cve-2020-2551_poc.py
#!/usr/bin/python3
# -*- coding:utf-8 -*-
import socket,argparse,sys,requests
from urllib.parse import urlparse
from multiprocessing.dummy import Pool as ThreadPool
# Usage banner shown on every start (runtime text kept verbatim).
BANNER = '''
+--------------------------------------------------- -----+
+ USE: python cve-2020-2551_poc.py <url:port> +
+ VER: 10.3.6.0.0 +
+ 12.1.3.0.0 +
+ 12.2.1.3.0 +
+ 12.2.1.4.0 +
+ EXP: python3 cve-2020-2551_poc.py -u http://1.1.1.1:7001 +
+-----------------------------------------------------------+
'''
print(BANNER)
def doThreads(fnCbk, lists, nThreads=32):
    """Apply ``fnCbk`` to every element of ``lists`` on ``nThreads`` worker threads.

    Blocks until all items have been processed; return values are discarded.
    """
    workers = ThreadPool(nThreads)
    workers.map(fnCbk, lists)
    # Shut the pool down and wait for the workers before returning.
    workers.close()
    workers.join()
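def doSendOne(ip, port, data):
    """Send ``data`` to ``ip:port`` and report whether the reply looks like GIOP.

    Opens a TCP connection with a 7-second timeout, writes the whole payload and
    reads at most 20 bytes back.  Returns True only when those bytes contain the
    ``GIOP`` magic, i.e. the endpoint answered with a GIOP/IIOP message.  Every
    failure (refused connection, timeout, reset, unusable port value) yields
    False.  A True result shows that the port speaks IIOP; the caller's message
    treats that as the CVE indicator, but nothing beyond the handshake reply is
    verified here.

    Args:
        ip: Host name or address to connect to.
        port: TCP port; strings are accepted and converted with ``int``.
        data: Raw bytes to send.

    Returns:
        True if the reply contains ``b'GIOP'``, otherwise False.
    """
    try:
        # create_connection applies the timeout to connect as well as to the
        # later send/recv; the context manager closes the socket on every path.
        with socket.create_connection((ip, int(port)), timeout=7) as sock:
            # sendall() keeps writing until the whole buffer is out; plain
            # send() may write only a prefix and silently truncate the probe.
            sock.sendall(data)
            res = sock.recv(20)
    except Exception:
        # Best-effort probe: any network or conversion error means "not seen".
        return False
    return b'GIOP' in res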
# Set to True by doPipe(); while set, doOne() prints only positive hits.
g_bPipe = False
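def doOne(url):
    """Probe the host named by ``url`` for an IIOP (GIOP) listener and print the verdict.

    The host comes from the URL's ``hostname`` (so userinfo and IPv6 brackets
    are handled) and the port from its explicit ``:port`` component, defaulting
    to 443 for https and 80 otherwise.  The probe is a fixed GIOP message (the
    hex literal ends in the ASCII text ``NameService``); a GIOP reply is printed
    as ``[+] found CVE-2020-2551``.  The negative line is suppressed while
    ``g_bPipe`` is set (batch mode) so only hits are listed.  The check only
    shows that the port answers GIOP; it does not confirm exploitability.

    Args:
        url: Target in ``scheme://host[:port]/`` form.
    """
    global g_bPipe
    parts = urlparse(url)
    host = parts.hostname or ''
    try:
        port = parts.port  # None when the URL carries no explicit port
    except ValueError:
        # Non-numeric port text: pass it through verbatim so doSendOne's int()
        # rejects it and the URL is reported as not found, as before.
        port = parts.netloc.rpartition(':')[2]
    if port is None:
        port = 443 if parts.scheme == 'https' else 80
    probe = bytes.fromhex('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')
    if doSendOne(host, port, probe):
        print('[+] found CVE-2020-2551 ', parts.netloc)
    elif not g_bPipe:
        print('[-] not found CVE-2020-2551 ', parts.netloc)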
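def doPipe():
    """Read targets from stdin, one per line, and check them on a thread pool.

    Reading stops at end of input or at the first blank line.  Each line is
    right-stripped (this also removes the newline), so a final line without a
    trailing newline is no longer dropped.  Sets ``g_bPipe`` so that doOne()
    prints only positive results.
    """
    global g_bPipe
    g_bPipe = True
    targets = []
    for line in sys.stdin:
        target = line.rstrip()
        if not target:
            break  # blank line (or whitespace only) ends the list
        targets.append(target)
    doThreads(doOne, targets)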
if __name__ == '__main__':
    # Command-line entry point: a single URL check, a stdin-fed batch, or both.
    cli = argparse.ArgumentParser()
    cli.add_argument("-u", "--url", help="http://xxx.xxx.xxx:7001/")
    cli.add_argument("-e", "--pipeCheck", help="pipe check is Ok,thread 32", action="store_true")
    opts = cli.parse_args()
    if opts.url:
        doOne(opts.url)
    if opts.pipeCheck:
        doPipe()