Projects STRLCPY afrog Commits 157dbec1
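--- a/pkg/gopoc/memcache.go
+++ b/pkg/gopoc/memcache.go
@@ -0,0 +1,75 @@
+package gopoc
+
+import (
+ "bytes"
+ "errors"
+
+ "github.com/zan8in/afrog/pkg/poc"
+ "github.com/zan8in/afrog/pkg/proto"
+ "github.com/zan8in/afrog/pkg/utils"
+)
+
+var (
+ memcachePort = "11211"
+ memcacheUnAuthName = "memcache-unauth"
+)
+
+func memcacheUnAuth(args *GoPocArgs) (Result, error) {
+ poc := poc.Poc{
+ Id: memcacheUnAuthName,
+ Info: poc.Info{
+ Name: "Memcache 未授权访问",
+ Author: "zan8in",
+ Severity: "critical",
+ Description: "Memcached是一套分布式的高速缓存系统。它以Key-Value(键值对)形式将数据存储在内存中,由于memcached安全设计缺陷,客户端连接memcached服务器后 无需认证就 可读取、修改服务器缓存内容。",
+ Reference: []string{
+ "http://wiki.peiqi.tech/redteam/vulnerability/unauthorized/Memcache%2011211%E7%AB%AF%E5%8F%A3.html",
+ },
+ },
+ }
+ args.SetPocInfo(poc)
+ result := Result{Gpa: args, IsVul: false}
+
+ if len(args.Host) == 0 {
+ return result, errors.New("no host")
+ }
+
+ if len(args.Port) > 0 && args.Port != "80" && args.Port != "443" {
+ addr := args.Host + ":" + args.Port
+ payload := []byte("stats\n")
+
+ resp, err := utils.Tcp(addr, payload)
+ if err != nil {
+ return result, err
+ }
+
+ if bytes.Contains(resp, []byte("STAT pid")) {
+ result.IsVul = true
+ url := proto.UrlType{Host: addr, Port: args.Port}
+ result.SetAllPocResult(true, &url, payload, resp)
+ return result, nil
+ }
+ }
+
+ addr := args.Host + ":" + memcachePort
+ payload := []byte("stats\n")
+
+ resp, err := utils.Tcp(addr, payload)
+ if err != nil {
+ return result, err
+ }
+
+ if bytes.Contains(resp, []byte("STAT pid")) {
+ result.IsVul = true
+ url := proto.UrlType{Host: addr, Port: memcachePort}
+ result.SetAllPocResult(true, &url, payload, resp)
+ return result, nil
+ }
+
+ return result, errors.New("check result: no vul")
+}
+
+func init() {
+ GoPocRegister(memcacheUnAuthName, memcacheUnAuth)
+}
+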
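Review bot: A connection error on the caller-supplied port returns from `memcacheUnAuth` at new lines 42-44 before the default port 11211 is probed, so an exposed default-port instance is reported as an error instead of a finding whenever the supplied port is closed or filtered. Folding the error into the match, `if err == nil && bytes.Contains(resp, []byte("STAT pid")) {`, lets execution fall through to the second probe. The two probes are otherwise identical and could share one helper taking `addr` and `port`; as written, a supplied port of "11211" that does not match is queried a second time. The local `poc := poc.Poc{...}` also shadows the imported `poc` package for the rest of the function, so a different local name would read more clearly.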
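--- a/pkg/gopoc/mongodb.go
+++ b/pkg/gopoc/mongodb.go
@@ -44,7 +44,7 @@
  err := mongodbPayload(addr, senddata, getlogdata)
  if err == nil {
  result.IsVul = true
- url := proto.UrlType{Host: args.Host, Port: args.Port}
+ url := proto.UrlType{Host: addr, Port: args.Port}
  result.SetAllPocResult(true, &url, []byte(addr), []byte("MongoDB 未授权访问"))
  return result, nil
  }
@@ -54,7 +54,7 @@
  err := mongodbPayload(addr, senddata, getlogdata)
  if err == nil {
  result.IsVul = true
- url := proto.UrlType{Host: args.Host, Port: mongodbPort}
+ url := proto.UrlType{Host: addr, Port: mongodbPort}
  result.SetAllPocResult(true, &url, []byte(addr), []byte("MongoDB 未授权访问"))
  return result, nil
  }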
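Review bot: Both result blocks (new lines 48 and 58) record `[]byte(addr)` as the request and the fixed string "MongoDB 未授权访问" as the response, so a report for this finding carries no bytes a triager could use to confirm it. The memcache and redis checks on this page store the payload and the server reply instead. If `mongodbPayload` can return the reply it matched on (its signature is outside the hunks, so this is an assumption), pass `senddata` and that reply to `SetAllPocResult`. Separately, `Host` now holds `host:port` while `Port` repeats the port; `proto.UrlType` is not visible here, so confirm that no consumer joins the two fields again. The enclosing function starts and ends outside both hunks.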
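--- a/pkg/gopoc/redis.go
+++ b/pkg/gopoc/redis.go
@@ -35,7 +35,7 @@
  }
 
  if len(args.Port) > 0 && args.Port != "80" && args.Port != "443" {
- addr := args.Host + args.Port
+ addr := args.Host + ":" + args.Port
  payload := []byte("*1\r\n$4\r\ninfo\r\n")
 
  resp, err := utils.Tcp(addr, payload)
@@ -45,7 +45,7 @@
 
  if bytes.Contains(resp, []byte("redis_version")) {
  result.IsVul = true
- url := proto.UrlType{Host: args.Host, Port: args.Port}
+ url := proto.UrlType{Host: addr, Port: args.Port}
  result.SetAllPocResult(true, &url, payload, resp)
  return result, nil
  }
@@ -61,7 +61,7 @@
 
  if bytes.Contains(resp, []byte("redis_version")) {
  result.IsVul = true
- url := proto.UrlType{Host: args.Host, Port: redisPort}
+ url := proto.UrlType{Host: addr, Port: redisPort}
  result.SetAllPocResult(true, &url, payload, resp)
  return result, nil
  }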
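Review bot: The corrected new line 38, `addr := args.Host + ":" + args.Port`, still builds the dial address by string concatenation, which gives an ambiguous address when `args.Host` is an IPv6 literal. `addr := net.JoinHostPort(args.Host, args.Port)` brackets such hosts; it needs the `net` import, and this file's import block is outside the visible hunks. The same presumably applies to the default-port address built in the skipped lines, and it does apply to both `addr` assignments in pkg/gopoc/memcache.go. Whether `args.Host` can carry an IPv6 literal depends on callers not shown here. The enclosing function begins and ends outside the hunks.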