Kunpeng is an open-source POC framework/library written in Go. It is shipped as a dynamic library that can be called from many languages, so a vulnerability detection system can be built on it quickly.

Kunpeng


Introduction

Kunpeng is an open-source POC detection framework written in Go. It bundles vulnerability POCs for databases, middleware, web components, CMSs and more (see the list of included POCs) and can detect weak passwords, SQL injection, XSS, RCE and other vulnerability classes. It is provided as a dynamic library, so a vulnerability detection system can be built on it quickly and risky vulnerabilities can be found one step ahead of attackers.

This is not yet another POC framework; it was designed to end the reinvented-wheel problem. It is also more than a framework: the goal is a vulnerability POC library maintained jointly by the community, so that security developers only need to focus on the business logic of their own detection systems instead of each maintaining a separate vulnerability database.

To avoid misuse, every vulnerability included in this project is a verification POC or a theoretical (fingerprint-based) judgment. There is no exploitation step, and no real attack or exploit is ever launched against the target.

Runtime environments: Windows, Linux, Darwin
Delivery form: dynamic library (so, dll, dylib, go plugin)

404StarLink 2.0 - Galaxy

Kunpeng is part of the 404Team StarLink Project 2.0. If you have questions about Kunpeng or want to find people to discuss it with, see the StarLink Project's instructions for joining the group.

Features

  • Works out of the box, no dependencies to install
  • Cross-language: called as a dynamic library
  • Single file: update by simply overwriting it
  • Maintained by the open-source community, with common vulnerability POCs built in
  • Minimal vulnerability verification and theoretical judgment; attack-like behaviour is avoided wherever possible

Use cases

Penetration-testing helper: e.g. msf, interactive console -> Kunpeng

Network asset security monitoring: e.g. xunfeng, port scan -> fingerprinting -> Kunpeng, or nmap -> Kunpeng

Scanner: as the vulnerability library behind a scanner

Further use cases are up to you

Download

releases

In the archive, kunpeng_go.so is the Go-only build; every other language uses kunpeng_c.so

Usage

API description

/*  Pass in the JSON describing the target to check, in this format:
    {
        "type": "web", // target type: web or service
        "netloc": "http://xxx.com", // target address: a URL for web, host:port (e.g. 123.123.123.123:22) for service
        "target": "wordpress", // target name: the string a Go plugin was registered with (fuzzy match), the target attribute of a JSON plugin (fuzzy match), a CVE id (e.g. CVE-xx-xxx) or a KPID (e.g. KP-0013); it decides which POCs run, see /doc/plguin.md
        "meta":{
            "system": "windows",  // operating system; some checks differ between systems, so plugins can branch on this
            "pathlist":[], // list of directory URLs; some plugins need these, e.g. the directory-listing plugin
            "filelist":[], // list of file URLs; some plugins need these, e.g. the Struts2 plugins
            "passlist":[] // custom password dictionary
        } // optional
    }
    Returns whether a vulnerability exists together with the detection results
*/
Check(taskJSON string) string

// Get the plugin list
GetPlugins() string


/*  Settings; pass a config JSON in this format:
    {
        "timeout": 15, // plugin connection timeout
        "aider": "http://123.123.123.123:8088", // auxiliary verification endpoint. Some vulnerabilities give no visible echo, so the plugin instead checks whether the target called back to this endpoint. Run python -c'import socket,base64;exec(base64.b64decode("..."))' on the helper machine (the base64 payload is omitted here) and fill in http://IP:8088; leave empty to disable. The helper exec()s a base64-decoded blob and listens on the network, so decode and read it before running it on an exposed host.
        "http_proxy": "http://123.123.123.123:1080", // HTTP proxy; all plugin HTTP traffic goes through it (plugins must use the built-in request function util.RequestDo)
        "pass_list": ["passtest"], // default password dictionary; if not set, the small dictionary hard-coded in the source is used
        "extra_plugin_path": "/tmp/plugin/" // in addition to the compiled-in plugins (Go, JSON), an extra plugin directory (JSON plugins only); once set, the program reloads plugins from it periodically
    }
*/
SetConfig(configJSON string)

// Start the web API; afterwards the library can be driven over HTTP. See /example/call_webapi_test.py for the call format
StartWebServer(bindAddr string)

// Get the current version, e.g. 20190227
GetVersion() string
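An added example, not part of the project: the task JSON above encoded as Go types, with a validator that rejects a malformed task before it is handed to Check(). It checks that type is web or service, that a web netloc is an http(s) URL and a service netloc is host:port with a valid port, and that target is set. Task, TaskMeta, ValidateTask and BuildTaskJSON are names chosen for this example; the field names follow the JSON documented above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// TaskMeta mirrors the optional "meta" object of the task JSON.
type TaskMeta struct {
	System   string   `json:"system"`
	PathList []string `json:"pathlist"`
	FileList []string `json:"filelist"`
	PassList []string `json:"passlist"`
}

// Task mirrors the JSON document that Check() accepts.
type Task struct {
	Type   string   `json:"type"`
	Netloc string   `json:"netloc"`
	Target string   `json:"target"`
	Meta   TaskMeta `json:"meta"`
}

// ValidateTask rejects malformed tasks before they reach the library
// (hypothetical helper, not a Kunpeng API).
func ValidateTask(t Task) error {
	switch t.Type {
	case "web":
		u, err := url.Parse(t.Netloc)
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			return fmt.Errorf("web netloc must be an http(s) URL, got %q", t.Netloc)
		}
	case "service":
		host, port, err := net.SplitHostPort(t.Netloc)
		if err != nil || host == "" {
			return fmt.Errorf("service netloc must be host:port, got %q", t.Netloc)
		}
		if n, err := strconv.Atoi(port); err != nil || n < 1 || n > 65535 {
			return fmt.Errorf("service netloc has an invalid port, got %q", t.Netloc)
		}
	default:
		return fmt.Errorf("type must be \"web\" or \"service\", got %q", t.Type)
	}
	if strings.TrimSpace(t.Target) == "" {
		return errors.New("target is required (plugin name, CVE id or KPID)")
	}
	return nil
}

// BuildTaskJSON validates the task and serialises it in the form Check() expects.
func BuildTaskJSON(t Task) (string, error) {
	if err := ValidateTask(t); err != nil {
		return "", err
	}
	b, err := json.Marshal(t)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample tasks: two valid, three that must be rejected.
	tasks := []Task{
		{Type: "web", Netloc: "http://www.example.com", Target: "wordpress"},
		{Type: "service", Netloc: "192.168.0.105:3306", Target: "mysql", Meta: TaskMeta{PassList: []string{"root", ""}}},
		{Type: "service", Netloc: "192.168.0.105", Target: "mysql"},    // missing port
		{Type: "web", Netloc: "ftp://www.example.com", Target: "web"},  // wrong scheme
		{Type: "ssh", Netloc: "192.168.0.105:22", Target: "ssh"},       // unknown type
	}
	for _, t := range tasks {
		s, err := BuildTaskJSON(t)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("task:", s)
	}
}
```

Validating before the FFI call matters because the scanner usually receives targets from an asset inventory or a user, and a bad netloc otherwise only surfaces as an empty result or a plugin timeout.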

Examples

Python

# coding:utf-8

import json
from ctypes import cdll, c_char_p

# Load the shared library
kunpeng = cdll.LoadLibrary('./kunpeng_c.so')

# Declare argument and return types. c_char_p carries bytes, so on Python 3
# the JSON strings are encoded before each call and the results decoded after.
kunpeng.GetPlugins.restype = c_char_p
kunpeng.Check.argtypes = [c_char_p]
kunpeng.Check.restype = c_char_p
kunpeng.SetConfig.argtypes = [c_char_p]
kunpeng.GetVersion.restype = c_char_p

# Plugin list
out = kunpeng.GetPlugins()
print(out.decode('utf-8'))

# Configuration
config = {
    'timeout': 10,
    # 'aider': 'http://xxxx:8080',
    # 'http_proxy': 'http://xxxxx:1080',
    # 'pass_list': ['xtest'],
    # 'extra_plugin_path': '/home/test/plugin/',
}
kunpeng.SetConfig(json.dumps(config).encode('utf-8'))

# Enable log output
kunpeng.ShowLog()

# Scan targets
task = {
    'type': 'web',
    'netloc': 'http://www.google.cn',
    'target': 'web'
}
task2 = {
    'type': 'service',
    'netloc': '192.168.0.105:3306',
    'target': 'mysql'
}
out = kunpeng.Check(json.dumps(task).encode('utf-8'))
print(json.loads(out.decode('utf-8')))
out = kunpeng.Check(json.dumps(task2).encode('utf-8'))
print(json.loads(out.decode('utf-8')))

More examples are in the example directory; Python, Golang, Node.js, Lua and Java callers are provided so far. Contributions of callers in other languages are welcome.

Plugin development

Two plugin types are supported, Go and JSON; most vulnerabilities can be verified with a JSON plugin. They live in plugin/go/ and plugin/json/ respectively.

  • Go plugin example 1
// The package name must be goplugin
package goplugin

// Import the plugin package
import (
	"fmt"

	"github.com/go-redis/redis"
	"github.com/opensec-cn/kunpeng/plugin"
)

// Plugin struct; the info and result fields must exist
type redisWeakPass struct {
	info   plugin.Plugin   // plugin metadata
	result []plugin.Plugin // findings; more than one may be returned
}

func init() {
	// Register the plugin under its target name
	plugin.Regist("redis", &redisWeakPass{})
}

func (d *redisWeakPass) Init() plugin.Plugin {
	d.info = plugin.Plugin{
		Name:    "Redis unauthorized access / weak password",                                // plugin name
		Remarks: "Leaks sensitive data; in the worst case the server is fully compromised.", // vulnerability description
		Level:   0,          // severity {0: critical, 1: high, 2: medium, 3: low, 4: info}
		Type:    "WEAKPASS", // vulnerability type, free-form
		Author:  "wolf",     // plugin author
		References: plugin.References{
			URL:  "https://www.freebuf.com/vuls/162035.html", // related write-up
			CVE:  "",                                          // CVE id; leave empty or omit if none
			KPID: "KP-0008",                                   // kunpeng POC id, incrementing
		},
	}
	return d.info
}

func (d *redisWeakPass) GetResult() []plugin.Plugin {
	var result = d.result
	d.result = []plugin.Plugin{}
	return result
}

func (d *redisWeakPass) Check(netloc string, meta plugin.TaskMeta) bool {
	for _, pass := range meta.PassList {
		client := redis.NewClient(&redis.Options{
			Addr:     netloc,
			Password: pass, // an empty password tests for unauthenticated access
			DB:       0,
		})
		_, err := client.Ping().Result()
		// Close on every attempt, not only on success; otherwise each failed
		// password leaks a connection pool
		client.Close()
		if err == nil {
			result := d.info
			result.Request = fmt.Sprintf("redis://%s@%s", pass, netloc)
			if pass == "" {
				result.Remarks = fmt.Sprintf("Unauthorized access, %s", result.Remarks)
			} else {
				result.Remarks = fmt.Sprintf("Weak password: %s, %s", pass, result.Remarks)
			}
			d.result = append(d.result, result)
			return true
		}
	}
	return false
}
  • Go plugin example 2
package goplugin

import (
	"net/http"
	"strings"

	"github.com/opensec-cn/kunpeng/plugin"
	"github.com/opensec-cn/kunpeng/util"
)

type webDavRCE struct {
	info   plugin.Plugin
	result []plugin.Plugin
}

func init() {
	plugin.Regist("iis", &webDavRCE{})
}

func (d *webDavRCE) Init() plugin.Plugin {
	d.info = plugin.Plugin{
		Name:    "WebDav PROPFIND RCE (theoretical detection)",
		Remarks: "CVE-2017-7269: buffer overflow in the ScStoragePathFromUrl function of the WebDAV service in IIS 6.0 on Windows Server 2003 R2",
		Level:   1,
		Type:    "RCE",
		Author:  "wolf",
		References: plugin.References{
			URL:  "https://www.seebug.org/vuldb/ssvid-92834",
			CVE:  "CVE-2017-7269",
			KPID: "KP-0009",
		},
	}
	return d.info
}

func (d *webDavRCE) GetResult() []plugin.Plugin {
	var result = d.result
	d.result = []plugin.Plugin{}
	return result
}

// Check only fingerprints the server (IIS 6.0 advertising PROPFIND); it never
// sends the overflow, so a hit is a theoretical judgment, not a confirmed exploit
func (d *webDavRCE) Check(URL string, meta plugin.TaskMeta) bool {
	request, err := http.NewRequest("OPTIONS", URL, nil)
	if err != nil {
		return false
	}
	// Send the request through the wrapped RequestDo so the proxy setting applies
	resp, err := util.RequestDo(request, true)
	if err != nil {
		return false
	}
	if resp.Other.Header.Get("Server") == "Microsoft-IIS/6.0" && strings.Contains(resp.Other.Header.Get("Allow"), "PROPFIND") {
		result := d.info
		result.Request = resp.RequestRaw
		result.Response = resp.ResponseRaw
		d.result = append(d.result, result)
		return true
	}
	return false
}
  • JSON plugin example
{
    "//": "comments the Google way: keys named // are comments",
    "//": "application the plugin belongs to, free-form",
    "target": "wordpress",
    "meta":{
        "//": "plugin name",
        "name": "WordPress example.html jQuery DomXSS",
        "//": "vulnerability description",
        "remarks": "WordPress example.html ships jQuery 1.7.2, which has a DOM XSS",
        "//": "severity {0: critical, 1: high, 2: medium, 3: low, 4: info}",
        "level":   3,
        "//": "vulnerability type, free-form",
        "type":    "XSS",
        "//": "plugin author",
        "author":  "wolf",
        "references": {
            "//": "related write-up",
            "url":"https://www.seebug.org/vuldb/ssvid-89179",
            "//": "CVE id, empty if none",
            "cve":"",
            "//": "kunpeng POC id, incrementing",
            "kpid":"KP-0003"
        }
    },
    "request":{
        "//": "path of the vulnerable URL",
        "path": "/wp-content/themes/twentyfifteen/genericons/example.html",
        "//": "POST body; empty means GET",
        "postData": ""
    },
    "verify":{
        "//": "verification type {string: substring match, regex: regular expression, md5: md5 of the returned file}",
        "type":  "string",
        "//": "verification value, interpreted according to type",
        "match": "jquery/1.7.2/jquery.min.js"
    }
}
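As an added example, not the project's own loader: a small evaluator for the JSON plugin format above. It decodes the document with encoding/json (the "//" comment keys are ignored as unknown fields, and duplicate keys keep the last value), validates the verify section up front, and applies the three verify types (string, regex, md5) to a response body. The sample plugin and the response body are constructed for the example; ParsePlugin, Matches, URL and Method are names chosen here, and treating md5 as a lowercase hex digest of the whole body is an assumption about the format.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// JSONPlugin mirrors the fields of the plugin file that the check needs.
type JSONPlugin struct {
	Target string `json:"target"`
	Meta   struct {
		Name  string `json:"name"`
		Level int    `json:"level"`
		Type  string `json:"type"`
	} `json:"meta"`
	Request struct {
		Path     string `json:"path"`
		PostData string `json:"postData"`
	} `json:"request"`
	Verify struct {
		Type  string `json:"type"`
		Match string `json:"match"`
	} `json:"verify"`
}

// ParsePlugin decodes and sanity-checks a plugin document before it is used,
// so a bad regex or unknown verify type fails at load time, not mid-scan.
func ParsePlugin(doc []byte) (*JSONPlugin, error) {
	var p JSONPlugin
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(p.Request.Path, "/") {
		return nil, fmt.Errorf("request.path must start with /, got %q", p.Request.Path)
	}
	switch p.Verify.Type {
	case "string":
	case "regex":
		if _, err := regexp.Compile(p.Verify.Match); err != nil {
			return nil, fmt.Errorf("bad regex in verify.match: %w", err)
		}
	case "md5":
		if _, err := hex.DecodeString(p.Verify.Match); err != nil || len(p.Verify.Match) != 32 {
			return nil, fmt.Errorf("verify.match must be a 32-char hex md5 for type md5")
		}
	default:
		return nil, fmt.Errorf("unknown verify.type %q", p.Verify.Type)
	}
	return &p, nil
}

// Method is GET when postData is empty, POST otherwise (as documented above).
func (p *JSONPlugin) Method() string {
	if p.Request.PostData == "" {
		return "GET"
	}
	return "POST"
}

// URL joins the target base URL with the plugin's request path.
func (p *JSONPlugin) URL(base string) string {
	return strings.TrimRight(base, "/") + p.Request.Path
}

// Matches applies the verify rule to a response body.
func (p *JSONPlugin) Matches(body []byte) (bool, error) {
	switch p.Verify.Type {
	case "string":
		return strings.Contains(string(body), p.Verify.Match), nil
	case "regex":
		re, err := regexp.Compile(p.Verify.Match)
		if err != nil {
			return false, err
		}
		return re.Match(body), nil
	case "md5":
		sum := md5.Sum(body)
		return strings.EqualFold(hex.EncodeToString(sum[:]), p.Verify.Match), nil
	}
	return false, fmt.Errorf("unknown verify.type %q", p.Verify.Type)
}

// samplePlugin is a constructed document modelled on the WordPress example above.
const samplePlugin = `{
    "//": "constructed sample for this example",
    "target": "wordpress",
    "meta": {"name": "WordPress example.html jQuery DomXSS", "level": 3, "type": "XSS"},
    "request": {"path": "/wp-content/themes/twentyfifteen/genericons/example.html", "postData": ""},
    "verify": {"type": "string", "match": "jquery/1.7.2/jquery.min.js"}
}`

// vulnerableBody is a constructed response from an unpatched install.
const vulnerableBody = `<html><head><script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script></head></html>`

func main() {
	p, err := ParsePlugin([]byte(samplePlugin))
	if err != nil {
		panic(err)
	}
	hit, _ := p.Matches([]byte(vulnerableBody))
	fmt.Printf("%s %s -> %s level=%d match=%v\n", p.Method(), p.URL("http://target.example/"), p.Meta.Name, p.Meta.Level, hit)
}
```

Note what a string match like this actually proves: only that the vulnerable jQuery path is referenced, which is why the project labels such checks theoretical rather than confirmed.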

Build

Note: third-party dependencies are now managed with Go modules. A Go plugin (kunpeng_go.so) can only be loaded by a program built with the same Go toolchain and the same dependency versions.

go get -d github.com/opensec-cn/kunpeng
cd $GOPATH/src/github.com/opensec-cn/kunpeng


# small tool that embeds static assets into the Go source
go install github.com/mjibson/esc

# embed the JSON plugins into the project source; this generates plugin/json/JSONPlugin.go,
# and without it the build fails with "undefined: FSMustByte" / "undefined: FS"
esc -include='\.json$' -o plugin/json/JSONPlugin.go -pkg jsonplugin plugin/json/

# build the C version (usable from every language)
go build -buildmode=c-shared --ldflags="-w -s -X main.VERSION=20190226" -o kunpeng_c.so

# build the Go-only version (not supported on Windows)
go build -buildmode=plugin --ldflags="-w -s -X main.VERSION=20190226" -o kunpeng_go.so

# run the samples
python example/call_so_test.py
go run example/callsoTest.go

Screenshot

(screenshot image not included)

Comments
  • JSON plugins load as 0 on macOS

    Neither the release build nor a self-compiled build loads the built-in JSON plugins.

    System version:

    ➜  kunpeng git:(master) uname -a
    Darwin localhost 16.7.0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64
    

    Build and test steps:

    ➜  kunpeng git:(master) git status
    On branch master
    Your branch is up-to-date with 'origin/master'.
    
    nothing to commit, working tree clean
    ➜  kunpeng git:(master) go install ./vendor/github.com/mjibson/esc
    ➜  kunpeng git:(master) esc -include='\.json$' -o plugin/json/JSONPlugin.go -pkg jsonplugin plugin/json/
    ➜  kunpeng git:(master) go build -buildmode=c-shared --ldflags="-w -s" -o kunpeng_c.so
    ➜  kunpeng git:(master) python example/call_so_test.py
    [info] 15:28:21 log.go:26: [init plugin: ActiveMQ arbitrary file write]
    [info] 15:28:21 log.go:26: [init plugin: Apache Solr XXE]
    [info] 15:28:21 log.go:26: [init plugin: Axis2 console weak password]
    [info] 15:28:21 log.go:26: [init plugin: web directory listing]
    [info] 15:28:21 log.go:26: [init plugin: Discuz! 6.x/7.x code execution]
    [info] 15:28:21 log.go:26: [init plugin: FTP weak password]
    [info] 15:28:21 log.go:26: [init plugin: grafana console weak password]
    [info] 15:28:21 log.go:26: [init plugin: IIS physical path disclosure]
    [info] 15:28:21 log.go:26: [init plugin: IIS short filename]
    [info] 15:28:21 log.go:26: [init plugin: JBoss console weak password]
    [info] 15:28:21 log.go:26: [init plugin: Memcache unauthorized access]
    [info] 15:28:21 log.go:26: [init plugin: MongoDB unauthorized access / weak password]
    [info] 15:28:21 log.go:26: [init plugin: SQLServer weak password]
    [info] 15:28:21 log.go:26: [init plugin: MySQL weak password]
    [info] 15:28:21 log.go:26: [init plugin: PostgreSQL weak password]
    [info] 15:28:21 log.go:26: [init plugin: Redis unauthorized access / weak password]
    [info] 15:28:21 log.go:26: [init plugin: shellshock]
    [info] 15:28:21 log.go:26: [init plugin: SMB anonymous share / weak password]
    [info] 15:28:21 log.go:26: [init plugin: SSH weak password]
    [info] 15:28:21 log.go:26: [init plugin: Struts2 remote code execution]
    [info] 15:28:21 log.go:26: [init plugin: ThinkPHP5 SQL Injection Vulnerability]
    [info] 15:28:21 log.go:26: [init plugin: Apache Tomcat weak password]
    [info] 15:28:21 log.go:26: [init plugin: UcServer founder weak password]
    [info] 15:28:21 log.go:26: [init plugin: WebDav PUT enabled]
    [info] 15:28:21 log.go:26: [init plugin: WebDav PROPFIND RCE (theoretical detection)]
    [info] 15:28:21 log.go:26: [init plugin: WebServer arbitrary file read]
    [info] 15:28:21 log.go:26: [init plugin: WebLogic WLS RCE ]
    [info] 15:28:21 log.go:26: [init plugin: Weblogic console weak password]
    [info] 15:28:21 log.go:26: [init plugin: WordPress Mailpress Plugin remote code execution]
    [info] 15:28:21 log.go:26: [init plugin: WordPress admin weak password]
    [info] 15:28:21 log.go:26: [init plugin: Zabbix jsrpc.php SQL injection]
    [info] 15:28:21 log.go:26: [init plugin: Zabbix latest.php SQL injection]
    [info] 15:28:21 log.go:26: [init plugin: zookeeper unauthorized access]
    [info] 15:28:21 log.go:26: [init json plugin]
    [info] 15:28:21 log.go:31: [{"type": "web", "netloc": "http://www.google.cn", "target": "web", "meta": {"system": "", "pathlist": [], "filelist": [], "passlist": []}}]
    [info] 15:28:21 log.go:31: [{web http://www.google.cn web { [] [] []}}]
    [info] 15:28:21 log.go:31: [new task: {web http://www.google.cn web { [] [] []}}]
    [info] 15:28:21 log.go:31: [go plugin total: 24]
    [info] 15:28:21 log.go:31: [run go plugins: web]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn]
    [info] 15:28:21 log.go:31: [response code: 200 len: -1]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/css/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1565]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/js/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1564]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/img/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1565]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/images/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1568]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/upload/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1568]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/inc/]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1565]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/x47abr.txt]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1571]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/x47abr.txt]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1571]
    [info] 15:28:21 log.go:31: [request do http://www.google.cn/../../../../../../../../etc/passwd]
    [info] 15:28:21 log.go:31: [response code: 404 len: 1571]
    [info] 15:28:21 log.go:31: [JSON Plugin total:  0]
    []
    

    The final [JSON Plugin total: 0] shows that the built-in JSON plugins were not loaded; the release build behaves the same way. On Linux (Ubuntu 16.04) the Linux build loads them normally.

  • The example code does not run: "unexpected type from module symbol"

    System version:

    macOS High Sierra 
    

    Go version:

    go version go1.11.4 darwin/amd64
    

    The .so file used:

    kunpeng_darwin_v20190129/kunpeng_go.so
    

    The example fails with this log:

    [info] 19:07:04 log.go:26: [init plugin: Axis2 console weak password]
    [info] 19:07:04 log.go:26: [init plugin: web directory listing]
    [info] 19:07:04 log.go:26: [init plugin: Discuz! 6.x/7.x code execution]
    [info] 19:07:04 log.go:26: [init plugin: FTP weak password]
    [info] 19:07:04 log.go:26: [init plugin: grafana console weak password]
    [info] 19:07:04 log.go:26: [init plugin: IIS physical path disclosure]
    [info] 19:07:04 log.go:26: [init plugin: IIS short filename]
    [info] 19:07:04 log.go:26: [init plugin: JBoss console weak password]
    [info] 19:07:04 log.go:26: [init plugin: Java Debug Wire Protocol (JDWP) remote code execution]
    [info] 19:07:04 log.go:26: [init plugin: Memcache unauthorized access]
    [info] 19:07:04 log.go:26: [init plugin: MongoDB unauthorized access / weak password]
    [info] 19:07:04 log.go:26: [init plugin: SQLServer weak password]
    [info] 19:07:04 log.go:26: [init plugin: MySQL weak password]
    [info] 19:07:04 log.go:26: [init plugin: PostgreSQL weak password]
    [info] 19:07:04 log.go:26: [init plugin: Redis unauthorized access / weak password]
    [info] 19:07:04 log.go:26: [init plugin: shellshock]
    [info] 19:07:04 log.go:26: [init plugin: SMB anonymous share / weak password]
    [info] 19:07:04 log.go:26: [init plugin: SSH weak password]
    [info] 19:07:04 log.go:26: [init plugin: Struts2 remote code execution]
    [info] 19:07:04 log.go:26: [init plugin: ThinkPHP5 SQL Injection Vulnerability]
    [info] 19:07:04 log.go:26: [init plugin: Apache Tomcat weak password]
    [info] 19:07:04 log.go:26: [init plugin: UcServer founder weak password]
    [info] 19:07:04 log.go:26: [init plugin: WebDav PUT enabled]
    [info] 19:07:04 log.go:26: [init plugin: WebDav PROPFIND RCE (theoretical detection)]
    [info] 19:07:04 log.go:26: [init plugin: WebServer arbitrary file read]
    [info] 19:07:04 log.go:26: [init plugin: WebLogic WLS RCE ]
    [info] 19:07:04 log.go:26: [init plugin: Weblogic console weak password]
    [info] 19:07:04 log.go:26: [init plugin: WordPress admin weak password]
    [info] 19:07:04 log.go:26: [init plugin: Zabbix jsrpc.php SQL injection]
    [info] 19:07:04 log.go:26: [init plugin: Zabbix latest.php SQL injection]
    [info] 19:07:04 log.go:26: [init plugin: zookeeper unauthorized access]
    [info] 19:07:04 log.go:26: [init json plugin]
    [info] 19:07:04 log.go:26: [init plugin: discuz_admincp_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_ajax_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_announcement_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_api_pathinfo.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_attachment_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_focus_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_jianghu_sqli.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_member_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_misc_sqli.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_mp3player_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_post_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_shop_sqli.json]
    [info] 19:07:04 log.go:26: [init plugin: discuz_viewthread_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: django_urljump.json]
    [info] 19:07:04 log.go:26: [init plugin: docker_api.json]
    [info] 19:07:04 log.go:26: [init plugin: drupal_geddon2_rce.json]
    [info] 19:07:04 log.go:26: [init plugin: elasticsearch_unauth.json]
    [info] 19:07:04 log.go:26: [init plugin: hadoop_yarn_resourcemanager_unauth_rce.json]
    [info] 19:07:04 log.go:26: [init plugin: joomla_3.7_sqli.json]
    [info] 19:07:04 log.go:26: [init plugin: joomla_contushdvideoshare_lfi.json]
    [info] 19:07:04 log.go:26: [init plugin: joomla_departments_sqli.json]
    [info] 19:07:04 log.go:26: [init plugin: thinkphp5_invokefunction_rce.json]
    [info] 19:07:04 log.go:26: [init plugin: weblogic_debug.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_cmdownloads_rce.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_dzs_videogallery_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_jquery_domxss.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_mainwp_login.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_sexy_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_swfupload_xss.json]
    [info] 19:07:04 log.go:26: [init plugin: wordpress_wpml_xss.json]
    unexpected type from module symbol
    

    kunpeng_go.so checksum:

    MD5 (kunpeng_go.so) = 183d8c4be12a0a733f55ff06d866e045
    
  • [False positive] MongoDB unauthorized access plugin

    Offending code:

    https://github.com/opensec-cn/kunpeng/blob/master/plugin/go/mongoWeakPass.go#L45-L52

    Using session.Ping() == nil to decide that access is unauthenticated is wrong: even when MongoDB has authentication enabled, ping still succeeds.

    Log:

    root@83dd9fca0b15:/# mongo 192.168.2.106:37017/test
    MongoDB shell version v4.0.10
    connecting to: mongodb://192.168.2.106:37017/test?gssapiServiceName=mongodb
    Implicit session: session { "id" : UUID("b67c65b0-fd06-4eb8-bc34-3917a0e99bb4") }
    MongoDB server version: 4.0.10
    > db.runCommand({"ping":1})
    { "ok" : 1 }
    > db.runCommand({"serverStatus":1})
    {
    	"ok" : 0,
    	"errmsg" : "command serverStatus requires authentication",
    	"code" : 13,
    	"codeName" : "Unauthorized"
    }
    >
    

    The correct approach is to replace it with:

    if err == nil && session.Run("serverStatus", nil) == nil {
     // ...
    }
    
  • goroutine leak when calling concurrently from Go

    The problem looks similar to https://github.com/docker/distribution/issues/473

    It shows up in net/http.(*persistConn).writeLoop: with a concurrency of about 1000 there were 20k+ goroutines...

    The problem has been resolved in /github.com/opensec-cn/kunpeng/util/net.go

    Turn keep-alives off with DisableKeepAlives: true

    transport := &http.Transport{
    		TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
    		DisableKeepAlives: true,
    	}
    

    Note that setProxy is called on every request, and its logic overrides the client.Transport set in init()

    func RequestDo(request *http.Request, hasRaw bool) (Resp, error) {
    	setProxy()
    }
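An added example, not code from the project, serving two passages: the IIS WebDAV fingerprint from Go plugin example 2 and the keep-alive leak discussed in the comment above. It uses plain net/http in place of the project's util.RequestDo, builds the transport exactly once with DisableKeepAlives and the proxy setting (instead of re-applying it on every request, which is the overwrite the comment describes), always drains and closes response bodies, and exercises the OPTIONS fingerprint against a constructed httptest server. Scanner, NewScanner, FakeServer and CheckWebDAVPropfind are names chosen here, not project APIs.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Scanner owns one http.Client for the whole run. The transport is built
// exactly once, in NewScanner, so nothing overwrites it per request.
type Scanner struct {
	client *http.Client
}

// NewScanner builds the shared client. proxyURL may be empty (direct).
func NewScanner(proxyURL string, timeout time.Duration) (*Scanner, error) {
	tr := &http.Transport{
		// Scan targets often have self-signed certificates; this client must
		// not be reused for anything that relies on the peer's identity.
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		// One connection per request, closed after the response: no idle
		// connections and no writeLoop goroutines left behind.
		DisableKeepAlives:     true,
		TLSHandshakeTimeout:   timeout,
		ResponseHeaderTimeout: timeout,
	}
	if proxyURL != "" {
		u, err := url.Parse(proxyURL)
		if err != nil {
			return nil, fmt.Errorf("bad proxy url: %w", err)
		}
		tr.Proxy = http.ProxyURL(u)
	}
	return &Scanner{client: &http.Client{Transport: tr, Timeout: timeout}}, nil
}

// Do sends the request and returns status, headers and the (capped) body.
// The body is always drained and closed, which is what lets the transport
// release the connection.
func (s *Scanner) Do(req *http.Request) (int, http.Header, []byte, error) {
	resp, err := s.client.Do(req)
	if err != nil {
		return 0, nil, nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return 0, nil, nil, err
	}
	return resp.StatusCode, resp.Header, body, nil
}

// CheckWebDAVPropfind is the OPTIONS fingerprint from the IIS plugin above:
// Server is IIS 6.0 and PROPFIND is advertised in Allow. It sends no exploit.
func CheckWebDAVPropfind(s *Scanner, target string) (bool, error) {
	req, err := http.NewRequest(http.MethodOptions, target, nil)
	if err != nil {
		return false, err
	}
	_, hdr, _, err := s.Do(req)
	if err != nil {
		return false, err
	}
	return hdr.Get("Server") == "Microsoft-IIS/6.0" &&
		strings.Contains(hdr.Get("Allow"), "PROPFIND"), nil
}

// FakeServer is a constructed stand-in for a target: it answers with the given
// Server header and, for OPTIONS, the given Allow header, so the check can be
// exercised offline.
func FakeServer(server, allow string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Server", server)
		if r.Method == http.MethodOptions && allow != "" {
			w.Header().Set("Allow", allow)
		}
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	iis := FakeServer("Microsoft-IIS/6.0", "OPTIONS, TRACE, GET, HEAD, POST, PROPFIND")
	defer iis.Close()
	nginx := FakeServer("nginx", "")
	defer nginx.Close()

	s, err := NewScanner("", 5*time.Second)
	if err != nil {
		panic(err)
	}
	for _, t := range []string{iis.URL, nginx.URL} {
		ok, err := CheckWebDAVPropfind(s, t)
		fmt.Printf("%s vulnerable=%v err=%v\n", t, ok, err)
	}
}
```

Disabling keep-alives costs a TCP (and TLS) handshake per request, which is acceptable for a scanner that touches each host a handful of times; the part that cannot be skipped is closing the body, since an unread body keeps the connection and its goroutines alive regardless of the keep-alive setting.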
    
  • Is calling a specific plugin supported?

    Currently which plugins kunpeng runs is decided by the target in the task: target is matched against the target field of each plugin, and every plugin with the same target is invoked during a scan.

    Some scenarios need only one specific plugin, for example emergency response when a high-severity vulnerability appears. This can be done by setting target to a special value such as emergency, but when the PoC is later categorised, target has to be set back to the plugin's real category, which is an extra step.

    So I would like to ask whether kunpeng plans to load plugins by some unique identifier other than target, such as an id or a name.

  • fix go/struts2-045 plugin return error bug

    Error code position: https://github.com/opensec-cn/kunpeng/blob/master/plugin/go/struts2-045.go#L53-L54

    resp.RequestRaw should be assigned to result.Request rather than result.Response.

  • Bump github.com/gin-gonic/gin from 1.3.0 to 1.7.0

    Bumps github.com/gin-gonic/gin from 1.3.0 to 1.7.0.

    Release notes

    Sourced from github.com/gin-gonic/gin's releases.

    Release v1.7.0

    BUGFIXES

    • fix compile error from #2572 (#2600)
    • fix: print headers without Authorization header on broken pipe (#2528)
    • fix(tree): reassign fullpath when register new node (#2366)

    ENHANCEMENTS

    • Support params and exact routes without creating conflicts (#2663)
    • chore: improve render string performance (#2365)
    • Sync route tree to httprouter latest code (#2368)
    • chore: rename getQueryCache/getFormCache to initQueryCache/initFormCa (#2375)
    • chore(performance): improve countParams (#2378)
    • Remove some functions that have the same effect as the bytes package (#2387)
    • update:SetMode function (#2321)
    • remove a unused type SecureJSONPrefix (#2391)
    • Add a redirect sample for POST method (#2389)
    • Add CustomRecovery builtin middleware (#2322)
    • binding: avoid 2038 problem on 32-bit architectures (#2450)
    • Prevent panic in Context.GetQuery() when there is no Request (#2412)
    • Add GetUint and GetUint64 method on gin.context (#2487)
    • update content-disposition header to MIME-style (#2512)
    • reduce allocs and improve the render WriteString (#2508)
    • implement ".Unwrap() error" on Error type (#2525) (#2526)
    • Allow bind with a map[string]string (#2484)
    • chore: update tree (#2371)
    • Support binding for slice/array obj [Rewrite] (#2302)
    • basic auth: fix timing oracle (#2609)
    • Add mixed param and non-param paths (port of httprouter#329) (#2663)
    • feat(engine): add trustedproxies and remoteIP (#2632)

    Improve performance

    ENHANCEMENTS

    • Improve performance: Change *sync.RWMutex to sync.RWMutex in context. #2351

    release v1.6.2

    Release Notes

    • BUGFIXES
      • fix missing initial sync.RWMutex (#2305)
    • ENHANCEMENTS
      • Add set samesite in cookie. (#2306)


    release v1.6.1

    ... (truncated)



    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



  • The code does not build: FSMustByte / FS undefined

    # github.com/opensec-cn/kunpeng/plugin/json
    plugin/json/init.go:39:17: undefined: FSMustByte
    plugin/json/init.go:60:12: undefined: FS
    

    I pulled the code from the master branch