CVE-2022-22947

Author: SummerSec

cmd/commons/attack/attack.go

@@ -0,0 +1,34 @@
+package attack
+
+import (
+	"github.com/SummerSec/SpringExploit/cmd/commons/poc"
+	log "github.com/sirupsen/logrus"
+)
+
+func Sevice(url string, hashmap map[string]interface{}) {
+	log.Debugln("github.com/SummerSec/SpringExploit/cmd/commons/attack/attack.go")
+	log.Debugf("[*] Start attack %s", url)
+	pocs := make(map[string]interface{})
+	a := addPoc(pocs)
+	//for k, v := range hashmap {
+	//	log.Debugln("key: ", k, " value: ", v)
+	//}
+	for _, v := range a { // 循环添加poc
+		t := v.(poc.PoC)
+		t.SendPoc(url, hashmap)
+	}
+
+}
+
+func init() {
+	log.Debug("[*] Init attack")
+}
+
+func addPoc(pocs map[string]interface{}) map[string]interface{} {
+	log.Debugln("github.com/SummerSec/SpringExploit/cmd/commons/attack/attack.go:25")
+	log.Debug("[*] Add PoC")
+	//pocs["demo"] = &poc.Demo{}
+	pocs["CVE202222947"] = &poc.CVE202222947{}
+	return pocs
+
+}

cmd/commons/core/banner.go

@@ -1,15 +1,23 @@
 package core
 
-import log "github.com/sirupsen/logrus"
+import (
+	"fmt"
+)
 
 const banner = `
-
-
-
+  _________               .__                  ___________                .__           .__   __   
+ /   _____/______ _______ |__|  ____    ____   \_   _____/___  _________  |  |    ____  |__|_/  |_ 
+ \_____  \ \____ \\_  __ \|  | /    \  / ___\   |    __)_ \  \/  /\____ \ |  |   /  _ \ |  |\   __\
+ /        \|  |_> >|  | \/|  ||   |  \/ /_/  >  |        \ >    < |  |_> >|  |__(  <_> )|  | |  |  
+/_______  /|   __/ |__|   |__||___|  /\___  /  /_______  //__/\_ \|   __/ |____/ \____/ |__| |__|  
+        \/ |__|                    \//_____/           \/       \/|__|                             
+																			
 `
 
 func ShowBanner(Version string) {
-	log.Println(banner)
-	log.Println("Version:", Version)
+	fmt.Println(banner)
+	fmt.Println("\t\t\tAuthor: SummerSec Version:", Version+" Github: https://Github.com/SummerSec\n")
+	//log.Println(banner)
+	//log.Println("Version:", Version)
 
 }

cmd/commons/core/options.go

@@ -13,6 +13,8 @@ type Options struct {
 	File string
 	// 传入的url
 	Url string
+	// 设置超时时间
+	Timeout int
 
 	// 代理设置
 	Proxy string
@@ -26,9 +28,12 @@ type Options struct {
 	// 日志输出文件
 	LogFile string
 	// 重复请求次数
-	Repeat int
+	Retry int
 	// ip 段
 	IP string
+
+	// 保存结果
+	Out string
 }
 
 func (o Options) toString() interface{} {
@@ -38,16 +43,18 @@ func (o Options) toString() interface{} {
 
 func ParseOptions() *Options {
 	options := &Options{}
-	flag.IntVar(&options.Mode, "mode", 6, "debug mode off (default Infolevel = 0  PanicLevel = 1 FatalLevel = 2 \n"+"\t\t ErrorLevel = 3  WarnLevel = 4  InfoLevel = 5  DebugLevel = 6  TraceLevel = 7)")
-	flag.IntVar(&options.Thread, "thread", 1, "thread number (default thread = 1)")
-	flag.StringVar(&options.File, "file", "", "file to read example: -file=test.txt")
-	flag.StringVar(&options.Url, "url", "", "url to read example: -url=http://www.baidu.com")
+	flag.IntVar(&options.Mode, "m", 6, "debug mode off ( Infolevel = 0  PanicLevel = 1 FatalLevel = 2 \n"+"\t ErrorLevel = 3  WarnLevel = 4  InfoLevel = 5  DebugLevel = 6  TraceLevel = 7)")
+	flag.IntVar(&options.Thread, "t", 1, "threads number ")
+	flag.StringVar(&options.File, "f", "", "file to read example: -file=test.txt")
+	flag.StringVar(&options.Url, "u", "", "url to read example: -url=http://www.baidu.com")
 	flag.StringVar(&options.Proxy, "proxy", "", "proxy example: -proxy=http://127.0.0.1:8080 or -proxy=socks5://127.0.0.1:1080")
 	flag.BoolVar(&options.Version, "version", false, "show version")
 	flag.BoolVar(&options.Verbose, "verbose", false, "show verbose")
 	flag.StringVar(&options.LogFile, "log", "logs.txt", "log file example: -log=/logs/logs.txt")
-	flag.IntVar(&options.Repeat, "repeat", 3, "repeat request times")
-	flag.StringVar(&options.IP, "ip", "", "ip segment example: -ip=192.168.0.1/24 ")
+	flag.IntVar(&options.Retry, "retry", 3, "repeat request times")
+	flag.StringVar(&options.IP, "i", "", "ip segment example: -ip=192.168.0.1/24 ")
+	flag.IntVar(&options.Timeout, "timeout", 10, "timeout")
+	flag.StringVar(&options.Out, "o", "result.txt", "out file example: -o=result.txt default result.txt")
 	flag.Parse()
 
 	v := "0.0.1"
@@ -62,6 +69,7 @@ func ParseOptions() *Options {
 		options.Url = ""
 
 	} else {
+		ShowBanner(v)
 		flag.PrintDefaults()
 	}
 	showVerbose(options)

cmd/commons/core/request.go

@@ -2,6 +2,7 @@ package core
 
 import (
 	"encoding/json"
+	"github.com/SummerSec/SpringExploit/cmd/commons/attack"
 	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
 	"github.com/fatih/structs"
 	log "github.com/sirupsen/logrus"
@@ -13,6 +14,7 @@ type Runner struct {
 
 func NewRunner(options *Options) (*Runner, error) {
 	r := Runner{options: options}
+
 	mops := structs.Map(&r.options)
 	data, _ := json.Marshal(mops)
 	log.Info("Runner created")
@@ -23,21 +25,33 @@ func NewRunner(options *Options) (*Runner, error) {
 }
 
 func (r *Runner) Run() {
+	log.Debugln("github.com/SummerSec/SpringExploit/cmd/commons/core/runner.go: Run()")
 	log.Info("Runner Running")
 	f := r.options.File
 	var urls []string
+	// TODO: check if options are valid
+	//r.options.Url = "http://127.0.0.1:8090/"
+
 	if f == "" {
 		urls = append(urls, r.options.Url)
 	} else {
 		urls, _ = utils.ReadFile(r.options.File)
 	}
+	log.Debugln("URLs: ", urls)
 	var i = 0
 	k := r.options.Thread
+	hashmap := structs.Map(&r.options)
 	for i < len(urls) {
 		for t := 0; t < k; t++ {
+			if i == len(urls) {
+				break
+			}
 			if urls[i] != "" {
-				go Start(urls[i]) // Start 3 goroutines
-				i++
+				log.Debugln("Running attack on: ", urls[i])
+				// 通道通信 发送url 并且 i++
+				c := make(chan int)
+				go Start(urls[i], hashmap, i, c) // Start 3 goroutines
+				i = <-c
 			} else {
 				break
 			}
@@ -46,8 +60,17 @@ func (r *Runner) Run() {
 
 }
 
-func Start(url string) {
+func Start(url string, hashmap map[string]interface{}, i int, c chan int) {
+	log.Debugln("github/SummerSec/SpringExploit/cmd/commons/core/runner.go: Start")
+
 	log.Info("Runner started")
 	log.Infoln("testing URL: ", url)
+	//for k, v := range hashmap {
+	//	log.Debugln("key: ", k, " value: ", v)
+	//}
+	attack.Sevice(url, hashmap)
+
+	// 放到最后，不然无法生效
+	c <- i + 1
 
 }