Git Product home page Git Product logo

opensec-cn / kunpeng Goto Github PK

View Code? Open in Web Editor NEW
1.6K 56.0 322.0 13.72 MB

kunpeng是一个Golang编写的开源POC框架/库,以动态链接库的形式提供各种语言调用,通过此项目可快速开发漏洞检测类的系统。

License: Apache License 2.0

Go 76.23% Python 8.53% JavaScript 2.40% Lua 0.69% Java 1.38% HTML 9.64% Shell 0.21% C 0.91%
proof-of-concept poc-library security-vulnerability security-testing

kunpeng's People

Contributors

answerwa avatar blkstone avatar jrdw0 avatar kxcode avatar l3m0n avatar m4yfly avatar medicean avatar neargle avatar ozipin avatar phith0n avatar v1xingyue avatar wstart avatar ywolf avatar zema1 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

grayguest 5up3rc dean2021 shellb0y grant555 haoirui ddj0509 izpz vf3ng dongfangyuxiao t4di5 superf0sh zwx-zsy free-guangzhou rongqinglee crackercat m4d3bug alilangtest wuyouzi m00zh33 insqur superdong0 lubyruffy huangyuan666 abc333love iceyhexman lightmanwang test123test111 kmmao shaunstanislauslau kaide0521 aduan qiankeqin venscor kk98kk0 xuduofeng harry1080 krpronie kissthink getcode2git wstart dreamsroid isgasho yqyunjie killvxk 26597925 sdgdsffdsfff ldbqh mekoko yyxxzz qiqi1 huyanshuhan cc88cc simolin zx273983653 485653 intechceo ximumu shinpachi8 keloke 0bsid1an dennyx ywhere jacobjacob pysec h3ll0w0lrd xiaoyaodashao ver007 b-xiang hu-mou qsdj imnewer spadeslyn featuregod hadesangel awesome-security yi6ei2ifd l3ngd0n 5ty4ck re-expoc foxhack victor0013 songofhack freeide anquanzhu iceshijie l3m0n smileboywtu piggypage lpilp lp008 bgrstar freegit9527 zubeneschamali lordsky pe4ch ganiner bigbigx nidaye222 jdysn

kunpeng's Issues

是否支持指定插件的调用?

目前kunpeng调用哪些插件取决于task中的targettarget对应插件里的target字段,扫描时具有同样target的插件都会被调用。

不过对于某些场景可能需要只调用指定的插件,比如出现高危漏洞时的应急响应,虽然可以通过将target设置成emergency等特殊值来实现,但是后续PoC分类是还是需要把target设置成插件所属的类别,这就多了一步操作。

所以我想问下kunpeng有考虑通过除target之外其他唯一标识字段来加载插件吗?比如id、名称等。

json 插件加载不出来

麻烦问下,我这里的json插件一直没有初始化成功。
怎么才能加载出来json插件的啊。
[info] 17:04:19 log.go:44: [json plugin total: 0]

esc install 报错

新版本esc安装报错:

➜  kunpeng uname -a
Darwin localhost 16.7.0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64
➜  kunpeng cd $GOPATH/src/github.com/opensec-cn/kunpeng
➜  kunpeng git:(master) git status
On branch master
Your branch is up-to-date with 'origin/master'.

nothing to commit, working tree clean
➜  kunpeng git:(master) go install ./vendor/github.com/mjibson/esc
vendor/github.com/mjibson/esc/embed/embed.go:20:2: cannot find package "github.com/pkg/errors" in any of:
	/Users/xx/Code/go/src/github.com/opensec-cn/kunpeng/vendor/github.com/pkg/errors (vendor tree)
	/usr/local/go/src/github.com/pkg/errors (from $GOROOT)
	/Users/xx/Code/go/src/github.com/pkg/errors (from $GOPATH)
vendor/github.com/mjibson/esc/embed/embed.go:21:2: cannot find package "golang.org/x/tools/imports" in any of:
	/Users/xx/Code/go/src/github.com/opensec-cn/kunpeng/vendor/golang.org/x/tools/imports (vendor tree)
	/usr/local/go/src/golang.org/x/tools/imports (from $GOROOT)
	/Users/xx/Code/go/src/golang.org/x/tools/imports (from $GOPATH)

新写的 json 插件一直加载不上

请问新写的 json 插件一直加载不上,也不报错,但是显示的 json 插件数一直不变,存在漏洞的请求访问也没有结果
一直是这个数
[info] 17:05:11 log.go:44: [go plugin total: 34]
[info] 17:05:11 log.go:44: [json plugin total: 19]

执行编译操作也没有问题,也会生成新的 so 文件,但是使用 so 文件进行漏洞测试,显示的插件数也不变,测试存在漏洞的请求,也没有结果,这种情况该怎么处理呢?谢谢

关于go调用并发时出现goroutine leak

问题有点类似: distribution/distribution#473

出现在net/http.(*persistConn).writeLoop,并发数量大概1000,但是出现了goroutine 2w+...

9A9133F260DEDEFE5F33D6803D13B956

问题以及得到解决:
/github.com/opensec-cn/kunpeng/util/net.go

使用DisableKeepAlives: true关闭一下

transport := &http.Transport{
		TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
		DisableKeepAlives: true,
	}

注意的是每次都会调用setProxy, 里面的逻辑会翻盖init()设置的client.Transport

func RequestDo(request *http.Request, hasRaw bool) (Resp, error) {
	setProxy()
}

go install ./vendor/github.com/mjibson/esc [failed]

image
vendor/github.com/mjibson/esc/embed/embed.go:20:2: cannot find package "github.com/pkg/errors" in any of:
/Users/jrd/.go/src/github.com/opensec-cn/kunpeng/vendor/github.com/pkg/errors (vendor tree)
/usr/local/opt/go/libexec/src/github.com/pkg/errors (from $GOROOT)
/Users/jrd/.go/src/github.com/pkg/errors (from $GOPATH)
vendor/github.com/mjibson/esc/embed/embed.go:21:2: cannot find package "golang.org/x/tools/imports" in any of:
/Users/jrd/.go/src/github.com/opensec-cn/kunpeng/vendor/golang.org/x/tools/imports (vendor tree)
/usr/local/opt/go/libexec/src/golang.org/x/tools/imports (from $GOROOT)
/Users/jrd/.go/src/golang.org/x/tools/imports (from $GOPATH)

go version go1.11.5 darwin/amd64

plugin.GetPlugins()返回空

您好,请问一下我在直接调用获取插件时返回空,

	plugins := plugin.GetPlugins()
	fmt.Println(plugins) // []
}```
很迷惑为什么获取不到插件信息,期待您的解惑。

axisWeakPass登录验证

自己测试发现,弱口令验证时,需要添加{"Content-Type":"application/x-www-form-urlencoded"}头,才能弱口令登录

[误报] MongoDB 未授权访问插件

有问题的代码:

https://github.com/opensec-cn/kunpeng/blob/master/plugin/go/mongoWeakPass.go#L45-L52

使用 session.Ping() == nil 来判断未授权访问是不正确的,即使 mongodb 加了认证,ping 也会返回正常。

下面是 log:

root@83dd9fca0b15:/# mongo 192.168.2.106:37017/test
MongoDB shell version v4.0.10
connecting to: mongodb://192.168.2.106:37017/test?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("b67c65b0-fd06-4eb8-bc34-3917a0e99bb4") }
MongoDB server version: 4.0.10
> db.runCommand({"ping":1})
{ "ok" : 1 }
> db.runCommand({"serverStatus":1})
{
	"ok" : 0,
	"errmsg" : "command serverStatus requires authentication",
	"code" : 13,
	"codeName" : "Unauthorized"
}
>

正确的做法是替换为:

if err == nil && session.Run("serverStatus", nil) == nil {
 // ...
}

macOS下JSON插件加载个数为0

使用release版本或自行编译均无法加载内置JSON插件。

系统版本:

➜  kunpeng git:(master) uname -a
Darwin localhost 16.7.0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64

编译及测试过程:

➜  kunpeng git:(master) git status
On branch master
Your branch is up-to-date with 'origin/master'.

nothing to commit, working tree clean
➜  kunpeng git:(master) go install ./vendor/github.com/mjibson/esc
➜  kunpeng git:(master) esc -include='\.json$' -o plugin/json/JSONPlugin.go -pkg jsonplugin plugin/json/
➜  kunpeng git:(master) go build -buildmode=c-shared --ldflags="-w -s" -o kunpeng_c.so
➜  kunpeng git:(master) python example/call_so_test.py
[info] 15:28:21 log.go:26: [init plugin: ActiveMQ 任意文件写入漏洞]
[info] 15:28:21 log.go:26: [init plugin: Apache solr XXE漏洞]
[info] 15:28:21 log.go:26: [init plugin: Axis2控制台 弱口令]
[info] 15:28:21 log.go:26: [init plugin: web目录浏览]
[info] 15:28:21 log.go:26: [init plugin: Discuz! 6.x/7.x 代码执行]
[info] 15:28:21 log.go:26: [init plugin: FTP 弱口令]
[info] 15:28:21 log.go:26: [init plugin: grafana 控制台弱口令]
[info] 15:28:21 log.go:26: [init plugin: IIS 物理路径泄露]
[info] 15:28:21 log.go:26: [init plugin: IIS 短文件名]
[info] 15:28:21 log.go:26: [init plugin: JBoss 控制台弱口令]
[info] 15:28:21 log.go:26: [init plugin: Memcache 未授权访问]
[info] 15:28:21 log.go:26: [init plugin: MongoDB 未授权访问/弱口令]
[info] 15:28:21 log.go:26: [init plugin: SQLServer 弱口令]
[info] 15:28:21 log.go:26: [init plugin: MySQL 弱口令]
[info] 15:28:21 log.go:26: [init plugin: PostgreSQL 弱口令]
[info] 15:28:21 log.go:26: [init plugin: Redis 未授权访问/弱口令]
[info] 15:28:21 log.go:26: [init plugin: shellshock 破壳漏洞]
[info] 15:28:21 log.go:26: [init plugin: SMB 匿名共享/弱口令]
[info] 15:28:21 log.go:26: [init plugin: SSH 弱口令]
[info] 15:28:21 log.go:26: [init plugin: Struts2 远程代码执行]
[info] 15:28:21 log.go:26: [init plugin: ThinkPHP5 SQL Injection Vulnerability]
[info] 15:28:21 log.go:26: [init plugin: Apache Tomcat 弱口令]
[info] 15:28:21 log.go:26: [init plugin: UcServer 创始人弱口令]
[info] 15:28:21 log.go:26: [init plugin: WebDav Put开启]
[info] 15:28:21 log.go:26: [init plugin: WebDav PROPFIND RCE(理论检测)]
[info] 15:28:21 log.go:26: [init plugin: WebServer 任意文件读取]
[info] 15:28:21 log.go:26: [init plugin: WebLogic WLS RCE ]
[info] 15:28:21 log.go:26: [init plugin: Weblogic 控制台弱口令]
[info] 15:28:21 log.go:26: [init plugin: WordPress Mailpress Plugin 远程代码执行漏洞]
[info] 15:28:21 log.go:26: [init plugin: WordPress 后台弱口令]
[info] 15:28:21 log.go:26: [init plugin: Zabbix jsrpc.php SQL注入漏洞]
[info] 15:28:21 log.go:26: [init plugin: Zabbix latest.php SQL注入漏洞]
[info] 15:28:21 log.go:26: [init plugin: zookeeper 未授权访问]
[info] 15:28:21 log.go:26: [init json plugin]
[info] 15:28:21 log.go:31: [{"type": "web", "netloc": "http://www.google.cn", "target": "web", "meta": {"system": "", "pathlist": [], "filelist": [], "passlist": []}}]
[info] 15:28:21 log.go:31: [{web http://www.google.cn web { [] [] []}}]
[info] 15:28:21 log.go:31: [new task: {web http://www.google.cn web { [] [] []}}]
[info] 15:28:21 log.go:31: [go plugin total: 24]
[info] 15:28:21 log.go:31: [run go plugins: web]
[info] 15:28:21 log.go:31: [request do http://www.google.cn]
[info] 15:28:21 log.go:31: [response code: 200 len: -1]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/css/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1565]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/js/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1564]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/img/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1565]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/images/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1568]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/upload/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1568]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/inc/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1565]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/x47abr.txt]
[info] 15:28:21 log.go:31: [response code: 404 len: 1571]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/x47abr.txt]
[info] 15:28:21 log.go:31: [response code: 404 len: 1571]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/../../../../../../../../etc/passwd]
[info] 15:28:21 log.go:31: [response code: 404 len: 1571]
[info] 15:28:21 log.go:31: [JSON Plugin total:  0]
[]

从最后的[JSON Plugin total: 0]可以看到未能加载内置JSON插件,使用release版本也是同样的情况。在Linux(Ubuntu 16.04)下测试Linux版本可正常加载。

示例代码跑不起来,报错 "unexpected type from module symbol"

系统版本

macOS High Sierra

Go 版本:

go version go1.11.4 darwin/amd64

使用的.so文件是:

kunpeng_darwin_v20190129/kunpeng_go.so

示例代码跑不起来,报错,日志:

[info] 19:07:04 log.go:26: [init plugin: Axis2控制台 弱口令]
[info] 19:07:04 log.go:26: [init plugin: web目录浏览]
[info] 19:07:04 log.go:26: [init plugin: Discuz! 6.x/7.x 代码执行]
[info] 19:07:04 log.go:26: [init plugin: FTP 弱口令]
[info] 19:07:04 log.go:26: [init plugin: grafana 控制台弱口令]
[info] 19:07:04 log.go:26: [init plugin: IIS 物理路径泄露]
[info] 19:07:04 log.go:26: [init plugin: IIS 短文件名]
[info] 19:07:04 log.go:26: [init plugin: JBoss 控制台弱口令]
[info] 19:07:04 log.go:26: [init plugin: Java调试线协议(JDWP)远程代码执行漏洞]
[info] 19:07:04 log.go:26: [init plugin: Memcache 未授权访问]
[info] 19:07:04 log.go:26: [init plugin: MongoDB 未授权访问/弱口令]
[info] 19:07:04 log.go:26: [init plugin: SQLServer 弱口令]
[info] 19:07:04 log.go:26: [init plugin: MySQL 弱口令]
[info] 19:07:04 log.go:26: [init plugin: PostgreSQL 弱口令]
[info] 19:07:04 log.go:26: [init plugin: Redis 未授权访问/弱口令]
[info] 19:07:04 log.go:26: [init plugin: shellshock 破壳漏洞]
[info] 19:07:04 log.go:26: [init plugin: SMB 匿名共享/弱口令]
[info] 19:07:04 log.go:26: [init plugin: SSH 弱口令]
[info] 19:07:04 log.go:26: [init plugin: Struts2 远程代码执行]
[info] 19:07:04 log.go:26: [init plugin: ThinkPHP5 SQL Injection Vulnerability]
[info] 19:07:04 log.go:26: [init plugin: Apache Tomcat 弱口令]
[info] 19:07:04 log.go:26: [init plugin: UcServer 创始人弱口令]
[info] 19:07:04 log.go:26: [init plugin: WebDav Put开启]
[info] 19:07:04 log.go:26: [init plugin: WebDav PROPFIND RCE(理论检测)]
[info] 19:07:04 log.go:26: [init plugin: WebServer 任意文件读取]
[info] 19:07:04 log.go:26: [init plugin: WebLogic WLS RCE ]
[info] 19:07:04 log.go:26: [init plugin: Weblogic 控制台弱口令]
[info] 19:07:04 log.go:26: [init plugin: WordPress 后台弱口令]
[info] 19:07:04 log.go:26: [init plugin: Zabbix jsrpc.php SQL注入漏洞]
[info] 19:07:04 log.go:26: [init plugin: Zabbix latest.php SQL注入漏洞]
[info] 19:07:04 log.go:26: [init plugin: zookeeper 未授权访问]
[info] 19:07:04 log.go:26: [init json plugin]
[info] 19:07:04 log.go:26: [init plugin: discuz_admincp_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_ajax_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_announcement_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_api_pathinfo.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_attachment_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_focus_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_jianghu_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_member_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_misc_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_mp3player_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_post_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_shop_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_viewthread_xss.json]
[info] 19:07:04 log.go:26: [init plugin: django_urljump.json]
[info] 19:07:04 log.go:26: [init plugin: docker_api.json]
[info] 19:07:04 log.go:26: [init plugin: drupal_geddon2_rce.json]
[info] 19:07:04 log.go:26: [init plugin: elasticsearch_unauth.json]
[info] 19:07:04 log.go:26: [init plugin: hadoop_yarn_resourcemanager_unauth_rce.json]
[info] 19:07:04 log.go:26: [init plugin: joomla_3.7_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: joomla_contushdvideoshare_lfi.json]
[info] 19:07:04 log.go:26: [init plugin: joomla_departments_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: thinkphp5_invokefunction_rce.json]
[info] 19:07:04 log.go:26: [init plugin: weblogic_debug.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_cmdownloads_rce.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_dzs_videogallery_xss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_jquery_domxss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_mainwp_login.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_sexy_xss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_swfupload_xss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_wpml_xss.json]
unexpected type from module symbol

kunpeng_go.so:

MD5 (kunpeng_go.so) = 183d8c4be12a0a733f55ff06d866e045

extra 目录 插件删除问题

在extra 目录添加对应的json文件后,会把json文件作为json plugin 加载到内存。
因为,每次检查都用的append的方式加载。

所以,当某个本地json 文件被删除以后,内存里的json plugin 依然存在。

通过python celery无法执行

尝试使用celery异步执行ssh weakpassword, 发现任务卡死,在对应服务器上查看secure日志,发现也没有尝试连接的日志。不使用celery一切正常。

wrong payload

select 0updatexml --> select updatexml
cn/kunpeng/blob/e4a62c725bc5d7f84f4c52fad6122394c69a5534/plugin/go/zabbixLatestSQL.go#L55

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.