opensec-cn / kunpeng

1.6K 56.0 322.0 13.72 MB

kunpeng is an open-source PoC framework/library written in Go. It is shipped as a dynamic link library that can be called from various languages, so vulnerability-detection systems can be built on top of it quickly.

License: Apache License 2.0

Go 76.23% Python 8.53% JavaScript 2.40% Lua 0.69% Java 1.38% HTML 9.64% Shell 0.21% C 0.91%
proof-of-concept poc-library security-vulnerability security-testing

kunpeng's Issues

JSON plugin count loaded on macOS is 0

Neither the release build nor a self-compiled build can load the built-in JSON plugins.

System version:

➜  kunpeng git:(master) uname -a
Darwin localhost 16.7.0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64

Build and test steps:

➜  kunpeng git:(master) git status
On branch master
Your branch is up-to-date with 'origin/master'.

nothing to commit, working tree clean
➜  kunpeng git:(master) go install ./vendor/github.com/mjibson/esc
➜  kunpeng git:(master) esc -include='\.json$' -o plugin/json/JSONPlugin.go -pkg jsonplugin plugin/json/
➜  kunpeng git:(master) go build -buildmode=c-shared --ldflags="-w -s" -o kunpeng_c.so
➜  kunpeng git:(master) python example/call_so_test.py
[info] 15:28:21 log.go:26: [init plugin: ActiveMQ arbitrary file write vulnerability]
[info] 15:28:21 log.go:26: [init plugin: Apache solr XXE vulnerability]
[info] 15:28:21 log.go:26: [init plugin: Axis2 console weak password]
[info] 15:28:21 log.go:26: [init plugin: web directory listing]
[info] 15:28:21 log.go:26: [init plugin: Discuz! 6.x/7.x code execution]
[info] 15:28:21 log.go:26: [init plugin: FTP weak password]
[info] 15:28:21 log.go:26: [init plugin: grafana console weak password]
[info] 15:28:21 log.go:26: [init plugin: IIS physical path disclosure]
[info] 15:28:21 log.go:26: [init plugin: IIS short file name]
[info] 15:28:21 log.go:26: [init plugin: JBoss console weak password]
[info] 15:28:21 log.go:26: [init plugin: Memcache unauthorized access]
[info] 15:28:21 log.go:26: [init plugin: MongoDB unauthorized access/weak password]
[info] 15:28:21 log.go:26: [init plugin: SQLServer weak password]
[info] 15:28:21 log.go:26: [init plugin: MySQL weak password]
[info] 15:28:21 log.go:26: [init plugin: PostgreSQL weak password]
[info] 15:28:21 log.go:26: [init plugin: Redis unauthorized access/weak password]
[info] 15:28:21 log.go:26: [init plugin: shellshock vulnerability]
[info] 15:28:21 log.go:26: [init plugin: SMB anonymous share/weak password]
[info] 15:28:21 log.go:26: [init plugin: SSH weak password]
[info] 15:28:21 log.go:26: [init plugin: Struts2 remote code execution]
[info] 15:28:21 log.go:26: [init plugin: ThinkPHP5 SQL Injection Vulnerability]
[info] 15:28:21 log.go:26: [init plugin: Apache Tomcat weak password]
[info] 15:28:21 log.go:26: [init plugin: UcServer founder weak password]
[info] 15:28:21 log.go:26: [init plugin: WebDav PUT enabled]
[info] 15:28:21 log.go:26: [init plugin: WebDav PROPFIND RCE (theoretical detection)]
[info] 15:28:21 log.go:26: [init plugin: WebServer arbitrary file read]
[info] 15:28:21 log.go:26: [init plugin: WebLogic WLS RCE ]
[info] 15:28:21 log.go:26: [init plugin: Weblogic console weak password]
[info] 15:28:21 log.go:26: [init plugin: WordPress Mailpress Plugin remote code execution vulnerability]
[info] 15:28:21 log.go:26: [init plugin: WordPress admin weak password]
[info] 15:28:21 log.go:26: [init plugin: Zabbix jsrpc.php SQL injection vulnerability]
[info] 15:28:21 log.go:26: [init plugin: Zabbix latest.php SQL injection vulnerability]
[info] 15:28:21 log.go:26: [init plugin: zookeeper unauthorized access]
[info] 15:28:21 log.go:26: [init json plugin]
[info] 15:28:21 log.go:31: [{"type": "web", "netloc": "http://www.google.cn", "target": "web", "meta": {"system": "", "pathlist": [], "filelist": [], "passlist": []}}]
[info] 15:28:21 log.go:31: [{web http://www.google.cn web { [] [] []}}]
[info] 15:28:21 log.go:31: [new task: {web http://www.google.cn web { [] [] []}}]
[info] 15:28:21 log.go:31: [go plugin total: 24]
[info] 15:28:21 log.go:31: [run go plugins: web]
[info] 15:28:21 log.go:31: [request do http://www.google.cn]
[info] 15:28:21 log.go:31: [response code: 200 len: -1]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/css/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1565]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/js/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1564]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/img/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1565]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/images/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1568]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/upload/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1568]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/inc/]
[info] 15:28:21 log.go:31: [response code: 404 len: 1565]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/x47abr.txt]
[info] 15:28:21 log.go:31: [response code: 404 len: 1571]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/x47abr.txt]
[info] 15:28:21 log.go:31: [response code: 404 len: 1571]
[info] 15:28:21 log.go:31: [request do http://www.google.cn/../../../../../../../../etc/passwd]
[info] 15:28:21 log.go:31: [response code: 404 len: 1571]
[info] 15:28:21 log.go:31: [JSON Plugin total:  0]
[]

From the final [JSON Plugin total: 0] you can see that the built-in JSON plugins were not loaded; the release build behaves the same way. Testing the Linux build on Linux (Ubuntu 16.04) loads them normally.

Goroutine leak when calling concurrently from Go

The problem is somewhat similar to distribution/distribution#473

It shows up in net/http.(*persistConn).writeLoop; concurrency was around 1000, but 20k+ goroutines appeared...


The problem has been solved:
/github.com/opensec-cn/kunpeng/util/net.go

Turn keep-alives off with DisableKeepAlives: true

transport := &http.Transport{
	TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
	DisableKeepAlives: true,
}

Note that setProxy is called every time, and the logic inside it overwrites the client.Transport set in init()

func RequestDo(request *http.Request, hasRaw bool) (Resp, error) {
	setProxy() // replaces client.Transport on every call
	// ...
}
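The two points of this thread, a transport shared by all requests with keep-alives disabled, and a setProxy that edits that one transport instead of replacing it, as an added Go example written for this page. It is not kunpeng's util/net.go: the names NewTransport, Client, SetProxy and Do, the proxy URL and the local httptest server are assumptions for illustration, and InsecureSkipVerify is kept only because the thread's own snippet has it.

```go
package main

import (
	"crypto/tls"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"time"
)

// Added example, not kunpeng's code. One transport and one client for the
// whole process; every scanner request goes through them.
var (
	mu        sync.Mutex
	transport *http.Transport
	client    *http.Client
)

// NewTransport builds the single transport the scanner reuses. The fields
// mirror the snippet in the thread: InsecureSkipVerify because a scanner
// talks to arbitrary hosts with self-signed certificates (do not copy this
// into anything that is not a scanner), DisableKeepAlives so that no
// persistConn, and therefore no readLoop/writeLoop goroutine, outlives
// its request.
func NewTransport() *http.Transport {
	return &http.Transport{
		TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
		DisableKeepAlives: true,
	}
}

// Client returns the process-wide client, creating it exactly once.
func Client() *http.Client {
	mu.Lock()
	defer mu.Unlock()
	if client == nil {
		transport = NewTransport()
		client = &http.Client{Transport: transport, Timeout: 15 * time.Second}
	}
	return client
}

// SetProxy changes the Proxy field of the shared transport in place. The bug
// described in the thread was assigning a fresh &http.Transport{} here on
// every request, which silently dropped DisableKeepAlives and allocated a
// new connection pool (with its own goroutines) each time. Call this before
// the scan starts; mutating the transport while requests are in flight is
// a data race.
func SetProxy(rawURL string) error {
	Client() // make sure the shared transport exists
	mu.Lock()
	defer mu.Unlock()
	if rawURL == "" {
		transport.Proxy = nil
		return nil
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	transport.Proxy = http.ProxyURL(u)
	return nil
}

// Do issues a request and always drains and closes the body. An unclosed
// body is the other common way to pin a connection and its goroutines.
func Do(req *http.Request) (int, []byte, error) {
	resp, err := Client().Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what a hostile target can make us buffer
	return resp.StatusCode, body, err
}

func main() {
	// Constructed local target so the example runs offline.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ok")
	}))
	defer srv.Close()
	for i := 0; i < 100; i++ {
		req, _ := http.NewRequest("GET", srv.URL, nil)
		if _, _, err := Do(req); err != nil {
			panic(err)
		}
	}
}
```

DisableKeepAlives trades the leak for a fresh TCP and TLS handshake on every request. If that becomes the bottleneck, the alternative is to leave keep-alives on, bound the pool with MaxIdleConnsPerHost and IdleConnTimeout on the same shared transport, and make sure every response body is read and closed as Do does here; creating a transport per request is the one thing that never works.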

axisWeakPass login verification

In my own testing I found that for the weak-password check, the {"Content-Type":"application/x-www-form-urlencoded"} header has to be added before a weak-password login succeeds.

go install ./vendor/github.com/mjibson/esc [failed]

vendor/github.com/mjibson/esc/embed/embed.go:20:2: cannot find package "github.com/pkg/errors" in any of:
/Users/jrd/.go/src/github.com/opensec-cn/kunpeng/vendor/github.com/pkg/errors (vendor tree)
/usr/local/opt/go/libexec/src/github.com/pkg/errors (from $GOROOT)
/Users/jrd/.go/src/github.com/pkg/errors (from $GOPATH)
vendor/github.com/mjibson/esc/embed/embed.go:21:2: cannot find package "golang.org/x/tools/imports" in any of:
/Users/jrd/.go/src/github.com/opensec-cn/kunpeng/vendor/golang.org/x/tools/imports (vendor tree)
/usr/local/opt/go/libexec/src/golang.org/x/tools/imports (from $GOROOT)
/Users/jrd/.go/src/golang.org/x/tools/imports (from $GOPATH)

go version go1.11.5 darwin/amd64

[False positive] MongoDB unauthorized access plugin

Problematic code:

https://github.com/opensec-cn/kunpeng/blob/master/plugin/go/mongoWeakPass.go#L45-L52

Using session.Ping() == nil to decide unauthorized access is incorrect: even when MongoDB has authentication enabled, ping still returns normally.

Here is the log:

root@83dd9fca0b15:/# mongo 192.168.2.106:37017/test
MongoDB shell version v4.0.10
connecting to: mongodb://192.168.2.106:37017/test?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("b67c65b0-fd06-4eb8-bc34-3917a0e99bb4") }
MongoDB server version: 4.0.10
> db.runCommand({"ping":1})
{ "ok" : 1 }
> db.runCommand({"serverStatus":1})
{
	"ok" : 0,
	"errmsg" : "command serverStatus requires authentication",
	"code" : 13,
	"codeName" : "Unauthorized"
}
>

The correct approach is to replace it with:

// serverStatus requires authorization, so it only succeeds when the server is actually open
if err == nil && session.Run("serverStatus", nil) == nil {
	// ...
}
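The corrected decision with the cases this thread raises (reachable but authenticated, reachable and open, not reachable at all), as an added Go example written for this page; it is not the project's mongoWeakPass.go and contains no driver call. The Runner signature, the CmdResult fields and the FakeMongo replies are assumptions modelled on the mongo shell output above; the fake replays those replies so the logic runs offline.

```go
package main

import (
	"errors"
	"fmt"
)

// CmdResult is the subset of a MongoDB command reply that the check needs.
// Field names follow the reply shown in the shell session above
// ("ok", "code", "codeName", "errmsg"). Added example, not kunpeng's code.
type CmdResult struct {
	OK       int
	Code     int
	CodeName string
	ErrMsg   string
}

// Runner sends one database command and returns its reply. In real code this
// wraps the driver (mgo's session.Run or the official driver's RunCommand);
// the signature is an assumption made for this example.
type Runner func(cmd string) (CmdResult, error)

// codeUnauthorized is MongoDB's error code for "requires authentication".
const codeUnauthorized = 13

// Verdict is the outcome of the probe.
type Verdict int

const (
	Unreachable     Verdict = iota // ping failed: host down, not MongoDB, or network error
	AuthRequired                   // server up, privileged command refused with code 13
	Unauthenticated                // privileged command succeeded without credentials: the finding
	Inconclusive                   // privileged command failed for some other reason
)

func (v Verdict) String() string {
	return [...]string{"Unreachable", "AuthRequired", "Unauthenticated", "Inconclusive"}[v]
}

// ProbeUnauthAccess is the corrected check. ping answers ok:1 whether or not
// auth is enabled, so it only proves reachability; serverStatus is gated by
// authorization, so it succeeding anonymously is what proves open access.
func ProbeUnauthAccess(run Runner) (Verdict, error) {
	r, err := run("ping")
	if err != nil || r.OK != 1 {
		return Unreachable, err
	}
	r, err = run("serverStatus")
	if err != nil {
		return Inconclusive, err
	}
	switch {
	case r.OK == 1:
		return Unauthenticated, nil
	case r.Code == codeUnauthorized || r.CodeName == "Unauthorized":
		return AuthRequired, nil
	default:
		return Inconclusive, fmt.Errorf("serverStatus failed: %s", r.ErrMsg)
	}
}

// FakeMongo is a constructed stand-in that replays the replies from the shell
// session above, with and without authentication enabled.
func FakeMongo(authEnabled bool) Runner {
	return func(cmd string) (CmdResult, error) {
		switch cmd {
		case "ping":
			return CmdResult{OK: 1}, nil // ok:1 in both configurations
		case "serverStatus":
			if authEnabled {
				return CmdResult{OK: 0, Code: 13, CodeName: "Unauthorized",
					ErrMsg: "command serverStatus requires authentication"}, nil
			}
			return CmdResult{OK: 1}, nil
		}
		return CmdResult{}, errors.New("unknown command: " + cmd)
	}
}

// DownMongo models a host that never answers.
func DownMongo() Runner {
	return func(string) (CmdResult, error) {
		return CmdResult{}, errors.New("connection refused")
	}
}

func main() {
	for _, tc := range []struct {
		name string
		run  Runner
	}{
		{"auth enabled", FakeMongo(true)},
		{"no auth", FakeMongo(false)},
		{"host down", DownMongo()},
	} {
		v, err := ProbeUnauthAccess(tc.run)
		fmt.Printf("%-12s -> %s (err=%v)\n", tc.name, v, err)
	}
}
```

Drivers such as mgo return an ok:0 reply as an error value carrying the code rather than as a result document, so a Runner built on session.Run should translate that error into a CmdResult with Code set; if it is passed through as a transport error the check lands in Inconclusive instead of AuthRequired, which is still not a false positive.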

esc install error

The new version of esc fails to install:

➜  kunpeng uname -a
Darwin localhost 16.7.0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64
➜  kunpeng cd $GOPATH/src/github.com/opensec-cn/kunpeng
➜  kunpeng git:(master) git status
On branch master
Your branch is up-to-date with 'origin/master'.

nothing to commit, working tree clean
➜  kunpeng git:(master) go install ./vendor/github.com/mjibson/esc
vendor/github.com/mjibson/esc/embed/embed.go:20:2: cannot find package "github.com/pkg/errors" in any of:
	/Users/xx/Code/go/src/github.com/opensec-cn/kunpeng/vendor/github.com/pkg/errors (vendor tree)
	/usr/local/go/src/github.com/pkg/errors (from $GOROOT)
	/Users/xx/Code/go/src/github.com/pkg/errors (from $GOPATH)
vendor/github.com/mjibson/esc/embed/embed.go:21:2: cannot find package "golang.org/x/tools/imports" in any of:
	/Users/xx/Code/go/src/github.com/opensec-cn/kunpeng/vendor/golang.org/x/tools/imports (vendor tree)
	/usr/local/go/src/golang.org/x/tools/imports (from $GOROOT)
	/Users/xx/Code/go/src/golang.org/x/tools/imports (from $GOPATH)

Is calling a specified plugin supported?

Currently which plugins kunpeng invokes depends on the target in the task: it corresponds to the target field in the plugin, and at scan time every plugin with the same target is invoked.

But some scenarios may need only a specified plugin to be called, for example emergency response when a high-risk vulnerability appears. Although this can be achieved by setting target to a special value such as emergency, the target still has to be set back to the plugin's own category when the PoC is classified later, which adds an extra step.

So I would like to ask whether kunpeng has considered loading plugins by a unique identifier field other than target, such as id or name.

Cannot execute via Python celery

I tried to run ssh weakpassword asynchronously with celery and found the task hangs; checking the secure log on the target server showed no connection attempts either. Without celery everything works.

wrong payload

select 0updatexml --> select updatexml
cn/kunpeng/blob/e4a62c725bc5d7f84f4c52fad6122394c69a5534/plugin/go/zabbixLatestSQL.go#L55

JSON plugins won't load

Could you tell me why the JSON plugins here never initialize successfully?
How do I get the JSON plugins to load?
[info] 17:04:19 log.go:44: [json plugin total: 0]

Newly written JSON plugins never load

A newly written JSON plugin never loads. There is no error, but the displayed JSON plugin count never changes, and requests against a vulnerable target return no result either.
It is always this count
[info] 17:05:11 log.go:44: [go plugin total: 34]
[info] 17:05:11 log.go:44: [json plugin total: 19]

Compiling works without problems and a new so file is generated, but when the so file is used for vulnerability testing the displayed plugin count is unchanged, and testing a request that is vulnerable gives no result. How should this be handled? Thanks

Example code won't run, error "unexpected type from module symbol"

System version

macOS High Sierra

Go version:

go version go1.11.4 darwin/amd64

The .so file used is:

kunpeng_darwin_v20190129/kunpeng_go.so

The example code won't run; error log:

[info] 19:07:04 log.go:26: [init plugin: Axis2 console weak password]
[info] 19:07:04 log.go:26: [init plugin: web directory listing]
[info] 19:07:04 log.go:26: [init plugin: Discuz! 6.x/7.x code execution]
[info] 19:07:04 log.go:26: [init plugin: FTP weak password]
[info] 19:07:04 log.go:26: [init plugin: grafana console weak password]
[info] 19:07:04 log.go:26: [init plugin: IIS physical path disclosure]
[info] 19:07:04 log.go:26: [init plugin: IIS short file name]
[info] 19:07:04 log.go:26: [init plugin: JBoss console weak password]
[info] 19:07:04 log.go:26: [init plugin: Java Debug Wire Protocol (JDWP) remote code execution vulnerability]
[info] 19:07:04 log.go:26: [init plugin: Memcache unauthorized access]
[info] 19:07:04 log.go:26: [init plugin: MongoDB unauthorized access/weak password]
[info] 19:07:04 log.go:26: [init plugin: SQLServer weak password]
[info] 19:07:04 log.go:26: [init plugin: MySQL weak password]
[info] 19:07:04 log.go:26: [init plugin: PostgreSQL weak password]
[info] 19:07:04 log.go:26: [init plugin: Redis unauthorized access/weak password]
[info] 19:07:04 log.go:26: [init plugin: shellshock vulnerability]
[info] 19:07:04 log.go:26: [init plugin: SMB anonymous share/weak password]
[info] 19:07:04 log.go:26: [init plugin: SSH weak password]
[info] 19:07:04 log.go:26: [init plugin: Struts2 remote code execution]
[info] 19:07:04 log.go:26: [init plugin: ThinkPHP5 SQL Injection Vulnerability]
[info] 19:07:04 log.go:26: [init plugin: Apache Tomcat weak password]
[info] 19:07:04 log.go:26: [init plugin: UcServer founder weak password]
[info] 19:07:04 log.go:26: [init plugin: WebDav PUT enabled]
[info] 19:07:04 log.go:26: [init plugin: WebDav PROPFIND RCE (theoretical detection)]
[info] 19:07:04 log.go:26: [init plugin: WebServer arbitrary file read]
[info] 19:07:04 log.go:26: [init plugin: WebLogic WLS RCE ]
[info] 19:07:04 log.go:26: [init plugin: Weblogic console weak password]
[info] 19:07:04 log.go:26: [init plugin: WordPress admin weak password]
[info] 19:07:04 log.go:26: [init plugin: Zabbix jsrpc.php SQL injection vulnerability]
[info] 19:07:04 log.go:26: [init plugin: Zabbix latest.php SQL injection vulnerability]
[info] 19:07:04 log.go:26: [init plugin: zookeeper unauthorized access]
[info] 19:07:04 log.go:26: [init json plugin]
[info] 19:07:04 log.go:26: [init plugin: discuz_admincp_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_ajax_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_announcement_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_api_pathinfo.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_attachment_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_focus_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_jianghu_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_member_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_misc_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_mp3player_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_post_xss.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_shop_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: discuz_viewthread_xss.json]
[info] 19:07:04 log.go:26: [init plugin: django_urljump.json]
[info] 19:07:04 log.go:26: [init plugin: docker_api.json]
[info] 19:07:04 log.go:26: [init plugin: drupal_geddon2_rce.json]
[info] 19:07:04 log.go:26: [init plugin: elasticsearch_unauth.json]
[info] 19:07:04 log.go:26: [init plugin: hadoop_yarn_resourcemanager_unauth_rce.json]
[info] 19:07:04 log.go:26: [init plugin: joomla_3.7_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: joomla_contushdvideoshare_lfi.json]
[info] 19:07:04 log.go:26: [init plugin: joomla_departments_sqli.json]
[info] 19:07:04 log.go:26: [init plugin: thinkphp5_invokefunction_rce.json]
[info] 19:07:04 log.go:26: [init plugin: weblogic_debug.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_cmdownloads_rce.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_dzs_videogallery_xss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_jquery_domxss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_mainwp_login.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_sexy_xss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_swfupload_xss.json]
[info] 19:07:04 log.go:26: [init plugin: wordpress_wpml_xss.json]
unexpected type from module symbol

kunpeng_go.so:

MD5 (kunpeng_go.so) = 183d8c4be12a0a733f55ff06d866e045

plugin.GetPlugins() returns empty

Hello, when I call it directly to fetch the plugins it returns empty,

	package main

	import (
		"fmt"

		"github.com/opensec-cn/kunpeng/plugin" // import path assumed from the repository layout
	)

	func main() {
		plugins := plugin.GetPlugins()
		fmt.Println(plugins) // []
	}

I'm puzzled why no plugin information is retrieved, and look forward to your explanation.

Plugin deletion problem in the extra directory

After a matching json file is added to the extra directory, the json file is loaded into memory as a json plugin.
Because every check loads it by appending,

when a local json file is later deleted, the json plugin still exists in memory.
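A reload that rebuilds the in-memory set from the directory on every check, so that a deleted file is gone after the next check and a file seen twice is registered once, as an added Go example written for this page; it is not kunpeng's loader. The JSONPlugin fields, the Registry type, the file-name key and the plugin files written in main are assumptions constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"sync"
)

// JSONPlugin is the minimal shape this example reads. kunpeng's real JSON
// plugin schema has more fields; only name and target are assumed here.
type JSONPlugin struct {
	Name   string `json:"name"`
	Target string `json:"target"`
}

// Registry is the in-memory set of JSON plugins loaded from the extra dir.
// Added example, not kunpeng's code.
type Registry struct {
	mu      sync.RWMutex
	plugins map[string]JSONPlugin // keyed by file name: one file, one entry
}

func NewRegistry() *Registry { return &Registry{plugins: map[string]JSONPlugin{}} }

// Reload rebuilds the set from what is on disk right now and swaps it in.
// Building a fresh map instead of appending to the old collection is what
// makes a deleted file disappear from memory on the next check, and also
// prevents the same file being registered again on every check.
func (r *Registry) Reload(dir string) error {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return err
	}
	fresh := make(map[string]JSONPlugin, len(entries))
	for _, e := range entries {
		if e.IsDir() || filepath.Ext(e.Name()) != ".json" {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return err
		}
		var p JSONPlugin
		if err := json.Unmarshal(data, &p); err != nil || p.Name == "" {
			continue // malformed plugin file: skip it rather than abort the whole reload
		}
		fresh[e.Name()] = p
	}
	r.mu.Lock()
	r.plugins = fresh
	r.mu.Unlock()
	return nil
}

// Names returns the loaded plugin file names in sorted order.
func (r *Registry) Names() []string {
	r.mu.RLock()
	defer r.mu.RUnlock()
	names := make([]string, 0, len(r.plugins))
	for n := range r.plugins {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// Count returns how many JSON plugins are currently loaded.
func (r *Registry) Count() int {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return len(r.plugins)
}

// writePlugin writes a constructed plugin file into dir for the demo.
func writePlugin(dir, file, name string) error {
	body := fmt.Sprintf(`{"name":%q,"target":"web"}`, name)
	return os.WriteFile(filepath.Join(dir, file), []byte(body), 0o644)
}

func main() {
	dir, err := os.MkdirTemp("", "kunpeng-extra")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	reg := NewRegistry()
	_ = writePlugin(dir, "a.json", "plugin a")
	_ = writePlugin(dir, "b.json", "plugin b")
	_ = reg.Reload(dir)
	fmt.Println("after adding two files:", reg.Names())
	_ = os.Remove(filepath.Join(dir, "b.json"))
	_ = reg.Reload(dir)
	fmt.Println("after deleting b.json:", reg.Names())
}
```

Keying by file name also gives a stable identity for a plugin across reloads, which is what an "only run this plugin" selector needs if one is ever added.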
