{"id":13538798,"url":"https://github.com/opensec-cn/kunpeng","last_synced_at":"2025-05-15T16:09:39.185Z","repository":{"id":40738781,"uuid":"164648115","full_name":"opensec-cn/kunpeng","owner":"opensec-cn","description":"kunpeng is an open-source POC framework/library written in Go, shipped as a dynamic library that can be called from many languages; with it you can quickly build vulnerability-detection systems.","archived":false,"fork":false,"pushed_at":"2023-02-25T00:56:58.000Z","size":14048,"stargazers_count":1677,"open_issues_count":25,"forks_count":319,"subscribers_count":55,"default_branch":"master","last_synced_at":"2025-03-31T20:11:15.133Z","etag":null,"topics":["poc-library","proof-of-concept","security-testing","security-vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opensec-cn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-01-08T12:50:42.000Z","updated_at":"2025-03-27T14:30:01.000Z","dependencies_parsed_at":"2024-01-13T23:01:35.323Z","dependency_job_id":"7e65c173-44e1-4944-9248-e29bcb6c2019","html_url":"https://github.com/opensec-cn/kunpeng","commit_stats":{"total_commits":155,"total_committers":15,"mean_commits":"10.333333333333334","dds":0.2967741935483871,"last_synced_commit":"22906a117527486d81a1896a5e7dc983e26ecebe"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensec-cn%2Fkunpeng","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensec-cn%2Fkunpeng/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensec-cn%2Fkunpeng/releases","manifests_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensec-cn%2Fkunpeng/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opensec-cn","download_url":"https://codeload.github.com/opensec-cn/kunpeng/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247730069,"owners_count":20986404,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["poc-library","proof-of-concept","security-testing","security-vulnerability"],"created_at":"2024-08-01T09:01:16.262Z","updated_at":"2025-04-07T21:15:19.033Z","avatar_url":"https://github.com/opensec-cn.png","language":"Go","funding_links":[],"categories":["LLM analysis process","Tools","Open source library","\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003eVulnerabilities\u0026\u0026vulnerability management\u0026\u0026vulnerability discovery/hunting\u0026\u0026vulnerability development\u0026\u0026exploitation\u0026\u0026Fuzzing","Go","Open source library","Go (531)"],"sub_categories":["Scanner","Security","\u003ca id=\"c0bec2b143739028ff4ec439e077aa63\"\u003e\u003c/a\u003eVulnerability scanning\u0026\u0026hunting\u0026\u0026discovery","Security"],"readme":"# Kunpeng\n\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg?style=flat-square)](https://github.com/opensec-cn/kunpeng/blob/master/LICENSE) [![Golang](https://img.shields.io/badge/Golang-1.10-yellow.svg?style=flat-square)](https://www.golang.org/)\n\n## Introduction\n\nKunpeng is an open-source POC detection framework written in Go. It bundles vulnerability POCs for databases, middleware, web components, CMSs and more ([see the list of included POCs](doc/plugin.md)) and can detect weak passwords, SQL injection, XSS, RCE and other vulnerability classes. It is shipped as a dynamic library that any language can call, so you can quickly build a vulnerability-detection system on top of it and find risky vulnerabilities one step ahead of attackers.\n\nThis is not yet another POC framework; it was designed to stop everyone reinventing that wheel, and it is more than a framework: the goal is a community-maintained vulnerability POC library, so security developers can focus on the business logic of their own detection systems instead of each maintaining a vulnerability library of their own.\n\n**To prevent misuse, every vulnerability included in this project is a verification POC or a theoretical judgement (version or fingerprint based). There is no exploitation step, and no real attack or exploit is launched against the target.**\n\nRuntime: Windows, Linux, Darwin  \nForm factor: dynamic library (so, dll, dylib, Go plugin)  \n\n## 404StarLink 2.0 - Galaxy\n![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)\n\nKunpeng is part of the 404Team [404StarLink 2.0](https://github.com/knownsec/404StarLink2.0-Galaxy) project. If you have questions about Kunpeng or want to talk to other users, see the StarLink project's community page for how to join the group.\n\n- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)\n\n## Features\n- Works out of the box; no dependencies to install\n- Cross-language: called as a dynamic library\n- Single file; to update, just overwrite it\n- Maintained by the open-source community, with POCs for common vulnerabilities built in\n- Minimal vulnerability verification and theoretical judgement, avoiding attack behaviour wherever possible\n\n## Use cases\nPenetration-testing helper: e.g. msf, interactive console -\u003e **Kunpeng**\n\nNetwork asset security monitoring: e.g. Xunfeng, port scan -\u003e fingerprinting -\u003e **kunpeng**, or nmap -\u003e **kunpeng**\n\nScanner: as the vulnerability library behind a scanner\n\nOther use cases are up to you.\n\n## Download\n\n[releases]\n\nIn the archive, kunpeng_go.so is the Go-only build; every other language uses kunpeng_c.so.\n\n## Usage\n\n```go\nExported API\n\n/*  Pass the target to check as JSON:\n    {\n        \"type\": \"web\", // target type: web or service\n        \"netloc\": \"http://xxx.com\", // target address: a URL for web; host:port for service, e.g. 123.123.123.123:22\n        \"target\": \"wordpress\", // target name, which selects the POCs to run: the string a Go plugin registered with (fuzzy match), a JSON plugin's target attribute (fuzzy match), a CVE id (e.g. CVE-xx-xxx) or a KPID (e.g. KP-0013); see /doc/plugin.md\n        \"meta\":{\n            \"system\": \"windows\",  // operating system; some checks differ between systems, so it is passed to the plugins\n            \"pathlist\":[], // list of directory URLs; some plugins need them, e.g. the directory-listing plugin\n            \"filelist\":[], // list of file URLs; some plugins need them, e.g. the Struts2 plugins\n            \"passlist\":[] // custom password dictionary\n        } // optional\n    }\n    Returns whether the target is vulnerable and the detection result\n*/\nCheck(taskJSON string) string\n\n// Get the plugin list\nGetPlugins() string\n\n\n/*  Set the configuration, passed as JSON:\n    {\n        \"timeout\": 15, // plugin connection timeout\n        \"aider\": \"http://123.123.123.123:8088\", // helper verification endpoint. Some vulnerabilities cannot be judged from the response alone and are confirmed through an out-of-band helper. python -c'import socket,base64;exec(base64.b64decode(\"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\"))'\nRun the code above on the helper machine (decode and review the script before running it) and fill in http://IP:8088; leave empty to disable.\n        \"http_proxy\": \"http://123.123.123.123:1080\", // HTTP proxy; all plugin HTTP traffic is sent through it (plugins must use the built-in util.RequestDo)\n        \"pass_list\": [\"passtest\"], // default password dictionary; if unset, the small dictionary hard-coded in the source is used\n        \"extra_plugin_path\": \"/tmp/plugin/\" // extra plugin directory (JSON plugins only) in addition to the compiled-in Go and JSON plugins; once set, the program periodically reloads plugins from it\n    }\n*/\nSetConfig(configJSON string)\n\n// Start the web API; afterwards checks can be submitted over HTTP. See /example/call_webapi_test.py for the request format\nStartWebServer(bindAddr string)\n\n// Enable log output (used in the Python example below)\nShowLog()\n\n// Get the current version, e.g. 20190227\nGetVersion() string\n```\n\n## Examples\nPython\n\n```python\n#coding:utf-8\n\nimport json\nfrom ctypes import *\n\n# Load the shared library\nkunpeng = cdll.LoadLibrary('./kunpeng_c.so')\n\n# Declare argument and return types; c_char_p carries bytes, so JSON is encoded before each call and decoded after it\nkunpeng.GetPlugins.restype = c_char_p\nkunpeng.Check.argtypes = [c_char_p]\nkunpeng.Check.restype = c_char_p\nkunpeng.SetConfig.argtypes = [c_char_p]\nkunpeng.GetVersion.restype = c_char_p\n\n# Plugin information\nout = kunpeng.GetPlugins()\nprint(out.decode('utf-8'))\n\n# Change the configuration\nconfig = {\n    'timeout': 10,\n    # 'aider': 'http://xxxx:8080',\n    # 'http_proxy': 'http://xxxxx:1080',\n    # 'pass_list': ['xtest'],\n    # 'extra_plugin_path': '/home/test/plugin/',\n}\nkunpeng.SetConfig(json.dumps(config).encode('utf-8'))\n\n# Enable log output\nkunpeng.ShowLog()\n\n# Scan targets\ntask = {\n    'type': 'web',\n    'netloc': 'http://www.google.cn',\n    'target': 'web'\n}\ntask2 = {\n    'type': 'service',\n    'netloc': '192.168.0.105:3306',\n    'target': 'mysql'\n}\nout = kunpeng.Check(json.dumps(task).encode('utf-8'))\nprint(json.loads(out.decode('utf-8')))\nout = kunpeng.Check(json.dumps(task2).encode('utf-8'))\nprint(json.loads(out.decode('utf-8')))\n```\n\nMore examples are in the [example] directory, which currently has callers in Python, Go, Node.js, Lua and Java; examples in further languages are welcome.\n\n## Plugin development\nTwo kinds of plugin are supported, Go and JSON; most vulnerabilities can be verified with a JSON plugin. They live in plugin/go/ and plugin/json/ respectively.\n\n- Go plugin example 1\n\n```go\n// the package must be named goplugin\npackage goplugin\n\n// import the plugin package\nimport (\n\t\"fmt\"\n\n\t\"github.com/go-redis/redis\"\n\t\"github.com/opensec-cn/kunpeng/plugin\"\n)\n\n// plugin struct; the info and result fields are required\ntype redisWeakPass struct {\n\tinfo   plugin.Plugin   // plugin information\n\tresult []plugin.Plugin // result set; a plugin may return several findings\n}\n\nfunc init() {\n\t// register the plugin under its target name\n\tplugin.Regist(\"redis\", \u0026redisWeakPass{})\n}\n\nfunc (d *redisWeakPass) Init() plugin.Plugin {\n\td.info = plugin.Plugin{\n\t\tName:    \"Redis unauthorized access / weak password\", // plugin name\n\t\tRemarks: \"Leaks sensitive data; in the worst case the server is fully compromised.\", // vulnerability description\n\t\tLevel:   0, // severity {0: critical, 1: high, 2: medium, 3: low, 4: info}\n\t\tType:    \"WEAKPASS\", // vulnerability type, free-form\n\t\tAuthor:  \"wolf\", // plugin author\n\t\tReferences: plugin.References{\n\t\t\tURL:  \"https://www.freebuf.com/vuls/162035.html\", // related article\n\t\t\tCVE:  \"\", // CVE id; leave empty or omit if there is none\n\t\t\tKPID: \"KP-0008\", // kunpeng POC id, an incrementing number\n\t\t},\n\t}\n\treturn d.info\n}\n\nfunc (d *redisWeakPass) GetResult() []plugin.Plugin {\n\tvar result = d.result\n\td.result = []plugin.Plugin{}\n\treturn result\n}\n\nfunc (d *redisWeakPass) Check(netloc string, meta plugin.TaskMeta) bool {\n\tfor _, pass := range meta.PassList {\n\t\tclient := redis.NewClient(\u0026redis.Options{\n\t\t\tAddr:     netloc,\n\t\t\tPassword: pass,\n\t\t\tDB:       0,\n\t\t})\n\t\t_, err := client.Ping().Result()\n\t\tclient.Close() // close the connection whether or not the attempt succeeded\n\t\tif err == nil {\n\t\t\tresult := d.info\n\t\t\tresult.Request = fmt.Sprintf(\"redis://%s@%s\", pass, netloc)\n\t\t\tif pass == \"\" {\n\t\t\t\tresult.Remarks = fmt.Sprintf(\"Unauthorized access. %s\", result.Remarks)\n\t\t\t} else {\n\t\t\t\tresult.Remarks = fmt.Sprintf(\"Weak password: %s. %s\", pass, result.Remarks)\n\t\t\t}\n\t\t\td.result = append(d.result, result)\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n```\n\n- Go plugin example 2\n\n```go\npackage goplugin\n\nimport (\n\t\"net/http\"\n\t\"strings\"\n\n\t\"github.com/opensec-cn/kunpeng/plugin\"\n\t\"github.com/opensec-cn/kunpeng/util\"\n)\n\ntype webDavRCE struct {\n\tinfo   plugin.Plugin\n\tresult []plugin.Plugin\n}\n\nfunc init() {\n\tplugin.Regist(\"iis\", \u0026webDavRCE{})\n}\n\nfunc (d *webDavRCE) Init() plugin.Plugin {\n\td.info = plugin.Plugin{\n\t\tName:    \"WebDav PROPFIND RCE (theoretical detection)\",\n\t\tRemarks: \"CVE-2017-7269: buffer overflow in the ScStoragePathFromUrl function of the WebDAV service in IIS 6.0 on Windows Server 2003 R2\",\n\t\tLevel:   1,\n\t\tType:    \"RCE\",\n\t\tAuthor:  \"wolf\",\n\t\tReferences: plugin.References{\n\t\t\tURL:  \"https://www.seebug.org/vuldb/ssvid-92834\",\n\t\t\tCVE:  \"CVE-2017-7269\",\n\t\t\tKPID: \"KP-0009\",\n\t\t},\n\t}\n\treturn d.info\n}\n\nfunc (d *webDavRCE) GetResult() []plugin.Plugin {\n\tvar result = d.result\n\td.result = []plugin.Plugin{}\n\treturn result\n}\n\n// Theoretical check: the vulnerable version is inferred from the Server header plus WebDAV\n// being enabled (PROPFIND listed in Allow); the overflow itself is never triggered.\nfunc (d *webDavRCE) Check(URL string, meta plugin.TaskMeta) bool {\n\trequest, err := http.NewRequest(\"OPTIONS\", URL, nil)\n\tif err != nil {\n\t\treturn false\n\t}\n\t// send the request through the framework's RequestDo wrapper so the proxy setting is honoured\n\tresp, err := util.RequestDo(request, true)\n\tif err != nil {\n\t\treturn false\n\t}\n\tif resp.Other.Header.Get(\"Server\") == \"Microsoft-IIS/6.0\" \u0026\u0026 strings.Contains(resp.Other.Header.Get(\"Allow\"), \"PROPFIND\") {\n\t\tresult := d.info\n\t\tresult.Response = resp.ResponseRaw\n\t\tresult.Request = resp.RequestRaw\n\t\td.result = append(d.result, result)\n\t\treturn true\n\t}\n\treturn false\n}\n```\n\n- JSON plugin example\n\n```javascript\n{\n    \"//\": \"comments are written the Google way, as // keys\",\n    \"//\": \"name of the application the plugin targets, free-form\",\n    \"target\": \"wordpress\",\n    \"meta\":{\n        \"//\": \"plugin name\",\n        \"name\": \"WordPress example.html jQuery DomXSS\",\n        \"//\": \"vulnerability description\",\n        \"remarks\": \"WordPress example.html ships jQuery 1.7.2, which has a DOM XSS\",\n        \"//\": \"severity {0: critical, 1: high, 2: medium, 3: low, 4: info}\",\n        \"level\":   3,\n        \"//\": \"vulnerability type, free-form\",\n        \"type\":    \"XSS\",\n        \"//\": \"plugin author\",\n        \"author\":  \"wolf\",\n        \"references\": {\n            \"//\": \"related article\",\n            \"url\":\"https://www.seebug.org/vuldb/ssvid-89179\",\n            \"//\": \"CVE id; leave empty if there is none\",\n            \"cve\":\"\",\n            \"//\": \"kunpeng POC id, an incrementing number\",\n            \"kpid\":\"KP-0003\"\n        }\n    },\n    \"request\":{\n        \"//\": \"path of the vulnerable URL\",\n        \"path\": \"/wp-content/themes/twentyfifteen/genericons/example.html\",\n        \"//\": \"POST body; leave empty for GET\",\n        \"postData\": \"\"\n    },\n    \"verify\":{\n        \"//\": \"verification type {string: substring match, regex: regular expression, md5: md5 of the file}\",\n        \"type\":  \"string\",\n        \"//\": \"value to verify against; its meaning depends on type\",\n        \"match\": \"jquery/1.7.2/jquery.min.js\"\n    }\n}\n```\n\n### Building\n\n**Note: third-party dependencies are now managed with Go modules**\n\n```shell\ngo get -d github.com/opensec-cn/kunpeng\ncd $GOPATH/src/github.com/opensec-cn/kunpeng\n\n\n# small tool that embeds static assets into the build\ngo install github.com/mjibson/esc\n\n# embed the JSON plugins into the project source\nesc -include='\\.json$' -o plugin/json/JSONPlugin.go -pkg jsonplugin plugin/json/\n\n# build the C version (usable from every language)\ngo build -buildmode=c-shared --ldflags=\"-w -s -X main.VERSION=20190226\" -o kunpeng_c.so\n\n# build the Go-only version (not supported on Windows)\ngo build -buildmode=plugin --ldflags=\"-w -s -X main.VERSION=20190226\" -o kunpeng_go.so\n\n# run the sample callers\npython example/call_so_test.py\ngo run example/callsoTest.go\n```\n\n### Screenshot\n\n![img](doc/img.png)\n\n[releases]: https://github.com/opensec-cn/kunpeng/releases\n[example]: https://github.com/ywolf/kunpeng/tree/master/example\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensec-cn%2Fkunpeng","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopensec-cn%2Fkunpeng","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensec-cn%2Fkunpeng/lists"}
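The README's JSON plugin format describes a plugin as a request path plus a verify rule of type string, regex or md5, but the page never shows how such a rule is applied to a response. The Go program below is an added example, not kunpeng's own code: it parses the README's WordPress plugin, issues its GET request against a constructed local test server (once serving a genericons page that bundles jQuery 1.7.2, once a patched copy) and evaluates the verify rule. The names JSONPlugin, LoadPlugin, Matches, Check and CheckAgainst, the rule semantics (substring for string, Go regexp for regex, case-insensitive hex MD5 of the whole body for md5), the 1 MiB body cap and the GET-only request (the README's empty-postData case) are this example's assumptions; kunpeng's real loader is not on the page.

```go
package main

import (
	"crypto/md5"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
	"time"
)

// JSONPlugin holds the plugin fields a check needs; the README's "//" comment keys are dropped by encoding/json.
type JSONPlugin struct {
	Request struct{ Path string `json:"path"` } `json:"request"`
	Verify  struct {
		Type  string `json:"type"` // string, regex or md5
		Match string `json:"match"`
	} `json:"verify"`
}

// LoadPlugin parses one JSON plugin document.
func LoadPlugin(doc string) (*JSONPlugin, error) {
	p := &JSONPlugin{}
	if err := json.Unmarshal([]byte(doc), p); err != nil {
		return nil, err
	}
	return p, nil
}

// Matches applies the verify rule to a response body. The semantics are this example's assumption:
// substring for "string", Go regexp for "regex", case-insensitive hex MD5 of the whole body for "md5".
func (p *JSONPlugin) Matches(body []byte) (bool, error) {
	switch p.Verify.Type {
	case "string":
		return strings.Contains(string(body), p.Verify.Match), nil
	case "regex":
		return regexp.Match(p.Verify.Match, body)
	case "md5":
		return strings.EqualFold(fmt.Sprintf("%x", md5.Sum(body)), p.Verify.Match), nil
	default: // an unknown rule type is an error, not a silent "not vulnerable"
		return false, fmt.Errorf("unknown verify type %q", p.Verify.Type)
	}
}

// Check issues the plugin's GET request to netloc (the README's empty-postData case) and verifies the body.
func (p *JSONPlugin) Check(client *http.Client, netloc string) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(netloc, "/")+p.Request.Path, nil)
	if err != nil {
		return false, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what a hostile target can make us buffer
	if err != nil {
		return false, err
	}
	return p.Matches(data)
}

// Constructed inputs: the README's WordPress JSON plugin reduced to the fields used here, plus a
// vulnerable genericons page that bundles jQuery 1.7.2 and a patched one that does not.
const (
	WordPressPlugin = `{
  "//": "comment keys are ignored by the decoder",
  "target": "wordpress",
  "request": {"path": "/wp-content/themes/twentyfifteen/genericons/example.html", "postData": ""},
  "verify": {"type": "string", "match": "jquery/1.7.2/jquery.min.js"}
}`
	VulnerablePage = `<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>`
	PatchedPage    = `<script src="/wp-includes/js/jquery/jquery.js"></script>`
)

// CheckAgainst runs the WordPress plugin against a constructed local server that serves page
// at the genericons path, and returns the plugin's verdict.
func CheckAgainst(page string) (bool, error) {
	p, err := LoadPlugin(WordPressPlugin)
	if err != nil {
		return false, err
	}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/wp-content/themes/twentyfifteen/genericons/example.html" {
			http.NotFound(w, r)
			return
		}
		io.WriteString(w, page)
	}))
	defer srv.Close()
	// 15 s mirrors the README's "timeout" setting; a scanner must never hang on one target.
	return p.Check(&http.Client{Timeout: 15 * time.Second}, srv.URL)
}

func main() {
	fmt.Println(CheckAgainst(VulnerablePage)) // true <nil>
	fmt.Println(CheckAgainst(PatchedPage))    // false <nil>
}
```

The verdict is the return value of CheckAgainst rather than a printed line, so the same code drives a unit test. A real loader would first apply the target selection the Check API describes (fuzzy match on the plugin's target, or an exact CVE or KPID) and only then call Check; treating an unknown verify type as an error rather than "not vulnerable" keeps a typo in a community-contributed plugin from silently disabling a check.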