From 1da6cf12a3b9856ad4e532d94ed31ffa2b745dad Mon Sep 17 00:00:00 2001
From: 13ph03nix <17541483+13ph03nix@users.noreply.github.com>
Date: Mon, 22 Aug 2022 16:42:26 -0700
Subject: [PATCH 1/3] fix: auto correct url based on poc's protocol attribute
---
 pocsuite3/lib/core/enums.py | 15 ++++++++-
 pocsuite3/lib/core/interpreter.py | 5 +--
 pocsuite3/lib/core/poc.py | 51 +++++++++++++++++++++++++++----
 pocsuite3/pocs/ftp_burst.py | 2 +-
 pocsuite3/pocs/telnet_burst.py | 2 +-
 5 files changed, 62 insertions(+), 13 deletions(-)
diff --git a/pocsuite3/lib/core/enums.py b/pocsuite3/lib/core/enums.py
index 090a8be2..87dc605e 100644
--- a/pocsuite3/lib/core/enums.py
+++ b/pocsuite3/lib/core/enums.py
@@ -133,8 +133,21 @@ class POC_CATEGORY:
 PROTOCOL.HTTP = "Http"
 PROTOCOL.FTP = "Ftp"
 PROTOCOL.SSH = "Ssh"
- PROTOCOL.TELENT = "Telent"
+ PROTOCOL.TELNET = "Telnet"
 PROTOCOL.REDIS = "Redis"
+ PROTOCOL.SMTP = 'SMTP'
+ PROTOCOL.DNS = 'DNS'
+ PROTOCOL.SNMP = 'SNMP'
+ PROTOCOL.SMB = 'SMB'
+ PROTOCOL.MQTT = 'MQTT'
+ PROTOCOL.MYSQL = 'MySQL'
+ PROTOCOL.RDP = 'RDP'
+ PROTOCOL.UPNP = 'UPnP'
+ PROTOCOL.AJP = 'AJP'
+ PROTOCOL.XMPP = 'XMPP'
+ PROTOCOL.WINBOX = 'Winbox'
+ PROTOCOL.MEMCACHED = 'Memcached'
+ PROTOCOL.BACNET = 'BACnet'
 class OPTION_TYPE:
diff --git a/pocsuite3/lib/core/interpreter.py b/pocsuite3/lib/core/interpreter.py
index 34344d31..609365c4 100644
--- a/pocsuite3/lib/core/interpreter.py
+++ b/pocsuite3/lib/core/interpreter.py
@@ -363,10 +363,7 @@ def _attack_mode(self, mod):
 rhost = self.current_module.getg_option("rhost")
 rport = self.current_module.getg_option("rport")
 ssl = self.current_module.getg_option("ssl")
- scheme = "http"
- if ssl:
- scheme = "https"
- target = "{scheme}://{rhost}:{rport}".format(scheme=scheme, rhost=rhost, rport=rport)
+ target = f"https://{rhost}:{rport}" if ssl else f"{rhost}:{rport}"
 conf.mode = mod
 kb.task_queue.put((target, self.current_module))
 try:
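Review bot: Renaming `PROTOCOL.TELENT` to `PROTOCOL.TELNET` removes the old attribute, so any out-of-tree PoC that still declares `protocol = POC_CATEGORY.PROTOCOL.TELENT` will raise AttributeError when it is loaded; a compatibility alias next to the new line, `PROTOCOL.TELENT = PROTOCOL.TELNET  # deprecated misspelling kept for existing PoCs`, avoids that. The new entries also mix quoting and casing with the existing ones (`"Ftp"` beside `'SMTP'`, `'UPnP'`, `'BACnet'`), and since build_url() in poc.py lower-cases these values to use them as URL schemes, a one-line comment above the block saying that each value must lower-case to a valid scheme name would guide future additions. `class POC_CATEGORY` starts before the hunk.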
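Review bot: When `ssl` is false the queued target is now a bare `host:port` with no scheme, whereas the removed lines always produced `http://…`; this only works if build_url() in poc.py can recover the host from a scheme-less string, but `urllib.parse.urlparse('host:port')` leaves `hostname` and `port` as None (the text before the colon is read as the scheme, or the whole string as a path), so `rhost` would end up None unless the target is normalized somewhere between this queue and execute() — worth confirming with a non-SSL console run. If dropping the scheme is deliberate so that build_url() can pick it from the PoC's protocol attribute, say so on the line: `# no scheme on purpose: build_url() derives it from the PoC's protocol attribute`. `_attack_mode` continues past the end of the hunk.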
diff --git a/pocsuite3/lib/core/poc.py b/pocsuite3/lib/core/poc.py
index b0370b68..865a1bfe 100644
--- a/pocsuite3/lib/core/poc.py
+++ b/pocsuite3/lib/core/poc.py
@@ -6,7 +6,7 @@
 from collections import OrderedDict
 from requests.exceptions import ConnectTimeout, ConnectionError, HTTPError, TooManyRedirects
-from pocsuite3.lib.core.common import parse_target_url, mosaic, check_port, OrderedSet, get_host_ip
+from pocsuite3.lib.core.common import mosaic, check_port, OrderedSet, get_host_ip
 from pocsuite3.lib.core.data import conf, logger
 from pocsuite3.lib.core.enums import OUTPUT_STATUS, CUSTOM_LOGGING, ERROR_TYPE_ID, POC_CATEGORY
 from pocsuite3.lib.core.exception import PocsuiteValidationException
@@ -164,13 +164,49 @@ def check_requirement(self, *args):
 return True
 def build_url(self):
- target = parse_target_url(self.target)
+ target = self.target
+ # https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
+ protocol_default_port_map = {
+ POC_CATEGORY.PROTOCOL.FTP: 21,
+ POC_CATEGORY.PROTOCOL.SSH: 22,
+ POC_CATEGORY.PROTOCOL.TELNET: 23,
+ POC_CATEGORY.PROTOCOL.REDIS: 6379,
+ POC_CATEGORY.PROTOCOL.SMTP: 25,
+ POC_CATEGORY.PROTOCOL.DNS: 53,
+ POC_CATEGORY.PROTOCOL.SNMP: 161,
+ POC_CATEGORY.PROTOCOL.SMB: 445,
+ POC_CATEGORY.PROTOCOL.MQTT: 1883,
+ POC_CATEGORY.PROTOCOL.MYSQL: 3306,
+ POC_CATEGORY.PROTOCOL.RDP: 3389,
+ POC_CATEGORY.PROTOCOL.UPNP: 1900,
+ POC_CATEGORY.PROTOCOL.AJP: 8009,
+ POC_CATEGORY.PROTOCOL.XMPP: 5222,
+ POC_CATEGORY.PROTOCOL.WINBOX: 8291,
+ POC_CATEGORY.PROTOCOL.MEMCACHED: 11211,
+ POC_CATEGORY.PROTOCOL.BACNET: 47808
+ }
+
 try:
 pr = urlparse(target)
- self.scheme = 'https' if pr.scheme.startswith('https') else 'http'
+ self.scheme = pr.scheme
 self.rhost = pr.hostname
- self.rport = pr.port if pr.port else 443 if pr.scheme.startswith('https') else 80
+ self.rport = pr.port
 self.netloc = pr.netloc
+
+ if self.current_protocol in protocol_default_port_map:
+ # adjust protocol
+ self.scheme = self.current_protocol.lower()
+ # adjust port
+ if not self.rport:
+ self.rport = protocol_default_port_map[self.current_protocol]
+ self.netloc = f'{self.rhost}:{self.rport}'
+ else:
+ if self.scheme not in ['http', 'https']:
+ self.scheme = 'https' if str(self.rport).endswith('443') else 'http'
+ self.rport = self.rport if self.rport else 443 if self.scheme.startswith('https') else 80
+ pr = pr._replace(scheme=self.scheme)
+ pr = pr._replace(netloc=f'{self.rhost}:{self.rport}')
+ target = pr.geturl()
 except ValueError:
 pass
 if self.target and self.current_protocol != POC_CATEGORY.PROTOCOL.HTTP and not conf.console_mode:
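Review bot: Rebuilding the netloc as `f'{self.rhost}:{self.rport}'` breaks IPv6 targets, because `pr.hostname` returns the address without its brackets (and lower-cased), so a target such as `https://[::1]:8443` yields the netloc `::1:8443` and the URL that `pr.geturl()` produces can no longer be parsed for a port downstream; the same rebuild is added to `_check()` in a later hunk of this file and kept in PATCH 2/3. A guard before the two f-strings fixes it: `host = f'[{self.rhost}]' if self.rhost and ':' in self.rhost else self.rhost`, then use `host` in place of `self.rhost` when forming the netloc (note the rebuild also drops any `user:pass@` userinfo that `pr.netloc` carried, which may or may not be intended). On style, `protocol_default_port_map` is a constant rebuilt on every call and would read better as a module-level `PROTOCOL_DEFAULT_PORT_MAP`. `except ValueError: pass` leaves `scheme`/`rhost`/`rport` partly or wholly unset when urlparse rejects the target, so a `logger.debug` in that branch would make the fallthrough visible. `build_url` continues past the end of the hunk.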
@@ -194,6 +230,8 @@ def _execute(self):
 def execute(self, target, headers=None, params=None, mode='verify', verbose=True):
 self.target = target
 self.url = self.build_url()
+ if self.url != self.target:
+ logger.debug(f'auto correct url: {mosaic(self.target)} -> {mosaic(self.url)}')
 # TODO: Thread safe problem in self.headers
 # https://github.com/knownsec/pocsuite3/issues/262
 # The value should not be modified in PoC Plugin !!!
@@ -291,13 +329,13 @@ def _check(self, dork='', allow_redirects=False, return_obj=False, is_http=True,
 if k.lower() in res.text.lower():
 self.url = f'https://{netloc}'
 res = requests.get(self.url, allow_redirects=allow_redirects)
- logger.warn(f'auto correct url to: {mosaic(self.url)}')
+ logger.warn(f'auto correct url: {mosaic(self.target)} -> {mosaic(self.url)}')
 corrected = True
 break
 # another protocol is access ok
 if not corrected and url != self.url:
 self.url = url
- logger.warn(f'auto correct url to: {mosaic(self.url)}')
+ logger.warn(f'auto correct url: {mosaic(self.target)} -> {mosaic(self.url)}')
 break
 except requests.RequestException:
 pass
@@ -306,6 +344,7 @@ def _check(self, dork='', allow_redirects=False, return_obj=False, is_http=True,
 self.scheme = 'https' if self.url.startswith('https') else 'http'
 port = urlparse(self.url).port
 self.rport = port if port else 443 if self.scheme.startswith('https') else 80
+ self.netloc = f'{self.rhost}:{self.rport}'
 if return_obj:
 return res
diff --git a/pocsuite3/pocs/ftp_burst.py b/pocsuite3/pocs/ftp_burst.py
index dc168ee6..17513519 100644
--- a/pocsuite3/pocs/ftp_burst.py
+++ b/pocsuite3/pocs/ftp_burst.py
@@ -65,7 +65,7 @@ def parse_attack(self, result):
 def get_word_list():
- common_username = ('ftp', 'test', 'root', 'guest', 'admin', 'daemon', 'user')
+ common_username = ('admin', 'ftp', 'test', 'root', 'guest', 'daemon', 'user')
 with open(paths.WEAK_PASS) as f:
 return itertools.product(common_username, f)
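Review bot: The two rewritten log calls in the `_check` hunk use `logger.warn`; on a standard `logging.Logger` that is the alias deprecated since Python 3.3 in favour of `warning()` (it emits a DeprecationWarning and has been scheduled for removal), so if the `logger` imported from pocsuite3.lib.core.data is a stdlib logger, `logger.warning(f'auto correct url: {mosaic(self.target)} -> {mosaic(self.url)}')` is the spelling to use. The same two lines are rewritten once more in PATCH 3/3 and would take the same change. `_check` starts and ends outside the hunk.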
diff --git a/pocsuite3/pocs/telnet_burst.py b/pocsuite3/pocs/telnet_burst.py
index 65e546b3..a7cf1cb4 100644
--- a/pocsuite3/pocs/telnet_burst.py
+++ b/pocsuite3/pocs/telnet_burst.py
@@ -29,7 +29,7 @@ class DemoPOC(POCBase):
 desc = '''telnet 存在弱密码,导致攻击者可登录主机进行恶意操作'''
 samples = ['']
 category = POC_CATEGORY.TOOLS.CRACK
- protocol = POC_CATEGORY.PROTOCOL.TELENT
+ protocol = POC_CATEGORY.PROTOCOL.TELNET
 def _verify(self):
 result = {}
From 3b6fa3e403ebf6a3bd42bbb190982000bdbea5a8 Mon Sep 17 00:00:00 2001
From: 13ph03nix <17541483+13ph03nix@users.noreply.github.com>
Date: Mon, 22 Aug 2022 16:54:35 -0700
Subject: [PATCH 2/3] fix: update
---
 pocsuite3/lib/core/poc.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pocsuite3/lib/core/poc.py b/pocsuite3/lib/core/poc.py
index 865a1bfe..f300514e 100644
--- a/pocsuite3/lib/core/poc.py
+++ b/pocsuite3/lib/core/poc.py
@@ -204,8 +204,9 @@ def build_url(self):
 if self.scheme not in ['http', 'https']:
 self.scheme = 'https' if str(self.rport).endswith('443') else 'http'
 self.rport = self.rport if self.rport else 443 if self.scheme.startswith('https') else 80
+ self.netloc = f'{self.rhost}:{self.rport}'
 pr = pr._replace(scheme=self.scheme)
- pr = pr._replace(netloc=f'{self.rhost}:{self.rport}')
+ pr = pr._replace(netloc=self.netloc)
 target = pr.geturl()
 except ValueError:
 pass
From 01e7cf16682a0d33b9c652dd8711821268d234a4 Mon Sep 17 00:00:00 2001
From: 13ph03nix <17541483+13ph03nix@users.noreply.github.com>
Date: Mon, 22 Aug 2022 16:59:35 -0700
Subject: [PATCH 3/3] fix: update
---
 pocsuite3/lib/core/poc.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pocsuite3/lib/core/poc.py b/pocsuite3/lib/core/poc.py
index f300514e..7d9b55c9 100644
--- a/pocsuite3/lib/core/poc.py
+++ b/pocsuite3/lib/core/poc.py
@@ -316,6 +316,7 @@ def _check(self, dork='', allow_redirects=False, return_obj=False, is_http=True,
 # https://www.zoomeye.org/searchResult?q=%22running%20in%20SSL%20mode.%20Try%22
 'running in ssl mode. try'
 ]
+ origin_url = self.url
 netloc = self.url.split('://', 1)[-1]
 urls = OrderedSet()
 urls.add(self.url)
@@ -330,13 +331,13 @@ def _check(self, dork='', allow_redirects=False, return_obj=False, is_http=True,
 if k.lower() in res.text.lower():
 self.url = f'https://{netloc}'
 res = requests.get(self.url, allow_redirects=allow_redirects)
- logger.warn(f'auto correct url: {mosaic(self.target)} -> {mosaic(self.url)}')
+ logger.warn(f'auto correct url: {mosaic(origin_url)} -> {mosaic(self.url)}')
 corrected = True
 break
 # another protocol is access ok
 if not corrected and url != self.url:
 self.url = url
- logger.warn(f'auto correct url: {mosaic(self.target)} -> {mosaic(self.url)}')
+ logger.warn(f'auto correct url: {mosaic(origin_url)} -> {mosaic(self.url)}')
 break
 except requests.RequestException:
 pass