Vulmap 是一款 web 漏洞扫描和验证工具, 可对 webapps 进行漏洞扫描, 并且具备漏洞利用功能

[email protected]:~/tools/vulmap# python3 vulmap.py -u https://paypal.com Traceback (most recent call last): File "vulmap.py", line 8, in from gevent import monkey;monkey.patch_all() File "/usr/local/lib/python3.6/dist-packages/gevent/monkey.py", line 1214, in patch_all _notify_patch(events.GeventWillPatchAllEvent(modules_to_patch, kwargs), _warnings) File "/usr/local/lib/python3.6/dist-packages/gevent/monkey.py", line 185, in _notify_patch notify_and_call_entry_points(event) File "/usr/local/lib/python3.6/dist-packages/gevent/events.py", line 104, in notify_and_call_entry_points subscriber = plugin.load() File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 2323, in load self.require(*args, **kwargs) File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 2346, in require items = working_set.resolve(reqs, env, installer, extras=self.extras) File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 783, in resolve raise VersionConflict(dist, req).with_context(dependent_req) pkg_resources.VersionConflict: (psutil 5.6.7 (/usr/local/lib/python3.6/dist-packages), Requirement.parse('psutil>=5.7.0; sys_platform != "win32" or platform_python_implementation == "CPython" and extra == "monitor"')) [email protected]:~/tools/vulmap

pip install -r requirement.txt 报错， python-3.9

Building wheels for collected packages: lxml                                                                                                                                             [1444/11751]  Building wheel for lxml (setup.py) ... error                                                                                                                                                         ERROR: Command errored out with exit status 1:
   command: /usr/local/bin/python -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-iq38rq57/lxml/setup.py'"'"'; __file__='"'"'/tmp/pip-install-iq38rq57/lxml/setup.py'"'"
';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-ad3_
9cqe
       cwd: /tmp/pip-install-iq38rq57/lxml/
  Complete output (731 lines):
  Building lxml version 4.3.2.
  Building without Cython.
  Using build configuration of libxslt 1.1.32
  running bdist_wheel
  running build
  running build_py
  creating build
  creating build/lib.linux-x86_64-3.9
  creating build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/usedoctest.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/sax.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/builder.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/cssselect.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/pyclasslookup.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/_elementpath.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/doctestcompare.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/__init__.py -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/ElementInclude.py -> build/lib.linux-x86_64-3.9/lxml
  creating build/lib.linux-x86_64-3.9/lxml/includes
  copying src/lxml/includes/__init__.py -> build/lib.linux-x86_64-3.9/lxml/includes
  creating build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/diff.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/usedoctest.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/defs.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/_diffcommand.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/clean.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/_setmixin.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/builder.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/ElementSoup.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/soupparser.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/formfill.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/__init__.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/_html5builder.py -> build/lib.linux-x86_64-3.9/lxml/html
  copying src/lxml/html/html5parser.py -> build/lib.linux-x86_64-3.9/lxml/html
  creating build/lib.linux-x86_64-3.9/lxml/isoschematron
  copying src/lxml/isoschematron/__init__.py -> build/lib.linux-x86_64-3.9/lxml/isoschematron
  copying src/lxml/etree.h -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/etree_api.h -> build/lib.linux-x86_64-3.9/lxml
  copying src/lxml/lxml.etree.h -> build/lib.linux-x86_64-3.9/lxml

py -3 vulmap.py --help __ [ | _ __ __ _ | | _ .--..--. ,--. _ .--. [ \ [ ][ | | | | | [ .-. .-. |'\ :[ '/'`\
\ / / | _/ |, | | | | | | | | // | |,| _/ | _/ '.__.'/[___][___||__||__]'-;/| ;._/ [__| usage: python3 vulmap [options]

target: you must to specify target

-u URL, --url URL target URL (e.g. -u "http://example.com") -f FILE, --file FILE select a target list file (e.g. -f "list.txt") --fofa keyword call fofa api to scan (e.g. --fofa "app=Apache-Shiro") --shodan keyword call shodan api to scan (e.g. --shodan "Shiro")

mode: options vulnerability scanning or exploit mode

-a APP [APP ...] specify webapps (e.g. -a "tomcat") allow multiple

general: general options

-h, --help show this help message and exit -t NUM, --thread NUM number of scanning function threads, default 10 threads --dnslog server dnslog server (hyuga,dnslog,ceye) default automatic --output-text file result export txt file (e.g. "result.txt") --output-json file result export json file (e.g. "result.json") --proxy-socks SOCKS socks proxy (e.g. --proxy-socks 127.0.0.1:1080) --proxy-http HTTP http proxy (e.g. --proxy-http 127.0.0.1:8080) --fofa-size SIZE fofa query target number, default 100 (1-10000) --user-agent UA you can customize the user-agent headers --delay DELAY delay check time, default 0s --timeout TIMEOUT scan timeout time, default 10s --list display the list of supported vulnerabilities --debug exp echo request and responses, poc echo vuln lists --check survival check (on and off), default on

support: types of vulnerability scanning: all, activemq, flink, shiro, solr, struts2, tomcat, unomi, drupal elasticsearch, fastjson, jenkins, laravel, nexus, weblogic, jboss spring, thinkphp, druid, exchange, nodejs, saltstack, vmware bigip, ofbiz, coremail, ecology, eyou, qianxin, ruijie

examples: python3 vulmap.py -u http://example.com python3 vulmap.py -u http://example.com -a struts2 python3 vulmap.py -f list.txt -a weblogic -t 20 python3 vulmap.py -f list.txt --output-json results.json python3 vulmap.py --fofa "app=Apache-Shiro"

执行 python3 vulmap.py -u http://192.168.31.97:8080/

报： [09:56:52] [INFO] Currently the latest version: 0.7 [09:57:04] [INFO] Start scanning target: http://192.168.31.97:8080/ [09:57:17] [INFO] Unable to identify target, Run all pocs [09:57:51] [INFO] Scan completed and ended

无法识别是怎么回事，我的python版本是3.6.8的，有关系吗

其中poc使用echo + md5的payload检测。当页面中返回这些值的时候判断漏洞存在，会导致一些组件误报。测试代码：

<?php
echo 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
echo file_get_contents("php://input");
?>

误报情况：

命令执行用expr或者set等命令误报会更低

代码执行直接计算md5误报率更低，echo md5("xxx");

我的目标有 s2-045 漏洞。

注意以下 debug 信息中此行 [INFO] Start scanning target: http://192.168.200.132:8080/struts2-showcase 程序中 url 最后的 / 被丢弃了。所以检测不出来。

将数据包用 burp 重新发送

self.headers2 = {
            'User-Agent': self.ua,
            'Content-Type': self.payload_s2_045.replace("RECOMMAND", cmd)
        }
        try:
            self.req= requests.get(self.url, headers=self.headers1, timeout=self.timeout, verify=False)
            if r"54289" in self.request.headers['FUCK']:

self.req 应该为self.request

The POC check for CVE-2020-2555 and CVE-2020-2883 is only checking on the weblogic version number not if the target is actually vulnerable.

So even with the latest patches or giop/t3 disabled the poc scan shows that the target is vulnable.

ERROR: Command errored out with exit status 1:
   command: /usr/bin/python3 /usr/local/lib/python3.6/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-jzgza5un/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i http://mirrors.tencentyun.com/pypi/simple --trusted-host mirrors.tencentyun.com -- 'setuptools >= 40.8.0' wheel 'Cython >= 3.0a5' 'cffi >= 1.12.3 ; platform_python_implementation == '"'"'CPython'"'"'' 'greenlet >= 0.4.17, < 2.0 ; platform_python_implementation == '"'"'CPython'"'"''
       cwd: None
  Complete output (31 lines):
  Traceback (most recent call last):
    File "/usr/lib64/python3.6/runpy.py", line 193, in _run_module_as_main
      "__main__", mod_spec)
    File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
      exec(code, run_globals)
    File "/usr/local/lib/python3.6/site-packages/pip/__main__.py", line 26, in <module>
      sys.exit(_main())
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/cli/main.py", line 73, in main
      command = create_command(cmd_name, isolated=("--isolated" in cmd_args))
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/commands/__init__.py", line 105, in create_command
      module = importlib.import_module(module_path)
    File "/usr/lib64/python3.6/importlib/__init__.py", line 126, in import_module
      return _bootstrap._gcd_import(name[level:], package, level)
    File "<frozen importlib._bootstrap>", line 994, in _gcd_import
    File "<frozen importlib._bootstrap>", line 971, in _find_and_load
    File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
    File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
    File "<frozen importlib._bootstrap_external>", line 678, in exec_module
    File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/commands/install.py", line 17, in <module>
      from pip._internal.cli.req_command import RequirementCommand, with_cleanup
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/cli/req_command.py", line 23, in <module>
      from pip._internal.req.constructors import (
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/req/__init__.py", line 10, in <module>
      from .req_install import InstallRequirement
    File "/usr/local/lib/python3.6/site-packages/pip/_internal/req/req_install.py", line 10, in <module>
      import uuid
    File "/usr/local/lib/python3.6/site-packages/uuid.py", line 138
      if not 0 <= time_low < 1<<32L:
                                  ^
  SyntaxError: invalid syntax
  ----------------------------------------
ERROR: Command errored out with exit status 1: /usr/bin/python3 /usr/local/lib/python3.6/site-packages/pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-jzgza5un/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i http://mirrors.tencentyun.com/pypi/simple --trusted-host mirrors.tencentyun.com -- 'setuptools >= 40.8.0' wheel 'Cython >= 3.0a5' 'cffi >= 1.12.3 ; platform_python_implementation == '"'"'CPython'"'"'' 'greenlet >= 0.4.17, < 2.0 ; platform_python_implementation == '"'"'CPython'"'"'' Check the logs for full command output.

centosx64 用kali pip3 安装不会报错，但是运行项目的时候：

frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject

执行程序报错，0.2版本和0.1版本都有这个错误

Traceback (most recent call last):
  File "vulmap.py", line 7609, in <module>
    cmdlineparser(sys.argv)
  File "vulmap.py", line 7568, in cmdlineparser
    Target.allvuln_url(args.url)
  File "vulmap.py", line 7337, in allvuln_url
    Start.allvulnscan(self)
  File "vulmap.py", line 7126, in allvulnscan
    Start.apache_solr(self)
  File "vulmap.py", line 7139, in apache_solr
    PocApacheSolr.cve_2019_0193()
  File "vulmap.py", line 331, in cve_2019_0193
    self.solrhost = self.hostname+":"+str(self.port)
TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

In the course of testing , I found that there are false positives in cve-2018-7602 . Please try using “python3 vulmap -u http://baidu.com” .In addition , can you write a python file for each vulnerability , just like your exphub project . Danke.

你好，使用代理了会抛出： Proxy URL had no scheme, should start with http:// or https:// 的错误，关了也一样，然后我是用了--proxy-http http://127.0.0.1又报错： ValueError: invalid literal for int() with base 10: '//127.0.0.1:10810'

 File "C:\Users\KC\Desktop\vulmap\vulmap.py", line 10, in <module>
    from module.allcheck import version_check
  File "C:\Users\KC\Desktop\vulmap\module\allcheck.py", line 4, in <module>
    import requests
  File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\__init__.py", line 58, in <module>
    from . import utils
  File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\utils.py", line 26, in <module>
    from .compat import parse_http_list as _parse_list_header
  File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\compat.py", line 7, in <module>
    from .packages import chardet
  File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\__init__.py", line 3, in <module>
    from . import urllib3
  File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\__init__.py", line 10, in <module>
    from .connectionpool import (
  File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\connectionpool.py", line 38, in <module>
    from .response import HTTPResponse
  File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\response.py", line 9, in <module>
    from ._collections import HTTPHeaderDict
  File "C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\site-packages\requests\packages\urllib3\_collections.py", line 1, in <module>
    from collections import Mapping, MutableMapping
ImportError: cannot import name 'Mapping' from 'collections' (C:\Users\KC\AppData\Local\Programs\Python\Python311\Lib\collections\__init__.py)