Vulcat Versions Save

vulcat scans web applications for common vulnerabilities tracked under CVE, CNVD and other identifiers; when a vulnerability is found it returns the payload information. Some vulnerabilities also support a command-line interactive mode so the finding can be exercised repeatedly.

v2.0.0

2023.03.15 vulcat-v2.0.0

  • Rewrote part of vulcat's core code:
  1. vulcat second generation; the initial version number is v2.0.0
  2. Removed the -a/--application option; its functionality is merged into -v/--vuln (click here for an example)
  3. POCs are now plug-ins (plug and play): you can easily write your own POC and use it in vulcat (click here for an example)
  • New POCs:
  1. 74cms v5.0.1 front-end AjaxPersonalController.class.php SQL injection (no ID assigned)
  2. 74cms v6.0.4 help-center search box XSS (no ID assigned)
  3. VMware vCenter 6.5 arbitrary file read, 2020 (no ID assigned)
  4. VMware vSphere Client remote code execution (CVE-2021-21972)

v1.2.0

2023.03.01 vulcat-v1.2.0

  • New POCs:
  1. Fastjson <= 1.2.62 deserialization (no ID assigned)
  2. Fastjson <= 1.2.66 deserialization (no ID assigned)
  3. GoCD Business Continuity arbitrary file read (CVE-2021-43287) (see reproduction)
  4. JBoss unauthorized access (no ID assigned) (see reproduction)
  5. Jenkins unauthorized access (no ID assigned) (see reproduction)
  6. Joomla 3.7 Core com_fields component SQL injection (CVE-2017-8917) (see reproduction)
  7. Joomla 4 unauthorized access (CVE-2023-23752) (see reproduction)
  8. WebLogic LDAP remote code execution (CVE-2021-2109) (see reproduction)
  • Added DNSLOG platform support: http://dnslog.pw/ (see the documentation to configure the dnslog.pw platform and use it)

  • Other optimizations

  • Fixed some bugs (thanks to Teicu)

v1.1.9

2023.02.10 vulcat-v1.1.9

  • Rewrote and optimized all POCs

vulcat-v1.1.8

2023.01.20 vulcat-v1.1.8

  1. Updated the -o/--output parameter: reports can now be exported in three formats (.html/.json/.txt), e.g. "python vulcat.py -u http://xxx.com/ -o html" (click here for a demo)

  2. vulcat is now configured through config.yaml; there you can set vulcat's language, the ceye.io domain and token, the default HTTP headers, and more (click here for an introduction)

  • The -x/--exp parameter is replaced by --shell; the functionality is unchanged

  • Removed the --output-json and --output-text parameters

  • Optimized some POCs

vulcat-v1.1.7

2022.12.15 vulcat-v1.1.7

  • New POCs:
  1. Apache Druid remote code execution (CVE-2021-25646) (click here for an example)
  2. Apache Druid arbitrary file read (CVE-2021-36749) (click here for an example)
  3. Apache Unomi remote expression-language code execution (CVE-2020-13942)
  4. ThinkPHP multi-language module ("think-lang") command execution (CNVD-2022-86535) (click here for an example)

vulcat-v1.1.6

2022.11.25 vulcat-v1.1.6

  • New POCs:
  1. Zabbix "latest.php or jsrpc.php" SQL injection (CVE-2016-10134)
  • Optimized the "vulcat/payloads" directory structure: POC files are split up to improve readability, as shown in the before/after screenshots below

  • Before (screenshot)

  • After (screenshot)

vulcat-v1.1.5

2022.11.10 vulcat-v1.1.5

  • Optimized some POCs

  • New POCs:

  1. Supervisord remote command execution (CVE-2017-11610)
  • Removed POCs:
  1. Removed all Apache Struts2 POCs
  • !!! New feature !!!
  1. Added the vulcat/lib/plugins/exploit.py file. Some vulnerabilities now support Exp; use the --list parameter to see the list of vulnerabilities that support Exp. Usage examples: https://github.com/CLincat/clincat.github.io/tree/main/vulcat/lib/plugins/exploit (Chinese version: https://github.com/CLincat/clincat.github.io/blob/main/vulcat/lib/plugins/exploit/README.zh-cn.md)

vulcat-v1.1.4

2022.10.10 vulcat-v1.1.4

  • New POCs:
  1. Apache SkyWalking SQL injection (CVE-2020-9483)
  2. Solr remote command execution (CVE-2017-12629)
  3. Solr Velocity custom template injection remote command execution (CVE-2019-17558)
  4. phpMyAdmin Scripts/setup.php deserialization (WooYun-2016-199433)
  5. phpMyAdmin 4.8.1 remote file inclusion (CVE-2018-12613)
  6. PHPUnit remote code execution (CVE-2017-9841)
  7. Spring Security OAuth2 remote command execution (CVE-2016-4977)
  8. Spring Data REST remote command execution (CVE-2017-8046)
  9. Spring Data Commons remote command execution (CVE-2018-1273)
  • New features:
  1. --list now supports English: run "python vulcat.py --list" to view the vulnerability list in English (vulcat's default language is now English; edit the file vulcat/lib/initial/language.py to switch languages)

vulcat-v1.1.3

2022.09.05 vulcat-v1.1.3

  • New POCs:
  1. Apache httpd 2.4.48 mod_proxy SSRF (CVE-2021-40438)
  2. Apache httpd 2.4.49 path traversal (CVE-2021-41773)
  3. Apache HTTP Server 2.4.50 path traversal (CVE-2021-42013)
  4. InfluxDB unauthorized access (no ID assigned)
  5. Jetty ambiguous-path information disclosure (CVE-2021-28164)
  6. Jetty Utility Servlets ConcatServlet double-decoding information disclosure (CVE-2021-28169)
  7. Jetty ambiguous-path information disclosure (CVE-2021-34429)
  8. Jupyter unauthorized access (no ID assigned)
  9. mini_httpd arbitrary file read (CVE-2018-18778)
  10. Nexus Repository Manager 3 remote command execution (CVE-2019-7238)
  11. Nexus Repository Manager 3 remote command execution (CVE-2020-10199)
  12. Nexus Repository Manager 3 remote command execution (CVE-2020-10204)
  13. Nexus Repository Manager 2 yum plugin remote command execution (CVE-2019-5475)
  14. Nexus Repository Manager 2 yum plugin second remote command execution (CVE-2019-15588)
  • New parameters:
  --auth: add an Authorization header (e.g. --auth "Basic YWRtaW46YWRtaW4=")
  --socks4-proxy: SOCKS4 proxy (e.g. --socks4-proxy 127.0.0.1:8080)
  --socks5-proxy: SOCKS5 proxy (e.g. --socks5-proxy 127.0.0.1:8080 or admin:<password>@127.0.0.1:8080)

  • Optimized some POCs

vulcat-v1.1.2

2022.08.05 vulcat-v1.1.2

New POCs:

  1. Apache Hadoop YARN ResourceManager unauthorized access (no ID assigned)
  2. Gitea 1.4.0 unauthorized access (no ID assigned)
  3. GitLab pre-auth remote command execution (CVE-2021-22205)
  4. GitLab CI Lint API unauthenticated SSRF (CVE-2021-22214)
  5. Grafana 8.x plugin module path traversal (CVE-2021-43798)
  6. Ruby on Rails path traversal (CVE-2018-3760)
  7. Ruby on Rails path traversal and arbitrary file read (CVE-2019-5418)
  8. Ruby on Rails command execution (CVE-2020-8163)
  9. Landray OA (蓝凌OA) arbitrary file read/SSRF (CNVD-2021-28277)
  10. Yonyou GRP-U8 Proxy SQL injection (CNNVD-201610-923)
  11. Yonyou U8 OA getSessionList.jsp sensitive information disclosure (no ID assigned)
  12. Yonyou U8 OA test.jsp SQL injection (no ID assigned)