kunpeng是一个Golang编写的开源POC框架/库,以动态链接库的形式提供各种语言调用,通过此项目可快速开发漏洞检测类的系统。

Overview

Kunpeng

License Golang

简介

Kunpeng是一个Golang编写的开源POC检测框架,集成了包括数据库、中间件、web组件、cms等等的漏洞POC(查看已收录POC列表),可检测弱口令、SQL注入、XSS、RCE等漏洞类型,以动态链接库的形式提供调用,通过此项目可快速开发漏洞检测类的系统,比攻击者快一步发现风险漏洞。

这不是一个POC框架轮子,而是为了解决轮子问题而设计的,也不仅仅只是框架,定位是期望成为一个大家共同维护的漏洞POC库,安全开发人员只需专注于相关安全检测系统的业务逻辑代码实现,而不必各自重复的耗费精力维护漏洞库。

为避免被恶意使用,此项目所有收录的漏洞均为验证POC和理论判断,不存在漏洞利用过程,不会对目标发起真实攻击和漏洞利用。

运行环境:Windows,Linux,Darwin
工作形态:动态链接库,so、dll、dylib、go plugin

404StarLink 2.0 - Galaxy

Kunpeng 是 404Team 星链计划2.0中的一环,如果对Kunpeng有任何疑问又或是想要找小伙伴交流,可以参考星链计划的加群方式。

特点

  • 开箱即用,无需安装任何依赖
  • 跨语言使用,动态链接库形式提供调用
  • 单文件,更新方便,直接覆盖即可
  • 开源社区维护,内置常见漏洞POC
  • 最小化漏洞验证和理论判断,尽量避免攻击行为

使用场景

渗透测试辅助工具:例如msf,交互控制台 -> Kunpeng

网络资产安全监控:例如巡风,端口扫描 -> 指纹识别 -> kunpeng 或 nmap -> kunpeng

扫描器: 作为扫描器的漏洞库

更多使用场景可自由发挥

下载地址

releases

压缩包内的kunpeng_go.so为GO语言专版,其余语言使用 kunpeng_c.so

使用方法

接口调用说明

/*  传入需检测的目标JSON,格式为:
    {
        "type": "web", //目标类型web或者service
        "netloc": "http://xxx.com", //目标地址,web为URL,service格式为123.123.123.123:22
        "target": "wordpress", //目标名称,GO插件注册时使用的字符串(模糊匹配)、JSON插件的target属性(模糊匹配)、CVE编号(例:CVE-xx-xxx)、KPID(例:KP-0013)编号,决定使用哪些POC进行检测,具体查看 /doc/plguin.md
        "meta":{
            "system": "windows",  //操作系统,部分漏洞检测方法不同系统存在差异,提供给插件进行判断
            "pathlist":[], //目录路径URL列表,部分插件需要此类信息,例如列目录漏洞插件
            "filelist":[], //文件路径URL列表,部分插件需要此类信息,例如struts2漏洞相关插件
            "passlist":[] //自定义密码字典
        } // 非必填
    }
    返回是否存在漏洞和漏洞检测结果
*/
Check(taskJSON string) string

// 获取插件列表信息
GetPlugins() string


/*  配置设置,传入配置JSON,格式为:
    {
        "timeout": 15, // 插件连接超时
        "aider": "http://123.123.123.123:8088", // 漏洞辅助验证接口,部分漏洞无法通过回显判断是否存在漏洞,可通过辅助验证接口进行判断。python -c'import socket,base64;exec(base64.b64decode("aGlzdG9yeSA9IFtdCndlYiA9IHNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKQp3ZWIuYmluZCgoJzAuMC4wLjAnLDgwODgpKQp3ZWIubGlzdGVuKDEwKQp3aGlsZSBUcnVlOgogICAgdHJ5OgogICAgICAgIGNvbm4sYWRkciA9IHdlYi5hY2NlcHQoKQogICAgICAgIGRhdGEgPSBjb25uLnJlY3YoNDA5NikKICAgICAgICByZXFfbGluZSA9IGRhdGEuc3BsaXQoIlxyXG4iKVswXQogICAgICAgIGFjdGlvbiA9IHJlcV9saW5lLnNwbGl0KClbMV0uc3BsaXQoJy8nKVsxXQogICAgICAgIHJhbmtfc3RyID0gcmVxX2xpbmUuc3BsaXQoKVsxXS5zcGxpdCgnLycpWzJdCiAgICAgICAgaHRtbCA9ICJORVcwMCIKICAgICAgICBpZiBhY3Rpb24gPT0gImFkZCI6CiAgICAgICAgICAgIGhpc3RvcnkuYXBwZW5kKHJhbmtfc3RyKQogICAgICAgICAgICBwcmludCAiYWRkIityYW5rX3N0cgogICAgICAgIGVsaWYgYWN0aW9uID09ICJjaGVjayI6CiAgICAgICAgICAgIHByaW50ICJjaGVjayIrcmFua19zdHIKICAgICAgICAgICAgaWYgcmFua19zdHIgaW4gaGlzdG9yeToKICAgICAgICAgICAgICAgIGh0bWw9IlZVTDAwIgogICAgICAgICAgICAgICAgaGlzdG9yeS5yZW1vdmUocmFua19zdHIpCiAgICAgICAgcmF3ID0gIkhUVFAvMS4wIDIwMCBPS1xyXG5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb247IGNoYXJzZXQ9dXRmLThcclxuQ29udGVudC1MZW5ndGg6ICVkXHJcbkNvbm5lY3Rpb246IGNsb3NlXHJcblxyXG4lcyIgJShsZW4oaHRtbCksaHRtbCkKICAgICAgICBjb25uLnNlbmQocmF3KQogICAgICAgIGNvbm4uY2xvc2UoKQogICAgZXhjZXB0OnBhc3M="))'
在辅助验证机器上运行以上代码,填入http://IP:8088,不开启则留空。
        "http_proxy": "http://123.123.123.123:1080", // HTTP代理,所有插件http请求流量将通过代理发送(需使用内置的http请求函数util.RequestDo)
        "pass_list": ["passtest"], // 默认密码字典,不定义则使用硬编码在代码里的小字典
        "extra_plugin_path": "/tmp/plugin/" // 除已编译好的插件(Go、JSON)外,可指定额外插件目录(仅支持JSON插件),指定后程序会周期读取加载插件
    }
*/
SetConfig(configJSON string)

// 开启web接口,开启后可通过web接口进行调用,webapi调用格式请查看例子:/example/call_webapi_test.py
StartWebServer(bindAddr string)

// 获取当前版本 例如:20190227
GetVersion() string

使用例子

Python

#coding:utf-8

import time
import json
from ctypes import *

# 加载动态连接库
kunpeng = cdll.LoadLibrary('./kunpeng_c.so')

# 定义出入参变量类型
kunpeng.GetPlugins.restype = c_char_p
kunpeng.Check.argtypes = [c_char_p]
kunpeng.Check.restype = c_char_p
kunpeng.SetConfig.argtypes = [c_char_p]
kunpeng.GetVersion.restype = c_char_p

# 获取插件信息
out = kunpeng.GetPlugins()
print(out)

# 修改配置
config = {
    'timeout': 10,
    # 'aider': 'http://xxxx:8080',
    # 'http_proxy': 'http://xxxxx:1080',
    # 'pass_list':['xtest']
    # 'extra_plugin_path': '/home/test/plugin/',
}
kunpeng.SetConfig(json.dumps(config))

# 开启日志打印
kunpeng.ShowLog()

# 扫描目标
task = {
    'type': 'web',
    'netloc': 'http://www.google.cn',
    'target': 'web'
}
task2 = {
    'type': 'service',
    'netloc': '192.168.0.105:3306',
    'target': 'mysql'
}
out = kunpeng.Check(json.dumps(task))
print(json.loads(out))
out = kunpeng.Check(json.dumps(task2))
print(json.loads(out))

更多例子查看: example 目录,目前已提供python、golang、nodejs、lua、java的调用例子,欢迎提交更多语言的调用样例。

插件开发

支持2种类型插件,Go和JSON插件,大部分漏洞使用JSON插件即可实现验证,分别存放在plugin/go/和plugin/json/目录中。

  • golang插件例子1
// 包名需定义goplugin
package goplugin

// 引入plugin
import (
	"fmt"
	"github.com/opensec-cn/kunpeng/plugin"
	"github.com/go-redis/redis"
)

// 定义插件结构,info,result需固定存在
type redisWeakPass struct {
	info   plugin.Plugin // 插件信息
	result []plugin.Plugin // 漏洞结果集,可返回多个
}

func init() {
    // 注册插件,定义插件目标名称
	plugin.Regist("redis", &redisWeakPass{})
}
func (d *redisWeakPass) Init() plugin.Plugin{
	d.info = plugin.Plugin{
		Name:    "Redis 未授权访问/弱口令", // 插件名称
		Remarks: "导致敏感信息泄露,严重可导致服务器直接被入侵控制。", // 漏洞描述
		Level:   0, // 漏洞等级 {0:"严重",1:"高危",2:"中危",3:"低危",4:"提示"}
		Type:    "WEAKPASS", // 漏洞类型,自由定义
		Author:  "wolf", // 插件编写作者
	    	References: plugin.References{
		    URL: "https://www.freebuf.com/vuls/162035.html", // 漏洞相关文章
		    CVE: "", // CVE编号,没有留空或不申明
		    KPID: "KP-0008", // kunpeng的POC编号,累加数字
		},
	}
	return d.info
}

func (d *redisWeakPass) GetResult() []plugin.Plugin {
	var result = d.result
	d.result = []plugin.Plugin{}
	return result
}

func (d *redisWeakPass) Check(netloc string, meta plugin.TaskMeta) bool {
	for _, pass := range meta.PassList {
		client := redis.NewClient(&redis.Options{
			Addr:     netloc,
			Password: pass,
			DB:       0,
		})
		_, err := client.Ping().Result()
		if err == nil {
			client.Close()
			result := d.info
			result.Request = fmt.Sprintf("redis://%[email protected]%s", pass, netloc)
			if pass == "" {
				result.Remarks = fmt.Sprintf("未授权访问,%s", result.Remarks)
			} else {
				result.Remarks = fmt.Sprintf("弱口令:%s,%s", pass, result.Remarks)
			}
			d.result = append(d.result, result)
			return true
		}
	}
	return false
}
  • golang插件例子2
package goplugin

import (
	"net/http"
	"strings"
	"github.com/opensec-cn/kunpeng/util"
	"github.com/opensec-cn/kunpeng/plugin"
)

type webDavRCE struct {
	info   plugin.Plugin
	result []plugin.Plugin
}

func init() {
	plugin.Regist("iis", &webDavRCE{})
}

func (d *webDavRCE) Init() plugin.Plugin{
	d.info = plugin.Plugin{
		Name:    "WebDav PROPFIND RCE(理论检测)",
		Remarks: "CVE-2017-7269,Windows Server 2003R2版本IIS6.0的WebDAV服务中的ScStoragePathFromUrl函数存在缓存区溢出漏洞",
		Level:   1,
		Type:    "RCE",
		Author:  "wolf",
		References: plugin.References{
			URL: "https://www.seebug.org/vuldb/ssvid-92834",
			CVE: "CVE-2017-7269",
			KPID: "KP-0009",
		},
	}
	return d.info
}

func (d *webDavRCE) GetResult() []plugin.Plugin {
	var result = d.result
	d.result = []plugin.Plugin{}
	return result
}

func (d *webDavRCE) Check(URL string, meta plugin.TaskMeta) bool {
	request, err := http.NewRequest("OPTIONS", URL, nil)
	if err != nil {
		return false
	}
	// 使用封装好的RequestDo函数发送http请求
	resp, err := util.RequestDo(request, true)
	if err != nil {
		return false
	}
	if resp.Other.Header.Get("Server") == "Microsoft-IIS/6.0" && strings.Contains(resp.Other.Header.Get("Allow"), "PROPFIND") {
		result := d.info
		result.Response = resp.ResponseRaw
		result.Request = resp.RequestRaw
		d.result = append(d.result, result)
		return true
	}
	return false
}
  • JSON插件例子
{
    "//": "用 Google 的方式进行注释",
    "//": "插件所属应用名,自由定义",
    "target": "wordpress",
    "meta":{
        "//": "插件名称",
        "name": "WordPress example.html jQuery DomXSS",
        "//": "漏洞描述",
        "remarks": "WordPress example.html jQuery 1.7.2 存在DomXSS漏洞",
        "//": "漏洞等级 {0:严重,1:高危,2:中危,3:低危,4:提示}",
        "level":   3,
        "//": "漏洞类型,自由定义",
        "type":    "XSS",
        "//": "插件编写作者",
        "author":  "wolf",
        "references": {
            "//": "漏洞相关文章",
            "url":"https://www.seebug.org/vuldb/ssvid-89179",
            "//": "CVE编号,没有留空",
            "cve":"",
	    "//": "kunpeng的POC编号,累加数字",
	    "kpid":"KP-0003"
        }
    },
    "request":{
        "//": "漏洞请求URL",
        "path": "/wp-content/themes/twentyfifteen/genericons/example.html",
        "//": "请求POST内容,留空即为GET",
        "postData": ""
    },
    "verify":{
        "//": "漏洞验证类型 {string:字符串判断,regex:正则匹配,md5:文件md5}",
        "type":  "string",
        "//": "漏洞验证值,与type相关联",
        "match": "jquery/1.7.2/jquery.min.js"
    }
}

编译

注意, 第三方库管理已更改为GoMod

go get -d github.com/opensec-cn/kunpeng
cd $GOPATH/src/github.com/opensec-cn/kunpeng


# 静态资源打包进工程的小程序
go install github.com/mjibson/esc

# 打包JSON插件到项目代码中
esc -include='\.json$' -o plugin/json/JSONPlugin.go -pkg jsonplugin plugin/json/

# 编译c版本(所有语言均可使用)
go build -buildmode=c-shared --ldflags="-w -s -X main.VERSION=20190226" -o kunpeng_c.so

# 编译Go专用版本(不支持win)
go build -buildmode=plugin --ldflags="-w -s -X main.VERSION=20190226" -o kunpeng_go.so

# 样例测试
python example/call_so_test.py
go run example/callsoTest.go

效果图

img

Comments
  • macOS下JSON插件加载个数为0

    macOS下JSON插件加载个数为0

    使用release版本或自行编译均无法加载内置JSON插件。

    系统版本:

    ➜  kunpeng git:(master) uname -a
    Darwin localhost 16.7.0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64
    

    编译及测试过程:

    ➜  kunpeng git:(master) git status
    On branch master
    Your branch is up-to-date with 'origin/master'.
    
    nothing to commit, working tree clean
    ➜  kunpeng git:(master) go install ./vendor/github.com/mjibson/esc
    ➜  kunpeng git:(master) esc -include='\.json$' -o plugin/json/JSONPlugin.go -pkg jsonplugin plugin/json/
    ➜  kunpeng git:(master) go build -buildmode=c-shared --ldflags="-w -s" -o kunpeng_c.so
    ➜  kunpeng git:(master) python example/call_so_test.py
    [info] 15:28:21 log.go:26: [init plugin: ActiveMQ 任意文件写入漏洞]
    [info] 15:28:21 log.go:26: [init plugin: Apache solr XXE漏洞]
    [info] 15:28:21 log.go:26: [init plugin: Axis2控制台 弱口令]
    [info] 15:28:21 log.go:26: [init plugin: web目录浏览]
    [info] 15:28:21 log.go:26: [init plugin: Discuz! 6.x/7.x 代码执行]
    [info] 15:28:21 log.go:26: [init plugin: FTP 弱口令]
    [info] 15:28:21 log.go:26: [init plugin: grafana 控制台弱口令]
    [info] 15:28:21 log.go:26: [init plugin: IIS 物理路径泄露]
    [info] 15:28:21 log.go:26: [init plugin: IIS 短文件名]
    [info] 15:28:21 log.go:26: [init plugin: JBoss 控制台弱口令]
    [info] 15:28:21 log.go:26: [init plugin: Memcache 未授权访问]
    [info] 15:28:21 log.go:26: [init plugin: MongoDB 未授权访问/弱口令]
    [info] 15:28:21 log.go:26: [init plugin: SQLServer 弱口令]
    [info] 15:28:21 log.go:26: [init plugin: MySQL 弱口令]
    [info] 15:28:21 log.go:26: [init plugin: PostgreSQL 弱口令]
    [info] 15:28:21 log.go:26: [init plugin: Redis 未授权访问/弱口令]
    [info] 15:28:21 log.go:26: [init plugin: shellshock 破壳漏洞]
    [info] 15:28:21 log.go:26: [init plugin: SMB 匿名共享/弱口令]
    [info] 15:28:21 log.go:26: [init plugin: SSH 弱口令]
    [info] 15:28:21 log.go:26: [init plugin: Struts2 远程代码执行]
    [info] 15:28:21 log.go:26: [init plugin: ThinkPHP5 SQL Injection Vulnerability]
    [info] 15:28:21 log.go:26: [init plugin: Apache Tomcat 弱口令]
    [info] 15:28:21 log.go:26: [init plugin: UcServer 创始人弱口令]
    [info] 15:28:21 log.go:26: [init plugin: WebDav Put开启]
    [info] 15:28:21 log.go:26: [init plugin: WebDav PROPFIND RCE(理论检测)]
    [info] 15:28:21 log.go:26: [init plugin: WebServer 任意文件读取]
    [info] 15:28:21 log.go:26: [init plugin: WebLogic WLS RCE ]
    [info] 15:28:21 log.go:26: [init plugin: Weblogic 控制台弱口令]
    [info] 15:28:21 log.go:26: [init plugin: WordPress Mailpress Plugin 远程代码执行漏洞]
    [info] 15:28:21 log.go:26: [init plugin: WordPress 后台弱口令]
    [info] 15:28:21 log.go:26: [init plugin: Zabbix jsrpc.php SQL注入漏洞]
    [info] 15:28:21 log.go:26: [init plugin: Zabbix latest.php SQL注入漏洞]
    [info] 15:28:21 log.go:26: [init plugin: zookeeper 未授权访问]
    [info] 15:28:21 log.go:26: [init json plugin]
    [info] 15:28:21 log.go:31: [{"type": "web", "netloc": "http://www.google.cn", "target": "web", "meta": {"system": "", "pathlist": [], "filelist": [], "passlist": []}}]
    [info] 15:28:21 log.go:31: [{web http://www.google.cn web { [] [] []}}]
    [info] 15:28:21 log.go:31: [new task: {web http://www.google.cn web { [] [] []}}]
    [info] 15:28:21 log.go:31: [go plugin total: 24]
    [info] 15:28:21 log.go:31: [run go plugins: web]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn]
    [info] 15:28:21 log.go:31: [response code: 200 len: -1]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/css/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1565]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/js/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1564]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/img/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1565]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/images/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1568]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/upload/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1568]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/inc/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1565]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/x47abr.txt]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1571]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/x47abr.txt]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1571]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/../../../../../../../../etc/passwd]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1571]
    [info] 15:28:21 log.go:31: [JSON Plugin total:  0]
    []
    

    从最后的[JSON Plugin total: 0]可以看到未能加载内置JSON插件,使用release版本也是同样的情况。在Linux(Ubuntu 16.04)下测试Linux版本可正常加载。

    bug 
    opened by imp0wd3r 5
  • 示例代码跑不起来,报错

    示例代码跑不起来,报错 "unexpected type from module symbol"

    系统版本

    macOS High Sierra 
    

    Go 版本:

    go version go1.11.4 darwin/amd64
    

    使用的.so文件是:

    kunpeng_darwin_v20190129/kunpeng_go.so
    

    示例代码跑不起来,报错,日志:

    [info] 19:07:04 log.go:26: [init plugin: Axis2控制台 弱口令]
    [info] 19:07:04 log.go:26: [init plugin: web目录浏览]
    [info] 19:07:04 log.go:26: [init plugin: Discuz! 6.x/7.x 代码执行]
    [info] 19:07:04 log.go:26: [init plugin: FTP 弱口令]
    [info] 19:07:04 log.go:26: [init plugin: grafana 控制台弱口令]
    [info] 19:07:04 log.go:26: [init plugin: IIS 物理路径泄露]
    [info] 19:07:04 log.go:26: [init plugin: IIS 短文件名]
    [info] 19:07:04 log.go:26: [init plugin: JBoss 控制台弱口令]
    [info] 19:07:04 log.go:26: [init plugin: Java调试线协议(JDWP)远程代码执行漏洞]
    [info] 19:07:04 log.go:26: [init plugin: Memcache 未授权访问]
    [info] 19:07:04 log.go:26: [init plugin: MongoDB 未授权访问/弱口令]
    [info] 19:07:04 log.go:26: [init plugin: SQLServer 弱口令]
    [info] 19:07:04 log.go:26: [init plugin: MySQL 弱口令]
    [info] 19:07:04 log.go:26: [init plugin: PostgreSQL 弱口令]
    [info] 19:07:04 log.go:26: [init plugin: Redis 未授权访问/弱口令]
    [info] 19:07:04 log.go:26: [init plugin: shellshock 破壳漏洞]
    [info] 19:07:04 log.go:26: [init plugin: SMB 匿名共享/弱口令]
    [info] 19:07:04 log.go:26: [init plugin: SSH 弱口令]
    [info] 19:07:04 log.go:26: [init plugin: Struts2 远程代码执行]
    [info] 19:07:04 log.go:26: [init plugin: ThinkPHP5 SQL Injection Vulnerability]
    [info] 19:07:04 log.go:26: [init plugin: Apache Tomcat 弱口令]
    [info] 19:07:04 log.go:26: [init plugin: UcServer 创始人弱口令]
    [info] 19:07:04 log.go:26: [init plugin: WebDav Put开启]
    [info] 19:07:04 log.go:26: [init plugin: WebDav PROPFIND RCE(理论检测)]
    [info] 19:07:04 log.go:26: [init plugin: WebServer 任意文件读取]
    [info] 19:07:04 log.go:26: [init plugin: WebLogic WLS RCE ]
    [info] 19:07:04 log.go:26: [init plugin: Weblogic 控制台弱口令]
    [info] 19:07:04 log.go:26: [init plugin: WordPress 后台弱口令]
    [info] 19:07:04 log.go:26: [init plugin: Zabbix jsrpc.php SQL注入漏洞]
    [info] 19:07:04 log.go:26: [init plugin: Zabbix latest.php SQL注入漏洞]
    [info] 19:07:04 log.go:26: [init plugin: zookeeper 未授权访问]
    [info] 19:07:04 log.go:26: [init json plugin]
    [info] 19:07:04 log.go:26: [init plugin: discuz_admincp_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_ajax_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_announcement_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_api_pathinfo.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_attachment_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_focus_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_jianghu_sqli.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_member_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_misc_sqli.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_mp3player_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_post_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_shop_sqli.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_viewthread_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: django_urljump.json]
    [info] 19:07:04 log.go:26: [init plugin: docker_api.json]
    [info] 19:07:04 log.go:26: [init plugin: drupal_geddon2_rce.json]
    [info] 19:07:04 log.go:26: [init plugin: elasticsearch_unauth.json]
    [info] 19:07:04 log.go:26: [init plugin: hadoop_yarn_resourcemanager_unauth_rce.json]
    [info] 19:07:04 log.go:26: [init plugin: joomla_3.7_sqli.json]
    [info] 19:07:04 log.go:26: [init plugin: joomla_contushdvideoshare_lfi.json]
    [info] 19:07:04 log.go:26: [init plugin: joomla_departments_sqli.json]
    [info] 19:07:04 log.go:26: [init plugin: thinkphp5_invokefunction_rce.json]
    [info] 19:07:04 log.go:26: [init plugin: weblogic_debug.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_cmdownloads_rce.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_dzs_videogallery_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_jquery_domxss.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_mainwp_login.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_sexy_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_swfupload_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_wpml_xss.json]
    unexpected type from module symbol
    

    kunpeng_go.so:

    MD5 (kunpeng_go.so) = 183d8c4be12a0a733f55ff06d866e045
    
    opened by imfht 5
  • [误报] MongoDB 未授权访问插件

    [误报] MongoDB 未授权访问插件

    有问题的代码:

    https://github.com/opensec-cn/kunpeng/blob/master/plugin/go/mongoWeakPass.go#L45-L52

    使用 session.Ping() == nil 来判断未授权访问是不正确的,即使 mongodb 加了认证,ping 也会返回正常。

    下面是 log:

    [email protected]:/# mongo 192.168.2.106:37017/test
    MongoDB shell version v4.0.10
    connecting to: mongodb://192.168.2.106:37017/test?gssapiServiceName=mongodb
    Implicit session: session { "id" : UUID("b67c65b0-fd06-4eb8-bc34-3917a0e99bb4") }
    MongoDB server version: 4.0.10
    > db.runCommand({"ping":1})
    { "ok" : 1 }
    > db.runCommand({"serverStatus":1})
    {
    	"ok" : 0,
    	"errmsg" : "command serverStatus requires authentication",
    	"code" : 13,
    	"codeName" : "Unauthorized"
    }
    >
    

    正确的做法是替换为:

    if err == nil && session.Run("serverStatus", nil) == nil {
     // ...
    }
    
    bug 
    opened by Medicean 1
  • 关于go调用并发时出现goroutine leak

    关于go调用并发时出现goroutine leak

    问题有点类似: https://github.com/docker/distribution/issues/473

    出现在net/http.(*persistConn).writeLoop,并发数量大概1000,但是出现了goroutine 2w+...

    9A9133F260DEDEFE5F33D6803D13B956

    问题以及得到解决: /github.com/opensec-cn/kunpeng/util/net.go

    使用DisableKeepAlives: true关闭一下

    transport := &http.Transport{
    		TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
    		DisableKeepAlives: true,
    	}
    

    注意的是每次都会调用setProxy, 里面的逻辑会翻盖init()设置的client.Transport

    func RequestDo(request *http.Request, hasRaw bool) (Resp, error) {
    	setProxy()
    }
    
    bug 
    opened by l3m0n 1
  • 是否支持指定插件的调用?

    是否支持指定插件的调用?

    目前kunpeng调用哪些插件取决于task中的targettarget对应插件里的target字段,扫描时具有同样target的插件都会被调用。

    不过对于某些场景可能需要只调用指定的插件,比如出现高危漏洞时的应急响应,虽然可以通过将target设置成emergency等特殊值来实现,但是后续PoC分类是还是需要把target设置成插件所属的类别,这就多了一步操作。

    所以我想问下kunpeng有考虑通过除target之外其他唯一标识字段来加载插件吗?比如id、名称等。

    enhancement 
    opened by imp0wd3r 1
  • fix go/struts2-045 plugin return error bug

    fix go/struts2-045 plugin return error bug

    Error code position: https://github.com/opensec-cn/kunpeng/blob/master/plugin/go/struts2-045.go#L53-L54

    resp.RequestRaw should be assigned to result.Request rather than result.Response.

    bug 
    opened by BLKStone 0
  • 代码跑不起来,提示FSMustByte FS undefined

    代码跑不起来,提示FSMustByte FS undefined

    # github.com/opensec-cn/kunpeng/plugin/json
    plugin/json/init.go:39:17: undefined: FSMustByte
    plugin/json/init.go:60:12: undefined: FS
    

    我拉取的是master分支的代码

    opened by cjphaha 4
  • 新写的 json 插件一直加载不上

    新写的 json 插件一直加载不上

    请问新写的 json 插件一直加载不上,也不报错,但是显示的 json 插件数一直不变,存在漏洞的请求访问也没有结果 一直是这个数 [info] 17:05:11 log.go:44: [go plugin total: 34] [info] 17:05:11 log.go:44: [json plugin total: 19]

    执行编译操作也没有问题,也会生成新的 so 文件,但是使用 so 文件进行漏洞测试,显示的插件数也不变,测试存在漏洞的请求,也没有结果,这种情况该怎么处理呢?谢谢

    opened by C0isini 3
Releases(20190527)
Owner
OpenSec
OpenSec