lucifer1993 / struts-scan Goto Github PK

老铁，这里是不是有点问题：
struts-scan.py 的 534 和 535
surl = self.url[self.url.rfind('/')::]
rurl = self.url.replace(surl, "") + self.shell["struts2-057-1"].replace("FUZZINGCOMMAND", command) + surl
print 出来（目标是 192.168.1.1:80） ：
surl 是 /192.168.1.1:80
rurl 是 http://%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27netstat -an%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/172.16.16.13:80

话说052和053出来有段日子，也有exp了，大佬抽空可以加上唉~

hi，readme里“https://github.com/Ivan1ee/struts2-057-exp。” 链接多了个句号。

采用Windows的cmd运行结果乱码，希望大佬可以优化下。

难道哪儿有问题？好多漏洞发现不了？

我看代码是：
req = requests.get(self.url+'/?redirect:https://www.baidu.com/%23', timeout=TMOUT, verify=False)
if req.status_code == 302:
cprint("目标存在struts2-017漏洞..(只提供检测)", "red")
filecontent.writelines("struts2-017 success!!!\n")

然后公网上很多服务器，无论对什么请求都返回 302 重定向到 baidu ....

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 15 Apr 2020 07:44:12 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://www.baidu.com/

Does S009, S013, S032, S037 vulnerabilities work¿? Because the other ones are scanned and identified correctly but those I told you, have you found any struts vulnerable to those ones¿? Thanks

struts2-048的检查方法和网上看到的045的方法差不多，和048的描述不符https://cwiki.apache.org/confluence/display/WW/S2-048

检测struts2漏洞--------
目标url:http://119.254.9.210/channel/doChannelList.action
检测struts2-005超时..
超时原因: HTTPConnectionPool(host='119.254.9.210', port=80): Max retries exceeded with url: /channel/doChannelList.action (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x191a790>, 'Connection to 119.254.9.210 timed out. (connect timeout=6)'))
检测struts2-009超时..
超时原因: HTTPConnectionPool(host='119.254.9.210', port=80): Max retries exceeded with url: /channel/doChannelList.action (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x191afd0>, 'Connection to 119.254.9.210 timed out. (connect timeout=6)'))
检测struts2-013超时..
超时原因: HTTPConnectionPool(host='119.254.9.210', port=80): Max retries exceeded with url: /channel/doChannelList.action (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x191af50>, 'Connection to 119.254.9.210 timed out. (connect timeout=6)'))
检测struts2-016超时..
超时原因: HTTPConnectionPool(host='119.254.9.210', port=80): Max retries exceeded with url: /channel/doChannelList.action (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x191a6d0>, 'Connection to 119.254.9.210 timed out. (connect timeout=6)'))
检测struts2-019超时..
超时原因: HTTPConnectionPool(host='119.254.9.210', port=80): Max retries exceeded with url: /channel/doChannelList.action (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x191af10>, 'Connection to 119.254.9.210 timed out. (connect timeout=6)'))
检测struts2-devmode超时..

Vulhub上的Struts2漏洞环境（http://vulhub.org/#/environments/struts2/s2-016/），同时存在S2-016/045/046漏洞，使用shack2或PKAV的Struts2检测工具均可以发现这三个漏洞，但在Linux环境使用struts-scan-linux，三个漏洞均不能发现。
struts-scan-linux检测结果，Struts2-016提示超时，S2-045/046提示不存在漏洞。通过交互式命令，s2-016可以利用成功，s2-045/46无法利用。

11月5日的新漏洞

整理的不错，一些小细节可以优化下，url的拼接方面urlparse.urljoin更加严谨点，避免一些漏扫,命令执行测试可以用set /a 654321 * 789 && expr 654321 * 789 || echo，简化check函数；006的可以加上去

批量检查结果不保存= =尴尬！

建议使用click或者其他库优化命令行；整个程序的所有struts漏洞的验证和批量扫描全部是单线程操作，若超时严重会很浪费时间，建议使用多线程优化，有空我自己也优化一下^_^

执行python struts-scan.py [url]

报出：
File "struts-scan.py", line 195
print prompt,
^
SyntaxError: Missing parentheses in call to 'print'

是我使用的姿势不对么？

比如s2-053检测 命令是这样的吗？
example：
struts-scan.exe+url+username=admin