\AppData\Local\Programs\Python\Python38-32\lib\site-packages\Crypto\Cipher_init_.py", line 27, in
from Crypto.Cipher._mode_ecb import _create_ecb_cipher
File "C:\Users\Administrator\AppData\Local\Programs\Python\Python38-32\lib\site-packages\Crypto\Cipher_mode_ecb.py", line 35, in
raw_ecb_lib = load_pycryptodome_raw_lib("Crypto.Cipher._raw_ecb", """
File "C:\Users\Administrator\AppData\Local\Programs\Python\Python38-32\lib\site-packages\Crypto\Util_raw_api.py", line 308, in load_pycryptodome_raw_lib
raise OSError("Cannot load native module '%s': %s" % (name, ", ".join(attempts)))
OSError: Cannot load native module 'Crypto.Cipher._raw_ecb': Trying '_raw_ecb.cp38-win32.pyd': cannot load library 'C:\Users\Administrator\AppData\Local\Programs\Python\Python38-32\lib\site-packages\Crypto\Util..\Cipher_raw_ecb.cp38-win32.pyd': error 0x7e. Additionally, ctypes.util.find_library() did not manage to locate a library called 'C:\Users\Administrator\AppData\Local\Programs\Python\Python38-32\lib\site-packages\Crypto\Util\..\Cipher\_raw_ecb.cp38-win32.pyd', Trying '_raw_ecb.pyd': cannot load library 'C:\Users\Administrator\AppData\Local\Programs\Python\Python38-32\lib\site-packages\Crypto\Util..\Cipher_raw_ecb.pyd': error 0xc1

outputfile

The output file shows only the URL, not the CVEs

False positives in vulnerability detection

The poc uses an echo + md5 payload for detection. The vulnerability is judged to exist when those values appear in the returned page, which causes false positives on some components. Test code:

<?php
// echo the requested URL back to the client
echo 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
// echo the raw request body back verbatim
echo file_get_contents("php://input");
?>

False positive result: (screenshot)

For command execution, using a command such as expr or set gives fewer false positives

For code execution, computing the md5 directly has a lower false-positive rate: echo md5("xxx");

A small problem with pip3 install

ERROR: Command errored out with exit status 1:
   command: /usr/bin/python3 /usr/local/lib/python3.6/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-jzgza5un/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i http://mirrors.tencentyun.com/pypi/simple --trusted-host mirrors.tencentyun.com -- 'setuptools >= 40.8.0' wheel 'Cython >= 3.0a5' 'cffi >= 1.12.3 ; platform_python_implementation == '"'"'CPython'"'"'' 'greenlet >= 0.4.17, < 2.0 ; platform_python_implementation == '"'"'CPython'"'"''
       cwd: None
  Complete output (31 lines):
  Traceback (most recent call last):
    File "/usr/lib64/python3.6/runpy.py", line 193, in _run_module_as_main
      "__main__", mod_spec)
    File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
      exec(code, run_globals)
    File "/usr/local/lib/python3.6/site-packages/pip/__main__.py", line 26, in <module>
      sys.exit(_main())
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/cli/main.py", line 73, in main
      command = create_command(cmd_name, isolated=("--isolated" in cmd_args))
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/commands/__init__.py", line 105, in create_command
      module = importlib.import_module(module_path)
    File "/usr/lib64/python3.6/importlib/__init__.py", line 126, in import_module
      return _bootstrap._gcd_import(name[level:], package, level)
    File "<frozen importlib._bootstrap>", line 994, in _gcd_import
    File "<frozen importlib._bootstrap>", line 971, in _find_and_load
    File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
    File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
    File "<frozen importlib._bootstrap_external>", line 678, in exec_module
    File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/commands/install.py", line 17, in <module>
      from pip._internal.cli.req_command import RequirementCommand, with_cleanup
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/cli/req_command.py", line 23, in <module>
      from pip._internal.req.constructors import (
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/req/__init__.py", line 10, in <module>
      from .req_install import InstallRequirement
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/req/req_install.py", line 10, in <module>
      import uuid
    File "/usr/local/lib/python3.6/site-packages/uuid.py", line 138
      if not 0 <= time_low < 1<<32L:
                                  ^
  SyntaxError: invalid syntax
  ----------------------------------------
ERROR: Command errored out with exit status 1: /usr/bin/python3 /usr/local/lib/python3.6/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-jzgza5un/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i http://mirrors.tencentyun.com/pypi/simple --trusted-host mirrors.tencentyun.com -- 'setuptools >= 40.8.0' wheel 'Cython >= 3.0a5' 'cffi >= 1.12.3 ; platform_python_implementation == '"'"'CPython'"'"'' 'greenlet >= 0.4.17, < 2.0 ; platform_python_implementation == '"'"'CPython'"'"'' Check the logs for full command output.

centos x64
Installing with pip3 on kali does not error, but when running the project:

<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject

where is the exploit module?

py -3 vulmap.py --help
(vulmap ASCII banner)
usage: python3 vulmap [options]

target:
you must to specify target

-u URL, --url URL target URL (e.g. -u "http://example.com")
-f FILE, --file FILE select a target list file (e.g. -f "list.txt")
--fofa keyword call fofa api to scan (e.g. --fofa "app=Apache-Shiro")
--shodan keyword call shodan api to scan (e.g. --shodan "Shiro")

mode:
options vulnerability scanning or exploit mode

-a APP [APP ...] specify webapps (e.g. -a "tomcat") allow multiple

general:
general options

-h, --help show this help message and exit
-t NUM, --thread NUM number of scanning function threads, default 10 threads
--dnslog server dnslog server (hyuga,dnslog,ceye) default automatic
--output-text file result export txt file (e.g. "result.txt")
--output-json file result export json file (e.g. "result.json")
--proxy-socks SOCKS socks proxy (e.g. --proxy-socks 127.0.0.1:1080)
--proxy-http HTTP http proxy (e.g. --proxy-http 127.0.0.1:8080)
--fofa-size SIZE fofa query target number, default 100 (1-10000)
--user-agent UA you can customize the user-agent headers
--delay DELAY delay check time, default 0s
--timeout TIMEOUT scan timeout time, default 10s
--list display the list of supported vulnerabilities
--debug exp echo request and responses, poc echo vuln lists
--check survival check (on and off), default on

support:
types of vulnerability scanning:
all, activemq, flink, shiro, solr, struts2, tomcat, unomi, drupal
elasticsearch, fastjson, jenkins, laravel, nexus, weblogic, jboss
spring, thinkphp, druid, exchange, nodejs, saltstack, vmware
bigip, ofbiz, coremail, ecology, eyou, qianxin, ruijie

examples:
python3 vulmap.py -u http://example.com
python3 vulmap.py -u http://example.com -a struts2
python3 vulmap.py -f list.txt -a weblogic -t 20
python3 vulmap.py -f list.txt --output-json results.json
python3 vulmap.py --fofa "app=Apache-Shiro"

Suggestion

I hope https will be supported; while using it I found that if the address after -u is https, the check exits immediately

pip install -r requirement.txt errors

pip install -r requirement.txt errors,
python-3.9

Building wheels for collected packages: lxml
  Building wheel for lxml (setup.py) ... error
  ERROR: Command errored out with exit status 1:
   command: /usr/local/bin/python -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-iq38rq57/lxml/setup.py'"'"'; __file__='"'"'/tmp/pip-install-iq38rq57/lxml/setup.py'"'"
';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-ad3_
9cqe
       cwd: /tmp/pip-install-iq38rq57/lxml/
  Complete output (731 lines):
  Building lxml version 4.3.2.
  Building without Cython.
  Using build configuration of libxslt 1.1.32
  running bdist_wheel
  running build
  running build_py
  creating build
  creating build/lib.linux-x86_64-3.9
  creating build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/usedoctest.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/sax.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/builder.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/cssselect.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/pyclasslookup.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/_elementpath.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/doctestcompare.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/__init__.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/ElementInclude.py -> build/lib.linux-x86_64-3.9/lxml
  creating build/lib.linux-x86_64-3.9/lxml/includes
  copying src/lxml/includes/__init__.py -> build/lib.linux-x86_64-3.9/lxml/includes
  creating build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/diff.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/usedoctest.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/defs.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/_diffcommand.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/clean.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/_setmixin.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/builder.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/ElementSoup.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/soupparser.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/formfill.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/__init__.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/_html5builder.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/html5parser.py -> build/lib.linux-x86_64-3.9/lxml/html
  creating build/lib.linux-x86_64-3.9/lxml/isoschematron
  copying src/lxml/isoschematron/__init__.py -> build/lib.linux-x86_64-3.9/lxml/isoschematron
  copying src/lxml/etree.h -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/etree_api.h -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/lxml.etree.h -> build/lib.linux-x86_64-3.9/lxml

The poc check logic may have a bug

My target has the s2-045 vulnerability.

Note this line in the debug output: [INFO] Start scanning target: http://192.168.200.132:8080/struts2-showcase
The trailing / of the url is dropped by the program, so the vulnerability is not detected.

Resending the packet with burp: (screenshots)

requests.get 301 redirect problem

While using it I found that this problem sometimes occurs

Traceback (most recent call last):
  File "vulmap.py", line 67, in <module>
    core.control_options(args)  # 运行核心选项控制方法用于处理不同选项并开始扫描
  File "/root/shell/core/core.py", line 78, in control_options
    core.control_webapps("file", args.file, args.app, "poc")
  File "/root/shell/core/core.py", line 186, in control_webapps
    if survival_check(furl) == "f":  # 如果存活检测失败就跳过
  File "/root/shell/module/allcheck.py", line 105, in survival_check
    elif _http_conn(url) == "s":
  File "/root/shell/module/allcheck.py", line 93, in _http_conn
    requests.get(target, timeout=timeout, headers=headers, verify=False)
  File "/root/shell/thirdparty/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/root/shell/thirdparty/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/root/shell/thirdparty/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/root/shell/thirdparty/requests/sessions.py", line 677, in send
    history = [resp for resp in gen]
  File "/root/shell/thirdparty/requests/sessions.py", line 677, in <listcomp>
    history = [resp for resp in gen]
  File "/root/shell/thirdparty/requests/sessions.py", line 166, in resolve_redirects
    raise TooManyRedirects('Exceeded {} redirects.'.format(self.max_redirects), response=resp)
thirdparty.requests.exceptions.TooManyRedirects: Exceeded 30 redirects.
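The traceback above ends in `TooManyRedirects` because `requests.get()` follows redirects until its 30-hop limit and then raises, which turns a host that is clearly answering into a failed liveness check. The following is an added example (not vulmap's own code) of a liveness check that follows `Location` headers itself with a small hop cap and loop detection. `fetch` is an assumed callable taking a URL and returning `(status_code, headers_dict)`; the simulated servers at the bottom are constructed stand-ins so the logic runs offline.

```python
"""Liveness check that survives redirect loops (added example, not vulmap code)."""
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


def liveness(url, fetch, max_hops=5):
    """Return ("s" | "f", chain), using the s/f convention of survival_check.

    "s": the target answered (any status, including a redirect loop or a
         chain longer than max_hops); "f": transport-level failure only.
    chain: every URL actually requested, useful for the debug log.
    fetch: assumed callable url -> (status_code, headers_dict).
    """
    chain = []
    current = url
    while len(chain) <= max_hops:
        if current in chain:
            # Loop (e.g. http -> https -> http): stop here, the host is alive.
            return "s", chain
        chain.append(current)
        try:
            status, headers = fetch(current)
        except OSError:
            # Connection refused / reset / timeout: nothing answered.
            return "f", chain
        if status in REDIRECT_CODES and "Location" in headers:
            # Location may be relative; resolve it against the current URL.
            current = urljoin(current, headers["Location"])
            continue
        return "s", chain
    # Hop cap reached on an ever-changing chain: still an answering host.
    return "s", chain


# Constructed stand-ins for real servers (no network access needed).
def loop_server(url):
    """http <-> https bounce, the kind of loop behind 'Exceeded 30 redirects'."""
    if url.startswith("http://"):
        return 301, {"Location": "https://" + url[len("http://"):]}
    return 301, {"Location": "http://" + url[len("https://"):]}


def slash_server(url):
    """Redirects once to add a trailing slash, then serves the page."""
    return (200, {}) if url.endswith("/") else (301, {"Location": url + "/"})


def login_server(url):
    """Relative Location header, as many application servers send."""
    return (200, {}) if url.endswith("/login") else (302, {"Location": "/login"})


def endless_server(url):
    """Never repeats a URL: /r1 -> /r2 -> ..., so only the hop cap stops it."""
    n = int(url.rsplit("/r", 1)[1]) if "/r" in url else 0
    return 301, {"Location": "/r%d" % (n + 1)}


def dead_server(url):
    """Nothing listening; ConnectionRefusedError is a subclass of OSError."""
    raise ConnectionRefusedError("constructed: connection refused")


if __name__ == "__main__":
    for name, srv in [("loop", loop_server), ("slash", slash_server),
                      ("login", login_server), ("endless", endless_server),
                      ("dead", dead_server)]:
        print(name, liveness("http://example.com/app", srv))
```

With a real client, `fetch` would wrap `requests.get(url, allow_redirects=False, ...)` and return `resp.status_code, resp.headers`; the check then never depends on the library's own redirect limit.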

Small bug

On windows, searching for assets with fofa returns no results at all

Suggestion

Add multithreading; check liveness first, then verify

Good Job

Excellent; I hope new detection POCs and EXPs keep being added. Could the documentation be split up? The file is too large, hard to read, and not easy to reuse.

The scan throws an exception

Traceback (most recent call last):
File "D:\Anaconda3\lib\site-packages\urllib3\connectionpool.py", line 670, in urlopen
httplib_response = self._make_request(
File "D:\Anaconda3\lib\site-packages\urllib3\connectionpool.py", line 426, in _make_request
six.raise_from(e, None)
File "", line 3, in raise_from
File "D:\Anaconda3\lib\site-packages\urllib3\connectionpool.py", line 421, in _make_request
httplib_response = conn.getresponse()
File "D:\Anaconda3\lib\http\client.py", line 1332, in getresponse
response.begin()
File "D:\Anaconda3\lib\http\client.py", line 303, in begin
version, status, reason = self._read_status()
File "D:\Anaconda3\lib\http\client.py", line 264, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
File "D:\Anaconda3\lib\socket.py", line 669, in readinto
return self._sock.recv_into(b)
File "D:\Anaconda3\lib\site-packages\gevent_socket3.py", line 505, in recv_into
return self._sock.recv_into(*args)
ConnectionResetError: [WinError 10054] 远程主机强迫关闭了一个现有的连接。

The S2-045 poc in ApacheStruts2.py has an error

        self.headers2 = {
            'User-Agent': self.ua,
            'Content-Type': self.payload_s2_045.replace("RECOMMAND", cmd)
        }
        try:
            self.req= requests.get(self.url, headers=self.headers1, timeout=self.timeout, verify=False)
            if r"54289" in self.request.headers['FUCK']:

self.req should be self.request

speed up

Why don't you use threads so it runs faster?

TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

Running the program throws an error; both version 0.2 and version 0.1 have this error.

Traceback (most recent call last):
  File "vulmap.py", line 7609, in <module>
    cmdlineparser(sys.argv)
  File "vulmap.py", line 7568, in cmdlineparser
    Target.allvuln_url(args.url)
  File "vulmap.py", line 7337, in allvuln_url
    Start.allvulnscan(self)
  File "vulmap.py", line 7126, in allvulnscan
    Start.apache_solr(self)
  File "vulmap.py", line 7139, in apache_solr
    PocApacheSolr.cve_2019_0193()
  File "vulmap.py", line 331, in cve_2019_0193
    self.solrhost = self.hostname+":"+str(self.port)
TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

AttributeError: module 'random' has no attribute 'choices'

In python 3.5 random.choices() will fail because that method is not available on python 3.5.

Replacing random.choices() with random.sample() on modules/md5.py will work on python 3.5.

Adding a routine to check for python version and use one or the other works as well, for example:

import sys
if sys.version_info.major == 3 and sys.version_info.minor < 6:

Etc.
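A version-neutral replacement for the random.choices() call, added here as an example and not code from vulmap's modules/md5.py; it assumes only the standard library, and it keeps the "with replacement" semantics that random.sample() does not (sample() refuses a k larger than the population).

```python
import random
import sys

# Added example, not vulmap's own code. random.choices() appeared in Python 3.6;
# on 3.5 a fallback built on random.choice() keeps drawing with replacement,
# whereas random.sample() draws without replacement and raises ValueError
# when k exceeds the population size.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def choices_legacy(population, k, rng=random):
    """Pre-3.6 path: k draws with replacement using only random.choice()."""
    return [rng.choice(population) for _ in range(k)]


def choices_compat(population, k, rng=random):
    """Return k elements drawn with replacement on any Python 3 release."""
    if sys.version_info >= (3, 6):
        return rng.choices(population, k=k)
    return choices_legacy(population, k, rng)


def random_string(length, alphabet=ALPHABET):
    """Random identifier of the requested length (e.g. a marker string)."""
    return "".join(choices_compat(alphabet, length))


if __name__ == "__main__":
    print(random_string(16))
    # 8 draws from a 3-character population: fine with replacement,
    # but random.sample("abc", 8) would raise ValueError.
    print("".join(choices_legacy("abc", 8)))
```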

No output file

The command I used:
python3 vulmap.py -u http://114.32.6.25 --output-json "123.json"
The program runs normally:
[19:45:38] [INFO] Start scanning target: http://114.32.6.25
[19:45:48] [INFO] Unable to identify target, Run all pocs
[19:46:10] [INFO] Scan completed and ended
[19:46:10] [INFO] Scan result json saved to: 123.json
But there is no 123.json file in the directory.

Summary of vulmap bug fixes

🐞 BUG1:

<frozen importlib._bootstrap>:228: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:228: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:228: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:228: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:228: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:228: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:228: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:228: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject

✅ Fix

Caused by a gevent and greenlet version mismatch.
On python3.8+ you need gevent>=20.9; greenlet>=0.4.17
What about python3.7? You need gevent>=1.4.0, <20.9; greenlet>=0.4.14, <0.4.17 OR gevent>=20.9; greenlet>=0.4.17
If that still does not resolve it, or you get a NameError: name 'AF_INET' is not defined error, fix it with the following command:

pip3 install -U --force-reinstall --no-binary :all: gevent

Feature suggestion regarding the recent Apache Flink vulnerabilities (CVE-2020-17519 and CVE-2020-17518)

For successful results, include the scanned URL in the output so vulnerable targets are easy to export and organize. Example below; a regex match can then sort them out quickly.


P.S. The current version does not handle exporting scan results well; the -o parameter only records and exports scan status. I suggest -o could export in the following format:

  • Scan target - Vulnerability ID - Exploit success flag -

Unable to identify target

Ran python3 vulmap.py -u http://192.168.31.97:8080/

Output:
[09:56:52] [INFO] Currently the latest version: 0.7
[09:57:04] [INFO] Start scanning target: http://192.168.31.97:8080/
[09:57:17] [INFO] Unable to identify target, Run all pocs
[09:57:51] [INFO] Scan completed and ended

Why can't the target be identified? My python version is 3.6.8; does that matter?

Going to error in new

root@server:/tools/vulmap# python3 vulmap.py -u https://paypal.com
Traceback (most recent call last):
  File "vulmap.py", line 8, in <module>
    from gevent import monkey;monkey.patch_all()
  File "/usr/local/lib/python3.6/dist-packages/gevent/monkey.py", line 1214, in patch_all
    _notify_patch(events.GeventWillPatchAllEvent(modules_to_patch, kwargs), _warnings)
  File "/usr/local/lib/python3.6/dist-packages/gevent/monkey.py", line 185, in _notify_patch
    notify_and_call_entry_points(event)
  File "/usr/local/lib/python3.6/dist-packages/gevent/events.py", line 104, in notify_and_call_entry_points
    subscriber = plugin.load()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2323, in load
    self.require(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2346, in require
    items = working_set.resolve(reqs, env, installer, extras=self.extras)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 783, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.VersionConflict: (psutil 5.6.7 (/usr/local/lib/python3.6/dist-packages), Requirement.parse('psutil>=5.7.0; sys_platform != "win32" or platform_python_implementation == "CPython" and extra == "monitor"'))
root@server:/tools/vulmap#

Component scan

Could the vulnerabilities for a single framework be pulled out and scanned on their own?
