Project author: foospidy

Project description:
A simple framework for sending test payloads for known web CVEs.
Language: Python
Repository: git://github.com/foospidy/web-cve-tests.git
Created: 2018-12-21T18:58:13Z
Project community: https://github.com/foospidy/web-cve-tests

License:


web-cve-tests


The goal of this tool is to send PoC payloads to verify server-side attack detection solutions (for example a WAF). If a payload is detected, the server side is expected to return the specified HTTP status code; each payload is then reported as passed or failed based on that code.

This tool is not intended to actually exploit the vulnerability or to test for the existence of the vulnerability.

Usage

Basic:

  ./webcve.py --url https://target-site.com

Specify detected response code (default is 403):

  ./webcve.py --url https://target-site.com --status-code 406

Verbose (output CVE descriptions):

  ./webcve.py --url https://target-site.com -v

Test a single CVE (with example output):

  ./webcve.py --url https://target-site.com --status-code 406 --cve CVE-2017-9791 -v
  CVE-2017-9791
  The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution
  via a malicious field value passed in a raw message to the ActionMessage.
  Test passed (406)
  Test passed (406)
  Test passed (406)
  Test passed (406)

Test for a group of CVEs. Groups are defined in groups.json.

  ./webcve.py --url https://target-site.com --group struts

Test for a group type of CVEs. Types are defined in groups.json.

  ./webcve.py --url https://target-site.com --type cms

List available groups or types:

  ./webcve.py --list group
  ./webcve.py --list type
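As an added example that is not part of web-cve-tests, the following Python reproduces the pass/fail check behind the tool's "Test passed (406)" lines: one request per payload, with the observed status compared against the configured detection code (the tool's --status-code, default 403). The payload marker, the query parameter name and the local mock detector are constructed stand-ins; the real tool loads its payloads from the per-CVE directories.

```python
"""Added example, not the project's own code: the status-code check that
web-cve-tests reports per payload, run offline against a constructed mock detector."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a PoC payload (the real tool loads these per CVE directory).
MARKER = "WEBCVE-TEST-MARKER"


def check_detection(url, expected_status, payload, timeout=5):
    """Send one payload as a query parameter and return (passed, observed_status).
    The check passes only when the detection layer answers with expected_status."""
    req = urllib.request.Request(f"{url}/?q={urllib.parse.quote(payload)}",
                                 headers={"User-Agent": "webcve-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # urllib raises on 4xx/5xx; the code is what we want
    return status == expected_status, status


class MockDetector(BaseHTTPRequestHandler):
    """Constructed stand-in for a WAF: 406 when the marker is present, else 200."""
    def do_GET(self):
        self.send_response(406 if MARKER in self.path else 200)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def run_suite(expected_status=406):
    """Start the mock detector, send one payload and one benign request, return results."""
    server = HTTPServer(("127.0.0.1", 0), MockDetector)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {"payload": check_detection(url, expected_status, MARKER),
                "benign": check_detection(url, expected_status, "hello")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (passed, status) in run_suite().items():
        print(f"{name}: {'Test passed' if passed else 'Test failed'} ({status})")
```

The benign request is deliberate: a detector that returns 406 for everything would also "pass" every payload, so a harmless request that must not be blocked belongs next to the payload checks.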

Contributions

Pull requests are welcome. Please use the existing CVE directories as examples of how you should structure your submission.