Vulmap – Web Vulnerability Scanning And Verification Tools
Vulmap is a vulnerability scanning tool that can scan for vulnerabilities in web containers, web servers, web middleware, CMSs and other web programs, and it also has vulnerability exploitation functions. Testers can use vulmap to detect whether a target has a specific vulnerability, and can use the exploitation function to verify whether the vulnerability actually exists.
Vulmap currently has a vulnerability scanning (poc) mode and an exploiting (exp) mode. Use "-m" to select the mode; poc mode is the default. In poc mode it also supports "-f" batch target scanning, "-o" output of results to a file and other main functions (see the Options section below, or run python3 vulmap.py -h). In exp mode the poc check is no longer performed: the exploit is carried out directly, and the exploit result is fed back to further verify whether the vulnerability exists and whether it can be exploited.
Try to use "-a" to specify the target type to reduce false positives, such as "-a solr".
Installation
The operating system must have python3; python 3.7 or higher is recommended.
- Installation dependency
pip3 install -r requirements.txt
- Linux & MacOS & Windows
python3 vulmap.py -u http://example.com
Options
optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target URL (e.g. -u "http://example.com")
  -f FILE, --file FILE  Select a target list file; the URLs must be separated by lines, one URL per line (e.g. -f "/home/user/list.txt")
  -m MODE, --mode MODE  The mode supports "poc" and "exp"; you can omit this option and enter poc mode by default
  -a APP, --app APP     Specify a web app or cms (e.g. -a "weblogic"). default: scan all
  -c CMD, --cmd CMD     Custom RCE vuln command; commands other than "netstat -an" and "id" can affect program judgment. default is "netstat -an"
  -v VULN, --vuln VULN  Exploit, specify the vuln number (e.g. -v "CVE-2020-2729")
  --list                Displays a list of vulnerabilities that support scanning
  --debug               Debug mode, echo requests and responses
  --delay DELAY         Delay check time, default 0s
  --timeout TIMEOUT     Scan timeout time, default 10s
  --output FILE         Text mode export (e.g. -o "result.txt")
Examples
Test all vulnerabilities in poc mode
python3 vulmap.py -u http://example.com
For RCE vulns, use the "id" command to test the vuln, because some Linux systems do not have the "netstat -an" command
python3 vulmap.py -u http://example.com -c "id"
Check http://example.com for struts2 vulns
python3 vulmap.py -u http://example.com -a struts2
python3 vulmap.py -u http://example.com -m poc -a struts2
Exploit the CVE-2019-2729 vuln of WebLogic on http://example.com:7001
python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729
python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729
Batch scan URLs in list.txt
python3 vulmap.py -f list.txt
Export scan results to result.txt
python3 vulmap.py -u http://example.com:7001 -o result.txt
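The batch workflow above (a one-URL-per-line list for -f, poc mode, -a to narrow the target type, -c limited to the two commands vulmap can judge, -o for results) as an added Python example. This is not vulmap's own code: the helper names (normalize_target, build_target_list, build_poc_argv, run_poc_scan) are hypothetical, the inventory lines are constructed, and the only assumptions made about vulmap are the options documented in this README. It turns a raw host inventory into a normalized, deduplicated list file and composes a poc-mode command line, rejecting inputs that would silently produce a useless scan.

```python
"""Prepare a vulmap poc-mode batch scan from a raw host inventory.

Added example, not part of vulmap. Helper names are hypothetical; the only
assumptions about vulmap are the options documented in its README
(-f with one URL per line, -m poc, -a, -c, --timeout, --delay, -o).
"""
import subprocess
from pathlib import Path
from typing import Iterable, List, Optional
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
# The README says only these two RCE check commands are judged reliably;
# any other value can break vulmap's interpretation of the result.
KNOWN_RCE_CMDS = {"netstat -an", "id"}


def normalize_target(raw: str) -> Optional[str]:
    """Canonicalise one inventory line into an http(s) URL, or None to skip it.

    Lowercases scheme and host, drops a default port and any query/fragment so
    duplicates collapse; a bare host[:port] gets http://; comments, blank lines,
    non-http schemes and unparsable ports are rejected.
    """
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    if "://" not in line:
        line = "http://" + line
    parts = urlsplit(line)
    scheme = parts.scheme.lower()
    try:
        host, port = parts.hostname, parts.port  # .port raises on a non-numeric port
    except ValueError:
        return None
    if scheme not in ALLOWED_SCHEMES or not host:
        return None
    host = f"[{host}]" if ":" in host else host  # keep IPv6 literals bracketed
    default_port = 80 if scheme == "http" else 443
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = "" if parts.path == "/" else parts.path
    return urlunsplit((scheme, netloc, path, "", ""))


def build_target_list(raw_lines: Iterable[str]) -> List[str]:
    """Deduplicate normalised targets, preserving inventory order."""
    targets: List[str] = []
    for raw in raw_lines:
        url = normalize_target(raw)
        if url is not None and url not in targets:
            targets.append(url)
    return targets


def write_target_list(raw_lines: Iterable[str], dest: Path) -> List[str]:
    """Write the list file in the format vulmap -f expects: one URL per line."""
    targets = build_target_list(raw_lines)
    dest.write_text("\n".join(targets) + "\n", encoding="utf-8")
    return targets


def build_poc_argv(list_file, output_file, app: Optional[str] = None,
                   rce_cmd: str = "netstat -an", timeout: int = 10,
                   delay: int = 0, vulmap_py: str = "vulmap.py") -> List[str]:
    """Compose the vulmap command line for a poc-mode scan of the list file.

    poc mode only checks whether a vulnerability is present, which is what a
    patch-verification run across an inventory needs; exp mode is not exposed here.
    """
    if rce_cmd not in KNOWN_RCE_CMDS:
        raise ValueError(f"unsupported RCE check command: {rce_cmd!r}")
    if timeout <= 0 or delay < 0:
        raise ValueError("timeout must be > 0 and delay >= 0")
    argv = ["python3", vulmap_py, "-f", str(list_file), "-m", "poc",
            "-c", rce_cmd, "--timeout", str(timeout), "--delay", str(delay),
            "-o", str(output_file)]
    if app:
        argv += ["-a", app]  # narrows the check set, which reduces false positives
    return argv


def run_poc_scan(raw_targets: Iterable[str], workdir: Path, **opts) -> subprocess.CompletedProcess:
    """Write list.txt under workdir and invoke vulmap (needs a vulmap checkout)."""
    workdir.mkdir(parents=True, exist_ok=True)
    list_file = workdir / "list.txt"
    write_target_list(raw_targets, list_file)
    return subprocess.run(build_poc_argv(list_file, workdir / "result.txt", **opts), check=False)


# Constructed sample inventory; documentation hosts only, not real targets.
SAMPLE_INVENTORY = [
    "# lab hosts in scope",
    "HTTP://Example.COM:80/",
    "http://example.com",
    "https://example.com:7001/console/",
    "ftp://example.com/",
    "example.net:8080",
    "http://example.org:notaport",
    "",
]

if __name__ == "__main__":
    for url in build_target_list(SAMPLE_INVENTORY):
        print(url)
    print(" ".join(build_poc_argv("list.txt", "result.txt", app="weblogic")))
```

Run as a script it prints the three surviving targets (the first two inventory lines collapse into one, the ftp line and the bad port are dropped) and the poc-mode command line; run_poc_scan does the same and then executes vulmap, so it only works from a directory containing vulmap.py.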
Vulnerabilities List
The vulnerabilities supported by Vulmap are as follows
+-------------------+------------------+-----+-----+-------------------------------------------------------------+
| Target type       | Vuln Name        | Poc | Exp | Impact Version && Vulnerability description                 |
+-------------------+------------------+-----+-----+-------------------------------------------------------------+
| Apache Shiro      | CVE-2016-4437    | Y   | Y   | <= 1.2.4, shiro-550, rememberme deserialization rce         |
| Apache Solr       | CVE-2017-12629   | Y   | Y   | < 7.1.0, runexecutablelistener rce & xxe, only rce is here  |
| Apache Solr       | CVE-2019-0193    | Y   | N   | < 8.2.0, dataimporthandler module remote code execution     |
| Apache Solr       | CVE-2019-17558   | Y   | Y   | 5.0.0 - 8.3.1, velocity response writer rce                 |
| Apache Struts2    | S2-005           | Y   | Y   | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce   |
| Apache Struts2    | S2-008           | Y   | Y   | 2.0.0 - 2.3.17, debugging interceptor rce                   |
| Apache Struts2    | S2-009           | Y   | Y   | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce         |
| Apache Struts2    | S2-013           | Y   | Y   | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce        |
| Apache Struts2    | S2-015           | Y   | Y   | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce        |
| Apache Struts2    | S2-016           | Y   | Y   | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce          |
| Apache Struts2    | S2-029           | Y   | Y   | 2.0.0 - 2.3.24.1, ognl interpreter rce                      |
| Apache Struts2    | S2-032           | Y   | Y   | 2.3.20-28, cve-2016-3081 rce can be performed via method    |
| Apache Struts2    | S2-045           | Y   | Y   | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
| Apache Struts2    | S2-046           | Y   | Y   | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
| Apache Struts2    | S2-048           | Y   | Y   | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce             |
| Apache Struts2    | S2-052           | Y   | Y   | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce  |
| Apache Struts2    | S2-057           | Y   | Y   | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce  |
| Apache Struts2    | S2-059           | Y   | Y   | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce           |
| Apache Struts2    | S2-devMode       | Y   | Y   | 2.1.0 - 2.5.1, devmode remote code execution                |
| Apache Tomcat     | Examples File    | Y   | N   | all version, /examples/servlets/servlet/SessionExample      |
| Apache Tomcat     | CVE-2017-12615   | Y   | Y   | 7.0.0 - 7.0.81, put method any files upload                 |
| Apache Tomcat     | CVE-2020-1938    | Y   | Y   | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read  |
| Drupal            | CVE-2018-7600    | Y   | Y   | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution          |
| Drupal            | CVE-2018-7602    | Y   | Y   | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce            |
| Drupal            | CVE-2019-6340    | Y   | Y   | < 8.6.10, drupal core restful remote code execution         |
| Jenkins           | CVE-2017-1000353 | Y   | N   | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution    |
| Jenkins           | CVE-2018-1000861 | Y   | Y   | <= 2.153, LTS <= 2.138.3, remote code execution             |
| Nexus OSS/Pro     | CVE-2019-7238    | Y   | Y   | 3.6.2 - 3.14.0, remote code execution vulnerability         |
| Nexus OSS/Pro     | CVE-2020-10199   | Y   | Y   | 3.x <= 3.21.1, remote code execution vulnerability          |
| Oracle Weblogic   | CVE-2014-4210    | Y   | N   | 10.0.2 - 10.3.6, weblogic ssrf vulnerability                |
| Oracle Weblogic   | CVE-2017-3506    | Y   | Y   | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce       |
| Oracle Weblogic   | CVE-2017-10271   | Y   | Y   | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce       |
| Oracle Weblogic   | CVE-2018-2894    | Y   | Y   | 12.1.3.0, 12.2.1.2-3, deserialization any file upload       |
| Oracle Weblogic   | CVE-2019-2725    | Y   | Y   | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |
| Oracle Weblogic   | CVE-2019-2729    | Y   | Y   | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |
| Oracle Weblogic   | CVE-2020-2551    | Y   | N   | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |
| Oracle Weblogic   | CVE-2020-2555    | Y   | Y   | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce  |
| Oracle Weblogic   | CVE-2020-2883    | Y   | Y   | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |
| Oracle Weblogic   | CVE-2020-14882   | Y   | Y   | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce     |
| RedHat JBoss      | CVE-2010-0738    | Y   | Y   | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |
| RedHat JBoss      | CVE-2010-1428    | Y   | Y   | 4.2.0 - 4.3.0, web-console deserialization any files upload |
| RedHat JBoss      | CVE-2015-7501    | Y   | Y   | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |
| ThinkPHP          | CVE-2019-9082    | Y   | Y   | < 3.2.4, thinkphp rememberme deserialization rce            |
| ThinkPHP          | CVE-2018-20062   | Y   | Y   | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce  |
+-------------------+------------------+-----+-----+-------------------------------------------------------------+
Docker
docker build -t vulmap/vulmap .
docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com